by Matthew J. Kiefer and Louise B. Giannakis
The Commonwealth of Massachusetts prides itself on being “first in the nation” for many milestones: the first public park (Boston Common), the first college (Harvard) and the first to legalize same-sex marriage. A lesser known “first” was the Commonwealth’s formal recognition of the public trust doctrine, a legal concept dating at least to Justinian. The doctrine, first codified by the Colonial Ordinances of the 1640s, obligates the Commonwealth as trustee to ensure that land subject to tidal action is used for public benefit. The doctrine evolved into M.G.L. c. 91 (“Chapter 91”), the Public Waterfront Act (“Act”). Historically, the Act focused on preserving public access to the water, protecting tidelands for water-dependent uses such as fishing and boating, and encouraging uses and development that animate the waterfront. However, with record-breaking coastal flooding and sea level rise no longer distant threats, climate resilient waterfront development has become a policy imperative in Chapter 91 licensing.
Chapter 91 is a comprehensive licensing program, administered by the Massachusetts Department of Environmental Protection (“DEP”), to ensure that proposed waterfront development projects meet public benefit standards with respect to environmental protection, public safety, navigation, preservation of historic maritime industries, and recreational, commercial and industrial activities and uses. Licensing by DEP can be a complex and lengthy process, especially for large-scale urban projects. Although DEP has yet to incorporate formal climate resiliency requirements into its licensing program, a prudent project proponent should include climate resilience as an integral part of a project’s public benefit profile in light of the DEP’s recent licensing decisions, public comments and formal requirements established by other regulatory agencies, such as the Boston Redevelopment Authority (d/b/a Boston Planning and Development Agency or “BPDA”).
Do the regulatory homework: Effective representation of a proponent of a waterfront project requires a determination of how the Chapter 91 and associated regulatory standards and policy goals apply to a particular project. See Waterways Regulations, 310 CMR 9.00 et seq., Designated Port Area (DPA) Regulations, 301 CMR 25.00 et seq., Municipal Harbor Plan (MHP) Regulations, 301 CMR 23.00 et seq. Early analysis of site-specific factors by a cross-disciplinary team is often required to identify which Chapter 91 requirements are applicable to a particular site — such as whether the site is historically filled or currently flowed tidelands or is nontidal, whether it is above or below the historic low water mark, and whether it serves water-dependent or nonwater-dependent uses. This is critical to developing an effective Chapter 91 permitting path, and should include evaluation of appropriate climate resiliency measures. For example, as sea levels continue to rise, it would be wise to anticipate whether structures currently above the high water mark, and thus exempt from licensing, may become “intertidal” and thus subject to Chapter 91 jurisdiction.
Review other agencies’ climate change initiatives for guidance: As climate resiliency becomes a policy imperative for the modern world, federal, state and local agencies are increasingly launching initiatives and establishing requirements to protect communities from the adverse effects of climate change. In March, 2016, Governor Baker signed Executive Order 569, “Establishing an Integrated Climate Change Strategy for the Commonwealth,” and in early 2018, authorized over $1.4 billion in capital allocations “to mitigate and adapt to climate change” and “build a more resilient Commonwealth.” These climate resiliency investments include infrastructure repairs and improvements, as well as grants to communities through the Municipal Vulnerability Preparedness Program and the State Hazard Mitigation and Adaptation Plan. In October, 2017, the BPDA formally integrated climate resilience measures into its approval process under Boston Zoning Code Article 80 for Large Project, Planned Development Area and Institutional Master Plan Reviews by requiring a “Climate Resiliency Checklist Report” that incorporates sea level rise, storm surge, extreme precipitation, extreme heat events, and other considerations. Other Boston initiatives include the recently-approved Downtown Waterfront Municipal Harbor Plan, which encourages a comprehensive, district-wide approach to creating a climate resilient waterfront that overcomes the limitations of a parcel-by-parcel permitting process, and Climate Ready Boston, an ongoing city-wide planning effort to address the effects of climate change. At the federal level, the newly revised Federal Emergency Management Agency flood hazard maps increase the reach of flood zones and show a stepped-up focus on the topic.
Consider climate resilience measures in recently approved projects: Many questions remain about the Chapter 91 licensing implications of potential climate resiliency measures. Can raised seawalls or berms be licensed if they reduce public pedestrian access? Would a flood protection berm consisting of new fill in flowed tidelands be licensable? Would raising the grade of a project site to anticipate rising sea levels allow for a commensurate increase in building height? What is the scope of responsibility for an individual licensee whose site is located on an area-wide flood zone and whose flood protection activities may not be effective until the entire area is protected?
Regulatory uncertainty notwithstanding, it is clear that adapting to sea level rise is necessary for the long-term viability of a waterfront project. For instance, the developers of Clippership Wharf in East Boston have designed a floodable harbor-walk that can act as a buffer for high seas and are importing significant amounts of new fill to raise parts of the seven-acre site above anticipated flood levels. The developers of a large mixed-use campus at Suffolk Downs in Boston-Revere have proposed a sunken amphitheater with capacity to hold millions of cubic feet of flood water for days to address anticipated flood levels. The developers of the L Street Power Station in South Boston have proposed an elevated floor of the building to accommodate the possible need to raise the ground level while maintaining a reasonable floor to ceiling height.
In short, even in the absence of clear regulatory requirements, waterfront development proponents should incorporate climate resilience measures early in the licensing strategy, not only to extend the project’s design life, but also to facilitate the licensing approval by anticipating the public benefit expectations of the DEP and interests of the waterfront communities.
Matthew J. Kiefer is a Director at Goulston & Storrs, focusing on real estate development and land use. Matt has extensive experience licensing projects under Chapter 91, including Clippership Wharf in East Boston, the Innovation and Design Building in the Ray Flynn Marine Park, and Building 114 and the Spaulding Rehabilitation Center in the Charlestown Navy Yard. He co-chairs the firm’s Climate Resilience Task Force.
