January 16, 2015

What Would The White House's Data Security Breach Proposal Mean For North Carolina Businesses?

Earlier this week, the President announced a new cybersecurity initiative. The White House explained that:
"[t]here is a growing perception that individuals have lost control of their personal information; a negative implication of such a view is it may serve as an inhibitor of the use of technology, stymie innovation, and contribute to a less productive economy."
Of course, the President has no legal authority to implement most of his proposals. The Constitution gives Congress the sole power to introduce and pass legislation. The President's role is simply to sign or veto a bill once Congress approves. However, the President's bully pulpit gives him the practical ability to influence Congress' agenda. The primary purpose of the President's current cybersecurity push is to pressure Congress to enact comprehensive cybersecurity legislation.
As of now, the White House has not disclosed all of the text of the proposed bill--only bits and pieces. What we have been told is that the proposal has multiple components. One component that has been described in detail is the breach notification requirement (styled as "The Personal Data Notification & Protection Act"), the full text of which you can read here.

North Carolina and 45 other states already have a data breach notification law. This might suggest that there is no need for a nationwide breach notification rule. Are state breach notification rules inadequate? Is there a compelling need for nationwide uniformity? These are important policy questions. In order to evaluate them, it might be helpful to understand how the White House proposal differs from state laws--particularly the data breach notification requirement found in the North Carolina Identity Theft Protection Act. This blog post will compare the White House proposal to North Carolina's existing breach notification requirement.

Entities Covered. The North Carolina breach notice statute applies to any business in North Carolina or that "owns or licenses" information about North Carolina residents. Under the White House proposal, only businesses that hold sensitive personally identifiable information about more than 10,000 individuals would be covered.

The Reporting Requirement of a Security Breach. The White House proposal would require business entities to give notice of a "security breach" involving "sensitive personally identifiable information." The term "security breach" in the White House proposal would mean a "compromise of the security, confidentiality, or integrity of, or the loss of, computerized data that results in, or there is a reasonable basis to conclude has resulted in...unauthorized acquisition... or access...."

The term is defined slightly differently under North Carolina law. Under our Identity Theft Protection Act, a security breach is "[a]n incident of unauthorized access to and acquisition of unencrypted and unredacted records or data containing personal information where illegal use of the personal information has occurred or is reasonably likely to occur or that creates a material risk of harm to a consumer."

Here's one difference: It would be harder to avoid reporting "low risk" incidents under the White House proposal. There are all sorts of scenarios that might result in unauthorized access, some of which can be relatively innocuous, and probably do not warrant reporting. You can imagine such situations easily. The White House proposal would make it harder to avoid reporting in these situations. Under the North Carolina law, a breach occurs when "illegal" use "has occurred or is reasonably likely to occur" or there is "a material risk of harm to a consumer." Under the White House proposal, there is a breach, and therefore a reporting requirement (at least to the FTC), if there is an "unauthorized acquisition" or "access...in excess of authorization." Under the White House proposal, even if the incident presents a low degree of risk, it must be disclosed to the FTC.

Here's another difference: Under the North Carolina statute, if a hard drive is stolen, but it's encrypted, there is no breach. Under the NC statute, that ends the analysis, and there is no reporting requirement. Under the White House proposal, there is a breach, even if the information was encrypted, and the custodian of the information would then have to undertake a risk assessment to determine if there is a "reasonable risk that a security breach has resulted in, or will result in, harm to the individuals." Encryption might support a presumption that there is no reasonable risk of harm. However, under the White House proposal, the business would be required to self-report to the Federal Trade Commission within 30 days:
  • that it had experienced a breach and conducted a risk assessment,
  • the results of the risk assessment,
  • that it had concluded that there was no reasonable risk to individuals; and
  • logging data (i.e., records of access and changes to a database) for the six months prior and database users' and administrators' log-in information.

Definition of Personal Information. The term "sensitive personally identifiable information" is defined in the White House proposal similarly to the term "personal information" in the North Carolina statute, except that the White House proposal is slightly more broad and would also allow the Federal Trade Commission to create other categories of "sensitive personally identifiable information" by rule. In this way, the White House proposal might be more easily adjusted to changes in technology.

Timing of Notice. The days immediately following discovery of a security breach are difficult for a business, as well as being important to law enforcement. The first priority is almost always to identify and eliminate vulnerabilities. Businesses are reluctant to make public statements before they have obtained and analyzed the facts. Each of these steps may require outside help from forensic computer experts and security experts. It takes time. One of the ways in which the White House proposal differs from the North Carolina statute is the timing of reporting obligations. Under both the North Carolina statute and the White House proposal, the breached business must notify affected customers "without unreasonable delay." However, under the White House proposal, that means no later than 30 days unless the FTC grants an extension.

Public Notice. In addition to notifying affected individuals, state statutes often require a public announcement, of some sort, of the breach. Under the North Carolina statute, the business must notify statewide media of the breach (and place a notice on its website) only if it chooses not to contact affected individuals directly because the cost of providing notice would exceed $250,000 or the number of affected individuals exceeds 500,000. Under the White House proposal, if more than 5,000 residents of any particular state are affected, the breached business must notify statewide "major media outlets" of the breach.

