REMINDER: Massachusetts Privacy Regulations Launch March 1st. Here is what you need to know.

There are only two weeks left to comply with the new Massachusetts privacy regulations.  And before you think that they won't apply to you, think again. I have written before about the new privacy regulations, which will be the toughest and most aggressive privacy rules in the country.  Even though the process has been long and included delays and adjustments, the regs are finally going into effect on March 1st.  And you don't have to be in Massachusetts to worry about them; the new rules will apply to anyone - whether based in Massachusetts or not - that holds certain information about Massachusetts residents.  As a review, here is what you need to know:

Who is covered?

The new law covers any individual, corporation, association, partnership, or other legal entity that handles a Massachusetts resident's personal information in connection with employment or with the provision of goods or services, as long as that information is not otherwise publicly available.  The personal information described here means a Massachusetts resident's name (first name and last name or first initial and last name) in combination with that resident's Social Security number, a driver's license or state ID number, or a financial account or credit card number.

What is required?

Those who are covered must create a comprehensive written information security program (a "WISP") to safeguard the information.  The WISP need only be appropriate to the size, scope, and type of operation the person or business is engaging in, the amount of resources available, the amount of the stored data, and the need for security and confidentiality, but that still means that most people will need to make some adjustments. Your WISP must cover:

  1. Designation of someone to maintain the WISP.
  2. Identifying and assessing reasonably foreseeable risks (both internal and external) to the confidentiality of the information whether on paper or electronic, and continually evaluating and improving the effectiveness of the safeguards through employee training and means of detecting and preventing security system failures.
  3. Developing security policies for the way the information is stored, accessed, and transported outside of business premises, and especially for the way the information is stored or transmitted on computers or wireless systems, including email.
  4. Imposing disciplinary measures for violations of the WISP rules.
  5. Taking reasonable steps to ensure that third-party service providers are capable of maintaining similar protections and requiring them by contract to implement and maintain appropriate security measures.

What kind of protection is necessary?

For paper records, you must provide for secure storage of materials containing personal information, such as physical restrictions (e.g., storage in locked storage facilities or containers) and limiting access.

For electronic records, the WISP must include, to the extent technically feasible, a system to secure control of user IDs, password selection and control, and restricting access to active users.  In addition, all electronic personal information transmitted wirelessly or across a public network, and all personal information stored on a laptop or other portable device must be encrypted.  It is important to note that encryption for this purpose does not mean password protection; the regulation requires the information to be transformed into a "form in which meaning cannot be assigned".  In other words, the information must be unreadable.  Password protection alone does not satisfy the requirement.

Are there standard procedures to follow?

The quick answer is no - each person or company needs to come up with unique procedures and safeguards that are both reasonable and feasible for its specific operation.  A large company will necessarily have more detailed procedures than a smaller company, and one industry may be held to a different standard than another on a case-by-case basis.  Your current procedures may be a good starting point and may, in some cases, already comply with the new requirements.  There is ambiguity in the law's use of the terms "technically feasible" and "reasonable" that leaves latitude for the specific terms of compliance.  Some of these will be clarified over time through lawsuits and enforcement actions, which simply reinforces the need to re-evaluate your program over time.

However, that ambiguity should not be confused with making compliance optional.  There are real consequences including lawsuits for breaches and in some cases civil penalties and fines imposed for each violation.

The bottom line is that you need to take this new Massachusetts law seriously, even if you are not in Massachusetts.  But you can mitigate the risk by establishing these minimum standards to safeguard the personal information and prevent unauthorized access.

Here are some additional resources for information on the regulations:

What Are the Essential Components of a Business Plan?

