Category Archives: Management

CALIFORNIA LAWYERS ASSOCIATION PWG: Proposed California Consumer Privacy Act Regulations – COMMENTS

Hello Again, All:

Last week, on Twitter, I promised to try to post the California Lawyers Association Privacy Working Group’s comments on the California Consumer Privacy Act.  I made it.  Before you skip directly to the comments, I wanted to briefly discuss my specific role and also make a suggestion (it’s my blawg, so I get to do that!)

My colleagues are attorneys who immersed themselves in technology and the law.  In my case the opposite is true.  I’m a technology professional who passed the California Bar when I was 44 years old (2007, for the curious).  As such, I became the ‘roving technology consultant’ on the various aspects of this law.  In short, I worked with several of our writing subgroups to identify where the concepts in the law don’t mesh with how the technology actually works.

Aside from some minor formatting differences between WordPress and the original – plus some bolds and one URL added by me – these are verbatim comments.

The suggestion?  While you may discern most of the original issues via the comments alone, it would be best to review the proposed regulations that these comments address.

Estimates are that implementation of CCPA may cost $55 billion – and it does not exclusively apply to California companies – so, we understand and appreciate your interest in being well-informed.

Best wishes for the holiday season and the adventure that awaits us in 2020!

Perry

**************************************************************************

December 6, 2019

Privacy Regulations Coordinator

California Office of the Attorney General

300 South Spring Street, First Floor

Los Angeles, CA 90013

Email: PrivacyRegulations@doj.ca.gov

Re: Proposed California Consumer Privacy Act Regulations

Dear Attorney General Becerra:

The California Lawyers Association (“CLA”) Privacy Working Group (“PWG”) respectfully submits these comments on the proposed California Consumer Privacy Act (“CCPA”) regulations. The PWG is a multidisciplinary group with members drawn from various sections of the California Lawyers Association, including: Antitrust, UCL and Privacy; Business Law; and Intellectual Property Law. Our members have broad-ranging expertise in areas that include consumer privacy, cybersecurity, and data protection, and extensive experience with related regulatory, transactional, and litigation matters.

The Attorney General released these proposed regulations for public comment on October 10, 2019. The regulations are intended to operationalize the CCPA and provide clarity and specificity to assist in the implementation of the law. The CCPA requires the Attorney General to adopt initial regulations on or before July 1, 2020.

The PWG applauds the Office of the Attorney General for engaging in a broad and inclusive rulemaking process, including public forums. This public comment period is important because the stakes are high. According to estimates in the Standardized Regulatory Impact Assessment for the CCPA regulations, published by the Berkeley Economic Advising and Research, LLC, the CCPA will protect over $12 billion worth of personal information that is used for advertising in California each year. If finalized, businesses are estimated to spend between $467 million to $16,454 million in costs to comply with the draft regulation during the period 2020-2030. The CCPA grants new rights to consumers and imposes new obligations on businesses.

As highlighted in the CCPA Fact Sheet, published together with the proposed regulations, the CCPA and the European Union’s General Data Protection Regulation (“GDPR”) are separate legal frameworks with different scopes, definitions, and requirements. A business that is subject to GDPR and also processes personal information of California consumers will need to reconcile the differences between the two regimes. In addition, a business will need to examine what additional obligations apply under the CCPA that are outside of how personal information is collected, processed, sold or disclosed pursuant to the federal Gramm-Leach-Bliley Act, the California Financial Information Privacy Act, the Driver’s Privacy Protection Act of 1994, the Confidentiality of Medical Information Act, the Health Insurance Portability and Accountability Act of 1996 and the Federal Policy for the Protection of Human Subjects.

We submit the following comments on the proposed regulations.

All views expressed in these comments are our own as individual members of the PWG and do not represent the views of any entity whatsoever with which we have been, are now, or will be affiliated.

Overall Concerns:

The PWG notes that the proposed regulations will not be final before the January 1, 2020 effective date of the CCPA. Once the regulations are final, it will likely take most businesses several months to fully implement processes consistent with the final regulations. Accordingly, we urge the Office of the Attorney General to take into consideration the practical impact these regulations will have on businesses as well as the desire to protect consumer rights.

Our comments below are organized by section. We underlined for ease of reading new or amended language and we struck out language we propose to have deleted (i.e., underline or strike out).

