Privacy Program Management

Companies need to have a comprehensive privacy program in order to comply with legal requirements and satisfy the concerns of their customers and business partners.  Several distinct, yet highly related, activities must be undertaken in order to effectively implement and manage a privacy program: 

  • Management must engage in strategic and business planning relating to operational activities that are impacted by requirements imposed by privacy-related laws, regulations and industry standards.
  • An assessment must be made of the current level of company compliance with privacy-related requirements and the risks confronting the company from non-compliance must be identified and quantified.
  • Solutions to deficiencies in the current level of company compliance should be created and introduced into the operational activities of the company.
  • Appropriate criteria and procedures for monitoring the effectiveness of the privacy program should be developed and implemented.
  • The privacy program should be regularly and continuously evaluated by both internal and external auditors.

The relationship between the privacy program and the company’s overall business strategy is particularly interesting.  Obviously, each company should have its own unique and overriding vision for the long-term direction of its business and the goals and objectives that it wishes to achieve.  One important element of this vision is the type of organizational culture that it wishes to establish and nurture, including the norms and values with respect to collection, use and protection of personal information.  The organizational culture should also include an understanding of how the company interacts with its external environment, including customers, and the approach that management expects its employees to take with respect to legal, social and ethical issues that are part of the company’s business environment.  Realization of management’s vision for the company occurs through the creation and implementation of a strategic plan.  While a strategic plan is necessarily comprehensive and covers all areas of the company’s business, it should identify privacy compliance issues and establish strategies and tactics for dealing with those issues.  For example, the strategic plan should address acquisition and allocation of the resources necessary to establish and manage a privacy program, including a budget for security systems, employee training, administration, advertising, auditing and other related services.

Also, since the privacy program is part of the company’s broader compliance efforts consideration must be given to auditing the efficacy of the program.  Regular monitoring of the effectiveness of the privacy program should include formal internal and external audits that provide management with independent and objective assessments of how well the program is operating and how effective it has been in achieving its stated goals and objectives.  Audit procedures can focus on specific aspects of the compliance program.  For example, auditors can review the manner in which the company has handled requests for personal information, the processes used to collect such information, and the safeguards that are used when such information is disclosed (e.g., what steps are taken to verify that the recipients of the information are entitled to receive it and will take the necessary steps to protect such information).  Internal auditors can assist management in creating efficient internal processes for privacy compliance and their effectiveness is enhanced by their greater familiarity with the operational activities of the company.  External auditors, on the other hand, can provide independent assurance services that provide greater comfort to outside parties such as customers, regulators, business partners and visitors to the company’s website.  The goal of the internal and external audit process is to generate reports and data for management that can be used to modify and improve the strategic and business plan underlying the privacy program. 

The content in this post has been adapted from material that will appear in Business Transactions Solutions (Fall 2008) and is presented with permission of Thomson/West.  Copyright 2008 Thomson/West.  For more information or to order call 1-800-762-5272.


Supply Chain Management Arrangements

Companies often need to obtain parts and accessories from a large and diverse group of vendors in order to manufacture and assemble their finished products.  If a company is in that situation it may choose to enter into a separate procurement relationship with each vendor; however, negotiation and management of a large number of contracts can be extremely time-consuming.  An alternative to this approach is to contract with a single vendor that will be responsible for purchasing all of the needed items from the original manufacturers and then reselling them to the company on mutually agreed pricing and payment terms (e.g., a fixed percentage above the price charged by the original manufacturers).  This type of arrangement will be operated under the terms and conditions set out in a supply chain management services agreement.  Such an agreement will cover all of the issues normally addressed in a long-term purchase and sale contract, including forecasting requirements; fixtures and programs; change orders; ordering procedures; pricing and payment terms; shipment and acceptance procedures; warranties and indemnities; limitations on liability; dispute resolution; and term and termination.  In addition, the agreement should include confidentiality provisions given that the parties will exchange sensitive information regarding product specifications and forecasts.  One of the most important features of the agreement is the ability of the buyer to retain control over the quality of the parts and accessories through its ability to place conditions and limitations on the factories and vendors from which the seller can obtain the accessories.  Upon execution of this agreement the supplier may agree that it will initially use only certain listed vendors; however, the supplier is typically allowed to recommend consideration of other factories or vendors by producing a production sample that can be reviewed and hopefully approved for acceptance by the buyer and then added to the list that would be part of the agreement.


