Authored by Scott Hall

Pursuant to a settlement agreement with the Attorneys General of nearly all 50 states¹, Target Corporation will pay $18.5 million to settle claims brought by the state Attorneys General arising from the November 2013 data breach – involving the credit or debit card information of approximately 40 million Target customers – caused by cyberattacks on Target’s network.

The settlement is the latest in a string of settlement payments made by Target as a result of the breach, which includes payments of over $100 million to banks and credit/debit card companies for fraudulent charges and other damages, as well as a $10 million payment to settle a civil class action brought by affected customers.  In total, Target reports that, to date, the cost of the data breach has exceeded $200 million.²

Notably, the settlement agreement with the Attorneys General goes beyond mere payment of monetary penalties.  It requires Target to take specific steps to ensure implementation of a comprehensive information security program aimed at avoiding future breaches.  The settlement agreement requires Target to implement this new security program within 180 days of the effective date of the agreement, and mandates that Target, among other things: (1) maintain a written policy that adequately addresses the administrative, technical and physical safeguards for personal information maintained by Target, taking into account Target’s size, the nature of its operations, and the sensitivity of personal information maintained by it; (2) employ an executive or officer with an appropriate background or experience to implement and maintain the program; and (3) maintain encryption protocols and related policies reasonably designed to protect personal information.  Target is also required to separate its customer credit and debit card data from the rest of its computer network and to test for, and correct, vulnerabilities in its computer network.³

Within one year of the settlement, Target must obtain a third-party “information security assessment” to review and report on the implementation of the new information security program.  The Attorneys General have the right to initiate a proceeding for any failure to comply with the provisions of the settlement agreement, as well as for any other failure to comply with applicable data security laws.  In other words, Target’s implementation of these data security policies and procedures will be under a regulatory microscope for the near future.

The moral of the story for other companies, as made clear in a statement by Connecticut Attorney General George Jepsen, is that “Companies across sectors should be taking their data security policies and procedures seriously.  Not doing so potentially exposes sensitive client and consumer information to hackers.”⁴  This is true even for companies that do not face the significant exposure of a large retailer like Target.  Regardless of company size or industry, the settlement sends a message that companies must either implement reasonable and adequate data security safeguards, or risk a breach that could result in government implementation and oversight of a much more rigorous and burdensome program.

In sum, this is reminder that now is a good time for all companies to review their data security policies and programs, data breach response protocols, and compliance with applicable consumer protection and data security laws, to ensure that they do not become the next example of what not to do.

^1.Alabama, Wyoming and Wisconsin are not parties to the settlement.  A copy of the settlement agreement is available at:  http://www.ct.gov/ag/lib/ag/press_releases/2017/20170522_targetmultistateavc.pdf

^2.See “Target in $18.5 million multi-state settlement over data breach” (Reuters May 24, 2017), available at: http://www.cnbc.com/2017/05/24/target-in-18-point-5-million-multi-state-settlement-over-data-breach.html

^3.Certain of the specific data security requirements expire after five years (Settlement Agreement ¶ 32.)

^4.See http://www.ct.gov/ag/cwp/view.asp?Q=593122&A=2341

Authored by Timothy Crudo and Andrew Schalkwyk

Originally published in ABTL Northern California Report, Volume 25, No. 2, Spring 2017. Republished with permission.

It is an age-old principle of corporate law: corporations can act only through their agents. Ensley v. City of Nashville, 61 Tenn. 144, 146 (1872) (“Corporations can only act through their agents, and must be held accountable for their acts, otherwise citizens may be ruined through irresponsible citizens.”)  Companies therefore are generally liable, both civilly and criminally, for the conduct of agents acting on their behalf.  But what about their thoughts?  Do corporations think only through their agents, or do they have a mind of their own?  The answer is more than a philosophical one, and it can have real consequences, as shown by two recent federal criminal trials in the Northern District of California.

