Archives for November 2020

Zoom Settles Dispute with Federal Trade Commission Regarding Cyber Security Practices

Earlier this month, the Federal Trade Commission (“FTC”) reached a settlement with Zoom Video Communications, Inc. (“Zoom”) regarding alleged misrepresentations related to its security program.  The FTC alleged that Zoom misled users by “touting that it offered ‘end-to-end, 256-bit encryption’ to secure users’ communications, when in fact it provided a lower level of security.”

As part of the settlement, Zoom must (1) ensure that its representations to consumers regarding its privacy and security practices are accurate, and (2) update its security practices with a comprehensive new program that includes vulnerability management, annual documentation of risks and new security safeguards such as multi-factor authentication.

The FTC’s regulatory action against Zoom highlights the need for all businesses to ensure that representations regarding privacy and security practices are accurate and to implement enterprise-wide cybersecurity protocols that take the specific risks faced by an organization into account.

NC Business Court Discusses the Limits of Attorney-Client Privilege When Attorneys Wear Multiple Hats

Attorneys, and clients, are often guilty of taking the position that any communication involving an attorney is privileged and not subject to disclosure.  The law, of course, is much more nuanced.  In today’s world, where reliance on in-house counsel is expanding, and attorneys are consulted as much for their business advice as their legal advice, questions regarding the extent of attorney-client privilege have become more complex.

 

On November 9, 2020, the North Carolina Business Court issued a very helpful opinion analyzing the extent of attorney-client privilege in scenarios where attorneys serve in multiple roles within an organization.  Chief Judge Bledsoe’s opinion in Buckley LLP v. Series 1 of Oxford Insurance Company NC LLC, 2020 NCBC 81, resolved competing motions to compel, where each side sought to compel documents being withheld by the other on the basis of attorney-client privilege and the work product doctrine.

Overview

Plaintiff Buckley, LLP is a law firm that obtained an insurance policy through Defendant Oxford, which included coverage for the loss of key employees.  One of Buckley’s named partners, Andrew Sandler, retired shortly after the policy went into effect, and Buckley filed a $6 million claim with Oxford under the policy.  Oxford refused to pay the claim, arguing that certain exclusions in the policy apply.  Significantly, Oxford contended that Buckley failed to inform Oxford of material facts regarding Sandler prior to the policy taking effect.  Prior to the date of the policy, Buckley had already received allegations of misconduct by Sandler and retained the law firm of Latham & Watkins to investigate the misconduct allegations.  Sandler negotiated a retirement agreement with Buckley rather than participate in the investigation and left Buckley shortly after the policy took effect.

In discovery, Buckley sought Oxford’s internal communications and documents related to its investigation of Buckley’s claim.  Oxford’s general counsel was a member of the team that reviewed Buckley’s claim, and Oxford withheld many of those documents involving its general counsel on the basis of attorney-client privilege.  Similarly, Oxford sought discovery of Buckley’s documents and communications with Latham & Watkins regarding the internal investigation of the misconduct allegations.  Buckley refused to produce its communications with Latham & Watkins on the grounds of attorney-client privilege.  Both sides filed competing motions to compel, which the Business Court resolved in a single opinion.  The Business Court ultimately ordered both parties to produce many, but not all, of the documents they were withholding.

Attorney-Client Privilege

Attorney-client privilege only attaches when the communication “is made in the course of giving or seeking legal advice for a proper purpose.”  As a general rule, if an attorney is not acting as a legal advisor when the communication was made—for instance, by providing financial advice or acting as a business advisor—it is not privileged.  In instances where communications contain both legal and business advice, courts will look to the “primary purpose” of the communication.

Applying these principles, the Business Court found that many of Oxford’s general counsel’s communications were not privileged.  The Business Court concluded that Oxford’s general counsel had a substantial role in the company in reviewing and processing claims for payment.  The Business Court noted that some of the general counsel’s communications reflected the primary purpose of providing legal advice, but most showed her engaging in claim review “in the ordinary course of Oxford’s business.”

This “ordinary course of business” analysis also applied to many of Buckley’s communications with Latham & Watkins.  The Business Court noted that materials “created in the ordinary course of business” and “pursuant to company policy” are typically discoverable and not privileged.  The Business Court noted that, in this instance, the internal investigation was required by Buckley’s own firm policies, which weighed heavily in favor of the documents’ disclosure.  The fact that Buckley chose to hire a prominent law firm to conduct the investigation did not automatically extend privilege to all of its communications with Latham.  The Business Court ultimately determined that many of the documents were “unrelated to the rendition of legal services” and ordered their production.

Takeaways

The Business Court’s opinion is a useful reminder that discovery is a broad tool in litigation, and a lawyer’s participation does not always render a document privileged.  Businesses working with attorneys in in-house or business advisory roles should consider the following when facing questions of what might become public in a protracted litigation:

  • Was the attorney providing legal or business advice?
  • Did the advice require the attorney to use their legal expertise, or simply their business judgment?
  • Is the communication about a particular legal issue, or is it about our company’s ordinary business?
  • Why was this document created? Is it the result of a company policy?

