Richmond Journal of Law and Technology

The first exclusively online law review.

Author: JOLT Editor (Page 1 of 16)

Digital Direction for the Analog Attorney – Data Protection, E-Discovery, and the Ethics of Technological Competence

BMS Publication Version PDFpdf_icon

Cite as: Stacey Blaustein et al., Digital Direction for the Analog AttorneyData Protection, E-Discovery, and the Ethics of Technological Competence in Today’s World of Tomorrow, 22 Rich. J.L. & Tech. 10 (2016),

 Stacey Blaustein,* Melinda L. McLellan,** and James A. Sherer***


I.  Introduction

 [1]       Over the past twenty years, the near-constant use of sophisticated technological tools has become an essential and indispensable aspect of the practice of law. The time and cost efficiencies generated by these resources are obvious, and have been for years.[1] And because clients expect their counsel to take full advantage,[2] savvy attorneys understand that they must keep up with ever-evolving legal technologies to stay competitive in a crowded marketplace.[3]

[2]       With increased globalization and exponential growth in the creation, collection, use, and retention of electronic data, the challenges to all lawyers—especially those who may not have tech backgrounds or a natural aptitude for the mechanics of these innovations—are multiplying with breathtaking speed.[4] Nevertheless, many attorneys are either blissfully unaware of the power and potential danger associated with the tools they now find themselves using on a daily basis, or they are willfully avoiding a confrontation with reality. For lawyers, technological know-how is no longer a “nice to have” bonus; it now poses an ethical obligation. Where competent client representation demands a minimum level of tech proficiency, however, many lawyers come up short with respect to this fundamental component of their professional responsibilities.[5]

[3]       What types of privacy and data security threats do various technologies pose to attorneys, their firms, their clients, and the legal profession in general? What rules and regulations govern how attorneys may make use of technology in their practice, and how might clients seek to impose restrictions around such use when it comes to their corporate data? Must attorneys gain mastery over the intricate mechanics of the technological resources they employ, or is basic knowledge sufficient? How can we weigh the potential risks and rewards of cutting-edge, emerging digital products and electronic resources about which clients—and indeed, even the lawyers themselves—may understand very little? These are just a few of the questions that arise when we consider the issue of technological competence in the legal profession and corresponding ethical requirements.

[4]       To begin to answer these questions, we look to the applicable Model Rules issued by the American Bar Association (“ABA”), various state-level professional ethics rules that incorporate the Model Rules, associated ethics opinions and guidance issued by the states, state and federal court decisions, and guidelines issued by sector-specific agencies and organizations.[6] Our focus in this investigation concerning lawyerly “technological competence” will be on privacy and data security risks and safeguards, e-Discovery-related challenges, and the potential perils of various uses of social media in the legal sphere.

 II.  The Threat Landscape: Law Firms as Prime Targets

[5]       In recent years, the volume and severity of attacks on electronically-stored data, and the information systems and networks that house that data, have increased exponentially. The modern-day “threat environment” is “highly sophisticated,” and “massive data breaches are occurring with alarming frequency.”[7] For attorneys, such perils implicate multiple ethical and professional responsibilities with respect to how they handle data, including the duty to protect the confidentiality of client information and the obligation to provide “competent” representation.

[6]       Unfortunately, law firms can provide a proverbial back door for hackers seeking access to a company’s data, as attorneys often are custodians of a veritable “treasure trove” of valuable client information “that is extremely attractive to criminals, foreign governments, adversaries and intelligence entities.”[8] Some hackers even focus their efforts primarily on law firms, especially those firms collecting vast amounts of data from corporate clients in the course of E-Discovery or corporate due diligence.[9] Corporate secrets, business strategies, and intellectual property all may be found in a law firm’s collection of its clients’ data.[10] In some cases, the interceptors may be looking for competitive information relevant to merger negotiations, or trying to suss out evidence of as-yet unannounced deals for insider trading purposes.[11]

[7]       A 2015 report estimated that 80% of the biggest 100 law firms have experienced some sort of data security incident.[12] And as is the case with so many companies that suffer a breach, law firms that have been hacked may not know about it for a considerable period of time. Moreover, unlike other industry sectors subject to various reporting requirements, law firms generally do not have a statutory obligation to publicly report cybercrimes that do not involve personally identifiable information.[13] Lack of obligations notwithstanding, a recent report indicated that “[t]he legal industry reported more “cyber threats” threats in January [2016] than nearly any other sector,” topped only by the retail industry and financial services.[14]

[8]       Although these reported “threats” might not necessarily result in data compromises, the fact that the legal industry frequently is among the most targeted for data theft should concern attorneys.[15] Anecdotal evidence of actual and attempted interference with law firms’ data security systems abounds as well. In 2014, a report indicated that communications between lawyers from the law firm of Mayer Brown and officials with the Indonesian government were intercepted by an Australian intelligence agency that had ties with the U.S. National Security Agency (“NSA”).[16] And the managing partner of the Washington-area offices of Hogan Lovells LLP recently noted that her firm “constantly intercept[s] attacks.”[17]

[9]       The message to law firms seems clear: first, if “you’re a major law firm, it’s safe to say that you’ve either already been a victim, currently are a victim, or will be a victim.”[18] Second, “[f]irms have to make sure they are not a weak link…which at its most basic level means their standards for protecting data need to be at least equivalent to those of the companies they represent.”[19]

[10]     It seems inevitable that client expectations and demands with regard to their legal service providers’ security will continue to evolve and expand. One commentator recently predicted that in the future “clients across the board will demand firms demonstrate they’re prepared for all shapes and sizes of cybersecurity breaches,”[20] while another prophesized that “in the name of risk management and data leakage prevention, a large financial industry corporation will challenge their outside counsel’s [Bring Your Own Device] program.”[21] Indeed, according to a 2014 report in the New York Times:

Banks are pressing outside law firms to demonstrate that their computer systems are employing top-tier technologies to detect and deter attacks from hackers bent on getting their hands on corporate secrets for their own use of sale to others….Some financial institutions are asking law firms to fill out lengthy 60 page questionnaires detailing the [law firm’s] cybersecurity measures, while others are demanding on-site inspections….Other companies are asking law firms to stop putting files on portable thumb drives, to stop emailing non-secure iPad or working on computers linked to a share network in countries like China and Russia.[22]

[11]     In short, lawyers, law firms, and other legal services providers cannot afford to be complacent when it comes to cybersecurity.

A.  Lawyering in the Cloud

[12]     Firm adoption of cloud services is on the rise, especially among boutiques and solo practitioners that previously lacked the resources to compete effectively with larger law firms when it came to technology and data storage.[23] At first, the added value of cloud services created a perception that “nirvana had arrived” in terms of leveling the playing field for smaller firms.[24] Notwithstanding the apparent advantages of the cloud, attorneys were quick to identify concerns associated with the technology and its supporting practices, including “increased sensitivity to cyber-threats and data security.”[25] Some commentators opted for a cautious and conservative approach, noting that the “legal profession has developed many safeguards to protect client confidences,” and that the use of cloud hosting, among other practices, fell on a continuum where, as “an individual attorney gives up direct control of his or her client’s information, he or she takes calculated risks with the security of that information.”[26]

[13]     There is hope for attorneys drawn to the advantages of cloud services, but vigilance and diligence is required. As noted in tech law guidance from March 2014, “[u]sing the cloud to hold data is fine, so long as you understand the security precautions.”[27] Security concerns have put a damper on adoption rates and the development of attorney-specific cloud services lags behind other industries. This reluctance is unsurprising given the slow rate of technological advancements within the profession generally,[28] and a deserved reputation that the tendency of firms is “to be technology followers, not leaders.”[29] That said, lawyers do seem to be embracing the cloud to some extent,[30] with the majority utilizing cloud solutions in some capacity,[31] even if implementation is mostly through “sporadic action and adoption among firms and law departments.”[32]

[14]     With respect to professional obligations, this type of implementation may not require specific technological expertise on the part of the attorneys. New York State Bar Association Opinion 1020, which addressed ethical implications of the “use of cloud storage for purposes of a transaction,” determined that compliant usage “depends on whether the particular technology employed provides reasonable protection to confidential client information and, if not, whether the lawyer obtains informed consent from the client after advising the client of the relevant risks.”[33]

[15]     Further, New Jersey Opinion 701 addresses the reality that it is

[N]ot necessarily the case that safeguards against unauthorized disclosure are inherently stronger when a law firm uses its own staff to maintain a server. Providing security on the Internet against hacking and other forms of unauthorized use has become a specialized and complex facet of the industry, and it is certainly possible that an independent [Internet Service Provider] may more efficiently and effectively implement such security precautions.[34]

[16]     Opinion 701 does include an additional caveat, that

[W]hen client confidential information is entrusted in unprotected form, even temporarily, to someone outside the firm, it must be under a circumstance in which the outside party is aware of the lawyer’s obligation of confidentiality, and is itself obligated, whether by contract, professional standards, or otherwise, to assist in preserving it.[35]

 B.  E-Discovery Tools

 [17]     To begin with, federal judges are unconvinced that many of the attorneys appearing before them understand how to make proper use of the technologies and related strategies associated with E-Discovery. A recent report, “Federal Judges Survey on E-Discovery Best Practices & Trends,”[36] compiled some of the judges’ concerns, noting first “the typical attorney…does not have the legal and technical expertise to offer effective advice to clients on e-discovery.”[37] Some of the judges’ comments were quite blunt, with one noting that “[s]ome attorneys are highly competent; but most appear to have significant gaps in their understanding of e-discovery principles.”[38]

[18]     Legal ethical rules and related opinions and scholarship provide guidance for what attorney E-Discovery competence should look like. At least one author has made the connection between professional responsibility and technological savoir-faire, noting that:

There is growing recognition across the country that the practice of law requires some degree of competence in technology. In the forum of litigation, competence in technology necessarily equates with competence in e-discovery. It is only a matter of time before ethics bodies across the nation call for competence in e-discovery.[39]

[19]     The opinions of courts and bar associations may carry the most weight, but a number of influential professional and industry groups also have offered useful commentary on technological competence. For example, competence is

…highlighted in the very first rule of legal ethics, according to the American Bar Association[’s] Rule 1.1 of the ABA Model Rules of Professional Conduct,” which “specifically recognized the need for technological competence through a significant change in August 2012 that formally notified all lawyers (and specifically those in jurisdictions following the Model Rules) that competency includes current knowledge of the impact of e-Discovery and technology on litigation.[40]

[20]     This guidance predated and perhaps presaged a number of state and federal reactions to technology and the impact of these developments on the practice of law, especially within the realm of E-Discovery. Delaware amended its Lawyers’ Rules of Professional Conduct as they related to technology in 2013;[41] North Carolina[42] and Pennsylvania[43] did the same shortly thereafter.

[21]     California’s relatively recent Formal Opinion No. 2015-193 (the “California Opinion”) addresses a number of issues associated with attorney ethical duties vis-à-vis E-Discovery. Although advisory in nature, the California Opinion states “attorneys have a duty to maintain the skills necessary to integrate legal rules and procedures with ‘ever-changing technology.’”[44] That reads broadly, but the California Opinion has been interpreted to indicate that, because E-Discovery arises “in almost every litigation matter, attorneys should have at least a baseline understanding of it.”[45] Specifically, the California Opinion begins with the premise that E-Discovery requires an initial assessment of its inclusion at the beginning of a matter.[46] If E-Discovery will be a component of a matter,

[T]he duty of competence requires an attorney to assess his or her own e-discovery skills and resources as part of the attorney’s duty to provide the client with competent representation. If an attorney lacks such skills and/or resources, the attorney must try to acquire sufficient learning and skill, or associate or consult with someone with expertise to assist.[47]

[22]     Other commentators have noted that the California Opinion focuses on “nine (9) core competency issues” which would offer “solid guidelines for attorneys…to maintain competency and protect client confidentiality in the era of eDiscovery.”[48] One author notes that one of these core competency issues and its related directive, that of performing data searches, stretches across the entirety of the E-Discovery process “occurring at each of these steps, from preservation and collection to review and redaction.”[49]

[23]     Soon after the California Opinion was decided, Magistrate Judge Mitchell Dembin issued a Southern District of California decision that addressed “counsels’ ethical obligations and expected competency” in HM Electronics, Inc. v. R.F. Technologies, Inc.[50] The HM Electronics case focused both on specific steps the attorneys should have taken (such as implementing a legal hold and doing the legwork necessary to certify discovery responses as true) as well as behavior actively detrimental to the case (instructing client personnel to destroy relevant documents).[51] Of note in Judge Dembin’s excoriation of the misbehaving attorneys is his statement that “a judge must impose sanctions for a violation of the Rule that was without substantial justification.”[52] One article suggests that part of the problem may be simply that “counsel and clients alike…fail to take seriously judges’ expectations for how they conduct themselves throughout the discovery process.”[53]

[24]     New York attorneys followed the California Opinion with interest, first noting that it merely presented “the standard tasks one should engage in and competently execute to properly collect and produce responsive ESI [Electronically Stored Information] to the opposing party.”[54] A 2009 S.D.N.Y. opinion had chastised attorneys who would otherwise disclaim experience, warning that it was “time that the Bar—even those lawyers who did not come of age in the computer era” understood E-Discovery technologies and their application.[55] A recent article indicated that there is “an ample basis to discern a framework for ethical obligations, derived from ethics rules, court rules, and sanctions decisions in the e-discovery context” based in part on the history of New York courts as “leaders in the advancement of e-discovery law.”[56]

[25]     But such a “framework for ethical obligations” might not even be necessary where competence is the ethical rule at issue. Competence “requires that lawyers have the legal knowledge, skill, thoroughness, and preparation to conduct the representation, or associate with a lawyer who has such skills”[57] and that supervision is appropriate to ensure that the work of others “is completed in a competent manner.”[58] The issue of supervision came up in another advisory opinion, Ethics Opinion 362 of the District of Columbia Bar, which indicated that retaining an e-Discovery vendor that provided all of the E-Discovery services was both impermissible (as the unauthorized practice of law on the part of the vendor) as well as a circumstance where the attorney engaging such a vendor was not absolved from understanding and supervising the work performed, no matter how technical.[59]

 1. Metadata in Electronic Files

[26]     A very basic threat to client confidentiality (as well as the secrecy of counsel’s strategy) is the existence of metadata embedded in electronic files exchanged between the parties or produced as evidence. Most frequently this threat exists in the form of automatically created information about a file, including changes made to the file, that can be recovered and viewed by a third party if not removed (or “scrubbed”) prior to disclosing the file. This “application metadata” can include information about the document itself, the author, comments and prior edits, and may also detail when the document was created, viewed, modified, saved or printed.[60] In addition to the fact that access to metadata can provide opposing parties with everything from revealing insights to damning evidence, there’s also a “real danger” that “application metadata may be inaccurate.”[61]

[27]     Further, disputes related to metadata regularly arise in the E-Discovery context. Indeed, one of the “biggest challenges in electronic discovery” concerns “[u]nderstanding when metadata is relevant and needs to be preserved and produced.”[62] To cite just one example, the concurring opinion in State v. Ratcliff noted that judges must determine whether submitted evidence contained more than the information visible on the face of the document, or whether metadata was included as well, where the distinction “is critical, both on an ethical and adjudicative basis.”[63]

[28]     Accordingly, understanding and managing metadata has become a baseline requirement for technological competence when dealing with client data and attorney work product. Numerous products exist to help save lawyers from themselves when it comes to accidental disclosure of metadata, including software applications that may be integrated into email programs to prevent documents from being sent outside the network without first passing through a scrubbing filter. And the e-filing portal in many jurisdictions “contains a warning reminder that it is the responsibility of the e-filer to strip metadata from the electronic file before submitting it through the portal.”[64] Reliance on these tools, however, may not suffice for long as the sophistication and complexity of issues related to the creation and manipulation of metadata continue to evolve.

III. Overview of U.S. Data Privacy and
Information Security Law

 [29]     The sectoral approach to privacy and data security law in the United States often is described as “a patchwork quilt” comprised of numerous state and federal laws and regulations that apply variously to certain types of data, certain industries, the application of particular technologies, or some combination of those elements. These laws may be enforced by a variety of regulators, with state Attorneys General and the Federal Trade Commission often leading the way.[65] Plaintiffs’ lawyers also are prominent actors in this space, bringing an ever-increasing number of class action and other civil suits alleging violations of privacy rights, data protection laws, and information security standards.

[30]     Although there are no federal or state privacy statutes specifically applicable solely to lawyers, numerous data protection laws and regulations may apply to attorneys in their role as service provider to their clients or in other contexts. The obligations associated with these laws often implicitly or explicitly demand that lawyers handling client data (1) have a thorough understanding of the potential privacy and security risks to that data; (2) assess and determine how best to secure the data and prevent unauthorized access to the data; and (3) supervise anyone acting on their behalf with respect to the data to ensure the data is appropriately protected at all times.

[31]     Below we describe a few of the privacy and data security laws that tend to come up frequently for lawyers and impose requirements on their handling of client data that may involve technological competence. This discussion is by no means exhaustive, as technology touches upon virtually every aspect of data protection regulation and information security counseling by attorneys in the field. To provide just a few examples, advising companies on restrictions applicable to cross-border data transfers, data localization requirements, cybersecurity standards and information sharing obligations, and regulatory action around the use of biometrics and geolocation technologies are just a few examples of areas where a lawyer must have an understanding of the underlying technology to effectively assist clients.

 A.  HIPAA – Business Associate Agreements

[32]     The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), is the most significant health privacy law in the United States, imposing numerous obligations on “covered entities” and “business associates” of those “covered entities” to protect the privacy and security of “protected health information” (“PHI”).[66] As required by HIPAA, the Department of Health and Human Services (“HHS”) issued two key sets of regulations to implement the statute: the Privacy Rule[67] and the Security Rule.[68]

[33]     Although attorneys and law firms are not themselves considered covered entities directly subject to HIPAA’s requirements,[69] when attorneys obtain PHI from covered entity clients in the course of a representation, the law firm may be subject to certain HIPAA Privacy Rule requirements[70] in its role as a business associate.[71] The Privacy Rule and the Security Rule apply to a covered entity’s interactions with third parties (e.g., service providers) that handle PHI on the covered entity’s behalf.[72] The covered entity’s relationships with these “business associates” are governed by obligatory contracts known as business associate agreements (“BAAs”) that must contain specific terms.[73] With respect to technological competence specifically, for example, the BAA requires the business associate to implement appropriate safeguards to prevent use or disclosure of PHI other than as provided for by the BAA, and states that the business associate must ensure that any agents/subcontractors that receive PHI from the business associate also protect the PHI in the same manner. And attorneys who “hold HIPAA data or [other PII] may be governed by state or federal law beyond the scope of the proposed rules, which is noted in the new comments”[74] to ABA Rule 1.6, discussed further below.

B.  GLBA Safeguards Rule Requirements

[34]     Pursuant to the Gramm-Leach-Bliley Act (“GLBA”), the primary federal financial privacy law in the United States, various federal agencies promulgated rules and regulations addressing privacy and data security issues.[75] For example, the Safeguards Rule requires financial institutions to protect security of personally identifiable financial information by maintaining reasonable administrative, technical, and physical safeguards for customer information.[76] To comply with the Safeguards Rule, a financial institution must develop, implement, and maintain a comprehensive information security program, and that program must address the financial institution’s oversight of service providers that have access to customers’ nonpublic personal information (“NPI”).[77]

[35]     Again, although a law firm is not a financial institution directly subject to the GLBA, when it acts as counsel to a financial institution, GLBA requirements may apply to its handling of NPI received from that client. To the extent a financial institution’s law firm will have access to such NPI in the course of the representation, the financial institution-client must take reasonable steps to ensure the law firm has the ability to safeguard such data prior to disclosing it to the firm, and require the firm to contractually agree (in writing) to safeguard the NPI. Assuming such data will be stored electronically (a safe assumption in virtually all cases), it is incumbent on the law firm to understand the potential data security risks and how to prevent unauthorized access, use, transfer, or other processing of their clients’ NPI.

 C.  State Data Security Laws

[36]     At the state level, there are numerous laws and regulations regarding the protection of personal information (and other types of data) that apply to all entities that maintain such data, including lawyers, law firms, and other legal service providers.

[37]     A number of states, such as California, Connecticut, Maryland, Nevada, Oregon, and Texas, have enacted laws that require companies to implement information security measures to protect personal information of residents of the state that the business collects and maintains.[78] These laws of general application are relevant to attorneys and law firms with respect to the personal information they maintain—both client data and data relating to their employees. Typically, these laws are not overly prescriptive and include obligations to implement and maintain reasonable security policies and procedures to safeguard personal information from unauthorized access, use, modification, disclosure, or destruction (though most do not offer a definition or description of what is meant by “reasonable” security). Some laws, such as California’s, impose a requirement to contractually obligate non-affiliated third parties that receive personal information from the business to maintain reasonable security procedures with respect to that data.[79]

[38]     Massachusetts was the first state to enact regulations that directed businesses to develop and implement comprehensive, written information security programs (“WISPs”) to protect the personal information of Massachusetts residents.[80] These regulations apply to all private entities (including law firms) that maintain personal information of Massachusetts residents, including those that do not operate in Massachusetts; they also list a number of minimum standards for the information security program.[81] The Massachusetts regulations are relatively prescriptive as compared to other similar state laws of this nature, and they include numerous specific technical requirements.

[39]     These requirements apply to law firms directly, but they also apply to law firms as service providers to businesses that maintain personal information of Massachusetts residents. A compliant WISP must address the vetting of service providers, and the contract must include provisions obligating the service provider to protect the data.[82]

IV.  Applicable Ethical Rules and Guidance

[40]     The myth of the Luddite[83] or caveman[84] lawyer persists, even if this type of anachronism is, in fact, an ethical violation waiting to happen.[85] But even attorneys who “only touch a computer under duress, and take comfort in paper files and legal research from actual books”[86] must deal with technology.[87] The adequate practice—or perhaps simply “the practice” of law does not exist without technology, and there is no longer a place for lawyers who simply “hope to get to retirement before they need to fully incorporate technology into their lives.”[88]

[41]     “Really?” goes the refrain. “Why can’t I just practice the way I always have, without [insert mangled, vaguely-recognizable technology portmanteau] getting in the way?”

[42]     Well, for one thing, to the extent attorneys rely on the protections of privilege to serve their clients, said attorneys must understand how the confidentiality of their communications and work product may be compromised by the technology they use. Technologies introduce complexity that, in turn, may affect privilege—especially when “many lawyers don’t understand electronic information or have failed to take necessary precautions to protect it.”[89] But how much understanding, exactly, may be required to competently represent clients in matters concerning E-Discovery, or data security, or even privacy? At many organizations, “[p]rivacy issues get handled by anyone who wants to do them” because the subject matter area is understaffed or ignored.[90] The key technological issues relevant to E-Discovery versus data privacy may be somewhat different, but the “solutions” companies find are eerily similar: the practitioners that are actually doing the work are often those who have been delegated the work, whose “expertise” is somewhat home-grown and may, in fact, not really represent true technological competence at all.[91]

[43]     What, then, are the requirements for expertise? Perhaps a pragmatic approach is best. Certainly, practitioners who use technology—again, likely all of them—must take some well-defined, initial steps toward acquiring the appropriate skill set. This might be as straightforward as the lawyer familiarizing herself with the relevant technologies at issue. Although it may sound a bit too easy, “just being well-versed enough to understand the issues is a big plus.”[92] That being said, “those considering a career in cybersecurity or privacy will need to spend time developing some level of technical expertise.”[93] In short, the answer is “it depends” and “no one really knows – yet.” In this relatively new space, actual decisions and definitive standards for “technological competence” are thin on the ground. Below we will examine some of the relevant rules and guidelines to consider.