Article 2. Notices to Consumers

§ 999.305. Notice at Collection of Personal Information

Section 999.305(a)(2)(d) provides that a notice at collection of personal information shall: “Be accessible to consumers with disabilities. At a minimum, provide information on how a consumer with a disability may access the notice in an alternative format.” This same language exists in § 999.306(a)(2)(d) (Notice of Right to Opt-Out of Sale of Personal Information), § 999.307(a)(2)(d) (Notice of Financial Incentive), and § 999.308(a)(2)(d) (Privacy Policy).

The PWG is concerned that “accessible” in the first sentence is unclear, ambiguous, and undefined. This could result in regulatory enforcement issues as well as prolonged litigation regarding interpretation and applicability, similar to other litigation we have already seen concerning website accessibility. In order to address this concern, the PWG suggests that the phrase “accessible to consumers with disabilities” be tied to the requirements of other specific provisions of law and recommends revising

§ 999.305(a)(2)(d) to read as follows:

§ 999.305(a)(2)(d)

Be accessible to consumers with disabilities to the extent required by the Americans with Disabilities Act, the Unruh Civil Rights Act, the California Disabled Persons Act, or any applicable regulations. At a minimum, provide information on how a consumer with a disability may access the notice in an alternative format.

We recommend that this same amendment be made to § 999.306(a)(2)(d)

§ 999.307(a)(2)(d), and § 999.308(a)(2)(d).

Section § 999.305(a)(3) appears to create an opt-in and consent requirement. The PWG is concerned that a new opt-in requirement not already part of CCPA will potentially lead to “click fatigue” in which consumers ignore notices because of their ubiquity. We think a better approach may be to limit the use of personal information to the purposes that were included in the notice at the time of collection or uses that are within the reasonable expectation of the consumer. We understand that the existing text of the CCPA already allows for exceptions that permit use of personal information for other purposes, as enumerated in Civil Code § 1798.145(a), including: (1) to comply with federal, state or local laws; (2) to comply with a civil, criminal, or regulatory inquiry, investigation, subpoena, or summons by federal, state, or local authorities; (3) to cooperate with law enforcement agencies concerning conduct or activity that the business, service provider,

or third party reasonably and in good faith believes may violate federal, state or local laws;

  1. to exercise or defend legal claims; and (5) to collect, use, retain, sell, or disclose consumer information that is deidentified or in the aggregate consumer information. As such, uses required by law or in furtherance of legal processes, such as serving subpoenas, providing required warranty or recall notices, providing notice of pending class actions, etc. would be permitted even if the notice at collection did not adequately cover these use cases. We recommend revising § 999.305(a)(3) to read as follows:

§ 999.305(a)(3)

A business shall not use a consumer’s personal information for any purpose other than those disclosed in the notice at collection, required by law, or reasonably aligned with the expectations of the consumer based on the consumer’s relationship with the business, or within a lawful manner that is compatible with the context in which the consumer provided the information. If the business intends to use a consumer’s personal information for a purpose that was not previously disclosed to the consumer in the notice at collection, the business shall use and obtain explicit consent from the consumer to use it for this new purpose.

Section § 999.305(b)(4) appears to require a link to a privacy policy in the notice at collection, implying the privacy policy must be a set of text that is separate from the notice at collection. The PWG suggests that if a privacy policy is provided at or before the time of collection, then a separate notice would not be required. We recommend revising § 999.305(b) to read as follows:

§ 999.305(b)

A business may inform consumers as to the categories of personal information to be collected and the purposes for which the categories of personal information shall be used by providing a link to the privacy policy at or before the point of collection, or in the case of offline notices, the web address of the business’s privacy policy, by URL, QR code, or similar means. If the privacy policy or a link to the privacy policy cannot be provided at or before the time of collection, a business shall provide a separate notice at collection which includes:

    1. A list of the categories of personal information about consumers to be collected. Each category of personal information shall be written in a manner that provides consumers a meaningful understanding of the information being collected.
    2. For each category of personal information, the business or commercial purpose(s) for which it will be used.
    3. If the business sells personal information, the link titled “Do Not Sell My Personal Information” or “Do Not Sell My Info” required by section 999.315(a), or in the case of offline notices, the web address for the webpage to which it links.
    4. A link to the business’s privacy policy, or in the case of offline notices, the web address of the business’s privacy policy.

