• Five Lessons All Companies Can Learn From The Equifax Data Breach

    Authored by Scott C. Hall and David (Duff) Beach.

    The Equifax data breach has dominated news headlines for weeks, and Equifax will be dealing with the legal and financial fallout from the breach for many years.  While many companies may be relieved not to be in Equifax’s position right now, no company is immune to data breaches.  Those who fail to learn key lessons from Equifax’s mistakes may find themselves in the next headline.  Accordingly, companies in every industry, and of every size, that maintain any type of sensitive personal data—whether it be of customers, employees, or data maintained on behalf of others—should study the Equifax situation and ensure that they are better prepared for a data breach incident.

    1.  Everyone (yes, everyone) will experience a data breach. 

    When it comes to data breaches, the question is not if, but when.  This makes the more important question: how will you respond?  Data breaches do not only result from malicious hackers or phishing scams.  They can occur when employees inadvertently access and/or mistakenly share personal data.  They can occur when company laptops, flash drives, or even personal phones or tablets that contain company data, are lost or stolen.  These kinds of events occur in every company in every industry.  As a result, everyone needs to prepare to respond.  Indeed, the manner in which Equifax handled this most recent data breach—including: (1) the several weeks that elapsed before notifying affected individuals, (2) the executives who sold stock during the period between discovery of the breach and notifying the public, and (3) the company’s offer to provide credit monitoring services to affected individuals, but only in exchange for a waiver of certain legal rights against the company—indicates that Equifax was not sufficiently prepared to deal with this kind of data breach.

    Every company should have a basic data breach response plan in place that at a minimum identifies who (among IT, HR, business operations, public relations, and other personnel) will respond to the breach, what their respective roles will be, and who will be the ultimate contact point and decision-makers with respect to the response.  The plan should also include a timeline and enumerated steps to follow regarding discovering the scope of the breach, investigating the cause, remedying or mitigating the breach, notifying affected individuals, and contacting law enforcement as necessary.

    Because of the widely publicized nature of Equifax’s data breach, as well as other recent high-profile data breaches, no company will get a “free pass” or be able to argue that they had no idea a data breach could happen to them.  In effect, these high-profile breaches put everyone on notice that data security must be a priority for all.  Any company that chooses to put its head in the sand does so at its own (certain) risk.

    2.  Act quickly to show affected individuals that you are trying to protect them.

    In responding to data breaches, time is of the essence.  Many have criticized Equifax for waiting until early September to notify affected individuals of a data breach it discovered in July.  Most state data breach notification statutes require that a company disclose a data breach “in the most expedient” time possible, without further clarification about what that means.  The minimum amount of time specified under state laws that contain specific time periods for notification is generally either 30 or 45 days from discovery of the breach.

    In light of these general standards, Equifax’s timing for notification to individuals may not have constituted an improper or unlawful delay as a matter of law.  After all, it takes some time to investigate what happened, confirm what data was breached, and implement remedial measures. And, as a company responding to a data breach, you do not want to rush to publicize inaccurate facts that you later have to correct.  However, as a practical matter, 6 weeks is a lengthy period of time for sensitive personal information to be exposed without notifying affected individuals—and as the response to Equifax shows, many people believe this kind of delay is unreasonable, regardless of the legal standards.  Thus, while a company needs time to investigate the incident and communicate accurate facts to those affected, all companies should seek to notify those whose information has been compromised sooner rather than later.

    3.  Take actions that demonstrate that you are genuinely attempting to remedy the problem.

    Data breaches happen.  They will continue to happen.  And the public generally understands that not every data breach, especially a hacking attack, can be prevented.  However, when a data breach occurs, affected individuals want to know that the company is doing everything in its power to protect them, not itself.  Equifax added insult to injury when it offered to enroll affected consumers in free credit monitoring services—something required under at least some state data breach laws—only if consumers agreed to waive certain legal rights against the company.  Unsurprisingly, this did not go over well in the court of public opinion.  And, while Equifax has since agreed to provide credit monitoring without these legal restrictions, the reputational damage has already been done.

    Ultimately, the legal fallout from any data breach will be what it will be based on the circumstances and whether the company had reasonable protections in place.  But reputational harm may damage the company as much or more than the legal process.  The best thing a company can do in the wake of a breach is to diligently correct its data security weaknesses and work with affected individuals to minimize the scope and harm caused by the breach.

    4.  Consider what sensitive personal data you maintain or need to maintain and how to safeguard it.

    It is a rare company that holds no sensitive personal data.  While credit reporting companies like Equifax have more sensitive information than most, all companies have some kind of personal data—in the form of customer or employee social security numbers, financial account numbers, or other information—that triggers data breach notification requirements.  All companies should, at a minimum, know the types of personal information they maintain, how and where it is stored, who has access, and whether it is sufficiently secured.  Companies then need to consider: (1) whether they truly need all the personal information they have and (2) whether such personal information can be separated, encrypted, or otherwise safeguarded to minimize the accessibility of such information or its usefulness if improperly accessed or exposed.

    5.  Consider cybersecurity insurance and other professional services.

    While every company will at some point experience a data breach incident, the potential risk largely depends on the type and volume of sensitive personal data a company maintains.  For those companies where there is a real possibility of significant financial injury if a data breach were to occur, cybersecurity insurance is something to consider.  Many companies elect not to carry cybersecurity insurance because they do not want to pay expensive premiums, they are unsure exactly what the policies will cover, or they are skeptical that they will suffer a significant cybersecurity incident sufficient to justify the cost of insurance.  But the Equifax breach reminds us that data breaches will occur—and likely with increasing frequency in coming years.  Companies with significant risk should analyze whether cybersecurity insurance makes sense for them.

