Ten Things: Ten Questions the Legal Department Should Ask the Business Right Now (2026 Edition)

Hello everyone and hello 2026!  It’s time to kick off another year of “Ten Things You Need to Know as In-House Counsel.”  For a number of years, I started January with my “essential issues” for in-house lawyers post, i.e., things I thought were important for in-house lawyers to watch out for over the upcoming year.  It was something I did as general counsel; a good exercise to go through to help put the legal department at the front of the pack when it came to spotting risk and opportunity for the company. Last year, I changed things up and did my first “New Year’s resolutions” for in-house lawyers where I set out a number of things in-house lawyers could do over the course of the year to make themselves better lawyers and more valuable to the department (and the company).[1]  I enjoyed that one, but since I like to mix things up, I am going to try out something different again this year.

I want to go back to the basics of being an in-house lawyer.  For me, that means being attuned to what is going on at the company and asking lots of questions.  Questions are often the most important tool in your in-house survival kit.  The right questions at the right time can reveal problems that can get solved before they become big problems. Nipping things in the bud is an undervalued skill most in-house lawyers bring to the table.  I think it’s undervalued because many legal departments don’t know how to market why their early intervention is so valuable to the business.  You can find out more about how to solve that problem by reading my post on how to market the legal department.[2]  Besides marketing skills, in-house lawyers need to spend time thinking about what types of problems may be lurking out there that can cost a lot of blood and treasure to fix.  In other words, what questions should I be asking the business here in January 2026?  This is the difference between legal being the brake pedal (reactive) vs. the gas pedal (proactive).  You want to be the latter!  I have been thinking about this over the past several weeks and have come up with a list of questions that I think all in-house lawyers should be asking the business right now.  This edition of “Ten Things” sets those questions out for you, along with why they matter (to legal and to the business) and, more importantly, potential next steps:

1.  Are we texting customers?  The Telephone Consumer Protection Act (TCPA) is one of the most heavily litigated consumer protection laws in the U.S. In short, it regulates telemarketing, automated calls, and text messages, requiring companies to obtain “prior express consent” before using an autodialer or sending a text message. TCPA compliance intersects with the CAN-SPAM Act and the ever-growing list of comprehensive state privacy laws, which may contain more stringent provisions for electronic communications.  Failure to comply with TCPA requirements can lead to big problems:

  • Statutory damages ($500 per violation, trebled to $1,500 if found willful or knowing).
  • Class actions (plaintiffs’ attorneys often aggregate claims into class actions, looking for big paydays).
  • Regulatory Investigations (the FCC can impose fines and mandate corrective action for systemic violations).
  • Vicarious liability (e.g., businesses can be held liable for texts sent by third-party marketers or platforms acting on their behalf).
  • “Evolving” definitions (courts and regulators frequently change their interpretation of the law, which means compliance programs must evolve in real time).

These legal risks translate directly into operational and strategic concerns for the business.  In particular:

  • Reputational harm, where even allegations of spam or unwanted messages can damage customer relationships. Negative media coverage or social media backlash can linger long after the legal matter is resolved.
  • Revenue impact, e.g., marketing campaigns may need to be paused or scrapped if compliance is in question, directly impacting sales and revenue plans.
  • Vendor management, i.e., where improper practices by third-party vendors can create liability even though the company controls them only indirectly (vendor contracts that lack indemnification or audit provisions can result in uncovered exposure).
  • Lost opportunity, i.e., the fear of non-compliance may prevent the business from exploring new (but compliant) ways to engage with customers via text or app-based messaging.

Since text message marketing is exploding, it’s time for the legal department to ask the right questions and take the following steps:

  • Inventory all systems used to send messages (marketing automation, CRM, SMS tools) and identify how consent is collected, stored, and retrieved. This includes any integrations with third-party tools and communication platforms.
  • Create or update a TCPA-specific compliance policy covering consent collection, opt-outs, recordkeeping, and vendor oversight.
  • Revise third-party marketing agreements to include TCPA compliance clauses, indemnification, and audit rights.
  • Regularly train employees in marketing, legal, and customer engagement teams on TCPA requirements and company procedures.
  • Assign someone (within legal or compliance) to monitor regulatory updates and case law developments related to TCPA and state-level statutes, like Florida’s Mini-TCPA.[3]
  • Develop a crisis response plan in case of a TCPA lawsuit (and have go-to TCPA counsel identified in advance).
  • Determine if you have insurance to cover a TCPA issue and, if not, should you?

