The D&O Diary

A PERIODIC JOURNAL CONTAINING ITEMS OF INTEREST FROM THE WORLD OF DIRECTORS & OFFICERS LIABILITY, WITH OCCASIONAL COMMENTARY

Guest Post: Courts Uphold California Privacy Claims Despite Vague Allegations: Opening The Litigation Floodgates?

Posted in Cyber Liability

Among the many concerns that arise whenever unauthorized appropriation or use of consumer data occurs is the possible violation of the consumers’ privacy that the access may represent. In numerous cases, aggrieved parties have tried to assert claims for these alleged privacy violations, but by and large these attempts have not been successful. However, as Northwestern Law School Professor David A. Dana (pictured) discusses in the following guest post, there has been a series of recent decisions in California that may prove very valuable for future claimants seeking to assert privacy claims for unauthorized disclosure or use. A version of this article previously was published in the May 2015 issue of Internet Law and Business (here).

 

I would like to thank Professor Dana for his willingness to publish his article on this site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is Professor Dana’s guest post.

 

*******************************************************

 

A burgeoning area of litigation involves claims that Internet and digital companies like Google, Facebook, and Twitter have insufficiently protected or actively appropriated users’ personal information.  Because of the enormous number of users, and hence the enormous number of potential plaintiffs in such cases, which invariably are framed as putative class actions, the potential liability for defendants is enormous. However, the district courts have repeatedly dismissed such suits for lack of Article III standing and/or for failure to state a claim.  This Article addresses a recent quartet of decisions that may reflect a precedential gold mine for plaintiffs bringing claims for unconsented-to disclosure or use of their personal information.  Two of these decisions come from the Ninth Circuit: In re Facebook Litig., _ Fed. App’x _, No. 12-151619, May 8, 2014 (“Facebook”), which is an unpublished memorandum opinion, and Astiana v. Hain Celestial (“Astiana”), No. 12-17596, April 10, 2015, which is an opinion designated for publication.  Two of the decisions come from the Northern District of California: Opperman v. Path, Inc., Case 13-cv-00453-JST, March 23, 2015 (“Opperman”), and Svenson v. Google, Inc., Case No. 13-cv-04080-BLF, April 1, 2015 (“Svenson”).

 

Taken together, these decisions suggest that claims alleging certain California statutory and common law violations involving use or disclosure of the personal information of customers by technology companies can survive a motion to dismiss even with very general, even arguably vague, allegations.  Specifically, claims under California’s Unfair Competition Law (“UCL”) and Consumer Legal Remedies Act (“CLRA”) and claims for common law breach of contract and fraud and perhaps unjust enrichment now appear to be able to survive a motion to dismiss even when (1) there are no allegations of individual plaintiff reliance on alleged misrepresentations; (2) there are no particularized factual allegations backing up general allegations that the services or products received by plaintiffs were worth less than they would have been worth had promised protections for personal information been afforded; and/or (3) there are no particularized factual allegations backing up general allegations plaintiffs lost economic opportunities because they could not sell their personal information for as much or at all once that information was disclosed or shared with others by the technology company whose product or service was purchased.  One of these cases, Opperman, also establishes that partial disclosures by a company of the risk that users’ personal information may be used or disclosed does not eliminate the risk of fraud or other claims against the company, but instead can form the basis of an active concealment claim.

 

This apparent shift in the case law involving California law may be a response to recent attention in the media to the problem of inadequate security for personal information; perhaps the Courts believe that these personal information suits should be allowed to at least proceed to discovery, as a way to help keep corporate giants like Google “on their toes.”

 

Whatever the motivations behind these recent cases, they leave a number of questions open. While these cases can be distilled for the proposition that generalized allegations will suffice for purposes of surviving a motion to dismiss, it is not completely clear where the line is between sufficient, albeit generalized, pleading and excessively generalized and hence insufficient pleading. This is especially the case with respect to the question of when plaintiffs can plead their way out of needing to allege individual reliance under Opperman.  Moreover, the Ninth Circuit may well choose to revisit the decisions in Facebook, which is only an unpublished memorandum, and Astiana, which is a very thinly reasoned, arguably incoherent opinion.  District courts, at least outside the Northern District of California, may choose not to follow these decisions or may seek to distinguish them.  Finally, and most notably, the quartet of decisions discussed below only go to the question of whether a complaint will survive a motion to dismiss; they do not suggest that these suits will be successful at the summary judgment phase of litigation.  Courts could allow claims to go past the motion to dismiss phase of litigation, but then hold plaintiffs to a high standard regarding proof of their allegations.

 

Fraud, Misrepresentation, Deceit, And Active Concealment Claims

 

In Opperman, Judge Tigar of the Northern District of California issued an opinion that may invigorate efforts to hold companies accountable for their advertising regarding privacy protections for personal data. In a putative class action alleging violations of the UCL, CLRA, and other statutes, the plaintiffs argued that Apple fraudulently represented that their personal information would be protected by Apple, and that Apple concealed the fact that it knew the personal information of users in fact had not been protected as promised.  Ordinarily, in a state law fraud action of this sort, purchasers of a product or service would have to allege individual reliance on particular misrepresentations made by the defendant.   But here Judge Tigar denied the motion to dismiss the fraud claims, even though plaintiffs alleged no individual reliance.  Judge Tigar interpreted California law as allowing fraud actions to proceed without individual-reliance allegations where there was “an extensive and long-term advertising campaign” by the defendant regarding its promises to protect personal information. According to Opperman, Federal Rule of Civil Procedure 9(b) in this context does not require more particular pleading than would be required in a state court.  Moreover, Judge Tigar interpreted “an extensive and long-term advertising campaign” in a way that may be quite useful to future plaintiffs.  The Court also held that plaintiffs had adequately alleged that Apple had acted unlawfully in failing to disclose its exclusive knowledge that personal information was not being protected and in actively concealing those same facts.

 

According to Opperman, even statements made by Apple before the product launch at issue could be counted as part of the advertising campaign.  In addition, statements made by third parties and the media could be considered part of the campaign, given that Apple allegedly sought out such “buzz.”  Even though the statements regarding “security” and the like were varied and directed at different audiences, they could constitute a single campaign.

 

Opperman does not establish a bright line as to how many or what sort of alleged misrepresentations are needed in order to adequately allege that there was “an extensive and long-term advertising campaign” of fraudulent representations. Judge Tigar found that the twenty-plus examples of security-related representations were sufficient, and seemed to suggest that far fewer than twenty alleged misrepresentations might be too few. It appeared to help the plaintiffs that at least a few of the alleged misrepresentations were particular enough – for example, “[a]pplications on the device are ‘sandboxed’ so they cannot access data stored by other applications” – that they were “capable of being proven false.”

 

Opperman also appears to open up opportunities for future plaintiffs to make active concealment claims against companies when the companies only partially disclose the risks that personal information actually might not be held secure. In Opperman, Apple contended that the plaintiffs failed to allege active concealment adequately because Apple’s Privacy Policy disclosed that third parties, including those who offer Apps, may collect information such as “data or contact details.” But Judge Tigar found that the plaintiffs had adequately alleged active concealment because they alleged that Apple failed to disclose all the material facts, Apple falsely reassured consumers that its iDevices did not contain security vulnerabilities that Apple knew they contained, and Apple did not disclose that it taught or encouraged App developers to access users’ information.   Partial disclosure of risks that personal information is insecure, in other words, does not protect companies from liability and in fact might only support the claim that the companies actively concealed material information of risks from purchasers of products or services.  When companies disclose risks regarding the security of personal information, Opperman teaches, they would be well-advised to fully disclose those risks and not withhold material information.

 

For technology companies and their lawyers, Opperman creates a kind of quandary. On the one hand, a company may well want to advertise its personal information/data privacy protections to current and potential customers as a way of keeping customers, wooing them from possible competitors, and increasing sales.   On the other hand, if the company does advertise, the advertisements may ex post be deemed “an extensive and long-term advertising campaign” and used as a basis for expensive class action litigation against the company.

 

Breach Of Contract – Deprivation Of The Benefit of The Bargain

 

To state a breach of contract claim, plaintiffs must be able to plead some contract damages, which means they must be able to allege some cognizable economic injury.  Likewise, to the extent that the UCL allows claims based on “unlawful” conduct and conduct in breach of contract is unlawful, plaintiffs bringing a UCL claim based on contract violations also must allege economic injury, because such injury is an explicit requirement for a UCL cause of action.  A concrete injury, which usually would mean an economic injury in the personal information/data security context, is also required for Article III standing.

 

The big question for plaintiffs pursuing claims in the personal information/data security context is how far will the courts go in accepting a “creative” theory of economic injury when there is no very straightforward theory available to the plaintiffs. One such theory that plaintiffs lawyers have offered is a lost-benefit-of-the-bargain or overpayment theory, which contends that when the purchaser of a computer product or service that promises privacy protection buys the product or service but does not receive the promised protection, that person has overpaid for the product or service, and the economic injury consists of the difference between the purchase price that was paid and the lesser price that would have been paid had the good or service been explicitly offered as lacking in privacy protection.

 

One problem with this theory is that plaintiffs may be hard pressed to prove – or even credibly allege – that they paid more for a product or service because of promised protection.   Indeed, in In re LinkedIn User Privacy Litigation, 932 F.Supp.2d 1089 (N.D. Cal. 2013), Judge Davila of the Northern District of California dismissed privacy-related claims brought by users of LinkedIn’s premium service, in part because LinkedIn promised the same protections to premium and non-premium users and hence it could not be presumed that premium users had paid for the promised privacy protection.

 

In Svenson, however, Judge Freeman of the Northern District of California refused to dismiss a breach of contract claim in a case where there was arguably an absence of particularized factual allegations supporting the claim that plaintiffs paid more than they would have had they not been promised privacy protections.   The Court pointed to two allegations made by plaintiffs: that “[t]he services Plaintiff and Class Members ultimately received in exchange for Defendants’ cut of the App purchase price – payment processing, in which their information was unnecessarily divulged to an unaccountable third party – were worth quantifiably less than the services they agreed to accept, payment processing in which the data they communicated to Defendants would only be divulged under circumstances which never occurred. . . .” and “[h]ad Plaintiff known Defendants would disclose her Packets Contents, she would not have purchased the ‘SMS MMS to Email’ App from Defendants.” These allegations were deemed “sufficient to show contract damages under a benefit of the bargain theory,” even though the slightly more general allegations in a prior version of the complaint had been deemed insufficient by the same judge.   One alleged fact in the amended complaint that may have been persuasive for Judge Freeman was that Google did receive a share of the payment plaintiffs made for an “App,” and was not providing payment processing for free.  Overall, at least where the defendant did receive payment for a product or service – which would seem to be most cases – Svenson seems to allow a benefit-of-the-bargain contract claim as long as the plaintiff very explicitly alleges that they regarded privacy or security protections as part of the bargain and would not have paid what they paid had they known privacy or security would not be provided.

Thus, it should be quite easy – and courts one day swamped with suits may find, too easy – for plaintiffs to allege economic injury in the form of deprived benefit of the bargain in the personal information/data security context.

 

Breach of Contract – Loss Of Market Opportunity

 

A second theory for contract damages in the personal information/data security setting is that purchasers of a service or product lost an opportunity to sell their own personal data when a company that promised to preserve the privacy or security of their personal information actually uses or discloses that information for its own purposes.  A line of federal district court cases, including ones from the Northern District of California, held that general allegations that the plaintiffs lost an opportunity to sell their own personal information as a result of contractual violations of privacy or data security promises were insufficient to satisfy the requirement that plaintiffs allege Article III economic injury and/or damages as part of a breach of contract claim.  However, in the unpublished memorandum opinion in Facebook, the Ninth Circuit held that where “[p]laintiffs allege[d] that the information disclosed by Facebook . . . harmed” them because they “los[t] the sales value of that information,” the allegations were sufficient to show the element of damages for their breach of contract claim.  In reversing the district court’s dismissal of the contract claim against Facebook, the Ninth Circuit, albeit in an opinion that lacks binding authority under Ninth Circuit rules, signaled that plaintiffs need do no more than allege what the Facebook plaintiffs alleged in order to have a breach of contract claim survive a motion to dismiss.   And the Facebook plaintiffs had not alleged facts supporting their general allegation that they lost an opportunity to sell their own personal information due to Facebook’s alleged misconduct.

 

Judge Freeman in Svenson explained that the case law prior to the Ninth Circuit’s decision in Facebook – case law Google largely relied upon – was inapposite because the Ninth Circuit’s decision changed what plaintiffs were required to allege. For Judge Freeman, the Ninth Circuit’s decision appeared to be governing even though it is a memorandum decision.  Judge Freeman may have taken this position because, even though the Facebook memorandum opinion is inconsistent with prior district court rulings, it is not even arguably inconsistent with any other Ninth Circuit opinion, as the Ninth Circuit had not previously addressed this issue.

 

As Judge Freeman explained, the Ninth Circuit in Facebook did not require an explication of precisely how personal information was diminished in value as part of a well-pled contract claim.  Thus, even though the plaintiffs in Svenson alleged only that there is a “robust market” for the information at issue and that, as a result of Google’s actions, they “were deprived of their ability to sell their own personal data on the market,” those allegations were found to be sufficient.

 

Taken together, the Ninth Circuit’s decision in Facebook and the district court’s decision in Svenson suggest that, at least in the Northern District of California, bare allegations of loss of value in personal information will suffice.  That is certainly how litigants in that District are treating the current state of the law, as evidenced by both the plaintiffs’ and defendants’ briefs in In re Google, Inc. Privacy Litigation, No. 12-CV-01382 PSG, before Judge Grewal, in which the parties seem to agree that the law has shifted with Facebook and Svenson, but disagree whether diminution in value of personal information is actually at issue in their case or whether their case only relates to alleged loss in battery life and bandwidth.

 

Unjust Enrichment

 

If plaintiffs in personal information/data security cases can avoid alleging contract claims and can instead allege unjust enrichment, then they might be able to avoid alleging contract damages, which, outside of the Northern District of California, can be difficult (although they still need to allege economic injury for Article III standing purposes).  However, under California law, it has generally been understood that unjust enrichment is not a stand-alone cause of action but rather a remedy that can be sought after a stand-alone claim like breach of contract or fraud is adequately pled.  Nonetheless, the Ninth Circuit’s recent decision in Astiana perhaps suggests that plaintiffs in personal information/data security cases could plead unjust enrichment as a distinct cause of action under a quasi-contract theory, even though the unjust enrichment/quasi-contract claim would look just like a breach of contract or fraud claim.   The Ninth Circuit’s analysis in Astiana is quite brief, and here is the key passage:

 

As the district court correctly noted, in California, there is not a standalone cause of action for “unjust enrichment,” which is synonymous with “restitution.” . . . . However, unjust enrichment and restitution are not irrelevant in California law. Rather, they describe the theory underlying a claim that a defendant has been unjustly conferred a benefit “through mistake, fraud, coercion, or request.” 55 Cal. Jur. 3d Restitution § 2. . . . When a plaintiff alleges unjust enrichment, a court may “construe the cause of action as a quasi-contract claim seeking restitution.” . . . . Astiana alleged in her First Amended Complaint that she was entitled to relief under a “quasi-contract” cause of action because Hain had “entic[ed]” plaintiffs to purchase their products through “false and misleading” labeling, and that Hain was “unjustly enriched” as a result. This straightforward statement is sufficient to state a quasi-contract cause of action.

 

The Ninth Circuit’s reasoning in Astiana is unpersuasive, in that it seems to sanction exactly what it explicitly states is impermissible under California law – the pleading of a stand-alone, separate cause of action for unjust enrichment.  If all one must do is add the label “quasi-contract” to an unjust enrichment cause of action, then there is no real constraint on the pleading of what are in substance stand-alone unjust enrichment causes of action under California law. Nonetheless, for now, Astiana is good law and it may open up pleading opportunities for plaintiffs in personal information/data security cases.

 

Conclusion

In sum, the quartet of federal cases applying California law appear to lower the pleading thresholds for plaintiffs in personal information/data security cases.  Whether these cases lead to more complaints being filed and a consequential rethinking by the courts, or whether the courts will simply winnow suits by requiring proof of general allegations in the summary judgment phase of litigation, remains to be seen.

 

The Anti-Corruption Enforcement Problem

Posted in Foreign Corrupt Practices Act

For many years, the U.S. was the only country actively seeking to use its laws to fight corruption. However, more recently, a number of other countries have enacted their own anti-bribery laws while other countries have become more active in pursuing anti-bribery enforcement – including not only Germany, South Korea and Britain, but also Brazil and China (among many others). This anti-corruption drive unquestionably is a good thing and it is unquestionably right that bribery should be punished. Bribery has a corrosive effect; it distorts economic outcomes and diverts resources into corrupt officials’ pockets.

 

While the enforcement of anti-corruption laws is to be applauded, at the same time questions are being asked about whether in at least some cases things might have gone too far, as the enforcement process has become astronomically expensive and time-consuming.

 

A May 9, 2015 Economist article entitled “Corporate Bribery: The Anti-Bribery Business” (here), as well as a leader article in the same issue (here), refers to what the magazine describes as “a mounting body of evidence that the war on commercial bribery is being waged with excessive vigor, forcing companies to be overcautious in policing themselves,” noting that “some under investigation are starting to fight back.”

 

As evidence of the excess, the article cites the massive amounts that Walmart, Siemens and Avon Products, among many others, have spent in fighting corruption allegations. It is not that the charges against the companies were not serious — the charges definitely were and are serious. The problem, the article suggests, is that “the cost and complexity of investigations are spiraling beyond what is reasonable, fed by a ravenous ‘compliance industry’ of lawyers and forensic accountants who have never seen a local bribery issue that did not call for an exhaustive global review; and by competing prosecutors, who increasingly run overlapping probes in different countries.”

 

The huge amount of work generated for internal and external lawyers and for compliance staff is the result of firms “bending over backwards to be co-operative in the hope of negotiating reduced penalties.” The article quotes Southern Illinois Law Professor Mike Koehler, the author of the FCPA Professor Blog (here), as saying that the overkill is a by-product of what he calls “FCPA, Inc.,” a very aggressively marketed legal industry niche that has every incentive to convince their clients that the sky is falling. Corporate officials, under pressure to clean house and under the sway of the anti-corruption industry, “will then agree to any measure, however excessive, to demonstrate that they have comprehensively answered” every question.

 

For many companies, the expenses do not even end when they have finally managed to reach a settlement with the regulators and enforcement authorities. The bills can keep coming in for years, as many firms are required to bear the cost of being overseen for several years by an independent compliance monitor. Firms that have been the target of bribery investigations may also find themselves shut out from procurement processes. And there is always the risk of follow-on shareholder litigation as well.

 

Not only have the costs increased, but the time required to conclude a case has lengthened inordinately as well, as detailed in an April 20, 2015 Wall Street Journal article entitled “The Foreign-Bribery Sinkhole at Justice” (here), which of course has exacerbated the problems associated with the overwhelming costs of these types of investigations.

 

Part of the problem for everyone is that because so few bribery prosecutions have ever gone to trial, there is almost no legal authority guiding and informing the regulatory and enforcement process. As the article puts it, “this hands prosecutors a lot of discretion.” The article quotes Professor Koehler as saying that “we have only a façade of enforcement,” and that “the FCPA often means what enforcement agencies say it means.”

 

Some companies have started to push back, as Professor Koehler notes in a May 5, 2015 post on his FCPA Professor blog (here). In his post, Koehler references an April 29, 2015 Wall Street Journal article (here) that discusses efforts by Wall Street banks to resist what the banks describe as the enforcement authorities’ “overaggressive effort” to investigate the banks for hiring children and other relatives of government officials in China.   The problem for everyone is that when the regulators have such wide discretion to decide what conduct violates the law, conduct that was not previously viewed as improper can suddenly turn out to represent a violation.

 

No one is suggesting that anti-bribery enforcement in and of itself is the problem. The problem is the excesses to which the enforcement can lead. The Economist suggests four steps to reform the process and to “stop a descent into investigative madness.”

 

First, the magazine suggests, “regulators should rein in the excesses of the compliance industry and take into account the cost to firms of sprawling investigations.” When companies self-report suspected violations, regulators should “tell them what level of investigation they want so that companies are not overzealous out of fear of seeming evasive.” There is reason to hope that regulators may recognize their ability to help here; the article quotes the head of the DoJ’s criminal division as saying that “We do not expect companies to aimlessly boil the ocean.”

 

Second, the article suggests, governments should lower the costs by harmonizing anti-bribery laws and by improving coordination between national probes. There are of course existing efforts to align international efforts, such as the OECD’s anti-bribery convention. There is more that national governments can do to ensure that they are not subjecting companies to multiple investigations and multiple punishments for the same misconduct.

 

The magazine’s third suggestion, while analytically valid, may be prey to an almost inevitable futility. The magazine suggests that more corruption cases need to go to trial, so that legal standards that might constrain enforcement authorities are developed. The problem is that companies are scared to fight and risk a criminal indictment. It is, as the magazine itself notes, commercially rational for companies to capitulate. It may be that efforts of the type now being pursued by the Wall Street banks to push back can provide some constraint on prosecutors’ expansive legal interpretations.

 

The magazine’s final reform suggestion may have the most potential. The magazine suggests that anti-bribery laws should be amended to allow companies a “compliance defense” – that is, if the company had valid anti-bribery policies, was making reasonable efforts to enforce the policies, and self-reported when violations were found, the penalties imposed should be greatly reduced. Although the magazine does not add this point, it would be beneficial if companies qualifying for this defense could also look forward to a more contained and shortened investigative and enforcement process.

 

 

D&O Insurance: The Major Shareholder Exclusion

Posted in D & O Insurance

An exclusion sometimes found in D&O insurance policies precludes coverage for claims made by shareholders who have a specified percentage of ownership in the insured company. This type of exclusion is called a Major Shareholder Exclusion (or, sometimes, the Principal Shareholder Exclusion). An interesting May 6, 2015 decision (here) by the Supreme Court of Victoria (Melbourne) addressed the question of what is the relevant point in time for determining the ownership percentage – the time the claim is made or the time the wrongful acts allegedly took place? The considerations discussed in the decision raise a number of issues about this type of exclusion. A May 15, 2015 memo from the Allens law firm about the decision can be found here.

 

Background

Effective June 20, 2008, Oxiana acquired all of the outstanding shares of Zinifex. Following the transaction, Oxiana was renamed OZ Minerals Ltd. (“OZ Minerals”) and Zinifex was renamed Oz Minerals Holdings Ltd. (“OZ Holdings”).

 

In February 2014, an OZ Minerals shareholder filed a representative action in the Federal Court of Australia against OZ Minerals alleging that there were misrepresentations in the merger transaction documents. OZ Minerals in turn filed a separate contribution proceeding against OZ Holdings and certain of its former directors and officers.

 

Prior to the merger transaction, OZ Holdings (then Zinifex) had a directors and officers liability insurance policy in place with a policy period from March 31, 2008 to March 31, 2009. In connection with the merger transaction, OZ Holdings purchased a discovery period endorsement which extended the policy’s expiration date to June 20, 2015. A run-off exclusion was also added to the policy at the same time, providing that the insurer was not liable for any claim with respect to a wrongful act committed after June 20, 2008 (the date of the merger transaction).

 

The defendants in the contribution action submitted the claim to the D&O insurer. The D&O insurer denied coverage for the claim in reliance on the policy’s major shareholder exclusion. OZ Holdings commenced an action in the Supreme Court of Victoria (Melbourne) seeking a judicial declaration that the insurer is obliged to indemnify them against liability arising from the contribution claim.

 

The policy’s Major Shareholder and Board Position Exclusion provided that:

 

The Insurer shall not be liable to make any payment under this policy in connection with any Claim brought by any past or present shareholder or stockholder who had or has:

 

  • Direct or indirect ownership of or control over 15% [or] more of the voting shares or rights of the Company or of any Subsidiary, and
  • A representative individual or individuals holding a board position(s) with the company.

 

The parties agreed that neither of the two conditions was met before June 20, 2008.  The parties agreed that the first condition was met at the time the claim was made (since OZ Minerals acquired all of OZ Holdings’ shares in the merger transaction). The parties disputed whether the second condition was met at the time the claim was made, but the Court concluded that the second condition had been met at the time the claim was made as well.

 

The crux of the parties’ dispute was their disagreement about the point or points in time at which a claimant is to be assessed against the conditions in the exclusion clause. The declaratory judgment action plaintiffs contended that the exclusion was only intended to apply to exclude coverage for claims brought by claimants who satisfied the conditions at the time of the wrongful acts that gave rise to the contribution claim (that is, before June 20, 2008). The insurer argued that the words in the exclusion disclose an intention that it should operate at both the time of the alleged wrongful acts and the time the contribution claims were brought, so that coverage would be precluded for shareholders holding the specified share percentage either at the time of the wrongful act or at the time of the claim.

 

The May 6 Ruling 

In its May 6, 2015 opinion, the Court agreed with the insurer’s interpretation, holding that the exclusion applied if the two conditions were met either at the time of the wrongful acts or at the time the claim was made.   The court said that the insurer’s interpretation was “grammatical” and “accords with the structure of the policy.”

 

An important part of the Court’s analysis was its consideration of the insurer’s rationale for its interpretation of the exclusion (what the Court called the “commercial rationale”). The insurer had argued that an insurer could reasonably seek to protect itself from a claim that might be the result of collaboration between a claimant major shareholder and the defendant company, or that could involve the misuse of confidential company information to the claimant’s advantage. The insurer also contended that an insurer could reasonably seek to preclude coverage for a claim brought by a shareholder who might have been in a position to influence the company’s operations at the time the wrongful acts occurred. The Court said “the suggested commercial rationale is objectively reasonable.”

 

Discussion

There are several kinds of exclusions that can be found in D&O insurance policies precluding coverage for claims brought by certain claimants. For example, a standard D&O policy exclusion precludes coverage for claims brought by one insured against another insured. Some policies (typically those issued to banking institutions) preclude coverage for claims brought by regulators (the so-called regulatory exclusion). The major shareholder exclusion at issue in this case is another type of exclusion precluding coverage for claims asserted by a specified type of claimant.

 

This case illustrates the fundamental problem with the inclusion of a major shareholder exclusion in a D&O insurance policy: it can wind up precluding coverage for the very type of claim the policy was designed to cover. OZ Minerals filed the contribution claim against OZ Holdings and its former directors and officers because OZ Minerals itself had been sued in a shareholder misrepresentation claim. The contribution claim in turn sought to hold the defendants in that action liable for their alleged responsibility for the misrepresentations alleged in the shareholder claim. Those are exactly the types of claims and allegations against which policyholders purchase D&O insurance to be protected.

 

The insurer in this case would no doubt justify the exclusion and its preclusive effect by the fact that OZ Minerals is suing its own 100%-owned subsidiary, OZ Holdings, for contribution – a claim, the insurer might argue, that makes sense only as a mission by OZ Minerals to get access to OZ Holdings’ insurance policy. However, the exclusion at issue here precluded coverage not just for the claim against OZ Holdings but also for the claim against the former directors and officers – that’s what I mean about the exclusion precluding the very type of claim for which these insurance policies are purchased.

 

From the policyholder’s perspective, the preferred approach is to have the major shareholder exclusion removed. However, obtaining a policy without a major shareholder exclusion is not always an option. If the exclusion’s removal is not available, there are a variety of ways its preclusive effect might be limited. For example, the ownership percentage could be increased to a higher level (although that would not have made a difference here, as OZ Minerals owned 100% of OZ Holdings).

 

In addition, the exclusion’s operation could be made subject to further conditions, as was the case with the exclusion at issue here. Many major shareholder exclusions are conditioned only on a requirement that the claimant have a specified ownership percentage. Here, the exclusion was also conditioned on the requirement that the major shareholder have board representation.

 

Another way the impact of the exclusion can be limited is by narrowing the point or points in time at which the conditions can be met. The court here determined that the exclusion at issue was meant to address both past and present shareholders, and found that the conditions could be satisfied if the shareholder had the specified ownership percentage either at the time of the Wrongful Act or at the time the claim was made. More typically, the major shareholder exclusion’s preclusive effect is addressed to ownership only at the time the claim is made. Typically, a major shareholder exclusion will not (as the exclusion here did) refer to past shareholders, although there are some standard versions of the exclusion in the marketplace that preclude coverage for both present and past shareholders owning the requisite percentage. Narrowing the exclusion’s wording so that it applies only to shareholders that have the requisite ownership percentage at the time the claim is made would at least eliminate the preclusion of coverage for claims by shareholders who had the requisite percentage of ownership prior to the claim but who no longer have that ownership percentage when the claim is made.

 

2015 ACI D&O Conference in New York: On September 17 and 18, 2015, the American Conference Institute will be holding its 19th Forum on D&O Liability in New York. This annual event features an all-star line-up of speakers and will be co-chaired by my friends, Diane Parker of AWAC and Doug Greene of the Lane Powell law firm. Readers of the D&O Diary are entitled to a $100 discount off registration if they mention discount code DOD100. Information about the event, including registration instructions, can be found here. The event brochure can be found here.

 

ICYMI: Earlier today I published a post discussing a recent Delaware Supreme Court decision addressing questions surrounding the liabilities of independent directors in the M&A context. Due to user error (meaning, I goofed), no emails went out about this post. In case you missed it, the post can be found here.

Delaware Supreme Court Trims Independent Directors’ Potential Liabilities in M&A Transactions

Posted in Director and Officer Liability

On May 14, 2015, in a landmark ruling with important implications for the potential liabilities of independent directors of companies involved in M&A transactions, the Delaware Supreme Court held that in order to state a claim for damages against directors of a company that has an exculpatory provision in its corporate charter, a plaintiff must plead non-exculpated claims against the directors, even if the company is involved in an interested transaction subject to “entire fairness” review. The Court’s opinion highlights the importance of the independent directors’ role and also underscores the importance of exculpatory charter provisions. The Court’s opinion in In re Cornerstone Therapeutics, Inc. can be found here.

 

Background

The Court’s ruling involved two different cases in which plaintiff shareholders had filed damages claims against the boards of companies where a controlling shareholder, that had board representation, was acquiring the remainder of the companies’ shares. In each case, the companies involved had formed a special committee of independent directors to review the transaction and to negotiate with the controlling shareholder. In each case, the companies’ minority shareholders had approved the transaction. Nevertheless, plaintiff shareholders filed lawsuits against the companies’ boards – including as defendants both the interested directors and the independent directors – alleging that the directors had breached their fiduciary duties by approving transactions that were unfair to the minority shareholders.

 

In both cases, the independent directors had moved to dismiss the claims against them. Their dismissal motions relied on the fact that each of the companies had an exculpatory clause in its corporate charter. (As discussed here, Section 102(b)(7) of the Delaware General Corporation Law authorizes a corporation to include a clause in its charter eliminating the personal liability of a director to shareholders for monetary damages for breach of fiduciary duty, provided that such clause does not eliminate liability (1) for “any breach of the director’s duty of loyalty,” (2) “for acts or omissions not in good faith or which involve intentional misconduct or a knowing violation of law,” and (3) “for any transaction from which the director derived an improper personal benefit.”) The defendants argued that the plaintiffs had failed to plead non-exculpated allegations against them, and therefore that the claims against them should be dismissed.

 

The plaintiffs contended that because the share purchases represented interested transactions, the “entire fairness” standard of review applied. (As discussed here, the entire fairness standard is Delaware’s “most onerous standard,” which applies when the board “labors under actual conflict of interest.” When the standard applies, the defendants must establish that the transaction “was the product of both fair dealing and fair price.” The transaction must be “objectively fair, independent of the board’s beliefs.”) The plaintiffs argued that because interested parties were involved in the transactions, the possibility of conflict of interest justified a pleading-stage inference of disloyalty – not just as to the interested directors, but as to the independent directors as well.

 

In each case, the trial court judge, relying on prior Delaware Supreme Court authority, agreed with the plaintiffs and denied the motion to dismiss. However, because they were troubled by the result (that is, that the independent directors had to remain as defendants even though the plaintiffs had pled no non-exculpated misconduct against them), the trial courts certified interlocutory appeals of the cases to the Delaware Supreme Court. The two cases were consolidated for purposes of the appeal.

 

 The May 14 Decision

In a unanimous opinion written by Chief Justice Leo E. Strine, Jr., the Delaware Supreme Court reversed the lower court rulings and remanded the cases for further proceedings. The Court said that “even if a plaintiff has pled facts that, if true, would require the transaction to be subject to the entire fairness standard of review, and the interested parties to face a claim for breach of their duty of loyalty, the independent directors do not automatically have to remain defendants.” If the independent directors are “protected by an exculpatory charter provision and the plaintiffs are unable to plead a non-exculpated claim against them, those directors are entitled to have the claims against them dismissed.”

 

In reaching its decision, the Court examined the effect of the exculpatory provisions in the respective companies’ corporate charters. The Court said that “when a director is protected by an exculpatory charter provision, a plaintiff can survive a motion to dismiss by that director defendant by pleading facts supporting a rational inference that the director harbored self-interest adverse to the stockholders’ interests, acted to advance the self-interest of an interested party from whom they could not be presumed to act independently or acted in bad faith.” The mere fact that the plaintiff had pled facts sufficient to support the application of the entire fairness standard does not, by itself, relieve the plaintiff of the requirement to plead a non-exculpated claim against each independent director defendant.

 

In support of its decision, the Court noted, among other things, that a contrary ruling would “increase costs for disinterested directors, corporations and stockholders, without providing a corresponding benefit.” A contrary ruling would also “create incentives for independent directors to avoid serving as special committee members or to reject transactions solely because of their role in negotiating on behalf of shareholders.” The “fear” that directors facing potential personal liability for “potentially value-maximizing business decisions” might be dissuaded from making those kinds of decisions is the reason that Section 102(b)(7) was adopted in the first place.

 

Discussion

The Court’s opinion underscores the importance of exculpatory charter provisions. The provisions not only provide substantial liability protection for corporate directors, but they also provide a form of protection that may be invoked at the initial pleading stage. They give directors who qualify for the provision’s protection a way to extricate themselves from liability lawsuits at the outset.

 

The Court’s opinion also highlights the importance of the independent directors’ role. The Court emphasized the ways in which disinterested directors can protect the interests of the corporation and of minority shareholders, even when the corporation is involved in a transaction with an interested party.

 

It is important to note that the protective effect of the Court’s ruling extends only to the independent directors. The defendants who were the interested parties to the transaction will remain in the case. If it is later established that the interested parties violated their fiduciary duties, they will be held liable to the minority shareholders. But where the plaintiffs have alleged no facts to suggest that the independent directors engaged in non-exculpated misconduct, the independent directors are entitled to have the claims against them dismissed – even where the plaintiffs have pled sufficient facts to require the application of the entire fairness standard.

 

The fact that the independent directors can be dismissed even when the entire fairness standard applies is significant. The entire fairness standard is, as the Court itself has said, “onerous.” The requirements to meet the standard are high. But even where the high standard applies, plaintiffs must still present allegations that each director defendant individually engaged in non-exculpated misconduct in order for the claims against that defendant to survive a motion to dismiss.

 

Francis Pileggi’s May 16, 2015 post on his Delaware Corporate & Commercial Litigation Blog about the Supreme Court’s ruling can be found here. Frank Reynolds’ May 15, 2015 Thomson Reuters article about the ruling can be found here.

 

Special thanks to a loyal reader for sending me a copy of the Delaware Supreme Court opinion.

 

ICYMI: Delaware Senate Passes Bill Barring Fee-Shifting Bylaws: On May 12, 2015, the Delaware Senate passed Senate Bill (S.B.) 75 (here), which would amend Delaware law to prohibit Delaware stock corporations from adopting fee-shifting bylaws. The bill also expressly allows companies to adopt forum-selection clauses that establish Delaware as the exclusive venue for any shareholder litigation.

 

As readers will recall, as discussed here, in May 2014 the Delaware Supreme Court in the ATP Tour, Inc. v. Deutscher Tennis Bund case upheld the validity of a corporate bylaw provision shifting fees to an unsuccessful litigant in shareholder litigation. The ruling proved to be highly controversial (as discussed, for example, here). Early efforts last year to address the ruling in the legislature ultimately were tabled, and in the interim the debate about fee-shifting bylaws has continued to rage. Now that the Senate has voted to approve the legislation banning fee-shifting bylaws for Delaware stock corporations, the legislation moves to the Delaware House for its consideration.

 

A May 13, 2015 memo from the Ballard Spahr law firm discussing the Delaware Senate’s action on the bill can be found here.

 

D&O Liabilities in China: The potential liabilities of corporate directors and officers are of course dependent on the requirements of applicable law. That means that corporate officials’ liability exposures can vary from state to state. There are even greater variations from country to country. In a global economy, questions about the potential liability of directors and officers in non-U.S. countries arise with increasing frequency. Given China’s huge and growing role in the global economy, questions about the potential liability of directors and officers under Chinese law are increasingly frequent.

 

For that reason, readers may be interested in reviewing this May 8, 2015 article entitled “D&O Liability Insurance: Legal Issues under PRC Law” (here) by Jia Hui of the DeHeng Law Offices. The article provides a good overview of the basic legal duties and liability exposures of directors and officers under Chinese law. As the article points out, in light of the various accounting scandals involving Chinese companies that have arisen, these considerations are increasingly important.

Guest Post: One “Giant Leap” to a Secure Cloud Platform for U.S. Corporations

Posted in Cyber Liability

Among the many concerns arising in the current cybersecurity environment is the question of the security of data housed in “the Cloud.” In the following guest post, Paul Ferrillo and Jeffrey Osterman of the Weil, Gotshal & Manges law firm and Grady Summers, SVP, Cloud Analytics at Mandiant/FireEye, take a look at the questions businesses and their boards of directors should be asking before adopting a cloud-based strategy. The post also includes a cloud security checklist. A version of this article previously was published as a Weil client alert.

 

I would like to thank Paul, Jeffrey and Grady for their willingness to publish their article on my site. I welcome guest post submissions from responsible authors on topics of interest to readers of this blog. Please contact me directly if you would like to submit a guest post. Here is Paul, Jeffrey and Grady’s guest post.

 

***************************************

 

It is fitting that just over 40 years after Neil Armstrong walked on the moon and uttered some of the most famous words ever spoken, “one small step for [a] man, one giant leap for mankind,” NASA, along with cloud service provider Rackspace, jointly launched an open-source cloud-software initiative known as OpenStack. The OpenStack project is intended to help organizations manage cloud-computing resources running on standard hardware. The early code came from NASA’s Nebula platform as well as from Rackspace’s Cloud Files platform. Launched with the intent of providing consumers with a high-tech yet low-cost method to store vast amounts of data off premises in a safe and efficient manner, cloud computing has transformed the way global enterprises do business.[i] Yet, despite the cloud’s increasing popularity, hardly a day goes by when industry professionals do not question the security of data kept in the cloud. According to Gilad Parann-Nissany, CEO and co-founder of cloud encryption company Porticor (recently acquired by Intuit):

In the cloud, data security poses new risks and challenges. We are no longer concerned just with burglars breaking into our offices to steal computers, but rather with the data belonging to complete systems deployed to the cloud…Instead, security in the cloud becomes not about protecting our hardware, but rather protecting the sensitive information regardless of its physical location. For this, burglar alarms are irrelevant and firewalls are only one part of the approach for security in the cloud.

A way to visualize the unique challenges of data security in the cloud is that where before we had brick walls and steel locks to keep us safe; we now must construct mathematical walls as barriers to our data.[ii]

As more and more businesses are considering moving some or all of their data storage needs to the cloud, here are three “50,000 foot” questions American businesses and boards of directors are asking themselves (or should be asking their IT security professionals) before adopting a cloud-based strategy:

  1. How can the board assure itself from a governance perspective that the cloud-based environment it is being asked to approve is acceptably secure, as compared with the company’s previous on-site computer environment, and meets the security, privacy, and regulatory needs of the company?[iii]
  2. What visibility and ability does the company have if there is a cloud-based breach and its information is subject to exfiltration? Does the company have the ability to conduct incident response and remediation or is it totally at the mercy of the cloud service provider (CSP)?[iv]
  3. What is the “best” way to assure that the company’s cloud-based data is as secure as possible given what it knows about the CSP that it has chosen?

90% of All Organizations Have Security Concerns about the Cloud

A recent study noted that “an overwhelming majority of 90% of organizations are very or moderately concerned about public cloud security. Today security is the single biggest factor holding back faster adoption of cloud computing.”[v] The Cloud Security report notes that the top concerns are:

  1. General security concerns over the storage of data in the cloud;
  2. Data loss and leakage risks;
  3. Loss of control over security procedures applied day to day over the company’s data; and
  4. Lack of visibility to assure regulatory compliance.[vi]

How would these concerns potentially materialize? Our experience tells us that, to the extent attackers are targeting data in cloud-hosted environments, they’re doing it in distinctly old-fashioned ways. That is, despite concerns about the cloud being inherently insecure, attackers are using the same methods to compromise cloud resources as they have used for many years against on-site computer systems: the theft of employee credentials, generally initiated via spear-phishing attacks. Thus, we recommend that organizations approach cloud security as they would any other environment: by understanding their data and the threats against it, and ensuring that the environment is instrumented to prevent, detect, and respond to attacks. This can be hard, though, when IT security teams lack the visibility necessary to do their jobs.

This lack of visibility was illustrated in a recent Ponemon study entitled “The Cloud Multiplier Effect.” The study, based on a survey of 613 IT and security professionals, found that increasing use of cloud services can increase the probability of a $20 million data breach by as much as 3 times. It also revealed other key findings, including:

  • 36 percent of business-critical applications are housed in the cloud, yet IT isn’t aware of nearly half of them;
  • 66 percent of respondents believe that their organizations’ use of the cloud diminishes their ability to protect sensitive or confidential information; and
  • 72 percent of respondents don’t believe that their cloud service provider would notify them immediately if they had a data breach involving the loss or theft of their intellectual property or business confidential information.[vii]

Cloud-related breaches in 2014 included Dropbox, Google Drive, and the alleged Apple iCloud breach. More recently, SendGrid, the cloud email service, reported it had been hacked through a phishing scheme that compromised an employee’s account.[viii] Certainly these high-profile breaches, such as Dropbox (from which 7 million passwords were reportedly stolen) have left many questioning whether the cloud can be safely used to store sensitive data.

Types of Cloud Computing

We refer generally to “cloud computing,” but this can refer to anything from a hosted application to rented servers in a shared facility. It is helpful to recognize the three major categories of cloud computing:

  1. Infrastructure as a Service (IaaS): In this model, the CSP is responsible for basic IT resources (servers) and the networks on which they run. The customer is generally responsible for maintaining the operating systems and software necessary to run the applications, plus the data placed in the cloud environment. Thus, while the CSP is responsible for protecting the infrastructure itself, data security in an IaaS environment is generally the responsibility of the customer.
  2. Platform as a Service (PaaS): Here the CSP provides the infrastructure, the operating system, and a set of services that organizations use to build applications. These building blocks are invoked through Application Programming Interfaces (APIs) and might include services for storage, databases, data processing, machine learning, etc. The customer is responsible for application deployment, and responsibility for security is generally shared between the customer and the CSP.
  3. Software as a Service (SaaS): Here the CSP provides nearly everything, including the infrastructure and the software delivered to the customer. Thus, security in a SaaS environment generally is the responsibility of the provider, and it is the customer’s role to ensure the CSP’s security processes meet the security and compliance requirements of the customer’s business.

Cloud Compliance, Security, and Visibility

As CSPs move “up the stack” to offer robust PaaS and SaaS services, they begin to shoulder more of the burden for securing their customers’ data. However, it will always be the responsibility of the customer to ensure that its constituents’ data is secure. Since a customer can’t always directly participate in securing this data, it must ensure that the service contract, together with any associated statement of work and/or service level agreement (SLA) provided by the CSP meets its needs. The parameters of these contractual arrangements will usually include information about service availability, incident response definitions and services, breach response notifications and timing, technical compliance and vulnerability management, and log management and forensic capabilities, together with an allocation of liability if these standards are not achieved.

While we have found that most large CSPs do an outstanding job of securing their environments – and dedicate tremendous resources to this task – all of the above categories of services must be described in generalities, meaning “here’s how they generally work.” The proof is really in the terms and conditions of the contractual commitments that the CSP agrees to make, and the sad fact is that many cloud service customers do not understand the value of substantive contracts with detailed terms relating to security.

Here are the most important issues to consider when contemplating a migration of important data to the cloud under an SLA:

  1. Breach and incident response – Cloud customers must understand how the CSP distinguishes an event of interest from a security incident, which events and incidents the CSP reports to the cloud customer, and in what way. Customers should understand when and how quickly they will be notified if the CSP suffers a breach, what information the CSP will give them to help analyze the incident, whether they will have the opportunity (given the SLA in place) to participate in the incident response process, and whether they will be able to contact and interact with the CSP’s own incident response team.
  2. Where is the customer’s data going to be “stored”? This is probably one of the most important questions for a customer, both from a legal perspective (meaning under what circumstances data can be subpoenaed or accessed through a court request or judicial process) and a privacy perspective (meaning how data, such as personally identifiable information, must be stored and protected).
  3. Does the CSP itself adhere to any standardized security practice or framework, like the NIST Cybersecurity Framework or ISO 27001? Does the CSP have a FedRAMP authorization or a listing in the Cloud Security Alliance’s Security, Trust & Assurance Registry (STAR) program?
  4. Does the customer have the ability to audit or independently assess the security provided by its CSP to make sure the provider is compliant with various legal, industry, customer and regulatory requirements it may be subject to?
  5. What is the CSP’s patch management process in case a software or application vulnerability is discovered that could impact the security of the stored data?
  6. What sort of backup procedures does the CSP have in place if the customer’s data is lost, corrupted or deleted?

Thinking About Making a Move to the Cloud? Cloud Security Checklist

There is no perfect checklist of how, when, and where to move data to a cloud-based environment. Some factors, such as cost, may make the decision easy, while the perceived lack of control over your data security or your compliance risks may make the decision harder. At the end of the day, it is your business judgment what sort of data you are comfortable moving to the cloud (you might be comfortable moving human resources, payroll, or other specific applications[ix]) and what sort of data you are not comfortable moving to the cloud (you might draw the line at PII or financial records and information). A separate book could be written on this balancing act alone.

From a data security perspective, though, there are certain security measures that should be investigated by potential cloud customers before they make the decision to move their data to a cloud-based environment. This area is highly technical (and thus security professionals and cyber-governance and cybersecurity lawyers should also be consulted before making this decision), but we try below to boil down these measures into objectives for directors and officers to consider when asked to finally approve a move to the cloud:

  1. How is security built into the cloud architecture and applications and data that are going to be moved to the cloud-based environment? Is there a constant lifecycle of updates and vulnerability reviews given that the computing ecosystem is never static?
  2. What data am I putting in the cloud? Is it general company HR data, customer PII, financial records, or something else less sensitive?
  3. Will the data stored in the cloud be encrypted while at rest or only when it is in motion to and from the cloud? What sort of encryption is available at my CSP?
  4. How is suspicious activity monitored on the cloud? By the CSP only, or will the customer have visibility into security monitoring? Will cloud security be continuously monitored by the CSP?
  5. What degree of visibility does the CSP make available to the customer (audit logs and metadata recording administrative changes, account usage, system logs, etc.), and can this data be flexibly consumed into your own internal security monitoring systems?
  6. What sorts of intrusion detection systems are in place to detect threats to the cloud-based environment, such as malware threats, or suspicious network traffic?

So You Are Moving to the Cloud – Governance Issues Ultimately Rule the Day

This article is not meant to dissuade a company from considering using the cloud to increase efficiency in its businesses. On the contrary, our goal is to allow readers to engage in more informed discussions that will ultimately lead to a greater degree of comfort with both the decision to move to the cloud and the risk management tools, procedures, and contractual protections surrounding that move.

The cloud undoubtedly provides businesses with unique opportunities to manage their data not only in a cost-efficient manner, but also potentially in a manner that is just as safe and secure as on-site storage systems. The cloud is not, however, an all-or-nothing solution to data management challenges, and there is rarely much time to consider all the options. Whatever path you choose, you should consider how things may look at the end of the day if your company is breached and some constituency (e.g., a regulator, state attorney general, or investor) looks back to criticize your decision to move to the cloud. Have your checklist questions answered, discuss the answers with your IT staff and outside experts, and document the decisions that balance the business and efficiency needs of the company against the level of security and service offered by your cloud service provider.

[i] See “The next generation of cloud computing,” available at http://www.pwc.com/en_US/us/increasing-it-effectiveness/assets/next-generation-cloud-computing.pdf (noting “Cloud computing is the fastest-growing trend in enterprise technology today – and for the foreseeable future. Forrester Research predicts the global cloud computing market will mushroom from $40.7 billion this year to $241 billion by 2020.”).

[ii] See “Cloud Computing Issues and Challenges,” available at http://www.porticor.com/2014/11/cloud-computing-security-issues-and-challenges/.

[iii] “Compliance (64%) was seen as the biggest cloud security challenge,” according to one recent report issued by CipherCloud. See “Compliance remains the key cloud security challenge, according to the CipherCloud report,” available at http://www.cloudcomputing-news.net/news/2015/mar/26/compliance-remains-key-cloud-security-challenge-according-ciphercloud-report/.

[iv] See “Majority of firms say they aren’t confident in responding to cloud-based data threats,” available at http://www.cloudcomputing-news.net/news/2015/apr/08/majority-firms-say-they-arent-confident-responding-cloud-based-data-threats/ (noting that 60% of the global respondents in a recent survey were not confident they had the ability to proactively respond to cloud-based data threats).

[v] See “Cloud Security Spotlight Report,” available at http://www.infosecbuddy.com/wp-content/uploads/2015/03/Cloud-Security-Spotlight-Report-2015.pdf (hereinafter, the Cloud Security Report).

[vi] Id.

[vii] See “The Cloud Multiplier Effect on Data Breaches,” available at https://blog.cloudsecurityalliance.org/2014/06/04/the-cloud-multiplier-effect-on-data-breaches/.

[viii] See “SendGrid admits hack, says all customers must reset their passwords,” available at http://venturebeat.com/2015/04/28/sendgrid-admits-hack-says-all-customers-must-reset-their-passwords/.

[ix] See “Navigating security in the cloud,” available at http://www.pwc.com/en_US/us/it-risk-security/assets/pwc-navigating-security-in-cloud.pdf.

Thinking About Excess D&O Insurance

Posted in D & O Insurance

In many cases, companies’ D&O insurance programs are structured in several layers, with one or more excess policies written on top of a primary layer. The excess insurance is often said to be written on a “follow form” basis, meaning that the primary policy’s terms govern the operation of the excess policies. However, even in programs that are intended to be “follow form,” the excess policies will sometimes have terms that cause them to operate differently, sometimes in unexpected and even undesirable ways. In addition, there are a number of other considerations to keep in mind when selecting the insurers to include in the excess layers.

In an interesting April 2014 article (here), Tom Bentz of the Holland & Knight law firm takes a look at the issues that can arise with excess D&O insurance. As Bentz correctly notes, “few excess D&O policies truly follow the terms and conditions of the primary D&O insurance policy.” Instead, the excess policies include various additional terms and conditions that “have the potential to significantly affect the overall protection” of the D&O insurance program.

In order to illustrate his point, Bentz identifies several of the kinds of excess insurance policy features that can be critical in the event of a claim.

First, Bentz refers to the excess D&O insurance policy provision that specifies when the excess insurance will “attach” – that is, what is required in order for the excess insurance to be triggered. In many instances, excess D&O insurance policies were written with a provision stating that the excess insurer’s liability for any loss will attach only after the insurers of the underlying policies have exhausted their limits in payment of loss. The problem with this language is that if, for example, the policyholder is in a dispute with one of the underlying carriers and reaches a compromise to accept less than the full amount of the underlying insurance, there is an uninsured gap.

As I have discussed in prior posts (for example, here), a number of courts have now held that even if the policyholder funds the gap, the underlying insurance was not exhausted by the insurers’ payment of loss, and accordingly the excess insurer’s obligations have not been triggered.

As Bentz notes in his article “to avoid this unfair result, insureds need to negotiate excess insurance policies so that they recognize payments made by the underlying insurers, the insureds, or other source.” Indeed, this kind of provision has now become fairly standard. But as noted below, these kinds of provisions will not address all of the kinds of gaps that can arise and create questions as to whether the excess insurers’ policies have been triggered.

Another excess D&O insurance policy term that Bentz discusses in his article is the provision found in some policies requiring disputes between the insured and the insurer to be resolved by arbitration. This can be a problem if the separate excess policies in the different layers of insurance have separate arbitration provisions. It is possible that different policies could require that the arbitration take place in different geographic locations, using different arbitration processes and applying different jurisdictions’ laws. As Bentz notes, “the type of inconsistency could force an insured to fight multiple battles on multiple fronts with potentially inconsistent results.” Bentz suggests first attempting to have all of the arbitration provisions removed. If that is not possible, he suggests that “an insured should seek to have all of the insurers agree to one arbitration method with only one choice of law provisions and one required venue to resolve any potential coverage disputes.”

In addition to the items that Bentz identified in his article, there are several additional considerations that should be kept in mind with respect to excess D&O insurance.

The first is the excess carrier’s financial strength. All too often, excess D&O insurance is viewed as generic and fungible. However, the ability of any given excess D&O insurer to pay claims when the time comes should not be overlooked. It doesn’t happen often, but carriers do become insolvent, and when that happens, it makes a big mess. There are still cases working their way through the system because of the insolvency in the early 2000s of Reliance National and The Home. When a carrier in an insurance program is insolvent and unable to pay a claim, it not only creates an uninsured liability exposure, but it also creates the kind of “gap” that lets the carriers above the insolvent insurer in the insurance tower avoid coverage.

For example, as discussed here, in June 2013, the Second Circuit held in the Commodore International case that excess D&O insurance is not triggered even if losses exceed the amount of the underlying insurance, where the underlying amounts have not been paid due to the insolvency of underlying insurers. (Commodore had both Reliance and The Home in its insurance tower.)

It is important to think about the problems that can arise from this type of insolvency gap. This is not an issue that can be “fixed” with the type of wording cited above, which provides that the excess D&O insurance will be triggered if the underlying amount is paid by the underlying insurer, the insured, or any other source. When the underlying insurer is insolvent, there is just an underlying uninsured gap. The excess carriers will take the position that they have no obligation to “drop down” to take the place of the underlying carrier or to attach at the underlying carrier’s attachment point. For that reason, the financial stability of all of the carriers in the insurance program should be an important consideration. In particular, excess D&O insurance should not be viewed as generic and fungible. The excess carrier’s financial ability to honor its payment obligations is an important and potentially differentiating consideration.

It is also important to keep in mind that in the event of a significant D&O claim, the excess D&O insurer(s) may be directly involved in the claims resolution. The excess carriers’ responsiveness and claims handling capabilities could well affect whether or not a claim is resolved expeditiously. The claims handling capabilities of the primary D&O carriers are often considered and discussed, as they should be, because the primary carrier will take the lead in handling any claims that will arise. However, because of the role that excess insurers can play in the resolution of claims, the excess insurers’ claims handling experience and reputation should be kept in mind as well.

There is one final thing that should be considered with respect to the excess insurers. It is often a good idea to try to include in the lineup of carriers on a D&O insurance program excess insurers who might be willing to move into the primary position in subsequent years, if the primary carrier were to change its appetite for the risk or seek to get off the account. It is simply a good idea to have an excess insurer in reserve to take the primary position if the need should arise.

Another set of issues to keep in mind with respect to excess D&O insurance is the set of considerations involved in deciding how the excess insurance should be layered and structured, as I discussed in an earlier post, here.

Creditors’ Rights to Pursue Derivative Claims against Company Directors Under Delaware Law

Posted in Shareholders Derivative Litigation

In a detailed May 4, 2015 opinion (here), Vice Chancellor Travis Laster of the Delaware Chancery Court extensively reviewed the rights of an insolvent company’s creditors to pursue derivative claims against the company’s directors. As Francis Pileggi put it in a May 6, 2015 post on his Delaware Corporate and Commercial Litigation blog (here), Laster’s opinion in Quadrant Structured Products Company, Ltd. v. Vincent Vertin et al. is “destined to be cited as a seminal ruling for its historical and doctrinal analysis of important principles of Delaware corporate law.”

Background

Prior to the credit crisis, Athilon Capital Corp. guaranteed credit default swaps that one of its subsidiaries wrote on senior tranches of collateralized debt obligations. To fund its operations, Athilon raised debt financing by issuing various notes. Athilon suffered significant losses during the financial crisis. In the wake of these events, one of Athilon’s debt holders (EBF) acquired all of Athilon’s outstanding equity securities. As the company’s sole stockholder, EBF reconstituted the board, after which it made a number of moves to address Athilon’s financial situation.

In October 2011, Quadrant Structured Products Company, another of Athilon’s noteholders, filed a derivative lawsuit in Delaware Chancery Court against Athilon’s board. Quadrant contended that the directors’ actions, which Quadrant alleged were made to benefit EBF and to the detriment of the company, breached their fiduciary duties. Quadrant argued that under Delaware law, it had the right as a creditor to assert a derivative claim against the Athilon directors because the company was insolvent. In an earlier post (here), I discussed Vice Chancellor Laster’s October 2014 ruling in the Quadrant lawsuit, in which Laster denied in part the defendants’ motion to dismiss.

Following the motion to dismiss denial, Athilon made a number of additional financial moves that the defendants contend returned the company to solvency. The defendants then moved for summary judgment. The defendants argued that for a creditor to have standing to maintain a derivative action, the corporation on whose behalf the creditor sues must be insolvent at the time of the suit and continuously thereafter. The defendants argued that whether or not Athilon was insolvent at the time Quadrant filed suit, Athilon’s current balance sheet shows that it is now solvent, and therefore that Quadrant no longer had standing to pursue the derivative lawsuit.

The May 4 Ruling

In his May 4, 2015 opinion, Vice Chancellor Laster denied the defendants’ motion for summary judgment. He said that the question of whether or not Delaware imposes a continuous insolvency requirement in order for creditors to have standing to assert a derivative claim is a “question of first impression.” In his ruling, he rejected “the defendants’ attempt to impose a continuous insolvency requirement for creditor derivative claims.”

He said that “to bring a derivative action, a creditor-plaintiff must plead and later prove that the corporation was insolvent at the time the suit was filed.” Because he found that Quadrant had introduced sufficient material to support a reasonable inference that Athilon was insolvent at the time Quadrant filed suit, he denied the defendants’ motion for summary judgment.

In making these determinations, Laster broadly surveyed the legal principles underpinning derivative litigation in Delaware, including the rights of creditors to assert derivative claims under some circumstances. He reduced the various principles pertaining to these issues to a succinct bullet point list:

  • There is no legally recognized “zone of insolvency” with implications for fiduciary duty claims. The only transition point that affects fiduciary duty analysis is insolvency itself.
  • Regardless of whether a corporation is solvent or insolvent, creditors cannot bring direct claims for breach of fiduciary duty. After a corporation becomes insolvent, creditors gain standing to assert claims derivatively for breach of fiduciary duty.
  • The directors of an insolvent firm do not owe any particular duties to creditors. They continue to owe fiduciary duties to the corporation for the benefit of all of its residual claimants, a category which now includes creditors. They do not have a duty to shut down the insolvent firm and marshal its assets for distribution to creditors, although they may make a business judgment that this is indeed the best route to maximize the firm’s value.
  • Directors can, as a matter of business judgment, favor certain non-insider creditors over others of similar priority without breaching their fiduciary duties.
  • Delaware does not recognize the theory of “deepening insolvency.” Directors cannot be held liable for continuing to operate an insolvent entity in the good faith belief that they may achieve profitability, even if their decisions ultimately lead to greater losses for creditors.
  • When directors of an insolvent corporation make decisions that increase or decrease the value of the firm as a whole and affect providers of capital differently only due to their relative priority in the capital stack, directors do not face a conflict of interest simply because they own common stock or owe duties to large common stockholders. Just as in a solvent corporation, common stock ownership standing alone does not give rise to a conflict of interest. The business judgment rule protects decisions that affect participants in the capital structure in accordance with the priority of their claims.

In summarizing his ruling on the issues raised in the defendants’ summary judgment motion, Laster said “in my view … to maintain standing to sue derivatively, a creditor must establish that the corporation was insolvent at the time the creditor filed suit. The creditor need not demonstrate that the corporation continued to be insolvent until the date of judgment.” Laster then added a note of modesty, with his observation that “to state the obvious, this is the opinion of one trial judge. The Delaware Supreme Court may well disagree.”

By contrast to Delaware law, courts applying Pennsylvania law have applied the “deepening insolvency” theory to hold that directors of a company in the zone of insolvency have duties for which the company’s creditors may seek to hold them liable. For a recent post discussing a decision in which the Third Circuit applied these principles in holding the directors of a nonprofit entity liable, refer here.

U.S. Trade Sanctions and D&O Insurance

Posted in D & O Insurance

As part of its conduct of foreign affairs and of its national security program, the U.S. government has instituted a series of economic and trade sanctions against a number of countries and a long list of designated individuals. The various sanctions programs are administered by the Office of Foreign Assets Control (OFAC) within the U.S. Department of the Treasury. The sanctions programs OFAC administers include broad trade embargoes of Iran, North Korea, Sudan, Syria, Crimea and Cuba.

As part of its enforcement power, OFAC has authority to file civil liability actions. In collaboration with the U.S. Department of Justice, OFAC can also pursue criminal actions. OFAC’s exercise of its enforcement authority has recently resulted in a number of high profile penalties and settlements. These settlements have a number of significant implications, and, among other things, may raise concerns about the possibility of D&O insurance coverage for the companies involved.

Since 2008, OFAC has filed nearly 250 civil enforcement actions that have resulted in penalties or settlements. The aggregate amount of the enforcement action penalties and settlements during that period is over $3.8 billion. In 2014, the agency’s enforcement actions resulted in penalties and settlements of over $1.2 billion, the agency’s highest annual total.

Two recent enforcement actions illustrate the nature and scope of the government’s sanctions enforcement efforts.

On March 25, 2015, the U.S. Department of Justice announced that a subsidiary of Schlumberger Ltd. had entered a guilty plea and agreed to pay a $232.7 million penalty for conspiring to violate sanction programs by “willfully facilitating transactions and engaging in trade with Iran and Sudan.” Under the plea agreement, the subsidiary agreed to submit to a three-year probationary period during which it would agree to various types of government supervision. The DoJ’s March 25, 2015 press release can be found here.

The $232.7 million penalty includes a $77.5 million criminal forfeiture and a $155 million criminal fine. According to a March 26, 2015 FCPA Blog post (here), the fine is the largest ever criminal fine in connection with a prosecution under the International Emergency Economic Powers Act.

In the Schlumberger action, the government alleged that between 2004 and 2010, a business unit of the subsidiary provided oilfield services to customers in Iran and Sudan. The government also alleged that while the subsidiary had policies and procedures to ensure that it did not violate U.S. sanctions, it failed to train its personnel to ensure that they complied with the sanctions requirements. As a result, the company approved capital expenditure requests from Iran and Sudan, made business decisions specifically concerning Iran and Sudan, and provided technical service and expertise in connection with drilling projects in Iran and Sudan.

In a separate sanctions-related enforcement action, on March 25, 2015, OFAC announced that PayPal, Inc. had agreed to pay the agency $7.65 million to settle the company’s potential civil liability for processing 486 transactions totaling $43,934 in alleged violation of U.S. sanctions programs. Specifically, the company was alleged to have failed to ensure that its payment processing operations blocked prohibited transactions with sanctioned countries (including Iran, Sudan, and Cuba) and sanction-designated individuals. The company was also alleged to have processed 136 transactions for a PayPal account registered to Kursad Zafar Cire, an individual designated under a sanction program relating to “Weapons of Mass Destruction Proliferators and Their Supporters.” The agency’s March 25, 2015 press release regarding the PayPal settlement can be found here. The FCPA Blog’s March 27, 2015 post about the settlement can be found here.

The types of fines and penalties entered in these sanctions enforcement actions would not be covered by D&O insurance, as the typical D&O insurance policy definition of Loss covered under the policy expressly provides that Loss does not include fines, penalties and matters deemed uninsurable under applicable law.

However, as discussed in a May 8, 2015 post on the Orrick law firm’s Policyholder Insider blog (here), there may be coverage for the costs incurred in connection with the investigation that precedes the settlement or penalty. As the blog post puts it, “companies forced to incur costs responding to and defending against these investigations should closely inspect their D&O policies to determine whether they provide coverage.”

Depending on the specific nature of the sanctions enforcement investigation involved, the government’s investigation may constitute a “Claim” triggering the policy’s coverage. However, it should be noted that public company D&O insurance policies provide entity or company coverage only for “Securities Claims.” In most circumstances, a sanctions violation investigation or enforcement action would not meet the policy’s definition of a Securities Claim. Many carriers would likely take the position that because a sanctions violation investigation or enforcement action does not meet the definition of a “Securities Claim,” there is no coverage under the policy’s entity coverage for the investigation or enforcement action.

As the blog post also notes, even if there is no formal proceeding and no subpoenas have been issued, the “Pre-Claim Inquiry” costs coverage found in many more up-to-date D&O insurance policies could be triggered. This policy feature provides coverage for costs associated with interviews and responses to document requests from an “Enforcement Body,” as defined in the policy. The scope of the coverage available will of course depend both on the nature of the governmental inquiries and the specific policy wording involved. However, it should be noted that this coverage is typically available only to Insured Persons – that is, individual directors and officers. It is typically not available to the corporate entity itself.

Because there may be possibilities to find at least some coverage under the D&O insurance policy, the law firm blog post suggests, “policyholders should not assume that simply because the fines imposed for failure to adhere to economic sanctions would not be covered, other associated costs incurred by the company in connection with the OFAC investigations also are not.” As the blog post concludes, it always pays to think carefully about coverage and to read the policy carefully.

In addition to possible coverage for sanction-related investigative costs, the D&O insurance could also become relevant in the event of a follow-on civil lawsuit asserting claims against company officials in connection with a sanctions investigation and penalty. As noted in an earlier post (here), there are examples of shareholders filing derivative lawsuits against company officials after the company has paid a sanctions-related penalty or settlement. The earlier post described a shareholder derivative lawsuit filed against the board of J.P. Morgan Chase after the company reached an $88.3 million settlement with OFAC. The company’s D&O insurance could be called upon to fund the defense of a claim of this type. In addition, the D&O insurance potentially could fund a settlement of the lawsuit as well, although, as I noted in my earlier post, there are some potentially interesting questions about the possibility of insurance funding the settlement of this type of claim.

On a different but somewhat related topic, in an earlier post (here) I examined the personal liability of corporate officials under U.S. import laws.

Petrobras Scandal Roils Brazilian D&O Market: According to a May 6, 2015 article in Global Insurance Intelligence (here), the Petrobras scandal (discussed in a prior post, here) is “forcing the insurance industry in Brazil to rethink how it supplies directors and officers liability insurance (D&O) cover amid fears that loss ratios to rise.”

In the wake of the Petrobras scandal, demand for D&O insurance is soaring as buyers become aware of the need for the product. At the same time, a debate has emerged on the question of whether the policy should protect those who have admitted to bribery, or even those merely accused of bribery. At a minimum, loss ratios are sure to rise as the costs associated with the scandal spill through the insurance market. So, the article concludes, “the future of D&O in Brazil looks turbulent. Demand will increase, yet higher loss ratios could also become the norm. Insurers and reinsurers alike will need to tread carefully to balance these two factors.”

Guest Post: Wham, Bam, Thank You Spam! Don’t Click on the Link!

Posted in Cyber Liability

By now, everyone knows that the Internet can be a dangerous place. But while just about everyone knows about the pervasiveness of Internet scams, many users still fall prey to the tricksters’ latest ploys. In this guest post, Paul Ferrillo and Randi Singer of the Weil, Gotshal & Manges law firm take a look at the latest scams and how they succeed. They also discuss the steps that companies can take to try to protect themselves from these kinds of things. A version of this article previously was published as a Weil client alert.

I would like to thank Paul and Randi for their willingness to publish their article on this site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is Paul and Randi’s guest post.

****************************************

It seems that, just like in old times (in cyberspace that means last year), the presence of “snake-oil” salesmen[i] on the Internet is getting worse, not better. Rather than selling something medicinal or at the very least useful, the snake-oil salesmen of today have one intent only: to steal your personal information or, worse, to distribute malware to your computer. One recent report issued by Symantec in April 2015[ii] details scores of scams, all designed to steal your personal information and potentially compromise your computer (and others’ as well). We detail them not out of morbid curiosity about the utter gall of the snake-oil salesmen, but to inform readers and help prevent the inadvertent “click on the link” circumstances which you and your company would rather avoid. We also point to other recently issued reports noting that scams like phishing and spear phishing continue to be a bothersome and dangerous component of company email.[iii] At the end of the day, as we discussed in our last article,[iv] continuous employee training and awareness of these sorts of scams are truly a strong part of the Holy Grail of Cybersecurity, along with certain network hardware components that can help stop “bad” emails before they get to your employees’ desktops.

Social Media Scams

“Where attacks of yesteryear might have involved a foreign prince and promises of riches through shady exchanges of currency,…. today’s phishers scan social media for birthdays, job titles and anything else that can be used to create the appearance an email request is coming from a legitimate source.”[v] As the Symantec Report points out, a lot of these email scams and offers are now generated through the explosive growth of social media sites such as Facebook, Twitter, and Pinterest. Here are some of them:

  • Manual Sharing – These rely on victims to actually do the work of sharing the scam by presenting them with intriguing videos, fake offers, or messages that they can then share with their friends;[vi]
  • Fake Offerings – These scams invite social network users to join fake events or groups with incentives such as free gift cards. Joining often requires the users to share credentials with the attacker or send a text message to a premium rate number;[vii]
  • Likejacking – Using fake “Like” buttons, attackers trick users into clicking website buttons that install malware and may post updates on a user’s newsfeed, thereby spreading the attack;
  • Fake Applications – Users are invited to subscribe to an application that appears to be integrated for use with a social network, but is not as described and may be used to steal credentials or harvest other personal data; and
  • Affiliate programs – These promise that clicking on the link will get you a free smartphone, airline ticket, or gift card. Caveat emptor: Nothing in life is free, especially when malware is attached thereto.

Phishing Attacks – Email Scams – Email Hijacking

We have talked in the past about the prevalence of phishing or spear phishing attacks against U.S. public companies. As noted in the recently issued 2015 Verizon Data Breach Investigation Report,[viii]

Social engineering has a long and rich tradition outside of computer/network security, and the act of tricking an end user via e-mail has been around since AOL installation CDs were in vogue…

The first “phishing” campaigns typically involved an e-mail that appeared to be coming from a bank convincing users they needed to change their passwords or provide some piece of information, like, NOW. A fake web page and users’ willingness to fix the nonexistent problem led to account takeovers and fraudulent transactions.[ix]

Phishing campaigns have evolved in recent years to incorporate installation of malware as the second stage of the attack. Lessons not learned from the silly pranks of yesteryear and the all-but-mandatory requirement to have e-mail services open for all users has made phishing a favorite tactic of state-sponsored threat actors and criminal organizations, all with the intent to gain an initial foothold into a network.

Some of the statistics set forth in the Verizon Report are cause for concern:

  • 23% of recipients now open phishing messages and 11% click on the links;
  • 50% of the recipients open emails and click on the links within the first hour;
  • The median time to first click on the link: one minute, 22 seconds!![x]

How Do You Stop Malicious Social Media/Spear Phishing/Email Campaigns?

Obviously there are no good answers to these questions, especially in an era when the bad guys are sending such socially engineered emails that they look like they could come from your husband, wife, son, or daughter. They are that good. But here are some points to consider:

  1. Anti-phishing training: As we noted in our previous article, many argue that the weakest link in cybersecurity is the person who is sitting in the chair in front of his or her computer. As such, we strongly advocate a consistent training program, as provided by various organizations,[xi] which can provide tailored solutions to your employee base, or specific sections of your employee base (like your IT department or your finance department), to help them change their behavior and discern between “good” emails and potential “really, really bad” emails which may contain malware packages just waiting to go off when someone opens the email or clicks on the link. Choose a program which can provide metrics and reports to either your compliance or IT security department, which might point out areas of risk such as divisions, departments, or employees who need further training.
  2. Increase user training and advise workers on safe practices when using Facebook, Twitter, Snapchat, and other online services: Simply put, there are bad actors out there who will attempt to lure your employees into clicking on things or sharing content that may, at its core, carry malicious code to others. Adopt policies and procedures to educate your employees about social media scams, which may include limiting use of such sites to their own devices. “It is key that all staff receive security awareness training covering your acceptable usage policy for social networking. Promoting good practice and improving user behavior are the best methods of reducing the risks from this form of communication.”[xii]
  3. Employ DMARC-based technology: Many companies have chosen to employ a technology-based solution founded on DMARC, or “Domain-based Message Authentication, Reporting & Conformance.”[xiii] “DMARC is an Internet protocol specification that … provides visibility into email flows, and can tell receiving servers to delete spoofed messages immediately upon receipt, thus ensuring that only legitimate emails are delivered to inboxes.”[xiv] In practice, the owner of a domain publishes a DNS record stating that a message claiming to come from that domain must pass SPF or DKIM with a sender domain that aligns with the visible From: address, and what a receiving server should do with messages that fail (monitor only, quarantine, or reject); the same record names an address to which receivers send reports on who is sending mail in the domain’s name. Two caveats: the protection only takes effect when the receiving server honors the policy (your own mail gateway should, and the large webmail providers do), and DMARC says nothing about look-alike domains, so a message from a registered look-alike will pass whatever authentication its owner set up and must still be caught by training or link inspection.
  4. Sandboxing: Deploy a solution that checks an e-mailed link or attachment before the message reaches the user, or at the moment the user clicks on it. The appliance-based product cited here[xv] examines link-driven e-mail against known malicious threats and URLs, then “quarantines” suspect messages and runs them through anti-spam and anti-virus threat engines to see whether they exhibit “bad” characteristics. Such solutions are available both on premises and for mailboxes hosted in the cloud.[xvi] It is better to check and stop the e-mail before it reaches an employee’s desk, where it could be inadvertently opened and spread malware across your network. Beware that not all sandboxing technology works the same way, and none is 100% effective against all threat vectors; attackers increasingly build their malware to detect an analysis environment and stay dormant until it reaches a real user’s machine.
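To make concrete what a receiving mail server actually does with a DMARC policy (item 3 above), here is an added example written for this post; it is not code from dmarc.org, from any vendor, or from the original article. It models the receiver-side decision described in RFC 7489: parse the domain’s `_dmarc` TXT record, check whether the SPF or DKIM domain aligns with the visible From: domain in relaxed or strict mode, and return the disposition the domain owner requested. The DNS records, domain names and message results are constructed for the illustration; a real receiver performs live DNS lookups and uses the Public Suffix List for the organizational-domain step, and the `sp` and `pct` handling here is deliberately minimal.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Constructed stand-in for DNS TXT lookups of _dmarc.<domain> (no real DNS is queried).
FAKE_DNS: Dict[str, str] = {
    "_dmarc.example.com": "v=DMARC1; p=reject; adkim=r; aspf=r; rua=mailto:dmarc@example.com",
    "_dmarc.partner.example": "v=DMARC1; p=quarantine; sp=none; aspf=s",
    # Deliberately no record for the look-alike domain "examp1e.com".
}


@dataclass
class AuthResults:
    """What the receiving server already knows after running SPF and DKIM."""
    header_from: str               # domain of the RFC 5322 From: header the user sees
    spf_domain: Optional[str]      # MAIL FROM domain if SPF passed, else None
    dkim_domains: Tuple[str, ...]  # d= domains of DKIM signatures that verified


def parse_dmarc_record(txt: str) -> Dict[str, str]:
    """Split 'v=DMARC1; p=reject; ...' into a tag dictionary and sanity-check it."""
    tags: Dict[str, str] = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed DMARC tag: {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1" or tags.get("p") not in ("none", "quarantine", "reject"):
        raise ValueError("not a usable DMARC record")
    return tags


def organizational_domain(domain: str) -> str:
    """Simplification: keep the last two labels. Real receivers use the Public Suffix List."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(auth_domain: Optional[str], header_from: str, mode: str) -> bool:
    """Identifier alignment: strict ('s') needs an exact match, relaxed ('r')
    only needs the same organizational domain."""
    if auth_domain is None:
        return False
    if mode == "s":
        return auth_domain.lower() == header_from.lower()
    return organizational_domain(auth_domain) == organizational_domain(header_from)


def evaluate(results: AuthResults, dns: Dict[str, str] = FAKE_DNS) -> Tuple[str, str]:
    """Return (dmarc_result, requested_disposition) for one message.

    dmarc_result is 'pass', 'fail' or 'none' (no policy published);
    the disposition is what the domain owner asked receivers to do on failure.
    """
    header_from = results.header_from.lower()
    record = dns.get("_dmarc." + header_from)
    if record is not None:
        tags = parse_dmarc_record(record)
        policy = tags["p"]
    else:
        # Subdomain without its own record: fall back to the organizational
        # domain's record and honor its 'sp' (subdomain policy) tag if present.
        record = dns.get("_dmarc." + organizational_domain(header_from))
        if record is None:
            return "none", "none"
        tags = parse_dmarc_record(record)
        policy = tags.get("sp", tags["p"])
    spf_ok = aligned(results.spf_domain, header_from, tags.get("aspf", "r"))
    dkim_ok = any(aligned(d, header_from, tags.get("adkim", "r")) for d in results.dkim_domains)
    if spf_ok or dkim_ok:
        return "pass", "none"
    return "fail", policy


if __name__ == "__main__":
    # Constructed messages: a legitimate one sent through a bulk mailer, a spoof,
    # a look-alike domain that DMARC cannot reach, and a strict-SPF domain rescued by DKIM.
    samples = {
        "legit via bulk sender": AuthResults("example.com", "bounce.example.com", ()),
        "spoofed From: header": AuthResults("example.com", "attacker.invalid", ("attacker.invalid",)),
        "look-alike domain": AuthResults("examp1e.com", "examp1e.com", ()),
        "strict SPF, DKIM aligns": AuthResults("partner.example", "mail.partner.example", ("partner.example",)),
    }
    for label, r in samples.items():
        print(f"{label:28s} -> {evaluate(r)}")
```

The third sample is the one to dwell on: the spoof of `example.com` is rejected because the domain owner published `p=reject`, but the look-alike `examp1e.com` returns no policy at all, and an attacker who registers it can make it pass SPF and DKIM cleanly. That gap is exactly what the training and link-inspection items on this list are meant to cover.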

High-profile attacks in 2014 and 2015 have all seemed to share one common element: an employee, whether high-level, low-level, or one targeted specifically for his or her password and administrative privileges, opened a malicious e-mail that set off a catastrophic chain of consequences for the company. Though many solutions can be deployed against this pattern of doom and gloom, none can be called entirely effective. Instead, the approaches described above, used jointly, may help companies reduce the risk of being spear-phished “to death” by bad actors.

[i] The existence of the first “snake-oil salesmen” dates back at least to the time of the First Transcontinental Railroad in 1863.

[ii] See “Symantec Internet Security Threat Report 2015,” available at http://www.symantec.com/index.jsp (hereinafter, the “Symantec Report”).

[iii] See e.g. “Phishing Email Baits Indiana Medical Center, Health Data Exposed,” available at http://www.nextgov.com/cybersecurity/threatwatch/2015/04/breach/2233/; “SendGrid: Employee Account Hacked, Used to Steal Customer Credentials,” available at https://krebsonsecurity.com/2015/04/sendgrid-employee-account-hacked-used-to-steal-customer-credentials/.

[iv] See “Is Employee Awareness and Training the Holy Grail of Cybersecurity?” available at http://www.dandodiary.com/2015/03/articles/cyber-liability/guest-post-is-employee-awareness-and-training-the-holy-grail-of-cybersecurity/.

[v] See “Data Breach Methods Getting More Sophisticated, Report Says,” available at http://www.govtech.com/data/Data-Breach-Methods-Getting-More-Sophisticated.html.

[vi] See “Beware of Nepal charity scams,” available at http://www.usatoday.com/story/money/personalfinance/2015/05/03/weisman-nepal-charity-scams/26755507/ (highlighting that “Email and text message solicitations for charities as well as solicitations you find on social media are also not to be trusted. Once again, you cannot be sure as to who is actually contacting you and these solicitations carry the additional danger of having links or attachments that, if clicked on or downloaded, will install malware on your computer or smartphone that will steal the personal information from your device and use it to make you a victim of identity theft.”).

[vii] See “5 Scams to Watch for in 2015,” available at https://www.allclearid.com/blog/5-scams-to-watch-for-in-2015.

[viii] See “2015 Verizon Data Breach Investigations Report,” available at http://www.verizonenterprise.com/DBIR/2015/ (hereinafter, the “Verizon Report”).

[ix] See “Banking Malware Taps Macros,” available at http://www.databreachtoday.com/banking-malware-taps-macros-a-8186 (describing the Bartalex macro malware scheme, in which a social-engineering attack tells recipients that their Automated Clearing House electronic-funds transfer was declined, and invites the recipient to click a link to “view the full details,” which leads to a Dropbox page that lists specific instructions, including the need to enable Microsoft Office macros).

[x] See Verizon Report.

[xi] See, e.g. the comprehensive anti-phishing training services offered by www.phishme.com.

[xii] See “Social networking best practices for preventing social network malware,” available at http://searchsecurity.techtarget.com/answer/Social-networking-best-practices-for-preventing-social-network-malware.

[xiii] See “DMARC – What is it?” available at http://dmarc.org/.

[xiv] See “How To Reduce Spam & Phishing With DMARC,” available at http://www.darkreading.com/application-security/how-to-reduce-spam-and-phishing-with-dmarc/a/d-id/1319243.

[xv] For instance, one of these solutions is the FireEye EX prevention series. See “Threat Prevention Platforms that Combat Email-Based Cyber Attacks,” available at https://www.fireeye.com/content/dam/fireeye-www/global/en/products/pdfs/fireeye-ex-series.pdf.

[xvi] See e.g. “Email Threat Prevention Cloud,” available at https://www.fireeye.com/content/dam/fireeye-www/global/en/products/pdfs/fireeye-email-threat-prevention-cloud.pdf.

Guest Post: D&O Insurance on the Agenda of Shareholders’ Meetings in Germany

Posted in International D & O

In the following guest post, Dr. Burkhard Fassbach and Dr. Niklas Rahlmeyer imagine a possible shareholder presentation about D&O insurance at an annual meeting of shareholders in Germany. Fassbach is Of Counsel with the Dusseldorf-based D&O specialist law firm Hendricks. Rahlmeyer is an attorney in the corporate practice group of the Dusseldorf office of Field Fisher Waterhouse LLP. I would like to thank both for their willingness to publish their guest post on this site. I welcome guest post submissions from responsible authors on topics of interest to readers of this blog. Here is the guest post.

***********************************

In the wake of a significant increase in D&O claims, (activist) shareholders are determined to scrutinize D&O policies meticulously at shareholders’ meetings. The chairs presiding at such meetings, as well as members of the supervisory and executive boards, should be prepared accordingly.

The shareholders are likely to chime in along the following lines:

“Dear Mr. Chair, dear supervisory and executive board members,

as a stockholder of this corporation, I rise to speak at today’s shareholders’ meeting so as to discuss the topic of D&O insurance. As you are all well aware, the D&O insurer’s promise to defend its insureds against unfounded claims for damages is at the heart of the insurance contract. If these claims turn out to be valid, the insurer’s ensuing duty is to indemnify its insureds by effecting payment to the policyholder. According to case law, the insurer’s promises to both defend and indemnify are conterminous and on an equal legal footing.

As a shareholder, I am deeply troubled about whether the D&O insurance coverage taken out for our company is going to protect our corporation’s assets when the chips are down. Please recall the slush funds at Siemens. In that case, where the damage amounted to EUR 1.6 billion and the insurance sum was set at EUR 250 million, the insurance carriers eventually paid out the petty amount of EUR 100 million. I, personally, am incapable of discerning asset protection here. Likewise, the shareholders of Deutsche Bank will have to dig deep into their pockets. When former chair Breuer, during a Bloomberg TV interview, made detrimental comments relating to media entrepreneur Kirch, this cost Deutsche Bank EUR 925 million. It is the shareholders who are most likely going to have to foot the bill resulting from this squandering of capital.

As you all know: Executive board members and supervisory board members who commit a breach of duty are jointly and severally liable to the corporation for such damages as result from their breach of duty. Don’t get me wrong, dear members of the executive board: I have complete trust in the way you are conducting business. However, as a shareholder, I ought not to lose sight of the worst-case scenario. Since the worst case did not spare former icons of the German economy, it is potentially not going to halt here.

My first inquiry is this: Do you deem the insurance sum of the D&O policy that is currently in place appropriate with respect to the risks our company is exposed to? Secondly: Have you concentrated on analyzing current developments in the D&O insurance arena in Germany? Please bear with me while I provide some background information in this regard:

The product of D&O insurance has its origin in the U.S. Unlike German law, U.S. law does not recognize an institutionalized separation of monitoring and management. As a consequence of the unreflective adoption of American coverage concepts in Germany, both the executive and the supervisory board members are insured persons, commonly insured under the roof of the same insurer.

Can this work? I raise this question because, in a D&O damage event, members of the supervisory board and members of the executive board are potentially prone to having colliding interests. Reasoning that attack is the best form of defense, defendant members of the executive board, almost as a matter of routine, serve third-party notices on their supervisory board colleagues. To put it crudely: The D&O insurer then ‘represents’ two opposing parties. In this case, the insurer is ensnared in an inherent conflict of interest. The only viable solution is to separate one party from the representing insurer.

This flows from the precept that, in accordance with the legal precedents set forth by Civil Division IV of the German Federal Supreme Court, which is in charge of insurance law matters, the insurer shall protect the interests of the insured person in the same way a lawyer retained by that person would do. On these grounds, insurance coverage concepts are under debate in Germany that forestall conflicts of interest between executive and supervisory board members. Following those concepts, insurance coverage for the two organs is placed separately with different carriers. In D&O lingo this is called the ‘Twin-Tower’ or ‘Two-Tier-Trigger’ concept.

There are strong arguments backing this concept: It is incumbent upon the supervisory board to monitor management. The inherent crux of this duty to monitor has been appositely couched in an expert opinion to the 70th German Legal Colloquium. May I quote: ‘As the monitoring of management rests with the supervisory board, any mistake made by management is theoretically susceptible to being converted into a mistake by the supervisory board’, which amounts to the statement that, had the supervisory board lived up to its monitoring duty, the mistake would have been averted in the first place.

According to the German Federal Supreme Court’s ‘ARAG doctrine’, a supervisory board is subject to the duty to independently investigate the viability of a corporation’s compensation claims against executive board members. If the supervisory board does not fulfill its duty to pursue viable claims, this constitutes a breach of duty vis-à-vis the corporation, and the corporation, in turn, has a claim against the blundering supervisory board members.

The question inevitably becomes: Is it apt to perceive the supervisory board as a huntsman such as would reflect the ideal laid down by the German Federal Supreme Court? Or does the supervisory board feel inhibited due to potentially becoming the hounded through third-party notices? Indeed, the supervisory board’s independence with respect to the review of potential claims and their out-of-court assertion is most naturally heavily compromised for ‘fear of third-party notices’.

The residual risk bearers, the shareholders, take the greatest interest in the replenishment of the assets of the damaged corporation. Accordingly, we, the shareholders, take a fundamental interest in a supervisory board’s acting independently. For that matter, separate D&O coverage for members of the supervisory board works as a valuable contribution to effective corporate governance, because the supervisory board’s independence in pursuing claims against executive board members is ensured at the level of D&O insurance. Thus, I ask you: Do you share my view in light of a shareholder-value concept?

Thank you very much for your attention.”