5 Proactive Steps For Employers and Businesses in a Post-Equifax World

Companies should proactively prepare for changes in consumer behavior and corporate responsibility.

By now, most people have heard about the massive data breach at Equifax, one of the four US credit bureaus (along with Experian, TransUnion and Innovis), affecting 143 million people. Credit bureaus (also known as consumer reporting agencies) compile and keep a file containing a person’s credit history, including the types of credit, how long credit accounts have been open, how much of the available credit is in use, whether bills are paid on time, late payments, collection notices and foreclosure notices, and public records such as liens and bankruptcies, as well as personal information such as Social Security Number (SSN), date of birth (DOB), and current and previous addresses. Credit bureaus make a report of a person’s credit history (their “credit report”) available to that person, and to employers and other businesses.

Employers and businesses often want to base decisions on whether to offer a person their products or services such as a loan/mortgage/credit offer, the interest rate to charge on that offer, a cell phone plan, an insurance policy, etc., or extend that person an offer of employment or a lease, on as much available relevant information as possible.  This often includes a review of that person’s credit history. Credit reporting agencies monetize accumulated credit history and associated personal information by making credit reports available to employers, insurers, service providers and other businesses for a fee, as permitted by applicable law. If an employer or business wants to obtain your credit report, they obtain your permission to access your report as required by law and ask you to provide certain sensitive personal information about you which they will use to request your report, and they pay a fee to one or more of the credit bureaus to receive a copy of your credit report.

Many employers and businesses rely on easy access to credit reports.  However, this may be one of the more likely casualties of the Equifax breach. As noted earlier, 143 million Americans may now be at risk for identity theft using their sensitive personal information from this one breach event alone. Unlike a credit card number, which can be changed in the event the data is compromised, SSNs and DOBs (which were compromised in the Equifax breach) can’t be changed. This is why the Equifax breach is so significant – unlike most previous breaches, the scale of this breach and the nature of information compromised mean that consumers will be at risk for, and must remain vigilant for, identity theft for the rest of their lives, which will likely drive changes in the way people monitor and manage their credit reports and sensitive personal information.

Most of the advice and guidance regarding the Equifax breach to date has been consumer-focused: what consumers can and should do to protect themselves in the post-Equifax world. This includes recommendations for more robust use of the credit freezes currently offered by the credit bureaus, and use of third-party monitoring services which alert consumers to (or require the consumer’s approval for) changes in their credit report. Both represent a shift towards consumer identity protection and away from easy, instant credit such as point-of-sale “save 20% if you open an account today” offers that require an on-the-spot check of your credit. It is also likely that the earthquake caused by the Equifax breach will result in additional security and legal requirements, not just for credit bureaus but for all companies possessing sensitive personal information such as SSNs and DOBs, as well as industry-driven or legislatively-mandated best practices and new tools that help consumers control access to their credit reports (for example, a tool to manage security freezes at all three major credit bureaus simultaneously and make it easier to impose, and temporarily lift, such freezes). The Equifax breach is also likely to increase consumer acceptance of more involved login processes, such as multi-factor authentication.

Employers and businesses should start thinking about how they can and should adapt to the coming post-Equifax changes in consumer and credit bureau behavior, and increases in corporate responsibility with respect to security and collection/use of sensitive personal information. By taking proactive steps, companies can demonstrate to their employees and customers that they are sensitive to the importance of identity protection and security. Here are 5 proactive steps companies may want to consider:

1. Address consumer credit freeze/release approval in the new employee hiring process and other processes requiring a consumer credit check (such as point-of-sale credit offers).

While implementing a credit freeze will help protect a person from identity theft, it is not without drawbacks. As of today, these include the need to implement or lift freezes separately at each credit bureau, and the fact that the freeze must be lifted (temporarily or permanently) before an employer or business can perform a credit check. Despite this, more people will likely implement credit freezes in the post-Equifax world, which will affect companies’ ability to complete background checks or extend point-of-sale credit offers quickly.

  • Employers and other businesses performing a consumer credit check should anticipate this and consider proactively modifying their credit check process by adding a question to their credit report authorization form asking whether a person has a credit freeze, or whether that person’s approval is required for the release of their credit report. If that person answers “yes,” the employer or business should have a standard exception process to work with that person to ensure the freeze is temporarily lifted, or approval for the credit check is given, so the employer or business can perform the credit check.
  • Retailers offering point-of-sale credit offers should consider ensuring their offer disclosures include a statement that people with credit freezes may not be eligible for the offer due to the inability to verify their credit history. For those businesses which use sales associates to offer point-of-sale promotions, consider requiring them to ask whether the consumer has a credit freeze in place, and if so notify them if the freeze renders them ineligible for the offer.

Employers and businesses should also know which credit bureau(s) they use for background checks, and be prepared to provide this information to make it as easy as possible for a prospective employee or customer to implement a temporary lift of the credit freeze. It may be worth having a short URL handy which can be provided to a prospective employee or customer who wants to temporarily lift their credit freeze to enable them to take advantage of the offer on the spot or at a later time.

2. Enable multi-factor authentication for access to online services and consumer portals.

Most businesses use a username and password as access credentials. Some, but not all, have moved to a more secure mechanism known as multi-factor authentication. Multi-factor authentication requires a user to present, in addition to a username, two or more of the following “authentication factors” to validate the user’s identity: (1) something you know (e.g., a password), (2) something you have (e.g., a hardware token, an authenticator app, or a phone, which proves possession by producing or receiving a one-time code), and (3) something you are (e.g., a fingerprint or facial recognition). Each factor must be independent of the others, so that compromising one does not reveal another; two “something you know” elements, such as a password plus the answer to a challenge question, are not two factors, and NIST’s current digital identity guidelines (SP 800-63B) do not recognize knowledge-based questions as an authenticator at all. Other signals, such as geolocation or time-of-day access restrictions, can be layered on as well. The most commonly known form of multi-factor authentication is two-factor authentication, where two factors (one of which is typically a password) are required. Multi-factor authentication reduces the chance that a bad actor can successfully use a username and password obtained through a security breach, phishing, or other social engineering, because the password alone is no longer enough to log in. Companies can also use multi-factor authentication to demonstrate to their users (and potential users) that they place a high value on security.

Some companies argue that the burden of additional verification does not outweigh the simplicity of a username/password, especially where the company is not collecting sensitive personal information. However, multi-factor authentication is already an industry standard in certain areas: the current Payment Card Industry Data Security Standard (PCI DSS) requires it for administrative and remote access to systems that handle cardholder data, and it will likely continue to gain traction as an industry standard, or a customer expectation, elsewhere. The National Institute of Standards and Technology (NIST) recommends using multi-factor authentication wherever possible, and its guidelines treat codes delivered by SMS as a weaker, restricted option compared with an authenticator app or hardware token. For companies where multi-factor authentication is not an industry standard or legal requirement, consider offering it anyway, or offering it as an enhanced security option to customers concerned about protecting access to their accounts.

3. Evaluate whether there is a true need to collect SSNs and DOBs from consumers, and/or other creative ways to validate SSN and DOB information.

Companies which collect Social Security Numbers or dates of birth from their users should consider whether the collection of this information is truly required. One of the core tenets of data privacy is the Collection Limitation principle, which advocates for limits on companies’ collection of personal data. HIPAA takes this a step further and applies a “minimum necessary standard” – companies should limit the use and disclosure of collected personal information to the minimum necessary to accomplish the intended purpose. Companies should consider following HIPAA’s “minimum necessary standard” even if they are not subject to HIPAA. With respect to sensitive personal information such as SSN and DOB, companies should look carefully at whether they truly need to collect this information, and for what purpose. If there is another way to accomplish the same goal without collecting the information, consider implementing that alternative approach. Here are two examples:

  • With respect to SSNs, the goal is to be able to confirm that a user knows their SSN without keeping the SSN itself. Summing the digits of the SSN (with or without the digits of a street address) does not achieve this: nine digits sum to a value between 0 and 81, so there are only 82 possible answers, and an attacker who already holds the person’s address (exactly what an Equifax-style breach supplies) can guess the rest in a handful of tries. A better approach is to keep a keyed hash (an HMAC) of the SSN under a key stored separately from the database, and compare the keyed hash of what the user types against the stored value; if the database is stolen without the key, the stored values cannot be turned back into SSNs, whereas a plain hash could be reversed by trying all one billion possibilities. Better still, where a party that already holds the SSN (a credit bureau or identity-verification service) can confirm the match, keep only a flag that verification succeeded.
  • With respect to DOBs, if validating a user’s age (e.g., for COPPA purposes), consider whether the month and year is sufficient, and keep a flag indicating that the age information was verified instead of the month/year information itself.
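As an added example (not code from the original post), the Python below quantifies the digit-sum idea and shows the keyed-hash alternative. The first half counts, for every possible nine-digit string, which sum its digits produce, so you can see how little a digit sum narrows things down; the second half stores an HMAC-SHA256 of the SSN under a key that is assumed to live in a separate key store (a KMS or HSM), and checks a typed SSN against it in constant time. The SSN and key in the demo are constructed sample values.

```python
"""Digit sums are not an identity check; keep a keyed hash instead (added example)."""
import hashlib
import hmac
import os
import re
from typing import Dict

SSN_DIGITS = 9


def digit_sum_counts(n_digits: int = SSN_DIGITS) -> Dict[int, int]:
    """Map each possible digit sum to the number of n-digit strings producing it.

    Built one digit at a time, so the counts total exactly 10**n_digits.
    """
    counts = {0: 1}
    for _ in range(n_digits):
        nxt: Dict[int, int] = {}
        for total, ways in counts.items():
            for d in range(10):
                nxt[total + d] = nxt.get(total + d, 0) + ways
        counts = nxt
    return counts


def best_single_guess(n_digits: int = SSN_DIGITS) -> float:
    """Probability that guessing the most common digit sum is right on the first try."""
    counts = digit_sum_counts(n_digits)
    return max(counts.values()) / 10 ** n_digits


def normalize_ssn(raw: str) -> str:
    """Drop separators; refuse anything that is not exactly nine digits."""
    digits = re.sub(r"\D", "", raw)
    if len(digits) != SSN_DIGITS:
        raise ValueError("an SSN has exactly nine digits")
    return digits


def ssn_token(ssn: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256) of the SSN: store this, never the SSN.

    The key must be kept apart from the database (KMS/HSM or a separate
    secret store).  The SSN space is only 10**9, so key plus token lets an
    attacker recover the SSN by brute force; the token alone is inert.
    """
    return hmac.new(key, normalize_ssn(ssn).encode("ascii"), hashlib.sha256).hexdigest()


def ssn_matches(candidate: str, stored_token: str, key: bytes) -> bool:
    """Recompute the token for what the user typed and compare in constant time."""
    try:
        token = ssn_token(candidate, key)
    except ValueError:
        return False
    return hmac.compare_digest(token, stored_token)


if __name__ == "__main__":
    counts = digit_sum_counts()
    print(f"distinct digit sums: {len(counts)} (0..{max(counts)})")
    print(f"first-guess success on the most common sum: {best_single_guess():.1%}")
    print(f"first-guess success on the SSN itself: {1 / 10 ** SSN_DIGITS:.1e}")

    key = os.urandom(32)                     # in production: fetched from a KMS/HSM, never stored with tokens
    stored = ssn_token("123-45-6789", key)   # constructed sample SSN
    print("stored token:", stored)
    print("user typed 123456789:", ssn_matches("123456789", stored, key))   # True
    print("user typed 123456780:", ssn_matches("123456780", stored, key))   # False
```

The first print lines make the point numerically: 82 possible sums, with the most common one covering several percent of all SSNs, against a one-in-a-billion chance of guessing the number itself.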

4. Review and freshen (or implement) their incident response and incident communications plan(s).

To many, Equifax’s response has been a lesson in how not to manage communications regarding a security breach. Companies should take the opportunity to learn from Equifax’s missteps and review and freshen up their incident response and incident communication plan(s). For companies still without an incident response/incident communications plan, now is the time to ensure one is in place. A few things to consider:

  • According to press reports, since confirmed by Equifax, the breach stemmed from the failure to timely apply a security update to the Apache Struts web framework; the vulnerability identified was CVE-2017-5638, for which a fix had been available since March 2017, roughly two months before the intrusion began. As part of incident response preparedness, work with IT to ensure your company keeps an inventory of the third-party components and frameworks in its applications (you cannot patch what you do not know you run), actively monitors for security patches to them, applies critical patches within a defined, short time frame, and verifies afterwards that the patch actually reached every affected system.
  • There have been numerous reports regarding sales of Equifax stock valued at $1.8 million by three senior Equifax executives within days of Equifax’s discovery of the breach. While Equifax has stated that the executives were not aware of the breach, whether or not the executives (including the CFO and President of US Information Systems) had knowledge doesn’t really matter – the perception and optics of it are awful in the eyes of the public, the SEC, and state attorneys general. Consider ensuring that the entire senior team is notified immediately in the event of a security breach, and have your General Counsel or external breach counsel discuss with them the risks of continuing with any automated stock sale programs in light of the breach.

5. Consider offering credit monitoring as an employee benefit.

Finally, employers may want to consider adding credit monitoring as an employee benefit, by offering subsidized or free credit monitoring services to their employees through a partnership with a credit bureau or a third-party provider such as AllClear ID. While there are some questions as to the value of credit monitoring in protecting against identity theft, services that notify you and/or require your approval before a new account is opened can be very valuable in fighting identity theft. As the possibility of identity theft is becoming a fact of life in the 21st century, companies may find it beneficial to help their employees guard their identity. Among other benefits to companies, minimizing identity theft reduces the time employees need to take away from work, whether as PTO or lost productivity, to deal with the repercussions of having their identity stolen, and provides employees with increased peace of mind with respect to identity protection.

Eric Lambert has spent most of his legal career working in-house as a proactive problem-solver and business partner. He specializes in transactional agreements, technology/software/e-commerce, privacy, marketing and practical risk management. Any opinions in this post are his own. This post does not constitute, nor should it be construed as, legal advice. He is a technophile and Internet evangelist/enthusiast. In his spare time Eric dabbles in voice-over work and implementing and integrating connected home technologies.

The What, Why and How of SLAs, aka Service Level Agreements (part 2)

Every company uses technology vendors, such as Software-as-a-Service providers, to provide critical components of their business operations. One pervasive issue in technology vendor agreements is the vendor’s commitment to the levels of service the customer will receive.  A representation to use commercially reasonable efforts to correct product defects or nonconformity with product documentation may not be sufficient for a customer relying on a technology vendor’s service for a mission-critical portion of its business. In this situation, the vendor may offer (and/or a customer may require) a contractual commitment as to the vendor’s levels of service and performance, typically called a “Service Level Agreement” or “SLA.” Service Level Agreements (SLAs) ensure there is a meeting of the minds between a vendor and its customer on the minimum service levels to be provided by that vendor.

In Part 1 of this post, I walked through uptime and issue resolution SLAs.  In this second part, I cover other types of technology SLA commitments, SLA remedies, and other things to watch for.

Other Types of Commitments in SLAs

Other common types of SLAs in technology agreements include latency SLAs and customer service SLAs.

Latency SLAs. “Latency” is the time it takes for a request to reach a server, be processed, and for the response to come back. For example, when you load a webpage, a request is sent to a web server, the server processes it, and sends a response with the code to render the page in the user’s browser. Latency is affected by the geographic location of servers, network/Internet capacity, and server optimization, among other factors. For companies using a vendor to provide services as part of their client-facing systems (e.g., an address verification service), minimizing latency to ensure a high level of performance is critical. A latency SLA is a commitment to a maximum round-trip response time for a request to the vendor’s service. Because a handful of slow requests will always occur, such a commitment is usually stated for a percentile of requests over the measurement period (e.g., 95% or 99% of requests answered within a stated number of milliseconds) rather than as an absolute maximum for every request. Latency SLAs typically exclude the time it takes to get from the customer’s server to the boundary of the vendor’s network, and vice versa, as this is outside the vendor’s control.

Customer Service SLAs. In some vendor relationships, ensuring the prompt provision of customer support is a critical component of the relationship. For example, if a vendor is providing support to a customer’s clients or employees, or is providing level 2 escalation support, customer support SLA commitments may be important to the customer to ensure a high level of service. Customer support commitments often include time to first response (the time from submission of a request to the time an agent opens the ticket and begins working on it); time to resolution (total time needed to resolve the issue); speed to answer, usually expressed as a service level (the percent of calls answered within a maximum time, e.g., 85% of calls within 30 minutes, or the percent of emails answered within a maximum time, e.g., 90% of emails within 4 business hours); and abandonment rate (the maximum percentage of calls abandoned by the caller while waiting in queue for an agent).

SLA Remedies

In order to ensure the service level commitments made by a vendor have teeth, the SLA should have remedies available to the customer in the event of a failure to meet one or more SLA commitments. The remedies are often the most heavily negotiated section of the SLA. There are a variety of remedies that can be applied in the event of a SLA failure.

Service Credits. One of the more common forms of remedy is a service credit, often a percentage of fees paid by the customer for the period in which the SLA failure occurred.  For example, if a vendor fails to meet a 99.9% monthly SLA, a service credit equal to a percentage of the monthly fees paid by the customer would be applied to the next monthly invoice.  A credit is often provided on a tiered basis, up to 100% of the fees for the relevant period based on the size of the SLA miss. Vendors may want to include language ensuring that if multiple credits are available for the same reporting period (e.g., a credit for failure to meet the uptime SLA as well as the issue resolution SLA), only the greater credit will apply.  The credit is usually applied to the next invoice, or if there will be no additional invoice, paid directly to the customer.  For a service credit related to an uptime SLA commitment, instead of a percentage of fees some vendors will offer a credit equal to the fees earned by the vendor during the period of time during which the Service was unavailable during the previous measurement period (or an average of the amount during previous measurement periods), under the theory that the credit is an accurate reflection of the actual fees that would have been earned by the vendor had the service been available in compliance with the SLA.  Customers should carefully consider what fees are used to calculate the credit – customers will want this to be as inclusive as possible.

Termination. In the event of a SLA failure, another remedy commonly offered by vendors is a right to terminate. Vendors typically put restrictions around the exercise of this right, e.g., termination is the sole and exclusive remedy available; termination is limited to the service subject to the SLA failure, not the entire service agreement; it is offered on a “use it or lose it” right which can only be exercised for a period of time following the measurement period in which the SLA failure giving rise to the termination right arose; or the right to terminate is only triggered by multiple failures, such as failure to meet its SLA commitments in three (3) consecutive months or any two (2) out of three (3) consecutive calendar quarters. Customers should carefully consider whether the limits on these rights are appropriate (e.g., ensure that “sole and exclusive remedy” applies only to a SLA failure, and would not preclude the customer enforcing its rights and remedies for any other breaches of the vendor agreement; ensure a right to terminate extends to the entire service agreement if the affected service component is a significant portion of the value of the relationship to the customer; etc.)

Other creative remedies. Vendors and customers should consider whether other creative remedies for a breach of the SLA, such as waiver of fee minimums, waiver or imposition of other contractual obligations, or provision of additional services (e.g., a certain number of free hours of professional services), may be an appropriate remedy for the customer and an appropriate motivator for the vendor to meet its SLA commitments.

Closing Thoughts – Things to Watch For

  • Remember that most vendors are trying to provide as close to 100% uptime as possible, and the best possible service they can to their clients. A SLA is intended to be a floor on performance, not a ceiling.
  • Some vendors do not include a SLA in their standard service agreement, instead letting customers ask for one. In my experience, fewer customers ask for a SLA than you’d think. It’s always a good idea to ask a vendor to include their SLA with the service agreement at the outset of the contract negotiation process.
  • If the vendor will not agree to include a SLA, ask them why.
    • In some cases, vendors will not provide a SLA with credits to all but their largest clients, relying on the fact that as a multi-tenant platform all clients receive the benefit of the SLAs provided to their largest clients. In this event, customers should consider whether to fight for a direct SLA or rely on their commitments to larger clients (which commitments may change over time).
    • If you can’t get a SLA from a vendor, customers should consider whether to push for a termination for convenience right (and refund of prepaid but unaccrued fees) in the event they are dissatisfied with the service levels they are receiving from the vendor.
    • Customers should also ask whether the service is truly a mission-critical service. If not, it may be worth considering how hard to fight for the SLA, or if the customer can offer to concede the SLA to win on another open negotiation point of greater importance.
  • Customers should watch for language in the vendor agreement that gives the vendor the right to unilaterally change terms of the agreement, instead of having changes mutually agreed upon. This unilateral right is often broad enough to allow a vendor to change the terms of the SLA as well. If so, customers may seek to limit the scope to exclude the SLA, or ensure that the agreement includes a termination right as described above.


The What, Why and How of SLAs, aka Service Level Agreements (part 1)

Every company uses technology vendors, such as Software-as-a-Service providers, to provide critical components of their business operations. One pervasive issue in technology vendor agreements is the vendor’s commitment to the levels of service the customer will receive.  A representation to use commercially reasonable efforts to correct product defects or nonconformity with product documentation may not be sufficient for a customer relying on a technology vendor’s service for a mission-critical portion of its business. In this situation, the vendor may offer (and/or a customer may require) a contractual commitment as to the vendor’s levels of service and performance, typically called a “Service Level Agreement” or “SLA.” Service Level Agreements (SLAs) ensure there is a meeting of the minds between a vendor and its customer on the minimum service levels to be provided by that vendor.

At a high level, a SLA does three things:

  1. Describes the types of minimum commitments the vendor will make with respect to levels of service provided by the vendor;
  2. Describes the metrics by which the service level commitments will be measured; and
  3. Describes the rights and remedies available to the customer if the vendor fails to meet their commitments.

In many cases, a SLA is presented as an exhibit or appendix to the vendor agreement (and not a separate agreement). In others, a SLA may be presented as a separate document available on a vendor’s website.  Think of the former as a customer-level SLA which is stated directly in (and quite often negotiated on a customer-by-customer basis as part of) the service agreement with that customer, and the latter as a service-level SLA which the vendor wants to apply equally to every user of its service.

In this two-part post, I’ll explain the contents of, reasons for, and important tips and tricks around technology SLAs.  Part 1 will cover uptime and issue resolution SLAs.  Part 2 will cover other types of technology SLA commitments, SLA remedies, and other things to watch for.

Common types of commitments in SLAs

The most common types of commitments found in technology SLAs are the uptime commitment and the issue resolution commitment.

Uptime SLA Commitment

An uptime commitment is generally provided in connection with online services, databases, and other systems or platforms (a “Service”). A technology vendor will commit to a minimum percentage of Service availability during specified measurement periods. This percentage is typically made up of nines, e.g., 99% (“two nines”), 99.9% (“three nines”), 99.99% (“four nines”), 99.999% (“five nines”), etc. Some SLAs will use “.5” instead of “.9”, for example, 99.5% or 99.95%. Uptime is typically calculated as follows:

Uptime % = (total minutes in the measurement period − minutes of Downtime in that period) / total minutes in the measurement period × 100

Definitions are key. The right definitions can make all the difference in the effectiveness of an uptime SLA commitment. Vendors may gravitate towards a narrower definition of “Downtime” (also called “Unavailability” in some SLAs) to ensure they are able to meet their uptime commitment, e.g., by excluding a slowdown that makes the Service hard (but not impossible) to use. Customers should look carefully at this definition to ensure it covers any situation in which they cannot receive substantially all of the value of the Service. For example, consider the difference between Unavailability/Downtime as a period of time during which the Service fails to respond or resolve, versus a period of time during which a material (or non-material) function of the service is unavailable. The SLA should define when the period of Unavailability/Downtime starts and ends, e.g., starting when the vendor first learns of the issue, and ending when the Service is substantially restored or a workaround is in place; customers should look at this carefully to ensure it can be objectively measured.

Mind the measurement period. Some vendors prefer a longer (e.g., quarterly) measurement period, as a longer measurement period reduces the chance a downtime event will cause a vendor to miss its uptime commitment. Customers generally want the period to be shorter, e.g., monthly.

Consider whether the uptime percentage makes sense in real numbers. Take the time to actually calculate how much downtime is allowed under the SLA – you may be surprised. For a month with 30 days:

  • 99% uptime = 432 minutes (7 hours, 12 minutes) of downtime that month
  • 99.5% uptime = 216 minutes (3 hours, 36 minutes) of downtime that month
  • 99.9% uptime = 43.2 minutes of downtime that month
  • 99.99% uptime = 4.32 minutes of downtime that month
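As an added example (not part of the original post), the Python below does the arithmetic above for any uptime percentage and measurement period, and then scores a constructed sample period against the commitment, applying the kinds of exclusions described later in this post (scheduled maintenance and a de minimis threshold). It shows, for instance, that a single 60-minute outage misses a monthly 99.9% commitment but comfortably passes the same commitment measured over a 90-day quarter, which is exactly why vendors prefer the longer period. The outages in the demo are made-up values.

```python
"""Uptime arithmetic for an SLA (added example).

Converts a percentage into the minutes of downtime it allows, then scores
a measurement period against it, honouring the exclusions an SLA usually
carries (scheduled maintenance, force majeure, customer-side causes) and a
de minimis threshold below which short blips are not counted.
"""
from dataclasses import dataclass
from typing import List

MINUTES_PER_DAY = 24 * 60


def allowed_downtime_minutes(uptime_pct: float, days: int) -> float:
    """Minutes of counted Downtime a given uptime commitment permits over `days`."""
    return (100.0 - uptime_pct) * days * MINUTES_PER_DAY / 100.0


@dataclass
class Outage:
    minutes: float
    cause: str = "unplanned"
    excluded: bool = False   # True for scheduled maintenance, force majeure, customer-side faults


def counted_downtime(outages: List[Outage], de_minimis_minutes: float = 0.0) -> float:
    """Sum only the outages that count under the SLA's definition of Downtime."""
    return sum(o.minutes for o in outages
               if not o.excluded and o.minutes >= de_minimis_minutes)


def measured_uptime_pct(days: int, outages: List[Outage], de_minimis_minutes: float = 0.0) -> float:
    """(total minutes - counted Downtime) / total minutes, as a percentage."""
    total = days * MINUTES_PER_DAY
    return 100.0 * (total - counted_downtime(outages, de_minimis_minutes)) / total


def sla_met(uptime_pct: float, days: int, outages: List[Outage], de_minimis_minutes: float = 0.0) -> bool:
    """True when the measured uptime for the period reaches the commitment."""
    return measured_uptime_pct(days, outages, de_minimis_minutes) >= uptime_pct


if __name__ == "__main__":
    for pct in (99.0, 99.5, 99.9, 99.95, 99.99):
        print(f"{pct:>6}% over 30 days allows {allowed_downtime_minutes(pct, 30):7.2f} min "
              f"(90-day quarter: {allowed_downtime_minutes(pct, 90):7.2f} min)")

    # Constructed sample period: one 60-minute incident plus a 90-minute announced maintenance window.
    period = [Outage(60, "database failover"), Outage(90, "scheduled maintenance", excluded=True)]
    print("99.9% met over a 30-day month:", sla_met(99.9, 30, period))    # False: 60 > 43.2
    print("99.9% met over a 90-day quarter:", sla_met(99.9, 90, period))  # True: 60 < 129.6

    # Three 4-minute blips: counted under a strict definition, invisible under a 5-minute de minimis.
    blips = [Outage(4), Outage(4), Outage(4)]
    print("counted with no threshold:", counted_downtime(blips))
    print("counted with 5-minute de minimis:", counted_downtime(blips, 5))
```

Run it as written to reproduce the table above; change the `days` argument or the `de_minimis_minutes` threshold to see how much the measurement period and the exclusion language move the result for the same outages.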

One critical question customers should ask is whether a Service is mission-critical to its business.  If it’s not, a lower minimum uptime percentage may be acceptable for that service.

Some vendors may offer a lower uptime commitment outside of business hours, e.g., 99.9% from 6am to 10pm weekdays, and 99% all other times. Again, as long as this works for a customer’s business (e.g., the customer is not as concerned with downtime off-hours), this may be fine, but it can make it harder to calculate.

Ensure the Unavailability/Downtime exclusions are appropriate. Uptime SLAs generally exclude certain events from downtime even though the Service may not be available as a result of those events. These typically include unavailability due to a force majeure event or an event beyond the vendor’s reasonable control; unavailability due to the equipment, software, network or infrastructure of the customer or their end users; and scheduled maintenance.  Vendors will often seek to exclude a de minimis period of Unavailability/Downtime (e.g., less than 5/10/15 minutes), which is often tied to the internal monitoring tool used by the vendor to watch for Service unavailability/downtime. If a vendor wouldn’t know if a 4-minute outage between service pings even occurred, it would argue that the outage should not count towards the uptime commitment.

Customers should make sure there are appropriate limits to these exclusions (e.g., force majeure events are excluded provided the vendor has taken commercially reasonable steps to mitigate the effects of such events consistent with industry best practices; scheduled maintenance is excluded provided a reasonable amount of advance written notice is provided). Customers should watch out for overbroad SLAs that try to exclude maintenance generally (including emergency maintenance). Customers may also want to ensure uptime SLAs include a commitment to take reasonable industry-standard precautions to minimize the risk of downtime (e.g., use of no less than industry-standard anti-virus and anti-malware software, firewalls, and backup power generation facilities; use of redundant infrastructure providers; etc.).

Don’t overlook SLA achievement reporting. One important thing customers should look for in a SLA is how the vendor reports on SLA achievement metrics, which can be critical to know when a remedy for a SLA failure may be available. Vendors may place the burden on the customer to provide notice of a suspected uptime SLA failure within a specified amount of time following the end of the measurement period, in which case the vendor will review uptime for that period and verify whether the failure occurred. However, without proactive metrics reporting, a customer may only have a suspicion of a SLA failure, not actual facts. Customers using a mission-critical system may want to consider asking for proactive reporting of SLA achievement within a certain amount of time following each calendar month.

Issue Resolution SLA Commitment

Of equal importance to an uptime commitment is ensuring that a Service issue (downtime or otherwise) will be resolved as quickly as possible. Many technology SLAs include a service level commitment for resolution of Service issues, including the levels/classifications of issues that may occur, a commitment on acknowledging the issue, and a commitment on resolving the issue. The intent of both parties should be to agree on a commitment that gives customers assurance that the vendor is exerting reasonable and appropriate efforts to resolve Service issues.

Severity Levels. Issue resolution SLAs typically include 3 to 5 “severity levels” of issues. Consider the following impact classifications:

Impact      | Example Classification
Critical    | The Service is Unavailable
High        | An issue causing one or more critical functions to be Unavailable or disrupting the Service, or an issue which is materially impacting performance or availability
Medium      | An issue causing some impact to the Service, but not materially impacting performance or availability
Low         | An issue causing minimal impact to the Service
Enhancement | The Service is not designed to perform a desired function

Issue resolution SLAs typically use some combination of these to group issues into “severity levels.” Some group critical and high impact issues into Severity Level 1; some do not include a severity level for enhancements, instead allowing them to be covered by a separate change order procedure (including it in the SLA may be the vendor’s way of referencing a change order procedure for enhancements). Vendors may include language giving them the right to reclassify an issue into a lower severity level with less stringent timeframes. Customers should consider whether they need the ability to object to (and block) a reclassification if they disagree that the issue should be reclassified.

Acknowledgment Commitment. Issue resolution SLAs typically include a commitment to acknowledge the issue. As with the uptime SLA, the definition of the acknowledgment timeframe is important (when it starts and when it ends). A vendor will typically define this as the period from the time it is first notified of or becomes aware of the issue to the time the initial communication acknowledging the issue is provided to the customer. Customers should look at the method of communication (e.g., a post to the vendor’s support page, a tweet through their support Twitter account, an email, a required phone call from the customer’s account representative, etc.) and determine whether a mass communication method versus a personal communication method is important.

For critical and high impact issues, vendors (especially those operating multi-tenant environments) will often not offer a specific acknowledgment commitment, instead offering something like “as soon as possible depending on the circumstances.”  The argument for this is that for a critical or high impact issue, a vendor wants all available internal resources triaging and working the problem, not reaching out to customers to tell them there is a problem. In many cases, this may be sufficient for a customer provided there is some general acknowledgment provided to a support page, support Twitter account, etc. to alert customers that there is an issue. In others, a customer may want to push for their account representative, or a vendor representative not involved in triaging the problem such as an account executive, to acknowledge the issue within a fixed amount of time, putting the burden on the vendor to ensure it has appropriate internal communication processes in place.

Resolution Commitment. Issue resolution SLAs also typically include a time commitment to resolve the issue. One important thing to focus on here is what “resolve” means. Vendors may define it as the implementation of a permanent fix or a workaround that temporarily resolves the problem pending the permanent fix; in some cases, vendors may also define it as the commencement of a project to implement a fix. Customers should ensure that a vendor promptly implements a permanent fix if a workaround is put in place, and that failure to do so is a failure under the SLA. Many vendors are reluctant to provide a firm issue resolution timeframe, as the time required to resolve or implement a workaround depends on the issue itself, and are often unwilling to negotiate the resolution commitment or commit to a fixed timeframe for resolution. Customers should ensure the resolution commitment is reasonable and that the vendor is doing everything it can to correct issues. For example, for critical and high impact issues, consider an issue resolution commitment of “as soon as possible using continuous diligent efforts” – as long as the vendor is working diligently and continuously to fix the issue, they’re in compliance with the SLA. For lower impact issues, consider a commitment to implement a fix or workaround in the ordinary course of business.
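The severity, acknowledgment and resolution commitments discussed above can be checked mechanically against a ticket timeline. The following is an added example written for this post, not any vendor's SLA tooling: the severity table, its time windows, the ticket fields and the four sample tickets are all constructed assumptions. It encodes three of the negotiating points above: a reclassification only stands if the customer did not object, a workaround counts as resolution only if the permanent fix follows within an agreed window, and a “continuous diligent efforts” commitment has no clock to check (it is judged on evidence of effort), so only the fixed-window severities get a resolution deadline.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Assumed severity commitments (placeholders, not any vendor's actual SLA).
#   ack:                  window from notification to the first acknowledging communication
#   resolve:              fixed window to a fix or workaround; None means "as soon as possible
#                         using continuous diligent efforts", which has no clock to check
#   fix_after_workaround: time allowed for a permanent fix once a workaround is in place
SEVERITY_SLA = {
    "SEV1": {"ack": timedelta(minutes=15), "resolve": None, "fix_after_workaround": timedelta(days=10)},
    "SEV2": {"ack": timedelta(hours=1), "resolve": None, "fix_after_workaround": timedelta(days=30)},
    "SEV3": {"ack": timedelta(hours=8), "resolve": timedelta(days=5), "fix_after_workaround": timedelta(days=60)},
    "SEV4": {"ack": timedelta(days=2), "resolve": timedelta(days=30), "fix_after_workaround": None},
}


@dataclass
class Ticket:
    severity: str                            # severity as reported by the customer
    reported: datetime                       # vendor notified of / became aware of the issue
    acknowledged: Optional[datetime] = None  # first communication back to the customer
    workaround: Optional[datetime] = None
    permanent_fix: Optional[datetime] = None
    reclassified_to: Optional[str] = None    # vendor's proposed lower severity, if any
    customer_objected: bool = False          # customer exercised its right to block reclassification


def effective_severity(t: Ticket) -> str:
    """A vendor reclassification only stands if the customer did not object."""
    if t.reclassified_to and not t.customer_objected:
        return t.reclassified_to
    return t.severity


def evaluate_ticket(t: Ticket, now: datetime) -> Dict[str, object]:
    """Return the SLA failures visible on this ticket as of `now`."""
    sev = effective_severity(t)
    terms = SEVERITY_SLA[sev]
    failures: List[str] = []

    # acknowledgment clock: notification -> first communication
    ack_deadline = t.reported + terms["ack"]
    if t.acknowledged is None:
        if now > ack_deadline:
            failures.append("acknowledgment overdue")
    elif t.acknowledged > ack_deadline:
        failures.append("acknowledged late")

    # "resolve" = permanent fix or workaround, whichever came first
    candidates = [x for x in (t.workaround, t.permanent_fix) if x is not None]
    resolved_at = min(candidates) if candidates else None
    if terms["resolve"] is not None:
        deadline = t.reported + terms["resolve"]
        if resolved_at is None and now > deadline:
            failures.append("resolution overdue")
        elif resolved_at is not None and resolved_at > deadline:
            failures.append("resolved late")

    # a workaround is not the end: the permanent fix must follow within the window
    window = terms["fix_after_workaround"]
    if t.workaround is not None and t.permanent_fix is None and window is not None:
        if now > t.workaround + window:
            failures.append("permanent fix overdue after workaround")

    return {"severity": sev, "failures": failures, "compliant": not failures}


# Constructed sample tickets, all evaluated as of the same moment.
NOW = datetime(2024, 8, 15, 12, 0)
SAMPLE_TICKETS = [
    # SEV1 acknowledged after 20 minutes; vendor tried to downgrade it, customer objected
    Ticket("SEV1", datetime(2024, 6, 1, 9, 0), acknowledged=datetime(2024, 6, 1, 9, 20),
           workaround=datetime(2024, 6, 1, 12, 0), permanent_fix=datetime(2024, 6, 5, 9, 0),
           reclassified_to="SEV2", customer_objected=True),
    # SEV3 with a workaround on day 3 but no permanent fix more than 60 days later
    Ticket("SEV3", datetime(2024, 6, 1, 9, 0), acknowledged=datetime(2024, 6, 1, 10, 0),
           workaround=datetime(2024, 6, 3, 9, 0)),
    # SEV4 acknowledged next day and fixed within the 30-day window
    Ticket("SEV4", datetime(2024, 6, 1, 9, 0), acknowledged=datetime(2024, 6, 2, 9, 0),
           permanent_fix=datetime(2024, 6, 20, 9, 0)),
    # same facts as the first ticket, but the customer let the downgrade stand
    Ticket("SEV1", datetime(2024, 6, 1, 9, 0), acknowledged=datetime(2024, 6, 1, 9, 20),
           workaround=datetime(2024, 6, 1, 12, 0), permanent_fix=datetime(2024, 6, 5, 9, 0),
           reclassified_to="SEV2", customer_objected=False),
]

if __name__ == "__main__":
    for t in SAMPLE_TICKETS:
        print(evaluate_ticket(t, NOW))
```

The first and last tickets have identical timelines; the only difference is whether the customer blocked the reclassification, and that alone decides whether the 20-minute acknowledgment was a breach.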

In part 2, I’ll cover other types of technology SLA commitments, SLA remedies, and other things to watch for.

Eric Lambert has spent most of his legal career working in-house as a proactive problem-solver and business partner. He specializes in transactional agreements, technology/software/e-commerce, privacy, marketing and practical risk management. Any opinions in this post are his own. This post does not constitute, nor should it be construed as, legal advice. He is a technophile and Internet evangelist/enthusiast. In his spare time Eric dabbles in voice-over work and implementing and integrating connected home technologies.

The New Revenue Recognition Standards Are Coming – Will You Be Ready?

Most companies measure their financial performance by the revenues and other compensation they earn through their business operations, which in many cases means the sale of goods or provision of services. Knowing when to recognize the proceeds from a sale of goods or provision of services as revenue is therefore critical to financial reporting. For many years, two different rules by two different standards organizations governed revenue recognition:

  1. The Financial Accounting Standards Board (“FASB”)’s Accounting Standards Codification (“ASC”) provides US generally accepted accounting principles (“GAAP”), including those governing revenue recognition. Under the current GAAP revenue recognition rule in ASC 605, revenue recognition varies by industry and in some cases by transaction, which makes revenue recognition a complex and difficult exercise in many situations.
  2. The International Accounting Standards Board (“IASB”)’s International Accounting Standards (“IAS”) provide an international standard for financial statements and accounting. Under the current international revenue recognition rule known as IAS 18, revenue recognition also varies by industry and transaction type, but IAS 18 provides less guidance than ASC 605, making it harder for companies to recognize revenue in a consistent fashion. The IASB is the successor to the International Accounting Standards Council (“IASC”), which originally promulgated the IAS.

Beginning in 2001, the IASB began replacing the IAS with new International Financial Reporting Standards (“IFRS”). In 2002, the FASB and IASB began collaborating on developing an improved, stronger, more robust, more useful, more consistent revenue recognition standard to make revenue recognition simpler and easier to consistently apply. This collaboration bore fruit 12 years later in May 2014, when the FASB and IASB released a converged revenue recognition standard titled Revenue from Contracts with Customers, codified as ASC 606 by FASB and IFRS 15 by IASB. Since 2014, there have been a few amendments (and implementation delays) by the FASB and IASB, and there have been a few small areas where the standards have diverged (e.g., the definition of what “probable” means). Despite this, for the most part the goal of a unified revenue recognition standard remains intact. These new standards will go into effect in December 2017 (for ASC 606) and January 2018 (for IFRS 15). All this background can be summarized in the following table:

[Table image: a tabular representation of the history behind the ASC 606 / IFRS 15 revenue recognition standard.]

Here’s what you need to know about the new twin revenue recognition standards (for simplicity, this analysis is based on ASC 606):

How Revenue Recognition Works Under ASC 606/IFRS 15

To recognize revenue under the new standard, companies must do 5 things: (1) identify a customer contract, (2) identify the distinct performance obligations under that contract, (3) determine the transaction price (expected revenue), (4) allocate the expected revenue to the performance obligations, and (5) recognize allocated revenue when (or as) each performance obligation is satisfied. As stated in ASC 606, “an entity should recognize revenue to depict the transfer of promised goods or services to customers in an amount that reflects the consideration to which the entity expects to be entitled in exchange for those goods or services.” As we go through each step, keep this visual representation in mind:

[Image: ASC 606 Revenue Recognition Diagram]

Step 1 – Identify the contract(s) with a customer. The first step of the revenue recognition process is to identify a contract, i.e., an agreement creating enforceable rights and obligations between two (or more) parties. A contract must be signed or otherwise approved by the parties, must have identifiable rights and payment terms, must have commercial substance, and it must be probable that one party will receive the revenue or other consideration expected from the performance of its obligations (e.g., provision of goods or services). Remember that a contract does not have to be in writing to be considered a contract for revenue recognition purposes – oral or implied contracts may satisfy these requirements.

Step 2 – Identify the contract’s distinct performance obligations. For goods and services contracts, a “performance obligation” is a promise to transfer a good or provide a service to another party. A “distinct” performance obligation is one that benefits the recipient alone or with other readily available resources (e.g., delivery of a computer that is usable with power and Internet access obtained separately) and can be identified separately from other obligations under the contract (e.g., if a company is delivering 5 computers, delivery of all 5 computers should be combined into a single performance obligation). A series of distinct performance obligations that are substantially similar can still be treated as individual performance obligations (e.g., delivery of a new computer at the start of each quarter during a calendar year, 4 new computers total). In a services agreement such as a SaaS contract, implementation obligations and the provision of services may be separate obligations. A SaaS company may look at its distinct performance obligation as providing a service each day during the term of the Agreement, so each day would be a distinct performance obligation.

Step 3 – Determine the transaction price. The “transaction price” is the expected payment and other consideration to be paid/provided in return for satisfaction of the performance obligations. Financial consideration can usually be grouped into fixed (stated in the contract) vs. variable (contingent on the occurrence or non-occurrence of a future event). For variable consideration, companies should look at the expected value taking into account the potential for changes in the variable payment component. If compensation for a performance obligation will be deferred, and not paid contemporaneously with the satisfaction of the performance obligation, the present value of the deferred compensation should be considered. Non-cash compensation (e.g., bartered goods or services) should be measured at fair value, or if not available the standalone selling price. Other consideration such as coupons or vouchers may need to be deducted from the transaction price. For SaaS companies that use a tiered pricing structure and monthly or annual minimums, calculating the expected revenue can be tricky (e.g., by using a probability-weighted methodology).

Step 4 – Allocate the transaction price to the performance obligations. If your contract has one performance obligation, you’re already done with this step. If not, the next step is to allocate the transaction price among each distinct performance obligation, i.e., to separate the transaction price into each discrete “piece” of consideration a party expects to receive from satisfying the associated performance obligation. This can be done by allocating the standalone selling price (i.e., the price at which the good would be sold separately) to the performance obligation, or where that standalone price is not available, the selling entity should estimate it by utilizing as many observable data points as possible to come up with the best estimate possible. ASC 606 includes examples of estimation methods. If a company provides a discount, the discount should be allocated proportionally among the expected revenue for the performance obligations to which the discount applies.

Step 5 – Recognize allocated revenue when (or as) the performance obligations are satisfied. The final step is to recognize each allocation of the transaction price as each distinct performance obligation is satisfied (i.e., the promised good or service is transferred to the recipient). For physical assets, transfer occurs when the recipient obtains control of the asset. For services, a performance obligation is satisfied when the benefits from the provider’s performance are received and utilized, the provider’s performance creates and/or enhances an asset in the recipient’s control, or the provider’s performance creates a payment right without creating an asset with an alternative use to the recipient (e.g., a company is contractually restricted from using a provided service for other purposes). Performance obligations may be satisfied on a specific date (e.g., for delivery of goods) or over a specific time period (e.g., for delivery of services). If satisfied over a time period, revenue may be recognized based on the progress towards satisfying the performance obligation.
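Steps 3 through 5 are arithmetic once the obligations are identified, and the SaaS case above (implementation as a separate obligation, each day of service as a distinct obligation) makes a good worked example. The code below is an added illustration for this post, not an implementation published by the FASB, the IASB or any accounting firm; the contract, its prices, the go-live date and the overage probabilities are constructed assumptions, and the simple proportional-to-standalone-price allocation is the one method the post names, not the only one ASC 606 permits.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional, Tuple


@dataclass
class Obligation:
    name: str
    standalone_price: float               # standalone selling price used for allocation
    satisfied_on: Optional[date] = None   # point-in-time obligation (e.g. delivery, go-live)
    start: Optional[date] = None          # over-time obligation: first day of service (inclusive)
    end: Optional[date] = None            # over-time obligation: day after the last day of service


def expected_variable_consideration(outcomes: List[Tuple[float, float]]) -> float:
    """Step 3: probability-weighted expected value of a variable component such as
    usage overage charges. outcomes = [(amount, probability), ...]."""
    total_p = sum(p for _, p in outcomes)
    if abs(total_p - 1.0) > 1e-9:
        raise ValueError("probabilities must sum to 1")
    return sum(amount * p for amount, p in outcomes)


def allocate(transaction_price: float, obligations: List[Obligation]) -> Dict[str, float]:
    """Step 4: allocate in proportion to standalone selling prices, which spreads any
    contract-level discount proportionally across the obligations."""
    total_ssp = sum(o.standalone_price for o in obligations)
    return {o.name: transaction_price * o.standalone_price / total_ssp for o in obligations}


def recognized_through(as_of: date, transaction_price: float,
                       obligations: List[Obligation]) -> Dict[str, float]:
    """Step 5: a point-in-time obligation is recognized in full once satisfied; an
    over-time obligation is recognized day by day (each day of service being a
    distinct obligation), measured as elapsed days over total days."""
    allocation = allocate(transaction_price, obligations)
    recognized: Dict[str, float] = {}
    for o in obligations:
        amount = allocation[o.name]
        if o.satisfied_on is not None:
            recognized[o.name] = amount if o.satisfied_on <= as_of else 0.0
        else:
            total_days = (o.end - o.start).days
            elapsed = min(max((as_of - o.start).days + 1, 0), total_days)
            recognized[o.name] = round(amount * elapsed / total_days, 2)
    return recognized


# Constructed SaaS contract: an implementation service plus a one-year subscription,
# sold for a fixed 12,600 against standalone prices totalling 14,000 (a 1,400 discount).
CONTRACT_OBLIGATIONS = [
    Obligation("implementation", standalone_price=2000.0, satisfied_on=date(2023, 1, 10)),
    Obligation("subscription", standalone_price=12000.0, start=date(2023, 1, 1), end=date(2024, 1, 1)),
]
FIXED_FEE = 12600.0
# Constructed overage scenarios: 60% chance of none, 30% of 1,000, 10% of 3,000.
OVERAGE_OUTCOMES = [(0.0, 0.6), (1000.0, 0.3), (3000.0, 0.1)]

if __name__ == "__main__":
    price = FIXED_FEE + expected_variable_consideration(OVERAGE_OUTCOMES)
    print("transaction price:", price)
    print("allocation:", allocate(price, CONTRACT_OBLIGATIONS))
    print("recognized through 2023-01-31:", recognized_through(date(2023, 1, 31), price, CONTRACT_OBLIGATIONS))
```

With the fixed fee alone, the 1,400 discount lands 200 on implementation and 1,200 on the subscription (1,800 and 10,800 allocated respectively); by January 31 the implementation amount is recognized in full and 31/365 of the subscription has been earned.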

Get Prepared Now

While it may seem like there is plenty of time to prepare for the implementation of the new revenue recognition standard, there’s a lot of work that needs to be done to be ready, including the following:

  • Learn the details. It’s important to note that this article represents a very high-level summary of the new revenue recognition standard. Having a more in-depth understanding of the new standard and how it applies to your company and its costing models/contracts is critical. There is an abundance of articles, seminars, and other publicly-available materials available on ASC 606 and IFRS 15. Also, talk with your accounting firm on what they have done as a firm to prepare, and their recommended action plan for your business – they may have some great materials they can provide to get you and your company up to speed.
  • A lot of work can be done proactively. Conduct a proactive review of existing contracts, contractual obligations, and other revenue sources that may be classified as a “contract” subject to the new revenue recognition standard. Analyze each to determine the distinct performance obligations, and determine the transaction price. Work with your accountants to allocate the transaction price among the performance obligations.
  • Review (and update if necessary) contract templates. Accounting should partner with Legal and Sales to review sales proposal templates and contract templates describing or creating performance obligations. Review all standard variations of pricing offered to clients to identify any issues under the new revenue recognition standards. Consider whether warranties, returns language, or other contractual terms create distinct performance obligations and how they can be satisfied. Make any updates as necessary to ensure your templates align with the new standards going forward.
  • Create a plan. Assign a resource to manage the process of preparing for the new standard. Consider creating a cross-departmental group to meet regularly to discuss progress and assign tasks. Consider what internal education will need to be done to prepare employees and groups for the new standard, what changes to internal or third party systems may be required, what additional disclosures may be required, whether internal policies will need to be updated or created, and what changes may be needed to internal processes. Secure the support of executive sponsors, such as the CFO and CEO. If you have personnel who were involved in rolling out SOX compliance in the early 2000s, talk to them about lessons learned to avoid repeating the mistakes of the past.

Eric Lambert is Assistant General Counsel and Privacy Officer at CommerceHub, a leading cloud services provider helping retailers and brands increase sales and delight shoppers through supply solutions to expand product assortment, demand solutions to promote and sell products on the channels that perform, and delivery solutions to enable rapid, on-time customer delivery. Any opinions in this post are his own. This post does not constitute, nor should it be construed as, legal advice. Eric works primarily from his home office outside of Minneapolis, Minnesota. He is a technophile and Internet evangelist/enthusiast. In his spare time, Eric dabbles in voice-over work and implementing and integrating connected home technologies.

Know and Use All the Risk Reduction Tools in Your Risk Management Toolkit

A central tenet of risk management is that managing the legal and business risk of a particular business opportunity or course of action involves (1) reducing risks by shifting and mitigating them as much as possible, and then (2) having an authorized decision-maker “call the ball” on whether the benefits from the opportunity or course of action outweigh the remaining risks (risk acceptance), or vice versa (risk rejection). Each company has its own tolerance for risk, and its risk tolerance evolves over time — for example, a start-up is generally more willing to take risk to land business than a mature company. A company may also have different risk tolerances for different divisions or product lines. Reducing risk to within the applicable risk tolerance can make the difference in whether the business decision-maker will accept or reject the risks from your proposed opportunity or course of action. Therefore, attorneys and business owners should use every tool in their toolkit to mitigate and shift as much risk as possible before asking the business decision-maker for approval on a certain opportunity or course of action. But all too often, risk decisions are presented to the decision-maker before risk reduction strategies are fully implemented or leveraged. Why is this?

One reason for this is the mistaken belief that reducing risk is too time-consuming, and that if a quick risk management decision is needed there is no time for anything more than cursory risk reduction. However, many risk reduction strategies can be implemented quickly and in parallel, or even proactively, to minimize the time impact of risk reduction. You can also pick and choose those risk reduction strategies which “move the risk needle” the most to ensure the time you are devoting to risk reduction will generate the strongest return before a risk decision is needed. Another reason for this is a failure to know and understand all of the risk reduction tools that may be available. The less residual risk a business risk decision-maker is asked to accept, the more likely the answer will be that the potential benefits to the business outweigh the risks. Given this, it’s essential to know all of the available risk reduction tools in your toolkit.

When working with a client, supplier, vendor or business partner, one of the best risk reduction strategies is to build a strong and effective working relationship. If an issue or potential risk exposure arises, the ability to leverage your relationship to work quickly and effectively to resolve the issue, and lessen or eliminate its impact to you and your company, will pay huge dividends.

Here are 10 additional risk reduction strategies to equip your risk management toolkit:

1. Separate factual risks from perceived risks with good research and information.

Risks can be generally grouped into two categories — perceived risks and factual risks. Once the facts related to a particular risk are known, a perceived risk from an opportunity or course of action may turn out not to be a risk at all. For example, a perceived risk of doing business with a particular vendor may be the potential impact to your Payment Card Industry Data Security Standard (PCI DSS) compliance. If the facts show that the vendor will not handle any PCI data, or is already PCI compliant, the risk may not play into the risk acceptance decision. Investigate each business opportunity or course of action thoroughly to ensure you are shifting and mitigating factual risks, not perceived risks. Investigate your prospective client or partner thoroughly and as early as possible. Look at publicly available information regarding the prospective partner to better understand the risks of doing business with the business partner, including its current website and former versions, its BBB rating, its capitalization and liquidity, its litigation history through PACER and other online search tools, and (if public) its securities filings. Investigate whether there is a potential for disputes or litigation around a particular business opportunity (e.g., if the technology you are seeking to acquire has been the subject of intellectual property litigation). Check business references and ask what they view as the biggest risks of doing business with that vendor.

2. Shift risk through indemnification.

One of the most common ways to shift risk is through indemnification. An indemnity is a contractual provision through which one party (the “indemnifying party”) agrees to be responsible for certain monetary costs and expenses incurred by the other party (the “indemnified party”) which arise from, result from or relate to certain acts or omissions of the indemnifying party or other indemnified acts. A party will generally indemnify, defend and hold the indemnified party harmless in connection with indemnified losses and claims. Consider whether to include an indemnity obligation for breaches of representations, warranties and covenants, breach of material obligations, breach of confidentiality/security, misappropriation or infringement of IP, and other risks your company may suffer, which will shift risk and cost to the other party if paired with the right limitation of liability and other risk allocation terms. Consider whether to use a third-party indemnity (insulation from damages and losses resulting from lawsuits and other causes of action by a third party against the indemnified party), or a first-party indemnity (insulation from damages and losses suffered directly by the indemnified party, which is essentially insurance and is often hard to get). Remember that an indemnity is only as good as the company standing behind it (this ties into parental guarantees and insurance requirements, below).

3. Shift risk through insurance requirements.

Another way to shift risk to a client, vendor or business partner is to require them to maintain certain levels of insurance during the term of the relationship (and for a period of time thereafter). This can help ensure that the other party will have the resources necessary to pay you in the event their performance (or lack thereof) under your agreement with them creates a liability on the part of your company. Ensure you are requiring the appropriate types of coverage to protect against the risks you may face under the agreement (e.g., not just a commercial general liability policy, but an errors & omissions policy, cyber liability policy, etc.). Consider insisting on being added as an additional insured, and ensuring that the insurance is primary and non-contributory. Consider whether to ensure it covers ongoing and completed operations, and waives the right of subrogation against you (so the insurer cannot “step into the shoes” of the insured party by paying the claim, giving them a claim against you) and the “insured vs. insured” exclusion (so a claim by you, an additional insured, against the named insured under the policy is not excluded from coverage). Strongly consider requiring a certificate of insurance for your records evidencing the coverage.

4. Shift risk by limiting contractual liability.

Another tool for shifting risk is to set a contractual risk allocation (disclaimer of certain damages and limitation of liability for direct damages) beyond which the other party is liable. For example, consider warranty disclaimers and disclaimers of liability from certain types of behaviors, e.g., a party may disclaim any liability resulting from force majeure events and/or disclaim all warranties, express or implied, not expressly set forth in the agreement. Include an appropriate disclaimer of consequential damages and the like, and limit your direct damages (but also consider whether exceptions to the general disclaimers and limits are appropriate – consider a “second tier” of liability for direct damages of a certain type, or exclusions from the limitation of liability). Consider a liquidated damages provision for certain issues that may arise. Ensure you understand what cannot be limited under applicable law (e.g., in certain states, it’s against public policy for a party to disclaim liability for its own gross negligence or willful misconduct).

5. Shift risk by using subcontractors.

Another risk shifting approach is to utilize subcontractors for certain responsibilities where the risk associated with performing the responsibilities in-house is greater than the risk your company is willing to take. For example, suppose you are refurbishing an office which will need a considerable amount of work to bring the electrical system up to code. Instead of using your own electrician, you may choose to outsource the electrical work to a more experienced subcontractor to whom you can contractually shift the risk from performance. The risk allocation and indemnity provisions in your subcontractor agreement will be critical here. While in some cases the primary contractor may remain liable in the event of a problem causing damage or liability to a third party, the risk-shifting terms in your independent contractor agreement may help protect your company.

6. Shift risk through a parental guaranty.

If the potential counterparty or business partner is not fully capitalized, or is the subsidiary of a larger “deep pocketed” organization, consider requesting a parental guaranty. Guaranty agreements typically include a payment guaranty requiring the guarantor to stand behind the guaranteed party’s payment and indemnification obligations, and/or a performance guaranty requiring the guarantor to perform obligations under the agreement if the guaranteed party fails to perform its obligations. A guaranty ensures you can compel the guarantor to perform the guaranteed payment or performance obligations if the party with which you are contracting fails to comply with its payment and performance obligations. There are many tricky provisions in a guaranty, so ensure you use good counsel to help you construct the guaranty. The guaranty should survive the termination or expiration of the underlying agreement for as long as guaranteed obligations survive. Also, if you are considering a parental guaranty, think about whether it would make more sense to contract directly with the parent and not the subsidiary (which would eliminate the need for the guaranty).

7. Mitigate risk through internal processes.

When evaluating the impact of a business risk, consider whether the risk can be mitigated through existing or new business processes. Are there administrative, technical and physical safeguards or processes in place at your company, or that could easily be put in place, that would reduce the chance of a risk exposure? For example, suppose a contract requires that your software is free of viruses, spyware, malware, and the like. If you have existing technology in place to scan your software for viruses, or can easily put it in place, you may feel comfortable taking this risk as the risk of an exposure is mitigated. However, be careful implementing a manual process to mitigate risk — such processes can be prone to error, as they are often dependent on employees manually adding a few tasks to their already crowded plate. Even if a manual risk mitigation process is well documented, it may just be replacing one type of risk with another.

8. Mitigate risk through third party certifications.

Another risk mitigation approach is to require your business partner or vendor to maintain and certify compliance with third party certifications or industry standards which demonstrate that the partner or vendor has implemented steps reasonably designed to protect your company against certain risk exposures. For example, if a partner or vendor will be handling personal information or sensitive confidential information, consider asking for a SOC 2 Type 2 report, which is a statement of the effectiveness of a company’s non-financial controls. It’s important to require an unqualified report — a qualified report means that one or more of the controls covered by the report are not effective and the report should not be relied upon in that area. Other common certifications include ISO 27001 for information security management systems, SOC 1/SSAE16 for financial controls, and HITRUST certification for HIPAA business associates.

9. Mitigate risk through your own insurance.

Consider whether your existing or other available insurance coverage would protect you against certain risks arising from your partner/provider relationships. Review the biggest risks faced by your company (including risks impacting your partner/provider agreements) on a regular basis to determine if changes to your insurance coverage profile are warranted; your coverage should evolve as your business evolves. Understand what exclusions apply to your insurance. Consider asking your broker to walk you through your coverage on an annual basis.

10. Mitigate risk through contract provisions.

Finally, consider mitigating risk with your business partners through contractual provisions other than limitation of liability. For example, consider requiring your business partner to agree not to engage in risky behaviors, or not to provide you with data types you don’t want to receive (e.g., trade secrets, PCI data, HIPAA data). Include appropriate representations, warranties and covenants applicable to your business partner, and ensure yours are not overbroad. Consider your rights in the event of non-payment under the agreement. Consider whether an escrow provision would help mitigate risk. Consider rights to injunctive relief (including whether to waive posting a bond or other security, or proof of actual damages). Financial and security audit rights may be important. Ensure your business partner has implemented its own strong risk reduction strategies, such as implementing a business continuity plan/disaster recovery plan and anti-phishing training.

The Wayback Machine: Portal to the Internet’s Past, and Essential Business and Legal Tool

The World Wide Web has revolutionized the world as an information communication medium, but it has one significant drawback – no long-term memory. Once a web page is updated or removed, it disappears as if it was never there. The Wayback Machine, named after Mr. Peabody’s WABAC machine from Rocky & Bullwinkle and located at http://www.archive.org/web, was conceived to give the Web a long-term memory. It is a tool for looking at previous versions of a web page by viewing different iterations captured over time. Internet enthusiasts can easily spend hours peering back in time to what web pages looked like “back in the day.” For example, Google’s November 1998 search page boasted about having 25 million indexed pages, “soon to be much bigger” – it’s likely even Google could not imagine how true that would be!

The Wayback Machine is operated by the Internet Archive, a non-profit organization created in 2001 for the purpose of building and maintaining a historical record of the Web. It has been “crawling” web pages and other Internet-accessible content for archiving purposes since 1996, serving as an “archaeological history” of websites. As of March 5, 2017, the archive contains 279 billion web pages, but not everything on the Web is preserved in the Wayback Machine. It visits web pages for archiving purposes on a periodic basis, ranging from weeks to hours depending on the website; it respects requests not to archive web pages if specified by the website owner (e.g., by using a “robots.txt” file); it also does not fully archive dynamically generated web pages, such as those with web forms or JavaScript; and it does not archive websites which require a login.

Aside from letting people look back at their favorite website’s beginnings or remember what a favorite long-dead site was all about (I still love pets.com’s slogan, “because pets can’t drive”), there are a number of practical business and legal uses for the Wayback Machine. These include:

Business Intelligence

  • Individuals and companies can use the Wayback Machine to search for information on persons, companies and products/services, especially where the companies, products or services no longer exist or the information sought about them is no longer available online. For example, if you are looking for information about a technology, product or program offered or licensed by your company years ago, and you can’t find information about it in company records (the project manager has left the company, records have been purged under the records retention policy, the company that offers it is out of business, etc.) or want to supplement what you have located so far, the Wayback Machine may have an archived version of a page from your website with the information you’re looking for.
  • Similarly, if you are researching a prospective client, partner or acquisition target, looking at the client, partner or target’s historical websites through the Wayback Machine can yield valuable information, such as details on the history and development of the company and its products/services. This information can identify topics to ask about during due diligence, and can help you identify representations, warranties and covenants for inclusion in a sales, partnership or purchase agreement.
  • If you are researching a new potential executive or potential board member, use the Wayback Machine to look at historical bios on archived websites of his or her former companies as part of a thorough due diligence process or to verify information before including it on a company website or in a securities filing.

Contracts

  • The Wayback Machine can help in locating missing copies of license agreements, e.g., for previously licensed software such as a software program or font acquired years ago. If you can’t find the agreement and the company from which it was acquired no longer has it on their website or has gone out of business, the Wayback Machine may help you locate a copy of the agreement from the archived version of the website around or following the date on which you acquired the licensed material, enabling you to ensure you understand your or your company’s rights to the licensed materials.
  • The Wayback Machine can also help locate prior versions of online agreements, such as vendor agreements. For example, if you are renewing your agreement with a large vendor who sends you a new contract available on their corporate website, and you can’t find the old version of their contract you signed years ago, use the Wayback Machine to find the old version on an archived version of their website to generate a redline against the new agreement to facilitate your review of the new agreement.

Records Retention

  • If a company is reconstructing its historical records, the Wayback Machine is a great place to start. Companies often find that their historical records are spotty, especially in the time before a formal records retention process was put in place. Companies may not have a policy to archive and save information of historical or business value, which may be lost over time. Use the Wayback Machine to find and save historical versions of website policies such as Terms of Use, Privacy Policy, Terms of Sale, and other website disclosures, as well as historical information such as bios on former executives and directors and product information.

Intellectual Property and Litigation

  • The Wayback Machine can be an excellent source of information which may be valuable or essential to a party’s position in intellectual property disputes and litigation. For example, Wayback Machine pages can be used to establish or substantiate infringing activity by a person or entity. They have also been admitted in business litigation as far back as 2003 as evidence of a party’s course of performance.
  • Pages from the Wayback Machine have been used in patent litigation as prior art, i.e., a printed publication describing an invention which publication is shared with a third party (e.g., made available to the public) prior to the date on which the “inventor” filed for patent protection for that invention, and have been used to establish a first date of use in commerce for trademark purposes. (It’s important to note that the Wayback Machine only shows the date on which a page was archived, not the date it was first made accessible online.)
  • The Wayback Machine is also an excellent source for strategic direction in discovery or when preparing a subpoena. Reviewing a discovery or subpoena recipient’s historical websites can help refine a company’s requests for production of documents, interrogatories or other discovery requests where the subject of the request is historical or aged information. It can also help identify potential witnesses who have knowledge as to facts central to the litigation, e.g., a former employee mentioned in a historical blog post.
  • Many federal courts have admitted Wayback Machine web pages in court, in some cases requiring an affidavit authenticating the archived web page, or in other cases where an employee of the company hosting the original web page attests to its authenticity as a true and accurate reproduction of the original page – the ideal person is the person who created the original page, or has first-hand knowledge of the original page. The Internet Archive can provide an affidavit authenticating Wayback Machine printouts for a fee as described on its website, but strongly recommends that a party first request judicial notice or ask the other party to stipulate to the authenticity of printouts from the Wayback Machine (this can be a good approach in arbitration). Note that seeking to admit Wayback Machine web pages can lead to evidentiary objections such as hearsay. Attorneys may want to consider asking their expert witnesses about their familiarity with the Wayback Machine and whether they have previous experience in testifying as to Wayback Machine pages.
  • A prominent example of the Wayback Machine’s value in litigation is the Kleargear.com case. Kleargear.com instituted a provision in its Terms of Use preventing a consumer from taking any action, including posting a review, that negatively impacts the company or its reputation, and imposing a $3,500 “fine” for Kleargear’s legal fees to sue the consumer for breach of the Terms of Use. John and Jen Palmer had a negative experience purchasing a product from Kleargear.com in 2008 and left a negative review. Years later, in 2012, Kleargear.com demanded payment from the Palmers of the $3,500 fine if the negative review was not removed, and turned the amount over to collections when it was not paid, resulting in an impacted credit rating for the Palmers. Aside from the Palmers winning the inevitable litigation they filed against Kleargear.com, the lawsuit led to legislation in California in September 2014, and federal legislation in December 2016, prohibiting anti-disparagement clauses in consumer contracts. One of the key facts in the case and in press coverage was that according to the Wayback Machine’s archived Kleargear.com site from 2008, the non-disparagement clause wasn’t even part of the Terms of Use at that time (it was added to the site later on).

Business Tools

  • The Internet Archive offers useful business tools. For example, consider the Wayback Machine’s 404 error page handler. The 404 error page handler enables a website to offer an archived version of a page from the Wayback Machine if a current page is not found and an archived version exists in the Wayback Machine. This can help reduce the impact of 404 errors for websites where content of web pages does not change too quickly, and where displaying an older page is better than no page.
  • The Internet Archive also offers an archiving service called “Archive-It” which companies can use to collect, catalog, manage, store, and provide 24/7 online search of and access to archived content collections. If your company or organization wants to preserve a collection of online content, consider using this service. Users include museums and art libraries, NGOs, colleges and universities, other private companies and non-profits.

Access the Wayback Machine at http://archive.org/web. Frequently-asked questions are located at https://archive.org/legal/faq.php. If you don’t find the Wayback Machine to be a useful business and legal tool, you can at least take a stroll down Internet memory lane.


6 Contract Templates Every Company Should Have at the Ready

One of my favorite sayings is “opportunity is equal parts luck and preparation.” In other words, being proactively prepared for an opportunity puts you in a better position to take advantage of one when it comes along. When a business opportunity arises that requires a contract or other legal document, being prepared includes having a well-written template ready to go. It can help avoid missing critical terms and points when rushing to draft a document for the opportunity, minimize the time and effort required to respond, and turn a “fire drill” into a routine but urgent request. Conducting business on a handshake agreement, or on a hastily drawn-up set of terms, to save time can backfire if the opportunity turns into a dispute. Having a well-drafted, legally binding agreement in place ensures the parties both understand their rights and obligations in connection with a business opportunity, and gives your company the protection it needs if and when the need arises.

Here are six contract templates every company should have drafted and ready for use when the opportunity arises. If your company does not have in-house counsel, consider whether having outside counsel prepare some or all of these templates for you is a worthwhile investment. If you have (or are) in-house counsel, check to ensure that you have up-to-date versions of these agreements in place. Consider whether to take this opportunity to freshen them up.

1) Mutual and unilateral NDA templates

Companies use non-disclosure agreements (aka “confidentiality agreements” or “NDAs”) for protective, contractual, and strategic purposes. NDAs ensure there are adequate (and binding) protections for your confidential information before you share it with another party. If your company has trade secrets, failing to put confidentiality obligations in place with third parties who have access to your trade secrets can cost you your trade secret protection. NDAs may also satisfy a contractual obligation to a third party (e.g., not to disclose a company’s confidential information unless the recipient is also subject to written confidentiality obligations). They can help ensure that a third party is truly interested and serious about discussions with your company. (I discussed the why, when and how of NDAs in depth in a previous LinkedIn article.) If your company and a prospective business partner want to “pull back the curtain” to share confidential information as part of discussions about a proposed relationship, you’ll want to have an NDA template ready for use.

Companies should have a minimum of two NDA template “flavors” at the ready – mutual (where both parties are providing confidential information to the other) and unilateral (where only your company is sharing confidential information). Use the template that best matches the actual disclosures occurring, and avoid putting a mutual NDA in place where you don’t expect (and don’t want) confidential information from the other party. For example, if you want to share financials and future business plans with a candidate for employment, a unilateral NDA is likely your best bet. Some companies use other flavors of NDAs as well (e.g., a specific version for M&A opportunities, one for interview candidates, etc.).

NDAs should also be drafted as fairly as possible – the last place you want to get bogged down in negotiation is over the NDA (tripping up your business discussions before they even start). Consider avoiding contentious language such as residuals clauses and first-party indemnities in your NDA templates. Also consider having your NDA template as a PDF with fillable form fields to minimize negotiation and simplify the process of completing the NDA.

2) Professional Services/Independent Contractor Agreement template

Every company, big and small, uses subcontractors, vendors and service providers (collectively, “contractors”). Contractors are often brought in where a company needs additional support or services its employees cannot provide (or that it wants to outsource), where it needs subject matter expertise it does not have, or where it needs to temporarily augment its existing personnel or other resources. There are many benefits to using contractors, from avoiding the need to pay payroll-related costs to having the ability to “target” spend on subject matter expertise when needed. Having a written agreement in place with your contractors, and a template Independent Contractor Agreement (also called an “ICA” or “Professional Services Agreement”) ready for use, is critical to protect your company’s rights.

Most ICAs are a master set of terms governing each work engagement, and use “statements of work,” “work orders,” or “project assignments” for each discrete project (collectively, “SOWs”). Among other things, ICAs typically cover the scope of work performed; the independent contractor relationship between the parties (misclassification of independent contractors by companies is a current “hot button” issue for the IRS); testing, acceptance and ownership of deliverables; payment terms, expenses and taxes; representations, warranties and remedies around the work and/or deliverables; and insurance. SOWs generally include sections on the scope of services, in-scope and out-of-scope items, deliverables, timeline and milestones, fees (e.g., time and materials, not to exceed amount) and payment schedule, and change order procedure.

Companies may also want to consider using the core provisions of their ICA to create a set of “Vendor Terms & Conditions” that exist on a URL on the company’s domain. Companies can incorporate Vendor Terms & Conditions by reference into a vendor’s purchase order or invoice, with language ensuring a term in the Vendor Terms & Conditions governs over any conflicting terms in the vendor’s own terms, to avoid the need to negotiate every services order or contract. This can be a simple and cost-effective way to ensure a base set of standard risk allocation and other terms apply to each vendor even where the vendor spend or vendor size does not warrant the use of significant Legal or Procurement resources.

3) Employee Confidentiality and Inventions (and Non-Solicit and Non-Compete) Agreement and Employee Offer Letters

As a condition of employment, most companies require their employees (1) to maintain the confidentiality of the company’s confidential and proprietary information, and any similar information of the company’s clients, vendors and service providers, that the employee may receive or have access to during the term of his/her employment, and (2) to agree that the company owns any inventions or other “work product” created by the employee in connection with his/her employment. Some companies also require employees to agree, during the term of employment and for a period of time afterwards, not to solicit the company’s clients or employees, and/or to not compete with the company on behalf of another company (these are known collectively as “restrictive covenants”). To ensure these obligations are in place and legally enforceable, every company must have a well-drafted Employee Confidentiality and Inventions Agreement (or “ECIA”).

The ECIA is the type of agreement that is worth a little of outside employment counsel’s time to ensure it is both well-written and legally enforceable. If your company has offices or employees in multiple states, the laws around the enforceability of these types of agreements, especially restrictive covenants, differ widely. For example, in California, restrictive covenants are generally void, but in other states such as Minnesota, restrictive covenants can be enforceable if they are reasonable in time and scope and satisfy other legal requirements, such as being supported by consideration and serving a legitimate employer interest. Consideration itself is an important issue that varies from state to state: you may not be able to enforce a new (or updated) ECIA against existing employees unless it is supported by additional non-token consideration provided to the employee. Also, NDAs and partner agreements often require that a company only disclose the other party’s information to employees who have a need to know the information and are bound by written obligations of confidentiality to protect it, and a properly worded ECIA can satisfy this requirement.

Companies should also have well-drafted employee offer letters. The offer letter is signed by the company and agreed and acknowledged by the new employee, and contains both a summary of the employment terms and important protections for the company. A well-drafted and properly worded offer letter can help avoid later issues if there is a dispute over terms such as the details of the employment offer or the employee’s conduct. Companies should have separate offer letter templates for exempt and non-exempt employees. Consider including, among other provisions, the start date; the title of the position and name/title of the supervising employee; the base salary and payment cycle; probation period language; information on vacation & holidays, benefits, and equity grants (if applicable); pre-employment screening requirements; and continuing obligations (e.g., there are no existing restrictive covenants that would prevent the candidate from working for the company; the candidate will not bring any confidential or proprietary data from a former employer onto company systems; etc.). Ensure the offer of employment is labeled “contingent” so that in the event of an issue (e.g., the applicant was not truthful on the employment application), you have the right to revoke it where allowed by law. Offer letters should also be reviewed by outside employment counsel to ensure they comply with the state laws applicable to your business.

4) Business Referral Agreement

Companies looking to grow their business may happen upon a person or company willing to refer potential clients to them (e.g., a company in a complementary business whose clients may also be interested in your company’s products or services, or a person with deep connections in the industry who can facilitate introductions with executives at some of your company’s top sales targets), typically in return for a bounty per referral or a percentage of the fees earned by the company from the referred client. When a referral opportunity arises, have a business referral agreement template ready for use.

A business referral agreement typically covers the process of submitting a lead and any rights of the company receiving the lead (the “recipient”) to reject it; the time frame for the recipient to close a business transaction with the referred lead; the fees payable for referring the lead, and the payment frequency and terms; what assistance the referring company will provide to the recipient in closing the business (if any); and audit rights to ensure the referral fees paid are accurate.

As with NDAs, consider having both a mutual referral template (where both parties are referring leads to the other) and a unilateral template (where a party is referring leads to your company only).

5) Letter of Intent/Term Sheet/Memorandum of Understanding

When negotiating a new business opportunity, there is often pressure to get something on paper as quickly as possible, even before the deal is fully negotiated. One way to do this is through a letter of intent (also called an “LOI” or “term sheet”) or memorandum of understanding (“MOU”). A LOI or MOU can act as a “snapshot in time” of the anticipated terms of the definitive agreement as of that date, highlighting both where the parties have already come to agreement and where further negotiation is needed. If done incorrectly, a LOI thought to be non-binding by one party could be held to be a legally enforceable agreement. Having a properly worded LOI or MOU template at the ready can help evidence the parties’ intent to move forward with negotiations and ensure they keep the focus on finalizing the terms for, and negotiations on, a definitive agreement, while protecting your company’s rights to walk away if a definitive agreement cannot be reached.

A LOI and MOU differ primarily in form: a LOI is typically in the form of a letter, where a MOU is typically in the form of a legal agreement. LOIs and MOUs typically include terms that can be grouped into two sections:

  • Non-binding terms. These are a summary of the terms that the parties intend, as of the date of the LOI or MOU, to include in the definitive agreement. When putting non-binding terms into a LOI or MOU, consider using non-binding terms such as “would,” “should,” and “may” instead of “will” and “shall.” Also consider a catch-all provision stating that all obligations in the non-binding section are prospective only and will not apply to the parties unless and until embodied in a definitive agreement to be negotiated and signed by both parties.
  • Binding terms. Many people believe that a LOI or MOU is completely non-binding, but that’s almost always not the case. The most common binding term is a commitment by both parties to continue negotiating in good faith toward a definitive agreement, and a statement that either party may cease negotiations at any time. Other binding terms to consider for your LOI or MOU include exclusivity or standstill obligations (e.g., the parties will negotiate exclusively with the other for a period of X months); confidentiality obligations or a reference to the existing NDA in place between the parties; non-solicitation obligations; and general legal boilerplate such as choice of law and an integration clause. Also include a statement that except for any binding terms, the LOI or MOU does not create (and is not intended to create) any binding or enforceable agreement or offer. Ensure the binding and non-binding terms are in separated sections.

I prefer to use a letter of intent when it’s non-binding (e.g., as a term sheet), with or without a commitment by the parties to continue negotiating in good faith. I use a memorandum of understanding when summarizing non-binding deal terms coupled with binding obligations. Whether you use a LOI or MOU, ensure it is signed by both negotiating parties.

6) Settlement and Release Agreement

Sooner or later, your company will have a dispute with a client, customer or vendor over fees, performance of obligations, use of deliverables, etc. Most often, business disputes are resolved by the parties without the need for formal dispute resolution such as mediation, arbitration, or litigation. When a dispute is resolved, it can be important to have a settlement template ready to memorialize the parties’ full and final resolution of the dispute, and to state any obligations the parties have to each other in connection with the resolution of the dispute. Without a well-written and legally enforceable settlement and release agreement, the parties may find that the settlement of a dispute is not as full or final as originally thought if one of them seeks to enforce the settlement terms.

Settlement templates generally include a description of the dispute being settled; the consideration to resolve the dispute (e.g., waiving certain accounts receivables, payment of an amount by one party to another) and any contingencies (e.g., payment must be received within 10 days); a release by both parties of any claims related to the dispute (ensuring this is properly worded is one of the most critical parts of the settlement agreement); confidentiality language; a non-disparagement clause if appropriate; and other appropriate legal boilerplate. There are state-specific requirements for settlement and release agreements, so consider having local counsel review your template to ensure it will be enforceable.

The easiest settlement agreement template to have at the ready can be used for the resolution of run-of-the-mill business disputes such as a billing dispute. For significant or complex disputes, for settlements to resolve pending or threatened litigation/arbitration, and for releases in cases of employee terminations, consult an attorney to ensure your template fully and completely covers the complexities or nuances of the specific case.


7 Tips for Implementing a Records Retention Policy Employees Will Follow

How long to hang on to corporate information and records (records retention) is a common source of conflict within companies. Those in the “keep it” camp believe companies should keep any business records that are needed to conduct business operations effectively, records that serve as a company’s “corporate memory,” records that must be kept for legal, accounting or other regulatory compliance purposes, or have other value to the company (such as protecting the company’s interests). Those in the “destroy it” camp believe companies must promptly destroy records when there is no longer a legitimate business need to retain them, in order (a) to ensure they are minimizing the amount of information that could potentially be exposed in the event of a security breach, inadvertent disclosure, legal disclosure requirement such as a subpoena, or during the discovery phase of litigation, (b) to comply with legal, accounting and other regulatory requirements to destroy information after a certain time, and (c) to reduce the costs of discovery and of storing corporate information. Which side is right?

The answer, of course, is that they’re both right. All of the reasons to keep corporate records, and all the reasons to destroy them, are legitimate. This is the “double-edged sword” of records retention. For every argument that “we might need that piece of information somewhere down the line,” there’s a counterargument that “we could get in trouble someday if we still have that piece of information around.” The way to ensure your company is striking the right balance between these two extremes is to have a written records retention policy that balances the reasons to retain information against the reasons to destroy it, by setting appropriate “retention periods” for various categories of corporate records and, in most cases, requiring employees to destroy data once the retention period has ended. It is an essential component of a company’s incident response planning process for reducing the amount of information potentially exposable in the event of a security incident or breach. The policy must cover corporate records wherever located, including physical and electronic data wherever stored (in employee workstations, on intranets and network drives, in third party data centers, in cloud-based service providers’ systems, etc.). It should list the categories of business records governed by the policy (I prefer a table format), and the records retention period for each category. It should clearly explain to employees what they need to do to comply with the policy, including how to ensure records are properly destroyed when the retention period ends.

It’s easy to argue why companies need a records retention policy. It’s much harder to actually draft and successfully implement one. Here are 7 drafting and implementation tips to help drive the success of your records retention policy.

1. Success is directly proportional to simplicity and communication.

The simpler you can make a records retention policy, the easier it will be for employees to follow it and the greater the likelihood that employees will take time to follow it. Policies that add significant process requirements into the life of rank-and-file employees who already feel like they are “doing more with less” and may be resistant to new ways of doing things are often met with skepticism at best, and outright rebellion at worst. It can be very difficult to successfully implement and administer a records retention policy if employees feel it is onerous and unnecessarily impeding their ability to do their job. If that happens, employees may simply ignore the policy in favor of their day-to-day business duties, or worse, use the records retention policy as a scapegoat if they fail to deliver on their projects and goals.

To solve this problem, ensure your policy is written as simply as possible, take into account the employee’s perspective, and have a communication plan to roll it out. Ensure your policy overview answers questions such as “Why is having a records retention policy important to me?”, “How hard will it be to follow the policy?”, and “What do I have to do under the policy?” Consider using a “frequently asked questions” format for the policy overview. Have a few employees whose opinion you value give you feedback on the policy. Develop a communication plan to roll out the policy to all employees, and leverage HR and Marketing for their input to make it as effective as possible. Ensure your senior leadership team endorses the policy so employees understand it has top-level visibility.

2. Set a “once per year” date for retention periods to expire.

One way to write a records retention policy is to have a fixed retention period for each business record run from the date the record was created. Under that approach, retention periods will be expiring throughout the year. If the records retention policy requires employees to destroy records immediately upon expiration of the retention period, the policy may require employees to be managing document destruction on a daily or near-daily basis. This may make compliance seem like a daunting task to employees, even if your policy allows employees to destroy expired business records once per month or once per quarter.

As an alternative, consider having all retention periods expire on the same day of each calendar year by measuring your retention period in full “retention years,” defined as a full calendar year or other 12-month measurement period. For example, if you set December 31 as your annual date for expiration of records retention periods, a presentation created on May 15, 2016 which must be kept for 3 “retention years” would be kept from May 15, 2016 through December 31, 2019 (3 full calendar years from the date of creation). While this approach does extend the retention period for some documents by a bit, that may be an acceptable trade-off for a simple, once-per-year obligation to destroy records under the records retention policy. Consider tying your annual records retention period expiration date into an “office clean-up days” event in partnership with HR where everyone pitches in to tidy up the office, clean up their workspaces, and destroy any documents for which retention periods have expired under the records retention policy.

3. Right-size the departments and categories of corporate records listed in the policy.

In an effort to be as comprehensive as possible, some records retention policies include a significant number of categories of information subject to retention requirements. This can result from using an “all purpose” template such as a template obtained from a law firm, from a colleague, or from online searches. In other cases, a company may want to ensure they are not missing anything by including everything employees have today or could have in the future. One size does not fit all with respect to records retention categories. Consider having a “general” or “common business records” category as the first section of business records in your policy, covering items like business presentations; contracts and agreements (both current and expired); general and customer/vendor correspondence; material of historic value; software source code; etc. Then determine which departments have additional, specialized categories of business records (e.g., HR, IT, Finance, Marketing, Legal, etc.) that should be listed specifically in the policy. For each such department, learn which business records they have and use to create a first draft of your categories list and retention periods. Using a general/departments grouping of categories allows employees to find the information on records retention applicable to them in a targeted and streamlined fashion. There will likely still be a significant number of categories of corporate records, but taking the time to think through the right categories for your company’s records retention policy will help ensure it is as easy as possible for employees to read, follow and use.

4. Use a limited number of retention periods, with “permanent” used as sparingly as possible.

Another common issue with records retention policies is the use of a large number of retention periods. Different departments may have different periods under which they currently retain documents, and they may push to keep their own retention periods in an enterprise-wide policy. A policy with a large number of retention periods will be harder for employees to follow, and harder for IT and others to operationalize. Remember, simplicity where possible is key to success. Consider using a limited number of retention periods (e.g., 1 year, 3 years, 5 years, 7 years, Permanent), which will simplify administration of, and compliance with, the policy. For departments with different existing retention periods, determine which of the next closest periods (longer or shorter) will work, and be prepared to explain to the head of that department why a limited number of periods is essential to the successful implementation of an enterprise-wide policy.

It can be tempting to put many things into a “permanent” bucket (those in the “keep it” camp are likely candidates to ask for this category). However, overuse of the “permanent” category cuts against the reason for implementing the policy in the first place. While some documents may need to be kept perpetually, for example, information subject to a document preservation notice due to litigation, document categories should be assigned a “permanent” retention period very sparingly. Use it where it is legally necessary to preserve a category of documents (e.g., it’s required for regulatory purposes), or where there is a compelling business interest in keeping it forever (e.g., prior art that may have value in defending against a future patent infringement claim). One way to find a “happy medium” with those in the “keep it” camp is to include in your policy a mechanism by which Legal and the CISO/CIO can approve an exception to the retention period on a case-by-case basis, but make clear that exceptions will be granted very sparingly and only where legally necessary or where there is a compelling business interest.

5. Partner with department heads to solicit and incorporate their feedback, and to turn them into champions of an enterprise-wide policy.

One of the keys to the successful roll-out of a records retention policy is to have the support of senior management and department heads. Compliance with a records retention policy should be driven from the top down, not bottom up. It’s also important to consider that just because a company has not implemented an enterprise-wide records retention policy does not mean that some departments have not “gone it alone” and implemented their own limited retention and destruction schedule. Partnering with department heads to gain their support for an enterprise policy, and ensure their own efforts are leveraged as part of the broader policy, is essential.

Once a draft policy is prepared, set up one-on-one meetings with the leader of each department to let them know that you want the enterprise policy to be a collaborative (and not an imposed) effort on his/her department. If they have department-specific document categories or retention periods, leverage them to the greatest extent possible to minimize the impact the enterprise policy will have on that department. If they do not, walk them through the reasons why having a well-followed enterprise records retention policy will benefit the company as a whole. Walk the department head through the draft policy, and ensure they agree with the categories and retention periods applicable to their business unit. Try to incorporate their feedback wherever possible, and talk them through where you cannot (e.g., they ask for a non-standard retention period). Finally, ask for their help in rolling the policy out to their department, e.g., by sending a note to the department as a follow-up to the enterprise-wide policy announcement. By meeting with department heads, you will not only ensure the policy hews as closely as possible to the operational and compliance needs and practices of each department, but also establish a contact for future revisions/enhancements to the policy, and hopefully foster an internal champion to help drive the success of the policy.

6. Ensure the policy accounts for document preservation notices. 

One critical element of any records retention policy is a very important exception — information subject to a litigation hold or other document preservation notice (such as in the event of litigation or anticipation of future litigation, where the company receives a subpoena, etc.). If employees follow the records retention policy and destroy business records that are relevant to a legal proceeding or subpoena, the company could face very significant fines and penalties. Ensure that the records retention policy makes it very clear that a document preservation notice supersedes the records retention periods, and that any documents and business records subject to a litigation hold or other document preservation notice must be kept for as long as the preservation notice is in effect, regardless of the expiration of the retention period. It’s also important to communicate that once an employee is notified that a document preservation notice has been canceled, any documents subject to the notice should be destroyed at the next anniversary date. Ensure that any systems and processes used by the company to operationalize the records retention policy (e.g., automatic deletion of emails after a certain amount of time) account for the preservation of documents and business records subject to a preservation notice irrespective of the retention periods.

7. Partner with IT to implement technical safeguards to minimize policy “workarounds.”

Finally, partnering with IT will be critical to the success of the policy. In many cases, some document destruction processes can be automated (for example, emails can be deleted after a certain period, files older than a certain date can be automatically deleted from network shares, etc.). Work with your IT group to determine what technological solutions can be put in place to help operationalize the records retention policy. At the same time, some employees may believe that their needs trump the records retention policy, and will try to work around it (e.g., by saving emails to a PST, printing them to a PDF and saving them on a network drive, “backdating” them by changing the system date before saving files, etc.). Partner with your IT team to put as many appropriate technical safeguards in place as possible to minimize employee workarounds to the records retention policy.
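Tips 2, 4 and 6 together describe a small calculation that IT will need to get right before any automated destruction (tip 7) is switched on: count retention in full “retention years” ending on one annual date, use a short menu of periods with “permanent” as the rare exception, and let an active preservation notice override everything, with destruction moving to the next anniversary once a hold is cancelled. The following is an added example, not code from the author or from CommerceHub; the category names, retention periods and sample records are constructed for illustration, and the default anniversary of December 31 matches the post’s worked example.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional

# Constructed retention schedule in the shape the post recommends: a handful of
# periods (1, 3, 5, 7 years or permanent) keyed by a general/department category.
# Categories and periods are illustrative assumptions, not a real company's schedule.
PERMANENT = None
RETENTION_YEARS = {
    "general/presentations": 3,
    "general/contracts": 7,
    "hr/personnel-files": 7,
    "it/system-logs": 1,
    "legal/patent-prior-art": PERMANENT,
}


@dataclass
class Record:
    category: str
    created: date
    hold_active: bool = False            # a preservation notice is in effect
    hold_released: Optional[date] = None  # date the notice was cancelled, if any


def anniversary_in(year, anniversary):
    """The annual expiration date (month, day) in a given year."""
    month, day = anniversary
    return date(year, month, day)


def retention_expiry(record, anniversary=(12, 31)):
    """End of the record's retention period, or None for a permanent category.

    Retention is counted in full 'retention years': the partial period from
    creation up to the next anniversary does not count toward the total.
    """
    years = RETENTION_YEARS[record.category]
    if years is None:
        return None
    this_years_anniv = anniversary_in(record.created.year, anniversary)
    # Created after this year's anniversary: the first full year starts next year.
    start_year = record.created.year if record.created <= this_years_anniv else record.created.year + 1
    return anniversary_in(start_year + years, anniversary)


def next_anniversary_on_or_after(d, anniversary=(12, 31)):
    candidate = anniversary_in(d.year, anniversary)
    return candidate if candidate >= d else anniversary_in(d.year + 1, anniversary)


def destruction_date(record, anniversary=(12, 31)):
    """Date the record becomes eligible for destruction, or None if it must be kept.

    None is returned for permanent categories and while a preservation notice is
    active. A cancelled notice moves destruction to the next anniversary date,
    unless the ordinary retention period runs longer anyway.
    """
    expiry = retention_expiry(record, anniversary)
    if expiry is None or record.hold_active:
        return None
    if record.hold_released is not None:
        return max(expiry, next_anniversary_on_or_after(record.hold_released, anniversary))
    return expiry


def due_for_destruction(records: List[Record], today, anniversary=(12, 31)):
    """Records whose destruction date has arrived; the input to an automated sweep."""
    due = []
    for r in records:
        d = destruction_date(r, anniversary)
        if d is not None and d <= today:
            due.append(r)
    return due


if __name__ == "__main__":
    # Constructed sample inventory for a December 31 annual clean-up.
    inventory = [
        Record("general/presentations", date(2016, 5, 15)),                      # post's example
        Record("general/contracts", date(2016, 5, 15), hold_active=True),        # under litigation hold
        Record("it/system-logs", date(2016, 8, 1), hold_released=date(2017, 2, 1)),
        Record("legal/patent-prior-art", date(2010, 1, 1)),                      # permanent
    ]
    for rec in inventory:
        print(f"{rec.category:28s} created {rec.created} -> destroy on {destruction_date(rec)}")
    print("due on 2020-01-01:", [r.category for r in due_for_destruction(inventory, date(2020, 1, 1))])
```

The design choice worth noting is that `destruction_date` returns `None` rather than a far-future date for anything on hold or permanent: a sweep job that compares dates will then skip those records outright, so a preservation notice cannot be defeated by an arithmetic slip in the comparison.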

Eric Lambert is Assistant General Counsel and Privacy Officer at CommerceHub, a leading cloud services provider helping retailers and brands increase sales and delight shoppers by expanding product assortment, promoting and selling products on the channels that perform, and enabling rapid, on-time customer delivery. He works primarily from his home office outside of Minneapolis, Minnesota. Any opinions in this post are his own. This post does not constitute, nor should it be construed as, legal advice. He is a technophile and Internet evangelist/enthusiast. In his spare time Eric dabbles in voice-over work and implementing and integrating connected home technologies.

7 Tips to Avoid the Pitfalls on the Path to Marketing Success

Marketing in the 21st century encompasses a variety of printed marketing materials, online websites, blogs, case studies, text marketing, digital advertising, social media, and other digital, print and audiovisual materials. Its purpose includes providing information to current and potential customers, investors, and the public about your company, its vision, its goals, and its products/services; demonstrating thought leadership; building goodwill, credibility and trust with your target markets; and driving interest in your company and its offerings. It is a critical channel for generating new customers/clients, new revenue, and new value for investors and shareholders. Companies have a natural propensity to tout themselves and their products in the best possible light in their marketing, accentuating the positive and eliminating the negative. However, there are a number of common mistakes companies make in their marketing that inadvertently land them in hot water.

Think of the execution of your marketing strategies as walking a path on a mountain ridge. To the left are the legal and regulatory pitfalls. These include deceptive, unfair or unlawful advertising practices under federal and state law; native advertising issues; false advertising, trademark, and unfair competition claims by competitors; and the like. To the right are the contractual and customer relationship pitfalls. These include claims for fraudulent inducement to contract or material misrepresentation in your marketing materials, and clients/customers asserting a right to rescind their contract or commence legal proceedings against you, affecting your company’s revenue and reputation.

There are ways to navigate this path safely. Here are 7 key tips to help stay on the path to happy clients/customers and increased revenue.

1) Be transparent, truthful, and clear.

The easiest way for a company to get into trouble over its marketing practices is to be untruthful, unclear and/or misleading. The FTC and state attorneys general rely heavily on federal and state laws prohibiting deceptive and unfair trade practices as their “multi-tool” for cracking down on companies for marketing violations. According to the FTC, an act or practice is considered “deceptive” if it contains a material misrepresentation or an omission of information that is likely to mislead a reasonable customer.

To avoid transparency issues, make sure your marketing collateral and messaging includes all material facts and disclosures that a reasonable person would expect to see. For example, there are disclosures required under federal and state laws around “negative options” such as an auto-renewing subscription offer; there are opt-out and other disclosures needed for certain commercial email messages; if there are dependencies for your call to action (e.g., you must purchase a support package if you purchase a license to your company’s software), disclose them.

To avoid truthfulness issues, verify or qualify any facts or assertions you are using in your marketing. Keep a folder with documentation backing up your marketing facts and assertions. If you don’t have or can’t find the supporting facts, consider adding qualifications to your marketing statement.

To avoid clarity issues, marketing should be well-organized and well-formatted, written in short sentences with simple words and an appropriate level of detail, so that the information you are trying to convey is easily understood. Write from the perspective of the reader – is your marketing message(s) clear to someone who does not know much (if anything) about your company and its products/services?

2) Ensure your marketing meets design and functionality requirements.

One of the biggest mistakes companies make is assuming they know how their target audience will respond to their marketing, or worse, not thinking about it in advance at all. Proactive testing of marketing strategies before launch has parallels to performing user acceptance testing (UAT) in the software world. UAT is the process by which a deliverable is tested by actual or simulated users to validate that the deliverable meets its design and functionality requirements. Just like software UAT, before releasing marketing collateral and messaging it is important to validate that (a) it includes all important details, meets all legal requirements, and contains all legally required disclosures (the “design requirements” equivalent), and (b) it clearly and effectively delivers the marketing message, such as a value proposition and/or call to action, to its intended audience, and generates the target return on investment (ROI) or return on ad spend (ROAS) (the “functionality requirements” equivalent). Investing time and energy to test your marketing, and incorporating feedback to ensure it meets its design and functionality requirements, will help it deliver the best possible ROI/ROAS.

3) Be careful using images of people or copyrighted works of others.

It’s often easy to grab a picture from Google Images or other online websites for use in marketing and social media. But remember, just because something is available online does not mean it is in the public domain, free to use. Even if you were not the person who originally posted a picture or other copyrighted content online, you could be liable for your use of it. (Even if you have an “innocent infringer” defense, you may still have to prove that in court, costing you and your company time and money.) Consider acquiring images for marketing use from a reputable stock photo company such as Getty Images, and ensure people whose images you capture for marketing use have given you a signed release and right to use the image. In general, you can’t use someone’s name or likeness to state or imply they are endorsing or promoting a product without their permission. Also, remember that images you use should not imply endorsement of your company’s products or services by a person without that person’s consent. Duane Reade, a drugstore chain, learned this lesson the hard way recently when they were sued by Katherine Heigl for $6 million after they used an image of her in a tweet without her permission.

4) Avoid unsubstantiated superlatives and figures.

Companies sometimes fall off the marketing path by using superlatives and figures that they can’t substantiate. One of the bedrocks of FTC policy is the FTC Policy Statement Regarding Advertising Substantiation. Under this policy, objective product/service claims “represent explicitly or by implication that the advertiser has a reasonable basis supporting these claims.” A “reasonable basis” depends on factors including the product which is the subject of the claim, the type of advertising claim, the consequences of a false claim, and the benefits of a truthful claim. Failing to have support for your claims is a deceptive and unfair trade practice under §5 of the FTC Act. Watch out for figures and superlatives such as “the best,” “the quickest,” etc. Make sure you have a reasonable basis for your superlative and data to back up your figures. For superlatives you cannot back up with documented facts (e.g., “a leading” vs. “the leading”), consider whether a comparative would work better (e.g., “easier” vs. “easy”, “more cost-effectively” vs. “cost-effectively,” etc.) As noted earlier, if a specific number is cited, ensure you have documentation for that specific number. If not, qualify it or generalize it (e.g., “approximately X,” “more than Y,” “less than Z,” “A to B”).

5) Avoid quoting quotes.

Just like images, it can be easy to find great quotes, facts and figures through an Internet search. If you are under a deadline or have a limited marketing budget, it might be tempting to find an article that cites a study and then cite that article rather than the study itself. However, beware of “quoting the quoter.” Quotes and cited facts/figures should be substantiated by the source material, not an article quoting the source material. If you quote a quote and not the source material, you run the risk that the author of the quote changed or misquoted the source material in their article. For example, suppose you’re looking for a statistic that at least half of participants in a study believe that the demand for products in your market segment will double in the next two years. You find and quote an online article citing research that 50% of respondents stated exactly that. What you didn’t know is that the number is really 46%, and the author of the article you cited decided to round up to 50%. This inaccurate quote could cause significant headaches if the inaccuracy proves material to your marketing message or value proposition.

6) Tread carefully when using product endorsers and native advertising.

Native advertising, as defined by the FTC, is “content that bears a similarity to the news, feature articles, product reviews, entertainment and other material that surrounds it online.” For example, a featured article on a website that looks like an objective article, but is in fact an advertisement for a product or service written by or for the product or service provider, is native advertising. Native advertising uses the appearance of authenticity to drive interest in a product or service. This is also its Achilles’ heel. If it is too difficult to distinguish native advertising from surrounding content, it may be considered deceptive; the FTC looks at the “net impression [an] ad conveys to consumers” in determining deceptiveness. If an ad misleads a consumer by stating or implying that it’s not advertising, it’s likely deceptive. Native advertising must be accompanied by clear and prominent disclosures as to the source and/or sponsorship of the advertising to avoid misleading consumers, such as “paid content” or “advertisement” or “sponsored” disclaimers next to native advertising content or links. The FTC’s Native Advertising Guide for Business contains clear guidance on how to avoid running afoul of native advertising traps.

Similar issues have arisen with respect to “product endorsers,” people who endorse a product, brand or company. While paid celebrity endorsements (think Michael Jordan for Nike and Hanes, William Shatner for Priceline) are clearly paid to do so, companies also use employees, and non-employees such as bloggers and online personalities, to promote and drive interest in their products. Companies also run contests and sweepstakes through social media to drive awareness and increase buzz for their products. But content posted by employee brand ambassadors, compensated non-employee endorsers, and participants in a promotion who fail to identify their content as sponsored or paid may be deceptive and misleading in the eyes of the FTC (as Cole Haan discovered when they ran a Pinterest campaign to drive interest in their Wandering Sole product) and state attorneys general. The FTC stated that a “material connection” between a marketer and an endorser must be disclosed “if the relationship is not otherwise apparent from the context of the communication that contains the endorsement.”

7) Avoid statements that are forward-looking or may trigger a Regulation FD disclosure requirement.

Finally, if you work for a public company, SEC laws and regulations impose additional restrictions on what you can and cannot say in your marketing communications. Watch out for “forward-looking statements,” statements of potential or projected future events as expectations or possibilities. Saying “we plan on adding a European office in 2019” or “we expect to double our manufacturing capacity in the next six months” are likely forward-looking statements. Forward-looking statements can lead to securities litigation unless accompanied by the cautionary language required by the statutory “safe harbor” for forward-looking statements by public companies. Additionally, it’s important to ensure any targeted marketing or social media posts do not inadvertently selectively disclose material, non-public information about your publicly-traded company, which is prohibited by SEC Regulation FD (Fair Disclosure). For example, if an employee posts a picture while on-site at a prospective major new client, and the client’s identity can be determined by a logo in the background the employee did not see, the potential relationship inadvertently disclosed by the social media post may trigger the need for a Regulation FD disclosure.


EU-US Privacy Shield Update – Roadworthy (For Now), But All Roads May Be Dead Ends

Last July, the new EU-US Privacy Shield framework became effective. The Privacy Shield replaced the International Safe Harbor Privacy Principles (commonly known as “Safe Harbor”) which had been in place since 2000. Under the EU Data Protection Directive, companies can only transfer data outside of the EU to a country deemed to have an “adequate” level of data protection, and the US (which takes a sectoral approach to data privacy and has no comprehensive national data privacy law) is not one of those countries. Given the importance of EU-US data transfer in the global economy, the Safe Harbor principles were developed as an entity-level, instead of country-level, adequacy mechanism, to allow a US company to achieve a level of adequacy (in the eyes of the EU) which allowed EU-US data transfers with that company to take place. Safe Harbor served as an alternative to two other entity-level adequacy mechanisms: standard contract clauses (SCCs, also known as model contract clauses), which are separately required for each EU company transferring data to a US entity, making them difficult to scale, and binding corporate rules (BCRs), which require Board of Directors approval and significant time and resources and have only been implemented by very large multinational companies. (There is also an individual-level adequacy mechanism – direct consent.)

Everything changed in October 2015, when the European Court of Justice (ECJ) released its decision in a case against Facebook brought by Austrian citizen Max Schrems. The ECJ held that the Safe Harbor framework did not provide adequate privacy protections to EU individuals, and was therefore invalid. Among other reasons for invalidation, the ECJ found broad US government powers to access data (including data of EU citizens) held by private US companies directly conflicted with the EU’s declaration of data protection as a fundamental human right. Given the importance of the Safe Harbor program in facilitating EU-US data transfers, its invalidation had a far-reaching impact. While the EU agreed to wait a few months before bringing any actions against companies in the Safe Harbor program which did not move to an alternative entity-level adequacy mechanism, US companies faced a difficult choice – switch to an alternative and more difficult/costly approach, such as standard contract clauses, or wait and see whether the EU and US could quickly agree on a Safe Harbor replacement before the EU’s enforcement deadline.

Fortunately, the European Commission and the US government quickly accelerated existing talks on resolving shortcomings of the Safe Harbor principles, leading to the announcement of the Privacy Shield program in February 2016. The European Commission quickly issued a draft adequacy decision for the Privacy Shield program, and despite some misgivings about the program from certain groups the European Union gave its final approval on July 12, 2016. The Privacy Shield program is made up of 7 core principles and 15 supplemental principles. Like Safe Harbor before it, it is a self-certification program, and a number of principles are common to both Safe Harbor and Privacy Shield. The Privacy Shield program seeks to address a number of the perceived shortcomings of the Safe Harbor principles, including protection for onward transfer of information by US companies to third parties such as their service providers, multiple ways for individuals to make a complaint about a Privacy Shield-certified company, stronger enforcement mechanisms, and an annual review mechanism. Its intent is to be a replacement entity-level mechanism which addresses the concerns around Safe Harbor cited by the ECJ in the Schrems decision, complies with EU laws, and respects EU citizens’ fundamental rights to privacy and data protection.

Challenges and Headwinds

Since the Privacy Shield program went live in July, over a thousand companies (1,234 as of December 10, 2016, according to the Privacy Shield List) have self-certified under the program. However, the Privacy Shield program, and EU-US data transfers in general, continue to face challenges and headwinds.

  • Legal challenges – déjà vu all over again? After the Privacy Shield program was announced in February 2016, some groups and individuals expressed concerns about the program. When Privacy Shield was approved in July 2016, Max Schrems went on record stating his belief that the Privacy Shield framework was fundamentally flawed and could not survive a legal challenge. As the first legal challenges against Privacy Shield have been filed, we will find out how prescient Mr. Schrems’ comments are. In September, the digital rights advocacy group Digital Rights Ireland filed an action in the EU courts arguing that the EU’s finding of adequacy for the Privacy Shield should be annulled on the basis that the Privacy Shield program’s privacy safeguards are not adequate. In November, a similar challenge was brought by La Quadrature du Net, a French privacy advocacy group. These challenges could result in the Privacy Shield program being very short-lived. Additionally, the ECJ is considering another challenge against Facebook referred to it by the Irish Data Protection Commissioner, this time to standard contract clauses. The proponents in that case are arguing that the same concerns behind the ECJ’s Safe Harbor decision should apply to standard contract clauses. The forthcoming decision in this challenge has the potential to create a precedent that could bring down the Privacy Shield program as well.
  • Other public and private actions may erode Privacy Shield’s validity. On December 1, 2016, a change to Rule 41 of the Federal Rules of Criminal Procedure became effective. The change was intended to give investigators more power to obtain warrants against cyber criminals using botnets or otherwise masking their identity, such as through secure web browsers or virtual private networks. Under the amended rule, law enforcement seeking to use remote access to search media and obtain electronically stored information can obtain a warrant from a magistrate judge located in a district where “activities related to a crime may have occurred” if the actual location of the media or information has been “concealed through technological means.” Since this rule is not limited on its face to servers in the US, without further clarification of the scope of this rule it is possible for it to be used by law enforcement to have a US magistrate judge issue a warrant to search and seize information from servers located in the EU. This global reach would likely be found in direct conflict with the concepts of privacy and data protection as a fundamental human right under the EU’s Charter of Fundamental Rights. Additionally, in early October, reports surfaced that Yahoo! had secretly scanned the email accounts of all of its users at the request of US government officials, which if true would likely be inconsistent with the terms of the Privacy Shield agreement. Opponents of Privacy Shield could use actions such as these as ammunition in their efforts to invalidate the program. In fact, there have already been calls for the European Commission and the EU’s Article 29 Working Party to investigate the Yahoo! scanning allegations, and according to a European Commission spokesperson statement on November 11, 2016, the EC has “contacted the U.S. authorities to ask for a number of clarifications.”
  • Can any EU-US framework be adequate? The legal challenges and public/private actions cited above all lead to one fundamental question that many parties involved in the Privacy Shield program have been hesitant to ask – is there a fundamental, irreconcilable conflict between (1) the United States’ approach to privacy and (2) the EU’s commitment to privacy and data protection as fundamental human rights? If yes, the US’s sectoral approach to data privacy legislation and powers for law enforcement to obtain information from private companies and servers may mean that no entity-level mechanism to facilitate EU-US data transfers is “adequate” in the eyes of the EU, meaning that EU-US data transfers are approaching a dead end. While the US government has imposed restrictions on its surveillance activities in the post-Snowden world, it remains very unclear whether anything short of concrete legislation protecting the rights of EU citizens (which would run counter to US counter-terrorism activities), or a modification of the EU’s principles, would be sufficient. I suspect there may be a difference between the view of those in the EU seeking a pragmatic approach (those that believe that the importance of EU-US data transfers, including economic and geopolitical benefits, necessitates some compromise), and those seeking an absolute approach (those that believe that the EU’s position that data protection is a fundamental human right must trump any other interests). The forthcoming decisions in the challenges to standard contract clauses and the Privacy Shield program will likely help shed light on whether this fundamental conflict is fatal to any entity-level mechanism.
  • Compliance, not certification, with the Privacy Shield principles is what matters. A number of US companies have chosen to tout their Privacy Shield self-certification via blog posting or press release (for examples, see here, here and here). While a press release on Privacy Shield certification can be useful to demonstrate a company’s global presence and commitment to data privacy, remember that it’s a self-certification process (although some companies are using third-party services such as TRUSTe to help them achieve compliance). A company’s certification of compliance with the Privacy Shield principles is less important than the processes and procedures it has put in place to manage that compliance. If you need to determine whether a company is self-certified under the Privacy Shield program, you can search the database of certified companies at http://www.privacyshield.gov/list, and check its website privacy policy, which should contain disclosures affirming and relating to its commitment to the Privacy Shield principles. If you’re a company certified under the Privacy Shield, be prepared to answer questions from EU companies on how you comply with the Privacy Shield principles – you may be asked.

So, what does all this mean? At the moment, Privacy Shield may be a bit rickety, but unless your company can effectively use standard contractual clauses or binding corporate rules, short of direct consent it’s the only game in town for US companies which need to receive data from their EU clients, customers and business partners. Even SCCs may be a short-lived solution, meaning many companies may not want to invest the time, effort and expense required to adopt that entity-level approach. Due to the current state of Privacy Shield and EU-US data transfers in general, US companies may want to consider the wisdom of the “Herd on the African Savanna” approach to compliance – the safest place to be in a herd on the African savanna is in the center. It’s almost always the ones on the outside which get picked off, not the ones in the center. Unless there is a compelling business reason to be on the outside of the herd (a desire to be viewed as a market leader, a willingness to risk doing nothing until clearer direction is available, etc.), the safest place from a compliance perspective is to stick with the pack. While that approach is not for everyone, many companies may feel that being in the center of the herd of US companies dealing with EU-US data transfers is the safest approach while the fate of the Privacy Shield, and of EU-US data transfers in general, plays out.