2. Are we engaging sales reps outside the US?  The Foreign Corrupt Practices Act (FCPA) prohibits U.S. companies and individuals from bribing foreign government officials to gain a business advantage.[4] This includes direct payments as well as indirect payments or other actions through third parties like local sales reps, distributors, and agents. The FCPA’s two main components, the anti-bribery provisions and the accounting provisions, both apply extraterritorially. U.S. enforcement agencies, the Department of Justice (DOJ) and the Securities and Exchange Commission (SEC), vigorously pursue violations,[5] and international cooperation among regulators is increasing.

Many U.S. companies actively market in foreign countries and often use local representatives on the ground (“sales reps”) vs. their own employees.  While employees are certainly capable of violating the FCPA, the risk goes up dramatically when using foreign nationals to sell your products.  Since companies are liable for the actions of their sales reps, if things go wrong, then you are looking at:

  • Criminal and civil penalties where fines can reach tens or hundreds of millions of dollars. Individuals may face prison time.
  • Enforcement across borders, i.e., even actions taken entirely abroad by foreign intermediaries can create liability.
  • Books and records violations, where failing to document, or falsely accounting for, bribes can constitute a standalone FCPA violation.[6]
  • Successor liability, i.e., acquiring companies inherit the target’s FCPA exposure, making due diligence critical.

The business risks are equally scary:

  • Operational disruption because investigations and audits often paralyze operations and require diversion of leadership and legal resources.
  • Reputational damage when accusations of corruption, even without a conviction, can lead to lost business, a tarnished brand, and stakeholder dissatisfaction.
  • Restricted market access, i.e., FCPA enforcement may lead to debarment from bidding on government contracts or securing local licenses.
  • Compliance costs such as post-incident remediation, e.g., monitorships, new policies, and employee re-training, can be very costly.

Since the company can be liable for the actions of third parties it engages, it is critical that the legal department start asking questions now to ensure you have a compliance plan designed to prevent problems, detect problems, and document that the company has been doing the “right things” to comply.  Consider the following:

  • Real-time risk-based due diligence (before engaging a sales rep). Not all sales reps are equal. Be extra leery when they (i) operate in high-corruption countries; (ii) interact with government customers or regulators; (iii) request unusual compensation (large commissions, cash, offshore payments); or (iv) are recommended by a government official.
  • Practical steps to ensure compliance: (i) background checks (ownership, reputation, sanctions, political connections); (ii) identify beneficial owners; (iii) ask directly about government relationships; and (iv) document why the company is comfortable hiring the sales rep.
  • Your contract is a compliance control tool and it should contain: (i) explicit anti-bribery and FCPA representations; (ii) a commitment to comply with local anti-corruption laws; (iii) audit rights over books and payments; (iv) the right to terminate immediately for violations; and (v) no sub-agents without written approval.
  • Structure sales rep compensation to reduce risk: (i) reasonable, market-based commissions; (ii) pay into the sales rep’s home-country bank account so there is a clear audit trail; (iii) no cash, no “facilitation” funds, and no offshore shell companies; and (iv) payments only after documented services performed.
  • Train everyone at your company and your sales reps because they should know what the FCPA prohibits and that bribes can include gifts, travel, jobs, donations.  Your employees should know how to work with sales reps, how to escalate concerns, and when to say “no” – even if it costs a deal.
  • Monitor continuously (not just at onboarding).  This includes: (i) periodic re-due diligence; (ii) reviewing invoices and expenses; (iii) auditing “high-risk” reps (and refreshing certifications annually); and (iv) investigating rumors or complaints immediately.