Louise B. Giannakis is an Associate in Goulston & Storrs’ Real Estate practice group. Louise graduated from Boston College Law School in 2017 and is a member of the Urban Land Institute’s Young Leader Group.
by William G. Cosmas
Two years ago in this journal, I examined the process of obtaining a pardon in the Commonwealth of Massachusetts from the perspective of having represented one of the first successful petitioners for such relief since 2002. This article examines the Executive Clemency Guidelines issued by Governor Charles D. Baker (the “Baker Guidelines”) as compared to those that his predecessor, Governor Deval L. Patrick, issued in January 2014 (the “Patrick Guidelines”).
In Massachusetts, a governor’s Executive Clemency Guidelines (the “Guidelines”) largely govern the process from petition to clemency. Statutes and regulations set forth the procedure through which the Parole Board, acting as the Advisory Board of Pardons (the “Board”), reviews, evaluates, and considers petitions for clemency. The Guidelines set forth the qualitative framework for that analysis, through an expression of the governor’s philosophy concerning clemency and the criteria that he or she will use to determine whether a petitioner merits recommendation to the Governor’s Council (the “Council”) for relief. On the day after his inauguration, Governor Baker rescinded the Patrick Guidelines, under which Governor Patrick had issued four pardons at the close of his term, halting administrative review of existing petitions until he could draft and issue his own Guidelines. Baker Rescinds Ex-Gov. Patrick’s Clemency Guidelines, Associated Press, Jan. 16, 2015. Governor Baker described his decision as “standard operating procedure,” because with a new governor comes a new understanding of the nature and contours of the governor’s pardon power. See Gov. Baker To Submit New Pardon Guidelines In Coming Weeks, Associated Press, Jan. 23, 2015. The Baker Guidelines were issued in December 2015.
An Apparent Attempt to Streamline
While the Baker Guidelines offer streamlined, procedural clarity and hew closely to relevant law, the Patrick Guidelines contemplated a holistic review of each petitioner, “intend[ing] to inform” the Board—the “public officials who are most able to make informed decisions on the persons seeking relief”—in its preliminary analysis of each petition. See Patrick Guidelines (“PG”) at 1-2. In contrast, the Baker Guidelines emphasize his prerogative to “direct” the Board’s analysis, in language that agrees with the Board’s recently-revised regulations (see, e.g., 120 CMR 900.01(2) (2017) (“The [Board] shall be directed by the Governor’s Executive Clemency Guidelines in its consideration of petitions for executive clemency.”)). See Baker Guidelines (“BG”) at 1-2. Such emphasis also reflects the governor’s constitutional power, under Article 73 of the Amendments to the Massachusetts Constitution, to determine which clemency petitions merit submission to the Council for approval. See In re Op. of the Justices, 210 Mass. 609, 611 (1912); see also M.G.L. ch. 127 § 152.
Both sets of Guidelines reserve that power notwithstanding their own terms, but the Baker Guidelines explicitly acknowledge that they do not bind the Council, whose “concurrent action” on a petition is required to issue a pardon. BG at 2; see In re Op. of the Justices, 210 Mass. at 611. This nod to the Council’s constitutional independence, see Pineo v. Exec. Council, 412 Mass. 31, 36-37 (1992), an esoteric point of law easily lost on those without experience on Beacon Hill, may prove crucial to future petitioners who reach the final stage of review. Without this provision, a petitioner (and his/her counsel) might assume that the same Guidelines that governed the lengthy process to that point also set the rules for the Council’s essential consideration of a petition. In truth, there are no rules for the Council’s analysis or for any related hearing other than those, if any, promulgated by the Council for the occasion.
Finally, the Baker Guidelines offer added precision by incorporating relevant statutory and regulatory provisions. For example, both Guidelines indicate that, for certain offenses, a pardon “rarely” would include restoration of a petitioner’s firearms rights. Unlike the Patrick Guidelines, however, the Baker Guidelines specifically incorporate the offenses included in M.G.L. ch. 140 § 121’s definition of “violent crime”: “any crime punishable by imprisonment for a term exceeding one year… that: (i) has as an element the use, attempted use or threatened use of physical force or a deadly weapon against the person of another; (ii) is burglary, extortion, arson, or kidnapping; (iii) involves the use of explosives; or (iv) otherwise involves conduct that presents a serious risk of injury to another,” BG at 4. Although the Supreme Judicial Court struck down part (iv) of the statute as unconstitutionally vague in May 2016, Commonwealth v. Beal, 474 Mass. 341, 349-51 (2016), the precision that the rest of § 121 provides may help petitioners set more accurate expectations for the process.
An Embrace of Retributive Justice
Both Guidelines establish similar basic threshold considerations for pardon relief, but the Baker Guidelines imbue those considerations with a retributive theory of justice. Perhaps drawing the line for the Commonwealth’s retribution at the petitioner’s release from state supervision, the Patrick Guidelines first considered whether “[t]he grant of a pardon is in the interests of justice,” considering “the nature of the underlying offense(s), the impact of the crime on any victim(s) and society as a whole, the petitioner’s role in the underlying offense, and the fundamental fairness and equity of granting a pardon to the petitioner.” PG at 3. By contrast, the Baker Guidelines identify the “nature and circumstances of the offense” as the first “paramount consideration,” paying particular attention “to the impact on the victim or victims and the impact of the crime on society as a whole.” BG at 3. The greater the severity of the petitioner’s offense, the more time “that should have elapsed in order to minimize any impact clemency may have on respect for the law.” Id. at 2.