In the olden days, it was accepted under the common law that “a corporation cannot commit treason, or felony, or other crime, in its corporate capacity: though its members may, in their distinct individual capacities.” 1 BLACKSTONE, COMMENTARIES ON THE LAWS OF ENGLAND 464 (1765).  The modern view is quite different, and criminal prosecutions of corporations have been widely accepted for more than a century.  In the seminal case, N.Y. Central & H.R.R. Co. v. United States, 212 U.S. 481, 492–93 (1909), the railroad argued that as a corporation it could not be held liable for payments of illegal rebates.  The Supreme Court rejected the argument, quoting a contemporary treatise: “[s]ince a corporation acts by its officers and agents, their purposes, motives, and intent are just as much those of the corporation as are the things done. If, for example, the invisible, intangible essence or air which we term a corporation can level mountains, fill up valleys, lay down iron tracks, and run railroad cars on them, it can intend to do it, and can act therein as well viciously as virtuously.”  At least for offenses where the crime consisted in purposely doing the thing prohibited (in N.Y. Central it was paying a rebate), the Supreme Court saw “no good reason why corporations may not be held responsible for and charged with the knowledge and purposes of their agents.”

But corporations often act through the acts of a combination of employees.  What  happens where no individual agent has the knowledge or intent necessary to be held criminally responsible for the corporation’s act – can the corporation still be legally culpable?  More recently, courts have considered the aggregation of individual employees’ knowledge in evaluating corporate knowledge.  This doctrine of “corporate collective knowledge” traces back primarily to the First Circuit’s decision in United States v. Bank of New England, 821 F.2d 844 (1st Cir. 1987).  In that criminal case, which involved alleged violations of the Currency Transaction Reporting Act by the Bank of New England, the government had to prove that the bank had acted “willfully.”  Proof of willfulness required evidence that the bank had “knowledge” of the reporting requirement and, separately, the “specific intent” to commit the crime.  On the issue of knowledge, the court applied the “collective knowledge” doctrine and determined that the bank knew everything that all of its employees knew, even if no single agent had sufficient knowledge to meet the elements of the offense: “So, if Employee A knows one facet of the currency reporting requirement, B knows another facet of it, and C a third facet of it, the bank knows them all.”  Id. at 855.  The court determined that the specific intent element could be satisfied either through the willful failure of a bank employee to file the necessary reports or through the bank’s own “flagrant indifference” to its reporting obligations.  Id. at 857.

Since Bank of New England, courts have applied the collective knowledge doctrine to determine what a corporation knew.  But few have applied that doctrine to determine what a corporation intended, and there has been little discussion of whether specific wrongful intent of a corporation can be found without the prosecution identifying a particular individual who had such intent.  The idea raises some profound philosophical problems.  If, as N.Y. Central and many later cases have held, the actions, motives, and intent of an individual can be attributed to a corporation for purposes of criminal culpability, what evidence is needed to prove that the corporation itself had such intent even if no individual employee did?

As the First Circuit observed in the language above taken from Bank of New England, knowledge can exist in discrete portions.  It can be measured, combined, and added to.  Although the corporate collective knowledge doctrine has been criticized (See e.g. Thomas A. Hagemann & Joseph Grinstein, The Mythology of Aggregate Corporate Knowledge: a Deconstruction, 65 GEO.WASH L. REV. 210, 226-36 (1997)), there is some logic to the idea that employees’ knowledge can be “collected” and attributed as a whole to the corporation.

But can intent be similarly combined and accumulated?  Whereas sufficient knowledge is primarily a question of quantity, sufficient intent is a question of quality. If a specific intent is required for finding culpability of a specific intent crime, can the otherwise innocent intent of individuals be combined to create a collective intent that is of a distinctly different – i.e., guilty — character?  In other words, can the corporation be deemed to have the necessary criminal intent if none of its agents does?

There is scant law on the question, itself perhaps a clue to the answer.  One case that did address the question of corporate willfulness is United States v. T.I.M.E.- D.C., Inc., 381 F. Supp. 730 (W.D. Va. 1974), which upheld a criminal conviction that a trucking company knowingly and willfully violated federal regulations concerning driver safety.  The court held that because the corporation knew, under the collective knowledge doctrine, that it was not complying with its duties under the regulations and declined to act on that knowledge, there was sufficient evidence to find that it had thereby acted willfully, a holding consistent with the later result in Bank of New England.

