Posts Tagged ‘Securities and Exchange Commission (SEC)’

The JOBS Act: A Summary of What it Means for Businesses

Thursday, June 28th, 2012

The Jumpstart Our Business Startups Act or JOBS Act, intended to encourage funding of United States small businesses by easing various securities regulations, was signed into law by President Obama on April 5, 2012.

By Louis A. Zambrio

On April 5, 2012, the Jumpstart Our Business Startups Act (“JOBS Act”) was signed into law. Its fundamental effect on companies concerns their ability to raise capital through a private placement under Rule 506 of Regulation D of the Securities Act of 1933, as amended (“Rule 506 Offering”). The JOBS Act, among other things, will eliminate the prohibitions under the U.S. federal securities laws against general advertising or general solicitation in connection with a Rule 506 Offering, provided that all purchasers are accredited investors. The elimination of the general advertising and general solicitation restrictions could have a significant impact on a company’s ability to raise capital because it allows companies to reach a more diverse group and larger number of potential investors through their marketing efforts. The enactment of the JOBS Act directed the U.S. Securities and Exchange Commission (“SEC”) to revise Rule 506 of Regulation D within 90 days of its enactment, or by July 4, 2012. The current rules are still applicable to Rule 506 Offerings until the SEC amends Rule 506 of Regulation D.

Currently, under Rule 506 of Regulation D, companies are prohibited from soliciting investors through general advertisements or general solicitations, which makes it difficult for startups and small companies to raise capital since, as is often the case, they do not have enough contacts who are accredited investors that have the financial capability to invest in their company. With the implementation of the JOBS Act, a company will have the ability to tap a larger pool of investors than it originally had access to, since it will now be allowed to solicit investors through general advertisements and general solicitations. This should open up access to more funding opportunities than companies previously experienced. The one caveat is that all investors must be accredited investors as such term is defined under Rule 501(a) of Regulation D (“Accredited Investor”).

An Accredited Investor is generally someone who has enough knowledge and business experience and acumen that they do not need to be afforded the full protection of the securities laws. Since this was a difficult standard to interpret, the SEC enacted Rule 501(a) to clarify the meaning of an Accredited Investor. There are eight (8) different categories of investors under the definition of an Accredited Investor; the most widely used by startup and small companies are:

  • 501(a)(6) any natural person whose individual net worth, or jointly with their spouse, exceeds $1 million at the time of purchase, excluding the value of such person’s primary residence; or
  • 501(a)(7) any natural person with income exceeding $200,000, or joint income with a spouse exceeding $300,000, for the two most recent years with a reasonable expectation of achieving the same income level in the current year.

A company can avail itself of the elimination of the advertising prohibitions in a Rule 506 Offering by taking “reasonable steps to verify that purchasers of the securities are accredited investors”. The meaning of this standard is unclear as of now, but hopes are that the SEC will clarify its meaning when it revises Rule 506 of Regulation D.

Once the SEC amends Rule 506 of Regulation D, companies will be able to conduct private placements through the facilitation of general advertisements and general solicitations as long as they reasonably verify that the securities are sold to Accredited Investors only.

Concerns That Mobile Devices Present For Hedge Fund Managers (Part 3)

Thursday, April 26th, 2012

OlenderFeldman LLP’s Aaron Messing was interviewed by Jennifer Banzaca of the Hedge Fund Law Report for a three-part series entitled, “What Concerns Do Mobile Devices Present for Hedge Fund Managers, and How Should Those Concerns Be Addressed?” (Subscription required; free two-week subscription available.) Some excerpts of the topics Jennifer and Aaron discussed follow. You can read the third entry here.

Preventing Access by Unauthorized Persons

This section highlights steps that hedge fund managers can take to prevent unauthorized users from accessing a mobile device or any transmission of information from a device.  Concerns over unauthorized access are particularly acute in connection with lost or stolen devices.