Under the White House proposal, if more than 5,000 individuals are affected by a breach, the business must notify the credit reporting agencies. Under the North Carolina statute, the threshold for making such a report is 1,000.

Allocation of Responsibility to Provide Notice. Under the North Carolina statute, the reporting obligation falls on the business that "owns or licenses" the personal information. A third party custodian who does not own or license the information must merely notify the owner or licensee of the information (not the affected individuals) in the event of a breach. The North Carolina statute does not address whether the owner/licensor can agree with the custodian that, in the event of a breach, the custodian would be responsible to provide notice to customers.

The White House proposal expressly allows owners/licensees and custodians to enter into a contract that allocates the responsibility to notify affected individuals of a breach; however, the notice must include reference to the party who has a direct business relationship with the affected individuals (i.e., the owner/licensee).

Summary. As you can see, the White House proposal differs from existing North Carolina law in a number of ways. From the perspective of a business that has consumer data, the White House proposal generally seems more burdensome; however, for businesses operating in multiple states, the additional obligations of the White House proposal might be outweighed by the benefits of having a uniform law across jurisdictions. (Responding to a multi-state breach is very challenging because of the variation in state breach response laws.) 

Whether Congress will take up the proposal in earnest, and whether legislation resembling the White House proposal will pass both houses, is anyone's guess, but one thing is clear at this point--the President has initiated a public dialogue on these issues.

January 11, 2015

When Your Identity Has Been Stolen: 10 Steps to Follow

On several occasions, I've been asked to help individuals whose identities have been stolen. However, most of the time, it is not cost-effective for a lawyer to handle the majority of the initial steps in responding to the theft of an individual's identity. Instead, the affected person is usually best advised to handle most of the first steps themselves. [FN1]

As a public service, I'm providing the following step-by-step guide for individuals who suspect that credit has been obtained in their name without their consent. (There are other kinds of identity theft, but this is the most common.) Although the Federal Trade Commission has a good guide for victims of identity theft, it (i) requires you to read several different webpages instead of just one, and (ii) does not explain the state-law-specific aspects of recovering from identity theft. This is intended to be a simplified guide for North Carolina residents.

1.   Put a Fraud Alert on Your Credit Report. Call any one of the three major credit reporting agencies and instruct them to place a fraud alert on your credit report. (Tell the agency you contact to tell the other two to do the same...although there's no harm in calling all three yourself). You'll be required to prove your identity when placing a fraud alert. There is no cost to you to place a fraud alert. The purpose of an initial fraud alert is to make it harder for an identity thief to open more accounts in your name. An initial fraud alert lasts 90 days, but can be renewed.

You can contact the credit reporting agencies at the following: Equifax - 1-800-525-6285, www.equifax.com, P.O. Box 740241, Atlanta, GA 30374-0241; Experian - 1-888-397-3742, www.experian.com, P.O. Box 2104, Allen, TX 75013-0949; TransUnion - 1-800-680-7289, www.transunion.com, P.O. Box 1000, Chester, PA 19022.

2.   Order Your Free Credit Reports. When placing a fraud report, you are entitled to a free credit report from each of the three major credit reporting agencies. The agency that you call (as instructed in #1 above) will explain your rights and how you can get a free copy of your credit report. You could also use this form.

3.   Submit an Affidavit to the FTC. Write out a description of how you learned about the suspected identity theft and everything you've learned about it since, in as much detail as you can. Next, you need to put this information into the form of an affidavit (a sworn written statement). The Federal Trade Commission has a helpful tool (called the "FTC Complaint Assistant") to put your information into the proper form, which you can use for free at https://www.ftccomplaintassistant.gov/. When finished, submit the affidavit to the FTC through the website. Print or save a copy for your records. (Alternatively, you can use this form.)

4.   File a Police Report. Call the local law enforcement agency (a) where the theft appears to have occurred, or (b) where you live, or (c) both. In North Carolina, this is usually a police department if you live in a city or town, or a county sheriff's department if you live outside a municipality (though there are exceptions to this general rule). File a police report. (Either they will send an officer to you, or will ask you to come to the station.) Give the officer a copy of your FTC Identity Theft Affidavit. Also give the officer a copy of the FTC's official memo to local law enforcement agencies, a copy of which is available here. Ask to be given a copy of the police report once it's ready.

5.   File an FTC ID Theft Report. Together, your FTC Affidavit and the police report comprise an "FTC ID Theft Report." An FTC Report can help you (i) get fraudulent information removed from your credit report; (ii) stop a company from collecting debts that result from identity theft, or from selling the debt to another company for collection, (iii) extend the fraud alert on your credit report; and (iv) get information from companies about any accounts the identity thief opened or misused. Send the ID Theft Report to the credit bureaus and to any organization affected by the ID theft (such as a retailer or credit card company).

Send an ID Theft Report to the credit reporting agencies, and tell them whether you want to extend the fraud alert or initiate a security freeze (see #6 below). In either case, you should notify all three of the credit reporting agencies.

