September is here. Labor Day has come and gone. Time to put away the swim trunks, parasols, flip flops, bungee cords, ukuleles, sun screen, boomerangs, bongos, snorkels, vorpal blades, and unicycles, and get back to work. Yes, it is time to answer all those emails and return all of those phone messages. And most importantly of all, it is time to catch up on what has been happening in the world of directors’ and officers’ liability and insurance. Here is what happened while you were out.


Two Appellate Courts Find Crime Policy Coverage for Social Engineering Fraud Losses: One of the recurring coverage disputes is the question of whether or not commercial crime policies cover losses arising when company employees are duped by phony emails into transferring funds to imposters. The insurers take the position that these kinds of scams, often called social engineering fraud or payment instruction fraud, are not covered under their policies’ Computer Fraud section because the funds transfer involves a voluntary action or because the loss does not result directly from the fraud. The insurers have had some success with these arguments. However, in July, two federal appellate courts held that the Computer Fraud sections in the insured companies’ crime policies did cover the companies’ social engineering fraud losses. On July 6, 2018, the Second Circuit ruled in favor of the policyholder in Medidata Solutions, Inc. v. Federal Insurance Company, as discussed here. Then on July 13, 2018, the Sixth Circuit ruled in favor of the policyholder in American Tooling Center v. Travelers Casualty & Surety Company, discussed here. In both cases, the respective appellate courts have denied the insurers’ motion for rehearing.  However, while these decisions are important, they will hardly end the debate. They will at least provide grist for policyholders seeking to establish that their social engineering fraud losses are covered.


Two Companies Hit With GDPR-Related Securities Suits: The EU’s General Data Protection Regulation (GDPR) went into effect in late May. In the lead up to the effective date, commentators warned of the burdens the new privacy regulation could create and suggested the possibility of regulatory action and litigation as companies struggle to comply. In late July, Facebook became the first company to get hit with a GDPR-related securities lawsuit, as discussed here. In its quarterly earnings release, Facebook had revealed that its growth during the quarter had been stalled, among other things, by GDPR-related compliance complications and expense. In trading the following day, Facebook’s market capitalization dropped nearly $120 billion, the largest single day loss in share value ever. The securities class action lawsuits soon followed, including at least one lawsuit alleging the company had misrepresented its GDPR readiness. The Facebook lawsuit was followed days later by a GDPR-related securities suit filed against Nielsen Holdings (discussed here), which also disappointed investors in its quarterly earnings release due in part to difficulties the company and its clients and partners were encountering with the GDPR compliance. These two new lawsuits are the latest evidence that privacy-related issues could be an important source of D&O liability in the months ahead.


California Enacts Privacy Law: In another privacy-related development, in late June, the California General Assembly enacted the California Consumer Privacy Act of 2018, a sweeping privacy bill that imposes on businesses significant privacy obligations, creates a number of privacy rights, and provides for enforcement both through private right of action and regulatory enforcement, as discussed here. The Act, which is in many respects similar to the GDPR, protects “personal information” of California residents. It applies to any entity doing business in California, subject to certain revenue and data collection thresholds. The Act defines “personal information” broadly as any information that is “capable of being associated … with a particular consumer or household.” The Act provides for enforcement both through private rights of actions for consumers and through administrative enforcement by the state’s Attorney General. California’s enactment of this privacy legislation raises the question whether other states will follow suit. At a minimum, the legislation’s enactment underscores the point that privacy issues are likely to be highly significant concerns for companies and their executives.


Elon Musk’s Take-Private Tweets Draw Security Suit: For about as long as Internet-based social media have existed, there has been a possibility of a securities lawsuit based on an alleged misrepresentation in a Tweet or Facebook post. This possibility was realized in August after Tesla’s Chariman and CEO, Elon Musk, roiled the securities markets with a series of tweets in which he raised the possibility of taking the company private at a substantial premium over the company’s then-current trading price. Among other things, Musk’s tweets suggested that funding for a take-private deal was “secured” and the only action remaining to complete the transaction was a shareholder vote. Although the company’s share price rose on this news, it soon slipped as questions about the deal surfaced. There were reports in the media of an SEC investigation, and securities class action lawsuits followed, as discussed here. These new lawsuits may be the first securities class action lawsuits based on alleged misrepresentations on Twitter. But they surely will not be the last in which claimants alleged the defendants made misrepresentations on social media.