3. How are we classifying exempt/non-exempt employees? Employee classification is governed by the Fair Labor Standards Act (FLSA) and parallel state labor laws. The FLSA requires most employees in the United States to be paid at least the federal minimum wage and overtime pay at time-and-a-half for hours worked over 40 in a workweek, unless they qualify for an exemption. The most common exemptions apply to executive, administrative, professional, outside sales, and certain computer employees, with strict criteria for salary level, salary basis, and job duties.  State laws can be more stringent. For example, California imposes higher salary thresholds and more detailed job duty tests than federal law. In-house counsel (working with HR) must keep abreast of both federal and local requirements.  If you get it wrong, then bad things can happen quickly, including:

  • Wage and hour violations, i.e., misclassified employees may be entitled to back pay, unpaid overtime, and penalties (and you may owe employment taxes and penalties as well).
  • Misclassification of employees that leads to class or collective actions, significantly magnifying exposure.
  • Department of Labor audits and investigations which may result in fines and the imposition of mandatory compliance measures.
  • Employees who report misclassification and are penalized by the company can file retaliation lawsuits.

On the business side, improper classification can mean:

  • Financial exposure where legal settlements and penalties can reach millions of dollars (not including litigation costs).
  • Disrupted business operations, i.e., investigations or reclassification efforts may impact team structure, performance expectations, and payroll systems.
  • Inconsistent treatment, i.e., without standardized classification processes, departments may apply the rules differently, leading to the same job being classified differently in different parts of the company.

The best place to start is with the HR department, asking them about how the company classifies its employees.  This will likely lead to plans for:

  • A classification audit (partner with HR and employment counsel to review current roles and classifications. Use benchmarks and up-to-date regulatory guidance).
  • Job description alignment (ensure that written job descriptions accurately reflect actual duties, not aspirational roles).
  • Policy updates (develop a written classification policy with clearly defined criteria and documentation requirements).
  • Training and education (train HR personnel, people managers, and payroll staff to understand the distinctions and compliance requirements).
  • Corrective action (where errors are found, remediate quickly through reclassification, retroactive pay, or – potentially – voluntary self-reporting).

4. Have we audited our use of independent contractors? Employers like to use independent contractors because they are generally less expensive than hiring a W-2 employee.  But, there are lots of pitfalls for the unwary.  For example, independent contractor classification is governed by a tricky[7] web of federal and state laws. The IRS applies a control-based test (behavioral, financial, and relationship factors), while the DOL uses an “economic realities” test to determine whether a worker is economically dependent on the company. Several states impose even stricter requirements. These tests all look beyond labels and contracts to the actual substance of the working relationship.  Factors include whether the individual sets their own hours, provides their own tools, works for multiple clients, bears the risk of profit or loss, and so on.  If you treat an independent contractor like an employee (a common error by managers), then the company faces:

  • Tax exposure if the IRS reclassifies workers and seeks back taxes, including income tax withholding, Social Security, and Medicare contributions, plus interest and penalties.
  • Benefits liability, i.e., misclassified workers may claim entitlement to health insurance, retirement plans, paid leave, and unemployment benefits.
  • Wage and hour claims where individuals may seek unpaid overtime, rest breaks, and other protections afforded to employees.
  • Retroactive reclassification where audits or lawsuits can result in multi-year reclassification and retroactive liability with big dollars on the line.

The business side of the pain is not any better.  Companies often face:

  • Costly settlements, i.e., misclassification settlements have cost companies millions, particularly in industries that rely heavily on gig or project-based labor.
  • Reputational harm, where accusations of “gaming the system” or exploiting workers can attract media scrutiny and harm employer branding.
  • IP ownership gaps, i.e., without proper contractor agreements, companies may not own the work product, leading to downstream IP disputes.
  • Insurance and indemnity gaps where many policies exclude coverage for misclassification risks or claims by reclassified workers.

