Maybe it's because I was at a cybersecurity conference last week, but somehow cyber issues are dominating this week's newsletter, from a case that could change the data breach litigation landscape to emerging problems around cybersecurity risk disclosure. In non-cyber news, a look at how Boeing recruited 11 ex-Supreme Court clerks to its legal department.

Welcome back to Inside Track, where we're covering key issues for in-house lawyers, answering your pressing questions and keeping you in the know about what your colleagues are up to. I'm Jennifer Williams-Alvarez, covering in-house lawyering from New York City. If you have questions or something to share, you can email me at [email protected] or find me on Twitter at @jenkayw.


What's happening –

OLD NEWS, HUGE CASE. As 2017 comes to a close, I'm hearing a lot about what's on the horizon for in-house counsel in the coming year. (Stories to come on this.) One big case that's been mentioned to me more than once is a lawsuit over data breach victims' rights to sue that may find its way before the Supreme Court.

The facts. In 2014, electronic servers at CareFirst were hacked, the insurer notified policyholders in 2015 and a putative class action suit was brought shortly thereafter. The district court found that the theory of injury was too speculative to create Article III standing, but the U.S. Court of Appeals for the D.C. Circuit reversed. In its October petition to the Supreme Court, CareFirst said this case “presents an ideal vehicle” to clarify when data breach victims meet Article III's injury requirement.

What's the big deal? “If the Supreme Court decides to grant review in CareFirst, it will be one of the most important privacy and cybersecurity cases in recent memory,” said Alan Butler, senior counsel at the Electronic Privacy Information Center. “The Court has not yet addressed the standard for plaintiffs to sue over data breaches, but usually we expect that private parties can bring suit when their rights under state or federal law have been violated.”

And then? Whatever the Supreme Court has to say on victims' standing, Butler said, “companies and their in-house counsel should focus on proactively addressing cybersecurity issues to prevent future breaches from happening.”



FAILING TO REPORT. I recently looked at a report that shows that more than 60 percent of public companies are not identifying cybersecurity as a risk factor in SEC filings. Given how often we hear about cybersecurity incidents, that number seemed high to me, so I asked around to see what's going on here.

Just say something. Jacob Olcott, VP of strategic partnerships at BitSight Technologies and former cybersecurity counsel to the Senate Commerce Committee, said the data is concerning. “Every company that uses information technology or relies on the internet to do business faces this risk, so every company should be disclosing 'something' in these filings,” he said.

But Olcott is even more troubled by the fact that companies aren't disclosing incidents that have actually occurred already.

Why is this happening? Companies may not be aware incidents are occurring and many “infrequently and inconsistently account for cyber incidents and related losses,” Olcott said.

Also, there are varying interpretations of the material cyber risk and incident disclosure standard established by the SEC in 2011, which Olcott said some lawyers view as voluntary. “There is very broad and confused understanding and interpretation of the SEC's cybersecurity disclosure requirements in the legal community, and additional training and education by the SEC about these requirements is likely necessary,” he said.

➤ What's the fix? According to Olcott: The SEC needs to raise awareness and enforcement around disclosure. And the commission should work with companies and investors to create a “basic, consistent and standard reporting structure.”


CLERK TO IN-HOUSE FLIGHT PLAN. As part of our ongoing look at U.S. Supreme Court clerkships, my colleague Tony Mauro has discovered an unlikely grouping of 11 former Supreme Court clerks at Boeing. It's true that ex-clerks have been known to go in-house – look no further than Apple's new GC Katherine Adams, Facebook GC Colin Stretch, Campbell Soup GC Adam Ciongoli, Waymo deputy GC Thomas Lue and Boeing's own legal leader, J. Michael Luttig, for proof – but how did Luttig end up with more than 10 in his legal department?

A ticket to Boeing. There's no way to compete with firm salaries and hiring bonuses, Luttig told Tony, but Boeing can offer a smaller signing bonus and stock grants. And it's worked. “Every year, unfortunately, we have to turn away former Supreme Court clerks who would like to come to Boeing,” Luttig said.

Much to offer. Luttig said law clerks bring more than being “just academic scholars or legal nerds” to the table; they stand out in Boeing's legal department.

On diversity in the Supreme Court. “You have to go get the best minority or diverse candidates, and you have to do whatever it takes to recruit them,” Luttig said. “You have to affirmatively look for it and affirmatively get it.”

Don't miss Tony's full report on SCOTUS clerks, especially his exclusive—and discouraging—look at demographics and diversity. Call in Thursday at 3 ET for a discussion with Hogan Lovells partner Neal Katyal. Register here.