    As the Equifax breach shows, especially in the area of cybersecurity, an ounce of prevention is worth a pound of cure.  Companies should work with cybersecurity consultants, attorneys, or other professionals prior to a data breach both to protect against breaches, and to prepare to respond to a breach. Preventative cybersecurity training for employees is key, as human error is responsible for many data breaches.  Companies should ensure that their IT systems are reasonably secured, their personnel are reasonably trained, and their data breach response plan is ready to go for when a data breach occurs.  And it will.

  • Landmark Second Circuit Ruling Clarifies the Standards for Mobile Contracts

    Authored by Timothy Crudo, Rees Morgan, Skye Langs, and Mark Hejinian.

    On August 17, 2017, the United States Second Circuit Court of Appeals issued a landmark ruling in Meyer v. Kalanick¹ that clarifies the standards for contract formation in the age of smartphones and mobile contracting, providing important guidance to companies about how to design enforceable mobile contracts. The Second Circuit, applying California law to determine the enforceability of the arbitration clause in Uber’s Terms of Service (“Terms”), held that a “reasonably prudent smartphone user” unambiguously assents to a conspicuously hyperlinked contract when he downloads a smartphone application (“app”) to his mobile phone and signs up for an account. Coblentz, led by Timothy Crudo, Rees Morgan, Mark Hejinian, and Skye Langs, had filed an amicus brief in the case on behalf of the Internet Association and the Consumer Technology Association urging the Court to adopt the “reasonably prudent smartphone user” standard.

    The case arose after Plaintiff Spencer Meyer used his mobile phone to download Uber’s smartphone app and register for an account. During the registration process, Meyer entered his credit card information and, on the same screen, clicked a button marked “Register.” The “Register” button was located just above a notice, hyperlinked to Uber’s Terms, that “(b)y creating an Uber account, you agree to the TERMS OF SERVICE & PRIVACY POLICY.”

    After using Uber’s app to hail several rides, Meyer filed a class action lawsuit alleging that the app facilitates price fixing. Uber moved to compel arbitration under its Terms, but Judge Jed Rakoff of the United States District Court for the Southern District of New York held that the contract was not binding because the registration page did not provide reasonably conspicuous notice of the Terms, nor did Meyer unambiguously manifest assent to them.²

    The Second Circuit reversed, cutting through the weeds of numerous decisions governing contract formation in the modern landscape of “clickwrap,” “browsewrap,” and “sign-in-wrap” agreements. While the question of whether a consumer has assented to terms of an online agreement turns on the design of the user interface – such as the proximity between the link to the contract terms and the manifestation of assent, as well as the amount of visual clutter on the page – the Court viewed the precedent of online contracting through the lens of what a “reasonably prudent smartphone user” would expect when downloading and using a mobile app.

    The Court recognized that smartphones are increasingly ubiquitous, with modern consumers conducting significant business through mobile apps, including shopping, online banking, and health management. A reasonable smartphone user engaged in such e-commerce understands that by downloading apps and creating accounts, they are entering into contracts. Explicitly applying, for the first time, the standard of a “reasonably prudent smartphone user,” the Court held that, as a matter of California law, the design of the registration page on Uber’s mobile app provided “reasonable notice” to a smartphone user that he or she was entering into a contract, and that by clicking the “Register” button, Meyer unambiguously assented to Uber’s Terms.

    The Second Circuit’s ruling clarifies the standards for mobile contract formation and provides companies with important guidance for designing user interfaces that will support the enforceability of internet or app-based consumer contracts. The ruling does not, however, mean that businesses no longer have to worry about the validity of the contracts their customers execute through online or mobile applications. Consumers are not automatically on notice that they are entering into a contract merely because they have downloaded and used a smartphone application or completed an online transaction. The terms and conditions still must be conspicuous, and it must be clear when and how consumers assent to them.  But the Second Circuit’s opinion recognized that the conspicuousness of the terms and the sufficiency of assent should be analyzed from the perspective of a reasonable person who engages in mobile contracting – someone, in other words, who would understand the import of hyperlinks and other common indicia of contract formation in the e-commerce era.

    Now is a good time for businesses to review their online and mobile contracting practices. Make sure that your terms and conditions are highly visible on an uncluttered page or screen. Also make sure that users are required to affirmatively indicate their assent to the terms, either by clicking a button or checking a box, before engaging in any of the activities you intend to have governed by the contract. For mobile phone applications, the terms (or a link to them), along with a way to indicate assent, should be the only things displayed on the screen at the time of contract formation. Finally, while not necessarily required, requiring users to actually scroll through all the terms, and affirmatively indicate that they have read them and agree to them, goes a long way towards ensuring that users are on clear notice of the terms and have objectively assented to them.

    For further information or guidance regarding the validity and enforceability of your mobile contracts, contact Timothy Crudo at tcrudo@coblentzlaw.com or Rees Morgan at rmorgan@coblentzlaw.com.