Sponsorship Arrangements for Online Portals

Companies may be established to launch and maintain so-called “online portals” that focus on providing information and services to a targeted group of customers.  For example, a website might be created to appeal to entrepreneurs and provide information on how to start a new business, obtain financing, recruit employees and create a business plan.  In order to generate financial support for such a site and collect content of interest to the target group the promoters of the website may enter into sponsorship arrangements with professional services providers, such as a law or accounting firm.  The arrangement will be memorialized in a sponsorship agreement that sets forth the terms and conditions upon which the provider will be acknowledged as a “sponsor” of the portal, which will allow the provider to receive the benefits of having its name and services prominently featured in the portal in order to generate sales activities with the visitors to the site from the target market.  The agreement should describe the consideration to be delivered by the provider in order to maintain sponsorship status, the steps that the company is required to take in order to market and promote the services of the provider, the term of the agreement, and the terms of any licenses from the provider to the company relating to the use of the provider’s intellectual property (e.g., copyrighted materials and trademarks).


Creating and Preserving Confidentiality and Privilege in Internal Investigations

Before any internal investigation begins, counsel must consider how information uncovered during the investigation is to be preserved in confidence. Of course, some of the information collected during the investigation may already be eligible for protection under some form of confidentiality or nondisclosure agreement. The confidentiality of internal investigation materials may be eligible for protection under the attorney-client, work-product or self-evaluation privileges, provided that such privileges are not waived during or after the investigation by inadvertent or intentional disclosure of the information.

In order to maximize the chances that the results of any investigation, or legal review for that matter, will be eligible for protection from unwanted disclosure, counsel should take the following steps:

  • Generate a record that supports an expectation of privacy and intent to prevent and cure violations of law.
  • Obtain formal authorization of the investigation from management that makes it clear that the purpose of the investigation is to render sound legal advice to the company. Counsel should make a written request for authorization that sets out the potential forms of litigation which may arise from any violations in the legal area under review. A formal authorization and retention letter also should be used for work to be done by outside counsel, and the letter should describe the procedures for the investigation and set out the details of the privilege.
  • Coordinate and control the investigation, including, without limitation, ensuring that all investigation participants are instructed to report directly to counsel.
  • Persuade management to formally direct employees to cooperate in the investigation and make sure employees are aware that counsel represents the corporation.
  • Employees should be admonished to avoid hyperbole, legal conclusions, speculation or offensive language in their internal communications.
  • Educate managers in the laws and practices relating to protection of internal communications, including the operation of the legal system and the role of counsel. Memorialize interviews in a way that integrates factual information with counsel's thought processes and opinions.
  • Counsel should avoid verbatim transcripts and tape recordings in favor of memoranda that include evaluations of the statements made by the interviewee and relate the interviewee's statements to other evidence that the interview either supports or refutes. Mark documents "privileged and confidential attorney work-product"; maintain separate files and limit access to the files only to persons in the legal department; retain custody and control of materials, and dispose of unnecessary materials. Distributions of copies of materials for which protection is sought, particularly e-mail communications, should be strictly limited.
  • Hire and control investigation experts and consultants and instruct experts and consultants to report directly to counsel and to submit reports that set forth the elements necessary for a privilege to be recognized.
  • Draft reports and summaries in a fashion that reflects the elements of the privileges. For example, counsel should include affirmative statements on documents (such as witness interview summaries) to the effect that information included therein was solicited and obtained for purposes of rendering legal advice.



Acquisitions by Purchasing a Controlling (But Less than 100%) Interest

While most acquisitions take the form of a merger or stock/asset purchase that results in the buyer-acquirer acquiring full control over the equity interests and/or assets associated with the target business, it is also possible to break into a new business area by purchasing a controlling (but less than 100%) interest in the target.  For example, if the target is owned by a single shareholder who also operates the business, the transaction may be structured to permit the buyer-acquirer to purchase a sufficient number of shares (e.g., 70%) to give it a controlling voting interest over management of the affairs of the target while allowing the selling shareholder to retain a minority interest and continue serving as a key executive of the target.  The former sole shareholder’s minority interest serves as a performance incentive since he or she retains the right to share in future increases in the value of the business.  Incentives for other executives and key employees can be created by both parties to this agreement by adopting a stock option or other form of bonus performance plan.

