To register for the October health tech executive event please contact Alice Turinas
Location map for where to park:
Parking map (with path to Roundtable building location)
To register for the October health tech executive event please contact Alice Turinas
Location map for where to park:
Parking map (with path to Roundtable building location)
Your company might have cyber insurance but, unless you’ve carefully checked this policy, you might be surprised to learn that it does not cover the risks your company faces. Unlike other types of insurance which are fairly standard, cyber insurance is not uniform across carriers. Many polices contain exclusions and carve-outs which are buried in the fine print. Below are some of the questions to ask as you select the cyber policy that is right for your company.
Items Covered. Not all costs incurred because of a cyber event are necessarily covered by your cyber insurance policy. In particular, you should review your policy to understand whether it covers costs related to:
2. Regulatory investigations
3. Forensic investigations
4. Notifications to affected consumers (mandatory and voluntary)
5. Credit monitoring for affected consumers
6. Statutory and regulatory penalties
7. Data restoration
8. Business interruption costs
9. Public relations
11. Indemnification of third parties for 1-10
Potential Exclusions. Even when coverage appears broad, buried within your policy could be certain exclusions of which you are not aware. The following are some questions to ask to help avoid that risk:
1. Definition of Covered information: Will coverage apply to all breached proprietary information or only Personally Identifiable Information?
2. Encryption exclusion: Does coverage apply if data is not encrypted?
3. Timing of coverage: Does coverage begin from the date an event occurs or from the date of discovery. It can take months or even years to learn that your network has been infiltrated. If your policy only covers events that occur as of the date of coverage, you’ll need additional coverage to protect you from earlier breaches that you might not have been aware of when you bought your policy.
4. Reasonably Foreseen: Ensure coverage does not exclude events that could have been “reasonably foreseen”.
5. Data outside insured network: Does coverage cover data in the cloud or on third party systems or does it only extend to data on your network?
6. Rogue employees: Does coverage include malicious acts by insiders?
7. Ransomware: Does coverage include cost of denial of service attacks?
8. Criminal Activity/Phishing: Does coverage include loss due to an employee being tricked?
9. Rogue States: Does coverage include state sponsored criminal activity?
10. Third Party Fault: Does coverage include breaches that occur at the vendor level? (i.e. if breach your hosting service is breached but you’ve promised to indemnify)
As cyber threats become more pervasive companies do realize that cyber insurance is critical. If your company has gotten to that point, there is no reason not to take the additional step of making sure that the policy you purchase gives you the coverage you expect.
As a US Company operating domestically, you might not be worrying too much about the European Union’s General Data Protection Regulation (the “GDPR“), scheduled to go into effect in May of 2018. However, if you are collecting EU consumer data, you would be wise to plan ahead and adapt because the financial penalties for non-compliance are very significant. The GDPR applies to any entity that processes personal data about an EU resident in connection with the offer of goods or services in the EU or the monitoring of behavior in the EU. Even if you never set foot on European soil, If your activities fit this description, this law might apply to you.
In general, the GDPR sets a high standard for consent. The goal is to offer people genuine choice and control over how their personal data is used. Specifically, the GDPR defines consent as, “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.” It goes further than prior regulations in that it also requires keeping records of consent, clarity and prominence of consent requests, the right to withdraw consent, and avoiding making consent a condition of a contract. So, what exactly is required for consent to be valid under the GDPR? What exactly is “informed and unambiguous” consent? What is “clear affirmative action?” In early March, the Information Commissioner’s Office, the United Kingdom’s independent body which regulates privacy rights in the United Kingdom (the “ICO”), offered some clarity. According to the ICO, valid consent must be:
Unbundled. This means consent must be separate from other terms and conditions and may not be a precondition of signing up to a service unless necessary for that service.
Active. Pre-ticked opt-in boxes are not valid. In contrast, unticked opt-in boxes or similar active opt-in methods (for example, a binary choice given equal prominence) are sufficient. The key point here is that all consent must be opt-in consent. Failure to opt out will not be considered consent.
Granular. There must be separate consent options for different processing operations and different purposes. If purposes or activities evolve beyond what was originally specified, consents will have to be renewed.
