Alabama has now joined a growing number of states that have recently enacted pay equity laws. In all, 49 states have an equal pay law of some kind, with Mississippi being the only state without one. Gov. Kay Ivey signed the Clarke-Figures Equal Pay Act (CFEPA) on June 11, 2019. The CFEPA generally prohibits pay discrimination based on sex or race and also prohibits retaliation against an applicant for refusing to provide salary history information.
Pay Discrimination Based on Sex or Race is Prohibited
The CFEPA took effect September 1 and applies to both public and private employers. There is no exception for small employers. The law states that an employer:
may not pay any of its employees at wage rates less than the rates paid to employees of another sex or race for equal work within the same establishment on jobs the performance of which requires equal skill, effort, education, experience, and responsibility, and performance under similar working conditions…
However, similar to the federal Equal Pay Act — which prohibits pay discrimination based on sex only — wage disparities are permissible under the Alabama law if the disparity is due to (1) a seniority system, (2) a merit system, (3) a system that measures earnings by quantity or quality of production or (4) a differential based on any factor other than sex or race.
Individuals who believe they are being paid less than someone of a different gender or race performing the same work may bring a lawsuit in state court under the CFEPA or in federal court under the Equal Pay Act (EPA). If a plaintiff prevails under this provision of the CFEPA, as well as under federal law, the plaintiff must repay the employer one of the two “recoveries,” whichever is less. In other words, the law prohibits plaintiffs from receiving two sets of damages for the same alleged harm.
Inquiries about Salary History
The second major prohibition in the CFEPA relates to salary history, stating:
An employer shall not refuse to interview, hire, promote, or employ an applicant for employment, or retaliate against an applicant for employment because the applicant does not provide wage history. . .
“Wage history” is defined as wages paid to the applicant by a current or former employer. This provision is meant to decrease the chance that a new employer will continue the pay gap created by former employers between employees of different races or different genders. Often, employers determine a new applicant’s pay rate based on their pay rate at their former job. If women and minorities are being paid less than their peers at one job, then using their former pay rate to determine their new pay rate could continue the pay gap cycle.
For instance, if Employer XYZ pays its male workers in Department A $12.00 per hour, then it should pay its new female worker, Mary, in Department A $12.00 per hour (assuming there is no other legitimate reason for the disparity) even if Mary previously only made $9.00 per hour at her former job. Employer XYZ may be tempted to offer Mary $10.00 per hour instead of $12.00 based on her prior salary history.
The CFEPA doesn’t prohibit employers from asking about wage history on an application or during an interview. However, if an applicant refuses to provide the information and fails to get the position, the applicant could bring a claim under the CFEPA arguing that they were not hired because of their refusal to provide wage history information.
The federal EPA does not address questions about salary history or use of salary history in determining compensation. Recently, the U.S. Court of Appeals for the Ninth Circuit held that the EPA prohibits employers from basing compensation decisions solely on salary history, but the U.S. Supreme Court vacated that decision for other reasons.
Other Provisions of the CFEPA
Pleading An applicant or employee who brings an action under the CFEPA against an employer “must plead with particularity in demonstrating . . . [that he or she] was paid less than someone for equal work despite possessing equal skill, effort, education, experience, and responsibility,” and that the differential was not covered by one of the exceptions (for example, a seniority system).
Damages An applicant or employee who prevails on a claim under the Alabama CFEPA can recover lost wages plus interest.
Recordkeeping The CFEPA also requires Alabama employers to maintain records in accordance with regulations issued by the U.S. Department of Labor in connection with the federal Fair Labor Standards Act.
Statute of limitations The statute of limitations to bring an action under the retaliation provision is two years “after the act of discrimination giving rise to a cause of action.” The statute of limitations for wage claims is also two years pursuant to Alabama Code 6-2-38(m).
There is no express statute of limitations for pay discrimination claims, as opposed to retaliation claims. Under the federal Lilly Ledbetter Fair Pay Act, which applies to pay discrimination claims brought under the Equal Pay Act and Title VII, each paycheck that contains discriminatory compensation is a separate violation regardless of when the discrimination began.
Recommendations for Employers
Employers with operations in Alabama should review their payroll records, recordkeeping and pay practices, and new applicant paperwork to ensure compliance with the CFEPA:
Payroll Records: Review payroll records for current employees to ensure that employees in the same department performing the same work are receiving the same pay rate. If there is a disparity of pay rates, document a legitimate reason for the different rates such as seniority, merit, quantity or quality of production, or other differential not based on sex or race.
Recordkeeping and Pay Practices: Review your recordkeeping policies to ensure that you are in compliance with the recordkeeping provisions of the Fair Labor Standards Act. The CFEPA incorporates those provisions into the law and requires employers to maintain records to prove they are not in violation of CFEPA’s provisions prohibiting pay discrimination based on sex or race.
New Applicant Paperwork: Although the CFEPA does not prohibit employers from continuing to ask for salary history, employers are encouraged go the extra step and remove those questions from application forms to avoid retaliation claims.
A judgment of $11.8 billion against ExxonMobil on behalf of the State of Alabama recently won the state’s attorney firm in that case a place on the Hall of Fame of the National Law Journal.
The verdict won by Mobile-based Cunningham Bounds LLC earned the firm a #4 place among the 100 inductees on the publication’s honor roll.
The lawsuit was based on audits by the Alabama Department of Conservation that showed ExxonMobil shorted the state of royalties owed on natural gas wells in state waters of the Gulf of Mexico.
In 2001, a jury ruled in favor of Alabama and awarded the state $3.5 billion in punitive damages. The Alabama Supreme Court overturned that case and directed a retrial, which resulted in another jury raising damages to $11.8 billion — one of the highest judgments in history.
“‘We’re dealing with Alabama. We’ve got us a bunch of Bubbas, and they’ll never figure out that we’re cheating them out of royalties.”‘ That’s what plaintiff attorney John Crowder told jurors was the thinking of ExxonMobil officials.
And such a view was just what ExxonMobil’s attorney’s told the jury — arguing that the lease agreement developed by the Alabama Department of Commerce was the cobbled-together work of amateurs.
“Most industry leases were just put on Farmer Brown’s table,” Robert Macrory — the man who drew up the lease on behalf of the state — told Business Alabama in our March, 2001 cover story, “Minding the Till, or Tort Hell?”
Macrory, a state conservation department attorney, was no amateur. He was the former executive director of the Alabama Petroleum Council, a chapter of the American Petroleum Institute.
Alabama, said Macrory, set out with determination to draft a lease that was suitably different from standard industry-drawn documents — leases that based royalty on the lowest possible value of gas at the wellhead.