 A.  Recent Guidelines in the Ethics Rules

[44]     Most attorneys do not have specialized training focused on a particular technological field. Certainly the vast majority do not hold themselves out as experts in cybersecurity, cloud-based storage, social media, biometrics, or any of a variety of related disciplines. However, even in the absence of expertise, there are some basic ethical rules that provide a framework for determining a practitioner’s professional duties and obligations with regard to technology—specifically, rules pertaining to competent client representation, adequate supervision, confidentiality, and communications.[94]

1.  Competent Client Representation (Model Rule 1.1)

[45]     As discussed briefly above, almost four years ago, the America Bar Association formally approved a change to the Model Rules of Professional Conduct to establish a clear understanding that lawyers have a duty to be competent not only in the law and its practice, but also with respect to technology. Detailed below, the passage of this rule contemplated changes in technology and eschewed specifics. Rather than a paint-by-numbers approach, ABA Model Rule 1.1 puts the responsibility on attorneys to understand their own—and their clients’—needs, and how new technologies impact their particular practice.

[46]     ABA Model Rule 1.1 states that:

A lawyer shall provide competent representation to a client. Competent representation requires legal knowledge, skill, thoroughness and preparation reasonably necessary for the representation.[95]

[47]     ABA Model Rule 1.1 was amended in 2012 by Codified Comment 8 as follows:

To maintain the requisite knowledge and skills, a lawyer should keep abreast of changes in the law and its practice, including the benefits and risks associated with relevant technology, engage in continuing study and education and comply with all continuing legal education requirements to which the lawyer is subject.[96]

[48]     Some note that Rule 1.1 “does not actually impose any new obligations on lawyers;”[97] neither does it require perfection.[98] Instead it “simply reiterates the obvious, particularly for seasoned eDiscovery lawyers, that in order for lawyers to adequately practice, they need to understand the means by which they zealously advocate for their clients.”[99] One article noted, in fact, that Comment 8 was evidence of “the ABA’s desire to nudge lawyers into the 21st century when it comes to technology.”[100] It did, however, caution that it was “a very gentle nudge.”[101]

 [49]     Nudge or not, that message has resonated across the United States. In the four years since that amendment was approved and adopted by the ABA, twenty-one states since have adopted the ethical duty of technological competence for lawyers.[102] As for many of the states that have not formally adopted the change to their Model Rules of Professional Conduct, those may still explicitly or implicitly acknowledge this emerging duty to be competent in technology, having a basic understanding of technologies their clients use, and a duty to keep abreast of such changes including a required awareness of regulatory requirements and privacy laws.[103]

2.  Supervision (Model Rules 5.1 and 5.3)

[50]     ABA Model Rule 5.1 also bears on a lawyer’s duties regarding technology insofar as duties aided or supported by technology are performed by someone other than the attorney. This responsibility extends to immediate as well as remote support staff, with ABA Model Rule 5.1 requiring that “[l]awyers must also supervise the work of others to ensure it is completed in a competent manner.”[104] This attempt at establishing “the principle of supervisory responsibility without introducing a vicarious liability concept”[105] has led to considerations regarding inexperience generally,[106] but the implications for technological applications should be clear—an associate or other paralegal professional is much more likely to use technology to support legal work[107] than she is to make a representation before a court or like body.

[51]     ABA Model Rule 5.3 also sets forth responsibilities of partners and supervising attorneys to non-lawyer assistants. This set of ethical considerations further reinforces the responsibilities attorneys have to apply sufficient care in their practice when outsourcing supporting legal work to inexperienced non-professionals, and to ensure that confidentiality is maintained with outsourcing staff.[108] This is not just a matter of supervising specific tasks. It also contemplates knowing which tasks are appropriate for delegation, both within the firm and to third-party vendors. For example, if a delegate of the attorney uses technology to begin an engagement, it’s possible that such an arrangement could be viewed as “establish[ing] the attorney-client relationship,” which may be prohibited under ABA Model Rule 5.5.[109]

3.  Duty of Confidentiality (Model Rule 1.6)

[52]     ABA Model Rule 1.6 states that it is critical that lawyers do not reveal confidential or privileged client information.[110] When information was kept in an attorney’s head, or perhaps committed to a sheet of paper, historical precedent on how to comply with this duty may have been helpful. In the “world of tomorrow,”[111] looking to the past for answers makes little sense, especially in those instances where the attorney is unclear as to how information is stored, accessed, maintained, or utilized.

[53]     Model Rule 1.6 also considers a duty of confidentiality that resides at the core of every attorney’s role and serves as one of the attorney’s most important ethical responsibilities. Model Rule 1.6 generally defines the duty of confidentiality as follows: “A lawyer shall not reveal information relating to the representation of a client unless the client gives informed consent, the disclosure is impliedly authorized in order to carry out the representation or the disclosure is permitted [elsewhere].”[112]

[54]     This rule is broad. It encompasses any client information, confidential or privileged, shared or accessible to the attorney and is not limited to just confidential communications. Further, it may only be relinquished under the most onerous of circumstances.[113] A lawyer shall not, therefore, reveal information relating to the representation of a client unless the client gives informed consent, the disclosure is impliedly authorized in order to carry out the representation, or the disclosure is permitted elsewhere in the rules.

[55]     In 2000, the Advisory Committee looked into its crystal ball and considered ESI on various platforms, in different repositories, in various forms. It then added Comment 18 to Rule 1.6, requiring reasonable precautions to safeguard and preserve confidential information. Comment 18 states that, “[A] lawyer [must] act competently to safeguard information relating to the representation of a client against … inadvertent or unauthorized disclosure by the lawyer or other persons who are participating in the representation of the client or who are subject to the lawyer’s supervision.”[114] Indeed, “[p]artners and supervising attorneys are required to take reasonable actions to ensure that those under their supervision comply with these requirements.”[115]

[56]     In addition to the ABA’s commentary, state and local professional organizations have issued guidance as well. In establishing a specific roadmap for lawyers to attain the skills necessary to meet their ethical obligations with respect to relevant technology in the practice of law, and returning to the California Bar’s Formal Opinion 2015-193, there is a sort of checklist that may assist lawyers in meeting their ethical obligations to develop and maintain core E-Discovery competence in the following areas:[116]

  • Initially assessing E-Discovery needs and issues, if any;
  • Implementing or causing (the client) to implement appropriate ESI preservation procedures, (“such as circulating litigation holds or suspending auto-delete programs”);[117]
  • Analyzing and understanding the client’s ESI systems and storage;
  • Advising the client on available options for collection and preservation of ESI;
  • Identifying custodians of potentially relevant ESI;
  • Engaging in competent and meaningful meet and confers with opposing counsel concerning an E-Discovery plan;
  • Performing data searches;
  • Collecting responsive ESI in a manner that preserves the integrity of the ESI; and
  • Producing responsive, non-privileged ESI in a recognized and appropriate manner.

[57]     But this technological competence inherent in the Duty of Competence represents only one third of the ethical duties that govern an attorney’s interaction with technology. This ESI and litigation skills checklist does not address “the scope of an attorney’s duty of competence relating to obtaining an opposing party’s ESI;”[118] nor does it consider the skills required of non-litigation attorneys, which must be inferred from the rule.

[58]     In addition, the State Bar of California’s Standing Committee on Professional Responsibility and Conduct, Formal Opinion 2010-179 states that “[a]n attorney’s duties of confidentiality and competence require the attorney to take appropriate steps to ensure that his or her use of technology in conjunction with a client’s representations does not subject confidential client information to an undue risk of unauthorized disclosure.”[119]

[59]     In reference to the duty of confidentiality, the New York County Lawyer’s Association’s Committee on Professional Ethics examined shared computer services amongst practitioners in Opinion 733, noting that an “attorney must diligently preserve the client’s confidences, whether reduced to digital format, paper, or otherwise. The same considerations would also apply to electronic mail and websites to the extent they would be used as vehicles for communications with the attorney’s clients.”[120] The New York State Bar’s Committee on Professional Ethics Opinion 842 further stated that, when “a lawyer is on notice that the [client’s] information…is of ‘an extraordinarily sensitive nature that it is reasonable to use only a means of communication that is completely under the lawyer’s control,…the lawyer must select a more secure means of communication than unencrypted Internet e-mail.’”[121] 

4.  Communications (Model Rule 1.4)

[60]     ABA Model Rule 1.4 on Communications also applies to the attorney’s use of technology and requires appropriate communications with clients “about the means by which the client’s objectives are to be accomplished,” including the use of technology.[122]

[61]     In construing all of these Model Rules and comments, it is clear that attorneys who are not tech-must (1) understand their limitations; (2) obtain appropriate assistance; (3) be aware of the areas in which technology knowledge is essential; and (4) evolve to competently handle those challenges; or (5) retain the requisite expert assistance. This list applies equally to data security issues, such as being aware of the risks associated with cloud storage, cybersecurity threats, and other sources of potential harm to client data, and can easily be extended to include awareness and understanding with respect to domestic and foreign data privacy issues.

[62]     The ethical obligations to safeguard information require reasonable security, not absolute security. Accordingly, under such rules and related guidance from the Proposal from the ABA Commission on Ethics 20/20,[123] the factors to be considered in determining the reasonableness of the lawyers’ efforts with respect to security include:

(1) The sensitivity of the information;

(2) The likelihood of disclosure if additional safeguards are not employed;

(3) The cost of employing additional safeguards;

(4) The difficulty of implementing the safeguards; and

(5) The extent to which the safeguards adversely affect the lawyer’s ability to represent the client.[124]

As New Jersey Ethics Opinion 701 states, “[r]easonable care however does not mean that the lawyer absolutely and strictly guarantees that the information will be utterly invulnerable against all unauthorized access. Such a guarantee is impossible.”[125]

B.  Ethics and Social Media

[63]     When considering their ethical duties with respect to technology, lawyers today must confront a host of challenges that would have been almost unimaginable even ten years ago. The rise and proliferation of social media as a daily part of most people’s personal and professional lives has created one such challenge.[126] Numerous courts have addressed—and continue to address—attorney duties with respect to social media in the context of spoliation motions when social media evidence has been lost, destroyed, or obfuscated due to negligence, or in accordance with attorney advice.[127] In addition, given the novelty and complexity of the issues, and in the interest of consistency, state bar associations have begun to address issues associated with attorney use of, counseling on, and preservation of social media.

[64]     The Association of the Bar of the City of New York’s Committee on Professional and Judicial Ethics, in Formal Opinion 2010-2, provided some helpful guidelines on attorney access to social media, stating that “[a] lawyer may not use deception to access information from a social networking webpage,” either directly or through an agent.[128] While focused on behaviors that attorneys and their agents should not undertake when developing a case, the opinion does note that the “potential availability of helpful evidence on these internet-based sources makes them an attractive new weapon in a lawyer’s arsenal of formal and informal discovery devices,” and also offers up “the Court of Appeals’ oft-cited policy in favor of informal discovery.”[129] Simply put, the duty is twofold: an attorney must both be aware of social media and know how to use social media to provide effective representation.

 2.  State Bar Association Guidance

[65]     State bar associations are becoming increasingly involved in providing guidance on social media and its implications for the practice of law. For example, in 2014, the New York and Pennsylvania State Bar Associations and the Florida Professional Ethics Committee issued guidance on social media usage by attorneys and addressed the obligations of attorneys to understand how various platforms work, what information will be available to whom, the ethical implications of advising clients to alter or change social media accounts, and the value of ensuring adequate preservation of social media evidence.

i.  New York

[66]     The Social Media Ethics Guidelines of the Commercial and Federal Litigation Section of the New York State Bar Association provide specific guidance for the use of social media by attorneys.[130] Guideline 4, relating to the review and use of evidence from social media, is divided into four subparts, all of which provide specific and pertinent guidance to attorneys:

  • Guideline No. 4.A: Viewing a Public Portion of a Social Media Website, provides that “[a] lawyer may view the public portion of a person’s social media profile or public posts even if such person is represented by another lawyer. However, the lawyer must be aware that certain social media networks may send an automatic message to the person whose account is being viewed which identifies the person viewing the account as well as other information about such person.”[131]
  • Guideline No. 4.B: Contacting an Unrepresented Party to View a Restricted Portion of a Social Media Website, provides that “[a] lawyer may request permission to view the restricted portion of an unrepresented person’s social media website or profile. However, the lawyer must use her full name and an accurate profile, and she may not create a different or false profile to mask her identity. If the person asks for additional information from the lawyer in response to the request that seeks permission to view her social media profile, the lawyer must accurately provide the information requested by the person or withdraw her request.”[132]
  • Guideline No. C: Viewing A Represented Party’s Restricted Social Media Website, provides that “[a] lawyer shall not contact a represented person to seek to review the restricted portion of the person’s social media profile unless an express authorization has been furnished by such person.”[133]
  • Guideline No. 4.D: Lawyer’s Use of Agents to Contact a Represented Party, “as it relates to viewing a person’s social media account,” provides that “[a] lawyer shall not order or direct an agent to engage in specific conduct, or with knowledge of the specific conduct by such person, ratify it, where such conduct if engaged in by the lawyer would violate any ethics rules.”[134]

ii.  Florida

[67]     In Advisory Opinion 14-1, the Florida Bar Association’s Professional Ethics Committee confirmed that an attorney could advise a client to increase privacy settings (as so to conceal from public eye) and remove information relevant to the foreseeable proceedings from social media as long as an appropriate record was maintained—the data preserved—and no rules or substantive laws regarding preservation and/or spoliation of evidence were broken.[135]

iii. Pennsylvania

[68]     In 2014, the Pennsylvania Bar Association issued a Formal Opinion that included detailed guidance regarding an attorney’s ethical obligations with respect to the use of social media. Among other guidelines, the Opinion specifically stated that:

  • Attorneys may advise clients about the content of their Social networking websites, including the removal or addition of information;
  • Attorneys may connect with clients and former clients;
  • Attorneys may not contact a represented person through social networking websites;
  • Although attorneys may contact an unrepresented person through social networking websites, they may not use a pretextual basis for viewing otherwise private information on social networking websites; and
  • Attorneys may use information on social networking websites in a dispute.[136]

3.  ABA Model Rule 3.4

[69]     Finally, although ABA Model Rule 3.4 on Fairness to Opposing Party and Counsel does not directly address social media, the principles behind the rule apply in the social media context. The Rule provides that an attorney shall not “unlawfully obstruct another party’s access to evidence or unlawfully alter, destroy or conceal a document or other material having potential evidentiary value” nor shall the attorney “counsel or assist another person” to undertake such actions.[137]

C.  Guidance on Duties Related to Cybersecurity

[70]     As we discussed above in Section II, attorneys face a complex threat landscape when it comes to security concerns related to the protection of their clients’ data.[138] Although the scope of an attorney’s ethical obligations in this regard remains somewhat unclear, there are several sources of guidance relevant to how lawyers are expected to manage cybersecurity risks.

[71]     One such source that squarely addresses the issue is the Resolution issued by the ABA’s Cybersecurity Legal Task Force. The Resolution contains a detailed Report explaining the ABA’s position regarding the growing problem of intrusions into computer networks utilized by lawyers and law firms, and urges lawyers and law firms to review and comply with the provisions relating to the safeguarding of confidential client information.[139] As the ABA noted in its Report, defending the confidentiality of the lawyer-client relationship and preservation of privilege in communications and attorney work product are fundamental to public confidence in the legal system.[140] Attorneys are directed to (1) keep clients reasonably informed as set forth in the Model Rules of Professional Conduct, as amended in August 2012 and adopted in the jurisdictions applicable to their practice; and (2) comply with other applicable state, federal, and court rules pertaining to data privacy and cybersecurity.[141] The ABA further urges the respect and preservation of the attorney client relationship during the pendency of any actions in which a government entity aims to deter, prevent, or punish unauthorized, illegal intrusions into computer systems and networks used by lawyers and law firms.

[72]     The comment to ABA Model Rule 5.7 states, perhaps somewhat axiomatically, that when “[a] lawyer performs law-related services or controls an organization that does so, there exists the potential for ethical problems.”[142] This, combined with Model Rule 1.6’s requirement for attorneys to safeguard and protect client information, suggests further potential duties associated with cybersecurity.[143] As one author notes

Fulfillment of a law firm’s duty to maintain client confidences in today’s world of cyberattacks requires much more than legal knowledge and legal skills. It requires sophisticated computer knowledge and skills far beyond legal practice. That is why cybersecurity experts should be used to assist in any law firm’s client’s data protection efforts.[144]

Indeed, “[t]raining in security, including cybersecurity should be a part of every lawyer’s education. It is especially important for lawyers who do electronic discovery”.[145]

[73]     On a related subject, in Formal Opinion 2015-3, the New York City Bar Association issued guidance indicating that lawyers do not violate their ethical duties by reporting suspected cybercrime to law enforcement.[146] If an attorney has performed “reasonable diligence” to determine whether a prospective client is actually attempting fraud, the opinion says, then the attorney is free to report.[147] The Opinion continued, highlighting the lack of duty associated with individuals who are not actually clients, stating that an

attorney who discovers that is he the target of an Internet-based trust account scam does not have a duty of confidentiality to the individual attempting to defraud him, and is free to report the individual to law enforcement authorities, because that person does not qualify as a prospective or actual client of the attorney.[148]

V.  Conclusion

[74]     It goes without saying that we live (and work) in interesting times. Cloud technology offers convenience, flexibility, cost savings—and a host of potential security issues that existing “hard-copy world” rules aren’t fit to address. The details of top-secret corporate transactions are now hashed out on collaborative virtual platforms that may be vulnerable to damage, destruction, or unauthorized access. And the increasing ubiquity of social media makes it ever more likely that lawyers and clients alike may post information without appreciating the potential legal ramifications. New technologies have the capacity to enrich our personal lives and enhance our professional lives, but they also create complex and novel challenges for lawyers already subject to a web of ethical duties concerning competence and confidentiality.

[75]     Given the speed with which this dynamic area is changing, the issues raised in this piece may well feel dated within months of publication as the next new product or service revolutionizes another fundamental aspect of human interaction and connectivity. Nevertheless, in this article we have outlined some of the many challenges facing attorneys operating in a threat-laden high-tech landscape, taken a look at the ways in which existing and emerging ethical rules and guidelines may apply to the practice of law in the digital age, and opened a door to further conversation about all of these issues as they continue to evolve.



* Stacey Blaustein is a Senior Attorney – Corporate Litigation with the IBM Corporation.

** Melinda L. McLellan is Counsel in the New York office of Baker & Hostetler LLP.

*** James Sherer is Counsel in the New York office of Baker & Hostetler LLP.


[1] See Roger V. Skalbeck, Computing Efficiencies, Computing Proficiencies and Advanced Legal Technologies, Virginia State Bar – Research Recourses (Oct. 2001),, archived at

[2] See Ed Finkel, Technology No Longer a ‘Nice to Learn’ for Attorneys, Legal Management, Association of Legal Administrators (Oct. 2014),, archived at

[3] See, e.g., Evan Weinberger, Fintech Boom Prompts Lawyers to Add Tech Know-How, Law360 (Sep. 4, 2015, 6:05 PM),, archived at; see also Allison O. Van Laningham, Navigating in the Brave New World of E-Discovery: Ethics, Sanctions and Spoliation, FDCC Q. 327(Summer 2007),, archived at

[4] See Frank Strong, Beautiful Minds: 41 Legal Industry Predictions for 2016, LexisNexis LawBlog (Dec. 17, 2015),, archived at

[5] To further complicate matters, for attorneys and law firms practicing in the financial technology area such as payment, online lending, bitcoin and other virtual currencies, these lawyers need to be competent in “fintech”, financial technology, another outgrowth of the expertise in technology requirement. See Evan Weinberger, Fintech Boom Prompts Lawyers to Add Tech Know-How, Law360 (Sep. 4, 2015, 6:05 PM),, archived at

[6] See infra Part III (explaining that agencies such as the FDA have issued guidance in their arena- Postmarket Management of Cybersecurity in Medical Devices).

[7] Report to the House of Delegates, ABA Cybersecurity Legal Task Force Section of Sci. & Tech. Law 1,, archived at

[8] Ellen Rosen, Most Big Firms Have Had Some Hacking: Business of Law, Bloomberg (Mar. 11, 2015, 12:01 AM),, archived at

[9] See Melissa Maleske, A Soft Target for Hacks, Law Firms Must Step Up Data Security, Law360 (Sep. 23, 2015, 10:09 PM),, archived at

[10] See id.

[11] See Susan Hansen, Cyber Attacks Upend Attorney-Client Privilege, Bloomberg Businessweek (Mar. 19, 2015, 2:56 PM),, archived at

[12] See Rosen, supra note 8.

[13] Id.

[14] Mark Wolski, Report: Legal Industry Was Heavily Targeted with Cyber Threats in January, Bloomberg BNA (Mar. 9, 2016),, archived at

[15] See id.

[16] James Risen & Laura Poitras, Spying by N.S.A. Ally Entangled U.S. Law Firm, N.Y. Times, Feb. 15, 2014,, archived at

[17] See Rosen, supra note 8.

[18] See Hansen, supra note 11.

[19] Blake Edwards, Verizon GC: Law Firms Prime Targets for Hackers, Bloomberg BNA (Feb. 4, 2016),, archived at

[20] Strong, supra note 4.

[21] Id.

[22] Matthew Goldstein, Law Firms Are Pressed on Security for Data, N.Y. Times (Mar. 26, 2014),, archived at

[23] See N.Y. City Bar Comm. on Small Law Firms, The Cloud and the Small Law Firm: Business, Ethics and Privilege Considerations 2 (Nov. 2013),, archived at

[24] Id.

[25] Strong, supra note 4.

[26] Patrick Mohan & Steve Krause, Up in the Cloud: Ethical Issues that Arise in the Age of Cloud Computing, 8 ABI Ethics Comm. News L. 1 (Feb. 2011),, archived at

[27] Sharon D. Nelson & John W. Simek, Why Do Lawyers Resist Ethical Rules Requiring Competence with Technology?, Slaw (Mar. 27, 2015),, archived at

[28] Ed Finkel, Technology No Longer a ‘Nice to Learn’ for Attorneys, Legal Management, Association of Legal Administrators (Oct. 2014), archived at

[29] Leslie Pappas, The Security Concerns Holding Up One Firm’s Cloud Usage, Bloomberg BNA (Jan. 22, 2016),, archived at

[30] See Casey C. Sullivan, Is It Time for a Law Firm Cloud Computing Security Standard?, FindLaw (Feb. 18, 2016),, archived at

[31] See Jonathan R. Tung, Survey: Law Departments Are Warming Up to the Cloud, FindLaw (Feb. 18, 2016),, available at

[32] Strong, supra note 4.

[33] N.Y. State Bar Ass’n Comm. on Prof’l Ethics, Op. 1020 (Sept. 12, 2014),, archived at

[34] N.J. Advisory Comm. on Prof’l Ethics, Op. 701 (2006),, archived at

[35] Id.

[37] Aebra Coe, Judges Lack Faith in Attys’ E-Discovery Skills, Survey Says, Law360 (Jan. 28, 2016),, archived at

[38] Id.

[39] Bob Ambrogi, California Considers Ethical Duty to Be Competent in E-Discovery, Catalyst Blog (Feb. 27, 2015),, archived at

[40] Karin S. Jenson, Coleman W. Watson & James A. Sherer, Ethics, Technology, and Attorney Competence, The Advanced eDiscovery Inst. (Nov. 2014),, archived at

[41] See Order Amending Rules 1.0, 1.1, 1.4, 1.6, 1.17, 1.18, 4.4, 5.3, 5.5, 7.1, 7.2, and 7.3 of the Delaware Lawyers’ Rules of Professional Conduct, Del. R. Prof’l Conduct (2013),

[42] See N.C. State. Bar Rules of Prof’l Responsibility & Conduct R. 1.1 (2014),, archived at

[43] See Notice of Proposed Rulemaking, 43 Pa. Bull. 1997 (Apr. 13, 2013),, archived at

[44] Bob Ambrogi, California Finalizes Ethics Opinion Requiring Competence in E-Discovery, Catalyst Blog (Aug. 6, 2015),, archived at

[45] Id.