The second threshold question under the Patrick Guidelines focused on a petitioner’s rehabilitation, considering whether “the petitioner has been a law-abiding citizen and presents no risk for re-offense,” to determine whether a pardon would be consistent with maintaining public safety. PG at 3. That analysis focused on the petitioner’s “good citizenship” during a period of time following confinement or probation based on whether the petitioner’s offense was a felony or misdemeanor. PG at 3. The Baker Guidelines’ analogous “paramount consideration”—“the character and behavior, particularly post-offense behavior, of the petitioner”—presents a striking shift from the Patrick Guidelines. See BG at 3. A petitioner must have “clearly demonstrated acceptance of responsibility for the offense for which the petitioner is seeking clemency” —and appealing or challenging the underlying conviction or sentence is “[g]enerally… inconsistent with acceptance of responsibility.” Id. In other words, a petitioner who exercised his legal right to appeal or challenge a conviction twenty-five years ago, no matter the justification, unwittingly disadvantaged his future clemency petition to Governor Baker in the process. The Baker Guidelines also essentially require that a petitioner have “made full restitution” to victims economically injured by the petitioner’s crime(s), giving “stronger consideration to petitioners who have made restitution in a prompt manner.” Id. A petitioner’s public service will also lead to “stronger consideration,” whether that public service consists of “substantial assistance to law enforcement in the investigation or prosecution of other more culpable offenders” or “service in the military or other public service, or . . . charitable work.” Id.
Narrowed Opportunity for Petitioners
Both sets of guidelines provide additional factors to be taken into account in determining a petitioner’s entitlement to relief, such as requiring a period of “good citizenship” since release from government supervision, but the Baker Guidelines take a narrower focus, limiting opportunities for petitioners. The Patrick Guidelines considered “either (1) a compelling need for a pardon; or (2) extraordinary contributions to society that would justify restoration of his/her reputation as a concluding step of rehabilitation.” PG at 2. Similarly, the Baker Guidelines require petitioners to “demonstrate both good citizenship and a verified, compelling need,” but do not expressly consider the “extraordinary contributions to society” that might have tipped the balance to clemency under the Patrick Guidelines. BG at 3. Instead, the Baker Guidelines require disclosure and investigation of “whether the petitioner has been the subject of any civil lawsuit, including any restraining order, during the claimed period of good citizenship,” thus imposing a greater burden than the Patrick Guidelines, which required consideration only of restraining orders or civil contempt orders. See BG at 4; PG at 4.
On the whole, the Baker Guidelines provide additional clarity—but commensurately narrower paths to clemency—than those they replaced. It remains to be seen whether and in what circumstances Governor Baker will exercise his constitutional power to grant the “extraordinary remedy” of a pardon—and whether his Guidelines will impact his ability to do so.
William G. Cosmas, Jr., is an associate at Fitch Law Partners LLP, where he works primarily in the areas of business litigation, white-collar criminal defense, government investigations, real estate disputes, and complex civil litigation. In 2014, he represented a successful petitioner for clemency in Massachusetts.
The Massachusetts Securities Division (“Division”) is the state agency entrusted with protecting investors. And the scope of its power is considerable, ranging from the authority to order the disgorgement of profits to its ability to issue cease and desist demands. But parties defending against the Division’s Registration Inspections, Compliance and Examinations (“RICE”) Section are often disadvantaged by a very limited right to discovery.
Respondents in Division proceedings can, however, request to subpoena third parties, which can be valuable considering the paucity of other discovery tools. But getting the Division to issue a subpoena is not easy or intuitive. This article, therefore, provides an overview of the subpoena process in adjudicatory proceedings before the Division.
Discovery in Division Proceedings
Under the Division’s rules, respondents have no right to propound interrogatories or requests for documents. 950 C.M.R. § 10.01 et seq. Instead, the Division has held that RICE is only required to produce documents it identifies as exhibits in its pre-trial memorandum. Conversely, RICE may issue subpoenas even before an adjudicatory proceeding has begun. M.G.L. c. 110A, § 407(b).
Subpoenas can mitigate this imbalance, as there are many scenarios in which third parties will hold key information. For example, in insider trading cases, establishing whether information is material or obtained in violation of a fiduciary duty could depend upon information held by the third-party company whose shares were traded. With third-party subpoenas, respondents can gain advance notice of the evidence upon which RICE may rely at trial while also potentially obtaining exculpatory evidence which RICE would otherwise not be obligated to produce.
Right to Issue of Subpoenas
How do respondents obtain subpoenas in Division proceedings? At first, the answer may seem straightforward. Under M.G.L. c. 30A, § 12(3):
Any party to an adjudicatory proceeding shall be entitled as of right to the issue of subpoenas in the name of the agency conducting the proceeding. The party may have such subpoenas issued by a notary public or justice of the peace, or he may make written application to the agency, which shall forthwith issue the subpoenas requested.
That is, respondents appear entitled to subpoenas “as of right.”
The Division’s position, however, is that Section 12(3) does not apply to its adjudicatory proceedings because M.G.L. c. 110A, § 407(b) supplants it. See, e.g., In the Matter of Blinder, Robinson, & Co., Docket No. E-85-27, 1986 Mass. Sec. LEXIS 63 (Mass Sec. Div. April 30, 1986). As the reasoning goes, under Section 407(b), the Division “may” issue subpoenas, but is not required to, and therefore, there is a conflict between Section 12(3) and Section 407(b). And where Section 407(b) deals specifically with the Division but Section 12(3) is merely a default rule applicable to all agencies, Section 407(b) prevails. Accordingly, respondents in Division proceedings are subject to 950 C.M.R. § 10.09(l), which requires a respondent to make a “written application” for a subpoena to the Presiding Officer, who “may” grant the application.
