The Why, When and How of Confidentiality Agreements (Part 2)

Nondisclosure Agreements (NDAs), a/k/a Nondisclosure Agreements (NAs), Confidentiality Agreements (CAs), Confidential Disclosure Agreements (CDAs), and Proprietary Information Agreements (PIAs), are something most business leaders and lawyers deal with from time to time.  However, few companies have implemented policies stating why, when and how NDAs should be used.  In Part 1 of this article, I talked about the “why” and the “when.”  Part 2 covers the “how.”

HOW to use an NDA.  Once you’ve figured out the why and the when, use the following tips and tricks as you work with NDAs:

  • Keep them fair and balanced. While you always want to try to avoid getting bogged down in contract negotiations, this is especially true for NDAs typically entered into at the outset of a relationship or where disclosure of specialized information is needed to further a business purpose.  Counsel should work with business leaders to ensure the NDA template is fair and balanced. If a potential partner or vendor insists on their NDA, consider whether it is fair and balanced – if it is, it may not be the best time for a battle over whose form to use.
  • Make sure “purpose” is defined. NDAs should include a description of why the parties are sharing information (a potential business relationship between them, a potential business combination, to allow your company to participate in an activity, etc.)  This is usually defined as the “Purpose.” Defining the Purpose, and restricting the recipient’s use of your CI to the Purpose, can help ensure contractually that information you disclose is not misused.
  • Avoid sharing customer records or personally identifiable information under an NDA.Be very careful if you want to share customer or employee records or other personally identifiable information under an NDA. You generally need other security protections that aren’t in a standard NDA; your privacy policy might not allow it; you may not have the necessary permissions from the data subjects to share it; there may be specialized laws (e.g., HIPAA) that could be impacted; etc.  If you need to share data to evaluate a new product or service, use dummy data.
  • Ensure “Confidential Information” covers what you want to share. Make sure the definition of “Confidential Information” is broad enough to cover all of the information that you’re planning to share.  Whether you are disclosing financial projections, business plans, network credentials, samples of new products, or other information, if it’s not covered by the definition the recipient has no obligation to protect it.
  • Watch out for “residuals” clauses.One dangerous clause to watch out for (and avoid) in NDAs is the “Residuals” clause.  “Residuals” are what you retain in memory after you look at something (provided you don’t intentionally try to memorize it).  Residuals clauses let you use any residuals from the other party’s CI retained in your unaided memory.  However, it’s next to impossible to prove that something was in someone’s “unaided memory.”  Residuals clauses are a very large back door to NDA requirements.
  • Understand the “marking requirements.” NDAs generally require identification of confidential information so that the recipient knows that it should be kept confidential.  For example, you generally have to mark any information in written disclosures as “confidential” using a stamp, watermark, or statement in the header/footer (don’t forget to mark all pages of a document and its exhibits/attachments in case pages get separated).  Some NDAs require that confidential information disclosed orally has to be summarized in a written memo within a certain period of time in order to fall under the NDA – don’t lose sight of this obligation, and consider steps to mitigate the risk if you have this requirement (e.g., a reminder in your lead management system to summarize when a note of a sales call is included).  Other NDAs include a “catch-all” to keep confidential any information where, from the circumstances of disclosure, the disclosing party clearly intended (or the recipient can determine) that it should be kept confidential.  This last clause is a double-edged sword – it ensures the broadest possible protection for you, but also for the other party
  • Look at the “nondisclosure period.” Most NDAs have a defined period of time during which confidentiality obligations will apply to CI.  Once the period ends, your CI is no longer considered confidential by the other party.  If you are disclosing trade secrets, it’s important that they are kept confidential forever, or until the information enters the public domain through someone else’s acts or omissions. Also, consider language that requires the other party to securely dispose of your CI when there is no longer a business or legal need for them to possess it.
  • Control onward transfer. Ensure you’re controlling the onward transfer of your CI.  Generally, a recipient’s onward transfer of your CI should only be permitted when (a) the receiving party is a business partner of the recipient (a contractor, subsidiary, supplier, etc.); (b) the receiving party needs to know the CI in furtherance of the Purpose; and (c) the receiving party is bound by written confidentiality obligations at least as strong as those in the NDA between you and the recipient.  Make sure the NDA holds the recipient liable for any improper disclosure of CI by the third party so you don’t have to go after the third party, and requires that data be transferred securely.
  • Watch out for overlapping confidentiality obligations.As I noted in Part 1, it’s important to look out for duplicate confidentiality obligations governing the same confidential information.  In some cases, a party may suggest that each party sign the other’s NDA.  In other cases, a party might try to keep an NDA alive after a services or other agreement has been finalized and signed.  You should avoid having different confidentiality obligations govern the same agreement, as it can easily lead to a big fight over what contractual obligations and provisions apply in the event of a disclosure, distracting you from dealing with the actual breach of your CI.
  • Be mindful of your return or destruction obligations. In most NDAs there is a requirement for a recipient to return or destroy the discloser’s CI, either upon request and/or upon termination.  Sometimes the discloser gets to pick between return and destruction, sometimes the recipient.  In order to ensure compliance, make sure you limit disclosure of third party CI internally, and keep track of who has access to/copies of it.  Without tracking that information, it’s very difficult to ensure return or deletion when the time comes.
  • Be careful sharing access credentials. If you’re sharing any network or other computer access credentials as part of the Purpose, ensure the NDA contains additional security obligations to maintain appropriate safeguards to protect access credentials, to limit use of them (no onward transfer), notification in the event the credentials are (or are suspected to have been) compromised, and an indemnity if the security obligations are breached.  Remember, the Target breach began with the compromise of a subcontractor’s network credentials.
  • Consider using electronic signatures. As I described in my earlier blog post, using an electronic signature system for NDAs can make the nondisclosure process even more quick and efficient, letting your business team get to sharing information sooner.