[46] See id.

[47] State Bar of Cal. Standing Comm. on Prof’l Responsibility & Conduct, Formal Op. 2015-193 (2015),, archived at

[48] Adam Kuhn, The California eDiscovery Ethics Opinion: 9 Steps to Competency, Recommind Blog (Aug. 11, 2015),, archived at

[49] Id.

[50] H. Christopher Boehning & Daniel J. Toal, E-Discovery Competence of Counsel Criticized in Sanctions Decision, New York Law Journal (Oct. 6, 2015),, archived at

[51] See generally HM Elecs., Inc. v. R.F. Techs., Inc., 2015 U.S. Dist. LEXIS 104100 (S.D. Cal. Aug. 7, 2015) (arguing the invalidity of the steps that the defendants took in order to certify discovery as true).

[52] Boehning & Toal, supra n. 50.

[53] Id.

[54] Samantha V. Ettari & Noah Hertz-Bunzl, Ethical E-Discovery: Core Competencies for New York Lawyers, New York Law Journal (Nov. 2, 2015),, archived at

[55] William A. Gross Constr. Assocs., Inc. v. Am. Mfrs. Mut. Ins. Co., 256 F.R.D. 134, 136 (S.D.N.Y. 2009).

[56] See Ettari & Hertz-Bunzl, supra n. 54.

[57] See Ettari & Hertz-Bunzl, supra n. 54 (citing New York Rules of Professional Conduct (N.Y. Rule) 1.1.5).

[58] See Ettari & Hertz-Bunzl, supra n. 54 (citing N.Y. Rule 5.1(c)).

[59] See generally D.C. Comm. on Legal Ethics, Formal Op. 362 (2012),, archived at (discussing the permissibility of non-lawyer ownership of discovery service vendors).

[60] See generally The Sedona Conference Working Group, Best Practices Recommendations & Principles for Addressing Electronic Document Production, The Sedona Principles: Second Edition, June 2007, at 60, 61, archived at (explaining the composition and functionality of metadata).

[61] Id. at 4.

[62] Id.

[63] State v. Ratcliff, 849 N.W.2d 183, 196 (N.D. 2014).

[64] See Christian Dodd, Metadata 101 for Lawyers: A 2-Minute Primer, Law360 (Oct. 15, 2015, 4:30 PM),, archived at

[65] See Daniel J. Solove & Woodrow Hartzog, The FTC and the New Common Law of Privacy, 114 Colum. L. Rev. 583, 587 (2014).

[66]See Health Insurance Portability and Accountability Act of 1996 (HIPAA), 42 U.S.C. §§1320d to 1320d-8 (2007) [hereinafter HIPAA].

[67] See Standards for Privacy of Individually Identifiable Health Information, 65 Fed. Reg. 82,462 (Dec. 28, 2000) (codified at 45 C.F.R. pts. 160, 164).

[68] See Security Standards, 68 Fed. Reg. 8333, 8334 (Feb. 20, 2003) (codified at 45 C.F.R. pts. 160, 162, 164).

[69] The health plan within an organization, such as a law firm’s employee health plan, may itself be a “covered entity” for HIPAA compliance purposes, but a firm generally is not, itself, a covered entity. See, e.g., HIPAA, supra note 66.

[70] See John V. Arnold, PRIVACY: What Lawyers Must Do to Comply with HIPAA, 50 Tenn. B.J. 16, 17 (Mar. 2014).

[71] See Lisa J. Acevedo et. al., New HIPAA Liability for Lawyers, 30 GPSolo, no. 4, 2013,, archived at

[72] See Standards for Privacy of Individually Identifiable Health Information, supra note 67; see Security Standards, supra note 68.

[73] Both the Privacy Rule and the Security Rule dictate certain terms that must be included in a BAA.

[74] See Nelson & Simek, supra note 27.

[75] See 15 U.S.C. §§ 6801–6809 (2012).

[76] See 16 C.F.R. §§ 314.2, 314.3(b).

[77] See 16 C.F.R. § 314.4(a-c).

[78] See, e.g., Cal. Civ. Code § 1798.81.5 (Deering 2009); Conn. Gen. Stat. § 42-471 (2010); Md. Code Ann., Com. Law §§ 14-3501 to 14-3503 (LexisNexis 2009); Nev. Rev. Stat. § 603A.210 (2009); Or. Rev. Stat. § 646A.622 (2009); Tex. Bus. & Com. Code Ann. §§ 72.001–72.051 (West 2009).

[79] See Cal. Civ. Code § 1798.81.5 (Deering 2009).

[80] See 201 Mass. Code Regs. 17.01–17.05 (2008).

[81] See id.

[82] See id.

[83] See Debra Cassens Weiss, Lawyers Have Duty to Stay Current on Technology’s Risks and Benefits, New Model Ethics Comment Says, ABA Journal Law News (Aug. 6, 2012, 7:46 PM), archived at

[84] See Unfrozen Caveman Lawyer, Saturday Night Live Transcripts,, archived at (“Sometimes when I get a message on my fax machine, I wonder: ‘Did little demons get inside and type it?’ I don’t know! My primitive mind can’t grasp these concepts.”) (last visited Apr. 5, 2016).

[85] See Megan Zavieh, Luddite Lawyers Are Ethical Violations Waiting to Happen, (last updated July 10, 2015),, archived at

[86] Lois D. Mermelstein, Ethics Update: Lawyers Must Keep Up with Technology Too, American Bar Association – Business Law Today, Business Law Today (Mar. 2013),, archived at

[87] See Blair Janis, How Technology Is Changing the Practice Of Law, GP Solo,, archived at (last visited Apr. 5, 2016).

[88] Kevin O’Keefe, We Need Laws Requiring Lawyers to Stay Abreast of Technology? LEXBLOG: Ethics & Blogging Law (Mar. 28, 2015),, archived at

[89] Attorney-client Privilege: Technological Changes Bring Changing Responsibilities for Attorneys and Legal Departments, Corporate Law Advisory,, archived at (last visited Apr. 5, 2016).

[90] Daniel Solove, Starting a Privacy Law Career, LinkedIn Pulse (Aug. 27, 2013),, archived at

[91] See Peter Geraghty & Sue Michmerhuizen, Think Twice Before You Call Yourself an Expert, Your ABA (Mar. 2013),, archived at .

[92] Solove, supra note 90.

[93] Alysa Pfeiffer-Austin, Four Practical Tips to Succeed in the Cybersecurity and Privacy Law Market, ABA Security Law (Dec. 9, 2015),, archived at

[94] See David G. Ries, Cybersecurity for Attorneys: Understanding the Ethical Obligations, Law Practice Today (Mar. 2012),, archived at

[95] Model Rules of Prof’l Conduct R. 1.1 (2014).

[96] Model Rules of Prof’l Conduct R. 1.1 cmt. 8 (2014) (emphasis added).

[97] Jenson, Watson & Sherer, supra note 40, at 2.

[98] See James Podgers, You Don’t Need Perfect Tech Knowhow for Ethics’ Sake—But a Reasonable Grasp Is Essential, ABA Journal (Aug. 9, 2014),–but_a_reasonable_grasp, archived at

[99] Jenson, Watson & Sherer, supra note 40, at 2.

[100] Kelly H. Twigger, Symposium, Ethics in Technology and eDiscovery – Stuff You Know, but Aren’t Thinking About, Ark. L. Rev. (Oct. 16, 2014),, archived at

[101] Id.

[102] These states are: Arizona, Arkansas, Connecticut, Delaware, Idaho, Illinois, Iowa, Kansas, Massachusetts, Minnesota, Nebraska, New Hampshire, New Mexico, New York, North Carolina, Ohio, Pennsylvania, Utah, Virginia, West Virginia, and Wyoming. See Robert Ambrogi, 20 States Have Adopted Ethical Duty of Technological Competence, Law Sites (Mar. 16, 2015),, archived at (last updated Dec. 23, 2015) (listing 20 states not including Nebraska); see also Basic Technology Competence for Lawyers, Event Details, Nebraska Bar Assoc. (Apr. 6, 2016),, archived at (“[T]he need to be aware of and have a working knowledge of technology…is ethically required of all lawyers.”).

[103] Ann M. Murphy, Is It Safe? The Need for State Ethical Rules to Keep Pace with Technological Advances, 81 Fordham L. Rev. 1651, 1659, 1665–66 (2013),, archived at

[104] Samantha V. Ettari & Noah Hertz-Bunzl, Ethical E-Discovery: What Every Lawyer Needs to Know, LegaltechNews (Nov. 10, 2015),, archived at (referring to Model Rule of Prof’l Conduct 5.1).

[105] American Bar Association, A Legislative History: the Development of the ABA Model Rules of Professional Conduct, 1982-2005 560 (2006).

[106] Jeffrey P. Reilly, Rule 5.1 of the Rules of Professional Conduct: What Must Corporate General Counsel Do? Association of Corporate Counsel, Baltimore Chapter FOCUS 2Q12 5–6 (2012),, archived at

[107] See Jennifer Ellis, What Technology Does a Modern US Lawyer Generally Use in Practice?, Quora (Mar. 22, 2014),, archived at

[108] See Model Rules of Prof’l Conduct R. 5.3.

[109] Frances P. Kao, No, a Paralegal Is Not a Lawyer, ABA Bus. Law Today, (Jan./Feb. 2007),, archived at

[110] See Model Rules of Prof’l Conduct R. 1.6.

[111] See Jon Snyder, 1939’s ‘World of Tomorrow’ Shaped Our Today, Wired (Apr. 29, 2010, 8:00 PM),, archived at

[112] Model Rules of Prof’l Conduct R. 1.6.

[113] See Saul Jay Singer, Speaking of Ethics: When Tarasoff Meets Rule 1.6, Washington Lawyer (May 2011),, archived at

[114] Model Rules of Prof’l Conduct R. 1.6 cmt. 18.

[115] David G. Ries, Cybersecurity for Attorneys: Understanding the Ethical Obligations, Law Practice Today (Mar. 2012),, archived at

[116] See State Bar of Cal. Standing Comm. on Prof’l Responsibility and Conduct, Formal Op. 2015-193, 3–4 (2015) [hereinafter Cal. Ethics Op. 2015-193] (discussing what an attorney’s ethical duties are in the handling of discovery of electronically stored information).

[117] Ettari & Hertz-Bunzl, supra note 104.

[118] Cal. Ethics Op. 2015-193, supra note 116, at fn. 7.

[119] State Bar of Cal. Standing Comm. on Prof’l Responsibility and Conduct, Formal Op. 2010-179, 7 (2010) (discussing whether an attorney violates the duties of confidentiality and competence she owes to a client by using technology to transmit or store confidential client information when the technology may be susceptible to unauthorized access by third parties).

[120] N.Y. Cnty. Lawyers’ Ass’n Comm. on Prof’l Ethics, Formal Op. 733, 7 (2004) (discussing non-exclusive referrals and sharing of office space, computers, telephone lines, office expenses, and advertising with non-legal professionals).

[121] N.Y. State Bar Ass’n Comm. on Prof’l Ethics, Formal Op. 842 (2010) (discussing using an outside online storage provider to store client’s confidential information).

[122] Model Rules of Prof’l Conduct R. 1.4 (1983); see also 204 Pa. Code § 81.4 (1988),, archived at (incorporating ABA Model Rule 1.4 into Pennsylvania’s Model Rule 1.4).

[123]See ABA Comm. on Ethics 20/20, Introduction and Overview (Feb. 2013),, archived at

[124] Model Rules of Prof’l Conduct R. 1.6(c) cmt. 18 (1983).

[125] Opinion 701 also highlights, if inadvertently, the challenges attorneys face when trying to modify existing practices to fit new technologies. As part of the inquiry underpinning Opinion 701’s guidance, the opinion notes that “nothing in the RPCs prevents a lawyer from archiving a client’s file through use of an electronic medium such as PDF files or similar formats.” This note is nearly laughable when read in the context of current practice, as it suggests that attorneys were (or are?) concerned about whether PDF files are appropriate for retaining paper documents. N.J. Advisory Comm. on Prof’l Ethics, Formal Op. 701 (2006),, archived at

[126] See Brian M. Karpf, Florida’s Take on Telling Clients to Scrub Social Media Pages, Law 360 (Sept. 15, 2015, 4:33 PM),, archived at

[127] See id.

[128] N.Y.C. Bar Ass’n Comm. on Prof’l. Ethics, Formal Op. 2010-2 (2010),, archived at (discussing lawyers’ obtainment of information from social networking websites).

[129] Id.

[130] Mark A. Berman, Ignatius A. Grande & James M. Wicks, Social Media Ethics Guidelines of the Commercial and Federal Litigation Section of the New York State Bar Association, The New York State Bar Association (June 9, 2015),, archived at

[131] Id.

[132] Id.

[133] Id.

[134] Id.

[135] See Fla. State Bar Comm. on Prof’l Ethics, Proposed Op. 14-1 (2015),$FILE/14-01%20PAO.pdf?OpenElement, archived at

[136] Pa. Bar Ass’n. Comm. on Ethics, Formal Op. 2014-300, 2 (2014),, archived at

[137] Model Rules of Prof’l Conduct R. 3.4 (1983).

[138] See supra Part II.

[139] See ABA Cybersecurity Legal Task Force, Resolution 118, 2 (August 2013),, archived at

[140] See id. at 4.

[141] See id. at 16.

[142] Model Rules of Prof’l Conduct R. 5.7, cmt. 1 (1983).

[143] See Model Rules of Prof’l Conduct R. 1.6.

[144] Ralph C. Losey, The Importance of Cybersecurity in eDiscovery, E-Discovery Law Today (May 9, 2014), archived at

[145] Ralph C. Losey, The Importance of Cybersecurity to the Legal Profession and Outsourcing as a Best Practice – Part Two, e-Discovery Team (May 18, 2014),, archived at

[146] N.Y.C. Bar Ass’n Comm. on Prof’l Ethics, Formal Op. 2015-3, 4–5 (2015),, archived at

[147] Id. at 1.

[148] Id. at 6 (emphasis added).

Addressing Employee Use of Personal Clouds

Favro Publication Versionpdf_icon

Cite as: Philip Favro, Addressing Employee Use of Personal Clouds, 22 Rich. J.L. & Tech. 6 (2016),

Philip Favro*



[1]       Cloud computing is one of the most useful innovations in the digital age.[1] While much of the attention on recent advances has focused on smartphones, tablet computers, and wearable technology, the cloud is perhaps unrivaled in its utility for organizations.[2] From simplified data storage to innovative software platforms, enterprise-grade cloud solutions provide cost-effective alternatives to acquiring expensive computer hardware and software.[3] Enterprise clouds also offer a collaborative work environment for a mobile and widespread work force, enabling businesses to maximize worker productivity.[4]

[2]       Organizations are not alone in reaping the benefits of cloud computing. Individuals have likewise discovered the value that cloud providers offer in their personal lives.[5] With increased storage for digital photos, music, and other files, personal cloud providers help users avoid losing personal data when a computer hard drive inevitably fails.[6] Furthermore, the transfer functionality afforded by personal clouds enables users to seamlessly move data between computers, smartphones, and other mobile devices.[7]

[3]       With such utility at their fingertips, it should come as no surprise that individuals use personal clouds to facilitate work responsibilities.[8] Personal cloud providers like Dropbox, Box, and Google Drive can obviate clunky network storage options and simplify data sharing and teamwork among colleagues.[9] While employees of many organizations could benefit from such functionality, it is particularly advantageous to workers whose employers lag behind the technology curve.[10]

[4]       These and other features seem to make personal clouds an ideal tool for advancing business objectives within the corporate environment.[11] Appearances, however, can be deceiving. That is exactly the case with employee use of personal cloud applications in the workplace.[12] From information retention and information security to litigation readiness and cybersecurity, personal cloud use among employees implicates a range of troubles for organizations.[13] Indeed, the very aspects that make personal clouds so attractive–cheap and unlimited storage, simplified transfers, and increased collaboration–pose serious threats to the enterprise.[14]

[5]       Nevertheless, companies in many instances have taken few, if any, actionable steps to address the proliferation of personal cloud use among their employees.[15] Worse, some organizations have implemented “bring your own cloud” (BYOC) policies that officially sanction employee use of consumer-grade cloud applications in the workplace without sufficient corporate oversight.[16] A BYOC policy that lacks proper measures to ensure compliance may very well result in a disastrous outcome for the enterprise.[17]

[6]       In this article, I address these issues by surveying recent court cases that exemplify the information governance and litigation challenges arising from personal cloud use in the business enterprise. In particular, I discuss the problems with BYOC practices that expressly or implicitly enable employee use of personal clouds. I also spotlight some of the troubles that stealth use of personal clouds creates for organizations. I conclude by suggesting some practices that can help organizations ameliorate these problems.


[7]       Employers are often directly responsible for the difficulties that have resulted from employee use of cloud applications.[18] That employers are at fault does not stem from this being a new trend. Indeed, personal cloud providers have been around since the 2000s,[19] with courts examining the troubles associated with cloud computing beginning in 2011.[20]Organizations previously overlooked the risks of this trend by authorizing their executives or employees to use personal cloud applications in the corporate ecosystem.[21] In addition, they ignored the hazards associated with the stealth use of personal clouds.[22] This Part examines cases that address these aspects of employee use of consumer clouds.

 A. Corporate Approved BYOC Accounts

[8]       In many instances, organizations have openly welcomed the use of personal clouds by their employees.[23] Whether by policy or by practice, corporate IT departments have approved personal cloud use by expressly enabling its functionality.[24] Nevertheless, that is often the extent of corporate oversight.[25] Beyond requiring an employee to sign a perfunctory non-disclosure agreement, little follow up effort is taken to prevent employees from transferring confidential information from company servers to a personal cloud.[26]

[9]       Such corporate inaction can be challenging for cybersecurity initiatives, retention schedules, and preservation requirements in litigation. However, it can be especially problematic when an employee leaves the company with proprietary materials and begins working for an industry competitor.[27] The Selectica v. Novatus[28] and PrimePay v. Barnes[29] decisions are particularly instructive on the need for organizations to abandon their laissez-faire attitude toward employee use of approved BYOC accounts.

  1. Selectica v. Novatus

[10]     In Selectica, plaintiff (Selectica) filed suit against defendant (Novatus), claiming Novatus misappropriated various trade secrets.[30] In particular, Selectica alleged that four of its former sales personnel violated their respective non-disclosure agreements by sharing confidential pricing information with Novatus, their new employer.[31] Those agreements provided that the employees would maintain the confidentiality of Selectica’s proprietary information and return all such materials to the company upon termination of their employment.[32]

[11]     Despite those agreements, one of the employees (Holt) offered to share Selectica’s pricing information to a member of Novatus’ senior management team after joining Novatus.[33] Holt still had access to that information along with other data belonging to Selectica because he maintained it with Box, a cloud storage provider.[34] The Box account was not a stealth cloud drive concealed from Selectica.[35]

[12]     Instead, Selectica expressly recommended and authorized Holt to store that data under a BYOC arrangement with Box: “While employed by Selectica, [Holt] had a company laptop computer which, on Selectica’s recommendation, was configured so that it automatically synced to his personal cloud storage account at This meant that when Holt saved a file to the laptop, the system pushed a copy to his Box account.”[36] Despite having enabled the BYOC arrangement with Holt, Selectica apparently neglected to disable the Box account or remove any proprietary materials upon Holt’s departure.[37] As a result, Holt had full access to the pricing information when he joined Novatus.[38]

[13]     Selectica demonstrates the folly of a lax approach to personal cloud use within the enterprise. While Selectica enabled the Box account for backup purposes, it took no action to protect Selectica’s interest in the corporate information stored in that account. For example, Selectica did not obtain Holt’s login credentials to the Box account.[39] Nor does it appear that Selectica monitored Holt’s use of the account while employed with the company.[40] Selectica did not disable the Box account when Holt left the company.[41] Furthermore, Selectica took no action to confirm that Holt had either returned or destroyed all proprietary company information before going to work for Novatus.[42]

[14]     Any one of these steps—and certainly a combination of them—would likely have prevented the disclosure of Selectica’s product pricing information to an industry competitor.[43] Selectica exemplifies the need for corporate oversight of approved BYOC accounts if organizations are to prevent their trade secrets from falling into the hands of competitors.

  1. PrimePay v. Barnes

[15]     Another exemplary decision on these issues is PrimePay v. Barnes.[44] Like Selectica, PrimePay involves claims of trade secret misappropriation.[45] In PrimePay, the plaintiff (PrimePay) sued one of its former executives (Barnes) that established a competing business entity.[46] PrimePay moved for a preliminary injunction against the operation of Barnes’ business, arguing that Barnes took several categories of confidential PrimePay information and stored it with cloud service provider Dropbox, along with other locations.[47] According to PrimePay, Barnes accessed the Dropbox-stored data to allegedly help start his competing company. He then allegedly destroyed those materials after the plaintiff warned him “to preserve any PrimePay electronically stored information that he possessed.”[48]

[16]     In response to these arguments, Barnes asserted that he never absconded with PrimePay’s proprietary data.[49] Instead, Barnes explained that any PrimePay data in his Dropbox account was from work that he previously performed while at PrimePay.[50] According to Barnes, that data was mostly deleted at the time he left the company.[51] As for the origin of the Dropbox account, it was created far in advance of Barnes’ departure from the company.[52] Its purpose was not to steal proprietary data, Barnes argued, but to allow him to complete work for PrimePay when he was away from the office.[53] Nor was this a stealth account; it was a company-approved BYOC:

Barnes created the Dropbox [account] . . . so that he could transfer and access files when he worked remotely on PrimePay matters if he was away from the office, on vacation or elsewhere and needed access to the PrimePay files, all with the knowledge and approval of [PrimePay owner] Chris Tobin.[54]

[17]     Given that Barnes’ Dropbox account was a company-approved BYOC account, and in light of other evidence suggesting Barnes did not access the Dropbox files or other proprietary PrimePay information after leaving his position with the company, the court did not find evidence of trade secret misappropriation.[55] While the court ordered the destruction of PrimePay’s remaining confidential information stored on the Dropbox, it refused to issue a preliminary injunction against the operation of Barnes’ competing enterprise.[56]

[18]     PrimePay reinforces the lesson from Selectica that a laissez-faire approach to personal clouds may lead to corporate disasters. Because PrimePay did not monitor or disable the Dropbox account, Barnes apparently left the company with a massive trove of proprietary company data. Even though the court accepted Barnes’ explanation that he accessed little, if any, of that data after he left the company, PrimePay’s evidence suggested otherwise.[57] While PrimePay may never know how much of its information was used to start Barnes’ competing enterprise, it is reasonably certain that a more robust compliance program would have quarantined the proprietary data before Barnes left the company.[58] This may have obviated the legal expenses and opportunity costs of the litigation. Like Selectica, PrimePay ultimately teaches that organizations should police approved BYOC environments to better safeguard proprietary corporate information.

