• The CASA Compact’s Response to the Bay Area Housing Crisis

    In 2017, the Metropolitan Transportation Committee (MTC) and the Association of Bay Area Governments (ABAG) mobilized a task force of affordable housing advocates, private developers, local government officials, and other Bay Area leaders and experts to form CASA, or the Committee to House the Bay Area. CASA set out to identify a comprehensive policy response to the region’s housing crisis.

    In January of this year, the MTC and ABAG endorsed the CASA Compact, a 15-year plan that prioritizes what it calls the 3 Ps: the production, preservation, and protection of housing in the Bay Area. The Compact calls for the production of 35,000 housing units per year, which would include 14,000 units for lower-income households and 7,000 units for moderate-income households. To encourage production of new units, the Compact supports increasing density for residential projects near transit zones, expediting and streamlining the housing approvals process, and increasing the availability of publicly-owned land for affordable housing development.

    The preservation goal is 30,000 affordable units over the next 5 years, including 4,000 units that are identified as at-risk, largely through inclusionary housing fees and long-term affordability covenants.

    Housing protection would include protecting 300,000 lower-income households from displacement by mechanisms such as an annual cap on rent increases for the next 15 years, rental assistance and legal aid to low-income tenants, and a uniform “Just Cause Eviction Policy.”

    To implement the 3 Ps, the Compact would establish a regional housing entity responsible for financing projects, leasing land for development, and providing technical assistance to local residents and businesses. Funding for the initiatives would come from business, property, and sales taxes, including reforms to the State’s Proposition 13, tax increment funding, and multijurisdictional revenue-sharing agreements.

    The State Legislature is considering several bills that have been introduced this year to address the Compact’s priorities. Among them is SB5, or the Local-State Sustainable Investment Incentive Program, which would reallocate $200 million from 2020 to 2025, and $250 million from 2025 to 2029, from each county’s Educational Revenue Augmentation Fund (ERAF) to eligible affordable housing projects. The proposed bill would designate at least half of its funding to streamline development of affordable housing projects that contain at least 50% affordable units through Workforce Housing Opportunity Zones and Housing Sustainability Districts. Other legislation includes SB50, which incentivizes affordable housing development near high-transit zones by providing concessions under the State’s Density Bonus Law and reducing the discretion of local agencies to deny affordable projects.

    Battle lines are predictably drawn, with many of the Bay Area’s smaller, suburban communities expressing opposition to the loss of local land use control and perceived disproportionate funding for larger cities. The chairs of the State Legislature’s two housing committees, Assembly Member David Chiu and Senator Scott Wiener, have both indicated a desire to move legislation forward to advance the principles of the Compact.

  • San Francisco’s Next Big Move in Maintaining Housing Affordability: Nonprofits’ First Right to Purchase Multi-Family Rental Properties

    Pending legislation introduced by San Francisco Supervisor Fewer would amend the City’s laws to give certain qualified non-profit organizations certified by the City (“Qualified Nonprofits”) the first right to purchase multi-family rental properties and certain vacant lots in San Francisco. 

    Highlights are as follows:

    • The legislation applies to any residential building with at least three rental units or a vacant lot zoned for at least three units.
    • Sellers subject to the new law would be required to notify all Qualified Nonprofits of the intent to sell before putting a qualifying property on the market.  Qualified Nonprofits would have five days to respond, triggering an obligation for the seller to provide information about building tenants.  Qualified Nonprofits would then have an additional 25 days to make an offer to purchase the building.  The seller could reject an offer made, and if no Qualified Nonprofit makes an offer, or if the seller rejects any Qualified Nonprofit offers, the seller could offer the building to the general public.
    • If a seller is prepared to accept an offer from a buyer other than a Qualified Nonprofit, then it would be required to give all of the Qualified Nonprofits the right of first refusal on the same terms and conditions and Qualified Nonprofits would have five days to accept or reject that offer (or 30 days if the seller is responding to an unsolicited offer).
    • Qualified Nonprofits would have the right to institute a civil action against any non-compliant sellers, with the potential for damages as specified in the legislation.
    • The legislation includes protection for existing tenants.  It also requires that a property purchased by a Qualified Nonprofit remain rent restricted, meaning that the value of all rents paid in the building could not exceed 80 percent of Area Median Income (AMI) and the gross household income of new tenants could not exceed 120 percent of AMI.
    • Certain sales would be excluded, including but not limited to transfers made under a mortgage, deed of trust, or deed in lieu of foreclosure and transfers between certain family members.  Seller incentives are also contemplated, which could include a partial City transfer tax exemption, if ultimately adopted by the Board of Supervisors, and federal tax benefits, if available.
  • GPS Monitoring Of Employees In California: Do You Know Where Your Employees Are? Are You Allowed To Know?

    With the advent of cost-effective GPS devices and smartphone tracking apps, employers may effectively monitor their workforce like never before. An employee’s distance traveled, sales routes, and productivity (among other things) can now be verified in real time, which is a seductive thought to most employers, to say the least. But there are things to consider before using tracking technologies to monitor employees, such as constitutional rights of privacy, state criminal statutes, union and labor issues, and good old-fashioned tort claims. In this article, we’ll review some legal considerations and provide some tips for navigating the evolving legal landscape of GPS tracking.

    In California, the right to privacy is an express constitutional right. Article I, Section I of the California Constitution provides that “[a]ll people are by nature free and independent and have inalienable rights. Among these are enjoying and defending life and liberty, acquiring, possessing, and protecting property, and pursuing and obtaining safety, happiness, and privacy.” The California Constitution differs from the U.S. Constitution in this regard, even though a right to privacy has been extrapolated from various provisions of the U.S. Constitution. The fact that the California Constitution makes the right to privacy explicit requires employers to give serious consideration to privacy issues in the workplace before taking actions that might expose them to liability.