There are other NDA issues as well, such as ensuring injunctive relief language is not too limiting or broad for your company’s needs.  As always, consult an attorney with expertise in NDAs (and a business-savvy approach) to ensure your company, its confidential and proprietary information and its trade secrets are properly protected.

The Why, When and How of Confidentiality Agreements (Part 1)

Nondisclosure Agreements (NDAs), a/k/a Nondisclosure Agreements (NAs), Confidentiality Agreements (CAs), Confidential Disclosure Agreements (CDAs), and Proprietary Information Agreements (PIAs), are something most business leaders and lawyers deal with from time to time.  However, few companies have implemented policies stating why, when and how NDAs should be used.  Quite often different people at the same organization take very different approaches to using NDAs, resulting in inconsistent protection of a company’s confidential or proprietary information (“CI”) — or worse, jeopardizing company trade secrets.  This two-part article provides a summary of the why, when and how of NDAs.  In Part 1, I talk about the “why” and the “when.”

WHY to use an NDA.  There are three primary, and sometimes overlapping, reasons why to use an NDA – for protectivepurposes, for strategic purposes, and for contractual purposes.

  • The most common reason for entering into an NDA is to ensure there are adequate (and binding) protections for your CI before you share sensitive information with another party.  If your company has trade secrets, failing to put confidentiality obligations in place with third parties who have access to your trade secrets can cost you your trade secret protection.
  • An NDA can also be used as a litmus test to gauge whether a party is truly interested and serious about discussions with your company.  If you’re asked to sign an NDA well before confidential information will be exchanged, this might be the reason.  An example is a requirement for potential vendors to sign an NDA before the RFP is provided to them, even if there’s nothing confidential in the RFP.  Requiring an NDA up front can also ensure that you don’t get down the road with a potential vendor or partner only to find that they are resistant to signing an NDA.
  • An existing confidential obligation to a third party may require you to put confidentiality obligations in place with any subcontractor or business partner with whom you need to share the third party’s CI for business purposes (more on this in Part 2).  If an existing agreement with your subcontractor or business partner doesn’t satisfy contractual requirements, a separate NDA may be needed.

If a third party questions why an NDA is needed, consider whether that should be a red flag in and of itself.  They may not view confidentiality as a significant concern or priority, may not be sophisticated about the importance of strong confidentiality practices, or may be trying to get you to reveal confidential information without an NDA in place.

WHEN to use an NDA.  Once you’ve determined that you need an NDA for one or more of the above purposes, you then need to determine when to use one.  Keep these questions in mind:

  • What is confidential information?In order to know when to use an NDA, you need to first know what needs to be protected.  This is often the MOST IMPORTANT question a company can ask.  What information is considered confidential or proprietary information, and what information is a trade secret?  Everything else should be considered non-confidential.  Look at your IT policies to see how data is classified at your company (many classify CI into levels) and use those classifications to determine what categories of information should be protected.  If it’s information you include in your marketing brochures or on your corporate website, it’s not confidential or proprietary information.  Use this test – if you would have a problem with the information showing up on the front page of your local paper or elsewhere for the world to see, or if it ended up in the hands of your competitors, you may want to treat it as confidential if it’s disclosed.  Educate your sales and other internal business teams as to what’s considered CI, and when an NDA is required — make sure to remind them that part of their job to protect your company’s confidential information.
  • Who is disclosing what? Not every discussion about a potential business relationship requires an NDA.  Look at what information may be disclosed and by whom.  If your company isn’t disclosing confidential information as part of the discussion, the onus should be on the other party to ask for an NDA.
  • Are there existing confidentiality terms? Sometimes an existing business partner or vendor will ask for an NDA before sharing information about a new product or service.  Before signing, check your existing agreement to see whether its confidentiality language is broad enough to cover the new information.  If it is, push back on the need for a separate NDA.  You should always try to avoid having multiple confidentiality terms governing the same confidential information (for more on this, see Part 2.)  If they insist, make sure the new NDA is limited in its purpose and does not overlap with the existing agreement.
  • When will sharing begin? Determine when in the in the sales cycle/vendor selection process you need to start sharing CI – that’s your “NDA point.”  Once you’ve determined your NDA point, make sure it’s build it into your SOPs and other business process documentation to minimize the chance that CI is shared without a valid NDA in place.
  • What is the right effective date?In business, the cart sometimes gets ahead of the horse when it comes to getting an NDA in place.  If your company gets out over its ski tips by disclosing CI without having the NDA in place first, ensure that the NDA applies retroactively to by setting the effective date as the date on which confidential information was first disclosed, not the date on which it was signed.

Why do in-house lawyers get so “lawyerly” sometimes?

It’s no secret that lawyers have been stereotyped as evil, stuffy, lying, legalese-spouting, risk-averse ambulance chasers. As the joke goes, “what’s the difference between a lawyer and a catfish?  One’s a scum-sucking bottom dweller, the other’s a fish.”  William Shakespeare’s famous line in Henry VI, Part 2 – “the first thing we do, let’s kill all the lawyers,” found everywhere from t-shirts to Eagles song lyrics – is commonly referenced to bash lawyers. (It was actually meant in the play as praise for lawyers as guardians of justice and keepers of law and order.)

You have an in-house attorney whom you view as a valued business partner.  While having lunch together, you ask him about an employee issue on your team and ask him for a short email summarizing his thoughts.  It can be confusing and frustrating when an hour later he sends you an email laden with designations of “ATTORNEY/CLIENT COMMUNICATION – PRIVILEGED AND CONFIDENTIAL” copying the head of Human Resources; pronouncements of potentially dire consequences for the company if you move forward with firing the employee; requests that you obtain approval from someone higher in your reporting structure; confirmations of something you have already discussed with him in person and said you would do; and warnings about forwarding the email on to others.  What’s going on?  Why do in-house lawyers get so lawyerly sometimes?

First, remember who your in-house attorneys represent.  Their client is the company that employs them – not you, or your supervisor, or management, or the CEO, or the Board of Directors.  (If you have wondered why in-house attorneys can’t advise employees on personal matters such as tax issues, family law issues, real estate issues, and wills & trusts, that’s the reason.)  In most cases in-house counsel can provide legal advice to you about company matters as you are an employee (and representative) of its client, but only where the matters fall within the scope of your official duties. This is why attorneys sometimes remove people from an email thread when they need to provide potentially privileged advice. Unlike many other employees, in-house attorneys must have a valid license in order to practice their craft, and are bound by a detailed code of professional ethics, which includes protecting their clients and their interests.

When outside counsel (attorneys at law firms retained by companies) provide advice to a client, that advice is generally presumed to be legal advice. Legal advice from an attorney to a client is generally considered confidential, and protected from disclosure to third parties, by what’s known as the “attorney-client privilege.” A company has a right to private communications with its legal counsel, and can refuse to disclose attorney-client privileged communications.  Unlike outside counsel, in-house attorneys dispense business advice as well as legal advice, or in some cases just business advice.  Because of this, there is no presumption that advice provided by in-house attorneys to their client and its representatives (employees) is legal advice and therefore protected by the attorney-client privilege.  They have to clearly demonstrate that the advice they are providing is protected legal advice and not unprotected business advice if they hope to assert an attorney-client privilege in the communication.

