My friends in the start-up community are excited about recent headlines suggesting the SEC has greenlighted crowdfunding. Leave it to the lawyer in the crowd to suggest they temper their excitement. As lawyers, we are used to telling people to be careful.
The headlines come from two SEC actions that appear to allow AngelList and the fundersclub.com the ability to operate as crowdfunding sites. The SEC no action letters are linked here for thefundersclub.com and here for AngelList.
Technically, the SEC authorized AngelList and the fundersclub to receive a carried interest in the companies without having to comply with rigorous broker-dealer rules. These sites are not simply taking 3-10% of whatever is raised by the company like some broker-dealers registered with FINRA might. Instead, they are now allowed to take a carried interest in the companies to compensate them for raising money in what are essentially investment vehicles or funds to invest in start-ups. This costs the founders much more out of the profits (anywhere between 20-30%) and the carried interest takes it out of the broker-dealer rules. To read more, check out this blog post from Stephen Quinlivan of Leonard, Street and Deinard.
Both sites pre-screen and approve the companies seeking funds (although AngelList appears to have a lot of start-ups that you can peruse without registering). The investors don’t invest directly into the companies, but into investment vehicles (like a separate limited partnership or fund) which then manage the investment on behalf of all of the investors. Therefore, it is not likely the individual investors get to vote their stock or impact management, other than through the collective investment vehicle. Finally, both sites only allow accredited investors to participate.
What does it mean?
This is big news. It does not mean, however, you can post your idea on Facebook and start asking for small contributions from your 2,000 Facebook “friends” of $100 each in exchange for stock in your company.
While the ruling focused on the broker-dealer exemption, it did not provide any guidance or loosen the restrictions against general solicitations of equity which is still against the law. Importantly, the SEC’s tepid authorization of these sites was conditioned on the representation that all of the investors using the site would be accredited investors, registered and pre-screened. Finding accredited investors interested in start-ups is easier said than done.
With regard to individuals, to be an accredited investor, the individual must:
- Have a net worth that exceeds $1 million at the time of the purchase, excluding the value of the primary residence; or
- Have an income exceeding $200,000 in each of the two most recent years or joint income with a spouse exceeding $300,000 for those years and a reasonable expectation of the same income level in the current year.
Both sites claim to abide by Rule 506 of Regulation D which still prohibits “general solicitations.” Rather than a true crowdfunding site that allows you to peruse various companies, you agree to invest in certain funds to be used on start-ups and then state your interest in certain pre-screened startups.
In the letter to the SEC, AngelList says it does not engage in general solicitation because:
AngelList Advisors’ activities with respect to the qualification and approval of Investors should not be deemed a solicitation for any securities transaction. In particular, AngelList Advisors is proposing to impose a thirty day waiting period from the time a potential Investor submits an RFI and questionnaire until he or she closes on an investment. Consistent with the Staff’s guidance in Lamp Technologies Inc., this waiting period is designed to ensure that Investors do not join the AngelList Advisors platform to invest in a particular Investment Vehicle, and accordingly is sufficient to ensure that AngelList Advisors’ qualification of the potential Investor is not deemed to be a solicitation of an investment in the applicable Investment Vehicle.
The Fundersclub.com website is silent on the solicitation issue, but explains their process as follows:
FC Inc. and FC Management collectively identify and perform due diligence on start-up companies for which FC Management may wish to form investment funds. Once they have identified such a company, FC Management enters into a non-binding term-sheet agreement with that company on a target amount of capital which a limited liability investment fund managed by FC Management would invest in that company. FC Inc. then posts information about that start-up company, provided by the start-up company, on its thefundersclub.com website. The name of and information about a start-up company is available online only to FundersClub members who have already been qualified as accredited investors. FC Inc. makes available the investment fund which will invest in that company for its members to offer non-binding indications of interest. FC Inc. provides those members who express indications of interest in an investment fund with standardized legal documentation through which they will invest in that investment fund. When an investment fund reaches indications of interest sufficient to fund the target amount originally agreed upon between FC Inc. and the start-up company (or if the company agrees to increase the target level of capital), then FC Inc. closes the indication of interest process. FC Inc. then reconfirms the indication of interest with each member who has offered the indication of interest and reconfirms the accredited investor status of each of those members. Simultaneously, FC Inc. negotiates the final terms of the investment fund’s investment with the start-up company. That negotiation may include the management rights that FC Management will have in the start-up company after the completion of the investment fund’s investment in the start-up company.