    The issue of GPS tracking of employees is less established, and employers have little formal guidance on what practices are permissible and what are not. A good starting point for analyzing potential GPS tracking practices is California Penal Code Section 637.7. That provision states: (a) No person or entity in this state shall use an electronic tracking device to determine the location or movement of a person. (b) This section shall not apply when the registered owner, lessor, or lessee of a vehicle has consented to the use of the electronic tracking device with respect to that vehicle. (c) This section shall not apply to the lawful use of an electronic tracking device by a law enforcement agency. (d) As used in this section, “electronic tracking device” means any device attached to a vehicle or other movable thing that reveals its location or movement by the transmission of electronic signals. (e) A violation of this section is a misdemeanor.

    Section 637.7 thus makes it illegal to monitor the movements of any person, including a vehicle owned by that person, without their consent. Company-owned vehicles could presumably be monitored without the employee’s consent, as long as the owner of the vehicle (the company) consents. However, notifying employees of such tracking (and even obtaining their consent to such tracking) is the safest practice given the still-developing legal landscape with regard to this issue, and particularly in light of new privacy laws going into effect, such as the California Consumer Privacy Act, discussed further below. Additionally, with regard to monitoring employees via smartphone apps or device tracking, providing clear notice and obtaining consent is generally considered best practices. (Although, it is subject to debate whether smartphone apps qualify as a “device” attached to the “telephone” for purposes of being subject to section 637.7.)

    In addition to the penal code, employers may be subject to civil tort claims for invasion of privacy based on their actions. A civil claim for intrusion into private affairs requires: (1) an intentional intrusion “into a place, conversation or matter as to which the plaintiff has a reasonable expectation of privacy”; (2) “in a manner highly offensive to a reasonable person.” In order for GPS tracking of employees to meet this standard, employees would need to have a reasonable expectation of privacy regarding their location that is intruded upon in a “highly offensive” manner. Arguably, employees should not have an expectation of privacy when using company-owned vehicles during business hours or for work purposes. However, whether GPS monitoring of such vehicles constitutes a violation of privacy would require considering various factors, including whether the employee uses that company-owned vehicle regularly, parks it at his or her house during non-work hours, or uses it for personal reasons during off-work hours, among other things.

    It is likely that monitoring the location of an employee during non-work hours or during the performance of non-work tasks – to say nothing of monitoring an employee’s own private vehicle – could be viewed as “highly offensive” to a reasonable person and a violation of an employee’s expectation of their privacy. Ultimately, determining whether any given practice constitutes an actionable violation of privacy requires a court to weigh various factors, including the nature and context of the alleged intrusion, as well as the reasonableness of the motives, purposes, and objectives for the disputed practice.

    Beyond statutory and tort liability, employers need to consider whether their employees belong to a union, or are subject to a collective bargaining agreement, some of which have specific provisions regarding privacy rights that might conflict with intended employer actions. Employers should review any provisions of such agreements that may apply to their workforce and ensure that GPS monitoring of employees is not specifically prohibited by the agreement and that the employer’s contemplated practices are consistent with the privacy rights set forth in the agreement.

    Finally, with the newly passed California Consumer Privacy Act (“CCPA”) going into effect on January 1, 2020, employers must consider the disclosure obligations and potential liability that come with GPS tracking of employees going forward. The CCPA gives California residents significant new data privacy access, disclosure, and deletion rights and does not distinguish between residents in their roles as consumers or employees (you can read more about the CCPA and how it will affect your business here). Thus, employees have the same rights as any consumer to request that a company (in this case, their employer) disclose how their personal information is being collected and used, and well as to obtain access to and/or deletion of that information. Because GPS tracking information collected about employees falls under the broad definition of “personal information” used in the CCPA, employers will be obligated to affirmatively disclose such collection practices at or before the point of collection, provide employees with a copy of that data upon request, and delete that data unless it is necessary to be maintained for a business purpose.

    In sum, before venturing into the wild west of GPS tracking, the safest course for employers implementing GPS tracking is to:

    1. Confirm there are no union issues raised by the tracking.
    2. Provide written notice and obtain clear prior written consent from employees that the employer is tracking vehicle movements (regardless of whether the vehicle is company-owned or privately owned).
    3. Limit tracking to strictly work hours and only for specific business purposes. The GPS should be shut off during personal hours or personal vehicle use.
    4. Develop and adopt a written policy regarding employee monitoring/tracking that sets forth the justifications and limits for GPS monitoring, how the information will be used and stored, and consequences for disabling the GPS.
    5. Limit access to the tracking information to personnel who have a clear business need to know that information.
    6. Store any tracking information securely, but in a manner that can be quickly accessed and provided in response to employee requests for personal information under the CCPA.

    The information in this article does not constitute legal advice with regard to the use of any GPS tracking or other employee monitoring practices. Please contact Data Privacy partners Scott Hall at shall@coblentzlaw.com or 415.772.5798 or Brandi Brown at bbrown@coblentzlaw.com or 415.772.5797 with specific issues or questions.

    Click here to download or print a PDF of this alert.

  • Supreme Court Issues Two Copyright Rulings

    The U.S. Supreme Court issued two rulings last week on copyright law. In both cases, they acted to resolve conflicts between the Circuits, following closely to statutory language.

    Fourth Estate Pub. Benefit Corp. v. Wall-Street.com, LLC.

    In the first ruling, Fourth Estate Pub. Benefit Corp. v. Wall-Street.com, LLC., the Court clarified the Section 411(a) registration standard for filing infringement actions. “Registration” in advance of an infringement provides the opportunity to seek damages for past infringement as well as the infringer’s profits. In Fourth Estate, the Court resolved a dispute among circuits, where the Tenth and Eleventh Circuits held that complete registration of a work was required, and the Ninth Circuit (along with the Fifth Circuit) held that receipt by the Copyright Office of a complete application satisfied the registration requirement (See Cosmetic Ideas, Inc. v. IAC/Interactivecorp, 606 F.3d 612, 616-17, 621 (9th Cir.)).

