The D&O Diary

The D&O Diary

A PERIODIC JOURNAL CONTAINING ITEMS OF INTEREST FROM THE WORLD OF DIRECTORS & OFFICERS LIABILITY, WITH OCCASIONAL COMMENTARY

Corruption Allegations Lead to Securities Lawsuits

Posted in Foreign Corrupt Practices Act

litfundingI was on a panel at a law firm event last week during which I was asked to make some predictions for 2015. Among other things, I said that I thought we would see an increase of securities class action lawsuit filings following in the wake of regulatory investigations, especially bribery investigations. I also said that many of these lawsuits next year will involve bribery investigations being led by governments other than that of the United States. Well, we not yet into the new year, but there has already been a flurry of activity consistent with my predictions.

 

First, on November 30, 2014, plaintiff security holders filed a securities class action lawsuit in the Southern District of Texas against Cobalt International Energy, Inc., certain of its directors and officers, certain investment firms that allegedly controlled the company, and its offering underwriters. In their complaint, which can be found here, the plaintiffs allege that the company, which has oil well operations in Angola, “obtained access to its Angolan wells from the Republic of Angola through apparent bribery and by partnering with shell companies in Angola that were partially owned by high-level Angolan officials, putting the company at serious risk of enforcement action” by the DoJ and the SEC. The complaint alleges further that the company misrepresented the value of its wells in Angola after the Company learned that the wells contained very little or no oil.

 

The complaint further alleges that, in reliance on offering documents allegedly containing these alleged misrepresentations, the company conducted several equity and debt securities offerings between February 2012 and May 2014 involving the sale by the company and selling shareholders of billions of dollars of stock and debt securities. On February 21, 2012, the company disclosed that the SEC was investigating the company for possible FCPA violations with regard to the company’s Angolan operations. On August 5, 2014, the company announced that the SEC had issued the company a Wells Notice stating that the SEC was recommending an enforcement action against the company. An August 5, 2014 Bloomberg article discussing the SEC investigation can be found here.

 

On August 27, 2014, the company announced that the Angolan government had terminated the partnership interests in Cobalt’s Angolan oil projects of two Angolan companies with whom Cobalt had partnered. On November 4, 2014, the company disclosed that based on testing of one of its Angolan well, which it has previously stated was a “large, well-focused high impact well,” the well contained neither oil nor gas. The plaintiffs allege that as a result of these disclosures about the bribery investigation and about the well the companies share price declined. The plaintiffs seek damages under federal securities laws.

 

Second, on December 8, 2014, a plaintiff shareholder filed a securities class action in lawsuit in the Southern District of New York against Petroleo Brasileiro, S.A. (“Petrobras”) on behalf of those who purchased the company’s American Depositary Shares on a U.S. exchange during the period May 20, 2010 through November 21, 2014. The complaint, which can be here, alleges that the company made materially “false and misleading statements” by “failing to disclose a multi-year, multi-billion dollar money-laundering and bribery scheme” allegedly taking place at the Company since 2006. The plaintiff’s lawyer’s December 8, 2014 press release describing the lawsuit can be found here.

 

The corruption and money laundering investigation of Petrobras and its employees and executives by Brazilian officials has been widely reported in the press. For example, as reported a November 14, 2014 Wall Street Journal article entitled “Petrobras Scandal Widens, Earnings Delayed” (here), Brazilian federal police had arrested 18 Petrobras  employees who allegedly  “were part of a bribery and money-laundering scheme that has siphoned hundreds of millions of dollars from the state-owned oil firm into the pockets of employees, contractors and politicians.” The Journal also reported that the investigation, which has been dubbed “Operation Car Wash,” threatens “to upend the second term of recently re-elected President Dilma Rousseff.” The scandal reportedly has also drawn the attention of U.S. investigators as well.

 

The complaint alleges that the company inflated the value of construction contracts with other large Brazilian companies “for the sole purpose of receiving kickbacks.” The complaint also alleges that the company overstated various items on its balance sheet “because the overstated amounts paid on inflated third-party contracts were carried as assets on the balance sheet.” The complaint alleges that as a result of the publicity surrounding the scandal, the arrest of numerous company employees and executives and of the questions about the company’s financial statements the company’s ADS price declined 46% between September 5, 2014 and November 24, 2014. The plaintiff seeks to recover damages under the U.S. federal securities laws.

 

Discussion  

The phenomenon of civil litigation following in the wake of a bribery or corruption investigation is nothing new, as I have previously noted on this blog. Just the same, these new lawsuits are interesting, particularly the lawsuit involving Petrobras. Both of them involve allegations of bribery and other misconduct against multinational oil companies, although in connection with operations in different countries.

 

What is particularly interesting about the Petrobras case is that it represents a securities lawsuit filed against a non-U.S. company based on disclosure surrounding a regulatory investigation outside the United States. As I mentioned at the outset of this blog post, I think we will be seeing more of these kinds of follow on lawsuits in the months ahead. There have already been a number of them this year. For example, as discussed here, in January 2014, Nu Skin Enterprises was hit with a securities class action lawsuit following news of an alleged investigation in China of the company’s allegedly fraudulent sales practices there. Similarly, in June 2014, China Mobile Games and Entertainment Group was hit with a securities class action lawsuit following the news of an anti-bribery investigation in China involving company officials, as discussed here.

 

While these two cases and the Petrobras case involve lawsuits arising following corruption investigations, there have been other U.S. securities lawsuits filed involving other types of investigations by non-U.S. regulators. For example, as discussed here, Jinko Solar, a U.S.-listed Chinese company, is involved in a U.S. securities class action lawsuit filed in 2011 following in the wake of a Chinese environmental enforcement action.

 

I think the number of these kinds of cases growing out of non-U.S. regulatory and enforcement actions will only increase. And while the cases I have referenced all involve investigations by each company’s home country regulator, I suspect that in the future we will see cases following on regulatory investigations outside of companies’ home countries. As I discussed in detail here, for many countries, their most significant regulatory risk may be outside of their home country, and as the $489 million penalty that GlaxoSmithKline paid to Chinese regulators earlier this year demonstrates, the foreign country regulatory exposures increasingly are very substantial.

 

When I first saw the new lawsuit involving Petrobras and involving the company’s huge scandal, it made me think Tesco, the U.K. grocer that is involved in its own scandal in its home country. Both companies are domilciled outside the U.S., but both of them have now been hit by securities lawsuits in the U.S. filed on behalf of plaintiffs who bought their securities in the companies on U.S. exchanges. Because of the Morrison decision, shareholders of the companies who purchased their shares outside the U.S. cannot be a part of the U.S. securities class action. In Tesco’s case, lawyers in the U.K. are now organizing efforts to initiate an action in the U.K. on behalf of shareholders of the company who bought their shares on the London Stock Exchange, as discussed here.

 

These efforts in the U.K. on behalf of Tesco shareholders makes me wonder – might similar efforts develop in Brazil on behalf of Petrobras shareholders who purchased their shares in the company in Brazil? As I noted in a recent post, Brazil’s laws do provide for a form of class action litigation, and as of the last time I looked into the subject, there were additional reforms to the existing procedures pending. Brazil’s procedures may or may not be suitable as a vehicle for aggrieved Brazilian Petrobas shareholders to seek redress, but enterprising attorneys might seek to try to make what they can out of existing procedures and remedies to try to obtain a recovery for the shareholders. I hope that my Brazilian readers will let me know what they think of the possibility of a civil action in Brazil on behalf of Petrobras shareholders and will  let me know if there are any developments in that regards,

 

It is also worth noting that in the last few days there has recently been an absolute rash of new U.S. securities lawsuit filings involving non-U.S. company defendants. By my count, of the eleven new securities lawsuits that have been filed since November 24, 2014, eight have involved non-U.S. companies. Overall during the year, and according to my interim tally, there have been 30 securities class action lawsuits filings involving non-U.S. company defendants  (representing about 18% of all lawsuits) out of a YTD total of about 160 lawsuits so far this year, which is roughly comparable to last year’s percentage but well above longer term levels.

 

One final note. While follow on civil lawsuit often follow in the U.S. after bribery investigations are announced the track record on these kinds of lawsuits arguably is not all that great (refer for example, here and here).

Guest Post: Cyber Security: The Importance of a Battle-Tested Incident Response Plan

Posted in Cyber Liability

weiWith all of the high profile data breaches that have taken place in recent months, cyber security is a critical topic at the top of just about everyone’s agenda. In the following guest post, Paul A. Ferrillo of the Weil Gotshal law firm takes a look at the best approach to the cyber security challenge in the current environment and he also details the critical components of a cyber incident response plan. A version of this article was previously published as a Weil client alert.

 

I would like to thank Paul for his willingness to publish his article as a guest post on this site. I welcome guest post submissions from responsible authors on topics of interest to readers of this blog. Please contact me directly if you think you would like to submit a guest post for publication. Here is Paul’s guest post.