As I prepare to mentor teams from MIT Sloan as part of the Business Plan Contest of its 100k Competition this month, I was thinking about what companies need to produce.  Business plans out there vary from a single page summary to an excruciatingly long dissertation.  The key to a good business plan is to only have the information you need and forget the rest.  Easier said than done though. However, here are some thoughts for companies as they are preparing their plans.  You can see an overview from some very recognizable entrepreneurs in this video.  The entrepreneurs here stress that the market itself, due primarily to the growth of the Internet, is different today than it was in the past, so the model for preparing a business plan is different.  The key is to know the market and have a good idea.  As Marc Andreessen, founder of Netscape turned venture capitalist, notes:

The process of planning ... is very valuable, but the actual plan that results from it is probably worthless.

And as summed up by Kevin Ryan, CEO of DoubleClick, the questions you have to ask to create a good business plan are (1) is this market big enough, (2) do we have a good idea, and (3) do we have good people.

So what should be included?

HubSpot founders Brian Halligan and Dharmesh Shah also have abandoned the large, detailed business plan because once you start showing it to investors, it won't last.  If you have put all of this effort into a 50-page business plan, you either have to throw much of it out as it evolves, or you will be so invested in it that you won't want to change the plan.  Neither result is a happy one for an entrepreneur.  They prefer to think of the "business plan" as a set of three items:

  1. a PowerPoint deck describing the business and team
  2. An executive summary of the target market and business (see more below)
  3. A three-year pro forma profit & loss document

In the early stages of development and the first round of financing, investors are mostly looking at the team and what they are going to do.  It is only when you get into the later stages of financing that detailed financial data become important.  So focus on the market and the concept rather than getting lost in a complicated document.

For the summary, investors will be looking for the following:

  1. The Team.  The people who will be running the business and developing the product are key.  The best startup teams will feature a mix of strengths working together.
  2. The Market.  You need to describe the size of the target market and the environment to show that you will have customers and they are currently being underserved.  However, no business plan should say that the market is unlimited and there are no competitors.  Be realistic.
  3. Your Product.  What is unique about the product or service you are providing?  If you have trouble describing it, you will have trouble with Item #2.
  4. Money and Forecasts.  Give a reasonable view of what you expect your financials to look like for the next few years (again, understanding that this estimate will change) and provide guidelines of what you see as development and customer relationship milestones to meet along the way.

See my previous post for another perspective.

The key to all of this is to show that you have thought through your plan realistically but are ready to adjust when it inevitably changes.

What has been your experience with preparing business plans?  What have you found works or does not work?

Can Law Firms Act Like Startups?

Listening to a great webinar by Brian Halligan and Dharmesh Shah about "Money, Marketing, & Management with the HubSpot Founders", I was reminded about a discussion that has been floating around the Web recently and on this blog as well.  Can law firms act more like startups? One of the themes in the webinar was how companies (particularly a tech startup like HubSpot) should change the typical management philosophy in order to grow and thrive.  Among other things (and to paraphrase a bit):

  1. An organization should break down the pyramid and flatten the org chart.
  2. Extend the "open door" policy to eliminate doors altogether.
  3. Trust your employees and don't try to over-structure company policies.
  4. Be transparent and include your employees.

So everyone sits together and moves around every three months.  Online collaboration tools allow employees to contribute to tools, products, and presentations.  Employees are given latitude and flexibility, which drive productivity.  These things work well in a tech startup where the emphasis is on agility and growth, but does that lend itself to a more "traditional" setting like a law firm?

Why not?

Large law firms have traditionally employed a pyramid structure - from the large pool of new associates at the bottom up to the very few managing partners on top.  Nothing is transparent and firm policies are monitored very closely.  Deals at large law firms get staffed with a range of partners and associates, which is sometimes more beneficial for the growth of the law firm (and higher bills) than for the sake of the deal.

Recently though, driven in part by a changing economy, clients, VCs, and even lawyers have reacted negatively to this seemingly outdated structure and have called for some changes.  As companies evolve, shouldn't their law firms?

I have seen a number of new firms pop up in the last few years that seem to embrace this new model - my firm, Trinity Law Group, is one of them - by leveraging technology to focus on clients rather than high-rent office space, billable hours, and expensive marketing.  By emulating the companies we represent, law firms can provide better value while adapting to a 21st century business model.