But other cases have noted the problem with attributing intent to a corporation absent an individual wrongdoer who harbors the required state of mind. In Saba v. Compagnie National Air Fr., 78 F. 3d 664, 670 n. 6 (D.C. Cir. 1996), the court cited Bank of New England for the proposition that while knowledge of facts by employees could be attributed to the corporation, “the proscribed intent (willfulness) depended on the wrongful intent of specific employees.”  See also, e.g., First Equity Corp. v. Standard & Poor’s Corp., 690 F. Supp. 256, 260 (S.D.N.Y. 1988) (“A corporation can be held to have a particular state of mind only when that state of mind is possessed by a single individual.”); Gutter v. E.I. Dupont De Nemours, 124 F. Supp. 2d 1291, 1311 (S.D. Fla. 2000) (“The knowledge necessary to form the requisite fraudulent intent must be possessed by at least one agent and cannot be inferred and imputed to a corporation based on disconnected facts known by different agents.”)

Even T.I.M.E. itself has been cited for the idea that, unlike knowledge, “specific intent cannot be similarly aggregated [and therefore] there must be evidence from which a jury could reasonably determine that at least one agent of LBS had the specific intent to join the conspiracy to defraud the government.”  United States v. LBS Bank-New York, Inc., 757 F. Supp. 496, 501 n. 7 (E.D. Pa. 1990).  In one case decided shortly before Bank of New England the court, in a bench trial, was required to determine whether the defendant corporation intended to commit mail fraud.  Citing T.I.M.E., the court determined that to find the defendant liable “for fraud, I must find that a[n] employee had the specific intent required” by the statute.” Louisiana Power and Light Co. v. United Gas Pipe Line Co., 642 F. Supp. 781 (E.D. La. 1986).  (That said, the court found the company had committed fraud based on the fact that the corporation was “blind[] to obvious truths” and so violated the mail fraud statute, without identifying, or even discussing, an individual employee’s specific intent.)  Similarly, in State v. Zeta Chi Fraternity, 696 A.2d 530 (N.H. 1997), the New Hampshire Supreme Court cited to T.I.M.E. in upholding the conviction of a college fraternity, finding that there was sufficient evidence that fraternity members were aware of the facts surrounding underage drinking.  Because the fraternity’s “mental state depend[ed] on the knowledge of its agents,” the fraternity could be said to have acted recklessly in conscious disregarded of the risks involved.  Id., at 535.

Fast forward to 2016, when simultaneous corporate criminal trials were unfolding in the Northern District of California against PG&E (Case No. 3:14-cr-00175) and FedEx (Case No. 14-cr-00380).  PG&E was accused primarily of violating the Pipeline Safety Act.  FedEx was accused of conspiring with online pharmacies to deliver illegal prescriptions.  No individuals were prosecuted in either case.  The corporations alone stood trial.

Both corporate defendants argued that when prosecuting a corporation for a specific intent crime the government must prove that at least one individual acting on behalf of the corporation had the sufficient intent necessary for conviction.  Both lost on the issue.  In PG&E, the court brushed aside concerns raised with the collective knowledge doctrine, focusing instead on collective intent.  The court ultimately followed T.I.M.E., noting the similarity in the regulatory violations at issue in both cases.  The Court held that because PG&E had an affirmative legal duty to follow safety regulations (such as the Pipeline Safety Act) and “where the knowledge of the corporation’s employees demonstrates a failure to discharge that duty, the corporation can be said to have ‘willfully’ disregarded that duty.”  PG&E, 2015 WL 9460313 at *5.  In FedEx, the court cited to the PG&E order and, without further discussion, held that FedEx had “failed to identify controlling authority that calls into doubt any instructions on ‘collective knowledge’ or ‘collective intent.’”  United States v. FedEx, No. C14-00380 CRB, slip op. at 2 (N.D. Cal. Apr. 18, 2016).

The result in FedEx was perhaps more surprising, given that the charges there involved a conspiracy to distribute illicit drugs rather than the type of regulatory and/or reporting violation at issue in PG&E, T.I.M.E., and Bank of New England.  PG&E was accused of not fulfilling affirmative regulatory obligations imposed by law, and distilling corporate intent from collective knowledge in such cases is perhaps not that big a jump from already accepted concepts of “reckless disregard” or willful blindness.  (The nature of the charged crimes in PG&E was crucial in the court’s decision on the collective intent instruction.)  FedEx, on the other hand, was accused of agreeing to commit affirmative acts with the knowledge and intent to achieve an unlawful result, the first time that the collective intent doctrine had ever been applied in a criminal prosecution to a non-regulatory offense.