 

*****************************************************

 

“The scope of [the Sony Pictures Entertainment (SPE)] attack differs from any we have responded to in the past, as its purpose was to both destroy property and release confidential information to the public….The bottom line is that this was an unparalleled and well planned crime, carried out by an organized group, for which neither SPE nor other companies could have been fully prepared.”

 – Remarks by Kevin Mandia, “Sony Investigator Says Cyber Attack ‘Unparalleled’ Crime,” Reuters, December 7, 2014[i]

 

“The days of the IT guy sitting alone in a dark corner are long gone. Cybersecurity has become an obvious priority for C-Suites and boardrooms, as reputations, intellectual property and ultimately lots of money are on the line.”

 – Priya Ananda, “One Year after Target’s Breach: What have we learned?” November 1, 2014.[ii]

 

“Resiliency is the ability to sustain damage but ultimately succeed. Resiliency is all about accepting that I will sustain a certain amount of damage.”

 – NSA Director and Commander of U.S. Cyber Command Admiral Mike Rogers, September 16, 2014.[iii]

 

We have definitively learned from the past few months’ worth of catastrophic cyber security breaches that throwing tens of millions of dollars at “preventive” measures is simply not enough. The bad guys are too far ahead of the malware curve for that.[iv] We have also learned that there are no such things as quick fixes in the cyber security world. Instead, the best approach is a holistic approach:  basic blocking and tackling such as password protection, encryption, employee training, and strong, multi-faceted intrusion detection systems[v] really trump reliance on a “50 foot high firewall” alone. But there are also two more things that are critical to a holistic cyber security approach: a strong, well-practiced Incident Response Plan (IRP), and, as Admiral Rogers noted above, the concept of cyber-resiliency, i.e., the ability to take your lumps, but continue your business operations unabated.

 

In this article, we tackle two questions: (1) What are the essential elements of a Cyber IRP? and (2) Why are IRPs so important to your organization?

**

 

The Organizational IRP Paradigm: Basics and Important Initial Questions

For assistance with these questions, it is helpful to review The National Institute of Standards and Technology’s (NIST) “Computer Security Incident Handling Guide,”[vi] which notes:

 

Computer security incident response has become an important component of information technology (IT) programs. Cybersecurity-related attacks have become not only more numerous and diverse but also more damaging and disruptive. New types of security-related incidents emerge frequently. Preventive activities based on the results of risk assessments can lower the number of incidents, but not all incidents can be prevented. An incident response capability is therefore necessary for rapidly detecting incidents, minimizing loss and destruction, mitigating the weaknesses that were exploited, and restoring IT services.

 

In short, the NIST provides the raison d’être for an IRP: preventive measures are necessary, but not sufficient, to sustain operations in the face of the omnipresent cyber threat. A response capability, and a plan for executing it, is a necessity. It is important to note that each element of an effective IRP has multiple sub-elements, and multiple levels of complexity. Resultantly, effective IRPs must not and cannot be “one size fits all.” They will differ depending on an organization’s size, complexity, and industry sector, as well as on the types of personally-identifiable information (PII) stored by the organization, and where that data is stored.

However, prior to examining the intricacies of an effective IRP, we need to focus on the questions that directors, officers, CIOs, partners, and other senior executives must ask about their company’s IRP prior to learning that the inevitable has become reality: that “we’ve been hacked.” Those questions become apparent in light of the ultimate goal of responding to a cyber threat: “get back in the game (safely)” as soon as possible in order to keep your customers, investors, and reputation intact. An attendant goal is to demonstrate to regulators, such as the SEC, OCIE, FINRA, or FTC, that you have paid attention and planned ahead. The questions, then, include, among other things:

 

  •   Does the organization have a standing, written, and enterprise-wide IRP?
  •  Has the IRP been tested, in terms of both its ability to discern between cyber “events” and cyber “incidents,” and the organization’s ability to execute the IRP following an incident?
  •  Does the IRP get the organization back in the game?

 

For the uninitiated, a cyber “event,” according to the NIST, is “an observable occurrence in an information system or network.” A cyber “incident” is a disruptive occurrence, a “violation of computer security policies, acceptable use procedures, or standard security practices”[vii]. In a recent book co-authored by Kevin Mandia – the founder (quoted above) of security consulting firm, Mandiant (now FireEye/Mandiant) – entitled Incident Response and Computer Forensics, Mandia simplifies this definition for today’s cyber environment:

 

An incident is “any unlawful, unauthorized, or unacceptable action that involves a computer system, cell phone, tablet, and any other electronic device with an operating system or that operates on a computer network.”

 

In sum, a cyber “event” may ultimately be ok if it is determined, either by intrusion detection/surveillance systems or trained cyber technicians, that the event is something akin to “normal.” It follows, then, that if following detection, an event rises to the level of a cyber “incident,” it needs to be investigated further according to an IRP. Because if it is not “normal,” it could result in catastrophic consequences if not properly and fully identified (network-wide), promptly addressed, and quickly remediated. Examples of incidents include denial of service attacks launched against a network, spear phishing attempts aimed at distributing malware within a network, nation-state hacks, or cyber extortion attempts.

 

Once the above questions have been asked and answered, an organization and its leadership are ready to respond to the inevitable discovery that “we’ve been hacked.” Instead of “Now what?,” the answer is “Now let’s immediately invoke our IRP.”

 

So, what does an IRP look like?

 

Essential Elements of an IRP

Though there are hundreds of cyber security consultants in the marketplace today that could provide a very complex version of an IRP, here are the basics (as least as we and NIST see them): 

 

1. Preparation, Ownership and Testing of the Incident Response Plan

Just as many high-rise buildings have their own emergency evacuation plans to respond to an event of a fire or another catastrophe, and practice them with their tenants several times a year, all companies should have a table-top tested, written IRP ready to respond to an incident of a cyber attack. Directors and officers should consider the following elements essential to an IRP:

 

A.     Documentation, Management Buy-In, and the IRT: The IRP needs to be in writing, fully documented and regularly updated in order to prevent any surprises when it is invoked after an incident has been detected. For the same reason, it should have full sign-off and approval by senior management. The IRP should explicitly define the professionals (including in-house personnel as well as third-party vendors) who make up the Incident Response Team (IRT).

 

o   The IRT must clearly delegate authority (who does what), and establish sustainable, open lines of communication and workflow (who reports to whom). It should include a legal component (whether in-house or outside counsel, but most likely both) that is skilled in forensic investigations, disclosure obligations, and the preservation of evidence, since law enforcement may ultimately be involved depending upon the severity of the breach. Companies should also consider including both a Human Resources representative and a Finance Department designee on the IRT to anticipate and address issues that may arise after the incident.

 

B.     Ownership: The IRT and IRP should be “owned” by one person in the organization who is designated as the head of the IRT. Reporting to the head of the IRT should be a deputy with strong incident response experience, and who can serve as an alternate owner of the IRP. Underneath the head and the deputy should be skilled incident response handlers with strong technical intrusion detection and forensic skills. The size and shape of the internal IRT may vary from company to company, and are obviously budget- dependent since 24/7 IRT coverage comes with a price.

 

Of course, if the organization is solely based in the U.S., it is possible to have only one owner of the IRP and one head of the IRT. In a global organization, however, the “one owner” policy may not be possible or even practical. Global organizations need to “globalize” their IRPs so that a local “owner” is in place who can be nearer to the action and to the designated third-party vendors. A local owner will also likely be more familiar with local laws relating to cyber and privacy-related disclosures that may be implicated during an investigation of a cybersecurity breach.

 

C.     Identification and Selection of Third-Party Vendors: Many companies rely in part on third-party vendors to help guide them through a data breach.[viii] An IRP should pre-identify and designate these vendors, who should be on a 24/7 retainer in the event of a breach. Outside counsel should be involved in retaining the vendors to preserve any applicable privileges, since evidence of a breach developed by the IRT and its vendors may become necessary if actual data loss is involved.

 

D.     Crisis Communications Capabilities: The IRT should include both internal and external crisis communications strategists because, depending upon the severity of the breach and the potential for severe reputational damage, there will likely be disclosure obligations (both formal and informal) following the breach. Formal disclosure of the breach to law enforcement authorities like the FBI or U.S. Secret Service may be warranted if the company suspects cyber criminality may have played a role in the breach. Notification of any “material” breach to investors may be necessary under U.S. Securities and Exchange Commission guidance, or in any event, may be necessary in order to reassure investors that the company is addressing the cyber breach and doing everything possible to protect investors and consumers. Finally, some sort of formal notification may be required in various local jurisdictions depending upon privacy issues. Because of potential formal notification requirements, it is important to have internal and/or external lawyers involved with, and overseeing, breach notifications.[ix] In short, a good crisis management/investor relations firm with experience in major corporate catastrophic events should be on retainer. There is not much worse that a major hack and the associated costs involved other than losing the faith and trust of customers, clients and patients.  That could cause a “death spiral” that may be insurmountable.