    1 Meyer v. Kalanick, Nos. 16-2750-cv, 16-2752-cv (2nd Cir. Aug. 17, 2017).

    2 Meyer v. Kalanick, 200 F. Supp. 3d 408 (S.D.N.Y. 2016).

  • BEWARE: Broad New CA County and City Authority To Impose Transfer Tax on Entity Interest Transfers

    The California Supreme Court has just granted broad authority to counties and cities to impose documentary transfer tax (“DTT”) on certain transfers of interests in legal entities. Before June 29, 2017, tax practitioners’ prevailing view was that documentary transfer tax generally could not be imposed on transfers of interests in legal entities. There were two exceptions. First, for transfers of partnership interests that caused a partnership to terminate for tax purposes. Second, for charter cities that were permitted to enact their own DTT ordinances and had, in fact, enacted broader DTT rules. No more. On June 29, the California Supreme Court decided in 926 North Ardmore Avenue, LLC v. County of Los Angeles¹ that all California counties and cities may impose DTT on certain transfers of interests in legal entities.

    California Revenue and Taxation Code Section 11911 allows a county or city to impose DTT on “each deed, instrument, or writing” by which real property “shall be granted, assigned, transferred, or otherwise conveyed.” The statute’s language does not appear to permit DTT to be imposed on transfers of legal entity interests, such as stock, partnership interests, or LLC membership interests. Charter cities, however, are permitted to enact their own DTT ordinances, some of which have imposed DTT more broadly. For example, a San Francisco ordinance permits DTT to be imposed any time that a transfer of ownership interests in a real property owning legal entity would be treated as a change in ownership of real property under California Revenue and Taxation Code Section 64.

    926 North Ardmore involved an attempt by the Los Angeles County Recorder to impose DTT on a transfer of partnership interests that gave rise to a change in ownership of the real property that the partnership owned indirectly through a lower-tier entity. Los Angeles County had not enacted an ordinance specifically imposing DTT on such transfers. The taxpayer, 926 North Ardmore Avenue, LLC, challenged this attempt. The California Supreme Court found for Los Angeles County. It ruled that despite the lack of any specific statutory authorization, California counties and cities can impose DTT on transfers of legal entity interests that give rise to a “change in ownership” of real property held by such legal entities under California Revenue and Taxation Code Section 64(c) or (d). That is, DTT can be imposed even if the government entity imposing DTT is not a charter city that has enacted an ordinance allowing for DTT imposition in that situation. This is a sea change in the DTT world and contrary to what practitioners had widely believed was the state of the law.

    California Revenue and Taxation Code Subsections 64(c) and 64(d) provide that real property held by a legal entity undergoes a change in ownership in two distinct situations. Under Subsection (c) and related property tax rules, a change in ownership occurs when any person or entity acquires control of a legal entity. Specifically, this occurs when a person or entity comes to own more than 50 percent of the voting stock of a corporation or more than 50 percent of both the capital and profits interests of a partnership or LLC. This ownership threshold can be met through direct ownership of the interests or indirect ownership through upper-tier entities. Under Subsection (d), a change in ownership of real property held by a legal entity occurs when: (1) persons or entities have contributed real property to a legal entity, (2) the transfer was exempt from reassessment under the so-called proportional ownership exception, and (3) the original contributors then, collectively, cumulatively transfer more than 50 percent of the total interests in the legal entity. In the case of a corporation, the 50 percent threshold is met when more than 50 percent of the corporation’s voting stock is transferred. In the case of a partnership or LLC, the 50 percent threshold is met when more than 50 percent of the profits interests and capital interests in the partnership or LLC are transferred.

    Consequently, taxpayers must now carefully consider with their tax advisers whether any transfers of legal entity interests could cause a change of control of a legal entity that holds real property or could cause them to exceed the 50 percent thresholds described in Subsection 64(d). Before 926 North Ardmore, the prevailing view was that these concerns only needed to be addressed in charter cities with ordinances specifically allowing DTT to be imposed in these situations. After 926 North Ardmore, these are statewide concerns. Given that DTT rates can be substantial in some jurisdictions, for example up to 3 percent in San Francisco, we encourage taxpayers to seek the advice of counsel when transferring interests in any legal entity that owns real property, whether directly or indirectly through a lower-tier entity.

    For additional information, contact Jeffry Bernstein at jbernstein@coblentzlaw.com.

    1. Cal. S. Ct. No. S222329.

  • Compromise Inclusionary Legislation Set for Final Approval

    Barring any last-minute surprises, the Board of Supervisors will finally adopt compromise inclusionary housing legislation on July 18th that would, as shown in our summary comparison chart, make many major changes to the City’s existing program.  The key provisions of the legislation affecting large projects with 25 or more residential units can be found in our prior blog post on this topic.

    Recent noteworthy changes, including an important change to existing grandfathering protections for certain pipeline projects, are summarized below.

