The Massachusetts Securities Division (“Division”) is the state agency entrusted with protecting investors. And the scope of its power is considerable, ranging from the authority to order the disgorgement of profits to its ability to issue cease and desist demands. But parties defending against the Division’s Registration Inspections, Compliance and Examinations (“RICE”) Section are often disadvantaged by a very limited right to discovery.
Respondents in Division proceedings can, however, request to subpoena third parties, which can be valuable considering the paucity of other discovery tools. But getting the Division to issue a subpoena is not easy or intuitive. This article, therefore, provides an overview of the subpoena process in adjudicatory proceedings before the Division.
Discovery in Division Proceedings
Under the Division’s rules, respondents have no right to propound interrogatories or requests for documents. 950 C.M.R. § 10.01 et seq. Instead, the Division has held that RICE is only required to produce documents it identifies as exhibits in its pre-trial memorandum. Conversely, RICE may issue subpoenas even before an adjudicatory proceeding has begun. M.G.L. c. 110A, § 407(b).
Subpoenas can mitigate this imbalance, as there are many scenarios in which third parties will hold key information. For example, in insider trading cases, establishing whether information is material or obtained in violation of a fiduciary duty could depend upon information held by the third-party company whose shares were traded. With third-party subpoenas, respondents can gain advance notice of the evidence upon which RICE may rely at trial while also potentially obtaining exculpatory evidence which RICE would otherwise not be obligated to produce.
Right to Issue of Subpoenas
How do respondents obtain subpoenas in Division proceedings? At first, the answer may seem straightforward. Under M.G.L. c. 30A, § 12(3):
Any party to an adjudicatory proceeding shall be entitled as of right to the issue of subpoenas in the name of the agency conducting the proceeding. The party may have such subpoenas issued by a notary public or justice of the peace, or he may make written application to the agency, which shall forthwith issue the subpoenas requested.
That is, respondents appear entitled to subpoenas “as of right.”
The Division’s position, however, is that Section 12(3) does not apply to its adjudicatory proceedings because M.G.L. c. 110A, § 407(b) supplants it. See, e.g., In the Matter of Blinder, Robinson, & Co., Docket No. E-85-27, 1986 Mass. Sec. LEXIS 63 (Mass Sec. Div. April 30, 1986). As the reasoning goes, under Section 407(b), the Division “may” issue subpoenas, but is not required to, and therefore, there is a conflict between Section 12(3) and Section 407(b). And where Section 407(b) deals specifically with the Division but Section 12(3) is merely a default rule applicable to all agencies, Section 407(b) prevails. Accordingly, respondents in Division proceedings are subject to 950 C.M.R. § 10.09(l), which requires a respondent to make a “written application” for a subpoena to the Presiding Officer, who “may” grant the application.
No court has yet weighed in on the Division’s interpretation, however, and its position is open to challenge. First, nothing in Section 407(b), which was enacted after Section 12(3), states that it overrides Section 12(3), and there is “a very strong presumption against [the] implied repeal” of a statute, Commonwealth v. Hudson, 404 Mass. 282, 286 (1989) (internal quotation marks omitted), particularly where the statute unequivocally confers a procedural “right.” Nor is it clear there is a conflict between Section 12(3) and Section 407(b); the former deals with a respondent’s ability to issue subpoenas whereas Section 407(b) refers to the Division’s prerogative to do so. Moreover, the Division, in a slightly different context, has itself stated that “[a] party to an adjudicatory proceeding before the Division is entitled as a matter of right to the issuance of [a] subpoena.” In the Matter of Cohmad Sec. Corp., Docket No. E-2009-0015 (Mass Sec. Div. Nov. 17, 2009). There are, therefore, ample grounds upon which to invoke subpoena rights under Section 12(3).
What should a respondent do if it wishes to issue a subpoena under Section 12(3)? It could simply ignore Division precedent and serve a notarized subpoena pursuant Section 12(3). But RICE will almost certainly respond with a motion to quash, which in turn may result in an order to withdraw the subpoena from the Presiding Officer.
The prudent approach would be to file a motion before the Division under both Section 12(3) and 950 C.M.R. § 10.09(l). This approach affords two advantages. First, the Division may simply grant the subpoena, in which case the applicability of Section 12(3) is moot. Second, if the Division denies the subpoena, then the respondent will have preserved the issue for appeal under M.G.L. c. 30A, should the Division ultimately decide unfavorably. If the respondent believes that it cannot wait until after a final decision, it might also consider interlocutory relief by way of a mandamus action in the Superior Court pursuant to M.G.L. c. 249, § 5. Mandamus relief will likely be an uphill battle, however, as it is only available where a M.G.L. 30A appeal is an inadequate remedy. Because a court can always reverse the Division’s judgment and order more discovery, there is usually an adequate remedy. If there is an immediate need for the subpoena, however, a mandamus action may be an important option to preserve by moving for a subpoena under both Section 12(3) and Section 10.09(l).
Requesting a Subpoena
To request a subpoena from the Presiding Officer under 950 C.M.R. § 10.09(l)(1), the respondent must make a “written application,” which should consist of a copy of the proposed subpoena and a short motion. The Presiding Officer may deny a request if she determines that the subpoena would be “unreasonable, oppressive, excessive in scope, or unduly burdensome.” Id.
Both the Division’s rules and M.G.L. c. 30A, § 12(3) allow the subpoenaed party, but no one else, to move to quash the subpoena. Accordingly, the Division has held that only “a party to whom the subpoena is directed may move to vacate or modify the subpoena.” In the Matter of Cohmad Sec. Corp. RICE, however, has argued that applications for subpoenas are “motions” under 950 CMR § 10.07(a), entitling it to file an opposition. Thus far, the Division appears to have rejected RICE’s position, and a respondent should promptly move to strike any opposition RICE files.