    In Fourth Estate, the Court held that the only satisfactory reading of the Section 411(a) language “…no civil action for infringement of the copyright in any United States work shall be instituted until preregistration or registration of the copyright claim has been made…” requires registration of the copyright.

    The Copyright Office has a procedure for “expedited registration,” which can be requested on the grounds that litigation is imminent. The expedited procedure generally speeds the registration process up from several months to a few weeks. But it’s not cheap: There is a special handling fee of $800.

    Rimini Street, Inc. v. Oracle USA, Inc.

    In Rimini Street, Inc. v. Oracle USA, Inc., the Court held that the Copyright Act’s provision for a discretionary award of “full costs” means all costs enumerated in the law and does not allow courts to award costs beyond the categories provided in the general “costs” statute (28 U.S.C. Sections 1821 and 1920). This means that prevailing parties in copyright actions cannot recover non-taxable legal fees, such as expert witness costs. Writing for the Court, Justice Kavanaugh said: “Full costs’ are all the ‘costs’ otherwise available under law. The word ‘full’ operates in the phrase ‘full costs’ just as it operates in other common phrases: A ‘full moon’ means the moon, not Mars. A ‘full breakfast’ means breakfast, not lunch.”

    The Takeaway

    Owners of copyrighted content should think ahead and not wait to encounter infringement before applying to register works. When you create valuable content, you should have a regular registration program. Applying to register copyrights is fast and easy, and we’re always here to help.

    For further information, contact Intellectual Property attorney Karen Frank (kfrank@coblentzlaw.com).


    Fourth Estate Pub. Benefit Corp. v. Wall-Street.com, LLC
    , 586 U.S. ___ (2019)
    Rimini Street, Inc. v. Oracle USA, Inc., 586 U.S. ___ (2019)

  • Update on SF Planning Department’s Streamlined Review Procedures for Development Projects

    In February, the San Francisco Planning Department issued the first quarterly performance report for implementation of its Process Improvements Plan, a program intended to overhaul the project review process.  The Plan first took effect in June 2018 in response to an Executive Directive from the Mayor’s Office to reduce approval timelines and remove administrative barriers to housing production.  According to the Department’s quarterly progress report, the Department met its deadline for two-thirds of Preliminary Project Applications (PPAs) and 79% of Project Applications, with approximately 48% of projects receiving a Plan Check Letter within 90 days.

    The Plan includes two main components.  First, for large projects, the Plan shortens the target review time for PPAs from 90 days to 60 days, and requires the Department to provide feedback to developers on the level of review required to obtain approval.  Second, the Plan includes a new Project Application, which consolidates the environmental and project information into a single document.  The new Project Application requires that project sponsors provide information earlier in the process regarding issues such as historic preservation, hazardous materials, and air quality.  The Planning Department expects this to facilitate early scoping of environmental review and entitlements.

    The Department is required to make a determination of completeness within 30 days following submittal of a Project Application.  Once the Project Application is deemed complete,  the Planning Department has  90 days to issue a Plan Check Letter to the developer documenting any open issues.  Pursuant to the Executive Directive, the Department must complete a streamlined environmental review of proposed housing projects within specified timeframes after a stable project description has been established.  If review under the California Environmental Quality Act (CEQA) is not required, the Department must render an entitlement decision within 6 months.  For housing projects, streamlined review for CEQA projects must meet new target timeframes of 9, 12, 18, and 22 months for, respectively, categorical exemptions, negative declarations, Environmental Impact Reports (EIRs), and complex EIRs.  The Directive also calls for the issuance of all permits and other post-entitlement approvals required for commencement of construction on large-scale housing development projects within a year after submission of a complete application. The Department expects to launch a new online portal in the spring, which will allow developers to submit the Project Applications, payment, and other materials electronically.

  • The California Consumer Privacy Act Is Coming. Is Your Business Ready?

    The California Consumer Privacy Act of 2018 (“CCPA”) was signed into law by Governor Jerry Brown on June 28, 2018, and goes into effect on January 1, 2020. The CCPA gives significant new data privacy rights to California residents with respect to their personal information that is collected and maintained by companies doing business in California. Even if you are compliant with current privacy laws, you must consider how the CCPA may affect your business. And, if you have not already started steps for compliance with the CCPA, now is the time.

    Businesses cannot afford to wait until next year to think about or prepare for the wide-ranging impacts of this new law. Specifically, affected businesses need to: (1) decide now whether they will or will not sell personal information to third parties (and analyze any modifications to business services that may be required if they will not (or cannot) sell such information); (2) update websites and privacy policies with required information disclosures; (3) ensure that sufficient systems, processes, and resources are in place to respond to consumer requests for access to or deletion of their personal information and required disclosures; and (4) analyze and adjust any contracts with service providers that may be necessary to ensure compliance with the law.

    Does The CCPA Affect Your Business?

    Unless you conduct business operations wholly outside of California (including having no online presence in California), the CCPA probably applies to your business. The CCPA applies to all businesses – regardless of location – that conduct business (including online sales) in California and collect personal information from California residents if at least one of the following thresholds are satisfied:

    • Gross annual revenues in excess of twenty-five million dollars ($25,000,000)
    • Collection of personal information from 50,000 or more California residents, households, or devices annually
    • Fifty percent (50%) or more of annual revenues are derived from selling consumers’ personal information

    For some businesses, this is an easy determination. But even if you do not believe your company meets these thresholds at first glance, you may want to give this further consideration. For example, because “personal information” under the CCPA is defined broadly enough to encompass essentially every piece of information related to a California resident or household, information such as IP addresses that are collected merely from website visits constitutes collection of personal information under the CCPA. Therefore, even putting aside what personal information your business collects from customers, employees and other California residents in the course of its transactions and operations, if your business has a website accessible to California residents, you are likely to exceed the 50,000-resident annual threshold, and your company must likely comply with the CCPA.

