The D&O Diary

A PERIODIC JOURNAL CONTAINING ITEMS OF INTEREST FROM THE WORLD OF DIRECTORS & OFFICERS LIABILITY, WITH OCCASIONAL COMMENTARY

Second Circuit Splits With Ninth Circuit, Holds Item 303 Omissions Can Be Actionable in Section 10(b) Claims

Posted in Securities Litigation

On January 12, 2015, the Second Circuit ruled, “as a matter of first impression” for the appellate court, that a failure to make a disclosure required by Item 303 of Reg. S-K is an omission that can serve as a basis for a Section 10(b) securities fraud claim, but only if the other requirements to state a Section 10(b) claim – such as materiality and scienter – have been met. In ruling that a failure to make an Item 303 disclosure can state an actionable Section 10(b) claim, the Second Circuit reached a different conclusion on the issue than did the Ninth Circuit in an October 2014 decision on the same question. The Second Circuit’s January 12, 2015 opinion in Stratte-McClure v. Morgan Stanley can be found here.

 

Background 

This case involves a claim by Morgan Stanley shareholders that the company and certain of its directors and officers made misleading statements to conceal the company’s exposure to and losses from a massive proprietary trade the company had structured involving subprime mortgage-backed derivative securities. Among other things, the plaintiffs alleged that the company failed to disclose – as the plaintiffs alleged the company was required to do by Item 303 of Reg. S-K – that the company’s proprietary subprime mortgage-backed derivative investment would have an unfavorable material effect on revenue. The district court dismissed the plaintiffs’ claims, including the plaintiffs’ claims made in reliance on Item 303, and the plaintiffs appealed.

 

Item 303 of Reg. S-K, entitled “Management’s discussion and analysis of financial condition and results of operations,” imposes disclosure requirements on companies filing SEC-mandated reports, including quarterly filings on Form 10-Q. The requirements include the obligation to “describe any known trends and uncertainties … that the registrant reasonably expects will have a material … unfavorable impact on … revenues or income from continuing operations.”

 

The January 14 Opinion 

On January 14, 2015, in a 32-page opinion by Judge Debra Ann Livingston for a unanimous three-judge panel, the Second Circuit affirmed the district court, holding that a failure to make an Item 303 disclosure can be actionable under Section 10(b), but ruling that in this case the plaintiffs’ claim was properly dismissed because the plaintiffs did not adequately plead scienter.

 

In ruling that a failure to make a disclosure required by Item 303 can be actionable, the appellate court reasoned that Item 303 imposed an affirmative disclosure duty on reporting companies. Omitting a required disclosure item, the court said, “can render … financial statements misleading.” The Court said “due to the obligatory nature of these regulations, a reasonable investor would interpret the absence of Item 303 disclosure to imply the nonexistence of ‘known trends or uncertainties… that the registrant reasonably expects will have a material unfavorable impact.’”

 

However, the appellate court added that the failure to make a required Item 303 disclosure “is not by itself sufficient to state a claim for securities fraud under Section 10(b),” noting that Rule 10b-5 makes only ‘material’ omissions actionable.

 

The court said that the plaintiff must first allege that the defendant failed to comply with the requirements of Item 303, in order to establish that “the defendant had a duty to disclose.” Having established the duty to disclose, the plaintiff must then allege that the omission was material, and further that, as with any Section 10(b) claim, the plaintiff must also sufficiently plead scienter.

 

The appellate court went on to conclude that the plaintiffs had not adequately pled scienter, and affirmed the district court’s dismissal of the case.

 

The Second Circuit expressly acknowledged that in ruling that an omission of a disclosure required under Item 303 can be actionable its conclusion was “at odds with” the Ninth Circuit’s October 2, 2014 opinion in In re NVIDIA Corp. Securities Litigation. In that case, the Ninth Circuit held that Item 303’s duty is not actionable under Section 10(b), in reliance on language in an earlier opinion written by then-Judge (and now Supreme Court Justice) Samuel Alito when he was on the Third Circuit, stating that because the materiality standards for Rule 10b-5 and Item 303 differ significantly, a violation of Item 303 “does not automatically give rise to a material omission under Rule 10b-5.”

 

The Second Circuit felt that this language merely suggested, without deciding, that in certain instances a violation of Item 303 could give rise to a material omission. At a minimum, the Second Circuit noted, the language “is consistent with our decision that failure to comply with Item 303 … can give rise to liability under Rule 10b-5 as long as the omission is material … and the other elements of a Rule 10b-5 have been established.”

 

Discussion

The outcome of this appeal represents something of a win-the-battle-lose-the-war deal for the plaintiffs here. In the face of adverse recent precedent from the Ninth Circuit on the issue, the plaintiffs managed to persuade the appellate court on an issue of first impression for the Second Circuit that an Item 303 omission can be actionable under Section 10(b). But then having established that principle, the appellate court nevertheless affirmed the district court’s dismissal of the case based on the conclusion that the plaintiffs’ scienter allegations were insufficient.

 

The plaintiffs’ bar in general may be heartened by the Second Circuit’s conclusion that an Item 303 omission can be actionable. However, their celebration is likely to be muted, as the Second Circuit included significant limitations on plaintiffs’ ability to assert these kinds of claims. First of all, to make out the omission in the first instance, the plaintiffs are going to have to establish that the allegedly omitted information was actually known to the defendants and significant. Second, as the Paul Weiss law firm noted in its January 14, 2015 memo about the Second Circuit’s ruling (here), even if the plaintiff can show that the disclosures were inadequate, in many cases, as in this case, “plaintiffs will face significant difficulties showing that the defendants intended to mislead investors by omitting information or were consciously reckless in that respect.”

 

In any event, we now have a split between the Second and the Ninth Circuits on this issue. This case – or at least this issue – could now find its way to the U.S. Supreme Court. As the Paul Weiss firm noted in its memo, “the issue may now be ripe for potential review by the Supreme Court.” The Supreme Court has shown an inexplicable interest in taking up securities cases in recent years, so the plaintiffs in this case may well decide to try their luck. Or as the issue percolates up in another circuit, the disappointed litigant in another case may try to catch the Supreme Court’s attention on the issue. Given the split in the circuits, this could be the kind of securities law issue that might catch the attention of the highest court.

 

It probably should be noted that while the Second Circuit’s opinion in this case is at odds with the Ninth Circuit’s opinion in the NVIDIA case, it arguably comes as no surprise as the Second Circuit’s holding about Item 303 is consistent with its 2012 opinion in the Panther Partners case, in which the Second Circuit held that an Item 303 omission can state an actionable Section 11 claim, as discussed here.

As Part of White House Cyber Security Initiative, President Proposes Uniform Data Notification Rules

Posted in Cyber Liability

As previously discussed on this blog (refer for example here), over the years there have been a number of different responses from the federal government to the threat of cyberattacks on U.S. companies and infrastructure, but overall the government’s track record on the issue is mixed. However, according to a January 12, 2015 Wall Street Journal article entitled “White House Aims to Harden Cyberattack Defense” (here), the White House is about to try again to address the issue, through new legislative proposals to be announced this week and in the President’s upcoming State of the Union address, and through an executive order to be introduced later this year. These initiatives arise as Department of Homeland Security data show that the number of cyber incidents reported to the agency has more than doubled in two years.

 

In a January 12, 2015 speech at the Federal Trade Commission, President Obama previewed  a number of the initiatives he will be detailing in the State of the Union address, as discussed further below.  According to the Journal, the White House’s proposals overall will focus on improving company disclosures around cyber breach events and on “improving how threats are shared between the U.S. government and companies.” The Journal article notes that “Sharing information [has] long been a thorny project given that companies are reluctant to share details of breaches and government agencies want to keep their own intelligence closely by.”

 

The Journal article also details statistical information from the Department of Homeland Security showing that the number of cyber incidents reported to the agency during the 2013 fiscal year (which ended September 30, 2013) more than doubled compared to the number of reports during the 2011 fiscal year. A graphic accompanying the article shows that in fiscal 2014, there were 228,700 cyber incidents reported to the agency, compared to just over 100,000 in the 2011 fiscal year. A note to the graphic comments that the statistics reflect cyber intrusions targeting government agencies, companies, organizations, and individuals in the U.S., and adds the further comment that “the actual number could be higher.”

 

In his January 12 speech at the Federal Trade Commission (here), President Obama announced his introduction of the Personal Data Notification & Protection Act, in order to implement nationwide, uniform consumer data breach notification rules. (Right now, there are 47 different state laws that govern data breach notifications.) As the President described the legislation in his speech, “under the new standard that we’re proposing, companies would have to notify consumers of a breach within 30 days. In addition, we’re proposing to close loopholes in the law so we can go after more criminals who steal and sell the identities of Americans — even when they do it overseas.”

 

The President’s speech also announced the White House’s introduction of the Student Digital Privacy Act, which is meant to stop the sale of sensitive student data for non-education purposes, as well as his support for a Consumer Privacy Bill of Rights. As discussed in a January 12, 2015 CNN article (here), the President’s forthcoming State of the Union address (which he will deliver to Congress on January 20, 2015) will include greater detail on the initiatives he introduced in his speech at the FTC.

 

The Department of Homeland Security data, while perhaps understating the issue, confirm a sense that I think most of us have about this issue, which is that it is quickly growing worse. It is hard to tell now from the publicly available information, but the extent of the White House’s disclosure-related approach to cyber security issues may be restricted to the consumer data breach notification questions.  But it is in any event not a surprise that the White House has chosen to focus on disclosure-related issues. Indeed, a disclosure focus has been among the principal responses of a number of federal agencies that have already tried to grapple with the issue.

 

Certainly that was among the approaches that the SEC took, when it issued guidance on cyber security related issues.  On October 12, 2011, the SEC issued guidance regarding the disclosure obligations of public companies relating to cyber security risks and cyber incidents. The focus of this guidance was on whether information concerning cyber security and cyber incidents rose to the level of a disclosure obligation either as a risk factor under Regulation S-K Item 503(c) or in the MD&A Section of a Company’s mandatory SEC disclosure.

 

The focus of the SEC’s guidance was the question that companies are to ask themselves with respect to cyber security issues – that is, whether the “costs or other consequences associated with one or more known incidents or the risk of potential incidents represent a material event, trend, or uncertainty that is reasonably likely to have a material effect on the registrant’s results of operations, liquidity, or financial condition.” If this question is answered in the affirmative, then, the agency’s guidance specifies, there are a number of specific categories of information that the company might address. The discussion of these issues might include the following:

  • Discussion of aspects of the registrant’s business or operations that give rise to material cybersecurity risks and the potential costs and consequences;
  • To the extent the registrant outsources functions that have material cybersecurity risks, description of those functions and how the registrant addresses those risks;
  • Description of cyber incidents experienced by the registrant that are individually, or in the aggregate, material, including a description of the costs and other consequences;
  • Risks related to cyber incidents that may remain undetected for an extended period; and
  • Description of relevant insurance coverage.

As I discussed in another post (here), these disclosure issues have proven to be an area of focus for the SEC’s Division of Corporate Finance. Just the same, as discussed here, a study based on a review of actual disclosures in companies’ periodic filings shows that very few companies are actually including disclosures in their periodic reports about cyber incidents at the companies. The small number of companies including this information represents “a seemingly low number given the number of attacks that appear in the press on a regular basis.” The report notes further that none of the companies that disclosed actual attacks included the associated cost, even though the SEC’s Guidance requests the dollar costs of the attacks that have occurred.

 

It is possible that the White House’s disclosure-related approach to these issues will be limited to the consumer data breach notification requirements, and will not extend or relate to the requirements for breach notifications to investors. However, even if the White House does not go in that direction, I think there will continue to be pressure on these issues, from the SEC as well as from investors themselves.  

 

I also continue to believe that at some point, perhaps in the near future given the administration’s focus on cyber security issues, the SEC or another enforcement agency will seize upon developments at a particular company as a test case and in order to make an example. Among the many downsides to this approach if it were to be put into action is that the enforcement action could look a lot like kicking a company when it is down or blaming the victim for its misfortune. In any event, it is clear that cyber security-related disclosure issues will remain a key focus in the months ahead and are likely to continue to be a source of scrutiny and of challenge for companies as they all seek to grapple with the cyber security concerns.

  

Professional Liability Insurance: Two Policies But No Coverage Due to Untimely Notice

Posted in D & O Insurance

In a January 9, 2015 opinion (here), the Eighth Circuit, applying Missouri law, held that there was no coverage under either of two successive professional liability insurance policies issued by the same insurer for a claim against its insured, LSi-Lowry Systems, because the claim was first made before the inception of the second policy and because LSi had not given timely notice of claim under the first policy. The appellate court rejected LSi’s argument that its email exchange with a dissatisfied customer during the policy period of the first of the two policies did not constitute a claim.

 

Background

LSi sold Hodell-Natco Industries business software and software support services. The software went live on March 1, 2007 and software performance issues immediately emerged. In a lengthy series of emails that followed between the two companies, Hodell complained about the performance issues and demanded that LSi remedy the defects. Within days, Hodell threatened legal action. On April 27, 2007, Hodell sent emails asking “who will pay for damages” and advising that the company had retained legal counsel. On June 25, 2007, Hodell demanded that LSi correct the problems “or reimburse Hodell-Natco for the expense.”

 

On July 24, 2007 Hodell’s lawyer sent LSi a letter stating that the company is “compelled to declare [LSi] in material default of their agreements,” advising that Hodell “will pursue all legal and equitable remedies available to us,” and demanding that LSi have their attorneys contact Hodell’s counsel in order to “discuss an amicable resolution to this matter.” LSi acknowledged receipt of the letter, asking “You are asking for remedies (ie money?) Correct?”

 

On January 23, 2008, Hodell sent LSi an email stating “We are offering you the chance to resolve this situation by refunding the TOTAL funds we’ve paid to LSi,” adding “Don’t you carry professional liability insurance for this type of issue? …In an effort to avoid a dragged-out lawsuit, we made a proposal to resolve this matter in a manner that gave us a small amount of relief, far short of our total cost.”

 

On November 21, 2008, Hodell filed a lawsuit against LSi in the Northern District of Ohio asserting claims for fraud, breach of contract, negligence and negligent misrepresentation arising from the performance issues with the software. On December 8, 2008, LSi first notified its professional liability insurer of Hodell’s claims.

 

LSi had two successive professional liability insurance policies issued by the same insurer. The first was issued for the policy period April 23, 2007 to April 23, 2008; the second was effective from April 23, 2008 to April 23, 2009. Both policies required LSi to provide notice during the policy period of any “claim made against [it]” or “any circumstance that could reasonably be expected to give rise to a claim.” In the 2007 policy, a “claim” was defined as “a demand receive [sic] by the Insured for money, including the service of suit or institution of arbitration proceedings involving the Insured.” In the 2008 policy, the definition of a “claim” changed to “a demand received by you for money or services, including the service of suit or institution of arbitration proceedings involving you arising from any alleged wrongful act.” (Emphasis added).

 

The insurer denied coverage for Hodell’s lawsuit against LSi and instituted an action in the Eastern District of Missouri seeking a judicial declaration that neither of its policies provided coverage for the lawsuit. The district court granted the insurer’s motion for summary judgment, agreeing with the insurer that LSi did not provide timely notice of claim during the policy period of the 2007 policy, when, the district court held, the claim was first made. LSi appealed.

 

The January 9 Opinion

On January 9, 2014, in an opinion by Judge Jane Louise Kelly for a unanimous three-judge panel, the Eighth Circuit affirmed the district court, holding that there was no coverage for the claim under either of the two professional liability insurance policies.

 

The district court had concluded there was no coverage under the 2007 policy because LSi did not give notice of claim or potential claim to the insurer within the 2007 policy period. The appellate court said “We agree with the district court,” quoting the district court’s statement that “by the plain language of the 2007 policy, there is no coverage.”

 

The district court also found that there was no coverage under the 2008 policy because it concluded that the email communications between LSi and Hodell during the period March 2007 and April 23, 2008, when the 2008 policy incepted, constituted a claim. The appellate court said, quoting with approval from the district court opinion, “We agree with the district court that the communications ‘show that Hodell blamed LSi for the functionality problems of the software, requested that LSi fix the issues, and expected LSi to pay the associated costs.’”

 

The appellate court also rejected LSi’s argument that the district court had erred in relying on the definition of “claim” in the 2008 policy – which included “a demand for money or services” – but rather should have analyzed the question using the definition of “claim” in the 2007 policy, which defined a claim solely as “a demand for money.” LSi argued that Hodell did not make a claim against LSi during the 2007 policy period because Hodell did not make a specific demand for money.

 

The appellate court said “As an initial matter, we question whether the definition of a claim in the 2007 policy would apply when determining coverage under the 2008 policy.” But, the court added, in any event, the term “claim” in both policies included a “demand for money” within the definition. The court reviewed the various statements in the email communications and concluded that “Regardless of which definition applies, the result is the same: The communications between Hodell and LSi prior to the date coverage began under the 2008 policy constituted a ‘demand for money’ and therefore amounted to a ‘claim.’”

 

The appellate court also rejected LSi’s contention that the email correspondence at most reflected Hodell’s dissatisfaction with LSi’s performance of its contract, which would not be covered under the policy, rather than a claim of negligence, and therefore, LSi argued it was not required to give the insurer notice of claim. The court said “While the evidence may support the assertion that Hodell believed LSi had breached its contract, Hodell made it clear to LSi it intended to pursue all legal and equitable remedies – not just a suit premised on breach of contract.”

 

Finally, the appellate court rejected LSi’s argument that the insurer should have been required to show that it was prejudiced in order to rely on LSi’s failure to give timely notice as a defense to coverage. The appellate court said that “Missouri law does not require an insurer to show prejudice under a claims made policy.”

 

Discussion

It is a common misunderstanding for those not immersed in insurance terminology that a claim is a lawsuit and that if there isn’t a lawsuit there isn’t a claim. Just the other day, the general counsel of one of my clients contested my suggestion that his company should give notice of claim to its insurers, telling me that there was no need to give notice because no lawsuit had been filed or served. (I managed to persuade him otherwise.)

 

Most liability policies define the term “claim” more broadly than just a lawsuit. Indeed, in recent years, there has been a steady evolution of policy language broadening the definition of the term “claim.” The general industry view is that a broader definition of the term claim is in the policyholder’s interests. But this case is a reminder that if the policy’s definition of claim has been met, the definition has been met for all purposes, including for purposes of the determination of the “claims made” date. In this instance — as in the case I discussed last week (here) where service of a subpoena prior to the policy period was held to be a claim and to establish the date on which a claim was first made — a broader definition of the term “claim” can in some circumstances wind up precluding coverage for the policyholder.

 

It is pretty clear that the district court and the appellate court thought that LSi had sat on its rights. The email correspondence in 2007 and early 2008 does reflect a steady stream of threats of litigation and demands for recompense. The email chain also reflects the claimant’s query – somewhat ironic in retrospect – asking whether LSi had professional liability insurance for this sort of dispute. I will say that this case is a good illustration of the reason for my standard rule of thumb about giving notice, which everyone around me has heard me say a million times, and that is – always give notice. No matter what, put the notice in and worry later about whether there is coverage or what the impact of the notice will be on the renewal.

 

Just the same, there is something frustrating to me about the outcome of this case. The carrier was on the risk throughout the period of the dispute and when the lawsuit was filed. This isn’t a case where the coverage had moved to a different carrier between the first policy period and the second policy period (which was an issue in the case about the SEC subpoena, which I discussed in a post last week). The carrier here had been paid two annual premiums to provide coverage for exactly the kind of lawsuit that was filed against LSi. To be sure, the appellate court said that under applicable law the carrier did not have to show prejudice in order to be able to deny coverage for the untimely notice, but it does seem unsatisfying that the carrier is off the hook for a process delay that caused no harm. The policyholder is deprived of the coverage for which it paid through a simple failure to recognize that circumstances amounted to a claim under the policy though the delay in giving notice caused no harm.

 

In the end, this decision is a reminder that under a liability policy, both the policyholder and the insurer have duties. A liability insurance policy involves more than just an insurer’s duty to pay certain kinds of losses under certain circumstances. It also involves certain duties for the policyholder, too, including the duty to give timely notice in the event of a claim. The policyholder’s provision of timely notice is a prerequisite to coverage. As harsh as it may seem, the risk is on the policyholder that the policyholder might fail to recognize that a given set of circumstances involves a claim and therefore fail to give timely notice. The lesson is that policyholders must be diligent in protecting their interests. (My earlier post about policyholder’s obligations in the insurance policy can be found here.)

 

Guest Post: Changing the Cyber Security Playing Field in 2015

Posted in Cyber Liability

As I have noted in a number of recent posts, there have been a host of significant cyber security developments, including, among others, the Sony Pictures Entertainment hack attack. These developments have a number of important implications for the cyber security arena in the year ahead. In the following guest post, Paul Ferrillo of the Weil Gotshal law firm takes a look at the implications of these developments for companies and their executives. A version of this alert was initially distributed as a Weil client alert.

I would like to thank Paul for his willingness to publish his article as a guest post on this site. I welcome guest post submissions from responsible authors on topics of interest to readers of this blog. Please contact me directly if you are interested in submitting a guest post. Here is Paul’s guest post.

****************************************** 

“If this incident [Sony] isn’t a giant wake-up call for U.S. corporations to get serious about cybersecurity, I don’t know what is. I’ve done more than two dozen speaking engagements around the world this year, and one point I always try to drive home is that far too few organizations recognize how much they have riding on their technology and IT operations until it is too late. The message is that if the security breaks down, the technology stops working – and if that happens the business can quickly grind to a halt. But you would be hard-pressed to witness signs that most organizations have heard and internalized that message, based on their investments in cybersecurity relative to their overall reliance on it.”

– Author Brian Krebs, Dec. 20, 2014.[i]

“For those worried that what happened to Sony could happen to you, I have two pieces of advice. The first is for organizations: take this stuff seriously. Security is a combination of protection, detection and response. You need prevention to defend against low-focus attacks and to make targeted attacks harder. You need detection to spot the attackers who inevitably get through. And you need response to minimize the damage, restore security and manage the fallout.”

– Professor Bruce Schneier, Dec. 19, 2014.[ii]

Without a doubt, the last month in the world of cyber security has been tumultuous. It has now been confirmed that two companies in the United States have potentially been the subject of cyber-terrorism. Servers have been taken down or wiped out. Businesses have been significantly disrupted. Personally identifiable employee information has been shoveled by the pound onto Internet credit card “market” sites. The cyber security world has changed. And two of the most respected men in cyber security have both iterated similar messages: it is time for U.S. corporations to take this stuff seriously.

This alert does not aim to recount the parade of horribles of 2014; rather, we write to suggest three modifications that are highly achievable in the corporate world that have the potential to make our cyber security world a little bit better in 2015.

More Cyber Governance – More NIST Discussions – More Information Sharing

On the first day of Christmas, my true love gave to me: the NIST cyber security framework.

In reality, on February 12, 2014, the Obama Administration, through the National Institute of Standards (NIST), announced the NIST Cyber Security Framework to “allow organizations – regardless of size, degree of cyber risk or cybersecurity sophistication – to apply the principles and best practices of risk management to improve the security and resilience of critical infrastructure.”[iii] In sum, the Framework focuses U.S. infrastructure companies on 5 basic principles:

  1) Describing their current cybersecurity posture
  2) Describing their target state for cybersecurity
  3) Identifying and prioritizing opportunities for improvement within the context of a continuous and repeatable process
  4) Assessing progress toward the target state
  5) Communicating among internal and external stakeholders about cybersecurity risk[iv]

In sum, NIST focuses companies on two simple questions: (1) where are they currently with cybersecurity, and (2) where do they want to be in the future?

Even more elegant is the simple way the Framework steers conversations regarding how a company should review its core processes of protecting its most precious IP, trade secrets or customer information:

  • Identification – Developing the organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities. In other words, what are the most prized IP assets, and where are they located, e.g. off-line servers, network servers, or the cloud.
  • Protection – Developing and implementing systems to protect the company’s most valuable IP assets.
  • Detection – Developing and implementing the appropriate activities to identify the occurrence of a cybersecurity event. An event may be nothing after it is appropriately investigated. An event that is missed or not apprehended as something more severe might turn into a catastrophic incident resulting in a mega-breach.
  • Respond – Developing an Incident Response Plan.
  • Recover – Developing and implementing the appropriate activities to maintain plans for resilience and to restore any capabilities or services that were impaired due to a cybersecurity event.[v]

A thorough reading of the history behind the Framework will point to two conclusions: (1) it was not meant to become the national standard for cyber security best practices here in the United States (the Framework expressly says adoption of its principles is “voluntary,” though many will argue that it is already de facto a national standard being used by the government and its third-party vendors), and (2) the Framework was designed so that executives and employees of any company could, using a common language, determine the “what, who, where, when and how” to protect its most valuable intellectual property assets.

Though some take issue with the lack of specificity regarding implementation of the standard, we would argue that is the point. No company is the same. No IP is the same. Therefore, there is no one perfect method for protecting a company’s data. But there was a need to help companies organize their discussions around cyber security in a way that could be used by all directors, officers, and employees, whether they are technologically savvy or not, to better their cyber security posture and defenses. And that is what the Framework is all about.

However, if the Framework has become at the very least a national standard for cyber security, then are companies actually using it to facilitate discussions aimed to better their cyber security posture? How often are they using it? Annually? Quarterly? Are they using it at all? And if companies are not using the de facto national standard for cyber security, then why is that the case?

If companies are using the Framework, how are they documenting discussions concerning improving their cyber security posture? Or are they just not documenting their cyber related discussions at all? Good cyber governance starts with information and discussion, traveling from bottom to top and then from top to bottom. There is no “run and hide” option here as that could land a board of directors with a major cyber breach on its hands and no documentation to rely upon to show they exercised their fiduciary duties of oversight over the enterprise’s risk management. It could also land the company in further hot water with the plaintiffs’ bar, which is becoming ever more successful, requiring the company to prove it did as best it could regarding cyber security despite the fact that a hacker still accessed its network.[vi]

More (and Better) Employee Training and Education

Employee cyber training and education concepts could themselves be the subject of any number of articles or books. We mention them here in an attempt to raise two points to consider:

1. Employee phishing and spearphishing training is imperative.

Some of the most notorious espionage cyber campaigns against companies and industries have started from the most innocent looking emails sent to an unsuspecting company employee or executive under the guise of an email from a bank or credit card company. When the employee unsuspectingly opens the email or its attachment, it drops malware on the company computer, which quickly spreads to the network. “Once on a system, the malware gathers information such as the operating system version, computer name, user name, and local IDs, as well as system drive and volume information. All the data that is collected is encrypted and sent to a cloud account … in an apparent attempt to avoid detection by anti-malware tools.”[vii] Then the hacker goes to work stealing the company’s most valued business information, including business plans, M&A-related information, consumer information, and personally identifiable information.[viii]

The above threat vector is called “phishing,” or its more advanced cousin, “spear phishing,”[ix] when an email “phishes” for an unsuspecting and usually innocent employee to inadvertently wreak havoc on a company by opening it. “91 percent of cyber-attacks start with spear phishing….”[x] “Phishing remains a very real threat to organizations of any size. Symantec research showing a 91% increase in spear-phishing attacks from 2012 to 2013 tells us that much.”[xi] Says another expert, “The pool of spear phishing targets in 2015 will be larger and not just limited to a select few, like executives….”[xii]

Many companies train their employees monthly using random phishing emails aimed to look like they came from either the company itself or another trusted source. Training employees on anti-phishing techniques should lower the success rate of phishing emails. Indeed one study showed that in one company, “between 26% and 45% of employees at those companies were Phish-prone, or susceptible to phishing emails. Implementation of [training] immediately reduced that percentage by 75%; with subsequent phishing testing over four weeks resulting in a close to zero phishing response rate across all three companies.”[xiii]

Training is a good idea. Investing in more training this year would be an even better idea.

2. Employee intrusion detection training is also essential.

Many companies now employ a host of various intrusion detection devices to attempt to detect a cyber-intrusion. These devices generally collect reams and reams of information called “logs,” which could contain evidence of either network anomalies or common host-based artifacts of data theft. These could include:

  • Evidence of abnormal user activity;
  • Evidence of login activity outside expected hours;
  • Odd connection durations;
  • Unexpected connection sources;
  • Evidence of abnormally high CPU or disk utilization;
  • Evidence of File Artifacts associated with the use of common compression tools; and
  • Evidence of recently installed or modified services.[xiv]
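As an added illustration (not part of the original article or of the text it cites), the Python example below checks constructed remote-access session records against three of the indicators listed above: login activity outside expected hours, unexpected connection sources, and odd connection durations. The business hours, expected network range, scheduled-account list and duration thresholds are assumptions that each organization would replace with its own baseline.

```python
import csv
import io
import ipaddress
from datetime import datetime, time
from statistics import median

# Constructed sample data: one row per remote-access session.
SAMPLE_LOG = """\
user,src_ip,start,end
alice,10.20.1.15,2015-01-05T09:02:00,2015-01-05T17:31:00
bob,10.20.1.22,2015-01-05T08:47:00,2015-01-05T16:58:00
alice,10.20.1.15,2015-01-06T09:10:00,2015-01-06T17:05:00
carol,10.20.2.40,2015-01-06T10:15:00,2015-01-06T18:20:00
bob,203.0.113.77,2015-01-07T02:13:00,2015-01-07T02:19:00
carol,10.20.2.40,2015-01-07T09:30:00,2015-01-09T06:45:00
svc_backup,10.20.9.5,2015-01-07T01:00:00,2015-01-07T01:40:00
"""

# Assumed policy values (hypothetical, tune to the real environment).
WORK_START, WORK_END = time(7, 0), time(19, 0)
EXPECTED_NETS = [ipaddress.ip_network("10.20.0.0/16")]
# Accounts that run scheduled jobs: exempt from hour and duration checks
# so that known-good activity does not bury analysts in false positives.
SCHEDULED_ACCOUNTS = {"svc_backup"}
SHORT_FACTOR = 10   # flag sessions shorter than baseline / 10
LONG_FACTOR = 3     # flag sessions longer than baseline * 3


def parse_sessions(text):
    """Parse CSV session records into dicts with typed fields."""
    sessions = []
    for rec in csv.DictReader(io.StringIO(text)):
        start = datetime.fromisoformat(rec["start"])
        end = datetime.fromisoformat(rec["end"])
        sessions.append({
            "user": rec["user"],
            "src": ipaddress.ip_address(rec["src_ip"]),
            "start": start,
            "minutes": (end - start).total_seconds() / 60,
        })
    return sessions


def analyze(text):
    """Return (user, start, [indicator names]) for every flagged session."""
    sessions = parse_sessions(text)
    interactive = [s["minutes"] for s in sessions
                   if s["user"] not in SCHEDULED_ACCOUNTS]
    # Baseline is the median interactive session length; None if no data.
    baseline = median(interactive) if interactive else None

    findings = []
    for s in sessions:
        hits = []
        scheduled = s["user"] in SCHEDULED_ACCOUNTS
        start = s["start"]

        # Indicator: login activity outside expected hours (or on weekends).
        in_hours = (start.weekday() < 5
                    and WORK_START <= start.time() < WORK_END)
        if not scheduled and not in_hours:
            hits.append("off_hours_login")

        # Indicator: unexpected connection source (checked for every account).
        if not any(s["src"] in net for net in EXPECTED_NETS):
            hits.append("unexpected_source")

        # Indicator: odd connection duration relative to the baseline.
        if not scheduled and baseline is not None:
            too_short = s["minutes"] < baseline / SHORT_FACTOR
            too_long = s["minutes"] > baseline * LONG_FACTOR
            if too_short or too_long:
                hits.append("odd_duration")

        if hits:
            findings.append((s["user"], start.isoformat(), hits))
    return findings


if __name__ == "__main__":
    for user, start, hits in analyze(SAMPLE_LOG):
        print(f"{start}  {user:<12} {', '.join(hits)}")
```

A session that trips several indicators at once, as the constructed 02:13 login does, is the kind of event that merits investigation first; a single indicator on its own often turns out to be benign.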

These logs are obviously very long and complicated. Given that many data breaches have occurred on a company’s servers long before they are discovered (an average of 229 days), and given that many of the high-end intrusion detection devices companies are employing are very good technically, many argue that there is a perceived mismatch between man and machine.

We are not sure there is a good answer to the man v. machine question. Some intrusion detection systems are so sophisticated that a lot of the high-level examination and analytical work can be done automatically, saving time and effort chasing false alerts and highlighting potentially malicious activity. Others are not. We express no opinion other than caveat emptor.

Nevertheless, company employees should be thoroughly and repeatedly trained on their intrusion detection systems so that false positives can be ignored and potentially dangerous incidents can be identified. Many intrusion detection vendors offer such training routinely, and it should be taken advantage of at all levels, as the more time malware is on company servers, the more time there is for it to wreak havoc on the network.

A Table-Topped, Battle-Tested, Infantry-to-Board of Directors, Incident Response Plan

In previous alerts,[xv] we have spoken at length about the value of Incident Response Plans (IRPs).[xvi] Below are some additional relevant facts:

  • The Ponemon 2014 Cost of Data Breach Study: United States reported that the average cost for each lost or stolen record was $195. However, if a company has a formal incident response plan in place prior to the incident, the average cost of a data breach was reduced by as much as $17 per record. Appointing a CISO to lead the data breach incident response team reduced the cost per lost or stolen record by $10.[xvii]

There has been much talk in the industry of the importance of a chief information security officer, or CISO. Though every organization has to make its own determination as to whether such a position is needed within its company, at the very least someone needs to be 100% responsible for network security issues. That role is often filled by the CISO.

According to the above statistics, a CISO can often be an incredible asset to any mid-to-large size company. As noted in one recent retailer breach, the company “didn’t have an advocate at the C-level, as an executive, advocating for IT security investment…. If [the company’s] senior management had known of such risks and what was at stake, they would have “made very different choices” as to how it structured its organization, and how it invested in capabilities to defend the company’s data.”[xviii]

  • IRPs should be practiced at least once a quarter and the owner of the IRP (presumably the CISO) should update the plan as needed to account for new plans, new vendors, or new data protection strategies.
  • IRPs should be practiced by everyone – from IT departmental heads, to CEOs, to board members – and should include vendors, forensic consultants, IR/PR consultants and lawyers to make the training as real as possible. It’s important to practice for the worst.  If something less than that occurs, then everyone should be on the same page when the next incident happens. If something in the IRP doesn’t work, then it would be good to know that beforehand, rather than during an actual data breach.

2015

For many companies, it is probably time to get serious. The events of December 2014 have proved that we have most likely entered into a whole new phase of cyber-intrusions, cyber-attacks and cyber-terrorism. Our network perimeters have plenty of penetration points to attack. And the Emperor’s New Clothes are showing.

The events of late 2014 will require a new round of discussion with boards of directors and their C-Suite executives about company cyber security policies and what companies can do to mitigate the cyber risks involved. The critical IP assets of a company need to be fully and completely identified and protected as best as possible, using a variety of strategies including virtualization and private cloud strategies. History has shown strong perimeter defenses are no barrier to a determined hacker. Board discussions must occur, changes/improvements need to be documented, and incident response plans (including provisions for the absolute destruction of data, not just theft or tampering) need to be reviewed, modified as necessary and practiced. At a minimum, companies can insure for some of their cyber risk exposures through cyber insurance. Network security takes a village, involving every employee of the company. A culture of security needs to be instilled in every person touching a keyboard or a keypad.

Additionally, as cyber breaches have impacted varying industries in the U.S., each has come away with separate lessons to be learned from each event. Because not all malware is one-of-a-kind, information sharing would be incredibly helpful to all organizations.  We cannot defeat this problem alone. We need to work together in a public/private partnership to share threat information. In this vein, Congress should pass the Cybersecurity Information Sharing Act as soon as possible in the coming term.[xix]

By using some of the strategies we outline above, we can hopefully do a better job this year protecting our companies, businesses, and employees.

We need to do better in 2015.

We wish our clients, business colleagues and friends a Happy, Healthy and Safe Cyber New Year.


[i] See “FBI: North Korea to Blame for Sony Hack,” available here.

[ii] Mr. Schneier, a security technologist, is a fellow at the Berkman Center for Internet and Society at Harvard Law School. His recent Op-Ed Essay in the Wall Street Journal is available here.

[iii] See “NIST Releases Cybersecurity Framework Version 1.0,” available here.

[iv] See the Framework, available here.

[v] Id. See generally, “Understanding and Implementing the NIST Cyber Security Framework,” available here.

[vi] See e.g. “Banks’ Lawsuits Against Target for Losses Related to Hacking Can Continue,” available here; “Another Target data-breach lawsuit can proceed, judge says,” available here.

[vii] See “’Inception’ Cyber Espionage Campaign Targets PCs, Smartphones,” available here.

[viii] See “Hackers Stealing Business Secrets to Game the Stock Market,” available here; “ICANN targeted by Spear Phishing attack, several systems impacted,” available here.

[ix] Spear phishing is a psychologically more compelling form of phishing based upon socially engineering the email to the unsuspecting employee.  See e.g. “3 low-tech threats that lead to high-profile breaches,” available here.

[x] See “APT Mitigation: The Human Way,” available here.

[xi] See “Phish Your Own Staff: Arming Employees to Beat Modern Attacks,” available here.

[xii] See “Spear Phishing: A Bigger Concern in 2015,” available here.

[xiii] See “New KnowBe4 Statistics Reveal Security Awareness Training Reduces Phishing Susceptibility by 75%,” available here.

[xiv] See Luttgens, Pepe and Mandia, “Incident Response and Computer Forensics,” (3rd Ed. 2014) at pg. 263-264.

[xv] See “The Importance of a Battle-Tested Incident Response Plan,” available here.

[xvi] See “The Importance of a Battle-Tested Cyber Incident Response Plan,” available here.

[xvii] See “Is Your Company Ready for a Big Data Breach?  The Ponemon Second Annual Study on Data Breach Preparedness,” available here.  

[xviii] See “Target’s Lack of CISO Was ‘Root Cause’ of Systems Breach,” available here.

[xix] See “Eyes turn to the next Congress as Sony hack exposes cybersecurity flaws,” available here.

D&O Insurance: No Coverage for Enforcement Action Because Claim First Made When SEC Subpoena Served Before Policy Inception

Posted in D & O Insurance

A recurring D&O insurance coverage issue involves the question of whether or not a subpoena constitutes a claim, as I have noted on prior posts (for example, here). When this issue comes up, the dispute is usually over whether or not there is coverage under the policy for the costs of responding to the subpoena and ensuing costs. But there are other implications if a subpoena is a claim, as was demonstrated in a January 6, 2015 decision (here) by District of Massachusetts Judge Rya Zobel.

 

Judge Zobel ruled that there was no coverage under Biochemics, Inc.’s D&O insurance policy for defense costs incurred in an SEC investigation and enforcement action against the company and its CEO where the company had been served with an investigative subpoena before the policy commenced. Judge Zobel held that the claim was first made when the subpoena was served before the policy incepted and therefore was not covered under the policy.

 

Background

On May 5, 2011, the SEC entered a formal order of investigation against BioChemics and its officers. On May 9 and September 12, 2011, the SEC served Biochemics with document subpoenas. The subpoenas referenced the formal order of investigation. On January 12, 2012, the SEC served deposition subpoenas on the company’s CEO and two other individuals. In March 2012, the SEC served subpoenas for additional documents on the company and its CEO. The 2012 subpoenas referenced the May 2011 formal order. In December 2012, the SEC filed an enforcement action against BioChemics, its CEO, and two stock promoters who had worked with BioChemics.

 

This coverage dispute involves the D&O insurance policy that Biochemics had in place during the period between November 13, 2011 and November 13, 2012. Biochemics had D&O insurance in place before November 2011, but the insurance had been issued by a different insurance carrier. Biochemics notified the new D&O insurer of the January and March 2012 subpoenas. The insurer denied coverage, contending that the entire SEC investigation was a single “claim” that had commenced when the SEC issued its first document subpoena in May 2011, before the insurer’s policy went into effect.

 

Biochemics and its CEO initiated a lawsuit against the insurer seeking coverage under the D&O insurance for the defense costs incurred in the investigation and enforcement action. The parties cross-moved for summary judgment.

 

The claims made D&O insurance policy at issue provided that “Coverage under this Policy shall apply only with respect to Claims deemed to have been first made during the Policy Period and reported to the insurer in accordance with the terms herein.”

 

The policy defined “Claim” to mean, among other things, any “civil, arbitration, administrative or regulatory proceeding against any Insured commenced by … the filing of a notice of charge, investigative order or like document.”

 

The policy also specifies that all Claims “arising from the same Wrongful Act and all Interrelated Wrongful Acts shall be deemed to be first made on the earlier date that (1) any of the Claims is first made against an Insured under this Policy or any prior policy.”

 

The January 6 Decision 

In her January 6, 2015 order, Judge Zobel granted the insurer’s motion for summary judgment and denied the plaintiffs’ motion. In reaching this conclusion, Judge Zobel stated that:

 

The triggering events are all part of a single SEC Investigation under the Formal Order. Each subpoena was issued under, and referred to, the original Formal Order, and investigated the same officers and company for the same pattern of security violations through public misstatements. Under the clear language of the policy and on the record before the court, the subpoenas all constituted a single “Claim” under the policy.

 

Because, Judge Zobel said, the investigation and enforcement action (that is, “the Claim at issue”) was “‘first made’ before the policy period,” it is, “therefore, not covered under the policy.”

 

Discussion

It is interesting to me that this decision reaching the conclusion that the claim was first made when the first subpoenas were served in May 2011 omits the usual debate about whether or not a subpoena is a claim. That probably is because the company was looking for coverage for the defense fees incurred in connection with the January and March 2012 subpoenas, and so couldn’t really take the position that a subpoena is not a claim. Just the same, it is noteworthy that Judge Zobel seemed to accept that a subpoena is a claim, without the usual dispute over whether a subpoena is a “proceeding” or whether a subpoena can trigger coverage without an allegation of a Wrongful Act.

 

The more practical question here is why Biochemics sought coverage for the SEC investigation and enforcement action from the carrier that issued the November 2011-November 2012 policy, and not from the carrier whose policy was in force prior to November 2011. There is no way to tell from Judge Zobel’s opinion alone, but I am guessing that Biochemics did not give notice to the prior carrier of the May and September 2011 subpoenas, and only sought insurance coverage from any carrier once the January and March 2012 subpoenas were served. At some point, it must have occurred to Biochemics that it should have sought coverage from the prior carrier but perhaps by then it was too late. UPDATE: An alert reader points out that Footnote 1 to Judge Zobel’s opinion may shed some additional light on this issue. Footnote 1 says “Claims are also pending in this action against plaintiffs’ insurance brokerage firm and an individual broker; they are not at issue at the current juncture.”

 

In any event, the important point here is that if a subpoena is a claim, then it is a claim for all purposes under the policy, including for purposes of determining the claims made date. The usual scenario is that an insured is seeking to establish that a subpoena is a claim in order to be able to establish coverage. Here, the fact that a subpoena is a claim and service of a subpoena establishes the claims made date wound up precluding coverage for this policyholder.

 

Will Investors Sue Over the Sony Hack Attack?

Posted in Cyber Liability

As I noted in my recent rundown of the top D&O stories of 2014, one of the most important developments during the year just finished was the emergence of cyber security as a D&O liability concern. During 2014, plaintiff shareholders launched cyber breach-related derivative lawsuits against the boards of Target and Wyndham (about which refer here and here, respectively). But arguably the highest profile cyber breach during the year was the hack attack on Sony Pictures Entertainment apparently related to the company’s release of the controversial movie “The Interview.” Though at least six class action lawsuits have been filed on behalf of present and former Sony employees, so far there have been no shareholder lawsuits filed.

 

According to a detailed and interesting analysis published in an unlikely source, a lawsuit against Sony would be “an uphill battle” – which of course does not mean that no one will give it a shot, but does mean that any shareholder that wants to try will face a “very difficult exercise.”

 

Here at The D&O Diary, we don’t ordinarily devote much time to reading articles published in the Hollywood Reporter, but then we found Jonathan Handel’s December 23, 2014 article in that publication entitled “Sony Hack: Will Shareholders Sue?” (here) to be particularly interesting. In summary, Handel concludes that it would be very difficult for a plaintiff to pursue a shareholder lawsuit against Sony Pictures Entertainment or its senior officials. The reasons why it would be so difficult fall into two general categories – the difficulties any claimant would face pursuing derivative suits, and difficulties a shareholder claimant would face that are particular to Sony.

 

First, a little bit of background. Sony Pictures Entertainment (SPE) is a wholly owned subsidiary of Sony Corp. SPE is a Delaware corporation with its principal place of business in California. Sony Corp. is a Japanese corporation whose shares trade in Tokyo and that also has American Depositary Receipts trading in the U.S.

 

Though Sony has ADRs trading on a U.S. exchange, it is unlikely that prospective claimants would seek to file a securities class action lawsuit against the company relating to the hack attack, because, Handel notes, the parent company’s share price “hasn’t moved decisively” as a result of the news surrounding the attack — which means that if shareholder claimants were to try to bring a lawsuit, they would likely have to proceed by way of a shareholder derivative lawsuit.

 

Handel speculates that a prospective derivative lawsuit claimant might want to try to allege what Handel describes as a series of “egregious misjudgments, such as allegedly lax cybersecurity and what plaintiff’s attorneys would no doubt call a reckless – or at least grossly negligent – decision to proceed with The Interview despite North Korean threats earlier this year. A third decision – to pull the movie, at least from major chains – could also come under fire.”

 

A shareholder attempting to bring a derivative lawsuit would of course face all of the hurdles that any derivative plaintiff would face. The prospective plaintiff would first have to make a demand on the company’s board demanding that the board itself launch the lawsuit, or plead in his or her complaint that demand would have been futile. If demand is made and refused, the plaintiff would have to plead that the demand was wrongfully refused.

 

The Sony defendants would also have all of the defenses that other defendants have in these types of cases. First, the defendants can rely on any exculpatory provisions the company may have in its bylaws or other charter documents. Second, the defendants would be able to rely on the business judgment rule to argue that the shareholders and the courts should not, absent extraordinary circumstances, second guess the board’s business decisions.

 

As if all of these hurdles and defenses were not enough to deter prospective claimants, there are additional considerations owing to the specific circumstances involved here. Because any prospective claimants would own shares (or ADRs) of Sony Corp., the parent company, and not of SPE, the subsidiary, the lawsuit would be filed not against the board of SPE, but would have to be filed against the parent company’s board, in the form of a “double derivative lawsuit.”

 

As Handel explains in his article, a double derivative lawsuit is “a procedural vehicle to remedy the claimed wrongdoing where the parent company board’s decision not to enforce the subsidiary’s claim is unprotected by the business judgment rule.” In other words, any claimant would have to argue not only that the SPE board’s conduct falls outside the protection of the business judgment rule, but also that the parent company’s board’s decision not to sue SPE also falls outside the protections of the rule.

 

There are still further complications. Because the investors who bought their Sony securities on U.S. exchanges hold ADRs and not shares, their rights and remedies are further defined by the Deposit Agreement that regulates the administration of the ADRs. Many ADR deposit agreements have choice of law clauses specifying the law that would apply in the event of a dispute between an ADR holder and the company or its executives. Although the deposit agreement provisions vary, the likelihood is that Sony’s deposit agreement specifies that Japanese law governs ADR holder disputes.

 

If Japanese law applies to claims brought by ADR holders, any claimant would face some potentially insurmountable hurdles. First, at least according to sources Handel cites in his article, current Japanese law does not allow double derivative actions. Second, while the Japanese legislature recently adopted revisions to the Companies Act, which governs Japanese corporations, those revisions are not effective until April 1, 2015 and are not retroactive. The new provisions are in any event restrictive, requiring among other things that the claimant hold at least a 1% interest in the company involved.

 

Despite all of these concerns, it is still possible that a claimant might try to file a lawsuit. But for all of the reasons cited above and discussed further in Handel’s article, any claimant would face a very difficult challenge. As one of the commentators cited in the article put it in characterizing the maze of difficulties a claimant would face, this situation is “like a law school exam.”

 

The circumstances surrounding cyber security breaches may yet prove to be a source of significant corporate and securities litigation. But the complicated circumstances surrounding the Sony hack attack underscore that pursuing these kinds of claims is never straightforward. And as I noted in connection with the dismissal of the lawsuit filed last year against Wyndham Worldwide, it remains to be seen whether or not erstwhile plaintiffs will figure out a way to overcome all of the procedural hurdles involved and manage to turn these kinds of lawsuits into a successful exercise.

 

I will say that I never thought I would have occasion to link to the Hollywood Reporter here for the publication’s legal analysis, but I have to admit that Handel’s article was interesting and is worth reading in full.

 

 

 

The Top Ten D&O Stories of 2014

Posted in Director and Officer Liability

The year just ended was an eventful one in the world of directors’ and officers’ liability. Many of the year’s key events represented significant changes in the D&O liability environment. Many of the changes during 2014 have important implications for 2015 – and possibly for years to come. The list of the Top Ten D&O Stories of 2014 is set out below with an eye toward these future possibilities.

 

1. Fee-Shifting Bylaws Emerge as a Possible Litigation Reform Tool: For years, defense advocates have sought to try to curb abusive litigation through reform legislation and other means, yet costly and burdensome corporate and securities litigation has continued to vex companies and their executives. However, an interesting new initiative has recently emerged – the attempt to achieve litigation reform through amendments to corporate bylaws.

 

The possibility of litigation reform through bylaw revision received a substantial boost in May 2014, when the Delaware Supreme Court in the ATP Tours, Inc. v. Deutscher Tennis Bund case upheld the facial validity of a bylaw provision shifting attorneys’ fees and costs to unsuccessful plaintiffs in intra-corporate litigation. This development quickly caught the eye of litigation reform advocates, as the adoption of fee-shifting bylaws seemed to offer a way for companies to reduce the costs of and possibly curb burdensome litigation. At the same time, however, shareholder advocates became concerned that these types of bylaws could deter even meritorious litigation.

 

The controversy that quickly followed over fee-shifting bylaws seemed headed for a swift resolution when the Delaware General Assembly quickly moved to act on a measure that would have limited the Supreme Court’s ruling to non-stock corporations (meaning that it wouldn’t apply to Delaware stock corporations). However, as discussed here, the legislature tabled the measure and now it will not be acted upon until early 2015.

 

While the proposed legislation remains pending, institutional investors are mounting a concerted effort in support of legislative action in Delaware “to curtail the spread of so-called ‘fee-shifting’ bylaws,” while business groups are conducting a campaign opposing the legislation.

 

Despite the current uncertainty in Delaware surrounding the issue, a number of companies have gone ahead and adopted some version of a fee-shifting bylaw. Alibaba, one of 2014’s highest profile IPOs, was among several companies that completed offerings during the year and that had adopted fee-shifting bylaws. These developments have triggered calls for the SEC to take action with regard to fee-shifting bylaws.

 

At the same time, while the debate in Delaware over fee-shifting bylaws has continued, there have been developments in other states suggesting that regardless of what the Delaware legislature ultimately does, the debate over fee-shifting bylaws will go on. Among other things, the Oklahoma legislature has adopted a provision mandating the shifting of fees in derivative suits. The Oklahoma provision specifically applies to derivative suits “instituted by a shareholder” where there is a “final judgment.” In those circumstances, the court “shall require the non-prevailing party or parties to pay the prevailing party or parties the reasonable expenses, including attorney fees . . . incurred as a result of such action.”

 

The larger question is whether or not these developments portend a significant revision of what is known as the American Rule, under which it has been the practice in the U.S. that each litigation party bears its own costs. As companies increasingly seek to introduce their own form of litigation reform through revision of their bylaws, and as courts and legislatures evolve their response to these kinds of bylaw provisions, there is a possibility these developments could work a major change to the traditional American Rule on attorneys’ fees — which in turn could have a significant impact on the corporate litigation environment.

 

The developments in the Delaware legislature with regard to fee-shifting bylaws will be one of the important issues to watch in 2015, as will the action or inaction on the topic by the SEC. It will also be interesting to see whether there are any related developments in other states on this topic as well.

 

2. Cyber Security Emerges as D&O Liability Concern: In a year that began with unfolding news of the massive Target data breach and ended with the malicious cyber intrusion at Sony Corporation, cyber security emerged as one of 2014’s overall top stories. It also became clear during 2014 that — along with the reputational risks and operational integrity issues — cyber security also increasingly represents a potential liability exposure for corporate directors and officers, as highlighted by two sets of lawsuits filed this year.

 

First, as discussed here, in January 2014, shareholders filed two derivative lawsuits in the United States District Court for the District of Minnesota against certain officers and directors of Target Corp. The two complaints alleged that the defendants were aware of how important the security of private customer information is to customers and to the company, as well as the risks to the company that a data breach could present. The complaints allege that the company “failed to take reasonable steps to maintain its customers’ personal and financial information,” and specifically with respect to the possibility of a data breach that the defendants failed “to implement any internal controls at Target designed to detect and prevent such a data breach.”

 

Second, as discussed here, a shareholder of Wyndham Worldwide Corporation initiated a derivative lawsuit against certain directors and officers of the company, as well as against the company itself as nominal defendant, related to the three data breaches the company and its operating units sustained during the period April 2008 to January 2010. As noted here, the company is already the target of a Federal Trade Commission enforcement action in connection with the breaches. The plaintiff alleges that “in violation of their express promise to do so, and contrary to reasonable expectations,” the company and its subsidiaries “failed to take reasonable steps to maintain their customers’ personal and financial information in a secure manner.”

 

While plaintiffs’ lawyers were quick to file these D&O lawsuits, it isn’t clear that this type of litigation will prove to be successful. Indeed, as discussed here, in an October 20, 2014 opinion, District of New Jersey Judge Stanley Chesler, applying Delaware law, granted the defendants’ motion to dismiss the complaint in the Wyndham Worldwide case. Judge Chesler found that the Wyndham board’s refusal to pursue the plaintiff’s litigation demand was a good-faith exercise of business judgment, made after a reasonable investigation.

 

It remains to be seen whether the plaintiffs’ lawyers will succeed in exploiting the continuing wave of data breaches as a source of D&O liability. However, it is clear that company boards and senior management will continue to face scrutiny for cyber security issues. As discussed here, SEC Commissioner Luis Aguilar underscored these concerns in a June 2014 speech in which he stressed that “ensuring the adequacy of a company’s cybersecurity measures needs to be a part of a board of director’s risk oversight responsibilities.” He added the warning that “boards that choose to ignore or minimize the importance of cybersecurity oversight responsibility do so at their own peril.”

 

3. U.S. Supreme Court Sidesteps Potentially Transformative Securities Litigation Issues, But One More Potentially Significant Case Remains on its Docket: For several months in early 2014, all eyes were on the U.S. Supreme Court as we awaited the outcome of the Halliburton case, which potentially could have been a game changer in the world of securities class action litigation. The case raised the possibility that the Court might reconsider or even dump the “fraud on the market” theory, on which the ability of investors to pursue securities claims as a class action significantly depends. In the end, because the Supreme Court left the fraud on the market theory unchanged, the Halliburton case did not have the disruptive effect that it might have. As Doug Greene put it on his D&O Discourse blog (here), Halliburton “may well have the lowest impact-to-fanfare ratio of any Supreme Court securities decision, ever.”

 

After the Supreme Court released its Halliburton decision, attention shifted to two other securities cases on the Court’s docket, particularly to the IndyMac case. As discussed here, in Public Employees’ Retirement System of Mississippi v. IndyMac MBS, the Supreme Court was to consider whether the filing of a class action lawsuit tolls the statute of repose under the Securities Act or whether the statute of repose operates as an absolute bar that cannot be tolled. Even though the case raised technical issues involving seemingly arcane legal doctrines, it had potentially significant practical implications. If the filing of a class action lawsuit does not toll the statute of repose, current practices regarding class action opt-outs could be significantly affected.

 

The IndyMac case was scheduled to be argued on Monday, October 6, 2014. However, in an unexpected turn of events, on September 29, 2014, the U.S. Supreme Court entered an order dismissing the writ of certiorari as improvidently granted, based on settlement-related developments in the underlying case, as discussed further here.

 

But while the Halliburton case did not transform the world of securities class action litigation, and though the Court dropped the IndyMac case without addressing the critical statute of repose issues, there is still one more securities case remaining on the Supreme Court’s docket, one that could still prove to be significant.

 

As discussed here, in March 2014, the U.S. Supreme Court agreed to take up the Indiana State District Council of Laborers v. Omnicare case, to determine whether or not it is sufficient to survive a dismissal motion for a plaintiff in a Section 11 case to allege that a statement of opinion was objectively false, or whether the plaintiff must also allege that the statement was subjectively false – that is, that the defendant did not believe the opinion at the time the statement was made.

 

The Supreme Court’s consideration of the Omnicare case will resolve a split in the circuits between those (such as the Second and Ninth Circuits) holding that in a Section 11 case allegations of knowledge of falsity are required; and those (such as the Sixth Circuit, in the Omnicare case) holding that allegations of knowledge of falsity are not required. The case is potentially important because the absence of allegations of knowledge of falsity is a frequent basis for dismissals of Section 11 suits in the Second and Ninth Circuits, where the vast preponderance of securities suits are filed. As it is, the current split would allow cases to go forward in the Sixth Circuit that would not survive in the Second and Ninth Circuits. The D&O Discourse blog commented that “Omnicare likely will have the greatest practical impact of any Supreme Court securities decision since the Court’s 2007 decision in Tellabs.”

 

The Court heard argument in the Omnicare case in November 2014 and is expected to issue its decision in the case before the end of the current term in June 2015.

 

4. Largest Ever Shareholder Derivative Suit Settlement Reached, Continuing Recent Emergence of Jumbo Derivative Suit Settlements: Until recently, derivative lawsuit settlements rarely involved a significant cash component. The settlements instead usually consisted of an agreement for the company concerned to adopt corporate governance reforms and the payment of the plaintiffs’ attorneys’ fees. One of the more noteworthy recent developments in the world of corporate and securities litigation has been the emergence of derivative lawsuit settlements involving a significant cash component.

 

This phenomenon was evident in 2013 in the $139 million News Corp. settlement, which was at the time the largest ever cash settlement of a shareholder derivative lawsuit. This trend continued in 2014 in two other derivative settlements, one involving Activision Blizzard, Inc. and the other involving Freeport-McMoRan, Inc., both involving massive cash payments, much of it reportedly to be paid by D&O insurers. The Activision settlement may represent the largest cash settlement payment ever in a shareholder derivative lawsuit.

 

As discussed here, on November 19, 2014, Activision, which is the maker of the popular videogames “Call of Duty” and “World of Warcraft,” announced the $275 million settlement of the shareholder derivative lawsuit that had been filed in Delaware Chancery Court. The lawsuit had been filed in connection with the transaction announced in July 2013 whereby Activision and an entity controlled by Activision’s two senior officers acquired over 50% of Activision’s outstanding shares from Vivendi S.A., its controlling stockholder, for approximately $8 billion in cash.

 

In its press release, Activision said that the $275 million settlement amount was to be paid to Activision itself by “multiple insurance companies, along with various defendants.” According to the November 19, 2014 Reuters article by Tom Hals (here), the Activision settlement is “the largest of a shareholder derivative lawsuit,” exceeding 2013’s $139 million News Corp. settlement. (My list of the largest derivative settlements can be found here.)

 

Shortly after the Activision settlement was announced, news of another massive derivative lawsuit settlement emerged. According to Liz Hoffman’s December 1, 2014 Wall Street Journal article (here), Freeport-McMoRan is nearing a settlement of more than $130 million to resolve a 2013 shareholder derivative lawsuit filed in connection with the company’s purchase of two oil-and-gas companies, as discussed here. The settlement would resolve allegations by Freeport’s shareholders that the company overpaid when it bought McMoRan Exploration and Plains Exploration & Production companies for a combined $9 billion. The shareholders had alleged that the Freeport board had conflicts of interest while negotiating the company’s purchase of the companies.

 

The Journal article reports that under the proposed settlement agreement, much of the more than $130 million to be paid in the settlement would be paid to the Freeport shareholders in the form of a special dividend. The total amount of the dividend is likely to exceed $100 million. According to the Journal article, “most of the cost of the settlement would be paid for using a special type of insurance policy that covers directors and executives, according to some of the people. Freeport would pay the rest.”

 

According to a December 1, 2014 WSJ MoneyBeat blog post about the settlement (here), this type of settlement providing for a dividend payment to shareholders is the “first example” of this type of settlement payout.

 

These recent settlements underscore the fact that shareholder derivative litigation has become a significant severity risk for companies and their directors and officers – and for their D&O insurers. The News Corp. settlement was funded entirely by D&O insurers and the Activision and Freeport-McMoRan settlements are to be funded at least in part by D&O insurance.

 

The rise of jumbo shareholder derivative lawsuit settlements has a number of implications. Among other things, it is a topic that will have to be considered as D&O insurance buyers consider how much insurance they will need to ensure that their interests are adequately protected.

 

5. IPOs Surge, IPO-Related Litigation Emerges: 2014 was a very strong year for IPOs globally, but in the U.S., where there were more IPOs this year than any year since 2000, this was an “exceptional” year, according to a report from accounting and consulting firm EY (here). According to the report, there were 288 IPOs completed in the U.S. during 2014 (through December 4, 2014, and inclusive of deals then expected to close by year’s end), which represents an increase of 27% over 2013 (when there were 225 IPOs). The U.S. IPOs raised around $95 billion, which, according to the report, represents a “new high.” By way of contrast, the 2013 U.S. IPOs raised about $62 billion.

 

The surge in IPO activity in the U.S. is, according to recent academic research, due at least in part to the so-called “IPO on-ramp procedures” in the Jumpstart Our Business Start-Ups (JOBS) Act, enacted in 2012. The JOBS Act’s IPO on-ramp procedures are designed to ease the process of going public for “emerging growth companies” (EGCs), which the Act defines as companies with annual revenues less than $1 billion. Under these provisions, EGCs may submit their draft registration statements to the SEC confidentially and only need to disclose their intention to list their shares 21 days before they start investor roadshows. The EGCs can also release just two years of audited financial statements, rather than the standard three, and need only disclose the compensation of the top three executives rather than the standard five.

 

In their paper entitled “The JOBS Act and IPO Value: Evidence that Disclosure Costs Affect the IPO Decision” (here), Michael Dambra of SUNY Buffalo, and Laura Casares Field and Michael Gustafson of Penn State report their findings that, controlling for market conditions, the JOBS Act provisions have boosted listings by 21 companies annually, a 25 percent increase compared to the average number of IPOs from 2001 to 2011, while at the same time IPOs in other developed countries have remained below their pre-2012 numbers.

 

Foreign issuers appear particularly keen to take advantage of the JOBS Act provisions. Non-U.S. companies completed 67 IPOs on U.S. exchanges during 2014, which represents more foreign IPOs than any other market and accounts for 52% of all cross-border deals globally. The non-U.S. companies raised $40.8 billion, which represents 81% of all capital raised in cross-border transactions. Cross-border IPO activity in the U.S. during the year was at its highest level since 2007. The cross-border deals originated in a number of countries, including China (16 IPOs); Europe (26 IPOs, of which 8 were from the UK); and Israel (8 IPOs).

 

There aren’t many downsides to this story, but if there is one concern worth noting it is that an increase in IPO activity will almost certainly translate into an increase in IPO-related securities litigation, as discussed here. Indeed, of the 170 new securities class action lawsuits filed during 2014, 17 of them (10%) involved IPO companies. Twelve of these IPO-related securities suits were filed in the year’s second half, suggesting that the IPO-related securities litigation picked up as the year progressed. Given the lag time between the date of an IPO and the date of a securities suit filing, and given the increase in IPO activity in 2013 and 2014, we should expect to see IPO-related securities litigation continue to increase in 2015.

 

6. Many Banks Prosper But Problem Institutions Remain and Failed Bank Lawsuits Continue to Accumulate: According to reports from the FDIC, banking institutions in this country continue to improve and are performing better than during the same period a year ago. However, even six years after the height of the financial crisis a significant number of problem institutions remain.

 

According to the FDIC’s latest Quarterly Banking Profile, the agency still rates 329 banks as “problem institutions.” (A “problem institution” is a bank that the FDIC ranks as a 4 or a 5 on its 1-to-5 scale of financial stability. The agency does not release the names of the banks it regards as problem institutions.) To be sure, the number of problem institutions has declined. The third quarter of 2014 was the 14th consecutive quarter in which the number of problem institutions declined. The number of problem banks is now 63 percent below the post-crisis high of 888 at the end of the first quarter of 2011. The number of problem banks at the end of the third quarter of 2014 represented the lowest number of problem institutions since the end of the third quarter of 2009, when there were 305.

 

The number of banks overall is also declining, as banks fail or merge out of existence and as few new banks emerge. As recently as the end of 2007, there were 8,534 institutions reporting to the FDIC. At the end of the third quarter 2014, the number of reporting institutions was down to 6,589, representing a decline of over 1,945 (a drop of over 22%). While the banking sector as a whole is improving, the number of problem institutions isn’t necessarily decreasing because the problem banks are getting better; in many cases, the problem banks simply no longer exist due to closures or mergers.

 

The percentage of problem banks remains surprisingly high given that we are now six full years past the peak of the financial crisis. As of the end of the third quarter, fully 5% of all banks continue to be ranked as “problem institutions” — and banks are continuing to fail. A total of 18 banks failed during 2014 (albeit only six during the year’s second half). This does represent fewer failures in 2014 compared to 2013 (when there were 24).

 

As of the latest report on the agency’s website, the FDIC has filed a total of 104 failed bank lawsuits during the current bank failure wave, with 20 suits filed in 2014 alone. The agency’s website notes that it has authorized lawsuits in connection with 148 failed banks, suggesting that there are more lawsuits yet to be filed beyond the 104 filed to date. As the bank closures continue to come in, the period during which the FDIC will be filing new failed bank lawsuits extends further into the future.

 

According to the FDIC, of the 104 lawsuits it has filed, 33 have fully settled and one resulted in a favorable jury verdict. These numbers imply a significant number of pending and as yet unresolved lawsuits that will continue to work their way through the system. There are a number of important implications from this continuing litigation.

 

First, it seems likely that we will continue to see significant judicial decision-making on issues relating to the liabilities of directors and officers. The failed bank litigation has already led to a number of significant D&O decisions. For example, in July 2014, in connection with a failed bank case pending in Georgia, the Georgia Supreme Court issued a landmark decision discussing the protections available under Georgia law to corporate directors and officers under the Business Judgment Rule, as discussed here. As the pending cases continue to work their way through the system we may see further judicial decisions affecting the liability exposures of directors and officers.

 

Second, in connection with insurance coverage litigation that has arisen in conjunction with the FDIC failed bank litigation, we will see further judicial decisions interpreting key D&O insurance policy provisions. For example, as discussed most recently here, there have been a number of interesting decisions addressing the question of whether or not the insured vs. insured exclusion found in most D&O insurance policies precludes coverage for claims brought by the FDIC in its capacity as receiver of a failed bank. So far, the cases have reached differing conclusions on this question, although several recent decisions have held that the exclusion does not preclude coverage. In any event, it seems likely there will be further judicial decisions interpreting D&O insurance policy language as the failed bank insurance coverage litigation unfolds.

 

Third, the pending litigation will continue to weigh on the D&O insurance carriers that are active in providing insurance to commercial banks. The ongoing litigation continues to produce adverse development in these carriers’ prior underwriting year results and to undermine their current calendar year results, a combination that is particularly painful in the current low interest rate environment (when there is less investment income with which to try to offset adverse claims experience).

 

7. SEC Awards Largest Ever Whistleblower Bounty Under the Dodd-Frank Whistleblower Program: According to the latest annual SEC whistleblower program report (about which refer here), there were 3,620 whistleblower reports to the SEC during the 2014 fiscal year (which ended on September 30, 2014).  That represents an increase of 382 (11.8%) over the 3,238 that were filed in the 2013 fiscal year. Overall, there have been a total of 10,193 whistleblower reports since the program commenced at the end of the 2011 fiscal year.

 

The agency still has made relatively few of the whistleblower bounty awards authorized under the Dodd-Frank Act, although the number of awards is slowly increasing. The agency has now made a total of 14 whistleblower awards, nine of which were made during the 2014 fiscal year.  The agency made more awards in the 2014 fiscal year than in all the other years of the program combined.

 

Most significantly, as discussed here, and in what is by far the largest whistleblower bounty award yet under Dodd-Frank’s whistleblower provisions, on September 22, 2014 the SEC announced an award of between $30 and $35 million to a whistleblower who provided original information that led to a successful SEC enforcement action.

 

One particularly interesting feature of this award is that the whistleblower is a foreign resident. According to the SEC’s press release this is the fourth whistleblower award to a resident of a foreign country, which the agency says “demonstrates the program’s international reach.” The head of the SEC’s whistleblower office is quoted in an agency press release as saying that the award “shows the international breadth of our program as we effectively utilize valuable tips from anyone, anywhere to bring wrongdoers to justice.” The whistleblower office head is also quoted as saying that “whistleblowers from all over the world should feel similarly incentivized to come forward with credible information about potential violations of the U.S. securities laws.”

 

A significant number of the whistleblower reports submitted to the SEC come from outside the U.S. During the 2014 fiscal year, the agency received whistleblower reports from a total of 60 foreign countries, and since the program’s inception, the agency has received reports from a total of 83 different countries. The countries with the largest numbers of reports during fiscal 2014 were the United Kingdom (70); India (69); Canada (59); and China (32).

 

While the SEC whistleblower program has attracted numerous reports from overseas whistleblowers, the Second Circuit recently held that the Dodd-Frank Act’s anti-retaliation provisions do not protect overseas whistleblowers (as discussed here). It remains to be seen whether the involvement of overseas whistleblowers will remain as active given this absence of anti-retaliation protection.

 

8. Big Corporate Scandals Make a Comeback: We will probably never again see a spate of massive corporate scandals of the type we saw more than a decade ago, when vivid stories of corporate misconduct involving companies such as Enron and WorldCom dominated the headlines. There have been a number of other high profile corporate scandals since that time, such as the Satyam accounting scandal and the scandal arising out of H-P’s acquisition of Autonomy. But while the emergence of financial scandals may be nothing new, a striking number of corporate scandals came to light during 2014.

 

Among the higher profile scandals is that involving Petroleo Brasileiro, S.A. (“Petrobras”). The massive corruption and money laundering investigation of Petrobras and its employees and executives by Brazilian officials has been widely reported in the global financial press. For example, as reported in a November 14, 2014 Wall Street Journal article entitled “Petrobras Scandal Widens, Earnings Delayed” (here), Brazilian federal police had arrested 18 Petrobras employees who allegedly “were part of a bribery and money-laundering scheme that has siphoned hundreds of millions of dollars from the state-owned oil firm into the pockets of employees, contractors and politicians.” The Journal also reported that the investigation, which has been dubbed “Operation Car Wash,” threatens “to upend the second term of recently re-elected President Dilma Rousseff.” The scandal reportedly has also drawn the attention of U.S. investigators.

 

The Petrobras scandal emerged shortly after another high-profile scandal involving another prominent non-U.S. company came to light. When Tesco PLC announced on September 22, 2014 that its previously forecast first-half profit had been overstated by £250 million ($408.8 million), the news of the accounting irregularities was “serious,” as Tesco PLC’s CEO of less than a month’s standing at the time put it. As bad as the initial announcement was, the news soon grew worse. On October 1, 2014, the company announced that the U.K.’s financial watchdog, the Financial Conduct Authority (FCA), had “commenced a full investigation” of the accounting irregularities at the company. The situation grew bleaker still on October 23, 2014, when the company announced that the amount of the overstatement was actually £263 million ($422 million), rather than the previously announced £250 million, and that the company’s Board Chair, Richard Broadbent, would be stepping down. An October 23, 2014 Bloomberg article describing the company’s interim results and the Chair’s resignation can be found here.

 

Both the Petrobras and Tesco scandals resulted in the filing of securities class action lawsuits in the U.S. (as noted here and here), as did the October 2014 disclosure of accounting issues at real estate investment trust American Realty Capital Properties.

 

As discussed in detail here with respect to the securities lawsuit filings against the company, on October 29, 2014, American Realty issued a press release (here) in which it disclosed the existence of an accounting error and subsequent cover-up relating to its financial statements for the first two quarters of 2014. The press release stated that the “error was identified but intentionally not corrected,” and that other adjusted funds from operations and financial statement errors “were intentionally made,” resulting in an overstatement of adjusted funds from operations and understatement of net loss for the first three and six months of the year.

 

According to a December 19, 2014 Wall Street Journal article (here), American Realty’s former Chief Accounting Officer, whom the company sacked following its disclosure of the accounting issues, has alleged in a defamation lawsuit she filed against the company’s CEO that the CEO “ordered subordinates to manipulate financial results at his firm.”

 

General Motors also experienced a massive scandal over the faulty ignition switches installed in its vehicles, and while that was a scandal of a different sort, it did also result in a securities class action lawsuit, as noted here.

 

These scandals underscore the treacherousness of the landscape in which D&O insurers must operate. It doesn’t take many of these kinds of problems to make D&O underwriters skittish. And though most companies will never become involved in anything like the disasters of the kind described above, these scandals do create an environment in which even much more modest problems are considered.

 

9. Environmental Issues Re-Emerge as a D&O Liability Concern: During the financial crisis, many issues and concerns that previously loomed large moved further down the agenda. Even though the recovery from the crisis is still uneven, some of the issues that fell by the wayside are moving back up the list of priorities. Environmental liability issues are among these concerns. Among other things, this has meant an uptick in D&O litigation arising from environmental issues.

 

In recent months, there have been a number of lawsuits filed based on alleged misrepresentations of the defendant company’s environmental compliance. As the derivative lawsuit filed in May 2014 against the board of Duke Energy highlights, environmental issues apparently are becoming an area of increasing focus for plaintiffs’ lawyers.

 

In addition, it does seem as if the plaintiffs are getting some traction in securities suits based on environmental compliance disclosures. For example, on August 7, 2014, the securities suit filed against Exide Technologies and certain of its directors and officers based on the defendants’ allegedly misleading statements about the company’s compliance with environmental regulations became the latest environmental disclosure securities suit to overcome the initial pleading hurdles. A copy of Central District of California Judge Stephen V. Wilson’s August 7, 2014 order denying the defendants’ motion to dismiss can be found here.

 

The survival of the environmental disclosure securities suit against Exide comes closely after the Second Circuit’s recent ruling in the JinkoSolar securities suit, discussed here, in which the appellate court reversed the lower court dismissal of the suit and concluded that the plaintiffs’ allegations concerning the alleged deficiencies of the defendant company’s environmental compliance disclosures were sufficient.

 

These cases underscore the fact that reporting companies’ environmental compliance disclosures are facing increasing scrutiny, making the quality of the environmental disclosures increasingly important.

 

In addition to these issues involving traditional environmental liability concerns, there may be reason to be concerned that D&O liability issues could arise from alarms over global climate change. As discussed here, in a series of letters sent to board members of various major energy companies and to a number of participants in the directors and officers liability insurance industry, three environmental groups contend that climate change denial by energy industry representatives presents a risk of personal liability to the individual energy company board members. The letters also contend that “the threat of future civil or criminal litigation could have major implications for D&O liability insurance coverage.” The letters were sent in late May by three environmental organizations – Greenpeace International, the World Wildlife Fund International and the Center for International Environmental Law – to board members at 32 energy companies and to 44 participants in the D&O insurance industry.

 

While one might question the environmental groups’ tactics and methods, it probably is a worthwhile exercise for the D&O industry to think about whether or not climate change related claims might be coming and to think about how the industry should be preparing to respond. The list of items to be considered includes questions about how these possibilities should affect pricing, underwriting and risk selection. The issues also should include terms and conditions – such as, for example, whether the provisions of the typical pollution and environmental liability exclusion found in many policies need to be revised.

 

10. U.S. Lawsuit Filings in the Wake of Overseas Regulatory Investigations Grew During the Year: The lawsuits investors filed in U.S. courts related to the Petrobras scandal are interesting on many levels. Among other things, the Petrobras lawsuits are representative of the growing phenomenon of U.S. securities litigation following the disclosure of a bribery or corruption investigation. Another securities suit filed about the same time, involving Cobalt International Energy, also followed after the announcement of a bribery investigation, as did the lawsuit filed in December 2014 against Sanofi, the lawsuit filed in August 2014 against Key Energy Services, and the lawsuit filed in March 2014 against Hyperdynamics Corporation.

 

While as a general matter there is nothing new about the filing of these kinds of follow-on securities lawsuits, there is one aspect of the Petrobras lawsuit filings that is particularly interesting and that may represent an emerging securities litigation filing trend. That is, the Petrobras lawsuits involve U.S. securities suit filings against a non-U.S. company based on disclosure surrounding a regulatory investigation outside the U.S.

 

In the past, the U.S. has been the most active country, particularly with respect to bribery investigations. However, several countries have recently become more active in enforcing their own anti-bribery laws, including, among others, China, Canada, and Brazil. These investigations have not only led to an increase in anti-corruption enforcement actions, but also in many cases have led to follow-on civil litigation as well.

 

There were a number of these kinds of follow-on civil actions filed in the U.S. during 2014. For example, in addition to the Petrobras lawsuit, and as discussed in greater detail here, in January 2014, Nu Skin Enterprises was hit with a securities class action lawsuit following news of an alleged investigation in China of the company’s allegedly fraudulent sales practices there. Similarly, in June 2014, China Mobile Games and Entertainment Group was hit with a securities class action lawsuit following the news of an anti-bribery investigation in China involving company officials, as discussed here.

 

These cases all involve investigations in the respective companies’ home countries. However, as discussed in detail here, for many companies, their most significant regulatory risk may be outside of their home country, and as the $489 million fine that GlaxoSmithKline paid to Chinese regulators in September 2014 demonstrates, the foreign country regulatory exposures increasingly are very substantial. Further complicating matters is that regulatory investigations increasingly involve cross-border collaboration and cooperation of multiple countries’ regulatory and enforcement authorities. The Libor interest rate manipulation and the foreign currency manipulation investigations both involved significant cross-border collaboration, as have the many trade sanctions violations investigations.

 

As overseas regulatory activity continues to increase, the incidence of follow-on civil lawsuit filings is likely to continue to grow as well. An interesting related question is whether the increase in regulatory activity will lead to increased civil lawsuit filings in courts outside of the United States. The inaccessibility of U.S. courts to investors who purchased their shares of non-U.S. companies on non-U.S. exchanges (as a result of the U.S. Supreme Court’s Morrison decision) may cause these investors to seek to pursue remedies in their own countries, or to seek legal reform to reduce procedural barriers to pursuing these kinds of claims.

 

These developments raise important issues about the liability exposures of the potentially affected companies as well as for their directors and officers. The liability exposures include not only the potential regulatory and enforcement risk but also the possibility of follow-on civil actions, brought by shareholders or others. The “others” that might bring claims include supervisory board members in those jurisdictions with the dual-board structure.

 

These issues in turn have important D&O insurance implications. The issues also present a particularly difficult challenge for D&O insurance underwriters involved in underwriting companies outside the U.S. as they must attempt to understand and anticipate these kinds of actions from regulators and how they may affect the companies under consideration.

 

Conclusion

There is always a lot going on in the world of D&O liability and insurance, and 2014 was no exception in that regard. But what is interesting is how so many of 2014’s key developments foreshadow coming events in 2015 and beyond. For example, the Delaware legislature’s ongoing consideration of fee-shifting bylaw legislation and the U.S. Supreme Court’s review of the Omnicare case, among many other pending issues, will only be resolved as 2015 unfolds.

 

For that reason, we will have to wait to see the implications of many of 2014’s key events. The one thing that seems certain is that 2015 will be an eventful year.

 

2014 – A Year in Blogging: I am sure that 2014 was an eventful year for many readers. It certainly was an action-packed year for The D&O Diary. One particular aspect of the year just ended highlights just how remarkable the year was for me. 

 

During 2014, my perambulations took me all the way from the shores of the Baltic Sea to the seacoasts of the Arabian Sea. 

 

In late March, I traveled to Stockholm, a beautiful city of fourteen islands on the coast of Sweden, at the mouth of Lake Mälaren, by the Stockholm archipelago and the Baltic Sea. As I noted in my blog post about the visit, “Stockholm is wreathed in water. With the brilliant blue skies and the waterfront buildings reflecting off the water’s surface, there were times during my visit when the city itself seemed to be floating on the water.”

 

In August, I was half a world away, in Mumbai, which surely is, as I noted in my blog post about my visit, one of the world’s most distinctive cities. Mumbai sits on the Arabian Sea on India’s west coast. The pictures below were taken, respectively, from the upscale Malabar Hill residential area, looking south along the seacoast, and facing the Arabian Sea at Juhu Beach. Mumbai is both the most fascinating and the most complex city I have ever visited.

 

My August trip to Asia included a stop in Singapore, a prosperous, equatorial city located on the Singapore Strait, which connects the Strait of Malacca to the west and the South China Sea to the east. The city’s modern central business district is oriented toward Marina Bay, which connects the Strait to the Singapore River. As I noted in my blog post about my visit, while strolling along the recently redeveloped riverfront, it is easy to forget that you are deep in the heart of Southeast Asia.

 

My travels to Scandinavia in March also included a brief stop in Copenhagen, Denmark’s capital city. Copenhagen faces the Øresund to the east, the strait of water that separates Denmark from Sweden, and which connects the North Sea with the Baltic Sea. Copenhagen has been described as the “world’s most livable city,” and after a short visit there (described in my blog post, here), it is easy to see why the city has that reputation. With its many parks, canals and quiet charm, Copenhagen is a very comfortable city.

 

I was again near the North Sea in late September, when I visited Edinburgh. As shown below, during the clear weather that prevailed while I was there, the view from the top of Arthur’s Seat afforded a view out the Firth of Forth to the North Sea beyond. While in Edinburgh, I was fortunate enough to hike the footpath that winds along the Water of Leith, a stream that runs from the Pentland Hills to the port city of Leith, on the Firth. Edinburgh proved to be a little bit of a surprise, as I noted in my blog post about my visit. Instead of the dark and gloomy domain perched on craggy peaks that I pictured, the city was (at least while I was there) bright, open, and while hilly, an uncommonly pleasant place in which to stroll around.

 

In November, I snuck in a short visit to Paris before heading to London for meetings there. As I noted in my blog post about the visit, here’s the thing you need to know about November in Paris. It can be cloudy, dark, and rainy — but it is still Paris.

 

Throughout my travels, I had the pleasure of meeting industry colleagues from around the world who follow my blog. It is great fun for me to meet so many people in so many places that read The D&O Diary. I feel tremendously enriched by meeting so many industry colleagues and making so many new friends. I look forward to making many more friends in the upcoming year. Here’s wishing a very happy and prosperous New Year to everyone who follows this blog, on whatever seashore you may call home.   

  

Securities Lawsuit Filings Increase Slightly in 2014

Posted in Securities Litigation

The number of securities class action lawsuit filings rose slightly in 2014 compared to 2013, although the number of filings during the year was below the longer-term annual average number of filings. Companies in the life sciences sector were particularly hard hit, as were companies in the computer services and in the financial services and oil and gas extraction industries.

 

Absolute Number of Lawsuit Filings: There were 170 new securities class action lawsuits filed during 2014, compared to 167 in 2013 and 152 in 2012. While the number of filings increased in 2014 for the second straight year, the 2014 filings were below the 1997-2012 annual average of 191. (Please see the notes at the end of this post regarding data sources and counting methodology.)

 

Relative Number of Lawsuit Filings: While the absolute number of filings in 2014 was below the long-term annual average filing number, the number of filings in 2014 relative to the number of publicly traded companies tells a different story. The fact is that there are many fewer publicly traded companies than there were a few years ago.

 

According to NERA (here), in 1997, there were 8,884 U.S.-listed companies. By the end of 2012, there were only 4,916 U.S.-listed companies, representing a decline of over 44%. Even though the number of listed companies increased during the year as a result of IPO activity, there were still only about 5,100 U.S.-listed companies at the end of 2014. That means that with 170 lawsuits filed in 2014, the percentage of U.S.-listed companies subject to a securities lawsuit during the year was approximately 3.3%, which is above the 1997-2012 average annual filing rate of 2.85%.

 

This distinction between the absolute and relative filing figures is important. It would be all too easy to look only at the absolute number of filings during 2014 and conclude based on the fact that the 2014 number of filings was below long term annual averages that securities lawsuit filings are down. In fact, however, relative to the number of public companies, the filing rate in 2014 was actually up. Or to state the same thing in a more meaningful way, during 2014 it was likelier that a publicly traded company would get hit with a securities lawsuit than it was during the period 1997-2012.

 

Courts in Which the Lawsuits were Filed: The 2014 securities class action lawsuits were filed in numerous different courts. There was at least one securities lawsuit filed in 39 different U.S. district courts. However, many of the filings during 2014 were concentrated in just a few courts.

 

There were, for example, 50 new securities lawsuits filed in the Southern District of New York, representing 29.4% of all 2014 filings.

 

There were a total of 29 new securities suits filed in the U.S. District Courts in California (including 13 in the Central District of California and 19 in the Northern District of California), representing about 17% of all 2014 filings.

 

Taken together, the filings in the district courts in New York (including both the Southern District of New York and the Eastern District of New York) and the district courts in California accounted for a total of 82 securities lawsuit filings, or more than 48% of all 2014 lawsuit filings.

 

Interestingly, there were also 15 new lawsuits filed in the District of New Jersey, representing about 9% of all 2014 filings.

 

Together, the filings in the district courts in New York, California and New Jersey represented 57% of all 2014 securities lawsuit filings.

 

Industries of Companies Sued: The 2014 securities lawsuit filings were spread across a large number of different industries. The companies hit with securities suits in 2014 were spread across 89 different Standard Industrial Classification (SIC) codes. There were, however, certain industries where the filings were concentrated.

 

Companies in the life sciences sector were particularly hard hit. There were a total of 36 securities class action lawsuits filed against companies in the 283 SIC code group (Drugs), representing about 21 percent of all 2014 filings. Among those 36 companies was a subset of 23 companies in the 2834 SIC code category (Pharmaceutical Preparations), representing 13.5% of all 2014 filings in that one SIC code category alone. In addition, there were also seven companies hit in the 3800 SIC Code series (Measuring and Analyzing Instruments), including five in the 384 SIC code group (Surgical, Medical and Dental Instruments and Supplies). There were also two companies hit in the 8731 SIC Code category (Commercial, Physical and Biological Research).

 

Taking all of these lawsuits collectively, there were a total of 45 companies sued in these various life sciences-related SIC categories, meaning that life sciences companies accounted for a total of more than a quarter of all securities lawsuits in 2014 (about 26.4%).

 

Companies in the computer services and semiconductor industries were also hard hit. During 2014, 13 companies in the 737 SIC code group (Computer Programming and Computer Services) were hit with securities suits, as were five companies in the 3674 SIC Code category (Semiconductors). Together these two high tech categories accounted for about 10.5% of all 2014 filings.

 

Together lawsuits against life sciences and high tech companies accounted for well over a third of all 2014 securities lawsuit filings (about 37%).

 

The downturn in the oil and gas sector also led to an increase in the number of lawsuit filings against companies in the oil and gas businesses. During 2014, companies in the 1300 SIC code group (Oil and Gas Extraction) were hit with eleven securities class action lawsuits, representing about 6.4% of all 2014 filings.

 

As has been the case in recent years, there were a significant number of lawsuits filed in 2014 against companies in the financial services sector. During 2014, 22 companies in the 6000 SIC Code series (Finance, Insurance, and Real Estate) were hit with securities suits, representing about 13% of all 2014 filings. While these lawsuits represent a significant portion of 2014 suits, the filings against financial companies were down in 2014 compared to recent years. For example, according to Cornerstone Research (here), filings in which financial companies were the primary defendant represented 15% of all 2013 filings. During 2008 and 2009, during the peak of the financial crisis, filings in which financial companies were the primary defendant represented 37% and 34% of all filings in those years, respectively.

 

Lawsuits Against Foreign Companies: According to NERA (here), about 16% of all companies listed on U.S. exchanges are domiciled outside the U.S. During 2014, 32 non-U.S. companies were hit with securities class action lawsuits. These suits involving foreign companies represented about 19% of all 2014 lawsuit filings, meaning that during 2014, foreign-domiciled companies were disproportionately targeted. The percentage of lawsuits filed against foreign companies was up in 2014 compared to 2013, when suits against foreign companies represented about 15% of all suit filings.

 

The 2014 filings against foreign companies included lawsuits filed against companies registered in or with principal places of business in 15 different countries – although this count is complicated by the “Flash Boys” high frequency trading securities lawsuit, in which the massive list of defendants includes company defendants from a number of foreign companies. I have made no attempt to account here for the foreign defendants in the high frequency trading lawsuit.

 

The foreign country with the highest number of companies sued in 2014 was China, which had ten companies sued during the year. Indeed, five companies sued in 2014 had the word “China” in the company name. No other country had more than two companies named as defendants in lawsuits during 2014.

 

Merger Lawsuits: In past years, a significant number of securities lawsuit filings have arisen out of merger transactions. The number of merger objection securities lawsuits filed in federal court in 2014 was down compared to recent years. 18 of the 2014 securities suits related to merger activity, representing about 10.5% of all 2014 securities suits.

 

Lawsuits Involving IPO Companies: The numbers of initial public offerings completed in 2013 and 2014 were up significantly compared to recent years. As discussed here, the 288 IPOs completed during 2014 represents the highest annual number of IPOs since the dot com boom year of 2000.

 

Along with the increased numbers of IPOs has come increased numbers of IPO-related securities suits, as discussed in greater detail here. During 2014, there were 17 securities lawsuits filed against IPO companies, representing 10% of all filings during the year. Of the 17 companies sued, two had completed their IPOs in 2012, eight had completed their offerings in 2013 and seven had completed their offerings in 2014.

 

Given the increase in the number of IPOs during 2013 and 2014 and in light of the usual lag time between the IPO date and the date of lawsuit filings, it seems probable that there will continue to be significant numbers of filings in the months ahead involving IPO companies.

 

A Final Note About Data Sources and Methodology: The data used in the analysis above were compiled from a variety of sources, including media outlets (such as Bloomberg and Yahoo Finance), online legal news services (including Law 360 and Advisen), and other online data services (including the Stanford Law School Securities Class Action Clearinghouse). In addition, during the course of the year, I took advantage of opportunities to audit my lawsuit dataset by comparing it to those being compiled by other litigation monitoring services.

 

In counting the securities class action lawsuits, I count each company sued for the same basic set of allegations only once, which is different from the methodology used by other prominent litigation monitoring sources. At least some of these services count each lawsuit separately (at least if the complaint is filed in a separate judicial district), unless and until the separate lawsuits are consolidated. The different methodologies used will not only result in different litigation counts, but it could also result in differing analytical conclusions. It is very important to understand the methodologies used by the different prominent litigation monitoring services and to understand how the methodologies used will affect analyses of the data.  

 

That Time the Entire Cyber Security Exposure Narrative Changed

Posted in Cyber Liability

The hack attack on Sony Pictures Entertainment was massive, and it had a devastating effect on the company. As detailed in the December 30, 2014 Wall Street Journal article entitled “Behind the Scenes at Sony as Hacking Crisis Unfolded,” (here), the hackers who attacked Sony’s systems didn’t just pilfer the company’s data — they erased the data, rendering the company’s entire computer system and landline phones unusable. The malicious hackers also “created maximum chaos” by leaking five Sony movies onto the Internet, along with thousands of internal documents (including a host of embarrassing emails) and the Social Security numbers and other personal information of over 47,000 people, including current and former employees.

 

While at one level the Sony attack rightly may be described as unprecedented, it was not even the worst corporate attack in 2014. Bloomberg’s Report on the worst 2014 data breaches (here) reported that Sony had 47,000 records stolen, but 83 million records were stolen from J.P. Morgan, affecting 76 million households and seven million small businesses. The Home Depot hack resulted in the theft of 100 million records, including 56 million credit cards and 53 million email addresses. The data breach at eBay, in which hackers stole email addresses, physical addresses and login credentials, may have affected up to 145 million active users.

 

However, as unprecedented as the Sony hack attack was, and as massive as the other breaches during 2014 were, none of these represent the “change” to which I was referring in the title of this blog post.

 

Instead, I was referring to the news about a couple of other cyber incidents that might have been overlooked in all of the hoopla over what a Sony executive may have said about Angelina Jolie in an internal email. These two cyber incidents that came to light in December are “downright scary,” in the words of a December 22, 2014 Computerworld article about the incidents and entitled “Cyberwarfare: Digital Weapons Causing Physical Damage” (here), as both incidents resulted in “physical damages in the real world.”

 

The first of these two incidents, as reported on in a December 10, 2014 Bloomberg article (here), involved a 2008 cyber attack on a Turkish pipeline. The hackers, believed to be Russian, exploited a vulnerability in the pipeline’s surveillance camera software to infiltrate the pipeline’s internal network. The hackers shut down alarms, cut off communications and super-pressurized the crude oil in the line, resulting in a fiery explosion. The blast managed to put the pipeline out of commission without triggering a single alarm and resulted in massive losses for the private companies and governments with interests in the pipeline. Among other things, this incident is significant from an historical perspective, as it preceded the 2010 Stuxnet cyber incident in which Iran’s nuclear centrifuges were damaged.

 

The second of the two incidents was disclosed in a December 2014 report by Germany’s Federal Office for Information Security. According to the report (here, in German), a German steel factory suffered massive damage when hackers managed to access the factory’s production networks, allowing the hackers to tamper with the controls of a blast furnace. After the system was compromised, individual system components began to fail. As a result of the failures, one of the plant’s blast furnaces could not be shut down, resulting in “massive damage” to the plant. A December 19, 2014 PC World article about the incident can be found here.

 

As disturbing as the malicious hack attack at Sony was, these physical damage incidents represent an entirely different category of cyber security threat. There are a host of implications from these threats, among which are the problems this type of cyber breach physical damage presents from an insurance perspective. Property insurers are moving quickly to make it clear that they do not intend to provide insurance for property damage arising from this type of peril. For their part, the cyber insurance carriers are not interested in expanding their coverage to pick up this type of exposure either; right now, they are so spooked from the losses associated with the Target and Home Depot breaches that they have little appetite for picking up coverage for an exposure of unknown but potentially devastating scope.

 

If nothing else, these cyber breach property damage incidents underscore the fact that it is a dangerous world out there. The scope of the threat posed by the possibility of these types of incidents recurring is uncertain, but it certainly doesn’t help that the possible damage that another incident like this might involve may not be insurable in the current insurance marketplace.

 

One more note about the Sony cyber incident. Sony’s experience following the cyber attack highlights the importance of one aspect of the coverage that privacy and network security policies do offer — that is, the coverage for business interruption following a cyber breach. The Journal article to which I linked above details the way that Sony’s business processes and operations were completely disrupted by the breach. Among other things, the article (published a month after the attack commenced) states that Sony’s network is “expected to be fully operating again with eight weeks.” Business interruption may be one of the most significant effects of a disruptive cyber attack – in Sony’s case, that may even have been among the objectives of the hackers’ malicious attack on the company.

 

Mind Blowing Fact of the Day: I thought it was pretty interesting to read in a January 3, 2015 article in The Economist entitled “Robber Barons and Silicon Sultans: Self-Made Wealth in America” (here) that “Each iPhone contains the same amount of computing power as was housed in MIT in 1960.”

 

But what really blew me away was the following statement in another article in the same issue of the magazine entitled “There’s an App for That: The Future of Work” (here): “According to Benedict Evans of Andreessen Horowitz, the new iPhones sold over the weekend of their release in September 2014 contained 25 times more computing power than the whole earth had at its disposal in 1995.”

 

All that computing power so phone owners can take selfies, play Candy Crush Saga, and post pictures of their cats on Facebook.

 

In thinking about the cyber security stories discussed above and about this information about the growing availability of computing power, there is much to contemplate concerning the lack of data security over digital domains as our world becomes increasingly digital.

 

Securities Litigation: A Double Whammy for Foreign Investors When U.S. Securities Suit Claimants Recover Financial Misrepresentations Losses?

Posted in Uncategorized

After investors recently launched a securities class action lawsuit against Petrobras and certain of its directors and officers on behalf of those who purchased the company’s ADSs on U.S. exchanges, I speculated on whether or not investors who purchased their Petrobras shares in Brazil and are therefore precluded from participating in the U.S. lawsuit might try to file their own separate action in Brazil, subject to whatever procedural limitations might apply there.

 

This speculation in turn triggered an email exchange with Brazilian readers who alerted me about the press coverage in Brazil following the filing of the U.S. lawsuit. Among other things, the Brazilian press coverage has raised the question whether the ADS investors have avenues to seek redress under U.S. law that are simply not available to those who purchased their Petrobras shares on the Brazilian exchange.

 

According to a December 14, 2014 post on the CLS Blue Sky blog (here), this discrepancy in the remedies available to investors for the same essential alleged wrongdoing and harm depending on where they bought their shares has arisen in Brazil before.

 

The blog post, by Érica Gorga, a Professor at Fundação Getulio Vargas São Paulo Law School and a research scholar at Yale Law School, takes a look at two prior situations in which Brazilian companies with securities listed on U.S. securities exchanges were sued in U.S. securities class action lawsuits, while Brazilian investors were left out with respect to their personal investment losses. (The blog post presents a summary of the author’s longer scholarly paper, which can be found here.)

 

According to Gorga’s analysis, not only did the U.S. investors in those two prior cases recover compensation for their losses while the Brazilian investors did not, but the company’s settlement payments to the U.S. investors left Brazilian investors even worse off in a sort of double-whammy Gorga calls a “double circularity.”

 

The two prior situations that the author examined involved Sadia S.A. and Aracruz Celulose S.A. Both of these companies and certain of their directors and officers were sued in securities class action lawsuits in the U.S. on behalf of investors who purchased the companies’ American Depositary Receipts on U.S. exchanges. The Sadia U.S. lawsuit, which is described here, settled for $27 million. The Aracruz U.S. lawsuit, which is described here, settled for $37 million.

 

Shareholders of these two companies who purchased their shares on Brazilian exchanges also tried to initiate litigation in Brazil, relying on the same alleged wrongdoing alleged in the U.S. lawsuits. However, the author notes, “because of the lack of private class actions” in Brazil, the Brazilian investors “had to rely on derivative suits, which provided only a small recovery to one of the companies, rather than to harmed investors.”

 

The author says that the Sadia and Aracruz cases “provide concrete examples of the financial value distribution that characterizes the current system of transnational securities litigation.” The current state of affairs where investors who purchase their shares on U.S. exchanges can attempt to seek redress of their investment losses for alleged financial misrepresentations while investors who purchased their shares elsewhere cannot underscores the “costs borne by foreign investors” when non-U.S. companies cross-list in the U.S. As she puts it, the non-U.S. investors “who usually don’t enjoy the same antifraud protections overseas – due to the lack of appropriate law or enforcement mechanisms – are compelled to accept wealth transfers to U.S. investors.” These phenomena, the author suggests, are “aggravated” by the U.S. Supreme Court’s decision in Morrison v. National Australia Bank.

 

In commenting on this “wealth transfer,” the author suggests that the investors who purchased their shares in cross-listed companies on non-U.S. exchanges are hit with a sort of double whammy. This phenomenon is due in part to the so-called “circularity problem” in securities litigation, which refers to the fact that innocent shareholders who did not participate in the securities fraud bear the cost of compensating investors who lost value.

 

When a cross-listed company is involved, there is an extra layer of costs imposed on foreign shareholders, beyond those associated with the circularity problem. In what the author calls a “double circularity” problem, the shareholders who purchased their shares of the company on a non-U.S. exchange “bear twice the costs of failures in a company’s corporate governance practices: first, when their shares lost value due to the wrongdoing per se; second, when they bear the costs of indemnification paid exclusively to U.S. security holders.”

 

While the author’s analysis of these issues is focused particularly on the two Brazilian examples, these “foreign-bearer” costs are “likely to be generalized to foreign investors in all jurisdictions.” And while some jurisdictions have developed forms of aggregate litigation to provide avenues for redress for harmed investors, “there remain serious doubts whether these actions will provide an effective institutional framework that fully supports collective litigation and financial recovery.”

 

The general direction of the author’s analysis would seem to be a prelude to a call for other jurisdictions to provide investors who purchase shares on the jurisdiction’s exchanges with remedies equivalent to those available in the U.S. Indeed, she does note that there has been speculation in the wake of Morrison that the restriction on the availability of remedies in U.S. courts for non-U.S. investors might lead to the expansion of investor remedies elsewhere. However, she also notes there are a host of structural restrictions – the absence of contingency fees, the loser pays model — that cut against the adoption of these kinds of reforms in many jurisdictions. Indeed, she notes, if there were a jurisdiction where the need for development of new remedies would seem to be apparent, it would be Brazil in the wake of the Sadia and Aracruz cases — but nothing along those lines has developed there, at least so far.

 

After reviewing a number of academic reform proposals, the author comes out in favor of a “system of adjudication of transnational securities litigation providing equal treatment for securities holders subject to the same wrongdoing regardless of the national of the purchasers or the location of the purchase/sale,” which could be achieved “through issuer or investor choice of applicable legal regime.”

 

Discussion

Before the U.S. Supreme Court’s Morrison decision, it was a frequent topic of discussion whether so-called f-cubed lawsuits – involving claims by foreign investors who bought their shares in foreign companies on foreign exchanges – were appropriately being heard in the U.S. However, when the U.S. Supreme Court made it clear in the Morrison case that the U.S. securities laws do not apply to f-cubed cases, the practical impact arguably may have been – at least from the perspective of this academic’s article – to substitute one problem for another.

 

The author’s paper describes what she calls the transnational securities litigation problem, in which different investors have different remedies (or some investors have no remedies) for similar wrongdoing based solely on where the investors bought their shares. Her paper emphasizes not just that the different investors have different remedies, but that the availability of remedies to one group of investors arguably comes at the expense of the other investors. This is an interesting and valuable insight.

While I appreciate the value of the author’s observations, I nonetheless believe certain additional considerations need to be taken into account.

First, the presence of D&O insurance may ameliorate the concern the author describes. As the author acknowledges in her longer academic paper, most of the cost of one of the U.S. securities suits against the two Brazilian companies (Aracruz) was paid for by the company’s D&O insurers, and thus was not borne by non-U.S. investors. (The author notes that the cost of the D&O insurance was borne by all investors, but inured to the benefit only of the investors who purchased shares on U.S. exchanges.)

Because in many cases U.S. class action securities litigation settlements are funded in whole or in part by D&O insurance, the magnitude of the adverse financial impact on non-U.S. investors from the settlement of U.S. securities litigation often arguably will be significantly less than the author suggests. The frequent role of D&O insurance in these kinds of settlements is a factor that adds a layer of complexity to the analysis of these issues and arguably reduces the magnitude of the “double circularity” issue the author describes.

Second, the “transnational securities litigation problem” the author describes arguably is at least in part a side-effect of advantages that the U.S. securities markets have in the global financial marketplace. To be sure, the availability of securities litigation remedies to investors who purchase securities on the U.S. exchanges means that companies with securities listed on the U.S. exchanges face a heightened risk of litigation. This litigation risk is well known and often decried, both within and outside the U.S. Yet despite these well-recognized litigation risks, non-U.S. companies continue to list their shares on U.S. exchanges. Indeed, as I noted in a recent post on 2014 IPOs, 23% of all IPOs on U.S. exchanges during 2014 involved non-U.S. companies, and these non-U.S. company IPOs represented 52% of all cross-border IPO deals globally during the year.

There are of course a host of reasons why non-U.S. companies seek to list their shares on U.S. exchanges. I would argue that among the reasons companies seek U.S. listings is that, because of the requirements for transparency and accountability, a U.S. listing communicates a willingness to be subject to a certain level of scrutiny. One of the elements of the increased scrutiny prevailing in U.S. securities markets is the ability of investors who purchase their shares to collectively seek damages for financial misrepresentations. The increased level of accountability supports transparency, which in turn supports overall market confidence.

The absence of remedies to investors who purchase shares elsewhere is of course a detriment to those investors, but the availability of remedies is a clear advantage to investors who purchase shares on the U.S. exchanges. The availability of these remedies in turn helps support the U.S. markets’ reputation for transparency that makes the U.S. exchanges an attractive place for companies to list their shares. From that perspective, then, the circumstances of which the author complains are part of the features that make the U.S. exchanges attractive to issuers and to investors.

Third, I have long thought that the absence of equivalent investor remedies in other countries sooner or later would motivate investors to agitate for reform in their home countries. Change has been slow in coming. But despite the lack of progress to date on these issues, the prospect for the development of mechanisms for redress within individual countries seems likelier to occur than the development of complex mechanisms of the kind the author supports that would require cross-border collaboration of securities regulators.

Finally, there is the possibility that certain existing mechanisms could also provide investors with avenues for redress. It is beyond the scope of this blog post, but there have been developments in the Netherlands that suggest means by which global investors could seek to recover investment losses. In addition, there have been class action developments in other countries (including in particular Canada and Australia) that could also allow for global class actions where jurisdictional requirements in those countries are otherwise met. In other words, there may be other forces at work that could help ameliorate the transnational securities litigation problem that the author describes.

A final note. It may be that the two prior cases to which the author refers may not have been sufficient to provoke a change in the remedies available to Brazilian investors. I wonder whether the scope and scale of the new Petrobras scandal might be enough to bring about change. Brazil only recently adopted strong antibribery laws, yet authorities have moved quickly to move against corruption. Could the same kind of thing develop with respect to allegations of securities fraud?