The liability environment for directors and officers is always in a state of change, but 2019 was a particularly eventful year in the D&O liability arena, with important consequences for the D&O insurance marketplace. The past year’s many developments have significant implications for what may lie ahead in 2020 – and possibly for years to come, as well.  I have set out below the Top Ten D&O Stories of 2019, with a focus on the future implications.

 

 

  1. Federal Court Securities Class Action Filings Remain at Historically High Levels

In 2019, for the third year in a row, there were more than 400 federal court securities class action lawsuits filed. While the total number of filings during the year was inflated by the significant number of federal court merger objection lawsuits, even the traditional securities lawsuit filings alone far exceed historical filing levels. While the number of lawsuit filings is at elevated levels, the rate of litigation (that is, the number of securities suits relative to the number of listed companies) is even higher – indeed, the 2019 litigation arguably was at its highest level ever.

 

There were a total of 404 federal court securities class action lawsuit filings in 2019, which is slightly above the 2018 total of 402 but slightly less than the 2017 total of 412. The 404 federal court securities lawsuit filings is nearly double (199%) the 1997-2017 annual average number of 203 filings. The 404 federal court filings during 2019 is the second highest annual number of filings since 2001, a year in which the total number of filings was inflated by the number of IPO laddering lawsuits.

 

As was the case in 2017 and 2018, the number of federal court securities class action lawsuit filings in 2019 was inflated by the significant number of merger objection lawsuit filings. In 2019, 158 of the 404 federal court securities class action lawsuit filings were merger objection lawsuits, representing about 39% of all federal court securities suit filings during the year.

 

There were 246 traditional federal court securities suit filings in 2019, which is about 21% above the 1996-2017 average annual number of securities suit filings (203) during the period 1997-2017. Thus, while the annual number of federal court securities suit filings has been inflated in recent years by the flood of merger objection lawsuits, the number of federal court securities class action lawsuit filings would still be well above historical levels even if there were no merger objection lawsuit filings.

 

In addition to the significant number of federal court lawsuit filings in 2019, there were also a significant number of state court securities class action lawsuit filings, as detailed in the next section. The number of standalone state court securities suit filings even further increases the total number of securities suits filed during 2019.

 

While the number of lawsuits filed each year is of significant interest to companies, insurers, and other observers, the rate of litigation (that is, number of lawsuit relative to the number of listed companies) arguably is of much greater significance. As the number of lawsuits has increased and the total number of listed companies has decreased, the litigation rate has been going up, especially in comparison to long-term trends.

 

Using the 2018 year-end number of exchange-listed U.S. publicly traded companies (4,406),  and subtracting from the 404 federal court securities class action lawsuits the 22 suits that were filed against non-exchange listed defendants (for example, OTC and cryptocurrency companies), leaving 382 lawsuits against listed defendants, calculates to a 2019 litigation rate of 8.66%. This mean that in 2019 about one out of every eleven U.S. exchange-listed company was hit with a securities suit. A litigation rate of 8.66% represents the highest-ever annual rate of litigation, exceeding even the elevated levels experienced in 2017 and 2018 (when, according to Cornerstone Research, the rate was 8.4%, both years). To put this in the simplest terms, the likelihood of a U.S. exchange-listed company getting hit with a securities suit is the highest it has ever been.

 

Obviously, the high number of merger objection lawsuits (which are discussed further below) significantly inflates the litigation rate. If the merger objection lawsuits are taken out of the equation and only traditional lawsuits against exchange-listed defendants  (of which there were 235 in 2019) are considered, and the 2018 year-end number of publicly traded companies (4406) is used for calculation purposes, the 2019 litigation rate for traditional federal court securities litigation against U.S. exchange-listed companies is 5.24%. This litigation rate implies that in 2019 the chance of a publicly traded company getting hit with a traditional federal court securities suit was about one in twenty.

 

The 2019 traditional securities suit litigation rate of 5.24% is far above historical levels; at the end of 2018, Cornerstone Research calculated the 1997-2017 annual “core” lawsuit litigation rate as 2.9%. In other words, the likelihood in 2019 of a company getting hit with a securities suit was nearly double the long-term average annual likelihood. The 5.24% core litigation rate in 2019 is also the highest it has ever been, exceeding even the elevated levels experienced in 2017 (4.2%) and in 2018 (4.5%).