Yes, this is a big step. It may even be the first step toward loosening general solicitation restrictions. It does give guidance on broker-dealer requirements, but almost no guidance or even clearance of where the line is on general solicitation restrictions.
No one likes to be sued. It may make you mad enough that you want to scream and holler on the Internet. There is a reason, however, a lot of lawyers recommend not commenting on personnel issues and pending litigation.
Take a lesson from Coyote Ugly that does not involve dancing on the bar. The lesson is — don’t go to the Internet to rail on your former employees when they file a Fair Labor Standards Act minimum wage case against you.
About a month after a group of employees filed suit against the Coyote Ugly Saloons, the president of the chain of Coyote Ugly Saloons went to her “Lil Spill” blog and wrote:
This particular case will end up pissing me off[,] cause it is coming from someone we terminated for theft. I have to believe in my heart that[,] somewhere down the road, bad people end up facing bad circumstances!
I have been reading the basics of Buddhism[,] and am going to a class on Monday. The Buddhist way would be to find beauty in the situation and release anger knowing that peace will come. Obviously, I am still a very new Buddhist[,] cause my thoughts are “[f***k] that [b**ch.]” Let me do my breathing exercises and see if any of my thoughts change. Lol .
A slightly different take than, say, Warren Buffett may have taken. The subject of the post had already been reinstated by the time the blog post was published.
To add to the fire, a supervisor allegedly posted on Facebook when drunk about another plaintiff who was still employed but had joined the suit: “Dear God, please don’t let me kill the girl that is suing me . . . . that is all . . . .”
The result of these diatribes was a retaliation claim in addition to the underlying minimum wage claims. The federal district court in Tennessee recently allowed both claims to continue. You can read the opinion here.
I am not an employment lawyer, but I know enough to warn clients you can almost get into more trouble for retaliating against an employee for making an overtime, workers’ compensation, minimum wage, harassment or discrimination complaint than you can for the underlying complaint. My colleague Michael Kelsheimer has written on retaliation on his Employer’s Handbook blog.
The emedia law lessons seem almost too obvious. I’ve never thought to add “don’t let your supervisors post about your employees while drunk” to my social media policies. The real lesson is to train your employees and have policies. Considering the founder was the first to take to the Internet, I’m not sure there was much respect for policies or compliance. Your business, I am guessing, is probably different. You should have policies and plans in place regarding who can say what about pending claims and what is and is not appropriate to do on the Internet.
The full name of the book is Civility in the Digital Age: How Companies and People Can Triumph over Haters, Trolls, Bullies, and Other Jerks.
Author Andrea Weckerle gave me a free copy* to look over Chapter 9 entitled “Legal Aspects of Online Disputes and Conflicts.” The legal basics are adequately covered, but I found myself more intrigued by the rest of the book for good reason.
I would encourage any brand manager, PR professional, lawyer who works with brands and social media, dispute resolution professional and marketing person to read this book. This is a rare book that looks at how to handle online criticism from all of these angles with a nice mix-in of sociology and psychology as well.
I was able to implement some of the gems while reading the book. Being an attorney and counselor at law requires more than simply explaining and advocating a client’s legal rights. There is meaning behind the “counselor” aspect of our profession and this book helped me advise of ways to quietly and quickly handle and resolve more than one online issue before it reached a full-blown crisis.
There are lists of resources you can immediately use, sample policies and plans. Before the book culminates with a 30-day action plan “for better conflict management online,” it includes a chapter with real world good and bad examples along with hypotheticals to implement the concepts and strategies explained in the book.
This book is not a cure-all and by reading it, you will not avoid online criticism or disputes. It also won’t let you lose 20 pounds without exercising or eating less either. By reading it though, you and your organization will be better equipped to react to online issues and, even better yet, be proactive in managing conflict and criticism. I plan to keep the book handy to share its insights with clients and colleagues.
When not writing books, Andrea runs Civilination.org which is a non-profit that promotes more civility in our online discourse. When trying to resolve some of our online bullying disputes, we often discuss a donation to a non-profit entity to show the aggrieved party is not after the money. Civilination is now on that list.
*Notice the online disclosure – practicing what we preach about online endorsements.