Named. Organizations and any third parties relying on consent must be precisely named (categories will not be sufficient).
Documented. Records must be kept to demonstrate what the individual has consented to, including what they were told and how they consented.
Easy to Withdraw. People must be informed of their right to withdraw consent and it must be easy to do so.
No Imbalance in the Relationship. Consent cannot be freely given if there is an imbalance in the relationship between the individual and the controller.
Can Companies Continue to Use Previously Collected Data? For those companies wondering whether they can continue to use data obtained prior to the effective date of the GDPR, the answer might not be the one you want to hear. While there is no need to repaper consents that meet GDPR standards and are properly documented (provided that mechanisms are added to make withdrawal of consent easy), if existing consents don’t meet GDPR standards or are poorly documented, you will need to seek fresh, compliant consent for your processing or stop processing altogether.
What Are the Penalties for Non-Compliance? Companies who rely on invalid or inappropriate consent may find themselves open to substantial fines under the GDPR which states that infringements of the basic principles for processing personal data, including conditions for consent are subject to administrative fines which could be as large as 20 million Euros (approximately 21.6 million dollars), or 4% of your total revenues, whichever is higher.
For US Companies used to a little more freedom and flexibility around the collection and use of personal data, if European Data is being collected, those days may be gone. The implementation of systems that comply with GDPR will require technical and administrative changes that may be costly and may take time. However, because the penalty for non-compliance is so great, it is important that plans are made to ensure compliance before the GDPR becomes effective.
A recent report from Deloitte, described by The Wall Street Journal, predicts mergers and acquisitions will accelerate in 2017, following an uptick in Q4 2016. Among principal reasons are acquisition of technology and convergence across healthcare, life sciences and pharma.
The report covers a 2016 year-end survey of 1,000 corporate executives and private equity investors and ties an interest in acquiring technology assets to industry consolidation. This has been the experience of one of our clients, acquired for its technology in November in the highly fragmented digital health industry.
Assuming a convergence in healthcare, life sciences and pharma and anticipated regulatory change, each identified in the report as a factor, owners of independent digital health companies may see increased opportunities to exit.
Other technology focused businesses may also benefit from more opportunities.
As agencies such as the Federal Trade Commission (the “FTC”) and the New York State Department of Financial Services (the “NYSDFS”) begin review of their cybersecurity policies, it looks like the road ahead may be a bit more prescriptive. This could be a good thing for cloud-based service providers and their customers, both of whom could see costs decrease as vague standards are replaced with more specific guidance.
Historically, regulatory agencies have resisted the call for specific cybersecurity guidelines for cloud-based service providers. Citing the rapidity at which technological options evolve, the varying size and financial strength of the parties involved, and the range in criticality of data, regulations are riddled with vague mandates to develop and maintain “effective” or “reasonable” security programs which include “consideration of the company’s size and complexity, the nature and scope of the company’s activities and the sensitivity of the data that is collected.” Vendors are expected to use “best practices,” and to be consistent with “industry standard” but what exactly that is, nobody truly knows.
The Cost of Regulatory Ambiguity
For the cloud service provider, this ambiguity creates a great economic toll and an increasing barrier to entry.
Professionals and Consultants Required. Because the reasonableness standard is developed through a steady trickle of case law and regulatory enforcement actions, the only way to truly understand the state of play is to engage professionals who have been tracking regulatory pronouncements and case law on an ongoing basis and who have been working with many players in the industry over a long period of time.
Customer Insistence on Unreasonable Security Standards. Because cloud customers are (i) in the dark about what “industry standard” actually means, (ii) fearful of data breach risk, and (iii) eager to pass as much risk and expense onto third party service providers, they often begin contract negotiations with unreasonably aggressive security requests. This creates an additional financial burden on the entire system as each side is forced to invest considerable time and energy into negotiating each and every service contract.
A Trend Toward More Prescriptive Guidance?
Whether it is a coincidence or a recognition that more specific guidance is needed, this Fall, both the FTC and the NYSDFS announced plans to review cybersecurity guidance. In each case, there was a new (and welcome) interest in increased specificity.