    • The legislation now provides that projects with a complete Environmental Evaluation (EE) submitted prior to January 12, 2016 will be grandfathered not only as to inclusionary housing percentage requirements, but also Area Median Income (AMI) and other inclusionary housing requirements. Recall, however, that to maintain grandfathering protections, existing law requires issuance of a building or site permit for construction of any off-site or on-site inclusionary housing units by December 7, 2018, with an extension for the duration of any litigation challenging the City’s approval of the project.
    • The legislation now provides that the inclusionary housing percentage for non-grandfathered projects will be set as of the date a complete EE application is submitted. Recall, however, that the legislation will require issuance of a building or site permit for construction of the principal project within 30 months of project approval to maintain that percentage requirement, with an extension for the duration of any litigation challenging the City’s approval of the project.
    • The legislation now provides that the project sponsor must demonstrate that the project is eligible to provide off-site or on-site inclusionary housing units, if proposed, at least 30 days prior to approval of the principal project; if there is any subsequent reduction in the number of proposed on-site inclusionary housing units, Planning Commission approval at a noticed public hearing will be required.
    • The legislation no longer proposes to prohibit studio units priced at 100% AMI or above. Instead, it now provides that at least two people must occupy off-site inclusionary housing units priced at 100% AMI or above and on-site inclusionary housing units priced at 110% AMI or 130% AMI, for rental or ownership units, respectively.
    • The legislation now requires an updated Controller’s analysis to be completed by January 31, 2018, after which time the Board of Supervisors may revise in-lieu fees. The legislation now provides that the in-lieu fees will be based on the total cost of constructing affordable housing, including both development and land acquisition costs.
  • Court Confirms CEQA Analysis of Zoning Amendments Limited to Reasonably Foreseeable Development

    The California Court of Appeal for the Sixth Appellate District recently held, in Aptos Council v. County of Santa Cruz, 10 Cal. App. 5th 266 (2017), that environmental review under the California Environmental Quality Act (CEQA) need only analyze environmental impacts of development resulting from a zoning amendment if the development is reasonably foreseeable. This decision provides helpful guidance to municipalities considering zoning and land use plan amendments that permit development at higher densities.

    The court also ruled that separate CEQA review of three different ordinances did not violate CEQA’s prohibition against improper “piecemealing” because each ordinance operated independently, could be implemented separately, and served different purposes.

    In Aptos, the Court upheld Santa Cruz County’s adoption of three new ordinances that (1) modified height, density, and parking requirements for hotels in commercial districts to allow some hotels to be developed at a higher density and height; (2) extended the applicability and scope of variances that could be administratively approved for minor exceptions to zoning standards; and (3) allowed administrative exceptions to sign regulations.

    The appellants challenged the adoption of a negative declaration for the hotel ordinance’s modifications, arguing that an EIR was required to analyze the impacts of potential incremental hotel development.  The court rejected this argument, holding that a lead agency’s CEQA analysis need only include “the potential environmental impacts resulting from reasonably foreseeable future development resulting from the ordinance.” Aptos Council, 10 Cal. App. 5th at 273.

    The court held that when evaluating the potential environmental impact of a project with growth-inducing effects, the lead agency must evaluate and consider the effects of the “most probable development patterns” and that other more speculative impacts need not be analyzed.  The court explained that “reasonably foreseeable consequences” of an ordinance must be more than “a hope that hotel developments will occur as a result of the ordinances” and not just an “optimistic gleam in [the County’s] eye.” Id. at 293, 294. In reaching this conclusion, the Court considered evidence that the County had contacted the owners of the two most prominent vacant lots, who confirmed that they had no plans to sell or redevelop their property.

  • Board of Supervisors to Consider Compromise Inclusionary Housing Legislation

    The Land Use and Transportation Committee of the Board of Supervisors is now scheduled to consider compromise inclusionary housing legislation on June 12th, following a continuance at the Committee’s June 5th hearing. As shown in our summary comparison chart, the legislation would generally retain existing grandfathering protections as to the total percentage of affordable units for certain pipeline projects, but would make many other major changes to the City’s existing program.

    The most significant change would be to the required percentage of on-site affordable units for large projects (25 or more units).  The proposed percentages are 18% for rental projects and 20% for ownership projects, as compared to 25% under existing law.  The legislation would also adjust income level restrictions for affordable units.  In large rental projects, affordable on-site units would need to be provided as follows:  10% low income (affordable to households earning 55% of Area Median Income (“AMI”) or less); 4% moderate income (affordable to households earning 80% of AMI or less); and 4% middle income (affordable to households earning 110% of AMI or less).  A similar affordability breakdown would be set for on-site large ownership projects, but with higher permitted AMI levels.  Overall, the legislation marks a partial shift toward providing workforce housing under the City’s inclusionary housing program.  The overall affordable percentages for large projects would increase by 1% annually for two years (low income), and then by 0.5% annually (moderate/middle income), until affordable percentages reach 26% for ownership projects and 24% for rental projects.

    The legislation includes a neighborhood affordability component, which would require maximum rents or sales prices for on-site affordable units in both large and small projects to be at least 20% below median rents or sales prices for units in the surrounding neighborhood, defined according to the Planning Department’s Neighborhood Groups Map.  This could lead to significant variation in affordable rents and sales prices across neighborhoods.

    The City would also impose an affordable housing fee on any additional units obtained by a project sponsor through compliance with the State Density Bonus law, unless an Environmental Evaluation (“EE”) application was filed for the project by January 1, 2016.

    For project sponsors choosing either the in-lieu fee or off-site options for large projects, the affordability requirement would be 30% for rental projects and 33% for ownership projects, creating a new distinction between rental and ownership projects.