What do you think?  Have you noticed a change in the way you interact with your lawyers?

"Is VC Past Its Prime?" or "Five Things I learned at the MIT VC Conference"

The keynote speaker at the MIT VC Conference, Alan Patricof of Greycroft Partners, was clear:  venture capital funds are getting 'inappropriately' large and change is coming.  Mr. Patricof is a legendary pioneer in the VC world (but note: while he is fine with being termed a "generational figure", compare him to Bono or Sting but never Tony Bennett), but the current market is not sustainable.  Because of the investment metrics and their need for certain returns, LPs writing larger checks means that VCs are forced to make larger investments into companies that don't need that much money.  The prevailing winds in the VC industry are heading toward capital efficiency and VC2.0, which he summed up as: "small is beautiful".  VCs, said Patricof, need smaller, more targeted investing; smaller funds will find the most success in this economy.

Overall, the MIT VC Conference was, in my view, a big success.  MIT always does a great job bringing together talented and accomplished speakers and attendees to advance learning.  And it is always good to reconnect with friends in the industry as well as many new faces.  While I could go on at some length about the information presented at the conference, here are a few points that I thought were valuable:

  1. Capital Efficiency is Key.  As Alan Patricof noted in the keynote, which was echoed by several of the presenters, the trend of ever increasing VC funds is not sustainable.  Oversized funds investing $20-50MM in companies will become the exception rather than the trend.  The current economic environment will force VCs to focus on targeting their investments and using more discipline.  That could be good news for early stage companies.  I will note that not all of the VCs on the panels agreed that funds are too large.  Some argued that they invest their funds in different ways, or have founded new efforts like Dogpatch Labs or Start@Spark to bring seed capital to startups, but nonetheless did agree that the market is applying new pressures on VCs.
  2. Will This Bring New Relief to the Funding Gap? The effect of this pressure on VCs in relation to angel investors was touched upon at the conference, but will likely be looked at in more detail as the market develops.  As VC funds increased in size over the past few years and angel investors increasingly formed angel groups to invest larger amounts, a capital gap increased for early stage companies struggling to locate seed funding.  If VCs retreat to smaller funds, angel groups may have to do the same, which may alleviate the situation and provide much needed seed capital to entrepreneurs.
  3. Entrepreneurs Need to Focus on the Problem.  More discipline in the VC market means that entrepreneurs will need to be ready.  As Rich Wong of Accel Partners noted, it is not enough to pitch the next best thing as a solution - VCs need more than just a cool app.  To paraphrase, "entrepreneurs need to spend more time on articulating the problem rather than just pitching the solution".  If you are not focused on solving a problem, your solution will come up short.  True.
  4. Mobile Hardware Doesn't Matter.  An interesting discussion about the future of mobile devices showed that in the greater scheme of things, mobile hardware design is not the future - unless of course it solves a new problem.  Humphrey Chen of Verizon noted that it has 66 mobile devices in its catalog, each of which is pretty similar in functionality in relation to its competitors.  But that means there are 66 different ways for which developers have to design solutions.  That is not sustainable.  As mobile communications develop and people begin to move more services into the cloud, your mobile device will not matter as much.  It is the software that will drive innovation.  But even there, where apps are currently selling for an average price of $2.78, innovation is needed to propel the industry forward.  John Backus of New Atlantic Ventures noted that the current "chaos in the mobile market is a great fertile opportunity for entrepreneurs".
  5. Be Bold, Fail Fast.  ChaCha CEO Scott Jones presented important tips for entrepreneurs to remember: you have to be bold in your vision and be sure to fail fast.  Don't be afraid to try new things.  If they don't work, stop doing them.  But also be willing to come back to them later - maybe it was the timing that wasn't right.  The key is that entrepreneurs need to be focused on solving problems and taking risks to provide the right solutions.
  6. Oh, and HubSpot can really throw a party.  Thanks Brian and Dharmesh!

What do you think?  Is venture capital working for entrepreneurs?  Can something new provide a better solution?