    What Are Your Obligations Under The CCPA?

    The CCPA provides the following privacy rights to California consumers:

    • Right to know what personal information is collected about them
    • Right to know whether their personal information is sold or disclosed to third parties
    • Right to opt-out of the sale of their personal information
    • Right to access portable copies of their personal information
    • Right to request deletion of their personal information
    • Right to equal service and pricing even if they exercise their privacy rights under law

    This will require, among other things, that businesses:

    1. Disclose to consumers – at or before the point of collection – the categories of personal information collected and the business purposes for such collection. Businesses must also disclose on their websites and in their privacy policies the categories of personal information they sell or disclose for a business purpose, or must provide a statement that they do not sell or disclose such information.
    2. Have sufficient data mapping and inventories of the personal information they collect about California residents (and their households and/or devices) and internal processes and resources in place to be able to respond (within 45 days) to requests for access to or deletion of personal information submitted by consumers.Access requests require that a business provide consumers with: (1) the categories of personal information collected; (2) the sources from which that information is collected; (3) the categories of personal information sold or disclosed and the categories of third parties to whom it was sold or disclosed; and (4) the specific pieces of personal information the business has collected about the requesting consumer. Businesses must also disclose and make available various methods to consumers for making such information requests (including by toll free phone number, website, etc.) and train their employees to handle such requests properly.
    3. Determine whether the business is (either intentionally or unintentionally) “selling” personal information as defined by the CCPA and either make adjustments to stop selling that information or make required disclosures on their website pages and privacy policies stating that they are selling personal information and notifying and enabling consumers to “opt out” of such sales.In this respect, compliance with the CCPA may require a “Do Not Sell My Personal Information” link on the website homepage. Because the CCPA defines “selling” information as any disclosure for valuable consideration, businesses should also consider whether adjustments need to be made to their vendor/service provider relationships and contracts to ensure that personal information is not unintentionally being “sold” as defined by the law. Additionally, businesses must ensure that they are not collecting any personal information from individuals under the age of 16 without affirmative “opt in” consent of the consumer (if between ages 13-16) or a parent/guardian (if under age 13).
    4. Consider adjustments to business models or services offered (i.e., paid vs. free services) based on the inability to sell certain consumers’ information and the inability to discriminate against consumers who exercise their privacy rights.
    5. Consider changes to internal policies regarding employee rights and understand the impact that new privacy rights of employees under the CCPA will have on the business. The CCPA does not distinguish between California residents in their roles as consumers, employees, patients, etc. Thus, employees have all the rights granted to any other “consumer” under the law, including rights to request access to and deletion of their personal information, rights to opt-out of the sale of their personal information, and a private right of action if their personal information is breached, among others. While employers may have a valid business reason to justify denying deletion requests during the period of employment, employees may request access to their confidential personnel files or other HR records about them and, without further clarification or amendment to the law, such information would presumably need to be provided. At a minimum, employees will need to be notified at or before the point of collection of any of their personal information and any internal policies should be updated to include disclosures of employee rights under the new law.

    What Are The Penalties For Non-Compliance?

    Businesses that fail to comply with the CCPA are subject to civil penalties in actions brought by the California Attorney General in amounts of $2,500 for each unintentional violation, or $7,500 for each intentional violation.

    The CCPA also gives a private right of action to any California resident whose personal information is subject to a data breach and allows such residents to recover between $100-$750 per resident and incident, or actual damages, whichever is greater. The availability of statutory damages resulting from a data breach should provide significant incentives for companies to increase and improve their data security practices and breach response plans and procedures. Additionally, current state legislation is under consideration that would expand this private right of action to the violation of any provision of the new law.

    Questions?

    The above summary of the CCPA is a very high-level discussion of the duties and obligations businesses have under the new law and does not constitute legal advice with regard to compliance with the CCPA. There are many additional details and rights, as well as defenses and exemptions, to take into account in assessing what steps your business may need to take to comply with the CCPA. Please contact Litigation and Data Privacy partner Scott Hall at shall@coblentzlaw.com or 415.772.5798 to discuss additional questions or details and to determine how we can help your business be prepared for the CCPA.

    Click here to download or print a PDF of this alert.

  • Connected Buildings, Connected Things and Security Concerns

    Originally Published in the Daily Journal, February 14, 2019.

    Is your “smart building” connected? Is your high-tech office, residential building or entertainment facility, with embedded sensors, wireless networks, remote monitoring devices and internet-capable security cameras, now just another “thing” connected to the global “Internet of Things”? Does embedding internet-connected devices within a building infrastructure impose enhanced “cybersecurity” requirements on developers, owners, architects, contractors or other building stakeholders? Do any of those stakeholders have affirmative obligations to mitigate the potential for breaches, hacks or misuse of embedded devices? While, perhaps, an odd question, the “connectedness” of buildings, cars, and other “objects” requires renewed consideration of security protocols and practices in light of evolving laws, changing commercial expectations and the potential implications for ubiquitous connected “things.”