This all means that one of the most important questions you can ask the business this year is about how the company is using independent contractors.  Depending on the answer:

  • Conduct a detailed audit of all independent contractor engagements. Categorize by function, geography, and control factors.
  • Apply relevant federal and state tests (e.g., IRS 20-factor test, ABC test) to determine risk level.
  • Update independent contractor agreements to include IP assignment, work-for-hire, confidentiality, non-solicit, no benefits language, and clear scope of work.
  • Require contractors to certify their independent status, use corporate vendors where possible (vs. engaging individuals directly), and submit the correct (1099) tax documentation.
  • Where contractor roles are high-risk or long-term, consider converting them to employee status.
  • If using staffing agencies or platforms, review their classification and indemnity frameworks.
  • Educate hiring managers, finance, and HR on classification standards and the risks of informal arrangements.
  • Establish periodic reviews of contractor usage, especially as roles evolve over time.  Set a trigger for any independent contractor who is providing services for a year or more – a big red flag.

5. When was the last time we tested our data breach response plan?  Data privacy and cybersecurity laws impose strict requirements for breach notification, incident response timelines, and internal preparedness.  Under GDPR, for example, controllers must notify regulators within 72 hours of becoming aware of a breach. Many U.S. state laws impose similar timing obligations and require notification to consumers if their personal information is compromised. SEC regulations now require disclosure of material cybersecurity incidents affecting public companies.  A data breach can also lead to regulatory fines, litigation, breach of contract, and a host of other problems.  And, when disaster strikes, it can overwhelm even the best legal departments.  This is why a data breach/crisis response plan is so important.  Equally important is asking whether the business is regularly testing and updating the plan.

There are many non-legal risks as well:

  • Mishandling a crisis can result in long-lasting brand damage, customer churn, and negative media cycles.
  • Breaches (and crises) often disrupt normal operations, delaying projects, stalling sales, and swallowing executive bandwidth.
  • Breaches may expose customer data or violate vendor agreements, potentially triggering indemnity obligations or contract terminations.
  • For public companies, disclosure of data breaches can affect valuation, investor confidence, and shareholder litigation risk.
  • Unprepared or ill-prepared responses may jeopardize cyber insurance coverage and hand plaintiffs’ counsel a road map to success, increasing financial exposure for the company.

Fortunately, the next steps are pretty straightforward.  If you do not have a data breach response plan, it’s time to put one in place.  And regardless of whether the plan is new or a decade old, you must do the following:

  • Conduct annual “table top” simulations involving IT, legal, compliance, communications, and executive teams.
  • Ensure key vendors (cloud services, data processors, PR firms) are integrated into your planning and have SLAs that support compliance deadlines.
  • Develop templates and a legal review process for breach notifications. Identify thresholds for notifying regulators vs. individuals.
  • Review your cyber insurance policy’s terms, notification requirements, and exclusions.[8] Ensure your incident response procedures align with insurer expectations.
  • Train staff across all levels on breach awareness, phishing prevention, and immediate response procedures.[9]
  • Ensure your technical infrastructure supports breach detection, evidence preservation, and regulatory reporting requirements.
  • After real or simulated events, conduct a root-cause (post-mortem) analysis and use lessons learned to improve future preparedness.  Review and refine your incident response and crisis management playbook based on what you found.

6. Have we recently reviewed our website terms of use?  Terms of use are often treated as “set and forget” documents, and sometimes years pass between reviews.  This is a mistake because for many businesses, their website is a primary customer touchpoint, a sales channel, and a data collection engine. If the terms governing it are outdated, inconsistent, or not in sync with how the business actually operates, the legal exposure can be significant.  For in-house counsel, asking whether the terms of use have been reviewed recently can surface hidden risk across regulatory compliance, litigation exposure, and operational change.  This is true because:

  • The law evolves quickly. Consumer protection, privacy, accessibility, and digital contracting laws change frequently. Terms that were compliant a few years ago may now be unenforceable or non-compliant, particularly where the business operates across multiple jurisdictions.
  • The business rarely stands still. New products, subscription models, online payments, AI-driven features, user-generated content, or international expansion can quietly push the website beyond the scope of its existing terms. When the website terms no longer reflect how the business actually operates, courts tend to side with what users actually experience and not what you wrote in the terms of use.
  • Inconsistencies create risk. Website terms of use often sit alongside privacy policies, sales terms, marketing claims, and customer contracts. Inconsistencies between these documents can weaken limitation-of-liability provisions, undermine dispute resolution clauses, or create ambiguity that plaintiffs and regulators are quick to exploit.
  • Enforcement risk is real. Regulators (think FTC or state attorneys general), plaintiff firms, and even competitors routinely review online terms. Poorly drafted or outdated terms can invite regulatory scrutiny, class action exposure, or reputational damage with very little warning.