6.   Decide Whether You Want to Extend the Fraud Alert or Institute a Credit Freeze. Next, you need to decide whether to (a) extend the fraud alert or (b) initiate a security freeze.

Once you have created an ID Theft Report (FTC affidavit plus police report), you are entitled under federal law to extend your fraud alert for seven years. When you extend the fraud alert, you can get two free credit reports within 12 months from each of the three major credit reporting bureaus, and they must take your name off marketing lists for prescreened credit offers for five years, unless you ask them to put your name back on the list.

North Carolina residents are entitled by state law to "freeze" their credit reports. When a security freeze is in place, a consumer reporting agency may not release your credit report or information to a third party without your prior express authorization. If you want someone (such as a lender or employer) to be able to review your credit report (for a credit application or background check), you must ask the credit reporting agency to lift the security freeze. You can ask to lift the security freeze temporarily or permanently. (The credit reporting agency is required by NC law to give you a unique PIN or password when you initiate the security freeze to be used by you when requesting a temporary or permanent lift of the freeze.) If you request a lift to the freeze by mail, the agency has three business days to comply, but if you request electronically or by telephone, the agency must comply with the request within 15 minutes, pursuant to NC law. Putting a credit freeze on your credit file does not affect your credit score.

The cost to place and lift a freeze, and how long the freeze lasts, depends upon state law. Here in North Carolina, a freeze lasts as long as you wish, and a consumer reporting agency cannot charge a fee to put a security freeze in place, remove a freeze, or lift a freeze if your request is made electronically. If you request a security freeze by telephone or by mail, a consumer reporting agency can charge up to $3.00 (unless you are 62 or older, or have submitted a police report--see #4 and #5 above).

So, to summarize, a "security freeze" generally stops all access to your credit report unless you lift it, while an "extended fraud alert" permits creditors to get your report as long as they take steps to verify your identity. My general preference is the freeze, because it gives you the most control.

7.   Review Your Credit Reports and Dispute Errors. Carefully review your credit reports for errors. If errors on your credit report are the result of identity theft and you have submitted an Identity Theft Report, you are entitled to tell the credit reporting companies to block the disputed information from appearing on your credit report. Here is a sample letter that may be helpful.

The credit reporting agency will notify the relevant business of any disputed information, after which the business has 30 days to investigate and respond to the credit reporting agency. If the business finds an error, it must notify the credit reporting agency so your credit file can be corrected. If your credit file changes because of the business’ investigation, the credit reporting agency will send you a letter to notify you. The credit reporting agency cannot return the disputed information to your file unless the business says the information is correct. If the credit reporting company puts the information back in your file, it will send you a letter telling you that.

8.   Contact Any Businesses Involved. If you are aware of specific accounts that have been opened in your name without authorization, or existing accounts that have been accessed without your authorization, contact those organizations, even if you have already notified the credit reporting agencies of the problem. Ask to speak to someone in the fraud department. Ask them to reverse any unauthorized charges and to preserve all records for use by law enforcement. You might also want to ask them to simply close the accounts, and open new accounts for you. [Use different access credentials (such as a PIN or password) for the new accounts.] Ask for copies of any documents used by the identity thief. (Here's a sample letter.) Ask for a letter confirming that any fraudulent information has been removed or transactions reversed. Also ask them to stop reporting information relating to the fraud to credit reporting agencies. As soon as you conclude the conversation, memorialize your discussion in a certified letter to the organization. Here is a sample.

9.   Stop Debt Collectors from Contacting You about Fraudulent Debts. If an identity thief opens accounts in your name and doesn’t pay the bills, a debt collector may contact you. To stop debt collectors from contacting you, in addition to the steps described above, you can send them a letter using this form.

10.  Additional Tips:
  • Remember to record the dates you made calls or sent letters.
  • Keep copies of all correspondence in your files.
  • A number of sample letters are available here.

I hope you find this guide helpful. Please feel free to share it with your family, friends, and colleagues. Although I hope you never need it, I encourage you to bookmark this post for quick reference, along with the FTC's ID Theft website and the NC DOJ's website, just in case.


[FN1] When the person whose identity has been stolen either (a) lacks the ability to respond themselves, whether due to a disability, age, or otherwise, or (b) is someone whose time is sufficiently valuable that it makes economic sense for them to hire someone else to remedy the situation, a lawyer/paralegal team may be well-positioned to handle these matters. Otherwise, it makes sense for the affected person to handle most aspects of resolving a stolen identity, with limited guidance from a knowledgeable lawyer.

IMPORTANT: This blog post is for educational purposes only, and does NOT constitute legal advice. You should consult with your own attorney about your specific situation. This blog post does not create an attorney-client relationship, and it will not be updated to reflect changes in law or practices, so you should refer to other sources to ensure you receive the most accurate, up-to-date information.

January 8, 2015

Has the FTC Overstepped Its Bounds on Privacy and Information Security?

One of the most frustrating things about privacy and information security law is the lack of certainty when it comes to acceptable uses and protocols.  This piece is intended to explain some of the reasons for the uncertainty, and to highlight a pending case that might shed additional light.