Additionally, part of an in-house attorney’s central role within a company is risk management.  Whether explicit or implicit in a Legal department’s mission statement, part of their job is to facilitate the company’s business objectives while at the same time managing risk to within the company’s stated risk tolerance level.  As I explained in my Risk Management 101 blog entry, any risk management decision comes down to some combination of accepting, mitigating, shifting, or avoiding risk.  To ensure risk is properly managed, in-house attorneys strive to ensure that business decision-makers understand the pros and cons of a business decision before making a risk management decision.  Lawyers often perform a risk management analysis as part of providing legal advice – they identify the potential risks and benefits of a particular course of action (and provide a suggested or recommended course of action if asked or expected to do so), and identify the person or role who needs to make the risk management decision, so that decision-maker can make an informed risk management decision on what to do about the identified risks.

Protecting the attorney/client privilege and managing risk while facilitating business objectives are the two primary reasons why in-house lawyers get “lawyerly” at times – they are doing their job representing and protecting the company and its interests while driving business forward.  When an in-house attorney provides legal advice, he/she “puts on their legal hat” and may seek to preserve attorney-client privilege in the advice to prevent its disclosure in later litigation or other proceedings, which could hurt the client.  This is why legal advice from an in-house attorney is clearly marked as being attorney-client privileged, why attorneys limit the number of recipients on emails or memos containing potentially privileged advice, and why in-house attorneys sometimes state that the email or memo should not be forwarded without their permission. If an in-house attorney formally asks you to do something in an email or memo that you have already discussed with them, this too is to help preserve privilege by ensuring you are acting at the direction of or under the supervision of counsel.

With respect to the legal advice itself, the attorney’s email may seem like “doom and gloom” by pointing out the risks (as well as the benefits) of a course of action, but the role of in-house counsel is not to accentuate the positive and eliminate the negative – our job is to facilitating the company’s business objectives while managing risk.  A good attorney does not say “yes” or “no” to a particular course of action (unless it’s illegal of course), but instead points out all the material pros and cons, provides an opinion if asked, and then lets the appropriate decision-maker call the ball on what to do about the risk.  In-house attorneys strive to ensure that decision-makers are making informed business risk management decisions based on a solid analysis of the pros and cons, not a quick decision based only on the potential benefits of doing (or not doing) something.

The next time your in-house lawyer starts sounding more lawyerly than normal, there’s likely a good reason they’re doing it — so suppress that urge to follow Shakespeare’s suggestion.

Moving on up (North) – Bringing your App, Website or Product to Canada

“We want to start selling our [app/product/service] in Canada,” says your Digital business executive.  “Any legal problems we should know about?”   Selling an app, product or service in Canada can seem like an easy way for a US company to expand the market for, and revenues generated from, something developed for the US market.  However, there are a number of considerations to consider, both from a legal and business perspective.  Some of them include:

  • Localize for the Canadian Market. As an American, I imagine that Canadians can easily tell whether a product is one designed for the US market being offered in Canada, or is one designed for the Canadian market.  Apps, websites, and services should be localized for the Canada market.  Canadian English is different than US English, and localization something that should not be overlooked.  If there is address information collected or displayed through an app or corresponding website, they should support provinces, Canadian postal codes, etc.  Localization is more than just translation; the app, website or service should be reviewed (ideally by one or more Canadian employees) to identify any pages, language, or content that may need adjusting for a Canadian audience.
  • Bilingual Requirements. The official language of Quebec is French, and many other provinces recognize both English and French as official languages. Websites (and apps) in Quebec are required to be bilingual.  Even without that requirement, it’s a good idea for websites and apps to be bilingual in Canada given the significant number of French Canadian speakers in the country.  Consider translating your license/services agreement and policies into French.  If you make your agreements bilingual, consider using a “dual-column” format so the English and French versions appear next to each other.  Ensure any bilingual agreements contain a provision stating that the parties agree that controlling version of the agreement shall be in the English language.
  • Data Privacy.From a legal perspective, Canada has a much more stringent national data privacy law than the US does.  Under Canada’s national data privacy laws, affirmative consent is generally required by consumers for a company to process personal information from Canadian consumers. Many provinces have their own privacy laws for private entities and public bodies. In addition, certain provinces also have provincial data privacy laws that can impact US companies.  For example, British Columbia’s data privacy law governing public bodies prevents any public body in BC from using a cloud-based service that stores data outside of Canada. (This law dates to 2004 and was a backlash against US government access to data under the USA PATRIOT Act of 2001.)  While many BC entities, such as schools, have complained about this law, it’s still on the books in British Columbia.
  • Marketing Communications. In addition, sending commercial electronic messages can be trickier in Canada due to a more complex Canadian law called CASL (Canada’s Anti-Spam Law) that governs commercial electronic messages (not just emails).  We’d want to look at that to see if it had an impact.  For more information, see my earlier post on preparing for CASL compliance.
  • Branding and IP. Companies should look at their branding, trademarks, and other IP used in or in connection with their app, websites, and services.  US trademark registrations don’t help in Canada if someone else is already using an identical or similar brand name in Canada. Dropping your US-branded app into the Canadian market could result in a cease-and-desist letter, or a lawsuit brought in Canadian courts. Patent protection in the US are not enforceable in Canada; you’d need to file Canadian registrations to obtain similar protections.
  • Other Considerations. Other considerations include looking at whether there are any export requirements or restrictions on exporting your product to Canada; whether NAFTA (the North American Free Trade Agreement) comes into play if there are any physical goods being sent to Canada; and ensuring you are complying with any local, provincial, or national tax requirements that may apply.