The first step in such a transaction should be a letter of intent that addresses key terms and conditions to closing including price and payment terms, post-closing management of the target, due diligence, negotiation and completion of definitive agreements, consents and approvals, escrow requirements and procedures, retention of key employees, approval of acquirer’s financing for the transaction and other issues.  Perhaps the most important section of the letter of intent is a detailed listing of the specific conditions precedent to the closing of the proposed acquisition.  Among the matters that should normally be covered from the perspective of the buyer-acquirer are the following:

  • The satisfactory completion of a due diligence investigation and acquisition audit by the buyer-acquirer showing that the assets of target and any actual or contingent liabilities against those assets, and the prospective business operations by the buyer-acquirer of the target’s business are substantially the same as currently understood by buyer-acquirer as of the date of the letter of intent.
  • A satisfactory determination that the acquisition and prospective business operations by the buyer-acquirer of the target’s business will comply with all applicable laws and regulations, including antitrust and competition laws.
  • Completion of all required approvals and consents from both parties and other interested stakeholders including governmental entities, utility providers, railways, material vendors, lenders, landlords and customers.
  • The absence of material litigation or adverse change with respect to the transaction and the ordinary business activities of the target.
  • The buyer-acquirer must be able to enter into satisfactory employment agreements with specified key employees of the target.

Best Practices for Development and Administration of Privacy Programs

An effective privacy program is one that simultaneously addresses privacy risks and business opportunities.  Over time a consensus has emerged on what constitutes “best practices” with respect to collection, use, retention, disclosure and destruction of personal information, and companies should incorporate these principles into the planning and administration of their privacy programs.  The following criteria, included in the Generally Accepted Privacy Principles issued by the AICPA/CICA, are based on internationally recognized practices that have already been incorporated into a wide range of privacy laws and regulations in the United States and around the world and into recognized guidelines recommended by industry and trade organizations:

  1. Management: A company defines, documents, communicates, and assigns accountability for its privacy policies and procedures.
  2. Notice: The company provides notice about its privacy policies and procedures and identifies the purposes for which any personal information is collected, used, retained, and disclosed.
  3. Choice and Consent: The company describes the choices available to the individual whose personal information is being collected and obtains and documents the implicit or explicit consent of the individual with respect to the collection, use, and disclosure of personal information.
  4. Collection:  The company collects personal information only for the purposes identified in the notice regarding its privacy policies and procedures.
  5. Use and Retention: The company strictly limits the use of personal information to the purposes identified in the notice and for which the individual has provided the implicit or explicit consent referred to above.  The company retains personal information for only as long as necessary to fulfill the stated purposes.
  6. Access: The company provides individuals with access to their personal information for review and update.
  7. Disclosure to Third Parties: The company limits disclosure of personal information to third parties only for the purposes identified in the notice and with the implicit or explicit consent of the individual referred to above.
  8. Security for Privacy: The company establishes policies and procedures for protecting personal information against unauthorized access (both physical and logical).
  9. Quality: The company complies with the policies and procedures specified in the notice by maintaining accurate, complete, and relevant personal information for the specific purposes identified in the notice.
  10. Monitoring and Enforcement:  The company regularly monitors compliance with its privacy policies and procedures and implements and enforces procedures to identify and address privacy-related complaints and disputes.

A thorough and effective privacy program includes policies, communications, procedures and controls, and evaluation criteria.  Policies include written statements developed by the company that clearly describe the intent and goals of management with respect to privacy compliance and specific requirements, responsibilities, and/or standards.  Communications include written and oral messages delivered by the company to the individuals whose personal information is at issue, internal personnel, and third parties about the company’s privacy notice and its commitments therein and other relevant information. Procedures and controls are other actions taken by the company to realize its goals and satisfy specific requirements, responsibilities, and/or standards.  Finally, evaluation criteria should be comprehensive, relevant, clear and objective, and measurable so that management can determine the effectiveness of the program and take appropriate actions to modify the program to cure shortcomings and integrate changes in applicable legal and regulatory requirements. The evaluation process should include monitoring and auditing, performance measurement and benchmarking.



Independent Services Agreement for Youth Sports Coach

More and more youth sports organizations are turning from the traditional practice of having parents coach their teams to relying on professional coaches who can provide independent assessment of players and more experience in teaching players the subtleties of their chosen sports.  The relationship between the organization and these coaches should be formally outlined in an independent services agreement.  Such an agreement serves several purposes—defining the activities that the coach will engage in, including coaching teams and providing clinics and training to participants in the sports programs conducted by the organization; memorializing the mutual understanding of the parties that the coach is a contractor and not an employee of the organization; securing an acknowledgment from the coach of his/her understanding of the goals and mission and operating rules of the organization; and setting forth the obligation of the coach to indemnify the organization against damages suffered by the organization as a result of the coach’s criminal or tortious conduct while performing activities on behalf of the organization.



