
Insights & Trends

The CLEAR Picture

January 2017 edition

The Insider: Ten essential legal department best practices for the new year

Sterling Miller

I always looked forward to the beginning of the year when I was general counsel. Basically, it was a fresh start for me and for the department, a time to close out the past year’s issues and simply move on to next year’s problems. It was also the perfect time to throw a lot of crap away. The week between Christmas and New Year’s was an excellent time to go into the office and spend a few hours tossing large amounts of paper, never-read magazines, old pleadings and clippings, or whatever into the large recycle bins. I could get my desk squared away and make all of those work-related New Year’s Resolutions that, for the most part, get cast aside within the first month or so or whenever the first crisis of the year arose, forcing me to rethink all of my priorities.

Another thing I did at the beginning of every year was put together a list of the top 10 things I thought the department needed to focus on over the course of the year. Unlike New Year’s resolutions, these were tasks that were rooted in cement – they needed to get done or there needed to be a good reason why not. Generally, my list contained items dealing with risk reduction, technology needs, management practices, key analytics, and ways to enhance the value of the department to the business.

Well, old habits die hard. As we come to the end of 2016 and look ahead to 2017, I could not help myself, and I started jotting down things I would be focusing on in 2017 if I were general counsel. Thanks to our good friends at Thomson Reuters, this edition of The Insider will share my list with you, and I hope that it’s something you adopt yourself, or that the list gives you good ideas for things you want to get done in 2017.