 

As elevated as the federal court securities litigation rate was during 2019, the federal court litigation rates (as calculated above) do not even take into account the impact on the rate from the possibility of state court securities litigation. Obviously, the litigation rate would be even higher if the state court litigation is taken into account.

 

After three consecutive years with more than 400 federal court securities class action filings, it is clear that the recent elevated levels of securities class action lawsuit filings represent the new normal. Companies and their D&O insurers must now assume that the chance of any given U.S.-listed company getting hit with a securities lawsuit is far greater than was the case in the past – indeed, the chance of a company getting hit with a securities lawsuit arguably is the highest it has ever been.

 

The fact that over 400 federal court securities lawsuits have been filed in each of the last three years means that there is a massive pipeline of cases pending in the courts and swelling the D&O insurers’ claims portfolios. This backlog represents a significant problem for the D&O insurers, as this mass of claims must be managed and adjusted. Reserves must be set for these cases, further undermining current year underwriting results. The sheer number of cases pending has a multiplicative effect on aggregate defense expenses as well, further eroding the D&O insurers’ current year underwriting results.

 

These factors are among the important reasons D&O insurance buyers currently face a disrupted insurance market. As the insurers come to grip with the now well-established trends discussed above, they are struggling to find the right approach. As discussed in the final section below, all insurers, including both primary and excess insurers, are seeking increased rates; many primary insurers are also requiring increased retentions for many companies, and in some cases, offering only significantly altered terms and conditions.

 

For a more detailed analysis of the 2019 federal court securities class action lawsuit filings, refer here.

 

 

  1. Fallout from the Cyan Decision Roils the D&O Insurance Market for IPO Companies

One of the top stories in the world of D&O back in 2018 was the U.S. Supreme Court’s March 2018 entry of its opinion in Cyan, Inc. v. Beaver Country Employees Retirement Fund, in which the Court affirmed that state courts retain concurrent jurisdiction for liability actions under the Securities Act of 1933. The concern at the time was that the Court’s ruling could lead both to the proliferation of state court securities class action lawsuits and to the possibility of parallel proceedings in federal and state court. In 2019, these concerns about Cyan materialized and became a reality as state court securities litigation multiplied and parallel state and federal litigation became a frequent occurrence.

 

According to research by Stanford Law Professor Michael Klausner and his Stanford Securities Litigation Analytics colleagues Jason Hegland, Carin LeVine, and Jessica Shin, there were 39 state court securities class action lawsuits filed in the first ten months of 2019, compared to a total of 32 for the full year of 2018. The 39 state court securities suits filed between January 1, 2019 and October 31, 2019 already represent the highest annual total number of state court securities filings ever; the year-end 2019 total undoubtedly is even higher.

 

Not only are there more state court securities lawsuits being filed, but the percentage of Section 11 lawsuit defendants getting hit with parallel lawsuits filed in both state and federal courts has increased as well. This increase in parallel litigation can be seen by comparing Section 11 lawsuit filings before Cyan with the Section 11 lawsuit filings after Cyan.

 

According to the research of Professor Klausner and his colleagues, during the pre-Cyan period of January 1, 2014 through March 20, 2018, fully 66% of all Section 11 liability actions were filed in federal court only, while 18% were filed in state court only, and 16% filed in both state and federal court.

 

By contrast, in the post-Cyan period between March 31, 2018 and October 31, 2019, only 32% of Section 11 liability actions were filed in federal court alone, while 25% were filed in state court only, and a whopping 54% were filed in both federal and state court. In other words, post-Cyan, the majority of Section 11 action defendants face duplicate state and federal litigation.

 

An example from 2019 of a situation involving parallel state and federal court litigation is the post-IPO Section 11 litigation filed against SmileDirectClub. SmileDirect went public in September 2019. Shortly after its IPO, adverse news resulted in a drop of the price of its stock. In September and October 2019, the company, certain of its directors and officers, and its offering underwriters were hit with at least eight IPO-related securities class action lawsuits. The eight lawsuits involved separate actions filed in state courts in Michigan and Tennessee, as well as several other lawsuits filed in federal court.

 

There are mechanisms to consolidate the various actions that were filed in federal court. However, there is no mechanism to consolidate the actions filed in state court with the federal court lawsuits. There is no mechanism to consolidate the actions filed in different states.

 

As things stand, the defendants in the SmileDirect post-IPO litigation must now fight a multi-front war. The fact that the defendants must now defend in multiple jurisdictions adds not only complexity and expense, it adds uncertainty and even the possibility of conflicting or inconsistent procedures and decisions.