To be fair to the FedEx trial court, the case resolved before it was required to rule on the final instruction for corporate intent, and perhaps it would have ruled differently.  (Its prior ruling on collective intent occurred during pretrial skirmishing.)  We will see whether the rulings in PG&E and FedEx embolden prosecutors to pursue criminal charges against corporate defendants in the absence of at least one culpable individual.  Criminal prosecutions against corporations are rare enough, especially when no individual is prosecuted as well, and even with the favorable rulings on collective intent the ultimate result in PG&E and FedEx may cause prosecutors to think twice before prosecuting a corporation standing alone.

Authored by Scott Hall

On May 19, 2017, the U.S. Court of Appeals for the D.C. Circuit issued a ruling vacating the Federal Aviation Administration’s “Registration Rule,” which required owners of small unmanned aircraft (“drones”) operated for recreational or hobby purposes to register with the FAA.¹  The Registration Rule, implemented in December 2015 (strategically, in the midst of a holiday season during which nearly half a million hobby drones were expected to be sold), garnered immediate criticism and opposition from drone users who questioned the FAA’s authority to regulate drones not intended to be operated for commercial purposes.  Indeed, given the FAA’s history of a hands-off policy with respect to hobby drones, the Registration Rule was viewed by some as a test of power – something akin to the FAA dipping its toe into the waters of hobby drone regulation to see how far it could go.  The D.C. Circuit’s ruling decisively ends the inquiry and precludes further FAA involvement in hobby drone regulation absent some action to the contrary by the Supreme Court or Congress.

History of FAA Regulation of Drones

Under 49 U.S.C. section 40103, the federal government has exclusive sovereignty over U.S. airspace, and the FAA has the authority to regulate all “aircraft,” which includes drones.²  However, in 2012, Congress passed the FAA Modernization and Reform Act, which states that the FAA “may not promulgate any rule or regulation regarding a model aircraft,” which term encompasses drones flown for hobby or recreational purposes.³

In light of this clear restriction, and in response to petitions challenging the Registration Rule to the extent it purports to apply to hobby drones, the D.C. Circuit concluded that the Registration Rule was barred by the plain wording of the statute because it was, in fact, a rule that created a new regulatory regime for model aircraft, regardless of whether the rule might improve aviation safety.⁴  As the Court noted, “[s]tatutory interpretation does not get much simpler.”⁵

Although the Registration Rule was likely doomed from its inception given the historical restrictions on FAA authority over hobby drones, the motivation behind the rule – i.e., the view that there should be a more formal or consistent framework for regulating hobby drones – is not outrageous.  After all, hobby drones are just as capable of, and perhaps even more likely to, violate personal privacy or engage in nuisance, trespass, or other misuse than drones used for commercial purposes.  And the number of hobby drones currently existing and anticipated in the national airspace over the next five years dwarfs the number of small commercial drones.  For example, the FAA anticipates that the number of hobby drones sold by 2021 may exceed 4 million, up from approximately 1.1 million in 2016.⁶  By contrast, the FAA forecasts that small commercial drones, which numbered just 42,000 in 2016, may increase to 420,000 by 2021.⁷  The FAA has argued that uniformity in drone regulation – regardless of whether the drones are used for commercial or hobby purposes – is essential for the safe and effective management of air traffic in the national airspace.  Thus, when faced with a substantial and unprecedented increase of hobby drones in the nation’s skies over which it had no control, the FAA rolled the dice and took a shot at reigning in what otherwise may prove to be an unmanageable contingent of this rapidly expanding technology.  The FAA lost – for now.