    California recently passed the first state law imposing security requirements on “connected devices.” The law, effective Jan. 1, 2020 (to be codified at Title 1.81.26 of Part 4 of Division 3 of the California Civil Code), requires manufacturers of internet-connected devices (with exceptions for federally regulated and health care-related devices) to equip them with “reasonable security features.” While ostensibly applying mainly to “off-the-shelf” wireless devices, like security cameras, thermostats and similar products with which consumers are fairly familiar, the definition of “connected devices” goes beyond the plain English. Under the new statute, “connected devices” also include any “other physical object” that is “capable of connecting to the Internet, directly or indirectly,” and that is assigned an IP address or Bluetooth address. What might that broader definition capture, with nearly every physical object today embedded with wirelessly enabled electronics that permit the exchange of data through the internet? Refrigerators, toasters, coffee makers, smoke detectors, vacuum cleaners, door locks, electricity meters, and, indeed, even formerly “static” buildings, cars and trains all come today with an embedded capability that enables them to interact with the internet. And, of course, the ability to connect with the internet offers hackers the opportunity to enter those objects, to control those objects, to lock-down those objects, to extract data from those objects and to move from connected object to connected object within a network. In April 2016, internet users in Europe and North America experienced that susceptibility when a distributed denial of service attack against Domain Name System provider Dyn, Inc., which manages web addresses and routes internet traffic, resulted in several hours of extensive network outages. The malware responsible for that attack infected the Dyn network, and overwhelmed its servers, by taking control of nearly 150,000 connected devices, including wireless security cameras, lightbulbs and baby monitors. Experts suggested that the attack had been initiated by a lone disgruntled gamer upset with the Sony PlayStation game network.

    The international research and advisory firm Gartner, Inc. estimates that by 2020, there will be 25 billion or more connected devices. PricewaterhouseCoopers estimates that nearly $6 trillion will have been spent by businesses and consumers between 2014 and 2020 on hardware, software and connectivity solutions for the Internet of Things. IDC Corporation predicts that the Internet of Things marketplace — software, services, hardware and connectivity — will reach $1.7 trillion in 2021. By all measures, the number and types of connected devices will increase exponentially and proliferate even faster. The cost of electronics components will continue rapidly to decline and components will continue to get smaller. Wireless speeds and network coverage will continue to improve, with next generation “5G” wireless networks nearly ready for commercial deployment. The collection, transmittal, storage and analysis of terabytes and terabytes of data through internet-enabled objects will continue to accelerate. The new California law, whether, intentionally or otherwise, demands that a broader cross section of stakeholders assume responsibility for, or, at least, consider the implications of lax, or non-existent, security within connected devices and objects.

    Who qualifies as a “manufacturer” of an internet-connected object under the new statute? It seems rather uncontroversial to suggest that a “car” is today a connected device and that the automobile manufacturer has likely assumed a responsibility, legal and otherwise, for the design, manufacture and security of its wirelessly enabled, and potentially “hackable,” transportation platform (that responsibility to the public stands independent of possible reimbursement claims the car manufacturer may have through customary third party indemnification arrangements with specific component manufacturers). Does a building owner, developer, architect or construction firm face similar questions regarding a networked facility that it has helped to create?

    The statute applies to the “manufacturers” of “connected devices” and “connected objects” that are sold or offered for sale in California. If a building, entertainment facility or sports arena is wirelessly enabled with embedded sensors, cameras and other internet-capable objects that are designed with input from a developer or construction firm, and built to owner specifications, might that developer, owner or construction firm qualify as the “manufacturer” of a physical object — the building, the arena, a room, a space, an office — that exchanges data with the internet?

    Connected physical objects are required to have “reasonable security features” that are “appropriate to the nature and function of the device,” appropriate to the “information” that the device may collect and transmit, and designed to protect the device from “unauthorized access.” “Appropriateness,” as a legal standard, should be expected to evolve and should remain a constant source of inquiry. Beyond an overarching set of security principles, the statute provides that preprogrammed passwords unique to a device or features that require a user to create a new means of authentication before the device is first accessed will constitute “reasonable security features.” But even if preprogrammed passwords or other authentication measures are implemented, the “appropriateness” of those measures to the nature and function of a particular device or object will remain subject to further consideration.

    The California statute does not create a private right of action. It limits enforcement to the “Attorney General, a city attorney, a county counsel, or a district attorney.” But while enforcement may initially be restricted, the effects of the statute, especially as the first of its kind in the nation, will no doubt be broad and the bar it establishes for security practices involving connected “things” will no doubt rise. If it seems a stretch to cast a building developer, owner or construction firm the “manufacturer” of a “connected object,” the underlying legislative intent is clear — turning an intentional or unintentional “blind eye” toward cybersecurity protections for connected objects is unacceptable. Expectations have evolved; standards and practices will need to catch up.

    The California statute, directly and indirectly, demands that anyone placing a connected object in the market for use by consumers or businesses undertake a critical security assessment of that “thing.” With a statutory security framework for connected devices taking hold in 2020, and a heightened societal awareness occurring in parallel, is it, or will it become, “negligent” to design or install an embedded sensor network without appropriate security features? Are there, or will there arise, express or implied warranties regarding the security of embedded devices and sensors or wireless networks within newly constructed facilities? How far and wide among the engineering and construction stakeholders associated with a new building or facility will those warranties and obligations extend? Do legacy construction and design contracts effectively address responsibility for connected security? Will questions of device security eventually inform issues of occupant safety and habitability when, for example, sensitive network data or personally identifiable information is stolen, when internet-ready cameras are turned by hackers into voyeuristic tools, when ambient sensors are used to disrupt building cooling and heating systems or when medical refrigerators are remotely disconnected causing essential medicines to spoil? Did the builder, owner, construction manager, facilities operator or other vendors properly consider appropriate security features to incorporate into their connected object during the design or “build” stage? Whether the new California statute is applicable on its face or not, and whether it affords a private claim or not, the statute, if nothing else, requires anyone creating or developing an internet-connected platform, or making available a connected object, to consider and think proactively about the features and measures necessary to ensure appropriate security for the platform and objects they intend to interact with the Internet of Things.

    Click here to download a PDF of this article.

    Categories: Publications
  • Tech is Bringing Changes to Construction

    Originally Published in the Daily Journal, February 7, 2019.

    Digital technologies are disrupting the construction industry, which has been a notable laggard in technology adoption. For an industry that until recently has relied primarily on hardcopy versions of blueprints, excel spreadsheets to schedule subcontractors and track inventory, and old fashioned measuring tape to ensure the proper fit of building materials, the times “they are a changing’,” and quickly, as the song goes. And those changes demand new legal perspectives and more contemporary assessments of legacy agreements and contractual frameworks.