    The legislation would also apply a new, City-wide unit mix requirement to all projects containing 10 or more units, not just to the inclusionary affordable units within those projects.  It mandates that at least 25% of the total units include two or more bedrooms, and at least 10% include three or more bedrooms.  The unit mix requirement would not apply to projects with an EE on file by January 12, 2016, HOME SF projects providing 30% of on-site units as affordable, projects within areas or Special Use Districts imposing a stricter unit mix requirement, or certain specified housing types (e.g., SRO units, student housing and senior housing).  Project sponsors could seek waivers or modifications of the unit mix requirement through the Conditional Use process or, where applicable, the Section 329 Large Project Authorization process.

  • Latest Target Settlement Underscores Importance of Data Security Practices

    Authored by Scott Hall

    Pursuant to a settlement agreement with the Attorneys General of nearly all 50 states1, Target Corporation will pay $18.5 million to settle claims brought by the state Attorneys General arising from the November 2013 data breach – involving the credit or debit card information of approximately 40 million Target customers – caused by cyberattacks on Target’s network.

    The settlement is the latest in a string of settlement payments made by Target as a result of the breach, which includes payments of over $100 million to banks and credit/debit card companies for fraudulent charges and other damages, as well as a $10 million payment to settle a civil class action brought by affected customers.  In total, Target reports that, to date, the cost of the data breach has exceeded $200 million.2

    Notably, the settlement agreement with the Attorneys General goes beyond mere payment of monetary penalties.  It requires Target to take specific steps to ensure implementation of a comprehensive information security program aimed at avoiding future breaches.  The settlement agreement requires Target to implement this new security program within 180 days of the effective date of the agreement, and mandates that Target, among other things: (1) maintain a written policy that adequately addresses the administrative, technical and physical safeguards for personal information maintained by Target, taking into account Target’s size, the nature of its operations, and the sensitivity of personal information maintained by it; (2) employ an executive or officer with an appropriate background or experience to implement and maintain the program; and (3) maintain encryption protocols and related policies reasonably designed to protect personal information.  Target is also required to separate its customer credit and debit card data from the rest of its computer network and to test for, and correct, vulnerabilities in its computer network.3

    Within one year of the settlement, Target must obtain a third-party “information security assessment” to review and report on the implementation of the new information security program.  The Attorneys General have the right to initiate a proceeding for any failure to comply with the provisions of the settlement agreement, as well as for any other failure to comply with applicable data security laws.  In other words, Target’s implementation of these data security policies and procedures will be under a regulatory microscope for the near future.

    The moral of the story for other companies, as made clear in a statement by Connecticut Attorney General George Jepsen, is that “Companies across sectors should be taking their data security policies and procedures seriously.  Not doing so potentially exposes sensitive client and consumer information to hackers.”4  This is true even for companies that do not face the significant exposure of a large retailer like Target.  Regardless of company size or industry, the settlement sends a message that companies must either implement reasonable and adequate data security safeguards, or risk a breach that could result in government implementation and oversight of a much more rigorous and burdensome program.

    In sum, this is a reminder that now is a good time for all companies to review their data security policies and programs, data breach response protocols, and compliance with applicable consumer protection and data security laws, to ensure that they do not become the next example of what not to do.

    1. Alabama, Wyoming and Wisconsin are not parties to the settlement.  A copy of the settlement agreement is available at:  http://www.ct.gov/ag/lib/ag/press_releases/2017/20170522_targetmultistateavc.pdf

    2. See “Target in $18.5 million multi-state settlement over data breach” (Reuters May 24, 2017), available at: http://www.cnbc.com/2017/05/24/target-in-18-point-5-million-multi-state-settlement-over-data-breach.html

    3. Certain of the specific data security requirements expire after five years (Settlement Agreement ¶ 32.)

    4. See http://www.ct.gov/ag/cwp/view.asp?Q=593122&A=2341

  • Prosecuting the Corporate Mind

    Authored by Timothy Crudo and Andrew Schalkwyk

    Originally published in ABTL Northern California Report, Volume 25, No. 2, Spring 2017. Republished with permission.

    It is an age-old principle of corporate law: corporations can act only through their agents. Ensley v. City of Nashville, 61 Tenn. 144, 146 (1872) (“Corporations can only act through their agents, and must be held accountable for their acts, otherwise citizens may be ruined through irresponsible citizens.”)  Companies therefore are generally liable, both civilly and criminally, for the conduct of agents acting on their behalf.  But what about their thoughts?  Do corporations think only through their agents, or do they have a mind of their own?  The answer is more than a philosophical one, and it can have real consequences, as shown by two recent federal criminal trials in the Northern District of California.

    In the olden days, it was accepted under the common law that “a corporation cannot commit treason, or felony, or other crime, in its corporate capacity: though its members may, in their distinct individual capacities.” 1 BLACKSTONE, COMMENTARIES ON THE LAWS OF ENGLAND 464 (1765).  The modern view is quite different, and criminal prosecutions of corporations have been widely accepted for more than a century.  In the seminal case, N.Y. Central & H.R.R. Co. v. United States, 212 U.S. 481, 492–93 (1909), the railroad argued that as a corporation it could not be held liable for payments of illegal rebates.  The Supreme Court rejected the argument, quoting a contemporary treatise: “[s]ince a corporation acts by its officers and agents, their purposes, motives, and intent are just as much those of the corporation as are the things done. If, for example, the invisible, intangible essence or air which we term a corporation can level mountains, fill up valleys, lay down iron tracks, and run railroad cars on them, it can intend to do it, and can act therein as well viciously as virtuously.”  At least for offenses where the crime consisted in purposely doing the thing prohibited (in N.Y. Central it was paying a rebate), the Supreme Court saw “no good reason why corporations may not be held responsible for and charged with the knowledge and purposes of their agents.”