Similar to the change noted above, we recommend revising § 999.305(a)(2)(e) as follows, to allow for other means to link to privacy policies than web addresses, such as QR codes or shortened URLs such as bit.ly:

§ 999.305(a)(2)(e)

Be visible or accessible where consumers will see it in reasonable proximity to where any personal information is collected. At a minimum, the notice may consist of a link to the portion of the privacy policy that describes the categories of information collected and the purposes of collection, though a business may also choose to provide a separate notice, so long as the notice complies with this section. For example, when a business collects consumers’ personal information online, it may conspicuously post a link to the notice on the business’s website homepage or the mobile application’s download page, or on all webpages where personal information is collected. When a business collects consumers’ personal information offline, it may, for example, include the notice on printed forms that collect personal information, provide the consumer with a paper version of the notice, or post signage directing consumers to the web address where the notice can be found, by URL, QR code, or similar means.

§ 999.306. Notice of Right to Opt-Out of Sale of Personal Information

Similar to our comment for § 999.305, we recommend allowing businesses to provide the notice of right to opt-out as part of their privacy policy. We recommend revising § 999.306(b) to read as follows:

§ 999.306(b)(1)

A business may inform consumers as to the right to opt-out of sale of personal information by providing a link to the privacy policy, or in the case of offline notices, the web address of the business’s privacy policy, by URL, QR code, or similar means. If the privacy policy or a link to the privacy policy cannot be provided, a business shall provide a separate notice of right to opt-out. A business shall post the notice of right to opt-out on the Internet webpage to which the consumer is directed after clicking on the “Do Not Sell My Personal Information” or “Do Not Sell

My Info” link on the website homepage or the download or landing page of a mobile application. The Notice shall include the information specified in subsection (c) or link to the section of the business’s privacy policy that contains the same information. For example, one of the acceptable methods to provide the notice of right to opt-out would be for the business to provide the “Do Not Sell My Personal Information” or “Do Not Sell My Info” link on the website homepage or the download, settings or landing page of a mobile application and direct the consumer to the section of the business’s privacy policy that contains the information in subsection (c). Using pop-up or pop-over windows or check boxes may also be acceptable and appropriate means for informing consumers as to the right to opt- out.

We also recommend removing § 999.306(c)(5) so it is clear to the businesses that if a link to the privacy policy was provided, a separate notice of right to opt-out is not necessary.

We encourage the Office of the Attorney General to consider other permissible means of presenting the opt-out notice in § 999.306(b)(2), particularly for offline notices, such as providing the web address to the privacy policy or using QR codes which link to the privacy policy.

Article 3. Business Practices for Handling Consumer Requests

§ 999.312. Methods for Submitting Requests to Know and Requests to Delete

The proposed regulations in § 999.312(a) set forth the requirements for businesses to provide two or more designated methods through which consumers may submit requests to know. We ask the Office of the Attorney General to consider the legislative changes under AB 1564 (Stats. 2019, ch. 759), which clarify this toll-free number requirement and would require a business which “operates exclusively online and has a direct relationship with a consumer” to only provide an email address for submitting access requests.

We recommend revising § 999.312(a) to read as follows, adding this clarification to make the draft regulations consistent with the CCPA:

§ 999.312(a)

A business shall provide two or more designated methods for submitting requests to know including, at a minimum, a toll-free telephone number, and, if the business operates a website, an interactive webform accessible through the business’s website or mobile application. A business that operates exclusively online and has a direct relationship with a consumer from whom it collects personal information shall only be required to provide an email address for submitting requests for information required to be disclosed pursuant to Sections 1798.110 and 1798.115. Other acceptable methods for submitting these requests include, but are not limited to, a designated email address, a form submitted in person, and a form submitted through the mail.

We also recommend revising the proposed example (1) in § 999.312(c)(1) to clarify that if a business is primarily an online retailer but also has certain products or services that are provided to consumers at brick-and-mortar retail stores, the consumer may submit requests through the email address that is provided on the business’s retail website.

In Example 2, the PWG proposes revising the requirement so that the businesses can consider the methods by which they interact with consumers but the number of designated methods the retail businesses must provide is no more than the two that are required for other industries to avoid any confusion on the minimum requirement.

As such, our recommended revision to § 999.312(c) reads as follows:

§ 999.312(c)

A business shall consider the methods by which it interacts with consumers when determining which methods to provide for submitting requests to know and requests to delete. At least one method offered shall reflect the manner in which the business primarily interacts with the consumer, even if it requires a business to offer three methods for submitting requests to know. Illustrative examples follow:

      1. Example 1: If the business is primarily an online retailer, businesses can provide an email address on their retail website through which consumers can submit requests to know or requests to delete. at least one method by which the consumer may submit requests should be through the business’s retail website.
      2. Example 2: If the business operates a website but primarily interacts with customers in person at a retail location, the business may shall offer three methods to submit requests to know consumers the following designated methods for submitting requests to know or requests to delete: a toll-free telephone number, an interactive webform accessible through the

business’s website, and or a form that can be submitted in person at the retail location.