Can a Court Rewrite Your LLC Agreement? You Might Be Surprised.

What do you do if you never put a limited liability company operating agreement on paper?  In some cases, the answer may be decided against your wishes by a court. I was recently speaking with a small business owner who ran into trouble with the other member of his limited liability company.  The two had formed the LLC six years ago by filing with the Commonwealth but never put an operating agreement on paper.  However, he indicated that they had an oral agreement on a variety of things that would normally be in an operating agreement - how the LLC is managed, how the profits and losses are divided, how to buy out a member who leaves, etc.  Now he wanted to use some of those agreements to resolve the conflict.

In Massachusetts (as well as many other states), a written operating agreement is not required; members can have an oral agreement on how their company is structured and operated.  But that flexibility can bring risk.  Here's why.

States have a common law concept called the "statute of frauds".  (For those of you whose eyes are immediately starting to glaze over at the sight of technical legal talk, you can skip to the paragraph that begins "So what does this mean for your company?" to understand the practical implications.) State laws vary, but generally the statute of frauds states that certain contracts must be in writing and signed if you are going to enforce them.  In addition to other things, this common law principle includes any contract that cannot by its terms be performed within a year.  Note that an agreement that happens to take more than a year is not automatically subject unless the agreement specifically states that it will take more than a year.  If so, the contract is not automatically void, but one party can raise the statute of frauds in order to have the contract voided.  Remember that this is a complex topic because there are some exceptions, but as a general principle, long-term unwritten agreements carry some uncertainty.

This issue became much more relevant to LLCs last year when the Delaware Chancery Court ruled that an oral LLC agreement was subject to the statute of frauds.  In Olson v. Halvorsen, C.A. No. 1884-VCL (Del. Ch. Dec. 22, 2008), a hedge fund founder who was removed by the other members demanded that the court enforce a multi-year earnout agreement that was included in their unsigned draft of an LLC agreement - an earnout worth well over $100 million!  The court held that because the earnout was to be paid over the course of six years, it falls within the statute of frauds and was therefore unenforceable.  The former hedge fund manager's claim for the payout was rejected.

The applicability of this case in Delaware adds some uncertainty to the operating agreements of LLCs formed there.  Other states, including Massachusetts, have yet to decide this issue definitively, but the Delaware courts often serve as a model for other courts when they are facing corporate and LLC issues.  So this decision may eventually have implications for your agreement.

So what does this mean for your company? If your LLC is operating under an oral operating agreement, many of the provisions with respect to management and such may be enforceable because they can be performed within a year.  However, as the court decided in Delaware, if you have an oral agreement with the other members that entitles you to some benefit that extends beyond one year, you may lose that right in a dispute.  For example, if the members agree that if you were to be hit by a bus tomorrow, the other members would buy back your membership interest with installment payments over five years, the other members might be able to successfully void that provision upon your untimely demise under the statute of frauds.

So here are some tips with respect to operating agreements in light of this case law:

  1. Put your LLC operating agreement in writing.  Operating Agreements do not have to be fancy.  You can write the provisions of your agreement in any way that expresses the true intent of the parties.  Working with a lawyer may help save a tremendous amount of agony since they have experience in drafting agreements that will be enforceable.  But don't get caught up in the formalities - just get it in writing.
  2. Make sure everyone signs the agreement.  A critical element of the statute of frauds is that the agreement must be signed by the person against whom it will be enforced.  As in the Olson case described above, the members wrote out the provisions of an agreement, but the courts did not enforce it because the parties never signed it.  I have dealt with other situations where clients "forget" to sign a document.  It may be easily overlooked at the end of a negotiation, but it is a critical issue to protecting your rights.
  3. Revisit your agreement periodically.  Companies that have been operating for several years might be surprised by what is in their operating agreements because the needs of the members and the company may change over time.  This is even more important if you are operating with an oral agreement.  After a few years, the members may have very different recollections of your agreement, which may lead to messy disputes down the road.  I would recommend that you take a fresh look at your agreement annually when you have an annual meeting.