    Sponsors and participants in new development projects have the opportunity to integrate new and emerging hardware and software technologies that will enhance productivity and increase visibility into the construction and development process, building performance and management, ongoing maintenance and future repair. Mobile applications can now deliver real-time, on-site access to digitized blue prints, punch lists, field progress reports and related data. Software platforms can enable online project bidding, vendor qualification, real-time inventory management and cost tracking. Building Information Modeling can provide 3-D digital representations of the physical and functional characteristics of facilities to architecture, engineering and construction professionals, eliminating future “guesses” about the location of mechanical, electrical and plumbing systems when maintenance is required. 3-D printing can allow onsite casting of concrete and steel objects, reducing transport and storage costs. Advanced building materials can enable the introduction of new building functionality and offer improvements in realizing sustainability objectives. Drone technology can permit remote inspection, measurement and monitoring of critical infrastructure assets, including dams, bridges and distant roadways. Embedded sensors can monitor and wirelessly report stress loads on building infrastructure. Modular construction and pre-fabrication techniques can compress project timelines, mitigate waste, reduce rework requirements and enhance coordination among subcontractors. Artificial intelligence and machine learning will offer further automation and potential efficiencies to industry participants.

    The global construction industry accounted for about 13 percent of global GDP in 2013 and is expected to increase to nearly 15 percent of global GDP by 2020, representing trillions of dollars of investment. Despite the significant percentage of global GDP generated by the construction industry, the World Economic Forum reported that between 1964 and 2012, U.S. non-farm business labor productivity increased by 159 percent compared to a decrease in labor productivity of 19 percent in the construction industry over the same period. In 2015, the McKinsey Global Institute noted that the construction industry was second to last, above only “agriculture and hunting,” of the 24 industries it surveyed in the use and adoption of digital technologies. These statistics suggest not only the immediate need for the construction industry rapidly to accelerate its adoption and use of new (and, in many cases, now readily available) technologies, but confirm the tangible opportunities that exist within the sector to improve efficiencies, to improve safety and to increase return on investment.

    While adoption of new technologies has been slow, the venture community has recently identified a significant opportunity within the construction sector. Investment in construction technology start-ups increased from about $4.5 million in 2008 to nearly $1.5 billion in 2018. Similarly, merger and acquisition activity has risen substantially. At the end of 2018, Autodesk Inc., a leading software services provider for the architecture, engineering and construction industries, spent more than $1.0 billion to acquire just two construction technology start-ups with relatively modest revenue streams. Venture investment, technology adoption and acquisition activity will continue to accelerate in 2019 and beyond. Increased digitization of project plans and construction-related information; increased availability and collection of construction-generated data; increased access to project analytics; increased industry transparency; increased use of advanced materials; and increased retention and dissemination of industry “know-how” — these and other advances made possible through the use of construction-focused technologies are fundamentally and forever changing expectations and outcomes for all stakeholders within one of the world’s oldest industries.

    But, as those expectations and outcomes evolve, industry participants need to reconsider legacy contract terms, standards of performance and the implications for risk allocation. Contractors, vendors, architects, designers, financing sources and other constituencies must assess how, or whether, possible disruptions or failures of newly-adopted technologies have been effectively addressed in “off-the-shelf” forms of project agreements used for decades. They must evaluate how the use of these technologies may have influenced professional practices and how they are influencing expectations regarding the standards of professional conduct and care moving forward. Risk assessment and risk allocation, considered in the light of fundamental changes in business practices brought about by technology, must become an essential predicate to the design and planning stages of construction projects, and not simply an afterthought. Contractual pass-through provisions, like those routinely imposed by prime contractors on subcontractors, must be reevaluated to assess the varied effects that new technology solutions may have within the traditional construction ecosystem and on its participants.

    What happens if a third-party software platform used to manage project scheduling, purchasing and inventory tracking suddenly crashes? Who is responsible if the platform stops working and construction comes to a halt, results in unforeseen delays or causes vendor payments to be missed? Who provides software platform support and to whom? What happens if blueprints that have been digitized become suddenly inaccessible or have inaccuracies? What happens if those digitized blueprints, or other digitized project information, is taken “hostage” through a ransomware attack and cannot be accessed for an extended period? Does construction stop? Do contractors need to obtain cyber insurance as the tools of their trade transition to the “cloud”? If project management software collects vendor data, where is that data stored and who “owns” the data? Since project “metadata” may offer valuable insights into regional purchasing trends and labor activity, among other things, who, if anyone, can mine and “monetize” that data during and after the project?

    Technology adoption will also inevitably affect the post-construction phase. Connected devices are being embedded in new buildings to record performance loads and torque levels, to adjust room temperatures, to turn lights on and off based on the presence of tenants and even to change the tint of exterior windows as the day progresses. Embedded sensors are transitioning formerly static facilities into software platforms that will collect, analyze and store real-time data generated by both the building and its tenants. As sensor and similar technologies proliferate, owners, facilities managers, construction firms and other stakeholders must also consider the privacy, reliability, usability and related issues that will arise. Has patent indemnification coverage flowed through to protect a building owner sued for an alleged infringement tied to embedded sensors? If an in-building network is hacked, how is responsibility allocated among the manufacturers, installers, owners, managers and users of the network? To whom were relevant representations and warranties made with respect to the affected technologies? Were there third-party beneficiaries of licensed technologies employed in the construction process?