RICE has also argued that any subpoena served prior to the exchange of pre-trial memoranda under 950 C.M.R. § 10.09(b) is per se unreasonable because it is inherently inefficient to serve subpoenas that may overlap with the documents that RICE may produce with its memorandum. RICE’s argument is difficult to square with the language of Section 10.09(l), which imposes no time limitation on requesting subpoenas, and Section 10.09(b), which deals solely with the exchange of documents between parties, not third-party subpoenas. At least one Presiding Officer has rejected RICE’s position that subpoenas must be filed after the exchange of pre-trial memoranda. In the Matter of Risk Reward Capital Management Corp., Docket No. E-2010-0057 (Sept. 23, 2014). Nevertheless, respondents seeking to obtain subpoenas should be ready to field similar objections.
Subpoenas are a valuable tool in proceedings before the Division. But respondents should anticipate resistance and RICE’s likely objections. By preparing to do so, respondents can maximize their chances of success, either before the Division or (if necessary) on appeal.
Thomas Sutcliffe is an associate at Prince Lobel Tye LLP. His practice focuses on complex commercial and administrative litigation.
by Mark Szpak, Seth Harrington and Lindsey Sullivan
In August, the United States Department of Justice (“DOJ”) and the Securities Exchange Commission (“SEC”) unsealed complaints alleging a scheme to hack into computer systems of newswire services in order to steal material nonpublic information, which the hackers then allegedly used to place trades.
This case is strikingly different than many other recently reported data-breach cases. Typically such cases have involved an attacker breaking into a company’s network to access personal nonpublic information (e.g., credit card numbers, medical history, social security numbers) that potentially could be sold to other criminals who would use it to attempt to commit identity theft or fraud. This hack involved information concerning publicly traded companies, obtained not from the companies themselves, but third-party newswire services. These complaints highlight that cyberattack risk is not limited to the theft of personal information but extends to any confidential information that hackers may seek to exploit for financial gain – trade secrets, insider information, customer prospects, bid packages, marketing data, business plans, etc. Companies need to understand this risk as well as how to prevent it and manage it if it occurs.
The Alleged Hacking and “Insider” Trading Scheme
The criminal complaints filed by the DOJ allege that nine individuals hacked into the computer systems of newswire services Marketwired, PR Newswire, and Business Wire, accessed nonpublic information, and allegedly used it to generate $30 million in illegal profits. The civil complaint, brought by the SEC against 32 individuals, alleges that the defendants generated more than $100 million in illegal profits by trading on the stolen nonpublic information in violation of federal antifraud laws and related SEC rules.
These newswire services were engaged by major publicly traded companies to publish corporate releases and, as a result, received confidential information hours and even days before the information was publicly released. By infiltrating the computer systems of these newswire services, the criminals were able to access – and act upon– the releases ahead of the market.
Few are surprised that the newswire services were targeted, but the extent of the scheme is drawing attention. The hacking allegedly lasted five years, during which the criminal attackers allegedly accessed over 150,000 press releases. In one instance, according to the SEC complaint, the hackers and traders were able to act within the 36-minute period between when the press release was provided to the newswire service and public disclosure of the release, executing trades that resulted in $511,000 in profit.
Compared to other cybercases, these complaints represent the relatively rare occurrence in which claims are brought against the perpetrators of the data breach and the individuals who seek to use and profit from the stolen information. As this article goes to press, no litigation is known to have been initiated against either the newswire services or the companies whose information is alleged to have been stolen in this attack. Yet, based on trends in litigation and regulatory enforcement efforts in matters involving data breaches of personal information, one can expect that claims against hacked entities or their clients may begin also to arise even where only nonpersonal information is involved.
With respect to private litigation, potential claims could face a number of hurdles. Any potential plaintiff would have to allege a cognizable injury as well as the breach of a duty owed by the defendant to the particular plaintiff. Many courts in breach cases have dismissed claims (under both tort and contract theories) based on the attenuated relationship between the plaintiff and defendant regarding an alleged duty to safeguard information for the benefit of the plaintiff. As we move beyond personal information, each new digital information context will raise questions regarding whether a duty to anticipate and protect against criminal cybertheft can be fairly imposed, in what circumstances, pursuant to what standards, and, if so, to whom is it owed.
With respect to regulators, the SEC has made clear its position regarding the importance of cybersecurity. In March 2014, Chair Mary Jo White explained that “the SEC have been focused on cybersecurity-related issues for some time” because “[c]yber threats  pose non-discriminating risks across our economy to all of our critical infrastructures, our financial markets, banks, intellectual property, and, as recent events have emphasized, the private data of the American consumer.” Other regulators (most notably the FTC) have also staked out a position of overlapping jurisdiction.
Best Practices for Companies
In a world where the electronic landscape and the sophistication of cyberhackers are both moving at high speed, here are nonetheless a few best practices that companies facing an actual or potential data security incident (i.e., all companies) can follow to mitigate potential risk:
- Think carefully about third-party vendors— Companies rely on numerous third parties for everything from corporate disclosures to marketing advice. Thoughtful contracting and training can go a long way to reducing the risk of loss or misuse.
- Supplement perimeter detection systems— According to the indictments in the newswire case, the criminal hackers were resident in the victims’ systems for years. The case illustrates the potential significance of taking a “defense-in-depth” approach to security and system monitoring.
- Be realistic about law enforcement and regulators— Notifying and cooperating with law enforcement can be important for many reasons, and the same is true for governmental regulators. But law enforcement usually focuses on getting the criminal attacker, while regulators (by comparison) often focus instead on examining any role the company had in having been criminally attacked. Keeping that difference in mind can be significant in dealing simultaneously with these respective governmental actors.