No court has yet weighed in on the Division’s interpretation, however, and its position is open to challenge. First, nothing in Section 407(b), which was enacted after Section 12(3), states that it overrides Section 12(3), and there is “a very strong presumption against [the] implied repeal” of a statute, Commonwealth v. Hudson, 404 Mass. 282, 286 (1989) (internal quotation marks omitted), particularly where the statute unequivocally confers a procedural “right.” Nor is it clear there is a conflict between Section 12(3) and Section 407(b); the former deals with a respondent’s ability to issue subpoenas whereas Section 407(b) refers to the Division’s prerogative to do so. Moreover, the Division, in a slightly different context, has itself stated that “[a] party to an adjudicatory proceeding before the Division is entitled as a matter of right to the issuance of [a] subpoena.” In the Matter of Cohmad Sec. Corp., Docket No. E-2009-0015 (Mass Sec. Div. Nov. 17, 2009). There are, therefore, ample grounds upon which to invoke subpoena rights under Section 12(3).
What should a respondent do if it wishes to issue a subpoena under Section 12(3)? It could simply ignore Division precedent and serve a notarized subpoena pursuant to Section 12(3). But RICE will almost certainly respond with a motion to quash, which in turn may result in an order from the Presiding Officer to withdraw the subpoena.
The prudent approach would be to file a motion before the Division under both Section 12(3) and 950 C.M.R. § 10.09(l). This approach affords two advantages. First, the Division may simply grant the subpoena, in which case the applicability of Section 12(3) is moot. Second, if the Division denies the subpoena, then the respondent will have preserved the issue for appeal under M.G.L. c. 30A, should the Division ultimately decide unfavorably. If the respondent believes that it cannot wait until after a final decision, it might also consider interlocutory relief by way of a mandamus action in the Superior Court pursuant to M.G.L. c. 249, § 5. Mandamus relief will likely be an uphill battle, however, as it is only available where an M.G.L. c. 30A appeal is an inadequate remedy. Because a court can always reverse the Division’s judgment and order more discovery, there is usually an adequate remedy. If there is an immediate need for the subpoena, however, a mandamus action may be an important option to preserve by moving for a subpoena under both Section 12(3) and Section 10.09(l).
Requesting a Subpoena
To request a subpoena from the Presiding Officer under 950 C.M.R. § 10.09(l)(1), the respondent must make a “written application,” which should consist of a copy of the proposed subpoena and a short motion. The Presiding Officer may deny a request if she determines that the subpoena would be “unreasonable, oppressive, excessive in scope, or unduly burdensome.” Id.
Both the Division’s rules and M.G.L. c. 30A, § 12(3) allow the subpoenaed party, but no one else, to move to quash the subpoena. Accordingly, the Division has held that only “a party to whom the subpoena is directed may move to vacate or modify the subpoena.” In the Matter of Cohmad Sec. Corp. RICE, however, has argued that applications for subpoenas are “motions” under 950 CMR § 10.07(a), entitling it to file an opposition. Thus far, the Division appears to have rejected RICE’s position, and a respondent should promptly move to strike any opposition RICE files.
RICE has also argued that any subpoena served prior to the exchange of pre-trial memoranda under 950 C.M.R. § 10.09(b) is per se unreasonable because it is inherently inefficient to serve subpoenas that may overlap with the documents that RICE may produce with its memorandum. RICE’s argument is difficult to square with the language of Section 10.09(l), which imposes no time limitation on requesting subpoenas, and Section 10.09(b), which deals solely with the exchange of documents between parties, not third-party subpoenas. At least one Presiding Officer has rejected RICE’s position that subpoenas must be filed after the exchange of pre-trial memoranda. In the Matter of Risk Reward Capital Management Corp., Docket No. E-2010-0057 (Sept. 23, 2014). Nevertheless, respondents seeking to obtain subpoenas should be ready to field similar objections.
Subpoenas are a valuable tool in proceedings before the Division. But respondents should anticipate resistance and RICE’s likely objections. By preparing to do so, respondents can maximize their chances of success, either before the Division or (if necessary) on appeal.
Thomas Sutcliffe is an associate at Prince Lobel Tye LLP. His practice focuses on complex commercial and administrative litigation.
by Mark Szpak, Seth Harrington and Lindsey Sullivan
In August, the United States Department of Justice (“DOJ”) and the Securities and Exchange Commission (“SEC”) unsealed complaints alleging a scheme to hack into computer systems of newswire services in order to steal material nonpublic information, which the hackers then allegedly used to place trades.
This case is strikingly different from many other recently reported data-breach cases. Typically such cases have involved an attacker breaking into a company’s network to access personal nonpublic information (e.g., credit card numbers, medical history, social security numbers) that potentially could be sold to other criminals who would use it to attempt to commit identity theft or fraud. This hack involved information concerning publicly traded companies, obtained not from the companies themselves, but from third-party newswire services. These complaints highlight that cyberattack risk is not limited to the theft of personal information but extends to any confidential information that hackers may seek to exploit for financial gain – trade secrets, insider information, customer prospects, bid packages, marketing data, business plans, etc. Companies need to understand this risk as well as how to prevent it and manage it if it occurs.
The Alleged Hacking and “Insider” Trading Scheme
The criminal complaints filed by the DOJ allege that nine individuals hacked into the computer systems of newswire services Marketwired, PR Newswire, and Business Wire, accessed nonpublic information, and allegedly used it to generate $30 million in illegal profits. The civil complaint, brought by the SEC against 32 individuals, alleges that the defendants generated more than $100 million in illegal profits by trading on the stolen nonpublic information in violation of federal antifraud laws and related SEC rules.
These newswire services were engaged by major publicly traded companies to publish corporate releases and, as a result, received confidential information hours and even days before the information was publicly released. By infiltrating the computer systems of these newswire services, the criminals were able to access – and act upon – the releases ahead of the market.