Bills to create nationwide privacy and information security rules seem unable to gain traction in Congress. (Perhaps that will change with the new class of legislators having just been sworn into office.)  At present, the United States has no comprehensive privacy statute nor is there a comprehensive set of privacy regulations.  Instead, we have a "patchwork" of privacy regulation:
Most privacy laws in the United States are industry-specific and enforced by industry-specific agencies.  For example, the federal banking agencies (the FDIC, OCC, FRB, and NCUA) govern financial institutions' handling of financial information, and the Department of Health and Human Services holds healthcare providers responsible for following the health information privacy rules.

At the federal level, the Federal Trade Commission is the agency with the broadest reach to address privacy and information security issues.    The FTC has taken the role of filling the gaps left by the patchwork of regulations by pursuing enforcement actions against all sorts of companies for all sorts of privacy-related issues.  But from where does the FTC's broad authority over privacy practices come, and how far does it reach?  Certain specific federal statutes give the FTC authority over specific issues, like the privacy of children's information on the internet, and credit reports, but what about the FTC's authority over the broad spectrum of privacy-related issues?

The Federal Trade Commission Act prohibits "unfair and deceptive acts and practices in or affecting commerce."  The FTC relies upon this broad language to justify its sometimes aggressive enforcement actions against organizations that do not handle customer information in the way the FTC finds acceptable.  For example, the FTC has pursued, and extracted large sums of money from, many website operators and social media platforms that it alleged had failed to carry out the promises those companies had made in their privacy policy statements, on the grounds that such shortcomings were "deceptive acts" (and more recently, also "unfair").  Privacy lawyers have observed that the FTC seems to take a very expansive view of its statutory authority in these contexts, but most companies that have found themselves in the crosshairs of the FTC have settled rather than challenge the FTC's authority (such as Facebook, Twitter and Google, as I've written about here).

Another significant problem with the FTC's broad and ambiguous authority is that the FTC has not been given the explicit authority to write and publish regulations governing privacy and data security generally.  As a result, the FTC "regulates by enforcement," meaning the primary way in which we know what will draw the FTC's ire is by looking at the instances in which it has brought enforcement actions in the past and drawing inferences from the court filings and settlement agreements that become public.  The obvious problem is that the rules of the game are not given to the players at the outset of the game, and are never made perfectly clear.  Only by carefully observing the FTC's public actions and public statements can we begin to infer the kinds of activities that might trigger FTC action.  Regulating privacy and information security in this way (after-the-fact punishment based on very broad principles) leaves a lot of room for uncertainty, and many organizations are craving clarity in these areas.

A case pending before the Third Circuit Court of Appeals may result in additional certainty:  The FTC brought an enforcement action against Wyndham Hotels following information security lapses by the hotel chain, but Wyndham is fighting back, arguing that the FTC lacks the authority under the FTC Act to bring data security enforcement actions, as well as arguing that the FTC failed to give it fair notice of the security practices the FTC expects.  Wyndham further challenges the FTC's claim that its practices were "unfair."  (A practice is "unfair" under the FTC Act only if it "causes or is likely to cause substantial injury to consumers which is not reasonably avoidable by consumers themselves and not outweighed by countervailing benefits to consumers or to competition.”) 

Because most FTC enforcement actions in this area result in settlement, this is the first time a federal appeals court will be asked to clarify the FTC's role in data security.  You can bet privacy and information security lawyers and other InfoSec professionals will be watching this case closely!

In Good Company

I am very honored to be included--along with a number of fine lawyers across the state--in the 2015 "Legal Elite."  This year I was listed in the "Business" category, as well as the "Young Guns" category.  Business North Carolina magazine surveys more than 20,000 North Carolina lawyers by asking the following question: "Whom would you rate among the current best in these categories [of law]?"   The results are compiled, and fewer than 3% of the lawyers in North Carolina are then named to the list.

My sincere thanks go out to all of the lawyers across North Carolina who participated in the peer review process conducted by Business North Carolina magazine.  I certainly do appreciate your support.  I know that many of you read this blog, and I have the privilege to work with many of you through the North Carolina Bar Association on important issues affecting our state and our profession.  I truly appreciate your friendship and trust.  I consider it a privilege to be able to recommend several of you for well-deserved recognition, and I am pleased to see some very deserving names on this year's list (although there are several others I wish had also been included).   May this new year bring each of you the success and recognition you have earned.

November 15, 2014

Yet Another Reason to Handle Consumer Electronic Consents Correctly

From time to time, clients balk when I describe the components of an effective consumer consent to an electronic transaction.  They say "I've seen lots of other websites, and they don't require this." 

They are correct, in part.  Most websites do not do what I advise my clients to do, because most websites have deficient disclosures and consent language.  Most of the time, these do not result in anything catastrophic.  But that does not make it legal...or smart. 