 B.  Stealth Use of Personal Clouds

[19]     Beyond the problem of a poorly monitored BYOC ecosystem stands the equally troubling scenario of stealth use of personal clouds.[59] Such a scenario involves employees using their personal cloud accounts in connection with their work duties without express company approval.[60] While some employees do so in good faith to facilitate their work, others clandestinely use their cloud accounts to sabotage the organization or to gain a competitive advantage over their former employers after leaving the company.[61] A number of decisions demonstrate the problems with stealth—or “shadow”—use of personal clouds across the spectrum of corporate employees.[62]

  1. Operations-Level Employee

[20]     Operations-level employees are often at the heart of stealth use of personal clouds. For example, in Toyota Industrial Equipment Manufacturing v. Land, a managerial level employee (Land) used Google Drive and other personal cloud applications to steal hundreds of critical documents from his employer (Toyota) before going to work for an industry competitor.[63] Those documents included technical specifications reflecting the proprietary design of certain industrial equipment, along with related pricing and financial information.[64] While authorized to use that data during his employment, Land stored and kept shadow copies of these materials on his Google Drive account so they could be accessible after he left Toyota.[65]

[21]     To facilitate the removal of Toyota’s proprietary information, Land downloaded “GoogleDriveSync.exe” on his work computer.[66] Similar to the corporate-enabled Box account in Selectica, the GoogleDriveSync.exe program enabled Land to simultaneously save documents on his personal Google Drive account that he saved to his company-issued computer.[67] On the eve of his departure from Toyota, Land placed approximately 800 “files and folders” on Google Drive.[68] These actions—Land removing and then retaining Toyota’s proprietary information after his departure from the company in violation of his non-disclosure agreement—resulted in an injunction preventing Land from working for Toyota’s competitor.[69]

[22]     Another case involving stealth cloud use by an operations-level employee is RLI Insurance Company v. Banks.[70] In RLI, the employee (Banks) used a Norwegian cloud provider (Jottacloud)[71] to upload “757 customer claim files and other files containing proprietary information” belonging to her employer (RLI).[72] Banks initially tried to upload the files to her Dropbox account, but RLI’s corporate network denied access to Dropbox.[73] RLI had employed a web filtering software blocking employees from accessing more commonly used cloud providers, such as Dropbox.[74] Undeterred, Banks researched “Dropbox alternatives” that could evade RLI’s filtering protocol, opened a Jottacloud account, and used that service to remove proprietary RLI data in violation of her employment agreement.[75] RLI eventually discovered Banks’ malfeasance, but only after offering her a severance package subsequent to her dismissal from the company.[76]

  1. Company Executives

[23]     Operations-level employees are not alone in their furtive use of personal clouds. Company executives can also be guilty of such conduct. Given the nature of access that executives often have to critical information, such conduct can be particularly problematic. The Frisco Medical Center v. Bledsoe[77] and De Simone v. VSL Pharmaceuticals[78] cases are instructive in this particular scenario.

[24]     In Frisco Medical, the chief operating officer (Bledsoe) for a Texas hospital (Frisco) used Dropbox to obtain several classes of proprietary and patient information before leaving Frisco for a new position elsewhere.[79] More specifically, Bledsoe installed Dropbox on her work computer after she accepted her new position but before she resigned from Frisco.[80] With Dropbox enabled, Bledsoe then transferred “Frisco’s confidential and proprietary information, trade secrets, peer review materials, and statutorily protected patient health information to her personal” cloud account in violation of her employment agreements.[81]

[25]     Frisco did not suspect that Bledsoe surreptitiously removed proprietary information from its computer network until she revealed in an exit interview that “she knew where too many bodies were buried.”[82] It was only then that Frisco began investigating Bledsoe’s computer usage, discovered her use of Dropbox, and determined the extent of the information she had taken from the hospital.[83]

[26]     In contrast to Frisco Medical, De Simone v. VSL Pharmaceuticals involved a chief executive officer (De Simone) who used Dropbox to deprive his company (VSL) of corporate records.[84] De Simone, who served as VSL’s chief executive for more than a decade, became embroiled in a dispute with investors over who rightfully owned VSL’s intellectual property related to the probiotic drug sold by the company.[85] In connection with that dispute, De Simone transferred VSL’s corporate records to his personal Dropbox account.[86] He then wiped the corporate network in order to eliminate any trace of the records and rejected shareholder requests to access the information.[87] After resigning his position as VSL’s CEO a few months later, De Simone began working for a competitive enterprise that manufactured and sold a generic version of VSL’s probiotic drug, taking the corporate records with him.[88]

  1. Analysis of Cloud Jurisprudence

[27]     The cases discussed so far generally involve harm to employers that likely could have been obviated had the organizations taken safeguards to prevent or detect stealth use of personal clouds.[89] Instead, like Selectica, the employers in Toyota Industrial, RLI, and Frisco Medical relied on non-disclosure and other employment agreements to protect their sensitive and proprietary information.[90]

[28]     On the one hand, those agreements successfully enabled the aggrieved parties to obtain injunctions, summary judgment orders, and damages against the cloud-wielding tortfeasors.[91] But at what cost? The employers incurred legal fees and costs for the investigations and court actions they undertook to address the theft of corporate information by their former employees. In addition to those expenses, the organizations sustained substantial opportunity costs. Personnel were likely redirected from business operations to ameliorate the harm caused by the loss of proprietary data. Moreover, industry competitors may have become acquainted with strategic plans, pricing information, design specifications, financial performance, and other proprietary data. All of this may have provided their competitors with an advantage in subsequent business dealings.[92]

[29]     Simply put, the non-disclosure and employment agreements did nothing to stop the perpetrating employees from misappropriating company trade secrets.[93] Beyond the agreements, the only employer that apparently took anything close to a preventative step was RLI, which used a blocking program to prevent personal cloud use.[94] However, even that step proved inadequate as the employee easily circumvented the software filter by using a previously unknown cloud application.[95]

[30]     Just as in Prime Pay, none of the employers appears to have established a process to detect the possible use of personal cloud applications. This is evident from De Simone, as the company did not know that its chief executive used Dropbox to steal its corporate records.[96] That no such process was in place in RLI is confirmed by the company’s initial offering of severance pay to Banks.[97] The Frisco employer only began its search of Bledsoe’s computer activity after she carelessly suggested she knew where the “bodies were buried.”[98] In Toyota Industrial, no efforts were made either to examine Land’s computer activity or to verify his next work destination after he tendered his resignation.[99] Indeed, Toyota allowed Land to work for another two weeks at the company before his termination date.[100]

[31]     With employees now regularly using consumer clouds in connection with their work responsibilities, organizations must be prepared to counteract their potential negative effects. As set forth in Part III, companies should develop proactive measures to address employee use of cloud applications and to mitigate any resulting harm.


[32]     Despite the complexities that personal clouds now present for many organizations, they are not insurmountable. Enterprises can generally manage potential problems through a proactive, common sense approach to information governance. In this Part, I discuss some of the key aspects of an information governance program that can help address the challenges associated with employee use of personal cloud applications.

[33]     A prefatory step that organizations can take in this regard is to create a data map identifying the locations—both on and off the corporate network—where their information resides.[101] While a data map is useful for both information retention and litigation purposes, it is essential for controlling ingress and egress to proprietary information—precisely the data endangered by personal cloud applications.[102] If a company cannot identify the precise areas where it has stored its trade secrets and other sensitive materials, it becomes difficult to establish that it used “reasonable steps” to safeguard that information.[103] In contrast, a current and accurate data map better enables organizations to reasonably account for proprietary records, along with other indispensable business information.[104] Once the data map is in place, organizations can then proceed to develop policies that reasonably ensure the protection of corporate data.[105]

[34]     Those policies should include actionable protocols that address employee use of personal cloud applications.[106] Those protocols should clearly delineate whether personal clouds are permitted and if so, what constitutes an authorized BYOC account.[107] Whether an enterprise chooses to ban the use of personal clouds or to adopt a BYOC-friendly environment, the policy should include audit and enforcement mechanisms to gauge policy observance.[108] At a minimum, those mechanisms ought to include the right to monitor, access, and disable employee use of personal clouds.[109] Related mechanisms will also be required for those organizations that proscribe BYOC use since employees will likely circumvent such a policy.[110] For example, blocking programs like the one used in RLI, while not foolproof, are a practicable first step to preventing some personal cloud use.[111]

[35]     In a BYOC ecosystem, applicable protocols should additionally describe what company data can or cannot be transferred to the cloud.[112] Organizations should also require the disclosure of user login credentials for approved cloud applications to ensure appropriate policy compliance.[113] Upon an employee’s termination, approved BYOC accounts should either be disabled or the company should verify that company data previously maintained in the account has been either returned or destroyed.[114]

[36]     In like manner, non-BYOC organizations should consider examining terminated employees’ computer activity and corporate devices to detect whether there was illicit use of personal clouds.[115] However, such a step may not be practicable for many organizations that lack the resources for a thorough review of every employee device. If a comprehensive sweep is cost prohibitive, organizations should consider conducting a review of those employees whose possible disclosure of corporate information carries the greatest risk to the enterprise.[116] The extent to which a company carries out this step likely depends on the role of the terminated employees, their position in the company, and the nature of the information to which they were privy.[117] Despite the expense of this procedure, such a step would likely have obviated much of the litigation that ensued in Selectica, Novatus, Toyota Industrial, RLI, and Frisco Medical.


[37]     The challenges with personal cloud applications need not be an intractable problem. Following industry best practices like those suggested in Part III should help organizations address many of the troubles associated with approved BYOC accounts. They should also mitigate the harm created by stealth cloud use that may go undetected. While certainly not an elixir, adopting these practices should help companies avoid many of the worst problems associated with personal cloud use in the enterprise.




*Consultant, Discovery and Information Governance, Driven, Inc.; J.D., Santa Clara University School of Law, 1999; B.A., Political Science, Brigham Young University, 1994.


[1] See Joe McKendrick, 5 Benefits of Cloud Computing You Aren’t Likely to See in a Sales Brochure, Forbes (July 21, 2013, 9:04 PM),, archived at

 [2] See Edwin Schouten, 5 Cloud Business Benefits, Wired (Oct. 5, 2012),, archived at

 [3] See Jim Lynch, What Are the Benefits and Drawbacks of Cloud Computing?, TechSoup (Feb. 6, 2015),, archived at

[4] See id.

[5] See Nicholas Lee, Is Your Corporate Data Appearing on Personal Clouds?, CloudTweaks (Sept. 9, 2015),, archived at

[6] See Zack Christenson, Benefits of Cloud Computing, American Consumer Institute (Sept. 30, 2013),, archived at

[7] See Bill Kleyman, What Personal Cloud Means for Consumers and Enterprises, Data Center Knowledge (Sept. 10, 2013),, archived at

[8] See Louis Columbus, How Enterprises Are Capitalizing on the Consumerization of IT, Forbes (Mar. 24, 2014, 06:43 AM),, archived at (“79% [of surveyed enterprises] report that file sharing and collaboration tools including Box, Egnyte, Google Apps, Microsoft Office 365, GroupLogic, ShareFile and others are pervasively used today. 49% are with IT approval and 30% are not.”).

[9] See Andrew Froehlich, The Buck Stops at BYOC, InformationWeek (Jan. 29, 2014, 12:00 PM),, archived at (“Employees are comfortable using services such as DropBox, Google Apps, and Carbonite at home. Because of that comfort level, they naturally want to use those same tools in their business life.”); Intermarine, L.L.C. v. Spliethoff Bevrachtingskantoor, B.V., No. 15-mc-80211-MEJ, 2015 U.S. Dist. LEXIS 112689, at *2 (N.D. Cal. Aug. 20, 2015) (“Dropbox provides a document storage and sharing service through which users can collectively save, share, and edit documents stored ‘in the cloud.’”).

[10] See Froehlich, supra note 9.

[11] See id. (“Lack of IT management and control will quickly put an end to BYOC, even though it has the potential to provide real benefits.”).

[12] See Frisco Med. Ctr., L.L.P. v. Bledsoe, No. 4:12-CV-37; 4:15cv105, 2015 U.S. Dist. LEXIS 159915, at *22–24, *29 (E.D. Tex. Nov. 30, 2015) (discussing defendants’ extensive use of Dropbox to remove vast amounts of proprietary information belonging to plaintiff).

[13] See Susan Miller, New Risk on the Block: Bring Your Own Cloud, GCN (May 23, 2013), archived at

[14] See Robert L. Mitchell, IT’s New Concern: The Personal Cloud, ComputerWorld (May 20, 2013, 7:00 AM),–the-personal-cloud.html, archived at

[15] See discussion infra Part II.

[16] See Froehlich, supra note 9.

[17] See id. (“BYOC presents a nightmare scenario because data can be copied, duplicated, and ultimately lost or stolen via the various cloud services.”).

[18] See Columbus, supra note 8.

[19] See Victoria Barret, Dropbox: The Inside Story of Tech’s Hottest Startup, Forbes (Oct. 18, 2011, 8:30 AM),, archived at; Jonathan Strickland, How Cloud Storage Works, (Apr. 30, 2008),, archived at (Web-based e-mail providers like Yahoo! and Hotmail have been providing their users with a quasi-cloud computing environment through e-mail since the 1990s).

[20] See, e.g., Animators at Law, Inc. v. Capital Legal Solutions, L.L.C., 786 F. Supp. 2d 1114, 1117–18 (E.D. Va. 2011) (explaining that plaintiff’s former employees accessed company files stored in a company Dropbox account through login credentials that plaintiff failed to disable after the employees left the company).

[21] See Columbus, supra note 8.

[22] See Boston Scientific Corp. v. Lee, No. 13-13156-DJC, 2014 U.S. Dist. LEXIS 66220, at *2, *4–7 (D. Mass. May 14, 2014) (enjoining defendant from using proprietary information that he had taken from his prior employer and which he stored both during and after his employment on Google Drive).

[23] See Selectica, Inc. v. Novatus, Inc., No. 6:13-cv-1708-Orl-40TBS, 2015 U.S. Dist. LEXIS 30460, at *2 (M.D. Fla. Mar. 12, 2015).

[24] See Columbus, supra note 8.

[25] See Froehlich, supra note 9.

[26] See Frisco Med. Ctr., L.L.P. v. Bledsoe, No. 4:12-CV-37; 4:15cv105, 2015 U.S. Dist. LEXIS 159915, at *7–9 (observing that defendants’ former employer began investigating the possibility that defendants took proprietary company data in violation of their non-disclosure agreements only after one of the defendants mentioned that “she knew where too many bodies were buried.”).

[27] See Toyota Indus. Equip. Mfg. v. Land, No. 1:14-cv-1049-JMS-TAB, 2014 U.S. Dist. LEXIS 99070, at *5–6, *9 (S.D. Ind. July 21, 2014) (explaining that defendant uploaded confidential information from his former employer to his Google Drive account before going to work for an industry competitor).

[28] See Selectica, Inc. v. Novatus, Inc., No. 6:13-cv-1708-Orl-40TBS, 2015 U.S. Dist. LEXIS 30460 (M.D. Fla. Mar. 12, 2015).

[29] See PrimePay, L.L.C. v. Barnes, No. 14-11838, 2015 U.S. Dist. LEXIS 65710 (E.D. Mich. May 20, 2015).

[30] See Selectica, Inc., 2015 U.S. Dist. LEXIS 30460, at *4.

[31] See id. at *2.

[32] See id. at *1.

[33] See id. at *3.

[34] See id.

[35] See Selectica, Inc., 2015 U.S. Dist. LEXIS 30460, at *2–3.

[36] Id. at *2 (emphasis added).

[37] See id. at *2.

[38] See id. at *2–3.

[39] See id. at *17.

[40] See Selectica, Inc., 2015 U.S. Dist LEXIS 30460, at *2–3.

[41] See id.

[42] See id.

[43] See Tom Nolle, Bring Your Own Cloud: The Movement Companies Can’t and Shouldn’t Stop, TechTarget (Apr. 8, 2014),, archived at

[44] See PrimePay, L.L.C. v. Barnes, No. 14-11838, 2015 U.S. Dist. LEXIS 65710 (E.D. Mich. May 20, 2015).

[45] See id. at *2.

[46] See id. at *4–5.

[47] See id. at *2, *9–11.

[48] Id. at *8–9.

[49] See PrimePay, L.L.C., 2015 U.S. Dist. LEXIS 65710, at *3.

[50] See id. at *11–13.

[51] See id. at *12.

[52] See id. at *11.

[53] See id.

[54] PrimePay, L.L.C., 2015 U.S. Dist. LEXIS 65710, at *11.

[55] See id. at *64, 66.

[56] See id. at *106–08.

[57] See id. at *34–36, *100–01.

[58] See Lee, supra note 5.

[59] See Danny Palmer, CIOs Worried Cloud Computing and Shadow IT Creating Security Risks, Computing (July 27, 2015),, archived at

[60] See Thoran Rodrigues, Cloud Computing and the Dangers of Shadow IT, TechRepublic (Aug. 16, 2013, 12:48 PM),, archived at

[61] See, e.g., Frisco Med. Ctr., L.L.P. v. Bledsoe, No. 4:12-CV-37; 4:15cv105, 2015 U.S. Dist. LEXIS 159915, at *3–4, *8–9 (E.D. Tex. Nov. 30, 2015); Toyota Indus. Equip. Mfg. v. Land, No. 1:14-cv-1049-JMS-TAB, 2014 U.S. Dist. LEXIS 99070, at *10, *13–14 (S.D. Ind. July 21, 2014).

[62] See Rodrigues, supra note 60.

[63] See Toyota Indus. Equip. Mfg., Inc., 2014 U.S. Dist. LEXIS 99070, at *3–7.

[64] See id. at *5.

[65] See id. at *5–7.

[66] See id. at *6–8.

[67] See id. at *6–7.

[68] See Toyota Indus. Equip. Mfg., Inc., 2014 U.S. Dist. LEXIS 99070, at *8.

[69] See id. at *15–16, *22.

[70] See RLI Ins. Co. v. Banks, No. 1:14-CV-1108-TWT, 2015 U.S. Dist. LEXIS 9396, (N.D. Ga. Jan. 27, 2015).

[71] See id at *2; see generally Jottacloud,, archived at (last visited Mar. 17, 2016) (“Jottacloud is a cloud storage service for individuals and companies that lets you backup, synchronize, store and share files from all your devices. The uploaded data is protected by one of the worlds [sic] strongest privacy laws, with all your data stored in Norway.”).

[72] RLI Ins. Co., 2015 U.S. Dist. LEXIS 9396, at *2.

[73] See id.

[74] See id. at *1–2.

[75] Id. at *2.

[76] See Verified Complaint for Damages and Emergency Injunctive Relief at 15–16, RLI Ins. Co. v. Banks, 2015 U.S. Dist. LEXIS 9396 (N.D. Ga. Jan. 27, 2015) (No. 1:14-CV-1108-TWT) (“Not aware of Defendant’s misappropriation of RLI’s Customer Claim Files and Proprietary Information, RLI offered Defendant a severance package upon her termination. Defendant had not yet accepted the offer of a severance package when RLI discovered the misappropriation. Based on Defendant’s misconduct, RLI revoked its offer of severance to Defendant by letter to Defendant.”).

[77] See Frisco Med. Ctr., L.L.P. v. Bledsoe, No. 4:12-CV-37; 4:15cv105, 2015 U.S. Dist. LEXIS 159915 (E.D. Tex. Nov. 30, 2015).

[78] See De Simone v. VSL Pharm., Inc., No. TDC-15-1356, 2015 U.S. Dist. LEXIS 128209, at *2 (D. Md. Sept. 23, 2015).

[79] See Frisco Med. Ctr., L.L.P., 2015 U.S. Dist. LEXIS 159915, at *8.

[80] See id. at *12.

[81] Id. at *11.

[82] Id. at *7.

[83] See id. at *7–9.

[84] See De Simone v. VSL Pharm., Inc., No. TDC-15-1356, 2015 U.S. Dist. LEXIS 128209, at *48 (D. Md. Sept. 23, 2015).

[85] See id. at *1–2.

[86] See id. at *48–49.

[87] See id. at *18.

[88] See id. at *2.

[89] See discussion infra Part III.

[90] See Frisco Med. Ctr., L.L.P. v. Bledsoe, No. 4:12-CV-37; 4:15cv105, 2015 U.S. Dist. LEXIS 159915, at *3 (E.D. Tex. Nov. 30, 2015); RLI Ins. Co. v. Banks, No. 1:14-CV-1108-TWT, 2015 U.S. Dist. LEXIS 9396, at *2, *6 (N.D. Ga. Jan. 27, 2015); Toyota Indus. Equip. Mfg. v. Land, No. 1:14-cv-1049-JMS-TAB, 2014 U.S. Dist. LEXIS 99070, at *4–6 (S.D. Ind. July 21, 2014).

[91] See Frisco Med. Ctr., L.L.P., 2015 U.S. Dist. LEXIS 159915, at *40–41 (granting Frisco summary judgment against Bledsoe on its trade secret claims); Toyota Indus. Equip. Mfg., Inc., 2014 U.S. Dist. LEXIS 99070, at *21–22 (enjoining Land from working for his new employer).

[92] See Frisco Med. Ctr., L.L.P., 2015 U.S. Dist. LEXIS 159915, at *2 (stating that beyond the problems with industry competitors, such unauthorized disclosures could violate regulatory schemes such as the Health Insurance Portability and Accountability Act, or HIPAA).

[93] See David S. Levine, School Boy’s Tricks: Reasonable Cybersecurity and the Panic of Law Creation, 72 Wash. & Lee L. Rev. 323, 334–35 (2015) (observing that many companies prefer to litigate rather than protect their trade secrets).

[94] See RLI Ins. Co., 2015 U.S. Dist. LEXIS 9396, at *1–2.

[95] See id. at *2.

[96] See De Simone v. VSL Pharm., Inc., No. TDC-15-1356, 2015 U.S. Dist. LEXIS 128209, at *48 (D. Md. Sept. 23, 2015).

[97] See Verified Complaint for Damages and Emergency Injunctive Relief at 15–16, RLI Ins. Co. v. Banks, 2015 U.S. Dist. LEXIS 9396 (N.D. Ga. Jan. 27, 2015) (No. 1:14-CV-1108-TWT).

[98] Frisco Med. Ctr., L.L.P. v. Bledsoe, No. 4:12-CV-37; 4:15cv105, 2015 U.S. Dist. LEXIS 159915, at *7 (E.D. Tex. Nov. 30, 2015).

[99] See Toyota Indus. Equip. Mfg. v. Land, No. 1:14-cv-1049-JMS-TAB, 2014 U.S. Dist. LEXIS 99070, at *6 (S.D. Ind. July 21, 2014).

[100] See id.

[101] See David Wetmore & Scott Clary, To Map or Not to Map: Strategies for Classifying Sources of ESI, Information Management (2009),, archived at

[102] See R. Mark Halligan, Protecting U.S. Trade Secret Assets in the 21st Century, 6 Landslide, No. 1, Sept.–Oct. 2013, at 4,, archived at (urging companies to adopt “mapping” approaches to better safeguard trade secrets); see also Sterling Miller, Ten Things: Trade Secrets and Protecting Your Company, Corporate Law Advisory (Apr. 27, 2015),, archived at [hereinafter Miller] (“You need an inventory of all of the company’s trade secrets . . . [a]n inventory helps you identify what steps are needed to keep those specific items confidential and protected and be clear with the business what items are not considered trade secrets . . .”).

[103] See Boston Scientific Corp. v. Lee, No. 13-13156-DJC, 2014 U.S. Dist. LEXIS 66220, at *10, *12–13 (D. Mass. May 14, 2014) (finding the employer used “reasonable means to protect its trade secrets” despite contradictory evidence suggesting an employee openly used a personal Google Drive account to access and store confidential company information).

[104] See Halligan, supra note 102, at 4.

[105] See, e.g., Philip J. Favro, Getting Serious: Why Companies Must Adopt Information Governance Measures to Prepare for the Upcoming Changes to the Federal Rules of Civil Procedure, 20 Rich. J.L. & Tech. 5, 25–35 (2014),, archived at (explaining that a comprehensive information governance plan would take various factors into consideration. They would likely include the length of pertinent retention periods, the ability to preserve data for legal matters, applicable data protection laws, cybersecurity initiatives, and use policies for smartphones and other mobile devices).

[106] See Philip Favro, Do You Know Your BYOCs?, Legal Tech. News (July 13, 2015),, archived at

[107] See Miller, supra note 102.

[108] See Sophie Vanhegan, Legal Guidance: Protecting Company Information in the Cloud-Era, HRZone (Apr. 23, 2013),, archived at

[109] See id. (observing that corporate policies must “allow company monitoring of employees’ IT activity and work email accounts . . .”).