Extending Compliance Programs to Suppliers II

I’ve been discussing the need for companies to extend their compliance program obligations to their suppliers. One basic step that should always be taken is to include standard language in every contract with an outside party that creates a contractual duty on that party to comply with all applicable laws and regulations and spells out specific areas of concern (e.g., the Foreign Corrupt Practices Act in the case of foreign parties dealing with local government officials).  Beyond that, however, companies are beginning to create their own standards for supplier activity and integrating those into how they create and manage their supplier relationships.  For example, a company may promulgate a social and environmental responsibility policy for its suppliers.  This policy becomes a public statement of the values and business practices that the company seeks in its supplier group and a de facto checklist for the due diligence that company personnel are expected to do before entering into a relationship with a new supplier.  The requirements and expectations in such a policy can then be made a part of the formal contractual arrangement between the parties through the use of a supplier social and environmental responsibility agreement.

Company policies regarding social and environmental responsibility are often derived from industry-wide efforts to develop, and build a consensus for, standards for socially responsible business practices that would apply to all participants in a supply chain regardless of their size or where they are located.  An example of such an approach is the Electronic Industry Code of Conduct released in October 2004 following collaboration by some of the major manufacturers in the electronics industry.  This Code of Conduct becomes the basis for company-specific policies that include standards for labor, health and safety, environmental matters, and business ethics.  In addition, companies electing to comply with the Code of Conduct would be expected to establish and maintain an acceptable system of internal controls and procedures to ensure that they carry out their business activities in a manner that meets or exceeds the specific standards in each area.

While imposing compliance standards on partners in the supply chain seems to make a lot of sense, and may have actually become a mandate to fulfill specific legal obligations, a word of caution is in order for those companies adopting such an approach.  One obvious potential problem, especially with suppliers in remote foreign countries, is making sure that adequate resources are invested in actual monitoring of supplier activities and enforcement of the standards set forth in policies and supplier agreements.  One of the reasons for including third parties within a compliance umbrella is the ability to represent to regulators, customers and investors that the company is indeed a good “corporate citizen” and deals only in goods and services that have been produced in accordance with the highest legal and ethical standards.  If it turns out that their vendors fail to follow those standards, the company runs the risk that its own reputation will be tarnished, particularly if it can be argued that the company did not adequately monitor a vendor’s activities.  It is important therefore for companies to use their contractual audit rights and take other reasonable steps to monitor their suppliers, including regular visits to supplier facilities to observe the effectiveness of the supplier’s efforts to adhere to labor and environmental standards.  In fact, failure to do so might even be perceived as a breach of an unexpected duty to a third party, such as a customer injured by products provided by the supplier or even employees of the supplier.  Potential problems of this type should be managed by including language in policies or supplier agreements that expressly denies that anything therein is intended to create duties to, or rights in favor of, third parties.



Policies for Selection of Vendors and Purchase of Goods and Services

A business often contracts with outside parties for services and projects that the business’ own personnel cannot perform cost-effectively, or that call for skills beyond the business’ resources.  Although varied, these services commonly include professional services, such as legal and accounting; research and development; manufacturing, sales, and maintenance of products sold to customers; data and records services; computer services; security services; and maintenance of the business’ equipment.  A business may also contract with consultants and independent contractors under special circumstances, such as during vacations of regular employees, or for servicing products sold by the business to customers in locations that the business’ own personnel cannot economically service.

As a business grows the volume and complexity of agreements for services and maintenance increases and it is important to develop and enforce formal rules and procedures for selection of vendors and negotiation and completion of procurement transactions.  In many cases the responsibility for procurement of services, as well as tangible goods, will be vested in a purchasing department that will assume the leadership role for purchasing goods and services on behalf of the company.  In order to achieve its goals and objectives the purchasing department should prepare and disseminate a policy that covers purchasing authority, including the signatures and other approvals required for certain types of contracts and expenditure amounts; evaluation and selection of vendors, including bidding procedures and prohibitions on conflicts-of-interest; delivery and inspection procedures; invoicing and payment procedures; and contract review and approval procedures.