- Involve outside experts (both legal and forensic) at the earliest sign of a possible problem— Never guess or assume what may have taken place. Forensic experts can help your team assess whether an attack or breach has occurred, the actual scope of the breach, and how to contain it, while legal experts (both internal and outside counsel) can direct that forensic review and assess potential legal obligations involving notification, public statements, remediation, responding to law enforcement, dealing with regulators, preparing for litigation, and protecting the record.
- Carefully draft external statements— When an incident occurs, all outward facing statements should be carefully crafted to say only what is necessary, and to avoid committing to specifics until facts are definitely known. Before an incident occurs, promising any level of protection is risky because, if a hacker makes it into the system, the company’s statements will inevitably be second-guessed.
- Check your insurance— For the sake of planning, assume that erstwhile attackers will be able to access any system in your network. Consider, then, what kind of attack or what kind of data loss could cause the most exposure or disruption. Then make sure your insurance will actually cover those costs and that any related exposure to liability is indeed included. Evaluate your incident response preparedness through “tabletop exercises” to confirm that you have identified the potential risks and expenses.
- Avoid creating a bad record— Preservation of evidence after discovering a data breach often involves much more than just the usual email and paper files. In a network attack, the relevant evidence may include large groups of servers, firewall configuration records, network access logs, security management databases, vulnerability scan results, software hotfix schedules, or any number of other forensic or technical data sources that in most litigation rarely come into play. Identifying that relevant forensic and technical evidence and then maintaining it, while preserving applicable privileges and minimizing the interruption of critical ongoing company operations, can in many cases pose enormous challenges.
The panoply of costs that a cyberhack can impose make it clear that a well-developed program to secure all types of business information, not just personal information, can provide a competitive advantage. And when data thieves strike, regardless of the type of data they target, following a prompt and careful response protocol can pay significant legal dividends.
Mark Szpak is a partner in Ropes & Gray’s privacy & data security practice. He focuses on the wide range of challenges that arise after a computer network intrusion, including defending against multidistrict class actions in the U.S. and Canada, handling forensic investigations and responding to regulators.
Seth Harrington, also a partner in Ropes & Gray’s privacy & data security practice, represents clients in all aspects of the response to a privacy or data security incident, and he regularly advises clients on indemnification and insurance matters, including cyber risk insurance.
Lindsey Sullivan is an associate in Ropes & Gray’s business & securities litigation practice, where she focuses on assisting clients through forensic investigations and preservation efforts around privacy and data security breaches.
“If you don’t know where you are going, you might wind up someplace else.”
— Attributed to Yogi Berra
Massachusetts has one of the country’s most stringent statutory and regulatory schemes relating to data privacy and security. The complexity and scope of available insurance products dealing with “cyber” exposures, in Massachusetts and throughout the business world, has dramatically increased over the past several years and is now as fractured and complicated as is the law, which differs from state to state and from country to country. Insurance underwriters, insurance brokers, technologists, security professionals, pundits and others offer conflicting advice about how to best move through this maze of insurance policies, technology, and the many potentially applicable state and federal regulations that often conflict. Imagine that there is growing apprehension that a company is at risk. At some point, a lawyer is called to advise on insurance protection. What is that lawyer to do?
The first step is to establish a team of professionals and client representatives who will, together, work through the issues that will allow the development of a meaningful strategy. The team should include the lawyer, an insurance professional, a technology resource (internal to the client’s business operations or external), and a representative of the client who is sufficiently vested with authority so that access to required information will be facilitated. Once the team is in place, the following should happen, in more or less this sequence:
1. The team should develop a realistic understanding of the client’s cyber/privacy and data risk profile. It is important to analyze not just electronic exposures, but traditional paper-based exposures as well. Among the many factors to consider are the following:
A. The type and location of protected information that is procured, handled, managed and stored by the client. Protected information includes, but is not limited to, private personal information (which is defined differently in various jurisdictions and under different regulatory schemes but often consists of an individual’s first name, last name, and either a social security number, bank account number or other similar data point), and confidential business information.
B. The federal, state, and local statutory and regulatory schemes that impact the client’s obligations with respect to protected information. Most states have adopted data privacy regimes that are grounded in statutes (in Massachusetts the applicable statute is Mass. Gen. Laws ch. 93H) and implemented through a series of regulations. Several federal agencies, including the FTC and the SEC, are focused in meaningful ways on the security of personal and other confidential information that is handled by businesses. Courts are, in most instances, finding statutory and regulatory support for robust enforcement actions by these agencies. It is important to keep in mind that many states, Massachusetts among them, have taken the position that their privacy schemes are meant to be protective of their citizens wherever those citizens conduct commerce.
C. The commercial obligations that have been assumed by the client by contract or otherwise in connection with data security and privacy. These should be charted, and compliance measured.
D. The security of non-electronic records that contain protected information.
E. The client’s network and electronic information storage infrastructure. As with non-electronic records, this infrastructure should be assessed by qualified professionals, and a plan should be established for correction of deficiencies.
2. Next, insurance coverage that is already in place should be reviewed. Among the policies to be reviewed are:
A. General Liability policies
B. Directors and Officers Liability policies
C. Errors and Omissions policies
D. Fiduciary policies
E. Crime policies
F. Professional Liability policies
G. Commercial Property policies
The risk profile that has been developed should be reviewed in the context of the insurance coverage that is present in these policies (there are no true “standard forms” and careful, term-specific analysis is required). The insurance professional who is part of the team should assist in identifying potential exposures that are not within the scope of the existing coverage.
3. Having established a risk profile, assessed the protection afforded by the insurance coverage in place and begun the process of correcting deficiencies, the team should next consider whether existing coverage should be supplemented, including whether stand-alone cyber/privacy coverage should be procured. The policy wordings that might be employed to supplement existing policies, and the policy forms that are available as stand-alone products, are not standard forms of insurance. Nearly all wordings can and should be specially negotiated.