Supreme Court Grants Cert in Scheme Liability Case: In a long line of cases, the U.S Supreme Court has grappled with the question of who can be held liable under the federal securities laws for fraudulent misrepresentations. Most recently, in the Janus Funds case, the Court has said that only a “maker” of a misrepresentation can be held liable in a private securities lawsuit. As discussed here, on June 18, 2018, the U.S. Supreme Court granted a writ of certiorari to consider whether a person who did not “make” a misrepresentation can nevertheless be held liable under the securities laws on a theory of scheme liability. The Supreme Court’s June 18, 2018 order granting the writ of certiorari in the case of Lorenzo v. SEC can be found here. The case presents an interesting opportunity for the Court to consider the requirements to establish scheme liability and in particular to determine whether a financial misrepresentation alone is sufficient to support a scheme liability claim. The case will be heard during the Court’s upcoming October term.


Three More Sexual Misconduct-Related D&O Lawsuits: The #MeToo movement arose last year following a series of public revelations of misconduct by media figures, politicians, and corporate executives. In some instances the process of accountability has included not only actions against the wrongdoers themselves, but also to board members and corporate officials who are alleged to have permitted the misconduct or turned the blind eye. For example, as discussed here, in July 2018, shareholders of National Beverage Corp. filed a securities class action lawsuit against the company and certain of its directors and officers following news reports that the company’s Chairman and CEO allegedly had inappropriately touched company pilots while traveling on the Chairman’s business jet.  In August, a CBS shareholder filed a purported securities class action lawsuit against CBS and certain of its executives following news reports of sexual harassment involving the company’s CEO, Leslie Moonves, as discussed here. Days later, a Papa John’s shareholder filed a securities class action lawsuit against the company and certain of its executives following revelations that the company’s former CEO and Chairman, John Schnatter, and other company executives had engaged in sexual harassment and other sexual misconduct at the company. The steady stream of revelations of misconduct by corporate executives also continued over the summer, suggesting that we could continue to see D&O claims based on alleged sexual misconduct.


Dutch Court Declares $1.5 Billion Collective Investor Settlement Binding: On July 13, 2018, the Amsterdam Court of Appeals finally approved the €1.3 billion ($1.5 billion) settlement of a series of shareholder claims against Fortis in the wake of the global financial crisis, as discussed here.  The settlement, which had first been announced in March 2016 by Ageas, Fortis’s successor-in-interest, faced a number of judicial objections and concerns, resulting in changes to the settlement as originally proposed. The settlement amount, already the largest ever in a European collective investor action, was also increased incrementally from the original amount as well. A settlement of this value in the U.S. would be among the ten largest ever among U.S. securities class action lawsuits settlements. The arrival of collective shareholder settlements of this size outside the U.S. is unprecedented, and underscores the extent to which things have changed. The possibility of massive claims on behalf of allegedly injured shareholders is no longer a phenomenon limited just to the U.S. (and not even just to the U.S., Australia, and Canada).


House Passes JOBS Act 3.0: Since it first enacted the Jumpstart Our Business Startups (JOBS) Act in 2012, Congress has continued to modify the original JOBS Act as part of an ongoing effort to try to boost small businesses and business startups. For example, in 2015, Congress acted to expand a number of the JOBS Act’s provisions. On July 17, 2018, the U.S. House of Representatives passed what has been referred to as the JOBS Act 3.0. By a vote of 406-4, the House passed the JOBS and Investor Confidence Act of 2018, which is designed to further encourage capital formation and market access for small business enterprises. Senate Majority Leader Mitch McConnell reportedly has committed to bring the bill up for a vote in the Senate. The new bill combines a total of 32 different pieces of legislation, designed to make a number of incremental changes, including revisions to Rule 10b5-1 trading plans; changes to the definition of accredited investor; changes to auditor internal control certification for smaller companies; and allowing all companies to make “testing the waters” communications to institutional investors in advance of share offerings.


President Trump Proposes Eliminating Quarterly Reporting: In yet another one of his early morning messages, in early August President Donald Trump stirred up a squall by suggesting in a tweet that the SEC should study doing away with quarterly reporting requirements in favor of a system of semi-annual reports. The suggestion fits within the larger debate about whether or not reporting companies have an excessively short-term focus and the related but separate debate about whether regulatory requirements impose excessive costs on businesses. Institutional investors have come out loudly against the idea. The same day as President Trump released his message, SEC Chair Jay Clayton noted that “encouraging long-term investment in our country” is a key consideration for American companies and that the SEC’s Division of Corporation Finance “continues to study public company reporting requirements, including the frequency of reporting,” and he welcomed input from companies, investors and other market participants.” It remains to be seen what may come of this idea but the support from the President certainly could advance the item on the agenda.


Preview of Coming Attractions: Keep a look out for tomorrow’s post – The D&O Diary’s annual roundup of “What to Watch in the World of D&O.”