[110] See id. (“Employers may also wish to consider . . . implementing IT measures to prohibit uploading of documents onto web-based applications.”); see also RLI Ins. Co. v. Banks, No. 1:14-CV-1108-TWT, 2015 U.S. Dist. LEXIS 9396, at *2 (N.D. Ga. Jan. 27, 2015).

[111] See, e.g., RLI Ins. Co., 2015 U.S. Dist. LEXIS 9396, at *1–2.

[112] See Vanhegan, supra note 108 (explaining that policies addressing personal cloud usage should “expressly prohibit the removal of company documents and information outside the company’s systems.”).

[113] See Esther Schindler, Protecting Corporate Data…When an Employee Leaves, Druva Blog (Oct. 13, 2014),, archived at

[114] See Rachel Holdgrafer, Fix Insider Threat with Data Loss Prevention, Cloud Security Alliance (Dec. 10, 2015),, archived at

[115] See Miller, supra note 102 (“Departing employees constitute one of your biggest risks for trade-secret theft.”).

[116] See id.

 [117] See id.; see also Frisco Med. Ctr., L.L.P. v. Bledsoe, No. 4:12-CV-37; 4:15cv105, 2015 U.S. Dist. LEXIS 159915, at *5 (E.D. Tex. Nov. 30, 2015).

Big Tech Company v. Federal Government Part 2:

micro soft

By: Biniam Tesfamariam,

Microsoft is also in a legal battle with the U.S. government, but this fight deals with consumer privacy information that can only be accessed in another country. In December 2013, the U.S. government obtained a search warrant requesting information about an email user for an investigation apparently involving drugs and money laundering.[1] Microsoft is refusing to cooperate because the data in question is stored in Ireland, and the company argues that the U.S. government cannot force it to hand over data stored outside American soil.[2]

Users of a Microsoft e-mail account can, with a user name and a password, send and receive email messages as well as store messages in personalized folders. E-mail message data include both content information- the message and subject line. Also non-content information such as: the sender address, the recipient address, and the date and time of the transmission.

Microsoft stores e-mail messages sent and received by its users in its datacenters, once of which is of special interest to the U.S. government. In 2013, the U.S. Department of Justice served Microsoft with a subpoena and a search for emails that live in a data center in Ireland.[3] One of Microsoft’s arguments is that for data held overseas, the U.S. government should abide by its mutual legal assistance treaties, which are agreement between the United States and foreign countries that typically require the requesting government to be in compliance with other government’s laws.[4] Irish law requires authorization from an Irish District Court judge to obtain e-main content from a provider.[5]

The judge in the case, James Francis, agreed with the government, arguing that the search warrant issued in this case applies to data in Ireland because it’s more of a hybrid between a warrant and a subpoena. What this means: the request would be legal since subpoenas have reach outside the U.S.[6]

Nonetheless, it will be interesting to see what occurs when this case goes on appeal, as it has huge implications for the privacy of U.S. citizens who use American internet services.



[1] Lorenzo Bichhierai, Microsoft Fights U.S. Government Over Rights to Data on Foreign Servers, mashable (Jun. 12, 2014),

[2] Id.

[3] In re Warrant to Search a Certain E-Mail Account Controlled and Maintained by Microsoft Corp., 15 F. Supp.3d 466, 2014 WL 1661004 (S.D.N.Y. Apr. 25, 2014).

[4] David Goldman, Microsoft is Fighting the DOJ too, CNN (Feb. 23, 2016 6:52 PM),

[5] Criminal Justice Mutual Assistance Act, (Northern Ireland) 2008.

[6] In re Warrant to Search a Certain E-Mail Account Controlled and Maintained by Microsoft Corp., 15 F. Supp.3d 466, 2014 WL 1661004 (S.D.N.Y. Apr. 25, 2014)


Photo Source:

Shaolin In Jeopardy: Possible Fates For the Sole Copy of Wu-Tang Clan’s Latest Album


By: Sean Livesey

In November of 2014, Josh Lepchitz published a blog post entitled “Step Into Shaolin and See Where the Wu-Tang Clan Could Be Taking Music.”[1] The post includes a brief yet incisive appraisal of the current state of the music industry from the artists’ perspective, given the advent and climbing popularity of services like Spotify, Pandora and Youtube.[2] Given this context, the post goes on to address a novel approach to music sale taken by the Wu-Tang Clan: the group recorded and produced a 31-track album in secret, creating one single copy to be sold directly to the highest bidder, with sole rights to the art transferring to the buyer at the time of sale. The album is entitled “Once Upon a Time in Shaolin.” Lepchitz’s post concludes with thoughts on Wu-Tang’s contribution to the music industry, not only as artists, but as market innovators, as well.[3]

Sure enough, Once Upon a Time in Shaolin was sold directly to a single wealthy buyer by the name of Martin Shkreli in May of 2015.[4] Shkreli, also referred to as “pharma bro” by the media, is the 32-year old CEO of a pharmaceutical company. He first “entered the public consciousness…when he announced a price spike in [October 2015]…for Daraprim, a 62-year-old medication used by AIDS and cancer patients to fight life-threatening parasitic infections, that upped the price from $13.50 USD to $750 a pill.[5] The public reacted very negatively to what was perceived as price gouging by Shkreli. When Shkreli bought the coveted Wu-Tang album he tweeted ostentatiously about it:

Figure 1:[6]

WU tang image 1

Martin Shkreli’s plans for the album were immediately unclear. Shortly after purchasing the album and attaining sole ownership of its contents, he teased that he might play part of it for the public. He even said that he’d probably never hear it, and that he “just thought it would be funny to keep it from people.”[7] However, while Shkreli obtained title to and possession of the album, his sole ownership is not entirely without limitations. One key provision the under the contract is that the album’s copyright belongs to the album’s creators, Wu-Tang Clan, for the next 88 years.[8] This means Shkreli will not be legally permitted to distribute the music, or make it “commercially available” for 88 years.[9] VICE later caught up with Shkreli at his midtown apartment. When asked if people would ever be able to hear the album, Shkreli replied, “It depends on the world. I could see myself in a place where I break it, and I’ve seriously considered that – just snap it in half and bury the remains of it so no one tries to reconstruct it. I’ve seen a world where I give it away for free. I’ve seen a world where I charge for it or something… If people want to hear it, I’ll put it out. If people don’t want to hear it – they don’t appreciate Wu Tang for what I think it is – that’s fine, too… Who knows…”[10]

Then, in a major turn of events, Martin Shkreli was arrested on December 17, 2015 for securities fraud and the orchestration of what amounts to a complex Ponzi scheme, wherein he used sham consulting operations to make secret payoffs.[11] “’Federal prosecutors accused Shkreli of engaging in a complicated shell game after his defunct hedge fund, MSMB Capital Management, lost millions,’ Bloomberg reports.”[12] Brooklyn U.S. Attorney Robert Capers stated, “His [Shkreli’s] plots were matched only by efforts to conceal the fraud, which led him to operate his companies, which including a publicly traded company, as a Ponzi scheme…”[13]

Shkreli defended his actions after the fact, saying, “In law, you can be prosecuted for not maximizing profits. In fact, I know people who have. And you have to do everything in your power to make as much money as possible in the system we’ve got. That’s business, you can’t hold back.”[14]

Members of the Wu-Tang clan responded to Shkreli’s arrest. “In a statement mailed to Bloomberg Businessweek, RZA [of the Wu-Tang Clan] wrote, ‘The sale of Once Upon a Time in Shaolin was agreed upon in May, well before Martin Shkreli’s [sic] business practices came to light. We decided to give a significant portion of the proceeds to charity.’”[15] Many were quick to speculate as to the fate of the Wu-Tang album, and whether the album would ever reach the public.

Myths began to surround the prospect of the album’s release to public. The most famous of these myths was probably what I’ll call “the Bill Murray caveat.” At least seven major news outlets released headlines referring to a Bill Murray clause in the contract between Shkreli and Wu-Tang.[16] The clause purportedly states that “the seller may legally plan and attempt to execute one (1) heist or caper to steal back Once Upon A Time In Shaolin, which, if successful, would return all ownership rights to the seller. Said heist or caper can only be undertaken by currently active members of the Wu-Tang Clan and/or actor Bill Murray, with no legal repurcussions…”[17] It turns out, however, that the clause was merely a hoax, and this language never actually existed in the written contract.

Figure 2:[18]

WU tang image 2

Hoaxes aside, there appear to be three legitimate legal possibilities that could release the album from Shkreli’s exclusive ownership. The first possibility is asset forfeiture to the U.S. government.[19] As of now, the feds do not have possession of or access to the Wu-Tank album.[20] The FBI is still investigating Shkreli’s case. If, however, the money that paid for the album can be linked with the money stolen from investors, executive power allows the U.S. government to enact asset forfeiture.[21]

Asset forfeiture would only be a possibility if Shkreli is convicted because this is a criminal case. Civil cases, on the other hand, do not require a civil judgment for asset forfeiture to be enacted by the government. In the event of an FBI discovery of such a link and a subsequent criminal conviction, the government could seize the Wu-Tang album and sell it to the public in order to recover some of the funds Shkreli allegedly stole from his investors. The FBI considers asset forfeiture to be the most effective means of recovering property and funds to compensate innocent victims of white-collar crimes.

The charges in the affidavit state, “The United States hereby gives notice to the defendants that, upon their conviction of any of the offenses charged in Counts One through Seven,[22] the government will seek forfeiture, in accordance with Title 18, United States Code, Section 981(a)(1)(C) and Title 28, United States Code, Section 2461(c), of any property, real or personal, which constitutes or is derived from proceeds traceable to any such offenses.”[23]

The second possibility is related to the first in that it, too, would result in a likely sale of the album to the public. However, it could be done in the absence of an FBI seizure of the album.[24] Mounting financial pressure on Shkreli (due to the pending lawsuit and virtually inevitable fines and penalties) could result in such a “forced sale.”[25] One interesting aspect of this scenario is the speculable market price of the album, now that it has received so much extra media exposure because of its link to the notorious high-profile CEO.[26] Shkreli could theoretically sell the album as an investment with a sizeable return.

The third possibility that could release the album from Shkreli’s exclusive ownership is an internet liberation through a formal request under the Freedom of Information Act.[27] While a somewhat unlikely possibility, a popular enough petition to release the album could carry weight in Washington. In the past, such requests have forced revelation of a great deal of information, including things like the White House beer recipe and the FBI’s Twitter slang dictionary.[28]

Will the public ever hear Once Upon a Time in Shaolin any time soon? That will likely be up to Shkreli. In spite of his accusations, he currently retains the right to sell the album, distribute it for free, or destroy it, without legal repercussions. The possibility of a seizure by the FBI seizure of the album, which is dependent on a criminal conviction, could be years away, and the chances of a revelation under the Freedom of Information Act is probably slim. Perhaps Shkreli will even have a change of heart and return the album to its creators, but I wouldn’t hold my breath.






[3] Id.



















Brooklyn U.S. Attorney Robert Capers stated, “We’re not aware of where he got the funds for the Wu-Tang album.” (



[24] Id.

[25] Id.

[26] Id.

[27] Id.

[28] Id.


Photo Source:

Error 53: The iPhone Error Message Enraging Apple Users Worldwide

image 53

By: Meghan Murphy,

Shattered your iPhone 6 screen? Before having it fixed—beware third-party repairs. iPhone users around the world are outraged at the “Error 53” message appearing on their screens after updating to the newest iOS software.[1] As The Guardian reported recently, iPhone 6, 6S and 6+ users are relating countless stories of needing their shattered screens fixed, and going to a local merchant to have the work done.[2] Sometimes in the course of these repairs, the original home button was damaged and replaced.[3] Repaired well, these phones worked for months—until they attempted to update the iOS software as Apple recommends, and received the “Error 53” message before their phones became unusable.[4]

The problem appears to be in the hardware—often within the course of screen repair, the hardware connecting the fingerprint sensor on the home button could be damaged.[5] When the software attempts to update, it runs a diagnostic to make sure that all of the hardware is intact and working—and if the diagnostic finds a non-original home button, it shuts the entire phone down.[6] Apple claims this is a security measure, to make sure that no one can tamper with the home button or install another fingerprint sensor to gain access to someone else’s phone.[7] Even if this is the case, such an all-encompassing security measure seems extreme, especially considering customers had no notice that it would occur.[8]

Seattle firm PCVA agreed—and filed a class action lawsuit against Apple on February 5th, 2016.[9] As a firm press release stated, “We believe that Apple may be intentionally forcing    users to use their repair services, which cost much more than most third party repair shops. Where you could get your screen replaced by a neighborhood repair facility for $50-80, Apple charges $129 or more. There is incentive for Apple to keep end users from finding alternative methods to fix their products.”[10] However, in the interim, business savvy Apple took a U-turn and now claims now that “[diagnostic] test was designed to check whether Touch ID works properly before the device leaves the factory, and wasn’t intended to affect customers.”[11] As of February 18th, Apple is now providing new software available in iOS update 9.2.1, which they say will restore previously “bricked” devices, and offering reimbursements to those who paid for out-of-warranty device replacements.[12]

The future of the lawsuit is unclear at this juncture. While Apply has clearly attempted to mitigate the damage by restoring old devices and offering reimbursements, surely many loyal Apple customers are still angry at Apple’s actions. It is possible that even with the software fix, miffed customers will still want to proceed with the lawsuit—although perhaps with a different spin. Only time will tell.



[1] Miles Brignall, “‘Error 53’ fury mounts as Apple software update threatens to kill your iPhone,” Guardian (Feb. 5, 2016, 1:59 PM),

[2] Id.

[3] Jack Nicas, “‘Error 53′: Your Repaired iPhone Is Dead,” Wall Street J. Blog (Feb. 5, 2016, 4:07 PM),

[4] Id.

[5] Brignall, supra note 1.

[6] Id.

[7] Chris Johnston, “Apple says iPhone ‘Error 53′ is to protect customers’ security,” guardian (Feb. 6, 2016, 8:57 PM),

[8] Nicas, supra note 3.

[9] Miles Brignall, “Apple under pressure as lawyers pledge action over ‘Error 53’ codes,” Guardian (Feb. 8, 2016, 11:56 AM),

[10] “Class Action Lawsuit: Apple IPhone ‘Error 53,’” PCVA Law Firm (Feb. 5, 2016), (last visited Feb. 23, 2016).

[11] “If you see error 53 and your iPhone or iPad gets stuck on the ‘Connect to iTunes‘ screen,” Apple (last modified Feb. 19, 2016).

[12] Id.


Photo Source:

The Big Potential of Microgrids


By: Ryan Suit,

The United States is approaching a crossroads when it comes to electricity: should we continue with our old grid system that is functional but far from ideal, or reinvest in a new means of generating and transmitting electricity? If we choose the latter, one promising solution is to invest in the construction of microgrids. Microgrids are essentially much smaller versions of the national power grid, but instead of supplying energy to the whole country, microgrids serve towns, neighborhoods, city blocks, or other localized areas.[1]

The Grid

In order to understand the potential benefits of microgrids, one must first know about how the grid in the Unites States currently works. The grid is divided into three parts: the East, the West, and Texas. These sections are connected, but mainly run independent of each other. The power grid consists of three segments of producing and delivering electricity: generation, transmission, and distribution. Electricity is generated at power plants. It is then transmitted across miles, or hundreds-of-miles, of electric transmission lines before reaching a distribution point so that it can be delivered to consumers. Essentially, the grid is a massive web of interconnected transmission lines that get energy pumped into them before the electricity eventually makes its way to homes and into electronics.

The grid must always balance the amount of electricity being supplied with the amount being demanded.[2] If the amount of electricity being supplied does not match the amount being demanded, the grid will crash.[3] This means that there is a constant need for electricity to be generated. The minimum amount of electricity that is always generated is known as the “base load”. As demand for electricity increases, due to higher or lower use during different times of the day or of the year, then more electricity is generated as needed.[4]

The grid was never planned, but rather grew to meet demand as demand increased. There are numerous issues facing the grid today. For one, the grid is relatively inefficient. Power plants from all over the country are generating electricity that, because of the web of transmission lines, may be used by a consumer several states away.[5] On average, there is a 6% loss of the electricity generated simply because it has to be transmitted so far to consumers.[6] Another problem facing the grid is its vulnerability to cyber and terror attacks because of how extended and sprawling it is. Further, the grid is not always reliable because of severe weather and global warming.[7] “Weather events are the number one cause of power outages. Increasing temperatures, decreasing water availability, increasing storms, flooding, rising sea level…and increasing intensity of storm events increases risks to electric transmission and distribution lines.”[8] One of the largest issues the grid must deal with is the amount of carbon dioxide produced by power plants that use coal and natural gas.[9] Already, 87% of the electricity consumed in the United States comes from fossil fuels.[10] Carbon dioxide emissions will only get worse with our current grid because electricity demand is expected to increase substantially by 2050.[11] Clearly, the national power grid is not an ideal way to generate electricity.


A microgrid is a miniature power grid that produces electricity for a localized area.[12] Microgrids can work on or off of the main power grid.[13] There are numerous benefits to building and using microgrids: they are more efficient, they improve reliability of electricity, they can save money, they are less vulnerable to cyber and terror attacks, and they can incorporate more renewable energy.

Microgrids are more efficient because the power used by the consumers on the microgrid is generated locally.[14] Rather than using electricity from several states away, the electricity can be generated across town, or even next door.[15] Microgrids enable the use of “distributed generation”, which is when neighbors rely on each other for electricity.[16] When neighbor A is generating a surplus of power from the solar panels on her house, she can only sell it back to the utility company in our current grid scheme. On a microgrid, however, that extra energy could be sold to neighbor B or neighbor C, depending on which neighbor needed more electricity at the time.[17] There is technology that acts as the central control over a microgrid, and can automatically divert electricity on a microgrid to where it is needed.[18]

Because microgrids generate electricity locally, they also can improve the reliability of electricity.[19] Local power does not need to travel across states, so there would be less loss of electricity due to less transmission. Additionally, severe weather would cause less problems.[20] In 2008 and 2009, a small town in New York suffered multiple power outages due to ice storms knocking down power lines and disconnecting the 5,000 residents from the grid.[21] Without the transmission lines, the town was isolated from the grid, and thus cut off from any electricity.[22] The town has since invested in a microgrid with renewable energy so that they can generate their own power and not be reliant upon the national grid.[23]

Another added benefit to microgrids is that they are less susceptible to cyberattacks.[24] The national power grid is so large and expansive that cyberattacks are a legitimate threat.[25] Microgrids, on the other hand, are localized and can be more easily protected. Plus, if an attack were to happen in a different state, energy customers far away would be safe. That is not necessarily the case with the national grid.

Microgrids can also save money.[26] Because there are fewer customers on a microgrid, there is less electricity demand. Additionally, it is easier to track the energy use of fewer customers. Combining those two, microgrids are able to know how much electricity generate to match demand, rather than generating a constant amount that may not all be used. As such, there is less electricity generated, meaning there is also less electricity wasted. Both of those decrease generation costs and save money for everyone on the microgrid.[27]

The most environmentally-friendly perk of microgrids is that they are more able to incorporate renewable energies.[28] Since there are less customers, the variable electricity provided by wind or solar power causes less problems for a microgrid.[29] For one, less demand for electricity means that renewables may be able to produce enough to provide enough power for all consumers on a microgrid.[30] Second, less demand on a microgrid makes batteries and fuel cells more viable.[31] Currently, renewable energy sources like wind and solar are not easily incorporated into the grid because they do not constantly generate power, meaning that they are not the best sources of energy to balance the supply and demand of electricity. In addition, even the largest batteries are too small to store electricity from renewables on a national scale. Microgrids do not have to deal with this problem. Microgrids are small enough that batteries and fuel cells can store energy for when solar or wind power is not available, which makes microgrids and alternative energy projects much more feasible.

The Law Surrounding Microgrids

Though the benefits of microgrids are numerous and apparent, current energy laws make it difficult for microgrids to be built. Currently, there are few laws that directly regulate microgrids.[32] However, the current legal scheme makes it difficult, if not impossible, for microgrids to be built with any kind of economic viability.[33]

Federal support for microgrids has been growing. Following the destruction and massive power outages caused by Hurricane Sandy in 2012, the Federal government began looking more into microgrids.[34] The “Hurricane Sandy Rebuilding Task Force (Task Force) proposals, which were federally supported proposals to encourage microgrids in New York, are perhaps the most direct source of microgrid support at the federal level.”[35]  The majority of state laws do not speak directly to microgrids, either, and actually serve as a barrier to their development.[36] According to Sara Bronin,


“By far the biggest barrier to the creation of microgrids is contradictory, unclear, or hostile law. State legislatures and state public utility commissions have made it difficult to determine whether a microgrid project can be built. One critical question is whether a microgrid should be considered a public utility. State laws often define “public utility” to include any person or entity furnishing power to another, without regard to the number of recipients of such power and without exceptions for alternative energy or microgrids. Such broad definitions would subject even a microgrid with two users to burdensome regulation, because public utilities must abide by very strict rules that determine allowable technologies, tariffs, technical requirements, and other parameters. No state laws squarely address microgrids, and no comprehensive, publicly-available analysis of possible means to allow microgrids within current state law appears to exist.”[37]

Similar to state laws, local laws do not readily facilitate microgrid development, specifically with renewable energies.[38] Zoning ordinances, aesthetic controls, and historic preservation rules often stand in the way of alternative energy projects that could be used to supply power to microgrids.[39] Overall, the entire legal regime that regulates or would effect microgrids prohibits their development.


Microgrids hold an enormous amount of potential for the future of the electric power grid in the United States. Though the technology to develop an efficient, reliable, more-environmentally-friendly system of microgrids is at our fingertips, the laws are simply not where they need to be for this to happen. Momentum is growing for microgrids, but only time will tell how much is actually invested into solving the United States’ grid issues.




[1] Oak Ridge National Laboratory, Your own energy ‘island’? Microgrid could tandardize small, self-sustaining electric grids, ScienceDaily, (Nov. 5, 2014),

[2] Federal Energy regulatory Commission v. Electric Power Supply Association et al., 577 U.S. ___ (2016).

[3] Federal Energy regulatory Commission v. Electric Power Supply Association et al., 577 U.S. ___ (2016).

[4] Federal Energy regulatory Commission v. Electric Power Supply Association et al., 577 U.S. ___ (2016).

[5] Andrew Landrum, El Nino and the Case for Microgrids, American Security Project, (Oct. 8, 2015),

[6] Andrew Landrum, El Nino and the Case for Microgrids, American Security Project, (Oct. 8, 2015),

[7] Kevin Jones, et al.,The Urban Microgrid: Smart Legal and Regulatory Policies to Support Electric Grid Resiliency and Climate Mitigation, Fordham Urban L.J. (2014 – available on Lexis/Westlaw).

[8] Kevin Jones, et al.,The Urban Microgrid: Smart Legal and Regulatory Policies to Support Electric Grid Resiliency and Climate Mitigation, Fordham Urban L.J. (2014 – available on Lexis/Westlaw).

[9] Kevin Jones, et al.,The Urban Microgrid: Smart Legal and Regulatory Policies to Support Electric Grid Resiliency and Climate Mitigation, Fordham Urban L.J. (2014 – available on Lexis/Westlaw).

[10] Kevin Jones, et al.,The Urban Microgrid: Smart Legal and Regulatory Policies to Support Electric Grid Resiliency and Climate Mitigation, Fordham Urban L.J. (2014 – available on Lexis/Westlaw).

[11] Historic and projected U.S. electricity demand, 1950-2050, (last visited Feb. 22, 2016).

[12] Oak Ridge National Laboratory, Your own energy ‘island’? Microgrid could tandardize small, self-sustaining electric grids, ScienceDaily, (Nov. 5, 2014),

[13] Andrew Landrum, El Nino and the Case for Microgrids, American Security Project, (Oct. 8, 2015),

[14] Alison Lantero, How Microgrids Work,, (June 17, 2014, 10:27 AM),

[15] Sara Bronin, Curbing Energy Sprawl with Microgrids, 43 Conn. L. Rev. 547, (2010).