We understand that the intent of § 999.312(d) may be to allow for instances where a consumer may have submitted the deletion request by mistake, especially in an electronic setting where accidents may occur at the click of a button. However, we do not believe this is a significant issue as deletion requests under the CCPA already require a process for verifying the identity of the consumer. As such, we recommend revising § 999.312(d) to indicate that the businesses can apply discretion in asking the consumers if they indeed meant to submit such deletion request but it is not a requirement. Our suggested language for § 999.312(d) reads as follows:

§ 999.312(d)

A business may shall use a two-step for online requests to delete where the consumer must first, clearly submit the request to delete and then second, separately confirm that they want their personal information deleted.

The PWG suggests removing proposed §999.312(f) because it is overly burdensome and unworkable as drafted. If a business has 10,000 employees, we cannot expect all 10,000 employees to be trained to handle privacy-related inquiries. Especially given that the draft regulations require a response from the business within certain number of days after receiving such requests, we ask that the regulations do not add this new requirement and keep the requirement intact as it is written in the CCPA, which is for the businesses to respond to requests that are submitted through the designated methods. In the alternative, we would propose at a minimum that the requirement is amended to read as follows:

§ 999.312(f)

If a consumer submits a request in a manner that is not one of the designated methods of submission, or is deficient in some manner unrelated to the verification process, the business shall, to the extent feasible, either:

  1. Treat the request as if it had been submitted in accordance with the business’s designated manner, or
  2. Provide the consumer with specific directions on how to submit the request or remedy any deficiencies with the request, if applicable.

§ 999.313. Responding to Requests to Know and Requests to Delete

Section 999.313(c)(7) allows a business that maintains a password-protected account with the consumer to comply with a request to know by utilizing a secure self-service portal for consumers to access, view, and receive a portable copy of their personal

information. The PWG proposes the below changes to make clear that the business which uses such a portal may direct the consumer to the portal for submission and processing of a consumer request.

The PWG suggests revising § 999.313(c)(7) to read as follows:

§ 999.313(c)(7)

If a business maintains a password-protected account with the consumer, it may comply with a request to know by using directing the consumer to a secure self- service portal for consumers to access, view, and receive a portable copy of their personal information if the portal fully discloses the personal information that the consumer is entitled to under the CCPA and these regulations, uses reasonable data security controls, and complies with the verification requirements set forth in Article 4.

Section 999.313(d)(1) requires businesses to treat a failed deletion request as an opt-out request. The CCPA treats the right to opt-out and the right to delete as two separate rights. We do not recommend conflating the two and instead recommend clarifying that if the business is unable to verify the identity of the requestor for the deletion request, the requestor must be informed how she may rectify the issue and allow an opportunity to complete verification. The PWG recommends revising § 999.313(d)(1) to read as follows:

§ 999.313(d)(1)

For requests to delete, if a business cannot verify the identity of the requestor pursuant to the regulations set forth in Article 4, the business may deny the request to delete. The business shall inform the requestor that their identity cannot be verified, and shall instead treat the request as a request to opt-out of sale the information needed for verification, and allow the requestor to provide additional information to complete verification.

We understand the intent behind the proposed regulations in § 999.313(d)(3) may be to provide the businesses the flexibility to not have to search through and delete personal information from archived or backup systems if the information is not in use currently. We recommend revising the language in § 999.313(d)(3) to clarify that the requests to delete do not apply to information on archived or backup systems but if the information were accessed or used by the business, the deletion request would apply to that information. Our recommended version reads as follows:

§ 999.313(d)(3)

If a business stores any personal information on archived or backup systems, it may delay compliance with the consumer’s request to delete, with respect to data stored on the archived or backup system, until the archived or backup system is

next accessed or used. The consumers’ request to delete shall not apply to any personal information on archived or backup systems, as long as that information is not accessed or used by the business.

§ 999.315. Requests to Opt-Out

The CCPA already contains a provision which restricts the resale of personal information (see Civil Code § 1798.115(d)). We suggest removing § 999.315(f), as any third parties to whom the personal information is sold would already be restricted from reselling the personal information unless the consumer has received explicit notice and is provided an opportunity to exercise the right to opt-out. The proposed requirement to look back 90 days in § 999.315(f) is unnecessary and unduly burdensome.