  1. Impact of the Trump Administration.
    Any change in the President of the United States brings changes to our country. Even more so when there is a change of party. And with the election of someone as unorthodox as Donald Trump, it is definitely a brave new world, especially for in-house counsel who have been used to eight years of President Obama. President-Elect Trump ran on a platform of drastic change, especially when it comes to many of the things President Obama accomplished via executive power vs. bills passed by the Congress. As a result, there are a number of things that are very likely to change and, as in-house counsel, you should start thinking about how any change might impact your company. Here is a list of five things to watch:
    • “Obamacare” – The President-Elect and the Republican majorities in the House and Senate have made it very clear that undoing or drastically changing the Affordable Care Act is a top priority. This may well mean changes for employers, e.g., mandates around providing health insurance, etc.
    • National Labor Relations Board – The NLRB was hyper-active under President Obama, issuing controversial rulings on everything from employee handbooks to union organizing to social media to noncompete agreements. The NLRB general counsel went so far as to release a lengthy memorandum about expectations regarding employer policies toward employees. You can expect President Trump to reverse many of the changes implemented by the Obama NLRB.
    • Dodd-Frank – Another piece of legislation mentioned repeatedly by Mr. Trump as needing to go or be radically changed, and he has the support in the Congress to do it. If you work for a publicly traded company, you can expect to see some of the most onerous provisions change.
    • Infrastructure opportunities – The President-Elect has promised to invest billions of dollars in new infrastructure projects throughout the United States. If you are involved with a company that might possibly participate in any facet of construction of things such as roads, ports, dams, rail, airports, etc., a comprehensive program could be a major economic boon for you and similarly situated companies. Boning up on government contract law might be in your future.
    • Foreign trade – Mr. Trump promises to be the bull in the proverbial china shop when it comes to foreign trade. This could mean big changes to NAFTA and with trading partners such as China. Depending on your business, these changes could be great or awful.
  2. Data breach plan
    Any company that handles data, especially personal data, needs to have a comprehensive data breach plan in place. This is a written document that sets out in detail such things as what happens, who does what, and who gets contacted in the event of a data breach. You do not want to be a company experiencing a data breach without a written plan. Moreover, you do not want to be practicing your data breach plan for the first time during a real data breach. You need to ensure that you have run at least one “table top” practice exercise of your plan every year and that you use the results of the exercise to update and enhance your data breach plan.
  3. Legal department succession planning
    If your legal department does not have a formal succession plan in place, you need to make it a priority for 2017. A succession plan is critical for a well-functioning legal department. It requires three key components: 1) evaluation of succession needs in terms of legal skills and available talent; 2) development of succession talent over time; and 3) a formal plan and process to update the plan on a yearly basis. By the time this article is published, Thomson Reuters and I will have posted a three-part series on succession planning for in-house legal departments. In addition to the written articles, there will be a series of three free webinars on the same topic. You can register for any of the upcoming webinars and view any of the past webinars on demand.
  4. Know these three budget metrics
    Probably the biggest demand on in-house lawyers is managing outside counsel spend. There is constant pressure on you to get such spending “under control” – whatever that means. In my experience, it pays to have the following: a) a good relationship with the CFO and Finance generally – so they understand the “why” you are spending what you are spending; b) an understanding of where you are spending every dollar and why; and c) the following three budget metrics:
    • Market rates for billable hours in your city (or nationally depending on the type of work) – You also need to know your overall average rate for your legal spend. With these numbers you can determine if you are paying the right amount or if you need to cut new deals with your firms or move the work to new firms. Without this information, you are simply at the mercy of “We’re giving you a 10% discount” but having no idea what that really means. You can get market rates via your e-billing vendor or you can purchase it from third parties (and it’s a worthwhile investment). Likewise, you should be developing a roster of boutique firms, i.e., small firms made up of lawyers who used to practice at BigLaw. You get the same quality lawyers but usually at 40% to 60% of the price of the big firms.
    • Forecast vs. actual – You need to have an accurate forecast of your legal spend on a monthly basis. All of your outside firms should be able to accurately forecast spend over the next 30 to 60 days. Demand such forecasts monthly along with the amount actually spent over the forecasted period at regular intervals. You do not want to wait until you receive an invoice to know what you actually spent. All of this is made much easier if you are using an e-billing tool. If not, you can still get it by having your outside firms provide you the information on a monthly basis – i.e., at the beginning of every month, provide a forecast for the next thirty days and the actual spend for the past thirty days.
    • Can you bring it in-house? Lastly, you should always be calculating whether work you are sending outside can be brought in-house – where it can be done at much lower cost. To do this, you need to be able to categorize the work you are sending out (and the more granular the better) along with how much you are spending per category. Then, determine if there is someone on the team who can do that work or, if you had permission to hire another person, whether the cost savings would offset the cost of the new person. The answer may be “no” most of the time. But, the Finance Department and CFO will be impressed if you are regularly doing this analysis (and you bring it to their attention during any budget review updates or process).
  5. GDPR preparation
    The new EU General Data Protection Regulation does not go into effect until May 2018. While that may seem like a long time, it’s not. The GDPR is a dramatic departure from the current regime under the EU Data Privacy Directive. If you process data in the EU or process the data of EU citizens, you need to fully understand what’s new under the GDPR and start preparing for its impact now. If you haven’t started yet, you’re already behind. But there is still time to get your act together. Key issues are the scope of who’s covered (e.g., data processors are now directly covered), the need for privacy impact assessments, tougher requirements around consent, significantly larger fines for violations, a new “right to be forgotten,” and most importantly, new requirements around the transfer of personal data outside the EU. As to the latter, you need to ensure you have a valid legal basis to transfer personal data out of the EU, including for your employees and customers. Many companies are using the standard contract clauses and a number are starting to sign up for the new “Privacy Shield” agreement (though both of these methods are under attack). The important thing is to establish the right cross-company team to analyze and understand the new GDPR requirements and get prepared to comply.
  6. WTF is the TCPA?
    I remember asking myself this question when my company was sued for alleged violations of the Telephone Consumer Protection Act, yet another law passed by Congress designed to protect consumers but which turned into a boon for class-action lawyers looking for nothing but a nice payday. Basically, the TCPA provides for uncapped statutory damages of $500-$1,500 per violation (i.e., per call or text) for making or sending unwanted phone calls and text messages to consumers without prior written consent. Basically, if your company makes automated calls to customers or potential customers or sends text messages to customers (or if you do so on behalf of other companies) you need to be fully up to speed on the TCPA. Here’s the simple math: If you sent 5,000 unauthorized text messages, your potential exposure is $250,000 to $750,000. For some companies, the exposure has been in the hundreds of millions of dollars. It is definitely worth understanding whether and how your company contacts customers or potential customers and whether it is done in compliance with the TCPA.