[16] Sara Bronin, Curbing Energy Sprawl with Microgrids, 43 Conn. L. Rev. 547, (2010).

[17] Sara Bronin, Curbing Energy Sprawl with Microgrids, 43 Conn. L. Rev. 547, (2010).

[18] Sara Bronin, Curbing Energy Sprawl with Microgrids, 43 Conn. L. Rev. 547, (2010).

[19] Julia Hesse and Sally Jacquemin, Microgrids in the American power network,, (Feb. 8, 2016),

[20] Kevin Jones, et al.,The Urban Microgrid: Smart Legal and Regulatory Policies to Support Electric Grid Resiliency and Climate Mitigation, Fordham Urban L.J. (2014 – available on Lexis/Westlaw).

[21] George Walsh, Power outages lead towns to look at microgrids, Associated Press, (Feb. 8, 2016, 10:00 PM),

[22] George Walsh, Power outages lead towns to look at microgrids, Associated Press, (Feb. 8, 2016, 10:00 PM),

[23] George Walsh, Power outages lead towns to look at microgrids, Associated Press, (Feb. 8, 2016, 10:00 PM),

[24] Andrew Landrum, El Nino and the Case for Microgrids, American Security Project, (Oct. 8, 2015),

[25] Andrew Landrum, El Nino and the Case for Microgrids, American Security Project, (Oct. 8, 2015),

[26] George Walsh, Power outages lead towns to look at microgrids, Associated Press, (Feb. 8, 2016, 10:00 PM),

[27] Ken Silverstein, With a Focus Increasing Reliability and Decreasing Emissions, Microgrids are Stepping Out,, (Feb. 9, 2016),

[28] Sara Bronin, Curbing Energy Sprawl with Microgrids, 43 Conn. L. Rev. 547, (2010).

[29] Sara Bronin, Curbing Energy Sprawl with Microgrids, 43 Conn. L. Rev. 547, (2010).

[30] Sara Bronin, Curbing Energy Sprawl with Microgrids, 43 Conn. L. Rev. 547, (2010).

[31] Sara Bronin, Curbing Energy Sprawl with Microgrids, 43 Conn. L. Rev. 547, (2010).

[32] Kevin Jones, et al.,The Urban Microgrid: Smart Legal and Regulatory Policies to Support Electric Grid Resiliency and Climate Mitigation, Fordham Urban L.J. (2014 – available on Lexis/Westlaw).

[33] Kevin Jones, et al.,The Urban Microgrid: Smart Legal and Regulatory Policies to Support Electric Grid Resiliency and Climate Mitigation, Fordham Urban L.J. (2014 – available on Lexis/Westlaw).

[34] Kevin Jones, et al.,The Urban Microgrid: Smart Legal and Regulatory Policies to Support Electric Grid Resiliency and Climate Mitigation, Fordham Urban L.J. (2014 – available on Lexis/Westlaw).

[35] Kevin Jones, et al.,The Urban Microgrid: Smart Legal and Regulatory Policies to Support Electric Grid Resiliency and Climate Mitigation, Fordham Urban L.J. (2014 – available on Lexis/Westlaw).

[36] Sara Bronin, Curbing Energy Sprawl with Microgrids, 43 Conn. L. Rev. 547, (2010).

[37] Sara Bronin, Curbing Energy Sprawl with Microgrids, 43 Conn. L. Rev. 547, (2010).

[38] Sara Bronin, Curbing Energy Sprawl with Microgrids, 43 Conn. L. Rev. 547, (2010).

[39] Sara Bronin, Curbing Energy Sprawl with Microgrids, 43 Conn. L. Rev. 547, (2010).

Photo Source:

Sweeten the Deal: Transfer of Federal Spectrum Through Overlay Licenses

Skorup Publication Version PDFpdf_icon

Cite as: Brent Skorup, Sweeten the Deal: Transfer of Federal Spectrum Through Overlay Licenses, 22 Rich. J.L. & Tech. 5 (2016),

Brent Skorup*

I. Introduction

[1]       The explosion in consumer demand for wireless services that began in the 1990s caught policymakers off guard. Demand for wireless services has only accelerated, as new cellular wireless technologies—such as broadband Internet via 3G and 4G LTE—permit services such as web browsing, video streaming, the Internet of Things, and gaming, necessitating a steady influx of spectrum as an input. However, the traditional Federal Communications Commission (FCC) and National Telecommunications and Information Administration (NTIA) spectrum assignment processes, to nonfederal and federal users respectively, strained to accommodate new demands and cutting-edge services. In traditional assignment, still widely used today, the rights to free use of certain frequencies are awarded by the FCC and NTIA to deserving users.[1] Figuring out who is deserving of frequencies in the absence of the price system, however, is a time-consuming and politicized process. Rent-seeking and economic waste at the FCC became too obvious to ignore in the 1990s, so regulators today increasingly rely on market allocation of nonfederal spectrum through spectrum auctions.[2]

[2]       The new challenge is transferring spectrum from inefficient legacy operators to bandwidth-hungry entrants. Almost no “greenfield” spectrum is left—commercial and government users occupy nearly all valuable spectrum—so policymakers are scouring existing wireless systems for surplus spectrum that can be auctioned. In the past 25 years, various incumbent users, including television broadcasters,[3] public safety agencies,[4] aeronautical systems,[5] and utility companies,[6] have seen their spectrum transferred to new licensees and repurposed for consumer uses such as mobile broadband. Not only are inefficient commercial technologies locked in because of decades of top-down spectrum assignment, but also the growing consensus among experts is that spectrum assigned to federal agencies is lightly used and would be better redeployed for consumer use.[7]

[3]       Slow repurposing of federal spectrum is a hidden public policy crisis with tremendous economic costs. Delayed reassignment of spectrum to efficient use is costly to society,[8] so streamlining the process of quickly transferring swaths of spectrum between users is a policy goal that would yield significant economic benefits. Economists estimate that spectrum in the hands of inefficient incumbents represents hundreds of billions of dollars of lost consumer surplus annually.[9] Delayed deployment of new wireless services results chiefly because few incumbents offer to relinquish their valuable spectrum. Incumbents generally have two undesirable options: either (a) relocate to another band and purchase new, more efficient equipment or (b) mothball operations completely.

[4]       The spectrum shortage is not a market failure; rather, it is a regulatory failure that prevents spectrum from being quickly transferred to its highest-valued uses. First, although some commercial users pay market rates for spectrum through auctions and secondary markets, federal agencies do not pay market rates.[10] The negligible annual fee agencies pay for their frequencies means spectrum is undervalued and agencies have little incentive to economize. Second, because federal agencies cannot sell or transfer their spectrum to commercial users, the resources are locked into inefficient federal systems.[11]

[5]       To paraphrase FCC Commissioner Jessica Rosenworcel, federal agencies need “carrots and sticks” for efficient use.[12] In the next five to ten years, particularly with the hardest-to-reclaim spectrum (such as that of the Department of Defense), a “carrot” may be required. One “carrot” proposal would encourage efficient trades by giving agencies greater rights to the spectrum they possess—a system of transferable spectrum licenses[13]—so that agencies can trade and sell spectrum to commercial users and retain some of the proceeds.

 [6]       Commissioner Rosenworcel proposed that to affect these transactions and to channel spectrum to its highest-valued uses, the FCC and NTIA could auction off “overlay” licenses to commercial users.[14] Overlay licenses here mean flexible-use licenses to use a particular band occupied by another licensee. Overlay licenses grant auction winners (1) primary rights to any unused spectrum in the band, (2) secondary rights to spectrum in the band that is being used by an incumbent, and (3) exclusive rights to bargain with existing users occupying portions of the band.[15] These licenses can be accompanied by a deadline for incumbent users to move out of the band.[16] Before that deadline, overlay licensees must protect existing users in the band, but they also reap rewards (such as faster deployment of 4G LTE services) if they can convince the incumbents to move or repack to another band.

[7]       Purchasing an overlay license is akin to purchasing a city block of real property that has a few tenants with unexpired leases. The existing tenants have a superior possessory right to occupy the property, but they may willingly abandon the property for a high-enough cash payment or trade. The benefit of overlay licenses is that they create residual claimants and encourage voluntary settlements between the incumbent user or users—in this case, a federal agency—and the overlay auction winner. The FCC previously executed successful overlay auctions on the nonfederal side, and Rosenworcel called such auctions an “elegant solution” for a band encumbered by federal users.[17]

[8]       There are several policy alternatives for repurposing federal spectrum. A White House–commissioned study focuses on the deficiencies of these proposals, but largely avoids comparative institutional analysis.[18] For example, the study notes the overlay auction process can be “extremely slow and cumbersome.”[19] The analysis cannot end there, however. The important questions to be answered include (1) are overlays slow and cumbersome compared to the available alternatives and (2) which process is more likely to improve social welfare?

[9]       Economist Ronald Coase pointed out that a policy should (as much as possible) be compared with other real-world policy alternatives and their economic effects.[20] Here, as in many debates, all available policy choices are costly. Regulators must consider how their rules influence relocation decisions relative to other real-world alternatives. In this paper, I make the case that private ordering through overlay auctions performs admirably when compared to the regulation-intensive spectrum-sharing regime recommended in the President’s Council of Advisors on Science and Technology (PCAST) report.[21] By examining how overlay auctions and sharing techniques have worked in practice, regulators have a better understanding of the costs and benefits associated with spectrum policy decisions.[22]

II. Background

[10]     Command-and-control spectrum allocation methods prevailed at the FCC and NTIA for decades, drawing comparisons to the former Soviet Union’s State Planning Committee, known as Gosplan, “which allocated scarce resources by administrative fiat among factories and other producers in the Soviet economy.”[23] Economists such as Ronald Coase pointed out during this era that spectrum has many attributes of real property, and that it might be more efficiently used by private users who (1) internalize the benefits and costs of deploying the input and (2) can sell it to parties who value it more.[24] Market-based spectrum reform—if not always practiced—essentially won the day both on the commercial side and at the FCC since the early 1990s. Auctions are held for spectrum, secondary markets permit license transfers to profit-maximizing firms, and the FCC generally avoids prescribing which wireless services must be provided. Therefore, scholars are increasingly focused on injecting market reform into the reordering of federal spectrum,[25] which the NTIA assigns to agencies through command and control.

[11]     The 3,200 MHz segment of spectrum spanning 300 MHz to 3,500 MHz is in high demand for both government and commercial users. This range of frequencies, or similar approximations to it, represents the so-called “beachfront spectrum” because it has optimal propagation characteristics for many popular wireless services.[26] Lower frequencies in this range permit transmissions over long distances, whereas higher frequencies transmit shorter distances, but have a higher capacity for transmitting things like web data and streaming video. National mobile broadband carriers—the primary purchasers of available spectrum—such as Sprint and AT&T Mobility take a diversified approach. They acquire both low and high bands so that they can provide both good regional coverage (via low bands) and localized high capacity (via high bands).

[12]     NTIA manages federal spectrum, and it estimated in 2012 that federal operations use about 40 percent of the in-demand spectrum.[27] Of the 3,200 MHz of beachfront spectrum, NTIA is currently analyzing close to 1,000 MHz to either share with or transfer to commercial users.[28] To that end, in late 2014, the FCC auctioned off federal spectrum in the AWS-3 auction.[29] The biggest bidders included AT&T Mobility, Verizon Wireless, Dish Network, and T-Mobile.[30] The 50 MHz band of paired spectrum (25 MHz of federal spectrum was paired with another nonfederal 25 MHz block) raised over $40 billion.[31] Several empirical studies show that the annual consumer surplus derived from wireless broadband approximates the auction value of the underlying spectrum.[32] Therefore, the $40 billion paired block of AWS-3 spectrum (when deployed) will provide about $40 billion worth of consumer surplus annually.

[13]     Federal agencies are market participants for many indispensable inputs but not, anomalously, for spectrum. Agencies compete with private firms for supply of most inputs, such as labor, real estate, electricity, automotive fleets, and office supplies. Spectrum, however, is given to federal agencies very cheaply, and underused or excess spectrum cannot be sold to commercial operators.[33] Agency spectrum is removed from market processes, and agencies have little economic incentive to use or manage spectrum efficiently.[34] With little sense of the opportunity costs of the spectrum they use, agencies are largely exempt from economic pressures to use more efficient radios, outsource wireless services to commercial operators, or substitute wireless communications with wired communications.

[14]     Market mechanisms for repurposing federal spectrum are currently unavailable, so members of Congress and the executive branch rely mostly on scrutiny from government audits and congressional hearings, which have limited effectiveness.[35] Policymakers understand the urgency, but the Obama administration’s June 2013 memorandum to federal agencies, like the PCAST report that informed the memorandum, does little about the underlying problem.[36] On the issue of efficient use of federal spectrum, the memorandum merely directs agencies to determine what spectrum could potentially be made available for sharing or clearing and requests that agencies “use the minimum spectrum reasonably necessary to most effectively meet mission requirements.”[37]

[15]     These sorts of requests have been around for decades. The problem is not that a president has not asked for efficient use forcefully enough; rather, the problem is that federal agencies face few economic tradeoffs.[38] Agencies have acceded—slowly—to congressional mandates to clear spectrum for auction. However, agencies are increasingly resistant to relocating their operations.[39] For this reason, the White House is contemplating several spectrum-clearing and spectrum-sharing methods, though no alternative has emerged as the consensus.[40]

III. Rival Approaches

[16]     Repurposing federal spectrum is a pressing economic problem that has received increasing attention. Several solutions have been proposed. A 2014 study commissioned by the White House found, every federal spectrum-repurposing proposal, including overlays, faces implementation challenges.[41] Comparisons between policies are therefore necessary for informed policymaking. Below, the PCAST dynamic sharing proposal is analyzed and compared to recent overlay auctions and the clearing of federal users.

A.    PCAST’s Dynamic Sharing Proposal

[17]     The political difficulties in transferring a valuable resource from one group (federal agencies) to another (commercial wireless operators and consumer device makers) guided the PCAST recommendation to do away with traditional clearing and auctioning procedures such as overlays.[42] Instead, PCAST recommended simply changing the nature of the obligations of spectrum users—a do-no-harm standard—and relying on the future advancement of technologies that enable dynamic spectrum sharing.[43] With dynamic sharing, commercial devices such as smartphones, tablets, and small cells detect and avoid—possibly in real time—interference with federal systems, such as radar and video surveillance, that use the same frequencies at the same time in the same geographic area. The benefit is that dynamic sharing eliminates the need to clear resistant federal users.

[18]     The PCAST recommendations are modeled on the FCC’s TV white spaces proceeding.[44] That permitted unlicensed devices and cognitive radios in the unused “white spaces” that comprise about 240 MHz of the 294 MHz allocated to television broadcasters.[45] Like federal users, television broadcasters are legacy users that, generally speaking, cannot sell their spectrum to mobile carriers.[46] After a 2002 staff recommendation for this type of spectrum sharing, the FCC issued a 2008 order allocating spectrum for white space devices’ use. The first device was approved in 2012.[47] White space devices must protect incumbent broadcasters but can transmit and receive signals in geographic areas and on frequencies that do not contain television broadcasters.

[19]     The device specifications formulated by the FCC have strict power limits and are quite complex because of interference concerns.[48] White space-sharing techniques rely on accurate geolocation information; yet those crucial databases of registered devices contain hundreds of errors.[49] Seven years after the 2008 order, white space–sharing technology has been used only marginally. As of this writing, only about 600 devices are in use,[50] providing data services (e.g., connecting municipal water-monitoring systems) and Wi-Fi-like Internet access (at a handful of libraries and schools).[51]

            B. Auction of Overlay Licenses

[20]     An alternative proposal for spectrum reform (resembling Commissioner Rosenworcel’s proposal) is to auction overlay licenses which permit the commercial use of spectrum currently encumbered by federal users.[52] These licenses are called overlays because they geographically surround an existing spectrum assignment. Overlays have enabled the relocation and clearing of state government systems and public safety systems from a few hundred MHz of spectrum. Overlays have not been used for federal spectrum because agencies cannot directly receive consideration from commercial users.[53]

[21]     Overlay licenses grant auction winners (1) primary rights to any unused spectrum in the band, (2) secondary rights to spectrum in the band that is being used by an incumbent, and (3) exclusive rights to bargain directly with existing users occupying portions of the band. In the case of auctioning spectrum occupied by federal users, the winning overlay licensee is required to protect the incumbent federal users but can negotiate directly with them. Overlay licensees might induce incumbents to use more efficient devices (thereby freeing up spectrum for new uses), to tolerate certain amounts of interference, to move to a different band entirely, or to cease operations altogether.[54]

[22]     The policy innovation lies in combining transferable federal spectrum rights with the overlay auction framework. These rights would give agencies the ability to bargain with potential suitors and to be directly compensated for vacating or otherwise reducing their use of a band. Federal agencies are not profit-maximizing firms, but they do face budget constraints, and tradeoffs are more transparent when agencies are faced with priced assets. If permitted, agencies might improve their input mix by selling unused assets and reinvesting the revenue. For instance (as described later) several agencies have transferable real property rights. That is, they have the authority to lease and sell federal real estate and buildings to private developers and to retain some of the proceeds.[55] Transferable spectrum rights make agencies residual claimants in a similar fashion. Overlay auctions give regulators a process to induce spectrum incumbents to sell their underused assets quickly.

[23]     Although the compensation should be negotiated, successful overlay auctions have featured a command-and-control element. As explained infra, it is likely necessary for federal incumbents to have a deadline to vacate their bands.[56]

                        1. Case Study of the PCS Auction

[24]     Overlays have been used a few times to repurpose encumbered nonfederal spectrum, including the major auctions like the PCS auction and AWS-1 auction.[57] Congress first authorized the FCC to conduct spectrum auctions in 1993 to avoid wasteful command-and-control prescriptions and to permit more spectrum for the nascent cellular phone industry.[58] With that authority, the FCC used overlay auctions for the new Broadband Personal Communications Service (PCS), a type of cellular phone technology, in the mid-1990s.[59] The FCC auctioned 120 MHz of encumbered beachfront spectrum, and cellular phone companies were the major bidders. Incumbent users were mostly public utilities, railroads, and local governments operating thousands of microwave communication links, but they also included state public safety operations such as firefighters, police, and other emergency responders.[60] The auction and clearing proposals faced resistance and, echoing today’s objections from federal agencies, public safety incumbents warned that the FCC’s auction would disrupt their communications reliability and could “have a devastating effect on . . . millions of inhabitants” relying on their services.[61] Nevertheless, the auctions for this encumbered spectrum commenced in 1995.[62] The auction winners could deploy services where there were no incumbents and had secondary rights to the spectrum where incumbents operated.

[25]     To relocate those incumbents and to free up spectrum for PCS, the FCC mandated that the PCS license winners pay the incumbents’ relocation costs. But the FCC also did something novel: it gave the incumbent users transferable spectrum rights. That is, the FCC permitted the incumbent users to bargain with the overlay auction winners and, in exchange for an additional payment or in-kind benefit, move before a relocation deadline.[63]

 [26]     The FCC gave non–public safety users a two-year voluntary negotiation period during which they were not required to negotiate with the PCS overlay winners.[64] This period was followed by a one-year mandatory negotiation period during which the PCS licensee and the incumbent were required to bargain in good faith.[65] After that deadline—three years from commencement—PCS licensees could force the incumbent to move, while compensating it for relocation costs. Public safety users had a three-year voluntary negotiation period followed by a two-year mandatory negotiation period.[66]

[27]     This PCS auction grossed $7.7 billion in bids.[67] There are no public records of the payments made for early relocation, but good-faith negotiations were reportedly the norm.[68] By January 1998, over half of the microwave links had been moved out of the band,[69] and the spectrum was deployed for cellular service. Most incumbent microwave links were upgraded to work on new frequencies, but about 10% shifted to wired connections or ceased operation.[70] Today PCS spectrum supplies about 20% of all licensed spectrum used for mobile broadband and is a major part of each national carrier’s spectrum holdings.[71] Looking back, the concerns about widespread public safety communications disruption never materialized.

2. Case Study of AWS-1

[28]     The 2006 Advanced Wireless Services (AWS-1) auction was an auction of 90 MHz of paired (45 MHz) spectrum that contained nonfederal and federal users.[72] The nonfederal spectrum was auctioned off via overlay licenses; the federal spectrum wasn’t. Post auction, 12 federal agencies in the 1.7 GHz band[73] relocated to other bands and several nonfederal users in the 2.1 GHz band relocated. The nonfederal users included various state and commercial microwave systems, as well as Broadband Radio Service systems—which provided services like two-way broadband and public safety communications.[74]

[29]     The federal users had a clearing deadline with no direct compensation from winning bidders. However, federal users received some indirect compensation. AWS-1 was the first band auctioned under the 2004 Commercial Spectrum Enhancement Act, a law giving federal agencies a limited share of pooled auction proceeds—compensation for their relocation costs.[75] The 45 MHz occupied by nonfederal users, on the other hand, was assigned via an overlay license. The FCC permitted the nonfederal incumbents—much like the incumbents in the PCS bands—to enter into private cost-sharing agreements with the new AWS licensees.[76] Despite the encumbrances, the 1.7 GHz band grossed almost $7 billion.[77] Like the agreements between overlay licensees and incumbents in the PCS auction, the post-auction cost-sharing agreements relocating the nonfederal incumbents in the 2.1 GHz band are unavailable.

[30]     The federal users did not have overlay licensees to bargain with and merely faced relocation deadlines. NTIA tracked the relocation costs of federal systems in the 1.7 GHz band so that agencies could be reimbursed through the relocation fund created by the Commercial Spectrum Enhancement Act.[78] The Government Accountability Office (GAO) estimated that the encumbered 1.7 GHz band grossed almost $7 billion.[79] Relocation costs of federal users totaled around $1.5 billion[80] ($1 billion less than a Congressional Budget Office estimate but exceeding NTIA’s original estimates by about 50 percent),[81] for net revenue of $5.5 billion.

[31]     Once the auction was completed, even though little financial incentive was provided beyond the benefit of upgraded wireless systems, the clearing of agencies happened fairly rapidly. Presumably, overlay licensees paying agencies to relocate would be even more effective. By December 2008, two years after the auction, dozens of federal wireless systems had been moved from the 1.7 GHz band, and licensees had deployed mobile broadband in some cities.[82] Four agencies—the Department of the Treasury, the Department of Homeland Security, the US Postal Service, and the Department of Housing and Urban Development—had vacated the band completely.[83] By late 2010, four years after the completion of the auction, seven agencies representing 81% of eligible systems had been relocated.[84] By 2011, 95% of systems were relocated,[85] and by 2012, six years after the auction, NTIA reported that all seven agencies had ceased operations in the band.[86]

[32]     Representatives from the wireless industry expressed publicly that they were satisfied with the relocation process, but some systems and agencies were more difficult.[87] Representatives from MetroPCS, the fourth-biggest bidder in the auction, with licenses mostly in the West and the Northeast, stated that the relocation process “worked relatively well.”[88] Carriers’ discussions with agencies about information like channel bandwidth, antenna power, and height for each system to be relocated expedited the process.[89] Steve Sharkey, T-Mobile’s chief of engineering and technology policy, said that these technical discussions with federal users “resulted in T-Mobile being able to deploy services years earlier than originally anticipated.”[90]

[33]     Clearing federal agencies and allowing nonfederal incumbents to bargain with the overlay licensees allowed productive use of much of the encumbered AWS-1 bands within a few years. T-Mobile was the top bidder, paying over $4 billion for AWS-1 licenses covering nearly the entire United States,[91] and illustrating the efficacy of overlays and clearing. A mere two years after the auction, T-Mobile—after the clearing of federal users and negotiating with nonfederal incumbents—launched 3G service in 27 markets covering over 100 million people.[92] This included the lucrative San Francisco[93] and New York City[94] markets. By 2010, it completed most of its nationwide mobile broadband network using AWS-1 spectrum. Auction winners like MetroPCS and Leap Wireless covered millions more after clearing their AWS-1 spectrum.[95] Today that 90 MHz of AWS-1 spectrum, now cleared of incumbents, supplies about 15% of licensed mobile broadband spectrum and is used by more than 200 million Americans through technologies such as 4G LTE.[96]

IV. Comparison of Dynamic Sharing and Overlay Auctions

[34]     Decades of assigning spectrum to agencies for free has locked valuable frequencies into inefficient wireless uses. Choosing the superior set of policies for repurposing federal spectrum in a timely manner means capturing tens of billions of dollars annually—from consumer welfare gains, industry investment, and jobs—that would otherwise evaporate.[97] The experiences described suggest that clearing and relocating federal systems through a system of overlay auctions yield greater economic benefit than do dynamic sharing proposals like the one contemplated by PCAST.