§ 999.317. Training: Record-Keeping

In § 999.317(b), there is no clear indication of when the 24 month clock starts (i.e., from the date the business receives the request, responds to the request, etc.). The PWG recommends the Attorney General clarify when the 24 months record-keeping requirement begins. Recommended version of § 999.317(b) reads as follows:

§ 999.317(b)

A business shall maintain records of consumer requests made pursuant to the CCPA and how the business responded to said requests for at least 24 months from the date the consumer submitted any such request.

The PWG proposes a minor change to § 999.317(f) in order to provide clarity as to what record-keeping purpose it pertains. We recommend revising § 999.317(f) to read as follows:

§ 999.317(f)

Aside from this the record-keeping purpose referred to in subsection (e), a business is not required to retain personal information solely for the purpose of fulfilling a consumer request made under the CCPA.

Article 4. Verification of Requests

§ 999.325. Verification for Non-Accountholders

The PWG recommends adding language to § 999.325(c) to allow for electronic signatures, as follows:

§ 999.325(c)

A business’s compliance with a request to know specific pieces of personal information requires that the business verify the identity of the consumer making the request to a reasonably high degree of certainty, which is a higher bar for verification. A reasonably high degree of certainty may include matching at least three pieces of personal information provided by the consumer with personal information maintained by the business that it has determined to be reliable for the purpose of verifying the consumer together with a signed declaration under penalty of perjury that the requestor is the consumer whose personal information is the subject of the request. A signed declaration may be physically signed or electronically signed. Businesses shall maintain all signed declarations as part of their record-keeping obligations.

Article 5. Special Rules Regarding Minors

§ 999.330. Minors Under 13 Years of Age

The PWG recommends adding language to § 999.330.(a)(2)(a) to allow for additional electronic methods for businesses to verify user identities. Recommended changes to

§ 999.330(a)(2)(a) reads as follows:

§ 999.330(a)(2)(a)

Providing a consent form to be signed physically or electronically by the parent or guardian under penalty of perjury and returned to the business by postal mail, electronic mail, electronic form, facsimile, or electronic scan;

We thank you for your consideration of these comments.

Members of the Privacy Working Group that prepared these comments are identified below. Affiliations are provided for identification purposes only.

Stanton Burke, Member of the California Lawyers Association

Christopher James Donewald, Member of the California Lawyers Association Aigerim Dyussenova, Member of the California Young Lawyers Association

Jennifer S. Elkayam, Member of the Antitrust, Unfair Competition, and Privacy Law Section of the California Lawyers Association

Jared Gordon, Past co-chair of the Internet and Privacy Law Committee of the Business Law Section of the California Lawyers Association

Christian Hammerl, Past co-chair of the Internet and Privacy Law Committee of the Business Law Section of the California Lawyers Association

Thomas A. Hassing, Chair of the Internet and Privacy Law Committee of the Business Law Section of the California Lawyers Association

Irene Jan, Member of the Intellectual Property Law Section of the California Lawyers Association

Minji Kim, Member of the Antitrust, UCL and Privacy Section of the California Lawyers Association

Joshua de Larios-Heiman, Executive Committee Member of the Antitrust, UCL and Privacy Section of the California Lawyers Association

Marina A. Lewis, Member of the California Lawyers Association Gayatri Raghunandan, Member of the California Lawyers Association

Mary Stone Ross, Executive Committee Member of the Antitrust, UCL and Privacy Section of the California Lawyers Association

Perry L. Segal, Board Representative, Law Practice Management and Technology Section of the California Lawyers Association

Jeewon Kim Serrato, Executive Committee Member of the Antitrust, UCL and Privacy Section of California Lawyers Association

Kieran de Terra, Executive Committee Member of the Intellectual Property Law Section of the California Lawyers Association

Emily S. Yu, Secretary of the Intellectual Property Law Section of the California Lawyers Association and Chair of the Technology, Internet and Privacy Interest Group

Re-Elected to a Second, Three-Year Term on the Council of State Bar Sections

csbs-tombstoneOn the heels of being awarded a tombstone for completing my three-year term on the Council, I was re-elected to a second term.

This is unprecedented (probably because prior officers had the good sense not to run again!).  My co-officer, Mark Ressa, was also re-elected.  The unanimous view from our colleagues: Gluttons for punishment.

With no fee bill or resolution to the issue of de-unification/separation, these are extremely challenging times for the Sections.  It’s anybody’s guess how we’ll be structured a year from now.

Tombstone, indeed.