“After Exxon’s gas wells came on line (1992),” Crowder told Business Alabama, “they made a conscious decision to ignore the terms of Alabama’s lease and threw it in the pile with their industry-friendly leases.”
It was a big mistake. The state dutifully kept track of the shortages in payments, did the accounting and hired Cunningham Bounds to present their case.
“They (ExxonMobil) have 115 lawyers. They reviewed this lease, knowing it was different,” Crowder said. “They signed it 22 times.”
Alabama is one of only two states whose dental boards have challenged SmileDirectClub, the fast-growing e-commerce upstart that sells tooth-straightening procedures by way of the internet.
Dental boards in Alabama and Georgia are taking steps to bar the company from a key component of its business plan — scanning a patient’s teeth without a dentist present, according to a story published by Bloomberg on August 22.
Both boards have been sued by SmileDirectClub, says Bloomberg. “This spring, federal judges in both cases dismissed many of the company’s claims, though they allowed others to proceed. SmileDirect is appealing the orders.”
Business Alabama was unable to immediately contact anyone authorized to comment at the Board of Dental Examiners of Alabama, in Birmingham, but expects a call back and an update.
SmileDirectClub’s dental scans are made at retail shops, “SmileShops,” and sent for analysis to a dentist licensed in the customer’s state. If the dentist gives the ok for treatment based on the scan, his recommendation is sent to SmileDirect, which makes a set of aligners for the buyer. Costs average about 60 percent less than traditional orthodontics, says Bloomberg.
In two years, SmileDirect has established 342 retail locations in the U.S. and in Canada, including 94 kiosks located in CVS stores, reports Bloomberg.
Co-founder Alex Fenkell told Bloomberg he was inspired to pinpoint “the next multibillion-dollar industry that we could disrupt, one which had that medically regulated component.”
SmileDirectClub filed for an initial public offering on August 16.
Regardless of where you live in Alabama, or where you get your news, there has been an increasing stream of stories touting non-U.S. businesses locating or investing in Alabama. The news reports detail the financial infusion into the state, as well as the high paying jobs to follow. What the articles don’t mention are the regulatory requirements on Alabamians involved in the sale of their businesses, land or joint ventures with non-U.S. parties — or what they must do to protect themselves from the maze of federal laws regarding foreign direct investment in the United States.
Having represented Alabama-based businesses in international and cross-border matters for more than 25 years, I thought it helpful to alert my fellow Alabamians of the legal requirements they face in selling their businesses or land, licensing their technology, or joint venturing with non-U.S. parties.
Critical Shift in Diligence
First and foremost, Alabamians need in early diligence to determine if there are approval or reporting requirements for a proposed transaction with a foreign party locating to Alabama, and if so how and where to file. Some initial pre-deal diligence should be conducted at the “letter of intent” stage — before a definitive agreement is executed.
This article outlines the pertinent regulations that Alabamians should review and assess when presented with the opportunity to sell a businesses, technology, land or joint venture with foreign parties locating to Alabama.
Critical International Considerations
A phrase that is becoming generally adopted for transactions or investments with non-U.S. parties is foreign direct investment or FDI. FDI is being used in the U.S. and abroad to describe and regulate non-domestic investment in countries around the world. I would recommend that you add “foreign direct investment” and “FDI” to your list of key words when assessing a prospective deal with a non-U.S. party.
In the United States, FDI triggers various regulations governing investment in business, technology, assets and real estate, as well as the export of controlled technologies, payment of customs and duties, avoidance of anti-corruption and related reporting obligations.
New obligations have arisen in the last year regarding FDI in the U.S. and abroad, including new filing and approval requirements for foreign ownership, control and influence (FOCI) of U.S. businesses, technology and real estate. These new regulations include enhanced enforcement powers and penalties, which are already being aggressively enforced.
Foreign Direct Investment in Alabama
As background, the initial source of U.S. FDI regulation came about with the creation of the Committee on Foreign Investment in the U.S. (CFIUS) by Executive Order of President Gerald Ford in 1975. Later in 2007, the Foreign Investment and National Security Act further refined the CFIUS process by providing congressional oversight and increasing transparency and reporting of decisions by the committee. The act also broadened the definition of national security and required greater scrutiny by CFIUS of certain types of foreign direct investment. In general, CFIUS was limited to technology, industries and infrastructure directly involving national security. It was also a voluntary filing.
Foreign investors were quick to adapt and began structuring investments to avoid national security reviews, including utilizing joint ventures and multiple entities in multiple jurisdictions to obfuscate ultimate parents and controlling parties. Despite a heavily polarized Congress, a bipartisan CFIUS reform bill moved rapidly through committee, Congress and the White House to respond to the increasing investment of foreign state sponsored parties in the U.S. — principally China. The U.S. regulation of FDI changed dramatically on August 13, 2018, when President Donald Trump signed the CFIUS reform act titled the Foreign Investment Risk Review Modernization Act (FIRRMA). FIRRMA was intended to close the loopholes exploited by China and others, and to better protect U.S. critical technologies, assets and businesses. In doing so, FIRMMA dramatically increased the authority of the CFIUS and the remedies available to it.
FIRRMA restricts FDI in U.S. businesses that could harm U.S. national security. It applies to U.S. businesses that design, develop, test, produce or manufacture critical technologies. FIRRMA defines “critical technologies” to include ‘‘material nonpublic technical information.’’
With corresponding speed to Congress’ passage of FIRRMA, the U.S. Treasury Department implemented a pilot program less than three months later in October 2018, creating the first mandatory CFIUS filing. The pilot program applies to investments by any non-U.S. person in a U.S. business not contractually agreed to before October 11, 2018.
Pursuant to the FIRRMA Pilot Program, CFIUS is no longer voluntary for covered transactions, and requires the filing of a CFIUS notice or a new FIRRMA declaration. Failure to file can result in a reversal of the deal, divestiture and/or civil penalties up to the value of the transaction.
For the first time FIRRMA also covers 1) real estate proximate to government installations or with risk of foreign surveillance, or critical U.S. infrastructure (e.g. airports and ports); 2) sensitive personal data of U.S. citizens (i.e. U.S. businesses engaged in collection, use, development, acquisition, maintenance or safekeeping of personal data); and 3) bankruptcy section 363 asset sales involving covered technologies and parties.
Increase in Enforcement
Enforcement has also increased with the same speed as the passage and implementation of FIRRMA. Recent FIRRMA enforcement accentuates the focus and change in U.S. FDI policy:
First $1 million civil penalty imposed for violations of CFIUS mitigation
Beijing Kunlun Tech Co. Ltd. required to divest its acquisition of Grindr LLC.
iCarbonX required to divest its majority stake in PatientsLikeMe Inc.