    But corporations often act through the acts of a combination of employees.  What  happens where no individual agent has the knowledge or intent necessary to be held criminally responsible for the corporation’s act – can the corporation still be legally culpable?  More recently, courts have considered the aggregation of individual employees’ knowledge in evaluating corporate knowledge.  This doctrine of “corporate collective knowledge” traces back primarily to the First Circuit’s decision in United States v. Bank of New England, 821 F.2d 844 (1st Cir. 1987).  In that criminal case, which involved alleged violations of the Currency Transaction Reporting Act by the Bank of New England, the government had to prove that the bank had acted “willfully.”  Proof of willfulness required evidence that the bank had “knowledge” of the reporting requirement and, separately, the “specific intent” to commit the crime.  On the issue of knowledge, the court applied the “collective knowledge” doctrine and determined that the bank knew everything that all of its employees knew, even if no single agent had sufficient knowledge to meet the elements of the offense: “So, if Employee A knows one facet of the currency reporting requirement, B knows another facet of it, and C a third facet of it, the bank knows them all.”  Id. at 855.  The court determined that the specific intent element could be satisfied either through the willful failure of a bank employee to file the necessary reports or through the bank’s own “flagrant indifference” to its reporting obligations.  Id. at 857.

    Since Bank of New England, courts have applied the collective knowledge doctrine to determine what a corporation knew.  But few have applied that doctrine to determine what a corporation intended, and there has been little discussion of whether specific wrongful intent of a corporation can be found without the prosecution identifying a particular individual who had such intent.  The idea raises some profound philosophical problems.  If, as N.Y. Central and many later cases have held, the actions, motives, and intent of an individual can be attributed to a corporation for purposes of criminal culpability, what evidence is needed to prove that the corporation itself had such intent even if no individual employee did?

    As the First Circuit observed in the language above taken from Bank of New England, knowledge can exist in discrete portions.  It can be measured, combined, and added to.  Although the corporate collective knowledge doctrine has been criticized (See e.g. Thomas A. Hagemann & Joseph Grinstein, The Mythology of Aggregate Corporate Knowledge: a Deconstruction, 65 GEO.WASH L. REV. 210, 226-36 (1997)), there is some logic to the idea that employees’ knowledge can be “collected” and attributed as a whole to the corporation.

    But can intent be similarly combined and accumulated?  Whereas sufficient knowledge is primarily a question of quantity, sufficient intent is a question of quality. If a specific intent is required for finding culpability of a specific intent crime, can the otherwise innocent intent of individuals be combined to create a collective intent that is of a distinctly different – i.e., guilty — character?  In other words, can the corporation be deemed to have the necessary criminal intent if none of its agents does?

    There is scant law on the question, itself perhaps a clue to the answer.  One case that did address the question of corporate willfulness is United States v. T.I.M.E.-D.C., Inc., 381 F. Supp. 730 (W.D. Va. 1974), which upheld a criminal conviction that a trucking company knowingly and willfully violated federal regulations concerning driver safety.  The court held that because the corporation knew, under the collective knowledge doctrine, that it was not complying with its duties under the regulations and declined to act on that knowledge, there was sufficient evidence to find that it had thereby acted willfully, a holding consistent with the later result in Bank of New England.

    But other cases have noted the problem with attributing intent to a corporation absent an individual wrongdoer who harbors the required state of mind. In Saba v. Compagnie National Air Fr., 78 F. 3d 664, 670 n. 6 (D.C. Cir. 1996), the court cited Bank of New England for the proposition that while knowledge of facts by employees could be attributed to the corporation, “the proscribed intent (willfulness) depended on the wrongful intent of specific employees.”  See also, e.g., First Equity Corp. v. Standard & Poor’s Corp., 690 F. Supp. 256, 260 (S.D.N.Y. 1988) (“A corporation can be held to have a particular state of mind only when that state of mind is possessed by a single individual.”); Gutter v. E.I. Dupont De Nemours, 124 F. Supp. 2d 1291, 1311 (S.D. Fla. 2000) (“The knowledge necessary to form the requisite fraudulent intent must be possessed by at least one agent and cannot be inferred and imputed to a corporation based on disconnected facts known by different agents.”)

    Even T.I.M.E. itself has been cited for the idea that, unlike knowledge, “specific intent cannot be similarly aggregated [and therefore] there must be evidence from which a jury could reasonably determine that at least one agent of LBS had the specific intent to join the conspiracy to defraud the government.”  United States v. LBS Bank-New York, Inc., 757 F. Supp. 496, 501 n. 7 (E.D. Pa. 1990).  In one case decided shortly before Bank of New England, the court, in a bench trial, was required to determine whether the defendant corporation intended to commit mail fraud.  Citing T.I.M.E., the court determined that to find the defendant liable “for fraud, I must find that a[n] employee had the specific intent required” by the statute.  Louisiana Power and Light Co. v. United Gas Pipe Line Co., 642 F. Supp. 781 (E.D. La. 1986).  (That said, the court found the company had committed fraud based on the fact that the corporation was “blind[] to obvious truths” and so violated the mail fraud statute, without identifying, or even discussing, an individual employee’s specific intent.)  Similarly, in State v. Zeta Chi Fraternity, 696 A.2d 530 (N.H. 1997), the New Hampshire Supreme Court cited to T.I.M.E. in upholding the conviction of a college fraternity, finding that there was sufficient evidence that fraternity members were aware of the facts surrounding underage drinking.  Because the fraternity’s “mental state depend[ed] on the knowledge of its agents,” the fraternity could be said to have acted recklessly in conscious disregard of the risks involved.  Id., at 535.