Sometimes, I like to talk basics and this time it’s something as basic as “tell the truth.” I’ve never had a client come to me and say, “I would like to lie as much as possible in my advertising, can you help me?” It’s never that simple.
The general rule is advertising cannot be deceptive – which means it should be the whole truth and fair. You should not have to justify a claim with a lot of explanations. It’s a matter of context and not simply a matter of whether the statement, in a vacuum, is technically true.
According to the FTC’s Deception Policy Statement, an ad is deceptive if it contains a statement – or omits information – that “is likely to mislead consumers acting reasonably under the circumstances; and is ‘material’ – that is, important to a consumer’s decision to buy or use the product.” An ad is unfair if “it causes or is likely to cause substantial consumer injury which a consumer could not reasonably avoid and it is not outweighed by the benefit to consumers.” The FTC looks at advertisements from the reasonable consumer standpoint. If a scientist may understand the half-truth in your claim, but Aunt Myrtle surfing Facebook would be fooled by it, you might find trouble.
The FTC uses the following example to illustrate their contextual, reasonable circumstances approach. If your mouthwash says it kills the germs that cause the cold, that may technically be true. It implies to the average consumer, however, that your mouthwash prevents colds even though you never said that. Therefore, you could be in trouble.
Advertising agencies need to be wary as well. You can’t simply rely upon the client to be truthful because you can also be held liable depending on the extent of the agency’s participation in the preparation of the challenged ad and whether the agency knew or should have known that the ad included false or deceptive claims.
The Online Disclosure
The same rules apply online and off. Disclosures should be clear and conspicuous so consumers will see and understand them. Disclosures tucked away in a small link not clearly identified or on a completely separate page are not likely to be effective. There is no hard-and-fast rule about the size of font or location of the disclosure or link; the FTC generally asks whether a consumer is likely to find it.
When using online disclosures, you should place disclosures near the claim, and certainly on the same screen as the claim. Links are acceptable as long as the link is obvious, appropriately labeled and easy to find. You should track the click-through rates on the disclosure in case you ever have to defend yourself. Make sure the disclosure is made prior to purchase and not hidden on the last page of a multi-step ordering process.
The Comparison – Four out of five clients say my lawyer can beat up your lawyer.*
Comparative advertising is legal — if truthful. You can generally use the competitor’s name and trademarks when making the comparison too. The Lanham Act, however, gives your competitor the right to sue if the comparative advertising is deceptive. If you are going to use comparative advertising and surveys, make sure the sample is large enough to be legitimate. Asking my five best clients and only my five best clients would not be a legitimate survey — never mind that my fifth best client doesn’t love me as much as I thought they did.
The FDA Doesn’t “Like” Facebook
The Food and Drug Administration issued a Warning Letter on February 26, 2013, because a company “liked” a Facebook post from one of their customers. The customer wrote: “PolyMVA has done wonders for me. I take it intravenously 2x a week and it has helped me tremendously. It enabled me to keep cancer at bay without the use of chemo and radiation…Thank you AMARC.” The FDA said “liking” the post was an endorsement of the message and therefore it was as if the company promoted the drug as a cure or treatment for cancer in violation of the Federal Food, Drug and Cosmetic Act. You can read more here.
Pomegranate Juice makes you healthy, more attractive and just an overall better person.
The makers of POM Wonderful 100% Pomegranate Juice claimed their products could treat, prevent or reduce the risk of heart disease, prostate cancer and erectile dysfunction. While there was some evidence to arguably make such claims, the advertising was still considered deceptive by the FTC and later upheld by a judge. The FTC issued an order prohibiting POM from making any such health-related claims unless they are supported by two randomized, well-controlled, human clinical trials. POM Wonderful spent $35 million on peer-reviewed scientific research and relied upon “centuries of traditional medicine and plain common sense have taught us: antioxidant-rich pomegranate products are good for you.”
Undoubtedly, there are some health benefits to pomegranate juice. Saying the juice helped “cheat death” may have taken things too far. In the ruling, the FTC examined the “net impression” of medical claims (see the mouthwash example above) even if POM did not expressly claim the juice was a cure all. The FTC also did not let POM off the hook for using such qualifiers as “preliminary,” “promising,” “may,” or “can” when it came to health claims.
When is a foot long not 12 inches?