Few are surprised that the newswire services were targeted, but the extent of the scheme is drawing attention. The hacking allegedly lasted five years, during which the criminal attackers allegedly accessed over 150,000 press releases. In one instance, according to the SEC complaint, the hackers and traders were able to act within the 36-minute period between when the press release was provided to the newswire service and public disclosure of the release, executing trades that resulted in $511,000 in profit.
Compared to other cybercases, these complaints represent the relatively rare occurrence in which claims are brought against the perpetrators of the data breach and the individuals who seek to use and profit from the stolen information. As this article goes to press, no litigation is known to have been initiated against either the newswire services or the companies whose information is alleged to have been stolen in this attack. Yet, based on trends in litigation and regulatory enforcement efforts in matters involving data breaches of personal information, one can expect that claims against hacked entities or their clients may begin also to arise even where only nonpersonal information is involved.
With respect to private litigation, potential claims could face a number of hurdles. Any potential plaintiff would have to allege a cognizable injury as well as the breach of a duty owed by the defendant to the particular plaintiff. Many courts in breach cases have dismissed claims (under both tort and contract theories) based on the attenuated relationship between the plaintiff and defendant regarding an alleged duty to safeguard information for the benefit of the plaintiff. As we move beyond personal information, each new digital information context will raise questions regarding whether a duty to anticipate and protect against criminal cybertheft can be fairly imposed, in what circumstances, pursuant to what standards, and, if so, to whom is it owed.
With respect to regulators, the SEC has made clear its position regarding the importance of cybersecurity. In March 2014, Chair Mary Jo White explained that “the SEC has been focused on cybersecurity-related issues for some time” because “[c]yber threats pose non-discriminating risks across our economy to all of our critical infrastructures, our financial markets, banks, intellectual property, and, as recent events have emphasized, the private data of the American consumer.” Other regulators (most notably the FTC) have also staked out a position of overlapping jurisdiction.
Best Practices for Companies
In a world where the electronic landscape and the sophistication of cyberhackers are both moving at high speed, here are nonetheless a few best practices that companies facing an actual or potential data security incident (i.e., all companies) can follow to mitigate potential risk:
- Think carefully about third-party vendors— Companies rely on numerous third parties for everything from corporate disclosures to marketing advice. Thoughtful contracting and training can go a long way to reducing the risk of loss or misuse.
- Supplement perimeter detection systems— According to the indictments in the newswire case, the criminal hackers were resident in the victims’ systems for years. The case illustrates the potential significance of taking a “defense-in-depth” approach to security and system monitoring.
- Be realistic about law enforcement and regulators— Notifying and cooperating with law enforcement can be important for many reasons, and the same is true for governmental regulators. But law enforcement usually focuses on getting the criminal attacker, while regulators (by comparison) often focus instead on examining any role the company had in having been criminally attacked. Keeping that difference in mind can be significant in dealing simultaneously with these respective governmental actors.
- Involve outside experts (both legal and forensic) at the earliest sign of a possible problem— Never guess or assume what may have taken place. Forensic experts can help your team assess whether an attack or breach has occurred, the actual scope of the breach, and how to contain it, while legal experts (both internal and outside counsel) can direct that forensic review and assess potential legal obligations involving notification, public statements, remediation, responding to law enforcement, dealing with regulators, preparing for litigation, and protecting the record.
- Carefully draft external statements— When an incident occurs, all outward facing statements should be carefully crafted to say only what is necessary, and to avoid committing to specifics until facts are definitely known. Before an incident occurs, promising any level of protection is risky because, if a hacker makes it into the system, the company’s statements will inevitably be second-guessed.
- Check your insurance— For the sake of planning, assume that erstwhile attackers will be able to access any system in your network. Consider, then, what kind of attack or what kind of data loss could cause the most exposure or disruption. Then make sure your insurance will actually cover those costs and that any related exposure to liability is indeed included. Evaluate your incident response preparedness through “tabletop exercises” to confirm that you have identified the potential risks and expenses.
- Avoid creating a bad record— Preservation of evidence after discovering a data breach often involves much more than just the usual email and paper files. In a network attack, the relevant evidence may include large groups of servers, firewall configuration records, network access logs, security management databases, vulnerability scan results, software hotfix schedules, or any number of other forensic or technical data sources that in most litigation rarely come into play. Identifying that relevant forensic and technical evidence and then maintaining it, while preserving applicable privileges and minimizing the interruption of critical ongoing company operations, can in many cases pose enormous challenges.
The panoply of costs that a cyberhack can impose makes it clear that a well-developed program to secure all types of business information, not just personal information, can provide a competitive advantage. And when data thieves strike, regardless of the type of data they target, following a prompt and careful response protocol can pay significant legal dividends.
Mark Szpak is a partner in Ropes & Gray’s privacy & data security practice. He focuses on the wide range of challenges that arise after a computer network intrusion, including defending against multidistrict class actions in the U.S. and Canada, handling forensic investigations and responding to regulators.
Seth Harrington, also a partner in Ropes & Gray’s privacy & data security practice, represents clients in all aspects of the response to a privacy or data security incident, and he regularly advises clients on indemnification and insurance matters, including cyber risk insurance.
Lindsey Sullivan is an associate in Ropes & Gray’s business & securities litigation practice, where she focuses on assisting clients through forensic investigations and preservation efforts around privacy and data security breaches.
“If you don’t know where you are going, you might wind up someplace else.”