 

E.      Practice, Practice, Practice.: Without it, IRPs and IRTs are no good. An organization needs to conduct drills on a regular basis (we recommend at least quarterly) so that all members of the IRT and associated third-party vendors know exactly what they are supposed to be doing in the event of a major cyber security incident. A good IRT works in together like a crew team rowing a scull. Everyone needs to row in cadence. And in the same direction.

 

2. Detection and Analysis of Threat Vectors, or “Houston, We have a Problem”

No IRP will be effective without the ability to accurately detect and assess events and possible incidents. Typically, this requires a continuously changing array of both software and hardware necessary to detect incidents from a variety of threat vectors. Organizations need to be able, through “continuous monitoring,”[x] to identify “indicators” or “evidence” of an attack through network monitoring systems such as “event-based alert monitoring” and “header and full packet logging.” Both are designed to collect transferred data to help the IRT generate digital signatures, network system activity logs, or identify data that might show evidence of compromise.

 

Because many cyber attacks today are found to flow from a one-time-only use of malware that has no recognized signature to identify it as a threat, many companies are now transitioning to a signature-less intrusion detection system. One long-term industry expert noted in a recent interview, “We don’t know what to look for when nobody else has seen it. The [signature] model breaks down… How you protect yourself from a shotgun blast is very different than how you protect yourself from a sniper’s bullet. Traditional protection mechanisms are geared toward those noisy mass attacks.”[xi]To combat this cyber attack technique, “Rather than relying on detecting known signatures, [many] companies marry big-data techniques, such as machine learning, with deep cyber security expertise to profile and understand user and machine behavior patterns, enabling them to detect this new breed of attacks. And to avoid flooding security professionals in a sea of useless alerts, these companies try to minimize the number of alerts and provide rich user interfaces that enable interactive exploration and investigation.”[xii]

 

Whatever the monitoring system in place (including antivirus software alerts), incident response information may contain evidence of either network traffic anomalies or of actual data theft which could lead one to conclude that there has been a data breach. Today, many monitoring systems are automated (and even outsourced) because large organizations can potentially have tens of thousands of incidents daily that need to be analyzed, correlated, and investigated. Logs should be kept and retained for some defined period (e.g., 30 days) as a matter of good course as they may be needed for a breach investigation.

 

3. Containment

Containment means “how do we stop the bleeding” so that no further damage can be done. As this is a complicated area, both in-house and outside legal experts and third-party vendors should be consulted. A containment program should involve:

 

  •  Removing the attacker’s ability to access the network;
  •  A plan to isolate infected systems, forensically copy them and transfer them to another off-grid environment; and
  •  Triaging and analyzing the infection or malware so that an eradication plan can be formulated.

 

Assuming the company has come to the conclusion that a breach has occurred, and that PII has been compromised, it is important to have the IR/PR/legal team advise the IRT on potential disclosure obligations under federal law (like HIPPA), state law, or under the law of a foreign government (EU/UK directives), where applicable. Similarly, disclosure to the company’s cyber insurance provider will be necessary. Depending on their terms and conditions (which should be continuously reviewed), many cyber insurance policies provide coverage that allows a company to take advantage of forensic and remediation services as well as the services of a “breach coach” and suggested third-party vendors if the company does not have such vendors on retainer.

 

4. Remediation and Eradication

Remediation and Eradication means “fixing the problem” as rapidly as possible after the threat vector is fully identified so that the attacker doesn’t have time to change his method or mode of attack. Eradication efforts could involve:

 

  • Blocking malicious IP addresses identified during the investigation;
  • Changing all passwords;
  • Patching holes in the network architecture that are identified during the investigation; and/or
  • Fixing all vulnerabilities identified during the investigation.

 

5. Lessons Learned Post-Mortem

Cyber post-mortems are like many post-event discussions. Lessons can always be learned about what went right with the IRP (where the company excelled), what went wrong or what didn’t work so well, and what areas can be improved upon by the entire IRT so that it can perform better during the next incident investigation.

 

Why is an Effective Incident Response Plan So Important to Any Organization?

We placed this section here at the end of the article because, frankly, we didn’t want to give away the punchline too early. But we kind of did already with Admiral Roger’s quote above. An effective IRP is absolutely vital to an organization because: (1) it has already been hacked (or doesn’t know it yet), and (2) an organization needs to be able to take a “cyber punch,” and get off the canvas to fight another day. An effective, table-top practiced IRP is important for a variety of other reasons:

 

  • If the company is in a specific industry sector, especially the regulated financial services sector, regulators will specifically ask whether the organization has an IRP.
  • A battle-tested IRP may be evidence of cyber security best practices if the company is later the subject of a lawsuit or regulatory proceeding resulting from disclosure of the breach.
  • A battle-tested IRP will hopefully prevent an organization from having a cyber incident develop into a catastrophic event, either financially, reputationally, or both, which could cause the company’s demise or death if there is a “run on the bank” following disclosure of the cyber incident.

 


[i] See “Sony Investigator Says Cyber Attack ‘Unparalleled’ Crime.”

[ii] See “One Year After Target’s Breach: What Have We Learned?

[iii] See “NSA Director Rogers Urges Cyber-Resiliency.”

[iv] See “Sony Films Are Pirated, and Hackers Leak Studio Salaries;” “Hackers Using Lingo of Wall St. Breach Health Care Companies’ Email;” and “Hacking the Street,” a Fire Eye/Mandiant Special Report.

[v] See “Intrusion Detection FAQ: Can you explain traffic analysis and anomaly detection?

[vi] See NIST “Computer Security Incident Handling Guide,” Special Publication 800-61, (hereinafter, the NIST Incident Handling Guide).

[vii] Id.

[viii] Three of the larger companies that we and our multi-national clients regularly deal with from an incident response perspective are Fire Eye/Mandiant, Verizon, and IBM. See https://www.fireeye.com/; http://www.verizonenterprise.com/products/security/; and http://www-935.ibm.com/services/us/en/it-services/security-services/emergency-response-services/?S_TACT=R02102GW&S_PKG=-&cmp=R0210&ct=R02102GW&cr=google&cm=k&csr=IT+Emergency+Response+Services_UN&ccy=us&ck=security%20services&cs=b&mkwid=sk3dL6Acl-dc_49046510203_4326fb30773. There are certainly other companies in the incident response space that have the ability to respond to domestic breaches, see e.g. http://www.krollcybersecurity.com/

[ix] In some cases, and for some larger companies, it may even be important for companies to consider “off the grid” communications systems, like temporary cellphones and satellite phones so that key IRT members can communicate with each other in the event that the breach also effects a company’s corporate phone lines. See “Spike in Cyber Attacks Requires Specific Business Continuity Efforts.”

[x] “Continuous Monitoring” is the hallmark of an Implementation Tier 4 organization in the NIST cybersecurity framework. See NIST Cyber Security Framework.

[xi] See “On prevention vs. detection, Gartner says to rebalance purchasing.”

[xii] See “Why Breach Detection Is Your New Must-Have, Cyber Security Tool.”

Top Treasury Official’s Speech Urges Adoption of Cyber Risk Insurance

Posted in Cyber Liability

trasOfficials across a range of federal regulatory agencies have made it clear that promoting cyber security is an increasing priority. A critical part of the federal officials’ message has been the message that cyber security should be a corporate governance priority for company executives and corporate boards. For example, in a June 2014 speech, SEC Commission Luis Aguilar highlighted the cyber security oversight responsibilities of corporate boards. Nor are the regulators’ efforts in this regard limited to speech-making; the Federal Trade Commission’s recent action against Wyndham Worldwide related to cyber breaches the company experienced underscores that these regulatory concerns may translate into enforcement action.

 

Deputy Treasury Secretary Sarah Raskin, the second-ranking official at the agency, in a December 3, 2014 speech to the Texas Bankers’ Association (here), reiterated many of these same messages. In her speech, Raskin, who previously served as a member of the Federal Reserve Board, presents ten questions that that company executives and corporate boards should be asking with respect to cybersecurity concerns. Her speech, which is addressed in particular to the cyber security oversight issues that banking institutions face in the current environment, provides a particularly good overview of the topic.

 

The ten questions that Raking poses are organized into three categories of activities: (1) baseline protections; (2) information sharing; and (3) response and recovery.

 

Of particular interest to readers of this blog is one of the questions that Raskin posed within the first category of baseline protections. Among the questions that she asks is what amounts to a ringing endorsement for companies to adopt cyber risk insurance.

 

Her fourth question overall in her list of ten questions suggests that senior officials at banking institutions should be asking “Do we have cyber insurance? And if we do, what does it cover and exclude?” She adds that officials should also be asking “Is our coverage adequate based on our cyber risk exposure?”