[35]     Direct comparison of unlicensed dynamic sharing with overlays is difficult because, as mentioned, dynamic sharing technologies do not have widespread deployment. This is a red flag given the substantial costs for every year that implementation is delayed. NTIA has proposed the use of dynamic sharing strategies since at least 1991.[98] But to date these technologies have permitted very little sharing between commercial and government users.[99] The PCAST authors are aware of some of these difficulties and therefore predict that its proposed overhaul of policy would take “perhaps two to three decades.”[100]

[36]     That prediction is a best-case scenario. It would likely take much longer to implement a widespread complex sharing regime. Even if it becomes technically feasible to share spectrum across a wide band of frequencies in real time, the regulatory process either halts or substantially delays inter-organization sharing.[101] The unlicensed sharing approach shifts the tasks of devising certifications and regulating spectrum-sharing etiquette from market actors to regulators.[102] Nearly all wireless operators, including government agencies and commercial licensees, vigorously resist sharing spectrum with other users and technologies. There have been costly episodes of agencies and licensees fiercely objecting to even minute possibilities of interference to their own wireless operations.[103]

[37]     The multitude of federal systems with vastly different performance characteristics—radar, satellite communications, air-to-ground communications, video surveillance, unmanned aircraft systems, to name a few—means that the complex challenges for consumer device makers are multiplied. No amount of engineering ingenuity can tell regulators what the “correct” probability of harmful radio interference is. In sharing disputes, the incumbents invariably commission technical analyses that highlight remote, worst-case interference scenarios. The entrants respond with their own studies showing “typical” scenarios in which their systems pose little interference threat to existing users. Regulators are caught in the middle of a tug-of-war of competing technical papers and have no propensity to make a decision that optimizes wireless output between the systems. Even after a decision is made to allow shared use, a federal system technology upgrade or a change in federal supplier could simply restart the process anew (at best) or stymie necessary and life-saving agency upgrades (at worst).

[38]     Incumbents present delays and resistance toward any scheme. However, overlays and clearing have an established history of delivering spectrum to private markets, where millions of subscribers can use it productively in a few years’ time. It is too early to say, as the PCAST report intimates, that clearing federal users is impractical.[104] As the PCS and AWS-1 examples show, much of the spectrum cleared by overlay auctions and clearing deadlines is typically redeployed commercially in under five years.[105]

[39]     By giving agencies greater rights to their spectrum and a mechanism—overlay auctions—that allows the agencies to transfer those rights and to retain revenues, federal spectrum could be repurposed for consumer uses. Overlay auctions have been completed before and represent an off-the-shelf technique that FCC staff members have experience implementing.[106] Overlays present great flexibility in auction design because licenses can be nationwide, regional, or can cover narrow geographic locations. Importantly, overlays rationalize band usage by creating residual claimants who internalize the gain from spectrum investments.[107] When an overlay licensee moves an agency to another band or medium, its spectrum is more valuable. It is this increase in value that gives the parties room to negotiate.

[40]     After 25 years of forecasts that dynamic sharing is right around the corner, dynamic sharing is still largely in the research and development stage.[108] Dynamic sharing depends on complex cognitive radios or central database look-up functions that may never be deployed en masse. Despite access to some 240 MHz of prime spectrum, only 600 or so unlicensed devices in the market use TV white spaces, utilizing a crude sharing technology.[109] I am not aware of any reliable estimates, but the total investment in the white space ecosystem seven years after its 2008 allocation likely totals only a few million dollars and attracts only a few thousand users.

[41]     In contrast, clearing incumbents with overlays in similar swaths of spectrum leads to investment and consumer welfare gains orders of magnitude larger, sometimes within months of auction. Hazlett et al. estimated in 2004 that the repurposing of 120 MHz of spectrum for PCS induced over $45 billion of network investment in the five-year period following the auction, from 1994 to 1998.[110] The 220 MHz of spectrum freed by the combined broadband PCS and AWS-1 auctions supplies about one-third of spectrum holdings of mobile carriers,[111] an essential input for an industry that in 2014 had revenues of nearly $188 billion and capital investment of $32 billion.[112]

[42]     Dynamic sharing technology simply will not enable similar economic benefits in the next several years. Given the tremendous opportunity costs of inaction in the interim, waiting for dynamic technology to be widespread is a speculative and costly option relative to clearing alternatives.[113]

V. Final Notes

A. Response to the Counter that Federal Agencies May Not Respond to Financial Incentives

[43]     Some scholars argue that giving agencies self-funding ability through transferable spectrum rights would be ineffective.[114] They counter that any gain in revenue from spectrum sales would be viewed by Congress as a windfall and would be offset in subsequent rounds of appropriations, thereby diminishing the incentive of agencies to sell their spectrum.[115]

[44]     The logic is sensible, but existing evidence appears to undermine that theory. Admittedly, the literature on agency self-funding is limited,[116] and literature on the incentive effects from agency self-funding through asset sales is even scarcer. Therefore, predictions about how Congress and agencies will respond to the vestment of additional spectrum rights are largely conjectural. However, existing programs indicate that agencies (1) do not generally believe they will be penalized in the appropriations process for perceived windfalls from asset sales and (2) can be incentivized to relinquish property if they can pocket some of the gains.

[45]     The examples where agencies self-fund indicate that agencies favor such arrangements, provided that they have significant control over distributing the revenue.[117] For instance, GAO analysis of financial regulatory agencies that self-fund through examination fees and the like indicates that self-funded agencies generally prefer self-funding to funding through the appropriations process.[118]

[46]     More to the point, in responding to the notion that Congress will penalize agencies for monetary windfalls provided by asset sales, Dorothy Robyn—who was in an excellent position to view such dynamics while at the General Services Administration and the Department of Defense—concluded in her influential spectrum policy paper, “[t]hat has emphatically not been my experience.”[119] Robyn points out that it was the agencies themselves that lobbied Congress for agency retention of revenue from land sales during a round of painful military base closures.[120] These sales can occasionally be quite large. The Navy, for instance, sold two Marine Corps bases for $850 million[121]—likely substantial enough to receive congressional notice—but there is no evidence the Navy saw decreased appropriations as a result.

[47]     Further, Congress authorizes the secretaries of the military departments to lease underused real property and personal property that the department controls in exchange for cash and in-kind consideration.[122] The military has used that authority to enter into complex leases, called enhanced use leases, which might grant, for example, a 50-year lease of military land to a private developer.[123] A 2011 GAO report noted that there were 17 enhanced use leases in place, with in-kind consideration valued at hundreds of millions of dollars, and dozens more were either under review or in negotiation.[124] On the basis of agency use of these programs, Robyn concluded “the ability to retain the proceeds from the disposal of property is a key motivator for federal agencies.”[125]

[48]     There are risks, such as improper incentives and decreased accountability to Congress and to the president, when agencies self-fund.[126] Self-funding programs should be monitored and perhaps have mandatory sunsets, but there is some real-world evidence that allowing agencies to retain some proceeds of asset sales motivates the types of behaviors intended—namely, disposition of underused public assets into private markets, where the assets can be used more productively.

B. Need for Mandatory Clearing Deadlines for Federal Users after an Overlay Auction

[49]     One lesson from the PCS overlay auction, identified by Cramton, Kwerel, and Williams, was that relocating state government systems was significantly slowed when the agencies were permitted to stay indefinitely.[127] Such delays led the scholars to conclude that, in fact, government agencies may need weaker rights to stay than do nongovernment incumbents “because they [government users] may be too likely to stay when they should terminate or relocate.”[128]

 [50]     Absent a deadline, economically efficient improvements tend to be underproduced or substantially delayed because incumbents have an incentive to reject the bidder’s offers indefinitely.[129] Incumbents know that their consent is required and that they can extract a portion of the producer surplus in excess of their opportunity costs—the so-called holdout problem.[130] This problem is likely exacerbated when public agencies are involved. Further, for an appreciating asset like spectrum, hoarding may be a lucrative strategy.[131]

[51]     The benefit of a deadline to move wireless systems is that negotiations focus on the relocation costs (with a premium paid for speedy relocation) and not on the value to the entrant of clearing the spectrum.[132] Incumbent users thus have an incentive to settle early.[133] In the broadband PCS and AWS-1 auctions involving federal and nonfederal incumbents, deadlines helped make relocations largely successful in encouraging positive-sum settlements.[134]

C. Role of Political Entrepreneurship in Spectrum Reallocation

[52]     Overlay licenses of encumbered federal spectrum would represent uncertain investments with substantial risk discounting, so economic modeling is challenging. Information about many defense and law enforcement systems is difficult to acquire and stymies bargaining between commercial bidders and agencies. Hence, knowledgeable former federal officials will likely need to use their expertise to make deals possible between agencies and commercial bidders.

[53]     Such political entrepreneurship has a storied history in spectrum allocation. In the 1980s and 1990s a former wireless regulator at the FCC, acquired wireless licenses held by taxi and pizza delivery dispatchers.[135] The FCC agreed to waive rules regarding the licenses, and the purchaser aggregated the new, flexible licenses that enabled cellular phone technology.[136] His actions increased the economic value of those fragmented licenses and led to the creation of Nextel, which was one of the nation’s largest mobile phone companies when it was acquired by Sprint.[137]

[54]     Since 2000, following the financial failures of several satellite communications operators, the FCC has waived rules requiring satellite communications in certain bands so that the same spectrum can be used instead for ground-based cellular mobile broadband. In the mid-2000s, though they were less successful at navigating the regulatory issues than was O’Brien, financier Phil Falcone and his business partners acquired spectrum licensed to satellite communications firms SkyTerra and Inmarsat. They devoted billions of dollars to developing a new wireless network.[138] The company, LightSquared, petitioned the government for waivers, and the FCC agreed to loosen its rules to permit traditional mobile phone service in that spectrum.[139] Likewise, in 2011 Dish Network acquired 40 MHz of satellite spectrum through a fire sale purchase of two bankrupt satellite communications companies.[140] The FCC again waived most of its satellite rules and permitted traditional mobile broadband services.

[55]     Finally, most relevantly, in the AWS-1 auction, T-Mobile hired defense experts, including a former general and former director of the Defense Information Systems agency, to assist in negotiating with federal agency heads.[141] Successful political entrepreneurship requires institutional knowledge of federal systems and of the idiosyncratic personalities and hierarchies that may otherwise confound successful transactions.[142] Political entrepreneurship is difficult to identify and to model formally, but it will likely play an important role if agencies are vested with spectrum rights that they can transfer for payment.

VI. Conclusion

[56]     Overlay auctions are one of several tools policymakers should consider for repurposing federal spectrum. There are several plans for approaching the problem of inefficient government use, but all, to various degrees, are time consuming and costly. If overlays and clearing deadlines are time consuming because relocations typically take two to six years, what does that imply for PCAST-style unlicensed dynamic sharing that take decades to fully implement? No other reform proposal has enabled widespread consumer use and economic investment as rapidly as have overlay auctions combined with clearing deadlines. Federal agencies lack some of the incentives that private firms have to use resources efficiently. Nevertheless, when spectrum users have the ability to sell their rights and overlay auctions are used, experience suggests that spectrum can be repurposed from legacy government systems to high-value commercial uses within a few years.


* The author is a research fellow at the Mercatus Center at George Mason University. He has an economics degree from Wheaton College and a law degree from the George Mason University School of Law. He extends thanks to Ted Bolema and two anonymous reviewers for helpful comments on earlier drafts, and special thanks to Thomas Hazlett, whose conversation precipitated this article.


[1] See 47 U.S.C. § 309(a) (2012) (the FCC “shall determine, in the case of each application filed with it . . . whether the public interest, convenience, and necessity will be served by the granting of such application.”); see also Nat’l Telecomms. & Info. Admin., U.S. Dep’t of Commerce, Manual of Regulations and Procedures for Federal Radio Frequency Management 8.1.1 (May 2013, rev. 2014),, archived at (describing NTIA’s spectrum assignment procedures).

[2] See Thomas W. Hazlett, Assigning Property Rights to Radio Spectrum Users: Why Did FCC License Auctions Take 67 Years?, 41 J.L. & Econ. 529, 532–33 (1998).

[3] See Robert M. Rast, The Dawn of Digital TV, IEEE Spectrum (Oct. 3, 2005, 4:18 AM),, archived at (describing the clearing of analog broadcast television systems to allow for the 700 MHz auction).

[4] See infra Part B(1) (describing the PCS auction).

[5] See Gregory L. Rosston, Increasing the Efficiency of Spectrum Allocation, 45 Rev. Indus. Org. 221, 231 (2014).

[6] See infra Part B(1) (describing the PCS auction).

[7] President Barack Obama concurs with this assessment. In June 2010, he issued a memorandum directing the NTIA to identify federal spectrum that can be made available for wireless broadband by 2020. See Unleashing the Wireless Broadband Revolution, 3 C.F.R. 348, 348–49 (2011); see also Thomas M. Lenard, Lawrence J. White & James L. Riso, Increasing Spectrum for Broadband: What Are the Options? 23 (Tech. Pol’y Inst.. Working Paper, 2010),, archived at (“There appears to be a widespread consensus that spectrum in government hands is likely not being used efficiently . . . .”); Jeffrey A. Eisenach, Spectrum Reallocation and the National Broadband Plan, 64 Fed. Comm. L.J. 87, 130 (2011); Harvey J. Levin, The Radio Spectrum Resource, 11 J.L. & Econ. 433, 434 (1968) (“Most other users (like those in public safety and local or federal government radio) are not directly constrained in their use of spectrum by pressures in any ‘markets’ for their end products or services.”); Kenneth R. Carter & J. Scott Marcus, Improving the Effectiveness and Efficiency of Spectrum Use by the Public Sector: Lessons from Europe (Sept. 27, 2009),, archived at (“To a significant degree, these [efficiency] improvements have not worked their way into spectrum use by public sector users, including the military, emergency services, or aeronautical or maritime transport.”); James Losey & Sascha Meinrath, Free the Radio Spectrum, IEEE Spectrum (June 28, 2010, 7:59 PM),, archived at (stating that “the 270 000 [assignments] held by government agencies . . . are woefully underutilized.”).

[8] See Coleman Bazelon & Giulia McHenry, LocustPoint Networks, Staying on Track: Realizing the Benefits from the FCC’s Incentive Auction Without Delay ii (2015),;ECFSSESSION=Kk3QJpkhFvcQwklx1G3Rz6tF8p3LBhxBWph1ZmjDp4nkr60XTZRG!156529071!809722108?id=60001031918, archived at (estimating that the social costs of delaying the “Incentive Auction” of TV bands two or three years could approach $200 billion).

[9] See, e.g., Harold Furchtgott-Roth, Hudson Inst., Granting Licensed Spectrum Flexibility: How to Spur Economic Growth and Innovation in America 6 (2012),–spectrumflexibility–dec12.pdf, archived at; see also Thomas W. Hazlett & Roberto E. Muñoz, A Welfare Analysis of Spectrum Allocation Policies, 40 RAND J. of Econ. 424, 425 (2009).

[10] Agencies pay only a small, annual fee for their spectrum—$122 for each frequency assignment. See U.S. Gov’t Accountability Office, GAO-13-7, Spectrum Management: Incentives, Opportunities, and Testing Needed to Enhance Spectrum Sharing 11 n.14 (2012),, archived at

[11] The Miscellaneous Receipts Act requires “an official or agent of the Government receiving money for the Government from any source” to “deposit the money in the Treasury as soon as practicable without deduction for any charge or claim.” 31 U.S.C. § 3302(b) (2012). Thus, under current law, any payment to agencies would have to be submitted to the Treasury rather than be retained by the agency receiving the payment for relocation purposes. Once revenue is submitted to the Treasury, it may only be disbursed pursuant to a specific congressional directive. See Commerce Spectrum Mgmt. Advisory Comm., Recommendations for Improving the Process for Identifying Spectrum for Future Reallocation or Sharing 25 n.55 (2008),, archived at

[12] One meritorious “stick” proposal is to charge agencies approximately the opportunity cost of their spectrum, much like the United Kingdom does. Long-term spectrum fees should be budgeted for as an operating expense so that agencies can sensibly weigh the tradeoffs between acquiring spectrum and other inputs that further their agency mission. This proposal resembles a “GSA for spectrum.” See Lenard, White, & Riso, supra note 7, at 26; see also Brent Skorup, Reclaiming Federal Spectrum: Proposals and Recommendations, 15 Colum. Sci. & Tech. L. Rev. 90, 110–12 (2013). For a thoughtful analysis on the merits of this proposal, see generally Dorothy Robyn, Econ. Studies at Brookings, Buildings and Bandwidth: Lessons for Spectrum Policy from Federal Property Management 2 (2014),, archived at

[13] My thanks are extended to an anonymous reviewer for suggesting this term.

[14] Comm’r Jessica Rosenworcel, Remarks at CTIA 2013–The Mobile Marketplace 4 (May 22, 2013),, archived at (“So I propose we auction 2155–2180 MHz along with an additional right . . . the exclusive right to negotiate with federal incumbents [in the 1755–1780 MHz band].”).

[15] See Brent Skorup, Getting Away From GOSPLAN, 36 Reg. 14, 18 (Winter 2013–2014),, archived at

[16] See id. at 18.

[17] Rosenworcel, supra note 14, at 4.

[18] See Karen D. Gordon et al., IDA Sci. & Tech. Policy Inst., A Review of Approaches to Sharing or Relinquishing Agency-Assigned Spectrum 2 (2014),, archived at

[19] Id. at 54.

[20] See Ronald H. Coase, The Problem of Social Cost, 3 J.L. & Econ. 1, 43 (1960) (“A better approach would seem to be to start our analysis with a situation approximating that which actually exists, to examine the effects of a proposed policy change and to attempt to decide whether the new situation would be, in total, better or worse than the original one.”).

[21] See President’s Council of Advisors on Sci. & Tech., Exec. Office of the President, Realizing the Full Potential of Government-Held Spectrum to Spur Economic Growth ix (July 2012) [hereinafter PCAST],, archived at

[22] See Thomas W. Hazlett, Efficient Spectrum Reallocation with Hold-Ups and Without Nirvana 31 (George Mason Univ. Law & Econ. Research Paper Series, No. 14-16),, archived at

[23] See Skorup, supra note 15, at 14.

[24] See, e.g., Yochai Benkler, Some Economics of Wireless Communications, 16 Harv. J.L. & Tech. 25, 29–30 (2002) (citing the property rights and auctions framework as “the standard economists’ view”); Thomas W. Hazlett, The Wireless Craze, the Unlimited Bandwidth Myth, the Spectrum Auction Faux Pas, and the Punchline to Ronald Coase’s “Big Joke”: An Essay on Airwave Allocation Policy, 14 Harv. J.L. & Tech. 335, 532 (2001); Eli Noam, Spectrum Auctions: Yesterday’s Heresy, Today’s Orthodoxy, Tomorrow’s Anachronism, Taking the Next Step to Open Access Spectrum, 41 J.L. & Econ. 765, 766 (1998).

[25] See, e.g., Eisenach, supra note 7, at 89; Lenard, White & Riso, supra note 7, at i.

[26] See PCAST, supra note 21, at 141–42.

[27] NTIA defined “high-value spectrum” as “spanning 225 MHz to 3,700 MHz.” Mark . Goldstein, Dir. Phys. Infrastructure Issues, Testimony before the H. Comm. on Energy & Commerce, Subcomm. on Commc’n & Tech., Spectrum Management: Federal Government’s Use of Spectrum and Preliminary Information on Spectrum Sharing 3 (Sept. 13, 2012) (transcript on file with U.S. Gov’t Accountability Office) [hereinafter Goldstein Testimony],, archived at

[28] See Penny Pritzker & Lawrence E. Strickling, U.S. Dep’t of Commerce, Fifth Interim Progress Report on the Ten-Year Plan and Timetable 6, table B-1 (2015),, archived at

[29] See id. at 3.

[30] See Phil Goldstein, AWS-3 Auction Results: AT&T Leads with $18.2B, Verizon at $10.4B, Dish at $10B and T-Mobile at $1.8B, FierceWireless (Jan. 30, 2015),, archived at

[31] The paired spectrum grossed $42.5 billion, and the unpaired 15 MHz of federal spectrum grossed $2.43 billion. See George S. Ford & Lawrence J. Spiwak, Auction 97 and the Value of Spectrum, Phoenix Center 1, 2 (Feb. 4, 2015),, archived at

[32] See Bazelon & McHenry, supra note 8, at 9.

[33] Agencies pay only a small, annual fee for their spectrum—$122 for each frequency assignment. Goldstein Testimony, supra note 27, at 12 & n.13.

[34] PCAST concluded that, “[f]ederal users currently have no incentives to improve the efficiency with which they use their own spectrum allocation.” PCAST, supra note 21, at ix. Some of the inefficiency is undoubtedly to be expected. Any large organization has bureaucratic friction, and federal agencies—particularly defense agencies—are especially risk averse. A lack of transparency regarding federal uses of spectrum and the fragmented authority over federal spectrum management certainly contributed to the government failure. Transparency in spectrum use is generally unrewarded and is therefore undersupplied. See Harold Feld & Gregory Rose, Breaking the Logjam: Some Modest Proposals for Enhancing Transparency, Efficiency and Innovation in Public Spectrum Management 6 (2010),, archived at The fragmentation of authority over federal spectrum may unfortunately be intractable. A 1994 effort to consolidate Department of Defense spectrum management lasted only a year because the chiefs of Army, Navy, Air Force, and intelligence organizations all wanted to retain their own spectrum management office. U.S. Gov’t Accountability Office, GAO-NSIAD-97-131, Defense Communications: Federal Frequency Spectrum Sale Could Impair Military Operations 15 (June 1997),, archived at

[35] The slow relocation of government systems leads to verbal haranguing of federal administrators and to visible frustration. See Carl Franzen, Congress blasts military and national telecom agency for not sharing wireless spectrum faster, Verge (June 27, 2013),, archived at (“Do you [NTIA and Department of Defense administrators] sit down and talk to each other? Why wouldn’t the two of you sit down and talk about it. Why am I even having to ask this question again?”) (quoting Rep. Eshoo).

[36] See Presidential Memorandum on Expanding America’s Leadership in Wireless Innovation (June 14, 2013), 78 Fed. Reg. 37,431 (June 20, 2013),, archived at

[37] Id. at 37,433.

[38] See Federal Management of Radio Spectrum: Hearing Before the Subcomm. on Telecomm. & Fin. of the H. Comm. on Commerce, 104th Cong. 10 (1995) (statement of James L. Gattuso, Vice President, Citizens for a Sound Economy).

[39] See PCAST, supra note 21, at 9 (discussing the increasing difficulties of relocating incumbent federal systems).

[40] See Gordon et al., supra note 18, at 61.

[41] See id. at 13 (noting the significant challenges implementing, for example, spectrum use fees).

[42] See PCAST, supra note 21, at 1 (“Clearing and reallocation of Federal spectrum for exclusive use is not a sustainable basis for spectrum policy.”).

[43] See id. at 11 (“T]he key to the new architecture is to create very wide bands and implement dynamic, real-time, spectrum sharing.”).