— Attributed to Yogi Berra
Massachusetts has one of the country’s most stringent statutory and regulatory schemes relating to data privacy and security. The complexity and scope of available insurance products dealing with “cyber” exposures, in Massachusetts and throughout the business world, have dramatically increased over the past several years and are now as fractured and complicated as is the law, which differs from state to state and from country to country. Insurance underwriters, insurance brokers, technologists, security professionals, pundits and others offer conflicting advice about how to best move through this maze of insurance policies, technology, and the many potentially applicable state and federal regulations that often conflict. Imagine that there is growing apprehension that a company is at risk. At some point, a lawyer is called to advise on insurance protection. What is that lawyer to do?
The first step is to establish a team of professionals and client representatives who will, together, work through the issues that will allow the development of a meaningful strategy. The team should include the lawyer, an insurance professional, a technology resource (internal to the client’s business operations or external), and a representative of the client who is sufficiently vested with authority so that access to required information will be facilitated. Once the team is in place, the following should happen, in more or less this sequence:
1. The team should develop a realistic understanding of the client’s cyber/privacy and data risk profile. It is important to analyze not just electronic exposures, but traditional paper-based exposures as well. Among the many factors to consider are the following:
A. The type and location of protected information that is procured, handled, managed and stored by the client. Protected information includes, but is not limited to, private personal information (which is defined differently in various jurisdictions and under different regulatory schemes but often consists of an individual’s first name, last name, and either a social security number, bank account number or other similar data point), and confidential business information.
B. The federal, state, and local statutory and regulatory schemes that impact the client’s obligations with respect to protected information. Most states have adopted data privacy regimes that are grounded in statutes (in Massachusetts the applicable statute is Mass. Gen. Laws ch. 93H) and implemented through a series of regulations. Several federal agencies, including the FTC and the SEC, are focused in meaningful ways on the security of personal and other confidential information that is handled by businesses. Courts are, in most instances, finding statutory and regulatory support for robust enforcement actions by these agencies. It is important to keep in mind that many states, Massachusetts among them, have taken the position that their privacy schemes are meant to be protective of their citizens wherever those citizens conduct commerce.
C. The commercial obligations that have been assumed by the client by contract or otherwise in connection with data security and privacy. These should be charted, and compliance measured.
D. The security of non-electronic records that contain protected information.
E. The client’s network and electronic information storage infrastructure. As with non-electronic records, this infrastructure should be assessed by qualified professionals, and a plan should be established for correction of deficiencies.
2. Next, insurance coverage that is already in place should be reviewed. Among the policies to be reviewed are:
A. General Liability policies
B. Directors and Officers Liability policies
C. Errors and Omissions policies
D. Fiduciary policies
E. Crime policies
F. Professional Liability policies
G. Commercial Property policies
The risk profile that has been developed should be reviewed in the context of the insurance coverage that is present in these policies (there are no true “standard forms” and careful, term-specific analysis is required). The insurance professional who is part of the team should assist in identifying potential exposures that are not within the scope of the existing coverage.
3. Having established a risk profile, assessed the protection afforded by the insurance coverage in place and begun the process of correcting deficiencies, the team should next consider whether existing coverage should be supplemented, including whether stand-alone cyber/privacy coverage should be procured. The policy wordings that might be employed to supplement existing policies, and the policy forms that are available as stand-alone products, are not standard forms of insurance. Nearly all wordings can and should be specially negotiated.
As the stand-alone cyber/privacy insurance market has evolved, these general coverage types have become “standard” in most offerings (with the caveat that while the coverage “type” may be standard, the implementation varies from insurer to insurer, and from product to product, in meaningful ways):
A. Third party coverage against claims asserting a “data privacy wrongful act,” a “network security wrongful act,” or other similar coverage grant. This coverage affords the cyber/privacy equivalent of general liability coverage. A client purchases this coverage to protect against third party claims alleging damages due to the client’s handling of protected information.
B. Third party coverage for claims relating to violation of intellectual property rights or copyright.
C. Various types of first party coverages (coverage that will pay an insured for loss that the insured suffers itself, rather than indemnifying an insured for claims asserted by others), such as:
1. Notification and related expense coverage;
2. Coverage for regulatory fines and penalties;
3. Coverage for the expense of recreating information that is damaged, compromised or destroyed as the result of a data security incident, or other covered occurrence;
4. Coverage for the expense resulting from the inability to use a network or other asset as the result of a covered event; and
5. Coverage for fines and penalties payable as the result of a failure to maintain appropriate levels of Payment Card Industry compliance in connection with credit or payment card exposures (this is not as generally available).
There are, of course, additional issues that will arise in the course of developing an appropriate mitigation strategy and insurance structure. For example, it may be necessary to allow an insurer, or several insurers, to independently audit a client’s infrastructure. It may be that an insurer adds exclusions to a policy that render otherwise appropriate coverage difficult to accept – for example, adding an exclusion that would allow an insurer to avoid payment obligations in the event that there is a change in network structure, levels of security protection, or the like. These types of potentially devastating exclusions, sometimes based on ambiguous terms that are difficult to either understand in an operational sense or manage, can make otherwise meaningful protection unacceptable.
So, dealing with the structure of an effective cyber/privacy insurance program requires knowing what you’ve got, knowing what’s lacking, and filling gaps in a targeted way. Know where you’re starting, understand the potential end points, and you’ll get where you’re going and not someplace unexpected.
Alan M. Reisch is a Director in the Litigation Group at Goulston & Storrs, as well as a Founder of the firm’s risk management affiliate Fort Hill Risk Management, and counsels clients in connection with insurance coverage and portfolio analysis, risk assessment and management, fraud, data privacy and other related issues.
From marijuana legalization to campaign finance reform to a constitutional amendment to impose a “millionaire’s tax,” citizen groups turned to the initiative petition process this year to propose a variety of public policy measures. The process, governed by article 48 of the amendments to the state constitution, allows citizens to place measures directly on the ballot as an alternative to enacting legislation through elected representatives. Twenty-three other states permit similar forms of “direct democracy.” But compared to some systems (notably, the much-criticized California model), the Massachusetts process contains comparatively strict requirements to help ensure public support before a measure reaches the ballot and to make better law.