Proposed NYSDFS Regulations. In September 2016, the NYSDFS announced proposed cybersecurity regulations for institutions under its jurisdiction. Among the more specific requirements (unless modified, scheduled to go into effect on January 1, 2017) for cloud service providers servicing NYFDFS regulated institutions are:
FTC Safeguards Rule Review. Similarly, in September of 2016 the FTC announced plans to review the Safeguards Rule. Among the items under consideration are whether the Safeguards Rule should specifically include the requirement of a breach response plan, and whether the rule should be more prescriptive in nature.
Lower Administrative Costs Ahead?
While more specificity could lead to greater implementation costs, those costs could be offset by a reduction in legal costs associated with deciphering regulatory requirements and negotiating contracts. In addition, to the extent companies rely on consultants or other professionals to guide them through regulatory compliance, these services should become more stream-lined and “off the shelf.” Perhaps over time we will see spending going where it belongs: security dollars spent on creating information security.
Last week, the Federal Trade Commission (the “FTC”) announced plans to review the Safeguards Rule of the Gramm-Leach-Bliley Act (“GLBA”). The Safeguards Rule requires financial institutions to develop, implement, and maintain a comprehensive, written information security program which contains administrative, technical, and physical safeguards to protect the security, confidentiality, and integrity of customer information. The areas in which the FTC seeks comment suggest that the FTC is evaluating a broader definition of financial institutions and security requirements, issues that could have important implications for FinTech companies.
Safeguards Rule Currently Not Prescriptive
As it stands, the Safeguards Rule is not terribly specific and may not capture all companies working with consumer financial data. In terms of requirements, it instructs financial institutions to identify reasonably foreseeable internal and external data security risks and to design and implement information safeguards to control those risks. In connection with those requirements, there is an expectation that there will be ongoing monitoring and assessment of security procedures and appropriate adjustments as needed.
Safeguards Rule Does Not Currently Reach All Companies Working in the Financial Sector
Another issue that seems to concern the FTC is that GLBA does not reach all companies tinkering in the financial space. It applies only to “financial institutions” (as defined in the Bank Holding Company Act of 1956 (12 U.S.C. § 1843(k)) which are significantly engaged in financial activities. Those companies engaging in activities that are considered to be “incidental” or “complementary” to financial activities are not subject to GLBA. In addition, activities that were determined to be financial in nature after the enactment of GLBA may also be excluded from the Safeguards Rule.
FTC Seeks Comments re Issues of Concern
In addition to more general questions of the relative cost and benefits of the Safeguards Rule to consumers and companies alike, the specific issues raised for comment show a focus on more explicit security and response requirements as well as broadening the reach of GLBA. In particular, the FTC is seeking comment on the following questions:
While we don’t know what kind of feedback the FTC will receive, and what the ultimate review outcome will be, one thing is clear: the FTC is focused on whether the lack of specificity of the Safeguards Rule is problematic and whether too many companies in the finance sector are able to elude GLBA’s grasp. For those fintech companies either interpreting GLBA security and response requirements loosely, or not subject to GLBA at all, it is a warning shot that the FTC is increasingly concerned about security procedures in the the realm of finance.
HealthTech, Fintech, HRTech, TravelTech. What sector doesn’t have its accompanying group of entrepreneurs adding innovation to the market? The fashion industry, although slow to adapt, is no different. The following are the top emerging trends:
1. Wearable Tech
As computers and sensors get smaller, cheaper, and more flexible, the growth of wearable tech is inevitable. Light-sensitive glasses were the forerunner. The Apple Watch made it modern. Now companies large and small are getting involved. From the phone-answering Levis Jacquard jacket powered by Google, to the Elemoon bracelet which finds your phone, alerts you to calls, and changes light design to match your outfit, power players and newcomers alike are entering the fashiontech arena, offering consumers the style they want with the newest technological features baked right in.
2. Big Data Reduces Overproduction and Returns
The bane of the fashion industry is overproduction and returns. Who knew until it reached the consumer that nobody would choose the yellow sweater? Or that the puff sleeve just wouldn’t be flattering? Now, with the increased ease of consumer polling, real-time aggregation of inventory and return data, retailers are able to get timely product feedback, enabling them to quickly modify production to better match consumer demand.