  7. Company website health check
    Unless your company is stuck in the 1970s, it probably has a website. When was the last time anyone took a serious look at the website from a legal compliance standpoint? For most, it’s been a while. Well, you’re not alone here as it’s very common for websites to go years without anyone taking a serious look at them. I would focus on three things to start with (and then ensure I scheduled a yearly review of the website going forward):
    • Terms and Conditions/User Agreement – This is the heart of your legal protection for transactions or activity on your company’s website. Make sure that you have the best language around limitation of liability, mandatory arbitration, choice of forum, Digital Millennium Copyright Act, class-action/jury trial waivers, etc. View a good summary of issues to consider.
    • Privacy Notice – A privacy notice is the document on your company’s website that informs users what the company does with the data it collects. The thing to consider immediately is whether your privacy notice is up to date and accurate. Does it correctly discuss what data is collected and what the company does with the data? Have you verified with the business that all of this is still correct? Does it still reference the “Safe Harbor” agreement as the basis for transfer of data from the EU? If so, take that down immediately. Do the links work and is someone monitoring them? View a checklist of things to consider.
    • Is it accessible by the blind? A big area of litigation has risen up over the issue of whether company websites must be and are useable by the blind. For several years, the Department of Justice has deferred guidelines that would help businesses know what is required and expected. In the interim, your company is still required to comply with the law. And the law is messy, with U.S. federal courts split over the issue of whether websites, like public businesses, must be accessible to the disabled. Led by the National Federation of the Blind, over 240 businesses have been sued since 2015 with the result typically being a quick settlement (with the cash going to – surprise – the class action lawyers) and an agreement to make changes to the website to accommodate the blind. Rather than wait for the problem to catch you off-guard, it’s better to consider working on the issue on your own time frame without the pressure or publicity of a lawsuit filed by the blind.
  8. Update the legal department website
    While you are taking time to review the company’s public facing website, go ahead and spend some time on the legal department’s internal facing website, i.e., the one your internal clients go to. If your legal department does not have its own website, you should evaluate whether one makes sense. Other than rare situations, a legal department website for your internal clients is an excellent way to market the department and deliver better service with lower costs and effort. For more, see my column on marketing the legal department to the business and my column on creating a great department website. At a minimum, you want to create some basic FAQs for your internal clients, a place where they can access frequently requested form agreements (like an NDA), and provide information about who does what and how to best contact the legal department to get help.
  9. Protect the attorney-client privilege
    Unfortunately, it appears that more courts are taking a harsh look at claims of attorney-client privilege involving in-house counsel and finding in a number of situations that the advice given by in-house lawyers was business advice and therefore not privileged (see the latest ruling in Washington state). It should not be that way, but it is. The attorney-client privilege is an important asset of both the company and the legal department. When properly utilized, your clients can speak freely about tough legal issues. When used improperly or with a lack of care, all hell can break loose as communications that people thought were confidential are now in the hands of the other side or even publicly disclosed. Ensuring that everyone in the legal department (not just the litigators) understands the do’s and don’ts about the attorney-client privilege is a “must have” for 2017. Ensure that everyone understands what types of communications are privileged (e.g., requests for legal advice vs. business advice) and that everyone knows how to properly create and mark a privileged document. See my column on attorney-client privilege basics for more on this. Additionally, make sure that your internal clients also understand how the privilege works (e.g., do not forward privileged advice outside the company) and how to properly and clearly ask for legal advice (i.e., “I need your legal advice about …”).
  10. Key compliance program health checks
    While the Trump administration may change some of the focus on compliance, the better bet is that government regulators will continue to vigorously enforce key laws affecting corporations and senior management. One way the legal department can add additional value to the company is to always be proactive in ensuring that compliance programs and training are up to date and widely available to all employees. Given the “Yates Memo” and trying to read the tea leaves, these are the areas I would focus on for 2017:
    • Antitrust: Ensure that your training program and compliance program around antitrust/competition law issues are up to date. Of particular focus should be a) communications with competitors (especially trade associations); and b) “writing smart” (as many competition law issues arise because people write dumb things without thinking, especially testosterone-driven emails about “crushing competitors”). Learning how to write like professional business people should be a priority – especially when jail time is a real possibility for hardcore violations of antitrust law.
    • Anti-bribery: Enforcement of the FCPA and UK anti-bribery acts is increasing, with penalties getting bigger and bigger. See my column on giving your anti-bribery program a health check and focus on operations in countries with a high risk of corruption and bribery and on gift giving, especially around the holiday season, as the “anything of value” test can take on many meanings in the eye of a regulator.
    • Up-the-ladder reporting: If you work for a publicly traded company in the U.S., there is an up-the-ladder reporting requirement on lawyers under Sarbanes-Oxley, i.e., an obligation to report potential wrongdoing up the chain of command and be comfortable the matter was dealt with properly. Even if your company is not publicly traded, it is an excellent idea for the legal department to have a clear written process for what people should do if they suspect something is amiss in the company, including who to report it to (and alternative places to report if the attorney feels their concerns will not be or are not being addressed). In addition to having a well-written policy, ensure that once a year you train everyone in the department on how to use it.
    • Compliance hotline: If your company does not have an anonymous hotline where employees and others can call in suspicions about wrongdoing, get one. If you have one, make sure it is in working order (don’t laugh) and that someone is monitoring it daily. And, most importantly, ensure that employees know it exists, how to use it, and that the company encourages employees to report issues and there will be no retaliation against anyone who reports issues. In short, encourage a culture of “If you see something, say something.”
    • Standardize the internal investigation process: If wrongdoing is suspected, an internal investigation will be necessary. Be sure you have a standardized process to conduct investigations, including who does what, when outside counsel will be called in, a written “Upjohn” notice and how/when utilized, standard report formats, who gets the reports, follow-up with the person making the complaint, etc. An internal investigation is not something to undertake on an ad hoc basis. You should have a written plan that is followed every time and all the time so that every investigation is treated in the same manner, with the same urgency, and with as much consistency as possible. All of this will play well with regulators in the event you uncover a serious problem.

About the author

Sterling Miller spent over twenty years as in-house counsel, including being general counsel for Sabre Corporation and Travelocity.com. He currently serves as Senior Counsel for Hilgers Graben PLLC focusing on litigation, data privacy, compliance, and consulting with in-house Legal Departments. You can follow his blog “Ten Things You Need to Know as In-House Counsel” at www.TenThings.net and follow him on Twitter @10ThingsLegal. His first book, The Evolution of Professional Football, was published in December 2015 and is available on Amazon and at www.SterlingMillerBooks.com.


