The Future of Phishing is Deepfakes. Here’s How You Can Combat “Deep Phishing.”

Phishing is used by bad actors to send a communication, e.g., an email or IM, pretending to be a trustworthy source in order to get people to divulge sensitive information such as usernames, passwords, credit card information, date of birth/SSN, etc. An example is where you receive an email that appears to be from your bank saying your account has been suspended, providing a (malicious) URL you can use to verify your credentials or credit card information to unlock your account. General phishing attacks are sent in waves to large groups of recipients, hoping some will think it’s real and divulge their information.

Bad actors also use targeted phishing, where a phishing communication is aimed at one recipient or a small group of recipients, often using some basic information the actor already has about them. Two examples of targeted phishing are spear phishing, a phishing attack targeted at a single company, organization, or individual, and whaling, a spear phishing attack aimed directly at company executives, finance personnel, and other high-value targets within an organization. Targeted phishing communications, especially whaling, usually include credibility-enhancing details designed to entice someone to transfer company funds, provide sensitive company information, or hand over credentials that can be used to attack a company’s network. A well-known example of whaling is an email purportedly from a CEO to a controller, containing details designed to convince the recipient that the message is legitimate, directing the controller to pay a fake vendor invoice right away in an attempt to trigger a wire transfer to the bad actor’s own account.

Anti-phishing tools and strategies employed by many companies, as well as anti-phishing training, which is becoming more prevalent, have helped minimize the success of phishing attacks. Unfortunately, a dark revolution in phishing is on the horizon. “Deepfakes” (derived from “deep learning” and “fakes”) use artificial intelligence to create video or audio of a human that is virtually indistinguishable from an authentic recording. A well-known early example is a deepfake created by Jordan Peele of Barack Obama giving a public service announcement warning the public of the dangers of deepfakes. While deepfakes’ first broad application was in the realm of pornography, and deepfakes often still have telltale signs that they are not authentic, the technology continues to improve by leaps and bounds. People have begun to create sophisticated, difficult-to-spot deepfakes and edited videos for nefarious purposes, such as political attacks. Imagine the well-timed online release of a video that appears to show a prominent politician admitting he took a bribe; even if it’s fake and the politician vehemently denies the veracity of the video, the bad publicity may be enough to sway an election.

It is only a matter of time before deepfakes are used regularly in targeted phishing attacks against companies and individuals. Imagine the whaling emails of the 2010s replaced with a deepfake voicemail sounding exactly like your CEO, a deepfake video message that appears to be from your CEO, or even a deepfake audio or video call with your “CEO,” asking you by name to expedite a large wire transfer to a vendor. I call the use of deepfakes for enhanced phishing attacks “deep phishing.” Where in the past sophisticated makeup and sets would be needed to fool someone into thinking they were talking to someone else, deepfakes will make doing so disturbingly easy and relatively inexpensive with the right technology.

Strategies to Combat Deep Phishing

It’s impossible to predict when deep phishing attacks will become prevalent. While security companies will likely develop and offer solutions designed to help companies detect deepfakes, such solutions are not widely available today, and even when they are, not all companies will be able to afford or implement them. Companies should consider proactively employing less-costly, easier-to-implement strategies today to protect against deep phishing attacks. These strategies may help protect your company against today’s targeted phishing attacks as well. Here are some suggested approaches:

Manual Verification of Targeted Communications

The simplest way to combat deep phishing is to manually verify any communication of the kind typically used in targeted phishing attacks, such as a request to transfer funds over a certain threshold to a third party, a request to send your login credentials to someone, or a request to send sensitive customer or business information to someone. We’ll call these types of communications “targeted communications.” Designate two people who must sign off, and require that at least one verification be obtained through contact initiated by the recipient, using contact details from the company’s own directory rather than any phone number, email address or link supplied in the request itself (those can be spoofed or attacker-controlled). A request that cannot be confirmed this way is not acted upon. With these controls in place, companies can substantially reduce the risk of falling prey to a phishing or deep phishing attack.

Authenticated Communications

Another strategy to combat deep phishing is to use authenticated communications. An authenticated communication includes an auditory, written, visual, or action key or watermark, changed periodically, which must be present in any targeted communication. If a communication includes the current key, it can be considered authentic. For example, depending on the level of security required, a key could be a spoken phrase (e.g., “seventeen bravo charlie”) or keyword (e.g., “tangerine”) in audio; a specific pin worn on a lapel, or a specific background item or hand signal, in a video; or a specific image file or special signature inserted into a written communication. A key could also be an action, such as a 5-second pause in a recording. Companies could also use multiple keys, or rotate among different key types. Unless the bad actor knew the current authentication key(s), a company would have a greater chance of catching a deep phishing attempt before it succeeded. Keep in mind that a key spoken or shown in a recording is exposed to anyone who obtains that recording, so keys must be distributed out of band (never in the same email or call they are meant to authenticate), rotated on a schedule, and treated as burned if they are seen in a message that later turns out to be suspicious.

For enhanced security, consider using an algorithmic key: a 6-digit one-time code generated by a hardware token (e.g., an RSA SecurID token, whose code changes every 60 seconds) or a TOTP authenticator app such as Google Authenticator (whose code changes every 30 seconds). The requestor includes the current code in the targeted communication, and the recipient checks it against the secret enrolled for that requestor. Because the code is derived from a secret the bad actor does not hold and expires within a minute, a captured message or recording cannot be replayed later, which makes a successful deep phishing attack extremely difficult.

Multiple Vector Communications

Another strategy to combat deep phishing is the use of multiple vector communications. Just as multi-factor authentication requires you to provide two or more things you know, have or are in order to prove your identity, a multiple vector authorization would require a targeted communication to be sent through two or more communication methods, or “vectors,” at or close to the same time. For example, in order to be considered genuine, an email or voicemail request must be accompanied by a text message from the requestor confirming the request within 10 minutes. Without the confirming communication, the original request is rejected. The second vector only helps if it is one the bad actor is unlikely to control as well, so the confirming message must come from (or be sent to) contact details held in the company directory, not details supplied in the original request.

Multiple Vector Authentication

For extremely sensitive requests, companies could consider combining authenticated communications and multiple vector communications into a multiple vector authentication. In order for someone to take action on a targeted communication, the requestor must provide a key broken into two or more parts, each sent via a separate communication vector. Once all parts are received, the key can be assembled and verified by the recipient. The key would need to be changed regularly. If any of the communication vectors is missing its part of the key, or carries an old key component, there’s a good chance it’s a phishing or deep phishing attack. As with the other strategies, the parts must be exchanged through contact details from the company directory; if the bad actor controls both vectors (e.g., a compromised mailbox plus a spoofed caller ID), splitting the key buys little.
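The recipient-side checks for the three strategies above (the algorithmic key, the 10-minute second-vector window, and the key split across vectors) can be done with a small amount of code. The following Python is an added example written for this page, not code from the original post or from any product it mentions: it implements RFC 6238 TOTP (the scheme behind Google Authenticator; RSA SecurID tokens use a proprietary algorithm and are not reproduced here), verifies a code with a small clock-skew tolerance, and then verifies a key whose fragments arrived over two different vectors within the window. The step length, digit count, window length, vector names, the `Part` record, the `verify_*` function names and the demo secret (the RFC 4226/6238 test-vector secret) are all assumptions made for the example.

```python
"""
Added example (not part of the original post): verifying a targeted
communication with an algorithmic key (RFC 6238 TOTP) and with that
key split across two communication vectors.  All names, parameters and
sample data below are constructed for illustration.
"""
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Sequence

STEP = 30             # seconds per TOTP step (RFC 6238 default) - assumption
DIGITS = 6            # code length - assumption
SKEW_STEPS = 1        # tolerate +/- one step of clock drift between parties - assumption
WINDOW_SECONDS = 600  # all parts of a multi-vector request must arrive within 10 minutes

# Constructed demo secret: the RFC 4226/6238 test-vector secret.  Never use in production.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # low nibble of last byte selects 4 bytes
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, at // step)


def verify_totp(secret: bytes, code: str, at: int, skew: int = SKEW_STEPS) -> bool:
    """Check `code` against the step containing `at` and its `skew` neighbours, in constant time."""
    if len(code) != DIGITS or not (code.isascii() and code.isdigit()):
        return False
    counter = at // STEP
    return any(
        hmac.compare_digest(hotp(secret, c), code)
        for c in range(counter - skew, counter + skew + 1)
    )


@dataclass(frozen=True)
class Part:
    """One fragment of the key as received on one vector (hypothetical record type)."""
    vector: str        # e.g. "email", "sms", "voice"
    index: int         # position of this fragment in the assembled key
    fragment: str      # the digits carried on this vector
    received_at: int   # Unix time at which the recipient logged the part


def verify_multi_vector(secret: bytes, parts: Sequence[Part], min_vectors: int = 2) -> bool:
    """
    Multiple vector authentication: the key must arrive in pieces over at least
    `min_vectors` distinct vectors, every piece within WINDOW_SECONDS of the first,
    and the reassembled key must be the TOTP valid when the first piece arrived.
    """
    if not parts:
        return False
    if len({p.vector for p in parts}) < min_vectors:
        return False                   # everything came over one (possibly spoofed) channel
    if len({p.index for p in parts}) != len(parts):
        return False                   # duplicate or replayed fragment
    first = min(p.received_at for p in parts)
    if max(p.received_at for p in parts) - first > WINDOW_SECONDS:
        return False                   # a straggler outside the window: treat the request as stale
    assembled = "".join(p.fragment for p in sorted(parts, key=lambda p: p.index))
    return verify_totp(secret, assembled, first)


if __name__ == "__main__":
    # Constructed scenario: the requestor emails the first half of the code and texts the second.
    code = totp(DEMO_SECRET, 59)       # "287082" for the demo secret (RFC 6238 test vector)
    parts = [Part("email", 0, code[:3], received_at=59), Part("sms", 1, code[3:], received_at=200)]
    print("two vectors, in window:", verify_multi_vector(DEMO_SECRET, parts))            # True
    late = [parts[0], Part("sms", 1, code[3:], received_at=59 + WINDOW_SECONDS + 1)]
    print("second part too late  :", verify_multi_vector(DEMO_SECRET, late))             # False
    one_channel = [Part("email", 0, code[:3], 59), Part("email", 1, code[3:], 60)]
    print("single vector only    :", verify_multi_vector(DEMO_SECRET, one_channel))      # False
```

Two design points are worth keeping if you adapt this. The reassembled key is checked against the time the first fragment arrived (the moment of the request), not the time the last one arrived, so a late fragment cannot be paired with a code from a later step; and `hmac.compare_digest` is used so the comparison does not leak how many digits matched. None of this replaces the directory lookup: the second vector must still reach contact details the company already holds, not details taken from the message being verified.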

Make Phishing and Deep Phishing Training Your Cornerstone

Finally, it’s worth reiterating that the most important thing a company can do to combat phishing or deep phishing attacks is to continually educate its employees on the dangers of phishing and deep phishing. Make this the cornerstone of your anti-phishing strategy. Ensure all employees know what to look for when it comes to phishing, and train them on the dangers of deep phishing. Training should cover anyone who has access to sensitive information or systems. Ensure your vendors (especially those with integrations into your systems) are contractually obligated to perform anti-phishing training for their personnel at least semi-annually and to have reasonable administrative, procedural and technical security measures in place. If you adopt one of the strategies above to combat deep phishing, ensure the right personnel are trained on it and that its details (keys, vectors, thresholds) are kept strictly confidential. Otherwise, ensure targeted communications are verified manually before they are acted upon. The best anti-phishing strategy in the world won’t stop a phishing or deep phishing attack if it’s not applied in practice.

Eric Lambert is commercial counsel with Trimble Inc., a geospatial solutions provider focused on transforming how work is done across multiple professions throughout the world’s largest industries. He serves as division counsel for the Trimble Transportation business units, leading providers of software and SaaS fleet mobility, communications, and transportation management solutions for the transportation and logistics industry. He is a corporate generalist and proactive problem-solver who specializes in transactional agreements, technology/software/cloud, privacy, marketing and practical risk management. Eric is also a life-long techie, Internet junkie and an avid reader of science fiction, and dabbles in a little voice-over work. Any opinions in this post are his own. This post does not constitute, nor should it be construed as, legal advice.

The California Consumer Privacy Act: Why (and How) to Start Preparing Now

By now most companies have heard about the California Consumer Privacy Act (“CCPA”). Privacy as an inalienable right has been enshrined in the California Constitution since 1972, and California has developed a reputation as being at the forefront of state privacy legislation. California is also known for grassroots-driven legislation through the ballot initiative process known as “Propositions.” The Cambridge Analytica scandal led to a combination of the two: a proposed data privacy law with extremely burdensome obligations and draconian penalties garnered enough signatures to appear on the ballot in November 2018. To prevent this from happening, the California legislature partnered with California business and interest groups to introduce and pass the California Consumer Privacy Act. It went from introduction to being signed into law by the governor of California in a matter of days in June of 2018, resulting in withdrawal of the ballot initiative. No major privacy legislation had ever been enacted as quickly. The law becomes operative on January 1, 2020. The California Attorney General is required to adopt implementing and clarifying regulations, expected sometime in 2019, and the Attorney General cannot bring enforcement actions until six (6) months after those regulations are published or July 1, 2020, whichever is sooner. Given the speed at which it was enacted, CCPA has numerous drafting errors and inconsistent provisions which will need to be corrected. In addition, as of the date of this article, the implementing regulations have not yet been released.

Other states have introduced statutes similar to CCPA, and there is some discussion in Congress about a superseding national data privacy law. Because of this, companies may want to look at CCPA compliance from a nationwide, rather than California-only, perspective. For companies hoping that CCPA will be scaled back or repealed, that’s not likely to happen. The clock is ticking for businesses to develop and implement a compliance plan. When determining what compliance approach to take, consider the wisdom of the “Herd on the African Savanna” approach to compliance: the safest place to be in a herd on the African savanna is right in the center. It’s almost always the ones on the outside which get picked off, not the ones in the center. The ones more likely to be “picked off” through an investigation or lawsuit are the ones at the front of the herd (e.g., those who want to be viewed as leaders in compliance) and the ones at the back of the herd (e.g., those who start working on compliance too late or don’t make serious efforts to comply). For many companies, being in the center of the herd is the optimal initial position from a compliance perspective. Once additional compliance guidance is released, e.g., through clarifying regulations, press releases, or other guidance from the state Attorney General, companies can adjust their compliance efforts appropriately.

In this article, I’ll talk through steps that companies may want to consider as a roadmap towards CCPA compliance. (This is a good place to note that the information in this article does not constitute legal advice and is provided for informational purposes only. I summarize and simplify some CCPA provisions for ease of discussion; you should look at the specific language of the statute to determine if a provision applies in your case. Consult your own internal or external privacy counsel to discuss the specifics of CCPA compliance for your own business.)

 

A Quick CCPA Refresher

The first problem with the “California Consumer Privacy Act” is its name. It applies to personal information collected about any California resident (not just consumers) in either a business-to-consumer (“B2C”) or business-to-business (“B2B”) context. It applies to almost every business entity that collects personal information about California residents, as well as to their affiliates, their service providers, and other third parties with which personal information is shared or disclosed. The terms “service provider” and “third party” are somewhat similar under the CCPA: both are businesses to which a company discloses a person’s personal information for a business purpose pursuant to a written contract. The difference between the two is whether the information is being processed on behalf of the disclosing company. For example, Salesforce would be a service provider: it processes personal information on behalf of your company. However, if the company with whom you share personal information processes it for its own benefit, not yours, it’s a “third party” under the CCPA.

“Personal Information” is defined extremely broadly under CCPA, in some ways even more broadly than under the EU’s General Data Protection Regulation (“GDPR”). It is information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular person or household. It includes but is not limited to IP address, geolocation data, commercial information, professional and employment-related information, network activity, biometric information, audio/video, and behavioral analytics about a person. CCPA covers businesses which “collect” a California resident’s personal information, defined as actively or passively obtaining, gathering, accessing or otherwise receiving personal information from a person, or by observing the person’s behavior. It also covers “selling” personal information, which is another bad choice of a defined term: “selling” personal information under the CCPA includes selling, renting, sharing, disclosing, or otherwise communicating (by any means) personal information to another business or third party for monetary or other valuable consideration, with some significant exceptions.

CCPA creates five (5) rights for California residents:

  • The Right to Know – California residents have a general right to know the categories and purposes of personal information collected, sold, or otherwise disclosed about them.
  • The Right to Access and Portability – California residents have a specific right to know how, why and what personal information about them is being collected, sold or disclosed, and if information is provided electronically, to receive it in a portable format.
  • The Right to Deletion – California residents have a right to request the deletion of personal information about them collected by a business, with some exceptions.
  • The Right to Opt Out – California residents have a right to say “no” to a company’s sale, sharing or transfer of their personal information to third parties.
  • The Right to Equal Service & Pricing – California residents have a right to equal service and pricing whether or not they choose to exercise their CCPA rights.

Creating and Implementing a CCPA Compliance Plan

For companies that have not already gone through a GDPR compliance effort, CCPA compliance can seem daunting. However, creating a solid compliance plan and getting started now maximizes the chance your company will be in good shape for CCPA once it becomes effective. Here are some things to consider as you create and implement a CCPA compliance plan for your business. (Please note that if your company has already gone through a GDPR compliance effort, some of these may already be fully or mostly in place.)

1. Identify CCPA Champions within your business

An important initial step towards CCPA compliance is to identify the person(s) within your company who will lead the CCPA compliance effort. CCPA compliance will require a cross-departmental team. This often includes Legal (to advise on and help interpret the statutory and regulatory requirements, to monitor for new developments both on CCPA and on similar federal and state legislation, and to create a compliance plan for the business if the company does not have a data governance team); Development and Information Technology (to implement the necessary technical and operational systems, processes, and policies which enable CCPA compliance); Sales leadership (for visibility into CCPA compliance efforts and to help manage inbound requests for CCPA compliance addenda); Customer Support (as CCPA requires customer support personnel to be trained on certain aspects of CCPA compliance); Security (if your company has a Chief Information Security Officer or other information security person or team); Data Governance (if your company has a data governance person or team); and an executive sponsor (to support the CCPA compliance efforts within the C-Suite). Depending on your company, there may be other involved groups/parties as well.

2. Determine how CCPA applies to your business

A key early step in CCPA compliance is determining how CCPA applies to your business. There are different compliance requirements for companies that collect personal information, companies that process personal information as a service provider for other companies, and companies that “sell” personal information or disclose it for a business purpose.

  • Does your business collect information directly from California residents, e.g., through online web forms, through customer support contacts, from employees who are California residents, through creation of an account, etc.? If so, it must comply with CCPA requirements for companies that collect personal information (a “data controller” in GDPR parlance).
  • Does your business receive and process personal information on behalf of customers or other third parties? If so, it must comply with CCPA requirements for companies acting as a service provider (a “data processor” in GDPR parlance). If you are a service provider, you must ensure your service offerings enable customers to comply with their own obligations under CCPA. If not, expect a lot of requests for assistance from your customers, which could result in significant manual effort.
  • Does your business (a) “sell” personal information to affiliates, service providers or third parties (other than for the excluded purposes under CCPA), and/or (b) disclose or otherwise share personal information with an affiliate, service provider or third party for operational or other notified purposes? If so, it must comply with CCPA requirements for companies that “sell” personal information or disclose it for a business purpose. It’s important to note that under Section 1798.140(t)(2) of the CCPA, there are certain exceptions that, when satisfied, mean a company is not “selling” personal information under the CCPA. For example, a business does not “sell” personal information if a person uses that business’s software or online system, or gives consent for the business, to disclose their personal information to a third party, as long as that third party is also obligated not to “sell” the personal information. As another example, a business does not “sell” personal information when it shares it with a service provider, as long as certain conditions are met.

3. Inventory your data assets, data elements and data processes

One of the most important steps in CCPA compliance, and data privacy compliance in general, is to conduct a data inventory. For CCPA purposes, consider inventorying your data assets (programs, SaaS solutions, systems, and service providers in which data elements are stored for use in data processes), data elements (elements of personal and other information stored in data assets), and data processes (business processes for which data elements are stored and processed in data assets). This inventory should also collect information on service providers and other third parties with whom data elements are shared or disclosed by your business, and the purposes for which information is shared or disclosed. Companies should try to complete this inventory as quickly as possible. The CCPA compliance team should create a list of the internal individuals who should complete this inventory; once all responses are received, the compliance team should consolidate the responses into a master table.

The data inventory is a snapshot in time.  It’s also important to refresh the data inventory on a regular basis, e.g., quarterly, to capture changes to data collection and usage over time.

4. Cease any unnecessary collection and/or storage of personal information (“data minimization”)

Once the data asset/element/process inventory is created, businesses should use the opportunity to conduct a “data minimization” exercise. One of the central principles of data privacy is data minimization: limiting the collection and storage of personal information to only what is directly necessary and relevant to accomplish a specified business purpose. The CCPA compliance team should consider both (a) identifying data elements without an associated data process, which I call “orphaned data elements,” and purging stored orphaned data elements and ceasing their further collection; and (b) identifying inbound data collection or transfers that are not tied to any business purpose, which I call “orphaned data transfers,” and ceasing any further orphaned data transfers and terminating the associated contracts. Also consider validating that record retention policies are being followed, so that data is promptly and irretrievably deleted once it is no longer needed for a business purpose.

5. Implement a compliance plan for the 5 CCPA privacy rights

The heart of a CCPA compliance plan is implementing compliance with the 5 privacy rights created by the CCPA.  A solidly-constructed plan should cover compliance requirements where the business acts as a data collector, a service provider, or a company selling or otherwise disclosing personal information.

a. The Right to Know

One of CCPA’s core requirements is to publicly provide the necessary disclosure of the CCPA privacy rights, including the specific methods by which a person can submit requests to exercise those rights.  Many companies will likely add this to their privacy policy, as well as any California-specific disclosures already made by the business. Don’t forget this disclosure needs to be added not only to websites, but to mobile apps.  The disclosures must include a list of the categories of personal information collected, sold or disclosed for business purposes during the previous 12 months, as well as a list of the business purposes for which the categories are used. If this information is collected as part of the data inventory, it can greatly simplify the process of creating this disclosure.  The implementation plan should include a process for updating these disclosures as needed to reflect a rolling 12-month period.

b. The Right to Access and Portability

Another key requirement is the implementation of a process to respond to verifiable requests from data subjects for the following information covering the 12-month period preceding the request date.  Companies will need to provide information including:

  • The categories of personal information collected about that person
  • The categories of sources from which the personal information is collected
  • The business/commercial purpose for collecting/selling personal information
  • The categories of third parties to which their personal information is shared/disclosed
  • The specific data elements collected about that person for the 12-month period preceding the request date (this could be read to conflict with data destruction policies or data minimization best practices, but I suspect that destruction policies or data minimization best practices will trump this disclosure requirement)
  • If a person’s personal information is sold or is disclosed for a business purpose by your business unit, additional information must be provided

If the data inventory is done right, it can be a source of data for this response (except for the requestor’s specific data elements). Companies must provide at least 2 methods for a person to submit a verifiable request; a toll-free number and a website address are both required. The California Attorney General will release regulations on how to “verify” a request. Information must be disclosed within 45 days of receipt of the request, but there is a process under CCPA to extend the time period to 90 days if necessary. If information is provided electronically, it must be provided in a portable format (e.g., an .xml file). The team that is responsible for fulfilling verified requests should be trained on how to prepare a response, and should test the process before the CCPA effective date to validate that it works properly. You can’t require someone to have an account with you in order to submit a request. Don’t forget to train your website and customer service personnel on how to handle consumer requests.

Also, if you are a service provider, your clients will look to you to ensure they are able to pull information from your systems necessary for them to comply with the right to access and portability. Don’t overlook including in your compliance plan a review of your customer portal and interfaces (e.g., APIs) to ensure customers are able to satisfy their CCPA compliance obligations.

c. The Right to Deletion

Another key requirement is to implement a process to delete the collected personal information of a person if that person submits a verified request for deletion, and to direct your service providers to do the same. Note that this does not apply to third parties with whom information has been shared or disclosed who are not service providers. As with the right to access and portability, you can’t require someone to have an account with you to exercise this right.

There are many important exclusions to the right of deletion.  These include:

  • Completing a transaction with, providing a good or service requested by or reasonably anticipated under a business relationship with, or otherwise needed to perform a contract with, a person
  • Security purposes
  • Debugging and error resolution
  • Conducting formal research (many conditions apply)
  • “Solely internal uses” that are reasonably aligned with a person’s expectations based on the person’s relationship with the business
  • Compliance with a legal obligation
  • Internal uses in a lawful manner that is compatible with the context in which the person provided the personal information
  • Other limited exceptions under CCPA

d. The Right to Opt Out

This one may be the most challenging for many companies to implement. It applies if a business “sells” personal information to third parties, or otherwise shares personal information with a third party (e.g., under a data sharing agreement). CCPA appears to provide that an opt-out would not apply to information provided to a company’s own service providers to further the company’s own business purposes, as long as certain contractual requirements are in place with the service provider.

CCPA requires companies to implement a “Do Not Sell My Personal Information” opt-out page linked from the homepage footer of the website and from their mobile apps. (The description of a person’s rights under CCPA in section (a) above should include a description of the right to opt out.) Creating a process to verify requests (pending guidance from the California Attorney General) is especially important here, since opt-out requests can be submitted by a person or by that person’s “authorized representative.” Once a request has been verified, the person’s personal information cannot be sold to third parties until the person later revokes the opt-out by giving the business permission to sell it; a practical way to enforce this is to associate an opt-out flag with the personal information wherever it is stored and to check that flag before any disclosure to a third party. Note that the business cannot ask the person to opt back in for at least 12 months from the opt-out date. Companies must also train their customer service representatives on how to direct persons to exercise their opt-out rights.

e. The Right to Equal Service and Pricing

As part of a CCPA compliance plan, businesses should consider ways to make sure that they do not charge more or otherwise “discriminate” against a person who chooses to exercise one of their CCPA rights. A business can offer financial incentives to persons for the collection, sale or retention of their personal information, as long as that incentive is not unjust, unreasonable, coercive or usurious.

5. Verify you haveCCPA-compliant written contracts in place with service providers and third parties receiving personal information

Personal information governed by CCPA may only be disclosed to a service provider or third party under a written contract. Businesses should work with their internal or external Legal resource to validate that written contracts are in place with all service providers and third parties to which personal information is disclosed, and that there is a valid business purpose for disclosing the personal information. If no written agreement exists, work with your Legal resource to negotiate and execute a CCPA-compliant agreement. For existing written agreements, a CCPA contract addendum will likely be required which adds into the agreement the obligations and commitments required under CCPA. Don’t forget to look at any data sharing with your corporate affiliates which is likely under an inter-company agreement.

6. Prepare for compliance requests where your company is a service provider

If your company is a service provider to other businesses, you should expect to start receiving questions about, and contract amendments/addenda related to, CCPA.  It’s the inverse of #5 above. Consider how to most efficiently handle these requests. Some companies may want to consider whether to have a standard CCPA compliance addendum for use with customers, or to have a CCPA compliance statement on a public facing website that can be referred to as needed.  Work with Sales and account managers to educate them as to why the company cannot accept a customer’s own CCPA addenda, which may include more than just CCPA compliance terms.

7. Take steps to permit continued use of de-identified personal information

A CCPA compliance plan should also include the steps needed so your company can continue to use de-identified personal information (an information record which is not reasonably capable of being identified with, relating to, describing, being associated with or being directly/indirectly linked to the source person) and aggregated personal information (information relating to a group or category of persons from which individual identities have been removed, and which is not linked or reasonably linkable to a person or device).  CCPA addresses de-identified data only with respect to the following requirements, but the same safeguards and processes would likely apply to aggregated personal information.

  • Implement technical safeguards to prohibit re-identification of the person to whom de-identified personal information pertains.
  • Implement business processes that specifically prohibit re-identification of de-identified personal information.
  • Implement business processes to prevent the inadvertent release of de-identified personal information.

Your company can only use de-identified personal information as long as it makes no attempt to re-identify the de-identified personal information (whether or not that attempt is successful).  If your company begins re-identifying personal information, cease any use of de-identified personal information immediately.

8. Review your security procedures and practices, and consider encryption and data redaction options

Finally, businesses are encouraged to review their security procedures and practices to ensure they are reasonable and appropriate to protect personal information in their possession or control. CCPA creates a private right of action for consumers whose un-encrypted or un-redacted personal information is subject to an unauthorized “access and exfiltration,” theft, or disclosure as the result of a business’s violation of its duty to implement and maintain reasonable security procedures and practices to protect personal information appropriate to the nature of the information. For this private right of action, CCPA specifically uses a different definition of personal information, the one found in California Civil Code § 1798.81.5(d)(1)(A). Here, “personal information” means a person’s first name or first initial and last name coupled with the person’s (i) social security number, (ii) driver’s license number or California identification card number, (iii) account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account, (iv) medical information, and/or (v) health insurance information, where such information is not encrypted or redacted. Any private right of action is sure to spawn a cottage industry of class action lawsuits. If your company collects and/or receives personal information as defined above, consider a review of your company’s security procedures and practices to ensure that they are reasonable and appropriate to protect such personal information given the nature of the information.

In 2016, the California Attorney General issued a Data Breach Report in which the Attorney General stated that “[t]he 20 security controls in the Center for Internet Security’s Critical Security Controls identify a minimum level of information security that all organizations that collect or maintain personal information should meet. The failure to implement all the Controls that apply to an organization’s environment constitutes a lack of reasonable security.” Given this, all companies are encouraged to review the Center for Internet Security’s Critical Security Controls to ensure that they meet the California AG’s minimum definition of “reasonable security.”

The California Attorney General’s report included other recommendations, such as use of multi-factor authentication on consumer-facing online accounts containing sensitive personal information, and the consistent use of strong encryption to protect personal information on laptops, portable devices, and desktop computers. Companies may want to evaluate whether implementing encryption at rest on servers, workstations, and removable media, and/or redacting personal information (e.g., through tokenization and deletion of the source data or another data redaction technique), would make sense as a part of their security procedures and practices.
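As an added illustration (not code from the post or from Trimble), here is a Python sketch of two checks that follow from item 8 and from the re-identification safeguards in item 7: deciding whether a stored record is “personal information” under the definition quoted from § 1798.81.5(d)(1)(A) (a name coupled with a listed element held in the clear), and redacting such a record by tokenization with the source mapping discarded, so the redacted record no longer meets the definition and the holder has no technical means to link it back. The field names, the token prefix and the sample records are assumptions; a field counts as protected only when it is listed as stored encrypted.

```python
"""Classify and redact records against the breach definition of "personal information"
quoted in the post (Cal. Civ. Code section 1798.81.5(d)(1)(A)).
Added illustration; field names, token prefix and sample records are assumptions."""
import secrets

# (i), (ii), (iv), (v) of the quoted definition: each counts on its own when paired with a name.
STANDALONE_ELEMENTS = ("ssn", "drivers_license", "ca_id_number",
                       "medical_info", "health_insurance_info")
# (iii): an account or card number counts only together with a code or password
# that would permit access to the financial account.
ACCOUNT_NUMBERS = ("account_number", "card_number")
ACCESS_SECRETS = ("security_code", "access_code", "password")
TOKEN_PREFIX = "tok_"  # assumed marker for values replaced by redact()


def _in_clear(record, field, encrypted_fields):
    """A field is exposed when present, not already a redaction token,
    and not recorded as stored encrypted."""
    value = record.get(field)
    if not value:
        return False
    if isinstance(value, str) and value.startswith(TOKEN_PREFIX):
        return False
    return field not in encrypted_fields


def _has_name(record):
    # first name OR first initial, coupled with a last name
    return bool(record.get("first_name") or record.get("first_initial")) and bool(record.get("last_name"))


def is_covered(record, encrypted_fields=frozenset()):
    """True when the record is 'personal information' for the CCPA private right of action:
    a name plus at least one listed data element held unencrypted and unredacted."""
    if not _has_name(record):
        return False
    if any(_in_clear(record, f, encrypted_fields) for f in STANDALONE_ELEMENTS):
        return True
    number_exposed = any(_in_clear(record, f, encrypted_fields) for f in ACCOUNT_NUMBERS)
    secret_present = any(record.get(f) for f in ACCESS_SECRETS)
    return number_exposed and secret_present


def redact(record):
    """Return a copy with every listed element replaced by a random token.
    The token-to-value mapping is deliberately not kept (the post's 'tokenization and
    deletion of the source data'), so the holder cannot reverse the redaction."""
    redacted = dict(record)
    for field in STANDALONE_ELEMENTS + ACCOUNT_NUMBERS + ACCESS_SECRETS:
        if redacted.get(field):
            redacted[field] = TOKEN_PREFIX + secrets.token_hex(8)
    return redacted


# Constructed sample records (not real people).
SAMPLES = {
    "name_and_ssn": {"first_name": "Jane", "last_name": "Doe", "ssn": "123-45-6789"},
    "initial_card_and_code": {"first_initial": "J", "last_name": "Doe",
                              "card_number": "4111111111111111", "security_code": "123"},
    "card_without_code": {"first_name": "Jane", "last_name": "Doe",
                          "card_number": "4111111111111111"},
    "ssn_without_name": {"ssn": "123-45-6789", "email": "jdoe@example.com"},
}


def classify_samples():
    """Map each constructed sample to whether it is covered when stored in the clear."""
    return {name: is_covered(rec) for name, rec in SAMPLES.items()}


if __name__ == "__main__":
    for name, covered in classify_samples().items():
        print(f"{name}: {'COVERED' if covered else 'not covered'}")
    print("ssn encrypted at rest:", is_covered(SAMPLES["name_and_ssn"], {"ssn"}))
    print("after redaction:", is_covered(redact(SAMPLES["name_and_ssn"])))
```

Two design points worth noting: a card number without a code or password is not covered on its own, which is why the check treats element (iii) differently from the others, and the redaction keeps a token in place of the value (so records can still be joined or counted) while holding no mapping back to the original, which is what makes it a redaction rather than a reversible lookup.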


Eric Lambert is counsel for the Transportation division of Trimble Inc., a geospatial solutions provider focused on transforming how work is done across multiple professions throughout the world’s largest industries. He supports the Trimble Transportation Mobility and Trimble Transportation Enterprise business units, leading providers of software and SaaS fleet mobility, communications, and data management solutions for transportation and logistics companies. He is a corporate generalist and proactive problem-solver who specializes in transactional agreements, technology/software/cloud, privacy, marketing and practical risk management. Eric is also a life-long techie, Internet junkie and avid reader of science fiction, and dabbles in a little voice-over work. Any opinions in this post are his own. This post does not constitute, nor should it be construed as, legal advice.

Defend, Indemnify and Hold Harmless: What They Mean and How To Use Them

Some phrases turn up regularly in contracts, e.g., a party that “represents, warrants and covenants” something; the grant of a “right and license”; a set of “terms and conditions”; and a party owning all “right, title and interest” to something. When drafting, reading and/or interpreting a contract, you may view each of these phrases as a single concept. However, the component terms in these phrases often have different meanings. I have previously written about the differences between representations, warranties and covenants, and why those differences can be extremely important.

A core element of every contract is risk allocation. Most agreements contain risk allocation clauses such as limitation of liability, disclaimer of consequential damages, insurance obligations, and indemnification obligations. A contractual indemnification provision often begins with a statement that a party shall “indemnify, defend and hold harmless” one or more other parties from and against losses, damages, etc. arising from or relating to certain acts, omissions or occurrences. There are three separate and distinct concepts in this phrase – an obligation to indemnify, a duty to defend, and an obligation to hold harmless. Should these always be used together? Or are there circumstances when only one or two should be used, or used separately? Understanding what each of these concepts means and how to use them strategically (as a whole or in parts) is critical to ensuring an agreement contains the right risk allocation.

Here’s a handy summary chart to differentiate these three concepts:

The obligation to indemnify

An “indemnity” is a core risk shifting provision of a legal contract, obligating one party (the “indemnitor” or the “indemnifying party”) to compensate and reimburse (or “indemnify”) the other party (the “indemnitee” or the “indemnified party”) for certain losses such as monetary costs and expenses (the “indemnified losses”) which arise from, result from or relate to certain acts, omissions or occurrences defined in the contract (the “scope of the indemnity.”) Properly defining the scope of the indemnity and any exclusions to scope, the indemnified parties, and the indemnified losses are especially critical. For example, the scope of an indemnity may include, among other things, the material breach of a representation or warranty; a violation of a law, rule or regulation; a party’s negligent, grossly negligent, and/or willful acts or omissions; a breach of confidentiality or security obligations; and a claim that a product infringes the intellectual property of a third party. Common indemnified losses include attorneys’ fees and costs (whether or not the contract includes a duty to defend), losses, expenses, costs, damages, fines, and penalties.

Indemnification obligations can be either “third party” (protection against damages and losses claimed by a third party and not the other contractual party) or “first party” (protection against damages and losses claimed by the other contractual party). Most parties do not use a first-party indemnity in contractual indemnification clauses, preferring that any damages and/or losses claimed by the other contractual party be governed by general breach of contract principles. Some courts have interpreted an indemnity as a third-party indemnity absent express language as to the parties’ intention to cover first party claims.

If you are thinking this sounds a lot like insurance, you’re right – an insurance policy is a form of an indemnity pursuant to which the insurer (the indemnitor) agrees to compensate and reimburse a policy holder (the indemnitee) for losses and damages relating to losses, expenses, or other damages suffered by the policy holder in connection with an indemnified claim. Another important point is that indemnification is not automatic – it requires the indemnitor to accept its obligation to indemnify for a particular claim, or alternatively a finding by a court, arbitrator, or similar that the claim giving rise to the loss or damage was within the scope of the indemnity. For example, if Party A is required to indemnify Party B for third party damages and losses (including attorneys’ fees) arising from Party A’s negligence, and a third party (Party C) sues Party B for damages arising from Party A’s negligence, if the court finds that Party A was negligent, then Party A’s indemnification obligations are triggered. An indemnitor may sometimes contest their obligation to indemnify, which can lead to additional litigation over the obligation to indemnify itself.

The duty to defend

Like indemnity, the duty to defend has its roots in insurance. If you tender a claim to your insurance carrier and the carrier accepts your claim, your carrier will “step into your shoes” to defend you, by either having their in-house attorney handle the matter or, more commonly, by hiring an attorney to defend you against the claim. Similarly, if in a contract you accept a duty to defend the other party in the event that other party receives a claim, is sued, or has some other cause of action or proceeding commenced against it arising from certain specified occurrences, you are agreeing to step into their shoes and be responsible for their defense, whether or not you are also sued. This includes hiring attorneys, retaining experts, retaining e-discovery providers, and taking on other obligations associated with the defense of the claim. A duty to defend includes an obligation to bear the costs of providing the defense, such as attorneys’ fees, expert witness fees, electronic discovery fees, court fees, and the like. Keep in mind that the defended party will still need to be involved in the defense of the claim. While a party imposing a duty to defend on the other party gives up its ability to defend the claim as it sees fit, the cost-shifting generally outweighs the loss of control.

If a party feels it must maintain direct control (e.g., where the reputational risk from a claim is so significant that it wants to call the shots, or where a party has outside counsel that it feels is essential for a particular type of claim), that party may want to negotiate out a duty to defend and rely solely on the duty to indemnify for reimbursement of incurred defense costs. However, this is often not palatable to indemnitors, who insist on a right to defend; the most common argument is that if a party has the obligation to indemnify against the costs of a judgment or settlement, that party must have control over the defense of the claim so it controls the outcome. Some parties shifting the duty to defend will preserve the right to retain their own counsel at their expense in the procedures section, so they retain some say in the defense strategy. Remember that the damage from a legal proceeding may be non-monetary, e.g., reputational damage, so having a say in the other party’s defense may be important.

When offering a duty to defend and an obligation to indemnify, consider separate but sequential obligations to defend and to indemnify to narrow the scope of both obligations. In this approach, a party would provide a duty to defend the other party against third party claims arising from certain acts, omissions, and occurrences, and with respect to such claims, would indemnify the other party from and against defense costs (attorneys’ fees and other litigation expenses), indemnitor-agreed settlements, and court-awarded damages resulting from such claims. This approach avoids applying the broad categories of “damages, losses, expenses, costs,” etc. to either the duty to defend or the obligation to indemnify, which language often results in a broader risk shifting to the indemnitor than was intended.

The obligation to hold harmless

A hold harmless is an agreement by a party to assume responsibility for, and to not hold the other party liable for, damages resulting from the occurrence of certain acts, circumstances or events. In practice, a hold harmless and an indemnity are functionally equivalent in that both require a party to assume responsibility for losses incurred by another party in connection with certain acts and circumstances. Some argue that while an indemnity shifts losses, a hold harmless shifts both losses and liability. However, shifting liability is often not realistic or achievable. There is no way to assume responsibility for negative and equitable intangible liabilities such as damage to reputation, bad press, a public court record, an injunction or specific performance requirement, etc.; a party can only compensate the other monetarily for such intangible liabilities.

There is one important difference between a hold harmless and an indemnity – a party granting a hold harmless not only shifts risk to itself by taking responsibility for another’s losses associated with that risk, but also assumes the risk directly and agrees not to shift it to the other party even if the other party is ultimately responsible. This may prevent a party granting a hold harmless from shifting liability to the other party if the other party turns out to be the one that caused that liability to occur. Consider whether to ensure contractually that a contractual indemnity and hold harmless excludes liability and damages caused by the other party’s own acts and omissions.

To limit the scope of risk you or your client will accept, consider providing a duty to defend and an obligation to indemnify only, and negotiating or leaving out an obligation to hold harmless. If the paramount concern is shifting as much risk as possible, ask for a hold harmless as well. A hold harmless provision can be unilateral (one party retains risk) or mutual (each party retains its own risk associated with certain acts, events or occurrences). Be very careful with mutual indemnity and hold harmless provisions. If you receive an indemnity, be wary of granting a hold harmless back for the same acts or circumstances, as the two provisions may conflict, cancel each other out, and leave you without indemnification protections.

Final thoughts

Using the obligation to indemnify, the duty to defend, and the obligation to hold harmless properly in contracts helps ensure a party is taking on the right amount of risk under the relationship. Use of common legal phrases without thinking through whether that use is correct for a particular circumstance may cause your company or your client to take on more risk than they realized, or to give up rights you thought you had. The obligation to indemnify, duty to defend, and obligation to hold harmless also relate directly to, and may be impacted by, the language in other contractual provisions, including indemnification procedures and exclusions; disclaimer of consequential damages; limitation of liability; and insurance provisions. Working with your in-house attorney, or retaining a subject matter expert, is often a worthwhile investment of time and resources up front to help you navigate the risk allocation terms in your agreement — such as the obligation to indemnify, duty to defend, and obligation to hold harmless — to ensure the risks you take are properly balanced against the expected rewards.


Ready or Not, New Proposition 65 Warnings and Lawsuits Are Coming – Are Your Products, Businesses, and Websites Ready?

If you’ve seen a “WARNING: This product contains a chemical known to the State of California to cause cancer” label on a product, or a similar sign in a business, you’ve seen a warning mandated by California’s Proposition 65 law.  Those warnings are about to get more specific and even more prevalent, and are about to go digital. Most companies doing business in California are working hard to be prepared for the changes to Prop 65 that will apply as of August 30, 2018.  Some companies still may not be aware of the changes and what they mean for their supply chain, as well as for their potential exposure to class action lawsuits and other legal trouble if they are not ready in time.

Here’s the background on what’s happening with Proposition 65, and why companies affected by it should move quickly to finish (or start) implementing processes and steps to ensure compliance.


What is Proposition 65?

Proposition 65, also known as the California Safe Drinking Water and Toxic Enforcement Act or “Prop 65,” is a “right to know” statute enacted by California voters in 1986.  Under Prop 65, businesses with 10 or more employees must in most cases provide “clear and reasonable” warnings before “knowingly and intentionally” exposing Californians to certain chemicals that cause cancer, birth defects, or other reproductive harm.  The warnings apply to exposure in products they purchase, whether used in their homes or in workplaces, as well as to environmental and occupational exposure.  Prop 65 is administered by the Office of Environmental Health Hazard Assessment (OEHHA), part of the California Environmental Protection Agency (CalEPA).

There are over 900 chemicals for which Prop 65 warnings are required, maintained on a list administered by the State of California (the “Prop 65 list”) which is updated annually. If a product contains or is made using, or an environment or occupation could expose Californians to, one or more chemicals on the Prop 65 list, and the exposure is not low enough that it does not pose a significant risk of cancer, birth defects, or other reproductive harm, a Prop 65 warning is required for that product, environment, or workplace.

While any “clear and reasonable” warning can satisfy the Prop 65 requirements, a business creating its own warnings runs a risk that they are determined to not be “clear” and/or “reasonable” and therefore deficient under Prop 65.  Fortunately, the State of California has promulgated “safe harbor” warnings that most companies use to satisfy their Prop 65 compliance requirements instead of developing their own warnings.


So what’s changed in Prop 65?

Under the current law, “clear and reasonable” Proposition 65 warnings are required for consumer products and environmental/occupational exposure to listed chemicals, and certain “safe harbor” warnings have been made available for use. The revisions to the law becoming effective August 30, 2018 (and applicable to products manufactured or refurbished on or after August 30, 2018) make a number of important changes and updates, including:

  • New and more detailed content and format requirements which replace the somewhat generic current Proposition 65 safe harbor warnings.
  • While the existing law tries to minimize the impact of the law to retailers, the changes clarify that manufacturers, producers, packagers, importers, suppliers, and distributors can either provide the required warning on the product via a label, or annually notify the downstream retailer of the warning requirements and provide all necessary warning materials and language to that retailer, shifting the burden to provide the warning to the seller and giving the upstream supply chain partner an affirmative defense if the retailer fails to provide the warning.
  • The new law contains more explicit transmission and placement requirements for consumer product, environmental, and occupational warnings.
  • As the existing law was written in the 1980s, it does not contain specific requirements for online sales.  The new law imposes specific Internet and catalog disclosure requirements. For Internet sales, the warning must be displayed in-line (or via a specific hyperlink) on the product display page or otherwise prominently displayed prior to completing the purchase.  For catalog purchases, the warning must be included in a manner that clearly associates it with the item being purchased.  This is likely the most significant change, and the one that exposes online sellers to the most legal risk under Prop 65.


What are the new content and format warning requirements?

The revised regulations require different warnings based on the types of listed chemicals, the number of listed chemicals, and the method of transmission and placement. These include specialized safe harbor warnings for certain exposures, products, and places (from alcoholic beverages, to furniture, to amusement parks, to designated smoking areas, to restaurants, to hotels).

All new warnings require the word “WARNING” in bold capital letters, as well as a specific exclamation symbol (except for food labels) which is at least as big as the font used for the “WARNING” text.  Here is an example of a generic Prop 65 safe harbor warning for consumer products:


Do I have to provide warnings in languages other than English?

Only if the consumer information on the product label and packaging is itself provided in languages other than English.  The Prop 65 warnings must be provided in each language in which consumer information is provided on the product label or packaging. If you use multiple languages on your product packaging, your Prop 65 warning labels must similarly be in multiple languages.


Why is compliance important?

Manufacturers, distributors, and retailers in the entire supply chain are potentially liable for failure to comply with the compliance requirements under Proposition 65. Prop 65 is enforceable not just by the California Attorney General, but by private parties such as consumer advocacy groups and “bounty hunters,” which has given rise to a cottage industry of parties suing companies for Prop 65 compliance violations. Penalties for violations can be as high as $2,500 per violation per day. Any time there is a change in regulatory requirements such as this, it opens the door for private party bounty hunters to file class action suits against companies slow to comply with the new requirements.


Do Prop 65 warnings apply just to electronics?

No. They apply to any product which contains a chemical on the Prop 65 list or which uses such chemicals in the manufacturing process, and to environments and workplaces which may expose people to such chemicals.  Most plasticizers are on the Prop 65 list, meaning that if your product contains plastic or is manufactured using plasticizers, there’s a good chance your company needs to comply with Prop 65 warning requirements in connection with that product.  This includes plastic parts, enclosures, connectors, etc.


My company only sells B2B.  Does it still have to comply with the warning requirements?

Yes.  Prop 65 is designed to protect Californians from exposure to products both at home and in the workplace.  The Prop 65 warning requirements apply regardless of whether a product is sold through a B2C or B2B transaction, and regardless of whether a person is exposed at home or at work.


Do the warning requirements apply to new products only, or both new and refurbished products?

It covers both.  Refurbishment is a manufacturing process, and so the warning requirements also apply to refurbished products.  For example, if your business uses refurbished products to fulfill its warranty obligations, it must comply with Prop 65 requirements for those refurbished products.


What does my company need to do?

Update your Prop 65 warning signs and labels. Each company that sells products in California containing chemicals on the Proposition 65 list or manufactured using such chemicals, or which exposes Prop 65 chemicals environmentally or occupationally, must implement new Prop 65 warnings satisfying the new content and format requirements. This means working upstream in the supply chain to ensure manufacturers have properly determined if any chemicals on the Prop 65 list are used in the manufacture of products, that they are implementing the appropriate new safe harbor warnings, and that they are providing copies of warning materials for use downstream in the supply chain by online and catalog retailers.

Update your supply chain contracts.  The new law is the perfect opportunity to update your contracts with your suppliers, manufacturers, packagers, importers, and/or distributors.  Ensure they are contractually obligated to comply with Prop 65 labeling requirements (and that they agree not to push the burden downstream), and that they will indemnify your company if they do not. If your contracts have a “compliance with laws” representation, warranty, or obligation, you can point to that language if they push back on compliance.

Ensure you are considering all sales channels.  Take time to think through all of your sales channels.  Does your company use resellers, distributors, or other sales channels?  If your company is in one of the “upstream from retailer” supply chain roles, ensure you are complying with any obligations your company has under the changes to Prop 65 to provide information to downstream retailers.

Implement Prop 65 warnings on your B2C and B2B sales websites. For products sold online, the new Prop 65 warning must be clearly and prominently displayed by the seller prior to product purchase, e.g., above the fold and easy to see and not something that someone has to search for.  There are two main ways to do this:

  • The static way: Display a clear and prominent image of the Prop 65 warning on the product detail page. This requires the least work but means everyone using the online store, Californian or not, will receive the warning.  My guess is that most online retailers will opt for the static way.
  • The dynamic way: Display the Prop 65 warning during the checkout process if the purchaser enters a ship-to ZIP code in California.  This limits the user experience impact to Californians, but requires coding work to dynamically display warnings based both on the ZIP code and the SKUs in the cart (the SKU will need to trigger the specific warning associated with that product or product bundle).
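To make the “dynamic way” concrete, here is an added Python sketch of the checkout-side decision (illustration only; not code from the post or from any retailer’s storefront). It maps each SKU in the cart to the warnings that product or bundle triggers, shows them only for a California ship-to ZIP, de-duplicates when several SKUs share a chemical, and handles two failure modes a practitioner would want covered: an unparseable ZIP falls back to showing the warnings rather than hiding them, and a SKU that was never classified raises instead of silently passing as “no chemicals.” The catalogue, the placeholder warning texts and the assumed California ZIP range (90001 to 96162) are constructed for the example; the real safe harbor wording comes from OEHHA.

```python
"""Dynamic Prop 65 warning selection at checkout (added illustration of the post's
'dynamic way'; catalogue, warning texts and the ZIP range are constructed or assumed)."""
import re

# Assumption: five-digit California ZIP codes fall within 90001-96162.
CA_ZIP_RANGE = (90001, 96162)

# Constructed catalogue: SKU -> keys of the warnings that product triggers.
# A bundle SKU carries the warnings of every component it contains.
CATALOG = {
    "CABLE-01": ("lead",),
    "ENCL-02": ("dehp",),
    "BUNDLE-03": ("lead", "dehp"),   # CABLE-01 + ENCL-02 sold together
    "DOC-04": (),                    # printed manual: no listed chemical
}
# Placeholder texts; the real safe harbor wording comes from OEHHA, not from this example.
WARNINGS = {
    "lead": "WARNING: [safe harbor warning text for lead - placeholder]",
    "dehp": "WARNING: [safe harbor warning text for DEHP - placeholder]",
}

_ZIP_RE = re.compile(r"^\s*(\d{5})(?:-\d{4})?\s*$")


def classify_zip(ship_to_zip):
    """Return 'ca', 'other' or 'unknown' for a ship-to ZIP (ZIP+4 accepted)."""
    match = _ZIP_RE.match(ship_to_zip or "")
    if not match:
        return "unknown"
    zip5 = int(match.group(1))
    return "ca" if CA_ZIP_RANGE[0] <= zip5 <= CA_ZIP_RANGE[1] else "other"


def warnings_for_checkout(cart_skus, ship_to_zip):
    """Warning texts to display before purchase, de-duplicated and in first-seen order.

    Design choices: an unparseable ZIP falls back to showing the warnings (fail toward
    disclosure), and a SKU missing from the catalogue raises rather than silently
    passing, because an unclassified product is a compliance gap, not a clean product."""
    if classify_zip(ship_to_zip) == "other":
        return []
    keys = []
    for sku in cart_skus:
        if sku not in CATALOG:
            raise ValueError(f"SKU {sku!r} has no Prop 65 classification")
        for key in CATALOG[sku]:
            if key not in keys:
                keys.append(key)
    return [WARNINGS[k] for k in keys]


if __name__ == "__main__":
    for text in warnings_for_checkout(["CABLE-01", "BUNDLE-03", "DOC-04"], "94105-1234"):
        print(text)
```

The same resolver can back the static approach: calling it with the product’s single SKU and a California ZIP yields the warning to render on the product detail page for everyone.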

For product catalogs, the warning label must be clearly and conspicuously displayed on the catalog product page.  For products sold via phone order, if the product is being shipped to California or the purchaser resides in California, the order-taker should read the Prop 65 warning while taking the order and ensure the consumer agrees to proceed with the transaction.

Don’t forget about phone orders and warranty replacements.  The changes to the law do not specifically address phone orders or warranty replacements.  With respect to phone orders, consider how to address them, e.g., whether to read the warning to a phone purchaser and require them to confirm that they wish to proceed with the transaction.  With respect to warranty replacements, consider sending the Prop 65 warning for the replacement product (if manufactured or refurbished on or after August 30, 2018) with the RMA information.


Where can I learn more about Proposition 65?

There are some excellent online resources to help you understand your company’s requirements under Prop 65, including:



The Promise of, and Legal Issues and Challenges With, Blockchain and Distributed Ledger Technology

[Originally published in December 2016. Updated on April 7, 2018 to clarify the explanation of blockchain and distributed ledger technology and to add more information on the legal risks and challenges.]

Blockchain and distributed ledger technology is poised to revolutionize many aspects of the world around us. It may prove to be as disruptive and innovative of a force as augmented reality. Many people associate “blockchain” with “Bitcoin,” whose meteoric rise as a cryptocurrency has been well reported. However, they are not one and the same. Bitcoin is an application; blockchain and distributed ledger technology are the methods behind it.  But what is it? How might it change the world? And what legal and other risks does it bring?

What is Distributed Ledger Technology and Blockchain?

The Old – Centralized Ledgers

Centralized ledgers (a database, list, or other information record) have played an important role in commerce for millennia, recording information about things such as physical property, intangible property including financial holdings, and other assets. The most recent innovation in centralized ledgers has been the move from physical ledgers (paper, stone tablets, etc.) to digital ledgers stored electronically. A “centralized ledger” is a ledger maintained and administered in a single, central location (e.g., a computer database stored on a server) accessible by anyone without use of access controls (public) or through an access control layer by persons or organizations with valid login credentials (permissive). This is a “hub-and-spoke” system of data access and management. Centralized ledgers have historically had many benefits, such as minimized data redundancy, limited number of access points to the data for security purposes, centralized administration, and centralized end user access. However, there are also disadvantages, such as greater potential for loss or inaccessibility if the central location suffers a hardware failure or connectivity outage, inability to recover lost data elements, and a dependence on network connectivity to allow access to the ledger by its users.

The New – Distributed Ledgers

Distributed ledgers seek to address these disadvantages by distributing (mirroring) the ledger contents to a network of participants (aka “nodes”) through a software program so that each participant has a complete and identical copy of the ledger, and ensuring all nodes agree on changes to the distributed ledger. Nodes can be individuals, sites, companies/institutions, geographical areas, etc. There is no centralized administrator or “primary node”; if a change is made to one copy of the ledger, that change is propagated to all copies of the ledger in the system and accepted according to the rules of the system (called a “consensus algorithm”), which ensure that each distributed copy of the ledger converges on the same content. For example, in Bitcoin each node scores every version of the chain it sees by the total proof-of-work it embodies; if a node receives a valid version with a higher score than the one it holds, it adopts that version and relays it to its peers. Since the distributed ledger software on each node validates every addition against the rules before accepting it, it is extremely difficult to introduce a fraudulent transaction (to put it another way, transactions are audited in real time). Essentially, each node builds an identical version of the distributed ledger using the information it receives from other nodes. The use of distributed models in computing goes back to the origins of the Internet itself: ARPANET, which evolved into what we know today as the Internet, used a decentralized, packet-switched model with no central switching point to move data between computer networks.

The software on each node uses digital signatures to verify that whoever submits an entry holds the private key that is authorized to make it (on a public ledger anyone may read the entries; on a permissioned ledger read access is controlled as well). If a participant with rights to modify the ledger (e.g., holding a digital token that gives the participant the right to record a transaction) signs an addition to the ledger with the participant’s private key (e.g., a record of a change in ownership of an asset or the recording of a new asset), the addition is validated under the consensus algorithm and propagated to all mirrored copies of the ledger, which helps to ensure that the distributed ledger is auditable and verifiable. A key difference between centralized and distributed ledgers is how copies are kept in step: if you make a copy of a centralized ledger and store it somewhere else, it immediately starts to drift out of sync with the original, whereas every copy of a distributed ledger is continuously reconciled by the client software. Competing versions of a distributed ledger (“forks”) can still arise, whether briefly when two nodes add different blocks at the same moment or deliberately when participants disagree about the rules, but the consensus algorithm determines which version the network follows. One practical consequence of signature-based authorization is that the private key is the identity: whoever holds (or steals) it can record entries in that participant’s name, and a signed entry accepted by the network cannot be pulled back.

Thus, the five typical characteristics of a distributed ledger are:

  1. distributed copies among nodes via client software;
  2. cryptographic signatures, or “keys,” to allow nodes to view, or add to, the distributed ledger in an auditable and verifiable fashion;
  3. a digital token (better known as a cryptocurrency) used within many distributed ledger networks to allow participants to record ledger entries;
  4. a consensus algorithm to ensure distributed copies of the ledger match among participants without the need for a centralized administrator; and
  5. record permanency, so that a verified entry accepted to the ledger via the consensus algorithm becomes permanent (it can be corrected via a later addition to the ledger but never removed).

Blockchain

While most press reporting around blockchains equates blockchain with distributed ledgers, a “blockchain” is a specific type of distributed ledger. Transactions entered into the system during a specified period of time (new assets recorded, transfers affecting existing entries, and so on) are bundled together and added to the ledger as a “block.” Each block includes a timestamp and a cryptographic hash of the previous block, which “chains” it to its predecessor and forms a “chain of blocks,” or “blockchain,” held by every node hosting it. A hash is a one-way function: any node can recompute the hash of a block and confirm that it matches the value stored in the block that follows, but no one can construct a different block that produces the same hash. If a block in the chain is altered, its hash changes and no longer matches the value stored in the next block; every node that checks the chain detects the mismatch, and the altered version is rejected by the network. Rewriting history therefore means rebuilding every block after the altered one and persuading the rest of the network to accept the result, which is exactly what the consensus algorithm is designed to prevent. This makes the chain tamper-evident rather than unalterable in an absolute sense; in particular, the newest block has no successor vouching for it, so it is the network’s agreement on the current tip of the chain that protects the most recent entries.
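The hash chaining described above, as an added example that is not part of the original post and is not Bitcoin’s or any other project’s code: a minimal hash-chained ledger in Python. The block layout, field names and sample transactions are all constructed for this page. It shows a node verifying every back-link, detecting a rewritten old transaction, and, the point the paragraph ends on, why the newest block needs the network’s agreed tip hash rather than the links alone.

```python
import hashlib
import json
import time
from dataclasses import dataclass, asdict
from typing import List, Optional, Tuple


@dataclass
class Block:
    """One block: a batch of transactions plus the link to its predecessor."""
    index: int
    timestamp: float
    transactions: List[dict]
    prev_hash: str

    def digest(self) -> str:
        # Canonical JSON so every node hashes identical bytes for identical content.
        payload = json.dumps(asdict(self), sort_keys=True, separators=(",", ":")).encode()
        return hashlib.sha256(payload).hexdigest()


class Ledger:
    GENESIS_PREV = "0" * 64

    def __init__(self) -> None:
        # Fixed genesis block so every node starts from the same root.
        self.chain: List[Block] = [Block(0, 0.0, [], self.GENESIS_PREV)]

    def add_block(self, transactions: List[dict], timestamp: Optional[float] = None) -> Block:
        prev = self.chain[-1]
        block = Block(
            index=prev.index + 1,
            timestamp=time.time() if timestamp is None else timestamp,
            transactions=list(transactions),
            prev_hash=prev.digest(),   # this stored hash is the "chain" link
        )
        self.chain.append(block)
        return block

    def tip_hash(self) -> str:
        return self.chain[-1].digest()

    def verify(self, expected_tip: Optional[str] = None) -> Tuple[bool, Optional[int]]:
        """Walk the chain and recheck every back-link.

        Returns (True, None) if intact, otherwise (False, index of the first block
        whose stored prev_hash no longer matches its predecessor's recomputed digest).
        If expected_tip is given (a tip hash the other nodes agreed on), the newest
        block is checked against it too, since no later block vouches for it.
        """
        if self.chain[0].index != 0 or self.chain[0].prev_hash != self.GENESIS_PREV:
            return False, 0
        for i in range(1, len(self.chain)):
            cur, prev = self.chain[i], self.chain[i - 1]
            if cur.index != prev.index + 1 or cur.prev_hash != prev.digest():
                return False, i
        if expected_tip is not None and self.tip_hash() != expected_tip:
            return False, len(self.chain) - 1
        return True, None


def build_sample_ledger() -> Ledger:
    """Constructed sample data; timestamps are fixed so results are reproducible."""
    ledger = Ledger()
    ledger.add_block([{"from": "alice", "to": "bob", "amount": 5}], timestamp=1.0)
    ledger.add_block([{"from": "bob", "to": "carol", "amount": 2}], timestamp=2.0)
    ledger.add_block([{"from": "carol", "to": "dave", "amount": 1}], timestamp=3.0)
    return ledger


def tamper_demo() -> dict:
    """What a node sees when history is rewritten."""
    ledger = build_sample_ledger()
    agreed_tip = ledger.tip_hash()              # what the honest nodes agreed on
    intact = ledger.verify(agreed_tip)

    # Rewrite an old transaction in block 1: block 2's stored prev_hash now mismatches.
    ledger.chain[1].transactions[0]["amount"] = 500
    rewritten_old = ledger.verify(agreed_tip)

    # Separately, rewrite the newest block, which no later block vouches for.
    ledger = build_sample_ledger()
    ledger.chain[-1].transactions[0]["amount"] = 500
    links_only = ledger.verify()                # back-links alone still pass
    with_tip = ledger.verify(agreed_tip)        # comparing against the agreed tip catches it
    return {
        "intact": intact,
        "rewritten_old": rewritten_old,
        "tip_tamper_links_only": links_only,
        "tip_tamper_with_agreed_tip": with_tip,
    }


if __name__ == "__main__":
    for name, outcome in tamper_demo().items():
        print(f"{name}: {outcome}")
```

The toy leaves out what real networks add on top of the links (proof-of-work or signatures on each block, and the rule for choosing between competing chains); what it does show is that the back-links only make the past tamper-evident, and that some shared notion of the correct tip is needed to protect the head of the chain.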

There are three primary types of blockchain networks – public, private, and permissioned.

  • Public blockchains allow anyone to participate, and therefore rely more heavily on a strong consensus algorithm to ensure the requisite level of trust between blockchain participants.
  • Private blockchains are limited to a discrete and specified group of participants, are usually small, and may not require use of a cryptocurrency given the inherent level of trust among private blockchain participants. Private blockchains often do not require a strong consensus algorithm.
  • Permissioned blockchains function much like public blockchains, but require that participants have permission to access, transact on, or create new blocks within a blockchain.

Tennessee’s recent state law on blockchain, Tenn. Code Ann. § 47-10-201, contains a good summary definition. It defines “blockchain technology” as “distributed ledger technology that uses a distributed, decentralized, shared and replicated ledger, which may be public or private, permissioned or permissionless, or driven by tokenized crypto currencies or tokenless. The data on the ledger is protected with cryptography, is immutable and auditable, and provides an uncensored truth.” Arizona’s statutory definition (which predates Tennessee’s) is almost identical, except that “crypto currencies” is replaced with “crypto economics.”

Bitcoin is an early, and famous, example of a public blockchain application. Mining nodes on the Bitcoin network earn newly created bitcoins as a reward for solving a cryptographic puzzle through computing power (“mining”), which is also the process by which new blocks are added to the chain. Transfers of bitcoin between participants are recorded in those blocks; the blockchain is the public ledger of all Bitcoin transactions. In other blockchain applications, the cryptocurrency is used as payment for recording transactions on the chain.

Blockchain and distributed ledger technology is not intended to fully replace existing centralized ledgers such as databases. If a number of parties using different systems need to track something electronically that changes or updates frequently, a distributed ledger may be a good solution. If those needs are not there, or if there is a continuing need to rely on paper transaction records, a centralized ledger continues to be the better choice. Companies need to ensure there is a compelling ROI and business case before implementing a blockchain development and implementation program.

Smart Contracts

An important concept in blockchain technology is the “smart contract.” Tennessee’s blockchain law defines a smart contract as “an event-driven program, that runs on a distributed, decentralized, shared and replicated ledger and that can take custody over and instruct transfer of assets on that ledger.” Arizona’s definition is identical other than an additional reference to state. In other words, a smart contract is a computer program encoded into a blockchain that digitally verifies, executes, and/or enforces a contract without the need for human intervention. Where a traditional contract involves risk that a party will fail to perform (e.g., a shipper delivers products but the recipient fails to make payment for the products), smart contracts are self-executing and self-verifying. In a smart contract for the purchase of goods tracked via blockchain, the seller and buyer would program a smart contract into the blockchain. Once the delivery record is added to the blockchain, the smart contract automatically validates the shipper’s performance and automatically triggers payment from the buyer. Since execution of a smart contract is part of the blockchain, it is permanent once completed. Blockchain protocols such as Ethereum have developed programming languages for smart contracts (Solidity, in Ethereum’s case). Two practical caveats follow from the definition. First, a smart contract can only act on events recorded on the ledger, so whoever (or whatever) records the delivery event, sometimes called an “oracle,” must be trusted and must be the only party able to record it. Second, the contract executes exactly as written: a coding error runs just as automatically, and just as permanently, as the intended terms.
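The purchase-of-goods flow above, as an added example that is not part of the original post and is not Ethereum or Solidity code: a Python sketch of an escrow-style smart contract. Participant “addresses” are plain strings and the ledger’s balances are a dictionary; on a real chain the network would check a signature from the sender’s key rather than a string, and the contract’s rules would be applied by every node. All names and balances are constructed for this page. The point it makes is the one in the caveats: only the designated carrier can trigger the delivery event, and once it fires the payment happens with no further step.

```python
from dataclasses import dataclass, field
from typing import Dict, List


class ContractError(Exception):
    """A call that violates the contract's rules. On a real chain the
    transaction would be rejected and the ledger left unchanged."""


@dataclass
class Escrow:
    buyer: str
    seller: str
    carrier: str                 # the only address allowed to record delivery (the oracle)
    price: int
    balances: Dict[str, int]     # stands in for the ledger's asset balances
    held: int = 0
    state: str = "CREATED"
    log: List[str] = field(default_factory=list)

    def fund(self, sender: str) -> None:
        """The buyer locks the purchase price in the contract."""
        if self.state != "CREATED":
            raise ContractError(f"cannot fund in state {self.state}")
        if sender != self.buyer:
            raise ContractError("only the buyer may fund the escrow")
        if self.balances.get(sender, 0) < self.price:
            raise ContractError("insufficient balance")
        self.balances[sender] -= self.price
        self.held = self.price
        self.state = "FUNDED"
        self.log.append(f"{sender} funded {self.price}")

    def record_delivery(self, sender: str) -> None:
        """The delivery event; payment to the seller follows with no human step."""
        if self.state != "FUNDED":
            raise ContractError(f"no delivery expected in state {self.state}")
        if sender != self.carrier:
            raise ContractError("only the designated carrier may record delivery")
        self.balances[self.seller] = self.balances.get(self.seller, 0) + self.held
        self.log.append(f"{sender} recorded delivery; {self.held} released to {self.seller}")
        self.held = 0
        self.state = "PAID"


def attempt(action) -> str:
    """Run one contract call and report whether the ledger accepted it."""
    try:
        action()
        return "accepted"
    except ContractError as exc:
        return f"rejected: {exc}"


def demo() -> dict:
    balances = {"buyer-co": 1000, "seller-co": 0}    # constructed sample balances
    c = Escrow(buyer="buyer-co", seller="seller-co", carrier="carrier-co",
               price=250, balances=balances)
    results = {
        "seller_funds_escrow": attempt(lambda: c.fund("seller-co")),
        "buyer_funds_escrow": attempt(lambda: c.fund("buyer-co")),
        "seller_claims_delivery": attempt(lambda: c.record_delivery("seller-co")),
        "carrier_records_delivery": attempt(lambda: c.record_delivery("carrier-co")),
        "carrier_records_again": attempt(lambda: c.record_delivery("carrier-co")),
    }
    results["final_state"] = c.state
    results["final_balances"] = dict(balances)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Note where the trust sits: the contract cannot tell whether goods actually arrived, only whether the carrier’s address said so, and if the `sender != self.carrier` check were missing the seller could release the funds to itself, permanently.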

How Might Blockchain and Distributed Ledgers Change the World?

Roy Amara, a former president of the Institute for the Future, said that people overestimate a technology’s effect in the short term and underestimate it in the long run, a statement known as “Amara’s Law.” However, I think a corollary is in order: the impact of new technology presents at first as rapidly disruptive (both positively and negatively), but often manifests organically and transparently to change the world over time, at a rate proportional to the maturity of the commercially available applications, to consensus on technological standards, and to decreasing costs to implement (and increasing ROI from implementing) the technology in practical business and consumer situations. For example, RFID technology was touted early on as a “change the world” technology, and it has, but most prominently through organic, incremental integration of the technology into supply chain and inventory management. Social networking is viewed by many as a “killer app” (a catalyst that accelerates the adoption of a new technology) which helped usher in the third Age of the Internet, and it has changed the world by changing how we connect with others. Both took years to become pervasive in society and industry.

Blockchain and distributed ledger networks have the potential to change the way many systems and business processes work across industries. Financial and currency transactions are a prominent emerging application of distributed ledger networks and blockchain technology. Since blockchain and distributed ledger networks are platform-agnostic, a distributed ledger could be stored in different hardware/software configurations across different nodes, reducing the need for expensive and time-consuming upgrades to support the distributed model. For example, a permissioned blockchain model could help an organization such as the US Veterans Administration better manage appointment scheduling across a large number of hospitals and clinics (in fact, a resolution was recently passed in the US House of Representatives promoting just that, “to ensure transparency and accountability”). Industry groups, such as the Blockchain in Transport Alliance (BiTA), have sprung up to help develop and promote industry-specific blockchain standards and applications.

The technology could also be used in applications such as better and more secure management of governmental records and other services; tracking tax collection and receipts; managing assets; identity verification; decentralized voting; managing and tracking inventory levels and B2B/B2C product fulfillment; tracking the “data supply chain” for the flow of data among systems; managing system access controls; protection of critical public and privacy infrastructure; tracking royalties due to artists for the use of their works; and use of smart contracts to digitally create, execute, and enforce agreements between parties via blockchain transactions. Distributed ledger networks have the advantage of being more secure in one specific sense: the consensus algorithm makes it considerably more difficult for a cyber-attacker to alter entries the network has already accepted. It does not by itself stop an attacker holding a stolen signing key from recording entries in the victim’s name, nor does it make incorrect data entered in the first place any less permanent. The technology could also allow for greater access transparency, a central tenet of many privacy principles, by allowing individuals to access records in the ledger relating to them or containing their information.

Blockchain and Distributed Ledger Legal Risks and Issues

As with any new technology, blockchain creates some interesting conflicts with existing laws and regulations and raises interesting and complex legal and compliance issues.  These include:

Data privacy issues. Distributed ledger technology such as blockchain is inherently designed to share information among every participant and node. If information in a ledger transaction or block contains private information, such as an account number or company confidential information, it will be visible to every user of every node, and it cannot later be withdrawn. Encrypting such information before recording it helps only for as long as the key stays secret and the cipher stays unbroken; the ciphertext itself remains on every copy of the ledger. This is one of the reasons permissioned and privacy-preserving distributed ledgers are a focus of many companies seeking to innovate in the space. Additionally, as nodes in a distributed ledger network can be geographically disparate, rules and requirements for the transfer of data between geographies may play a major role. It is also possible that advances in cryptanalysis or computing power (quantum computers, for example) will weaken the hash functions and signature schemes used in blockchain and distributed ledgers to the point where they are no longer considered safe, and, unlike a centralized database, a ledger’s past entries cannot simply be re-encrypted under a stronger scheme.

EU personal data and the “Right to be Forgotten.” In the EU, personal privacy is considered a fundamental human right under the Charter of Fundamental Rights of the European Union. The General Data Protection Regulation (GDPR) is Europe’s new comprehensive data protection framework that as of May 25, 2018 has the force of law in every EU member state. Under Article 17 of the GDPR, EU data subjects have a “right to be forgotten” which requires companies to erase personal information about that data subject if certain conditions are met (e.g., the personal data is no longer necessary in relation to the purposes for which they were collected or otherwise processed). This right has cropped up in the United States as well, for example, in California for minors under 18 with respect to websites, social media sites, mobile apps, and other online services under Cal. Bus. & Prof. Code §§ 22580-22581. The “right to be forgotten” creates a direct conflict with the permanency of blockchain. Companies should factor the “right to be forgotten” into their blockchain development planning, e.g., consider hashing technologies to pseudonymize personal data before encoding it into a blockchain, or other ways to avoid this conflict. Hashing alone deserves care, however: a hash of a predictable value such as an email address or date of birth can be reversed simply by hashing guesses and comparing them against the ledger, so the pseudonym should depend on a secret (for example a keyed hash) that is held off the ledger and can itself be destroyed, with the personal data kept off the ledger and only the pseudonym recorded on it. Developments in blockchain and distributed ledger technology may also arise to address this issue.
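The keyed-hash approach just described, as an added example that is not part of the original post: a Python sketch of pseudonymizing a value before it goes on the ledger, with the secret key kept off-chain. The subject identifier, email address and guess list are constructed for this page, and the “ledger” is simply the token string that would be recorded. It contrasts a plain hash (recoverable by anyone with a list of likely values) with an HMAC under a per-subject key, and shows the key deletion that leaves the on-chain token unlinkable. Whether that satisfies a given erasure obligation is the legal question the post leaves open; the code only shows the mechanism.

```python
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, Optional


class OffChainKeyStore:
    """Per-subject secret keys held entirely off the ledger.

    The ledger only ever sees HMAC outputs. Erasing a subject's key is the
    erasure step: the on-chain tokens stay, but nothing can be matched to them.
    """

    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}

    def key_for(self, subject_id: str) -> bytes:
        if subject_id not in self._keys:
            self._keys[subject_id] = secrets.token_bytes(32)
        return self._keys[subject_id]

    def get(self, subject_id: str) -> Optional[bytes]:
        return self._keys.get(subject_id)

    def erase(self, subject_id: str) -> None:
        self._keys.pop(subject_id, None)


def naive_token(value: str) -> str:
    """Plain SHA-256 of the value: what 'just hash it' produces."""
    return hashlib.sha256(value.encode()).hexdigest()


def keyed_token(store: OffChainKeyStore, subject_id: str, value: str) -> str:
    """HMAC-SHA256 under the subject's off-chain key: what goes on the ledger."""
    return hmac.new(store.key_for(subject_id), value.encode(), hashlib.sha256).hexdigest()


def verify_claim(store: OffChainKeyStore, subject_id: str, value: str,
                 on_chain_token: str) -> Optional[bool]:
    """Check a value against an on-chain token. None means the key is gone."""
    key = store.get(subject_id)
    if key is None:
        return None
    candidate = hmac.new(key, value.encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(candidate, on_chain_token)


def dictionary_attack(token: str, candidates: Iterable[str]) -> Optional[str]:
    """What anyone holding a copy of the ledger and a list of likely values can do."""
    for value in candidates:
        if naive_token(value) == token:
            return value
    return None


def demo() -> dict:
    store = OffChainKeyStore()
    subject, email = "subject-42", "alice@example.com"      # constructed sample data
    guesses = ["bob@example.com", "alice@example.com", "carol@example.com"]

    naive = naive_token(email)                  # would be recorded on-chain in the naive design
    keyed = keyed_token(store, subject, email)  # recorded on-chain in the keyed design

    results = {
        "naive_recovered": dictionary_attack(naive, guesses),
        "keyed_recovered": dictionary_attack(keyed, guesses),
        "verified_before_erase": verify_claim(store, subject, email, keyed),
    }
    store.erase(subject)    # the erasure request: ledger untouched, key destroyed
    results["verified_after_erase"] = verify_claim(store, subject, email, keyed)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The key store is the part that has to be engineered with care in practice: it must be backed up well enough that legitimate lookups keep working, yet deletable reliably enough that an erasure request actually destroys every copy of the key.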

Jurisdictional issues. The nodes in a blockchain are often in multiple jurisdictions around the country and/or around the world. As each is a perfect copy, this can create issues from a jurisdictional perspective. Legal concepts such as title, contract law, regulatory requirements, etc. differ from jurisdiction to jurisdiction. Does a blockchain network need to comply with the laws of every jurisdiction in which a node is operated? Cross-border enforcement may become an issue: will one jurisdiction seek to impose its laws on all other nodes of a blockchain network? Blockchain network operators should consider how to specify, in a binding manner, a single choice of law and venue to govern disputes arising from the blockchain network and provide specificity as to compliance requirements. This jurisdictional issue will likely lead to races between jurisdictions to establish themselves as a “blockchain and distributed ledger friendly” jurisdiction, just as Delaware established itself as a “corporation-friendly” jurisdiction in which many corporations choose to incorporate. Jurisdictional issues will also impact discovery of data within the digital ledger network, e.g., through subpoenas. The rules regarding document discovery differ from state to state. A company seeking to obtain blockchain data through judicial process may have the ability to engage in “forum shopping” to find the most convenient, and friendly, jurisdiction in which to file a document discovery request.

Record retention risks. One of the features of blockchain and distributed ledger networks is record permanency. This permanency may be incompatible with statutory, regulatory and contractual requirements for data to be destroyed and deleted after a period of time, such as cardholder data under the PCI DSS (a contractual standard), HR data under various regulatory requirements, and personal data under privacy frameworks such as the GDPR. It also likely conflicts with a company’s existing record retention policies. Given these factors, companies looking to introduce blockchain technology should review their record retention policies and create a separate “permanent” category for data stored in blockchain applications. At the same time, a blockchain is permanent only so long as the blockchain itself still exists.

Service Level Agreements. Many companies include a service level agreement (SLA) in their service agreements, which provides committed minimum service levels at which the service will perform, and often includes remedies for a breach of the SLA. SLAs are relatively easy to offer when they are limited to a company’s own systems and infrastructure. However, a blockchain (other than perhaps a small private blockchain) may by its very nature be distributed beyond a company’s own network. SLAs often exclude from downtime issues outside of the provider’s control, e.g., downtime caused by a third party’s hardware or software. Does a third-party node still fit within this? Many SLAs also address latency, i.e., the time it takes for a system to respond to an instruction. Companies will also need to think about what measure of latency (if any) should apply to transactions via blockchain and other distributed ledgers, and how to address blockchain in their SLAs.

Liability and Force Majeure issues. Companies routinely implement controls (processes and procedures) to manage their systems and operations, which controls may be audited by customers/partners or certified under standards such as SOC 2. But who is accountable for a database distributed across geographies and companies? Use of a distributed ledger system with nodes outside of a company’s systems means ceding some control to an automated process and to a decentralized group of participants in the distributed ledger/blockchain. An error in a record in a distributed ledger becomes permanent and can be corrected but never removed. Is an issue with a third-party node considered a force majeure event which excuses performance under an agreement? Is the type of network (public, private or permissioned) a factor?  Companies will need to think about how blockchain should tie into an agreement’s general force majeure provision, and how to allocate blockchain risk within a contract (through indemnities, limitation of liability, etc.).

Insurance issues.  Any new technology is quickly tested under insurance policies.  Companies will begin to tender claims under their electronic errors and omissions policies, commercial general liability policies, and possibly specialized cyber policies.  As insurance companies build up experience with blockchain claims, companies will likely see new endorsements and exclusions limiting insurance carriers’ liability under standard policies for blockchain-related losses.  This is often closely followed by the emergence of custom policy riders (for additional premium) to provide add-on insurance protection for blockchain-related losses.  Companies implementing blockchain technologies may want to discuss blockchain-related losses with their insurance carriers.

Intellectual property issues. As with any new technology, there has already been a flood of patent applications by companies “staking their claim” in the brave new frontier of blockchain and distributed ledger. While the core technology is open source, companies have created proprietary advancements in which they may assert patent or other intellectual property rights. Dozens of companies have already obtained blockchain patents. Technology and other financial companies have undoubtedly already filed large numbers of blockchain patents that are working their way through the Patent and Trademark Office. As is often the case with new technologies, there will likely be a flurry of patent infringement lawsuits as new patent holders seek to enforce their exclusive rights to their inventions. Adopters of blockchain using custom applications or non-standard implementations should be especially sensitive as to whether their application or implementation could potentially be infringing filed or issued blockchain patents. Consulting external patent counsel knowledgeable in blockchain technology will become more and more important for these types of adopters.

Confidentiality issues. Information placed into a node of a public blockchain, even if that node is within a company’s own servers, is no different than putting code into a public GitHub repository: the information is public. Even with a private or permissioned blockchain, information encoded into the blockchain becomes visible to all participants with access rights, and encrypting it first only defers disclosure for as long as the key is kept secret, since the ciphertext can never be withdrawn. A company’s use of a blockchain or distributed ledger to store confidential information, such as information subject to an NDA or the company’s own trade secrets, creates a risk of a breach of confidentiality obligations or loss of trade secret protection. Companies should consider how to prevent confidential and other sensitive company information from being stored in blockchains in a manner that could result in a breach of confidentiality. Additionally, agreements routinely require the return or destruction of the discloser’s confidential information and other provided data and/or materials upon termination or expiration. An exception for data encoded onto a blockchain must be considered.

Discovery and Subpoenas.  Information encoded into a public blockchain may be considered in the public domain.  When litigation arises, will companies be able to push back on a discovery request encompassing data in a blockchain by stating that it is publicly available?  If a person can find the identity of other nodes in a blockchain network, we may see an increase in subpoenas directed to a node for blockchain data within the copy of the blockchain or digital ledger hosted at that node (possibly based on favorable jurisdiction as noted above). Since every node maintains their own copy of a distributed ledger, and no one node owns or controls the data, this may affect the ability of a company to keep information out of third party hands as they may not have the ability to quash a subpoena directed at an independent node.

Application of existing legal structures to blockchain, smart contracts, and distributed ledgers. As is often the case, one of the challenges for lawyers and others is determining how existing laws and regulations will likely be interpreted to fit new technologies such as blockchain and distributed ledger technology; what new laws and regulations may be coming and how permissive or restrictive they may be; and how enforcement and penalties in connection with the new technologies under both new and existing laws will play out. “Smart contracts” that rely on computer algorithms to establish the formation and performance of contracts may challenge the nature and application of traditional legal principles of contract law such as contract formation and termination, and the traditional focus of laws on the acts of persons (not automated technologies), making it difficult for courts to stretch traditional contract law principles to the new technology.

Emerging laws.  It is axiomatic that law lags technology. The companies that immediately benefit from a new disruptive business method such as blockchain are those which seek to innovate applications of the method to monetize it, obtain a first mover advantage, and ideally seize significant market share for as long as possible. Industry groups and trade associations form to seek to promote it, and legislators take notice (especially given the meteoric rise of bitcoin prices during 2017). Legislators often jump to regulate something they don’t fully understand and whose potential is not fully realized, which can impede development and proliferation of the new technology.  A handful of states (including Arizona, Nevada, Tennessee, Delaware, Illinois, Vermont, and Wyoming) have already adopted blockchain-specific legislation, and this number will likely grow substantially in the next couple of years. Fortunately, the legislation enacted to date appears to support, rather than inhibit, blockchain technology. Other states have introduced or enacted legislation to study blockchain technology.

Disruptive technologies such as blockchain and distributed ledger technology bring both benefits and potential risks. If the benefits outweigh the risks on the whole, the public interest is not served when the legal, regulatory and privacy pendulum swings too far in response. The spread of blockchain and other distributed ledger technologies and applications will be dependent on the creation and fostering of a legal, regulatory, and privacy landscape that fosters innovation in the space.

Eric Lambert is the Commercial Counsel for the Transportation and Logistics division of Trimble Inc., an integrated technology and software provider focused on transforming how work is done across multiple professions throughout the world’s largest industries. He is counsel for the Trimble Transportation Mobility (including PeopleNet, Innovative Software Engineering, and Trimble Oil and Gas Services) and Trimble Transportation Enterprise (including TMW and 10-4 Systems) business units, leading providers of software and SaaS fleet mobility, communications, and data management solutions for transportation and logistics companies. He is a corporate generalist and proactive problem-solver who specializes in transactional agreements, technology/software/cloud, privacy, marketing and practical risk management. Eric is also a life-long techie, Internet junkie and avid reader of science fiction, and dabbles in a little voice-over work. Any opinions in this post are his own. This post does not constitute, nor should it be construed as, legal advice.

How to Shorten Your Job Search and Survive an “Unintentional Sabbatical”

Opportunity is equal parts luck and preparation.

Last year, I found myself unexpectedly looking for my next position. While being on what I’ve come to call my “unintentional sabbatical” was not a planned step in my career, I quickly realized that having a negative attitude was a near-certain way to ensure putting my career back on track would be a long haul. Instead, I focused on staying positive during my job search and working as hard as I could to find a new position, while at the same time finding ways to enjoy the break in my career that I hoped would be a unique opportunity to rest and recharge. Fortunately, I was able to land on my feet within six months in a new position that is a great fit in terms of industry, duties/responsibilities, and culture, at a company I hope to be with for a long, long time.

Finding my new position was the realization of one of my core mantras: “opportunity is equal parts luck and preparation.” While success in finding a new position can be a matter of being in the right place at the right time, it’s important to do the proactive work necessary so that you are prepared to take advantage of any leads or opportunities that come your way. By being proactive, you increase the odds that you’re prepared when opportunity strikes. I’d worked proactively for a long time in part to be prepared just in case an “unintentional sabbatical” happened, and it helped me shorten the time it took to find a new position.

Here are some of the things I’ve done, and things I’ve learned, to help me successfully navigate and shorten the job hunting process:

Pause and think through what you want to do next.

Before you launch head-first into your job search, it’s worth taking a day to think carefully about what you want next in your career.  Is it a position like the one you left/are planning to leave?  There’s nothing worse than waking up in the morning and being ambivalent, or angry/depressed/anxious, at the thought of going into the office for another day. You spend the majority of your waking life at work with your colleagues – you have to like the people you work with, the company you work for, the work you do. Think back over your career to the positions where you were the happiest.  What are the common elements in them, or when you think back have you never been happy in any position you’ve had?  Do you want to be a manager or an individual contributor?  Do you have an industry you feel passionate about?  Use this thought exercise to either validate the direction you want to go for the next step in your career (knowing you’ve validated you’re pursuing the right course should give your job search a burst of energy), or rethink what will make you truly happy in the next phase of your career path.

Build and maintain your network before you need it.

The wrong time to build a network is when you find yourself starting a job search.  Take time to proactively build and maintain a good network. Connect with former co-workers, peers in your community, and people you meet in your personal life. Find industry groups and go to meetings and social events to meet people in your industry (make sure to mingle, not just hang out by yourself). When you’re reaching out to people you think will be valuable additions to your network, don’t just ask them for help – offer to be a help and resource as well. If you are sincere in your offer to assist them as a member of their network, they may be more likely to go out of their way to help you in your job search.

If you connect with someone you don’t know personally on LinkedIn, send them a note thanking them for connecting with you, introducing yourself and summarizing your areas of expertise/skill, and offer to be of assistance as a member of their network. Make sure you take time to periodically reach out to members of your network – you never know who may play a critical role in helping you land your next position. Schedule regular coffees, lunches, and drinks with members of your network; reach out to congratulate them and re-connect when they make an announcement, such as a new position or a work anniversary.

Treat your co-workers the way you’d like them to treat (or remember) you.

Over the course of your career, you interact with a large number of co-workers at many levels.  Remember the golden rule you learned in grade school – do unto others as you would have them do unto you.  In addition to being a good philosophy by which to live, your current co-workers’ view of you and your skills/competencies/style can make or break a future job search. I learned this through experience; I found out after the fact that one of the hiring decision-makers for a position I had applied for (and got) did not call the references I provided. Instead, he contacted a few people we had in common in our networks (former co-workers of mine) to ask them for their thoughts on me.  Today’s co-workers are often tomorrow’s friends who may be willing to go the extra mile to help you in your job search (or even help you land that job you’re hoping for).

Don’t try to connect with everyone at once – It’s OK to stack rank and space out your networking activities.

Remember, job hunting is almost always a marathon, not a sprint. If you have built a strong network, when starting to look for a new position your first instinct may be to immediately reach out to as many members of your network as possible.  However, in my opinion you need to balance networking with other priorities in your life.  My target was 3-5 networking meetings per week (coffees, breakfasts, lunches, drinks, etc.). Create a “networking matrix” of contacts in your network with whom you want to set up networking meetings, and stack rank them. It’s OK to organize them by networking potential (i.e., those with very good connections and contacts in your target industry, former managers/bosses, etc.). Keep track of who you network with and when. Approach a handful (4-6) per week by phone, text, email, LinkedIn message, etc.; hopefully they get back to you so you can maintain a steady cadence of weekly networking meetings. You can always reach out to more contacts on your list to maintain your schedule of networking meetings. While it’s OK to stack rank by networking potential, don’t discount anyone – you never know who knows someone (who may know someone) who can lead you to a great job opportunity.

Leverage your network to prepare for interviews and research companies.

If you apply for a job, search your contacts (e.g., using LinkedIn) to see who is connected to, or working for, the company to which you’ve applied. If you have former colleagues at the company, consider reaching out to let them know you’ve applied for a position with the company and that it would be great to work with them again. Some may be willing to be an internal reference for you, or even put in a good word with the hiring manager. You can also reach out to colleagues for background on the people with whom you will be interviewing.  Additionally, if you’re researching companies you may want to target in your job search, connect with members of your network at those companies, both to reconnect with them and to learn more about the position.  Even if they don’t have a current position that would be a good fit, they may let others at the organization know you’re on the market.

Find ways to keep your skills sharp.

If you’re on an “unintentional sabbatical” like I was, it’s important to find ways to keep your skills fresh.  Fortunately, there are many ways you can do this.  For example, you can volunteer with an organization that lets you practice the skills you use at work.  Participate in online discussion forums and e-groups relevant to your industry. Offer to be a speaker or panelist at online webinars or live conferences.  Write articles in publications and on LinkedIn. These are also great ways to meet people to expand your network.

Interviews are your chance to sell yourself through the answers you give and the questions you ask.

When you get that sometimes elusive interview, take the time to prepare for the questions you’ll receive. Whether or not you’re in Sales, the interview is your chance to sell yourself, your style, and your qualifications for the position. Develop your professional “elevator pitch” as to why you’re the right person for the position – sell yourself. Research the company, and your interviewers, thoroughly. It’s OK to work out talking points for questions you anticipate receiving during the interview.  For example, if you have something in your job history that may be difficult to explain, work out how you want to position it in advance, and practice it.  When coming up with questions to ask an interviewer, think of questions where the expected answer highlights the skills and qualifications you discussed during the interview which can help cement your status as a strong candidate.

Don’t forget to thank members of your network when your job search is over.

Once you’ve found a position and settled into it, carve out some time to send short notes to those in your network who assisted you during your job search. The networking contacts you connected with were part of what led you to your new position. Show those who took time to help you that you appreciated their support, guidance and/or friendship, and let them know that you stand ready to assist them if there’s something you can do for them in the future.

Also, while your networking will necessarily slow down while you get up to speed in your new position, don’t let it fade back to zero – maintain an achievable and regular networking schedule. Remember how important your network was while you were job hunting, and work proactively to keep your network strong should you (or someone you know) have a need in the future.

Finally, don’t forget to take time for you while job hunting.

If you find yourself on an “unintentional sabbatical,” your instinct is often to work night and day to find another position. While finding a job is a full-time pursuit in and of itself, most people don’t get the chance to take a sabbatical (intentional or not) during their career. If you do, lean into it. Make time to do things that will make you a better person, a better spouse, a better parent, and/or a better future employee. Once you’ve landed your next position, you don’t want to go from one stressful situation (job hunting) to another (working). By spending some time focused on you, not just finding a new job, you’ll ensure you are ready to give your new job your all when the time comes.

Eric Lambert is Commercial Counsel for the Transportation and Logistics division of Trimble Inc., an integrated technology and software provider focused on transforming how work is done across multiple professions throughout the world’s largest industries. He supports the Trimble Transportation Mobility and Trimble Transportation Enterprise business units, leading providers of software and SaaS fleet mobility, communications, and data management solutions for transportation and logistics companies. He is a corporate generalist and proactive problem-solver who specializes in transactional agreements, technology/software/cloud, privacy, marketing and practical risk management. Eric is also a life-long techie, Internet junkie and avid reader of science fiction, and dabbles in a little voice-over work. Any opinions in this post are his own. This post does not constitute, nor should it be construed as, legal advice.

Best Efforts, Commercially Reasonable Efforts, and Good Faith Efforts: How They Differ and How to Use Them Effectively

“Best efforts,” “commercially reasonable efforts,” and “good faith efforts” are three of the most common performance standards used in contracts. For example, Party A may agree to use best efforts to market Party B’s products; Party B may agree to use commercially reasonable efforts to complete a task; or both parties may agree to use good faith efforts to discuss additional business opportunities. Unlike objective performance measures, these three performance standards are highly subjective. What are “best” efforts? What is considered “commercially reasonable?” How do you define “good faith?” Many view these subjective performance standards to be three different levels of performance on a spectrum (good/better/best). However, this perception differs from the reality in the courts where definitions of these standards can differ significantly from jurisdiction to jurisdiction.

Parties find these subjective performance standards convenient where they can’t or do not want to be too specific or objective as to the level of performance required. Contract negotiations can get bogged down when one party insists on a subjective performance standard to which the other party is opposed. Where parties can’t fully agree, a slightly vague subjective standard can be used to “bridge the gap” and let the parties finalize contract terms. However, that’s just papering over a failure to achieve a true “meeting of the minds” on the terms of the agreement. A later disagreement in how to define and apply a subjective performance standard can lead to a foundering of the business relationship, a contract dispute, allegations of breach, and/or litigation or arbitration. Understanding the differences between these subjective performance standards, and knowing when and how to best use them, is therefore critical.

In this article I’ll talk through the commonly perceived differences between these three key subjective performance standards, and cover things to look out for when using these terms. I’ll also discuss why it is important to consider on a case-by-case basis whether including a specific definition for a subjective performance standard or using an objective performance measure may be a better approach.

Defining “best efforts,” “commercially reasonable efforts,” and “good faith efforts”

There is not a lot of case law, or consistency in case law, from which to draw definitions. In other words, there are no universally accepted definitions for these subjective performance standards. Here is how I differentiate them:

Things to consider and watch for when using these standards

Isn’t a “good faith efforts” standard already implied? US contract law has long provided that the performance of every contract is subject to an implied duty of good faith and fair dealing. Given this, every performance obligation in an agreement requires good faith efforts, unless a higher standard for a particular obligation is expressly stated in that agreement. Since good faith efforts is the default, is there any reason to expressly include good faith efforts in an agreement? Yes. A non-breaching party to a contract will want the ability to assert the strongest claims possible. Instead of having to rely on breach of an implied duty as the basis for a claim, a party may prefer to be able to claim a breach of the express terms of the contract as well. If “good faith efforts” are expressly stated, a party may have multiple causes of action in the event of a failure to meet those efforts. Also, as noted above, some courts have held that an express good faith efforts requirement should be interpreted as a higher performance standard.

Consider whether it makes sense to try to add boundaries to a “best efforts” obligation. If your company is on the performing side of a “best efforts” obligation that the other party will not agree to remove, one way to address the uncertainty and subjectiveness of the performance obligation is to “box it” with additional language that puts some boundaries around the obligation and defines which stones must be left unturned. For example, if XYZ asks for language stating “ABC will use best efforts to market XYZ’s product,” consider seeking a revision to “ABC will use best efforts to market XYZ’s product, provided such efforts will not require ABC to incur costs or expenses not expressly contemplated herein which in ABC’s reasonable judgment may negatively impact its business operations and operating results.” This revised language makes clear that in performing to the “best efforts” standard, ABC is not required to incur costs and expenses that could negatively impact it. ABC could also consider whether to add a lower standard to a “best efforts” clause, such as “reasonable best efforts” or “good faith best efforts,” which could lead to a court interpreting the language as a lower standard than best efforts and which ABC can argue more realistically characterizes the efforts to be expended in compliance with that performance obligation.

Avoid using qualifiers which can enhance, or muddy, a subjective performance standard. Consider avoiding adding qualifiers such as “all,” “every,” or “diligent” to a subjective standard, e.g., “diligent good faith efforts,” “all commercially reasonable efforts,” or “commercially reasonable efforts to [do x] as soon as feasible.” Qualifiers can add another layer of subjective complexity, and/or create a more onerous obligation than may have been intended. For example, if “commercially reasonable efforts” by definition does not require a party to leave no stone unturned and does not require continuous performance, requiring “all” or “diligent” commercially reasonable efforts may effectively convert it to a “best efforts” standard.

Subjective performance obligations may not play nicely with revenue recognition rules. Subjective performance standards like “best efforts,” “commercially reasonable efforts,” and “good faith efforts” may mean different minimum levels of effort to different parties. In order to evaluate performance under a contractual obligation, the parties must be able to (1) define the specific obligation to be performed, and (2) objectively measure whether that performance obligation has been satisfied. This is a core tenet of the new revenue recognition rules under ASC 606, which requires a contract to be broken into separate performance obligations so that revenue recognition occurs on a per-performance obligation basis when that performance obligation has been satisfied. Determining when a subjective performance obligation has been satisfied for ASC 606 purposes can be problematic as the parties may not agree when the obligation has been satisfied. It is advisable to try to use objective criteria, and not subjective performance standards, for performance obligations tied to revenue recognition.

Consider whether including a definition or an objective measure would work better

Parties should try to avoid ambiguity in contracts, and seek to use quantifiable and measurable obligations where possible. Using subjective performance standards such as “best efforts,” “commercially reasonable efforts,” and “good faith efforts” is often an easy way to agree on a performance obligation without being too specific on what level of effort is required to achieve it. There are times when using a minimum subjective standard instead of an objective one is a tactical approach in negotiation, such as where your company wants to be able to make an argument that its performance was sufficient without the need to demonstrate satisfaction of an objective measure.

> Consider using definitions. If you do use a subjective performance standard in an agreement, consider whether to include a definition of that standard in the agreement. By defining a standard such as “commercially reasonable efforts,” the parties are fencing in what is considered satisfactory performance of that standard, making it less subjective and easier to gauge performance if a dispute arises as to whether a party has satisfied the associated performance obligation.

> Consider whether an objective measure would work better. In a number of cases, an objective measure such as a maximum time period, a minimum required spend, a minimum number of generated leads or orders, or a minimum service level may make it easier for both parties to determine whether a party has minimally satisfied a performance obligation. Ask the other party what they would consider an acceptable result from the required efforts, and consider making that the contractual measure of minimum acceptable performance. For example, instead of saying that “ABC will use commercially reasonable efforts to generate sales leads during each term of the Agreement,” if the parties agree that 10 leads per year is the minimum acceptable performance, say “ABC will generate a minimum of ten (10) sales leads during each term of the Agreement.” If all ABC generates is 10 leads in a given year and the other party was hoping for more, the other party can choose to exercise its termination rights and find another partner.

Search your contracts and templates for subjective performance standards, and see if any can be replaced with objective measures – it could mean the difference in measuring satisfaction of performance obligations and avoiding costly contract disputes over subjective performance terms.

Eric Lambert has spent most of his legal career working in-house as a proactive problem-solver and business partner. He is a corporate generalist who specializes in transactional agreements, technology/software/e-commerce, privacy, marketing and practical risk management. Any opinions in this post are his own. This post does not constitute, nor should it be construed as, legal advice. He is a technophile and Internet evangelist/enthusiast. In his spare time Eric dabbles in voice-over work and implementing and integrating connected home technologies.

Aggregate Data Clauses – Accept or Push Back?

Before reflexively rejecting a vendor/provider’s aggregate data clause, determine whether pushing back is really necessary.

More than ever before, data is the driver of business. Companies are inundated with new data on a daily basis, which creates a number of business challenges. One of the more prominent challenges of late has been how best to protect data within a company’s infrastructure from inadvertent and improper access and disclosure. Another important challenge is how best to “mine” data sets through data analytics, the quantitative and qualitative techniques businesses use to analyze data in order to develop business insights, conclusions, strategies, and market trend data in order to provide guidance on operational and strategic business decisions. “Aggregate data” is key to data analytics; companies take existing data, anonymize it by removing any personal or other information that can be used to identify the source of the data, and aggregate it with other anonymized data to create a new set of data on which data analytics can be performed.

The strength of the conclusions and insights learned through data analytics is directly proportional to the amount of source data used. Aggregate data comes from two primary sources: (1) internal data sets within the company’s possession or control, such as transactional data, customer data, server data, etc.; and (2) external data sets such as free online databases of government data (e.g., US Census data) and data available from data brokers who have compiled aggregate data sets for purchase and use by businesses.

To ensure businesses have the right to use customer data in their possession for data analytics purposes, SaaS, cloud, software, and other technology agreements often contain an aggregate data clause. This clause gives a vendor/provider the right to compile, collect, and use aggregate data from customer information for the vendor/provider’s own business purposes. Many vendors/providers work hard to craft an aggregate data clause that fairly and adequately protects their data sources. Before reflexively rejecting a vendor/provider’s aggregate data clause, consider the analysis and questions in this article to determine whether pushing back is really necessary to protect your company’s interests.

The vendor/provider’s perspective

Customers often push back on aggregate data clauses for a variety of reasons, such as “it’s our policy not to give this right,” “why should you benefit from our data?” and “how can you guarantee someone won’t be able to figure out it’s us?” On the other side, a vendor or provider may argue that the aggregate data clause is a “table stakes” provision in their agreement. Under this argument, analytical data is used to generate macro-level insights which benefit both the vendor/provider and its customers, and as long as it is used in a way that does not identify a specific customer or client there is no potential harm to the customer in allowing its use for data analytics. Additionally, many vendors argue that the systems used to anonymize and aggregate data do not allow for exceptions on a per-customer basis. Additionally, vendors/providers often share insights and other conclusions drawn from data analytics with their customers and clients, e.g., through client alerts, newsletters, conferences, etc., and therefore clients benefit from allowing their data to be used in the vendor/provider’s data analytics efforts. Data analytics are often a critical part of a vendor/provider’s business plans and operations, and access to client data for analytics purposes is baked into the cost of using the service.

Is the aggregate data clause well-drafted and balanced?

Many vendors/providers take the time to craft an aggregate data clause that is fair and does not overreach. As long as the vendor/provider has protected the customer’s rights and interests in the underlying customer data, the use of a customer’s data for analytics purposes may be perfectly acceptable as a part of the overall contractual bargain between the parties. A well-drafted clause usually contains the following core provisions:

  • Grant of rights – A right for the vendor/provider to compile, collect, copy, modify, publish and use anonymous and aggregate data generated from or based on customer’s data and/or customer’s use of its services, for analytical and other business purposes. This is the heart of the clause. This clause gives the vendor/provider the right to combine aggregate data from multiple internal and external data sources (other customers, public data, etc.).
  • Protection of source data – A commitment that the customer will not be identified as the source of the aggregate data. While this is really restating that the data will be “anonymous,” some customers may want a more express commitment that the aggregate data can’t be traced back to them. I’ll talk more about this later in this article.
  • Scope of usage right – Language making clear either that the vendor/provider will own the aggregate data it generates (giving it the right to use it beyond the end of the customer agreement), or that its aggregate data rights take precedence over obligations with respect to the return or destruction of customer data. The common vendor/provider reason for this is that aggregate data, which cannot be used to identify the customer, is separate and distinct from customer data which remains the property (and usually the Confidential Information) of the customer under the customer agreement. Additionally, the vendor/provider often has no way to later identify and remove the aggregate data given that it has been anonymized.

Things to watch for

When reviewing an aggregate data clause, keep the following in mind:

Protection of the company’s identity. While language ensuring that a customer is not identified as the source of aggregate data works for many customers, it may not be sufficient for all. Saying a customer is not identified as the source of aggregate data (i.e., the vendor/provider will not disclose its data sources) is not the same as saying that the customer is not identifiable as the source. Consider a customer with significant market share in a given industry, or which is one of the largest customers of a vendor/provider. While the vendor/provider may not disclose its data sources (so the customer is not identified), third parties may still be able to deduce the source of the data if one company’s data forms the majority of the data set. Customers that are significant market players, or which are/may be one of a vendor’s larger clients, may want to ensure the aggregate data clause ensures the customer is not identified or identifiable as the source of the data, which puts the onus on the vendor/provider to ensure the customer’s identity is neither disclosed nor able to be deduced.

Ownership of aggregate data vs. underlying data. As long as the customer is comfortable that aggregate data generated from customer data or system usage cannot be used to identify or re-identify the customer, a customer may not have an issue with a vendor/provider treating aggregate data as separate and distinct from the customer’s data. Vendors/providers view their aggregate data set as their proprietary information and key to their data analytics efforts. However, a well-drafted aggregate data clause should not give the vendor/provider any rights to the underlying data other than to use it to generate aggregate data and data analytics.

Scope of aggregate data usage rights. There are two ways customer data can be used for analytics purposes – (1) to generate anonymized, aggregate data which is then used for data analytics purposes; or (2) to run data analytics on customer data, aggregate the results with analytics on other customer data, and ensure the resulting insights and conclusions are anonymized. Customers may be more comfortable with (1) than (2), but as long as the vendor/provider is complying with its confidentiality and security obligations under the vendor/provider agreement both data analytics approaches may be acceptable. With respect to (2), customers may want to ask whether the vendor/provider uses a third party for data analytics purposes, and if so determine whether they want to ensure the third-party provider is contractually obligated to maintain the confidentiality and security of customer data and if the vendor/provider will accept responsibility for any failure by the third party to maintain such confidentiality and security.

Use of Aggregate Data. Some customers may be uncomfortable with the idea that their data may be used indirectly through data analytics to provide a benefit to their competitors. It’s important to remember that data analytics is at a base level a community-based approach – if the whole community (e.g., all customers) allows its data to be used for analytics, the insights and conclusions drawn will benefit the entire community. If this is a concern, talk to your vendor/provider about it to see how they plan to use information learned through analytics on aggregate data.

Duration of aggregate data clause usage rights. Almost every vendor/provider agreement requires that the rights to use and process customer data ends when the agreement terminates or expires. However, vendors/providers want their rights to use aggregate data to survive the termination or expiration of the agreement. A customer’s instinct may be to push back on the duration of aggregate data usage rights, arguing that the right to use aggregate data generated from the customer data should be coterminous with the customer agreement. However, if the data has truly been anonymized and aggregated, there is likely no way for a vendor/provider to reverse engineer which aggregate data came from which customer’s data. This is why many vendors/providers cannot agree to language requiring them to cease using aggregate data generated from a customer’s source data at the end of the customer relationship. One approach customers can consider is to ask vendors/providers when they consider aggregate data to be “stale” and at what point they cease using aged aggregate data, and whether they can agree to state that contractually.

Positioning an objection to the aggregate data clause. As noted earlier, the right to use data for analytics purposes is considered to be a cost of using a vendor/provider’s software or service and a “table stakes” provision for the vendor/provider, and the ability to use data for analytics purposes is already baked into the cost of the software or service. Some customers may feel this is not sufficient consideration for the right to use their data for analytics purposes. If that is the case, customers may want to consider whether to leverage an objection to the aggregate data clause as a “red herring” to obtain other concessions in the agreement (e.g., a price discount, a “give” on another contract term, or an additional service or add-on provided at no additional charge).

The GDPR view on use of aggregate data

The European Union’s new General Data Protection Regulation (GDPR), which becomes effective on May 25, 2018, makes a significant change to the ability to use personal data of EU data subjects for analytics purposes. Under the GDPR, a blanket consent for data processing purposes is no longer permitted – consent to use data must be specific and unambiguous. Unfortunately, this directly conflicts with data analytics, as the ways a data set will be analyzed may not be fully known at the time consent is obtained, and there is no right to “grandfather in” existing aggregate data sets. Simply saying the data will be used for analytics purposes is not specific enough.

Fortunately, the GDPR provides a mechanism for the continued use of aggregate data for analytics purposes without the need to obtain prior data subject consent – Pseudonymization and Data Protection by Default. Pseudonymization and data protection principles should be applied at the earliest possible point following acquisition of the data, and vendors/providers must affirmatively take data protection steps to make use of personal data:

  • Pseudonymization – Pseudonymization is a method to separate data from the ability to link that data to an individual. This is a step beyond standard tokenization using static, or persistent, identifiers which can be used to re-link the data with the data source.
  • Data Protection by Default – This is a very stringent implementation of the “privacy by design” concept. Data protection should be enabled by default (e.g., an option in an app to share data with a third party should default to off).
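Two of the points above lend themselves to a worked illustration: the difference between a customer that is not identified and one that is still identifiable when its data dominates an aggregate (under “Protection of the company’s identity”), and the difference between static tokenization and keyed pseudonymization in the GDPR list. The following Python is an added example, not code from the original post; the customer records, the key handling and the 50% dominance threshold are constructed assumptions for illustration.

```python
"""Added example: static tokens vs. keyed pseudonyms, plus a dominance check
for aggregate data.  Sample data is constructed; this is not the post's code."""
import hashlib
import hmac
import secrets
from collections import Counter, defaultdict

# Constructed sample: usage records a SaaS provider might hold per customer.
RECORDS = [
    {"customer": "acme-corp", "region": "US", "orders": 900},
    {"customer": "acme-corp", "region": "US", "orders": 850},
    {"customer": "bolt-llc", "region": "US", "orders": 60},
    {"customer": "cobalt-inc", "region": "US", "orders": 40},
    {"customer": "acme-corp", "region": "EU", "orders": 100},
    {"customer": "bolt-llc", "region": "EU", "orders": 120},
    {"customer": "cobalt-inc", "region": "EU", "orders": 110},
]

# Assumed key custody: keys live apart from the released data and are
# generated per dataset so two releases cannot be joined on the pseudonym.
DATASET_KEY = secrets.token_bytes(32)
OTHER_DATASET_KEY = secrets.token_bytes(32)


def static_token(identifier: str) -> str:
    """Unkeyed, persistent token.  The same input always yields the same
    output, so anyone holding a list of customer names can recompute the
    tokens and re-link the 'anonymized' rows.  This is the weak form."""
    return hashlib.sha256(identifier.encode()).hexdigest()[:16]


def pseudonym(identifier: str, key: bytes) -> str:
    """Keyed pseudonym (HMAC-SHA256).  Without the key the mapping cannot be
    recomputed, so linkability depends on who holds the key, not the data."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()[:16]


def release(records, key=None):
    """Replace the direct identifier with a static token (key is None) or a
    keyed pseudonym, leaving the non-identifying fields untouched."""
    out = []
    for r in records:
        tok = static_token(r["customer"]) if key is None else pseudonym(r["customer"], key)
        out.append({**r, "customer": tok})
    return out


def relink(rows, candidate_names, key=None):
    """Model a recipient who holds the released rows plus a list of candidate
    customer names and tries to recompute tokens.  Returns recovered names."""
    recovered = set()
    for name in candidate_names:
        probe = static_token(name) if key is None else pseudonym(name, key)
        if any(r["customer"] == probe for r in rows):
            recovered.add(name)
    return recovered


def aggregate_with_dominance(records, threshold=0.5):
    """Aggregate orders per region and flag groups in which one source
    supplies more than `threshold` of the total.  Such a contributor is
    'identifiable' from the aggregate even though it is never 'identified'."""
    per_region = defaultdict(Counter)
    for r in records:
        per_region[r["region"]][r["customer"]] += r["orders"]
    result = {}
    for region, per_source in per_region.items():
        total = sum(per_source.values())
        top_share = max(per_source.values()) / total
        result[region] = {
            "orders": total,
            "sources": len(per_source),
            "dominant_source": top_share > threshold,
        }
    return result


if __name__ == "__main__":
    names = ["acme-corp", "bolt-llc", "cobalt-inc"]
    print("static tokens re-linked:", relink(release(RECORDS), names))
    print("pseudonyms, no key:     ", relink(release(RECORDS, DATASET_KEY), names))
    print("pseudonyms, right key:  ", relink(release(RECORDS, DATASET_KEY), names, DATASET_KEY))
    print("pseudonyms, other key:  ", relink(release(RECORDS, DATASET_KEY), names, OTHER_DATASET_KEY))
    for region, stats in aggregate_with_dominance(RECORDS).items():
        print(region, stats)
```

In the constructed data the US aggregate is flagged because one customer supplies well over half of the orders, which is the “identifiable, though not identified” situation the post describes; the EU aggregate, with three comparable contributors, is not.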


Data analytics is an important part of every company’s “big data” strategy.  Well-crafted aggregate data clauses give vendors and providers the ability to leverage as much data as possible for analytics purposes while protecting their customers.  While there are reasons to push back on aggregate data clauses, they should not result in a negotiation impasse. Work with your vendors and providers to come up with language that works for both parties.

Eric Lambert has spent most of his legal career working in-house as a proactive problem-solver and business partner. He is a corporate generalist who specializes in transactional agreements, technology/software/e-commerce, privacy, marketing and practical risk management. Any opinions in this post are his own. This post does not constitute, nor should it be construed as, legal advice. He is a technophile and Internet evangelist/enthusiast. In his spare time Eric dabbles in voice-over work and implementing and integrating connected home technologies.

Paralegal vs. Legal Assistant vs. Junior Attorney – Know the Differences and Pick the Right Professional Before Hiring or Contracting

It’s a good sign when the volume of legal work at a company increases to the point where another legal resource is needed, either permanently or temporarily. Most often a company will look for a generalist resource, such as a paralegal, a legal assistant, or a junior attorney, to handle a variety of tasks and free up time for senior attorneys and other specialists to focus on other work. However, many companies post a new position or reach out to a placement firm for a temporary resource without first thinking through which type of legal professional is best suited for the needs of the organization.

Paralegals and legal assistants are non-attorney legal professionals that can perform substantive legal work under the supervision of an attorney, and often form an integral part of an in-house legal department or law firm.  There are advantages and disadvantages to adding a paralegal, legal assistant, or junior attorney. Thinking through whether a paralegal, legal assistant, or junior attorney is the best role for your company’s needs can help maximize productivity for the person filling the role, and help ensure that the person is capable and ready for the work he or she will be tasked to perform. Just as important, understanding what attorney and non-attorney legal professionals can’t do, and how they should be classified from an employee perspective, can help protect your company (and any existing in-house attorneys) from ethical or business issues.

I’ll conclude with a note about contract managers, another role used by some companies to manage transactional work.

Differences at a Glance

At a high level, here are the differences between paralegals, legal assistants and junior attorneys:

Diving In

Let’s look at each of these roles in a little more detail.

Paralegals

Paralegals are non-attorney legal professionals with education, a certification, work experience, or other training which allows them to perform substantive legal work under an attorney’s guidance and supervision. Paralegal as a profession first appeared in the 1960s. Paralegals support the substantive work of attorneys by allowing attorneys to delegate work to them that attorneys would otherwise need to perform directly. Paralegals can play a critical role within legal departments given the breadth of work they can perform. Unless it involves the unauthorized practice of law (which I’ll address later in the article), paralegals can be delegated almost any project that an attorney would normally perform, as long as the paralegal is qualified to do it or willing to learn and the paralegal is supervised by an attorney. Paralegals at smaller departments may also handle administrative tasks for the legal team. There are a number of certification programs for paralegals, such as the National Federation of Paralegal Associations (NFPA)’s Paralegal CORE Competency Exam (PCCE) and Paralegal Advanced Competency Exam (PACE) and the National Association of Legal Assistants (NALA)’s Certified Paralegal (CP) and Advanced Paralegal Certification (APC) credentials. There are also paralegal associate degree, bachelor degree, and master’s degree programs.

If a company needs a legal professional with the training, experience and ability to perform substantive legal work under the supervision of one of the company’s attorneys, and does not need an attorney for the role to provide legal advice/counsel or to represent the company, a paralegal may be a good option. For example, a paralegal may be best suited to help with a document review project, to draft and negotiate standard agreements, or to research a specific question or new law.

Legal Assistants

Legal assistants also perform substantive legal work under an attorney’s guidance and supervision. Legal assistants may be tasked with administrative activities such as filing, maintaining the legal calendar of important deadlines (e.g., trademark renewal deadlines), and managing legal department bills and expense reporting. Legal assistants may aspire to grow into a paralegal role. If a company needs a non-attorney legal professional who does not possess the training, education and experience of a paralegal but who has the ability to perform both substantive and administrative legal work under the supervision of an attorney, a legal assistant may be a good option. For example, a legal assistant may be best suited to help a small legal department which has administrative needs as well as other substantive work.

Many non-attorney legal professionals within corporations prefer the title “Paralegal” to “Legal Assistant,” as it is often perceived as a more professional and senior position than that of a legal assistant. Some in-house legal departments will use the title “Junior Paralegal” for a legal assistant who does not yet have the necessary experience, education, certification or training to be a full paralegal, but where the person or the company wants the individual contributor to have a paralegal title.

Paralegals and Legal Assistants as Non-Exempt Personnel

One very important note for US employers – the US Department of Labor (DOL) has stated that paralegals and legal assistants should be classified as non-exempt personnel in most circumstances. Under 29 CFR Part 541.301(e)(7), the Department of Labor stated that “paralegals and legal assistants generally do not qualify as exempt learned professionals because an advanced specialized academic degree is not a standard prerequisite for entry into the field.” The DOL has issued opinion letters, such as FLSA2005-54 and FLSA2006-27, supporting this position. However, do not interpret this as meaning that paralegals and legal assistants are not professionals – they are (just not from a Fair Labor Standards Act perspective according to the DOL). It’s also important to note that the DOL’s webpage on the Overtime Final Rule added a note in January 2018 stating that the DOL is “undertaking rulemaking” to revise the Overtime Final Rule, so employers with paralegals and legal assistants should watch this carefully.

Why Paralegals and Legal Assistants are Different

Many view paralegals and legal assistants as interchangeable titles and roles. For example, the American Bar Association uses the same definition for both paralegals and legal assistants. Both paralegals and legal assistants can perform substantive legal work under an attorney’s supervision. However, I think it’s more accurate to view them as two different points on the spectrum of non-attorney legal professionals. Here are some of the key differences I see between the roles:

  • Paralegals often perform (and expect to be tasked with) more and higher-level substantive work than legal assistants.
  • Legal assistants are more likely to be tasked with administrative legal responsibilities than paralegals in the same department.
  • Paralegals are more likely to have completed a certification, education, or other training programs demonstrating a higher level of skill and experience to provide supporting substantive legal work, and are required to maintain paralegal certifications through continuing paralegal education.
  • Paralegals, especially those with a certification, tend to expect a higher compensation rate/salary than non-certified paralegals or legal assistants.

What Paralegals and Legal Assistants Can’t Do

Paralegals and legal assistants can do many things, but cannot provide legal advice or opinions, sign documents or pleadings, engage in other prohibited tasks such as establishing attorney-client relationships, or engage in the unauthorized practice of law. This is a critically important point – paralegals cannot, and should not be permitted to, perform substantive legal work except under an attorney’s supervision, and should not do anything (directly or indirectly) that could be considered the unauthorized practice of law. For in-house paralegals, this can be very tricky as others will undoubtedly come to the paralegal asking for an opinion or advice. Rank-and-file employees often feel anyone in Legal should be able to give them an answer on a legal question. It’s up to the paralegal to let them know that they need to defer to the attorney on legal advice or opinions, and to ensure their work is being supervised by an attorney. The voluntary codes of paralegal ethics, such as the NALA Code of Ethics and Professional Responsibility and the NFPA Model Code of Ethics and Professional Responsibility and Guidelines for Enforcement, clearly state that paralegals cannot engage in the unauthorized practice of law, perform duties that only attorneys can perform, or take actions that only an attorney can take.

In Minnesota, as in most US states, the unauthorized practice of law is illegal. Minn. Stat. § 481.02 prohibits a non-attorney from acting as an attorney or giving legal advice or services. In many states, the unauthorized practice of law is a felony. An attorney responsible for supervising the work of a paralegal or legal assistant who engages in the unauthorized practice of law will also find themselves in violation of Rule 5.5 of the Minnesota Rules of Professional Conduct, which prohibits attorneys from assisting others in the unauthorized practice of law.

This is one of the reasons why the first in-house legal hire at most companies is an attorney. It is generally not recommended that a company’s first legal hire be a paralegal or legal assistant, as many of the substantive legal tasks to be performed by the first legal hire at a company require legal supervision, and outside counsel may not be willing to supervise the work of a non-attorney employed by the corporation due to ethical concerns. An attorney who fails to properly supervise the work of non-attorney legal professionals reporting to that attorney is putting his or her legal reputation, license to practice law, and company at risk.

Junior Attorneys

As licensed attorneys, junior attorneys offer a company the ability to do more than paralegals or legal assistants. Not only can they perform substantive work, but they can provide legal advice and opinions, represent the company in court, and otherwise engage in the practice of law. However, junior attorneys are usually considerably more expensive than either paralegals or legal assistants. If a company is hiring its first legal professional and does not need a more senior attorney as its first attorney (e.g., the company has a strong relationship with outside counsel that is acting in a quasi-General Counsel capacity), or needs a legal professional who can perform substantive legal work, provide legal advice and counsel and represent the company, and the company can afford the higher compensation an attorney typically requires, a junior attorney may be a good option.

Contract Managers

There is one other role used by some companies with respect to contracts – the contract manager. A contract manager is a person who is tasked with negotiating, administering and interpreting a company’s contracts (both standard and non-standard). Contract managers can be non-attorneys, or non-practicing attorneys. Contract managers often act in a project manager role to help ensure a company is meeting its requirements with respect to deliverables and other contractual obligations under its agreements. As with paralegals, there are professional associations governing contract managers, including the International Association for Contract & Commercial Management (IACCM) and the National Contract Management Association (NCMA), as well as contract manager certification programs including the NCMA’s Certified Federal Contract Manager (CFCM), Certified Commercial Contract Manager (CCCM), and Certified Professional Contract Manager (CPCM) designations, which require a certain amount of continuing education. In some cases, a company’s procurement department will have contract managers who negotiate procurement and other agreements to take load off of the company’s legal team. Some companies choose to establish an in-house legal function by hiring a contract manager as their first legal professional.

Like other non-attorneys in the United States, contract managers cannot provide legal advice or opinions. However, it is an unsettled question whether a contract manager who does not have a legal degree and negotiates agreements, including risk management terms, on behalf of a company without attorney supervision is engaging in the unauthorized practice of law. Companies should consider whether to ensure contract managers are part of the Legal department and are supervised by attorneys just as paralegals must be, or alternatively require candidates for a contract manager position to hold a JD degree – the attorney would be acting not as an attorney for the corporation but in a “quasi-legal” role, and would remain subject to the Model Rules of Professional Responsibility governing attorneys, which would help avoid issues regarding the unauthorized practice of law.

Eric Lambert has spent most of his legal career working in-house as a proactive problem-solver and business partner. He is a corporate generalist who specializes in transactional agreements, technology/software/e-commerce, privacy, marketing and practical risk management. Any opinions in this post are his own. This post does not constitute, nor should it be construed as, legal advice. He is a technophile and Internet evangelist/enthusiast. In his spare time Eric dabbles in voice-over work and implementing and integrating connected home technologies.

Can Ad Targeting Equal Discrimination? What Companies Need to Know About Targeted Ad Discrimination and the Facebook Targeted Ads Lawsuit

Federal and state laws have long prohibited discrimination in employment, housing and credit-related marketing and advertising. Title VII of the Civil Rights Act prohibits employment discrimination based on ethnicity, national origin, and other protected characteristics, which includes prohibiting discriminatory practices in the marketing and advertising of employment opportunities based on their content or target audience. The Age Discrimination in Employment Act prohibits discriminatory employment practices related to people who are 40 or older. Title VIII of the Civil Rights Act (the Fair Housing Act) prohibits housing discrimination, including discriminatory practices in the marketing and advertising of housing opportunities. The Equal Credit Opportunity Act prohibits discrimination in credit transactions, including discriminatory practices in the marketing and advertising of credit opportunities. There are many state laws which provide similar protections to their citizens, such as the Minnesota Human Rights Act and the California Fair Employment and Housing Act.

Targeted advertising is an advertising method which allows online advertisers to target their advertising to a specific audience of potential purchasers/consumers based on certain audience traits or other criteria. This allows companies to realize a higher return on ad spend (ROAS) by ensuring advertising dollars spent through pay-per-click (PPC) or cost-per-impression (CPI) models are directed towards the most relevant, and presumably receptive, audience for the company’s ads. For example, if the target audience for your product or service is millennials, there is little value in having online advertising delivered to Generation X or Baby Boomers, as the number of purchases/leads you generate from that audience will not justify the ad spend on them. If you use an online, untargeted banner advertisement, it will be displayed to every website visitor whether or not they are in your target demographic. Targeting your ad spend to millennials will increase the return on your advertising dollars by ensuring it’s seen by the audience most likely to be interested in your advertisement, generating sales, leads, or applicants for your company in a cost-effective manner.

Targeted Ad Discrimination

Social media platforms such as Facebook offer targeted advertising to advertisers on their platform. Facebook allows you to target your advertising audience based on a number of different characteristics, such as age, location (e.g., ZIP code), gender, ethnicity, education level, and interests. For most products and services, this is extremely valuable. But for advertisers of employment, housing and credit opportunities, using targeted advertising to limit or restrict the target audience in a protected class or group can create unintended liability under federal and state laws, which I call “targeted ad discrimination.” This is a new, and real, risk for the significant numbers of employers, housing providers, and credit companies that use online targeted advertising to market their opportunities, goods, and services.

The potential for targeted ad discrimination has not gone unnoticed by the Federal Trade Commission. In its January 2016 report “Big Data: A Tool For Inclusion or Exclusion?”, the FTC noted that “[i]n some cases, the Department of Justice has cited a creditor’s advertising choices as evidence of discrimination” and that “whether a practice is unlawful under equal opportunity laws is a case-specific inquiry, and as such, companies should proceed with caution when their practices could result in disparate treatment or have a demonstrable disparate impact based on protected characteristics.”

The Facebook Lawsuit

In November 2016, a class action lawsuit was brought in the Northern District of California against Facebook alleging targeted ad discrimination, following a ProPublica article that highlighted the ability to use Facebook’s targeted advertising to exclude users by “ethnic affinity.” The plaintiffs in Mobley et al. v. Facebook, Inc., Case No. 5:16-cv-06440 (N.D. Cal.) allege that Facebook’s targeted advertising tools, which leverage the consumer profiles of its users created by Facebook, create a “pattern or practice” of facilitating discrimination against protected classes by employers and by providers of housing and credit by enabling them to target advertisements only to specific Facebook user groups or to exclude specific user groups from an advertisement’s audience, which has the result of targeting advertisements based on protected characteristics such as age, gender, ethnic background, or national origin.

Facebook has countered that targeted advertising allows brands to direct relevant advertising to audiences and that its advertising policies prohibit use of its targeted advertising tool for illegal purposes, and announced shortly after the lawsuit was filed that it would make changes intended to prevent the use of “ethnic affinity” marketing for housing, employment, and credit-related ads. It argues that it is shielded from liability under the Communications Decency Act, which protects online service providers from liability for third-party content on their service. Facebook’s motion to dismiss is pending but on hold at the moment while the parties engage in mediation. ProPublica reported in November 2017 that it was still able to post rental housing ads on Facebook that it claimed discriminated against ethnic groups. It remains to be seen whether Facebook will bear any liability for providing a targeted advertising solution that has the ability to be misused by its customers in violation of state and federal laws.

Advertisers Themselves May Face Liability, Too

In response to the uproar over potential interference with the 2016 US election, Facebook recently introduced new ad transparency features. One aspect of these transparency features allows anyone to see information about the groups to which a Facebook ad is targeted. For example, by clicking on “Why am I seeing this?” on an advertisement in my Facebook feed for a Shark IONFlex™ vacuum, I was able to see the ad is targeted to “Member(s) of a family based household” who are “ages 18 to 64 who live in the United States.” While this may be OK for an ad for a vacuum, it could cause problems for a housing, employment, or credit-related ad.

According to Joel O’Malley (a shareholder at Nilan Johnson Lewis, a Minneapolis firm specializing in defense-side employment law), the plaintiffs’ firm that filed suit against Facebook has begun leveraging Facebook’s ad transparency features to examine the targeting criteria for employment, housing and credit-related Facebook ads, and sending letters to companies advertising on Facebook threatening class action lawsuits for discrimination in employment, housing, or credit advertising due to exclusions or limitations in their targeted advertising based on age, ethnicity, gender, or other protected characteristics. It is very likely that other class action firms may “smell blood in the water” and start sending similar letters or filing actions against companies for targeted ad discrimination through Facebook. It is also likely that other targeted advertising platforms and tools may face similar scrutiny, and the users of those tools may face similar letters or actions alleging targeted ad discrimination. It is also possible the FTC will take an increased interest in targeted ad discrimination.

What Companies Should Do

  • Don’t wait to receive a letter or claim. Companies that use online advertising for employment, housing, or credit-related purposes should review their use of targeted advertising and the content of their targeted ads, and ensure targeted ads are composed and posted in a manner that does not give rise to a targeted ad discrimination claim. For example, ensure there are no age or ethnicity restrictions on job postings.
  • Educate relevant internal stakeholders about targeted ad discrimination and the importance of being careful when using targeted advertising with certain types of advertisements, and what they should do if they receive a communication from a law firm regarding targeted ad discrimination.
  • Consider engaging an employment law defense firm, or reach out to your existing employment law defense firm, to assist with a review of your company’s job postings to determine whether you are at risk and what steps can be taken to mitigate any discovered risk. For example, Nilan Johnson Lewis has developed an audit tool for its corporate clients to assess each employer’s unique level of risk.