 

Among other things, one question that will have to be addressed is whether the state courts will apply the discovery stay applicable in federal court. In addition, another question is whether the state courts will apply a different pleading standards that those that would be applicable in federal court. On a more practical level, if the time were to come when the defendants might seek to settle the litigation, they will struggle reaching settlements that will resolve claims as to all claimants in all putative classes.

 

How all of this will work out in any particular case, or as a general matter, remains to be seen. We are still in the early days following the Cyan decision. To be sure, the situation is not all as bad as it might at first appear. At least some courts have abided by the discovery stay that is applicable in federal court actions. And the courts of at least three states (New York, Connecticut and Texas) have granted the defendants’ motions to dismiss in Section 11 liability actions.

 

However, the post-Cyan prospect for multiplied, parallel litigation has spooked the D&O insurance underwriters. A number of insurers have withdrawn from providing D&O insurance for IPO companies. Others now will write the coverage only on a high attaching excess basis. As the insurers have pulled back, the pricing for D&O insurance for IPO companies has increased significantly, and the self-insured retentions (SIR) that the insurers are requiring in order to provide primary terms have substantially increased. Moreover, these IPO-related pricing trends and increased retention requirements accelerated as 2019 progressed. The upshot is that the amount that IPO companies must pay to secure D&O insurance coverage increased dramatically during 2019. All signs are that these trends will continue as we head into 2020.

 

  1. Merger Objection Litigation Continues to Swell Federal Court Securities Filing Figures

As noted above in the discussion federal court securities class action litigation filings, a major factor driving the overall number of filings during 2019 was the number of federal court merger objection lawsuits. In these lawsuits, the shareholders of an acquisition target allege that the disclosures about or price to be paid in connection with a merger are inadequate. In the past, these kinds of lawsuits were filed in state court, particularly in Delaware state court. However, as a result of a series of rulings in which the Delaware courts evinced their hostility toward these kinds of actions, the plaintiffs’ lawyers are now filing these lawsuits in federal court, rather than in state court.

 

As has been the case for several years now, the vast majority of merger transactions in 2018 (the most recent year for which complete data are available) attracted at least one merger objection lawsuit. According to a June 2019 academic paper by Matthew Cain and Steven Davidoff Solomon of UC Berkley Law School, Jill Fisch of Penn Law School, and Randall Thomas of Vanderbilt Law School, during 2018, 83% of all completed deals attracted at least one lawsuit; of these lawsuits, 92% were filed in federal court.

 

Along with the shift of merger objection lawsuits from state to federal court has come a shift in the way that these kinds of cases are resolved. In the past, the typical pattern was that the case was settled for an agreement by the defendant company to make additional deal disclosures in exchange for a full release and an agreement to pay plaintiffs’ attorneys fees. Now the typical pattern has changed to one in which, in exchange for the defendants’ agreement to make additional disclosures and pay the plaintiffs’ counsel a mootness fee, the plaintiffs lawyers voluntarily dismiss the lawsuit. Prior to 2016, very few cases involved the payment of a mootness fee; in 2018, not only were 100% of all merger objection cases involving completed deals dismissed, but 63% involved the payment to the plaintiffs’ counsel of a mootness fee.

 

The problem with this “mootness fee” case resolution is that the dismissal and fee payments receive little judicial scrutiny — as a result of which, according to the academics cited above, the practice surrounding these mootness fee cases “amounts to a shakedown with little benefit beyond lining attorneys’ pockets.” It is a practice that, as academics note, amounts to “blackmail,” noting that the defendant companies are paying the fees “just to make these cases go away.”

 

There were promising signs during 2019 that courts have taken note of these developments and are starting to try to address the mootness fee problem. As discussed here, in June 2019, Northern District of Illinois Judge Thomas M. Durkin, exercising his “inherent authority” and acting at the urging of an objecting shareholder,  “abrogated” the settlement of the litigation arising out of the acquisition of Akorn, Inc. by Frensenius Kabi AG, and ordered the plaintiffs’ lawyers to return to Akorn their $322,000 mootness fee, ruling that the additional disclosures to which the company agreed were “worthless to shareholders” and that the underlying lawsuits should have been “dismissed out of hand.” (Judge Durkin’s ruling is on appeal.)