One aspect of consumer electronic transactions that people question most often is affirmative consent.  They ask whether it is truly necessary to provide detailed disclosures and obtain affirmative consent from consumers when entering into agreements through electronic means.   Affirmative consent means that the consumer expressly agrees to the terms, or "opts in."  An example of affirmative consent is the following:
"By clicking the button labelled 'Accept' below, you agree to the terms and conditions of this Agreement and acknowledge that you have read and understand the disclosures provided above."
Most businesses would generally prefer negative consent, also referred to as "constructive" consent or "opt out."   An example of negative consent is the following:
"By using this website, you are agreeing to these Terms and Conditions."
Obviously, negative consent is easier for businesses to handle than getting affirmative consent.  The question, however, is whether a negative consent is effective for all purposes.

The (federal) E-SIGN Act and the (state) Uniform Electronic Transaction Act require that if any other statute, regulation, or rule requires that a consumer be given a document or disclosure in writing, then in order for a consumer to effectively agree to receive it in electronic format, the consumer must affirmatively consent after having been given very specific disclosures.  In some circumstances, it may be difficult to identify a specific law requiring a written disclosure in connection with the contemplated transaction.  You may think, "we are not under any legal obligation to give any notices or disclosures to these customers after this transaction."  However, there are a large number of disclosure requirements contained within the millions of pages of law affecting consumer transactions.  Just because you can't think of one off the top of your head doesn't mean none exist.  For this reason, I almost always advise my clients to obtain affirmative consent from consumers for online agreements.

In this post, I'm going to give you a real-world example of a situation in which obtaining a proper consumer electronic consent could save a lot of money:

ABC Corp. (fictional) sells products and services to consumers in North Carolina through its website and the telephone.  It has collected information from tens of thousands of consumers over the past few years, and stores that information on its database on its own server.  Included in the information are the consumers' credit card numbers (so that regular customers will not have to provide all of their information with every order).  The credit card numbers are not encrypted on the database.  ABC Corp. becomes aware of an incident of unauthorized access to its database.  Customer information likely has been accessed, and the available information indicates that the person who accessed the information has nefarious intent. 

Under North Carolina law, ABC Corp. is obligated to notify each consumer of the data security breach.  The North Carolina Identity Theft Protection Act says that ABC Corp. can notify the consumers via email only if the consumer's consent has been properly obtained in accordance with the E-SIGN Act.  If ABC Corp. has records of consumers' email addresses, but has not obtained the proper consent to provide subsequent legally-mandated notices by email, ABC Corp. cannot satisfy its obligations by providing the notice by email.  Instead, the Identity Theft Protection Act requires that the notice be provided in hard copy (if mailing addresses are available).  In this situation, because ABC Corp. has failed to obtain consumer consent in the proper way at the outset, the cost of responding to a subsequent data security breach will be tens of thousands of dollars more as a result of printing and postage costs alone.

This is just one example of the many ways in which handling consumer consent carefully at the start of an electronic relationship with a consumer can pay off for a business later.

November 7, 2014

Public Service Announcement: "Combatting Financial Exploitation: A New Tool"

Regular readers of this blog know that preventing the financial exploitation of older or disabled folks is something that I am passionate about.  I've written and spoken on the topic frequently over the past couple of years.

This week, I had the privilege to join a distinguished panel of experts for a series of training webinars on combatting financial exploitation of the elderly and disabled.  The webinar was coordinated by the NC Administrative Office of the Courts (specifically, the inimitable Lori Cole), and included representatives of the NC Department of Justice (the ever-risible Raj Premakumar), UNC School of Government (the erudite Aimee Wall), NC Bankers Association (the staid Jan Dillon), and NC Department of Health and Human Services (the passionate triumvirate of Nancy Warren, Renae Minor and LeShana Baldwin).  More than 300 participants registered, most of whom were lawyers, judges, clerks of court, financial professionals, and social services officials from all across North Carolina.

Here are a few quotes from participants who contacted us after the webinar to provide feedback:

"Thank you so much for all the great information I received with the combatting financial exploitation webinar class. This will help me to stay up to date with the new change." - an Assistant Clerk of Court

 "Thank you for an informative CLE!" - a County Attorney

 "Thanks for the program and the info!" - a County Attorney

 "The webinar today was a very good introduction." - an Assistant Clerk of Court

 "It was a very good program." - a Social Services Attorney

"The information was very helpful." - an Assistant Clerk of Court

For those who were unable to join us, a copy of the materials from the presentation is available here.

A video of the presentation will be available soon, and I will update this post to include it.

If you encounter circumstances that lead you to suspect the financial exploitation of an older or disabled person, whether in your professional life or your personal life, please report your suspicions appropriately. 