DOWN TO A SCIENCE? The Harvard Business Review recently ran an interesting article about how companies can look to behavioral science to reduce the risk that a cyber incident will occur. Working off the notion that a company's employees create major vulnerabilities, the article's author, ideas42 VP Alex Blau, suggests ways to improve employee behaviors.

A few highlights from Blau's piece:

Opting in or opting out. In the same way that the “opt-out” system has become the default in certain situations, companies could have security mechanisms, such as two-factor authentication, on by default.

Who does it best? Ranking employees based on the steps they're taking to protect against an incident may lead to greater compliance across the company.

No one likes to break a commitment. Encouraging employees to commit in advance to complete various security updates can lead to more follow-through.




“If allowed to stand, the order would stifle the national and global trend of corporate clients employing in-house counsel as in-the-trenches litigators in order to reduce litigation costs, and relegates those inside counsel to 'second-class' litigator roles.”

From a Dec. 11 amicus brief filed by the Association of Corporate Counsel, referring to a district court order on the scope of attorney-client privilege when in-house counsel are involved with a lawsuit.



Question of the week –

With each edition of the newsletter, we're answering a question for in-house attorneys by going to top practitioners in those areas. If you have a pressing question you'd like answered, send it my way.

This week's question:

With the holidays right around the corner, how can in-house counsel ensure company parties aren't the source of workplace troubles?

➤ First, this is the wrong time to have a sexual harassment incident arising out of a holiday party. The sensitivity is high and the potential for a complaint, or even litigation, is a real concern. Some tips to reduce risks associated with harassment claims include: (1) Issue a reminder to everyone that holiday parties are intended to be festive but also respectful; don't embarrass yourself, your family or your company; (2) Limit alcohol; (3) consider having designated managers or HR personnel with informal responsibility to monitor conduct and intervene, if necessary, to prevent inappropriate behavior.

➤ Second, the company should ensure that alcohol is handled responsibly. Typically, this means limiting the number of drinks through tickets or some other mechanism. Employees should be discouraged from drinking and driving, and the company should promote the use of cabs or Uber for those who want to drink. Have a plan in place for handling any employee who becomes intoxicated, including assigning company personnel or security with the responsibility of removing the employee or assisting him or her with getting home.

➤ Third, plan the timing of holiday parties to avoid controversy. Don't schedule the holiday party for the day after pay raises (or lack thereof) are announced. Holiday parties are also not a good place to make announcements about bonuses or promotions. Mixing alcohol with hard feelings over employment decisions is a recipe for someone to make a comment in a seemingly casual setting that can be used against the company in a lawsuit. The holidays are stressful enough on employees, and the company should try to make the holiday party a stress-free zone as much as possible.

David Barron, member at Cozen O'Connor, whose focuses include labor and employment law.



Don't miss –

Monday, Dec. 18 – Does your employee handbook include everything it should? FordHarrison attorneys Anessa Abrams and Nancy Holt and Fors Marsh Group corporate counsel Patrick Samsel will tackle this and other questions around employee policies in a webinar Monday. Sign up here.

Wednesday, Dec. 20 – Franchesca Fowler, corporate legal counsel and compliance officer at William Demant Holding, and YEEZY general counsel Kenneth Anand plan to discuss on a call next week how in-house counsel parents can be successful in both roles.

Ongoing. If Roy Moore won in Alabama, would Congress have had to seat him? Can government leaders or employers force people to participate in national rituals? The American Bar Association is answering these and other questions with its “ABA Legal Fact Check.”



On the move –

Taking the in-house plunge. After spending nearly two decades in firms, Rashida La Lande is moving in-house to Kraft Heinz. With a previous focus on complex commercial deals, La Lande joins Kraft Heinz with major corporate deals under her belt, including representing Kraft Foods in acquiring Cadbury in 2010 and Verizon in the acquisition of Yahoo. La Lande, who will step in as general counsel and corporate secretary early next year, replaces Jim Savina.

Alcohol to telecoms. British telecommunications company BT has found its next general counsel in Sabine Chalmers. Chalmers, who left her post as chief legal officer at Anheuser-Busch InBev in September, after more than a decade with the company, is set to take on her new role in January. Current BT general counsel Dan Fitz plans to stay on as the company secretary.

Resignation. University of Mississippi general counsel Lee Tyner is resigning from his position at the end of this year, after almost 20 years with the university. Associate GC Perry Sansing is reportedly taking over as interim GC.