As the stand-alone cyber/privacy insurance market has evolved, these general coverage types have become “standard” in most offerings (with the caveat that while the coverage “type” may be standard, the implementation varies from insurer to insurer, and from product to product, in meaningful ways):
A. Third party coverage against claims asserting a “data privacy wrongful act,” a “network security wrongful act,” or other similar coverage grant. This coverage affords the cyber/privacy equivalent of general liability coverage. A client purchases this coverage to protect against third party claims alleging damages due to the client’s handling of protected information.
B. Third party coverage for claims relating to violation of intellectual property rights or copyright.
C. Various types of first party coverages (coverage that will pay an insured for loss that the insured suffers itself, rather than indemnifying an insured for claims asserted by others), such as:
1. Notification and related expense coverage;
2. Coverage for regulatory fines and penalties;
3. Coverage for the expense of recreating information that is damaged, compromised or destroyed as the result of a data security incident, or other covered occurrence;
4. Coverage for the expense resulting from the inability to use a network or other asset as the result of a covered event; and
5. Coverage for fines and penalties payable as the result of a failure to maintain appropriate levels of Payment Card Industry compliance in connection with credit or payment card exposures (this is not as generally available).
There are, of course, additional issues that will arise in the course of developing an appropriate mitigation strategy and insurance structure. For example, it may be necessary to allow an insurer, or several insurers, to independently audit a client’s infrastructure. It may be that an insurer adds exclusions to a policy that render otherwise appropriate coverage difficult to accept – for example, adding an exclusion that would allow an insurer to avoid payment obligations in the event that there is a change in network structure, levels of security protection, or the like. These types of potentially devastating exclusions, sometimes based on ambiguous terms that are difficult to either understand in an operational sense or manage, can make otherwise meaningful protection unacceptable.
So, dealing with the structure of an effective cyber/privacy insurance program requires knowing what you’ve got, knowing what’s lacking, and filling gaps in a targeted way. Know where you’re starting, understand the potential end points, and you’ll get where you’re going and not someplace unexpected.
Alan M. Reisch is a Director in the Litigation Group at Goulston & Storrs, as well as a Founder of the firm’s risk management affiliate Fort Hill Risk Management, and counsels clients in connection with insurance coverage and portfolio analysis, risk assessment and management, fraud, data privacy and other related issues.
From marijuana legalization to campaign finance reform to a constitutional amendment to impose a “millionaire’s tax,” citizen groups turned to the initiative petition process this year to propose a variety of public policy measures. The process, governed by article 48 of the amendments to the state constitution, allows citizens to place measures directly on the ballot as an alternative to enacting legislation through elected representatives. Twenty-three other states permit similar forms of “direct democracy.” But compared to some systems (notably, the much-criticized California model), the Massachusetts process contains comparatively strict requirements to help ensure public support before a measure reaches the ballot and to make better law.
The initiative petition process is straightforward in theory but complex in its implementation. It begins with a filing with the Attorney General’s Office, usually by the first Wednesday in August of the year preceding a biennial state election. If the petition is “certified” by the Attorney General, the petitioners must then collect thousands of signatures by the first Wednesday in December in order to present the petition to the legislature. The legislature can choose to enact the petition in the same form or take no action by the following May, and, in the latter event, the petitioners must gather more signatures in order to place the petition on the November ballot. Proposed constitutional amendments follow a similar process, except that the measure must receive at least 25 percent support in joint sessions of two successive legislatures before it can appear on the ballot. Thus, a proposed constitutional amendment submitted in 2015 could not appear on the ballot until the 2018 election year.
Article 48 also restricts the types of initiative petitions that may appear on the ballot. Among the most litigated limitations is the requirement that the petition must contain “only subjects . . . which are related or  mutually dependent.” Art. 48, The Initiative, II, § 3. In Carney v. Attorney General, 447 Mass. 218 (2006), the Supreme Judicial Court construed this phrase narrowly as requiring that a measure reflect an “operational relatedness among its substantive parts that would permit a reasonable voter to affirm or reject the entire petition as a unified statement of public policy.” Id. at 230-31. The Court applied this standard to deny certification of a petition seeking simultaneously to ban the dog racing industry and to increase penalties for the inhumane treatment of dogs. Although the Carney standard did not pose a hurdle for this year’s petition to legalize marijuana for adult users, similar petitions that address one “subject” broadly, but seek to make reforms in many “operationally” unrelated areas of the law, could be susceptible to challenge.
Importantly, article 48 bars petitions that are “inconsistent” with certain rights enumerated in the Declaration of Rights. See art. 48, The Initiative, II, § 2. For instance, the Supreme Judicial Court in Bowe v. Secretary of the Commonwealth, 320 Mass. 230 (1946), denied certification of a petition proposing to eliminate all forms of political spending by labor unions as “inconsistent” with unions’ free speech and assembly rights. Id. at 252. However, the list of rights in article 48 is limited, reflecting a compromise among the members of the constitutional convention to prospectively allow voters to “override” decisions of the state’s highest court only in certain areas. The members specifically had in mind Lochner-era cases declaring social welfare legislation invalid as violating “due process” as a type that could be addressed by an initiative petition, but they identified other “concrete” and “definite” rights enumerated in the Declaration of Rights that would not be subject to the initiative petition process. This compromise impacts advocates of all political persuasions, as is evident from this year’s petition to roll back corporate political spending in a manner similar to that in the Bowe petition banning labor union spending.