Once the question is asked, here’s what you do next:

  • Identify who owns website content and updates (often marketing, product, or IT) and ensure the legal department is embedded in change management rather than reviewing changes after launch.
  • Compare the terms of use against how the website actually operates today, including data collection, cookies, payments, third-party tools, AI features, and user-generated content.
  • Make sure every link in the terms of use works and takes the user to the correct place (and that the materials on that landing page are current and accurate).
  • Reassess arbitration provisions, class action waivers, jury waivers, forum selection, and limitations on damages to confirm they reflect current law, align with the company’s risk appetite, and are consistent across related agreements.
  • Confirm that users receive clear notice of the terms and that acceptance mechanisms (clickwrap over browserwrap,[10] sign-up flows, or account creation processes) support enforceability.
  • Ensure consumer rights language, disclaimers, and disclosures reflect current law in all relevant jurisdictions and not just the company’s home market.
  • Review the terms of use yearly, and establish review triggers tied to product launches, geographic expansion, regulatory change, or litigation trends.

7. Are employees using generative AI and, if so, how? The rise of generative AI (GenAI) platforms like ChatGPT, Claude, and others has introduced new legal challenges that strain (or even break) traditional governance structures. Key AI legal issues include intellectual property (IP) ownership and infringement, data privacy, confidentiality, regulatory compliance, and liability for the output generated by AI tools.  For example, uploading sensitive or proprietary company data to public AI tools may result in inadvertent disclosure or even public training on that data.[11] In regulated industries, using AI for decision-making (e.g., in hiring, lending, or healthcare) may violate anti-discrimination laws.

Many businesses are simply lost at the moment as to what to do, even though the risk of problems is great.  The list of risks includes:

  • Employees may be using GenAI tools without approval or oversight (shadow AI), exposing the organization to unknown risks.
  • Overreliance on AI-generated work product (without proper supervision or human intervention) may lead to big errors, inaccuracies, or misleading information being used in external communication or decision-making.
  • Relying on – and contracting with – third-party AI providers introduces legal and operational dependencies (and risk), especially if contract terms are unclear or unfavorable (think “data use/ownership”).
  • Overly restrictive or unclear policies may stifle beneficial use of AI that could improve productivity or creativity.
  • Public incidents involving AI misuse or harm (e.g., plagiarism, misinformation) can quickly go viral and hurt the company’s brand.

As a result, it’s important that in-house counsel start asking questions about how the business uses AI (officially or unofficially) and take the lead in fixing problems.  Here is the game plan:

  • Conduct a confidential, organization-wide survey to determine who is using GenAI, for what purposes, and through which platforms.
  • Draft and roll out a Generative AI Acceptable Use Policy. Include guidance on input restrictions, output review, vendor selection, and recordkeeping.
  • Identify high, medium, and low-risk use cases based on how the business operates. Prioritize governance for high-risk areas such as legal, HR, and product development.
  • Ensure that data shared with AI tools is anonymized or scrubbed of sensitive identifiers.
  • Examine terms of use for AI platforms used by employees, particularly concerning indemnity, data use, output ownership, and export restrictions.
  • Offer department-tailored training to the business that highlights both opportunities and risks of their specific use of GenAI for that particular group.
  • Establish a cross-functional GenAI task force or working group with representatives from legal, IT, compliance, HR, and innovation to monitor developments and refine governance.
  • Keep current on proposed legislation and court rulings related to AI, such as the EU AI Act, U.S. Executive Orders, and FTC guidance.

