Pre-IPO Compliance Advice for Lyft, Slack, Airbnb and Levi's
As avid users of these services and products, we want these companies to succeed. In the last couple of years, we've been involved with over a half dozen tech company acquisitions and building up their compliance programs.
March 21, 2019 at 10:45 AM
8 minute read
A number of companies are planning IPOs this year: Uber, Slack, Levi's, Lyft and Airbnb, to name a few. We've written a few articles on Uber's compliance woes and the company's response (including how they have hired a number of resources and taken steps to build a compliance program). Lyft has not seemed to have had the same issues. Neither has Slack, Airbnb or (thankfully) storied jean company Levi's.
As avid users of these services and products, we want these companies to succeed. In the last couple of years, we've been involved with over a half dozen tech company acquisitions and building up their compliance programs. Every company needs something different. There is a lot of guidance out there from the government to figure out the key themes, such as Chapter eight of the U.S. Sentencing Guidelines, the FCPA Resource Guide, as well as the U.S. DOJ's Evaluation of Corporate Compliance Programs, and the OECD's Anti-Corruption Ethics and Compliance Handbook for Business and Good Practice Guidance on Internal Controls, Ethics, and Compliance (both referenced by the U.S. DOJ). And there is also guidance for companies on specific compliance processes, for instance, NASA's Guidelines for Risk Management, COSO's Risk Assessment in Practice guideline, and the ISO 19600 standard. It's a lot to read, honestly. And we know these companies are busy focusing on making great products for customers, so we've done some of the work for them.
What is a pre-IPO company supposed to do? Fortunately, we have combed through hundreds of pages of guidance and mapped out the requirements into five simple program elements. We put our work on our website: http://www.rmcconnellgroup.com/compliance-by-design/. Go now and look before reading further. We'll wait.
Now that you've finished (or if you are in a hurry), here are some takeaways:
- Leadership. For a compliance program to work, someone needs to run the program that can work with the business to evaluate the legal requirements and address the company's key risks. This person could be a dedicated chief compliance officer, or it could be the general counsel (deciding this structure is a separate article). For a tech company about to go public, you need to assess the compliance areas you have to deal with (more on that below) and ensure you have resources to address them. For instance, privacy will be a big issue for many of the IPO companies this year (particularly as they await California's new privacy law, the California Consumer Privacy Act, to take effect in January 2020). These companies should have effective resources and an organization to think about issues such as third party data collection/management, privacy by design, notice regarding the use, security, and sharing of personal information, individual privacy choice and breach response. This organization element and leadership are key themes in the regulatory guidance. A company has to have leaders who consistently promote and enforce an organizational culture that demands ethical conduct and a commitment to complying with the law. Leadership must also be responsible for the structure of the program and ensuring that the company's resources are allocated in a risk-based manner. The guidance notes that enforcement of the program is also fundamental to its effectiveness. Leadership must consistently apply incentives and disciplinary measures to effectively implement the program. This is basic blocking and tackling for mature compliance programs, but for a developing program, a key step is to get company leadership engaged and create the right culture.
- Risk Assessment. Risk assessment is where it all starts. If you're Airbnb, you are looking at your risk profile across the business. What are the requirements? Licensing and privacy are likely significant subject matters for the company. A risk assessment process should start by identifying the company's risks and analyzing relevant business metrics. For licensing, key risks may include the risk of not renewing licenses timely or the risk of failing to comply with regulatory requirements to obtain required licenses. Privacy may include the risk of not timely responding to suspected breaches of personal information or the risk of not providing appropriate privacy choices to individuals. Once you have the key risks, the company should calculate the residual risk scores by talking to relevant business partners—usually some combination of likelihood and impact of the risk. For licensing, the company may speak with legal or other business partners involved in the licensing process. For privacy, the company may speak with its IT or information security business partners. After determining the scores so the company can evaluate how to prioritize the risks, Airbnb would then develop action plans to mitigate its highest risks. An example of a privacy action plan could be to develop a comprehensive breach response plan. Each action plan should mitigate a risk and should be specific, measurable, achievable, realistic, and timely. This way, leadership knows when they are complete. The company should develop a risk assessment report to document the results in a meaningful way and present the results to the board of directors.
- Policies, Procedures, and Other Controls. What should Lyft do? If you are Lyft's general counsel, you have done your risk assessment and determined that privacy, licensing and safety are your top three risks and you have to ensure you have a program around these three areas. You develop policies (which tell you what to do and why) and corresponding procedures (which tell you how to implement the policy), as well as controls to ensure the program works effectively. For privacy, your policy may address the type of personal information you collect and how you use it and you may have a procedure on how to respond to privacy breaches, and then controls to address. For Lyft, we hope that rider and driver safety would score as the highest risk (at least inherent because the company hopefully has great controls for this area). The company's program on safety would address all of these risks in a documented and cohesive way. And this framework should be simple and easy to understand for employees.
- Training and Awareness. Now you have a risk assessment and a documented program. What's next? Tell people about it in a fun and engaging way. What does a good job look like for employees? What does the company expect them to do? Is leadership on message? The regulatory guidance notes that companies should consistently communicate their policies and procedures to employees through training and communication. The guidance (and our mapping suggests that companies first assess their training and communication needs, develop a plan to address them, and then identify and assign training and communication to targeted audiences. It is also important to regularly track and evaluate the effectiveness of these trainings and communications to ensure the company's employees are adequately equipped to fulfill their roles.
- Monitoring and Investigation. Now that the program is put together, are we done? Almost. If you are Slack and you've developed a great program on privacy and data security, you have to monitor it and make sure it's working. And have a plan to investigate compliance failures in a documented and effective way. The guidance notes that companies should develop business metrics to enable them to monitor and audit their program and identify any opportunities or gaps. Based on these audits, the company should then develop and execute proactive mitigation efforts. Importantly, the guidance notes that companies should also implement confidential internal and external reporting channels to identify program gaps.
Tech is an exciting space with interesting and evolving issues. If you are ready to go public, better to do compliance sooner rather than later. And if you've already had some issues, it's never too late to try to get it right. Both your shareholders and customers will insist! We hope our guidance helps the effort.
Ryan McConnell and Stephanie Bustamante are lawyers at R. McConnell Group—a compliance and investigations boutique law firm in Houston, Texas with Fortune 500 clients across the globe. McConnell is a former assistant U.S. Attorney in Houston who has taught criminal procedure and corporate compliance at the University of Houston Law Center. Bustamante's work at the firm focuses on risk and compliance issues in addition to assisting clients with responding to compliance failures. Send column ideas to [email protected].
|This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllA Blueprint for Targeted Enhancements to Corporate Compliance Programs
7 minute readThree Legal Technology Trends That Can Maximize Legal Team Efficiency and Productivity
Corporate Confidentiality Unlocked: Leveraging Common Interest Privilege for Effective Collaboration
11 minute readTrending Stories
- 1'We Should Be Pragmatic': Meet the Possible Next FTC Chair
- 2Bank of America's Cash Sweep Program Attracts New Legal Fire in Class Action
- 3Jury That Convicted Ex-Sen. Robert Menendez Accidentally Saw Improper Evidence, Prosecutors Say
- 4Freshfields Hires DOJ Official, Squire Taps Paul Hastings Atty for US Antitrust Head
- 5Goodbye 'Yellow Freight' Road?
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250