[Lawyers] recommended that firms require the use of passwords or personal identification numbers (PINs) to access any mobile device that will be used for business purposes.  Aaron Messing, a Corporate & Information Privacy Associate at OlenderFeldman LLP, further elaborated, “We generally emphasize setting minimum requirements for phone security.  You want to have a mobile device lock with certain minimum requirements.  You want to make sure you have a strong password and that there is boot protection, which is activated any time the mobile device is powered on or reactivated after a period of inactivity.  Your password protection needs to be secure.  You simply cannot have a password that is predictable or easy to guess.”

Second, firms should consider solutions that facilitate the wiping (i.e., erasing) of firm data on the mobile device to prevent access by unauthorized users . . . . [T]here are numerous available wiping solutions.  For instance, the firm can install a solution that will facilitate remote wiping of the mobile device if the mobile device is lost or stolen.  Also, to counter those that try to access the mobile device by trying to crack its password, a firm can install software that automatically wipes firm data from the mobile device after a specific number of failed log-in attempts.  Messing explained, “It is also important for firms to have autowipe ability – especially if you do not have a remote wipe capability – after a certain number of incorrect password entries.  Often when a phone is lost or stolen, it is at least an hour or two before the person realizes the mobile device is missing.”

Wipe capability can also be helpful when an employee leaves the firm or changes mobile devices. . . Messing further elaborated, “When an employee leaves, you should have a policy for retrieving proprietary or sensitive information from the employee-owned mobile device and severing access to the network.  Also, with device turnover – if employees upgrade phones – you want employees to agree and acknowledge that you as the employer can go through the old phone and wipe the sensitive aspects so that the next user does not have the ability to pick up where the employee left off.”

If a firm chooses to adopt a wipe solution, it should adopt policies and procedures that ensure that employees understand what the technology does and obtain consent to the use of such wipe solutions.  Messing explained, “What we recommend in many cases is that as a condition of enrolling a device on the company network, employees must formally consent to an ‘Acceptable Use’ policy, which defines all the situations when the information technology department can remotely wipe the mobile device.  It is important to explain how that wipe will impact personal device use and data and employees’ data backup and storage responsibilities.”

Third, a firm should consider adopting solutions that prevent unauthorized users from gaining remote access to a mobile device and its transmissions.  Mobile security vendors offer products to protect a firm’s over-the-air transmissions between the server and a mobile device and the data stored on the mobile device.  These technologies allow hedge fund managers to encrypt information accessed by the mobile device – as well as information being transmitted by the mobile device – to ensure that it is secure and protected.  For instance, mobile devices can retain and protect data with WiFi and mobile VPNs, which provide mobile users with secure remote access to network resources and information.

Fourth, Rege suggested hedge fund managers have a procedure for requiring certificates to establish the identity of the device or a user.  “In a world where the devices are changing constantly, having that mechanism to make sure you always know what device is trying to access your system becomes very important.”

Preventing Unauthorized Use by Firm Personnel

Hedge fund managers should be concerned not only by potential threats from external sources, but also potential threats from unauthorized access and use by firm personnel.

For instance, hedge fund managers should protect against the theft of firm information by firm personnel.  Messing explained, “You want to consider some software to either block or control data being transferred onto mobile devices.  Since some of these devices have a large storage capacity, it is very easy to steal data.  You have to worry not only about external threats but internal threats as well, especially when it comes to mobile devices, you want to have system controls that are put in place to record and maybe even limit the data being taken from or copied onto mobile devices.”

Monitoring Solutions

To prevent unauthorized access and use of the mobile device, firms can consider remote monitoring.   However, monitoring solutions raise employee privacy concerns, and the firm should determine how to address these competing concerns.