New CFIUS Regulations Add Another Layer of Regulatory Considerations to Transactions Involving Foreign Investors

Earlier this year, new regulations promulgated by the Committee on Foreign Investment in the U.S. (the “CFIUS”) that implement the Foreign Investment Risk Review Modernization Act of 2018 (“FIRRMA”) took effect, strengthening the oversight authority and expanding the jurisdictional reach of the CFIUS.  Although the new CFIUS regulations initially went largely unnoticed by the vast majority of investors, investors are starting to feel the effect of these expanded regulations as they are advised by deal counsel of a need for targeted due diligence and additional representations and warranties related to CFIUS compliance obligations.

CFIUS Regulatory Framework

The CFIUS, which was created by the Defense Production Act of 1950, is tasked with reviewing any transaction “which could result in foreign control of any person engaged in interstate commerce in the United States.”  50 U.S.C. § 2170.  The basic premise of the regulatory scheme is that the CFIUS will review these transactions, assess the potential for impact on national security, and make formal recommendations to the President as to the appropriate mitigating action necessary to protect the national interest.

Recent Changes to CFIUS Regulations

Until recently, the CFIUS’s jurisdiction was limited primarily to acquisitions of U.S. businesses by non-U.S. businesses.  See Ralls Corporation v. Committee on Foreign Investment in the United States, 758 F.3d 296 (D.C. Cir. 2014).  Earlier this year, however, new CFIUS rules permanently expanded CFIUS jurisdiction to include certain “other” investments—namely, non-controlling foreign investments in U.S. businesses involved in certain critical technologies, critical infrastructure, or the personal data of U.S. nationals (referred to as “TID” businesses, for technology, infrastructure, and data). Covered non-controlling investments afford the foreign investor access to material nonpublic technical information or substantive involvement in the U.S. business’s decision-making with respect to the technology, infrastructure, or data.

In sum, the new CFIUS regulations expanded the jurisdiction of regulators to transactions involving U.S. businesses that: (1) produce, design, test, manufacture, fabricate, or develop “critical technologies”; (2) own, operate, manufacture, supply, or service “critical infrastructure”; or (3) maintain or collect “sensitive personal data” of U.S. citizens that may be exploited in a manner that threatens national security.  31 CFR § 800.211.  Thus, even if a transaction will not result in foreign control of a U.S. business, it may still be subject to CFIUS review if it involves a TID U.S. business.

Critical Technology

For purposes of CFIUS regulations, critical technology is defined as follows:

(a) Defense articles or defense services included on the United States Munitions List (USML) set forth in the International Traffic in Arms Regulations (ITAR) (22 CFR parts 120–130);

(b) Items included on the Commerce Control List (CCL) set forth in Supplement No. 1 to part 774 of the Export Administration Regulations (EAR) (15 CFR parts 730–774), and controlled—

(1) Pursuant to multilateral regimes, including for reasons relating to national security, chemical and biological weapons proliferation, nuclear nonproliferation, or missile technology; or

(2) For reasons relating to regional stability or surreptitious listening;

(c) Specially designed and prepared nuclear equipment, parts and components, materials, software, and technology covered by 10 CFR part 810 (relating to assistance to foreign atomic energy activities);

(d) Nuclear facilities, equipment, and material covered by 10 CFR part 110 (relating to export and import of nuclear equipment and material);

(e) Select agents and toxins covered by 7 CFR part 331, 9 CFR part 121, or 42 CFR part 73; and

(f) Emerging and foundational technologies controlled under section 1758 of the Export Control Reform Act of 2018 (50 U.S.C. 4817).

31 C.F.R. § 800.215.  The nuances of each of these critical technologies should be carefully considered when engaging in a transaction involving foreign investors.

Sensitive Personal Data

The CFIUS also may review certain transactions involving U.S. businesses that maintain or collect sensitive personal data of U.S. citizens that may be exploited in a manner that threatens national security. “Sensitive personal data” is defined to include ten categories of data maintained or collected by U.S. businesses that (i) target or tailor products or services to certain populations, including U.S. military members and employees of federal agencies with national security responsibilities, (ii) collect or maintain such data on at least one million individuals, or (iii) have a demonstrated business objective to maintain or collect such data on greater than one million individuals and such data is an integrated part of the U.S. business’s primary products or services. The categories of data include types of (1) financial (e.g., bank account statements, credit applications, payment history, credit reports, credit scores); (2) geolocation; (3) health data (similar to HIPAA’s definition of non-public health information); (4) e-mail communications; (5) chat or other similar communications; (6) biometrics; and (7) information regarding government contractors.  See 31 C.F.R. § 800.241.