Each requisitioning department (i.e., the department that is actually requesting the particular product or service) should be expected to contribute to the process by preparing purchase requisitions with sufficient lead time to allow the purchasing department to complete bidding requirements and/or process orders, providing accurate specifications when requested, verifying that funds are available and securing the appropriate budget manager’s signature, and verifying delivered orders for accuracy.  Additional rules may apply to the purchase of specific products and services such as computer equipment, construction services, consulting and professional services and maintenance agreements, and it is important to have the departments with the most expertise involved in the procurement process (e.g., the legal department should not be ordering software without input from the information technology department).

As with any other policy, plans should be made for reviewing the effectiveness of the purchasing procedures on a regular basis and the review should be conducted against very specific performance metrics outlined in the policy itself such as incurring the lowest cost in the fulfillment of specified needs with appropriate levels of quality and service; developing and implementing a strategic procurement plan that ensures that goods and services will be acquired after consideration of needs, alternatives, timing, and availability of funds; identifying and satisfying all relevant legal and ethical obligations (including vetting of potential conflicts of interests) in the acquisition of goods and services by purchase or lease; and establishing a core competency in purchasing techniques by recruiting and training skilled professionals on negotiating, contractual terms and conditions, cost reduction techniques, and cooperative buying processes.



Extending Compliance Programs to Suppliers I

An issue that is coming up more frequently in the context of vendor relationships is whether or not the purchaser should insist that its vendors and other parties involved in the supply chain process should be subject to specified elements of the purchaser’s own global compliance rules and procedures.  It is clear that with increased use of rapid communications technologies and sophisticated logistics tools, companies are becoming more dependent on the skills and actions of outside firms and persons who are not their employees.  As such, it is understandable that companies may be concerned about whether their domestic and foreign partners are adhering to ethical principles and obeying applicable laws.  However, before extending the scope of their compliance programs to their suppliers companies must carefully evaluate the legal consequences associated with that decision, including the possibility that they will be held responsible for liabilities arising from supplier legal problems, and also consider possible adverse impacts to their image and reputation.

Potential legal liability for the conduct of others, including firms in the supply chain, may be based on a variety of common law theories, court decisions and statute-based rules:

  • Companies are increasingly vulnerable to expansion of common law principles of “respondeat superior” that could lead to liability for actions of suppliers who are deemed to have become “agents” of their customers by virtue of the duties that they undertake and the benefits derived by their customers.
  • Liability for illegal actions of third parties may occur under the Foreign Corrupt Practices Act of 1977, which makes it unlawful for a company to make a payment to a third party while knowing that all or a portion of the payment will go directly or indirectly to a foreign official for the purpose of influencing the official in his decision-making capacity.
  • The Sentencing Guidelines for Organizations (the "Guidelines") have attempted to create real incentives for corporations to establish and maintain an "effective compliance and ethics program" as a way to identify and respond appropriately to misconduct and mitigate sanctions for such misconduct that might be imposed by governmental agencies.  In its definition of what constitutes an effective compliance program the Guidelines call for (i) communicating company compliance standards and procedures to agents and providing training therein to agents about their roles and responsibilities; (ii) establishment of a publicized system that allows agents of the company to report misconduct anonymously or under protection of confidentiality; and (iii) encouragement by larger companies to their smaller business partners that such partners implement their own effective compliance and ethics programs.
  • The Sarbanes-Oxley Act of 2002 effectively requires audit committees of public companies to establish procedures for confidential, anonymous submission of concerns of accounting-related misconduct that are broad enough to be known, and accessible, by non-employees.
  • The voluntary Guidelines for Multinational Enterprises promulgated by the Organization for Economic Cooperation and Development include a strong recommendation that companies actively encourage their business partners, including suppliers and contractors, to establish and adhere to principles of corporate conduct that are consistent with the Guidelines.

In addition to these specific legal considerations companies are also becoming increasingly sensitive to how the business practices of their partners, particularly foreign vendors, may reflect on how they are perceived by regulators, customers and investors.  For example, US companies have come under strong criticism when it is disclosed that they have used overseas suppliers that have used child and/or forced labor in their manufacturing activities on behalf of their US customers.  In light of how the business conduct and practices of third parties can expose companies to legal liability and/or have an adverse impact on their image and reputation it comes as no surprise that they are considering and implementing various strategies for making sure that the rules and principles in their corporate compliance programs are applicable to their business partners (i.e., suppliers and contractors performing various activities such as customer service and maintenance).  I’ll describe some of those strategies in my next post.