November 6, 2014

A Message to New North Carolina Lawyers

The following article was published by the NC Bar Association in The Advocate earlier this month.  If you know any newly-licensed lawyers in North Carolina, I encourage you to share it with them:

Welcome to the YLD
by Matt Cordell, Division Director

Welcome to the Young Lawyers Division, which is affectionately known as the “YLD”! If you are younger than 36 or in your first three years in the practice of law in North Carolina (regardless of your age), you have been inducted automatically into the YLD effective upon joining the North Carolina Bar Association. Make no mistake—despite the fact that admission did not require much effort on your part, YLD membership is something from which you should derive great pride. (Second-career lawyers tend to be eager to call themselves members of the Young Lawyers Division—a feeling you will understand one day if you do not already—but this is not the sort of pride to which I refer.) You have joined the ranks of a dynamic, transformative organization that will ask for your talent and enthusiasm and, in return, give you meaningful experiences, skills, and relationships. The YLD has a tremendous legacy of developing effective young lawyers and serving our communities in powerful ways. In this special issue of The Advocate, we hope to show you how the YLD makes a difference in the world and can make a difference in your career.

The Young Lawyers Division Yields Lasting Dividends
The YLD is the largest division of the NCBA, with 6,500 members. It is also widely acknowledged that the YLD is the most active service arm of the NCBA. It is the source of many of the NCBA’s service initiatives, and has provided an enthusiastic workforce to carry out virtually all of the Association’s service projects—service to our members, our neighbors, and our communities. The YLD’s heritage of service dates back to its founding in 1954 and is the first goal expressed in its mission statement:
To promote the general welfare of the public, advance the professional education and welfare of young lawyers, involve young lawyers in the activities of the NCBA, promote fellowship among all members of the bar, and advance the standards of both the legal profession and the administration of justice. 

On our strong backs rest the responsibility and opportunity to carry out the vital work of the profession for the public good. The YLD has risen to the challenge in many ways, and most of its 21 committees are oriented toward service. From Murphy to Manteo, YLD members are effecting positive change across our state.
The YLD is where the future leaders of the NCBA, the State, and the nation gain valuable leadership experience. This is evident from a brief summary of the accomplishments of the prior YLD chairs:
  • Six prior YLD chairs have become presidents of this Association.
  • One became president of the ABA.
  • Nine became NCBA Section chairs.
  • Seven chaired NCBA committees.
  • Two became president of the State Bar.
  • Two more took the helm of Legal Aid.
  • A significant number went on to hold public office.
To underscore the point, note that these accomplishments reflect only the Division Chairperson—one person each year. Scores of other YLD officers and committee chairs honed leadership skills in the YLD that enabled them to accomplish great things later in life.

The YLD is Important for Your Legal Development
Legal publications and the editorial pages of newspapers have recently made common knowledge something we in the profession have known for some time: many law schools do not fully prepare students for the practice of law. As a new lawyer, you need practical experience and opportunities to develop leadership and other skills. These can be acquired in countless ways through the YLD’s many committees. You can watch more experienced lawyers counsel clients, and practice doing so yourself, through Wills for Heroes clinics or Project Grace clinics. You can develop your public speaking skills through any number of committees and events. You also can sharpen your writing by joining the Newsletter Committee. Take advantage of opportunities to hone a host of additional skills—advocacy, event planning, speaking, or drafting—while making a difference in your community. The YLD is where newly-minted lawyers acquire the skills and experience to lead their communities, organizations, the legal profession, and society.
This brings me to another significant benefit of YLD involvement: relationships. I have made many great friends through the YLD, and continue to encounter exceptional people each time I participate in a YLD event. If you have not discovered it already, you will learn that relationships matter tremendously in your professional life, just as they do in your personal life. The YLD is a great way to meet the very best young lawyers in the state—young lawyers who are motivated, committed, and service-oriented…and fun to be around. Basically, if you want to make friends with the leaders of the future, it is easy to do. Sign up for a YLD committee or service project. You will be surrounding yourself with some of the best young minds and hearts in this great state. But, as LeVar Burton used to say on Reading Rainbow, “you don’t have to take my word for it.” Give it a try. If you don’t make friends with lots of other bright, friendly, committed young lawyers, we’ll refund your membership fee. (Your first year of NCBA dues have already been waived!)  
Matt Cordell practices in the areas of banking, corporate, and privacy law with Ward and Smith, P.A., and serves as a YLD Division Director. This bar year marks his eighth year as an active member of the YLD. He looks forward to meeting each of you at a YLD event soon.

October 19, 2014

Bank Holding Companies, It Is Time To Update Your Tax Sharing Agreements

It is time to update tax allocation agreements between bank holding companies and affiliated entities, say the federal regulators.  According to guidance issued this summer, examiners will be looking for updated tax allocation agreements beginning this fall. 
Bank holding companies usually own all of the outstanding stock of their depository institutions, which means that the holding companies and their banks are deemed to be "affiliated groups" within the meaning of Section 1504 of the Internal Revenue Code. Accordingly, they often choose to file consolidated federal income tax returns, and in some states, they are required to file consolidated state income tax returns. To address the allocation of the tax liability and the timing of contributions, bank holding companies and their banks are required* to enter into tax allocation agreements.

In 1998, the federal financial institution regulatory agencies jointly issued an Interagency Policy Statement on Income Tax Allocation in a Holding Company Structure ("Interagency Statement") to provide guidance to insured depository institutions and their holding companies and other affiliates regarding the payment of taxes on a consolidated basis. 