In addition, article 48 bars initiative petitions that make a “specific appropriation of money from the treasury of the commonwealth.” While this limitation preserves the legislature’s exclusive authority to make appropriations, it does not prohibit a petition from specifying how funds may be spent once they are so appropriated. For instance, this year’s petition imposing an additional 4% tax on incomes over $1 million states that the revenues collected under this provision shall be spent for the purposes of enhancing public education and transportation, but specifies that such spending is “subject to appropriation.” While this could mean that the legislature may decline to appropriate the collected revenues for the stated purposes, the fact that the “millionaire’s tax” is proposed as a constitutional amendment—which requires at least 25 percent support of the legislature—could reduce the chance of such a result. So too may the legislature’s separate duty under article 48 to “appropriate such money as may be necessary to carry such law [if passed] into effect.” Art. 48, The Initiative, II, § 2; see also Bates v. Director of the Office of Campaign and Political Finance, 436 Mass. 144, 154-61 (2002).
Whatever one’s views on the effectiveness of the initiative petition process as a means of making public policy, everyone should agree that any measure that is destined to become law should be well-drafted. A few suggested guidelines in this regard include the following:
• Research the law to ensure consistency with existing provisions. Some changes proposed by a petition could be achieved through existing law or a more modest modification of such law.
• Consider the impact of the petition on other areas of the law. For instance, a change in the definition of a term could affect every provision of the General Laws where that term is used.
• Keep the legislative language succinct. An often-cited rule of thumb is to draft a summary of the petition as it would appear on the ballot, and then craft legislative language to match the summary.
• Consider issues that may subject the law to constitutional or other challenges if the petition were enacted, even if such issues would not bar certification. For instance, laws that have retroactive effect could raise due process issues.
These suggestions could help reduce duplication and confusion in the law, while also keeping issues succinct and clear for the voters. Overall, they further the goal of making “good” workable laws, in accordance with the overriding purpose of article 48.
Tori T. Kim is Deputy General Counsel in the Executive Office for Administration and Finance. Previously, as Assistant Attorney General, she co-directed the review of initiative petitions at the Attorney General’s Office.
Establishment of casino gaming in Massachusetts was the subject of a passionate debate. But the Legislature has acted and casinos are in Massachusetts to stay. The Massachusetts Gaming Commission has issued three licenses—full casino licenses to Wynn Resorts in Everett and MGM in Springfield, and a “slots-only” license to Penn National Gaming in Plainville—and is considering applications for the fourth license in the southeastern region of the state.
In addition, the Commission has promulgated regulations covering the gaming industry in Massachusetts. The opportunities for vendors to provide goods and services under these regulations are extensive and will remain so for years to come.
The licensed casinos are expected to purchase an enormous variety of locally-supplied goods and services totaling between $150 and $200 million annually, from tomatoes to toilet paper, and from limousines to linen supply.
Although the opportunities for Massachusetts vendors to supply goods and services to casinos is substantial, so too is the regulatory burden imposed on such vendors. This article will provide an overview of the process and the issues to which attorneys should pay particular attention.
In November 2011, Governor Patrick signed into law the Expanded Gaming Act (“Act”), which included a new Chapter 23K of the General Laws. Among the stated goals of the Act are providing “new employment opportunities” and “promoting local small businesses and the tourism industry.” G.L. c.23K, §1(5)-(6).
However, the Act also emphasizes integrity in the licensing process. This emphasis extends from vendors to casinos. Under the Act, “[n]o person shall conduct business with a gaming licensee unless such person has been licensed or registered with the commission.” G.L. c.23K, §31(a). The Act creates two broad classes of vendors – gaming vendors and non-gaming vendors. Gaming vendors, those who make and service gaming and simulcasting equipment, must be licensed by the Commission, whereas non-gaming vendors are subject only to registration with the Commission. Because manufacturers and servicers of gaming equipment are well-established in the marketplace, this overview will focus on non-gaming vendors – a key area of opportunity for Massachusetts businesses.
A “non-gaming vendor” provides goods or services “not directly related to games” such as food purveyors or suppliers of the many non-gaming items that a large, destination resort needs to operate. Non-gaming vendors are required to register with the Commission.
A “secondary gaming vendor” also provides goods and services unrelated to gaming, but in amounts exceeding $250,000 in a twelve month period or $100,000 in a three-month period. Secondary Gaming Vendors must be licensed by the Commission. If the Commission determines that a non-gaming vendor “has met or is reasonably likely to meet the thresholds” for sales volume, it will notify the non- gaming vendor of the need to apply for licensure as a secondary gaming vendor.
The secondary gaming vendor designation only applies to non-gaming vendors, who “regularly” conduct business triggering these monetary thresholds. Single or infrequent transactions will not necessarily result in this designation. For example, a vendor who makes a single sale of $500,000 of lighting fixtures is unlikely to be designated.
Importantly, the monetary thresholds apply to the amount of business a vendor conducts with a single gaming licensee, and not to the aggregate of all business the vendor conducts with all Massachusetts casinos. Thus, a vendor who regularly conducts business with two casinos will not be designated as a secondary gaming vendor, even if the aggregate of the business conducted with the two gaming licensees exceeds $250,000 per year, or $100,000 in a three-month period.
The Gaming Commission’s Investigations and Enforcement Bureau (“IEB”) oversees the registration and licensing of vendors. The Commission’s regulations identify a number of classes of business that do not have to register — including insurance and media companies, professional services (legal, accounting, and financial services), medical services, and entertainers.
If none of these exemptions apply, the vendor must register, regardless of the monetary value of the transaction(s) conducted. The Non-gaming Vendor Registration Form requires disclosure of general business information (trade name, address and contact information, nature of services or goods provided, FEIN), as well as personal identifying information (name, residential address, social security number, and birth date) of: (a) the sales representative(s) soliciting business from the gaming licensee; (b) any person authorized to sign any agreement with the casino; and (c) any person or entity owning more than five percent of the vendor. In addition, the vendor must agree to be fingerprinted by IEB, and a registrant may have to submit a Subcontractor Information Form, which requires certain disclosures about “known or anticipated” subcontractors.