Before moving on up north, business teams should consider performing a cost/benefit analysis of the potential ROI of entering the Canadian market, evaluating these and other factors, to determine if adapting an app, website and/or service to the Canadian market is a sound business decision.

Progressive Reduction, Progressive Disclosure and Legal Disclosures – Incompatible?

Progressive Disclosure and Progressive Reduction are two common user experience (UX) techniques in website and application design.  Both reduce the amount of information provided by default to a user, which can be very useful when you have a small amount of screen real estate available on a website or in an application or striving for a clean user interface.  Both are designed to favor selective content disclosure over mouse clicks (it takes more clicks to view all of the information, but many people may not need to see the additional information and therefore won’t need the clicks).

Progressive Disclosure stack ranks information, features and options by usage, and breaks the display of the information, features and options onto multiple screens so that only the most commonly used or popular items appear by default.  The intent of Progressive Disclosure is to simplify the user interface and avoid overwhelming a user with information, features and options on a single screen (which results in a bad user experience).  Common examples of Progressive Disclosure in apps and on websites are “Learn More” links and expandable/collapsible data elements that are collapsed by default but expandable by the user. An example of Progressive Disclosure in the legal context is a “layered” privacy policy with an initial summary and links to the longer, full privacy policy.

Progressive Reduction uses user profiles and other information or options to progressively reduce content elements based on time or usage.  As the user becomes more familiar with the website or app (or as more time passes), the design can be simplified and reduced, as the assumption is that the user will still understand what to do.  For example, suppose a website has a prominent “Change Your Preferences” button with an icon.  As a user becomes more familiar with that button, it can be reduced to a “Preferences” button with an icon, and then just the icon.  Another example is expandable/collapsible data elements that are expanded by default, where if the user collapses them the website or application will remember the user’s preference and collapse them by default thereafter.

The Federal Trade Commission and state Attorneys General expect websites and apps to have “clear and conspicuous” and “legible and understandable” legal disclosures to avoid deceptive trade practice claims.  Requiring a click to access important disclosures is neither clear nor conspicuous to a user.  Thus, the concepts of Progressive Disclosure and Progressive Reduction seem to conflict with proper legal disclosures.  So can they coexist?  The answer is yes, but not for (1) the critical elements of the initial disclosure, and (2) information you are legally obligated to present to the user.

An initial website legal disclosure (e.g., special terms regarding a product, automatic renewal terms, etc.) must be clear, conspicuous, legible and understandable, as the FTC and state AGs expect. Progressive Disclosure and Progressive Reduction should not be used for the initial disclosure, and should never be used to break apart a legal agreement such as click-through terms. (If space is a concern, an attorney should try to make the disclosure as concise as possible, or use a scroll box with a greyed-out checkbox for consent or greyed-out “continue” button until the consumer scrolls to the bottom of the scroll box.)  For legal policies posted on a website, using a layered approach is a common way to apply principles of Progressive Disclosure.

In some cases, there are supplemental references to or confirmations of the initial disclosure, such as in an order confirmation email, or online notices of a policy change previously communicated by email or postal mail.  The supplemental references to, or confirmations of, a website legal disclosure are generally used to remind the consumer what they have agreed to, which can help defend against a claim that the disclosure was not clearly or conspicuously provided.  In some circumstances, such as with auto-renewing subscriptions in California, the full initial disclosure must be provided in the supplemental disclosure.  However, where there is no legal requirement to do so, Progressive Disclosure can be applied to the supplemental disclosure as long as the terms initially displayed are the ones for which the consumer would most expect to be reminded, i.e., the most critical terms.