3. The Sharing Economy
Although vintage clothing stores have been around for a long time, with the exception of the rented prom-tux, the concept of sharing clothing with strangers had an “ick” factor that practicality could not overcome. All of that may be changing. Rent the Runway broke the barrier by making high-end fashion readily rentable with its low-friction business model. Companies such as Claire’s Closet and Swap.com have taken this trend a step further. Applying the Zip-Car concept of sharing, individuals can now make a handy profit by turning their closet into inventory in a seamless way. Given that most clothing is worn just seven times (according to a Daily Mail survey) coupled with millennials’ willingness to relinquish ownership, we expect this trend to grow over time.
4. Localized Fast Fashion Production
Fast-Fashion is the buzzword of the industry and localized production is starting to follow. Companies such as Under Armour which currently produces an athletic shoe with a 3D printed midsole, and recently announced a new facility aimed at releasing designs to partner factories around the world for local production are leading the way. Over time, 3D printing as well as advanced knitting, weaving, and sewing machines should facilitate local on-demand clothing production. Garments could be made around the corner or even in the store, designed specifically to consumer’s tastes and dimensions thereby reducing the need for overseas manufacturing, production of excess inventory, and shipping.
5. Advanced Fit Technology
According to a report by Econsultancy, retailers in the US report a return rate of between 20% and 40% for online sales, with poor fit cited as the number one reason. Enter new technologies that guide shoppers to items that fit them best by comparing personal measurements or dimensions of favorite clothing against online offerings. No doubt, a virtual reality experience is on its way, allowing the shopper to try clothing on virtually before selecting the purchase button.
Technological innovation in the fashion industry is a win for everyone. Consumers greatly appreciate the innovations that affect their style and shopping experience. Retailers benefit from reduced cost and friction in connecting their products to consumers. And, best of all, less waste in the fashion industry is a major gift to our planet. According to EcoWatch (quoting Eileen Fischer), fast fashion Is the second dirtiest industry in the world, next to big oil. Excess clothing fills our landfills and the production itself pollutes our water supply. To the extent new technologies contribute to reduced production, we all stand to benefit from the integration of fashion and technology.
These days, it seems like every digital company is looking to transform itself into a “platform.” It’s the new buzzword and, without a doubt, the direction of future growth. So, what exactly do people mean when they talk about creating a platform and what is it that makes platform development so compelling at this point in time?
In reality, commercial platforms have been around for a long time. When you think about it, a department store is a platform for clothing and household goods, the radio is a platform for musicians, and auction houses are platforms for sellers of fine art. So why all the fuss now? The answer is that thanks to the Internet and the corresponding opening of global markets, the potential of the digital platform to connect participants is truly unprecedented and given the direction in which markets are moving, you either are the platform, are on the platform, or you may ultimately face irrelevance.
So, what exactly is a “digital platform and how is it different from traditional business models? In general, a digital platform has a digital component at its core which enables its users to take advantage of internet connectivity. Ultimately, it helps make resources and participants more accessible to one another on an as-needed, low friction basis. Platforms tend to create value in two ways. They either facilitate transactions between parties that would otherwise have difficulty finding each other (i.e. Uber and TaskRabbit) or, they create an environment where innovators can come together to develop complementary services and products (i.e. Salesforce or Apple’s App Store).
The key to a successful platform is what’s called” the network effect.” At the outset, a platform has to overcome the chicken and egg stage of user engagement by making sure both sides of the transaction are sufficiently represented. The key to success here is offering something that creates an efficiency, streamlines a process or eliminates existing friction. As more users engage with a platform it becomes more attractive to potential new users on both sides of the transaction. Ideally, your platform becomes “viral” meaning that it catches on to such an extent that parties are pulled to the platform without the platform company having to focus on marketing the platform itself. This kind of pull-based growth is unique to the digital world. Unlike traditional business approaches where product is “pushed” on consumers, the most successful platforms grow through the “pull” of the network.