Once a non-gaming vendor has registered with the Commission, it may conduct business with a casino. IEB monitors and tracks all payments made by casinos to vendors. If IEB determines that a non-gaming vendor should be designated as a secondary gaming vendor, it will notify the vendor, who must take one of three actions within 45 days: (a) file a secondary gaming vendor application; (b) discontinue providing goods or services to the casino; or (c) file a written request for reconsideration on the ground that the goods or services are not provided on a regular or continuing basis.
Vendors have an ongoing obligation to comply with the regulations and to notify IEB of certain changes in their status. Vendors have a duty to cooperate in any Gaming Commission inquiry or investigation. Failure to comply with Commission regulations or the Act, or the arrest or conviction of a vendor’s principal, could result in the suspension, modification or revocation of a license. Since the Commission is charged with an ongoing monitoring role, licensed vendors are advised to self-regulate as closely as possible to prevent threats to their licensure. Given the intense media scrutiny the industry and regulators face, vendors are well advised to adopt strong internal controls and compliance policies when doing business with casinos. Equally important, vendors should be forthright and transparent in their dealings with IEB. A minor incident in a vendor’s past may not preclude licensure, but lying about it may. This is one circumstance in which it is not better to ask for forgiveness than permission.
The Commission continues to supplement and revise its regulations. Unlike many longer-standing regulatory processes, the regulatory scheme for gaming and gaming vendors is relatively new. Commission staff, who are veterans of both Massachusetts state agencies and the national gaming industry, have shown a refreshing willingness to engage attorneys and applicants with pre-filing reviews and discussions offering procedural guidance, and it is worth the practitioner’s time to take advantage of this resource.
The establishment of four casinos in Massachusetts offers considerable opportunity for many types of vendors to access a potentially lucrative market. But this market is regulated more stringently than most. There are significant and continuing regulatory obligations for those who participate, and public scrutiny in this highly regulated industry is certain to be constant. Detailed record keeping and communication with Commission regulators is essential and may add overhead costs for some businesses. But those who qualify and are able supply casinos in a consistently compliant manner should find themselves with a winning hand.
Andrew Upton is a partner at DiNicola, Seligson & Upton, LLP. He specializes in all phases of Administrative Law with an emphasis on licensing and permitting.
Jonathan Silverstein is a member of Kopelman and Paige, PC, focusing his practice on land development permitting, contracting and litigation. He chairs the firm’s Expanded Gaming practice and has represented clients in connection with every gaming facility proposal in the state, appearing regularly before the Massachusetts Gaming Commission.
Against a backdrop of income inequality and stagnating wages of working class families, policymakers across the country are considering more generous, family-friendly workplace policies. President Obama has called on Congress to pass legislation mandating earned sick time and appropriating funds to help states pay for similar programs. The President has also issued directives requiring federal agencies to advance up to six weeks of paid leave for parents with a new child.
In November 2014, Massachusetts voters put the Commonwealth in the vanguard by approving a ballot initiative entitling almost all employees in the state to earned sick time. Massachusetts is now one of few states with an earned sick time labor standard.
Before the Earned Sick Time Act, to be codified at G.L. c. 149, s. 148C, becomes effective on July 1, 2015, lawyers should be aware of the following to ensure compliance.
What Employers Are Subject to the New Law?
The law applies to almost all public and private employers. For employers with 11 or more employees (including full-time, part-time and temporary workers), earned sick time is paid at the employee’s standard hourly rate. For employers with 10 or fewer employees, sick time does not have to be paid. The law does not cover federal employees working in Massachusetts or municipal employees, unless the city or town votes to adopt or appropriates funding to cover the costs attributable to the earned sick time labor standard.
How Is Earned Sick Time Accrued and How Can It Be Used?
Employees will earn (“accrue”) one hour of sick time for every 30 hours worked up to a maximum of 40 hours of sick time in a calendar year. Accruals will begin on the later of July 1, 2015 or the employee’s date of hire, and may not be used until the 90th calendar day after accrual begins.
Employees may use up to 40 hours of earned sick time in a calendar year, either in hourly increments, or in the smallest increment that the employer’s payroll system uses to account for absences. If the employer already has a paid time off (PTO) or other paid leave policies, the new law does not require the employer also to provide additional paid sick time, so long as the employer allows the employee to use at least 40 hours per calendar year for the purposes allowed under the earned sick time law.
Employees can use earned sick time, whether paid or unpaid, to:
- care for a physical or mental illness, injury or medical condition affecting the employee or the employee’s child, spouse, parent, or parent of a spouse;
- attend routine medical appointments of the employee or the employee’s child, spouse, parent, or parent of a spouse; or
- address the effects of domestic violence on the employee or the employee’s dependent child.
Can Earned Sick Time Be Carried Over to the Next Calendar Year?
Yes. Although employees are not entitled to use more than 40 hours in one calendar year, they may carry over up to 40 hours of unused earned sick time to the next calendar year. Thus, an employee could start a new calendar year with a “sick time bank” from the prior year that would be available for use immediately. Unlike vacation time, which is considered a form of wages, accrued unused sick time does not have to be paid upon termination of employment.
How Does an Employee Request Use of Earned Sick Time?
When the need for sick time is foreseeable, employees must provide “good faith notice” of their intent to use earned sick time.
What Medical Documentation May an Employer Require?
For sick time exceeding 24 consecutive work hours, an employer may request “reasonable” medical documentation, but may not require information regarding the nature of the illness. Moreover, an employer may not delay an employee’s use of, or payment for, earned sick time for failure to provide the requested documentation.
What Are Consequences of Non-Compliance?
Like other wage and hour laws, the Attorney General is charged with enforcing the new earned sick time law, and employees have an individual right of action. Non-compliant employers may be subject to civil penalties up to $25,000 per violation, treble damages, attorney’s fees and costs.