As first publicized by a teenager in Australia through Facebook with the picture to the left, Subway’s “footlongs” do not always measure up. Now, the lawyers have filed several pending state and federal class action cases. Even product names, as opposed to marketing campaigns, can bring on a challenge. If you are going to call something a footlong, it should predominantly be twelve inches long. The results of this case may depend on the percentage of footlongs not actually twelve inches and whether 11 and ¾” sandwiches are deceptive. On the other hand, Subway put lots of stock in branding the “footlongs,” which is a promise to the consumer they should keep.
So, what can you do?
If you make a claim, have the evidence to back it up, which means a “reasonable basis” to make the claim, including “competent and reliable scientific evidence” for health and safety claims.
Stay subjective. Saying your drink tastes great or that this is the best column ever is something the consumers can judge for themselves. Opinions are not verifiable facts and rarely can create liability.
Be careful online. Your “liking,” “re-tweeting,” or other actions can be an endorsement of someone else’s comments and violate regulatory rules that govern your industry. If you are in those industries, train the people running the official company channels.
The Business Guidance section of FTC’s website provides some good resources to help stay out of trouble.
*comments made in jest and not subject to verification unless you ask my mother.
Our last back to basics was on the use of images on the web.
Social Media is becoming pervasive in today’s society. This CLE looks at how it intersects with legal issues crossing a broad spectrum of specialty areas to give all practitioners the information they need to be aware of the special risks and issues social media presents. Our speakers will look at how it affects brands, defamation for individuals and businesses, the new area of evidence and investigative tools social media presents and the ethical issues it presents for lawyers. Oh, and we will be having a beer too.
Thursday March 28, 2013
Buffalo Bayou Brewing Company
5301 Nolda Street
Houston, Texas 77007
Brand Protection in the Online Space
Aparna Dave, Senior Counsel – Intellectual Property, Wells-Fargo
Evidence and Investigation In an Online World
Jana Woelfel, Strasburger & Price, LLP
Defamation and Privacy Online
Katie Sunstrom, Lorance & Thompson, PC
Ethics of Lawyers on Social Media
Travis Crabtree, Member, Looper Reed & McGraw, P.C.
3 hours of CLE including .75 hours of ethics
$200 per person ($150 Early Bird Special for those who register prior to March 8th)
Your employees want to be able to use their own iPhones or Android devices at work. Angry Birds on the Blackberry is just not the same. This trend is being referred to as Bring Your Own Device or BYOD.
While it will make your employees happy, it creates some issues that involve three key stakeholders: legal, IT and HR. They need to get together to make sure the company does not willy-nilly take on unneeded risk just so the recent college grad can access Instagram photos on his phone while working.
So, where do I start?
While there are IT and HR issues to consider, the primary legal risk centers on the company’s need to access the employee’s personal phone and possibly to wipe it clean if the phone is lost or the employee is terminated.
If you want to address the issues cheaply (the Yugo), then adjust your existing Computer Use or Technology Resources (whatever you have already called it) policy. Make sure the restrictions and rules also apply to the employee-owned devices (don’t forget the tablets) that access the company’s computer networks and resources. You also probably need to add a line that although the company will try not to erase or access personal items on personal devices, the company reserves the right to access the phone, its data and possibly wipe it clean if it needs to protect company assets or conduct necessary investigations. Employees should also be warned that they run the risk of losing personal data on their devices if they use them for work.
If you don’t already have some type of Computer Use policy, then you can create a brief agreement with employees before you allow them to use their personal devices to access the company’s networks to cover these basics.
This is a minimal approach to covering BYOD that covers the privacy and right to search/erase issues. In one of the few applicable cases involving the company inspection of a personal laptop, the court in Sitton v. Print Direction, Inc., 718 S.E.2d 532 (Ga. Ct. App. 2011) noted the employee gave the company permission to look at the contents on the laptop when it expressed the necessity for the company “to be able to respond to proper requests resulting from legal proceedings that call for electronically-stored evidence” and provided that for this reason, its employees should not regard “electronic mail left on or transmitted over these systems” as “private or confidential.” The company’s policy also stated the company “will . . . inspect the contents of computers, voice mail or electronic mail in the course of an investigation triggered by indications of unacceptable behavior.” The policy expressly included personal devices used at work and not just company-issued computers.
We want more . . .