8.  Have we audited our use of software and software licenses? The use of commercial software is governed by licensing agreements that dictate how software can be installed, accessed, and used. These licenses can vary significantly in scope, ranging from per-user to enterprise-wide to open-source. Violations of the license may constitute copyright infringement, among other things. Many software providers, including Microsoft, Oracle, and Adobe, conduct routine audits of customers to ensure compliance. Using open-source software (OSS) introduces obligations under license types such as GPL. Failing to follow licensing terms can result in the need to disclose proprietary source code or cease distribution of affected products. This means it’s time to ask how the company is using software and how that use stacks up against the licenses in place.  Common legal problems are:

  • Using more software seats than purchased or deploying them in unauthorized environments (e.g., cloud, offshore teams) breaches license terms.
  • Noncompliance can lead to copyright lawsuits from publishers or rights holders, seeking statutory damages and injunctions.
  • Software vendors may demand back payment, impose penalties, or terminate licenses after an unfavorable audit.
  • Misuse or improper attribution in OSS can result in takedown requests, injunctions, or loss of proprietary protections.
  • Breach of warranties or indemnities in customer/vendor contracts may result from unlicensed or improperly licensed software.

Improper management of software licenses can lead to waste in the form of underutilized licenses or redundant tools, service disruption if a vendor cuts off access to critical tech platforms, and security gaps where unauthorized or pirated software downloaded by employees is vulnerable to security flaws or malware.

Assuming the answer to your question is, “No, we haven’t looked at this in a while,” then the next steps are:

  • Conduct a comprehensive audit of all installed software across company devices, cloud environments, and user accounts. Use auditing software to enhance accuracy.
  • Compare actual usage against license limits. Ensure that all use cases (e.g., development, test, production) are contractually permitted.
  • Audit proprietary codebases for any OSS components. Document OSS licenses, usage, and compliance steps using Software Composition Analysis tools.
  • Require all software acquisitions to go through legal, procurement, or IT to ensure license terms are negotiated and reviewed.
  • Insert software compliance representations and warranties into customer and vendor contracts to mitigate third-party liability.
  • Educate company developers, engineers, and IT teams on proper software usage, license limitations, and approval processes.
  • Implement a centralized license management calendar to align renewals, optimize pricing, and reduce redundancy.
  • Develop and maintain documentation that supports compliance, including proof of purchase, usage logs, and installation records in case you receive an audit request.
  • Explore ways to lock down company computers from unauthorized downloads or other unapproved software.

9. How are we protecting our intellectual property?  Intellectual property (IP) is a broad category that includes trade secrets, trademarks, copyrights, patents, and digital assets such as domain names. Each type of IP is governed by specific legal frameworks, with varying protection strategies and legal enforcement mechanisms.  For example, trade secrets require demonstrable efforts to keep the information confidential,[12] such as NDAs and access restrictions. Trademarks must be registered and actively used to maintain legal protection. Copyrights automatically apply upon creation but benefit from federal registration for enforcement. Patents must be formally filed and granted. Domain names are governed by registrar agreements and can be challenged via ICANN’s UDRP process.

If the company is not taking the right steps to protect its IP, then the following can happen:

  • Failure to register or actively monitor IP can result in loss of protection and forfeiture of rights, leaving the company’s core assets unprotected.
  • Using third-party IP without proper licensing may lead to litigation (and statutory damages).
  • Unchecked third-party use of similar marks or names can weaken brand identity and legal enforceability of trademarks.
  • Inadequate safeguards can result in misappropriation by employees, vendors, or competitors, with limited recourse in court if protections were lax.
  • Missed deadlines or poorly drafted applications can result in patent invalidation or inability to enforce.

From the business angle, IP portfolios can contribute significantly to enterprise value. Without proper IP protection, competitors may replicate innovations, eroding your company’s market share and pricing advantage.  Poor management of IP can lead to a loss in value, e.g., failure to secure or track IP can foreclose revenue opportunities from licensing, franchising, or joint ventures. Gaps in IP protection may alarm investors or strategic partners conducting diligence.

