The D&O Diary

A PERIODIC JOURNAL CONTAINING ITEMS OF INTEREST FROM THE WORLD OF DIRECTORS & OFFICERS LIABILITY, WITH OCCASIONAL COMMENTARY

Another Environmental Disclosures Securities Suit Survives Initial Pleading Hurdles

Posted in Environmental Liability

In recent months, there have been a number of securities class action lawsuits filed based on alleged misrepresentations of the defendant company’s environmental compliance. On August 7, 2014, the securities suit filed against Exide Technologies and certain of its directors and officers based on the defendants’ allegedly misleading statements about the company’s compliance with environmental regulations became the latest environmental disclosure securities suit to overcome the initial pleading hurdles. These cases underscore the fact that reporting companies’ environmental compliance disclosures are facing increasing scrutiny, making the quality of the environmental disclosures increasingly important.

 

A copy of Central District of California Judge Stephen V. Wilson’s August 7, 2014 order denying the defendants’ motion to dismiss can be found here.

 

Exide is in the business of producing, recycling and distributing lead-acid batteries. The company maintains a large recycling plant in Vernon, California. The plaintiffs in the securities suit allege that the company experienced a series of problems and related regulatory compliance issues regarding the Vernon plant’s alleged emissions of arsenic into the air and regarding an allegedly non-compliant piping system that allegedly was leaking hazardous materials into the groundwater. These problems allegedly were not publicly disclosed until the period March through May of 2013, while during the preceding months the defendants allegedly made a number of reassuring statements about the company’s environmental compliance.

 

Judge Wilson granted the defendants’ motion to dismiss the plaintiffs’ initial complaint without prejudice. In February 2013, the plaintiffs filed an amended complaint, and the defendants renewed their motion to dismiss.

 

In his August 7 Order, Judge Wilson denied the defendants’ renewed motion to dismiss. He found that the amended complaint pled “allegations sufficient to present a question of fact as to whether Defendants omissions and misrepresentations regarding the Vernon plant’s environmental contamination issues made Defendants’ communications with investors misleading.”

 

In support of their motion to dismiss, the defendants had tried to argue that the company’s SEC filings were sufficient to disclose the company’s environmental risks. As quoted by Judge Wilson in his order, the company’s SEC filings stated that the company could not “be certain that it has been, or will at all time be, in complete compliance with all environmental requirements, or that the Company will not incur additional material costs or liabilities in connection with those requirements in excess of amounts it has reserved.”

 

Judge Wilson said that it is “an issue of fact whether a reasonable investor would consider this boilerplate disclosure sufficient enough that the disclosure of the actual environmental issues at Vernon during the class period would not have significantly altered the total mix of information made available about the company.” Judge Wilson went on to note that “if Defendants general environmental disclosures were sufficient to cover the existing environmental problems at Vernon as a matter of law at the pleading stage, it is difficult to see a logical stopping point to the ability of a company to ‘disclose’ serious environmental or other problems to investors through vague, general or boilerplate statements.”

 

In order to try to satisfy the requirements for pleading scienter, the plaintiffs relied on allegations based on the statements of confidential witnesses, who alleged that Exide has a system in place for reporting environmental compliance issues, which the plaintiffs alleged was sufficient to show that the individual defendants should have been aware of the Vernon plant’s issues. Taking a “holistic approach” to the scienter issue, including taking into consideration the seriousness of the problems at the Vernon plant and the importance of the Vernon plant to Exide’s operations, Judge Wilson found that the plaintiffs’ scienter allegations, taken in conjunction with the company’s environmental reporting system, “support a cogent inference that Defendants were aware of Vernon’s environmental issues.”

 

Discussion

The survival of the environmental disclosure securities suit against Exide comes closely after the Second Circuit’s recent ruling in the JinkoSolar securities suit, discussed here, in which the appellate court reversed the lower court dismissal of the suit and concluded that the plaintiffs’ allegations concerning the alleged deficiencies of the defendant company’s environmental compliance disclosures were sufficient. While these are just two cases, it does seem as if the plaintiffs are getting some traction in securities suits based on environmental compliance disclosures.

 

As the derivative lawsuit filed earlier this year against the board of Duke Energy highlights, environmental issues apparently are becoming an area of increasing focus for plaintiffs’ lawyers. As cases like those filed against Exide and JinkoSolar prove to be viable, further cases based on environmental compliance and environmental disclosures may follow.

 

At a minimum, it is clear that companies’ environmental disclosures will face increased scrutiny. In that respect, Judge Wilson’s comments about Exide’s environmental disclosures are interesting. From Judge Wilson’s perspective at least, mere “boilerplate” disclosures or “vague” or “general” statements will not be sufficient to protect companies from allegations that their environmental compliance disclosures were inadequate. The lesson is that it will be increasingly important for companies to ensure that their environmental disclosures avoid use of mere boilerplate and instead incorporate specific and detailed discussion of the circumstances surrounding their environmental compliance.

 

By the same token, D&O insurance underwriters considering companies whose operations may present environmental concerns will want to review the environmental disclosures in the companies’ periodic reports in order to assess the extent to which the disclosures provide a specific and detailed picture of the company’s environmental compliance circumstances.

 

Finally, and as I noted in my recent post about the Second Circuit’s decision in the JinkoSolar case, it clearly is going to be important for policyholders to ensure that their D&O policy contains no pollution exclusion (as is the case in many current policies, which, rather than including a pollution exclusion, simply carve out environmental remediation costs from the definition of covered loss), or, if they have a pollution exclusion, that the exclusion contains a provision carving back coverage for derivative claims and securities suits.

Second Circuit Affirms Porsche Securities Suit Dismissal; Domestic Transaction Necessary But Not Sufficient to Invoke U.S. Securities Laws

Posted in Securities Litigation

On August 16, 2014, in a long-awaited decision that is sure to provoke comment and that could fuel disputes in future cases, the Second Circuit affirmed the dismissal of the securities suits that hedge fund purchasers of certain swap agreements had filed against Porsche and its executives.

 

The plaintiffs contended that because they had completed the swap contracts transactions in the United States, the swap transactions represented “domestic transactions” within the meaning of the “second prong” of the Supreme Court’s holding in Morrison v. National Australia Bank, in which the Court had said that the U.S. securities laws apply to “domestic transactions in other securities.”

 

In an unsigned per curiam opinion (which can be found here), the Second Circuit — concerned that the application of Morrison as the plaintiffs urged would result in the very kind of extraterritorial extension of U.S. securities laws Morrison had sought to avoid — said that while it is necessary for the U.S. securities laws to apply that a domestic transaction is involved, it is not sufficient. The court went on to say that the claims in this case are so “predominately foreign as to be impermissibly extraterritorial.” The court stressed that it was not attempting to establish a rule that would govern future cases, but instead emphasized that future courts would have to make determinations on a case-by-case basis based on the facts presented.

 

While the Second Circuit affirmed the district court’s dismissal of the case, the appellate court nevertheless remanded the case to the lower court for further proceedings to see whether or not the plaintiffs could amend their pleadings to try to satisfy the requirements the appellate court had specified.

 

Background

The plaintiff hedge funds had entered into security-based swap agreements that referenced the price of VW shares. The referenced VW shares did not trade on any U.S. exchange. The swaps did not trade on any exchanges. The swap agreements generated gains for plaintiffs as the price of VW’s shares declined and produced losses as the price of VW shares rose.

 

The plaintiffs allege that all of the steps necessary to transact the swap agreements took place in the United States. The swap agreements contain choice of law and forum selection provisions that designate New York law and a New York forum.

 

In the lawsuits, the hedge fund plaintiffs allege that the Porsche defendants had caused a dramatic rise in VW stock prices by buying nearly all of the few freely-traded shares as part of a secret plan to take over the company, while publicly denying that it sought to gain control. The plaintiffs allege that after months of denying that it sought to take over VW, Porsche on October 26, 2008 disclosed the extent of its accumulated holdings in VW stock, as a result of which the VW share price shot up, causing the plaintiffs massive losses on their swap agreements.

 

The defendants moved to dismiss in reliance on Morrison, on the grounds that the swap transactions were not within the ambit of Section 10(b) of the Securities Exchange Act of 1934. As discussed here, in a December 30, 2010 opinion, Southern District of New York Judge Harold Baer granted the defendants’ motion to dismiss, holding that the application of the U.S. securities laws to the swap transactions would be “inconsistent” with the Supreme Court’s intention to “curtail the extraterritorial application” of the U.S. securities laws. The plaintiffs appealed.

 

On March 1, 2012, as discussed here, while the plaintiffs’ appeal was pending, the Second Circuit issued its opinion in Absolute Activist Value Master Fund Limited v. Ficeto, in which the appellate court examined the requirements under Morrison’s second prong. The Second Circuit held that in order to establish the existence of a “domestic transaction in other securities,” a plaintiff “must allege facts suggesting that either irrevocable liability was incurred or title transferred within the United States.”

 

The August 15 Opinion 

On August 15, in a lengthy per curiam opinion, to which Judge Pierre Leval appended a concurring opinion, the Second Circuit affirmed the district court, while also remanding the case back to the district court for the court to determine whether or not the plaintiffs could amend their complaints sufficiently to meet the standards set by the appellate court.

 

The Second Circuit recognized that the plaintiffs had entered their swap transactions in the United States, which would therefore, based on the Absolute Activist decision, seem to suggest that the transactions met Morrison’s second prong. The problem with this conclusion is that “it would subject to U.S. securities laws conduct that occurred in a foreign country, concerning securities in a foreign company, traded entirely on foreign exchanges.” It would subject foreign defendants to potential liability under the U.S. securities laws based on nothing more than an entirely private transaction of which the defendants were entirely unaware. This outcome would result in the very extraterritorial application of the U.S. securities laws that the Supreme Court sought to avoid in Morrison.

 

Accordingly, the Court said, adding its own gloss to Morrison, that while it is necessary for U.S. securities laws to apply that a domestic securities transaction is involved, it is not sufficient. The Court said that it need not even determine whether or not the Absolute Activist standards had been met here, because “we think it is clear that the claims in this case are so predominately foreign as to be impermissibly extraterritorial.”

 

The Court stressed that its holding in no way forecloses the application of the U.S. securities laws to govern swap transactions where “the transactions are domestic and where the defendants are alleged to have sufficiently subjected themselves to the statute.” The Court warned that its conclusion in this case cannot be “perfunctorily applied to other cases based on the perceived authority of a few facts.” Rather, courts will have to “carefully make their way with careful attention to the facts of each case.” The Court also suggested that it would be better left to the SEC or to Congress to provide a more comprehensive rule.

 

Discussion 

As the Second Circuit said, this case “illustrates the problem with treating the location of a transaction as the definitive factor in the extraterritorial inquiry.” If the mere fact that the swap transactions (between private parties and entered without Porsche’s involvement or knowledge) were completed in the U.S. were sufficient to subject Porsche and its executives to potential liability under the U.S. securities laws, it “would seriously undermine Morrison’s insistence that Section 10(b) has no extraterritorial application.”

 

Just the same, it could be argued that the Second Circuit ranged beyond the strict confines of Morrison and extended entirely new guidelines when it stated that it was necessary but not sufficient that a domestic transaction was involved in order for the U.S. securities laws to apply.

 

The difficulty with the Second Circuit’s extension is that it invites further disputes, particularly given the lengths to which the Court went to avoid any suggestion that it was laying down a bright-line rule. (Indeed, Judge Leval’s concurrence was written in defense of the fact that the Second Circuit has taken the Supreme Court’s single-factor “domestic transaction” test and turned it into a multi-factor formulation.) While the Morrison court laid down what is “necessary,” the Second Circuit arguably has now begged the question of what is “sufficient” for U.S. securities laws to apply.

 

The Second Circuit provided little guidance about what may be “sufficient,” except to say that the U.S. securities laws are implicated when a domestic transaction is involved and the defendants “are alleged to have sufficiently subjected themselves to the statute.” But what activities are relevant in consideration of the question whether the defendants have “subjected” themselves to the U.S. securities laws – and doesn’t this risk getting courts back into the “conduct” part of the old “conduct and effects” test that the Supreme Court rejected in Morrison? And what degree of activity is enough to say that defendants have “sufficiently subjected” themselves to the U.S. securities laws? Obviously, the Second Circuit standard leaves much for subsequent courts to fill in, which seems to put us back on the slippery slope toward the inconsistent case law the Supreme Court sought to eliminate when it rejected the “conduct and effects” test.

 

By the same token, defendants will now seek to resist the application of the U.S. securities laws by attempting to argue that the transaction in question was “predominately foreign.” Which of course begs the question of what factors establish that something is “foreign” rather than “domestic,” and what degree of showing is required to establish that something is predominately foreign.

 

Perhaps these disputes can be avoided. The Second Circuit’s focus on the fundamental importance of avoiding extraterritorial application of the U.S. securities laws may prove a sufficient guiding principle that many line-drawing disputes can be avoided. Nevertheless, the groundwork seems to be set for future disputes about whether a plaintiff’s allegations have established the elements that are both “necessary” and “sufficient” to warrant the application of the U.S. securities laws.

 

An interesting final question is what the plaintiffs will do next. On the one hand, they could just go back to the district court and try their luck at amending their pleading to try to satisfy the Second Circuit’s standard. The Second Circuit’s opinion states that after the dust settled following Porsche’s disclosure that it was well on the way to acquiring control of VW, short sellers lost a total of $38.1 billion. The plaintiffs, whose losses constitute a part of that $38.1 billion, seem to have substantial financial incentives to try to take their fight to the U.S. Supreme Court. Given the U.S. Supreme Court’s propensity to take up securities cases in recent years, and given the magnitude of the changes that the Second Circuit’s formulation works on Morrison, the Supreme Court might well want to take up this case.

 

The Porsche case presented difficult issues. Based on Morrison, the Second Circuit was correctly concerned about the possible extraterritorial application of the U.S. securities laws. Nevertheless, the basis of its decision could provide fodder for protracted battles as other courts struggle to determine what factors are “sufficient” to warrant the application of the U.S. securities laws.

 

Interruption in the Publication Schedule: Due to my overseas business travel obligations, there will be an interruption in The D&O Diary’s publication schedule over the next several days. The regular publication schedule will resume upon my return at the end of next week. 

 

Dodd-Frank Anti-Retaliation Provisions Do Not Protect Overseas Whistleblowers

Posted in Employment Practices Liability

In the latest fiscal year report of the SEC Office of the Whistleblower, the agency reported that as of the end of the 2013 fiscal year it had received a total of 6,573 whistleblower reports since the Dodd-Frank whistleblower program’s inception. These figures include not only domestic whistleblower reports but also reports from a total of sixty-eight different countries. During fiscal year 2013, there were 404 whistleblower reports from outside the U.S., representing nearly 12% of all reports during the year. Clearly, whistleblower reports from non-U.S. countries have represented a significant part of the whistleblower program, and foreign whistleblowers have been drawn to the program.

 

However, based on a recent Second Circuit decision, prospective foreign whistleblowers thinking about making a whistleblower report had better be prepared to watch out for themselves, as according to the appellate court’s August 14, 2014 decision in Liu Meng-Lin v. Siemens AG (here), the Dodd-Frank Act’s whistleblower anti-retaliation protections do not apply extraterritorially — that is, they do not protect whistleblowers outside the U.S. This ruling obviously could dampen the interest of prospective foreign tipsters in making whistleblower reports.

 

In this action, a Taiwanese former compliance officer of Siemens’ Chinese healthcare subsidiary alleged that he had been retaliated against for making a whistleblower report. The claimant filed the claim in reliance on provisions of the Dodd-Frank Act that prohibit employers from retaliating against whistleblower employees who make reports protected by the Act. The plaintiff allegedly had discovered that employees of the Chinese subsidiary were making improper payments to officials in North Korea and China in connection with medical equipment sales in those countries. The plaintiff alleged that after reporting this conduct to superiors through internal company procedures, he was demoted and ultimately fired. Two months after being fired, the plaintiff reported the allegedly corrupt conduct to the SEC.

 

The plaintiff filed an action alleging that the employment actions taken against him violated the Dodd-Frank Act’s anti-retaliation provisions. Siemens moved to dismiss the plaintiff’s action, arguing that the anti-retaliation provisions do not apply extraterritorially and that all of the key actions involved here had taken place outside the United States. The district court granted the defendant’s motion to dismiss and the plaintiff appealed.

 

In an August 14, 2014 opinion written by Judge Gerard E. Lynch, a three-judge panel of the Second Circuit affirmed the district court’s dismissal of the action. The Court said, in reliance on the U.S. Supreme Court’s Morrison decision, that in the absence of clear congressional intent to the contrary a statute is presumed to apply only domestically, and “because there is no evidence that the anti-retaliation provision is intended to have extraterritorial reach, we conclude that that provision does not apply extraterritorially.” The Court said further that because the plaintiff “was a non-citizen employed abroad by a foreign company, and that all events allegedly giving rise to liability occurred outside the United States, applying the anti-retaliation provisions to these facts would constitute an extraterritorial application.”

 

The Court did not reach the question whether or not the protections of the anti-retaliation provisions apply to protect whistleblowers that make their reports internally. There has been a split among various courts on the question of whether or not the provisions protect internal whistleblowers. (For example, in July 2013, the Fifth Circuit held that the anti-retaliation provisions only protect those that make reports directly to the SEC.) The appellate court said only that it “need not reach” that question given its ruling on extraterritoriality.

 

The Second Circuit’s decision clearly will have an impact on prospective whistleblowers outside the United States. Many may hesitate to make reports out of fear of retaliation.

 

Just the same, the Second Circuit’s decision left many questions unanswered, as discussed in an August 14, 2014 Law 360 article entitled “2nd Circ. Ruling on Overseas Tipsters Dodges Big Issues” (here, subscription required). This case arguably was straightforward, since every aspect of the case took place outside the U.S. and there were no U.S. connections involved. The Second Circuit’s ruling gives no indication of what the impact on its ruling might have been if the whistleblower were a U.S. citizen, or if the whistleblower report had involved a U.S. company operating overseas, or if any of the alleged misconduct had taken place inside the U.S. These issues will have to be addressed in future cases. In the meantime, it seems probable that the seeming enthusiasm for whistleblower reports from outside the U.S. will be dampened.

 

I will say that as I have traveled overseas in recent years, I have heard concerns about the extent of whistleblower reports from outside the U.S. and the extent to which this whistleblowing activity might lead to enforcement action or claims against the companies involved in their home countries. These concerns may be relieved to a certain extent by the Second Circuit’s ruling. If prospective overseas whistleblowers know they will not have the benefit of anti-retaliation provisions, there likely will be fewer whistleblower reports, reducing the risk of the feared possible enforcement action or follow-on claim activity in other jurisdictions.

 

Another concern I have heard as I have travelled around the world is that observers in other countries are alarmed by the extent to which U.S. regulators are willing to try to assert their regulatory authority outside of the U.S. border, a phenomenon about which I recently wrote here. However, this case, and the Second Circuit’s recent opinion in the Porsche case, about which I commented in an accompanying blog post, seem to reflect the U.S. courts straining to avoid the extraterritorial application of the U.S. laws. While there may be very good reasons for concern about U.S. regulators’ cross-border assertion of their authority, there are also important cross-currents working against the extraterritorial assertion of U.S. laws.

 

Should Bank Directors’ Fiduciary Duties Be Expanded?

Posted in Director and Officer Liability

A recurring question is whether bank directors should be held to a more stringent fiduciary duty than are the directors of other kinds of companies. The question has been raised in the current wave of failed bank litigation, as the FDIC has tried to argue, for example, that bank directors are not entitled to the same protections of the business judgment rule as are directors of other companies. A recent speech by a Federal Reserve Board governor has once again raised the issue of whether bank boards should face “broadened” fiduciary duties, a suggestion that has provoked a sharp critical response.

 

In a lengthy June 9, 2014 speech (here), Federal Reserve Board Governor Daniel K. Tarullo raised the question whether the fiduciary duties of boards of regulated financial firms should be expanded because of the systemic risks embedded in the banking sector. Gov. Tarullo specifically referred to a “provocative recent paper” by Oxford University Law Professor John Armour and Columbia Law Professor Jeffrey N. Gordon entitled “Systemic Harm and Shareholder Value” (here), in which the two professors propose board-level oversight responsibility for institutional risk-taking, in order to better align investor interest with societal interest in banking sector stability that could be disrupted by excessive risk-taking. In their paper, the professors specifically propose that the directors be held liable for losses resulting from breaches of their risk management oversight.

 

As summarized by Gov. Tarullo, the professors argue that bank directors’ duties should be expanded “precisely because diversified shareholders have a strong interest avoiding risk decisions by these institutions that increase systemic risk.” The broadened fiduciary duties that the professors recommend would apply only to “systemically important financial institutions.”

 

These proposals were sharply criticized in an August 7, 2014 American Banker article by John Gorman of the Luse Gorman Pomerenk & Schick law firm entitled “Beware of Expanded Board Duties” (here). Among other things, Gorman notes that broadening bank directors’ fiduciary duties for institutional risk-management would “expose a board to liability for good faith judgments” and would “require boards to function in a management capacity.” These developments would be both “expensive and inefficient” and “would undoubtedly discourage capable persons from serving on bank boards.”

 

According to Gorman, altering bank boards’ fiduciary duties to require directors to take ownership for risk management issues “would merely provide a prima facie basis for the filing of a lawsuit against many boards.” Bank boards are “already significantly exposed to litigation and potential liability to both regulators and shareholders.” Any expansion of boards’ fiduciary duties with respect to risk management “would be a dangerous development for directors of all banks.”

 

The two professors’ recent article to which I linked above is hardly the first instance where it has been argued that, owing to their organizations’ unique roles in the financial system, bank directors should face a higher standard of liability than do directors of other organizations. Indeed, in his recent speech Gov. Tarullo also cited earlier academic articles where similar proposals had been suggested.

 

However, it is important to note that the idea that bank directors should face a different standard than directors of other companies has not been confined just to academic articles. Similar arguments have made their way into the current round of bank failure litigation, where, for example, the FDIC has argued that bank directors are not entitled to the same protection of the business judgment rule as are directors of other companies.

 

As noted here, Northern District of Georgia Judge Tom Thrash Jr. raised that very question in an FDIC lawsuit involving the failed Buckhead Community Bank. Among other things, Judge Thrash observed that “there is every reason to treat bank officers and directors differently from general corporate officers and directors.” Ultimately, rather than answer the question of whether bank directors are entitled to the same protection of the business judgment rule as other directors, Judge Thrash certified the question to the Georgia Supreme Court.

 

As discussed here, the Georgia Supreme Court’s answer was not exactly what the bank directors and officers had been hoping for; that is, the Court agreed in the end that the business judgment rule protects bank directors and officers and directors and officers of other corporations in the same way, but that in neither case are directors and officers entitled to absolute immunity from negligence claims. Just the same, Judge Thrash’s question shows that it is not just academics and regulators that are struggling with the issue of whether or not different standards should apply to bank directors.

 

It should be emphasized that the academics’ proposal to hold bank directors to a higher standard was limited just to directors of systemically important financial institutions. I share the concerns John Gorman expressed in his American Banker article about this proposal. However, I have an additional concern, which is that there are already theories floating around that bank directors should be held to a different standard than directors of other companies, as shown by Judge Thrash’s remarks in the Buckhead Community Bank case. My concern is that if the idea were accepted that directors of systemically important banks should be held to have expanded fiduciary duties, the idea would quickly expand beyond just systemically important institutions and be applied to many, most, or even all bank directors, without regard to whether or not their institution is systemically important.

 

There undoubtedly are meritorious lawsuits filed against bank directors, particularly where there is evidence of self-dealing or complete abdication of responsibility. Just the same, the overall level of litigation aimed at bank directors is both excessive and socially inefficient, particularly with respect to the litigation that so often follows after banks’ failures. So often the failed bank lawsuit allegations consist of little more than scapegoating and hindsight second-guessing. Creating a liability regime that would encourage further litigation and expand the potential liabilities of bank directors would accomplish little except enlarging the litigation burden that prospective directors would have to consider before accepting a seat on a bank board.

 

I fully recognize that I am stepping into an issue on which there is already a spirited debate and I understand that reasonable minds could have a different view. I encourage those who see these issues differently to add their thoughts to this post using the blog’s comment feature.

 

Special thanks to a loyal reader for sending me a link to the American Banker article.

 

 

Guest Post: Cybersecurity and Cyber Governance: Understanding and Implementing the NIST Cybersecurity Framework

Posted in Uncategorized

On February 12, 2014, the National Institute of Standards and Technology (NIST), pursuant to an Executive Order from President Obama, released the first version of the Framework for Improving Critical Infrastructure Cybersecurity (here), to identify standards and practices to promote the protection of critical infrastructure from cyberattack. In a recent speech, SEC Commissioner Luis Aguilar said that the NIST Framework is “likely to become a baseline for best practices by companies, including in assessing legal or regulatory exposure” to cybersecurity issues.

 

In the following guest post, Paul A. Ferrillo of the Weil Gotshal law firm and Tom Conkle of G2, Inc. take a detailed look at the NIST Framework and explain why the Framework is so important for companies and for their boards of directors. They also review the steps companies can take to try to implement the Framework. (To see full-sized versions of the graphical images embedded in this post, please click on the images.)

 

I would like to thank Paul and Tom for their willingness to publish their guest post on my site. I welcome guest post submissions from responsible authors on topics of interest to readers of this site. Anyone interested in publishing a guest post should contact me directly. Here is Paul and Tom’s guest post:

*************************************************

 

Why the Cybersecurity Framework was created and why it is so important

Despite the fact that companies are continuing to increase spending on cybersecurity initiatives, data breaches continue to occur. According to The Wall Street Journal, “Global cybersecurity spending by critical infrastructure industries was expected to hit $46 billion in 2013, up 10% from a year earlier according to Allied Business Intelligence Inc.[i]” Despite the boost in security spending, vulnerabilities, threats against these vulnerabilities, data breaches and destruction persist. To combat these issues, the President on February 12, 2013 issued Executive Order (EO) 13636, “Improving Critical Infrastructure Cybersecurity[ii].” The EO directed NIST, in cooperation with the private sector, to develop and issue a voluntary, risk-based Cybersecurity Framework that would provide U.S. critical infrastructure organizations with a set of industry standards and best practices to help manage cybersecurity risks.

In February 2014, through a series of workshops held throughout the country and with industry input, NIST released the “Framework for Improving Critical Infrastructure Cybersecurity” (“the Framework”)[iii]. For the first time, the Framework provides industry with a risk-based approach for developing and improving cybersecurity programs. It also provides a common language regarding cyber security issues to allow for important discussions to take place between an organization’s “IT” people, and an organization’s “business” people, some of whom may cringe when hearing complicated terms like “APT” (Advanced Persistent Threat). Its common sense, “English language” approach allows an organization and its directors to both identify and improve upon its current cybersecurity procedures. Though the Framework was developed for the 16 critical infrastructure sectors, it is applicable to all companies, albeit, at least today, on a voluntary basis.

What is the Cybersecurity Framework

The Framework contains three primary components: The Core, Implementation Tiers, and Framework Profiles. 

The Framework Core

The Framework Core (“Core”) is a set of cybersecurity activities and applicable references established through five concurrent and continuous functions – Identify, Protect, Detect, Respond and Recover – that provide a strategic view of the lifecycle of an organization’s management of cybersecurity risk. Each of the Core Functions is further divided into Categories tied to programmatic needs and particular activities. The outcomes of activities point to informative references, which are specific sections of standards, guidelines, and practices that illustrate a method to achieve the outcomes associated with each subcategory. The Core principles can be thought of as the Framework’s fundamental “cornerstone” for how an organization should be viewing its cybersecurity practices: (1) identifying its most critical intellectual property and assets; (2) developing and implementing procedures to protect them; (3) having resources in place to timely identify a cybersecurity breach; and (4) having procedures in place to both respond to and (5) recover from a breach, if and when one occurs.

The Framework Implementation Tiers

The Framework Implementation Tiers (“Tiers”) describe the level of sophistication and rigor an organization employs in applying its cybersecurity practices, and provide a context for applying the core functions. Consisting of four levels from “Partial” (Tier 1) to “Adaptive” (Tier 4), the tiers describe approaches to cybersecurity risk management that range from “informal, reactive responses to agile and risk-informed.”

The Framework Profile

The Framework Profile (“Profile”) is a tool that provides organizations a method for storing information regarding their cybersecurity program. A profile allows organizations to clearly articulate the goals of their cybersecurity program. The Framework is risk-based; therefore the controls and the process for their implementation change as the organization’s risk changes. Building upon the Core and the Tiers, a comparison of the Profiles (i.e. Current Profile versus Target Profile) allows for the identification of desired cybersecurity outcomes, and gaps in existing cybersecurity procedures.

 

Why Directors should care about the Framework

Tom Wheeler, Chairman of the Federal Communications Council (FCC), stated that an industry-driven cybersecurity model is preferred over prescriptive regulatory approaches from the federal government.[iv] Nonetheless, it continues to see successful attacks on critical infrastructure organizations.

At some point, if critical infrastructure organizations do not demonstrate that a voluntary program can provide cybersecurity standards that are the same as, if not better than, federal regulations, regulators will likely step in with new laws. In fact, according to SEC Commissioner Luis Aguilar, the Framework has already been suggested as a potential “baseline for best practices by companies, including in assessing legal or regulatory exposure to these issues or for insurance purposes. At a minimum, boards should work with management to assess their corporate policies to ensure how they match-up to the Framework’s guidelines — and whether more may be needed.”[v] If SEC or other proposed federal regulation of cybersecurity becomes a reality, implementing the Framework could be a mandatory exercise.  By choosing to act now, organizations have the benefit of more flexibility in how they implement the Framework. 

In addition to staying ahead of federal and state regulators and potential Congressional legislation, the Framework provides organizations with a number of other benefits, all of which support a stronger cybersecurity posture for the organization.  These benefits include a common language, collaboration opportunities, the ability to verifiably demonstrate due care by adopting the Framework, ease in maintaining compliance, the ability to secure the supply chain, and improved cost efficiency in cybersecurity spending. Though it would be Herculean to accurately summarize all benefits of the Framework and how to implement them, we pull out its key points below.

Common Language

The Framework, for the first time, provides a common language to standardize the approach for addressing cybersecurity concerns. As we have noted in other articles, including in June 2014 and July 2014, many cyber security principles are not intuitive. They are not based upon well-established principles that Directors (especially audit committee members) are used to hearing, like “revenue recognition.” The Framework allows for cybersecurity programs to be established and shared within an organization and to organizational partners using a common language. For example, the Framework allows for the creation of several types of Profiles: Profiles that provide strategic enterprise views of a cybersecurity program, Profiles that are focused on a specific business unit and its security, or Profiles that describe technologies and processes used to protect a particular system. Despite the number of Profiles that may exist for an organization, directors can quickly and easily understand how corporate guidance is implemented in each Profile since they have a standard language and format for describing an organization’s cybersecurity programs.  

Collaboration

NIST and participants from industry that assisted in the Framework development envision the Framework Profiles as a way for organizations to share best practices and lessons learned. By leveraging the common language and increased community awareness established through the Framework, organizations can collaborate with others through programs such as the Cybersecurity Forum (CForum)[vi]. CForum provides an online forum for organizations to share lessons learned, post questions regarding their cybersecurity challenges, and maintain the conversation to continually improve cybersecurity capabilities and standards.

Demonstrating Due Care

By choosing to implement the Framework (or some part of it) sooner rather than later,  organizations can potentially avoid the inevitable conclusion (or parallel accusation by a plaintiff’s attorney) that they were “negligent” or “inattentive” to cybersecurity best practices following disclosure of a cyber breach. Organizations using the Framework should be more easily able to demonstrate their due care in the event of a cyber attack by providing key stakeholders with information regarding their cybersecurity program via their Framework profile. At the same time, Directors can point to their request that the organization implement the Framework in defense of any claim that they breached their fiduciary duties by failing to oversee the cyber security risk inherent in their Organization.

Maintaining Compliance

Many critical infrastructure organizations are required to meet multiple regulations with overlapping and conflicting requirements. In order to avoid fines and additional fees from regulatory bodies, many operators are forced to maintain multiple compliance documents describing how the organization is complying with each requirement. The standard developed by the Framework enables auditors to evaluate cybersecurity programs and controls in one standard format, eliminating the need for multiple security compliance documents.

Knowing your Supply Chain

The Framework also provides an opportunity for organizations to better understand the cybersecurity risks imposed through their supply chains. Organizations purchasing IT equipment or services can request a Framework profile, providing the buying organization an opportunity to determine whether or not the supplier has the proper security protections in place. Alternatively, the buying organization can provide a Framework profile to the supplier or vendor to define mandatory protections that must be implemented by the service provider’s organization before it is granted access to the buying organization’s systems.
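The Current-versus-Target Profile comparison described under “The Framework Profile,” and the supplier-profile check described in this section, can be sketched as follows. This is an added example, not code from the guest post or from NIST: the subcategory identifiers are those of Framework version 1.0, while the 0-3 implementation scale, the sample scores and the function names are assumptions made for illustration, since the Framework does not prescribe a file format for Profiles.

```python
"""Gap analysis between two Cybersecurity Framework Profiles (added example)."""

# Prefixes of Framework v1.0 subcategory identifiers, mapped to Core Functions.
FUNCTIONS = {"ID": "Identify", "PR": "Protect", "DE": "Detect",
             "RS": "Respond", "RC": "Recover"}

# Assumed scale (not defined by the Framework):
# 0 = not implemented, 1 = partially, 2 = largely, 3 = fully implemented.
MAX_SCORE = 3


def function_of(sub_id):
    """Return the Core Function name for an identifier such as 'PR.AC-1'."""
    prefix = sub_id.split(".", 1)[0]
    if prefix not in FUNCTIONS:
        raise ValueError(f"unknown Core Function prefix in {sub_id!r}")
    return FUNCTIONS[prefix]


def validate(profile):
    """Reject identifiers outside the five Functions and out-of-range scores."""
    for sub_id, score in profile.items():
        function_of(sub_id)
        if isinstance(score, bool) or not isinstance(score, int) \
                or not 0 <= score <= MAX_SCORE:
            raise ValueError(f"score for {sub_id} must be an integer 0..{MAX_SCORE}")


def gap_analysis(current, target):
    """List subcategories where current falls short of target, worst first.

    A subcategory absent from the current Profile counts as not implemented.
    """
    validate(current)
    validate(target)
    gaps = []
    for sub_id, wanted in target.items():
        have = current.get(sub_id, 0)
        if have < wanted:
            gaps.append({"subcategory": sub_id, "function": function_of(sub_id),
                         "current": have, "target": wanted,
                         "shortfall": wanted - have})
    gaps.sort(key=lambda g: (-g["shortfall"], g["subcategory"]))
    return gaps


def shortfall_by_function(gaps):
    """Total shortfall per Core Function, for a board-level summary."""
    totals = {name: 0 for name in FUNCTIONS.values()}
    for gap in gaps:
        totals[gap["function"]] += gap["shortfall"]
    return totals


def supplier_meets(required, supplier):
    """True when a supplier Profile meets every score the buyer requires."""
    return not gap_analysis(supplier, required)


# Constructed sample Profiles (scores are illustrative, not real assessments).
TARGET = {
    "ID.AM-1": 3,  # asset inventory
    "PR.AC-1": 3,  # identity and credential management
    "PR.AT-1": 2,  # user awareness and training
    "DE.CM-1": 3,  # network monitoring
    "RS.RP-1": 3,  # response plan execution
    "RC.RP-1": 2,  # recovery plan execution
}
CURRENT = {"ID.AM-1": 3, "PR.AC-1": 2, "PR.AT-1": 2, "DE.CM-1": 1, "RS.RP-1": 1}

if __name__ == "__main__":
    found = gap_analysis(CURRENT, TARGET)
    for gap in found:
        print(f'{gap["subcategory"]:8} {gap["function"]:8} '
              f'{gap["current"]} -> {gap["target"]}')
    print(shortfall_by_function(found))
    print("supplier acceptable:", supplier_meets(TARGET, CURRENT))
```

The same `gap_analysis` call serves both uses: run against an organization's own Target Profile it yields a remediation list, and run against a buyer's required Profile it yields the protections a supplier still has to put in place.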

Spending Security Budgets Wisely

In an environment where cyberthreat information is not readily available, organizations struggle with understanding how much security is enough security, leading to organizations implementing unnecessary cybersecurity protections. Through the use of the Framework, standards for care can be established for each critical infrastructure sector. Organizations can leverage these standards to determine the appropriate level of security protections required, ensuring efficient utilization of security budgets.

[Image: NIST Framework benefits diagram]

The diagram above provides questions to help determine if and how an organization can benefit from implementing the Framework. Discussing these questions and their responses will help organizations determine how well their current cybersecurity efforts are protecting them against cyber attacks.  Based on the answers to these questions, they will better understand which of the benefits presented in this article will apply to their organization should they implement the Framework. 

Where do you start with implementing the Framework?

A major challenge in adopting the Framework is simply getting started. Organizations typically have limited resources and familiarity with the Framework to help them leverage their existing cybersecurity, compliance and audit programs, policies and processes.

At a minimum, directors and their management should become familiar with the Framework. Additionally, directors (or some committee thereof) should have a deep discussion with management about the organization’s Implementation Tiers. The Implementation Tiers allow an organization to consider current risk management practices, the threat environment, legal and regulatory requirements, business/mission objectives, and organizational constraints.

Educating managers and staff on the Framework to ensure all organizations are on the same page is also an important step toward the successful implementation of a robust cybersecurity program. The previously mentioned CForum is a source for success stories, lessons learned, questions and information useful to organizations implementing the Framework. This information about existing Framework Implementations may help organizations with their own approaches. Additionally, organizations can seek out cybersecurity service providers skilled in helping organizations with the education, awareness and planning required to implement the Framework across an entire enterprise.

Though “voluntary,” it cannot be overstated that the Framework is “a National Standard” developed with input from industry experts, collaborators and businesses with years of cyber experience. As stated by the Chairman of the House of Intelligence, Mike Rogers, “there are  two kinds of companies. Those that have been hacked and those that have been hacked but don’t know it yet.[vii]” Given that it is almost inevitable that an organization will be hacked, there will be a time and a place where it may need to demonstrate to customers, investors, regulators, and plaintiff’s attorneys that it gave thought to, and implemented, cyber security measures in order to defend its most critical intellectual property assets, or its most critical business and customer information. Implementing the Framework will not only allow organizations to improve cyber security measures, but also to effectively demonstrate due care.

About the Authors: Tom Conkle is the commercial services lead for G2, Inc. He assists clients in developing and improving their cybersecurity programs based on their risk tolerance through the use of the Cybersecurity Framework developed by NIST. Paul Ferrillo is Counsel in the Securities Litigation practice of Weil, Gotshal & Manges LLP in New York City.

 


[i] Companies Wrestle With the Cost of Cybersecurity, February 25, 2014, available at http://online.wsj.com/news/articles/SB10001424052702304834704579403421539734550.

[ii] Executive Order 13636 of February 12, 2013, Improving Critical Infrastructure Cybersecurity, available at http://www.gpo.gov/fdsys/pkg/FR-2013-02-19/pdf/2013-03915.pdf.

[iii] The National Institute of Standards and Technology (NIST) “Framework for Improving Critical Infrastructure Cybersecurity version 1.0”, February 12, 2014, available at http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf.

[iv] (Sarkar, 2014), available at http://www.fiercegovernmentit.com/story/fcc-chairman-pitches-new-industry-driven-regulatory-model-enhance-cybersecu/2014-06-13.

[v] See “Boards of Directors, Corporate Governance and Cyber-Risks: Sharpening the Focus,” available at http://www.sec.gov/News/Speech/Detail/Speech/1370542057946.

[vi] The Cybersecurity Forum (CForum) is a not-for-profit, publicly available site dedicated to the evolution and implementation of the Cybersecurity Framework, available at http://Cyber.securityFramework.org.

[vii] Graham, Scott, Interview: Greg Touhill, DHS, USA on Cybersecurity, July 28, 2014, available at http://www.globalgovernmentforum.com/brigadier-general-greg-touhill-cybersecurity-department-of-homeland-security-interview/.

The Pre-IPO Company and “Failure to Launch” Claims

Posted in IPOs

Due to a combination of favorable circumstances, the number of companies completing initial public offerings is currently at the highest level in years. According to a recent study from Cornerstone Research (here), with the 112 IPOs in the first half of 2014, IPO activity is on pace to increase for the third consecutive year. IPO activity just in the first six months of 2014 equaled 71 percent of total IPO activity in 2013 and exceeded the full years 2009, 2010, 2011 and 2012. The favorable IPO environment has encouraged even more companies to move toward an IPO. However, for a company starting down the road toward an IPO, there are a number of risks. Among other things, pre-IPO companies face increased risks of liability and claims, particularly when the planned IPO fails to launch.

 

A recent case filed in New York (New York County) Supreme Court illustrates the kinds of “failure to launch” claims that pre-IPO companies can face. Although the case involves somewhat unusual circumstances specific to the defendant company involved, it does provide an example of a claim arising from a pre-IPO company’s failure to complete its planned IPO.

 

According to the plaintiff’s August 1, 2014 complaint (which can be found here), defendant Westergaard.com is a Delaware corporation with its principal place of business in Fujian, China. In 2011, Westergaard completed a private placement that provided for “automatic redemption” of the units sold in the placement if the company failed to complete an IPO at an offering price of $3.00 or greater within two years of the private offering’s closing date. The redemption amount was specified as $3.00 per share. The complaint alleges that the private placement transaction closed on October 24, 2011, but that the company did not complete an IPO within two years of that date nor has it yet completed an IPO. The plaintiff is assignee of investors who had purchased units in the private placement. The plaintiff filed the action as assignee to enforce the redemption provisions in the private placement agreement, as well as to recover its costs of collection.

 

This lawsuit is obviously a reflection of the specific features of the private placement agreement in which the company had undertaken to redeem the units it had sold in the private placement if it did not complete an IPO within two years of the private placement closing. But while the particulars of this claim may reflect the specific circumstances of the company involved, the situation nevertheless does illustrate how a pre-IPO company’s failure to launch can lead to claims from disappointed investors. To see an earlier example of a situation where claims arising out of a company’s pre-IPO activities arose after a company’s planned IPO failed to launch, refer here.

 

Because of the possibility of failure to launch claims and other concerns, it is very important that a company contemplating a future IPO structure its D&O insurance coverage to take into account the increased risks and exposures involved with its planned IPO – even if the company does not ultimately complete its IPO.  In that regard, however, this specific case may not be the best example, as the kind of breach of contract claim asserted against an entity defendant likely would not be covered under the typical private company D&O insurance policy. This case does show how pre-IPO activities can give rise to claims, and therefore underscores the importance of taking these kinds of risks into account when structuring the D&O insurance coverage for a Pre-IPO company.

 

One particular concern is the securities offering exclusion found in most private company D&O policies. The pre-IPO company would not want this exclusion to sweep so broadly that it would preclude coverage for claims arising out of the company’s pre-IPO activities. If the company were to fail to complete its planned IPO, the company’s private company D&O insurance policy is the one that would respond to any claims that might arise, so it is very important that the securities offering exclusion is written in a way that any “failure to launch” and other claims would not be precluded from coverage. Ideally, the securities offering exclusion would not go into effect unless and until the company actually completes an IPO, at which point the company should have put in place a public company D&O insurance policy to provide liability insurance against the company’s activities as a public company.

 

When a company is on a trajectory toward an IPO, there is a natural tendency to focus on the liability exposures the company will face after it goes public. But the process leading up to the IPO often involves circumstances that can create their own set of risks and exposures. As a company readies itself to go public, it often restructures its operations, its accounting, its debt, or other corporate features. The company also makes pre-offering disclosures, for example, in road show statements. The process creates expectations that can create their own set of problems. All of these changes, disclosures and circumstances potentially can lead to claims, particularly  if the offering does not go forward.

 

Often pre-IPO company management is reluctant to take the time to address D&O insurance issues at the appropriate time before the company is deep into the IPO process. But claims can and do arise involving companies’ pre-IPO activities. The significance of the pre-IPO period in a company’s life cycle underscores the importance of having a skilled and experienced insurance professional involved well before the time of the IPO. 

 

PLUS Regional Professional Liability Symposium in Singapore, August 21, 2014

Posted in Professional Liability

On August 21, 2014, the Professional Liability Underwriting Society (PLUS) will be hosting a regional professional liability symposium in Singapore. This dinner event, which will be held at the Singapore Cricket Club, marks the second year that PLUS has hosted an educational and networking event in Singapore, building on its 25+ year history of hosting industry-leading events in the professional liability market worldwide. The keynote speaker at the event will be Chelva Rajah of the Tan Rajah & Cheah law firm, whose remarks are entitled “Tales from the Corporate Crypt.” I will also be making a presentation at the event entitled “Latest Global and U.S. Trends in D&O Liability Insurance: What’s Hot, What’s Cold!”

 

I already know from talking to friends throughout the region that many industry professionals are planning on attending this event. I hope that all of my readers and friends in the region will be there and will encourage others to attend as well. Details about the event, including registration information, can be found here.

The Long Arm of U.S. Regulatory Enforcement and the Cross-Border Reach of U.S. Laws

Posted in Regulatory Enforcement

One of the most distinctive aspects of the current global regulatory environment has been the increasing willingness of U.S. regulators to try to project U.S. enforcement authority outside the U.S. The cross-border assertion of U.S. regulatory authority has taken place across a broad range of regulatory and compliance issues, including, for example, antitrust, trade sanction, and taxation enforcement as discussed here.

 

One area where the U.S. regulators’ cross-border reach has been most pronounced has been with respect to anti-bribery enforcement.  A July 30, 2014 memorandum by Demme Doufekias and Adam J. Fleisher of the Morrison & Foerster law firm entitled “The Long-Arm of the FCPA: Former BizJet CEO Arrested in Amsterdam, Pleads Guilty in Oklahoma” (here) takes a look at a recent instance where U.S. prosecutors projected their reach outside of the country in order to enforce U.S. antibribery laws. The memo also reviews the many recent instances where the U.S. authorities have reached across the country’s borders to enforce the Foreign Corrupt Practices Act (FCPA). The memo highlights the fact that this cross-border reach is not limited just to FCPA enforcement.

 

The primary focus of the law firm memo is the recent prosecution of Bernd Kowalewski, the former president and CEO of BizJet International Sales and Support, Inc., a U.S.-based subsidiary of Lufthansa Technik AG. The company had its headquarters in Tulsa, Oklahoma. As discussed in the U.S. Department of Justice’s July 24, 2014 press release (here), the DOJ alleged that Kowalewski and three other BizJet officials had engaged in a conspiracy to violate the FCPA by paying bribes to government officials in Mexico and Panama, in order to obtain aircraft maintenance contracts in those countries.

 

In 2012, two of the four BizJet officials who were under indictment for the alleged bribery pled guilty to FCPA violations. However, the charges and the guilty pleas were all kept under seal at the DOJ’s request, because, as it was later revealed, the DOJ was trying to locate and arrest Kowalewski and one other BizJet official, who were by then living outside of the U.S. According to the DOJ press release, Kowalewski ultimately was arrested by authorities in Amsterdam on March 13, 2014 on a provisional arrest warrant. He waived extradition on June 20, 2014, and on July 24, 2014, he entered a guilty plea in the Northern District of Oklahoma to conspiracy to violate the FCPA and to one substantive violation in connection with a scheme to pay bribes. The fourth BizJet official remains as a fugitive and is believed to be living abroad.

 

The press release quotes a DOJ official as saying that “though he was living abroad when the charges were unsealed, the reach of the law extends across U.S. borders, resulting in Kowalewski’s arrest in Amsterdam and his appearance in court today in the United States.”  (Emphasis added). Another official is quoted as saying that Kowalewski’s arrest was the result of “investigators and prosecutors …work[ing] together across borders and jurisdictions to vigorously enforce” the FCPA.

 

As the law firm memo states, the government’s approach in the BizJet case shows “the lengths to which the DOJ is willing to go to track, arrest and extradite U.S. and foreign nationals abroad to face FCPA charges in the United States.” International businesspeople that depend on their ability to travel “should not be lulled into a false sense of security as a result of their status as foreign nationals or the fact that they live outside the United States.” The memo notes further that individuals involved in FCPA investigations “must be aware that silence from the government may simply be the result of the DOJ striving to keep its enforcement efforts under wraps.”

 

The U.S. government, the memo notes, has a number of means to use to try to apprehend foreign nationals residing outside the U.S. The U.S. can seek to have the individual arrested by going through INTERPOL. The U.S. can try to lure the individual back to the U.S. or simply establish a border watch to alert law enforcement officials if the individual presents himself or herself at the U.S. border. The DOJ can also seek provisional arrest warrants and pursue extradition of individuals from other countries pursuant to extradition treaties.

 

Given the “growing cooperation between U.S. and foreign authorities” on anti-bribery enforcement, the likelihood is that the DOJ’s efforts will be successful, “ensuring that individuals being investigated or charged with FCPA violations or other crimes will not be able to evade the long arm of the U.S. government simply by remaining abroad.”

 

The law firm memo notes that the Kowalewski case is “only one of a growing list of examples where the DOJ has been able to bring individuals living abroad back to the U.S. to face criminal charges.” The memo cites the example of Frederic Pierucci, a French citizen and former official of the French company Alstom SA, who was arrested when his plane landed at JFK Airport in New York, in connection with alleged bribing of Indonesian government officials. The memo cites other examples where foreign nationals were arrested outside of the U.S. and extradited to the U.S. by the governments of the countries where the individuals had been arrested. To be sure, the DOJ is not always successful in apprehending fugitives in FCPA cases. The memo cites to a lengthy list of FCPA fugitives who remain at large. However, the recent events “nevertheless display DOJ’s resolve in pursuing foreign fugitives.”

 

The memo emphasizes that FCPA cases are not the only area where the DOJ has been successful in bringing foreign nationals and others residing outside the United States back to the country to face charges. The memo cites the example of the DOJ’s April 2014 success in extraditing a foreign national to the United States to stand trial for alleged violations of the criminal antitrust laws. The case involved an Italian national and former official of an Italian company who had been under indictment in the U.S. since 2010 for alleged violations of the Sherman Antitrust Act. The individual was extradited to the U.S. from Germany.

 

The law firm memo emphasizes the lengths to which the U.S. authorities will go to bring individuals charged with violations of U.S. laws back to the U.S. to face prosecution. However, these efforts are just part of the larger U.S. effort to project the enforcement of its laws outside of the country. As discussed here, U.S. authorities are actively asserting their authority outside of the country in a number of different areas, including securities, trade sanctions, taxation, and drug safety. In that regard, it is probably worth noting that though the BizJet case involved alleged misconduct by a U.S. domiciled business operation, many of the examples cited in the law firm memo not only involved foreign nationals, but alleged misconduct that took place outside the U.S. and involving companies domiciled outside the U.S. As the DOJ official quoted in the press release linked above put it, “the reach of the law extends across U.S. borders.”

 

One of the reasons the law reaches across borders is the increasing levels of cooperation among regulatory authorities. The willingness of foreign governments to arrest and extradite foreign individuals is one of the key components of the ability of U.S. authorities to bring these individuals to justice in the U.S.

 

It should be noted that the U.S. government is not the only one to extend the enforcement of its laws through cooperation with other governments. To cite but one recent example, on July 24, 2014, the UK Serious Fraud Office recently announced that it had brought corruption charges against the UK subsidiary of Alstom in connection with transportation projects in India, Poland and Tunisia. The UK investigation commenced because of information provided to the SFO by the Office of the Attorney General of Switzerland. The company has already been fined for related activities by the Swiss government. Other recent examples of extensive cross border cooperation include the recent investigation of the alleged manipulation of the Libor benchmark.

 

The increased activity of regulatory authorities around the world has important implications for companies and their officials. While this activity can mean that companies face a heightened risk of regulatory scrutiny, risks these companies face may also include the possibility of regulatory and enforcement action by U.S. authorities. As the law firm memo underscores, U.S. regulators are actively asserting their authority outside of the U.S. In an environment where there already is a growing perception of increasing regulatory risk, the U.S. authorities’ vigorous assertion of regulatory authority outside the U.S. represents a particularly hazardous part.

 

These developments not only have important compliance implications for many non-U.S. companies. They also raise important issues about the liability exposures of the potentially affected companies as well as for their directors and officers. The liability exposures include not only the potential regulatory and enforcement risk but also the possibility of follow on civil actions, brought by shareholders or others. The “others” that might bring claims include supervisory board members in those jurisdictions with the dual-board structure.

 

These issues in turn have important D&O insurance implications. The issues also present a particularly difficult challenge for D&O insurance underwriters involved in underwriting companies outside the U.S. as they must attempt to understand and anticipate these kinds of actions from U.S. regulators and how they may affect the companies under consideration. Emerging issues involving the enforcement of trade sanctions laws and the Foreign Account Tax Compliance Act (FATCA) highlight the potential significance of these challenges. Questions regarding the cross-border enforcement of regulatory authority are likely to remain both difficult and important in the months ahead.

 

London PLUS Symposium on the Dangers of Cross-Border Enforcement: In light of the kinds of concerns I have noted above, an upcoming Professional Liability Underwriting Society regional symposium to be held in London is particularly topical and timely. The luncheon event, which is entitled “Dangers of Long Arm Enforcement in a World Without Borders,” will take place on Monday, September 29, 2014, at Gibson Hall in London. I will be presenting at the event on the topic of “The Dangerous Cross-Border Regulatory Environment.” The event keynote speaker will be the author and consultant David Bermingham, who is best known as one of the NatWest three, and who will be presenting his own personal perspective on cross-border enforcement based on his extradition to the U.S. on charges related to the Enron scandal. Following the keynote address, Bermingham and I will discuss the evolving challenges in an increasingly global regulatory environment.

 

Background regarding the event, including registration information, can be found here. I have participated on a panel with David Bermingham in the past, and I can assure everyone that this will be a lively and interesting event. I hope all of my UK readers and friends will plan on attending.

 

The Last of the Mug Shots?

Posted in Blogging

The long-running and ever-popular D&O Diary mug shot show may just about have reached the end. I have only three remaining unpublished mug shots, which I have been holding onto for a while in the hope that perhaps some other readers might send in the pictures. But I don’t want these pictures to get stale, so I have published below this short form mug shot gallery. It is entirely possible that these pictures may be the last in the series.

 

Readers will recall that early last year, I offered to send out a D&O Diary coffee mug to anyone who requested one – for free – but only if the recipient agreed to send me back a picture of the mug and a description of the circumstances in which the picture was taken. In previous posts (here, here, here, here, here, here, here, here, here, here, here, here, here, here, here, here and here), I published prior rounds of readers’ pictures. I have posted the latest round of readers’ pictures below.

 

The first pictures in this collection come to us from Peter Hui of ACE USA in New York. The first picture, which was taken in early July, depicts a sunny scene in New York’s Bryant Park. The second picture is taken from an office overlooking Times Square.

 


The next picture was taken in Brazil by Guido Cosenza of A.J. Gallagher in Glendale, CA. Here is Guido’s description of his picture: “I had the privilege of attending the World Cup in Brazil and one of the matches I attended was the quarterfinal match between Argentina and Belgium in Brasilia. My colleague, Ryan Davis, had ordered a D&O Diary mug from you so I grabbed it from his desk before I left and took it with me to Brazil. Attached is a picture inside the stadium about 2 hours before kickoff. I know you are a big futbol fan so I’m sure you’ll enjoy it.”

 


Thanks to Peter and Guido for their great pictures. Guido, you are right, I really did enjoy your picture (and I am deeply envious of you for having been able to attend the World Cup).

 

My thanks to everyone who sent in a mug shot. It has been great fun receiving the pictures and seeing the amazing diversity of locations where people took their mug shots. There is still time for anyone who still wants to send along their own mug shot; nothing would make me happier than to be able to publish another round of pictures.

 

Cheers to everyone who helped make this series so much fun.

 


Montana Supreme Court: Not Necessary to Consider Underlying Allegations or Policy Terms to Determine Insurer’s Defense Duty

Posted in D & O Insurance

As part of our beat here at The D&O Diary, we read a lot of judicial opinions. We like nothing better than to read an appellate opinion where a dissenting justice and the majority really mix things up. For that reason alone, we read the recent insurance coverage decision out of the Montana Supreme Court with great interest. But regardless of how you feel about spirited dissents, if you find the Court majority’s conclusion that a management liability insurer’s duty to defend appropriately may be determined without reference to the allegations in the underlying complaint or to the terms of the policy as surprising as we do, read on.

 

The Montana Supreme Court’s August 1, 2014 opinion in the Tidyman’s Management Services, Inc. v. Davis case can be found here.

 

Background

The dispute underlying this insurance coverage action arises out of a merger between Tidyman’s Management Services, Inc. (TMSI) and SuperValu, which created Tidyman’s LLC. Employee shareholders own TMSI. In January 2007, certain of the employee shareholders filed a federal court lawsuit alleging that in connection with the merger the TMSI directors and officers had breached their duties under ERISA. They also alleged that the individual defendants had breached their corporate fiduciary duties. The plaintiffs eventually settled with all of the individual defendants except Michael A. Davis and John Maxwell. After the settlements, the federal court judge dismissed the federal court action without prejudice after declining to exercise supplemental jurisdiction.

 

The plaintiffs then filed a separate action in Montana state court against Davis and Maxwell. In their state court complaint, the plaintiffs added TMSI as a party plaintiff and filed their action against the two individuals in their capacities as directors and officers of the LLC – of which TMSI was a member. As the dissenting opinion later summarized with respect to the insurance coverage implications of this state court complaint, “(1) five of the plaintiffs here are directors of the insured (Tidyman’s LLC) and they have sued defendants Davis and Maxwell, who are also directors of the LLC; and (2) plaintiff TMSI, as a 60 percent security holder of the LCC, brought this lawsuit against two directors of the LLC (Davis and Maxwell) with the assistance of other insureds (five plaintiffs who are also directors of the LLC).”

 

The relevant directors and officers insurance policy had been issued to Tidyman’s LLC in 2006. During the pendency of the federal court litigation, the insurer funded the defense of Davis and Maxwell under the policy. On August 5, 2010, after the state court litigation commenced, a claims representative for the insurer sent counsel for Davis and Maxwell a letter stating that in light of the policy’s Insured v. Insured exclusion, the state court complaint “does not implicate the policy.”  On August 12, 2010, after counsel for Davis and Maxwell received the coverage letter, the plaintiffs amended their complaint in the state court action and added the insurer as a defendant, seeking a declaratory judgment that the state court claims against Davis and Maxwell are covered under the policy. In September 2010, the insurer moved to dismiss the claim that had been filed against it.

 

During the fall of 2010, counsel for Davis and Maxwell made several attempts to reach the insurer to clarify whether or not the insurer would continue to fund the defense for the two individuals. On October 28, 2010, a representative for the insurer advised counsel that “since there is no coverage, [the insurer] is not going to continue to pay the costs of defense in this matter.”

 

The individual defendants entered a stipulation reciting the insurer’s refusal to defend, specifying the $29 million in damages sought in the state court lawsuit, assigning the individual defendants’ rights under the policy to the plaintiffs, and agreeing that the plaintiffs would not seek to execute any judgment against the assets of the two individual defendants. After the first of the two stipulations had been reached, a representative of the insurer sent the defense counsel a letter referring to “changes” in the insurer’s position, and stating that the insurer would continue to advance defense costs subject to a reservation of rights. The insurer later claimed that at no time did it actually withhold payment of the individuals’ defense expenses.

 

The plaintiffs then moved for summary judgment against the insurer, alleging that the insurer had breached its duty to defend and therefore was liable for the full amount of the stipulated settlement. The insurer filed a motion for summary judgment on the grounds that the plaintiffs’ claims were not covered under the policy and that the plaintiffs lacked standing. On January 4, 2013, the trial court judge granted the plaintiffs’ motion for summary judgment and entered judgment in the full amount of the stipulated settlement, and awarded prejudgment interest. The insurer appealed.  

 

The August 1, 2014 Opinion

In an August 1, 2014 majority opinion written by Justice Michael E. Wheat, the Montana Supreme Court affirmed the trial court’s grant of summary judgment on the issue of whether or not the insurer had breached its duty to defend, but reversed and remanded the case on the issue of the reasonableness of the amount of the judgment. Justice Laurie McKinnon concurred with respect to the majority’s rulings on choice of law and prejudgment interest issues, but dissented from the court’s rulings on the duty to defend and part of the court’s rulings on the amount of the judgment.

 

The insurer had argued on appeal that the trial court erred in concluding that the insurer had breached its duty to defend without analyzing policy coverage. As the majority opinion put it, the insurer “attempts to persuade us to impose a requirement that a district court must analyze policy coverage before finding breach of a duty to defend,” noting that the dissent would accept that argument. The Court said that “our case law, however, makes it clear that the threshold question, instead, is whether the complaint against the insured alleges facts that, if proven, would trigger coverage.”

 

It doesn’t matter, the court said, whether the claims against Davis and Maxwell were the same in the state and federal lawsuits; “all that matters is whether [the insurer] was on notice that the Policy was potentially implicated.” The Court concluded that the “facts” show that the insurer was on notice that the policy was potentially implicated. The “facts” that the Court cited were that the insurer had defended the two individuals in the federal court lawsuit; that the insurer had sent a letter after the state court lawsuit was filed that “there is no longer coverage under the Policy” (which the Court read to mean that there had been coverage before); and that the carrier later withdrew its coverage denial and agreed to defend under a reservation of rights. The Court noted that “where the insurer itself recognized the complaint potentially implicated the Policy and required it to provide a defense, we can see no need for further analysis to conclude that the duty to defend was invoked.”

 

In explaining its ruling, the Supreme Court said “if we were to hold the District Court in error for failing to analyze coverage, as the Dissent urges, we would be providing insurers with an avenue to circumvent the clear requirement imposed by our precedent that where the insurer believes a policy exclusion applies, it should defend under a reservation of rights and seek a determination of coverage through a declaratory judgment action.” The carrier “took its chances” by refusing to defend the individuals and cannot avoid liability for the stipulated settlement “by attempting to convince this Court it was necessary to analyze coverage under the Policy before determining it had breached its duty to defend,” when the proper approach is to defend under a reservation and file a declaratory judgment action. Since the carrier “unjustifiably refuse to defend, it is now estopped from denying coverage.”

 

The majority did agree with the insurer that the trial court had improperly refused to hold an evidentiary hearing on the reasonableness of the amount of the $29 million stipulated settlement. The appellate court remanded the case for further consideration of the reasonableness of the settlement amount. However, the majority rejected the insurer’s argument that the evidentiary hearing should also address the issue of whether the settlement was collusive. Finally, the majority also concluded that the trial court had not properly calculated the application of prejudgment interest.

 

The starting point for the dissent was that the majority had “failed, in a fundamental respect, to appreciate the difference” between the type of reimbursement insurance policy involved here and the “more common form of casualty insurance,” such as automobile or homeowners insurance. This error caused the Court to disregard Montana precedent and to hold that the carrier had a duty to defend “without examining whether the plaintiffs’ complaint alleged facts representing a risk covered by the terms of the Policy.” In essence, the dissent said, the court denied “the insurer the right to contest a duty to defend in these proceedings by holding that the insurer should have brought a separate action to determine coverage.” We thus, the dissent said, “foreclose the insurer from having a judicial determination of the existence of a duty to defend, which is distinct from a duty to indemnify, based on an actual examination of the allegations of the complaint and the terms of the Policy.”

 

 

The majority, the dissent said, found “without any examination of the Policy or the instant complaint” that the insurer had a duty to defend because the complaint “potentially implicated” the Policy. The dissent said, “I disagree that with what appears to be a new standard for determining the existence of a duty to defend when we previously have been clear that a duty to defend may be found only after examining the allegations of the particular complaint to determine whether facts have been alleged representing a risk covered by the terms of the insurance policy.”

 

The “crux” of the majority’s confusion is the “false notion” that the pleadings in the subsequent state court lawsuit were the same as in the federal court lawsuit. The dissent showed by its analysis of the allegations in the state court complaint (which I recited above) that the state court complaint appeared to involve allegations of insured persons against insured persons, in apparent contravention of the Policy’s insured vs. insured exclusion. “We cannot,” the dissent said, “hold the insurer liable for the stipulated judgment in the absence of some examination of the Policy and of the complaint.”

 

The dissent then noted that even if there were a duty to defend here, there is a substantial factual question about whether the duty was in fact breached. The dissent cited evidence that the insurer had presented showing that the insurer had continued to pay the defense expenses throughout the proceedings. The dissent argued that there were at least sufficient disputed facts to preclude summary judgment. The dissent said that the majority had instead chosen to credit only the plaintiffs’ allegations. The Court’s approach, the dissent said, was “clearly in error,” adding that “it is inappropriate for a court deciding a motion for summary judgment to weigh evidence, to choose one disputed fact over another, or to assess the credibility of witnesses.”

 

Finally, the dissent disagreed that the facts as alleged by the insurer did not create a genuine issue of material fact on the issue whether the stipulated settlement was collusive. The dissent added that “I find it truly a sad day for justice in this State and very likely a huge blow for the public’s belief that the courts provide fair resolution of disputes, when this Court dismissively says ‘so what’ to a stipulated judgment that allegedly was obtained by collusion.” The dissent finished by adding that “Courts exist to administer justice fairly, regardless of whom and what a particular party represents. In my opinion, there is never a place for collusion in the administration of justice.”

 

Discussion

There is no doubt that the insurer mismanaged its communications during the period after the state court complaint was filed, and that the mismanagement occasioned some of the problems that followed for the insurer. (And in fairness, for blogging purposes I have compressed the retelling of events, which arguably may have the effect of oversimplifying.) But all of that said, it is a surprising proposition that a court might appropriately determine that a carrier has a duty to defend a lawsuit without either reviewing the allegations in the lawsuit or the provisions of the policy. The majority’s idea that somehow the insurer was obligated to defend the state court lawsuit — without any reference to what the state court lawsuit alleged — because the insurer had defended the prior federal court lawsuit is a truly odd proposition.

 

Based only on the appellate opinions, I have no way of knowing for sure whether or not the carrier was correct in disputing coverage for this claim. But based on the recitation of the facts in the dissenting opinion, there certainly does seem to be a sufficient basis upon which the question of coverage appropriately might be raised. The rather nonsensical effect of the majority opinion’s ruling is that it is entirely possible that the court has concluded that the insurer has breached a duty to defend in connection with a claim for which there is no coverage under the policy. The majority seems to think that this doesn’t matter.

 

The real problem I have with the majority’s conclusion is that it seemingly flies in the face of the usual “eight corners” analysis by which the insurer’s duty to defend is to be determined. Under this approach, the duty to defend is determined by looking within the four corners of the complaint and the four corners of the policy. Even in those jurisdictions that do not follow the eight corners rule because they require insurers to consider factors still considered critical to the analysis. The majority here seems to suggest that what is within the eight corners may not even be relevant to the analysis, which is a surprising conclusion, to say the least. The majority opinion’s analysis also seems to fly in the face of the usual rule that coverage cannot be created by estoppel.

 

The insurer did at least win the right to try to challenge the reasonableness of the amount of the stipulated settlement. However, I am troubled by the dissent’s comments about the refusal of the majority to allow the insurer to argue that the settlement was collusive. I do not know what the actual facts are here and I have no basis on which to suggest that any of the parties acted collusively. However, I have seen enough of these kinds of deals in my life and I share enough of the same concerns of the dissent that I completely agree that the factual issue of whether or not there was collusion should be subject to an evidentiary review.

 

While I think the majority here is confused in general, I also agree with the dissent that the majority was specifically confused about the differences between the type of management liability policy here – where the carrier reimburses the policyholder for the costs of defense – and the typical liability policy, where the insurer has the duty to provide the actual defense. This distinction mattered in this case. If the insurer continued to fund the defense throughout these proceedings, then there was no breach of the insurer’s defense duties, regardless of what the carrier said in its various communications. The dissent appears to be correct in saying that the insurer has raised a genuine issue of material fact on this issue.

 

Whatever else might be said about this decision, I know for sure that insurers doing business in Montana are going to struggle with the “potentially implicated” standard for the duty to defend, particularly if the question whether or not the standard has been met can (as apparently seems to be the case) be decided without reference either to the allegations in the complaint or the terms of the Policy. I am sure that hands will be smacking foreheads in insurers’ claims departments around the country about this decision.

 

Time for Nominations to the ABA Journal’s Annual Blawg 100: It is once again time for nominations to the ABA Journal’s annual list of the top 100 law blogs. Everyone should take a moment to nominate their favorite law blogs for inclusion in the list. I would be humbled and grateful if any reader would be willing to nominate my blog. Nominations can be made here. Don’t delay, nominations are due by 5:00 pm EDT on Friday August 8, 2014.