Pamplona Capital Management required to divest its minority stake in a U.S. cybersecurity business
As a result, FIRRMA necessitates Alabamians exercise early pre-deal diligence for purchases, investments, acquisitions, mergers or joint venture opportunities to determine the:
Existence of non-U.S. investors?
Critical or export controlled technologies?
Correct classification of the businesses involved?
U.S. classified information, facilities personnel or contracts?
FDI in the European Union and Elsewhere
The U.S. is not alone: The European Union Parliament, Council and Commission established Regulation 2017/0224 on November 20, 2018, which provided a framework for the screening of FDI in the EU. EU 2017/0224 mimics FIRRMA to protect the essential interests “of the EU and its Member States” from FDI. U.K., Germany and France also have FDI screening mechanisms, and 14 other member states have adopted some form of foreign investment screening. Other industrialized countries, such as Australia and Japan, have followed suit.
Export, Customs, Anti-corruption and Anti-boycott
U.S. export, customs, anti-corruption and anti-boycott regulations are also intended to protect U.S. national security and foreign policy interests, by denying means to adverse militaries, limiting or prevent terrorist activities and implementing foreign policy objectives.
Export control regulations prohibit the “export” of certain controlled items and information, to excluded foreign persons or entities, both inside and outside the U.S. Pertinent agencies and regulations include the U.S. Treasury Department – Office of Foreign Asset Control (OFAC); U.S. State Department – International Traffic in Arms Regulations (ITAR) – Directorate of Defense Trade Controls (DDTC); and Commerce Department – Export Administration Regulations (EAR) – Bureau of Industry and Security (BIS). U.S. foreign subsidiaries of U.S. companies are subject to U.S. export control laws and regulations, including classification of products, technologies and data. Most other countries have similar export control regulations, which can subject your clients to conflicting regulations.
The most recent update to U.S. export control was passed in association with FIRMMA and was enacted as the Export Control Reform Act (ECRA). ECRA applies to “critical, foundational emerging” technologies of U.S. origin, currently including but not limited to: AI, AR, Additive Manufacturing, AVs, Batteries, Big Data, Encryption, Fuel Cells, Gene Editing, Nanotech, MilTech, Semiconductors, Superconductors and Robotics. It also enhances U.S. anti-boycott regulations and includes additional restrictions on international licensing and distribution of technology. ECRA is still in the rule making process, which will likely be formalized in Q3 or Q4 of 2019.
At a minimum, Alabamians should make sure that they screen foreign parties against the OFAC list of “Specially Designated Nationals,” have an Export Compliance Plan, Technology Control Plan, designated “Empowered Official,”and export control requirements in contracts, as well as provide training of all personnel and a process for periodic assessment of export compliance.
Customs and Duties
The news has also been inundated with reporting on the U.S.’ imposition of tariffs and duties on foreign goods — so it’s likely helpful to have some background on U.S. customs and duties. The U.S. applies the Harmonized Tariff System for the determination and application of customs, tariffs and exclusions on goods imported into the U.S. It is critical to know the country of origin, shipment and HTS classification of a good in order to determine the duty that will be assessed on its importation to the U.S., or to apply for exclusions from applicable tariffs or countervailing duties. This will likely entail obtaining information and documentation from the importer, shipping agent or export/import agent. Parties should also carefully review agency contracts and powers of attorney typically required from an export/import agent.
Anti-Corruption / Anti-Boycott
As part of pre-deal diligence, Alabamians should also determine if a foreign party is owned or controlled in whole or in part, direct or indirect, by a foreign government. If so, then they should be aware of the U.S. Foreign Corrupt Practices Act (FCPA), which prevents payments or other means of conveyance of value to government representatives. Similar to U.S. export control laws, subsidiaries of U.S. companies are subject to the U.S. FCPA. If your pre-deal diligence discloses ownership or control by a U.K.-based party, then your client should be aware that it can be subject to the British Bribery Act, which limits payments and kickbacks to both governmental and commercial parties. Most other countries have similar anti-corruption laws, but whether they are enforced or not is another matter. However, the U.S. and the U.K. aggressively enforce their respective anti-corruption laws.
As recently reported in the news, the U.S. also has an anti-boycott law that prohibits boycotts of other countries without U.S. government approval. U.S. law currently provides specific prohibition of boycotts against Israel. Alabamians should be aware that most Arab League countries have laws compelling government agencies and companies based in those countries to boycott Israel. Alabamians are prohibited from entering into agreements that include language to restrict the use of products, services, designs or manufacturing from Israel. Such clauses are often very cleverly hidden within other clauses or use terms of art to hide the true intention.
Commerce and Agriculture Reporting
The U.S. Department of Commerce / Bureau of Economic Analysis (BEA) oversees a variety of data collection requirements from non-U.S. investors in U.S. businesses and operations. The Department of Agriculture oversees similar data collection requirements for non-U.S. investors in agricultural assets and real estate.
The BEA prepares statistics about the U.S. economy to assess the performance of the U.S. economy. It does so by collecting information from U.S. businesses and foreign businesses operating in the U.S. A failure to report can result in civil penalties of between $2,500 and $25,000, criminal penalties up to $10,000, and up to one year imprisonment and/or injunctive relief commanding compliance.
Per the Agricultural Foreign Investment Disclosure Act of 1978 (AFIDA), a report must be filed with the U.S. Department of Agriculture Farm Service Agency when a foreign person acquires or transfers an interest in U.S. agricultural land, more specifically:
10% foreign interest by individual, entity or government
10% foreign interest by multiple individuals or entities acting in concert
50% foreign interest by individuals or entities not acting in concert
Leases over 10 years
Penalties for failure to comply can be up to 25% of fair market value of a foreign person’s interest.
My friends and colleagues joke that I live in a realm of acronyms and alphabet soup, but like anything else advance preparation and action can clear the confusion surrounding the meaning of acronyms. Alabamians who are fortunate enough to have the opportunity to benefit from one of the many foreign investments in Alabama just need to remember to:
Exercise early pre-deal diligence and assessments
Document and follow compliance with applicable regulations
Be consistent in their processes and procedures in dealing with foreign parties
As the old Alabama maxim goes, an ounce of prevention is worth a pound of cure.
David Vance Lucas is a partner in the Huntsville office of Bradley Arant Boult Cummings LLP, where he is a member of the firm’s Intellectual Property Practice Group and leads the firm’s international and cross border team. Much of Lucas’ experience was accumulated as general counsel for Huntsville-based Intergraph Corp. (now Hexagon AB Group), where he garnered extensive experience in a variety of U.S. and foreign legal environments. He now advises both U.S. and foreign clients on the harmonized application of U.S., U.K. and European laws, and represents clients in various proceedings in the U.S. and abroad.