 

Raskin’s comments include the observation that though the market for cyber insurance is relatively new, it is growing. She notes that more than fifty carriers now offer some type of cyber insurance, and that cyber insurance products now exist for companies of all sizes. She also noted that “policyholders can now find coverage to match a broad array of cyber risks ranging from liability and costs associated with data breaches to business interruption losses and even tangible property damage caused by cyber events.”

 

Raskin noted that while cyber insurance cannot protect institutions from cyber incidents, it “can provide some measure of financial support in case of a data breach or cyber incident.” She also observed that the underwriting processes for cyber insurance can “help bolster your cybersecurity controls,” because “qualifying for cyber risk insurance can provide useful information for assessing your bank’s risk level and identifying cybersecurity tools and best practices that you may be lacking.”

 

Raskin also notes that officials at the Treasury department have been thinking about how to “encourage an environment where market forces create insurance products that enhance cybersecurity for businesses,” noting that “we can imagine the growth of a cyber insurance market as a mechanism that bolsters cyber hygiene for banks across the board.” (Raskin defines “cyber hygiene” as the engagement in “fundamental practices to bolster the security and resilience of your networks and systems.”)

 

Raskin is far from the first governmental official to suggest that cyber risk insurance should be an important part of companies’ efforts to try to address their cybersecurity exposures. For example, in its October 2011 release provide guidance on cyber risk disclosures (here), the SEC specifically noted that among the things that companies should be disclosing with respect to the company’s cyber risk exposures is a “description of relevant insurance coverage.”

 

While in many respects Raskin’s speech represents a reiteration of messages that other agencies and corporate officials have already made, it is nevertheless a very good summary of the responsibilities of corporate officials with respect to cybersecurity issues. Among other things, her speech emphasizes the fact that the adoption of appropriate cyber risk insurance should be a key part of companies’ response to the growing risk of cyber security exposures.

 

One final observation about Raskin’s speech is to note her emphasis that cybersecurity risk is a problem not just for the largest companies and financial institutions. It is not just a problem for “the other guy,” it is a problem for all companies. She states at the outset of her speech, which is focused on financial institutions, that the threat of a cyber breach “creates a persistent and complex challenge for financial institutions spanning the sector, including financial institutions of all types and sizes.”

 

A December 5, 2014 Law 360 article about Raskin’s speech can be found here (subscription required).

Largest Derivative Lawsuit Settlements

Posted in Shareholders Derivative Litigation

latestgavelMy post earlier this week about the $275 million Activision Blizzard shareholder derivative lawsuit settlement – and in particular my suggestion that the Activision settlement may be the largest derivative suit settlement ever – provoked an interesting flurry of emails and conversations about the lineup of other large derivative lawsuit settlements. To address the various questions I have received on the topic, I have set out below my unofficial list of the derivative suit settlements involving the largest cash components. My purposes in posting this list are two-fold: first, in response to several requests, to share the information I have; and two, to encourage others who may have different or additional information to share the information so that I can update or supplement the list as appropriate.

 

 

Here is my list of the nine largest derivative lawsuit settlements of which I am aware:

 

$275 million       Activision Blizzard (2014)

$139 million       News Corp. (2013)

$130+ million     Freeport-McMoRan (2014)

$122 million       Oracle (2005)

$118 million       Broadcom Corp. (Options Backdating) (2009)

$115 million       AIG (2002 lawsuit) (2008)

$89.4 million        Del Monte Foods (2011)

$75 million           Pfizer (2010) UPDATED

$62.5 million      Bank of America (Merrill Lynch Acquisition) (2012)

 

I suspect strongly that there have been settlements with values between the $62.5 Bank of America settlement and the $110 million El Paso-Kinder Morgan settlement. I am hoping readers that are aware of any derivative suit settlements with values in that range, or any other settlements that ought to be on this list, will please let me know. UPDATE: Several readers reminded me of the $89.4 million Del Monte Foods derivative lawsuit settlement and the $75 million Pfizer shareholder derivative lawsuit settlement, which I have added to the list above. The Pfizer settlement is discussed in greater detail here. FURTHER UPDATE: After receipt of comments from readers, I have removed the $110 milllion El Paso settlemetn from the list as it was originally published. Upon review, I was pursuaded that the case had not been filed as a derivative action bur rather as a direct action on behalf of a shareholder class for damages. (For further detail refer here).

 

These settlements are of course all dwarfed by the $2.876 billion judgment entered in June 2009 against Richard Scrushy in the HealthSouth shareholders’ derivative lawsuit in Jefferson County (Alabama) Circuit Court, but that judgment represents its own peculiar point of reference, It also was of course a judgment following trial rather than a settlement.

 

Another peculiar point of reference is the $1.262 billion judgment that Chancellor Leo Strine entered in October 2011 the Southern Peru Copper Corporation Shareholder Derivative Litigation (about which refer here). That case also represents its own form of litigation reality, and it too represents a derivative suit judgment following trial, rather than a settlement.

 

Another derivative lawsuit resolution that is worth considering in the context of the “largest ever” question is the December 2007 settlement of the UnitedHealth Group options backdating-related derivative lawsuit. As discussed here, the lawsuit settled for a total nominal value of approximately $900 million. However, while the press reports at the time described the settlement as the largest derivative settlement ever, the value contributed to the settlement consisted of the surrender by the individual defendants of certain rights, interests and stock option awards, not cash value in that amount.

 

In the past, going back ten years or so, shareholders’ derivative suits typically did not present the possibility of significant cash payouts, at least in terms of settlements or judgments. The cases did present the possibility of significant defense expense and also of the possibility of having to pay the plaintiffs’ attorneys’ fees, but by and large there was usually not a cash settlement component. As the significant examples above show, that has clearly changed in more recent years.

 

This trend gained particular momentum with the options backdating scandal. Many of the options backdating cases were filed as derivative suits rather than as securities class action lawsuits (largely because the options backdating disclosures did not always result in the kinds of significant share price declines required to support a securities class action lawsuit). Many of the options backdating cases settlements included a cash component, and as illustrated by the Broadcom case mentioned above, some of the options backdating derivative suit settlements included very substantial cash components

 

It is interesting to note how many of the derivative settlements listed above were entered in connection with lawsuits objecting to a merger or acquisition transaction – the Activision Blizzard Settlement, the Freeporr-McMoRan settlement, the El Paso-Kinder Morgan settlement, and the BofA/Merrill Lynch settlement all related to lawsuits arising out of merger or acquisition transactions. Indeed, the News Corp. settlement related at least in part to objection to a transaction involving one of Rupert Murdoch’s children. The rise of merger objection litigation has been the target of a great deal of criticism but the number of recent large settlements involving merger or acquisition transactions highlights the fact that among the many cases that are filed there may be at least a few that are more serious.

 

As I have noted in the past in connection with the increasing numbers of jumbo derivative lawsuit settlements, the upsurge in the number of derivative suit settlements that include a significant cash component undoubtedly is being viewed with alarm by the D&O insurance industry. For many years, D&O insurers have considered that their significant severity exposure consisted of securities class action lawsuits. The undeniable reality now is that in at least some circumstances, derivative suits increasingly represent a severity risk as well. And the settlement amounts themselves represent only part of the D&O insurers’ loss costs. The D&O insurers also incur millions and possibly tens of million of defense cost expense in these derivative suits.

 

The increasing risk of this type of settlement represents a significant challenge for all D&O insurers, but particularly for those D&O insurers concentrating on providing Excess Side A insurance. Those insurers will have to ask how they are to underwrite the risks associated with these kinds of exposures, and how they are to make certain that their premiums adequately compensate them for the risk.

Two Recent Massive Merger Objection Lawsuit Settlements Include Significant D&O Insurer Contributions

Posted in Shareholders Derivative Litigation

gavelOne of the great litigation curses in recent times in the corporate litigation arena has been the rise of merger objection litigation. These kinds of lawsuits, which these days arise in connection with almost every M&A transaction, often are settled for nothing more than an agreement to make additional disclosures and to pay the plaintiffs’ attorneys fees. However, from time to time, there are merger objection lawsuits that settle on more substantial terms.

 

Within the past few days, two merger objection settlements – one involving Activision Blizzard, Inc. and the other involving Freeport-McMoRan, Inc. — have been announced involving massive cash payments, much of it reportedly to be paid by D&O insurers. The Activision settlement may represent the largest cash settlement payment ever in a shareholder derivative lawsuit.

 

The Activision Settlement: On November 19, 2014, Activision, which is the maker of the popular videogames “Call of Duty” and “Worlds of Warcraft,” announced (here) the $275 million settlement of the shareholder derivative lawsuit that had been filed in Delaware Chancery Court. The lawsuit had been filed in connection with the transaction announced in July 2013 whereby Activision and an entity controlled by Activision‘s two senior officers acquired over 50% of Activision‘s outstanding shares from Vivendi S.A., its controlling stockholder, for approximately $8 billion in cash.

