Pre-IPO Compliance Advice for Lyft, Slack, Airbnb and Levi's
As avid users of these services and products, we want these companies to succeed. In the last couple of years, we've been involved with over a half dozen tech company acquisitions and building up their compliance programs.
March 21, 2019 at 10:45 AM
A number of companies are planning IPOs this year: Uber, Slack, Levi's, Lyft and Airbnb, to name a few. We've written a few articles on Uber's compliance woes and the company's response (including how it has hired a number of resources and taken steps to build a compliance program). Lyft does not seem to have had the same issues. Neither have Slack, Airbnb or (thankfully) storied jean company Levi's.
As avid users of these services and products, we want these companies to succeed. In the last couple of years, we've been involved with over a half dozen tech company acquisitions and building up their compliance programs. Every company needs something different. There is a lot of guidance out there from the government to figure out the key themes, such as Chapter eight of the U.S. Sentencing Guidelines, the FCPA Resource Guide, as well as the U.S. DOJ's Evaluation of Corporate Compliance Programs, and the OECD's Anti-Corruption Ethics and Compliance Handbook for Business and Good Practice Guidance on Internal Controls, Ethics, and Compliance (both referenced by the U.S. DOJ). And there is also guidance for companies on specific compliance processes, for instance, NASA's Guidelines for Risk Management, COSO's Risk Assessment in Practice guideline, and the ISO 19600 standard. It's a lot to read, honestly. And we know these companies are busy focusing on making great products for customers, so we've done some of the work for them.
What is a pre-IPO company supposed to do? Fortunately, we have combed through hundreds of pages of guidance and mapped out the requirements into five simple program elements. We put our work on our website: http://www.rmcconnellgroup.com/compliance-by-design/. Go now and look before reading further. We'll wait.
Now that you've finished (or if you are in a hurry), here are some takeaways:
- Leadership. For a compliance program to work, someone who can work with the business to evaluate the legal requirements and address the company's key risks needs to run the program. This person could be a dedicated chief compliance officer, or it could be the general counsel (deciding this structure is a separate article). For a tech company about to go public, you need to assess the compliance areas you have to deal with (more on that below) and ensure you have resources to address them. For instance, privacy will be a big issue for many of the IPO companies this year (particularly as California's new privacy law, the California Consumer Privacy Act, takes effect in January 2020). These companies should have effective resources and an organization to think about issues such as third party data collection and management, privacy by design, notice regarding the use, security, and sharing of personal information, individual privacy choice, and breach response. This organization element and leadership are key themes in the regulatory guidance. A company has to have leaders who consistently promote and enforce an organizational culture that demands ethical conduct and a commitment to complying with the law. Leadership must also be responsible for the structure of the program and for ensuring that the company's resources are allocated in a risk-based manner. The guidance notes that enforcement of the program is also fundamental to its effectiveness: leadership must consistently apply incentives and disciplinary measures to implement the program effectively. This is basic blocking and tackling for mature compliance programs, but for a developing program, a key step is to get company leadership engaged and create the right culture.
- Risk Assessment. Risk assessment is where it all starts. If you're Airbnb, you are looking at your risk profile across the business. What are the requirements? Licensing and privacy are likely significant subject matters for the company. A risk assessment process should start by identifying the company's risks and analyzing relevant business metrics. For licensing, key risks may include the risk of not renewing licenses on time or the risk of failing to comply with regulatory requirements to obtain required licenses. Privacy may include the risk of not responding promptly to suspected breaches of personal information or the risk of not providing appropriate privacy choices to individuals. Once you have the key risks, the company should calculate the residual risk scores by talking to relevant business partners—usually some combination of the likelihood and impact of the risk. For licensing, the company may speak with legal or other business partners involved in the licensing process. For privacy, the company may speak with its IT or information security business partners. Once the scores are determined and the company has used them to prioritize the risks, Airbnb would develop action plans to mitigate its highest risks. An example of a privacy action plan could be to develop a comprehensive breach response plan. Each action plan should mitigate a risk and should be specific, measurable, achievable, realistic, and timely. This way, leadership knows when the plans are complete. The company should develop a risk assessment report to document the results in a meaningful way and present the results to the board of directors.
- Policies, Procedures, and Other Controls. What should Lyft do? If you are Lyft's general counsel, you have done your risk assessment and determined that privacy, licensing and safety are your top three risks, and you have to ensure you have a program around these three areas. You develop policies (which tell you what to do and why) and corresponding procedures (which tell you how to implement the policy), as well as controls to ensure the program works effectively. For privacy, your policy may address the type of personal information you collect and how you use it, you may have a procedure on how to respond to privacy breaches, and you would then have controls to ensure the policy and procedure are followed. For Lyft, we hope that rider and driver safety would score as the highest risk (at least in inherent risk, since the company hopefully has great controls in this area). The company's program on safety would address all of these risks in a documented and cohesive way. And this framework should be simple and easy for employees to understand.
- Training and Awareness. Now you have a risk assessment and a documented program. What's next? Tell people about it in a fun and engaging way. What does a good job look like for employees? What does the company expect them to do? Is leadership on message? The regulatory guidance notes that companies should consistently communicate their policies and procedures to employees through training and communication. The guidance (and our mapping) suggests that companies first assess their training and communication needs, develop a plan to address them, and then identify and assign training and communication to targeted audiences. It is also important to regularly track and evaluate the effectiveness of these trainings and communications to ensure the company's employees are adequately equipped to fulfill their roles.
- Monitoring and Investigation. Now that the program is put together, are we done? Almost. If you are Slack and you've developed a great program on privacy and data security, you have to monitor it and make sure it's working. And have a plan to investigate compliance failures in a documented and effective way. The guidance notes that companies should develop business metrics to enable them to monitor and audit their program and identify any opportunities or gaps. Based on these audits, the company should then develop and execute proactive mitigation efforts. Importantly, the guidance notes that companies should also implement confidential internal and external reporting channels to identify program gaps.
Tech is an exciting space with interesting and evolving issues. If you are ready to go public, better to do compliance sooner rather than later. And if you've already had some issues, it's never too late to try to get it right. Both your shareholders and customers will insist! We hope our guidance helps the effort.
Ryan McConnell and Stephanie Bustamante are lawyers at R. McConnell Group—a compliance and investigations boutique law firm in Houston, Texas with Fortune 500 clients across the globe. McConnell is a former assistant U.S. Attorney in Houston who has taught criminal procedure and corporate compliance at the University of Houston Law Center. Bustamante's work at the firm focuses on risk and compliance issues in addition to assisting clients with responding to compliance failures. Send column ideas to [email protected].