While this may seem like an unreasonable burden, the administrative record includes policy statements that inject some degree of restraint into the definition of sensitive personal data.  84 FR 50177.  More specifically, the ancillary information published in the federal register provides the following:

Given that most companies collect some type of data on individuals, the proposed rule protects national security while attempting to minimize any chilling effect on beneficial foreign investment by focusing on the sensitivity of the data itself, as well as the sensitivity of the population about whom the data is maintained or collected. In particular, the proposed rule identifies specific categories of data that constitute sensitive personal data only if the U.S. business (a) targets or tailors its products or services to sensitive U.S. Government personnel or contractors, (b) maintains or collects such data on greater than one million individuals, or (c) has a demonstrated business objective to maintain or collect such data on greater than one million individuals and such data is an integrated part of the U.S. business’s primary products or services. The proposed definition also includes all genetic information and generally carves out data pertaining to a U.S. business’s own employees.

Id. at 50177-78 (emphasis added).

It is also of note that the information collected does not qualify unless it includes “identifiable data.”  31 C.F.R. § 800.239.  Based on the administrative record, it is clear that regulators wanted businesses to use common sense in assessing whether data constituted “identifiable data” by including the following as part of the administrative record:

In some cases, a U.S. business may maintain or collect the data described in § 800.241(a)(1)(ii)(A)-(J), but it is not possible to attribute such data to any specific individual. For example, a U.S. business may store health records on its servers, but those records are encrypted such that only a third party in possession of the encryption key can read the data. The U.S. business in these circumstances would not be maintaining or collecting sensitive personal data. The proposed rule makes clear, however, that identifiable data is not limited to data that includes an individual’s name or other obvious identifier, but rather includes any personal identifier, as defined in § 800.239.

84 FR 50178 (emphasis added).  Thus, if the information is encrypted or otherwise anonymized, it will not qualify as identifiable data.  See 31 C.F.R. § 800.202 (“The term anonymized data means data from which all personal identifiers have been completely removed.”).

Mandatory Filings

Another significant change in the review regime is the introduction of mandatory filings for certain transactions. Historically, all filings made to the CFIUS were submitted on a voluntary basis. However, FIRRMA introduces, and the new regulations implement, the concept of mandatory filings. Despite this, the process remains mostly based on voluntary filings, with a relatively small number of transactions requiring a mandatory filing, namely, (i) a substantial foreign government investment in a TID U.S. business, or (ii) controlling or non-controlling investments in critical technologies within the scope of the CFIUS Pilot Program on critical technologies.

  • A substantial foreign government investment in a TID business. Under the new regulations, there is a substantial interest if a foreign person obtains 25 percent or more voting interest in the TID business, and a foreign government owns 49 percent or more of the foreign person. FIRRMA §1705(v)(IV)(bb)(AA); 31 CFR §800.244;
  • CFIUS Pilot Program on critical technologies of Nov. 10, 2018. Controlling or non-controlling investments in U.S. businesses that produce, design, test, manufacture, fabricate or develop one or more critical technologies in one of 27 identified industries – including aviation, defense, semiconductors, telecommunications and biotechnology – are subject to a mandatory filing with CFIUS. The final regulations, for now, will continue to use the same NAICS codes. However, the CFIUS announced that it will issue a notice of proposed rulemaking, perhaps moving away from an industry-based approach for these filing requirements in favor of “export control licensing requirements.” In the meantime, mandatory declarations must be filed 45 days before the close of a transaction.

For either mandatory or voluntary filings, FIRRMA has developed an abbreviated filing process through a declaration, allowing parties to submit basic information to the CFIUS.  FIRRMA §1706(v)(1). These provisions are expanded in the new, final regulations.  31 CFR §800.401.  The declarations should generally not exceed five pages in length, and it is likely that a form will be ultimately designed to increase the ease and usefulness of the process. Although declarations are intended to streamline the process by moving less complex transactions through the CFIUS review process with less administrative burden on the filing companies, filing a declaration may actually increase the processing time: the CFIUS has 30 days to render a decision on a mandatory declaration, but may at that time require a full notice, adding a full review cycle to reach a decision, thereby delaying the overall timing of a mergers and acquisitions transaction. This may act as a significant deterrent to the use of this mechanism.

Penalties

FIRRMA directs the CFIUS to impose certain fees on parties who violate the CFIUS review process. Any person who submits a material misstatement or omission in a declaration or notice, or who makes certain other false statements, may be liable for a civil penalty of up to $250,000 per violation.  31 C.F.R. 800.901(a). Any person who fails to comply with the mandatory filing procedures may be liable for a civil penalty of up to $250,000 or the value of the transaction, whichever is greater.  31 C.F.R. 800.901(b).  Furthermore, any person who, after Dec. 22, 2018, intentionally or through gross negligence violates a material provision of a mitigation agreement entered into before Oct. 11, 2018, will also be liable for a civil penalty of up to $250,000 or the value of the transaction.  31 C.F.R. 800.901(c).  Further guidance on penalties is expected in new rules to come from the CFIUS.

Conclusion

FIRRMA and the recently enacted final regulations make a variety of sweeping changes to the CFIUS process that will certainly bring more transactions under the scope of CFIUS review.  These changes were implemented in response to increased national security concerns but were carefully crafted to avoid suppressing foreign direct investment in the United States.  Nevertheless, given the significant penalties associated with violations of CFIUS regulations, it is extremely important that all parties to investment transactions take steps to ensure compliance with CFIUS regulations.