A strong partnership with the User Experience team is critical to ensuring that legal disclosures are properly presented in websites and apps.  Demonstrating an understanding of UX concepts, and how to strike the right balance with legal disclosure requirements, strengthens their view of counsel as a valued business partner and problem solver.

The Pain of Preference Payments

Bankruptcy is boon to debtors in trouble, and a pain for creditors of those debtors.  You provide goods or services to a company only to find that their receivable is noncollectable once that company enters bankruptcy, and if you’re lucky if you receive cents on the dollar on the amount owed.  However, preference payments can sting even worse.  This blog entry gives an overview of preference payments and the common defenses.

Section 547 of the Bankruptcy Code allows a bankruptcy trustee (or a debtor-in-possession under Chapter 11) to “recapture,” or invalidate, payments made by the debtor for the benefit of a creditor during the 90 day period prior to the date the bankruptcy petition was filed (the “preference period”), regardless of whether the debtor received anything in return for the payment.  This is called a “preference payment,” so named because one of the goals of bankruptcy is to promote equality of distribution of assets to similarly-situated creditors, and to prevent a debtor from paying off its preferred creditors before filing for bankruptcy leaving basically nothing for the other creditors. There are certain requirements for a preference payment, e.g., that the payment was for an “antecedent” debt (the payment to the creditor followed provision of the goods and services to the debtor), and that the payment was made when the debtor was insolvent (there is a presumption of insolvency during the 90-day preference period).

Once a bankruptcy is filed, the trustee will often look at payments made by the debtor during the preference period, and will send demand letters (or complaints) seeking repayment of the alleged preference payments from creditors. These are the letters and court actions that vex many companies.  In some cases, repaying the alleged preference payment is more economical to a company than fighting it out with the trustee, resulting in attorneys’ fees and distractions for internal personnel.  However, companies can, and often do, fight back against preference payment recapture demands.  The Bankruptcy Code includes a number of defenses to a trustee’s attempted recapture of preference payments.  The three most common of these are:

  • Ordinary Course of Business Defense.  Under Section 547(c)(2) of the Bankruptcy Code, if a payment was made in the “ordinary course of business,” the recipient of the payment can avoid the obligation to return the payment.  (The reasoning for this is that if a payment was made in the ordinary course, there’s nothing preferential about it.)  A payment was made in the “ordinary course of business” if the creditor can prove (it has the burden of proof here) that the alleged preference payment was made either (a) consistent with the parties general business practices, such as the parties’ course of dealing; amount, timing and circumstances of previous payments; and contractual terms (the “Subjective Test”), or (b) consistent with common industry practice (the “Objective Test”). If you don’t have a payment history, you may not be able to use this exception. A trustee will likely give greater credibility to contractual terms where there’s a long history between the parties.  If that doesn’t exist, look to the actual payment history, not just the contractual terms.  The more consistency you have in your accounts payable practices with your partners and suppliers and the less “one-off” exceptions you allow, and the farther back your history goes, the easier it will likely be for you to claim the ordinary course defense. Good record-keeping is essential here.  It’s unclear whether payments made pursuant to an installment plan would be considered made in the ordinary course of business.
  • Contemporaneous New Value Defense.  Under Section 547(c)(1), if a payment by the debtor is substantially contemporaneous with the provision of “new value” by the creditor, the party receiving that payment can avoid the obligation to return the payment.  If the payment is essentially offset by new value contemporaneously provided to the debtor, the debtor’s estate is unaffected and thus there just a payment (but not a preferential payment).  A good example of this is a purchase of goods by check or cash – if the debtor paid $1,000 by check and received $1,000 in office supplies on a one-off purchase, the contemporaneous new value of office supplies received by the debtor offsets the $1,000 payment to the creditor.  To assert this defense, you must demonstrate (1) that the parties intended for the exchange of payment for value to be contemporaneous; (2) that the exchange was in fact contemporaneous; and (3) that the exchange was for new value.  If you’re concerned that a vendor may be in financial trouble, one approach is to restructure payment terms to provide for contemporaneous exchanges to better enable you to assert this defense later on.
  • Subsequent New Value Defense.  Under Section 547(c)(4) of the Bankruptcy Code, if following receipt of a preference payment a company provides new value to the debtor in the form of subsequent goods or services during the preference period, the amount of that “new value” can offset the corresponding amount of a prior preference payment.   For example, if you receive a preference payment of $10,000 sixty days prior to bankruptcy, and provide new services valued at $6,000 thirty days prior to bankruptcy (for which you do not receive another payment prior to bankruptcy), the $10,000 preference payment is offset by the $6,000 in new value, leaving a remaining preference amount of $4,000.  Credit cannot be carried forward; if there is a new payment in any amount after new value is provided but before the bankruptcy filing date, the new value is extinguished for the purposes of this defense.  This defense primarily differs from the contemporaneous new value defense in that the new value is not contemporaneous with the alleged preference payment.