Jason Bishop, owner of Rock Solid Services Inc., a Shelby County company specializing in tree care and landscape maintenance, has been using the herbicide Roundup for most of his 44 years. The lawn service Bishop started as a teenager has grown, and he now has customers throughout Shelby and Jefferson counties.
When a customer told Bishop about the avalanche of lawsuits filed against Monsanto, the chemical’s manufacturer, and studies linking its main ingredient, glyphosate, to non-Hodgkin’s lymphoma, Bishop was stunned.
“I think I need to look into this a little more,” he says, pointing to a bumpy rash on his right forearm.
Earlier this year, a California jury ruled against Monsanto in a case that alleged Roundup caused a couple’s non-Hodgkin’s lymphoma. The jury awarded $55 million in compensatory damages and an additional $2 billion in punitive damages, the third defeat for Monsanto lawyers.
Monsanto, now owned by the German company Bayer, which paid $63 billion for the company last year, has denied allegations that glyphosate or Roundup causes cancer, but Bayer recently announced it will invest $5.6 billion to find alternatives to Roundup. “While glyphosate will continue to play an important role in agriculture and in Bayer’s portfolio, the company is committed to offering more choices for growers,” the company said in a news release.
Recently, the International Agency for Research on Cancer published a study of five insecticides and herbicides, including glyphosate. “For the herbicide glyphosate, there was limited evidence of carcinogenicity in humans for non-Hodgkin lymphoma,” the agency stated. “The evidence in humans is from studies of exposures, mostly agricultural, in the USA, Canada and Sweden published since 200l. In addition, there is convincing evidence that glyphosate also can cause cancer in laboratory animals.”
If Bishop pursues the issue, his will become one of 12,000 or more lawsuits filed across the nation, with more on the way, according to Rhon Jones, an attorney specializing in environmental issues with Beasley Allen, a Montgomery law firm.
“We are taking these cases daily,” Jones says. “They are coming in so fast that I expect that by the end of the year that we will have about a thousand cases. That is a big number, but that is how active this area is.”
Another Beasley Allen attorney, John Tomlinson, is the lead trial lawyer and is working on a case set for trial next March in Dallas County, and another case in Montgomery County which is not set yet.
Tomlinson says, “We also have two Alabama plaintiffs that are filed in a joint action in St. Louis, and while we are not lead trial counsel on that, we will be participating in trial as support for our plaintiff. That trial will be in February 2020.”
Tomlinson says his firm also has two cases, one filed in St. Louis and another filed in Dallas County, where the plaintiffs have “done farming, produce and cattle farming, where they would apply Roundup to fence rows and also they would spray it on their cotton and other foliage, so those are two of the cases.”
The two Alabama residents involved in Tomlinson’s cases are a yard maintenance worker and an individual who used Roundup extensively on his own property. “There are a lot of people in Alabama that have farms that are not professional farms but they have property and they do a lot of upkeep on that property.”
Don McKenna, a partner at Hare, Wynn, Newell and Newton in Birmingham, has been involved in Roundup litigation for about five months.
“Our involvement began after the first verdict and a review of the science,” McKenna says. “A study published this March in the International Journal of Epidemiology found an increased risk of developing non-Hodgkin’s lymphoma from exposure to glyphosate. We knew we had a lot of farmer clients from prior litigation that have significant exposure to Roundup in their farming operations. We felt we needed to make sure that our clients were aware of the link between glyphosate and non-Hodgkin’s lymphoma so that they would be informed going forward and so that they could seek legal counsel if they have developed the cancer.”
McKenna says his firm has four clients in Arkansas, two in Alabama, one in Virginia and one in Pennsylvania.
Hare, Wynn, Newell and Newton has represented a large number of farmers in genetically modified rice litigation and genetically modified corn litigation, McKenna says, and “therefore we have thousands of clients who are exposed to large amounts of Roundup in the farming industry through the use of Roundup-ready crops and application of the Roundup herbicide.”
McKenna says anybody in Alabama who has used Roundup and developed non-Hodgkin’s lymphoma should seek legal counsel to discuss whether they should bring suit to compensate them for their injuries.
“In addition,” he says, “many farmers in Alabama use Roundup-ready cotton, corn and soybeans, along with the Roundup herbicide. These farm workers have higher levels of exposure than typical homeowner use. They should be aware of the potential danger from Roundup, take precautions to avoid exposure and educate those that work with Roundup.”
The Hare, Wynn, Newell and Newton team is preparing to file several suits, McKenna says. “We do a thorough investigation of the client’s medical history and use of Roundup before we file suits.”
Tomlinson says most Roundup damage comes through exposure on the skin. “We also advise people to wear gloves and to try to wear clothing that will keep Roundup from touching the skin, but if you are a farmer and have been out using it extensively, you are going to have some runoff on your skin no matter what you have on.”
Farmers routinely take precautions when using a product marked with skull and crossbones, says Tomlinson, but Roundup “has been marketed as completely safe, there are not cancer warnings on the labels.”
McKenna takes a similar view.
“Businesses should thoroughly test the safety of their products before placing them on the market,” he says. “There is evidence from the first trials that Monsanto’s initial rat studies showed a link between glyphosate and cancer. There is also evidence that rather than conducting further studies, Monsanto hired another scientist to re-evaluate the initial study and find another cancer in the control group so that the results would not be statistically significant.”
McKenna also points out that while Monsanto’s strategy allowed the company to continue to sell the product “without any warnings to the end users, the final result may be serious cancer or death for thousands of people, and hundreds of millions or billions of dollars in litigation costs and injury payments for Monsanto.”
A lot has been made of the huge verdicts being returned, especially on the West Coast, and the impact they have had on Bayer stock prices, which fell drastically but are beginning to recover.
“There have been some very huge verdicts, especially out in California,” says Tomlinson pointing to the “non-economic damages that go along with cancer, the treatment, the pain, the suffering and then you have the punitive damages.”
“Let me just give you some details about the California verdicts,” Jones says. “The first verdict was $289 million, the second verdict was $80 million, the third verdict was over $2 billion. Let me give you a break down. The third verdict was a couple, and the husband and the wife had separate awards but their past economic loss was about $250,000, their future economic loss was about $13 million, their past economic loss was about $16 million, and they awarded a billion each. Clearly the evidence was so damning that the jury was sending a message with the $2 billion punitive, but even if you were to exclude punitive damages, you are still talking about some significant economic losses both past and future, and these are folks who contracted non-Hodgkin’s lymphoma.
“There is a trend here that clearly people are becoming upset about the use of Roundup and cancer and the economic loss that comes from contracting cancer and furthermore, the punishment side of it is just getting larger and larger.”