    As digital technologies take hold within the construction industry, prudence requires a reassessment of legacy agreements and legal arrangements. Contracts that fail to account for the use, integration and permanence of advanced technologies, or that fail to reflect the terms, conditions, conventions and practices of the technology sector, are likely to result in undesirable or unanticipated allocations of project risk. The issues associated with increased adoption of construction-related technologies are not unique. Rather, they require the rethinking of traditional business methods and practices among industry participants through the lens of a technology user. And, they raise the need for heightened sensitivity, and indeed awareness, to the implications of technology adoption, to the terms on which technologies are purchased, licensed and used, to the ways in which technologies are integrated into industry processes and to the varied effects that these technologies may have, directly or indirectly, on construction industry stakeholders.

    Click here to download a PDF of this article.

    Categories: Publications
  • Another Warning Shot on Employee Nonsolicit Agreements

    By Fred Alvarez and Laura Seegal. Originally Published in the Daily Journal, February 6, 2019.

    It’s time to take another hard look at whether it’s worth it for employers to ask their departing employees not to recruit anyone away after they leave. Nobody wants their former employees to raid the ranks of their current employees, but they don’t want to be forced to defend an unfair competition lawsuit in California either. By the same token, nobody tempted to recruit their former colleagues wants to be sued for breach of contract or to have their new employer sued for interference with contractual relations. The need to balance those risks is becoming ever more acute.

    Up until the 2008 California Supreme Court decision in Edwards v. Arthur Andersen LLP, 44 Cal. 4th 937, California employers routinely and comfortably relied on the 1985 Court of Appeal decision in Loral Corp v. Moyes, 174 Cal. App. 3d 268, to justify including employee nonsolicitation clauses in employment and severance agreements. (Applying a rule of reason analysis, the Loral court enforced an employee nonsolicitation covenant because it did not significantly restrain trade so as to run afoul of California Business and Professions Code Section 16600.) Those provisions typically prevent employees who have left their employment from recruiting current employees of their former employer to work elsewhere.

    In Edwards, the court invalidated a noncompetition agreement that contained both noncompete and customer nonsolicitation clauses on the basis that Business and Professions Code Section 16600 unambiguously prohibits all restraints on trade, without regard to reasonableness. Though the agreement at issue in Edwards also contained an employee noncompetition clause, the plaintiff had not specifically challenged it. Therefore, despite the California Supreme Court’s sweeping rationale in Edwards, many employer-side attorneys continued to “whistle past the graveyard” on employee nonsolicitation clauses. Similarly, many employee-side attorneys had to urge caution to their clients who had signed nonsolicits but were anxious to bring former colleagues to their new ventures. Moreover, until recently no definitive Court of Appeal decision existed to compete with Loral. For these reasons, many employers routinely continue to include employee nonsolicitation clauses, just as they did before Edwards. Two recent developments have made reliance on Edwards’ silence as to employee nonsolicits a little more treacherous for employers — and a little less scary for ex-employees.

    At least one Court of Appeal case, and some commentators, have assumed or even suggested that the Edwards rationale would logically encompass employee nonsolicitation clauses. Yet, the decision of the 4th District Court of Appeal in AMN Healthcare, Inc. v. Aya Healthcare Servs., Inc., 28 Cal. App. 5th 923 (2018), brought the fight directly to Loral. In AMN, the Court of Appeal ruled that an employer could not enforce its employee nonsolicit against former company recruiters, after finding that the clause would effectively prevent the recruiters from performing their jobs in violation of Section 16600. The AMN court went to some lengths to illustrate that the analysis and rationale in Loral were not compatible with the Supreme Court’s approach to Section 16600 in Edwards. It then boldly concluded that “We thus doubt the continuing viability of [Loral] post-Edwards.”

    Employer attorneys looking to continue relying on Loral have harbored some hope that the particular facts in AMN — recruiters who could no longer practice their profession of recruiting — would help keep Loral on some solid ground despite its negative treatment in AMN. That hope was confronted with a dose of harsh reality in the recent decision of Barker v. Insight Glob., LLC, No. 16-CV-07186-BLF (N.D. Cal. Jan. 11, 2019). In Barker, Northern District Judge Beth Freeman, applying California law, reversed a decision she had made several months earlier in which she relied on Loral to dismiss a frontal attack on an employee nonsolicit. According to Judge Freeman, AMN was “a change in law warranting a fresh look and changed outcome” that now justified her denial of summary judgment in favor of an employer who sought to enforce an employee nonsolicit. In reaching this decision, Judge Freeman made two key points: (1) The particular facts in AMN — recruiters who could no longer recruit — did not limit AMN’s holding that Loral was no longer viable, and (2) the analysis in AMN was more persuasive than that in Loral.

    There is no doubt that the AMN decision arose from facts that placed the employee nonsolicit in a particularly harsh light, and that Barker is merely one federal judge’s opinion about a long-standing proposition in California nonsolicit law. Yet, employers who continue to use employee nonsolicits would be well-advised to take heed. Of course, it is also true that until the California Supreme Court definitively overrules Loral, a good faith basis will continue to exist to support the routine usage of employee nonsolicits. On the other hand, with two courts now clearly rejecting the approach and making explicit the contention that Loral’s rationale does not survive Edwards, the risks of business as usual are more tangible than ever.

    Employers should now anticipate that more employee-side attorneys will look critically at routinely imposed employee nonsolicits and that they will make litigation calculations about whether they are willing to undertake a direct challenge to those clauses based on California’s Unfair Competition law and other theories under California law. Indeed, the challenge in Barker was brought as a purported class action on behalf of all employees who had ever signed or been presented with an employee nonsolicit. Correspondingly, employers will need to assess whether these clauses are truly worth the risk that more courts will follow what could become an anti-employee nonsolicit parade following the AMN and Barker cases.

    Click here to download a PDF of this article.

