The Massachusetts Commission Against Discrimination: Steady in the Storm

by Simone R. Liebman

Legal Analysis

Introduction

In October, the Supreme Court of the United States heard argument in three cases that involve an unconventional division between the U.S. Department of Justice (DOJ) and the Equal Employment Opportunity Commission (EEOC), the federal agency authorized to interpret and enforce Title VII of the Civil Rights Act of 1964 (Title VII). These cases concern whether Title VII’s prohibition against bias “because of . . . sex” encompasses employment discrimination based on sexual orientation and transgender status.[1] At the federal circuit court level, the EEOC argued that discriminating against an employee because of sexual orientation and gender identity amounts to sex discrimination under Title VII. When the cases were appealed to the Supreme Court, however, the DOJ took the extraordinary step of filing briefs on behalf of the EEOC, rather than permitting the agency to do so.[2] Moreover, the DOJ urged the Court to review Title VII restrictively, contrary to the EEOC’s established position, and argued that the law does not explicitly prohibit sexual orientation or gender identity discrimination. The split in the federal government was further underscored when former federal officials, including the EEOC’s former chairs, commissioners, and general counsels, filed briefs arguing that sexual orientation and gender identity are intrinsically functions of sex and predicated on sex stereotypes.

The DOJ’s effort to override the authority and precedent of the EEOC is unique and historically noteworthy. And it provides a sharp contrast with the robust protections ensuring equal opportunities in employment available to Massachusetts employees through chapter 151B of the Massachusetts General Laws as enforced by the Massachusetts Commission Against Discrimination (MCAD). In enacting G.L. c. 151B in 1946, the Legislature granted the MCAD broad remedial powers and significant enforcement authority. The MCAD is a law enforcement agency with police powers designed to vindicate public rights. This legislative mandate has shaped judicial precedent, often putting Massachusetts at the vanguard in providing protection for employees. The statutory scheme includes a case process that is accessible to victims of discrimination regardless of socio-economic class and results in remedies designed to compensate past wrongs and deter future illegal workplace conduct. Due to the independent, prosecutorial nature of the agency, courts have found that victims of discrimination at the MCAD may proceed in situations where private litigants would otherwise have been barred. The current battle in the Supreme Court over who interprets Title VII, and whether the law should be broadly or restrictively construed, demonstrates the importance of the MCAD’s ability to act in its own name as a public law enforcement agency to protect civil rights in Massachusetts.

G.L. c. 151B grants the MCAD law enforcement authority.

Chapter 151B has always prohibited religious, race, national origin and ancestry discrimination.[3] The Legislature acknowledged that discriminatory conduct is no less than a “harmful influence to our democratic institutions” and stated that “no well-informed, right thinking person can be oblivious or indifferent to this evil.”[4] The elimination of discrimination, the Legislature declared, was a “corner-stone” upon which “world peace must be based.”[5] With extraordinary legislative foresight, the statute authorized the MCAD at its inception to act as a civil prosecutor with significant enforcement authority. The legislation granted the MCAD the ability to conduct investigations; subpoena individuals; and issue complaints in its own name, even where no complaint has been filed by an aggrieved person.[6] To ensure that the MCAD has the opportunity to identify trends and, if appropriate, take action, MCAD’s enforcement proceedings “shall, while pending, be exclusive,” taking precedence over any other type of recourse available.[7] The statute imposed criminal sanctions, including imprisonment, where an employer willfully resists, prevents, impedes, or interferes with the MCAD in the performance of its statutory duties.[8]

G.L. c. 151B Mandates Liberal Construction.

Of considerable importance, the legislation explicitly requires that G.L. c. 151B “be construed liberally for the accomplishment of the purposes” of the statute.[9]  This directive has resulted in significant protections for Massachusetts employees. In 2013, the Supreme Judicial Court held that G.L. c. 151B prohibits discriminating against an employee based on the employee’s association with an individual who is disabled, despite the absence of an explicit statutory prohibition against associational disability discrimination.[10] In 2017, the SJC was the first state appellate court to conclude that under specific circumstances, an employer may be required to reasonably accommodate an employee with a debilitating medical condition that is treated through the use of medical marijuana.[11]  This year, the SJC concluded that an employer could be found to have engaged in illegal discrimination even when the discriminatory act in question was a lateral transfer, without any effect on the employee’s base salary, work responsibilities, or title.[12] Each of these cases relied, in large part, on the long-standing mandate that G.L. c. 151B must be interpreted liberally to achieve its remedial purposes. In contrast, Title VII has no such mandate.

The MCAD’s case processing furthers the remedial goals of the statute.

There is no fee for filing a charge of discrimination with the MCAD and no requirement to obtain legal assistance in filing. If the investigating commissioner concludes that the case has “probable cause” to proceed, and the charging party does not hire private counsel, the matter is assigned to a Commission attorney to prosecute the matter in the public interest. Almost half of the cases found by the MCAD to have probable cause are assigned to a Commission attorney, who generally prosecutes the matter through public hearing at no cost to the complainant.[13] After probable cause has been found, the Commission schedules a mandatory conciliation conference, again at no cost to the parties, in which an MCAD conciliator “will attempt to achieve a just resolution of the complaint and to obtain assurances that the Respondent will satisfactorily remedy any violations . . . and take such action as will assure the elimination of the discriminatory practices, or the prevention of their occurrence in the future.”[14] Many cases are resolved at the conciliation conference, and include public interest relief such as training or policy change.

The case is certified to public hearing if the investigating commissioner determines that the public interest so requires, and a complaint is issued in the name of the Commission.[15] It will then be heard by an MCAD hearing officer or a commissioner with expertise in G.L. c. 151B. If the employer is found to have violated the statute, the MCAD issues remedies designed to deter future illegal conduct, including a cease and desist order, a wide array of injunctive and affirmative relief such as training, reinstatement, policy change, and civil penalties, in addition to attorneys’ fees and compensatory damages to make the complainant whole. See Stonehill College v. Massachusetts Comm’n Against Discrimination, 441 Mass. 549, 563 (2004).

The MCAD may proceed where private litigants may not.

The MCAD’s “police powers” allow it to proceed with civil prosecutions in situations where a private litigant seeking redress in court could not. For example, where an employer files for bankruptcy during a civil proceeding, the automatic stay preventing the continuation of any civil proceeding generally applies.[16] Cases pursued through the administrative process at the MCAD, however, fall within the exception to the automatic stay that allows governmental units to exercise police or regulatory power.[17] Recognizing the “strongly felt” public policy against discrimination and the enforcement powers granted to the MCAD, the court in In re Mohawk Greenfield Motel Corp., 239 B.R. 1 (Bankr. D. Mass. 1999), held that the MCAD possessed police or regulatory power that qualified for the exception. The court further acknowledged that while back pay awards have a financial benefit to an employee who proves liability and is awarded victim-specific relief, the imposition of this remedy ensures future compliance and serves a public purpose: ensuring that the employer at issue “as well as others who might contemplate similar odious behavior, would be dissuaded from its future practice.” Id. at 9. Crucial to this decision exempting MCAD proceedings from the automatic stay was the recognition that it is fundamental to the MCAD’s authority to act in the public good to identify and remediate discriminatory conduct without excessive delay, and that “the benefit to the public arising from the continuing capability of MCAD to identify and sanction discriminatory behavior overshadows any associated pecuniary benefit to the victim of that discrimination.” Id. at 9.

Similarly, it was the public enforcement nature of the MCAD’s process that led the SJC in Joulé, Inc. v. Simmons, 459 Mass. 88 (2011), to permit the continued prosecution of an MCAD claim even where a binding pre-employment arbitration agreement required the victim of discrimination to arbitrate the claim rather than file a private right of action. Acknowledging that it is the MCAD and not the complainant that prosecutes the discrimination claim, the SJC concluded that mandatory arbitration clauses, otherwise applicable to private claims of workplace discrimination, do not and cannot bar administrative enforcement proceedings under G. L. c. 151B, § 5. Id. at 95-96. Given that over half of American private-sector nonunion employees are subject to mandatory arbitration procedures, the ability to proceed with a claim at the MCAD despite a binding arbitration agreement is of notable significance to employees in the Commonwealth.[18] In Whelchel v. Regus Management Group, LLC, 914 F. Supp. 2d 83 (D. Mass. 2012), the substantial state interest in preserving the MCAD’s oversight role over discrimination claims led the court to refuse to allow an employer to remove an MCAD matter to federal court. These practical advantages to proceeding at the MCAD all flow from the Legislature’s recognition over seventy years ago that the main object of an MCAD proceeding is to “vindicate the public’s interest in reducing discrimination in the workplace by deterring and punishing, instances of discrimination by employers against employees.” Stonehill College, 441 Mass. at 563.

Conclusion

When the Legislature enacted G.L. c. 151B in 1946, no one could have foreseen the current divisiveness in the federal government, nor were there any federal civil rights protections or an EEOC in place to enforce them. That was not to come into play until 1964. But the Massachusetts Legislature created safeguards resilient enough to withstand the winds of change.

Rather than merely creating a forum through which private litigants resolve disputes, the Legislature recognized the need for an independent, public agency to promote and protect the fundamental right of Massachusetts citizens to obtain equal opportunities in the workplace.

 

Simone R. Liebman is Commission Counsel at the MCAD, where she represents the agency in Massachusetts trial and appellate courts, files amicus briefs in select cases, assists with the drafting of policy and guidance, prosecutes cases through public hearing, and conducts affirmative litigation. This article represents the opinions and legal conclusions of its author and not necessarily those of the MCAD. Opinions of the MCAD are formal documents rendered pursuant to specific statutory authority.

 

[1] Altitude Express, Inc. v. Zarda, No. 17-1623 and Bostock v. Clayton County, Georgia, No. 17-1618 involve the question of whether sex discrimination under Title VII includes bias based on sexual orientation. R.G. & G.R. Harris Funeral Homes, Inc. v. Equal Employment Opportunity Commission, No. 18-107, addresses the question of whether it is a violation of Title VII to discriminate against an employee based on the employee’s transgender status or under a theory of sex stereotyping under Price Waterhouse v. Hopkins, 490 U.S. 228 (1989).

[2] http://www.abajournal.com/news/article/eeoc-doesnt-sign-us-brief-telling-supreme-court-that-transgender-discrimination-is-legal; https://www.reuters.com/article/us-otc-doj/once-again-trump-doj-busts-convention-splits-government-in-high-profile-employment-case-idUSKBN1AC32U.

[3] See G. L. c. 151B, inserted by St. 1946, c. 368, § 4. Since its enactment, G.L. c. 151B has been expanded to include other protected categories. Currently, G.L. c. 151B prohibits discrimination based on race, color, religious creed, national origin, disability, sex, gender identity, sexual orientation, genetic information, pregnancy (including a pregnancy-related condition), veteran status, age, and active military service. G.L. c. 151B, § 4. The MCAD also has jurisdiction over a host of other types of discriminatory conduct including retaliation, failure to accommodate disabilities, housing discrimination, certain inquiries regarding criminal records, parental leave, public accommodation discrimination, mortgage lending and credit discrimination, and certain types of education discrimination.

[4] REPORT OF THE SPECIAL COMMISSION RELATIVE TO THE MATTER OF DISCRIMINATION AGAINST PERSONS IN EMPLOYMENT BECAUSE OF THEIR RACE, COLOR, RELIGION, OR NATIONALITY, H.R. Rep. No. 337, 154th Leg., 1st Sess. at 2 (Mass. 1945).

[5] REPORT OF THE GOVERNOR’S COMMITTEE TO RECOMMEND FAIR EMPLOYMENT PRACTICE LEGISLATION, H.R. REP. No. 400, 154th Leg., 2nd Sess., at 7 (Mass. 1946).

[6] G. L. c. 151B, §§ 1(7) & 5, inserted by St. 1946, c. 368, § 4.

[7] G. L. c. 151B, § 9, inserted by St. 1946, c. 368, § 4.

[8] G. L. c. 151B, § 8, inserted by St. 1946, c. 368, § 4.

[9] G. L. c. 151B, § 9.

[10] Flagg v. AliMed, Inc., 466 Mass. 23 (2013) (“reading the statutory language broadly in light of its remedial purpose, and in order best to effectuate the Legislature’s intent, we think that the concept of associational discrimination also furthers the more general purposes of c. 151B as a wide-ranging law, ‘seek[ing] … removal of artificial, arbitrary, and unnecessary barriers to full participation in the workplace’ that are based on discrimination”).

[11] Barbuto v. Advantage Sales and Marketing, LLC, 477 Mass. 456 (2017) (employee use of medical marijuana is not facially unreasonable as a reasonable accommodation).

[12] Yee v. Massachusetts State Police, 481 Mass. 290 (2019) (where there are material differences between two positions in the opportunity to earn compensation, or in the terms, conditions, or privileges of employment, the failure to grant a lateral transfer to the preferred position may constitute an adverse employment action under G.L. c. 151B).

[13] 2018 MCAD Annual Report, p. 11 (Commission counsel were assigned 46% of these cases in 2018).

[14] 804 C.M.R. § 1.18(1)(a).

[15] 804 C.M.R. § 1.20(3).

[16] 11 U.S.C. § 362(a)(1) (the filing of a bankruptcy petition stays the commencement or continuation of all non-bankruptcy judicial proceedings against the debtor).

[17] 11 U.S.C. § 362(b)(4).

[18] See A. Colvin, Economic Policy Institute (EPI), “The Growing Use of Mandatory Arbitration” 1-2, 4 (Sept. 27, 2017).


The Importance of Written Information Security Policies in Data Governance

by Christopher E. Hart

Legal Analysis

A critical component of data governance is the written information security program or policy, or “WISP” for short.  WISPs are important for three reasons:  first, they are often required by specific statutes or regulations.  Second, their drafting and maintenance often force organizations to consider more closely the adequacy of their security practices.  Third, they can be excellent defenses against liability in the event of a data security incident.  Yet organizations often find themselves caught by surprise when they learn that they are either legally required to have a WISP, or ought to have one as a best practice or risk mitigator.

This article discusses what a WISP is, when one is required, what it is good for, why organizations should consider creating and maintaining one, and what the future holds.  In the end, you will hopefully consider the WISP to be a critically important component of your or your client’s overall data governance strategy.

What is a WISP?

A WISP is a set of organizational practices relating to certain information, normally personally identifiable information (PII) that the organization maintains (such as a person’s name, email, password, social security number, and credit card information), memorialized in an inward-facing document.[1]  While the WISP really refers to the practices or program of information security, the memorialized document is often what people are referring to when they think of WISPs.  A WISP is inward-facing in the sense that it is meant to be used internally by an organization, both as a reference and as a memorialization of practices, and not necessarily meant for consumption by consumers or the general public.  (In contrast, privacy policies tend to be outward-facing documents, meant to notify potential consumers about an organization’s data use and security practices at or before the point that data is provided.)

To illustrate, one of the most important laws relating to WISPs, the Massachusetts regulations on Standards for the Protection of Personal Information of Residents of the Commonwealth, requires that “[e]very person that owns or licenses personal information” about a Massachusetts resident must “develop, implement, and maintain a comprehensive information security program that is written in one or more accessible parts.”  201 CMR 17.03(1).

What Does a WISP Require?

The purpose of the WISP is to “[i]nsure the security and confidentiality of customer information,” “protect against any anticipated threats or hazards to the security or integrity of such information,” and “[p]rotect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer.”  201 CMR 17.01(1).  The WISP is a security requirement, not a privacy requirement: it mandates certain technical and administrative safeguards relating to specific kinds of information.  To accomplish these objectives, regulations mandating WISPs focus on a number of common elements:

  1. Risk Assessment. WISPs generally require that organizations implement practices that are commensurate with the sensitivity and volume of data the organization has, and the resources the organization can bring to bear to protect that data.
  2. Minimum Technical Security. WISPs will carry requirements that computer systems have adequate encryption, anti-malware software, and other perimeter and internal defenses.
  3. Third-Party Contracts. Central to a WISP is the concept that organizations that collect information but contract with vendors or other organizations to handle data ensure that those third parties protect the data at least as adequately as the collecting organization, requiring both that vendors be adequately vetted and that assurances regarding security programs by third parties are placed into contracts as specific obligations.
  4. Specific Accountability. WISPs normally require that a specific individual be held out as having responsibility for implementation of the security program.
  5. Regular Auditing. WISPs, and the specific requirements within them (such as risk assessments), must normally be reevaluated on at least an annual basis.
  6. Employee Training. Employees must be trained on the organization’s security requirements, and must be knowledgeable of the WISP, in order for the WISP to be a useful instrument.

As these requirements make clear, a WISP is best seen as a bundle of living practices, rather than merely a document that allows an organization to paper its liability.

When is a WISP Required?

As creatures of statute or regulation, WISPs are legally required if an entity falls within the jurisdictional scope of a regulatory regime.  So, for example, the Gramm-Leach-Bliley Act, or GLBA, will only apply to those entities that fall under the definition of a “financial institution” as defined by the statute.  See 15 U.S.C. § 6809(3) (“The term ‘financial institution’ means any institution the business of which is engaged in financial activities as described in section 1843(k) of title 12”).  On the state level, states such as Pennsylvania, New Hampshire, and South Carolina have a WISP requirement for certain insurers as defined by the state’s insurance code.   See, e.g., 31 Pa. Code § 146c.3 (“A licensee shall implement a comprehensive written information security program that includes administrative, technical, and physical safeguards for the protection of customer information.”).

Given the relatively narrow scope of many of these WISP requirements, the Massachusetts regulations stand out as particularly broad.  Far from being cabined to entities within a particular industry, the Massachusetts regulations do not limit their application to entities that are domiciled or headquartered in Massachusetts, or even that specifically do business in Massachusetts.  Rather, they apply to “all persons [that is, natural person, corporation, other legal entity, etc.] that own or license personal information about a resident of the Commonwealth.”  201 CMR 17.01(2).  In other words, if a business “owns or licenses” the personal information about a single resident of Massachusetts, the regulations (and thus the requirement to develop a WISP) will apply.[2]  This is true even if an organization is already regulated by some other regulatory scheme, such as HIPAA.  See Commonwealth v. Milton Pathology Assocs., P.C., Civ. A. No. 12-4568 H, 2012 Mass. Super. LEXIS 2902 (Super. Ct. Dec. 20, 2012) (requiring a HIPAA-covered entity to maintain a WISP).

Why Should You Have a WISP?

The first reason to have a WISP is because the law might require it, and being out of compliance can prove to be an expensive and embarrassing risk.  The Commonwealth of Massachusetts has entered into consent judgments with parties in part (if not exclusively) to bring them into compliance with this requirement.  The Attorney General of Massachusetts is an avid enforcer of the WISP requirement.  See, e.g., Commonwealth v. Briar Grp., LLC, Civ. A. No. 11-1185 B, 2011 Mass. Super. LEXIS 2939 (Mass. Super. Ct. March 28, 2011) (requiring implementation of a WISP against a restaurant group accused of “failing to take reasonable steps to protect the personal information obtained from its patrons” in point of sale credit and debit card transactions); Commonwealth v. Haney, Civ. S. No. 16-00183m 2016 Mass. Super. LEXIS 915 (Super. Ct. January 14, 2016) (requiring a solo real estate practitioner to implement a WISP after allegedly failing to notify clients of a data breach); Milton Pathology Assocs., P.C., 2012 Mass. Super. LEXIS 2902.  So is the Federal Trade Commission with regard to the WISP requirement in the GLBA’s Safeguards Rule.  See In the Matter of Paypal, Inc., 162-3102, ¶ 40a (Fed. Trade Commission, 2017) (bringing a complaint against Venmo for failing to have a WISP through “at least August 2014”).

Having a good WISP might be as important as simply having one at all.  In the wake of the 2017 Equifax breach affecting millions of individuals, the Attorney General of Massachusetts (among countless others) sued Equifax.  Among the claims made by the Attorney General was that Equifax had violated the Massachusetts Data Security Regulations by having an insufficient WISP:  “Equifax failed to develop, implement, and maintain an adequate written information security program . . . and . . . this failure made the data breach possible.”  Commonwealth v. Equifax, Inc., Opinion No. 139895; 2018 Mass. Super. LEXIS 66 at *2 (Mass. Super. Ct. April 3, 2018) (emphasis supplied).  Specifically, the Commonwealth alleged that “Equifax knew or should have known” that there was “a serious security vulnerability” in Equifax’s systems; that Equifax “failed to patch or upgrade its software to eliminate this vulnerability”; and that “Equifax did not even take reasonable steps to determine whether unauthorized parties were infiltrating its computer systems.”  Id.  Considering the issue at the motion to dismiss stage, the court concluded that the Commonwealth stated a claim and denied the motion to dismiss.  Id. at *3.  Critically, the Commonwealth used the WISP requirements as a basis for a series of allegations that Equifax did not take reasonable measures to prevent or mitigate the breach—emphasizing that it is not the mere existence of the document, but the adequacy of the practices, that the regulations are intended to control.

In fact, in Massachusetts, the data protection statute authorizing the regulations that require the WISP has itself recently changed, requiring that in the event of a breach triggering notification to the Attorney General and the Office of Consumer Affairs and Business Regulations, the company notify these agencies whether a WISP was in place at the time of the breach.  See G.L. c. 93H § 3(b).  The clear intent of this change to the statute is to (1) create an in terrorem motivation to put a WISP in place if one has not yet been developed, and (2) make it easier for the Commonwealth to prosecute cases in which a breach occurred without adequate safeguards.

The second reason to have a WISP is that it can provide a defense to liability.  Data breaches are, unfortunately, ubiquitous.  So long as the data breach looms large, so too does the follow-on lawsuit.  But data breaches are notoriously difficult events for which to hold companies liable.  In federal court, simply getting through the hurdle of Article III standing can be impossible.  See, e.g., Clapper v. Amnesty International, 133 S. Ct. 1138 (2013) (holding that, in order for a plaintiff who alleges future harm to have the necessary Article III standing to sue in federal court, the plaintiff must demonstrate that the harm is “certainly impending”); Carlsen v. GameStop, Inc., 112 F. Supp. 3d 855 (D. Minn. 2015) (applying Clapper to hold that there was no actual injury arising from the defendant’s alleged use of Facebook to share personally identifiable information in violation of the company’s privacy policy).  But see Remijas v. Neiman Marcus Group LLC, 794 F.3d 688 (7th Cir. 2015) (“Clapper does not . . . foreclose any use whatsoever of future injuries to support Article III standing” in the case of a data breach).  When the cause of action is a state-based tort claim, such as negligence, the presence of a WISP can also make it difficult for a plaintiff to survive a motion to dismiss.  See Guin v. Brazos Higher Educ. Serv. Corp., Civ. No. 05-668 (RHK/JSM), 2006 U.S. Dist. LEXIS 4846 *12 (D. Minn. Feb. 7, 2006) (noting that, while defendant conceded owing plaintiff a duty of care pursuant to the GLBA’s requirement of maintaining a WISP, the fact that the defendant indeed maintained a WISP was evidence of reasonable care); Warren v. Rodriguez-Hernandez, Civ. A. No. 5:10CV25, 2010 U.S. Dist. LEXIS 96121 at *15 (N.D.W.V. Sept. 15, 2010) (noting that plaintiffs could offer no evidence that their information had not been adequately protected given that, among other things, defendants maintained a WISP).

Conversely, failing to have a WISP can potentially be evidence of negligence.  When in search of a working theory of liability for a claim against an organization suffering a data breach, plaintiffs can turn to WISP requirements as evidence of a duty, and thus bring a claim sounding in negligence (whether or not it succeeds).  See Baum v. Keystone Mercy Health Plan, 826 F. Supp. 2d 718, 721 (E.D. Pa. 2011) (remanding a removal case to state court when the state statute requiring a “comprehensive” WISP potentially allowed for a negligence per se claim even though HIPAA did not provide a private right of action); Rebello v. Lender Processing Servs., 30 N.E. 3d 999, 1016 (Ohio App. 2015) (holding that the GLBA “manifests a clear public policy against the unauthorized access and disclosure of the nonpublic personal information of consumers” applicable to plaintiff in an unlawful termination suit, as manifested in part through the WISP requirement, and allowing the claim to proceed).

The third reason to have a WISP is that it is simply good practice.  While having a WISP can help an organization avoid compliance and litigation risk, having a WISP—that is, having actual practices to safeguard PII, memorialized in a document read and understood by those who handle such data—can, before any discussion of liability, help avoid a data breach or minimize the fallout from a data breach if it occurs.  In the end, isn’t that the point?

What Does the Future Hold?

The WISP is not only here to stay; it stands a good chance of becoming a universal instrument in a complete data management tool kit, both as a matter of good practice and a matter of law.  For example, the EU’s General Data Protection Regulation, or GDPR, does not specifically require a WISP.  But the law has a host of requirements suggesting something like a WISP is prudent, if not required.  See, e.g., GDPR Art. 5(2) (noting that the controller of personal data “shall be responsible for, and able to demonstrate compliance with” the requirement that personal data be processed lawfully, which includes processing with adequate security); id., Art. 25(2) (“The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed.”).  Given the GDPR’s potentially global territorial scope, something like a WISP is almost certainly going to become a legal norm.

In short, the WISP is a deeply important instrument for organizations in their privacy and security programs.  While sometimes overlooked, it is both an increasingly important and ubiquitous regulatory requirement and a critical tool for creating robust security practices in an organization.

 

[1] For purposes of this article, unless otherwise indicated I will use “PII” to refer to the kind of information the practices outlined in WISPs are intended to safeguard.  However, protected information can often be referred to by other terms of art, depending on the regulatory scheme:  non-public financial information (the Gramm-Leach-Bliley Act); protected health information (the Health Insurance Portability and Accountability Act); and personal data (the European General Data Protection Regulation), to name three.

[2] A deep dive into the regulations reveals just how broad their scope is.  A “person” can be a natural person or any legal entity; “owns or licenses” can mean, simply to “process” or simply “have access to” the personal information of a Massachusetts resident.  201 CMR 17.02.

 

Chris is Counsel and Partner-Elect in Foley Hoag’s Litigation Department, and an active member of the firm’s Data Privacy and Security Group.  Chris has an active practice assisting organizations with their privacy compliance, data breach response, and government defense and litigation needs.  In addition, Chris teaches data privacy compliance as a Part-Time Lecturer at Northeastern University School of Law.


Understanding When Competitive Bidding Applies to Affordable Housing in Public-Private Partnerships

by Lauren D. Song and Tyler Creighton

Legal Analysis

Anyone who owns, constructs, or finances a construction project involving public funds, public ownership, and/or public use must carefully consider whether the project may be classified as “public construction.” If so, the project will be strictly regulated under an array of local, state, and federal requirements, including competitive bidding and procurement requirements, prevailing wages, bonding, and affirmative action goals. Mistakenly treating a project with a strong public-private interdependence as exempt from the public construction laws can expose the hybrid project to bid disputes, financial penalties, unenforceable contracts, and costly delays in the permitting, acquisition, funding, rehabilitation, and construction of critically needed housing. But compliance with the Massachusetts system of procurement when not required to will also constrain the construction process, significantly increase project cost and time, and result in other inefficiencies. This article reviews two bid protests recently decided by the Massachusetts Office of Attorney General (“AG”) to illustrate the challenges inherent in determining when affordable housing projects undertaken through public-private partnerships (“P3”)[i] may be “public construction” for purposes of the competitive bidding requirements under G.L. c. 149, §§ 44A–44H (“statute”).

I. Background: Public-Private Partnerships for Affordable Housing 

Greater Boston perennially ranks among the top five nationally for highest average rents and home prices. But because of the lack of funding, most low-income people in Massachusetts do not receive rental assistance, and three in ten low-income people are either homeless or must pay over half of their income in rent. The need for affordable housing preservation and production is at a crisis level in Massachusetts and nationally.[ii]

As the supply of affordable housing in the private market has lagged, public housing has been dying a slow death of divestment for decades. Established under the United States Housing Act of 1937, the public housing program produced nearly 1.4 million units nationwide, but today, only about 1 million units remain with a combined $49 billion backlog in unaddressed repairs.[iii] This backlog will continue to rise even as more federal public housing units are lost permanently with the U.S. Housing and Urban Development’s (“HUD”) effort to “reposition” the public housing inventory through public-private partnerships under the Section 18 demolition and disposition, Rental Assistance Demonstration (“RAD”), and Moving to Work programs.

The trend favors increased P3 initiatives with an expectation of greater efficiencies through risk sharing, leveraging financing from both public and private sectors, and accessing broader innovations, knowledge and skills. Already, “most HUD programs are structurally public-private partnerships (P3s) or have some public-private aspects.” Yet the legal uncertainty and fact-specific scrutiny necessary to determine when P3 arrangements are subject to the competitive bidding requirements may inadvertently chill critically-needed private investments for affordable housing in Massachusetts.

II. Massachusetts Public Construction Law

A. Massachusetts Competitive Bidding Statute

The Massachusetts public construction bidding law mandates that “[e]very contract for the construction, reconstruction, installation, demolition, maintenance or repair of any building by a public agency estimated to cost more than $150,000 … shall be awarded to the lowest responsible and eligible general bidder on the basis of competitive bids in accordance with the procedure set forth in section 44A to 44H.” G.L. c. 149, § 44A(1)(D).[iv] The dual remedial purpose of the statute is to eliminate favoritism and corruption through “an honest and open procedure for competition for public contracts,” Interstate Engineering Corp. v. Fitchburg, 367 Mass. 751, 757 (1975), and to ensure that taxpayers’ dollars obtain the lowest price for competent construction by qualified bidders under uniform criteria. Fordyce v. Town of Hanover, 457 Mass. 248, 259-60 (2010).

The AG is “charged with investigating allegations of violations of the competitive bidding statute and enforcing its provisions” through “bid protests.” Brasi Development Corp. v. Attorney General, 456 Mass. 684, 691 (2010) (“Brasi”). Awards of contracts can also be challenged in Superior Court where “the potential class of plaintiffs … is not necessarily limited to the low bidder on each contract” because standing is interpreted liberally in furtherance of the statute’s remedial purpose.[v] Barr Inc. v. Town of Holliston, 462 Mass. 112, 119 (2012).

The AG may enforce her bid protest decision by filing an action in the Superior Court. See G. L. c. 149, §§ 27C (a), 44H. However, the AG’s bid protest decision is accorded no deference by the courts which construe the statute de novo. Brasi, 456 Mass. at 694. Accordingly, a bid protest decision cannot settle the legal uncertainty as to whether and under what circumstances the statute applies to P3s.

B. The Brasi “Totality of Circumstances” Test

In Brasi, the Supreme Judicial Court (“SJC”) held that the competitive bidding statute applied to a “build to lease” arrangement between a private developer, Brasi Development Corporation (“BDC”), and the University of Massachusetts at Lowell (“University”). In so deciding, the SJC adopted a totality of circumstances test to conclude that the so-called “lease back” scenario[vi]  in Brasi was in fact “the functional equivalent of a construction contract.” Id. at 684. The SJC reasoned that “limiting the inquiry to the [Request for Proposal (‘RFP’) as has been done in other contexts] ignores relevant circumstances that have a direct bearing on the transaction that the parties contemplated,” and that the totality of circumstances indicated the creation of a project by “an agency for the agency’s use in carrying out its public purpose” which constitutes “construction of a building by a public agency” to which the statute applies. Id. at 697-699.

Specifically, the SJC concluded that where BDC was obligated to construct a dormitory and lease it back to the University for up to 30 years subject to the University’s option to purchase and automatic transfer of ownership at the end of the lease, the “character of the agreement was, in essence, a contract for construction by a public agency… rather than a lease.” Id. at 684. The SJC admonished that “[o]therwise, the parties could easily employ long-term leases to evade the ‘competitive bidding requirement’ of the procurement statute.” Id. at 695. Brasi underscores that in evaluating whether public bidding laws apply to a P3, (1) public ownership is not necessary or dispositive and, (2) the “totality of the circumstances” of all agreements focuses on whether there is a “creation of a project by the [public] agency” that is “for the agency’s use in carrying out its public purposes.” Id. at 697.

III. Recent Attorney General Decisions on P3 Projects

A. Holyoke Housing Authority Decision: Public Housing Conversion under RAD

On June 20, 2019, the AG issued a detailed decision in In re Holyoke Housing Authority Rehabilitation of Lyman Terrace (“Holyoke Housing”) methodically applying the Brasi factors to the P3 rehabilitation of Lyman Terrace (“Project”) and found that the project constituted a public construction subject to the statute. However, the AG expressly declared that the decision in Holyoke Housing was “prospective only and, therefore, does not apply to this specific project, but will serve as guidance to other awarding authorities.” Holyoke Housing, p. 2.

This Project involved the conveyance and rehabilitation of 167 units of distressed federal public housing built in 1939 and owned by the Holyoke Housing Authority (“HHA”) to The Community Builders, Inc. (“TCB”), a private developer, as part of HUD’s RAD program under a 75-year ground lease (“Ground Lease”).[vii] Largely consistent with HHA’s RFP, the Master Development Agreement (“MDA”) required TCB to “initiate, coordinate and administer all planning, design, development, financing, construction and management activities in connection with” the Project,[viii] subject to certain rights of HHA to approve the general contractor and to review the plans, and subject to procedures for the selection of the contractor to help ensure competitive pricing, payment of prevailing wages, and compliance with other contracting standards.

To implement the Project, TCB formed a separate private limited liability company (“Owner”) to own Phase 1 of the Project pursuant to G.L. c. 121A, and HHA obtained HUD’s approval for the disposition of the public housing units under the RAD program. The Owner paid a base rent of $2,710,000 to HHA, and obtained over $35 million of financing for Phase 1 (including a $1 million loan from HHA, eight other loans from different public and private lenders, and almost $16 million of private equity contribution from the allocation of low-income housing tax credits (“LIHTC”)).[ix] TCB provided all corporate construction completion guarantees required by financing sources.

In exchange, as required for the RAD conversion, HHA entered into new Housing Assistance Payment (“HAP”) contracts with HUD to ensure the Owner would receive subsidy payments for the continued operation of the rehabilitated units under the Section 8 program. HHA and HUD also retained regulatory and enforcement rights with respect to the Section 8 HAP contracts, and HHA retained a limited right of first refusal and the option to buy back the buildings in 15 years. Other agreements obligated the Owner to “maintain the public purpose of the housing development” by operating and managing the rehabilitated units as affordable for low-income residents. Holyoke Housing, at 12.

According to the AG, the RAD Project posed the question under Brasi: “whether the public bidding laws apply when a private entity undertakes construction on a housing project that was initially owned by a public housing authority, was initiated by the public housing authority, is funded by public money, serves a governmental purpose, with control over the design and construction process retained by the public housing authority which may revert to the public housing authority if the authority pays fair market value, within a relatively short amount of time.” Holyoke Housing, p. 11. Notably, absent from the Project is the “lease back” arrangement that troubled the SJC in Brasi.[x] Rather, Holyoke Housing reveals a complex and pervasively regulated set of transactions typical of RAD conversions, which is one of the limited options available to some housing authorities to preserve distressed public housing units as affordable housing.

Nonetheless, the AG decided the Project was subject to the statute, applying the Brasi factors and following the SJC’s focus on whether the Project will “assist the public entity in ‘carrying out its public purposes.’” Id. at 11-12. The AG also queried why a home-rule waiver from the statute had not been sought for the Project, as had been successfully done in other similar public housing redevelopments undertaken by TCB. See Holyoke Housing, p. 4.

B. Chestnut Park Preservation Decision: Privately-Owned, LIHTC Housing

On September 25, 2019, the AG decided In re MHFA, DHCD, and City of Springfield: Chestnut Park Apartments (“Chestnut Park”) finding that the P3 project there did not constitute public construction. Chestnut Park involved the occupied-rehabilitation of a privately-owned and privately-developed, 489-unit, LIHTC-financed, mixed-income rental housing development (“LIHTC Project”). In concluding that the LIHTC Project was not a “construction of a building by a public agency” subject to the statute, the AG recognized that there are “two separate legislative systems for creating and maintaining affordable housing…on both the state and federal levels”: a public housing system owned by public agencies that rely on grants and operating subsidies (as in Holyoke Housing), and a private affordable rental housing system developed, owned, and operated by private for-profit and non-profit entities relying on public and quasi-public loans, subsidies, and tax incentives. Chestnut Park, pp. 9-11. The AG then declared that nevertheless, even privately-owned affordable housing like the LIHTC Project is subject to the Brasi test. The AG also rejected a narrow interpretation of Brasi that the “totality of circumstances” test is “confined to cases involving leases.” Chestnut Park, p. 11. Finally, the AG distinguished Chestnut Park from the facts in Brasi and Holyoke Housing to conclude that because the public lenders, MHFA, DHCD, and the City of Springfield (collectively “Public Agencies”), “did not initiate or plan the design or construction of the Project; have never owned and will not own the Project land, buildings or improvements; do not have an absolute right to acquire the premises; and do not control the design or construction of the Project in any way other than as lenders, the public bidding laws do not apply” to the LIHTC Project. Id., p. 2 (italics added).

Applying Brasi to each of the indicia of public ownership, project control, use, purpose, and funding, the AG rejected the argument that Chestnut Park Apartments is a government agency-financed and controlled affordable housing facility subject to the statute, and determined that the conditions of financing in the Public Agencies’ regulatory agreements did not constitute “significant control over either the design or the construction of the Project” but were “programmatic” requirements for the operation of the LIHTC Project as affordable housing consistent with the Public Agencies’ public purpose and underwriting requirements.[xi] Id., pp. 12-15. The AG concluded that “public financing alone ‘does not render a private development … a public building or public work, or make [an owner] an agent or servant of a public instrumentality,’” and noted that “[i]f that were the case, the private businesses that invest in low-income communities while benefiting from the New Markets Tax Credit Program … would become subject to laws governing public construction and prevailing wage,[xii] since they [likewise] advance the public purpose of serving low-income communities.” Chestnut Park, pp. 16-17 (quoting Salem Bldg. Supply Co. v. J.B.L. Constr. Co., 10 Mass. App. Ct. 360, 362 (1980)).

IV. More Challenges on the Horizon?

The AG’s recent bid protest decisions applying the Brasi totality of circumstances test underscore that in Massachusetts, all public and privately-owned P3 projects are well-advised to continue to consider carefully the applicability of the statute and all other public construction requirements[xiii] when one or more of the following “red flags” of potential challenge is present: (1) direct or indirect public ownership in part or all of the project, (2) public or quasi-public financing in the form of equity or debt, or assumption of risks or provision of guarantees, (3) significant public entity control over the construction, rehabilitation, or design of the project, and/or (4) construction to serve a specific public purpose or public use. By addressing the legal requirements for public construction early, P3 projects will be optimally positioned to provide badly needed affordable housing efficiently, with quality construction, within budget, and in a timely manner, and avoid costly public relations hiccups and litigation.

 

Lauren D. Song is a Senior Attorney at Greater Boston Legal Services where her practice focuses on affordable housing preservation and development through public-private partnerships, including under the federal “Section 18,” “RAD,” and state demonstration programs. Lauren is a current member of the Boston Bar Journal and the Citizens’ Housing and Planning Association.

Tyler Creighton is a law student at Boston University and former legal intern with Greater Boston Legal Services. Prior to law school, Tyler worked on election and voting policies with Common Cause Massachusetts and ReThink Media.  

 

[i] The U.S. General Accounting Office defines “public-private partnerships” as joint efforts between the public and either the private for-profit or private nonprofit sectors.

[ii] All five Greater Boston counties rank nationally in the top 10 percent for income inequality. The median rent of $2,450 for a one bedroom apartment in Boston in 2019 is unaffordable for most lower-income and working-class households.

[iii] “Public housing” refers to federal public housing in this article unless otherwise specified. Public housing is funded exclusively by Congressional appropriations. HUD administers the public housing operating and capital funds appropriated by Congress to approximately 3,300 public housing authorities (“PHAs”). However, Massachusetts (along with New York, Connecticut, and Hawaii) also has a state public housing program comprised of more than 240 local PHAs and overseen by the Massachusetts Department of Housing and Community Development (“DHCD”) which also faces a $2 billion capital funding shortfall.

[iv] In Massachusetts, “public construction” falls generally under two categories of either “vertical construction” of “public buildings” governed by G.L. c. 149, or “horizontal construction” of “public works” governed by G.L. c. 30, § 39M. Generally, the vertical projects are subject to more requirements than the horizontal projects. The AG has jurisdiction to investigate bid protests in both vertical and horizontal  construction.

[v] See e.g., Andrews v. City of Springfield, 75 Mass. App. Ct. 678 (2009) (standing for group of city residents); Associated Subcontractors of Mass., Inc. v. Univ. of Mass. Bldg. Authority, 442 Mass. 159 (2004) (standing for subcontractors’ association); East Side Const. Co. v. Town of Adams, 329 Mass. 347 (1952) (standing for group of taxpayers).

[vi] Lease backs typically involve creative arrangements where a public entity leases land to a private developer (often for a de minimis amount) in exchange for the developer’s promise to build on the land and then enter into a [sub]lease-to-own agreement for the construction with the public entity. See, e.g., Andrews v. City of Springfield, 75 Mass. App. Ct. 678, 679 (2009) (invalidating lease and option to purchase because “Springfield’s request for proposal (RFP), while styled as a lease, was in reality a construction project subject to the bidding procedures set forth in c. 149” which Springfield did not follow).

[vii] RAD allows for significant PHA discretion in how the public-private interdependence is structured. At a minimum, RAD conversions of public housing to the more reliable Section 8 platform allow PHAs greater access to private financing and on better loan terms for renovations. See, e.g., Fischer, Will. 2014. “Expanding Rental Assistance Demonstration Would Help Low-Income Families, Seniors, and People with Disabilities.” Center on Budget and Policy Priorities. See also, Meryl Finkel, Ken Lam, Christopher Blaine, R.J. de la Cruz, Donna DeMarco, Melissa Vandawalker, Michelle Woodford.  (Nov. 2010). Capital Needs in the Public Housing Program.

[viii] HHA separately undertook the “horizontal” improvement of the public works for Lyman Terrace through grants. HHA used a contractor selected through a competitive bid process but subsequently contracted with a TCB affiliate to complete the site improvement.

[ix] The Low-Income Housing Tax Credit (LIHTC), created by the Tax Reform Act of 1986, is now the most significant private incentive for affordable rental housing production in the United States, involving more than 3.13 million housing units placed in service between 1987 and 2017.

[x] Some have argued that the Brasi totality of circumstances test applies only in similar “build to lease” or “lease back” scenarios.

[xi] The Public Agency loans impose certain affordability, unit-mix, tenant-selection, and other use restrictions for 52 years, after which the units can be converted into market-rate housing under G.L. c. 40T, § 3.

[xii] While the AG is charged with enforcing the state’s prevailing wage statute, the Massachusetts Department of Labor Standards is tasked with issuing state prevailing wage schedules and making applicability determinations, Felix A. Marino Co. v. Comm’r of Labor and Indus., 426 Mass. 458, 460 (1998), and has adopted Brasi’s totality of the circumstances test for determining whether a project is a “public work” subject to the prevailing wage law. See e.g., Re: Construction of Leasehold Space in Private Buildings by Charter Schools for the Purpose of Use as a School, Prevailing Wage Program Opinion Letter (Feb. 22, 2012). Notably, projects that are covered by the state’s prevailing wage statute, G.L. c. 149, §§ 26–27, are not necessarily subject to the competitive bidding statute and vice versa. This is because, for example, there are amount thresholds in the Competitive Bidding Statute not applicable to the Prevailing Wage Statute, and whereas the bidding laws cover “buildings by a public agency,” the prevailing wage laws apply to “public works.”

[xiii] Other issues that may affect P3 projects in addition to competitive bidding requirements, whether federal, state or local, include those relating to: (1) prevailing wages, (2) work force policy mandates relating to DBE, WBE, LBE, etc., (3) procurement restrictions on materials and equipment, (4) bonding requirements, (5) mechanic’s lien rights, and (6) even the timing of presentation of claims or commencing an action or the applicability of sovereign immunity or limits on damages.


Gelfgatt, Jones, and the Future of Compelled Decryption

by Eric A. Haskell

Legal Analysis

As great quantities of data have come to repose in electronic devices, obtaining access to the content of those devices has come to be greatly important to law enforcement in many criminal investigations.  It sometimes happens that law enforcement has a right—typically pursuant to a search warrant—to search for data on a particular device, but is prevented from doing so by the presence of a password or other “key” that makes the data inaccessible or unreadable.  Law enforcement sometimes can bypass the password on its own.  See generally O.S. Kerr & B. Schneider, Encryption Workarounds, 106 Geo. L.J. 989 (2018).  But, other times, the only practical way law enforcement can execute the search is with the help of a person who knows the password.  Because the person who knows the password often is the suspect, their help generally is available only if compelled by court order.  Such “compelled decryption” implicates not only the constitutional requirement that the search of the device be “reasonable,” but also the suspect’s constitutional privilege against compelled self-incrimination.

Basic Principles of the Privilege Against Self-Incrimination

The Fifth Amendment to the federal Constitution provides that “[n]o person . . . shall be compelled . . . to be a witness against himself . . . .”  Article 12 of the Massachusetts Declaration of Rights similarly provides that “[n]o subject shall . . . be compelled to accuse, or furnish evidence against himself.”  Decisional law has interpreted these privileges to bar the government from: (1) compelling a person; (2) to make a testimonial communication; (3) that is incriminating.  Fisher v. United States, 425 U.S. 391, 408 (1976); Commonwealth v. Burgess, 426 Mass. 206, 218 (1997).

The privilege does not protect against compelled provision of a physical identifier such as fingerprints, a blood sample, or a handwriting exemplar.  See generally Schmerber v. California, 384 U.S. 757, 767 (1966); Commonwealth v. Brennan, 386 Mass. 772, 776-83 (1982).  This is because such identifiers do not “extort[] . . . information from the accused” or “attempt to force him to disclose the contents of his own mind,” and thus are not viewed as sufficiently “testimonial” for the privilege to attach.  Doe v. United States, 487 U.S. 201, 210-11 (1988).  Nor does the privilege shield documents from being disclosed pursuant to compulsion, even if their contents are incriminating.  United States v. Hubbell, 530 U.S. 27, 35-36 (2000).  This is because “the creation of those documents was not ‘compelled’ within the meaning of the privilege.”  Id.

The privilege may apply where the mere act of producing a document or a thing is “testimonial” in that it implies an incriminating assertion of fact, such as: that the demanded object exists; that the object produced is authentic; or that the suspect possesses or controls the object.  Fisher, 425 U.S. at 410; Commonwealth v. Hughes, 380 Mass. 583, 588-93 (1980).  But this “act of production” doctrine does not apply where law enforcement already has independent evidence of the incriminating assertions that the act of production would imply.  In other words, if the act of production “adds little or nothing to the sum total of [law enforcement’s] information,” then any facts implied by the act of production are “foregone conclusions” and the privilege does not apply.  Fisher, 425 U.S. at 411; Hughes, 380 Mass. at 592.

Commonwealth v. Gelfgatt

In Gelfgatt, the defendant was arrested in connection with a complex fraud scheme that involved the creation and recording of forged mortgage assignments.  Commonwealth v. Gelfgatt, 468 Mass. 512, 514-15 (2014).  On the day of his arrest, investigators seized several encrypted devices from his home and also interviewed the defendant, who asserted that he was capable of decrypting them.  Id. at 516-17.  After the defendant was charged with forgery, uttering, and attempted larceny, the Commonwealth filed a motion seeking to compel him to enter the passwords into the encrypted devices.  Id. at 517-18 & n.10.  The Superior Court denied the motion and reported the case to the SJC.

The SJC determined that the contents of the devices were not privileged on self-incrimination grounds because they had been “voluntarily created by the defendant in the course of his real estate dealings.”  Id. at 522 n.13.  The SJC then held that the defendant’s act of entering the passwords would be a testimonial act of production, because it would implicitly acknowledge his “ownership and control of the computers and their contents.”  Id. at 522.  But, the SJC continued, the defendant had already acknowledged as much in his statement to the police; thus, any facts implied by his entering the passwords were foregone conclusions.  Id. at 523-24.  In doing so, the SJC commented that the “foregone conclusion” exception would apply where law enforcement already was aware of “(1) the existence of the evidence demanded; (2) the possession or control of that evidence by the defendant; and (3) the authenticity of the evidence.”  Id. at 522 (citing Fisher, 425 U.S. at 410-13).

Commonwealth v. Jones

In Jones, the defendant was arrested and later charged with sex trafficking and deriving support from prostitution.  Commonwealth v. Jones, 481 Mass. 540, 543-44 (2019).  At the time of his arrest, he possessed a cellular telephone that, the police learned from other sources, he had used to facilitate prostitution transactions.  Id.  The Commonwealth filed a motion seeking to compel him to decrypt the telephone (although, as discussed below, the motion imprecisely described what it sought to compel him to do).  The motion judge demurred, interpreting Gelfgatt to require the Commonwealth to establish “(1) the existence of the evidence demanded; (2) the possession or control of that evidence by the defendant; and (3) the authenticity of the evidence,” and concluding that the Commonwealth had failed to demonstrate those propositions with “reasonable particularity.”  Id. at 545, 548, 553 n.14.  The Commonwealth subsequently made a renewed motion, furnishing additional evidence that, it argued, showed that the defendant’s knowledge of the telephone’s password was a foregone conclusion.  Id.  But the motion judge declined to consider the newly-furnished evidence without a showing that it had been unknown or unavailable to the Commonwealth at the time of the initial motion.  Id. at 545, 558-59.  The Commonwealth then sought relief before a single justice of the SJC, who reserved and reported the case to the full Court on three questions: (1) what burden of proof the Commonwealth must bear to establish the “foregone conclusion” exception to the privilege under Gelfgatt; (2) whether the Commonwealth had met that burden; and (3) whether the Commonwealth was required, in a renewed Gelfgatt motion, to show that any newly-furnished evidence had been unknown or unavailable at the time of the initial motion.

Before answering those questions, the SJC addressed a threshold issue:  What factual assertions must the Commonwealth demonstrate are “foregone conclusions” in order to obtain a Gelfgatt order?  The SJC answered that, when the Commonwealth seeks to compel a defendant to enter a password into a device, “the only fact conveyed . . . is that the defendant knows the password, and can therefore access the device.”  Id. at 547-48.  The Court rejected the proposition that the compelled entry of a password also asserts the defendant’s ownership and control of the device, observing that “individuals may very well know the password to an electronic device that is owned and controlled by another person.”  Id. at 547 n.8.  Accordingly, the SJC concluded, the Commonwealth may invoke the “foregone conclusion” exception simply by showing that the defendant knows the password.  Id.

Turning to the reported questions and relying on article 12, the SJC held that the Commonwealth must make that showing beyond a reasonable doubt.  Id. at 551-55.  Applying that standard, the Court found that the Commonwealth had shown the defendant’s knowledge of the password beyond a reasonable doubt, where: (1) the defendant possessed the telephone at the time of his arrest; (2) one month before his arrest, when asked by the police for his number, the defendant had provided the telephone’s number; (3) a woman told the police that the defendant used the telephone to facilitate prostitution transactions; (4) the telephone’s subscriber records were associated with a second number that was associated with the defendant; and (5) the telephone’s cellular site location information (CSLI) placed it in the same locations at the same times as another telephone that was confirmed to belong to the defendant.  Id. at 555-58 (“[S]hort of a direct admission, or an observation of the defendant entering the password himself and seeing the phone unlock, it is hard to imagine more conclusive evidence of the defendant’s knowledge of the [telephone’s] password.”).  Finally, the Court found that the motion judge abused his discretion by declining to consider evidence presented in the Commonwealth’s renewed motion that was not shown to have been unknown or unavailable at the time of the initial motion.  Id. at 558-61.  The Court observed that a Gelfgatt motion, “[m]uch like a search warrant application,” is an “investigatory tool,” the factual support for which may evolve over the course of an investigation.  Id. at 559-60.

The Future of Compelled Decryption

Although Gelfgatt and Jones mark the SJC as a national leader on compelled decryption issues, important questions remain to be answered.

  • Non-Gelfgatt Decryption Procedures

The order in Gelfgatt required the defendant to appear at a digital forensic lab, to enter the password into each device, and “immediately [to] move on . . . .”  468 Mass. at 517 n.10.  It also forbade the Commonwealth from viewing or recording the password entered by the defendant.  Id.  In contrast, the order sought in Jones was “not perfectly clear” as to what it would require the defendant to do, but “suggested that it sought to require the defendant to make a written disclosure of the actual password.”  481 Mass. at 546 n.9.  Acknowledging the possible infirmity with such a procedure, the SJC construed the order sought in Jones as tracking the one sought in Gelfgatt, and approved its issuance on that basis.  Id.

The SJC was correct to hesitate when faced with a request to compel the defendant to disclose his password to law enforcement.  This is because the compelled disclosure of a password is not a testimonial act of production to which the “foregone conclusion” exception might apply: Rather, it is a “pure” testimonial statement to which the “foregone conclusion” exception cannot apply.  See id. (acknowledging as much in dicta); see also United States v. Oloyede, Nos. 17-4102, 17-4186, 17-4191, & 17-4207, — F.3d —, 2019 WL 3432459 (4th Cir. Jul. 31, 2019) (distinguishing between suspect’s typing password into device and giving password to law enforcement).

Furthermore, in both Gelfgatt and Jones, the suspect was not compelled to produce any particular files from the device after decrypting it; that was left to the analyst executing the warrant.  In Jones, the SJC highlighted this aspect of the decryption procedure, observing that “the analysis would have been different” if the suspect had been compelled to produce particular files, because doing so “would implicitly testify to the existence of the files, [the suspect’s] control over them, and their authenticity.”  481 Mass. at 548 n.10.  In that situation, the Commonwealth would have been obligated to prove, beyond a reasonable doubt, that those additional assertions were foregone conclusions before it could obtain a corresponding Gelfgatt order.  Cf. Hubbell, 530 U.S. at 44-45 (act of production is privileged where grand jury subpoena would require recipient to produce documents whose existence and location were previously unknown to government).

  • Cloud-Based Storage

Gelfgatt and Jones both involved a tangible device that was in the physical possession of law enforcement.  But their holdings as to the privilege against compelled self-incrimination can also be applied to a request to compel decryption of a cloud-based digital space.  Such a request would follow the same analysis, with law enforcement required to: (1) have a right to search the cloud location; (2) show beyond a reasonable doubt that the suspect knows the password to access the cloud location, thereby availing itself of the “foregone conclusion” exception; and (3) allow the suspect to input the password in a way that law enforcement does not see or record.

  • Biometric Keys

In both Gelfgatt and Jones, the sought-after “key” was an alphanumeric password.  But a key can also take the form of a biometric such as a facial scan, retinal scan, or fingerprint.  Biometric keys introduce two novel questions:  (1) is compelled biometric decryption properly viewed as a testimonial act of production, and thus within the scope of the privilege against compelled self-incrimination?; and, if so, (2) what must law enforcement show is a “foregone conclusion” before it can compel such biometric decryption?

Courts have answered the first question both ways.  Some have viewed the compelled biometric decryption as no different than compelled provision of a traditional physical identifier, and thus nontestimonial.[1]  See, e.g., State v. Diamond, 905 N.W.2d 870, 875-76 (Minn. 2018); In re Search of [Redacted], 317 F. Supp. 3d 523, 535-37 (D.D.C. 2018); In re Search Warrant Application for [Redacted], 279 F. Supp. 3d 800, 803-05 (N.D. Ill. 2017); Commonwealth v. Baust, 89 Va. Cir. 267, 2014 WL 10355635 (Va. Cir. Ct. Oct. 28, 2014).  Others have reasoned that, unlike providing a physical identifier, compelled biometric decryption implies factual assertions about the suspect’s relationship with the device.  See, e.g., Seo v. State, 109 N.E.3d 418 (Ind. App. 2018), vacated and transferred to Ind. Supreme Court, 112 N.E.3d 1082 (Ind. 2018); In re Application for Search Warrant, 236 F. Supp. 3d 1066, 1073-74 (N.D. Ill. 2017); In re Search of a Residence in Oakland, Cal., 354 F. Supp. 3d 1010, 1015-16 (N.D. Cal. 2019); In re Search of White Google Pixel 3 XL Cellphone, No. 1:19-mj-10441, 2019 WL 2082709 at *3-4 (D. Idaho May 8, 2019).  No Massachusetts court has yet issued a published opinion on this issue.

In this author’s view, law enforcement should be prepared for a Massachusetts court to depart from the traditional treatment of compelled provision of a physical identifier, and instead to view compelled biometric decryption as a testimonial act of production.  Compelled provision of a physical identifier has been deemed nontestimonial not because it does not assert facts, but rather because the facts that it does assert are so “self-evident” as to be “[in]sufficiently testimonial for purposes of the privilege.”  Fisher, 425 U.S. at 411 (compelled handwriting exemplar is nontestimonial for purposes of the privilege, despite its asserting both that handwriting belongs to suspect and that suspect is literate); accord Commonwealth v. Nadworny, 396 Mass. 342, 363-64 (1985) (fact that defendant is right-handed, unlike handwriting exemplar itself, is testimonial, although “trivial”).  But, when law enforcement seeks to compel biometric decryption, its object is not merely provision of the biometric standing alone:  If it were, the method of capturing the biometric would not matter, and investigators could just as well take a photograph of the suspect’s face, or ink-and-paper impressions of his fingerprints.  Rather, the object of compelled biometric decryption is the interaction of the biometric, in a pre-programmed fashion, with a particular device.  The successful interaction of biometric and device, in contrast to the biometric standing alone, asserts at least one fact that neither is trivial nor is self-evident from the biometric—specifically, it asserts that the suspect’s biometric is capable of decrypting the device.[2]  See In re Application for Search Warrant, 236 F. Supp. 3d at 1073.  In other words, compelled biometric decryption asserts facts that are basically similar to those asserted by compelled decryption using a password.

This reasoning simultaneously answers both the first question of whether compelled biometric decryption should be viewed as a testimonial act of production (it should) and the second question of what law enforcement must establish is a “foregone conclusion” before it can compel such a biometric.  If the assertion implied by the compelled biometric decryption is that the suspect’s biometric is capable of decrypting the device, then, pursuant to Jones, that is what the Commonwealth must prove beyond a reasonable doubt.  As in Jones, the Commonwealth can do so through either direct evidence (e.g., that the suspect actually used his biometric to decrypt the device) or circumstantial evidence (e.g., that the suspect used the device in a manner indicating that he must have had the ability to do so).

As a practical matter, the utility of compelled biometric decryption to law enforcement may be circumscribed.  This is because some biometric-based security technologies—including Apple’s popular fingerprint-based Touch ID—self-disable if, since the last time the device was unlocked, too much time has passed, or the device has been restarted or has lost power, or multiple attempts to unlock the device have been unsuccessful.  See About Touch ID Advanced Security Technology.  In addition, law enforcement may have limited ability both to maintain power to a biometrically locked device and to secure it from network activity (i.e., to minimize the risk of remote wiping or deletion of data).  Perhaps for these reasons, federal practice has often encountered requests to compel biometric decryption made as part of an application for an omnibus search warrant that would also authorize law enforcement: (1) to seize the device; and (2) to search the device for particular data after it has been seized and decrypted using the compelled biometric.  See, e.g., In re Search of a Residence in Oakland, 354 F. Supp. 3d at 1013; In re Search of [Redacted], 317 F. Supp. 3d at 525-26; In re Search Warrant Application for [Redacted], 279 F. Supp. 3d at 801-02; In re Application for Search Warrant, 236 F. Supp. 3d at 1066-67.

  • Ex Parte Gelfgatt Proceedings

Gelfgatt and Jones each arose in the posture of a motion filed in a criminal case in the Superior Court.  This posture suggests that, in those cases, any evidence contained on the encrypted device was not necessary to support charges against the defendant.  But some investigations will require a compelled decryption before charges can be brought.  It thus seems likely that some Gelfgatt motions will arise in an ex parte posture.

The Appeals Court has already addressed a Gelfgatt motion arising out of a grand jury investigation, concerning a device that the police had previously obtained a warrant to search.  See In re Grand Jury Investigation, 92 Mass. App. Ct. 531 (2017), further appellate review denied, 478 Mass. 1109 (2018).  The Commonwealth filed a sealed Gelfgatt motion in the Superior Court and attached documents containing grand jury evidence that, the Commonwealth argued, satisfied its burden under the “foregone conclusion” exception.  Id. at 532.  The Commonwealth served the motion, but not the attachments, on counsel for the individual whom it sought to compel.  The Appeals Court affirmed the Superior Court’s issuance of a Gelfgatt order, concluding that the attachments showed that it was a foregone conclusion that the individual knew the password, among other things.  Id. at 534-35; see also Burgess, 426 Mass. at 215-16 (Fifth Amendment applies in same way to grand jury witness/target as to indicted defendant).  The Appeals Court also specifically affirmed the non-disclosure of the attachments to counsel, reasoning that grand jury materials are secret, and that both the Superior Court judge and the appellate court could review the attachments on an ex parte basis.  Id. at 535-36.

It is a small step from In re Grand Jury Investigation to think that at least some Gelfgatt orders may be sought as part of a search warrant application.  Indeed, search warrant applications bear similarities to the motions sustained in Gelfgatt, Jones, and/or In re Grand Jury Investigation:  They are ex parte, they rely on affidavits rather than live testimony, and they form an “investigatory tool that aids investigators in obtaining material and relevant evidence related to a defendant’s conduct.”  Jones, 481 Mass. at 559.  As noted, search warrant applications seeking compelled biometric decryption have appeared in federal practice.  See, e.g., In re Search of a Residence in Oakland, 354 F. Supp. 3d at 1015-16; In re Search of [Redacted], 317 F. Supp. 3d at 535-37; In re Search Warrant Application for [Redacted], 279 F. Supp. 3d at 803-05; In re Application for Search Warrant, 236 F. Supp. 3d at 1073-74.  Nonetheless, a search warrant application seeking a Gelfgatt order in state court would entail innovations to Massachusetts search warrant practice that the applicant must be prepared to address.

The applicant must be prepared to show that the act sought to be compelled is of a type of evidence for which the Legislature has authorized issuance of a search warrant.  See G.L. c. 276, § 1 (enumerating categories of evidence that may be sought by search warrant).  Compelled biometric decryption likely will fall into that category.  See, e.g., In re Lavigne, 418 Mass. 831, 834-35 (1994) (statute authorizes use of warrant to procure bodily sample from suspect); cf. In re Search of [Redacted], 317 F. Supp. 3d at 540 n.13 (declining to decide whether Fed. R. Crim. P. 41 authorizes issuance of warrant to compel biometric decryption, and instead issuing warrant under All Writs Act, 28 U.S.C. § 1651).  Compelled decryption using a password, on the other hand, might not.

The applicant must also be prepared to show that the application does not trigger an adversarial hearing, which the SJC has required as a prerequisite for issuance of warrants for some especially invasive searches.  E.g., Lavigne, 418 Mass. at 835 (warrant to extract blood sample from suspect must be preceded by adversarial hearing at which court can weigh intrusiveness of procedure against need for evidence); Commonwealth v. Banville, 457 Mass. 530, 539-40 (2010) (warrant to obtain suspect’s DNA using buccal swab would have been preceded by adversarial hearing if it had occurred in Massachusetts).  So long as compelled biometric decryption “[does] not involve penetration into [the suspect’s] body,” Banville, 457 Mass. at 539 n.2, it likely will not trigger such a hearing.  See also Commonwealth v. Miles, 420 Mass. 67, 83 (1995) (ex parte order compelling suspect to appear and have his body inspected for poison ivy need not be preceded by hearing).

The applicant must take care to particularly identify the person whose biometric is to be compelled, perhaps by including a photograph and/or detailed physical description of that person in the warrant application papers.  This stems in part from the “particularity” requirement applicable to any search warrant.  See G.L. c. 276, § 2.  It also follows from this author’s view (above) that compelled biometric decryption may be analyzed under the “foregone conclusion” exception to the “act of production” privilege: If that view is accepted, the identity of the person whose biometric is to be compelled would form one aspect of the “foregone conclusion” that, under Jones, the Commonwealth must prove beyond a reasonable doubt.  The need for particularity in identifying the person whose biometric is to be compelled likely precludes law enforcement from obtaining a warrant to compel “any person present” at the warrant execution to apply his/her biometrics to a device.  Cf. In re Search of a Residence in Oakland, 354 F. Supp. 3d at 1014 (denying such authorization); In re Application for Search Warrant, 236 F. Supp. 3d at 1068-70 (same).

And the applicant should be explicit about the different burdens it must sustain to obtain such a warrant.  That a crime has occurred and that evidence related to the crime reasonably may be expected to be found in a particular place—requirements for issuance of any search warrant—need be demonstrated only to the level of probable cause.  That it is a foregone conclusion that a particular person’s biometric is capable of decrypting the device, however, must be demonstrated beyond a reasonable doubt in accordance with Jones.[3]  The applicant should consider explicitly articulating the applicable burdens in the warrant application papers, for the benefit of the reviewing judicial officer.

 

Eric A. Haskell is an Assistant Attorney General and a member of the BBJ Board of Editors. This article represents the opinions and legal conclusions of its author and not necessarily those of the Office of the Attorney General. Opinions of the Attorney General are formal documents rendered pursuant to specific statutory authority.

[1] To ensure that even the act of placing a finger on the screen of a device does not disclose the suspect’s thoughts, the orders in some of those cases have required the police—not the suspect—to select the finger that the suspect must place on the screen.  See In re Search of [Redacted], 317 F. Supp. 3d at 537, 539; In re Search Warrant Application for [Redacted], 279 F. Supp. 3d at 804.

[2] It also strongly implies that the suspect was the person who previously programmed the device to decrypt in response to his biometric; unlike an alphanumeric password, a biometric is unique and non-transferable.  Contrast Jones, 481 Mass. at 547 n.8 (suspect’s knowledge of password to device does not necessarily imply that he owns or controls device, because password can be transferred between persons).

[3] An additional showing might be required to authorize the suspect’s temporary detention for the purpose of compelling his biometric, although that showing may well be subsumed by the two discussed in the body text.  See Hayes v. Florida, 470 U.S. 811, 816-17 (1985) (holding that police cannot transport suspect to station for fingerprinting without probable cause or prior judicial authorization, but suggesting that seizure of suspect in field for fingerprinting may be permissible based on less than probable cause in some circumstances); see also In re Search of [Redacted], 317 F. Supp. 3d at 532-33 (applying Hayes to authorize warrant to detain person for compelled biometric decryption if: “(1) the procedure is carried out with dispatch and in the immediate vicinity of the premises to be searched, and if, at time of the compulsion, the government has (2) reasonable suspicion that the suspect has committed a criminal act that is the subject matter of the warrant, and (3) reasonable suspicion that the individual’s biometric features will unlock the device, that is, for example, because there is a reasonable suspicion to believe that the individual is a user of the device”); cf. Commonwealth v. Catanzaro, 441 Mass. 46, 52 (2004) (search warrant implies authority to detain occupants of premises while search is conducted).


Spaulding v. Town of Natick School Committee: Allowing Free Speech while Accomplishing Municipal Work

by Mina Makarious and Paul Kominers

Legal Analysis

The Middlesex Superior Court’s November 2018 decision on cross-motions for partial summary judgment in Spaulding v. Town of Natick School Committee, MICV2018-01115 (Nov. 21, 2018) (Kirpalani, J.), is a reminder that all constitutional rights (like all politics) are local. The case arose from a series of School Committee meetings, the type of quintessential local government activity repeated daily in hundreds of cities and towns throughout the Commonwealth. Notwithstanding this seemingly banal background, the issues in the case are at the heart of the First Amendment’s powers and its limits — namely, how strictly a governmental entity can regulate speech in a public forum it has itself created. The answer, according to Spaulding, is that a local government body can control speech just enough to allow it to focus on the tasks at hand, but no more.

Factual Background

In Spaulding, two mothers of former Natick Public School students had attempted to speak during “Public Speak” portions of Natick School Committee meetings. The School Committee reserved the Public Speak portion of each meeting to permit members of the public to address the School Committee without response from its members. The Committee had a participation policy for this portion of the meetings that, among other things, (1) limited each speaker to three minutes of time; (2) advised speakers that “[i]mproper conduct or remarks will not be allowed. Defamatory or abusive remarks are always out of order,” and (3) instructed speakers that they “may offer such objective criticisms of the school operations and programs as concern them, but in public session the [School] Committee will not hear personal complaints of school personnel nor against any member of the school community.”

The School Committee applied this policy to restrict or prevent the two mothers from speaking on at least three occasions. The ACLU, on behalf of Ms. Spaulding and Ms. Sutter, challenged the School Committee’s participation policy facially, and as applied to the two mothers. The plaintiffs argued that the policy was not content-neutral and failed to set definite standards on what speech was allowed. The plaintiffs sought partial summary judgment declaring portions of the participation policy unconstitutional.

Facial Challenge

The court first assessed whether Public Speak was a traditional, designated, or limited public forum, quickly concluding that Public Speak is a “designated” public forum, or a forum “which the government has opened for use by the public as a place to assemble or debate.” In designated public fora, the government may impose reasonable time, place, and manner restrictions on the exercise of free speech rights. However, any content-based restrictions must pass strict scrutiny, meaning they must be narrowly tailored to advance compelling government interests.

The court accepted that the School Committee had a compelling interest in conducting its business in an orderly and efficient fashion and that it therefore had the right to manage public participation at its meetings so long as it did so using rules narrowly tailored to advance that end.  To assess whether the School Committee’s rule barring “personal complaints of school personnel,” or complaints “against any member of the school community” was narrowly tailored, the court first reviewed the School Committee’s jurisdiction. It determined that the School Committee had jurisdiction over its district’s superintendent, budget, and overall goals and policies.  The School Committee exercised no direct control over personnel other than the superintendent, and therefore could properly bar personal complaints against personnel other than the superintendent from Public Speak. Attendees could, however, voice personal complaints about the superintendent, and the participation rules were unconstitutional insofar as they barred such complaints.

The court also took issue with the requirement that the comments be “objective.”  It held (after reviewing definitions of “objective” and “subjective”) that while a requirement that comments be based on “externally verifiable phenomena” might be proper, the School Committee acted improperly in prohibiting subjective comments rooted in individuals’ concerns.

Finally, the court held that the portion of the policy barring those making otherwise germane and appropriate comments from identifying the parties involved was unconstitutional.  The public’s free speech rights, the court held, superseded any interest the School Committee had in protecting community members’ privacy.

The court then turned to the section of the Participation Policy prohibiting “defamatory” or “improper and abusive” remarks, holding that the policy banning “defamatory” remarks was constitutional only to the extent that it barred speech that had actually been adjudicated defamatory. Otherwise, the policy would be an unconstitutional prior restraint on speech concerning public officials and public business. The court read a similar limit into the policy on “improper and abusive” remarks, holding it was only constitutional to the extent that it barred threats, fighting words, or obscene content – all types of speech at the outer limits of First Amendment protection.

As-Applied Challenges

The court then ruled on the plaintiffs’ as-applied challenges to their treatment at the January 8, February 5, and March 12 meetings.

On January 8, Spaulding had introduced herself as “the mother of a child that was mercilessly bullied into suicide here in Natick” before School Committee members cut her off. After hearing just her first sentence, the court ruled, School Committee members could not have known whether Spaulding’s comment would pertain to business within their jurisdiction. If particular students or teachers had bullied her child, then she had no right to say so at Public Speak, but if the bullying had somehow been committed by the superintendent, school operations, or school policies, then she did.

On February 5, Sutter began to speak about the “retaliation and retribution” she and her family had received “at the hands of the Natick Public Schools.” School Committee members quickly reprimanded her, insisted that she stop speaking, and then suspended the meeting. As with the analysis of the January 8 meeting, the court held that the School Committee cut Sutter off before she could make clear whether her complaints were about aspects of the school system within or outside of the School Committee’s jurisdiction. The court also noted that the Participation Policy did not bar discussion of Public Speak itself.

On March 12, Sutter again began to speak about “retaliation and retribution.” The School Committee reminded her that, under the participation policy, she could not discuss individuals or make defamatory statements. The court held that, again, Sutter had the right to discuss the superintendent or discuss operations or policies within the School Committee’s jurisdiction, whether her comments were positive or not.

What the Court’s Decision Means for Cities and Towns

Spaulding was settled shortly after the trial court’s decision, so there will be no appellate review. Nonetheless, the case holds some important lessons for local government entities.

First, Spaulding’s conclusion that Public Speak was a “designated” public forum implies that if the Natick School Committee had not included the Public Speak portion of the meeting in the first place, it would not have created a public forum in which it had to hear the plaintiffs. Government entities cannot choose whether traditional public fora like sidewalks and parks will be open to speech, but they can decide whether to designate and maintain non-traditional public fora.

Second, the fact that the plaintiffs sought to speak during the “Public Speak” portions of the school committee’s meetings, rather than during the School Committee’s conduct of its scheduled business, is also important because the Massachusetts Open Meeting Law requires public bodies to set agendas for their meetings and adhere to the topics on the agenda. G.L. c. 30A, § 20(b). The plaintiffs did not appear to challenge, for instance, the School Committee chair’s asking certain audience members to restate their comments at a later part of the meeting when particular issues were due to be taken up. Further, as noted in the case, the Open Meeting Law also gives the chair of a local public body the authority to determine whether to allow public input at all during the conduct of its business. Id., § 20(g). Thus, absent an open-ended portion of an agenda such as the “Public Speak” portion of the Natick School Committee meetings, public bodies may have significantly more power to ask members of the public to focus their comments on the particular issue at hand. In other words, public bodies certainly may do their jobs, and may focus on doing so.

Third, notwithstanding these first two lessons, refusing to create opportunities for public dialogue is likely a shortsighted approach to addressing First Amendment issues. No local government entity can completely immunize itself from criticism, and neither should it be able to.  Van Liew v. Stansfield, 474 Mass. 31, 38–39 (2016) (remarks about a local official are “at the core of the speech that the First Amendment to the United States Constitution protects”). Providing opportunities for public input, as uncomfortable as it may be for elected or appointed officials to hear, promotes good governance and an opportunity for those officials to engage on important issues. Thus, local governments should think very hard before simply closing off all opportunities for public input at public meetings.

Fourth, the court made clear that public bodies could limit public comments to issues within the public body’s jurisdiction. However, where that jurisdiction begins and ends can be difficult to determine. In Spaulding, the court agreed that if the plaintiffs had in fact begun to discuss particular personnel (other than the superintendent) or students, the School Committee could end those comments because the Committee’s role was limited to policy issues. Local government officials therefore need not fear that they will entertain comments that are outside of their roles or face pressure to assert jurisdiction over issues on which they legally have no say. On the other hand, one could argue that the School Committee’s jurisdiction was broad enough to include investigating those incidents to determine whether they warranted policy changes. Further, while not at issue in Spaulding, one can easily imagine a situation in which a local board or committee had previously asserted that it did have broad jurisdiction to address a particular issue, which could make it difficult to exclude speech on that issue later.

Finally, once the government body permits the public to speak on a topic within the government body’s jurisdiction, and the speaker does so at the appropriate time, the government body cannot silence the speaker based on what they say on that topic. This is at the core of First Amendment jurisprudence. The government cannot tell the public what to say; rather, it can only place reasonable restrictions on where and when to say it. The School Committee’s key error in Spaulding, it appears, was not in opening the School Committee meetings for speech, or in requiring speakers to stay on topic.  Rather, the mistake was in prematurely cutting off speakers they believed would discuss topics the public officials deemed inappropriate.  Although it can be difficult to do so, public officials should remain open to letting members of the public make their complete comments and, only if necessary, redirect speakers to stay on topic. Further, fears that what a member of the public might say could create liability for public officials (e.g., if members of the public discuss private matters) can be overstated: given the speech that courts require to be permitted, it is unlikely that a court could construe a public official’s mere listening to speech as endorsing a particular viewpoint.

Biography

Mina S. Makarious is a partner at Anderson & Kreiger LLP in Boston. He is Town Counsel to the Towns of Concord and Lexington, and advises these and other municipalities on constitutional, governance, and other issues. He is the Co-Chair of the BBA’s Environmental Section.

Paul M. Kominers is an associate at Anderson & Kreiger LLP. He advises municipal and other governmental clients on litigation, constitutional, governance, and other issues.


Taming a Strange New Beast: Securities Regulators Take on Digital Currency

by Jack Falvey and Brendan Radke

Legal Analysis

The emergence of blockchain technology led in recent years to a surge in sales and trading of digital currencies – including well-known currencies like Bitcoin as well as hundreds of offerings of so-called digital “tokens” issued for use on individual websites. In 2017 and 2018 alone, more than $20 billion was raised through “initial coin offerings,” in which technology companies, typically startups, sold tokens for use on their web-based platforms. Federal and state regulators have scrambled to understand the technologies behind this new class of assets, including whether and by whom they should be regulated. The federal Securities and Exchange Commission (“SEC”) has been at the forefront in these efforts. In April 2019, after two years of proceeding in fits and starts, it issued guidance that finally seeks to set firm ground rules for issuers. This article reviews the SEC’s and other regulatory and enforcement responses to date, and the landscape going forward.

Digital Currency Basics

What is Blockchain Technology?

Digital currency is built on blockchain technology, often described as a “distributed ledger” digital technology. A blockchain is a form of online database that operates upon a peer-to-peer network of computers. Those networks may be decentralized, meaning that transactions upon the ledger are independently verified by individual computers (called nodes) accessing the network rather than being routed through a proprietary central data system. In a blockchain transaction, a user requests a transaction; that request is broadcast to the network of nodes; and those nodes verify the transaction and the user’s status through a known algorithm. Once verified, the transaction is combined with others and memorialized in entries called “blocks” of data for the ledger. Finally, the new block is cryptographically (i.e., securely) linked to the previous block after validation by the network, and added to the existing blockchain. The resulting blockchain is immutable, and the new block of data then is available to the next user on the chain. Major financial and technology firms have embraced and invested heavily in blockchain: it is widely expected to cut costs and processing times sharply in fields such as financial services and supply chains.
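The sequence described above (a request is broadcast, each node verifies it, the verified transactions form a block, and the block is linked to its predecessor) can be sketched in a few lines. This is an added example, not code from the article or from any real blockchain: the account names, the three in-process nodes, and the balance check standing in for a network's actual verification algorithm are all assumptions. It also shows what "immutable" means in practice: an after-the-fact edit to one copy is detectable, first within that copy and then by comparison with the other nodes.

```python
import copy
import hashlib
import json

GENESIS_PREV = "0" * 64  # constructed marker: the first block has no predecessor


def block_hash(index, prev_hash, transactions):
    """SHA-256 over a canonical JSON encoding of everything the block commits to."""
    body = {"index": index, "prev_hash": prev_hash, "transactions": transactions}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode("utf-8")).hexdigest()


def make_block(index, prev_hash, transactions):
    return {"index": index, "prev_hash": prev_hash, "transactions": transactions,
            "hash": block_hash(index, prev_hash, transactions)}


def apply_transactions(balances, transactions):
    """Simplified verification rule (an assumption): positive amounts, no overdrafts.
    Returns the updated balances, or None if any transaction fails."""
    updated = dict(balances)
    for tx in transactions:
        if tx["amount"] <= 0 or updated.get(tx["sender"], 0) < tx["amount"]:
            return None
        updated[tx["sender"]] -= tx["amount"]
        updated[tx["recipient"]] = updated.get(tx["recipient"], 0) + tx["amount"]
    return updated


def first_broken_block(chain):
    """Index of the first block whose hash or back-link fails; None if intact."""
    prev = GENESIS_PREV
    for i, block in enumerate(chain):
        recomputed = block_hash(block["index"], block["prev_hash"], block["transactions"])
        if block["index"] != i or block["prev_hash"] != prev or block["hash"] != recomputed:
            return i
        prev = block["hash"]
    return None


class Node:
    """One computer on the network, holding its own full copy of the ledger."""

    def __init__(self, opening_balances):
        self.balances = dict(opening_balances)
        self.chain = []

    def head(self):
        return self.chain[-1]["hash"] if self.chain else GENESIS_PREV

    def accept(self, block):
        """Verify a proposed block independently; append only if every check passes."""
        if block["index"] != len(self.chain) or block["prev_hash"] != self.head():
            return False
        if block["hash"] != block_hash(block["index"], block["prev_hash"], block["transactions"]):
            return False
        updated = apply_transactions(self.balances, block["transactions"])
        if updated is None:
            return False
        self.balances = updated
        self.chain.append(copy.deepcopy(block))  # each node keeps a private copy
        return True


def broadcast(nodes, transactions):
    """Build the next block from a request and offer it to every node."""
    block = make_block(len(nodes[0].chain), nodes[0].head(), transactions)
    return all([node.accept(block) for node in nodes])  # list: every node is asked


def demo():
    nodes = [Node({"alice": 50, "bob": 10}) for _ in range(3)]  # constructed accounts
    accepted = [
        broadcast(nodes, [{"sender": "alice", "recipient": "bob", "amount": 20}]),
        broadcast(nodes, [{"sender": "bob", "recipient": "alice", "amount": 500}]),  # overdraft
        broadcast(nodes, [{"sender": "bob", "recipient": "alice", "amount": 5}]),
    ]
    altered = nodes[2].chain  # one node's copy is edited after the fact
    altered[0]["transactions"][0]["amount"] = 45
    edit_only = first_broken_block(altered)     # block 0's stored hash no longer matches
    altered[0]["hash"] = block_hash(0, altered[0]["prev_hash"], altered[0]["transactions"])
    rehashed_one = first_broken_block(altered)  # block 1 still points at the old hash
    altered[1] = make_block(1, altered[0]["hash"], altered[1]["transactions"])
    rewritten_all = first_broken_block(altered)  # self-consistent again, but ...
    return {
        "accepted": accepted,
        "balances": nodes[0].balances,
        "edit_only": edit_only,
        "rehashed_one": rehashed_one,
        "rewritten_all": rewritten_all,
        "heads_agree": nodes[2].head() == nodes[0].head(),  # ... not with honest copies
    }


if __name__ == "__main__":
    print(demo())
```

Even when every block in the altered copy is recomputed so that it passes its own integrity check, its latest hash no longer matches the copies held by the other nodes, which is why the ledger's integrity rests on the network as well as on the hash links.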

What is Digital Currency?

The best-known application of blockchain is Bitcoin, the digital currency created over a decade ago whose market value rose as high as $20,000 per digital coin at its peak in 2017 and has fallen sharply since. Bitcoin and its competitors (such as Ether and Litecoin) are sometimes referred to as “cryptocurrencies” – digital assets that can be used as exchange media in online commercial transactions with parties. The novelty of cryptocurrency is that it requires no third-party bank or other agency to clear transactions: the transfer occurs directly between two parties and is permanently memorialized on the blockchain. Cryptocurrencies are now exchange-traded and widely distributed, with growing acceptance among mainstream businesses.

Digital currency also includes so-called digital “tokens,” a term used because conceptually, they are said to operate like arcade tokens – they function like money on the host’s website. A digital token typically works on the framework of an existing blockchain (say, on the Ethereum blockchain) rather than a blockchain unique to the issuing company, and is generally capable of use only upon the issuing company’s application. Hundreds of companies have issued tokens as a feature of their applications – typically to attract users to the site and seek to build loyalty in a wide range of uses.

What is an Initial Coin Offering?

Issuers have offered tokens for sale in a process referred to as an “initial coin offering” or “ICO.” In advance of token sales, offerors have issued an offering document, usually referred to as a “white paper,” that generally described the company, its plans for the token sales and their intended use, and, to varying extents, how the issuer plans to use the proceeds from the token sales. Until recently, the offerors usually didn’t conceive of the tokens as securities, in part because the tokens had a designated utility on the offeror’s web-based platform, and in part because they were referred to as “tokens” or “coins.” The offering materials typically had nowhere near the required content of a registration statement that would need to have been filed with the SEC in an offering of securities.

Despite the often scant offering information, ICOs in the last several years attracted a community of purchasers who collected and traded the tokens. Issuers sold tokens in limited supply; and third parties launched unregulated, online trading exchanges through which tokens could be traded and their value bid higher than the issuing price. The result was a considerable amount of speculation on their value.

The market for digital tokens exploded in 2017 and early 2018. While available data is inexact, hundreds of ICOs are thought to have raised roughly $20 billion in those two years alone. Total funds raised through ICOs increased from 2017 to 2018, while at the same time the average offering size was halved, from an average of $24 million in 2017 to $12 million in 2018. ICOs were launched around the globe. Initially, China had the largest presence in this market (until it essentially outlawed them in late 2017). The United States accounted for most of the market in 2017, and the United Kingdom, Singapore, and Eastern European countries also became popular forums.[1] Amounts raised have dropped sharply since early 2018, with an estimated $100 million having been raised in the first several months of 2019.[2]

The SEC Takes on Digital Currency

The success of many ICOs and the subsequent climb in many tokens’ trading value commanded the attention of state and federal regulators in 2016 and 2017. The SEC saw a need to balance “support [of] innovation and the application of beneficial technologies” with concerns that issuers were essentially raising capital in defiance of securities laws.[3]

The DAO Report and Munchee Order

In mid-2017 – after billions had already been raised through ICOs – the SEC began a series of incremental steps to delineate its regulatory and enforcement reach.[4] In the so-called DAO Report issued in July 2017 (involving a virtual organization known as “the DAO”), the SEC announced that digital currencies were securities if they met the test for an “investment contract,” an enumerated type of security under the federal securities laws.[5] The SEC applied the Supreme Court’s 1946 decision in SEC v. W.J. Howey Co. that defined an investment contract – essentially, any contract that involves an investment of money in a common enterprise with a reasonable expectation of profits from the efforts of others.[6] The DAO Report found the digital token at issue to be a security, but under a relatively unique set of facts; the DAO currency carried with it voting and profit-sharing rights, which most digital currencies lack and which strongly resemble rights associated with common stock.[7]

The next SEC action of note was its December 2017 Cease and Desist Order to a token issuer called Munchee that provided more generally-applicable guidance.[8] The Munchee Order indicated that a token would likely be deemed a security if a company: primed purchasers to expect profits (e.g., by describing how a token would or could increase in value); broadly marketed tokens rather than targeting sales to users of the platform; and/or used proceeds from the token sale to further develop the platform. All of these activities suggested that the Munchee token met the key Howey factors: purchasers reasonably expected to profit from the efforts of others by holding the tokens and were investing in a common enterprise, i.e., development of the platform. The company agreed to shut down its offering.

SEC Enforcement Remedies for Failure to Register

In late 2017 and most of 2018, the SEC stepped up its public statements referring to digital currencies as securities. Top SEC officials noted that they were proceeding carefully but also that, as SEC Chairman Clayton stated in late 2017, he had “yet to see an ICO that doesn’t have a sufficient number of hallmarks of a security.” The SEC had issued dozens of investigatory subpoenas to issuers in 2017, but it had commenced few actions against digital currency offerors.

In late 2018, the SEC brought and settled two enforcement actions spelling out, for the first time, the remedies that it would demand where it determined that an ICO amounted to an unregistered securities offering. In each case it: imposed penalties of $250,000; required implementation of a public claims process whereby investors who purchased the tokens in the initial offering would be notified of their rights to sue and a mechanism by which they could recover the consideration paid for the tokens plus any amounts to which they are entitled under Section 12(a) of the Securities Act; required registration of the tokens as securities; and required ongoing compliance with its public reporting requirements.[9]

The SEC’s February 2019 settlement with Gladius Network was also significant, since it signaled the somewhat softer line it would take in a scenario where the issuer self-reported and cooperated. As with the prior settlements, the company agreed to register its tokens and establish a notice and claims process, but avoided any monetary penalty due to its self-report, cooperation, and remedial steps.[10]

The April 2019 Investment Contract Framework and First No-Action Letter

Finally, and most recently, the SEC announced on April 3, 2019 two significant actions. First, it issued a “Framework for ‘Investment Contract’ Analysis of Digital Assets” (“Framework”) that, though not a rule or regulation, provides a roadmap for how the SEC intends to apply Howey.[11] It states essentially that two factors drive its analysis: whether the purchaser would be relying on managerial efforts of others, and whether he or she anticipated profits from those efforts. Key factual considerations are: the state of development of the issuer’s network; whether company management continued to oversee it; and whether the issuer had taken any steps to enhance the token’s market price including its tradability on secondary markets. A token has a better chance of avoiding classification as a security if (1) the token is not designed for use as an investment, (2) the network on which it is utilized is complete prior to the sale, and (3) there is little, if any, opportunity for price appreciation.

On the same date, the SEC’s Corporation Finance Division issued its first “no-action letter” to a token issuer, allowing it to proceed with an unregistered token issuance on the issuer’s proposed terms, which aligned with the Framework factors.[12] The requestor, TurnKey Jet, Inc., proposed to issue a token usable to purchase private jet services through its network. The SEC stated it would take no action against the company if the unregistered sale adhered to the proposed terms. Among the terms prescribed in the letter were that the tokens were usable immediately upon sale, TurnKey Jet would not use sale proceeds to develop its network, the tokens’ value was fixed at a dollar, they would be repurchased only at a discount and could not be used or transferred elsewhere, and that marketing would focus solely on the tokens’ functionality.

The Framework and no-action letter together provide a guide to whether and how an offeror may avoid having its token classified as a security and being subject to SEC registration and regulation. Alternatively, token issuers whose tokens will be deemed securities might be able to structure more restricted offerings so as to comply with any of several different exemptions: Regulation D, applicable to private offerings to qualified investors; Regulation S, a safe harbor applicable to offerings occurring solely overseas; or Regulation A+, providing a streamlined process for SEC registration, disclosure, and review of certain offerings capped at $50 million, with other restrictions.[13] Finally, more established digital-token offerors may just bite the bullet and pursue a traditional securities offering. For example, in April 2019, blockchain software provider Blockstack filed with the SEC a securities registration statement for a $50 million token sale pursuant to Regulation A+.

Other Federal and State Law Enforcement

While the SEC has been the most visible actor, a range of government agencies have sought to regulate or launch enforcement matters in connection with ICO activity. They include:

U.S. Department of Justice: The Department of Justice has actively investigated and prosecuted a number of high-profile cases against individuals for fraud and money laundering based on deliberate and materially misleading statements in connection with ICOs and other token sales. Recent cases include United States v. Zaslavskiy, No. 17-CR-647 (E.D.N.Y.) (filed October 2017), the first federal criminal action against an ICO issuer; United States v. Rice, No. 3:18-CR-587-K (N.D. Tex.) (filed November 2018); and United States v. Crater, No. 19-CR-10063 (D. Mass.) (filed February 2019).

U.S. Commodity Futures Trading Commission: The Commodity Futures Trading Commission (“CFTC”) views certain digital currencies as commodities and has pursued enforcement actions and published extensive guidance in the area.[14] It deems virtual currencies to be commodities under the Commodity Exchange Act,[15] which prohibits fraud in the sale or trading of commodities and derivative instruments based upon commodities. Recently, two federal courts upheld the CFTC’s position that digital currencies are commodities.[16]

Financial Crimes Enforcement Network: FinCEN, the U.S. Department of the Treasury’s Financial Crimes Enforcement Network, has issued guidance concerning digital currency since 2013. In 2018, it announced that it too intends to apply its regulatory requirements to digital currencies, and on May 9, 2019, it issued extensive guidance describing how crypto businesses may be considered “money transmitters” and thus subject to the restrictions of the Bank Secrecy Act and other laws.[17]

State regulators and Cross Border Actions: Securities and financial services regulators in Texas, Massachusetts, and New York all have brought recent enforcement matters. Cross-border, the North American Securities Administrators Association, an organization of state, provincial, and territorial securities regulators, announced a coordinated series of state and provincial enforcement actions in the United States and Canada.[18]

Conclusion

The SEC has proceeded cautiously in its early years of addressing digital currency offerings. Ultimately, though, its enforcement matters in 2017 and 2018, capped by its April 2019 guidance, have sought to thwart the use of ICOs to raise operating capital without complying with securities laws. Going forward, those involved in digital currency offerings will need to navigate carefully the federal securities laws, other federal and state laws, and the efforts of myriad enforcement authorities who will be closely watching the digital currency arena for currency, antifraud, and other regulatory compliance.

 

Jack Falvey is a partner at Goodwin in Boston, where he represents companies and individuals in securities-related and other white collar matters as well as a range of complex civil litigation. He has represented digital currency issuers in matters before the SEC and other enforcement agencies. He was a federal prosecutor in Boston from 1994 to 2000. 

Brendan Radke is a senior associate at Goodwin in San Francisco. His practice includes a variety of work within the cryptocurrency and blockchain sectors, as well as commercial, intellectual property, securities, and white collar litigation.

 

[1] Daniele Pozzi, ICO Market 2018 vs 2017: Trends, Capitalization, Localization, Industries, Success Rate, Cointelegraph (Jan. 5, 2019), https://cointelegraph.com/news/ico-market-2018-vs-2017-trends-capitalization-localization-industries-success-rate.

[2] #Crypto Utopia, Autonomous NEXT, https://next.autonomous.com/crypto-utopia (last visited May 16, 2019); Paul Vigna, Bitcoin Is in the Dumps, Spreading Gloom Over Crypto World, WSJ (Mar. 19, 2019), https://www.wsj.com/articles/bitcoin-is-in-the-dumps-spreading-gloom-over-crypto-world-11552927208?mod=searchresults&page=1&pos=5.

[3] Public Statement on Digital Asset Securities Issuance and Trading (Nov. 16, 2018), https://www.sec.gov/news/public-statement/digital-asset-securities-issuance-and-trading.

[4] William Hinman, Director, Division of Corporation Finance, Remarks at the Yahoo Finance All Markets Summit: Crypto (June 14, 2018), https://www.sec.gov/news/speech/speech-hinman-061418.

[5] Report of Investigation Pursuant to Section 21(a) of the Securities Exchange Act of 1934: The DAO, Exchange Act Release No. 81207 (July 25, 2017), https://www.sec.gov/litigation/investreport/34-81207.pdf. (“The DAO Report”).

[6] Report of Investigation Pursuant to Section 21(a) of the Securities Exchange Act of 1934: The DAO, Exchange Act Release No. 81207 (July 25, 2017), SEC v. W.J. Howey Co., 328 U.S. 293, 299 (1946) (the definition embodies a “flexible rather than a static principle, one that is capable of adaptation to meet the countless and variable schemes devised by those who seek the use of the money of others on the promise of profits”); Tcherepnin v. Knight, 389 U.S. 332, 336 (1967) (“form should be disregarded for substance”); United Hous. Found., Inc. v. Forman, 421 U.S. 837, 849 (1975) (the emphasis should be “on economic realities underlying a transaction, and not on the name appended thereto.”); see 15 U.S.C. § 77(b)(a)(1), Section 2(a)(1) of the Securities Act of 1933 and 15 U.S.C. § 78c(a)(10), Section 3(a)(10) of the Securities Exchange Act of 1934.

[7] The DAO Report, at 1, 3.

[8] Public Statement, SEC Statement Urging Caution Around Celebrity Backed ICOs (Nov. 1, 2017), https://www.sec.gov/news/public-statement/statement-potentially-unlawful-promotion-icos; In the Matter of Munchee Inc., Securities Act Release No. 10445 (Dec. 11, 2017), https://www.sec.gov/litigation/admin/2017/33-10445.pdf.

[9] Press Release, SEC, Two ICO Issuers Settle SEC Registration Charges, Agree to Register Tokens as Securities (Nov. 16, 2018), https://www.sec.gov/news/press-release/2018-264.

[10] Gladius Network, LLC, Securities Act Release No. 10608 (Feb. 20, 2019), https://www.sec.gov/litigation/admin/2019/33-10608.pdf.

[11] Statement on “Framework for ‘Investment Contract’ Analysis of Digital Assets” (Apr. 3, 2019), https://www.sec.gov/corpfin/framework-investment-contract-analysis-digital-assets.

[12] TurnKey Jet, Inc., SEC No-Action Letter (Apr. 3, 2019), https://www.sec.gov/divisions/corpfin/cf-noaction/2019/turnkey-jet-040219-2a1.htm.

[13] See 17 C.F.R. §§ 230.500 et seq.; 17 C.F.R. §§ 230.901 et seq.; 17 C.F.R. §§ 230.251 et seq.

[14] The SEC largely concedes that the cryptocurrencies Bitcoin and Ether aren’t securities, in light of their decentralized and operational networks, but this will remain a fact-specific inquiry. The Director of its Division of Corporate Finance observed in June 2018: “[W]hen I look at Bitcoin today, I do not see a central third party whose efforts are a key determining factor in the enterprise… Applying the disclosure regime of the federal securities laws to the offer and resale of Bitcoin would seem to add little value… Over time, there may be other sufficiently decentralized networks and systems where regulating the tokens or coins that function on them as securities may not be required.” W. Hinman, Remarks at the Yahoo Finance All Markets Summit, https://www.sec.gov/news/speech/speech-hinman-061418; see also https://www.cftc.gov/Bitcoin/index.htm.

[15] See 7 U.S.C. § 1a(9) (commodities include “all other goods and articles … and all services, rights and interests … in which contracts for future delivery are presently or in the future dealt in”); In the Matter of Coinflip, Inc., d/b/a Derivabit, CFTC No. 15-29 (Sept. 17, 2015), https://www.cftc.gov/sites/default/files/idc/groups/public/@lrenforcementactions/documents/legalpleading/enfcoinfliprorder09172015.pdf; CFTC v. McDonnell, 287 F. Supp. 3d 213 (E.D.N.Y. 2018); CFTC v. My Big Coin Pay, Inc., 334 F. Supp. 3d 492 (D. Mass. 2018).

[16] McDonnell, 287 F. Supp. 3d at 228 and My Big Coin Pay, Inc., 334 F. Supp. 3d at 498.

[17] U.S. Dep’t of Treas., Letter to The Honorable Ron Wyden (Feb. 13, 2018), https://coincenter.org/files/2018-03/fincen-ico-letter-march-2018-coin-center.pdf; Kenneth A. Blanco, Director, FinCEN, Prepared Remarks at the 2018 Chicago-Kent Block (Legal) Tech Conference (Aug. 9, 2018), https://www.fincen.gov/news/speeches/prepared-remarks-fincen-director-kenneth-blanco-delivered-2018-chicago-kent-block; Kenneth A. Blanco, Director, FinCEN, Prepared Remarks at the 11th Annual Las Vegas Anti-Money Laundering Conference and Expo (Aug. 14, 2018), https://www.fincen.gov/news/speeches/prepared-remarks-fincen-director-kenneth-blanco-delivered-11th-annual-las-vegas-1; FIN-2019-G001, “Application of FinCEN’s Regulations to Certain Business Models Involving Convertible Virtual Currencies,” (May 9, 2019), https://www.fincen.gov/sites/default/files/2019-05/FinCEN%20CVC%20Guidance%20FINAL.pdf.

[18] In the Matter of Mintage Mining, LLC, Tex. State Sec. Board, Order No. ENF-19-CDO-1774 (Feb. 21, 2019), https://www.ssb.texas.gov/sites/default/files/Mintage_ENF_19_CDO-1774.pdf; 2018 Enforcement Report, Tex. State Sec. Board (Feb. 7, 2019), https://www.ssb.texas.gov/sites/default/files/YEAR_IN_ENF_2018_post.pdf; Press release, NASAA, State and Provincial Securities Regulators Conduct Coordinated International Crypto Crackdown (May 21, 2018), http://www.nasaa.org/45121/state-and-provincial-securities-regulators-conduct-coordinated-international-crypto-crackdown-2/; Letter, N.Y. Dep’t of Fin. Servs., In re Bittrex, Inc. (Apr. 10, 2019), https://www.dfs.ny.gov/system/files/documents/2019/04/dfs-bittrex-letter-41019.pdf.


Recovering Punitive Damages in Attorney Malpractice Cases

by Jessica Kelly

Legal Analysis

Former clients of attorneys frequently assert Chapter 93A claims in legal malpractice cases, but they do not often win Chapter 93A damages.  In Massachusetts, a plaintiff, in extreme circumstances, may recover under Chapter 93A as a result of an attorney’s unfair and deceptive conduct.  It is unclear, however, whether a former client can recover Chapter 93A damages he or she could have recovered in an underlying case in a subsequent legal malpractice action.  Available Massachusetts case law, including an unreported decision on a motion in limine by the Superior Court in Chafetz v. Day Pitney LLP, et al., No. SUCV 1484-03597 (Mass. Super. Ct. May 25, 2018), suggests that lost punitive damages, such as those available under Chapter 93A, are not recoverable in a professional negligence case.

     I.      General Law on Damages Recoverable in Legal Malpractice Actions

Legal malpractice claims represent a hybrid of contract and negligence causes of action, yet recovery is generally limited to tort-based damages, e.g. direct and consequential damages for the reasonably foreseeable losses plaintiff suffered as a result of the attorney’s negligent conduct.  Plaintiffs often try these claims as a “case-within-the-case,” having to prove that they would have obtained a better outcome in the underlying matter had the attorney not breached the standard of care.  Plaintiffs also have to prove both the damages they would have recovered, and the collectability of those damages.

Direct damages are those reasonably flowing from the tortious conduct, such as the value of a lost settlement or judgment or the attorneys’ fees incurred to fix an attorney’s mistake.  Consequential damages are those losses that occur as a result of the direct loss, such as damage to reputation, lost profits and other economic losses.  The economic loss doctrine, which usually precludes recovery for purely economic losses in negligence actions, is inapplicable to legal malpractice claims.[i]

Plaintiffs must also prove that their damages are more than speculative and, if relevant, that they would be recoverable in the underlying action.  Emotional distress damages are probably not recoverable in a Massachusetts legal malpractice action absent exceptional circumstances (such as a client being imprisoned as a result of attorney negligence), because emotional distress is usually not a reasonably foreseeable result of an economic loss.[ii]  As discussed in detail below, punitive damages and attorneys’ fees incurred to prosecute a malpractice action are also not recoverable, unless the former client can also prove that the attorney’s conduct violated Chapter 93A.

     II.     Recovery of Legal Malpractice Damages Under Chapter 93A

Chapter 93A, which protects consumers and businesses against unfair and deceptive business practices, applies broadly to the conduct of any business engaged in trade or commerce.  Legal malpractice plaintiffs often plead a Chapter 93A claim on the assumption that the threat of treble damages and attorneys’ fees can lead to quicker and more favorable settlements.  The reality, however, is that it is rare for a legal malpractice plaintiff to recover damages under Chapter 93A.  This is because ordinary negligence or breach of contract alone does not rise to the level of unfair and deceptive conduct.  To recover under Chapter 93A, evidence of something more, such as self-dealing or fraudulent acts, must exist.[iii]  It is also unlikely, albeit unsettled, that plaintiffs can recover lost Chapter 93A damages in a subsequent malpractice action.

     A.  Direct Claims Against Attorneys For Violation of Chapter 93A

The ability of a plaintiff to bring a direct claim under Chapter 93A in a legal malpractice action depends on whether the alleged conduct of the defendant attorney occurred within trade or commerce and whether the conduct is unfair or deceptive.  Courts have held that “the practice of law constitutes trade or commerce for purposes of liability under [Chapter] 93A,” but the outcome is very fact dependent.[iv]

The closer question is whether the attorney’s conduct was actually unfair or deceptive.  An attorney will only be directly liable for violation of Chapter 93A for conduct involving “dishonesty, fraud, deceit or misrepresentation.”[v]  There are few decisions where a Massachusetts court has allowed a claim against an attorney to proceed past a dispositive motion[vi] and even fewer where the attorney was actually found liable under Chapter 93A.[vii] This limited set of case examples suggests, however, that conflicts of interest, financial misconduct and dishonesty are common themes for successful direct Chapter 93A claims regarding attorney misconduct.

     B.  Claims to Recover Lost Chapter 93A Damages

Although there is no Massachusetts appellate precedent on the issue, legal malpractice plaintiffs are likely barred from seeking punitive damages that they would have recovered in the underlying case absent their attorney’s negligence.  Stated differently, it is unlikely that plaintiffs can seek from a former attorney in a legal malpractice action their missed opportunity to recover under Chapter 93A in the original litigation.  The rationale was set forth in a motion in limine decision in a recent Superior Court action, Chafetz v. Day Pitney LLP, et al.

In Chafetz, the former clients sued two attorneys and two law firms alleging negligence in the handling of a lawsuit against the builder of the former clients’ home and in the builder’s eventual bankruptcy.  Specifically, in relevant part, the former clients alleged that the defendants failed to file a non-dischargeable Chapter 93A claim in the builder’s bankruptcy action.  The former clients claimed that the “lost potential punitive damages” were a “‘reasonably foreseeable loss’ caused by [their attorneys’] negligence and thus recoverable in the malpractice action.”

On its face, the former clients’ claim made sense, assuming they could prove that the defendant in the underlying matter actually violated Chapter 93A.  If it turned out that the attorneys were negligent in not bringing the Chapter 93A claim, the former clients’ missed opportunity to bring such a claim was an actual harm.  The former clients’ ability to pursue damages for that harm is founded on the notion that plaintiffs in tort actions should be compensated “for all of the damages proximately caused by the defendant’s negligence.”[viii]

The position that lost punitive damages are compensable in a legal malpractice action, however, is the minority view.  This view was stated in Jacobsen v. Oliver, 201 F. Supp. 2d 93, 102 (D.D.C. 2002) where the United States District Court for the District of Columbia held that the former clients could assert claims for “lost punitives” in their legal malpractice action.  The Court held that the policy reasons for compensating the plaintiffs for their actual harm caused by their attorneys’ negligence was more important than the policy reasons for shielding attorneys in a subsequent malpractice case from lost punitive damages.  The Court also noted that “[a]ttorneys who appreciate that they will be liable in malpractice actions for ‘lost punitives’ will be motivated to exercise reasonable care in investigating or defending punitive damages claims.”[ix]  Courts in other jurisdictions have taken similar positions.[x]

The Chafetz Court, however, took the majority view and granted Defendants’ motion in limine to preclude the recovery of punitive damages and/or any mention of them during trial.  The Court held that plaintiffs could not seek the lost Chapter 93A damages because the public policy behind the statute is to punish and deter the wrongdoer, i.e., the defendant in the underlying case, and thus would not be served by making the attorney defendants pay them.  The Court also held that the Legislature enacted Chapter 93A to encourage the wrongdoer to settle and take responsibility early on for unfair and deceptive behavior.  The Court wrote that the “public policy goal is not fostered by permitting recovery of lost punitive damages in a negligence case against a lawyer.”

The Chafetz Court relied, in substance, on three cases.  The first was Kraft Power Corp. v. Merrill, 464 Mass. 145, 159 (2013), where the Supreme Judicial Court held that a plaintiff cannot seek Chapter 93A damages against a defendant who becomes or is deceased.  This is because Chapter 93A “can no longer achieve the goals of punishing a defendant or deterring him from future misconduct when the wrongdoer has died.”  While not on point to the circumstances in Chafetz, the Kraft case emphasizes that the purpose behind Chapter 93A is no longer served when the punitive and deterring effects of Chapter 93A are no longer directed at the actual wrongdoer.

The second case was Dwidar-Kotb v. Altman & Altman, LLP, NO. MICV2011-04614, 2013 LEXIS 840 (Mass. Super. Ct. Mar. 13, 2013), another Superior Court decision.  In Dwidar-Kotb, the former client sued his lawyer for negligence arising from an employment matter in which the former client had sought, among other claims, damages under the Massachusetts Wage Act, which, like Chapter 93A, allows for the recovery of punitive damages.  The Court held that the plaintiff could not seek punitive damages under the Wage Act in the subsequent malpractice action, holding that the “purpose of awarding punitive damages would not be accomplished or served in a malpractice claim against attorneys.”  In other words, where the attorneys were not responsible for the Wage Act violations, but rather for the failure to bring the Wage Act claims, the purpose of imposing punitive damages no longer existed.[xi]

The third case was Ferguson v. Lieff, Cabraser, Heimann & Bernstein, LLP, 69 P.3d 965 (Cal. App. 4th 2003), in which the California Supreme Court disallowed the recovery of lost punitive damages in a legal malpractice action.  In Ferguson, the Court focused on, among other things, the “moral determination” involved in the award of the punitive damages and that such a determination is a highly subjective decision for the judge or jury in the first instance.  As such, the Chafetz Court noted that it would be speculative for it to determine whether and what the Bankruptcy Court may have awarded as punitive damages in the underlying case assuming that the former clients proved that the attorney defendants had been negligent in not bringing the Chapter 93A claim.

The Chafetz Court distinguished the case before it from cases where the legal malpractice plaintiff was a defendant in the underlying case who then sought to recover the punitive damages awarded against him or her, which the plaintiff alleges would not have been assessed but for attorney negligence.  Other courts have not made this distinction and have cited to cases involving both situations interchangeably.[xii]  From a practical standpoint, seeking to recover punitive damages against an attorney that were actually assessed in an underlying action is much less speculative than seeking to recover damages that may or may not have been awarded in an underlying action.  Perhaps the Chafetz Court left the door open for such claims in Massachusetts because of this significant difference.

In the end, the Chafetz Court entered an order precluding plaintiffs from seeking lost treble damages under Chapter 93A as part of their damages in the legal malpractice action.  The decision is in line with the majority view and the purpose of Chapter 93A.  Punitive damages are not compensatory, but rather provide the plaintiff a windfall “to punish and deter the wrongdoer.”[xiii]  Therefore, lost punitive damages should not become compensable in a later malpractice action.[xiv]

     III.      Conclusion

In sum, legal malpractice plaintiffs can recover for their actual damages, assuming they are not speculative and can be proven to a reasonable certainty. Their ability to recover under Chapter 93A, however, is very limited, unless the lawyer’s own conduct was unfair or deceptive.  It is also likely that Massachusetts will follow the rationale of Chafetz and Dwidar-Kotb with regard to the recovery of lost punitives in a legal malpractice action if and when that issue reaches the appellate level.

 

Jessica is a litigation partner at Sherin and Lodgen LLP, where she assists clients in a variety of industries with complex business litigation, including finance, biotech, and national retail. She also represents lawyers and law firms in professional liability malpractice disputes and disciplinary investigations before the Massachusetts Board of Bar Overseers (BBO).

 

[i]  See Clark v. Rowe, 428 Mass. 339, 342-343 (1998).

[ii]  See Meyer v. Wagner, 429 Mass. 410, 423 (1999).

[iii]  See id., at 424.

[iv]  Compare Brown v. Gerstein, 17 Mass. App. Ct. 558, 571 (1984) (plaintiffs satisfied trade or commerce element because attorney represented them in the context of commercial real estate business), with First Enterprises, Ltd. v. Cooper, 425 Mass. 344, 348 (1997) (internal business dispute was not trade or commerce for purposes of Chapter 93A).

[v]  Poly v. Moylan, 423 Mass. 141, 151 (1996).

[vi]  See Blast Fitness Grp., LLC v. Dixon (In re Blast Fitness Grp., LLC), Ch. 7 Case No. 16-10236-MSH, Adv. No. 18-01011, 2019 WL 137109 (D. Mass. Jan. 8, 2019) (court held that a breach of duty of loyalty to clients was sufficient to state a claim for violation of Chapter 93A); Baker v. Wilmer Cutler Pickering Hale and Dorr LLP, 91 Mass. App. Ct. 835 (2017) (allegations that company’s lawyers participated in unlawful freeze out of minority members stated a claim for violation of Chapter 93A); Brown v. Gerstein, 17 Mass. App. Ct. 558 (1984) (trier of fact should have been allowed to determine whether attorney’s misrepresentation that he had filed complaint on behalf of clients to stop foreclosure violated Chapter 93A).  Of course, the more egregious allegations of lawyers violating Chapter 93A may never appear in court decisions because those cases often settle early in the litigation.

[vii]  See Sears, Roebuck & Co. v. Goldstone & Sudalter, P.C., 128 F.3d 10, 19 (1st Cir. 1997) (affirming judgment on Chapter 93A where attorney engaged in illegal billing practices); Guenard v. Burker, 387 Mass. 802, 809-810 (1982) (affirming finding that attorney’s reliance on unlawful fee agreement was a violation of Chapter 93A); Walsh v. Menton, No. 932738H, 1994 WL 879470, at *4 (Mass. Super. Ct. Sept. 23, 1994) (failing to apprise plaintiff “of the status of her account and to return her money upon demand was unfair as a matter of law”).

[viii]  Jacobsen v. Oliver, 201 F. Supp. 2d 93, 102 (D.D.C. 2002) (internal quotation omitted).

[ix]  Id. at 102.

[x]  See also Haberer v. Rice, 511 N.W.2d 279, 288 (S.D. 1994); Hunt v. Dresie, 740 P.2d 1046, 1057 (Kan. 1987); Scognamillo v. Olsen, 795 P.2d 1357, 1361 (Colo. App. 1990); Elliott v. Videan, 791 P.2d 639, 645 (Ariz. Ct. App. 1989); Herendeen v. Mandelbaum, 232 So. 3d 487, 492 (Fla. Dist. Ct. App. 2017), review denied, No. SC18-132, 2018 WL 3239289 (Fla. July 3, 2018).

[xi]  The same rationale would likely apply to bar claims seeking “lost punitives” in malpractice actions where punitive damages were potentially recoverable in the underlying case under the Massachusetts wrongful death statute, M.G.L. c. 229, or the Massachusetts employment discrimination statute, M.G.L. c. 151B.

[xii]  See, e.g., Jacobsen, 201 F. Supp. 2d at 100.

[xiii]  See M. O’Connor Contracting, Inc. v. City of Brockton, 61 Mass. App. Ct. 278, 285 & n.12 (2004) (holding that punitive damages against municipality “punishes only the taxpayers, who took no part in the wrongful conduct, but who nevertheless may incur an increase in taxes or a reduction in public services as a result of the award”).

[xiv]  According to the Chafetz docket, the case settled shortly thereafter and thus, the appellate courts will have to wait for another case to decide this issue as binding precedent.  Just as asserting a punitive damages claim can hasten settlement, so can removing it from consideration.