Jones says his Roundup clients normally contact the firm.
“What would normally happen is that someone will come to us and say ‘I have non-Hodgkin’s lymphoma, or I have some pre-cursor to it, and I have a memory of using Roundup on some kind of regular basis, and would ask us to look into the link.’ That is what we do every single day. Hours of use and the duration is always a little different, so we literally look at one pattern at a time and we have thousands of them, and we review each one and see if we can make that link or not.”
Both Jones and Tomlinson say we are looking at the tip of the Roundup iceberg.
“This has sort of gone from zero to 100 in a short period of time,” says Jones.“The litigation started and very few people knew about it, nobody read about it, it wasn’t much talked about and then these three verdicts have really put the science on display. So what we see are many more people coming forward on a weekly basis, asking us about this issue, than we have ever seen before, so I believe there will be many more claims made because people who had no reason to ever even consider the link between the use of Roundup and non-Hodgkin’s lymphoma are now coming in.”
In an effort to expedite the ever-increasing caseload, this past May a multi-district litigation (MDL) court initiated a plan to have well known attorney Kenneth Feinberg become mediator for court-mandated settlement talks between Bayer and people who say Roundup gave them cancer. Feinberg was government-appointed special master for the 9-11 victim compensation fund and the BP Deepwater Horizon compensation fund.
“MDLs bring cases together for common discovery,” says McKenna. “Everyone wants to know about the testing and studies on Roundup and cancer. Everyone wants to know about internal emails and memos regarding the safety of Roundup. Everyone wants to know why no warnings were given on the product labels. An MDL makes it efficient for that information to be provided to all litigants who participate in the MDL. Will it impact your cases? For those cases we may choose to file in the MDL, it will make common discovery available to our clients. MDLs often help facilitate settlements that individuals harmed by Roundup could choose to participate in or continue with their litigation.”
“In my opinion,” says Jones, “this is the hottest, most significant litigation going on in the entire country. It is talked about everywhere, it is in the news, it is important, and Monsanto needs to be held accountable.”
Mobile’s $120 Million GMO Chemical Plant
The June 2018 merger of Bayer and Monsanto brought together the world’s two largest developers of genetically modified crop (GMO) products, including Monsanto’s Roundup brand herbicide.
Bayer Crop Sciences is developer of another weed killer, the Liberty brand herbicide. And a chemical plant in Mobile County was set up in recent years to be one of the world’s largest producers of this weed killer.
GMO crops have been promoted as one of the greatest leaps forward in agricultural productivity. Critics question the yield gains and point out the safety hazards. For Monsanto’s Roundup, the key chemical is glyphosate. For Bayer’s Liberty herbicide, it’s glufosinate.
A groundswell of lawsuits over Roundup rocked Bayer-Monsanto shareholders with major damage awards beginning earlier in 2019.
Glufosinate has escaped the scrutiny applied to glyphosate, but its purpose in GMO farming is similar. It was developed to kill the “superweeds” that evolve a resistance to Roundup’s glyphosate.
Whether glufosinate is as damaging to humans as it is to weeds has not yet become a legal issue. But a lot of the world’s supply of it, or the ingredients that go into it, will be made in Mobile County.
In 2013, Bayer selected the Theodore Industrial Complex, on Mobile Bay, as the site for a $396 million plant that would more than double the company’s global production capacity for glufosinate.
In 2015, plans for the Alabama plant were cut back to a $120 million investment.
Following the Bayer-Monsanto merger, the plant became the property of BASF Corp., when the anti-trust division of the U.S. Justice Department required Bayer to divest itself of its U.S. agricultural holdings prior to the merger. — Chris McFadyen
Bill Gerdes, Robert Fouts and Joe De Sciose are freelance contributors to Business Alabama. Gerdes is based in Hoover, Fouts in Montgomery and De Sciose in Birmingham.
When Paige Boshell and Josh Torres got out of law school, few attorneys were interested in the area of privacy law.
“My first job out of law school was with the Social Security Administration, and that’s where I became aware of privacy law and started thinking about it,” says Torres, corporate privacy and regulatory counsel for iCIMS, a talent acquisition software company.
Boshell, too, began working early on in privacy, has focused on it for more than 20 years and now runs a Birmingham-based firm called Privacy Counsel.
Boshell and Torres are among a handful of attorneys who hold the privacy law specialty, which the Alabama Bar Association began certifying in 2018.
“We are at an incredibly important crossroads with privacy right now on a worldwide scale,” Boshell says. “Look at China’s use of facial recognition tech and San Francisco’s banning of it. Look at ‘smart cities,’ where privacy decisions have implications for civil rights and the democratic process. It’s exciting.”
Torres agrees, saying that data and other privacy breaches have piqued the interest of people who might not have even been aware of the potential problems before.
“When I got out of law school, there were not a lot of people paying attention to this area,” he says. And that has changed in the 10 years he’s been practicing. “This area of the law is growing astronomically because the demand far exceeds the supply.”
What that means is there is more demand for attorneys like Boshell and Torres, both based in Birmingham, to help companies navigate the often-treacherous waters of privacy law.
“It is critical for businesses to be mindful of the consumer data that they collect and share and that they deploy privacy practices — in addition to security measures — to protect it,” Boshell says.
Many businesses don’t even realize they need to beware of data and how it’s collected, according to Boshell.
“In Alabama, business privacy maturity is about where cyber security maturity was five or so years ago,” she says. “Many businesses are not subject to either the comprehensive European or California privacy laws, so owners and executives are wondering if and why privacy matters to them and how to decide what sort of financial and resources commitment to make to an issue that doesn’t readily show a return on investment. If you are in business, you are in the tech business and the data business, which means you are already in the privacy business, whether you know it or not. This is especially true if you collect, use, process, maintain or share consumer information.”
The first thing a business should do is inventory its data and methods of collection, Boshell says.
“You need to know what data you have, why you have it, how you are getting it, and who has access to it,” she says. “If you don’t need the data, delete it. If you have it on multiple systems, consider consolidating the data or coordinating the systems. If someone has access to it that doesn’t need it, eliminate the access.”
Torres says that’s sometimes more difficult than it seems like it should be and that, while CEOs of companies can easily tell you about the financial dealings of their companies, data is another matter.
“If you were to ask the CEO of many companies what data do you have and how do you process it, I don’t think they would know how to get to that data,” he says, citing Apple CEO Tim Cook as one of the exceptions. “He does have a view and eye toward privacy along those lines.”
In addition to the data inventory outlined by Boshell, Torres says it’s imperative that companies be transparent with consumers about the information they’re collecting.
“We should be clearly telling individuals what we’re going to collect, how we’re going to use it and how we’re going to share it,” he says.