Doing the Splits!

Split Moon BWWow…I haven’t posted in two months.  Why not?  Well, the bulk of my *spare* time has been occupied with something called “Deunification“.  This isn’t actually a word, by the way (as your spellchecker will probably tell you), it’s what the State Bar of California – and the legislature – have adopted to describe the prospect of splitting the Bar in two; Regulatory on one side and Voluntary on the other.  If you want, you can refer to it by its official name, “Governance in the Public Interest Task Force“.

Every time I hear the word “Deunification”, I think of the Moonies.

Needless to say, this is by no means a simple process, and the educational Sections are caught in the middle of it.  The debate – as you can probably figure out – is over which side the Sections should occupy.

To put this in the form of an essay question on the Bar exam, it would be followed by this simple word:

“Discuss!” [‘bang’ added]

And we have been.  And we are.  And we will be, into the foreseeable future…

Guest Post – John Sadler: What Can You Learn About Teamwork By Playing in a Band?

John Sadler - Teamwork PNG

As a (former, recovering, retired) musician, I relate to this post by my friend, John Sadler:

Playing music in a band is a team activity that can be complicated by the ego issues and creative preferences of the band members, as well as role ambiguity. Over many years of playing music with other people, I’ve learned some behaviors that help a group work well together musically, and others that can make it fall apart. Many of those lessons port nicely to other team activities.

The biggest element of success in a band is to show respect for your bandmates. Other necessary conditions include:

Show up, on time – Clarinetist (among other vocations) Woody Allen has been quoted as saying that “Eighty percent of success is showing up”. It’s important to be dependable and do what you say you’re going to do. It’s equally important to pick bandmates who do the same.

Come prepared and in tune – don’t waste your bandmates’ time by playing your part poorly or wrong if you could have practiced it beforehand. Similarly, nobody wants to stand around while you set up and tune your instrument. If you have a complex kit, show up early and be ready to go when everyone else is.

Listen to the band – not just yourself. A great bandmate is a great listener, and will adapt his or her performance to make the band sound as good as possible. There is a lot to this. When you accompany, your job is to make the soloist sound great. What you don’t play is at least as important as what you do play. Leave space! (AKA silence). Get used to hearing yourself in the context of the band to get a feel for the right volume level. If you’re accompanying a soloist or a singer, make sure you’re not too loud – you may even lower your volume so the featured performer stands out in the mix. What sounds like the right volume when you practice may be way too loud in the context of a band. When you solo, you need to be a bit louder; more importantly, others need to back off. If in doubt. record the performance and listen carefully.

No drunks, no jerks – it’s hard enough to make great music without impairing your ability to think and perform. Give yourself every chance to have sound judgement and the best possible control over your actions. Check your ego at the door as much as possible – there needs to be honest give and take to make great music. You may think that you are a creative genius, but the odds are against it. Few team efforts are improved by verbal abuse, ego games, or infliction of emotional distress. A great band can rise above the limitations of its individual members if everyone is working well together.

Take mistakes in stride – the audience notices how you react to mistakesmuch more than the mistakes themselves. It’s OK to make a mistake. It’s not OK to call attention to it while performing. If someone makes a mistake (and everyone will) during practice, keep playing and have a critique at the end of the song. Remember that you will make mistakes as well – treat people kindly. They’re supposed to be your friends.

Everyone should have a chance to contribute ideas to improve the sound and performance. Everyone should be able to try ideas, especially during practice, that might result in a better sound. So mistakes have to be OK in order to perform at the highest possible level.

Expecting mistakes to happen and handling them with grace is a huge life skill. As bassist Victor Wooten points out in his excellent book The Music Lesson, a “good” note is never more than one fret away. Did you know that you can practice recovering from mistakes, the same as an astronaut practices dealing with emergencies?

Discuss and align your goals together – this one issue is responsible for the demise of many bands. You and your bandmates must agree on goals, whatever they may be, in order to form a cohesive team. If one person needs income or commercial success while the rest want to jam on the porch on a Sunday afternoon, you have a problem. You must decide what kinds of music you will play, what the roles of the members are – to name a few:

  • Who selects the material?
  • Who is the band leader?
  • How many soloists or lead singers are there?
  • Who are the song writers?
  • Who buys the beer? (Just kidding)

Finally, a couple of ideas for performance:

Play it the way you practiced it – Conversely, if you practice poorly, you will perform poorly. Good practice skills are highly underrated! Here’s one pointer that is easy to miss and hard to learn, but works exceptionally well: go slow to go fast. Practice only as fast as you can play smoothly and without mistakes. Speed up the tempo gradually. If you practice too fast, you will be teaching your muscle memory to make mistakes, and you will never play your part well. This general principle applies to almost any physical activity.