 

After the transaction was announced, several Activision shareholders filed lawsuits challenging the stock purchase. The defendants in the litigation included members of the Activision board (including six members of Activision board that had been designated by Vivendi); the senior Activision officers that were participating in the transaction and the corporate vehicles through which they were purchasing the Activision shares from Vivendi; and Vivendi itself. Among other things, the shareholders contended that the transaction should be put to a vote of the Activision shareholders.

 

The Delaware Chancery Court had put the transaction on hold pending a shareholder vote, but the Delaware Supreme Court, in an interlocutory appeal, reversed the ruling, allowing the transaction to go forward. The lawsuit, seeking damages, went foward. The November 15, 2013 Delaware Supreme Court opinion addressing the interlocutory appeal — and that describes the transaction and the lawsuit in greater detail — can be found here.

 

In its press release, Activision said that the $275 million settlement amount was to be paid to Activision itself by “multiple insurance companies, along with various defendants.”  Ashby Jones’s November 19, 2014 Wall Street Journal article describing the settlement (here) states that Vivendi is among the parties that will be contributing to the settlement payment.

 

The Activision press release also states that as part of the settlement two unaffiliated directors would be added to the company board; the plaintiffs’ attorneys would be paid their “reasonable and customary fees and costs”; and there would be an adjustment made to voting rights. The deal must be approved by Delaware Chancellor Travis Laster.

 

According to the November 19, 2014 Reuters article by Tom Hals (here), the Activision settlement is “the largest of a shareholder derivative lawsuit,” exceeding last year’s $139 million News Corp. settlement.

 

The Freeport-McMorRan Settlement: According to Liz Hoffman’s December 1, 2014 Wall Street Journal article (here), Freeport-McMoRan is nearing a settlement of more than $130 million to resolve a 2013 shareholder derivative lawsuit that had been filed in connection with the company’s  purchase of two oil-and-gas companies.

 

The settlement would resolve allegations by Freeport’s shareholders that the company overpaid when it bought McMoRan Exploration and Plains Exploration & Production companies for a combined $9 billion. The shareholders had alleged that the Freeport board had conflicts of interest while negotiating the company’s summer 2013 purchase of McMoran and Plains.

 

According to the Journal article, the shareholders alleged that the deals had been an effort by Freeport management to rescue struggling McMoRan, in which Freeport, its board members, and key executives owned shares. The shareholder plaintiffs alleged that Freeport had agreed to acquire McMoRan at too high a price as a way to bail out a struggling company. The two companies shared six directors including each company’s CEO. Nine Freeport directors owned about 6% of McMoRan stock between them. The overlap between the two companies was a relic of the companies’ past, as McMoRan had split from Freeport in the 1990s. Plains owned 31% of McMorRan and had the ability to block the sale of the company.

 

The Journal article reports that under the settlement agreement, which is subject to court approval, much of the more than $130 million to be paid in the settlement would be paid to the Freeport shareholders in the form of a special dividend. The total amount of the dividend is likely to exceed $100 million.

 

According to the Journal article, “most of the cost of the settlement would be paid for using a special type of insurance policy that covers directors and executives, according to some of the people. Freeport would pay the rest.”

 

According to a December 1, 2014 WSJ MoneyBeat blog post about the settlement (here), this type of settlement providing for a dividend payment to shareholders is the “first example” of this type of settlement payout.

 

Discussion

One of the main criticisms of the recent wave of merger objection litigation is that the lawsuits often accomplish little except the transfer of cash to the plaintiffs’ lawyers that file the suits. Indeed, until recently, settlements of shareholders’ derivative lawsuits of all kinds rarely involved the payment of significant amounts of cash. However, as I noted at the time of the $139 million News Corp. settlement (here), in more recent times there have been a number of derivative lawsuit settlements that have involved very significant cash payments.

 

These two recent settlements described above show that at least under certain circumstances, even the settlement of shareholder lawsuits involving merger objections can involve the payment of significant cash amounts.

 

The common feature of these two cases that may account for the magnitude of the cash payments seems to be the conflicts of interest that were alleged to be part of the challenged transactions. In the Activision case, two senior Activision officials allegedly were active participants in the acquisition of the company’s shares from Vivendi. In the Freeport-McMoRan case, Freeport’s acquisition of McMoRan and Plains allegedly involved the company’s supposed overpayment for companies in which senior company officials had financial interests and with which the Freeport board had overlapping memberships.

 

Another common element with respect to these two settlements is that at least according to press reports the settlements will involve significant cash contributions by D&O insurers. I have not yet been able to get my hands on the settlement documents for either of these settlements so I have been unable to determine how much of either of these settlements was to be paid by D&O insurers.

 

An interesting question about the D&O insurers’ contribution is – exactly whose D&O Insurance will be making the contribution? In the Activision case, the defendants involved included both Activision and its board but also Vivendi. The Journal article describing the settlement said that Vivendi was contributing to the settlement; it isn’t clear whether or to what extent Vivendi’s D&O insurer might be contributing. The Activision press release about the settlement didn’t say whether the insurers that were contributing were Activision’s insurers or Vivendi’s insurers (or some combination).

 

The information in the Journal about the Freeport-McMoRan settlement doesn’t say whether the D&O insurers that would be making the payment were Freeport’s or if the insurers for one of the target companies are also contributing.

 

The fact that the $275 million cash in the Activision settlement will be paid to Activision itself raises the question whether the D&O insurers’ contribution to the shareholder derivative settlement would be a Side A payment (and, if it is a Side A payment, whether Activision’s Side A/DIC insurers might have been called upon to contribute to the settlement). To the extent Vivendi’s insurers contributed to the settlement, Vivendi’s insurers’ contribution would not likely be a Side A contribution.

 

The fact that most of the settlement cash in the Freeport case will be paid to the Freeport shareholders in the form of a special dividend raises an interesting question about the role of the D&O insurance. I can see that many D&O Insurers would be very uncomfortable with the idea that one of their insured companies might want to finance a special dividend to its shareholders with the proceeds of the D&O insurance policies. Even if the dividend is to be paid in the settlement of a D&O lawsuit, the use of insurance to finance a dividend is a notion that arguably does not sit comfortably with the usual purposes and role of liability insurance. I would be very interested in others’ thoughts about this aspect of the Freeport-McMoRan settlement.

 

In any event, as I said at the time of the $139 million News Corp. settlement, shareholders derivative litigation is becoming a severity risk for companies and their directors and officers – and for their D&O insurers. The News Corp. settlement was funded entirely by D&O insurers and the Activision and Freeport McMoRan settlement were funded at least in part by D&O insurance. There was a time when the severity exposure for D&O insurers did not involved derivative litigation, but those days seem to be gone now. The rise of jumbo shareholder derivative lawsuit settlements has a number of implications. Among other things, it is a topic that will have to be taken into account as D&O insurance buyers consider how much insurance they will need to ensure that their interests are adequately protected.

Battle Builds in Delaware Over Fee-Shifting Bylaws

Posted in Director and Officer Liability

delaware sealEarlier this year, after the Delaware Supreme Court upheld the facial validity of fee-shifting bylaws in the case of ATP Tour, Inc. v. Deutscher Tennis Bund (as discussed here), a legislative initiative quickly emerged to restrict the case’s holding to Delaware non-stock companies. However, the initiative proved to be controversial, and the legislative proposal was tabled until early 2015. It appears that now, while the proposed legislation remains pending, institutional investors are mounting a concerted effort in support of legislative action “to curtail the spread of so-called ‘fee-shifting’ bylaws.”

 

As detailed in Alison Frankel’s November 26, 2014 post on her On the Case Blog entitled “Big Pension Funds Mobilize Against Delaware Fee-Shifting Clauses” (here), the Council of Institutional Investors and a coalition of public pension funds have launched a letter writing campaign to Delaware politicians and other key players. For example, on November 24, 2014, the groups sent a letter to Delaware Governor Jack Markell, in support of the legislative efforts to restrict the use of fee-shifting by law. The letter notes that over 30 companies have already adopted such bylaws, and contends that the bylaws “effectively make corporate directors and officers unaccountable for serious wrongdoing.”

 

The letter urges that the Delaware General Assembly must “act promptly to restore confidence in Delaware’s credibility in developing a balanced corporate law, preserve shareholders’ access to the court system, and make clear that directors and officers cannot insulate themselves from accountability under the guise of unilateral bylaw provisions.”

 

As reflected on the Council of Institutional Investors website (here), the groups also sent letters to a number of legal groups and to investment advisory firms. As Frankel summarized in her blog post, the letters contend that fee-shifting bylaws are bad corporate governance that, in the long run, will discourage investment in Delaware corporations and undermine the legitimacy of Delaware’s courts.