Will the Attorney General’s Office Provide Guidance on Compliance?
Yes. The new law also requires the Attorney General to prepare a notice that employers must post conspicuously in their workplaces. Health care facilities, child care centers, and schools also must post the notice.
What Questions Remain Unresolved?
Some of the outstanding issues that may be resolved by regulations to be promulgated by the Attorney General or settled by the courts include:
- How is employer size determined if its workforce fluctuates during the year?
- May an employer decline requested sick time where the employee fails to provide “reasonable” medical documentation?
- What constitutes “good faith notice” of foreseeable need for sick time by an employee?
- How does the new earned sick time law interact with the requirements and rights under other wage and hour laws, such as the Family Medical Leave Act (“FMLA”) and the new Act Relative to Domestic Violence, G.L. c. 149, § 52E?
- Does the federal Labor Management Relations Act preempt a claim under the new law for more sick time than afforded a union member under a collective bargaining agreement?
Conclusion: What Steps Should Employers Take?
Lawyers can advise their clients to encourage compliance before the July 1, 2015 effective date.
Employers should review existing employee handbooks and Paid Time Off (PTO) policies covering all types of paid leave (e.g., sick, vacation, personal days) to determine whether changes are needed to meet the new earned sick time standards. The new law allows employers to maintain their existing PTO policies if the existing policies provide at least the minimum rights under the new law, such as allowing employees to accrue sick time from the first day of employment and at the rate provided under the new law, to use at least 40 hours per calendar year for the purposes authorized under the new law, and to allow employees to carry over at least 40 hours of unused earned sick time to the next calendar year.
Before July 1, 2015, employers should ensure that managers, supervisors and human resources administrators are informed about the requirements of the new earned sick time law, the new law’s definition of “sick time” (which is considerably more expansive than the FMLA), and the unresolved issues, including the level of medical documentation an employer is permitted to require under the new law.
The Earned Sick Time Act will bring significant changes as Massachusetts steps forward at the vanguard of states adopting mandatory sick time labor standards.
Paul Holtzman, a partner at Krokidas & Bluestein, LLP, focuses on employment and litigation matters, including wage and hour, discrimination, harassment, retaliation and whistleblower claims, and serves as a mediator.
Anjali Waikar is an associate at Krokidas & Bluestein, LLP, advising nonprofit, health care, and social service organizations and individuals on employment, privacy, and health care law.
In the last weeks of his term, Governor Deval Patrick granted the first four pardons in the Commonwealth of Massachusetts since 2002. Of the more than 70 people who petitioned for a pardon in 2014, the Advisory Board of Pardons recommended five favorably to Governor Patrick. These were the Board’s first such recommendations since 2009. Governor Patrick submitted four pardons to the Governor’s Council for its advice and consent. Following public hearings on each petition, the Council approved all four, one of whom was my client.
Obtaining clemency is a rare occurrence – combining legal and political processes with little guidance. The journey from petition to pardon involves uncertainty for petitioners and their attorneys alike. This article aims to shed some light on the process.
The Governor’s pardon power is long established. Article 73 of the Amendments to the Massachusetts Constitution invests the Governor with “the power of pardoning offences… by and with the advice of [the Governor’s Council].” As a result, “[t]he power to pardon as vested in the Governor is not absolute but conditional, and that condition is that it shall be exercised in accordance with the advice of the Council.” In re Op. of the Justices, 210 Mass. 609, 611 (1912). The Governor has plenary power to determine candidates for pardon relief, but no form of clemency may issue without “concurrent action by both the Governor and Council.” See id. Since 1991, Massachusetts governors have issued a total of 57 pardons, drawn from an average of roughly 100 petitions per year, and 80 percent of those pardons date to Governors Weld and Cellucci. See Margaret Colgate Love, NACDL Restoration of Rights Resource Project, December 2014; Gavriel B. Wolfe, Note, I Beg Your Pardon: A Call for Renewal of Executive Clemency and Accountability in Massachusetts, 27 B.C. Third World L.J. 417, 429 (2007); Michael Rezendes, Granting Pardons No Priority for Cellucci, Bos. Globe, Nov. 26, 1999 at A1.
Each governor establishes parameters for the pardon process through Executive Clemency Guidelines that express his or her philosophy. Governor Patrick issued three sets of such guidelines during his tenure (2007, and January and July 2014). Both of the sets he issued in 2014 made clemency more attainable for petitioners. According to those guidelines, pardons are “primarily intended to remove barriers that are often associated with a criminal record or sentence, thereby facilitating the reintegration of the petitioner into the community of the law abiding.” Such relief will be considered “for a petitioner who has demonstrated a substantial period of good citizenship subsequent to the criminal offense and either: (1) a compelling need for a pardon; or (2) extraordinary contributions to society that would justify restoration of his/her reputation as a concluding step of rehabilitation.” Governor Baker has formally rescinded these guidelines and has yet to release his own. Three hundred petitions for clemency – whether pardon or commutation – currently are pending before the Advisory Board of Pardons, which has suspended its review of such petitions until Governor Baker issues his guidelines for them to follow. Gintautas Dumcius, Actor Mark Wahlberg’s Pardon Request, Like Others, On Hold, Parole Board Chairwoman Says, State House News Serv., April 8, 2015.
Not many people complete their incarceration and then pursue an education towards a career that will involve work in jails and prisons. Arrested at nineteen for his participation in a string of burglaries on Plum Island and the New Hampshire seacoast, my client served eight months in a New Hampshire jail and two years of concurrent probation in New Hampshire and Massachusetts. He sought the pardon of a single related Massachusetts burglary conviction for which he served that probation. Eight years after his release from jail, my client had turned his life around. He graduated from college with honors, two years of which he spent interning at the local jail and counseling inmates. After graduation, a professor – who was the superintendent of another county jail in New Hampshire – hired him as a corrections officer, exploiting a loophole subsequently closed following news coverage of my client’s successful service. In Massachusetts, my client sought a pardon so he could pursue a career in criminal justice that would have been practically unattainable to him with a criminal record.
