The D&O Diary

A PERIODIC JOURNAL CONTAINING ITEMS OF INTEREST FROM THE WORLD OF DIRECTORS & OFFICERS LIABILITY, WITH OCCASIONAL COMMENTARY

D&O Insurance: Eleventh Circuit Holds Insured v. Insured Exclusion’s Applicability to FDIC Failed Bank Claims Ambiguous

Posted in D & O Insurance

Going all the way back to the S&L crisis, a recurring insurance coverage issue that has arisen in the failed bank context has been the question of whether or not coverage for a claim brought by the FDIC in its capacity as receiver of a failed bank against the failed bank’s former directors and officers is precluded under the Insured v. Insured exclusion typically found in most D&O insurance policies. This issue has arisen yet again in connection with the failed bank litigation the FDIC has filed during the current bank failure wave.

 

A number of district courts have found the question of the Insured v. Insured exclusion’s applicability to lawsuits brought by the FDIC in its capacity as receiver for a failed bank to be ambiguous, as reflected for example here. However, as discussed here, in September 2013, Northern District of Georgia Judge Richard W. Story, ruling in insurance coverage litigation relating to the failed Community Bank & Trust of Cornelia, Georgia, held that the exclusion’s applicability to claims brought by the FDIC in its capacity as receiver for the failed bank was not ambiguous and precluded coverage under the policy for the FDIC’s claims.

 

Since it was entered in the Community Bank & Trust case, Judge Story’s ruling has represented arguably the strongest authority supporting the D&O insurer’s arguments in other cases that the Insured v. Insured exclusion unambiguously precludes coverage for claims brought by the FDIC in its capacity as receiver for a failed bank.

 

However, in a December 17, 2014 decision (here), the Eleventh Circuit, applying Georgia law and relying on the fact of the split authority on this issue, found the exclusion’s applicability to claims brought by the FDIC as receiver to be ambiguous and remanded the case for further evidentiary proceedings to determine the parties’ intent with respect to the exclusion. The Eleventh Circuit’s ruling will have a significant impact not only because it is the first appellate decision on this issue but also because it applies to district courts in Georgia and Florida (among several other states) where so many of the bank closures during the current bank failure wave took place. 

 

Background 

Community Bank & Trust failed on January 29, 2010. As noted here (second item), on February 24, 2012, the FDIC filed an action against two former officers of the bank. The complaint alleges that Charles Miller, the bank’s senior head of retail lending, violated his legal duties in approving loans in violation of the bank’s loan policies. Trent Fricks, the bank’s CEO, is alleged to have breached his duties in failing to supervise the loan officer and in failing to take corrective measures. The FDIC alleges that the defendants’ misconduct cost the bank $15 million in damages.  

 

The bank’s D&O insurer agreed to defend the individual defendants under a reservation of rights and initiated a separate lawsuit seeking a judicial declaration that it had no duty to defend or indemnify the individuals. The insurer moved for summary judgment in the coverage lawsuit seeking a ruling that as a matter of law coverage for the FDIC lawsuit was precluded under the Insured v. Insured exclusion.  The FDIC argued that the policy provisions on which the insurer sought to rely were ambiguous and that it was entitled to further discovery of the insurer’s internal communications about insurer’s own interpretation of the policy provisions. 

 

In moving for summary judgment, the insurer relied on its policy’s Insured vs. Insured exclusion, which, in pertinent part precludes coverage for loss “on account of any Claim made against any Insured … brought or maintained by or on behalf of any Insured or Company in any Capacity.”

 

In his August 19, 2013 opinion, Judge Story held that the FDIC was not entitled to further discovery because the policy’s insured vs. insured exclusion unambiguously precluded coverage. Judge Story noted that under FIRREA, the FDIC as receiver succeeds to “all rights, titles, powers and privileges of the insured depositary institution,” which means, in the language of the U.S. Supreme Court in its 1994 decision in O’Melveny & Myers v. FDIC, that the FDIC, as a failed bank’s receiver, “steps into the shoes” of the failed bank and any defenses that could have been raised against the bank can be raised against the FDIC. The FDIC and the individuals appealed Judge Story’s ruling to the Eleventh Circuit. 

 
The December 17, 2014 Opinion            

On December 17, 2014, in an opinion written by Judge Harvey Schlesinger (a federal district court judge sitting by designation) for a three-judge panel, the Eleventh Circuit reversed Judge Story’s ruling, holding that the question of the applicability of the Insured v. Insured exclusion to claims brought by the FDIC as receiver for a failed bank is ambiguous and therefore that it may be necessary to consider extrinsic evidence to determine the parties’ intent. Accordingly the Eleventh Circuit remanded the case to the district court for further proceedings. 

 

In connection with the question of whether or not the exclusion was ambiguous, the parties had raised a number of legal arguments based on the specifics of the FDIC’s role when it acts as receiver of a failed bank. However, rather than rely on these various legal arguments or on the nature of the FDIC’s role as receiver, the Eleventh Circuit said that “it seems to us that the most compelling argument is that courts who have addressed similarly worded insured vs. insured exclusions have reached different results.” In a footnote, the appellate court added that “the fact remains that there are two schools of thought on how to interpret insured v. insured exclusions, and that seems to make FDIC-R’s point.”

 

The appellate court referenced, by way of illustration, a separate decision out of the Northern District of Georgia, also applying Georgia law to a nearly identical exclusion, in which the court held, contrary to Judge Story’s ruling in this case, that the exclusion is ambiguous. The Eleventh Circuit said that the fact that Judge Story in this case and that another judge in the same court “reached opposite conclusions about the effect of a nearly identically worded insured v. insured exclusion appears to us to plainly support a finding of ambiguity under Georgia law.”

 

In conclusion, the Court said, “since we conclude that the insured v. insured exclusion is ambiguous, it may be necessary to consider extrinsic evidence to determine the parties’ intent.” The Court remanded the case to the district court “for further consideration in accordance with this opinion.” 

 

Discussion 

The Eleventh Circuit’s ruling in this case is not the first instance in which a court has found the existence of the conflicting case law to be determinative of the question whether the insured vs. insured exclusion is ambiguous. For example, in October 2014, a judge in the Central District of California found the exclusion to be ambiguous based on a similar reason (among other considerations).

 

The various court decisions have indeed gone both ways on this exclusion. As long as there were strong decisions – like Judge Story’s in this case – finding the exclusion to unambiguously preclude coverage for claims asserted by the FDIC in its capacity as receiver, the D&O insurers have been emboldened to continue to try to contest coverage on this basis. However, now that the courts are finding ambiguity based on nothing more than the split in the case law (rather than on whether one side or the other was correctly decided), the game may be up for the D&O insurers. The insurers may still think they can argue on the merits that the exclusion is unambiguous, but if the existence of the case law split alone and without any reference to the merits is enough to establish ambiguity, then there really is not much left on which the insurers can base their argument. They can’t deny that there is a split in the authority on this issue.

 

The fact that it was a federal appellate court that reached this decision will make this a very difficult decision for the insurers to avoid. To be sure, the court was applying Georgia law, so the carriers can try to argue that the ruling does not apply where the laws of other jurisdictions govern. The carriers can also try to argue against the ruling outside of the Eleventh Circuit. 

 

The carriers will face a number of obstacles in making these arguments. The first is that more banks failed in Georgia than any other state, so the Eleventh Circuit’s ruling will be determinative in connection with the largest state grouping of cases. Because Florida is also in the Eleventh Circuit, the ruling in this case will likely be determinative, and whether or not determinative, nonetheless followed in cases to which Florida law applies. Since there were almost as many failed banks in Florida as in Georgia, this case will likely foreclose matters in another of the largest state groupings of cases. And even outside of the Eleventh Circuit, other district courts will be that much less likely to reach a ruling contrary to this appellate court.

 

It will be interesting to see what happens to this case when it goes back to the district court. I strongly suspect that the evidentiary inquiry to determine the parties’ intent with respect to this exclusion will not be an edifying spectacle. I have in my life lived through the kinds of discovery proceedings that are now going to take place in this case, with various underwriters and brokers having their depositions taken and their emails scrutinized. It is not the sort of thing that anyone who wasn’t getting paid for the exercise would actually want to sit through. I will say this, if the carriers know that they have to go through this sort of discovery exercise in order to try to assert the exclusion against an FDIC claim, they are very quickly going to try to find a different basis on which to try to contest coverage. 

 

In an earlier post, I had said that as long as the carriers think they can persuade a court to reach the same conclusion as Judge Story reached in the district court in this case, they will continue to argue that the insured vs. insured exclusion precludes coverage for claims brought by the FDIC in its capacity as receiver for a failed bank. Now the carriers can no longer rely on Judge Story’s opinion and they have an appellate court decision going against them. We may be approaching the point where the carriers’ position on this coverage question is unsustainable. 

 

Special thanks to a loyal reader for providing me with a copy of the Eleventh Circuit’s opinion.   

 

Guest Post: Second Circuit Rules for Defendants in Landmark Insider Trading Case

Posted in Securities Litigation

In the following guest post, Susanna Buergel, Charles Davidow, Andrew Ehrlich, Brad Karp, Daniel Kramer, Richard Rosen and Audra Soloway, all of whom are litigation partners at Paul, Weiss, Rifkind, Wharton & Garrison LLP and members of the Firm’s Securities Litigation Practice group, explain the significance of the Second Circuit’s decision in United States v. Newman. A version of this article previously appeared as a Paul, Weiss client alert. Mark Pomerantz, a retired Paul, Weiss partner, argued the appeal for co-defendant Anthony Chiasson.

I would like to thank Richard Rosen of the Paul Weiss law firm for submitting this article as a guest post. I welcome guest post submissions from responsible authors on topics of interest to readers of this blog. Please contact me directly if you are interested in submitting a guest post. Here is the guest post from the Paul Weiss law firm. 

*****************************************  

Last week, the United States Court of Appeals for the Second Circuit issued a long-anticipated ruling dismissing with prejudice indictments against two insider trading defendants in United States v. Newman.  Two aspects of the decision are particularly important.  First, the Court ruled that the government must prove that a remote tippee knows of the personal benefit received by a tipper in exchange for disclosing nonpublic information.  Second, the Court held that the government must prove that the personal benefit is “of some consequence,” and determined that the benefits alleged by the government in United States v. Newman were not sufficient to support a conviction.  The ruling likely will have major ramifications for the future prosecutions of insider trading cases in the Second Circuit. 

The Newman and Chiasson Case

In United States v. Newman, the Second Circuit considered appeals from the insider trading convictions of Todd Newman, a former portfolio manager at Diamondback Capital Management, LLC, and Anthony Chiasson, a former portfolio manager at Level Global Investors, LP.[i]  Newman and Chiasson were accused of trading Dell and NVIDIA securities based upon material, nonpublic information they received from their respective analysts.  According to the testimony elicited during trial, the allegedly material, nonpublic information originated within Dell and NVIDIA, but it passed through numerous intermediaries before it was received by Newman and Chiasson, who contended that there was insufficient evidence that the tipper received any personal benefit in exchange for the tip, and, in any event, that they certainly did not know of any such benefit.  Newman and Chiasson were each convicted after a five-week trial.  They appealed to the Second Circuit, arguing, among other points, that they were convicted based on an improper jury instruction and that the evidence was insufficient to support their convictions.

The Supreme Court’s Decision in Dirks v. SEC

The Second Circuit agreed with Newman and Chiasson, concluding that the jury instructions were improper and that the evidence was insufficient to sustain a conviction.  The opinion turned on the Court’s reading of Dirks v. SEC, a thirty-one-year-old Supreme Court decision.  463 U.S. 646 (1983).

In Dirks, the Supreme Court held that, under the “classical theory” of insider trading liability,[ii] tippers are liable—and, by extension, tippees are liable—only when tippers breach a duty to the shareholders of a publicly traded company.  Dirks, 463 U.S. at 660.  Before deciding Dirks, the Supreme Court had held in Chiarella v. United States that, without more, trading on material, nonpublic information is not illegal, as there is no “general duty between all participants in market transactions to forgo actions based on material, nonpublic information.”  445 U.S. 222, 233 (1980).  Dirks built on Chiarella by setting forth when a tippee has a duty to disclose or abstain from trading on material, nonpublic information: a duty arises “only when the insider has breached his fiduciary duty to the shareholders by disclosing the information to the tippee and the tippee knows or should know there has been a breach.”  Dirks, 463 U.S. at 660.  Put another way, the tippee’s duty derives from the tipper’s duty, and the tipper’s duty is created because of a fiduciary relationship with shareholders.

Further, according to Dirks, courts will look to whether the tipper received a personal benefit to determine if the tipper breached a duty by disclosing nonpublic information.  Id. at 662.  Courts have defined “personal benefit” quite broadly.  

The Second Circuit’s Opinion

In directing that the indictment be dismissed, the Court’s opinion clarified the standard set out in Dirks.  The Court—Circuit Judges Ralph K. Winter, Jr., Peter W. Hall, and Barrington D. Parker—held that a tippee must know of the personal benefit received by the tipper.  The Court explained that it was not sufficient for the government to show that the tippee received information that was material and nonpublic, or that the tipper was an insider, or even that the tipper breached a duty to the source of the information.  “[W]hile we have not yet been presented with the question of whether the tippee’s knowledge of a tipper’s breach requires knowledge of the tipper’s personal benefit,” the Court wrote, “the answer follows naturally from Dirks.”  Based on Dirks’s explanation of the nature of an insider’s fiduciary breach, “we conclude that a tippee’s knowledge of the insider’s breach necessarily requires that the insider disclosed confidential information in exchange for personal benefit.”

In so holding, the Court once again rejected the notion that the federal securities laws require parity of information among investors.  The opinion quoted some of the most important language from Dirks and Chiarella: that there is no “general duty between all participants in market transactions to forgo actions based on material, nonpublic information”; that the law does not require symmetry of information among all participants in the marketplace; that not every instance of “financial unfairness” is punishable under Section 10(b); and that insider trading liability exists only when a duty of confidentiality was breached in exchange for a personal benefit.  As such, the Court held that the district court’s instruction, which did not require the jury to find knowledge of a personal benefit, was erroneous, and, moreover, that the error was not harmless.

Further, the Court concluded that the evidence was insufficient to support the government’s theory that the tipper received any personal benefit in exchange for providing inside information.  Although the government contended that the evidence showed that the Dell tipper had sought career advice from the friend who was the initial tippee and that the NVIDIA tipper was a “family friend” of the initial tippee, the Court held that the “circumstantial evidence in this case was simply too thin to warrant the inference that the corporate insiders received any personal benefit in exchange for their tips.”  If the evidence of personal benefit proffered by the government was enough, the Court explained, “practically anything would qualify.”  For evidence of a personal benefit to be sufficient, the Court wrote, there must be “proof of a meaningfully close personal relationship that generates an exchange that is objective, consequential, and represents at least a potential gain of a pecuniary or similarly valuable nature.”

The Court also rejected the government’s argument that the “specificity, timing, and frequency” of the information received by the defendants were so “overwhelmingly suspicious” that it provided support for the government’s theory that the defendants must have known, or consciously avoided knowing, that the information they were receiving was coming from an insider in breach of his duties and that the tipper must have received a personal benefit.  The Court reasoned that the financial estimates received by the defendants could also be obtained through “legitimate financial modeling using publicly available information and educated assumptions about industry and company trends.”  It noted trial testimony to the effect that companies’ investor relations departments would routinely provide guidance to investment professionals about the accuracy of their models, and evidence showing that companies would routinely “leak” estimates of their earnings data in advance of earnings announcements.  While explaining that there could be cases where a defendant receives information that is so “detailed and proprietary” to support an inference that the information must have come from an insider source, the Court concluded that the inference is “unwarranted” with respect to Newman and Chiasson, as they were several layers removed from the source of information and the information they received was similar to information they regularly received through legitimate means.

Conclusion

After Newman, it will be considerably more difficult for both the Justice Department and the SEC to win cases involving tips.  In particular, the government will likely find it more challenging to prosecute remote tippees for insider trading, especially when the tippees are several levels removed from the source of the information.  The opinion focused specifically on recent prosecutions fitting this description: “The Government’s overreliance on our prior dicta merely highlights the doctrinal novelty of its recent insider trading prosecutions, which are increasingly targeted at remote tippees many levels removed from corporate insiders.”[iii]  Additionally, it will be more difficult for the government to prove cases where the tipper does not receive money or other material consideration, but instead receives only an intangible benefit or the hope of a future benefit.  In future decisions, courts will be forced to grapple with when such benefits support a finding that a trader has engaged in insider trading.

Because of its holdings regarding remote tippees and the personal benefit standard, the opinion has also clarified the rules for investment professionals who regularly trade on information obtained through the marketplace.  It is now clear that the tipper must receive a personal benefit “of some consequence” to support a finding of insider trading liability.  Additionally, the opinion provides that tippee liability exists only when the tippee knows or should know that the information was confidential and divulged for personal benefit.  It is now evident that, going forward, the fact that a remote tippee receives improperly disclosed information, without more, will not be enough to support an insider trading case. 

 


[i] Paul, Weiss was counsel for Anthony Chiasson on this appeal and was lead counsel at the Second Circuit argument.

[ii] Two theories of insider trading liability are available to prosecutors: the “classical theory” and the “misappropriation theory.”  The prosecutions of Newman and Chiasson were brought under the “classical theory” of insider trading liability, which applies when a “corporate insider trades in the securities of his corporation on the basis of material, nonpublic information.”  United States v. O’Hagan, 521 U.S. 642, 651-52 (1997).  The “misappropriation theory,” by contrast, applies when an investor “misappropriates confidential information for securities trading purposes, in breach of a duty owed to the source of the information.”  Id. at 652.

[iii] In the passage in the opinion before this sentence, the Court discussed how, in an attempt to demonstrate that it need not prove that tippees know of the personal benefit received by the tipper, the government’s brief had parsed dicta from previous decisions.

Up Next: Cyber Insurance Requirements for Banks?

Posted in Cyber Liability

As I noted in a post last week, in a speech earlier this month in which she outlined the steps bank boards can take to address cybersecurity issues, Sarah Raskin, the second-ranking official at the U.S. Department of Treasury, laid out the reasons why banking institutions should be investing in cyber insurance. This speech is only one of several recent developments raising the possibility that federal banking regulators may be moving toward requiring banks to carry cyber insurance, according to Tracey Kitten’s December 12, 2014 blog post on the Bank Info Security blog entitled “Will Banks Be Required to Have Cyber-Insurance?” (here).

 

For example, on December 10, 2014, the New York State Department of Insurance Superintendent Benjamin M. Lawsky issued an industry guidance letter to all New York State Department of Financial Services (DFS)-regulated banks outlining the specific issues and factors on which those institutions will be examined as part of the agency’s new targeted cyber security preparedness assessments. The guidance letter expressly states that the department’s cyber security examinations will include “cyber security insurance coverage and other third-party protections.”  The Department’s December 10, 2014 press release about the new industry guidance can be found here. The December 10, 2014 letter sent to banks can be found here.

 

In her blog post, the author suggests that this move “by one of the nation’s largest states” could “foreshadow” cyber insurance requirements to be included in the anticipated cybersecurity guidance of the Federal Financial Institutions Examination Council. (As discussed here, the FFIEC is an organization of federal banking regulators and other institutions to prescribe principles for the uniform supervision of banking institutions.) On November 3, 2014, the FFIEC released the observations from the cybersecurity assessment that a number of its members participated in during the summer of 2014. Among other things, the organization’s observations included a statement that “as a result of the cybersecurity assessment, FFIEC members are reviewing and updating current guidance to align with changing cybersecurity risk.” (For more about the anticipated updated FFIEC cybersecurity guidance, refer here.)

 

Among other things, the blog post quotes one observer as saying, in light of the new concerns following the recent JP Morgan Chase data breach, “there’s little doubt that cyber-insurance will be a requirement that the FFIEC includes in its forthcoming cyber guidance.” The observer, a senior official at the Gartner consulting firm, adds the comment that “Cyber-insurance helped Target and Home Depot lower their breach-related costs substantially and, thus, converted market participants from former skeptics to current believers in the cyber-insurance policies.”

 

Whether or not federal regulators implement an express requirement that banking institutions have cyber insurance, it does seem increasingly likely that banking examiners will be reviewing banking institutions’ cyber insurance programs. Even if there is no express requirement, the inclusion of the item on the examination program could create a strong incentive for banking institutions to purchase the insurance.

  

ACA Employer Mandates and Potential Liability Issues

Posted in Affordable Care Act

The employer mandate provisions of the Affordable Care Act – better known as Obamacare – are among the more controversial parts of the legislation. The mandates were originally scheduled to go into effect in 2014, but after lobbying efforts from various business groups, the mandates’ effective dates were postponed. However, for many employers, the mandates will go into effect in just a few days, at the beginning of 2015.

 

With the January 1, 2015 effective date approaching for many employers, I have received a number of questions from readers about potential liability issues employers might face as a result of the mandates. As a general matter, I think many of the liability issues that the employer mandates might present will only become apparent over time. However, there are a few areas of potential liability that are apparent now, as discussed below. I note that my observations in this blog post draw on the April 2014 memo from the LeClair Ryan law firm entitled “Emerging ACA Employer Exposure” (here) [.pdf file].

 

There are of course a number of other issues under the ACA beyond those discussed below that have already led to litigation – there is, for example, the ongoing dispute about whether or not religious organizations can be required to offer their employees contraception benefits through their health plans. The point of this review is not to anticipate every litigation issue that might arise under the ACA but rather to discuss particular areas where employer liability related litigation may arise.

 

Background

The ACA’s employer mandate requirements and the challenges the mandates present are discussed in an interesting December 10, 2014 Orange County Register article entitled “Obamacare Year One: D-Day Approaches for Employers” (here). As outlined in the article, the ACA requires employers with more than 50 employees to offer health insurance coverage to their workers who work 30 hours or more a week. If they don’t provide the insurance, the company is liable for a $2,000 penalty on each of its employees. The ACA also specifies that the insurance offered must meet certain requirements – it must be affordable; it must cover, on average, at least 60 percent of the group’s medical expenses; and it must provide Obamacare’s “10 essential health benefits” (such as coverage for inpatient hospital stays, trips to the ER, post-natal care, mental health, prescription drugs, pediatrics and free preventive services).

 

Part of the reason for the delay has been the innumerable questions that arise. How are the hours of employees with seasonal or variable hours to be counted? How should the rules be applied to employers whose employee base fluctuates throughout the year, or to new employers? What about organizations with multiple, corporately separate operating units? The IRS has issued regulations to address many of these issues. But as detailed in the Orange County Register article, for some employers, many questions remain.

 

With the postponements to the mandates’ effective date, one concern facing many employers is the question of when the mandates will now take effect. As detailed in an October 21, 2014 New York Times article entitled “Answering the Hard Questions on the A.C.A.: Does the Employer Mandate Apply to Your Business?” (here), the mandate does not take effect for employers with fewer than 100 employees until 2016, although those smaller employers will still have reporting requirements for 2015. For employers with 100 or more employees, the mandates will take effect on January 1, 2015. The Times article details many of the issues employers will face in trying to determine whether or not the mandates will apply to them.

 

Potential Employer Liability Exposures

Along with the challenges employers will face in struggling to understand the applicability and scope of the ACA requirements, the employers will also face, according to the law firm memo to which I linked above, “the added issue of new liability exposures.”  In addition, as employers struggle with questions of whether or not to restructure their workforce in order to change the way they are positioned with respect to the mandates, they could face “potential liability and fiduciary issues not yet resolved by the courts.”

 

The potential liability issues (or at least the potential liability issues that I am going to discuss in detail in this post) fall into three general areas: (1) potential fiduciary liability arising from the applicability of ERISA to the ACA’s requirements; (2) the ACA’s whistleblower protections and anti-retaliation provisions; and (3) potential liability for workplace restructuring actions.

 

First, as detailed in the law firm memo, Section 1201 incorporates the ACA’s healthcare coverage mandates into Section 715 of ERISA. To the extent employers continue to sponsor health plans, they must now do so in compliance with the ACA’s requirements (including the Obamacare 10 essential health benefits). To enforce the new coverage mandates, health plan participants can seek to rely on the direct action options under Section 502 of ERISA, which permits health plan participants to bring a civil action to recover benefits; to enforce rights under the plan; or to clarify rights to future benefits under the plan. In reliance on these provisions, a health plan participant might seek to litigate the denial of a benefit or the elimination of a feature of the plan.

 

The key point is that participants have a private cause of action to enforce their rights to ACA benefits, including recovery of attorneys’ fees. Among other things, claims against plan fiduciaries in many cases potentially could lead to class-wide exposure if ACA benefits are not provided.

 

As health plan fiduciaries struggle to determine whether coverage mandates apply and to select appropriate health plans, litigation by health plan participants and beneficiaries to obtain injunctive or equitable relief or to address violations of statute or of the plan will, according to the law firm memo, “grow exponentially in the next two or three years.” In addition, as has been seen with retirement benefit litigation, it can be anticipated that health plan participants “will challenge choices that arguably limit or curtail health benefits to all or some participants.” Beyond private civil litigation, the Department of Labor and the IRS will be auditing employer health care plans, and will be able to seek civil penalties and impose substantial excise taxes for noncompliance.

 

Second, the ACA provides whistleblower protection for employees who approach regulators regarding an employer’s failure to meet the ACA’s various requirements for reporting, recordkeeping and benefits. Section 1558 of the ACA protects whistleblowing employees from retaliation. An employee who believes he or she has been the subject of retaliation can report a violation to OSHA. A whistleblowing employee may sue in federal court if OSHA does not act within 210 days or fails to enter an order on its findings within 90 days. The employee may also sue in federal court within 90 days of the OSHA decision.

 

With respect to organizations in the healthcare industry, particularly those receiving various subsidies or reimbursements under the ACA, existing laws (such as, for example, the False Claims Act) create “a highly incentivized scheme for whistleblowers to report government overpayments.” For that reason, firms in the healthcare industry, such as physician groups, health insurers, hospital groups, pharmaceutical companies and medical device companies could face a particular risk of whistleblower activities.

 

It is important to note that the ACA whistleblowing protections incorporate an “employee-friendly burden of proof” – that is, if the employee can demonstrate that the protected activity was a “motivating factor” for the retaliation, then the employer must demonstrate by clear and convincing evidence that the employer would have taken the same action in the absence of the protected activity.

 

Third, the ACA’s mandates create obvious incentives for employers to try to restructure to avoid the statute’s requirements. However, as the law firm memo notes, “decisions to restructure workforces to avoid providing health plan benefits are positioning numerous employers for potential litigation in months and years to come.” Section 510 of ERISA prohibits companies from making employment decisions specifically to prevent an employee from obtaining or keeping benefits coverage. The law firm memo notes that although courts have generally required a showing of specific intent to deprive a benefit to impose liability based on Section 510, that requirement may not deter prospective claimants where restructuring has clearly been engineered to address ACA requirements.

 

There are, in addition to the issues discussed above, additional features of the ACA that potentially could lead to litigation, including, for instance, the statute’s “civil rights” provisions specifying that no person may be denied participation in a plan or access to health benefits based on improper discrimination; and the “equal coverage” provisions specifying that employers may not provide better benefits to top employees than to other employees. These and other provisions of the ACA may also lead to employer liability litigation.

 

Discussion

It is worth emphasizing that just as there is a lot of uncertainty surrounding the ACA’s scope and requirements, there is also a great deal of uncertainty surrounding the potential liability exposures that employers may face under the ACA. The prospective liability exposures discussed above may not materialize or may prove to be not nearly as serious as suggested. On the other hand, there could be many other liability exposures that have not yet been anticipated but that will only emerge as the employers implement the ACA’s requirements. There can be little doubt at this point that the ACA’s employer mandates present a number of at least potential liability exposures for employers.

 

These potential liability exposures raise a number of insurance-related implications. To the extent that the ACA’s employer mandates create fiduciary liability exposures under ERISA, there could be important implications under employers’ fiduciary liability insurance policies. Whether and to what extent these issues affect the fiduciary liability insurance carriers’ underwriting protocols, or affect the terms and conditions that the insurance carriers are willing to offer, remains to be seen. In any event, this could be a good time for policyholders to review the limits of liability of their fiduciary liability policies and to consider whether the limits are sufficient to address prospective claims that might arise under ACA-related issues.

 

The possibility of a whistleblowing retaliation claim raises questions with respect to the scope and extent of coverage under employers’ employment practices liability policies. However, the activities of whistleblowers raise concerns beyond just the EPL-related issues. A whistleblower report could lead to regulatory activity which might potentially raise either fiduciary liability issues that could implicate the fiduciary liability insurance policy, or it could, depending on what actions follow after a whistleblower report, lead to claims that potentially trigger the employer’s D&O insurance policy. The D&O insurance policy could in any event be triggered if, as a result of ACA employer mandate related activity, the company or its directors and officers were to be hit with mismanagement claims or misrepresentation claims.

 

The possibility of litigation arising out of workplace restructuring (where it is alleged that the employer restructured its work force to avoid the ACA employer mandates or to avoid or eliminate the payment of benefits to employees) could present particularly complicated insurance-related issues. The complication arises from the distinction the courts have drawn between liability arising from actions taken in a fiduciary capacity and actions taken in a settlor capacity. Fiduciary liability arises from actions taken in administering employee plans. Settlor liability arises in connection with actions to establish or discontinue employee plans.

 

In the past, fiduciary liability insurance carriers have taken the position that their policies provide coverage only for fiduciary liability but not for settlor liability (about which refer for example here). More recently a debate has emerged on the question whether or not fiduciary liability insurance policies should provide coverage for settlor liability or for claims that involve both fiduciary liability and settlor liability components (about which refer for example here). Currently, many fiduciary liability carriers will upon request agree to endorse their policies to expressly state that their policies will provide coverage for settlor liability claims, often subject to the payment of additional premium.

 

The possibility of actions claiming that employers improperly restructured their work force to avoid ACA requirements or to eliminate benefits raises the possibility of civil actions involving both fiduciary liability claims and settlor liability claims. This concern could be particularly involved where an employer decides to eliminate health plans and simply pay the penalty, as the decision to eliminate the plan would seem to involve more of a settlor function than a fiduciary function. In light of the possibility of workplace restructuring kinds of claims, it could be particularly important to ensure that employers’ fiduciary liability insurance programs include settlor liability insurance coverage.

 

The ACA potentially involves many other types of potential liability concerns. To cite just one example, health care firms that, in response to incentives in the ACA, form “affordable care organizations” could face potential liability exposures under the antitrust laws, as discussed in a prior post, here.  

 

I know that there likely are many readers who have a much greater familiarity with these issues than I do. I encourage readers who may have additional insights about potential employer liability issues under the ACA to add their thoughts to this post using the blog’s comment feature.

 

From the Magazine Files: Here at The D&O Diary, we read everything so you don’t have to. With that mission in mind, we reviewed and are pleased to recommend a couple of items from this week’s magazine stockpile.

 

First, from the December 6, 2014 issue of The Economist, we note the interesting article entitled “Places Apart: A Planet of Suburbs” (here) which discusses what the author describes as the increasing trend toward suburbanization around the world. The essay takes the contrarian view that the world is better for this move toward suburbanization.  Among other things, the author contends, in support of the growth of suburbs and against restrictions that would constrain that growth, “suburbia, at its heart, is the embodiment of compromise. It is a space for solving puzzles involving cost, space and commuting time, of balancing the needs for work and recreations, privacy and community.”

 

Second, from the December 15, 2014 issue of The New Yorker, we note the absolutely fascinating article entitled “Blood, Simpler” (here) about the 30-year-old Stanford dropout and entrepreneur Elizabeth Holmes, whose Silicon Valley startup company Theranos is threatening to disrupt the world of medical testing, particularly the testing of blood samples. The article presents an absorbing portrait of a successful and visionary young woman. The article quotes one of her company’s many prestigious board members: “She has sometimes been called another Steve Jobs, but I think that’s an inadequate comparison,” Perry, who knew Jobs, said. “She has a social consciousness that Steve never had. He was a genius; she’s one with a big heart.”

 

Working Out the Stereotypes: Stereotypes often say more about the people who hold them than the people they are meant to describe. That ironic characteristic of stereotypes is neatly and humorously captured in this short video portraying the stereotypes Europeans hold of each other (as well as of the U.S. and the U.K.).  

 

Guest Post: Unexpected Coverage: D&O Insurance and IP Litigation

Posted in D & O Insurance

An insurance coverage issue that frequently recurs is the question of coverage under a D&O insurance policy for intellectual property disputes. In the following guest post, Peter S. Selvin of the TroyGould law firm takes a look at several recent case decisions examining the question of coverage under a D&O insurance policy for IP claims. This article previously appeared in the November 12, 2014 issue of the Daily Journal.

 

I would like to thank Peter for his willingness to publish his guest post on my site. I welcome guest post submissions from responsible authors on topics of interest to readers of this blog. I encourage anyone who thinks they might be interested in submitting a guest post to contact me directly. Here is Peter’s guest post.

 

 ************************************

 

Fans of the Bard will remember the scene in which Hamlet chides his friend Horatio about the narrowness of his vision: “There are more things in heaven and earth…Than are dreamt of in your philosophy.” (Hamlet, I, v, 167-68) The same can be said about practitioners, and even some insurance professionals, who associate directors and officers liability insurance (D&O insurance) exclusively with litigation involving shareholders, debt holders or other corporate stakeholders. This is a misconception because the broad definition of the term “wrongful act” (which is the trigger for coverage in virtually all D&O policies) may confer coverage in a variety of contexts, including where companies or individuals are sued for IP infringement.

 

The typical policy definition of a wrongful act ordinarily includes “(a) any actual or alleged error or misstatement or misleading statement or act or omission or breach of duty by directors and officers while acting in their individual or collective capacities; and (b) any matter claimed against them solely by reason of their being directors or officers of the company.” Knepper and Bailey, Liability of Corporate Officers and Directors (8th ed. 2010), Section 24.06 at p. 24.21.   

 

Importantly, a wrongful act is sufficiently broad to cover a wide range of alleged or actual wrongdoing, whether negligent, reckless or even intentional. See, e.g., Independent Sch. Dist No. 697 vs. St. Paul Fire & Marine Ins. Co., 515 N. W. 2d 576, 579 (Minn. 1994) (claim for intentional age discrimination constitutes wrongful act based on “breach of duty”). Thus, where a claim arises from negligent or non-negligent actions allegedly committed by the officer or director, the insurer is obligated to reimburse the corporation for amounts advanced by the corporation to defend the officer or director. See, e.g., FDIC v. Gordinier, 783 F. Supp. 1181, 1183 (D. Minn. 1992) (wrongful act encompassed “losses caused by deliberate, intentional or knowing acts, unless otherwise excluded.”), rev’d on other grounds sub nom, FDIC vs. St. Paul Fire & Marine Ins. Co., 993 F. 2d 155 (8th Cir. 1993).

 

The following recent examples illustrate how coverage has been found under D&O policies for claims arising out of IP litigation.

 

In Acacia Research Corp. vs. National Union Fire Ins. Co. of Pittsburgh, PA, 2008 WL 4179206 (C.D. Cal. 2008), a company (Combimatrix) and one of its officers (Montgomery) were sued by a competitor (Nanogen) for the theft of technology and misappropriation of trade secrets. In essence, Nanogen’s lawsuit alleged that Montgomery had developed certain technology while he had been employed at Nanogen and that he improperly shared that technology with Combimatrix after he became employed at that company.

 

Combimatrix was insured under a D&O policy issued by National Union. After Nanogen filed suit, Combimatrix tendered the case to National Union. After acknowledging receipt of the tender, National Union preliminarily advised that Nanogen’s theft of trade secrets lawsuit would not be covered under the policy. Apart from this preliminary communication, however, National Union did not issue any formal coverage letter to Combimatrix until nearly three years after the Nanogen litigation was filed.

 

Nineteen months into the litigation, but before National Union issued its first formal coverage letter, Combimatrix settled Nanogen’s lawsuit. Although National Union ultimately denied coverage for the suit, and failed to reimburse Combimatrix for the fees incurred or the settlement costs incurred therein, Combimatrix brought suit against National Union for breach of the policy and for bad faith.

 

One of the key issues in the coverage litigation was whether the IP-related claims asserted by Nanogen in the underlying case met the policy definition of wrongful acts. In addressing this issue, the court in the coverage litigation held as follows:

 

“The Court finds that all defense costs incurred by Combimatrix arose out of its indemnification of Montgomery for alleged wrongful acts committed by Montgomery. Specifically, the underlying Nanogen action centered on Nanogen’s accusations that Montgomery stole Nanogen’s technology and brought it to Combimatrix. Accordingly, Combimatrix and Montgomery present a single and joint defense to the Nanogen suit. Because the wrongful acts alleged in the underlying action all involved the alleged wrongful acts of Montgomery, no allocation of defense costs between Combimatrix and Montgomery is needed.”

 

Thus, the court held that because the trade secrets lawsuit brought by Nanogen was covered by the D&O policy, National Union was obligated to reimburse Combimatrix for all of its attorneys’ fees incurred in defending that lawsuit (approximately $2 million) and for the full value of the settlement paid by Combimatrix to resolve the case (approximately $20 million).

 

The principle that D&O policies will respond to IP claims was also upheld in American Century Services Corp. vs. American International Specialty Lines Insurance Co., 2002 WL 1879947 (S.D.N.Y. 2002). In that case an investment management company (American Century) was sued by third parties (Stambler and Katz) for patent infringement.

 

American Century was insured under an investment management insurance policy which provided coverage similar to that contained in a D&O policy. Thus, that policy obligated the insurer to pay on behalf of its insured “all sums which the Insured shall become legally obligated to pay as damages resulting from any claim” for a wrongful act occurring during the Policy period and “solely in the course of the management and/or operation of the [investment] Fund(s).”

 

The underlying patent infringement lawsuit alleged that American Century had used telephone and internet systems covered by the patents owned by Stambler and Katz. The court found that those allegations were sufficient to trigger coverage under the American International policy because those allegations set forth a wrongful act.

 

“Katz and Stambler charged that American Century infringed their patents. Since allegations of wrongdoing are sufficient to trigger coverage under the Policy, it is clear that American Century’s use of the allegedly infringing telephone and internet systems was a Wrongful Act for the purpose of coverage.”

 

Finally, in Medassets, Inc. vs. Federal Insurance Company, 705 F.Supp.2d 1368 (N.D. Ga. 2010) the Court addressed whether a D&O policy would provide coverage for a complaint which asserted claims for tortious interference and trade secret misappropriation. In that case, the insured was sued by a third party (Guidant) based on claims that the insured had induced Guidant’s customers to breach their confidentiality agreements with Guidant by revealing confidential pricing information to the insured.

 

In response to Medassets’ tender under the D&O policy, the carrier denied coverage, citing a policy exclusion for trade secrets claims, even though Guidant in its complaint “pled in the alternative that the pricing information was confidential information and/or that it was a trade secret.” Since, as the court noted, information that is confidential may be subject to legal protection even if it does not constitute a trade secret, the court held that the trade secrets exclusion was not a bar to coverage.

 

While the Combimatrix, American Century and MedAssets cases dealt with trade secrets and patent infringement, coverage under a D&O policy may also be afforded for other kinds of tort claims — such as trade libel or false advertising. Thus, one commentator has noted that “[m]ost false advertising lawsuits make allegations about the defendant’s erroneous and suggestive advertising and marketing and thus would be covered under this broad coverage grant of these [i.e., D&O] policies. The policy exclusions for these policies, however, present the greatest impediment to coverage for false advertising suits, and they need to be carefully examined to determine if coverage is available for false advertising claims.” Milone and Ahamd, Insurance Coverage for Lanham Act False Advertising Claims, Intellectual Property & Technology Law Journal (March 2012); emphasis added.

 

The application of D&O Insurance to IP disputes may seem at first glance to be unexpected and counter-intuitive. But this form of insurance could serve as an unanticipated asset in helping to fund both the defense and settlement costs in IP disputes.

 

Peter Selvin is a partner at Los Angeles-based TroyGould PC where he practices civil litigation and insurance coverage. The views expressed in this article are his own and not necessarily those of any of the firm’s clients.

Exceptional 2014 U.S. IPO Activity Strongest in More Than a Decade

Posted in IPOs

2014 was a very strong year for IPOs globally, but in the U.S., where there were more IPOs this year than any year since 2000, this was an “exceptional” year, according to the latest quarterly global IPO report from accounting and consulting firm EY. The report, entitled “EY Global IPO Trends: 2014 Q4” can be found here. EY’s December 10, 2014 press release about the report can be found here. The report details not only IPO activity in the U.S. during 2014 but in all major financial markets throughout the world.

 

According to the report, there were 288 IPOs completed in the U.S. during 2014 (through December 4, 2014, inclusive of deals expected to close by year’s end), which represents an increase of 27% over 2013 (when there were 225 IPOs) and also represents the highest number of U.S. IPOs since 2000, during the Internet boom years. The U.S. IPOs raised around $95 billion, which, according to the report, represents a “new high.” By way of contrast, during 2013, U.S. IPOs raised about $62 billion. IPO activity in the U.S. remained strong throughout the year, with an average of 24 deals a month despite some brief volatility in October.

 

The U.S. financial markets of course are competing in a global marketplace for offerings, and in that respect it is particularly important to note that non-U.S. companies completed 67 IPOs on U.S. exchanges during 2014, which represents more foreign IPOs than any other market and accounts for 52% of all cross-border deals globally. The non-U.S. companies raised $40.8 billion, which represents 81% of all capital raised in cross-border transactions. The cross-border IPO activity in the U.S. during the year represented the highest levels since 2007. The cross-border deals originated in a number of countries, including China (16 IPOs); Europe (26 IPOs, of which 8 were from the UK); and Israel (8 IPOs).

 

The report notes that a number of factors support this cross-border activity in the U.S., which is likely to continue in 2015; the report notes that “growing familiarity with U.S. accounting regulations, the strength of the U.S. markets and access to capital – together with the success of the Alibaba IPO – are likely to encourage more cross-border IPOs on U.S. exchanges going forward.”

 

Continuing a trend started in 2013, the leading sector for U.S. IPOs was the health care sector, which accounted for 111 deals, or 39% of all IPOs during the year as a whole. Within this sector, pharmaceuticals and biotechnology have been “particularly noteworthy,” with many companies in those sectors taking advantage of JOBS Act provisions in connection with their initial offerings. Technology (47 deals), financials (29 deals) and energy sectors also feature strongly in the 2014 deal activity.

 

The report’s authors predict a strong start for U.S. IPOs in 2015, based on a “combination of low volatility, strong investor confidence and a robust pipeline with more than 100 companies getting ready to list.” The report predicts that around 60 companies will go public in the U.S. during the first quarter of 2015, raising an estimated $22 billion. The report contains a number of comments to the effect that concerns that the IPO market in the U.S. may be in a 2000-like bubble are overblown. The companies that are coming to market continue to be substantial operations with longer operating histories.

 

Some interesting statistics from the report with respect to the 2014 U.S. IPOs: 116 of the 2014 IPO deals were listed on NYSE, 172 on NASDAQ. The average first-day return for the 2014 U.S. IPOs was 19.3%, and the increase over the offer price through December 3 for those IPOs was 27.8%. By way of contrast, during the same period the S&P 500 index was up 12.2%. The median post-offering market cap for the 2014 U.S. IPOs was $390 million. PE and VC backed deals accounted for 63% of the 2014 U.S. IPOs and also accounted for 72% of the proceeds.

 

To put the U.S. IPO volume in a global perspective, the 288 IPOs completed in the U.S. during 2014 that raised US$95.2 billion compare with 87 in Hong Kong (raising US$30 billion); 75 in Australia (US$16 billion); 76 in Shenzhen (US$5.8 billion); 40 on the London Stock Exchange (Main Market) ($19.4 billion); and 72 deals on the London AIM ($4.2 billion).

 

The level of IPO activity globally is obviously a positive sign, as it not only represents impressive levels of economic activity but also demonstrates the health of the global financial markets. The significant numbers of IPOs on U.S. exchanges during 2013 and 2014 are particularly significant, as they mean that the number of companies listed on U.S. exchanges is actually increasing for the first time in many years, as I noted in an earlier post. Since the early 90s, a combination of bankruptcies, mergers and going private transactions, as well as competition from the other financial markets, has meant that the number of U.S. listed companies has been steadily declining. It is good to see such a significant number of companies seeking new listings in the U.S., particularly given that about 23% of the new listings during 2014 involved companies domiciled outside the U.S.

 

There aren’t many down sides to this story, but if there is one concern worth noting it is that an increase in IPO activity will almost certainly translate into an increase in IPO-related securities litigation, as I also noted in an earlier post (here). Indeed, of the 160 new securities class action lawsuits filed so far during 2014, 16 of them (10%) have involved IPO companies, many of them only having just completed their IPOs in 2013 or 2014. It is worth noting that of the 16 IPO-related securities suits filed so far this year, 11 of them were filed in the year’s second half, suggesting (as might be expected) that the IPO-related securities litigation picked up as the year progressed. Given the lag time between the date of an IPO and the date of a securities suit filing, and given the increase in IPO activity, we should expect to see IPO-related securities litigation continue to increase in 2015.

 

One interesting note in the report was the suggestion that the IPO activity in the U.S., and in the health care sectors, can be attributed in part to the IPO on-ramp provisions in the JOBS Act. This is an observation that others have made, along with the observation that many of the non-U.S. companies listing on the U.S. exchanges are also taking advantage of the JOBS Act provisions. My detailed discussion of the effect of the JOBS Act provisions on IPO activity can be found here.

 

Corruption Allegations Lead to Securities Lawsuits

Posted in Foreign Corrupt Practices Act

I was on a panel at a law firm event last week during which I was asked to make some predictions for 2015. Among other things, I said that I thought we would see an increase of securities class action lawsuit filings following in the wake of regulatory investigations, especially bribery investigations. I also said that many of these lawsuits next year will involve bribery investigations being led by governments other than that of the United States. Well, we are not yet into the new year, but there has already been a flurry of activity consistent with my predictions.

 

First, on November 30, 2014, plaintiff security holders filed a securities class action lawsuit in the Southern District of Texas against Cobalt International Energy, Inc., certain of its directors and officers, certain investment firms that allegedly controlled the company, and its offering underwriters. In their complaint, which can be found here, the plaintiffs allege that the company, which has oil well operations in Angola, “obtained access to its Angolan wells from the Republic of Angola through apparent bribery and by partnering with shell companies in Angola that were partially owned by high-level Angolan officials, putting the company at serious risk of enforcement action” by the DoJ and the SEC. The complaint alleges further that the company misrepresented the value of its wells in Angola after the Company learned that the wells contained very little or no oil.

 

The complaint further alleges that, in reliance on offering documents allegedly containing these alleged misrepresentations, the company conducted several equity and debt securities offerings between February 2012 and May 2014 involving the sale by the company and selling shareholders of billions of dollars of stock and debt securities. On February 21, 2012, the company disclosed that the SEC was investigating the company for possible FCPA violations with regard to the company’s Angolan operations. On August 5, 2014, the company announced that the SEC had issued the company a Wells Notice stating that the SEC was recommending an enforcement action against the company. An August 5, 2014 Bloomberg article discussing the SEC investigation can be found here.

 

On August 27, 2014, the company announced that the Angolan government had terminated the partnership interests in Cobalt’s Angolan oil projects of two Angolan companies with whom Cobalt had partnered. On November 4, 2014, the company disclosed that based on testing of one of its Angolan wells, which it had previously stated was a “large, well-focused high impact well,” the well contained neither oil nor gas. The plaintiffs allege that as a result of these disclosures about the bribery investigation and about the well, the company’s share price declined. The plaintiffs seek damages under federal securities laws.

 

Second, on December 8, 2014, a plaintiff shareholder filed a securities class action lawsuit in the Southern District of New York against Petroleo Brasileiro, S.A. (“Petrobras”) on behalf of those who purchased the company’s American Depositary Shares on a U.S. exchange during the period May 20, 2010 through November 21, 2014. The complaint, which can be found here, alleges that the company made materially “false and misleading statements” by “failing to disclose a multi-year, multi-billion dollar money-laundering and bribery scheme” allegedly taking place at the Company since 2006. The plaintiff’s lawyer’s December 8, 2014 press release describing the lawsuit can be found here.

 

The corruption and money laundering investigation of Petrobras and its employees and executives by Brazilian officials has been widely reported in the press. For example, as reported in a November 14, 2014 Wall Street Journal article entitled “Petrobras Scandal Widens, Earnings Delayed” (here), Brazilian federal police had arrested 18 Petrobras employees who allegedly “were part of a bribery and money-laundering scheme that has siphoned hundreds of millions of dollars from the state-owned oil firm into the pockets of employees, contractors and politicians.” The Journal also reported that the investigation, which has been dubbed “Operation Car Wash,” threatens “to upend the second term of recently re-elected President Dilma Rousseff.” The scandal reportedly has drawn the attention of U.S. investigators as well.

 

The complaint alleges that the company inflated the value of construction contracts with other large Brazilian companies “for the sole purpose of receiving kickbacks.” The complaint also alleges that the company overstated various items on its balance sheet “because the overstated amounts paid on inflated third-party contracts were carried as assets on the balance sheet.” The complaint alleges that as a result of the publicity surrounding the scandal, the arrest of numerous company employees and executives and of the questions about the company’s financial statements the company’s ADS price declined 46% between September 5, 2014 and November 24, 2014. The plaintiff seeks to recover damages under the U.S. federal securities laws.

 

Discussion  

The phenomenon of civil litigation following in the wake of a bribery or corruption investigation is nothing new, as I have previously noted on this blog. Just the same, these new lawsuits are interesting, particularly the lawsuit involving Petrobras. Both of them involve allegations of bribery and other misconduct against multinational oil companies, although in connection with operations in different countries.

 

What is particularly interesting about the Petrobras case is that it represents a securities lawsuit filed against a non-U.S. company based on disclosure surrounding a regulatory investigation outside the United States. As I mentioned at the outset of this blog post, I think we will be seeing more of these kinds of follow on lawsuits in the months ahead. There have already been a number of them this year. For example, as discussed here, in January 2014, Nu Skin Enterprises was hit with a securities class action lawsuit following news of an alleged investigation in China of the company’s allegedly fraudulent sales practices there. Similarly, in June 2014, China Mobile Games and Entertainment Group was hit with a securities class action lawsuit following the news of an anti-bribery investigation in China involving company officials, as discussed here.

 

While these two cases and the Petrobras case involve lawsuits arising following corruption investigations, there have been other U.S. securities lawsuits filed involving other types of investigations by non-U.S. regulators. For example, as discussed here, Jinko Solar, a U.S.-listed Chinese company, is involved in a U.S. securities class action lawsuit filed in 2011 following in the wake of a Chinese environmental enforcement action.

 

I think the number of these kinds of cases growing out of non-U.S. regulatory and enforcement actions will only increase. And while the cases I have referenced all involve investigations by each company’s home country regulator, I suspect that in the future we will see cases following on regulatory investigations outside of companies’ home countries. As I discussed in detail here, for many companies, their most significant regulatory risk may be outside of their home country, and as the $489 million penalty that GlaxoSmithKline paid to Chinese regulators earlier this year demonstrates, the foreign country regulatory exposures increasingly are very substantial.

 

When I first saw the new lawsuit involving Petrobras and involving the company’s huge scandal, it made me think of Tesco, the U.K. grocer that is involved in its own scandal in its home country. Both companies are domiciled outside the U.S., but both of them have now been hit by securities lawsuits in the U.S. filed on behalf of plaintiffs who bought the companies’ securities on U.S. exchanges. Because of the Morrison decision, shareholders of the companies who purchased their shares outside the U.S. cannot be a part of the U.S. securities class action. In Tesco’s case, lawyers in the U.K. are now organizing efforts to initiate an action in the U.K. on behalf of shareholders of the company who bought their shares on the London Stock Exchange, as discussed here.

 

These efforts in the U.K. on behalf of Tesco shareholders make me wonder – might similar efforts develop in Brazil on behalf of Petrobras shareholders who purchased their shares in the company in Brazil? As I noted in a recent post, Brazil’s laws do provide for a form of class action litigation, and as of the last time I looked into the subject, there were additional reforms to the existing procedures pending. Brazil’s procedures may or may not be suitable as a vehicle for aggrieved Brazilian Petrobras shareholders to seek redress, but enterprising attorneys might seek to try to make what they can out of existing procedures and remedies to try to obtain a recovery for the shareholders. I hope that my Brazilian readers will let me know what they think of the possibility of a civil action in Brazil on behalf of Petrobras shareholders and will let me know if there are any developments in that regard.

 

It is also worth noting that in the last few days there has been an absolute rash of new U.S. securities lawsuit filings involving non-U.S. company defendants. By my count, of the eleven new securities lawsuits that have been filed since November 24, 2014, eight have involved non-U.S. companies. Overall during the year, and according to my interim tally, there have been 30 securities class action lawsuit filings involving non-U.S. company defendants (representing about 18% of all lawsuits) out of a YTD total of about 160 lawsuits so far this year, which is roughly comparable to last year’s percentage but well above longer term levels.

 

One final note. While follow-on civil lawsuits often follow in the U.S. after bribery investigations are announced, the track record on these kinds of lawsuits arguably is not all that great (refer, for example, here and here).

Guest Post: Cyber Security: The Importance of a Battle-Tested Incident Response Plan

Posted in Cyber Liability

With all of the high profile data breaches that have taken place in recent months, cyber security is a critical topic at the top of just about everyone’s agenda. In the following guest post, Paul A. Ferrillo of the Weil Gotshal law firm takes a look at the best approach to the cyber security challenge in the current environment and he also details the critical components of a cyber incident response plan. A version of this article was previously published as a Weil client alert.

 

I would like to thank Paul for his willingness to publish his article as a guest post on this site. I welcome guest post submissions from responsible authors on topics of interest to readers of this blog. Please contact me directly if you think you would like to submit a guest post for publication. Here is Paul’s guest post.

 

*****************************************************

 

“The scope of [the Sony Pictures Entertainment (SPE)] attack differs from any we have responded to in the past, as its purpose was to both destroy property and release confidential information to the public….The bottom line is that this was an unparalleled and well planned crime, carried out by an organized group, for which neither SPE nor other companies could have been fully prepared.”

 – Remarks by Kevin Mandia, “Sony Investigator Says Cyber Attack ‘Unparalleled’ Crime,” Reuters, December 7, 2014[i]

 

“The days of the IT guy sitting alone in a dark corner are long gone. Cybersecurity has become an obvious priority for C-Suites and boardrooms, as reputations, intellectual property and ultimately lots of money are on the line.”

 – Priya Ananda, “One Year after Target’s Breach: What have we learned?” November 1, 2014.[ii]

 

“Resiliency is the ability to sustain damage but ultimately succeed. Resiliency is all about accepting that I will sustain a certain amount of damage.”

 – NSA Director and Commander of U.S. Cyber Command Admiral Mike Rogers, September 16, 2014.[iii]

 

We have definitively learned from the past few months’ worth of catastrophic cyber security breaches that throwing tens of millions of dollars at “preventive” measures is simply not enough. The bad guys are too far ahead of the malware curve for that.[iv] We have also learned that there are no such things as quick fixes in the cyber security world. Instead, the best approach is a holistic approach:  basic blocking and tackling such as password protection, encryption, employee training, and strong, multi-faceted intrusion detection systems[v] really trump reliance on a “50 foot high firewall” alone. But there are also two more things that are critical to a holistic cyber security approach: a strong, well-practiced Incident Response Plan (IRP), and, as Admiral Rogers noted above, the concept of cyber-resiliency, i.e., the ability to take your lumps, but continue your business operations unabated.

 

In this article, we tackle two questions: (1) What are the essential elements of a Cyber IRP? and (2) Why are IRPs so important to your organization?


 

The Organizational IRP Paradigm: Basics and Important Initial Questions

For assistance with these questions, it is helpful to review The National Institute of Standards and Technology’s (NIST) “Computer Security Incident Handling Guide,”[vi] which notes:

 

Computer security incident response has become an important component of information technology (IT) programs. Cybersecurity-related attacks have become not only more numerous and diverse but also more damaging and disruptive. New types of security-related incidents emerge frequently. Preventive activities based on the results of risk assessments can lower the number of incidents, but not all incidents can be prevented. An incident response capability is therefore necessary for rapidly detecting incidents, minimizing loss and destruction, mitigating the weaknesses that were exploited, and restoring IT services.

 

In short, the NIST provides the raison d’être for an IRP: preventive measures are necessary, but not sufficient, to sustain operations in the face of the omnipresent cyber threat. A response capability, and a plan for executing it, is a necessity. It is important to note that each element of an effective IRP has multiple sub-elements, and multiple levels of complexity. Resultantly, effective IRPs must not and cannot be “one size fits all.” They will differ depending on an organization’s size, complexity, and industry sector, as well as on the types of personally-identifiable information (PII) stored by the organization, and where that data is stored.

However, prior to examining the intricacies of an effective IRP, we need to focus on the questions that directors, officers, CIOs, partners, and other senior executives must ask about their company’s IRP prior to learning that the inevitable has become reality: that “we’ve been hacked.” Those questions become apparent in light of the ultimate goal of responding to a cyber threat: “get back in the game (safely)” as soon as possible in order to keep your customers, investors, and reputation intact. An attendant goal is to demonstrate to regulators, such as the SEC, OCIE, FINRA, or FTC, that you have paid attention and planned ahead. The questions, then, include, among other things:

 

  •   Does the organization have a standing, written, and enterprise-wide IRP?
  •  Has the IRP been tested, in terms of both its ability to discern between cyber “events” and cyber “incidents,” and the organization’s ability to execute the IRP following an incident?
  •  Does the IRP get the organization back in the game?

 

For the uninitiated, a cyber “event,” according to the NIST, is “an observable occurrence in an information system or network.” A cyber “incident” is a disruptive occurrence, a “violation of computer security policies, acceptable use procedures, or standard security practices”[vii]. In a recent book co-authored by Kevin Mandia – the founder (quoted above) of security consulting firm, Mandiant (now FireEye/Mandiant) – entitled Incident Response and Computer Forensics, Mandia simplifies this definition for today’s cyber environment:

 

An incident is “any unlawful, unauthorized, or unacceptable action that involves a computer system, cell phone, tablet, and any other electronic device with an operating system or that operates on a computer network.”

 

In sum, a cyber “event” may ultimately be ok if it is determined, either by intrusion detection/surveillance systems or trained cyber technicians, that the event is something akin to “normal.” It follows, then, that if following detection, an event rises to the level of a cyber “incident,” it needs to be investigated further according to an IRP. Because if it is not “normal,” it could result in catastrophic consequences if not properly and fully identified (network-wide), promptly addressed, and quickly remediated. Examples of incidents include denial of service attacks launched against a network, spear phishing attempts aimed at distributing malware within a network, nation-state hacks, or cyber extortion attempts.

 

Once the above questions have been asked and answered, an organization and its leadership are ready to respond to the inevitable discovery that “we’ve been hacked.” Instead of “Now what?,” the answer is “Now let’s immediately invoke our IRP.”

 

So, what does an IRP look like?

 

Essential Elements of an IRP

Though there are hundreds of cyber security consultants in the marketplace today that could provide a very complex version of an IRP, here are the basics (at least as we and NIST see them):

 

1. Preparation, Ownership and Testing of the Incident Response Plan

Just as many high-rise buildings have their own emergency evacuation plans to respond to an event of a fire or another catastrophe, and practice them with their tenants several times a year, all companies should have a table-top tested, written IRP ready to respond to an incident of a cyber attack. Directors and officers should consider the following elements essential to an IRP:

 

A.     Documentation, Management Buy-In, and the IRT: The IRP needs to be in writing, fully documented and regularly updated in order to prevent any surprises when it is invoked after an incident has been detected. For the same reason, it should have full sign-off and approval by senior management. The IRP should explicitly define the professionals (including in-house personnel as well as third-party vendors) who make up the Incident Response Team (IRT).

 

  •  The IRT must clearly delegate authority (who does what), and establish sustainable, open lines of communication and workflow (who reports to whom). It should include a legal component (whether in-house or outside counsel, but most likely both) that is skilled in forensic investigations, disclosure obligations, and the preservation of evidence, since law enforcement may ultimately be involved depending upon the severity of the breach. Companies should also consider including both a Human Resources representative and a Finance Department designee on the IRT to anticipate and address issues that may arise after the incident.

 

B.     Ownership: The IRT and IRP should be “owned” by one person in the organization who is designated as the head of the IRT. Reporting to the head of the IRT should be a deputy with strong incident response experience, and who can serve as an alternate owner of the IRP. Underneath the head and the deputy should be skilled incident response handlers with strong technical intrusion detection and forensic skills. The size and shape of the internal IRT may vary from company to company, and are obviously budget-dependent since 24/7 IRT coverage comes with a price.

 

Of course, if the organization is solely based in the U.S., it is possible to have only one owner of the IRP and one head of the IRT. In a global organization, however, the “one owner” policy may not be possible or even practical. Global organizations need to “globalize” their IRPs so that a local “owner” is in place who can be nearer to the action and to the designated third-party vendors. A local owner will also likely be more familiar with local laws relating to cyber and privacy-related disclosures that may be implicated during an investigation of a cybersecurity breach.

 

C.     Identification and Selection of Third-Party Vendors: Many companies rely in part on third-party vendors to help guide them through a data breach.[viii] An IRP should pre-identify and designate these vendors, who should be on a 24/7 retainer in the event of a breach. Outside counsel should be involved in retaining the vendors to preserve any applicable privileges, since evidence of a breach developed by the IRT and its vendors may become necessary if actual data loss is involved.

 

D.     Crisis Communications Capabilities: The IRT should include both internal and external crisis communications strategists because, depending upon the severity of the breach and the potential for severe reputational damage, there will likely be disclosure obligations (both formal and informal) following the breach. Formal disclosure of the breach to law enforcement authorities like the FBI or U.S. Secret Service may be warranted if the company suspects cyber criminality may have played a role in the breach. Notification of any “material” breach to investors may be necessary under U.S. Securities and Exchange Commission guidance, or in any event, may be necessary in order to reassure investors that the company is addressing the cyber breach and doing everything possible to protect investors and consumers. Finally, some sort of formal notification may be required in various local jurisdictions depending upon privacy issues. Because of potential formal notification requirements, it is important to have internal and/or external lawyers involved with, and overseeing, breach notifications.[ix] In short, a good crisis management/investor relations firm with experience in major corporate catastrophic events should be on retainer. There is not much worse than a major hack and the associated costs involved other than losing the faith and trust of customers, clients and patients. That could cause a “death spiral” that may be insurmountable.

 

E.      Practice, Practice, Practice: Without it, IRPs and IRTs are no good. An organization needs to conduct drills on a regular basis (we recommend at least quarterly) so that all members of the IRT and associated third-party vendors know exactly what they are supposed to be doing in the event of a major cyber security incident. A good IRT works together like a crew team rowing a scull. Everyone needs to row in cadence. And in the same direction.

 

2. Detection and Analysis of Threat Vectors, or “Houston, We have a Problem”

No IRP will be effective without the ability to accurately detect and assess events and possible incidents. Typically, this requires a continuously changing array of both software and hardware necessary to detect incidents from a variety of threat vectors. Organizations need to be able, through “continuous monitoring,”[x] to identify “indicators” or “evidence” of an attack through network monitoring systems such as “event-based alert monitoring” and “header and full packet logging.” Both are designed to collect transferred data to help the IRT generate digital signatures, network system activity logs, or identify data that might show evidence of compromise.

 

Because many cyber attacks today are found to flow from a one-time-only use of malware that has no recognized signature to identify it as a threat, many companies are now transitioning to a signature-less intrusion detection system. One long-term industry expert noted in a recent interview, “We don’t know what to look for when nobody else has seen it. The [signature] model breaks down… How you protect yourself from a shotgun blast is very different than how you protect yourself from a sniper’s bullet. Traditional protection mechanisms are geared toward those noisy mass attacks.”[xi] To combat this cyber attack technique, “Rather than relying on detecting known signatures, [many] companies marry big-data techniques, such as machine learning, with deep cyber security expertise to profile and understand user and machine behavior patterns, enabling them to detect this new breed of attacks. And to avoid flooding security professionals in a sea of useless alerts, these companies try to minimize the number of alerts and provide rich user interfaces that enable interactive exploration and investigation.”[xii]

 

Whatever the monitoring system in place (including antivirus software alerts), incident response information may contain evidence of either network traffic anomalies or of actual data theft which could lead one to conclude that there has been a data breach. Today, many monitoring systems are automated (and even outsourced) because large organizations can potentially have tens of thousands of incidents daily that need to be analyzed, correlated, and investigated. Logs should be kept and retained for some defined period (e.g., 30 days) as a matter of good course as they may be needed for a breach investigation.
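The contrast drawn above between signature matching and behavior profiling, as an added illustration that is not part of the original article: the hosts, hashes, addresses, flow records and the 3.5 threshold are all constructed assumptions. It shows a never-before-seen binary passing a hash check while a per-host baseline flags it, with the findings collapsed into a single alert per host.

```python
"""Signature matching vs. a per-host behavioural baseline, on constructed telemetry."""
from collections import defaultdict
from statistics import median

# Hypothetical signature feed: hashes of previously catalogued malware (constructed).
KNOWN_BAD_HASHES = {"aaaa1111", "bbbb2222"}

# Assumed cut-off for the modified z-score (median/MAD based).
ROBUST_Z_THRESHOLD = 3.5


def build_sample_events():
    """Return (baseline, today): constructed outbound flow records."""
    normal = {
        # host: (process hash, usual destination, base bytes, daily step)
        "ws-01": ("1111aaaa", "mail.example.internal", 1000, 10),
        "ws-02": ("2222bbbb", "files.example.internal", 5000, 100),
        "db-01": ("3333cccc", "backup.example.internal", 200000, 1000),
    }
    baseline = [
        {"day": day, "host": host, "hash": h, "dest": dest,
         "bytes_out": base + step * day}
        for day in range(1, 8)
        for host, (h, dest, base, step) in normal.items()
    ]
    today = [
        {"day": 8, "host": "ws-01", "hash": "1111aaaa",
         "dest": "mail.example.internal", "bytes_out": 1050},
        {"day": 8, "host": "ws-02", "hash": "2222bbbb",
         "dest": "files.example.internal", "bytes_out": 5400},
        {"day": 8, "host": "db-01", "hash": "3333cccc",
         "dest": "backup.example.internal", "bytes_out": 204000},
        # One-off binary with no catalogued hash, sending bulk data to a new
        # address (203.0.113.0/24 is reserved for documentation).
        {"day": 8, "host": "db-01", "hash": "cccc3333",
         "dest": "203.0.113.50", "bytes_out": 9000000},
    ]
    return baseline, today


def signature_alerts(events):
    """Signature model: alert only on hashes already in the feed."""
    return [e for e in events if e["hash"] in KNOWN_BAD_HASHES]


def build_profiles(baseline):
    """Per-host profile: median and MAD of volume, plus destinations seen."""
    by_host = defaultdict(list)
    for e in baseline:
        by_host[e["host"]].append(e)
    profiles = {}
    for host, evs in by_host.items():
        volumes = [e["bytes_out"] for e in evs]
        med = median(volumes)
        mad = median([abs(v - med) for v in volumes])
        profiles[host] = {
            "median": med,
            "mad": max(mad, 1.0),  # avoid dividing by zero on flat baselines
            "dests": {e["dest"] for e in evs},
        }
    return profiles


def behaviour_alerts(events, profiles):
    """Behaviour model: one alert per host, listing every reason it deviated."""
    reasons = defaultdict(set)
    for e in events:
        p = profiles.get(e["host"])
        if p is None:
            reasons[e["host"]].add("unprofiled_host")
            continue
        if e["dest"] not in p["dests"]:
            reasons[e["host"]].add("new_destination")
        z = 0.6745 * (e["bytes_out"] - p["median"]) / p["mad"]
        if z > ROBUST_Z_THRESHOLD:
            reasons[e["host"]].add("volume_outlier")
    return {host: sorted(r) for host, r in reasons.items()}


if __name__ == "__main__":
    baseline, today = build_sample_events()
    print("signature alerts:", signature_alerts(today))
    print("behaviour alerts:", behaviour_alerts(today, build_profiles(baseline)))
```

Retained logs are what make the baseline possible: with no history for a host, the profile step has nothing to compare today's activity against.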

 

3. Containment

Containment means “how do we stop the bleeding” so that no further damage can be done. As this is a complicated area, both in-house and outside legal experts and third-party vendors should be consulted. A containment program should involve:

 

  •  Removing the attacker’s ability to access the network;
  •  A plan to isolate infected systems, forensically copy them and transfer them to another off-grid environment; and
  •  Triaging and analyzing the infection or malware so that an eradication plan can be formulated.

 

Assuming the company has come to the conclusion that a breach has occurred, and that PII has been compromised, it is important to have the IR/PR/legal team advise the IRT on potential disclosure obligations under federal law (like HIPAA), state law, or under the law of a foreign government (EU/UK directives), where applicable. Similarly, disclosure to the company’s cyber insurance provider will be necessary. Depending on their terms and conditions (which should be continuously reviewed), many cyber insurance policies provide coverage that allows a company to take advantage of forensic and remediation services as well as the services of a “breach coach” and suggested third-party vendors if the company does not have such vendors on retainer.

 

4. Remediation and Eradication

Remediation and Eradication means “fixing the problem” as rapidly as possible after the threat vector is fully identified so that the attacker doesn’t have time to change his method or mode of attack. Eradication efforts could involve:

 

  • Blocking malicious IP addresses identified during the investigation;
  • Changing all passwords;
  • Patching holes in the network architecture that are identified during the investigation; and/or
  • Fixing all vulnerabilities identified during the investigation.

 

5. Lessons Learned Post-Mortem

Cyber post-mortems are like many post-event discussions. Lessons can always be learned about what went right with the IRP (where the company excelled), what went wrong or what didn’t work so well, and what areas can be improved upon by the entire IRT so that it can perform better during the next incident investigation.

 

Why is an Effective Incident Response Plan So Important to Any Organization?

We placed this section here at the end of the article because, frankly, we didn’t want to give away the punchline too early. But we kind of did already with Admiral Rogers’s quote above. An effective IRP is absolutely vital to an organization because: (1) it has already been hacked (or doesn’t know it yet), and (2) an organization needs to be able to take a “cyber punch,” and get off the canvas to fight another day. An effective, table-top practiced IRP is important for a variety of other reasons:

 

  • If the company is in a specific industry sector, especially the regulated financial services sector, regulators will specifically ask whether the organization has an IRP.
  • A battle-tested IRP may be evidence of cyber security best practices if the company is later the subject of a lawsuit or regulatory proceeding resulting from disclosure of the breach.
  • A battle-tested IRP will hopefully prevent an organization from having a cyber incident develop into a catastrophic event, either financially, reputationally, or both, which could cause the company’s demise or death if there is a “run on the bank” following disclosure of the cyber incident.

 


[i] See “Sony Investigator Says Cyber Attack ‘Unparalleled’ Crime.”

[ii] See “One Year After Target’s Breach: What Have We Learned?”

[iii] See “NSA Director Rogers Urges Cyber-Resiliency.”

[iv] See “Sony Films Are Pirated, and Hackers Leak Studio Salaries;” “Hackers Using Lingo of Wall St. Breach Health Care Companies’ Email;” and “Hacking the Street,” a Fire Eye/Mandiant Special Report.

[v] See “Intrusion Detection FAQ: Can you explain traffic analysis and anomaly detection?”

[vi] See NIST “Computer Security Incident Handling Guide,” Special Publication 800-61, (hereinafter, the NIST Incident Handling Guide).

[vii] Id.

[viii] Three of the larger companies that we and our multi-national clients regularly deal with from an incident response perspective are Fire Eye/Mandiant, Verizon, and IBM. See https://www.fireeye.com/; http://www.verizonenterprise.com/products/security/; and http://www-935.ibm.com/services/us/en/it-services/security-services/emergency-response-services/?S_TACT=R02102GW&S_PKG=-&cmp=R0210&ct=R02102GW&cr=google&cm=k&csr=IT+Emergency+Response+Services_UN&ccy=us&ck=security%20services&cs=b&mkwid=sk3dL6Acl-dc_49046510203_4326fb30773. There are certainly other companies in the incident response space that have the ability to respond to domestic breaches, see e.g. http://www.krollcybersecurity.com/

[ix] In some cases, and for some larger companies, it may even be important for companies to consider “off the grid” communications systems, like temporary cellphones and satellite phones so that key IRT members can communicate with each other in the event that the breach also affects a company’s corporate phone lines. See “Spike in Cyber Attacks Requires Specific Business Continuity Efforts.”

[x] “Continuous Monitoring” is the hallmark of an Implementation Tier 4 organization in the NIST cybersecurity framework. See NIST Cyber Security Framework.

[xi] See “On prevention vs. detection, Gartner says to rebalance purchasing.”

[xii] See “Why Breach Detection Is Your New Must-Have, Cyber Security Tool.”

Top Treasury Official’s Speech Urges Adoption of Cyber Risk Insurance

Posted in Cyber Liability

Officials across a range of federal regulatory agencies have made it clear that promoting cyber security is an increasing priority. A critical part of the federal officials’ message has been the message that cyber security should be a corporate governance priority for company executives and corporate boards. For example, in a June 2014 speech, SEC Commissioner Luis Aguilar highlighted the cyber security oversight responsibilities of corporate boards. Nor are the regulators’ efforts in this regard limited to speech-making; the Federal Trade Commission’s recent action against Wyndham Worldwide related to cyber breaches the company experienced underscores that these regulatory concerns may translate into enforcement action.

 

Deputy Treasury Secretary Sarah Raskin, the second-ranking official at the agency, in a December 3, 2014 speech to the Texas Bankers’ Association (here), reiterated many of these same messages. In her speech, Raskin, who previously served as a member of the Federal Reserve Board, presents ten questions that company executives and corporate boards should be asking with respect to cybersecurity concerns. Her speech, which is addressed in particular to the cyber security oversight issues that banking institutions face in the current environment, provides a particularly good overview of the topic.

 

The ten questions that Raskin poses are organized into three categories of activities: (1) baseline protections; (2) information sharing; and (3) response and recovery.

 

Of particular interest to readers of this blog is one of the questions that Raskin posed within the first category of baseline protections. Among the questions that she asks is what amounts to a ringing endorsement for companies to adopt cyber risk insurance.

 

Her fourth question overall in her list of ten questions suggests that senior officials at banking institutions should be asking “Do we have cyber insurance? And if we do, what does it cover and exclude?” She adds that officials should also be asking “Is our coverage adequate based on our cyber risk exposure?”

 

Raskin’s comments include the observation that though the market for cyber insurance is relatively new, it is growing. She notes that more than fifty carriers now offer some type of cyber insurance, and that cyber insurance products now exist for companies of all sizes. She also noted that “policyholders can now find coverage to match a broad array of cyber risks ranging from liability and costs associated with data breaches to business interruption losses and even tangible property damage caused by cyber events.”

 

Raskin noted that while cyber insurance cannot protect institutions from cyber incidents, it “can provide some measure of financial support in case of a data breach or cyber incident.” She also observed that the underwriting processes for cyber insurance can “help bolster your cybersecurity controls,” because “qualifying for cyber risk insurance can provide useful information for assessing your bank’s risk level and identifying cybersecurity tools and best practices that you may be lacking.”

 

Raskin also notes that officials at the Treasury department have been thinking about how to “encourage an environment where market forces create insurance products that enhance cybersecurity for businesses,” noting that “we can imagine the growth of a cyber insurance market as a mechanism that bolsters cyber hygiene for banks across the board.” (Raskin defines “cyber hygiene” as the engagement in “fundamental practices to bolster the security and resilience of your networks and systems.”)

 

Raskin is far from the first governmental official to suggest that cyber risk insurance should be an important part of companies’ efforts to try to address their cybersecurity exposures. For example, in its October 2011 release providing guidance on cyber risk disclosures (here), the SEC specifically noted that among the things that companies should be disclosing with respect to the company’s cyber risk exposures is a “description of relevant insurance coverage.”

 

While in many respects Raskin’s speech represents a reiteration of messages that other agencies and corporate officials have already made, it is nevertheless a very good summary of the responsibilities of corporate officials with respect to cybersecurity issues. Among other things, her speech emphasizes the fact that the adoption of appropriate cyber risk insurance should be a key part of companies’ response to the growing risk of cyber security exposures.

 

One final observation about Raskin’s speech is to note her emphasis that cybersecurity risk is a problem not just for the largest companies and financial institutions. It is not just a problem for “the other guy,” it is a problem for all companies. She states at the outset of her speech, which is focused on financial institutions, that the threat of a cyber breach “creates a persistent and complex challenge for financial institutions spanning the sector, including financial institutions of all types and sizes.”

 

A December 5, 2014 Law 360 article about Raskin’s speech can be found here (subscription required).

Largest Derivative Lawsuit Settlements

Posted in Shareholders Derivative Litigation

My post earlier this week about the $275 million Activision Blizzard shareholder derivative lawsuit settlement – and in particular my suggestion that the Activision settlement may be the largest derivative suit settlement ever – provoked an interesting flurry of emails and conversations about the lineup of other large derivative lawsuit settlements. To address the various questions I have received on the topic, I have set out below my unofficial list of the derivative suit settlements involving the largest cash components. My purposes in posting this list are two-fold: first, in response to several requests, to share the information I have; and second, to encourage others who may have different or additional information to share the information so that I can update or supplement the list as appropriate.

 

 

Here is my list of the ten largest derivative lawsuit settlements of which I am aware:

 

$275 million       Activision Blizzard (2014)

$139 million       News Corp. (2013)

$130+ million     Freeport-McMoRan (2014)

$122 million       Oracle (2005)

$118 million       Broadcom Corp. (Options Backdating) (2009)

$115 million       AIG (2002 lawsuit) (2008)

$110 million       El Paso-Kinder Morgan (merger related) (2012)

$89.4 million        Del Monte Foods (2011)

$75 million           Pfizer (2010) UPDATED

$62.5 million      Bank of America (Merrill Lynch Acquisition) (2012)

 

I suspect strongly that there have been settlements with values between the $62.5 million Bank of America settlement and the $110 million El Paso-Kinder Morgan settlement. I am hoping readers who are aware of any derivative suit settlements with values in that range, or any other settlements that ought to be on this list, will please let me know. UPDATE: Several readers reminded me of the $89.4 million Del Monte Foods derivative lawsuit settlement and the $75 million Pfizer shareholder derivative lawsuit settlement, which I have added to the list above. The Pfizer settlement is discussed in greater detail here.

 

These settlements are of course all dwarfed by the $2.876 billion judgment entered in June 2009 against Richard Scrushy in the HealthSouth shareholders’ derivative lawsuit in Jefferson County (Alabama) Circuit Court, but that judgment represents its own peculiar point of reference. It also was of course a judgment following trial rather than a settlement.

 

Another peculiar point of reference is the $1.262 billion judgment that Chancellor Leo Strine entered in October 2011 in the Southern Peru Copper Corporation Shareholder Derivative Litigation (about which refer here). That case also represents its own form of litigation reality, and it too represents a derivative suit judgment following trial, rather than a settlement.

 

Another derivative lawsuit resolution that is worth considering in the context of the “largest ever” question is the December 2007 settlement of the UnitedHealth Group options backdating-related derivative lawsuit. As discussed here, the lawsuit settled for a total nominal value of approximately $900 million. However, while the press reports at the time described the settlement as the largest derivative settlement ever, the value contributed to the settlement consisted of the surrender by the individual defendants of certain rights, interests and stock option awards, not cash value in that amount.

 

In the past, going back ten years or so, shareholders’ derivative suits typically did not present the possibility of significant cash payouts, at least in terms of settlements or judgments. The cases did present the possibility of significant defense expense and also the possibility of having to pay the plaintiffs’ attorneys’ fees, but by and large there was usually not a cash settlement component. As the significant examples above show, that has clearly changed in more recent years.

 

This trend gained particular momentum with the options backdating scandal. Many of the options backdating cases were filed as derivative suits rather than as securities class action lawsuits (largely because the options backdating disclosures did not always result in the kinds of significant share price declines required to support a securities class action lawsuit). Many of the options backdating case settlements included a cash component, and as illustrated by the Broadcom case mentioned above, some of the options backdating derivative suit settlements included very substantial cash components.

 

It is interesting to note how many of the derivative settlements listed above were entered in connection with lawsuits objecting to a merger or acquisition transaction – the Activision Blizzard settlement, the Freeport-McMoRan settlement, the El Paso-Kinder Morgan settlement, and the BofA/Merrill Lynch settlement all related to lawsuits arising out of merger or acquisition transactions. Indeed, the News Corp. settlement related at least in part to objection to a transaction involving one of Rupert Murdoch’s children. The rise of merger objection litigation has been the target of a great deal of criticism, but the number of recent large settlements involving merger or acquisition transactions highlights the fact that among the many cases that are filed there may be at least a few that are more serious.

 

As I have noted in the past in connection with the increasing numbers of jumbo derivative lawsuit settlements, the upsurge in the number of derivative suit settlements that include a significant cash component undoubtedly is being viewed with alarm by the D&O insurance industry. For many years, D&O insurers have considered that their significant severity exposure consisted of securities class action lawsuits. The undeniable reality now is that in at least some circumstances, derivative suits increasingly represent a severity risk as well. And the settlement amounts themselves represent only part of the D&O insurers’ loss costs. The D&O insurers also incur millions and possibly tens of millions of defense cost expense in these derivative suits.

 

The increasing risk of this type of settlement represents a significant challenge for all D&O insurers, but particularly for those D&O insurers concentrating on providing Excess Side A insurance. Those insurers will have to ask how they are to underwrite the risks associated with these kinds of exposures, and how they are to make certain that their premiums adequately compensate them for the risk.