Because of gaps in expectations regarding privacy, firms are much more likely to monitor activity on firm-provided mobile devices than on personal mobile devices. . . . In addressing privacy concerns, Messing explained, “You want to minimize the invasion of privacy and make clear to your employees the extent of your access.  When you are using proprietary technology for mobile applications, you can gain a great deal of insight into employee usage and other behaviors that may not be appropriate – especially if not disclosed.  We are finding many organizations with proprietary applications tracking behaviors and preferences without considering the privacy implications.  Generally speaking, you want to be careful how you monitor the personal device if it is also being used for work purposes.  You want to have controls to determine an employee’s compliance with security policies, but you have to balance that with a respect for that person’s privacy.  When it comes down to it, one of the most effective ways of doing that is to ensure that employees are aware of and understand their responsibilities with respect to mobile devices.  There must be education and training that goes along with your policies and procedures, not only with the employees using the mobile devices, but also within the information technology department as well.  You have people whose job it is to secure corporate information, and in the quest to provide the best solution they may not even consider privacy issues.”

As an alternative to remote monitoring, a firm may decide to conduct personal spot checks of employees’ mobile devices to determine if there has been any inappropriate activity.  This solution is less intrusive than remote monitoring, but likely to be less effective in ferreting out suspicious activity.

Policies Governing Archiving of Books and Records

Firms should consider both technology solutions and monitoring of mobile devices to ensure that they are capturing all books and records that are required to be kept pursuant to the firm’s books and records policies and external law and regulation with respect to books and records.

Also, firms may contemplate instituting a policy to search employees’ mobile devices and potentially copying materials from such mobile devices to ensure the capture of all such information or communications from mobile devices.  However, searching and copying may raise privacy concerns, and firms should balance recordkeeping requirements and privacy concerns.  Messing explained, “In the event of litigation or other business needs, the company should image, copy or search an employee’s personal device if it is used for firm business.  Therefore, employees should understand the importance of complying with the firm’s policies.”

Policies Governing Social Media Access and Use by Mobile Devices

Many firms will typically have some policies and procedures in place that ban or restrict the proliferation of business information via social media sites such as Facebook and Twitter, including with respect to the use of firm-provided mobile devices.  Specifically, such a policy could include provisions prohibiting the use of the firm’s name; prohibiting the disclosure of trade secrets; prohibiting the use of company logos and trademarks; addressing the permissibility of employee discussions of competitors, clients and vendors; and requiring disclaimers.

Messing explained, “We advise companies just to educate employees about social media.  If you are going to be on social media, be smart about what you are doing.  To the extent possible, employees should note their activity is personal and not related to the company.  They also should draw distinctions, where possible, between their personal and business activities.  These days it is increasingly blurred.  The best thing to do is just to come up with common sense suggestions and educate employees on the ramifications of certain activities.  In this case, ignorance is usually the biggest issue.”

Ultimately, many hedge fund managers recognize the concerns raised by mobile devices.  However, many also recognize the benefits that can be gained from allowing employees to use such devices.  In Messing’s view, the benefits to hedge fund managers outweigh the costs.  “Everything about a mobile device is problematic from a security standpoint,” Messing said, “but the reality is that the benefits far outweigh the costs in that productivity is greatly enhanced with mobile devices.  It is simply a matter of mitigating the concerns.”

Aaron Messing to Speak at SES NY 2012 about Privacy and FTC Compliance

Monday, March 12th, 2012

By Aaron Messing

I will be speaking at the SES New York 2012 conference about emerging legal issues in search engine optimization and online behavioral advertising. The panel will discuss Legal Considerations for Search & Social in Regulated Industries:

Search in Regulated Industries
Legal Considerations for Search & Social in Regulated Industries
Programmed by: Chris Boggs
Since FDA letters to pharmaceutical companies began arriving in 2009, and with constantly increasing scrutiny towards online marketing, many regulated industries have been forced to look for ways to modify their legal terms for marketing and partnering with agencies and other 3rd party vendors. This session will address the following:

  • Legal rules for regulated industries such as Healthcare/Pharmaceutical, Financial Services, and B2B, B2G
  • Interpretations and discussion around how Internet Marketing laws are incorporated into campaign planning and execution
  • Can a pharmaceutical company comfortably solicit inbound links in support of SEO?
  • Should Financial Services companies be limited from using terms such as “best rates”?