All of this is not particularly new. Single role digital platforms have been around for a while and have been the fuel for the startup phenomenon. What is starting to become interesting though, is the rise of the “Octopus Platform” i.e. the platform that may have started by doing one thing but, once participation has reached a desired threshold, is able to hopscotch further and further away from its original, core business creating a more and more seamless experience for its user. The biggies are obvious. Amazon, formerly a bookseller is now streaming movies and selling all imaginable retail items. Facebook originally designed to link friends is now a disseminator of news. Most recently, Apple, maker of phones and computers, distributer of music and platform for all imaginable apps, with its $1 billion investment in Chinese ride-hailing service Didi Chuxing, seems to be moving into the ride share business.
Lower down the food chain however, the digital market has been quite fragmented. Filled with single-service platforms or apps which are not necessarily integrated. This is particularly true in the healthcare and HR space. There are thousands of apps and cloud based services many of which create small efficiencies but, individual and corporate consumers are overwhelmed by technological options that make fractions of their lives only a little more efficient. They are tired of creating new accounts, toggling between apps, URLs, and multiple vendors. They’re clamoring for the “butler” to manage the help. At the same time, smaller companies are starting to realize that they too, not only have the opportunity to stretch their tentacles but may have to if they don’t want to get left behind.
While some companies will continue to focus on organic growth, we are also likely to see an increasing number of mergers, acquisitions, and strategic alliance between former competitors, links of a supply chain, and participants in similar markets. The goal will be capitalizing on one another’s user base in order to add platform mass and spread the tentacles of their business a little more broadly. Some of the larger companies like Google, Facebook, Apple, and Amazon already have such dominant positions in certain parts of the market it’s hard to imagine small competitors making a dent. However, there are other markets, healthcare and HR, for instance, that continue to be highly fragmented. It is here where there is a race to the platform and that race is only just beginning to play out.
An active and engaged advisory board made up of the right people can help propel a growth-stage company to the next level. However, missteps in the selection and management of an advisory board can cause a company to waste its most valuable assets: time and equity. With this in mind, before embarking on the development of an advisory board, it’s important to clarify the board’s role and develop strategies to ensure expectations are met.
1) Understand the Role of Your Advisory Board.
It’s important not to confuse an advisory board with a board of directors. While a board of directors has specific responsibilities (such as hiring and firing the CEO) and fiduciary obligations governed by law, there are no rules with regard to an advisory board. It is essentially an ad hoc group of individuals you turn to for guidance and wisdom. Your advisory board can be as big or as small as you like, and its members can have as specific or as general responsibilities as are agreed upon by the parties.
2) Select True Advisors for Your Advisory Board.
Companies generally choose advisory board members for two reasons: (1) the person has experience, knowledge, and connections which can help propel the company forward; and/or (2) the person has name recognition and credibility which might “legitimize” the company.
While there is nothing wrong with reason number 2, unless that person is truly planning on acting as an advisor or advocate for your company (as opposed to simply letting you drop their name into your website or at meetings), it is unlikely this type of advisor will add the value you envision. In contrast, the best type of advisor for your board will be an individual who:
3) Define Specific Roles for Your Advisors.
An advisory board works best when advisors feel connected to the company and its leaders. The following are some practical steps to take to ensure your advisor remains actively engaged and involved with your company:
4) How to Compensate Your Advisory Board.
At the very early seed stage, advisory relationships tend to be more informal and board members are not necessarily compensated. However, as the company develops and advisory board members have contracts and clearly defined deliverables, it is customary to offer equity (not cash) to advisory board members. While the amount can vary depending on the individual’s contribution and stature, some fraction of 1% seems to be typical, frequently granted as options vesting over 1-4 years, assuming this is directly tied to specific deliverables and/or value creation, as opposed to responding to occasional e-mails and phone calls.
So…does it make sense to create and Advisory Board? Absolutely! The right people bring innovative ideas, create opportunities and help the company move forward faster and more efficiently. Just be sure to find the right people who have the right level of commitment, set the right goals, and communicate your expectations clearly.
Minority investors take a substantial risk when they take an equity position in a closely held company. They have limited control over the management of the company and don’t have a liquid market to sell their equity should things go wrong. For this reason, before investing, a minority investor will typically ask for substantial protections to go along with their investment. The following are the ten most typical protections we see requested by minority investors.
1. Board Participation
Although a minority investor may not be able to control the board, they will typically expect some level of board participation and might even negotiate for the majority of the board be independent. As a minority board member, they will most likely insist on protections such as appropriate D&O insurance, approval of significant transactions as well as the requirement of regular meetings.