If you like, or want, more rules, the pundits suggest you should have a whole policy separate and apart from your computer use policy to cover things not necessarily addressed above such as:
- Required security measures the company will take (such as requiring passcodes to unlock the iPhone or company-provided apps with more complex, rotating passwords or automatic locks after a set number of failed attempts)
- The ability to clean a device remotely if stolen or lost including employee notification protocols with warning that personal items may be lost in the process
- Notice that using your own device is a privilege and not a right
- Only employees can access company resources with devices
- Reserving the right to disconnect from the company resources without notice
- Departing employee procedures
- Coordination with the data retention policies
- Identify which devices and operating systems the company will support
- Eligibility and Reimbursement procedures and restrictions
- Any required applications that the company will require to be installed
- Require IT approval before use
- Require IT approval before transfer or disposal of the device so it can be cleaned
- Reserve the right to wipe clean in case of an emergency
- Disclaim any liability for increased charges
- Add that the company does not condone typing or reading while driving
- Disclaim any liability for data loss to the device as a result of the company data or applications
- What support is available for BYOD
- Restrictions against jailbreaking or otherwise modifying the operating system of the phone
The gold-plated plan would require the employee to sign off on this policy separate and apart from the rest of the employee manual.
For more . . .
Here is a website with a sample policy. It needs to be tailored to fit your specific needs and requirements. If you are just getting started, this may be a helpful place to start. SAP BYOD Policy Guidebook
The movie industry, the music industry and five major internet service providers, with some input from the White House, quietly got together in 2011 and came up with a system that would allow the ISPs to notify individual customers they were engaged in illegal peer-to-peer file sharing in violation of copyright laws. With equally low key fanfare, the Copyright Alert System went into effect this week.
Under the new system, copyright owners will notify ISPs of suspected violations. The first of the alleged six strikes is supposed to be an email from the ISP to the customer notifying the customer of the illegal act and providing the customer with information about illegal file sharing. With each strike, the ISP’s action will increase from requiring the customer to acknowledge receipt of the inquiry to eventually temporarily slowing their connection or redirecting Internet traffic until they acknowledge they received a notice or review educational materials about copyright law. Consumers who believe they are innocent can pay $35 to appeal the decision and recover the fee if they win.
This new system will allow innocent victims to take corrective actions. If I had an open wireless signal that an unscrupulous neighbor was using to download pirated porn, I would rather find out this way. It’s better than being hit with a lawsuit naming me as an aficionado of porn. The same would hold true if my kids downloaded pirated movies or music.
Although getting throttled would be bothersome, the ISPs refused to automatically disconnect customers after their sixth strike according to this CNet article.
There was initially some privacy concern that content owners would be watching what we are watching and that ISPs would share that information. As explained in the video, that does not appear to be the case.
This will be ineffective against the blatant offenders. You can disguise your IP address, use a public wireless and never be caught up in this system. David Zax calls the system “toothless” on the MIT Technology Review.
There is concern about the lack of transparency in the development of this system, along with a desire for transparency in its implementation. There is no judicial or administrative oversight, and there are no due process protections. The Copyright Information Center says they will be transparent and provide reports about notices that get sent out.
Finally, the DMCA already allowed ISPs to disconnect service to egregious violators. While disconnection is not officially part of the CAS, it can still be done. Also, there is nothing to prevent a lawsuit. This is not “law” and does not change existing copyright law. It is simply an agreed-upon system between ISPs and the entertainment industry. If they would prefer to sue, the copyright owner can still sue. For the copyright owner, however, it is a better PR maneuver than suing grandmas for hundreds of thousands of dollars like in the post-Napster mid-2000s.
So What Should You Do?
Pay attention. If you get an alert – figure out why. It may be one of those blessings in disguise. For more on what to do, read here.
Texas State Representative Jeff Leach R-Plano (full disclosure – he is a lawyer in our Dallas office) proposed a bill (HB 1989) that would allow service via social media if the more traditional methods did not work first.
Normally, to serve someone with a lawsuit you have to have the petition and citation delivered to them in person or through certified mail so the courts are certain the defendant knows they have been sued.
There is already a process in place to allow for substituted service if there is reason to believe a defendant is purposefully “ducking” or avoiding service. Usually, it means dropping the papers off at the person’s residence with anyone over the age of 16 or publication.
The current rules also allow a judge to authorize service “in any other manner that the . . . evidence . . . shows will be reasonably effective to give the defendant notice of the suit.” This proposal would expressly add “social media” as an additional substituted method.