 

Similarly, as discussed here, in August 2019, District of Delaware Judge Richard G. Andrews denied the plaintiffs’ fee petition in the merger objection lawsuit filed in connection with the acquisition of DST Systems, Inc. by SS&C Technologies, finding that the plaintiffs had failed to carry their burden in establishing that the supplemental disclosures produced a “substantial benefit “on DST shareholders.  The Court said a review of the supplemental disclosures “reveals that Plaintiffs have failed to carry their burden on materiality of the information.” The plaintiffs, the Court said, “have not established that they provided the stockholders with a substantial benefit so as to warrant an award of attorneys’ fees.”

 

These courts’ rulings represent small steps toward the possibility of putting an end to the merger objection lawsuit mootness fee “racket.” Unfortunately, the fact is that merger objection lawsuits continue be filed in connection with a majority of merger transactions. These lawsuits, which are mostly filed by a very small number of plaintiffs’ law firms, represent a tax on legitimate corporate activity in our country.

 

The litigation frequency and legal expense surrounding these kinds of lawsuits are among the many factors adding to D&O insurers woes (as discussed in the final section below). As these litigation patterns emerged in recent years, many insurers began adding a separate, higher retention for merger related litigation, often $1 million or more. These higher retentions mean that the cost of this litigation often is borne exclusively by the insured companies, a fact that underscores the fact that the plaintiffs’ lawyers filing these kinds of lawsuits are effectively imposing a deal tax on merger lawsuits in this country, a fact that is not lost on those in the business community seeking securities litigation reform.

 

  1. Business Groups, D&O Insurers Raise Call for Securities Litigation Reform

As the three preceding sections all demonstrate, the current state of securities litigation in this country is nothing short of alarming. The numbers of lawsuits being filed, the percentage of companies being sued, and the proliferation of parallel Section 11 lawsuits and of merger objection litigation all suggest that there are serious problems with our securities litigation system. Under these circumstances, it is hardly a surprise that during 2019 calls for securities litigation reform emerged.

 

Among the voices raising the call for renewed securities litigation reform is the U.S. Chamber of Commerce. In February 2019, the Chamber’s Institute for Legal Reform hosted a conference in Washington, D.C., a variety of speakers detailed the growing securities litigation problems and proposed possible solutions. The Chamber itself has published several papers outlining various reform proposals, including calls for increased judicial supervision of securities lawsuit settlements and of plaintiffs’ attorneys’ fee awards.

 

Calls for securities litigation reform have also come from within the D&O insurance industry. In June 2019, Chubb, a leading global insurer, stepped forward to advocate for reform. In a paper entitled “From Nuisance to Menace: The Rising Tide of Securities Class Action Litigation” (here), the company detailed the extent of the current securities litigation mess and set out a number of proposals for securities litigation reform.

 

The Chubb paper sets out a number of surprising and alarming securities litigation statistics. For example, the paper reports that over the last five years, the total cost of securities litigation, including settlements and attorneys’ fees, is $23 billion. Of that astonishing total, half of the amount has gone to the attorneys (plaintiff and defense).

 

The paper also details a number of reform proposals. For example, in order to address the post-Cyan problems detailed above, the paper proposes that Congress revise the jurisdiction provisions of the Securities Act of 1933 to eliminate state court’s concurrent jurisdiction for ’33 Act liability actions.

 

The situation that Cyan has created is obviously a huge mess.  It wasn’t supposed to be this way. The whole idea when Congress passed the Securities Litigation Uniform Standards Act (SLUSA) in 1998 was that class action litigation under the federal securities laws was to go forward in federal court and federal court only. Apparently, and as the Cyan case itself shows, in enacting SLUSA Congress made a hash of it when it comes to the jurisdictional provisions of the ’33 Act.

 

The good news is that it was would be relatively simple fix to amend Section 22 of the ’33 Act to eliminate concurrent state court jurisdiction for ’33 Act liability claims and to provide for the removal to federal court of any ’33 Act liability actions filed in state court. Of course, whether the potential for Congressional action can actually be considered “good news” depends on how your feel about the likelihood of the current divided and distracted Congress actually taking steps to provide a common sense solution to a totally out of control situation.

 

With the possibility for Congressional action at best uncertain, some commentators have called for companies to engage in a little self-help, by adopting bylaw provisions designating federal courts as the exclusive forum for the resolution of claims against the company under the ’33 Act. A number of IPO companies have adopted these kinds of provisions.

