Paralegal vs. Legal Assistant vs. Junior Attorney – Know the Differences and Pick the Right Professional Before Hiring or Contracting

It’s a good sign when the volume of legal work at a company increases to the point where another legal resource is needed, either permanently or temporarily. Most often a company will look for a generalist resource, such as a paralegal, a legal assistant, or a junior attorney, to handle a variety of tasks and free up time for senior attorneys and other specialists to focus on other work. However, many companies post a new position or reach out to a placement firm for a temporary resource without first thinking through which type of legal professional is best suited for the needs of the organization.

Paralegals and legal assistants are non-attorney legal professionals that can perform substantive legal work under the supervision of an attorney, and often form an integral part of an in-house legal department or law firm.  There are advantages and disadvantages to adding a paralegal, legal assistant, or junior attorney. Thinking through whether a paralegal, legal assistant, or junior attorney is the best role for your company’s needs can help maximize productivity for the person filling the role, and help ensure that the person is capable and ready for the work he or she will be tasked to perform. Just as important, understanding what attorney and non-attorney legal professionals can’t do, and how they should be classified from an employee perspective, can help protect your company (and any existing in-house attorneys) from ethical or business issues.

I’ll conclude with a note about contract managers, another role used by some companies to manage transactional work.

Differences at a Glance

At a high level, here are the differences between paralegals, legal assistants and junior attorneys:

Diving In

Let’s look at each of these roles in a little more detail.

Paralegals

Paralegals are non-attorney legal professionals with education, a certification, work experience, or other training which allows them to perform substantive legal work under an attorney’s guidance and supervision. Paralegal as a profession first appeared in the 1960s. Paralegals support the substantive work of attorneys by allowing attorneys to delegate work to them that attorneys would otherwise need to perform directly. Paralegals can play a critical role within legal departments given the breadth of work they can perform. Unless it involves the unauthorized practice of law (which I’ll address later in the article), paralegals can be delegated almost any project that an attorney would normally perform, as long as the paralegal is qualified to do it or willing to learn and the paralegal is supervised by an attorney. Paralegals at smaller departments may also handle administrative tasks for the legal team. There are a number of certification programs for paralegals, such as the National Federation of Paralegal Association (NFPA)’s Paralegal CORE Competency Exam (PCCE) and Paralegal Advanced Competency Exam (PACE) and the National Association of Legal Assistants (NALA)’s Certified Paralegal (CP) and Advanced Paralegal Certification (APC) credentials. There are also paralegal associate degree, bachelor’s degree, and master’s degree programs.

If a company needs a legal professional with the training, experience and ability to perform substantive legal work under the supervision of one of the company’s attorneys, and does not need an attorney for the role to provide legal advice/counsel or to represent the company, a paralegal may be a good option. For example, a paralegal may be best suited to help with a document review project, to draft and negotiate standard agreements, or to research a specific question or new law.

Legal Assistants

Legal assistants also perform substantive legal work under an attorney’s guidance and supervision. Legal assistants may be tasked with administrative activities such as filing, maintaining the legal calendar of important deadlines (e.g., trademark renewal deadlines), and managing legal department bills and expense reporting. Legal assistants may aspire to grow into a paralegal role. If a company needs a non-attorney legal professional who does not possess the training, education and experience of a paralegal but who has the ability to perform both substantive and administrative legal work under the supervision of an attorney, a legal assistant may be a good option. For example, a legal assistant may be best suited to help a small legal department which has administrative needs as well as other substantive work.

Many non-attorney legal professionals within corporations prefer the title “Paralegal” to “Legal Assistant,” as it is often perceived as a more professional and senior position than that of a legal assistant. Some in-house legal departments will use the title “Junior Paralegal” for a legal assistant who does not yet have the necessary experience, education, certification or training to be a full paralegal, but where the person or the company wants the individual contributor to have a paralegal title.

Paralegals and Legal Assistants as Non-Exempt Personnel

One very important note for US employers – the US Department of Labor (DOL) has stated that paralegals and legal assistants should be classified as non-exempt personnel in most circumstances. Under 29 CFR Part 541.301(e)(7), the Department of Labor stated that “paralegals and legal assistants generally do not qualify as exempt learned professionals because an advanced specialized academic degree is not a standard prerequisite for entry into the field.” The DOL has issued opinion letters, such as FLSA2005-54 and FLSA2006-27, supporting this position. However, do not interpret this as meaning that paralegals and legal assistants are not professionals – they are (just not from a Fair Labor Standards Act perspective according to the DOL). It’s also important to note that the DOJ’s webpage on the Overtime Final Rule added a note in January 2018 stating that the DOL is “undertaking rulemaking” to revise the Overtime Final Rule, so employers with paralegals and legal professionals should watch this carefully.

Why Paralegals and Legal Assistants are Different

Many view paralegals and legal assistants as interchangeable titles and roles. For example, the American Bar Association uses the same definition for both paralegals and legal assistants. Both paralegals and legal assistants can perform substantive legal work under an attorney’s supervision. However, I think it’s more accurate to view them as two different points on the spectrum of non-attorney legal professionals. Here are some of the key differences I see between the roles:

  • Paralegals often perform (and expect to be tasked with) more and higher-level substantive work than legal assistants.
  • Legal assistants are more likely to be tasked with administrative legal responsibilities than paralegals in the same department.
  • Paralegals are more likely to have completed a certification, education, or other training programs demonstrating a higher level of skill and experience to provide supporting substantive legal work, and are required to maintain paralegal certifications through continuing paralegal education.
  • Paralegals, especially those with a certification, tend to expect a higher compensation rate/salary than non-certified paralegals or legal assistants.

What Paralegals and Legal Assistants Can’t Do

Paralegals and legal assistants can do many things, but cannot provide legal advice or opinions, sign documents or pleadings, engage in other prohibited tasks such as establishing attorney-client relationships, or engage in the unauthorized practice of law. This is a critically important point – paralegals cannot, and should not be permitted to, perform substantive legal work except under an attorney’s supervision, and should not do anything (directly or indirectly) that could be considered the unauthorized practice of law. For in-house paralegals, this can be very tricky as others will undoubtedly come to the paralegal asking for an opinion or advice.  Rank-and-file employees often feel anyone in Legal should be able to give them an answer on a legal question. It’s up to the paralegal to let them know that they need to defer to the attorney on legal advice or opinions, and to ensure their work is being supervised by an attorney. The voluntary codes of paralegal ethics, such as the NALA Code of Ethics and Professional Responsibility and the NFPA Model Code of Ethics and Professional Responsibility and Guidelines for Enforcement, clearly state that paralegals cannot engage in the unauthorized practice of law, perform duties that only attorneys can perform, or take actions that only an attorney can take.

In Minnesota, like most US states, the unauthorized practice of law is illegal. Minn. Stat. § 481.02 prohibits a non-attorney from acting as an attorney or giving legal advice or services. In many states, the unauthorized practice of law is a felony. An attorney responsible for supervising the work of a paralegal or legal assistant who engages in the unauthorized practice of law will also find themselves in violation of Rule 5.5 of the Minnesota Rules of Professional Conduct, which prohibits attorneys from assisting others in the unauthorized practice of law.

This is one of the reasons why the first in-house legal hire at most companies is an attorney. It is generally not recommended that a company’s first legal hire be a paralegal or legal assistant, as many of the substantive legal tasks to be performed by the first legal hire at a company require legal supervision, and outside counsel may not be willing to supervise the work of a non-attorney employed by the corporation due to ethical concerns. An attorney who fails to properly supervise the work of non-attorney legal professionals reporting to that attorney is putting his or her legal reputation, license to practice law, and company at risk.

Junior Attorneys

As licensed attorneys, junior attorneys offer a company the ability to do more than paralegals or legal assistants. Not only can they perform substantive work, but they can provide legal advice and opinions, represent the company in court, and otherwise engage in the practice of law. However, junior attorneys are usually considerably more expensive than either paralegals or legal assistants. If a company is hiring its first legal professional and does not need a more senior attorney as its first attorney (e.g., the company has a strong relationship with outside counsel that is acting in a quasi-General Counsel capacity), or needs a legal professional who can perform substantive legal work, provide legal advice and counsel and represent the company, and the company can afford the higher compensation an attorney typically requires, a junior attorney may be a good option.

Contract Managers

There is one other role used by some companies with respect to contracts – the contract manager. A contract manager is a person who is tasked with negotiating, administering and interpreting a company’s contracts (both standard and non-standard). Contract managers can be non-attorneys, or non-practicing attorneys. Contract managers often act in a project manager role to help ensure a company is meeting its requirements with respect to deliverables and other contractual obligations under its agreements. Like paralegals, there are professional associations governing contract managers, including the International Association for Contract & Commercial Management (IACCM) and the National Contract Management Association (NCMA), as well as contract manager certification programs including the NCMA’s Certified Federal Contract Manager (CFCM), Certified Commercial Contract Manager (CCCM), and Certified Professional Contract Manager (CPCM) designations which require a certain amount of continuing education. In some cases, a company’s procurement department will have contract managers who negotiate procurement and other agreements to take load off of the company’s legal team. Some companies choose to establish an in-house legal function by hiring a contract manager as their first legal professional.

Like other non-attorneys in the United States, contract managers cannot provide legal advice or opinions. However, it is an unsettled question whether a contract manager who does not have a legal degree and negotiates agreements, including risk management terms, on behalf of a company without attorney supervision is engaging in the unauthorized practice of law. Companies should consider whether to ensure contract managers are part of the Legal department and are supervised by attorneys just as paralegals must be, or alternatively require candidates for a contract manager position to hold a JD degree – the attorney would be acting not as an attorney for the corporation but in a “quasi-legal” role, and would remain subject to the Model Rules of Professional Responsibility governing attorneys, which would help avoid issues regarding the unauthorized practice of law.

Eric Lambert has spent most of his legal career working in-house as a proactive problem-solver and business partner. He is a corporate generalist who specializes in transactional agreements, technology/software/e-commerce, privacy, marketing and practical risk management. Any opinions in this post are his own. This post does not constitute, nor should it be construed as, legal advice. He is a technophile and Internet evangelist/enthusiast. In his spare time Eric dabbles in voice-over work and implementing and integrating connected home technologies.

Know and Use All the Risk Reduction Tools in Your Risk Management Toolkit

A central tenet of risk management is that managing the legal and business risk of a particular business opportunity or course of action involves (1) reducing risks by shifting and mitigating them as much as possible, and then (2) having an authorized decision-maker “call the ball” on whether the benefits from the opportunity or course of action outweigh the remaining risks (risk acceptance), or vice versa (risk rejection). Each company has its own tolerance for risk, and its risk tolerance evolves over time — for example, a start-up is generally more willing to take risk to land business than a mature company. A company may also have different risk tolerances for different divisions or product lines. Reducing risk to within the applicable risk tolerance can make the difference on whether the business decision-maker will accept or reject the risks from your proposed opportunity or course of action. Therefore, attorneys and business owners should use every tool in their toolkit to mitigate and shift as much risk as possible before asking the business decision-maker for approval on a certain opportunity or course of action. But all too often, risk decisions are presented to the decision-maker before risk reduction strategies are fully implemented or leveraged. Why is this?

One reason for this is the mistaken belief that reducing risk is too time-consuming, and if a quick risk management decision is needed there is no time for anything more than cursory risk reduction. However, many risk reduction strategies can be implemented quickly and in parallel, or even proactively, to minimize the time impact of risk reduction. You can also pick and choose those risk reduction strategies which “move the risk needle” the most to ensure the time you are devoting to risk reduction will generate the strongest return before a risk decision is needed. Another reason for this is a failure to know and understand all of the risk reduction tools that may be available. The less residual risk a business risk decision-maker is asked to accept, the more likely the answer will be that the potential benefits to the business outweigh the risks. Given this, it’s essential to know all of the available risk reduction tools in your toolkit.

When working with a client, supplier, vendor or business partner, one of the best risk reduction strategies is to build a strong and effective working relationship. If an issue or potential risk exposure arises, the ability to leverage your relationship to work quickly and effectively to resolve the issue, and lessen or eliminate its impact to you and your company, will pay huge dividends.

Here are 10 additional risk reduction strategies to equip your risk management toolkit:

1. Separate factual risks from perceived risks with good research and information.

Risks can be generally grouped into two categories: perceived risks and factual risks. Once the facts related to a particular risk are known, a perceived risk from an opportunity or course of action may turn out not to be a risk at all. For example, a perceived risk of doing business with a particular vendor may be the potential impact to your Payment Card Industry Data Security Standard (PCI DSS) compliance. If the facts show that the vendor will not handle any PCI data, or is already PCI compliant, the risk may not play into the risk acceptance decision. Investigate each business opportunity or course of action thoroughly to ensure you are shifting and mitigating factual risks, not perceived risks. Investigate your prospective client or partner thoroughly and as early as possible. Look at publicly available information regarding the prospective partner to better understand the risks of doing business with the business partner, including its current website and former versions, its BBB rating, its capitalization and liquidity, its litigation history through PACER and other online search tools, and (if public) its securities filings. Investigate whether there is a potential for disputes or litigation around a particular business opportunity (e.g., if the technology you are seeking to acquire has been the subject of intellectual property litigation). Check business references and ask what they view as the biggest risks of doing business with that vendor.

2. Shift risk through indemnification.

One of the most common ways to shift risk is through indemnification. An indemnity is a contractual provision through which one party (the “indemnifying party”) agrees to be responsible for certain monetary costs and expenses incurred by the other party (the “indemnified party”) which arise from, result from or relate to certain acts or omissions of the indemnifying party or other indemnified acts. A party will generally indemnify, defend and hold the indemnified party harmless in connection with indemnified losses and claims. Consider whether to include an indemnity obligation for breaches of representations, warranties and covenants, breach of material obligations, breach of confidentiality/security, misappropriation or infringement of IP, and other risks your company may suffer, which will shift risk and cost to the other party if paired with the right limitation of liability and other risk allocation terms. Consider whether to use a third-party indemnity (insulation from damages and losses resulting from lawsuits and other causes of action by a third party against the indemnified party), or a first-party indemnity (insulation from damages and losses suffered directly by the indemnified party, which is essentially insurance and is often hard to get). Remember that an indemnity is only as good as the company standing behind it (this ties into parental guarantees and insurance requirements, below).

3. Shift risk through insurance requirements.

Another way to shift risk to a client, vendor or business partner is to require them to maintain certain levels of insurance during the term of the relationship (and for a period of time thereafter). This can help ensure that the other party will have the resources necessary to pay you in the event their performance (or lack thereof) under your agreement with them creates a liability on the part of your company. Ensure you are requiring the appropriate types of coverage to protect against the risks you may face under the agreement (e.g., not just a commercial general liability policy, but an errors & omissions policy, cyber liability policy, etc.). Consider insisting on being added as an additional insured, and ensuring that the insurance is primary and non-contributory. Consider whether to ensure it covers ongoing and completed operations, and waives the right of subrogation against you (so the insurer cannot “step into the shoes” of the insured party by paying the claim, giving them a claim against you) and the “insured vs. insured” exclusion (so a claim by you, an additional insured, against the named insured under the policy is not excluded from coverage). Strongly consider requiring a certificate of insurance for your records evidencing the coverage.

4. Shift risk by limiting contractual liability.

Another tool for shifting risk is to set a contractual risk allocation (disclaimer of certain damages and limitation of liability for direct damages) beyond which the other party is liable. For example, consider warranty disclaimers and disclaimers of liability from certain types of behaviors, e.g., a party may disclaim any liability resulting from force majeure events and/or disclaim all warranties, express or implied, not expressly set forth in the agreement. Include an appropriate disclaimer of consequential damages and the like, and limit your direct damages (but also consider whether exceptions to the general disclaimers and limits are appropriate – consider a “second tier” of liability for direct damages of a certain type, or exclusions from the limitation of liability). Consider a liquidated damages provision for certain issues that may arise. Ensure you understand what cannot be limited under applicable law (e.g., in certain states, it’s against public policy for a party to disclaim liability for its own gross negligence or willful misconduct).

5. Shift risk by using subcontractors.

Another risk shifting approach is to utilize subcontractors for certain responsibilities where the risk associated with performing the responsibilities in-house is greater than the risk your company is willing to take. For example, suppose you are refurbishing an office which will need a considerable amount of work to bring the electrical system up to code. Instead of using your own electrician, you may choose to outsource the electrical work to a more experienced subcontractor to whom you can contractually shift the risk from performance. The risk allocation and indemnity provisions in your subcontractor agreement will be critical here. While in some cases the primary contractor may remain liable in the event of a problem causing damage or liability to a third party, the risk-shifting terms in your independent contractor agreement may help protect your company.

6. Shift risk through a parental guaranty.

If the potential counterparty or business partner is not fully capitalized, or is the subsidiary of a larger “deep pocketed” organization, consider requesting a parental guaranty. Guaranty agreements typically include a payment guaranty requiring the guarantor to stand behind the guaranteed party’s payment and indemnification obligations, and/or a performance guaranty requiring the guarantor to perform obligations under the agreement if the guaranteed party fails to perform its obligations. A guaranty ensures you can compel the guarantor to perform the guaranteed payment or performance obligations if the party with which you are contracting fails to comply with its payment and performance obligations. There are many tricky provisions in a guaranty, so ensure you use good counsel to help you construct the guaranty. The guaranty should survive the termination or expiration of the underlying agreement for as long as guaranteed obligations survive. Also, if you are considering a parental guaranty, think about whether it would make more sense to contract directly with the parent and not the subsidiary (which would eliminate the need for the guaranty).

7. Mitigate risk through internal processes.

When evaluating the impact of a business risk, consider whether the risk can be mitigated through existing or new business processes. Are there administrative, technical and physical safeguards or processes in place at your company, or that could easily be put in place, that would reduce the chance of a risk exposure? For example, suppose a contract requires that your software is free of viruses, spyware, malware, and the like. If you have existing technology in place to scan your software for viruses, or can easily put it in place, you may feel comfortable taking this risk as the risk of an exposure is mitigated. However, be careful when implementing manual processes to mitigate risk. They can be prone to error, as they are often dependent on employees manually adding a few tasks to their already crowded plate. Even if a manual risk mitigation process is well documented, it may just be replacing one type of risk with another.

8. Mitigate risk through third party certifications.

Another risk mitigation approach is to require your business partner or vendor to maintain and certify compliance with third party certifications or industry standards which demonstrate that the partner or vendor has implemented steps reasonably designed to protect your company against certain risk exposures. For example, if a partner or vendor will be handling personal information or sensitive confidential information, consider asking for a SOC 2 Type 2 report which is a statement of the effectiveness of a company’s non-financial controls. It’s important to require an unqualified report — a qualified report means that one or more of the controls covered by the report are not effective and the report should not be relied upon in that area. Other common certifications include ISO 27001 for information security management systems, SOC 1/SSAE16 for financial controls, and HITRUST certification for HIPAA business associates.

9. Mitigate risk through your own insurance.

Consider whether your existing or other available insurance coverage would protect you against certain risks arising from your partner/provider relationships. Review the biggest risks faced by your company (including risks impacting your partner/provider agreements) on a regular basis to determine if changes to your insurance coverage profile are warranted; your coverage should evolve as your business evolves. Understand what exclusions apply to your insurance. Consider asking your broker to walk you through your coverage on an annual basis.

10. Mitigate risk through contract provisions.

Finally, consider mitigating risk with your business partners through contractual provisions other than limitation of liability. For example, consider requiring your business partner to agree not to engage in risky behaviors, or to not provide you with data types you don’t want to receive (e.g., trade secrets, PCI data, HIPAA data). Include appropriate representations, warranties and covenants applicable to your business partner, and ensure yours are not overbroad. Consider your rights in the event of non-payment under the agreement. Consider whether an escrow provision would help mitigate risk. Consider rights to injunctive relief (including whether to waive posting a bond or other security, or proof of actual damages). Financial and security audit rights may be important. Ensure your business partner has implemented its own strong risk reduction strategies, such as implementing a business continuity plan/disaster recovery plan and anti-phishing training.

Eric Lambert is Assistant General Counsel and Privacy Officer at CommerceHub, a leading cloud services provider helping retailers and brands increase sales and delight shoppers through supply solutions to expand product assortment, demand solutions to promote and sell products on the channels that perform, and delivery solutions to enable rapid, on-time customer delivery. Any opinions in this post are his own. This post does not constitute, nor should it be construed as, legal advice. Eric works primarily from his home office outside of Minneapolis, Minnesota. He is a technophile and Internet evangelist/enthusiast. In his spare time, Eric dabbles in voice-over work and implementing and integrating connected home technologies.

The Wayback Machine: Portal to the Internet’s Past, and Essential Business and Legal Tool

 

The World Wide Web has revolutionized the world as an information communication medium, but it has one significant drawback – no long-term memory. Once a web page is updated or removed, it disappears as if it was never there. The Wayback Machine, named after Mr. Peabody’s WABAC machine from Rocky & Bullwinkle and located at http://www.archive.org/web, was conceived to give the Web a long-term memory. It is a tool for looking at previous versions of a web page by viewing different iterations captured over time. Internet enthusiasts can easily spend hours peering back in time to what web pages looked like “back in the day.” For example, Google’s November 1998 search page boasted about having 25 million indexed pages, “soon to be much bigger” – it’s likely even Google could not imagine how true that would be!

The Wayback Machine is operated by the Internet Archive, a non-profit organization created in 2001 for the purpose of building and maintaining a historical record of the Web. It has been “crawling” web pages and other Internet-accessible content for archiving purposes since 1996, serving as an “archaeological history” of websites. As of March 5, 2017, the archive contains 279 billion web pages, but not everything on the Web is preserved in the Wayback Machine. It visits web pages for archiving purposes on a periodic basis, ranging from weeks to hours depending on the website; it respects requests not to archive web pages if specified by the website owner (e.g., by using a “robots.txt” file); it also does not fully archive dynamically generated web pages, such as those with web forms or JavaScript; and it does not archive websites which require a login.

Aside from letting people look back at their favorite website’s beginnings or remember what a favorite long-dead site was all about (I still love pets.com’s slogan, “because pets can’t drive”), there are a number of practical business and legal uses for the Wayback Machine. These include:

Business Intelligence

  • Individuals and companies can use the Wayback Machine to search for information on persons, companies and products/services, especially where the companies, products or services no longer exist or the information sought about them is no longer available online. For example, if you are looking for information about a technology, product or program offered or licensed by your company years ago, and you can’t find information about it in company records (the project manager has left the company, records have been purged under the records retention policy, the company that offers it is out of business, etc.) or want to supplement what you have located so far, the Wayback Machine may have an archived version of a page from your website with the information you’re looking for.
  • Similarly, if you are researching a prospective client, partner or acquisition target, looking at the client, partner or target’s historical websites through the Wayback Machine can yield valuable information, such as details on the history and development of the company and its products/services. This information can identify topics to ask about during due diligence, and can help you identify representations, warranties and covenants for inclusion in a sales, partnership or purchase agreement.
  • If you are researching a new potential executive or potential board member, use the Wayback Machine to look at historical bios on archived websites of his or her former companies as part of a thorough due diligence process or to verify information before including it on a company website or in a securities filing.

Contracts

  • The Wayback Machine can help in locating missing copies of license agreements, e.g., for previously licensed software such as a software program or font acquired years ago. If you can’t find the agreement and the company from which it was acquired no longer has it on their website or has gone out of business, the Wayback Machine may help you locate a copy of the agreement from the archived version of the website around or following the date on which you acquired the licensed material, enabling you to ensure you understand your or your company’s rights to the licensed materials.
  • The Wayback Machine can also help locate prior versions of online agreements, such as vendor agreements. For example, if you are renewing your agreement with a large vendor who sends you a new contract available on their corporate website, and you can’t find the old version of their contract you signed years ago, use the Wayback Machine to find the old version on an archived version of their website to generate a redline against the new agreement to facilitate your review of the new agreement.

Records Retention

  • If a company is reconstructing their historical records, the Wayback Machine is a great place to start. Companies often find that their historical records are spotty, especially in the time before a formal records retention process was put in place. Companies may not have a policy to archive and save information of historical or business value, which may be lost over time. Use the Wayback Machine to find and save historical versions of website policies such as Terms of Use, Privacy Policy, Terms of Sale, and other website disclosures, as well as historical information such as bios on former executives and directors and product information.

Intellectual Property and Litigation

  • The Wayback Machine can be an excellent source of information which may be valuable or essential to a party’s position in intellectual property disputes and litigation. For example, Wayback Machine pages can be used to establish or substantiate infringing activity by a person or entity. They have also been admitted in business litigation as far back as 2003 as evidence of the parties’ course of performance.
  • Pages from the Wayback Machine have been used in patent litigation as prior art, i.e., a printed publication describing an invention which publication is shared with a third party (e.g., made available to the public) prior to the date on which the “inventor” filed for patent protection for that invention, and have been used to establish a first date of use in commerce for trademark purposes. (It’s important to note that the Wayback Machine only shows the date on which a page was archived, not the date it was first made accessible online.)
  • The Wayback Machine is also an excellent source for strategic direction in discovery or when preparing a subpoena. Reviewing a discovery or subpoena recipient’s historical websites can help refine a company’s requests for production of documents, interrogatories or other discovery requests where the subject of the request is historical or aged information. It can also help identify potential witnesses who have knowledge as to facts central to the litigation, e.g., a former employee mentioned in a historical blog post.
  • Many federal courts have admitted Wayback Machine web pages in court, in some cases requiring an affidavit authenticating the archived web page, or in other cases where an employee of the company hosting the original web page attests to its authenticity as a true and accurate reproduction of the original page – the ideal person is the person who created the original page, or has first-hand knowledge of the original page. The Internet Archive can provide an affidavit authenticating Wayback Machine printouts for a fee as described on its website, but strongly recommends that a party first request judicial notice or ask the other party to stipulate to the authenticity of printouts from the Wayback Machine (this can be a good approach in arbitration). Note that seeking to admit Wayback Machine web pages can lead to evidentiary objections such as hearsay. Attorneys may want to consider asking their expert witnesses about their familiarity with the Wayback Machine and whether they have previous experience in testifying as to Wayback Machine pages.
  • A prominent example of the Wayback Machine’s value in litigation is the Kleargear.com case. Kleargear.com instituted a provision in its Terms of Use preventing a consumer from taking any action, including posting a review, that negatively impacts the company or its reputation, and imposing a $3,500 “fine” for Kleargear’s legal fees to sue the consumer for breach of the Terms of Use. John and Jen Palmer had a negative experience purchasing a product from Kleargear.com in 2008 and left a negative review. Years later in 2012, Kleargear.com demanded payment from the Palmers of the $3,500 fine if the negative review was not removed and turned the amount over to collections when it was not paid, resulting in an impacted credit rating for the Palmers. Aside from the Palmers winning the inevitable litigation they filed against Kleargear.com, the lawsuit led to legislation in California in September 2014, and federal legislation in December 2016, prohibiting anti-disparagement clauses in consumer contracts. One of the key facts in the case and in press coverage was that, according to the Wayback Machine’s archived Kleargear.com site from 2008, the non-disparagement clause wasn’t even part of the Terms of Use at that time (it was added to the site later on).

Business Tools

  • The Internet Archive offers useful business tools. For example, consider the Wayback Machine’s 404 error page handler. The 404 error page handler enables a website to offer an archived version of a page from the Wayback Machine if a current page is not found and an archived version exists in the Wayback Machine. This can help reduce the impact of 404 errors for websites where content of web pages does not change too quickly, and where displaying an older page is better than no page.
  • The Internet Archive also offers an archiving service called “Archive-It” which companies can use to collect, catalog, manage, store, and provide 24/7 online search of and access to archived content collections. If your company or organization wants to preserve a collection of online content, consider using this service. Users include museums and art libraries, NGOs, colleges and universities, other private companies and non-profits.

Access the Wayback Machine at http://archive.org/web. Frequently-asked questions are located at https://archive.org/legal/faq.php. If you don’t find the Wayback Machine to be a useful business and legal tool, you can at least take a stroll down Internet memory lane.

Eric Lambert is Assistant General Counsel and Privacy Officer at CommerceHub, a leading cloud services provider helping retailers and brands increase sales and delight shoppers through supply solutions to expand product assortment, demand solutions to promote and sell products on the channels that perform, and delivery solutions to enable rapid, on-time customer delivery. Any opinions in this post are his own. This post does not constitute, nor should it be construed as, legal advice. Eric works primarily from his home office outside of Minneapolis, Minnesota. He is a technophile and Internet evangelist/enthusiast. In his spare time, Eric dabbles in voice-over work and implementing and integrating connected home technologies.

7 Tips for Implementing a Records Retention Policy Employees Will Follow

How long to hang on to corporate information and records (records retention) is a common source of conflict within companies. Those in the “keep it” camp believe companies should keep any business records that are needed to conduct business operations effectively, records that serve as a company’s “corporate memory,” records that must be kept for legal, accounting or other regulatory compliance purposes, or have other value to the company (such as protecting the company’s interests). Those in the “destroy it” camp believe companies must promptly destroy records when there is no longer a legitimate business need to retain them, in order (a) to ensure they are minimizing the amount of information that could potentially be exposed in the event of a security breach, inadvertent disclosure, legal disclosure requirement such as a subpoena, or during the discovery phase of litigation, (b) to comply with legal, accounting and other regulatory requirements to destroy information after a certain time, and (c) to reduce the costs of discovery and of storing corporate information. Which side is right?

The answer, of course, is that they’re both right. All of the reasons to keep corporate records, and all the reasons to destroy them, are legitimate. This is the “double-edged sword” of records retention. For every argument that “we might need that piece of information somewhere down the line,” there’s a counterargument that “we could get in trouble someday if we still have that piece of information around.” The way to ensure your company is striking the right balance between these two extremes is to have a written records retention policy that balances the reasons to retain information against the reasons to destroy it, by setting appropriate “retention periods” for various categories of corporate records and requiring employees to destroy data once the retention period is ended in most cases. It is an essential component of a company’s incident response planning process for reducing the amount of information potentially exposable in the event of a security incident or breach. The policy must cover corporate records wherever located, including physical and electronic data wherever stored (in employee workstations, on intranets and network drives, in third party data centers, in cloud-based service providers’ systems, etc.) It should list the categories of business records governed by the policy (I prefer a table format), and the records retention period for each category. It should clearly explain to employees what they need to do to comply with the policy, including how to ensure records are properly destroyed when the retention period ends.

It’s easy to argue why companies need a records retention policy. It’s much harder to actually draft and successfully implement one. Here are 7 drafting and implementation tips to help drive the success of your records retention policy.

1. Success is directly proportional to simplicity and communication.

The simpler you can make a records retention policy, the easier it will be for employees to follow it and the greater the likelihood that employees will take time to follow it. Policies that add significant process requirements into the life of rank-and-file employees who already feel like they are “doing more with less” and may be resistant to new ways of doing things are often met with skepticism at best, and outright rebellion at worst. It can be very difficult to successfully implement and administer a records retention policy if employees feel it is onerous and unnecessarily impeding their ability to do their job. If that happens, employees may simply ignore the policy in favor of their day-to-day business duties, or worse, use the records retention policy as a scapegoat if they fail to deliver on their projects and goals.

To solve this problem, ensure your policy is written as simply as possible, take into account the employee’s perspective, and have a communication plan to roll it out. Ensure your policy overview answers questions such as “Why is having a records retention policy important to me?”, “How hard will it be to follow the policy?”, and “What do I have to do under the policy?” Consider using a “frequently asked questions” format for the policy overview. Have a few employees whose opinion you value give you feedback on the policy. Develop a communication plan to roll out the policy to all employees, and leverage HR and Marketing for their input to make it as effective as possible. Ensure your senior leadership team endorses the policy so employees understand it has top-level visibility.

2. Set a “once per year” date for retention periods to expire.

One way to write a records retention policy is to have a fixed retention period for each business record run from the date the record was created. Under that approach, retention periods will be expiring throughout the year. If the records retention policy requires employees to destroy records immediately upon expiration of the retention period, the policy may require employees to be managing document destruction on a daily or near-daily basis. This may make compliance seem like a daunting task to employees, even if your policy allows employees to destroy expired business records once per month or once per quarter.

As an alternative, consider having all retention periods expire on the same day during each calendar year by having your retention period be measured in full “retention years,” defined as a full calendar year or other 12-month measurement period. For example, if you set December 31 as your annual date for expiration of records retention periods, a presentation created on May 15, 2016 which must be kept for 3 “retention years” would be kept from May 15, 2016 through December 31, 2019 (3 full calendar years from the date of creation). While this approach does extend the retention period for some documents by a bit, that may be an acceptable trade-off for a simple, once-per-year obligation to destroy records under the records retention policy. Consider tying your annual records retention period expiration date into an “office clean-up days” event in partnership with HR where everyone pitches in to tidy up the office, clean up their workspaces, and destroy any documents for which retention periods have expired under the records retention policy.

3. Right-size the departments and categories of corporate records listed in the policy.

In an effort to be as comprehensive as possible, some records retention policies include a significant number of categories of information subject to retention requirements. This can result from using an “all purpose” template such as a template obtained from a law firm, from a colleague, or from online searches. In other cases, a company may want to ensure they are not missing anything by including everything employees have today or could have in the future. One size does not fit all with respect to records retention categories. Consider having a “general” or “common business records” category as the first section of business records in your policy, covering items like business presentations, contracts and agreements (both current and expired); general and customer/vendor correspondence; material of historic value; software source code; etc. Then determine which departments have additional, specialized categories of business records (e.g., HR, IT, Finance, Marketing, Legal, etc.) that should be listed specifically in the policy. For each such department, learn which business records they have and use to create a first draft of your categories list and retention periods. Using a general/departments grouping of categories allows employees to find the information on records retention applicable to them in a targeted and streamlined fashion. There will likely still be a significant number of categories of corporate records, but taking the time to think through the right categories for your company’s records retention policy will help ensure it is as easy as possible for employees to read, follow and use.

4. Use a limited number of retention periods, with “permanent” used as sparingly as possible.

Another common issue with records retention policies is the use of a large number of retention periods. Different departments may have different periods under which they currently retain documents, and they may put pressure to keep their own retention periods in an enterprise-wide policy. A policy with a large number of retention periods will make it harder for employees to follow, and harder for IT and others to operationalize. Remember, simplicity where possible is key to success. Consider using a limited number of retention periods (e.g., 1 year, 3 years, 5 years, 7 years, Permanent) which will simplify administration of, and compliance with, the policy. For departments with different existing retention periods, determine which of the next closest periods (longer or shorter) will work, and be prepared to explain to the head of that department why a limited number of periods is essential to the successful implementation of an enterprise-wide policy.

It can be tempting to put many things into a “permanent” bucket (those in the “keep it” camp are likely candidates to ask for this category). However, overuse of the “perpetual” category cuts against the reason for implementing the policy in the first place. While some documents may need to be kept perpetually, for example, information subject to a document preservation notice due to litigation, document categories should be assigned a “permanent” retention period very sparingly. Use it where it is legally necessary to preserve a category of documents (e.g., it’s required for regulatory purposes), or where there is a compelling business interest in keeping it forever (e.g., prior art that may have value in defending against a future patent infringement claim). One way to find a “happy medium” with those in the “keep it” camp is to include in your policy a mechanism by which Legal and the CISO/CIO can approve an exception to the retention period on a case-by-case basis, but make clear that exceptions will be granted very sparingly and only where legally necessary or where there is a compelling business interest.

5. Partner with department heads to solicit and incorporate their feedback, and to turn them into champions of an enterprise-wide policy.

One of the keys to the successful roll-out of a records retention policy is to have the support of senior management and department heads. Compliance with a records retention policy should be driven from the top down, not bottom up. It’s also important to consider that just because a company has not implemented an enterprise-wide records retention policy does not mean that some departments have not “gone it alone” and implemented their own limited retention and destruction schedule. Partnering with department heads to gain their support for an enterprise policy, and ensure their own efforts are leveraged as part of the broader policy, is essential.

Once a draft policy is prepared, set up one-on-one meetings with the leader of each department to let them know that you want the enterprise policy to be a collaborative (and not an imposed) effort on his/her department. If they have department-specific document categories or retention periods, leverage them to the greatest extent possible to minimize the impact the enterprise policy will have on that department. If they do not, walk them through the reasons why having a well-followed enterprise records retention policy will benefit the company as a whole. Walk the department head through the draft policy, and ensure they agree with the categories and retention periods applicable to their business unit. Try to incorporate their feedback wherever possible, and talk them through where you cannot (e.g., they ask for a non-standard retention period). Finally, ask for their help in rolling the policy out to their department, e.g., by sending a note to the department as a follow-up to the enterprise-wide policy announcement. By meeting with department heads, you will not only ensure the policy hews as closely as possible to the operational and compliance needs and practices of each department, but also establish a contact for future revisions/enhancements to the policy, and hopefully foster an internal champion to help drive the success of the policy.

6. Ensure the policy accounts for document preservation notices. 

One critical element of any records retention policy is a very important exception — information subject to a litigation hold or other document preservation notice (such as in the event of litigation or anticipation of future litigation, where the company receives a subpoena, etc.) If employees follow the records retention policy and destroy business records that are relevant to a legal proceeding or subpoena, the company could face very significant fines and penalties. Ensure that the records retention policy makes it very clear that a document preservation notice supersedes the records retention periods, and that any documents and business records subject to a litigation hold or other document preservation notice must be kept for as long as the preservation notice is in effect regardless of the expiration of the retention period. It’s also important to communicate that once an employee is notified that a document preservation notice has been canceled, any documents subject to the notice should be destroyed at the next anniversary date. Ensure that any systems and processes used by the company to operationalize the records retention policy (e.g., automatic deletion of emails after a certain amount of time) account for the preservation of documents and business records subject to a preservation notice irrespective of the retention periods.

7. Partner with IT to implement technical safeguards to minimize policy “workarounds.”

Finally, partnering with IT will be critical to the success of the policy. In many cases, some document destruction processes can be automated (for example, emails can be deleted after a certain period, files older than a certain date can be automatically deleted from network shares, etc.) Work with your IT group to determine what technological solutions can be put in place to help operationalize the records retention policy. At the same time, some employees may believe that their needs trump the records preservation policy, and will try to work around it (e.g., by saving emails to a PST, printing them to a PDF and saving them on a network drive, “backdating” them by changing the system date before saving files, etc.) Partner with your IT team to put as many appropriate technical safeguards in place as possible to minimize employee workarounds to the records retention policy.


Blockchain and Distributed Ledger Technology Will Change the World (Eventually)

Many people associate “blockchain” with the crypto-currency Bitcoin. However, they are not one and the same. Bitcoin is an application; blockchain and distributed ledger technology are the methods behind it. Given the widespread potential applications of blockchain and distributed ledger technology, it is poised to revolutionize many aspects of the world around us. It may prove to be as disruptive and innovative of a force as augmented reality, or the Internet itself. New articles touting blockchain and distributed ledger technology are coming every day, even while the technology is unknown or confusing to many people. What is it? How might it change the world? And what legal and other risks does it bring?

What is Distributed Ledger Technology and Blockchain?

Centralized Ledgers

Let’s start with what we know – a centralized ledger. Ledgers (what we’ll call a database, list, or other information record) have played an important role in commerce for millennia, recording information about things such as physical property, intangible property including financial holdings, and other assets. The most recent innovation has been the move from physical ledgers (paper, tablets, etc.) to electronically stored ledgers. A “centralized ledger” is a ledger maintained and administered in a single, central location (e.g., a computer database stored on a server) accessible by anyone without use of access controls (public) or through an access control layer by persons or organizations with valid login credentials (permissive). This is a “hub-and-spoke” system of data access and management. Centralized ledgers have historically had many benefits, such as minimized data redundancy, limited number of access points to the data for security purposes, centralized administration, and centralized end user access. However, there are also disadvantages, such as greater potential for loss or inaccessibility if the central location suffers a hardware failure or connectivity outage, inability to recover lost data elements, and a dependence on network connectivity to allow access to the ledger by its users.

Distributed Ledgers

One way to address these disadvantages is through a distributed ledger, where an electronic ledger is distributed (mirrored) to a network of participants (aka “nodes”) through a software program so that each participant has a complete and identical copy of the ledger. Nodes can be individuals, sites, companies/institutions, geographical areas, etc. There is no centralized administrator or “primary node” — if a change is made to one copy of the ledger, that change is automatically propagated to all copies of the ledger in the system based on the rules of the system (called a “consensus algorithm”) which ensures that each distributed copy of the ledger is identical. (For example, in Bitcoin, each node uses an algorithm that gives a score to each version of the database, and if a node receives a higher scoring version of the ledger, it adopts the higher scoring version and automatically transmits it to other nodes.) Since the distributed ledger software on each node validates each addition to the distributed ledger, it’s very difficult to introduce a fraudulent transaction (to put it another way, transactions are audited in real time). Essentially, each node builds an identical version of the distributed ledger using the information it receives from other nodes. The use of distributed models in computing goes back to the origins of the Internet itself — ARPANET, which evolved into what we know today as the Internet, used a distributed model instead of a linear model to manage the transfer of data packets between computer networks.

The software on each node uses cryptographic signatures to verify that it is authorized to view entries in, and make changes to, the distributed ledger. If a participant with rights to modify the ledger makes an addition to the ledger using the participant’s secure keys (e.g., a record of a change in ownership of an asset or recording of a new asset), the addition to the ledger is validated by the consensus algorithm and propagated to all mirrored copies of the ledger, which helps to ensure that the distributed ledger is auditable and verifiable.

Thus, the four central tenets of a distributed ledger are:

  1. distributed copies among nodes via client software;
  2. cryptographic signatures to allow nodes to view, or add to, the distributed ledger in an auditable and verifiable fashion;
  3. a consensus algorithm to ensure distributed copies of the ledger match among participants without the need for a centralized administrator; and
  4. record permanency so that a verified entry accepted to the ledger via the consensus algorithm becomes permanent (it can be corrected via a later addition to the ledger but never removed).

Unlike a centralized ledger such as a database, where the data records and access/usage logs are maintained separately, a distributed ledger maintains data records within a validated structure that captures access and changes within the data store itself. Whereas the server with the centralized ledger is different from the computers which retrieve data from the centralized ledger, each node in a distributed ledger is an equally trusted “peer” of every other node. Another key difference between centralized and distributed ledgers is that a distributed ledger cannot be forked — if you make a copy of a centralized ledger and store it somewhere else, it will be out of sync with the original copy, whereas each copy of a distributed ledger is kept identical by the client software.

Blockchains

A “blockchain” is a specific way of implementing distributed ledger technology – or more precisely, it’s a specific type of distributed ledger. In a blockchain ledger, each record of new value added to the ledger and each transaction affecting entries in the ledger (which we will collectively call “blocks”) includes a timestamp and a cryptographic verification code called a “hash,” which is based on a data signature from the previous block and links the block to the previous block, forming a block “chain.” Because each block is cryptographically tied to the previous block via a one-way hash, the entire chain is secure – a client can verify that a block in the blockchain validates against the previous block, but the hash does not allow someone to trace the blockchain forward. If a block in the chain is altered, its hash value changes and no longer matches the hash stored in later blocks, and the alteration will be rejected by the nodes on the blockchain network. In a blockchain, transactions entered into the system during a specified period of time are bundled together and added to the blockchain as a new block.
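The hash linking described above, shown as an added example in Python (it is not code from the original article or from Bitcoin). The block fields, function names and sample records are assumptions constructed for illustration; the example goes slightly beyond the paragraph by also showing that a copy whose later blocks have all been rewritten still validates on its own and is only caught by comparison with another node's copy.

```python
import copy
import hashlib
import json

GENESIS_PREV = "0" * 64  # constructed placeholder meaning "no previous block"


def block_hash(block):
    """SHA-256 over the block's canonical JSON, excluding its own 'hash' field."""
    body = {k: block[k] for k in ("index", "timestamp", "transactions", "prev_hash")}
    encoded = json.dumps(body, sort_keys=True, separators=(",", ":")).encode("utf-8")
    return hashlib.sha256(encoded).hexdigest()


def append_block(chain, timestamp, transactions):
    """Bundle one period's transactions into a new block linked to the current head."""
    block = {
        "index": len(chain),
        "timestamp": timestamp,
        "transactions": list(transactions),
        "prev_hash": chain[-1]["hash"] if chain else GENESIS_PREV,
    }
    block["hash"] = block_hash(block)
    chain.append(block)
    return block


def first_invalid_block(chain):
    """Return (index, reason) for the first block that fails validation, or None."""
    expected_prev = GENESIS_PREV
    for i, block in enumerate(chain):
        if block["index"] != i:
            return (i, "index out of sequence")
        if block["prev_hash"] != expected_prev:
            return (i, "prev_hash does not match previous block")
        if block_hash(block) != block["hash"]:
            return (i, "contents do not match stored hash")
        expected_prev = block["hash"]
    return None


def rehash_from(chain, start):
    """Recompute links and hashes from `start` onward (a full local rewrite)."""
    for i in range(start, len(chain)):
        chain[i]["prev_hash"] = chain[i - 1]["hash"] if i else GENESIS_PREV
        chain[i]["hash"] = block_hash(chain[i])


def matches_peer(chain, peer_head_hash):
    """Compare this copy's head hash with the head hash held by another node."""
    return bool(chain) and chain[-1]["hash"] == peer_head_hash


def build_sample_chain():
    """Constructed sample ledger: three blocks of asset-transfer records."""
    chain = []
    append_block(chain, "2017-03-01T00:00:00Z", ["asset A: registry -> alice"])
    append_block(chain, "2017-03-01T00:10:00Z", ["asset A: alice -> bob"])
    append_block(chain, "2017-03-01T00:20:00Z", ["asset B: registry -> carol"])
    return chain


def demo():
    honest = build_sample_chain()
    results = {"honest": first_invalid_block(honest)}

    # Case 1: a record in block 1 is edited; its stored hash is left alone.
    edited = copy.deepcopy(honest)
    edited[1]["transactions"][0] = "asset A: alice -> mallory"
    results["edited"] = first_invalid_block(edited)

    # Case 2: block 1's hash is recomputed; block 2 still holds the old value.
    relinked = copy.deepcopy(edited)
    relinked[1]["hash"] = block_hash(relinked[1])
    results["relinked"] = first_invalid_block(relinked)

    # Case 3: every later block is rewritten too. The copy is self-consistent,
    # so only a comparison with another node's copy reveals the change.
    rewritten = copy.deepcopy(edited)
    rehash_from(rewritten, 1)
    results["rewritten_local"] = first_invalid_block(rewritten)
    results["rewritten_matches_peer"] = matches_peer(rewritten, honest[-1]["hash"])
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The third case is why the hash chain alone is not sufficient and the distributed copies and consensus algorithm described earlier matter: local validation passes, but the head hash no longer agrees with the copies held by other nodes.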

Bitcoin is an early example of a blockchain application. Participants can add new bitcoins to the blockchain by solving a cryptographic puzzle (this is called “mining” and takes a lot of computing power). Transactions for the purchase and sale of bitcoins are also recorded in a block in the Bitcoin blockchain – the blockchain is the public ledger of all Bitcoin transactions.

Blockchain applications can be grouped into 3 categories: Blockchain 1.0 applications (crypto-currencies such as Bitcoin); Blockchain 2.0 applications (financial applications); and Blockchain 3.0 applications (other emerging applications). Blockchain applications, like other distributed ledgers, can be either public (the client software does not have an access control layer, meaning anyone with access to the software can access the blockchain network), or permissive (the client software has an access control layer to restrict access to the blockchain network). It can be optimized to handle transactions (such as currency transactions) or logic (such as managing business and governance rules). Public blockchain networks can be a permanent record of transactions, whereas permissive blockchain networks can protect against external hacking attempts.

How might blockchain and distributed ledgers change the world?

The impact of new technology presents at first as rapidly disruptive (positively and negatively), but often manifests organically and transparently to change the world over time.

Roy Amara, a former president of the Institute for the Future, said that people overestimate a technology’s effect in the short term and underestimate it in the long run, a statement known as “Amara’s Law.” However, I think a corollary is in order – the impact of new technology presents at first as rapidly disruptive (both positively and negatively), but often manifests organically and transparently to change the world over time at a proportional rate to the maturity of the commercially available applications, to consensus on technological standards, and to decreasing costs to implement (and increasing ROI from implementing) the technology in practical business and consumer situations. For example, RFID technology was touted early on as a “change the world” technology, and it has — but most prominently through integration of the technology into organic and innovative improvements to supply chain and inventory management. Social networking is viewed by many as a “killer app” which helped usher in the third Age of the Internet, and it has changed the world by changing how we connect with others — we now post updates instead of sending letters or emails to our friends. Both took years to become pervasive in society and industry. A “killer app” is a catalyst that accelerates the adoption of a new technology.

Blockchain and distributed ledger networks have the potential to change the way many systems and business processes work across industries. Since blockchain and distributed ledger networks are platform-agnostic, a distributed ledger could be stored in different hardware/software configurations across different nodes, reducing the need for expensive and time-consuming upgrades to support the distributed model. For example, a permissioned blockchain model could help an organization such as the US Veterans Administration better manage appointment scheduling across a large number of hospitals and clinics (in fact, a resolution was recently passed in the US House of Representatives promoting just that, “to ensure transparency and accountability”). Financial and currency transactions are a major focus of practical applications of distributed ledger networks and blockchain technology. The technology could also be used in applications such as better and more secure management of governmental records and other services; tracking tax collection and receipts; managing assets; identity verification; decentralized voting; managing and tracking inventory levels and B2B/B2C product fulfillment; tracking the “data supply chain” for the flow of data among systems; managing system access controls; protection of critical public and private infrastructure; tracking royalties due to artists for the use of their works; and “smart contracts” (aka “blockchain contracts”) to create, execute, and enforce agreements between parties when certain pre-arranged conditions occur. Distributed ledger networks have the advantage of being more secure, as the consensus algorithm makes it considerably more difficult for a cyber-attacker to successfully alter the distributed ledger. The technology could also allow for greater access transparency, a central tenet of many privacy principles, by allowing individuals to access records in the ledger relating to them or containing their information.

The companies that immediately benefit from a new disruptive business method such as blockchain are those which seek to innovate applications of the method to monetize it, obtain a first mover advantage, and ideally seize significant market share for as long as possible. Industry groups and trade associations will form to promote it, and regulators will begin to take notice. Blockchain and distributed ledger technology is already following this pattern. In late September 2016, two members of the US House of Representatives formed the Congressional Blockchain Caucus as a bipartisan group, and a “Blockchain Innovation Center” opened in Washington, DC. A coalition of lawyers and academics has founded the Digital Currency and Ledger Defense Coalition (DCLDC) whose mission, per their website, is “to help protect individual constitutional rights and civil liberties” with respect to the emerging technology. Groups such as the Hyperledger Project seek to promote the adoption of distributed ledger networks and blockchain applications. As distributed ledger and blockchain technology matures and start-ups present intriguing new products and services coupled with a strong value proposition for businesses to adopt the technology early, companies will begin to implement blockchain and other distributed ledger technologies in a variety of ways.

Risks and Challenges Associated with Blockchain and Distributed Ledger Technology

As companies evaluate the adoption of blockchain and distributed ledger applications, they will need to focus on the risks and challenges raised by the technology. These include:

  • Ensuring the ROI and business case are there. Blockchain and distributed ledger technology is not intended to replace existing centralized ledgers such as databases. If a number of parties using different systems need to track something electronically that changes or updates frequently, a distributed ledger may be a good solution. If those needs are not there, or if there is a continuing need to rely on paper transaction records, a centralized ledger continues to be the better choice. Companies need to ensure there is a compelling ROI and business case before implementing the technology.
  • Record retention risks. One of the features of blockchain and distributed ledger networks is record permanency. This may be incompatible with the requirements for data to be destroyed and deleted after a period of time, such as credit/debit card data under PCI rules, HR data under various regulatory requirements, and the limitations of a company’s own record retention policy.
  • Data Privacy. Distributed ledger technology such as blockchain is inherently designed to share information among every participant/node. If information in a ledger transaction or block contains private information, such as an account number or company confidential information, it will be visible to every user of every node. This is one of the reasons permissioned and private distributed ledgers are a focus of many companies seeking to innovate in the space. Additionally, as nodes in a distributed ledger network can be geographically disparate, rules and requirements for the transfer of data between geographies may play a major role. It is also likely that at some point, decryption technology will evolve to the point where cryptographic signatures may no longer be considered safe.
  • Loss of Control. Companies routinely implement controls (processes and procedures) to manage their systems and operations, which controls may be audited by customers/partners or certified under standards such as SOC 2. But who is accountable for a database distributed across geographies and companies? Use of a distributed ledger system with nodes outside of a company’s systems means ceding some control to an automated process and to a decentralized group of participants in the distributed ledger/blockchain. An error in a record in a distributed ledger becomes permanent and can be corrected but never removed.
  • A Square Peg in a Legal and Regulatory Round Hole. As is often the case, one of the challenges for lawyers and others is determining how existing laws and regulations will likely be interpreted to fit new technologies such as blockchain and distributed ledger; where new laws may be required and how permissive or restrictive they may be; and how enforcement and penalties of both new and existing laws will play out. Moreover, a distributed ledger network may cross multiple jurisdictions, resulting in cross-border regulation and enforcement issues. All but the earliest adopters often take the “herd on the savanna” approach (staying in the center of the herd as the safest point, and migrating to one edge or another once the risks to the outliers have been better gauged). Additionally, contract law requires, at its core, offer, acceptance and consideration between the contracting parties. The emergence of “smart contracts” that rely on computer algorithms to establish the formation and performance of contracts may challenge the nature and application of traditional legal principles of contract law such as contract formation and termination, and the traditional focus of laws on the acts of persons (not automated technologies).
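To make the "Record retention risks" and "Loss of Control" points concrete, here is a minimal hash-chained ledger showing why an erroneous record can be corrected but not removed. It is an added example, not code from this article or from any blockchain project; the function names and sample invoices are constructed for illustration, and it models a single copy of the ledger rather than consensus among nodes.

```python
import hashlib
import json

GENESIS = "0" * 64  # stand-in "previous hash" for the first entry

def entry_hash(prev_hash, payload):
    # The hash covers the payload and the previous entry's hash.
    body = json.dumps({"prev": prev_hash, "payload": payload}, sort_keys=True)
    return hashlib.sha256(body.encode()).hexdigest()

def append(ledger, payload):
    prev = ledger[-1]["hash"] if ledger else GENESIS
    ledger.append({"prev": prev, "payload": payload, "hash": entry_hash(prev, payload)})
    return len(ledger) - 1

def first_invalid(ledger):
    # Index of the first entry that fails verification, or None if all pass.
    prev = GENESIS
    for i, entry in enumerate(ledger):
        if entry["prev"] != prev or entry["hash"] != entry_hash(prev, entry["payload"]):
            return i
        prev = entry["hash"]
    return None

def correct(ledger, index, value):
    # A correction is a new entry that points back at the erroneous one.
    return append(ledger, {"corrects": index, "value": value})

def current_value(ledger, index):
    value = ledger[index]["payload"]
    for entry in ledger[index + 1:]:
        if entry["payload"].get("corrects") == index:
            value = entry["payload"]["value"]
    return value

def build_sample():
    # Constructed sample records; entry 1 carries a data-entry error (1000).
    ledger = []
    for amount in (250, 1000, 75):
        append(ledger, {"invoice": f"INV-{len(ledger)}", "amount": amount})
    return ledger

if __name__ == "__main__":
    edited, removed, ledger = build_sample(), build_sample(), build_sample()
    edited[1]["payload"]["amount"] = 100   # overwrite the error in place
    del removed[1]                          # try to remove the record
    correct(ledger, 1, {"invoice": "INV-1", "amount": 100})
    print(first_invalid(edited), first_invalid(removed), first_invalid(ledger))
    print(current_value(ledger, 1), ledger[1]["payload"])
```

Overwriting or deleting the bad entry makes verification fail, while the appended correction verifies cleanly yet leaves the original erroneous record stored, which is the property that collides with deletion requirements.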

Finally, any technology brings both benefits and potential risks. If the benefits outweigh the risks on the whole, the public interest is not served when the legal, regulatory and privacy pendulum swings too far in response. The spread of blockchain and other distributed ledger technologies and applications will be dependent on the creation and fostering of a legal, regulatory, and privacy landscape that fosters innovation in the space.