Because the proposal comes from a lawyer in our firm, I will defer on providing my opinion here on the blog, but tell me what you think of the proposal in the comments.
It has been done before but there are some concerns about authentication according to Bradley Shear of Shear on Social Media. Legal Language Services, a commercial enterprise that helps effectuate service, mirrors Bradley’s concerns and provides some additional background on service via email and social media.
Here is the actual text of pertinent parts of the bill:
Sec. 17.031. SUBSTITUTED SERVICE THROUGH SOCIAL MEDIA WEBSITE.
(a) If substituted service of citation is authorized under the Texas Rules of Civil Procedure, the court may prescribe as a method of service under those rules an electronic communication sent to the defendant through a social media website if the court finds that:
(1) the defendant maintains a social media page on that website;
(2) the profile on the social media page is the profile of the defendant;
(3) the defendant regularly accesses the social media page account; and
(4) the defendant could reasonably be expected to receive actual notice if the electronic communication were sent to the defendant’s account.
BREAKING NEWS: Crowdfunding is legal. Sort of. Before you start soliciting for investors on Facebook, you need to know that general solicitations to sell equity in your company not listed on the stock exchange or otherwise registered is still illegal. That doesn’t mean you can’t engage in some form of what is considered crowdfunding.
I recently took part in a UHSBDC presentation called “Crowdfunding for Small Business” with the founder of Buffalo Bayou Brewing Company, Rassul Zarinfar. I was supposed to talk about the JOBS Act and he was assigned to discuss how he raised his needed capital to start his craft brewery from about 50 different people. He had a lot to talk about. I got to discuss Reg D. You can check out the informative slides from the presentation here: UHSBDC Crowd Funding Power Point.
Last April’s JOBS (or Jump-Start Our Business Start-Ups) Act was supposed to make it easier for entrepreneurs to raise money using Kickstarter-like campaigns so start-ups could raise small chunks of money from many investors via the internet without worrying so much about Reg D. I wrote this post about it on the day it was signed into law.
The SEC was supposed to issue specific regulations for crowdfunding to strike the balance between easier access to capital and preventing widespread fraud against unsophisticated investors. Their deadline was originally December 2012. The December 2012 deadline came and went. Alas, the brewery founder was the star of the show. Side note: he probably would have been the star anyway because he founded a craft brewery and I was going to discuss detailed securities regulations.
So, we spent most of our time at the presentation discussing how to “crowdfund” under existing laws. Much of Buffalo Bayou Brewing Company’s story is revealed in the Power Point presentation we used. In short, Rassul convinced his friends and friends of friends to invest without making a general solicitation for investors. Technically, he used Rule 505 of Regulation D which allowed him to raise up to $5 million (he raised about 10% of that), from as many accredited investors as he liked and up to 35 non-accredited investors. You can read more specifics about the various rules and what it means to be an “accredited” or “sophisticated” investor on the presentation. The SEC also does a good job of explaining Rules 504, 505 and 506 which are exceptions to the general rule that requires you to register with the SEC.
He had to invest some of his own money to pay lawyers (another reason to love him besides his great beer) to put together a Private Placement Memorandum, or PPM, that disclosed to his investors all of the risks. He also had to be careful and document exactly how he shared his PPM and who he targeted to comply with existing laws because you cannot make a general solicitation for unregistered equity. Have I said this enough? While it sounds like rainbows and unicorns, he now answers to 50 shareholders. He also concluded his second round of funding which came with its own set of headaches dealing with his original investors and their redemption rights.
Crowdfunding in the Future
The current expectation is that the SEC may have the new JOBS Act crowdfunding rules in place by the end of this year. Had they been in place, Rassul could have simply posted a video on a website, made some disclosures, asked the general public to invest in his brewery, and sat back and watched the money come in from hundreds of investors each pitching in a few thousand dollars. Because of the special relationship between founders and shareholders, Rassul still has reservations about this proposed process from the entrepreneur’s perspective.
Nevertheless, the new rules are supposed to allow companies to raise up to $1 million. Investors with a net worth of less than $100,000 will be allowed to invest 5% of their yearly income or $2,000, whichever is higher. People with more money will be allowed to invest more, up to 10% of their income. Under the proposal, a company with $10 million in assets would not have to register with the SEC until it obtains 2,000 investors (500 of whom can be non-accredited). The SEC will also allow a five-year phase-in plan for companies with less than $1 billion in annual revenues.