Where To Go From Here

The fight regarding federal-state authority over drones, including hobby drones, is far from over.  The FAA’s uniform rules for commercial operation of small drones, which went into effect last August, provide a general federal framework for limited commercial drone use (and preempt many aspects of state commercial drone regulation), but explicitly do not apply to hobby drones.⁸  In fact, the FAA maintains a Fact Sheet on its website that identifies specific areas of law potentially applicable to drones – whether commercial or hobby – that would not be subject to federal regulation, including land use, zoning, privacy, trespass, and law enforcement operations.⁹  But while many states have started to enact drone-specific laws,¹⁰ there is still much to be done by state and local governments if they are to effectively and comprehensively regulate hobby drones, particularly as usage and technology continue to expand.

Ultimately, the D.C. Circuit’s ruling creates a fork in the road for hobby drone regulation:  Congress can either extend FAA authority over hobby drones or leave it to state and local governments.  The Court’s opinion was explicit in this regard, noting, “Congress is of course always free to repeal or amend its 2012 prohibition on FAA rules regarding model aircraft.  Perhaps Congress should do so.  Perhaps not.  In any event, we must follow the statute as written.”¹¹

In the wake of the decision, the FAA will likely take the Court’s suggestion and seek to have Congress expand FAA authority over hobby drones.  But both the FAA and Congress should think carefully before proceeding down this path.  Although expansion of federal authority for limited purposes such as registration may not seem problematic, such a grant of authority would start down a slippery slope of exclusive federal authority over all drone regulation.  Before Congress takes that step, serious consideration should be given to whether the FAA is best positioned to regulate hobby drones, which, for the most part, operate within limited geographical areas, in typically lower altitudes than commercial aircraft, and in volumes that would be extremely difficult, if not impossible, for the FAA to effectively police.

State and local governments may be much better suited to enact and enforce laws and restrictions applicable to hobby drones, particularly with respect to issues or operational concerns unique to their locale.  And, although some measure of coordination between federal and state governments will certainly be necessary to ensure that hobby drones can safely operate in the national airspace along with commercial drone traffic, Congress should not hastily put all regulatory authority in the hands of the federal government without carefully weighing the potential drawbacks of an exclusively federal drone regime.  The preferred course may be for federal and state governments to share authority over drones and work collaboratively to create a cooperative and comprehensive framework for commercial and hobby drones alike.  For this to be effective, however, state and local governments must step up and actively address drone issues through local legislation to a greater extent than they have done previously.

For now, hobby drone users can operate their drones free of any registration requirement or other federal oversight.¹²  However, hobby drone users should not get too comfortable with the current lack of formal regulation.  Given the ever-increasing popularity of drones, as well as rising concerns regarding drone privacy violations, trespass, and other misuse, a more formal regulatory framework for hobby drones – be it state, federal, or combined – appears all but inevitable.

^1. See Taylor v. Huerta, Case No. 15-1495 (D.C. Cir. May 19, 2017).  A copy of the opinion is available at: https://www.cadc.uscourts.gov/internet/opinions.nsf/FA6F27FFAA83E20585258125004FBC13/$file/15-1495-1675918.pdf

². See 49 U.S.C. § 40102(a)(6), defining aircraft as “any contrivance invented, used, or designed to navigate or fly in the air.”  See also Michael P. Huerta, Administrator, Federal Aviation Administration v. Raphael Pirker, NTSB Order No. EA-5730, Docket CP-217 (Nov. 18, 2014) (holding that drones are “aircraft” subject to federal regulations).

^3. Pub. L. No. 112-95, § 336(a), 126 Stat. 11, 77 (2012) (codified at 49 U.S.C. § 40101).

^4. Taylor, Case No. 15-1495, at 7-8.

^5. Id. at 7.

^6. See FAA Aerospace Forecasts, available at: https://www.faa.gov/data_research/aviation/aerospace_forecasts/media/Unmanned_Aircraft_Systems.pdf

^7. Id.

^8. 14 C.F.R. Part 107.

^9. December 7, 2015 Fact Sheet: State and Local Regulation of Unmanned Aircraft Systems (UAS).

^10. For an overview of current or pending state drone laws, see http://www.ncsl.org/research/transportation/current-unmanned-aircraft-state-law-landscape.aspx

^11. Taylor, Case No. 15-1495, at 8.

^12. The ruling does not take effect immediately, however, and provides 7 days for the parties to petition for rehearing.  See https://arstechnica.com/wp-content/uploads/2017/05/faastay.pdf