And though the public may be worn out when it comes to hearing about data breaches, that’s another area that businesses need to be concerned with.
“How can we prevent a data breach, and, in the event of one, how do we eradicate and contain the data breach, and then how do we notify people about it?” Torres says.
Boshell believes in the importance of privacy law so much that she left a Birmingham law firm — where she had co-chaired its privacy and cyber security practice — after 27 years in April 2018 and started Privacy Counsel.
“Working on my own allows me to focus directly on cyber and privacy, rather than having it be incidental to other legal practices and client business needs,” she says. “Most of my clients are financial institutions and tech vendors, and most are out of state. I love being a lawyer, and I especially love privacy law. Privacy is a universal value that impacts a variety of legal disciplines. It’s a relatively new practice, so there aren’t many of us who have been doing this for 20-plus years.”
To receive the Privacy Law Specialist certification, which is authorized by the American Bar Association and certified by the International Association of Privacy Professionals, Torres and Boshell had to be members in good standing of at least one Alabama law practice, to hold several other certifications and to pass an ethics exam.
Torres says that most who hold the privacy certification are, like him, working for businesses, either in-house or at a law firm. “In the next decade, though, I think you’ll see attorneys on the plaintiff’s bar getting the certification.” In other words, attorneys will specialize in privacy, similar to what they do now with car wrecks, disability cases and other specialties.
Also in the next few years, Torres anticipates more law schools introducing privacy law into their curriculums. “Very few even have a class on this topic right now,” he says.
And the specialty also will probably result in more attorneys leaving their practices.
“They’ll join leadership positions in technology from what they’ll gain in knowing about privacy and data security,” Torres says. “The business title that’s most applicative is chief privacy officer.”
Consumers shouldn’t forget their role in privacy matters, either.
“It’s imperative that consumers educate themselves,” Torres says. “You wouldn’t give your money over to a bank if you didn’t know what they were going to do with it. So why do we do that with our data? You can never get it back once you give it. Consumers have got to get more educated.”
Alec Harvey and Art Meripol are freelance contributors to Business Alabama. Harvey is based in Auburn and Meripol in Birmingham.
The Alabama Legislature in May passed the Clarke-Figures Equal Pay Act. Gov. Kay Ivey signed it into law and it goes into effect at the end of August.
While Alabama employers have been subject to federal laws regarding wage equality for years, Alabama workers may now also sue for wage discrepancies under Alabama law and in Alabama courts. Here are five things that you need to know about the Clarke-Figures Act.
1. Equal Pay for Equal Work. The act prohibits employers from paying any worker at a wage rate less than that paid to employees of another race or sex for equal work where the jobs require equal skill, effort, education, experience, and responsibility under similar working conditions. There is an exception for payments made pursuant to a seniority system, a merit system, a system measuring earnings by quantity or quality of production, or a differential based upon any factor other than race or sex. While this standard sounds a lot like the standard in the federal Equal Pay Act, it may be very different than the legitimate, nondiscriminatory reason standard under Title VII.
2. Applicants Do Not Have to Provide Wage History. Employers may not refuse to interview, hire, promote, or employ an applicant and may not otherwise retaliate against an applicant for refusing to provide wage history information during the application or interview process. The law does not preclude an employer from asking about wage history, but employers cannot hold it against an applicant who refuses to provide it.
3. Potential Damages. A successful plaintiff can recover an amount equal to the wages that were lost because of the violation, plus interest. This is different than the recovery available under Title VII (i.e., back wages, compensatory damages, punitive damages and attorneys’ fees) or the Equal Pay Act (i.e., lost wages, liquidated damages equal to the lost wages, and attorneys’ fees). If an employee pursues claims under both the new Alabama law and federal law and receives a recovery for both, the employee must return to the employer the lesser of the two amounts recovered.
4. Two Years to File a Lawsuit. Employees have two years after the alleged discrimination to file a lawsuit. An employee who chooses to file suit must allege with particularity that:
a. the employee was paid less than someone else for equal work despite having equal skill, effort, education, experience, and responsibility; and
b. the wage schedule at issue was not correlated to any of the above-mentioned exceptions.
While it is possible that an employee may choose to only file suit under the new Alabama law, employers should expect claims to also be filed under the applicable federal laws, such as Title VII and the Equal Pay Act (which provide for attorneys’ fee awards and more potential damages).
5. Recordkeeping Requirement. State law now requires Alabama employers to comply with the recordkeeping requirements established by the Department of Labor pursuant to the Fair Labor Standards Act.
It is unclear how much use this new law will get. Only time will tell.
It is not unusual to read glaring headlines describing manufacturers that have been hit by a nine-figure jury verdict. These jaw-dropping monetary awards can occur even when a manufacturer has not committed a wrongful act, but the jury believes the company could have done more to protect users of its products. The top three categories of lawsuits that pose a risk to manufacturers are: (1) defects in manufacturing and/or design, (2) marketing defects, and (3) the class action. If these three risks are addressed through a manufacturer’s standard practices and procedures prior to a lawsuit walking through the door, it may fare better during settlement negotiations or at trial.
Defect: Manufacturing or Design
Potential product defects routinely land manufacturers in court. Typically, on the other side of a lawsuit, there is a sympathetic plaintiff who suffered a traumatic injury or death while using the manufacturer’s product. They will claim that the manufacturer either defectively designed or manufactured the product, leading to the alleged injury. As a result, manufacturers must always be prepared to address these types of claims with evidence that their product does not have a design or manufacturing defect.
A lack of adequate record-keeping will always hurt a manufacturer in this type of lawsuit. Manufacturers must be prepared to provide a judge or jury with ample evidence of its efforts to design and manufacture a reasonably safe product. To be in a position to assemble this evidence, manufacturers must make it a top priority to implement policies and procedures that ensure the preservation of documents that may be pertinent in a lawsuit, such as evidence of safety-testing.
Juries also regularly find manufacturers to be non-compliant with governmental or industry standards. Demonstrating non-compliance is an easy way for a plaintiff’s lawyer to prove a product is defective. That said, manufacturers must show the jury the documents that establish a product was in compliance with safety standards at the time. The manufacturers will most certainly also need to put an engineer on the stand to explain to the jury how and why the design met those standards. Without the documents to back up the engineer’s testimony, a jury is likely to find against the manufacturer. Even if the case does not proceed to trial and settles, the value of the settlement may be significantly higher without clear evidence of compliance.
Another area of liability for manufacturers is the so-called “marketing defect.” In this type of litigation, plaintiffs sue claiming a manufacturer either failed to warn of the danger of a product or advertised in an untruthful way to make their product appear safer and more compelling than it actually is.