Looks like it will be a great panel. I will post my slideshow after the presentation.

(Updated on 3.22.12 to add presentation below)

Putting Privacy First

Thursday, August 18th, 2011

“Putting Privacy First” was originally published in the August 2011 edition of TechNews.

By: Michael J. Feldman

Many businesses view legal compliance as a necessary evil and an obstacle to profits. Thus, compliance is often made a mere formality. Dealing with the complex privacy and data protection rules and regulations is often viewed no differently – be it industry-specific rules such as HIPAA (healthcare), age-specific rules such as COPPA (online marketing to minors), agency-specific rules (e.g., SEC or FTC rules), the rules and regulations of each individual state, or even the various foreign laws such as the Data Protection Act (applies to businesses which conduct any business with many European nations). However counterintuitive it may be for some, forward-thinking businesses do not view privacy and data protection compliance as a necessary drag on revenue, but instead, they use it as a marketing tool to distinguish themselves from the competition and grab an increased market share.

As privacy and data breach issues continue to make front page news on a near-daily basis, and with the U.S. Congress working on sweeping new privacy laws, such compliance concerns are increasing in magnitude and importance. The reality is that whether you are aware or not, the various privacy and data protection laws impact and govern the operations of almost all businesses. For example, if you can answer “Yes” to any of these questions, there are privacy and data protection laws that govern your operations: Do you accept credit cards for payment? Do you gather any personal information about your customers, patients, employees, members or vendors? Do you electronically store any data on your computers or servers? Do you sell or market on the Internet? Do you conduct any business with, or market your business to, any person or entity located in another country? Are you in the financial industry? Do you seek to conduct any credit checks on potential employees or customers? The above only addresses a tiny fraction of the activities which subject you to regulation.

So what can and should a business do to not only survive, but actually thrive in this ever-changing regulatory environment? The answer is quite simple – be compliant and market the advantages of your privacy policies.

As acknowledged by the Washington Post on July 18 in “Tech IPO’s Grapple With Privacy,” Google did not have to deal with online privacy in 2004 as such a concept did not exist. Times have certainly changed. On the same day as the Washington Post article, the New York Times reported in an article entitled “Privacy Isn’t Dead. Just Ask Google+” that “Rather than focus on new snazzy features — although it does offer several — Google has chosen to learn from its own mistakes, and Facebook’s. Google decided to make privacy the No. 1 feature of its new service.” Google+ represents a significant attempt by Google to break Facebook’s near stranglehold on social media. Given Google’s past success, it is no surprise that Google has attacked privacy concerns head-on, and turned consumers’ concern for privacy into a marketing bonanza. Such a strategy has been used successfully in the automobile industry for years by companies such as Volvo, Subaru and Mercedes, each of which turned consumer concern about automobile safety into a marketing opportunity to distinguish itself from the competition by marketing its superior safety features.

The obvious next question is how does a business use consumers’ privacy concerns as a marketing tool? The answer is to acknowledge your customers’ concerns, explain how and why your business cares about the customer more than your competitors, and that you will keep them safe. To accomplish this goal, you must first determine which regulatory scheme(s) govern the operation of your business. Second, you must determine the best method for compliance with the applicable law, and whether it makes business sense to implement privacy and data security policies which go beyond the minimum required by law. Third, you should examine how, if at all, your competitors address and promote their privacy obligations. Fourth, you must develop a strategic plan to promote to your customers the superiority of your privacy and data security policies. Importantly, you must not only inform your customers of what your privacy and data security policies are, but how such policies help and protect your customers. For example, Mercedes realized that people were scared of getting injured in car crashes, so their advertisements often explained how Mercedes technology would help avoid accidents (e.g., anti-lock brakes) and how they would protect you if you did crash (e.g., airbags and crumple zones). The same applies to privacy and data protection concerns. In the end, by carefully planning out and implementing each of the above four steps, you will avoid regulatory problems while simultaneously gaining a leg up on the competition.