In 2014, an addendum to the Interagency Statement became effective.  The addendum was intended to clarify the agencies' existing positions and to add new requirements in light of the FDIC's recent disputes with holding companies of failed banks for which it acted as receiver.  According to the amended guidance, a tax allocation agreement should explicitly address the following issues:
  • Calculation of Tax Allocation.  A subsidiary depository institution must compute its income taxes (both current and deferred) on a separate entity basis, regardless of whether the actual returns will be consolidated.  This is done both for purposes of preparing regulatory reports and to ensure the insured depository institution does not pay more than its own share of the tax liability. Certain adjustments that arise in a consolidated return, such as the application of graduated tax rates, may be made to the separate entity calculation as long as they are done consistently and fairly.
  • Current Taxes Only.  A bank should not pay its deferred tax liabilities to its holding company, because the deferred tax account is not a tax liability required to be paid in the current reporting period. The regulators frown on this.
  • Timing of Payments to the Holding Company.  Tax payments from a bank to a holding company should never exceed the amount of the bank's current tax expense calculated on a separate entity basis, nor should they be made before the bank would have been obligated to pay as a separate entity. The regulators consider any advance payments to be extensions of credit from the bank to the holding company (which are restricted by the Federal Reserve Act and regulations).
  • Tax Refunds from the Holding Company.  A bank incurring a loss for tax purposes should record a current income tax benefit and receive a refund--within a reasonable timeframe--from its holding company in an amount no less than the amount the bank would have been entitled to receive as a separate entity.  If the refund is not passed along to the bank within a reasonable period, regulators may consider it either an extension of credit or a dividend.  If, however, on a separate entity basis, the bank would not be entitled to a current refund because it has no carryback benefits available, its holding company can still use the bank's tax loss to reduce the consolidated group's current tax liability. In this situation, the holding company may reimburse the bank for the use of the tax loss.
  • Agency Relationship.  Because of recent litigation by the FDIC-R over tax assets, regulators emphasize that one of the most important provisions in a tax allocation agreement is the clear statement of an agency relationship between the bank and holding company.  The agreement should clearly state that a holding company that receives a tax refund from a taxing authority holds the funds as an agent for the subsidiary(ies). 
  • Board Approval.  All tax sharing agreements should be approved by the boards of directors of each holding company and insured depository institution in the consolidated group.
The agencies' addendum states that the agencies expect tax sharing agreements to be updated by October 31, 2014 (although it is not a true deadline).  Therefore, bank holding companies should update their tax sharing agreements and obtain board approvals promptly, if they have not already done so.

October 8, 2014

To Register Your Arbitration Clauses with AAA or Not to Register? That Is the Question!

Does your organization have consumer contracts that include an arbitration clause?  Does the clause reference the American Arbitration Association?

You may already know that the American Arbitration Association ("AAA") recently announced that it would require registration of all consumer arbitration clauses incorporating its rules, apparently in response to pressure from the Consumer Financial Protection Bureau, which recently conducted a study of consumer arbitration clauses.  The requirement became effective in September.

Consumer Contracts

The AAA's new registration requirement applies to any arbitration clause in a consumer contract that invokes the AAA’s Consumer Rules or refers to the AAA. The rule change does not affect commercial contracts. As always, the distinction between consumer and commercial is a test of fact, regardless of the language of the document. If a consumer signs a document that purports to be an agreement for use with commercial customers and references the commercial arbitration rules, the consumer may nonetheless invoke the AAA Consumer Rules when bringing a claim.

Public Information

Registered arbitration provisions become publicly-accessible information. According to the AAA, “[b]y accessing the Registry, parties will be able to search businesses by name to determine if the AAA has reviewed their consumer arbitration clause and will administer their consumer arbitrations.” Moreover, according to the AAA, “the Registry will include online access to the arbitration clause reviewed by the AAA and may also include other documents related to the arbitration clause.” 

The Registry is available on the AAA website, and a password is not required to search it and view clauses that have been submitted.
As of the date of this post, only a small number of arbitration provisions appear to be registered, and some clauses are not visible.  It is unclear to me whether this is simply because the website is new and still being populated.

Effect of Registration

Rule 12 of the amended Consumer Rules states that beginning on September 1st, a business that “provides for or intends to provide for” AAA administration in a consumer contract “should notify the AAA of the existence of such a consumer contract or of its intention to do so at least 30 days before the planned effective date of the contract” and provide a copy of the arbitration clause to the AAA.  Rule 12 further states that the AAA will review the clause for material compliance with the Due Process Protocol and the amended Consumer Rules (including consumer fee limits). The Rule and the AAA website call for registration of existing clauses rather than just newly-adopted clauses.  (See, for example, Rule 55(viii).) The AAA may determine that additional, related provisions or documents are necessary in order to properly evaluate the clause, and may request them and post them on the Registry.

For arbitration clauses submitted to the AAA during 2014, the registration fee is $650, which will maintain the clause on the Registry through 2015. An annual fee of $500 is imposed thereafter.