 

Arrayed against the efforts of these institutional investors are the advocacy exertions of the U.S. Chamber of Commerce’s Institute for Legal Reform, which had argued that the use of proposed legislation would “only protect frivolous lawsuits” and that the use of fee-shifting bylaws “gives corporations a way to protect shareholders against these costs of abusive litigation.” A November 14, 2014 Wall Street Journal op-ed piece by the Institute’s President and presenting the Institute’s position can be found here.  

 

In their letter to the governor, the institutional investor groups contend that these arguments in support of fee-shifting bylaws are “directly contrary to the interests of investors in publicly traded Delaware corporations.” Far from protecting against frivolous litigation, the fee-shifting provisions would “effectively bar any judicial oversight of misconduct of corporate directors.” The provisions “undermine the most fundamental premise of the corporate form – that stockholders, simply by virtue of their investment, cannot be responsible for corporate debts.”

 

In conjunction with the campaign, the Kessler Topaz law firm has put together a list of the more than three dozen companies that have already adopted some form of the corporate bylaws. The list underscores the fact that while many companies are holding back awaiting the outcome of the pending Delaware legislative action, other companies have pressed ahead with bylaw changes. Frankel’s blog post quotes an attorney from the Kessler Topaz firm as saying that if the Delaware legislature or judiciary say explicitly that fee-shifting bylaws are legal for companies with public shareholders, “you’ll see a flood of these bylaws.”

 

The institutional investors are not the only ones critical of the advent of fee-shifting bylaws. In a November 24, 2014 post on the CLS Blue Sky Blog (here), Columbia Law School Professor John Coffee expresses a number of concerns about the efforts to advance the adoption of fee-shifting bylaws. First, he notes that many of the bylaws that have been adopted have been drafted “very aggressively” so as to “chill any prospect of litigation of any kind.” Coffee argues that these kinds of bylaws go “beyond a proper purpose” by “intentionally seek[ing] to discourage meritorious litigation,” which “may prove too much for Delaware, which … has little desire to ensure the extinction of intracorporate litigation.”

 

Coffee also argues that the “new theory of shareholder consent” on which the validity of the both fee-shifting and forum selection bylaws has been upheld “could lead to extreme possibilities.” Coffee argues that if the theory is valid, then company boards could adopt all sorts of provisions; Coffee invokes a parade of horribles by suggesting that if the theory is valid, boards could adopt, for example, by law provisions requiring shareholders to subscribe for additional shares or to pay the company’s costs associated with a proxy fight. In the end, Coffee contends, the theory of shareholder consent is fundamentally inconsistent with the basic notion of shareholders’ limited liability because they impose financial liability on shareholders.

 

Coffee suggests that Delaware has a number of alternatives. The state could, he suggests, provide that a “loser pays” provision could only be adopted by shareholder vote. Alternatively, he suggests, the state could place some form of ceiling on fee-shifting, or moderate the bit of the “loser pays” rule by limiting the fee-shifting to costs incurred up to the decision on the motion to dismiss. Coffee concludes by noting that the absence of any action on this issue by the SEC is telling; Coffee notes that “the SEC”s continuing passivity adds to the growing sense that it is not the agency that it once was.” UPDATE: For a presentation of a view that the SEC should not get involved in the fee-shifting bylaw issue, pleease see the October 16, 2014 post of Keith Paul Biship on his California Corporate & Securities Law blog, here.

 

There is definitely as sense in which, in the absence of any action from SEC, the action of the Delaware General Assembly alone will not put an end to this ongoing debate, regardless of what happens there. As I noted in a post discussing the adoption of a fee-shifting bylaw by recent IPO company Alibaba (here), Alibaba is a Grand Cayman company, to whom developments under Delaware law are irrelevant. In addition, legislative and judicial developments in other jurisdictions could have their own impact; as I noted in a recent post, Oklahoma’s legislature recently adopted a provision authorizing Oklahoma corporations to extend loser-pays to all shareholder suits involving board members. It is entirely possible that these kinds of developments could simply overtake legal developments in Delaware, as companies could seek to form or reconstitute themselves in jurisdictions that allow fee-shifting bylaw.

 

As I have noted in prior posts on this topic, the larger issue is whether or not these developments portend a significant revision of what is known as the American Rule, whereby it has been the practice in this country that each litigation party will bear its own costs. As companies increasingly seek to introduce their own form of litigation reform through revision of their own bylaws, and as courts and legislatures evolve their response to these kinds of bylaw provisions, there is a possibility that these developments could work a major change to the traditional American Rule on attorneys’ fees. Which in turn could have a significant impact on the corporate litigation environment.

Law Firm Organizes U.K. Lawsuit Against Tesco, Financed by Litigation Funding Firm

Posted in Securities Litigation

tescoAfter U.K.-based Tesco PLC’s announcements of accounting “irregularities” and the subsequent departure of the company’s Board chair, investor lawsuits soon followed. But as discussed here, these lawsuits were filed in the United States, on behalf of investors who had purchased American Depositary Receipts in the United States. In light of the U.S. Supreme Court’s holding in Morrison v, National Australia Bank – which held that the U.S. securities laws do not apply to securities transactions that take place outside the U.S. – the class of investors on whose behalf the U.S. lawsuits were filed did not include investors who had purchased Tesco shares on London Stock Exchange.

 

The fact that investors who purchased their Tesco shares on the LSE are closed out of the U.S. litigation raised the question of what these investors could do to seek redress. (Indeed, I received emails from several of these investors who were wondering what they could do after they had learned they could not be a part of the U.S. lawsuits.)

 

It was in this context that on November 25, 2014, a London-based law firm announced that it is preparing to file a separate legal action in the U.K. against Tesco. The law firm’s press release can be found here. A post of Tristan Hall of the Sedgwick law firm on the firm’s Insurance Law Blog discussing the lawsuit announcement can be found here.

 

The law firm’s lawsuit press release states that the prospective U.K. lawsuit on behalf of Tesco investors “relates to compensation for shareholders who suffered a loss as a result of the overstatements of profit recently revealed by Tesco.” The claim will allege that “directors and senior management knew or were reckless as to whether Tesco’s statements to the market were untrue or misleading and/or dishonestly concealed the true position, in breach of the Financial Services and Markets Act.”

 

The law firm’s press release quotes one of the firm’s partners as saying that “We expect to issue proceedings against Tesco in the High Court in London within 6 months. We do not intend to await the outcome of the SFO investigation which may take some years.”

 

There are a number of interesting things about the law firm’s announcement of this prospective law suit. The first is that the law firm that made the announcement is already presently involved in the pending group action brought by investors against RBS and certain of its directors and officers (about which refer here). Indeed, the law firm’s own press release states that the firm is “currently acting for over 300 institutional shareholders in the multi-billion pound RBS Rights Issue litigation.” The suggestion is that at least one law firm is committed to exploring the existing U.K. law and attempting to establish that the law supports the rights of aggrieved investors to seek to recover damages for investment losses based on alleged misrepresentations.

 

The second interesting thing about the law firm’s press release is that it includes the disclosure that the initiative to pursue litigation in the U.K. against Tesco is being financed by a litigation funding firm, Bentham Ventures B.V. Indeed, the funding firm itself published its own press release about the lawsuit, which can be found here. According to the funding firm’s press release and associated documents, Bentham Ventures B.V. is a Netherlands-based joint venture company involving Australia-based IMF Bentham Ltd and subsidiary entities of funds managed by Elliot Management Corporation, a US based advisory firm. The press release states that the funding firm has “agreed to fund legal action on behalf of shareholders.”

 

The press release also notes that ”in order for the claim to proceed a sufficient number of shareholders will need to join the action.” The funding firm describes those eligible to participate as “”those who acquired at least 10,000 Tesco shares during the period 17 April 2013 to 22 October 2014 (inclusive) and who had not sold all of those shares prior to the market announcements made by Tesco on 29 August, 22 September or 23 October 2014.” In addition, information on the funding firm’s website states that the funding firm will only fund proceedings on behalf of those investors that enter into the a Tesco Funding Agreement, Stewarts Retainer Agreement and Litigation Funding Agreement Guarantee before the cut-off date of Friday 23 January 2015. The referenced documents are described in an FAQ page on the funding firms website.

 

The funding firm’s involvement is interesting. It shows how the increasing involvement of litigation funding (in the U.K. and elsewhere) is supporting efforts to develop litigation remedies. While there are going to many differences between the UK litigation and the parallel U.S. litigation (for example, the U.K. litigation will not involved a class action procedure and will proceed on the U.K. “loser pays” model), the U.K. litigation does represent a development to try to afford investors outside the U.S. access to remedies of the type available to U.S. investors.