There were challenges to his petition, however. Like the petitioner whom Governor Patrick did not recommend to the Governor’s Council, my client was not a Massachusetts resident, living instead with family in New Hampshire as he attended graduate school. Unlike the other successful petitioners, my client was a young man – only in his late twenties – and his age might have worked against him by facilitating a perception that he was more likely to re-offend.
My client’s journey to a pardon began, as each one must, with a pardon petition form, available on the Parole Board’s website, which requests biographical information, discussion of the events related to the conviction for which pardon is sought, and an explanation of why the candidate seeks and merits a pardon. The form remains centrally important through the pardon process, and therefore it is best if counsel assists in filling it out. Relevant CORI information and police reports should be reviewed to create as accurate a petition as possible to avoid problems due to mistaken memory as the petition advances. Any petition also should avoid claiming the petitioner deserves the pardon, no matter the merits of the petition.
Counsel also should advise the petitioner as to the nature of a pardon pursuant to Massachusetts law. While a pardon removes the penal consequences of a conviction, such as statutory bars to employment, the facts of the underlying offense remain and may present similar barriers. Comm’r of Metro Dist. Comm’n v. Dir. of Civil Serv., 348 Mass. 184, 194 (1964). The petitioner must decide whether to seek a full pardon – which restores the ability to apply for a firearms permit – or to proceed with a conditional pardon that does not and therefore may be more palatable to the Governor and/or the Governor’s Council, based on the petitioner’s underlying offense and biography. The guidelines will dictate the required additional steps, if any, that a full pardon application requires; however, the facts of the pardoned offense may still preclude the issuance of a permit. See Firearms Records Bureau v. Simkin, 468 Mass. 168, 180 (2013).
The Advisory Board of Pardons
Candidates submit their petition forms, together with letters of recommendation and other documentation, to the Council, which forwards them to the Parole Board, operating in clemency cases as the Advisory Board of Pardons. See G.L. c. 127, § 154; 120 CMR 100.00, 902.02. The Board initially reviews pardon petitions for “substan[tial] compli[ance] with the criteria set by statute, the Governor’s Pardon Guidelines, and the Advisory Board’s regulations…” 120 CMR 902.04(1). Based on this review, the Board must submit a recommendation to the Governor within ten weeks, unless “adequate consideration of the case requires a hearing on the merits.” See G.L. c. 127, § 154. In such cases, the Board’s Executive Clemency Unit directs an investigation “concerning the petitioner’s criminal, social, and institutional histories, as well as concerning any other factor deemed relevant to the issue of pardon.” Id. Parole officers fact-check the petition, following up on background and CORI information, and conduct an in-person interview of the petitioner. Copies of the petition also go to the Attorney General’s Office, to the district attorney and chief of police for the relevant jurisdiction, and the Secretary of Public Safety, each of whom has six weeks to make a written recommendation to the Board. See id.; 120 CMR 902.05.
If the petitioner merits further consideration, the Board convenes a hearing before at least two of its members, at which time the petitioner has the burden “to show, by clear and convincing evidence, that pardon relief is appropriate.” 120 CMR 902.09(2). Regulations enumerate both a list of potential topics and the procedure for such hearings, and petitioners may offer testimony in support of their application, as may government officials and victims, whether in opposition or support. See G.L. c. 127, § 154; see also 120 CMR 902.09. Considering only “matters which properly bear upon the propriety of the extension of clemency to the petitioner,” the Board makes a recommendation to the Governor no later than six months after the Board’s receipt of the petition. See G.L. c. 127, § 154; 120 CMR 902.10. However, “[a] pardon is not generally available to individuals who do not meet the applicable Governor’s Pardon Guidelines.” 120 CMR 902.01(2).
Back to the Governor’s Office
Once the petition returns to Beacon Hill with the Board’s recommendation, the Governor and the Office of the Governor’s Legal Counsel review the two documents and begin their formal analysis of the candidate. Nothing requires the Governor to follow the Board’s recommendation – Governor Patrick advanced only four of the five candidates recommended for pardon relief – as he or she applies his or her Guidelines.
The Governor’s Council
If the Governor decides to grant a pardon, the venue shifts to the Governor’s Council and therefore the focus shifts to the Council’s constitutional advise and consent function. The Governor’s Guidelines do not bind the Council even as it considers pardon petitions – and Advisory Board recommendations – crafted to comply with them. See Pineo v. Exec. Council, 412 Mass. 31, 36-37 (1992). As a result, the Councilors, in coordination with the Governor’s Office, control the structure, extent and nature of any public hearings the Council holds on a pardon petition. See id. In 2014, the Council held a series of intensive public hearings on each pardon, and during these hearings, Councilors posed questions directly to the petitioners, witnesses, and counsel. Other incarnations of the Council, however, may choose to proceed differently. Finally the Council schedules a vote on whether to ratify the Governor’s decision to grant a pardon. A petitioner must wait a calendar year from any denial of pardon relief to reapply. 120 CMR 902.12.
At the end of this long and winding process, the petitioner hopefully has a well-earned second chance at life under the law. My client remains grateful for the clemency afforded him – and hopeful, both for his own future and for the futures of others who may, eventually, obtain such relief for themselves.
William G. Cosmas, Jr., is an associate at Sally & Fitch LLP, where he works primarily in the areas of business litigation, white-collar criminal defense, government investigations, and complex civil litigation. In 2014, he represented a successful petitioner for clemency in Massachusetts. He received his undergraduate degree from Georgetown University and his law degree from Boston College Law School.