    Fast forward to 2016, when simultaneous corporate criminal trials were unfolding in the Northern District of California against PG&E (Case No. 3:14-cr-00175) and FedEx (Case No. 14-cr-00380).  PG&E was accused primarily of violating the Pipeline Safety Act.  FedEx was accused of conspiring with online pharmacies to deliver illegal prescriptions.  No individuals were prosecuted in either case.  The corporations alone stood trial.

    Both corporate defendants argued that when prosecuting a corporation for a specific intent crime the government must prove that at least one individual acting on behalf of the corporation had the sufficient intent necessary for conviction.  Both lost on the issue.  In PG&E, the court brushed aside concerns raised with the collective knowledge doctrine, focusing instead on collective intent.  The court ultimately followed T.I.M.E., noting the similarity in the regulatory violations at issue in both cases.  The Court held that because PG&E had an affirmative legal duty to follow safety regulations (such as the Pipeline Safety Act) and “where the knowledge of the corporation’s employees demonstrates a failure to discharge that duty, the corporation can be said to have ‘willfully’ disregarded that duty.”  PG&E, 2015 WL 9460313 at *5.  In FedEx, the court cited to the PG&E order and, without further discussion, held that FedEx had “failed to identify controlling authority that calls into doubt any instructions on ‘collective knowledge’ or ‘collective intent.’”  United States v. FedEx, No. C14-00380 CRB, slip op. at 2 (N.D. Cal. Apr. 18, 2016).

    The result in FedEx was perhaps more surprising, given that the charges there involved a conspiracy to distribute illicit drugs rather than the type of regulatory and/or reporting violation at issue in PG&E, T.I.M.E., and Bank of New England.  PG&E was accused of not fulfilling affirmative regulatory obligations imposed by law, and distilling corporate intent from collective knowledge in such cases is perhaps not that big a jump from already accepted concepts of “reckless disregard” or willful blindness.  (The nature of the charged crimes in PG&E was crucial in the court’s decision on the collective intent instruction.)  FedEx, on the other hand, was accused of agreeing to commit affirmative acts with the knowledge and intent to achieve an unlawful result, the first time that the collective intent doctrine had ever been applied in a criminal prosecution to a non-regulatory offense.

    To be fair to the FedEx trial court, the case resolved before it was required to rule on the final instruction for corporate intent, and perhaps it would have ruled differently.  (Its prior ruling on collective intent occurred during pretrial skirmishing.)  We will see whether the rulings in PG&E and FedEx embolden prosecutors to pursue criminal charges against corporate defendants in the absence of at least one culpable individual.  Criminal prosecutions against corporations are rare enough, especially when no individual is prosecuted as well, and even with the favorable rulings on collective intent the ultimate result in PG&E and FedEx may cause prosecutors to think twice before prosecuting a corporation standing alone.

  • Registration Rule Decision Invites Congress to Expand FAA Authority Over Hobby Drones (Or Not)

    Authored by Scott Hall

    On May 19, 2017, the U.S. Court of Appeals for the D.C. Circuit issued a ruling vacating the Federal Aviation Administration’s “Registration Rule,” which required owners of small unmanned aircraft (“drones”) operated for recreational or hobby purposes to register with the FAA.1  The Registration Rule, implemented in December 2015 (strategically, in the midst of a holiday season during which nearly half a million hobby drones were expected to be sold), garnered immediate criticism and opposition from drone users who questioned the FAA’s authority to regulate drones not intended to be operated for commercial purposes.  Indeed, given the FAA’s history of a hands-off policy with respect to hobby drones, the Registration Rule was viewed by some as a test of power – something akin to the FAA dipping its toe into the waters of hobby drone regulation to see how far it could go.  The D.C. Circuit’s ruling decisively ends the inquiry and precludes further FAA involvement in hobby drone regulation absent some action to the contrary by the Supreme Court or Congress.

    History of FAA Regulation of Drones

    Under 49 U.S.C. section 40103, the federal government has exclusive sovereignty over U.S. airspace, and the FAA has the authority to regulate all “aircraft,” which includes drones.2  However, in 2012, Congress passed the FAA Modernization and Reform Act, which states that the FAA “may not promulgate any rule or regulation regarding a model aircraft,” which term encompasses drones flown for hobby or recreational purposes.3

    In light of this clear restriction, and in response to petitions challenging the Registration Rule to the extent it purports to apply to hobby drones, the D.C. Circuit concluded that the Registration Rule was barred by the plain wording of the statute because it was, in fact, a rule that created a new regulatory regime for model aircraft, regardless of whether the rule might improve aviation safety.4  As the Court noted, “[s]tatutory interpretation does not get much simpler.”5