 

Unfortunately, as discussed here, in December 2018, the Delaware Chancery Court ruled in Sciabacucchi v. Salzberg that that under Delaware law, federal forum provisions are invalid and ineffective. The Sciabacucchi decision is on appeal to the Delaware Supreme Court; the case will be argued in January 2020. Unless and until the Delaware Supreme Court overturns the Sciabacucchi decision, the adoption of federal forum provisions will not help avoid the problems that Cyan has spawned.

 

For now at least, the possibility of Congressional action, no matter how uncertain, may be the best bet for trying to clean up the securities litigation mess.

 

  1. Cybersecurity Incidents Continue to Draw D&O Lawsuits

For many years, industry observers have predicted we would see a surge of D&O litigation involving companies that have experienced data breaches. Although cybersecurity-related D&O lawsuits have indeed been filed in recent years, the litigation has never accumulated in the volume that some have suggested it might. But the lawsuits do continue to come in – several more were filed in 2019.  As time has gone by, the nature of the allegations has changed as well.

 

The highest profile data-breach related securities lawsuit in 2019 was the suit filed against Capital One, which was involved in the largest data breach disclosed during the year.  In late July, the company announced that it had determined that an unauthorized intruder had gained access to its systems. The intruder had obtained the personal information of the bank’s credit card applicants and customers. The company said that the breach involved the personal information of over 100 million customers in the U.S. and another 6 million in Canada. The company’s share price declined 6% on the news.

 

As discussed here, on October 2, 2019, a plaintiff shareholder filed a securities class action lawsuit in the Eastern District of New York against Capital One and certain of its directors and officers.  The complaint alleged that the defendants had misrepresented or omitted to report that “(1) the Company did not maintain robust information security protections, and its protection did not shield personal information against security breaches; (2) such deficiencies heighted the Company’s exposure to a cyber-attack; and (3) as a result, Capital One’s public statements were materially false and misleading at all relevant times.” The complaint seeks to recover alleged damages on behalf of the class of Capital One shareholders.

 

A second data breach-related securities suit filed in 2019 involves the customer support services company Zendesk. As discussed here, the securities class action lawsuit filed in the Northern District of California in October 2019 against the company and certain of its directors and officers combined allegations involving the company’s earnings miss in the prior financial reporting quarter along with allegations relating to a data breach the company had announced. In an early October blog post, the company announced that an intruder had accessed about 15,000 customer and client accounts and that the intruder had accessed some personally identifiable information from the accounts. The company’s share price declined about 4% on the news of the breach (following a prior decline in the share price based on the company’s earnings disappointment). The complaint alleges that the company had failed to disclose the existence of a data breach that allegedly went back to 2016.

 

A third cybersecurity-related securities lawsuit filed in 2019 differed from these other two, as it did not involve a data breach.  The securities class action lawsuit filed in June 2019 against FedEx (discussed here) involved adverse cybersecurity developments in the company’s European operations. In June 2017, the European operations were hit with the NotPetya virus, as part of what has been described as the largest cyberattacks in history. The virus disrupted the European operations, resulting in a revenue decline. The company claimed shortly after the 2017 attack that it had recovered from the disruption and revenue and integration efforts remained on track. However, the securities lawsuit complaint claims, the company had not recovered from the attack and in 2019 disclosed that the fallout from the attack continued to disrupt the integration of the European operations.

 

Though all three of these lawsuits are based upon cybersecurity incidents, the FedEx lawsuit involved a malware virus attack, not a data breach. By contrast to the other two lawsuits, in the FedEx lawsuit there is no allegation that private information was compromised. The fact that the FedEx lawsuit did not involve a data breach is a reminder that there are a wide variety of different types of cybersecurity incidents that might lead to a D&O claim and that the D&O cybersecurity-related risk goes far beyond the risk that a plaintiff might attempt to file a D&O claim in the wake of a data breach.

 

One reason there have not been even more cybersecurity-related D&O lawsuits is that often a company’s disclosure of a cybersecurity incident does not result in a significant decline in the company’s share price, making the circumstances less attractive to plaintiffs’ attorneys. Indeed, even though Capital One’s data breach was massive, the ensuing share price decline was relatively modest.