One other important defense to consider is that it’s only a preference payment if made in the preference period.  For any payments made close to the 90-day mark, it may be worth a careful review of when the payment was received. In a number of courts, a “date of delivery” rule is used when determining the date of a payment for preference purposes.  Also note that for insiders of the debtor, the preference period is 1 year.

Two closing thoughts.  The possibility of recapture of preference payments shouldn’t automatically preclude you from doing business with companies which may not be fully financially stable – it’s often better to have the money and have to potentially return it than to never have it at all.  Finally, there are a lot of additional nuances to dealing with preference payment claims and litigation – consider talking with bankruptcy counsel to ensure you know your rights and defenses.

What’s the Point of a “Termination on Bankruptcy or Insolvency” Clause?

Almost every contract drafted today contains a clause allowing for a party to terminate the agreement if the other party files for bankruptcy, is forced into bankruptcy by a third party (involuntary bankruptcy), makes an assignment for the benefit of creditors, becomes or admits to being insolvent or generally unable to pay its debts when due, breaches a covenant related to financial condition, ceases to do business, etc.  This type of clause is commonly known as an ipso factoclause.  Ipso factois Latin for “by the fact itself,” and means that the occurrence of something is a direct consequence and effect of the action in question.  The action is the bankruptcy or insolvency of Party A, and the occurrence is the right to terminate by Party B.  This clause is considered “boilerplate” in most contracts, and is rarely negotiated (or even discussed).  However, attorneys and business persons alike should be very careful in relying on the right to terminate in this clause, as it’s generally unenforceable.

State law generally governs whether a contract is enforceable or non-enforceable.  However, one very big exception to that rule is the federal law governing bankruptcies (Title 11 of the United States Code, known as the “Bankruptcy Code”).  One of the primary goals of federal bankruptcy law is to allow a debtor to reorganize their business.  In order to do that, the Bankruptcy Code overrides state enforcement of ipso factoclauses and invalidates them (in most cases) as a matter of federal law.  Section 365(e)(1) of the Bankruptcy Code states that an “executory contract” (i.e., a contract where there’s still performance obligations outstanding) may not be terminated following commencement of bankruptcy solely because of a termination right based on the insolvency or financial condition of the debtor at any time before the closing of the bankruptcy.  In other words, you generally can’t exercise an ipso factoclause under federal bankruptcy law once a bankruptcy starts, no matter what the contract says.  (Another clause, Section 541(c), states that a property interest becomes property of the estate upon commencement of bankruptcy, meaning that the property interest can’t be terminated by an ipso factoclause.)  Once bankruptcy starts and while it’s underway, only the trustee of the debtor can assume or reject an executory contract – it’s out of your hands.

Ipso factoclauses have remained in agreements through the years even though they’re no longer very useful, like a contract’s version of a human appendix.  There’s actually a few good reasons to keep them around.  It’s important to remember that the clause’s unenforceability under federal law is tied to the actual commencement of bankruptcy; if that never happens, the clause is still enforceable, or at least potentially usable as a saber that can be rattled.  (Keep in mind that if you terminate under the clause and then bankruptcy is filed, the debtor may try to petition the court to reinstate the agreement and rescind the termination, similar to a “preference payment.”)  There are also a couple of limited exceptions under Section 365(e)(2) of the Bankruptcy Code, such as where applicable law excuses the other party from accepting performance (whether or not the contract prohibits or restricts the assignment or delegation), and that party doesn’t consent to the assumption or assignment, e.g., the debtor is was commissioned to paint a mural based on his expertise – the building owner doesn’t have to accept the trustee’s paint job as a substitute.  Finally, it’s always possible the Bankruptcy Code could be changed in the future to allow for the enforcement of ipso factoclauses under state law, perhaps through an expansion of the exceptions under Section 365(e)(2).