 

Whether or not the remedies will be viable for U.K. investors remains to be seen. As the Sedgwick law firm’s blog post notes, the existing RBS litigation is based on Section 90 of the Financial Services and Markets Act 2000. It seems likely, the blog post notes, that the Tesco claim will also proceed under Section 90 of the SFMA, which covers misstatements or omissions in an issuer’s periodic financial disclosures or in information published in the market by means of a recognized information service. (Indeed, the funding firm’s overview of the prospective claim, here, expressly references Section 90.) The existing RBS case and the projected Tesco case represent the first attempts to test the remedies afforded to investors by the FMSA.

 

As the blog post notes, the outcome of the RBS and Tesco cases will be of significant interest to UK publicly traded companies, their directors and their D&O insurers, as they cases represent significant efforts to determine the viability of the remedies available under Section 90. If one or both of these two lawsuits succeed, other investors in other cases may be encouraged to try to pursue their own claims for redress.

 

It is significant that these efforts to test the viability of these statutory remedies are being financed by the litigation funding firms. The involvement of the funding firm in these cases underscores how the growth of litigation funding is shaping and driving legal developments, in the U.K. and elsewhere. To the extent the RBS and the Tesco cases succeed, they could encourage future litigation funding opportunities for the firms that financed these litigation efforts (and for the funding firms’ own investors as well).

 

As interesting as is the prospective Tesco litigation in the UK courts, the role of the investment funding firm arguably is even more interesting. The growing involvement of and importance of litigation funding in corporate and securities litigation is one of those behind-the-scenes that has great potential significance for future developments in the corporate and securities litigation arena.

 

D&O Diary Named to American Bar Association Journal’s List of Top 100 Law Blogs: I am pleased to report that once again The D&O Diary has been voted onto the American Bar Association Journal’s list of the top 100 law blogs, as detailed here. I am very honored to be included on this list once again as the list includes many of the blogs that I regularly follow. It is quite privilege to be included in the same list as all of the other fine blogs.

Now that the 2014 top law blawg list has been decided, what comes next is the voting for the best in category. The D&O Diary is contending for the title of best in the Niche blog category (for some reason the ABA Journal’s editors seem to think that D&O liability and insurance is niche topic). I would be grateful for any readers who would be willing to take the time to vote for my blog as the best of the Niche category. Best in category voting ends at the close of business on December 19, 2014. TO vote, please refer here.

 

Thanks to everyone who already voted for my blog to be included in the ABA Top 100 Blawg list for 2014. Congrats to all of the 2014 honorees.  

 

FDIC: Banks Prosper, Problem Institutions Remain

Posted in Failed Banks

fdicThe banking industry had a “positive quarter” in the third quarter of 2014, according to the FDIC”s latest Quarterly Banking Profile. Banks continue to improve and are performing  better than during the same period a year ago. In the aggregate during the quarter, banks reported income growth based on growing revenue rather than just lower loan-loss provisions. However, the challenges of operating in a low interest rate environment continue. And even six years after the height of the financial crisis a significant number of problem institutions remain. The FDIC’s Quarterly Banking Profile for the third quarter of 2014 can be found here. The FDIC’s November 25, 2014 press release about the publication can be found here.

 

According to the FDIC, almost two thirds of all reporting institutions reported year-over-year growth in quarterly earnings during the third quarter. The proportion of banks that were unprofitable during the quarter fell to 6.4 percent from 8.7 percent a year earlier. In the aggregate, total loan balances increased and noninterest income was higher. Asset quality indicators also continued to improve as banks charged off $2.4 billion less from a year earlier and as noncurrent loans flee by 5.3 percent during the quarter.

 

The FDIC’s Chairman is quoted in the agency’s press release as saying that despite the continued improvement there are “challenges ahead.” Among other things, margins remain under pressure due to the low interest rate environment, which in turn is motivating institutions to extend asset maturities, creating vulnerabilities due to interest rate risk. Many banks, the Chairman also noted, are “increasing higher-risk loans to commercial borrowers.” All of these concerns, the Chairman noted, are “matters of ongoing supervisory attention.”

 

In addition, despite the positive news and the passage of six full years since the peak of the financial crisis, a significant number of problem institutions remain. According to the latest report, there are still 329 “problem institutions” on the agency’s list. (A “problem institution” is a bank that the FDIC ranks as a 4 or a 5 on its scale of financial stability. The agency does not release the names of the banks its regards as problem institutions.)

 

To be sure, the number of problem institutions has continued to decline. The third quarter of 2014, when the number of problem banks decreased to 329 from 354 at the end of the year’s second quarter (a decline of 7%), represents the 14th consecutive quarter that the number and assets of problem institutions has declined. The number of problem banks is now 63 percent below the post-crisis high of 888 at the end of the first quarter of 2011 and the number of problem banks at the end of the third quarter of 2014 is the lowest number of problem institutions since the end of the third quarter of 2009, when there were 305.

 

However, it is important to keep in mind that the number of banks overall is also declining, as banks fail or merge out of existence and as few new banks emerge. As recently as the end of 2007, there were 8,534 institutions reporting to the FDIC. At the end of the third quarter 2014, the number of reporting institutions was down to 6,589, representing a decline of over 1,945 (a decline of over 22%). While the banking sectors as a whole is improving, the number of problem institutions isn’t necessarily decreasing because the problem banks are getting better; in many cases, the problem banks simply no longer exist due to closures or mergers.

 

So, while the absolute number of problem institutions is down, because the overall number of reporting institutions is also declining, the percentage of problem banks remains surprisingly high given that we are now six full years past the peak of the financial crisis. As of the end of the third quarter, fully 5% of all banks continue to be ranked as “problem institutions.”

 

And indeed while the number of bank failures also continues to decline, banks are continuing to fail. The quarterly banking profile notes that there were only two bank failures during the third quarter, three others have failed so far during the fourth quarter, and 17 total have failed so far this year (albeit only five so far during the year’s second half). To be sure, the industry is on track for fewer bank failures this year than last year (when there were 24) – yet the problem institutions persist as do the bank failures, even as the number of failures continues to decline.

 

Though the number of bank failures is indeed declining, as the bank closures continue to come in, the period during which the FDIC will continue to be filing new failed bank lawsuits will also extend out into the future. As of the latest report on the agency’s website, the agency has already filed a total of 102 failed bank lawsuits, with 18 filed this year alone (although none since September). The agency’s website notes that it has authorized lawsuits in connection with 146 failed banks, suggesting that there are many more lawsuits yet to be filed. As the banks continue to fail, the number of authorized and filed lawsuits seems likely to continue to increase for some time to come.

 

The quarterly banking profile contains a wealth in interesting information. Among other things, the report details the distribution of U.S. banking institutions by size. Interesting, it turns out that 89.6 of all U.S. banks have assets less than $1 billion. Only 113 banks, representing 1.7 percent of all institutions, have assets greater than $10 billion. The problem of “too big to fail” is a serious issue, but there may also be problems in our banking industry owing to the sheer number of banks, particularly small banks. (For my prior discussion of a possible “too small to succeed” issue, refer here.)

Guest Post: Cyber Security Indeed: Derivative Action Dismissed Where Board Proactively Addressed Cyber Risks and Exposures

Posted in Cyber Liability

Richard Bortnick (2)The derivative lawsuit filed against the board of Wyndham Worldwide Corporation in connection with the series of cyber breaches the company had experienced was being closely watched as possibly representative of a potential new area liability exposure for corporate directors and officers. However, as I discussed in a prior post (here), on October 20, 2014, the Court granted the defendants’ motion to dismiss the complaint.

 

In the following guest post, Rick Bortnick of the Traub Lieberman law firm takes a look at the court’s dismissal of the Wyndham Worldwide derivative suit. This post previously appeared on the CyberInquirer blog (here). I would like to thank Rick for his willingness to publish his post on this site. I welcome guest post contributions from responsible authors on topics of interest to this blog’s readers. If you think you would like to submit a guest post, please contact me directly. Here is RIck’s guest post.

 

****************************

 

In the first of what is certain to become a cottage industry of derivative lawsuits involving alleged inadequate cybersecurity and deficient public disclosures, on October 20, 2014, a New Jersey federal court granted a motion to dismiss filed by Wyndham Worldwide Corporation’s directors and officers based on its finding that Wyndham’s Board has duly considered and dismissed the plaintiff’s demand that the company sue its directors and officers.  Palkon v. Holmes, et al, Case 2:14-cv-01234-SRC-CLW.

 

In Palkon, plaintiff presented the demand following a series of three security breaches through which hackers obtained personal information of over 600,000 Wyndham customers. (This is the same series of events that gave rise to the well-known lawsuit where Wyndham is challenging the FTC’s jurisdiction).

 

Wyndham’s Board met to discuss plaintiff’s demand as well as the status of the FTC action. At that time, the Board voted unanimously not to pursue a fiduciary duty lawsuit and thereby rejected plaintiff’s demand.

 

Plaintiff thereafter sued, alleging that the security breaches, together with the Board’s and management’s inadequate handling, damaged Wyndham’s reputation and cost it significant fees.