As seen in the media over the past few years, manufacturers such as Johnson & Johnson are being hit with massive jury verdicts over alleged marketing defects. For example, a Los Angeles jury awarded a woman $417 million after finding that Johnson & Johnson was aware that their talcum powder was linked to ovarian cancer, and failed to warn consumers of the risk.
The best way to guard against such lawsuits is through effective product labeling. A manufacturer should put every possible risk on a warning label, even if the risk is unlikely to occur. The warning labels should be an appropriate size and font so as to catch the eye of the consumer. Even if a manufacturer does place a warning on a product, a jury may still find in favor of a plaintiff if the warning label was so small that an average consumer would not have seen it. There are safety standards that should be used to help craft an appropriate warning. A manufacturer must use these standards because plaintiffs’ lawyers will tell the jury the failure to follow these standards makes the warning inadequate.
The Class Action
A class action lawsuit has the potential to be a manufacturer’s worst nightmare. The plaintiffs’ lawyer can use the class action to take a few plaintiffs with a relatively small problem and combine them with a class of allegedly similar consumers with allegedly similar problems to create a potential multi-million dollar exposure. Even worse than that, potential exposure can be the negative publicity that a class action brings a manufacturer. These are lawsuits that can grab media attention and create the perception that a manufacturer has a shoddy product that has potentially damaged millions of consumers.
One such example is the class action lawsuit alleging certain Whirlpool front-loading washing machines had a design defect that allowed water to accumulate and create moldy front gaskets resulting in smelly washers. Whirlpool ultimately settled this class action in a manner that resulted in notices being sent to more than 5.5 million people advising them they might be eligible for a $50 cash payment or a 20 percent cash rebate on the purchase of certain washers and dryers made by Whirlpool.
As this washing machine example demonstrates, class actions are often brought by plaintiffs’ attorneys to try to force a settlement due to the risks posed by both the lawsuit and the adverse publicity generated by the lawsuit. One of the best ways a manufacturer has to manage those risks is by evaluating the class action thoroughly when first hit with the suit. Often, the class allegations are weak and legally suspect — and can be knocked out on procedural grounds, allowing the class allegations to be dismissed. It is important, therefore, to scrutinize a class action lawsuit to identify jurisdictional concerns or weaknesses involving the class of plaintiffs itself.
Manufacturers are going to get sued, even if their products do not have any defects. To help mitigate potential liability, manufacturers should take steps to keep careful records that clearly demonstrate compliance with safety standards. They should also ensure products carry adequate and clearly marked warnings and instructions. Finally, any class action lawsuit should be met with an aggressive response that focuses on eliminating class allegations from the outset.
Adam K. Peck is a partner at Lightfoot, Franklin & White LLC in its Birmingham office. Amber N. Hall and Bridget E. Harris are associates at the firm.
Despite a strong first quarter for the American economy in 2019, there have been many troubling signs. The recent inversion of the yield curve, newly announced layoffs and tariffs in the automotive and agriculture sectors, and modest increases in GDP growth indicate that troubled financial times may be around the corner for Alabama. Companies facing financial difficulties are often concerned with how to identify financial stress, when to ask for help, and how to navigate through troubled financial waters.
Identifying the problem
One of the keys to getting ahead of potential financial issues is identifying when you have a problem. Companies should be paying close attention to monthly and quarterly performance metrics. Important questions to consider include: Are you in compliance with your loan covenants? Are you having to stretch payables? Are you having to finance receivables or manipulate them beyond normal limits? Each of these indicators can predict impending problems. Early warning signs also often come from a friendly call from your banker/lender, or maybe a concerned visit from the company CPA.
Take the early warning signs seriously. Companies may be able to avoid a bankruptcy or a substantial restructuring by proactively identifying potential areas of concern and addressing them in a timely fashion. Moreover, sometimes even bad financial news can be an opportunity for growth and retrenching. For example, recognizing that a product line is not profitable and discontinuing it can allow for expanding core activities that generate profit.
Successful companies can face bankruptcy or substantial financial challenges and come out stronger on the back side. Many people in Alabama remember the stories of HealthSouth (now Encompass Health) and its financial struggles. That company has now rebranded, is extremely profitable and is an established leader in the healthcare industry. This is just one example illustrating that a bankruptcy or substantial financial restructuring may not be the end of the line.
Taking the plunge
If a company gets to a point of financial uncertainty, assembling the right team of professionals is important for successful reorganization. As with many aspects of the legal profession, the restructuring world is highly skilled and specialized. Identifying the right professional to assist and guide your company is an important step. In addition to legal advice, financial advisors/accountants and potential investment bankers can help companies resurface in troubled waters of a bankruptcy.
In considering when to file bankruptcy, there is an important legal principle to remember. A once profitable company begins to show that it is insolvent (in other words, that it’s not making its regular payments to creditors or is upside down on its balance sheet) when it enters what is known as the “zone of insolvency.” When companies enter this zone, legal fiduciary obligations shift. Normally companies are beholden to their shareholders and are driven by profit and earnings. When a company enters the zone of insolvency, that legal obligation changes, and company leadership’s priority responsibilities are redirected to creditors. As a result, the interests of creditors have to be placed above that of equity interest holders.
How to Chart a Course
A bankruptcy is a difficult and expensive process, but one that can streamline and modernize a company. An important adage I always tell clients is, “When you have dug a hole the first rule is to stop digging!” Companies that have been losing money can’t continue to simply lose money and think a bankruptcy will solve their problems. Rather, a bankruptcy is an opportunity to put a pause on creditor concerns and focus on the bottom line to realign priorities. Companies should take a bankruptcy filing as an opportunity to reject and abandon practices and product lines that have been losing money and focus on core assets and profitable ventures.
Restructuring professionals, both legal and accounting, can help guide companies through this process. For example, tools exist that allow a company to reject unnecessary leases or burdensome contracts. Bankruptcy professionals can help companies identify those leases and contracts and take steps to mitigate future loss.
The reality of a bankruptcy is that there is simply not enough money to go around, and cash to pay creditors and establishing the ground work for future operations is critical. Spending precious dollars on activities that are not fruitful or assist in the long run success of the company have to be curtailed and eliminated.
In addition to short-term concerns about cash, long-term issues also need to be addressed. Can potential profits be sustained in the long run? Are product lines and business opportunities going to continue to present themselves in the future? Will a company’s reputation be sustainable? Will the marketplace accept products in the future? Every decision a bankrupt company makes must be made with an eye toward the future.
What is a successful bankruptcy?
In a bankruptcy, success is measured in the eye of the beholder. Creditors always want to be paid in full, but often that is impossible. Alternative routes to success include companies who can maintain their workforce and provide vendors an opportunity to continue to sell product to a new entity, or those that sell or restructure themselves so that a hiccup in financial performance can be overcome with a fresh start.