Depending on the answer to your question, these are the things in-house lawyers should do next around IP:

  • Conduct a comprehensive audit of all existing IP assets, including marks, patents, copyrights, trade secrets, and domains. Map ownership and registration status.
  • Ensure that key trademarks and patents are registered in relevant jurisdictions and that renewal deadlines are tracked.
  • Implement NDAs, access controls, encryption, and employee exit protocols to preserve trade secret status.
  • Educate employees about the value of IP and how to protect it (especially trade secrets).
  • Use monitoring tools to detect unauthorized use of trademarks, logos, or brand names online and in commerce.
  • Educate content creators (e.g., marketing, design, product teams) on copyright rights, licensing, and registration best practices.
  • Align patent filings with R&D priorities and product roadmaps. Consider international filings for key markets.
  • Ensure that codebases incorporating OSS components comply with license terms and do not expose proprietary IP.
  • Ensure employees are signing the right types of agreements around ownership of IP (and preventing them from stealing company IP).[13]
  • Maintain centralized control over domain portfolios. Use auto-renew features and watch services for typo-squatting or spoofing.
  • Include robust IP clauses in contracts with vendors, customers, and partners to ensure proper assignment and usage rights.
  • Develop a playbook for addressing IP infringement, including cease-and-desist protocols, takedown requests, and litigation options.

10. Have we reviewed our insurance policies lately?  Insurance is a key component of a company’s overall risk management and legal defense strategy. Various lines of coverage – general liability, D&O, E&O, cyber liability, property, employment practices liability (EPLI), and others – offer protection against legal claims, regulatory fines, business interruptions, and third-party disputes. Policy language, however, is complex and can vary significantly by carrier and jurisdiction. Critical issues include exclusions, sub-limits, retroactive dates, duty to defend, notice provisions, and definitions of insured events. As legal risks evolve (e.g., ransomware, regulatory fines, AI liability), insurance policies must evolve too. Courts frequently interpret exclusions and coverage ambiguities in ways that surprise insureds (and their lawyers).

If your company has gotten it wrong, well, you know…  For example:

  • Inadequate or outdated policies may not cover key events such as cyberattacks or third-party IP claims.
  • Misaligned policies may exclude new operational risks, such as remote work losses or cross-border data incidents.
  • Policies often have strict notice requirements. Failing to report an incident on time may forfeit coverage.
  • Poorly drafted contracts may waive subrogation rights or fail to align with policy requirements.
  • Acquisitions can create tail liability or gaps if policies aren’t coordinated and reviewed.
  • Conceding choice of counsel to defend the company or agreeing to unrealistic rates can hamper the quality of your defense when the claim is covered by insurance.

All of these can lead to major headaches for the business: (i) unexpected out-of-pocket losses; (ii) operational delays, where post-incident recovery efforts may be delayed without proper insurance coverage; (iii) board and investor pressure, where they expect the business to have the right risk mitigation strategies in place, including effective insurance; (iv) contract problems, where failing to obtain specific coverages can jeopardize deals or relationships; and (v) overpaying, i.e., without proper oversight, companies may pay for redundant or unused coverage.

In-house lawyers have two obligations here.  The first is knowing how to read an insurance policy.  The second is to ask a lot of questions about the company’s insurance coverage (because odds are good that managing insurance policies has been delegated to the backwater of the finance department, but any problems will blow back on the legal department):

  • Work with finance, risk management, and your brokers to audit all current insurance policies. Identify gaps, overlaps, and outdated provisions.
  • Align coverage with current operations, including international exposure, digital assets, intellectual property, and workforce structure.
  • Review key vendor, customer, and lease agreements for insurance obligations and ensure policy compliance.[14]
  • Evaluate the adequacy of your cyber coverage. Understand exclusions for ransomware, third-party breaches, or regulatory penalties.
  • Clarify internal processes for identification, notification, documentation, and legal involvement of insured claims.
  • Schedule annual strategy sessions with your brokers to benchmark coverage and receive updates on market trends before it’s time to renew.
  • Regularly reassess the scope of director and officer coverage and employment practices policies based on litigation trends.
  • Ensure that legal, finance, operations, and security teams are aligned on policy coverage and limitations.
  • Centralize storage of policy documents, endorsements, and contact information for emergency retrieval.

*****

I know this was a long post, but there was a lot to cover, especially when you start asking the hard questions.  And don’t feel you need to tackle all ten at once.  You can pick one or two and just get started.  To make it easy for you, here they are in a handy list!