2. Information Rights
Minority investors will expect to have access to financial information related to the company. This will include the right to review the company’s books and records and to receive financial statements and the operating budget on a periodic basis. Advance approval by the board of an annual operating budget may be required.
3. Right of First Refusal
Prior to selling shares, a shareholder who is subject to a right of first refusal must first offer shares to existing shareholders who hold a right of refusal. This gives the minority shareholder an opportunity to increase its position if they so desire, especially if they would prefer not to be in business with the proposed third party purchaser.
4. Company Call for Departed Employees’ Shares
If a founder or employee shareholder leaves the company, whether voluntarily or involuntarily, the company typically has the right to repurchase shares held by the departing party. Often if the employee has been fired, or has left voluntarily within a specified initial period, the purchase price will reflect a discount. If a minority investor is the first shareholder who is not also a founder or employee, the minority investor may need to ensure that this call right is provided for.
5. Pre-Emptive Rights
In order to prevent their ownership interest from being diluted by future issuances of shares, investors will typically require that they be given the right to participate in any subsequent offering of shares, options, warrants or other securities.
6. Tag Along Rights
Simple co-sale or “tag along” rights afford minority investors the right to participate in the sale of equity on the same terms and conditions as the selling shareholder. If the investor does not wish to remain a co-owner with the new shareholder, the minority investor can sell its shares, proportionately, along with the other selling shareholder(s). A more sophisticated tag-along provision can be drafted to cover a broader array of transactions, providing greater protection to a minority investor.
7. Drag Along Payment Rights
Majority shareholders will typically provide for drag along rights requiring the minority investor to participate in a sale of the company or a sale of a controlling equity stake. In this case, minority shareholders might also insist that if they be dragged into a transaction, the sale proceeds be allocated proportionate to equity percentages and be paid in cash or marketable securities, or at least that any other private securities to be issued will provide for certain minimum investor rights.
Anti-dilution provisions are designed to ensure an investor’s interest is not diluted through the issuance of new equity at a lower price. Usually this entails the issue of additional shares to the investor to reduce its effective average purchase price.
9. Supermajority Voting/Consent Rights
In order for minority shareholders to have a say in major changes in the company, the minority shareholder may expect consent rights or supermajority voting for significant matters. Although not an exhaustive list, it would not be unusual to see consent rights or supermajority voting with regard to:
a. Equity transactions such as sale of a particular class of equity, the reclassification or change in the rights of any such class of equity or the issuance or sale of options or other convertible securities for such class of equity;
b. Sale of the company (by asset sale, stock sale, merger, liquidation or other corporate transaction);
c. Acquisition by the company of the stock, assets or business of another entity;
d. Investment by the company in another entity;
e. The incurrence of debt, sometimes subject to a materiality threshold;
f. Amendment or modification of the company’s organizational documents in material respects;
g. Entering into, modifying, terminating or renewing any real property lease or any other material agreement;
h. Entering into affiliated transactions;
i. Material deviation from the approved annual operating budget or capital expenditure budget;
j. Relocation of the company’s primary offices;
k. Hiring or firing of any key employee or the material change in salary or bonus compensation of any key employee.
10. Put Right/Shotgun Clause
Because there is no liquid market for minority shares of a closely held corporation, an investor may want a way to exit if things do not go according to plan. A put option would require either the company or other shareholders to buy out the minority investor in specific situations such as a failure to meet milestones or key personnel leaving. A close cousin to the put right, a shotgun clause gives the minority investor the right to buy or sell shares to another shareholder or the company if specific issues cannot be resolved.
While a Company seeking funding can expect to be asked for some if not all of these concessions, whether or not the investor successfully obtains these protections will vary from transaction to transaction, depending on the relative leverage of each of the parties and the risks associated with the particular deal. Regardless of the outcome, negotiation of these issues often paves the way to a complete understanding between the parties which in turn helps to promote a more positive partnership moving forward.
New York Office
171 West 79th Street, Suite 151
New York, NY 10024
+1 (646) 475-3523
800 W. 38th Street, Suite 12206
Austin, TX 78705
+1 (646) 475-3523