Risk Management 101

Risk management is, whether actively or passively, an ongoing process at all levels of an organization, one that can lead a company down the path to prosperity or ruin.  Any time someone asks, out loud or to themselves, “What if…,” “That could mean…,” “That might cause…,” “Have we considered…,”, or the like, they’re engaging in risk management.  Attorneys, whether in-house or in private practice, practice risk management in their daily activities – the core of our job is to facilitate our client’s business objectives while managing legal risk (attorneys are often viewed as the “de facto” risk management group within an organization).  Moreover, effectively managing risks can be a lot more difficult in practice than it sounds in theory. Fostering a culture throughout an organization that embraces, rather than shies away from, risk management (understanding what potential risks are, being able to identify them, knowing who should make risk management decisions, and making reasoned decisions) is critical to the success of any company.

At its core, “risk management” in the business and legal context can be defined as “the process of identifying, analyzing, and determining how to handle risks that may result from a proposed course of action or inaction.”  In other words, it’s the process of weighing both the positive and negative consequences from any particular course of action in making business and legal decisions. I use the following in my business discussions to summarize the importance of good risk management practices:  “It’s much easier to stop a snowball from rolling the wrong way while it’s still at the top of the hill.”

There are four core parts of risk management – (1) understanding what “risks” need to be managed, (2) identifying manageable risks during day-to-day business activities, (3) determining who makes risk management decisions, and (4) making risk management decisions.  I’ll save a detailed analysis of each for a broader article, but provide an overview and some basic guidance here.

Understanding the risk.  Risk management isn’t “avoiding all risk” – risk is an important part of business.  (There is an old AIG slogan – “the greatest risk is not taking one.”)  The trick is to manage risk to a level acceptable to the company.  Every company has a different tolerance for risk – e.g., start-ups may be willing to take more risk than a well-established company. Understanding what risks must be managed and an appropriate risk tolerance level is something that senior management (with the advice and guidance of internal or external attorneys) must determine, and must re-evaluate over time as the company grows and changes. The main types of risks that companies face on a day-to-day basis are (1) revenue risks (getting the business versus lost opportunity); (2) precedent-setting risks (the slippery slope); (3) legal risks; and (4) operational risks (writing checks the company can’t cash).

Identifying the risk.  If you remember anything after reading this, let it be this – you can’t make a risk management decision if you can’t identify and escalate the risk that needs to be managed.  Many companies are equipped to manage a risk, but don’t have good processes or training on how to spot them in the first place.  Company personnel – whether attorneys, sales team members, business owners, or any other employee, contractor, or advisor – must learn to spot risks associated with a proposed or ongoing course of action or inaction and escalate them internally (e.g., to their manager, to a designated risk management officer or team, etc.).  Managers should be responsible for educating their teams on spotting and escalating risks, and this should be a core component of any corporate-wide risk management training.

Approving the risk.  Once a risk has been identified, the next step is to determine the right approver of a risk management decision.  One of the hardest aspects of an effective risk management culture is getting someone to make a risk management decision, which is why effective risk management approval structure is essential.  Everyone is willing to take credit for a good risk management decision – no one wants to take the blame if the risk exposure actually happens.  If people fear they’ll be “thrown under the bus” for bad risk management decisions (whether that person is the presenter or the approver), establishing a robust risk management culture is not going to succeed.  Companies should consider assigning roles for approval of certain risks, discouraging/punishing individuals who do not follow the proper approval process, keeping good records of risk management approvals, and ensuring that individuals who make informed, well-analyzed risk management decisions aren’t thrown under the bus if the risk exposure ultimately occurs. (If proper risk management practices are followed, the realization of a risk exposure should not result in a “witch hunt” to find someone to blame, but should result in a re-analysis of the risk management decision to see if other “hindsight” data points would have affected the risk management decision and determine if changes to the risk profile of the company and/or risk management practices are appropriate.)

Making the risk management decision.  There are four things a company can with an identified risk – avoid it (don’t take the proposed course of action or inaction); mitigate it (implement new processes, obtain insurance, or take some other action to control the risk exposure) shift it (make another party responsible for the risk exposure, e.g., through a contractual indemnity and hold harmless); or accept it (proceed with the action or inaction knowing what might happen).  Each of these is a completely valid risk management decision, and they can be used individually or in combination once the identified risk has been evaluated (i.e., both the benefits and risks of a particular course of action or inaction should be presented to the appropriate decision-maker).  There are only two “bad” risk management choices – (1) accepting the risk because of a perceived need on the part of the business to “act quickly” and not take the necessary time to evaluate and manage the risk, and (2) accepting the risk because the risk was never identified in the first place.