The initiative petition process is straightforward in theory but complex in its implementation. It begins with a filing with the Attorney General’s Office, usually by the first Wednesday in August of the year preceding a biennial state election. If the petition is “certified” by the Attorney General, the petitioners must then collect thousands of signatures by the first Wednesday in December in order to present the petition to the legislature. The legislature can choose to enact the petition in the same form or take no action by the following May, and, in the latter event, the petitioners must gather more signatures in order to place the petition on the November ballot. Proposed constitutional amendments follow a similar process, except that the measure must receive at least 25 percent support in joint sessions of two successive legislatures before it can appear on the ballot. Thus, a proposed constitutional amendment submitted in 2015 could not appear on the ballot until the 2018 election year.
Article 48 also restricts the types of initiative petitions that may appear on the ballot. Among the most litigated limitations is the requirement that the petition must contain “only subjects . . . which are related or mutually dependent.” Art. 48, The Initiative, II, § 3. In Carney v. Attorney General, 447 Mass. 218 (2006), the Supreme Judicial Court construed this phrase narrowly as requiring that a measure reflect an “operational relatedness among its substantive parts that would permit a reasonable voter to affirm or reject the entire petition as a unified statement of public policy.” Id. at 230-31. The Court applied this standard to deny certification of a petition seeking simultaneously to ban the dog racing industry and to increase penalties for the inhumane treatment of dogs. Although the Carney standard did not pose a hurdle for this year’s petition to legalize marijuana for adult users, similar petitions that address one “subject” broadly, but seek to make reforms in many “operationally” unrelated areas of the law, could be susceptible to challenge.
Importantly, article 48 bars petitions that are “inconsistent” with certain rights enumerated in the Declaration of Rights. See art. 48, The Initiative, II, § 2. For instance, the Supreme Judicial Court in Bowe v. Secretary of the Commonwealth, 320 Mass. 230 (1946), denied certification of a petition proposing to eliminate all forms of political spending by labor unions as “inconsistent” with unions’ free speech and assembly rights. Id. at 252. However, the list of rights in article 48 is limited, reflecting a compromise among the members of the constitutional convention to prospectively allow voters to “override” decisions of the state’s highest court only in certain areas. The members specifically had in mind Lochner-era cases declaring social welfare legislation invalid as violating “due process” as a type that could be addressed by an initiative petition, but they identified other “concrete” and “definite” rights enumerated in the Declaration of Rights that would not be subject to the initiative petition process. This compromise impacts advocates of all political persuasions, as is evident from this year’s petition to roll back corporate political spending in a manner similar to that in the Bowe petition banning labor union spending.
In addition, article 48 bars initiative petitions that make a “specific appropriation of money from the treasury of the commonwealth.” While this limitation preserves the legislature’s exclusive authority to make appropriations, it does not prohibit a petition from specifying how funds may be spent once they are so appropriated. For instance, this year’s petition imposing an additional 4% tax on incomes over $1 million states that the revenues collected under this provision shall be spent for the purposes of enhancing public education and transportation, but specifies that such spending is “subject to appropriation.” While this could mean that the legislature may decline to appropriate the collected revenues for the stated purposes, the fact that the “millionaire’s tax” is proposed as a constitutional amendment—which requires at least 25 percent support of the legislature—could reduce the chance of such a result. So too may the legislature’s separate duty under article 48 to “appropriate such money as may be necessary to carry such law [if passed] into effect.” Art. 48, The Initiative, II, § 2; see also Bates v. Director of the Office of Campaign and Political Finance, 436 Mass. 144, 154-61 (2002).
Whatever one’s views on the effectiveness of the initiative petition process as a means of making public policy, everyone should agree that any measure that is destined to become law should be well-drafted. A few suggested guidelines in this regard include the following:
• Research the law to ensure consistency with existing provisions. Some changes proposed by a petition could be achieved through existing law or a more modest modification of such law.
• Consider the impact of the petition on other areas of the law. For instance, a change in the definition of a term could affect every provision of the General Laws where that term is used.
• Keep the legislative language succinct. An often-cited rule of thumb is to draft a summary of the petition as it would appear on the ballot, and then craft legislative language to match the summary.
• Consider issues that may subject the law to constitutional or other challenges if the petition were enacted, even if such issues would not bar certification. For instance, laws that have retroactive effect could raise due process issues.
These suggestions could help reduce duplication and confusion in the law, while also keeping issues succinct and clear for the voters. Overall, they further the goal of making “good” workable laws, in accordance with the overriding purpose of article 48.
Tori T. Kim is Deputy General Counsel in the Executive Office for Administration and Finance. Previously, as Assistant Attorney General, she co-directed the review of initiative petitions at the Attorney General’s Office.
Establishment of casino gaming in Massachusetts was the subject of a passionate debate. But the Legislature has acted and casinos are in Massachusetts to stay. The Massachusetts Gaming Commission has issued three licenses—full casino licenses to Wynn Resorts in Everett and MGM in Springfield, and a “slots-only” license to Penn National Gaming in Plainville—and is considering applications for the fourth license in the southeastern region of the state.
In addition, the Commission has promulgated regulations covering the gaming industry in Massachusetts. The opportunities for vendors to provide goods and services under these regulations are extensive and will remain so for years to come.
The licensed casinos are expected to purchase an enormous variety of locally-supplied goods and services totaling between $150 and $200 million annually, from tomatoes to toilet paper, and from limousines to linen supply.