By the way, most great soloists practice their solos. Really. They don’t just step up and fake it unless they have to. Yes, there are exceptions, but I’ll bet they worked very hard to become exceptions.

Don’t stop until the song is over – Starting and stopping together are the second steps to sounding like a band (the first step is to play the same song together in the same key and tempo). You need to agree as a band on how you will know the song and tempo, how it will start, and how you will know when to end it. These things do not happen by magic. They happen by agreement, by knowing the material cold, and possibly by years of playing together.

Those are a few lessons I’ve learned the hard way by playing bands since I was a kid. I think many port nicely to the workplace. What do you think?

************************************************

About the Author

Reprinted by Permission.  Photo credit: Tomasz Budzyński.

1st Things 1st: The Litigation Hold Letter (A Blast from the Past)

J0309498 All – as part of my ‘repairs’, I’ve looked at some of the blog logs (say that 3x fast) and since this item was posted over six years ago, it’s still ranked as #1 on the site!  So, it seemed like this was the perfect opportunity to republish it.  The letter itself is slightly updated, but the post is reproduced verbatim:

Wow…this is my 100th post!  Who knew I could pontificate this long?

In analyzing the new California Electronic Discovery Act (I’m going to start calling it “CEDA” for short), I might as well start at the beginning.

The first thing that will occur if litigation arises?  There’ll be a bunch of litigation hold letters going around.  I say a bunch because it could manifest several ways; outside counsel to your adversary, outside counsel to inside counsel, inside counsel to the enterprise, the CIO/CTO to the IT department, the CEO to the CIO/CTO…you get the idea.  In some cases, as illustrated above, the letter may not even be coming from an attorney.

What might the letter look like?  Here’s an example of a litigation hold letter theoretically issued from outside counsel to an adversary (in PDF format).  The names were changed to protect the innocent (and the guilty, for that matter).

This is only a sample to give you an idea of what a letter of this kind might look like.  The purpose is to illustrate items you may or may not have thought about.  Like snowflakes, no two letters will ever be exactly the same.  Only a professional with personal knowledge of your specific requirements should ever create and/or issue a litigation hold letter.

Enough disclaimers?  Ok then…chew on this for a Monday.

LTWC 2015: From LA to SF!

 LTWC 2015
Have you heard?  Big changes are afoot for Legaltech West Coast 2015:

  1. The dates are July 13-14, 2015
  2. It's relocated to the Hyatt Regency
  3. That's the Hyatt Regency…in San Francisco!

How accommodating of them to move it to my new city.  I didn't realize I had that much pull.  Actually, it was great news when I found out about it a few weeks back because in 2014, I had to skip the conference for the first time in years – and it was looking the same way for 2015.

Registration is open.  Mark your calendars…and see you there!

Co-Chair of the Council of State Bar Sections

Bored-kitty

Geez.  Last year I was much more excited.  This year, my attitude is akin to that old football proverb; when you reach the endzone, act like you've been there before.

Still, for a guy who grew up in Calgary, Canada, it's an honor and privilege to ascend to the position of Co-Chair of the State Bar of California Council of State Bar Sections.  Even better?  My Co-Chair is the very talented Family Law atty Mark Ressa.

I look forward to a very challenging and exciting term ahead!

Yahoo! and the Robot (not Remote) Employee

MP900427654

Wouldn't the world be a perfect place if we simply followed every talking head who pontificates on a subject (yours truly excluded…)?  Of course, the goal doesn't usually involve the content of the story, but to create a bait headline that'll compel a reader to click-through (the shortest way to accomplish this: make them angry).  And what a perfect subject to select for this purpose; Yahoo! CEO Marissa Mayer rescinds remote privileges!

* * * * * * * * * * * *

Then, the experts swoop in to tell us what she's really doing:

  1. Implementing a stealth layoff by pissing-off employees, who will then quit on their own,
  2. Discriminating against working moms (what about dads?),
  3. Taking us back to draconian times!

You get the idea…and you know what?  Every one of these claims might be true!  But, perhaps she is:

  1. Putting her arms around a human resources issue that's grown out of control,
  2. Fostering improved inter-company relations,
  3. Trying to better-assess a situation she can't see.