 

In moving to dismiss, defendants relied on the business judgment rule. They also asserted that plaintiff had failed to state a claim and that the damages alleged were speculative in any event.

 

Ruling on Delaware law, the court granted Wyndham’s motion, finding that plaintiff had failed to meet his burden of rebutting the business judgment rule. In other words, plaintiff was unable to raise a reasonable doubt as to whether Wyndham’s D&Os had acted (1) in good faith, or (2) based on a reasonable investigation.

 

In so doing, the court identified the following facts as relevant to its determination that Wyndham’s D&Os’ investigation had been reasonable:

 

The Board discussed cyber-related issues, including the company’s security policies and proposed enhancements, at fourteen meetings between October 2008 and August 2012 (the breaches occurred between April 2008 and January 2010):

 

  • The Board’s Audit Committee reviewed the same matters in at least sixteen meetings during the relevant period;
  • During its series of ongoing meetings, Wyndham’s Board addressed and affirmed the implementation of recommendations from the company’s retained technology firms;
  • Wyndham’s Board was well-versed in the substance of both the FTC litigation and plaintiff’s demand;
  • There was “ample information” that that Board had at its disposal when it rejected plaintiff’s demand; and
  • The Board already had investigated the issues presented by plaintiff’s demand, as his attorney himself had presented an identical demand which had been rejected for the same reasons.

 

From the inside looking out, there is nothing special or unique about Palkon. It affirms the business judgment rule’s presumption of propriety and enumerates the types of facts that one court found relevant as to whether an internal investigation was reasonable.

 

From the outside looking in, however, the decision sets precedent as to the types of activities of which a Board should be mindful when evaluating and implementing information governance and cybersecurity regimes as well as in responding to a cyber breach (including through public disclosures). We regularly hear from clients asking about pre-breach avoidance strategies. Now there is court guidance ratifying the value of a proactive approach in the context of a derivative litigation.

 

As we’ve said before, you can pay now or pay more later And as should now be self-evident, whether or not you’re the director or officer of a private company or a public company, it will be far more costly to postpone and/or delay the employment of a robust cybersecurity regime. There no longer is an excuse for waiting. Unless, of course, you like to pay lawyers and other vendors more to be reactive as opposed to what it would have cost had management been proactive.

 

 

Calculating Damages in Securities Class Action Lawsuits

Posted in Securities Litigation

cornerstone reserach pdfBecause securities class action lawsuits under Section 10 of the Securities Exchange Act of 1934 and Rule 10b-5 so rarely go to trial (a topic I addressed in a recent post, here), questions about how damages are calculated are not often addressed directly. Section 28(a) of the ’34 Act specifies that no plaintiff shall “recover … a total amount in excess of [that person’s] actual damages.” However, the statute does not define “actual damages” and courts have adopted a variety of approaches to the question.

 

A November 19, 2014 paper published by Cornerstone Research and the Goodwin Proctor law firm entitled “Limiting Rule 10b-5 Damages Claims” (here) takes a look at the way that courts have addressed this issue. As discussed in the paper, the beginning point for analysis of the damages issues is the amount of “inflation” – that is, the difference between the defendant company’s actual stock price and what the price would have been absent the alleged fraud. The authors note that the administrative processes following a settlement, or more rarely, a verdict, involve several adjustments. These adjustments can reduce individual class members’ claims as well as plaintiffs’ estimates of classwide damages. However, the authors found, there are inconsistencies in the ways that courts apply these adjustments.

 

The authors suggest that the aggregate effect of these adjustments “can be quite large and may often be underestimated or overlooked by defendants.”  The authors contend that these adjustments can be inform defense strategies in settlement negotiations and could be influential on prospective settlement opt-outs on their decision whether or not to participate in class settlements.

 

In order to analyze these issues, the authors reviewed the plans of allocation reflected in publicly available settlement claims forms and notices for sixty-five Rule 10b-5 class action settlements occurring during 2012 and 2013. They also review the verdicts in the Vivendi and Household Financial cases, both of which cases resulted in jury trial verdicts. The authors also drew upon their own experience in the post-judgment proceedings in the Apollo Group securities litigation.

 

Based on this analysis, the authors identified three approaches to adjusting damages:

 

1. Offsetting recognized losses with gains from price inflation caused by the alleged fraud. (Inflation Gains Offset)

2.  Adjusting recognized losses with nominal gains. (Nominal Gains Offset)

3. Limited per-share recognized losses to nominal losses. (Nominal Loss Cap)

 

The starting point of the authors’ analysis is the recognition that an investor suffers a loss if he or she purchases a share at an inflated price and then later sells the share after a corrective disclosure eliminates the share price inflation. Say, for example, the investor purchases a share at a price of $27 with a $7 price inflation, and then after the corrective disclosure sells the share for $20, realizing a $7 dollar loss.

 

The authors suggest that this calculation should be adjusted to take other possible factors into account.

 

First, the investor’s losses on the sale of the share should be offset by any gains the investor realized as a result of the share inflation. Say, for example, the same investor purchased a share prior to the class period at $20 and then sold it during the class period at the price of $27 (reflecting the increased price due to the inflation.). The authors argue that the investor’s $7 loss on the post disclosure sale should be offset by the investor’s $7 gain during the class period, resulting in a conclusion that the investor suffered $0 in losses.

 

The authors contend that it is “economically rational” to subtract the gains from inflation from losses from inflation in calculating the harm to an investor. The authors found that the courts in the Household Finance case recognized the need to offset losses from gains from inflation. However, they also noted that “this seemingly well-recognized legal principle does not, however, explicitly appear in any of the sixty-five settlements the authors reviewed.” This offset can be calculated only when an individual investors’ purchase and sale information are available, as would usually be the case in opt-out litigation or sometimes for lead plaintiffs.

 

The gains from inflation cannot always be calculated accurately when performing plaintiff-style aggregate damages calculation. What can be calculated using publicly available information is the maximum adjustment to a plaintiff-style aggregate damages calculation. The “bank “of these available offsets is “often substantial and perhaps underestimated in the settlement negotiations.” The “economic logic and legal basis for this adjustment is strong and provides an argument for defendants negotiating smaller settlements.”

 

Second, the authors contend that recognized losses should be offset with nominal gains. In this example, the investor that experienced the $7 post disclosure loss also purchased a share during the class period at $27 dollars a share, reflecting the $7 price inflation, and sold the share during the class period at $28 per share, also reflecting the $7 per share price inflation. The authors contend the investors $1 gain on the class period transaction should be offset against the $7 loss, resulting in a net loss of $6. The authors note that a nominal gain offset was not mentioned in either the Household Finance or Vivendi verdicts, perhaps, the authors note, because “a nominal gains offset is likely to be smaller than a gain from inflation offset.”

 

The authors note that the while the nominal gains offset can be calculated when an investor’s trading data are available (for example with opt-outs or named plaintiffs), the adjustment cannot be determined reliably for the class using plaintiff-style aggregate damages models. The authors contend, however, that nominal gains from shares purchased during the class period are able to be offset against losses from inflation. While the nominal gains will not exceed losses from inflation, calculating the maximum reduction in damages due to nominal gains can “still be helpful for settlement discussion purposes.”

 

Third, the authors also contend that per-share recognized losses should be limited to nominal losses. This calculation takes in to account the PLSRA’s 90 day look-back period, which limits a plaintiff’s damages to the difference between the purchase price and the mean trading price of the security during the 90 days following a corrective disclosure. In this example, if the investor purchased a share with a $7 price inflation during the class period at $27 and sold the share after the corrective disclosure at $25, the damages are only $2, not $7. The 90-day rule creates what the authors call a “nominal loss cap.”

 

The nominal loss cap can be applied with respect to investors, such as opt-out claimants and named plaintiffs, where trading data are available. The authors also contend that “an estimate of the effect of nominal loss caps can and should also be applied to plaintiff-style damages estimates.”

 

The authors contend that all three of these adjustments can and should be applied in settlement negotiations to estimate recognized losses. The authors contend that the incorporation of these types of adjustments into class settlement could influence prospective opt-outs decision whether or not to remain in the settlement class.

 

In my view, the authors’ analysis should be of interest not only to defendants engaged in settlement negotiations, but also to the D&O Insurers whose financial interests could be affected by the negotiations. In the press release accompanying the report’s release, Dan Tyukody of the Goodwin Proctor law firm is quoted as saying “Besides lawyers and judges, these findings should definitely be of considerable interest to the insurance industry” – a statement that is clearly correct. I think that D&O insurers’ claims managers will want to review this report closely, to understand the authors’ analysis and to consider how this analysis could be incorporated into securities lawsuit settlement negotiations. The authors’ analysis clearly seems to suggest settlement negotiations approaches that could be used to argue for lower settlements reflecting the kinds of damages adjustments the report details.

 

Special thanks to Katie Galley of Cornerstone Research for sending me a copy of this report.