A proactive legal department is always better than a reactive department.  As business complexity increases, legal departments must stay one step ahead of the problems that complexity will likely spawn.  The good news is that it’s not complicated, it really boils down to figuring out what are the right questions to start asking the business.  You have my list, but yours may be different.  That’s fine.  What matters is that you (alone or with others) do the thinking to come up with your list and then get out there and start asking those questions.

Sterling Miller

January 31, 2026

My newest book (number seven), More Slow-Cooker Savant, is out now!  The United Nations has declared this book essential to its mission of world peace and ensuring delicious slow-cooking recipes are available to everyone.  Don’t cheap out on the UN, buy the book!

The Productive In-House Lawyer: Tips, Hacks, and the Art of Getting Things Done, is available for sale.  You can buy it here: Buy The Book!

My fifth book, Showing the Value of the Legal Department: More Than Just a Cost Center is available now, including as an eBook!  You can buy a copy HERE.

Two of my books, Ten Things You Need to Know as In-House Counsel – Practical Advice and Successful Strategies and Ten (More) Things You Need to Know as In-House Counsel – Practical Advice and Successful Strategies Volume 2, are also on sale at the ABA website (including as e-books).

I have published two other books: The Evolution of Professional Football, and The Slow-Cooker Savant.  I am also available for speaking engagements, webinars/CLEs, coaching, training, pet sitting, bartending, and consulting.

Connect with me on Twitter @10ThingsLegal and on LinkedIn where I post articles and stories of interest to in-house counsel frequently.

“Ten Things” is not legal advice nor legal opinion and represents my views only.  It is intended to provide practical tips and references to the busy in-house practitioner and other readers.  If you have questions or comments, or ideas for a post, please contact me at sterling.miller@sbcglobal.net, or if you would like a CLE for your in-house legal team on this or any topic in the blog, contact me at smiller@hilgersgraben.com.

[1] I still did the “essential issues” post, I just did it in March after I had some time to see how the crazy of early 2025 might play out a bit.  I still plan on doing one for 2026 but it may be even later as the level of crazy front and center here in January 2026 is 10x the crazy of 2025.  So, stay tuned on that one.

[2] And buying my book, “Showing the Value of the Legal Department: More Than Just a Cost Center.”  Yes, this is a shameless plug but if I don’t get a few of these books flying off the shelves the ABA is going to send its goon squad after me.  And those bastards are mean. So, help a guy out and buy a book (or ten).

[3] Sorry, but to do this right you need to factor in all of the state laws as they are often different from the federal law.  See, e.g., A Clear Guide to Telemarketing Laws: State by State for 2025.

[4] Does this mean you can bribe them for a business disadvantage?  I’m not sure.  I would stick with not bribing anyone at all.

[5] Even under the Trump administration FCPA “pause,” enforcement continues and most predict a swing back toward even more vigorous enforcement in 2026.  See FCPA Year-in-Review: 2025 Developments and Predictions for 2026.

[6] Which I guess means that if you are going to bribe someone, be sure to note it properly in the general ledger as “Bribes.”  Not sure that is an actual GAAP requirement.

[7] I don’t know about you, but whenever I see the word “tricky,” I think of Run DMC!

[8] And if you do not have cyber-risk insurance, go get it!  See Five Reasons Why Your Business Needs Cyber Risk Insurance.

[9] Training employees about data security is likely the single best thing you can do to help prevent a data breach.  That and not using the internet ever again, which may be a tough sell internally at the company.

[10] Getting the business to move to clickwrap is a hill I would gladly die on.  It is worth expending your political capital on getting this change if your company is dumb enough to still be using browserwrap agreements and expecting them to hold up in court.

[11] And if you don’t think your competitors are running your company’s name through a myriad of generative AI prompts to see what they might dig up, I have a bridge near Brooklyn, NY that I am willing to sell you.

[12] Business leaders are often shocked to learn what they think of as a “trade secret” isn’t one in the eyes of the court.  Educating the business on what it really takes to claim something as a trade secret is a good investment of the department’s time.

[13] And work with HR to ensure the proper offboarding of employees and contractors to protect company IP (and remind them about their IP obligations).

[14] An excellent task for the right generative AI tool and the right prompt!