Although the opportunities for Massachusetts vendors to supply goods and services to casinos are substantial, so too is the regulatory burden imposed on such vendors. This article will provide an overview of the process and the issues to which attorneys should pay particular attention.
In November 2011, Governor Patrick signed into law the Expanded Gaming Act (“Act”), which included a new Chapter 23K of the General Laws. Among the stated goals of the Act are providing “new employment opportunities” and “promoting local small businesses and the tourism industry.” G.L. c.23K, §1(5)-(6).
However, the Act also emphasizes integrity in the licensing process. This emphasis extends from vendors to casinos. Under the Act, “[n]o person shall conduct business with a gaming licensee unless such person has been licensed or registered with the commission.” G.L. c.23K, §31(a). The Act creates two broad classes of vendors – gaming vendors and non-gaming vendors. Gaming vendors, those who make and service gaming and simulcasting equipment, must be licensed by the Commission, whereas non-gaming vendors are subject only to registration with the Commission. Because manufacturers and servicers of gaming equipment are well-established in the marketplace, this overview will focus on non-gaming vendors – a key area of opportunity for Massachusetts businesses.
A “non-gaming vendor” provides goods or services “not directly related to games” such as food purveyors or suppliers of the many non-gaming items that a large, destination resort needs to operate. Non-gaming vendors are required to register with the Commission.
A “secondary gaming vendor” also provides goods and services unrelated to gaming, but in amounts exceeding $250,000 in a twelve-month period or $100,000 in a three-month period. Secondary gaming vendors must be licensed by the Commission. If the Commission determines that a non-gaming vendor “has met or is reasonably likely to meet the thresholds” for sales volume, it will notify the non-gaming vendor of the need to apply for licensure as a secondary gaming vendor.
The secondary gaming vendor designation only applies to non-gaming vendors who “regularly” conduct business triggering these monetary thresholds. Single or infrequent transactions will not necessarily result in this designation. For example, a vendor who makes a single sale of $500,000 of lighting fixtures is unlikely to be designated.
Importantly, the monetary thresholds apply to the amount of business a vendor conducts with a single gaming licensee, and not to the aggregate of all business the vendor conducts with all Massachusetts casinos. Thus, a vendor who regularly conducts business with two casinos will not be designated as a secondary gaming vendor, even if the aggregate of the business conducted with the two gaming licensees exceeds $250,000 per year, or $100,000 in a three-month period.
The Gaming Commission’s Investigations and Enforcement Bureau (“IEB”) oversees the registration and licensing of vendors. The Commission’s regulations identify a number of classes of business that do not have to register — including insurance and media companies, professional services (legal, accounting, and financial services), medical services, and entertainers.
If none of these exemptions apply, the vendor must register, regardless of the monetary value of the transaction(s) conducted. The Non-gaming Vendor Registration Form requires disclosure of general business information (trade name, address and contact information, nature of services or goods provided, FEIN), as well as personal identifying information (name, residential address, social security number, and birth date) of: (a) the sales representative(s) soliciting business from the gaming licensee; (b) any person authorized to sign any agreement with the casino; and (c) any person or entity owning more than five percent of the vendor. In addition, the vendor must agree to be fingerprinted by IEB, and a registrant may have to submit a Subcontractor Information Form, which requires certain disclosures about “known or anticipated” subcontractors.
Once a non-gaming vendor has registered with the Commission, it may conduct business with a casino. IEB monitors and tracks all payments made by casinos to vendors. If IEB determines that a non-gaming vendor should be designated as a secondary gaming vendor, it will notify the vendor, who must take one of three actions within 45 days: (a) file a secondary gaming vendor application; (b) discontinue providing goods or services to the casino; or (c) file a written request for reconsideration on the ground that the goods or services are not provided on a regular or continuing basis.
Vendors have an ongoing obligation to comply with the regulations and to notify IEB of certain changes in their status. Vendors have a duty to cooperate in any Gaming Commission inquiry or investigation. Failure to comply with Commission regulations or the Act, or the arrest or conviction of a vendor’s principal, could result in the suspension, modification or revocation of a license. Since the Commission is charged with an ongoing monitoring role, licensed vendors are advised to self-regulate as closely as possible to prevent threats to their licensure. Given the intense media scrutiny the industry and regulators face, vendors are well advised to adopt strong internal controls and compliance policies when doing business with casinos. Equally important, vendors should be forthright and transparent in their dealings with IEB. A minor incident in a vendor’s past may not preclude licensure, but lying about it may. This is one circumstance in which it is not better to ask for forgiveness than permission.
The Commission continues to supplement and revise its regulations. Unlike many longer-standing regulatory processes, the regulatory scheme for gaming and gaming vendors is relatively new. Commission staff, who are veterans of both Massachusetts state agencies and the national gaming industry, have shown a refreshing willingness to engage attorneys and applicants with pre-filing reviews and discussions offering procedural guidance, and it is worth the practitioner’s time to take advantage of this resource.
The establishment of four casinos in Massachusetts offers considerable opportunity for many types of vendors to access a potentially lucrative market. But this market is regulated more stringently than most. There are significant and continuing regulatory obligations for those who participate, and public scrutiny in this highly regulated industry is certain to be constant. Detailed record keeping and communication with Commission regulators are essential and may add overhead costs for some businesses. But those who qualify and are able to supply casinos in a consistently compliant manner should find themselves with a winning hand.
Andrew Upton is a partner at DiNicola, Seligson & Upton, LLP. He specializes in all phases of Administrative Law with an emphasis on licensing and permitting.
Jonathan Silverstein is a member of Kopelman and Paige, PC, focusing his practice on land development permitting, contracting and litigation. He chairs the firm’s Expanded Gaming practice and has represented clients in connection with every gaming facility proposal in the state, appearing regularly before the Massachusetts Gaming Commission.