In a bankruptcy, recovery is different for every party and in every circumstance. A bankruptcy, however, should always be entered into knowingly and with a clear path forward charted. This path helps the company navigate its way through a bankruptcy as quickly and efficiently as possible to ensure and maximize creditor recoveries, and to enhance the long-term prospects of the company.
Scott Williams is a partner in Rumberger, Kirk & Caldwell’s Birmingham office, where he represents parties in complex commercial bankruptcy and litigation matters. He can be reached at firstname.lastname@example.org.
On June 1, Alabama’s new data breach notification law goes into effect, which contains notification and other requirements regarding “sensitive personally identifying information” (Sensitive PII). What can Alabama businesses do to prepare and protect themselves?
What is the Alabama Data Breach Notification Act of 2018?
To lay the groundwork, Sensitive PII includes an Alabama resident’s first name or initial and last name combined with one or more of the following data regarding the same resident: a non-truncated SSN or tax ID number; a non-truncated driver’s license number, state ID, passport, military ID, or other unique government ID; a financial account number (e.g., bank or credit/debit card) in combination with any password or code necessary to access the account or to conduct a transaction; information regarding medical history, mental or physical condition, or medical treatment or diagnosis; a health insurance policy number or unique identifier; or a user name or email address, in combination with a password that would permit access to an online account affiliated with your business that is reasonably likely to contain or is used to obtain Sensitive PII.
If your business acquires or uses Sensitive PII and determines that a security breach has occurred or is reasonably believed to have occurred, and is likely to cause substantial harm, you must notify affected individuals as expeditiously as possible and without unreasonable delay, but no later than 45 days after the determination of a breach and likelihood of harm. A security breach is defined as an “unauthorized acquisition of data in electronic form containing” Sensitive PII. If you determine notice is not required, document and maintain your determination for at least five years. The statute also contains individual notification format and content requirements. Substitute notice (e.g., website or media) may be provided if affected individuals exceed 100, 000, if there is insufficient contact information, or if direct notice would cause excessive cost relative to your business’s resources. Costs exceeding $500, 000 are automatically deemed excessive.
In addition, Attorney General notification is required if the affected individuals exceed 1, 000, and must be “as expeditiously as possible and without unreasonable delay, ” but not more than 45 days from receiving notice of breach by a third-party agent or upon determination of a breach and substantial likelihood of harm. There are content requirements for such notice, although you may provide supplemental or updated information at any time. If notice is required for more than 1, 000 at any single time, you must also notify all consumer reporting agencies without unreasonable delay.
This new law also affects third-party agents maintaining a system on behalf of your business. They must notify you of a breach as expeditiously as possible and without unreasonable delay, but no later than 10 days following their determination (or having reason to believe) that a breach has occurred.
It’s important to note that notification violations are an unlawful trade practice under the Alabama Deceptive Trade Practices Act (ADTPA). There is no private cause of action — the Attorney General has exclusive authority to bring an action for penalties. Violations of the notification provisions are subject to penalties of up to $2, 000 per day, and a cap of $500, 000 per breach. In addition, any business violating the notification provisions will be liable for a penalty of up to $5, 000 per day for each day it fails to take reasonable action to comply with the notification provisions.
While enforcement authority is limited strictly to notification violations, the statute also includes other requirements:
“Reasonable Security Measures” — Your business and its third-party agents must implement and maintain reasonable security measures to protect Sensitive PII. The law lists “reasonable security measures” as including: designated employees to coordinate protective measures; identifying internal/external risks; adopting safeguards to address identified risks and assessing their effectiveness; retaining service providers contractually required to maintain appropriate safeguards; evaluating and adjusting security measures to account for changes in circumstances affecting the security of Sensitive PII; and keeping management, including the board of directors, appropriately informed of the overall status of security measures. The law also provides guidance on what an assessment of your business’s security measures should consider.
Breach Investigation — If you determine a breach may have occurred, you must conduct a “good faith and prompt investigation” and the statute lists what such an investigation should consider.
Records Disposal — The law requires reasonable measures to dispose of or arrange for the disposal of records containing Sensitive PII when they are no longer to be retained, and includes examples of such disposal methods.
It is unclear how these provisions would be enforced, except potentially as consideration of whether a notification violation was willful or with reckless disregard.
What Can Businesses Do To Protect Themselves?
Once you determine a breach may have occurred, things move quickly. Alabama’s 45-day notification period can come and go in a flash. It pays to be as prepared as you can ahead of time.
Inventory your Data — What do you have and where? In what states do your customers reside? Who has access to data, and with whom can they share it? For what purposes and for how long? Make a record to understand how data flows within your business, and what state or regulatory laws may apply.
Form a data response team and plan — Form a small, diverse team whose responsibilities include legal, compliance, PR/communications, information governance, IT, HR and possibly more. The team should create a formal data response plan to address breaches of varying scopes and information types. It will need to be consistent but flexible. Train and test it regularly. Review and assess risks, and report them to management, including the board. Make sure policies and practices address the “reasonable security measures” mentioned above.
Review policies, procedures, agreements and practices — This helps to ensure that the proper safeguards are in place to promote compliance. Are there gaps in your policies? What is covered and not covered by your insurance? Are employees educated on your policies? Most data breaches are caused by human error. As I often tell clients, it doesn’t matter how high you build your castle walls if you’re constantly opening the door. Training against phishing attacks is also highly encouraged.
What if a breach has occurred? — First, immediately engage outside counsel to help establish attorney-client privilege and work product over the ensuing investigation. They can also help assess and meet legal obligations, mitigate potential liability, and work with communications to create compliant and nuanced messaging. Second, identify the source, type and scope of the compromised data. Preserve a record to retain evidence while restoring system integrity and operations. Identify all notification obligations and deadlines, whether statutory or contained in your vendor agreements or insurance policies. Finally, control the story. Communicate early and regularly, and in a clear, consistent but accurate manner. Try to strike the right balance between giving sufficient information to provide stakeholders with enough confidence that you are on top of it, but not so much that you must retract or correct yourself as the investigation evolves.
Brandon N. Robinson is a partner at Balch & Bingham focusing on energy regulation, cybersecurity and data privacy, and emerging technologies. One of the first Alabama attorneys to obtain the IAPP’s CIPP/US certification as a privacy professional, Robinson counsels multiple industries on data privacy and cybersecurity issues, has worked with a number of agencies in developing industry-wide standards and best practices, and serves as the editor of the firm’s Data Privacy & Security Observer blog, which covers legal developments in data privacy & cybersecurity, which can be accessed at dataprivacyandsecurityobserver.com