Each arbitration provision used will require a separate registration and registration fee. The AAA's Rule states that "[a]ny different arbitration agreements submitted by the same business or its subsidiaries must be submitted for review and are subject to the current review fee." Therefore, it might make sense to use only one clause, or some other limited number of standard clauses, throughout your organization.

Effect of Not Registering

If a business has not registered its consumer clause prior to the filing of a consumer case, the AAA will require that the business register its clause at that time, and will "conduct an expedited review.” The expedited review costs an additional $250. The primary risk associated with not registering the clause in advance is the chance that the AAA will determine that it does not comply with the AAA Due Process Protocols or fee limitations, and therefore decline to arbitrate.

Updating Requirement

If an arbitration provision is updated or revised, it will require a subsequent registration with the AAA.
Rule 55 purports to require re-registration and an additional $500 fee for "[a]ny subsequent changes, additions, deletions, or amendments." Despite the strict language of the Rule, it is unclear to me whether the AAA would take the position that a minor, non-substantive change would trigger the re-registration requirement; one would hope that a non-substantive change would not require an additional filing and $500 fee.

Conclusions and Additional Considerations

Based upon the new Rules and the analysis above, you might conclude that it is most cost-effective, and administratively useful, to standardize an arbitration clause (or a limited number of clauses) across the organization, whether or not you intend to register the clause in advance of a dispute. In making these determinations, you may want to consider the risk of the AAA rejecting the clause, the frequency with which your organization has historically been subject to arbitration demands, the benefits and burdens of standardizing an arbitration clause(s) across your organization, and (for heavily-regulated entities like banks) the risk of criticism for failing to register in advance, among other factors.

An Important Decision from the North Carolina Supreme Court

In February, I wrote about an important case for lenders in North Carolina. The North Carolina Supreme Court has issued a highly-anticipated opinion that is important for lenders in North Carolina to understand.

Under North Carolina law, real estate can be held by married couples in a form known as "tenancy by the entireties," which means that the property cannot be reached by creditors of only one spouse. Therefore, lenders often obtain guarantees from the spouses of borrowers (or the spouses of individuals who own borrowing entities) to ensure that real estate assets (that might be necessary to satisfy a debt if the borrower or guarantor does not pay as agreed) will be available as a source of repayment. Without spousal guarantees, lenders would often be unable to rely upon many real estate assets when underwriting a loan. Accordingly, the ability to obtain a guaranty of a spouse sometimes means the difference between a lender being able to make a loan and being forced to decline a loan application.

The Equal Credit Opportunity Act ("ECOA") and its implementing regulation, Regulation B ("Reg B"), were intended to prohibit gender-based discrimination in lending. Its original intent was to prevent married women who were qualified borrowers from being refused credit because they did not have their husbands' approval. (This was apparently a problem in the early 1970s!) Over time, the ECOA was amended and interpreted to generally prohibit, among other things, requiring a spousal guarantee absent a showing both that the borrowing spouse is not independently creditworthy enough for the loan and that the guaranteeing or supporting spouse was not selected only on the basis of his or her status as a spouse. Put simply, if an individual seeks a loan from a lender, the lender cannot automatically require that the borrower have his or her spouse co-sign or guarantee the loan. The ECOA provides for the assertion of a claim against the lender if the ECOA is violated.

In August of last year, a panel of the North Carolina Court of Appeals had opined that a violation of the ECOA not only gave a spouse the right to assert a claim against the lender, it also allowed the spouse to escape the guaranty entirely. (RL REGI North Carolina, LLC v. Lighthouse Cove, LLC, COA12–1279.)

The case at issue involved a lending arrangement where most of the assets were held by the owner of the borrowing entity, while the borrowing entity itself had comparatively few assets. The lender required not only the borrower's owner to provide a guarantee, but also the owner's spouse. The borrower defaulted. A forbearance agreement was entered into in which both the owner and the spouse acknowledged the validity of the debt and waived any and all claims against the lender. The borrower defaulted again later. The lender sought to recover against both the owner and the spouse pursuant to the guarantees. The spouse asserted the ECOA as a defense and both the trial court and the Court of Appeals agreed that the guarantee was unenforceable against the spouse.

The North Carolina Supreme Court then agreed to hear the appeal of the creditor. Because of the harmful precedent that would be established if the Court of Appeals' ruling was upheld, one of my colleagues and I filed an amicus curiae (friend of the court) brief on behalf of the North Carolina Bankers Association in support of the creditor, asking the Court to reverse the Court of Appeals' decision. We argued both the creditor's position (i.e., that the ECOA cannot be asserted as a defense and that, in any regard, the borrowers had waived any such claim or defense) and policy arguments supporting the creditor's position. In a unanimous opinion authored by Justice Newby, the Supreme Court reversed the Court of Appeals. The Court did not address the affirmative defense issue, instead finding that the spouse-guarantor waived any potential defense by signing an agreement containing a broad waiver clause. The Supreme Court thereby left for another day the issue of whether the ECOA can be asserted as a defense to a guarantee. You can read the full opinion here.

As a result of this decision, lenders are well-advised to seek broad waivers (such as those covering "any and all claims, defenses, or causes of action") in forbearance agreements and loan modification agreements.