    Although the Registration Rule was likely doomed from its inception given the historical restrictions on FAA authority over hobby drones, the motivation behind the rule – i.e., the view that there should be a more formal or consistent framework for regulating hobby drones – is not outrageous.  After all, hobby drones are just as capable as drones used for commercial purposes of violating personal privacy or engaging in nuisance, trespass, or other misuse, and are perhaps even more likely to do so.  And the number of hobby drones currently existing and anticipated in the national airspace over the next five years dwarfs the number of small commercial drones.  For example, the FAA anticipates that the number of hobby drones sold by 2021 may exceed 4 million, up from approximately 1.1 million in 2016.6  By contrast, the FAA forecasts that small commercial drones, which numbered just 42,000 in 2016, may increase to 420,000 by 2021.7  The FAA has argued that uniformity in drone regulation – regardless of whether the drones are used for commercial or hobby purposes – is essential for the safe and effective management of air traffic in the national airspace.  Thus, when faced with a substantial and unprecedented increase of hobby drones in the nation’s skies over which it had no control, the FAA rolled the dice and took a shot at reining in what otherwise may prove to be an unmanageable contingent of this rapidly expanding technology.  The FAA lost – for now.

    Where To Go From Here

    The fight regarding federal-state authority over drones, including hobby drones, is far from over.  The FAA’s uniform rules for commercial operation of small drones, which went into effect last August, provide a general federal framework for limited commercial drone use (and preempt many aspects of state commercial drone regulation), but explicitly do not apply to hobby drones.8  In fact, the FAA maintains a Fact Sheet on its website that identifies specific areas of law potentially applicable to drones – whether commercial or hobby – that would not be subject to federal regulation, including land use, zoning, privacy, trespass, and law enforcement operations.9  But while many states have started to enact drone-specific laws,10 there is still much to be done by state and local governments if they are to effectively and comprehensively regulate hobby drones, particularly as usage and technology continue to expand.

    Ultimately, the D.C. Circuit’s ruling creates a fork in the road for hobby drone regulation:  Congress can either extend FAA authority over hobby drones or leave it to state and local governments.  The Court’s opinion was explicit in this regard, noting, “Congress is of course always free to repeal or amend its 2012 prohibition on FAA rules regarding model aircraft.  Perhaps Congress should do so.  Perhaps not.  In any event, we must follow the statute as written.”11

    In the wake of the decision, the FAA will likely take the Court’s suggestion and seek to have Congress expand FAA authority over hobby drones.  But both the FAA and Congress should think carefully before proceeding down this path.  Although expansion of federal authority for limited purposes such as registration may not seem problematic, such a grant of authority would start down a slippery slope of exclusive federal authority over all drone regulation.  Before Congress takes that step, serious consideration should be given to whether the FAA is best positioned to regulate hobby drones, which, for the most part, operate within limited geographical areas, in typically lower altitudes than commercial aircraft, and in volumes that would be extremely difficult, if not impossible, for the FAA to effectively police.

    State and local governments may be much better suited to enact and enforce laws and restrictions applicable to hobby drones, particularly with respect to issues or operational concerns unique to their locale.  And, although some measure of coordination between federal and state governments will certainly be necessary to ensure that hobby drones can safely operate in the national airspace along with commercial drone traffic, Congress should not hastily put all regulatory authority in the hands of the federal government without carefully weighing the potential drawbacks of an exclusively federal drone regime.  The preferred course may be for federal and state governments to share authority over drones and work collaboratively to create a cooperative and comprehensive framework for commercial and hobby drones alike.  For this to be effective, however, state and local governments must step up and actively address drone issues through local legislation to a greater extent than they have done previously.

    For now, hobby drone users can operate their drones free of any registration requirement or other federal oversight.12  However, hobby drone users should not get too comfortable with the current lack of formal regulation.  Given the ever-increasing popularity of drones, as well as rising concerns regarding drone privacy violations, trespass, and other misuse, a more formal regulatory framework for hobby drones – be it state, federal, or combined – appears all but inevitable.

    1. See Taylor v. Huerta, Case No. 15-1495 (D.C. Cir. May 19, 2017).  A copy of the opinion is available at: https://www.cadc.uscourts.gov/internet/opinions.nsf/FA6F27FFAA83E20585258125004FBC13/$file/15-1495-1675918.pdf

    2. See 49 U.S.C. § 40102(a)(6), defining aircraft as “any contrivance invented, used, or designed to navigate or fly in the air.”  See also Michael P. Huerta, Administrator, Federal Aviation Administration v. Raphael Pirker, NTSB Order No. EA-5730, Docket CP-217 (Nov. 18, 2014) (holding that drones are “aircraft” subject to federal regulations).

    3. Pub. L. No. 112-95, § 336(a), 126 Stat. 11, 77 (2012) (codified at 49 U.S.C. § 40101).

    4. Taylor, Case No. 15-1495, at 7-8.

    5. Id. at 7.

    6. See FAA Aerospace Forecasts, available at: https://www.faa.gov/data_research/aviation/aerospace_forecasts/media/Unmanned_Aircraft_Systems.pdf

    7. Id.

    8. 14 C.F.R. Part 107.

    9. December 7, 2015 Fact Sheet: State and Local Regulation of Unmanned Aircraft Systems (UAS).

    10. For an overview of current or pending state drone laws, see http://www.ncsl.org/research/transportation/current-unmanned-aircraft-state-law-landscape.aspx

    11. Taylor, Case No. 15-1495, at 8.

    12. The ruling does not take effect immediately, however, and provides 7 days for the parties to petition for rehearing.  See https://arstechnica.com/wp-content/uploads/2017/05/faastay.pdf