 

The fact that Capital One was sued notwithstanding the relatively modest size of its share price decline does highlight the fact that at least in some circumstances plaintiff’s lawyers are still going to be interested in filing cybersecurity-related D&O claims. The likelihood is that we are going to continue to see these kinds of claims, although the evidence to date suggests that we unlikely to see a large volume of these claims.

 

  1. Privacy Emerges as a Top Level Corporate Risk

Privacy is a liability exposure that is related to but different than cybersecurity. A data breach may lead to privacy issues, but there doesn’t need to be a data breach for privacy issues to arise. Cybersecurity has to do with the way data is protected; privacy has to do with the way data is used (or misused). A number of developments during 2019 highlighted the growing importance of privacy-related issues as an area of corporate concern.

 

By far the biggest privacy-related development during the year was Facebook’s massive settlement with the Federal Trade Commission (FTC). As discussed here, on July 24, 2019, the FTC announced that Facebook will pay a record-breaking $5 billion penalty and submit to new restrictions and a modified corporate structure. The settlement required Facebook to adopt a number of corporate governance therapeutics, including among other things, the creation of a privacy committee on the company’s board of directors.

 

In a development related to the Facebook FTC settlement, the Securities and Exchange Commission (SEC) announced that Facebook had agreed to a $100 million settlement to resolve the agency’s allegations that the company misled investors regarding the risk of misuse of Facebook user data. Both the FTC and the SEC actions followed the March 2018 revelations that data analytics firm Cambridge Analytica had obtained access to user data of millions of Facebook users.

 

The news of the Facebook settlements came just a few days after the U.K. privacy regulator announced the potential imposition of two massive General Data Protection Regulation (GDPR) fines, as discussed here.

 

The first of these involved a July 8, 2019 announcement from the U.K.’s Information Commissioner’s Office (ICO) of the agency’s intention to fine British Airways £183.39 million ($230 million) for violation of GDPR. The proposed fine relates to a cyber incident that British Airways noticed to the ICO in September 2018. The cyber incident involved the diversion of user traffic from British Airways’ website to a fraudulent site. The ICO concluded that the personal data of approximately 500,000 customers was compromised.

 

The second of the two recent fines relates to Marriott International. On July 9, 2019, the ICO announced that it intends to impose a fine of £99.2 ($124 million) against the company in connection with the high-profile breach involving the company’s Starwood Customer loyalty program website. (The Starwood breach also has been the subject of regulatory investigations and securities litigation in the U.S., as well). The ICO‘s press release about the proposed fine says that the agency concluded that Marriott failed to “conduct proper due diligence” in connection with the company’s 2016 acquisition of Starwood and that Marriott “should have done more to secure its systems.” The breach of the Starwood system exposed as many as 339 million customer records, of which approximately 30 million involved records of customers living in the EU, including 7 million in the U.K.

 

These various fines represent significant developments, and not just because of their massive size. The fines show that regulators are taking privacy-related issues very seriously and that they intend to actively enforce privacy laws. The proposed penalty against Marriott is particularly significant because it highlights the fact that a company based outside the E.U. is very much subject to regulatory scrutiny under the GDPR.

 

Though it is relatively smaller than the FTC settlement, Facebook’s separate settlement with the SEC is important in its own way. The SEC’s enforcement action was focused on Facebook’s disclosures to investors about the company’s privacy practices. The action highlights the fact that privacy-related disclosures are significant and the failure to provide appropriate disclosures to investors about privacy practices may represent a violation of the federal securities laws. This enforcement action exemplifies the way privacy-related issues might lead to D&O claims.

 

As these massive fines suggest, privacy may represent one of the most significant areas of potential corporate risk exposure going forward. This risk includes not only the possibility of the kinds of massive regulatory fines that the GDPR permits, but it also includes the possibility of follow-on D&O claims, when shareholders claim that company management failed to take appropriate steps to prevent the regulatory fines or that management failed to fully inform investors of the regulatory risks that the company faces.

 

One specific area where privacy-related issues developed into management liability claims during 2019 has to do with biometric data, and in particular with respect to Illinois law regarding biometric information. The Illinois Biometric Information Privacy Act (BIPA) has been on the books for more than a decade. However, as a result of a January 2019 decision by the Illinois Supreme Court, the statute’s requirements and potential liabilities have become a much more serious concern.

 

In a January 25, 2019 decision in Rosenbach v. Six Flags Entertainment Corporation case (here), the Illinois Supreme Court ruled that a plaintiff may be “aggrieved” under BIPA and have standing to sue for statutory damages, even without alleging an “actual injury” caused by the BIPA violation.

