Cybersecurity as a D&O Liability Issue: I have noted in prior posts on this site (refer for example here) that cybersecurity represents, among other things, a D&O liability exposure. The recent lawsuits filed against Target (refer here) and Wyndham Worldwide (refer here) underscore this point. In addition, at least according to a July 7, 2014 Bloomberg article entitled “Hacked Companies Face SEC Scrutiny Over Disclosure” (here), several companies are now facing SEC investigative action related to cybersecurity issues.
According to the article, which cites undisclosed sources, the agency is investigating whether the companies “properly handled and disclosed a growing number of cyberattacks.” The investigations are “focused on whether the companies adequately guarded data and informed investors about the impact of the breaches.” The SEC is “also investigating companies’ internal controls in cases where the value of assets could have been affected by a breach.”
The article says that the prospect of enforcement activity focused on the cyberattack targets “marks a new front in the agency’s efforts to combat the rising threat hackers pose to public companies.” Previously the SEC had focused more on providing guidance to public companies about how to disclose its cybersecurity risks.
Other than Target Corp., which previously disclosed in public filings that it was the subject of an SEC investigation, as well as of investigations by the Federal Trade Commission and states’ attorneys general, the article does not identify other companies that are the subject of SEC scrutiny.
This news about SEC investigative activity follows after the June 10, 2014 speech of SEC Commissioner Luis Aguilar (about which refer here), in which Aguilar said “ensuring the adequacy of a company’s cybersecurity measures needs to be a part of a board of director’s risk oversight responsibilities” and that “boards that choose to ignore, or minimize the importance of cybersecurity oversight responsibility, do so at their own peril.”
The possibility of SEC enforcement activity related to cybersecurity seems increasingly likely, which reinforces the conclusion that cybersecurity represents a D&O liability exposure.
Companies Adopting Fee-Shifting Bylaws: In May, when the Delaware Supreme Court upheld the validity of a fee-shifting bylaw, the possibility arose that companies might be able to adopt these kinds of bylaws as a way to try to deter abusive shareholder litigation, as discussed here. The bylaws shift attorneys’ fees and costs to unsuccessful plaintiffs in intra-corporate litigation. The opportunity to adopt this type of bylaw quickly seemed to be short-lived, as the Delaware legislature got active and took up a measure that would have limited the Supreme Court’s ruling to non-stock companies, meaning that most Delaware corporations would be unable to take advantage of a fee-shifting bylaw. However, as discussed here, the Delaware legislature has now tabled the measure until 2015, leaving the status of this type of bylaw in an uncertain state.
Despite the uncertainty, at least some companies are going ahead and adopting fee-shifting bylaws. According to a July 7, 2014 Reuters article by Tom Hals entitled “US Companies Adopt Bylaws that could Quash Some Investor Lawsuits” (here), “a handful of mostly tiny U.S. companies have become the first to adopt controversial by laws that would shift legal fees to investors who sue and lose.” Six companies have adopted the bylaws in recent weeks. At least two of the companies adopting the bylaws were sued earlier this year about the make-up of their boards. All but one of the companies are planning or recently completed initial public offerings.
The article quotes one commentator as saying that “I think it’s notable that we’re not seeing the well-established, large-cap companies” adopt the bylaws, adding that most companies “are probably reluctant to adopt the bylaw because of the potential harm to investor relations.”
It also seems likely that the uncertain state of play in Delaware also is discouraging some companies from acting. The Delaware legislature could act next year to undercut the validity of fee-shifting bylaws for stock corporations. Until the Delaware legislature’s action, if any, becomes clear, some companies may be reluctant to adopt the bylaws. However, as the Reuters article makes clear, at least some companies are going ahead, in a self-help version of litigation reform.
D&O Diary Discount for the ACI D&O Liability Conference: On September 30 and October 1, 2014, the American Conference Institute will be hosting its Eighteenth Forum on D&O Liability in New York. The event features a stellar line up of speakers and will be co-chaired by my good friends Carol Zacharias of ACE North American and Doug Greene of the Lane Powell law firm. Information about the event can be found here.
Through this Thursday, July 10, 2014, readers of the D&O Diary can obtain a $200 discount on the event registration fee, by using the code DOD200. I hope as many readers as possible will take advantage of this discounted rate.