[44] See id. at 24 (“We envisage that access to large Federal bands authorized for shared use can be coordinated primarily by registering and communicating with a management database, similar in concept to the White Space Databases certified by the FCC to provide permission to transmit in the TV Bands.”).

[45] See Thomas W. Hazlett & Evan T. Leo, The Case for Liberal Spectrum Licenses: A Technical and Economic Perspective, 26 Berkeley Tech. L.J. 1037, 1049 n.50 (2011) (explaining the strict rules for unlicensed devices mean much of the available frequencies cannot be exploited).

[46] See PCAST, supra note 21, at 16.

[47] See id. at 11–13.

[48] See Evaluation of the Performance of Prototype TV-Band White Space Devices Phase II, Office of Engineering & Tech., FCC/OET 08-TR-1005, iv (Oct. 14, 2008), document/view; jsessionid=7qp3P1VbdnpcVyFWySl2N52n318pmkvNznfvhcyWdnPhqGTpyhzP!1471562840!-321460796?id=6520183093, archived at

[49] See Robert McDowell, The FCC Should Fight for Our Right to TV White Space, Wired (Apr. 17, 2015),, archived at; see also Mike Dano, FCC promises to clean up error-ridden TV white space databases, FierceWireless (Mar. 20, 2015), fcc-promises-clean-error-ridden-tv-white-space-databases/2015-03-20, archived at

[50] See McDowell, supra note 49.

[51] See Lyndsey Gilpin, White Space broadband: 10 communities doing big projects, TechRepublic (Mar. 19, 2014),, archived at

[52] See Richard M. Nunno, Cong. Research Serv., SPR 97-218, Radiofrequency Spectrum Management 23 (1998) (A wireless industry association opposed this proposal in the AWS-3 auction, but the crux of its opposition was that the federal users were not required to relocate by a certain date).

[53] See Comments of 4G Americas in the Matter of Amendment of the Commission’s Rules with Regard to Commercial Operations in the 1695-1710 MHz, 1755-1780 MHz, and 2155-2180 MHz Bands 8, GN Docket. No. 13-185 (2013),, archived at

[54] Theoretically, overlay licensees could also bargain with incumbents to share spectrum by the millisecond or by the hour, but it is unlikely, at present, that the economics of spectrum sharing permit such agreements in practice.

[55] See U.S. Gov’t Accountability Office, GAO-11-574, Defense Infrastructure: The Enhanced Use Lease Program Requires Management Attention 1–2 (2011),, archived at

[56] See Peter Cramton, Evan Kwerel & John Williams, Efficient Relocation of Spectrum Incumbents, 41 J.L. & Econ. 647, 649 (1998) (Overlays, then, may not be appropriate for bands where shutdown deadlines are especially unpredictable or long term).

[57] See id. at 661.

[58] See id. at 660.

[59] See Nunno, supra note 52, at 13 (“Overlay licenses were auctioned in the PCS auctions since there were already incumbent licensees . . . using that spectrum.” The auctioned spectrums were 1850–1910 MHz and 1930–1990 MHz. Id.

[60] See Cramton et al., supra note 56, at 660, 668.

[61] Reply Comments of the Los Angeles County Sheriff’s Dept., In the Matter of Redevelopment of Spectrum to Encourage Innovation in the Use of New Telecommunications Technologies, ET Docket No. 92-9 (July 6, 1994), at 2,, archived at

[62] See Cramton et al., supra note 56, at 660–61 (FCC rulemaking for the auction commenced in 1993, and the PCS auctions were carried out in 1995, 1996, and 1997).

[63] See id. at 668–69 (“[T]here have been reports of incumbents demanding premiums of several times actual relocation costs to relocate before the involuntary relocation period.”).

[64] See id. at 663, 666 (noting that in 1997, this voluntary period was shortened to one year).

[65] See id. at 665–66.

[66] See Cramton et al., supra note 56, at 665–66 (noting these negotiation periods and conditions were occasionally fine-tuned by the FCC.).

[67] Evan R. Kwerel & Gregory L. Rosston, An Insiders’ View of FCC Spectrum Auctions, 17 J. Reg. Econ. 253, 275 (2000).

[68] See Cramton et al., supra note 56, at 668.

[69] See id.

[70] See id.

[71] See Federal Commc’n Commission, Seventeenth Report, in Matter of Annual Report and Analysis of Competitive Market Conditions with Respect to Mobile Wireless, Including Commercial Mobile Services 50, WT Docket No. 13-135 (2014),, archived at (estimating there is about 580 MHz of spectrum used for mobile broadband and 120 MHz (PCS spectrum) out of 580 MHz is a little over 20%.).

[72] See Rosston, supra note 5, at 235–36 (“The Commission adopted procedures by which new AWS licensees may relocate incumbent [nonfederal] BRS and fixed microwave service operations in a manner similar to that developed for clearing the PCS band.”); see also Hazlett & Leo, supra note 45, at 1072.

[73] See U.S. Dep’t. Of Commerce, NTIA, Relocation of Federal Radio Systems from the 1710–1755 MHz Spectrum Band, Second Annual Progress Report 2 (Mar. 2009),, archived at (listing those agencies: Department of Agriculture, the Department of Defense, the Department of Energy, the Department of Homeland Security, the Department of Housing and Urban Development, the Department of the Interior, the Department of Justice, the Department of Transportation, the Department of the Treasury, the National Aeronautics and Space Administration, the Tennessee Valley Authority, and the United States Postal Service).

[74] See FCC, Ninth Report and Order and Order in the Matter of Service Rules for Advanced Wireless Services in the 1.7 GHz and 2.1 GHz Bands 5, WT Docket No. 02-352 (Apr. 21, 2006),, archived at

[75] See 47 U.S.C. § 928(c) (2012).

[76] See, e.g., 47 C.F.R. §§ 27.1160; 27.1170 (2015).

[77] U.S. Gov’t Accountability Office, GAO-13-472, Spectrum Management: Federal Relocation Costs and Auction Revenues 16 (2013),, archived at

[78] See id. at 15–16.

[79] See id. at 16.

[80] See Howard Buskirk, NTIA Says Cost of Clearing AWS Spectrum Will Be Below $1 Billion, Comm. Daily (Dec. 29, 2005),, archived at (Estimates for relocation costs and for upgrading technologies like outdated analog surveillance systems varied widely before the auction. On the low end, NTIA projected in a report that the cost of 2,240 frequency assignments across 12 agencies would be $936 million. In 2005, the Congressional Budget Office estimated that costs could run as high as $2.5 billion. Agencies included the Department of Defense (mostly the Navy), Department of Energy, Department of Homeland Security, and Federal Aviation Administration. The Forestry Service had 579 assignments and the Department of Energy had 596.).

[81] See GAO, supra note 75, at 11–12; see generally U.S. Dep’t. Of Commerce, NTIA, Relocation of Federal Radio Systems from the 1710–1755 MHz Spectrum Band, Sixth Annual Progress Report 2–3 (Mar. 2013) [hereinafter NTIA Relocation],, archived at (estimating relocation costs set by the NTIA and Dep’t of Commerce).

[82] See NTIA Relocation, supra note 79, at 1.

[83] Id. at 2.

[84] See U.S. Dep’t. Of Commerce, NTIA, Relocation of Federal Radio Systems from the 1710–1755 MHz Spectrum Band, Fourth Annual Progress Report 2 (Mar. 2011) [hereinafter NTIA Relocation Fourth],, archived at

[85] See U.S. Dep’t. Of Commerce, NTIA, Relocation of Federal Radio Systems from the 1710–1755 MHz Spectrum Band, Fifth Annual Progress Report 2 (Mar. 2012) [hereinafter NTIA Relocation Fifth],, archived at

[86] See NTIA Relocation Fourth, supra note 82, at 2–3; see also NTIA Relocation Fifth, supra note 85, at B-11 (The types of federal wireless systems varied widely in terms of services and relocation costs. The Department of Housing and Urban Development had only five systems, for instance, that transmitted video and communications. The total relocation costs were around $21,000.); Id. at B-14 (The Department of Justice’s Bureau of Alcohol, Tobacco, Firearms and Explosives likewise had five systems (mostly for video communications), but it had many more components, and the estimated relocation outlays totaled over $48 million); Id. at B-16 (The Drug Enforcement Agency had a single system, identified only as “video surveillance,” that was estimated to take three years and $75 million to relocate.); Id. at B-21 (The U.S. Postal Service also had a single video surveillance system consisting of about 500 devices that took one year and $1.8 million to relocate.).

[87] See Dep’t of Commerce, Comments of T-Mobile in the Matter of Relocation of Federal Systems in the 1710–1755 MHz Frequency Band: Review of the Initial Implementation of the Commercial Spectrum Enhancement Act 1, 5, Docket. No. 0906231085-91085-01 (Aug. 21, 2009),, archived at (supporting the idea that some regions were difficult to clear, T-Mobile representatives noted in 2009 to NTIA that “T-Mobile’s launch of service in the AWS band was delayed by several months, if not longer, in many markets. Indeed, even today—nearly three years after Auction No. 66—there are certain parts of the country such as the southeast w[h]ere no wireless carrier has been given access to AWS frequencies. Such delays jeopardize investment, hinder broadband deployment, and harm consumers”).

[88] Dep’t of Commerce, Comments of MetroPCS, In the Matter of Relocation of Federal Systems of 1710-1755 MHz Frequency Band: Review of the Initial Implementation of the Commercial Spectrum Enhancement Act 2, Docket No. 0906231085-91085-01 (Aug. 21, 2009),, archived at

[89] See Comments of T-Mobile, supra note 87, at 5.

[90] Creating Opportunities Through Improved Government Spectrum Efficiency: Hearing Before the Subcomm. on Comm’n & Tech. of H. Comm. on Energy & Commerce, 112th Cong. 6 (2012) (statement of Steve Sharkey, Director, Chief Engineering & Tech. Policy, T-Mobile USA, Inc.); Howard Buskirk, Spectrum Shortfall Tops Concerns at CTIA, But Signs Growing Carriers Might Embrace Sharing, Comm. Daily (May 11, 2012) (“‘I think we’re at the point of let’s get engineers into a room to figure out and solve the problems,’ [Sharkey] said. ‘Neither side has a complete understanding of the way each other’s systems work and operate.’ During AWS-1 clearance when industry first tried to clear spectrum on the West Coast, the immediate reaction of government users was ‘no way, it’s all redlined out and it’ll be a long time,’ [Sharkey] said. ‘But we gave them more information about how our systems really operate and the power levels that they would expect—it cleared up practically a whole coast almost immediately.’”).

[91] See Press Release, T-Mobile USA, Statement on the Conclusion of Bidding in the FCC Auction of Advanced Wireless Services (Sept. 18, 2006),, archived at

[92] See Global View Partners, Mobile Broadband in the Americas: Momentum Building in the AWS Band 14 (2009),, archived at

[93] See Comments of T-Mobile, supra note 87, at 6.

[94] See Katherine Noyes, T-Mobile’s 3G Network Touches Down in NYC, TechNewsWorld (May 5, 2008),, archived at

[95] See Global View Partners, supra note 92, at 14–15.

[96] See FCC, supra note 69, at 50, 62 (showing that the 90 MHz of cleared AWS-1 spectrum constitutes around 15.5% of the total amount (580.5 MHz) of spectrum).

[97] See Bazelon & McHenry, supra note 8, at 13 (attachment A) (discussing the economic costs of delay in the TV broadcaster incentive auction).

[98] See NTIA, U.S. Spectrum Management Policy: Agenda for the Future 6 (1991),, archived at

[99] See Gerald R. Faulhaber, Commentary on “The Spectrum Opportunity: Sharing as the Solution to the Wireless Crunch,” 8 Int’l J. Comm. 116, 119 (2014).

[100] PCAST, supra note 21, at v, ix.

[101] See Thomas W. Hazlett & Brent Skorup, Tragedy of the Regulatory Commons: LightSquared and the Missing Spectrum Rights, 13 Duke L. & Tech. Rev. 1, 21 (2014).

[102] See Jerry Brito, The Spectrum Commons in Theory and Practice, 2007 Stan. Tech. L. Rev. 1, P36–37, P54 (2007).

[103] See, e.g., Hazlett & Skorup, supra note 99, at 3–4 (discussing the LightSquared-GPS dispute); Examination of the Government’s Spectrum Management Process: Hearing Before the Subcomm. on Telecomm. and the Internet of H. Comm. on Energy and Commerce, 107th Cong. 42–43 (2002),, archived at (Ultrawideband (UWB) users struggled for more than a decade to coordinate with federal users, NTIA, and the FCC to share spectrum: “It took 13 years, including three and one half years of intensive efforts, to gain regulatory approval for UWB.”); Brito, supra note 100, at P64 (describing how satellite incumbents objected to the FCC’s exclusion zone sizes when permitting unlicensed devices).

[104] PCAST Report, supra note 21, at 1.

[105] The PCS auctions took place from 1995 to 1997. See Cramton et al., supra note 56, at 660–61. Sprint was the largest bidders and by the end of 1996 had already deployed PCS operations in several major markets, including Washington, D.C. and San Diego, with planned deployments in several more markets by mid-1997. Press Release, Qualcomm, Sprint PCS Launches Advanced Wireless Service in San Diego (Dec. 27, 1996),, archived at T-Mobile was the largest bidder in the 2006 AWS-1 auction and by the end of 2008 had deployed 3G networks that covered over 100 million Americans by using AWS-1 bands. See Global View Partners, supra note 92.

[106] Overlay auctions include the PCS and AWS-1 auctions described supra, as well as smaller auctions like the BRS auction. See Cramton et al., supra note 56, at 660–61; Rosston, supra note 5, at 235–36.

[107] See Hazlett, supra note 22, at 18 (“Overlay licenses empower private [decision] agents, who internalize substantial gains [from spectrum reassignment] . . .These actors not only have superior information and incentives to those of government administrators . . .but they bring a different tool kit to the task at hand. In particular, private firms can write contracts and access capital markets.”).

[108] See GAO, supra note 77, at 24; Paul Barbagallo, For TV “White Spaces,” the Global Outlook is Hopeful but Cautious, Bloomberg BNA (July 16, 2014),, archived at (noting that “spectrum sensing, is still nascent”).

[109] See McDowell, supra note 47.

[110] Thomas W. Hazlett et al., Report to U.S. Chamber of Commerce, Sending the Right Signals: Promoting Competition through Telecommunications Reform 1, 103 (Sept. 2004),, archived at

[111] FCC, supra note 69, at 50 (estimating that there is about 580 MHz of spectrum used for mobile broadband).

[112] CTIA, Annual Wireless Industry Survey, (2015),, archived at

[113] Regulators in the recent past ignored the huge consumer welfare losses that delay inflicts. See Jerry A. Hausman, Valuing the Effect of Regulation on New Services in Telecommunications, 28 Brookings Papers on Econ. Activity: Microeconomics 1, 24 (1997),, archived at (“It appears that delay in cellular service was the commission’s way to avoid confronting a very difficult decision. Potential losses in consumer welfare did not appear to figure into the FCC’s regulatory approach.”).

[114] See, e.g., Thomas Lenard & Lawrence White, Digital Age Communications Act: Report from the New Spectrum Policy Working Group, Tech. Pol’y Inst. 1, 20 (Mar. 2006),, archived at; Dorothy Robyn, Making Waves: Alternative Paths to Flexible Use Spectrum, Aspen Inst. 1, 36 (2015),, archived at (“[The argument against transferable federal spectrum rights] that has gotten the most traction in the spectrum community—is that the ability to retain the proceeds will not motivate federal agencies to transfer their spectrum because of the nature of the budget process . . . . In anticipation of this zero-sum dynamic, agencies would forego the opportunity to trade spectrum for money.”).

[115] See Robyn, supra note 114, at 42.

[116] See Charles Kruly, Self-Funding and Agency Independence, 81 Geo. Wash. L. Rev. 1733, 1737 (2013).

[117] U.S. Gov’t Accountability Office, GAO-02-864, SEC Operations: Implications of Alternative Funding Structures 11–12 (2002),, archived at

[118] See id. at 12–13 (stating that, if self-funding agencies in fact do receive more punitive scrutiny from Congress, the drawbacks are likely diminished in the case of spectrum sales, where agencies are merely supplementing their budgets. Presumably, Congress is more likely to scrutinize totally self-funded agencies than partially self-funded agencies).

[119] Robyn, supra note 12, at 14.

[120] See id.

[121] See Robyn, supra note 114, at 37.

[122] See 10 U.S.C. § 2667(a) (2012); T. Randolph Beard et al., Market Mechanisms and the Efficient Use and Management of Scarce Spectrum Resources, 66 Fed. Comm. L.J. 263, 291 (2013) (stating that leasing spectrum has been proposed, but the government’s inefficient management of spectrum leads scholars to conclude that it is preferable for agencies to sell spectrum rather than to lease it).

[123] See GAO, supra note 55, at 2, 8 (stating that these leases often include revenue sharing between the private developer and the agency).

[124] See id. at 2.

[125] Robyn, supra note 12, at 14.

[126] See Kruly, supra note 116, at 1737.

[127] See Cramton et al., supra note 56, at 664­–65.

[128] Id. at 665.

[129] See generally Lloyd Cohen, Holdouts and Free Riders, 20 J. Legal Stud. 351 (1991),, archived at

[130] See Glen Whitman, Law & Economics Lecture 2: Externalities, Cal. St. Univ. Northridge,, archived at (last visited Jan. 27, 2016).

[131] See Robyn, supra note 114, at 35.

[132] See Cramton et al., supra note 56, at 649–50.

[133] See id. at 658.

[134] See id. at 649.

[135] See Thomas W. Hazlett, Inching Toward Wireless Capitalism, Wall Street J. Europe (Jan. 12, 2004),, archived at

[136] See id.

[137] See id.

[138] See Daniel Fisher, Lightscrewed, Forbes (Jan. 3, 2012),, archived at

[139] See id.

[140] See FCC, Report and Order and Order of Proposed Modification in the Matter of Service Rules for Advanced Wireless Services in the 2000–2020 MHz and 2180–2200 MHz Bands, WT Docket. No. 12-70, 2, 8 (Dec. 11, 2012),, archived at

[141] T-Mobile Lobbies on Wireless Airwaves (Dec. 12, 2007), Yahoo!,, archived at T-Mobile’s lobbyists included those at the Cohen Group, headed by former Clinton defense secretary William Cohen. Id.

[142] Political entrepreneurship admittedly resembles and likely overlaps with the notorious revolving door phenomenon in politics. It is beyond the purposes of this paper to distinguish between damaging rent-seeking and socially beneficial deal-making. Suffice it to say that in some circumstances former insiders, possessing a depth of knowledge that disinterested outsiders cannot reasonably attain, can effect Pareto improvements in regulated industries. The analysis presented supra suggests that Pareto improvements here are fairly easy to identify—it is likely that most transfers of spectrum from agencies to the private sector result in substantial social welfare gains. See also Bazelon & McHenry, supra note 8, at 9 (citing economics research that suggests the consumer benefits generated by spectrum deployed for wireless broadband are 10 to 20 times the value of the spectrum to producers).


Merger and Acquisition Due Diligence Part II – The Devil in the Details

Regulating Healthcare Robots: Maximizing Opportunities While Minimizing Risks

No More Safe Harbor, U.S. Companies Should Tread Lightly

ECJ v. USA 1

By: Corinne Moini,

“Depending on whom you talk to and what month it is, the United States and the European Union are either on the brink of a digital trade war or reaching a historic e-commerce deal.”[1] The current state of disarray between the two parties is due to a landmark European Court of Justice (“ECJ”) decision. More specifically, on October 16, 2015, the ECJ invalidated the fifteen-year U.S.-EU Safe Harbor Framework, a data-storage agreement between the United States and the European Union.[2] The case in which the ECJ’s groundbreaking decision came from is Maximillian Schrems v Data Protection Commissioner.[3] Where Schrems, an Austrian law student, filed a complaint with the Irish Data Protection Commissioner (“DPC”) about Facebook transferring large amounts of his personal information to the United States.[4] The complaint was filed in a post-Snowden era, expressing concern for how little data protection existed against surveillance by the United States.[5] The DPC rejected his complaint and Schrems appealed his claim to the Irish High Court, which was referred to the ECJ for clarifications.[6]

The ECJ issued a much broader holding, answering the immediate question about DPC authority and invalidating the U.S.-EU Safe Harbor Agreement.[7] The ECJ held that the Safe Harbor agreement does not provide adequate protection. This agreement allowed American companies “to self-certify” that they were providing “adequate protection” for the data of European users.[8] The Court suggests that the Safe Harbor agreement “enables interference, by United States public authorities, with the fundamental rights of persons,”[9] and to permit this agreement to continue would be “compromising the essences of the fundamental respect for private life…and of the fundamental right to the rule of law.”[10]

Even more unsettling to the United States, is the looming legal enforcement against American companies, if they do not implement protections that align with European data security laws. The Working Party 29, an association of European Data Protection Commissioners,[11] has threatened to begin legal enforcement after February 1, 2016, if a new agreement between the two parties cannot be made.[12] The end of the safe harbor agreement affects over 4,000 U.S. companies that outsource data from the EU to the United States.[13] As we are entering the third week of February, it is clear that deadline for a new agreement has passed. However, the European national data protection agencies have delayed legal enforcement against American companies because the European Commission announced a tentative agreement called the EU-U.S. Privacy Shield.[14] The deal makes several changes to the previous agreement; but most of which are “toothless…including expedited dispute resolution requirements, [and] [additional] layers of annual reviews and expand[ed] privacy bureaucracies at both the Department of Commerce and the Federal Trade Commission.”[15] The European data agencies are currently reviewing the EU-U.S. Privacy Shield and anticipate a decision regarding the new agreement by the end of March. Until then U.S., privacy lawyers remain wary. Brian Hengesbaugh, a lawyer at Baker & McKenzie, who helped negotiate the original safe harbor deal in 2000, commented, that “the ruling is so sweepingly broad that any mechanism used to transfer data from Europe could be under threat.”[16] For now, American companies that collect data from the EU should implement new data protection laws and tread lightly.


[1] Abraham Newman, After Safe Harbor: Bridging the EU-U.S. Data-Privacy Divide, World Politics Review (Feb. 9, 2016),

[2] See U.S.-EU Safe Harbor Framework, Federal Trade Comm’n, (last updated Nov. 6, 2015).

[3] See Case C-362/14, Maximillian Schrems v. Irish Data Protection Commissioner, InfoCuria, (last visited Feb. 15, 2016).

[4] See id.

[5] See Max Schrems v Irish Data Protection Commissioner (Safe Harbor), Elec. Privacy Info. Ctr., (last visited Feb 15, 2016).

[6] See id.

[7] See Donald G. Aplin, Views on the Invalidation of the U.S.-EU Safe Harbor From James H. Koenig, Of Counsel, Paul Hastings, Bloomberg BNA (Nov. 23, 2015)

[8] BBC

[9] Press Release, Court of Justice of the European Union, The Court of Justice declares that the Commission’s US Safe Harbour Decision is Invalid (Oct. 6, 2015)
(available at

[10] Id.

[11] See EU Data Protection Directive, Elec. Privacy Info. Ctr., (last visited Feb 15, 2016).

[12] See Kelli Clark, The EU Safe Harbor Agreement Is Dead, Here’s What To Do About It, Forbes (Oct. 27, 2015)

[13] See Mark Scott, Data Transfer Pact Between U.S. and Europe Is Ruled Invalid, NY Times (Oct. 6, 2015)

[14] Press Release, European Commission, EU Commission and United States agree on new framework for transatlantic data flows: EU-US Privacy Shield (Feb. 2, 2016)

[15] Larry Downes, The Business Implications of the EU-U.S. “Privacy Shield,” Harvard Business Review (Feb. 10, 2016)

[16] Mark Scott, supra note 12.


Photo Source:

Page 1 of 16

Powered by WordPress & Theme by Anders Norén