Many people have seen this as an opportunity to easily create a website, a la Kickstarter, taking a small cut as easy money. This is not a technology or web play because that is the easy part. This is an opportunity for those into compliance and accounting because the devil will be in the details.
Full-time securities lawyers, of which I am most certainly not one, have voiced great skepticism to me that this will ever come to fruition. They wonder:
- What disclosures will be required on these websites?
- What prevents an investor from investing his maximum on one website and then going to the next site and investing more?
- Same thing with companies using more than one site?
- How do you confirm the investor is accredited or sophisticated?
- How do you enforce transfer restrictions?
- What happens when the accredited investor transfers his stock and how do you keep track of the numbers?
- What do you do about rights of redemptions?
- How do you protect unsophisticated investors from being diluted?
- Can bundlers or finders take people’s money and then invest on these sites and what rules will apply to them?
The questions are numerous, which is one reason it is taking more time to promulgate the rules.
Rassul and I will do an encore performance for the UHSBDC on Crowdfunding for Small Business on March 26, 2013.
If you are the CEO of Google, Facebook, Verizon, Comcast, Exxon or Boeing, don’t read this. You have a team of lawyers working for you who have already spent hours analyzing President Obama’s Cybersecurity executive order and the numerous articles about it. If you own a one-location cupcake shop, auto repair facility or truly a “mom and pop” business, you can go back to looking at Harlem Shake videos online. This post is for the rest of us.
Even if you are not in defense, are not a major international conglomerate, or think no foreign entities, hacktivists or cyber-terrorists are coming after your company, you may need to take steps now to respond to the executive order.
The focus of the order is on “critical infrastructure,” which largely means energy, health care, transportation, financial services, heavy manufacturing, food and drugs. If you are wondering whether you are “critical infrastructure,” you probably aren’t. In fact, the Secretary of Homeland Security is tagged with identifying “critical infrastructure at the greatest risk.” Those identified will be confidentially notified of the designation and encouraged to adopt the cybersecurity framework. But, you probably work with someone who is considered “critical.”
If you contract in any way with the government, or even contract with those who contract with the federal government, you should probably pay attention. If you work with those likely to be identified as “critical infrastructure,” you should pay attention. Right now, many of the directives are voluntary, but it is likely preferences will be given to contractors who tighten their cybersecurity. You can expect cybersecurity to become part of the RFP process, so you need to be ready.
Have a data breach plan in place. If you store any individual’s personally identifiable information, including credit cards, or other sensitive information, you should already have a plan in place that complies with many state laws so you can report any breaches to the appropriate authorities. Now, you should have a plan in place in case you lose trade secrets or get hacked for other reasons. This plan should include the technological response to mitigate the harm and reporting requirements to the appropriate agencies.
The Government is promoting more transparency and a private-public partnership to address these national security concerns. If you do business with any federal agencies, or companies that do, start asking them what they think is appropriate for your situation. If you are in a heavily regulated industry or would be considered “critical infrastructure,” your requirements are likely to be dictated by the National Institute of Standards and Technology (NIST) or your specific industry regulators.
Think about your vendors and contractors. We have already written a two-part series about some state laws requiring you and your contractors to have Written Information Security Plans or WISPs. Now, think about whether you are doing business with or for anyone who may be considered “critical infrastructure.” Here’s looking at you, internet marketing and web development firms. You need to be prepared to provide notices and information about data breaches. What are you prepared to disclose? How much will you have to disclose while still protecting personal privacy? You need to make sure you and your contractors have plans in place.
Go Hack Yourself. Yes, I mean this literally. Your plan should include some type of periodic risk audits. Have someone try to hack into your system so you know and can address your vulnerabilities. Although not required at this point, it may become law before year’s end. If your IT guy can get through, imagine the full weight of a foreign power or legions of hacktivists coming after you. Think about whether your business partners are also up to snuff and do periodic testing.
But wait, there’s more . . .
Just when you thought that was enough, if you are doing business in Europe, you might want to check out the EU’s Cybersecurity Directives.
Finally, Homeland Security may not be the only one interested in your cybersecurity. The SEC requires disclosures of your cyber-risks and protections.