Mix & match as you like.  Does that mean I support the decision?  It's not about that.  I, like you, can easily cite detriments as well:

  1. More hours/dollars wasted on fuel, time and wear & tear sitting in traffic (I've been wondering whether the increase in traffic would actually be noticeable to outsiders),
  2. Less quality/leisure time with family, friends or hobbies,
  3. More pressure on significant other/spouse/parent to 'pick up the slack' of the Yahoo! employee (i.e. What I'm getting at is, suppose this particular employee is also a caregiver to an elderly parent; it ain't only about children, is it?)
  4. More pressure on single, unattached employee for similar reasons (there are only so many hours in the day for grocery shopping, errands and of course, appointments).
  5. Don't even get me started on morale…at least in the short term.
  6. Higher costs for Yahoo! as well; supporting all of these additional bodies on-site will have a marked effect on resources, such as electricity, maintenance, space allocation, furniture & supplies, etc.

I hate to quote Facebook, but:  It's complicated.

This is why it's extremely difficult to be a manager; too many cooks and Monday-morning quarterbacks.  My favorite is the propensity to quote studies about the benefits/detriments of working remotely.  You know what?  It's irrelevant except as it pertains to Yahoo!! (So, when I want to add a 'bang' to a sentence ending in the word "Yahoo!", is that how I do it?).

Of course, there is a place for statistics and studies as a general guide.  But what matters most is, how do these statistics and studies relate to the specific situation at Yahoo!?  There are a lot of factors involved, and I don't see too many of these articles wading very far into the weeds.

Last point; substitute any other name for Yahoo!  Same rules apply.

P.S.  I've included articles from people who do know the subject well – a lot better than I do, anyway (e.g. Richard Branson) but I think his particular comments answer his own concerns:

"To successfully work with other people, you have to trust each other. A
big part of this is trusting people to get their work done wherever they
are, without supervision
." [Italics added].

Two questions:

  1. Is it possible that Yahoo! harbors irrational mistrust of their employees?
  2. Is it possible that some employees have abused Yahoo!'s trust?

It could be one, both or neither.  I wonder how this will play out in the months leading up to implementation?  I wonder what things will look like six months after implementation?

Did Netflix CEO Violate Regulation “FB”?

MP900422415If you've already seen the headlines, you know that Reed Hastings, CEO of Netflix, has received a Wells Notice from the SEC.  They're considering taking action on a violation of Regulation FD due to an alleged 'material' disclosure on Facebook that Hastings posted to his 200,000+ subscribers back in July 2012.

The gist of the issue?  The SEC claims that those subscribers received an unfair advantage because they had access to the information in advance of the general public; and presumably traded based on that information.  Naturally, Hastings' view is contra.

Is it a violation?  I dunno.  We're going to see more of these issues arise as social media continues to wend its way into the corporate mainstream.

CalBar Board Committee of Member Oversight Clarifies Definition of Acceptable MCLE


MP900403638As I wrote on July 24th, 2012:

"The State Bar of California Board Committee on Member Oversight seeks
to amend the definition of what qualifies for proper MCLE credit in the
state of California.  Apparently, some confusion has arisen regarding
whether CLE programs may only contain substantive law versus whether they may encompass other ares of law practice and/or law practice management."

On November 15th, 2012, the Board of Member Oversight voted to amend the education standards in MCLE rules 2.52(A) and 3.601(A), effective January 1st, 2013.  To be specific, they voted to change one
word, as illustrated below:

“The activity must relate to legal
subjects directly relevant to members of the State Bar and or
have significant current professional and practical content.”

This is great news for MCLE providers in the State of California – and my Law Practice Management and Technology Section, specifically – because effective January 1st, 2013, we may provide to you,
State Bar membership at large and the public:

  • Topics related to business or financial management of a law firm;
  • Topics
    related to law office operation, including but not limited to facilities, staffing,
    systems and equipment;
  • Topics
    related to creation and improvement of legal case work and work flow
    management, including time management of attorneys and support staff, and
    delegation of responsibility;
  • Topics
    related to the competent delivery of legal services and/or the establishment
    and maintenance of effective law office management;
  • Topics
    related to communications by and between attorneys and support staff
  • Topics
    related to the use of computer and/or Internet technology in the practice of
    law
    or the management of a law office
    .
  • Topics
    related to the lawful and ethical management of a law office’s financial
    accounts including client trust accounts.
  • Topics
    relating to lawful and ethical client fee agreements, fee sharing and referral
    arrangements.

My favorite is highlighted; considering this is a law technology blog, of course.  It's a win-win for all concerned.