    Categories: Publications
  • Partnerships and LLCs Need to Revise Their Agreements to Address New Audit Procedures

    In August 2018, the U.S. Department of the Treasury issued final Regulations concerning the qualifications, designation, authority, and resignation of the required Partnership Representative under the new Centralized Partnership Audit Regime.[1] The rules are effective for tax years beginning after December 31, 2017 and apply to all partnerships and LLCs taxed as partnerships, although certain partnerships and LLCs may elect out of the regime to continue to be audited under the former rules. The option to elect out of the regime is limited to partnerships having 100 or fewer partners with individuals or corporate partners only (any partnership or LLC with a trust or a disregarded entity as a partner/member cannot elect out). Partnerships and LLC’s taxed as partnerships both will be referred to in this letter as “partnerships.”

    Under the new partnership audit regime, the IRS can make an audit change to a partnership’s tax return and assess the tax against the partnership instead of the partners. This could result in the partnership paying additional tax for a prior year adjustment even though there are different partners or different ownership interests in the current year than in the year that was audited. As discussed, partnerships need to amend their agreements to address this and other partnership audit issues.

    In addition, the new regime replaces the former “Tax Matters Partner” with a “Partnership Representative” (“PR”), but provides much greater authority for the role of the PR. Importantly, the PR has the sole and binding authority over all matters of the partnership before the IRS in audits under the Bipartisan Budget Act of 2015 (BBA). The partnership must designate the PR each year on its filed tax return for all tax years beginning after 2017. For a calendar year Partnership/LLC this would be its 2018 tax return, so this issue needs prompt attention.

    Authority of the Partnership Representative in Centralized Partnership Audit Regime

    The PR has the “sole authority to act on behalf of” the partnership. Other than the PR or designated individual for a PR that is an entity, no partner or other person may participate in administrative proceedings without permission by the IRS.[2] However, the rules are not intended to prohibit partnerships from using state law to limit the authority of the PR. Therefore, partnerships and LLCs should review and amend agreements carefully to tailor the duties and authority of the PR.

    Designation and Eligibility of the Partnership Representative

    Every partnership must designate a PR for each separate taxable year. There may only be one designated PR for a partnership taxable year at any time, and the designation will remain in effect for that year until terminated by resignation, revocation, or a determination by the IRS that a designation is not in effect. If a partnership fails to designate a PR, then the IRS will designate one for the partnership.[3] When designating a PR for the partnership, the IRS may designate anyone except an IRS employee, unless the IRS employee is a partner in the partnership or was a partner in the partnership for the year under audit.[4]

    The PR need not be a partner or member of the entity. Any person or entity who meets the requirements in the Regulations may serve as the PR, even the partnership itself. If an individual is designated as PR, the person must have a “substantial presence” in the United States, which exists if (1) the person makes itself available to meet in person with the IRS, and (2) the person has a United States taxpayer identification number, a street address located in the United States, and a telephone number with a United States area code. If an entity is designated as the PR, there must be a “designated individual” appointed to act for the partnership at the time of designation, and the individual must meet the substantial presence requirements for an individual PR.[5]

    Resignation, Revocation, or Determination by the IRS that a Designation is Not in Effect

    Resignation. A PR or designated individual of an entity PR may resign by notifying the partnership and the IRS in writing of the resignation, but may not appoint a successor PR or designated individual.

    Revocation. The partnership may revoke a PR designation for a tax year for any reason by notifying the PR and the IRS in accordance with applicable forms and instructions, but the partnership must designate a successor PR. However, the flexibility for revoking a PR designation is limited where the PR has been designated by the IRS.

    IRS Determination that a Designation is Not in Effect.  The has the authority to determine that a PR designation is not in effect in situations including: the IRS becoming aware that the PR or designated individual does not have a substantial presence in the U.S., the partnership failing to appoint a designated individual of an entity PR, the partnership failing to make a valid designation of a PR, and the PR or designated individual resigning. Until a termination, resignation, or revocation is in effect, the PR’s authority to bind the partnership remains unaffected.[6] Therefore, a partnership will want be sure that the particular requirements for a valid resignation are followed.

    Push-Out Elections

    Partnerships and LLCs may make a “push-out” election to transfer the liability for underpayments from the partnership itself to those who were partners during the year being audited. The economic effect of this election may be material in situations where the ownership of the partnership may change from year to year.

    Amendments to Consider in Partnership and LLC Agreements

    Partnerships and LLCs taxed as partnerships should consider amending agreements to account for how the new rules might affect the liability of partners in the audit year and the prior year, and due to the amount of power vested in the PR, should specifically address the obligations and limitations on the PR’s authority. Amendments to agreements will vary, but items that should be considered include:

    • The conditions for making the opt-out election (the election to opt out of the new regime) and push-out election (the election to cause audit adjustments to be allocated to those who were partners in the year under audit), and maintaining eligibility for making these elections;
    • Indemnification by former partners if partners become liable for any tax, penalties, or interest that effectively pertain to a former partner with respect to a prior year;
    • The manner and method of appointing and removing the PR;
    • The PR’s fiduciary duties to the other partners, if any;
    • The PR’s duties to notify and keep informed the partnership and the partners of any matters relating to its authority under the new rules;
    • Extending the PR’s duties beyond the year of designation until the statute of limitations for such year has run; and
    • Limiting the PR’s authority, such as by requiring cooperation with the partners prior to any settlement with the IRS.

    This is not an exhaustive list, and new amendments will vary based on the needs of each partnership or LLC. Partnerships and LLCs should carefully review and amend their agreements to address the new audit procedures.

    For more information, contact Coblentz Tax Partner Jeff Bernstein at jbernstein@coblentzlaw.com.

     

    [1] See Treas. Reg. §§ 301.6223-1 and 301.6332-2.

    [2] Treas. Reg. § 301.6223-2(d).

    [3] Treas. Reg. § 301.6223-1(c) and (f).

    [4] Treas. Reg. § 301.6223-1(f)(5).

    [5] Treas. Reg. § 301.6223-1(b).

    [6] Treas. Reg. § 301.6223-1(d) – (f).

    Categories: Publications