 

The decision has significantly encouraged plaintiffs’ lawyers to file BIPA class action lawsuits. In a June 2019 study on the Workplace Class Action Blog (here), which called the BIPA class action litigation the “hottest class action trend” in Illinois, showed that BIPA class litigation had “increased at an exponential and rapid pace” following the Illinois Supreme Court’s decision. Thus, the study found that while there had only been a total of 79 BIPA class actions filed in all of 2018, as of the half-way point in 2019, there had already been 161 BIPA securities class action lawsuits filed in 2019 (151 of which had been filed since the Illinois Supreme Court’s Rosenbach decision).

 

Illinois is not the only state with legislation protecting biometric data. Both Texas and Washington State have long had legislation on the books protecting biometric data privacy. In recent years, a number of other states have enacted legislation protecting biometric data privacy, including Arkansas, California, and New York. In addition, a number of other states are considering legislation to protect biometric data privacy, including Alaska, Delaware, Florida, Arizona, Hawaii, Oregon, Massachusetts, New Hampshire, New Jersey and Rhode Island. While Illinois may be in the vanguagd on the biometric data privacy issues, other states are set to join the bandwagon. Clearly, biometric data privacy is and will remain a hot button privacy issue.

 

As the massive and rapid increase in Illinois BIPA class action litigation shows, privacy-related liability risks may emerge quickly and come from a number of different directions. And as noted above, the potential liability exposure for alleged biometric privacy violations likely will not be limited just to claims under the Illinois laws.

 

One final note about privacy: As active as the issue of privacy was during 2019, it promises to be even more prominent in 2020, as the California Consumer Privacy Act of 2018 took effect on January 1, 2020.

 

 

  1. Delaware Chancery Court Decisions Signal Revival of Duty of Oversight Claims

Since the 1996 Delaware Chancery Court decision in Caremark, Delaware’s courts have recognized that boards of directors’ duties include a duty of oversight. However, though long-recognized, these kinds of claims have proven challenging for plaintiffs to sustain. As the Delaware court themselves have recognized, the pleading burdens for plaintiffs seeking to assert these kinds of claims are “onerous.”

 

Despite the difficulty for plaintiffs in these kinds of cases to surmount pleading hurdles, the Delaware courts in two cases in 2019 found that the plaintiffs involved had sufficiently stated claims breach of the duty of oversight. The outcome in these two 2019 cases suggests at a minimum that oversight duty breach cases can be viable, and could further suggest that plaintiffs might seek to press claims on these kinds of theories, in a variety of contexts.

 

The first of the two cases, Marchand v. Barnhill, involved claims that had been brought against the board of Blue Bell Creameries. Blue Bell is an ice cream manufacturer that has suffered a deadly listeria outbreak. The food contamination crisis in turn led to disruption in the company’s operations and ultimately to financial distress. A plaintiff shareholder sued Blue Bell’s board,  alleging that the directors had breached their duties of care and loyalty by knowingly disregarding contamination risks and failing to oversee the safety of the company’s food-making operations, and that the company’s board of directors had breached their duty of loyalty under Caremark. The Delaware Court of Chancery granted the defendants’ motion to dismiss, and the plaintiff appealed to the Delaware Supreme Court.

 

As discussed here, in a unanimous June 19, 2019 opinion written by Chief Justice Leo E. Strine, Jr.,  the Delaware Supreme Court reversed the lower court’s ruling. The court said that “the complaint supports an inference that no system of board-level compliance monitoring and reporting existed at Blue Bell,” which in turn “supports an inference that the board has not make the good faith effort that Caremark requires.”

 

The court said that the plaintiff met his “onerous pleading burden and is entitled to discovery to prove out his claim” where he pled facts “supporting a fair inference that no reasonable compliance system and protocols were established as to the obviously most central consumer safety and legal compliance issue facing the company” and that “the board’s lack of efforts resulted in it not receiving official notices of food safety deficiencies for several years, and that, as a failure to take remedial action, the company exposed consumers to listeria-infected ice cream, resulting in the death and injury of company customers.”

 

The second of the two Delaware oversight duty cases involved Clovis Oncology. In a shareholder derivative suit, a Clovis shareholder alleged that the company’s board breached their duty of oversight under Caremark by failing to oversee key clinical trials involving a developmental stage company cancer drug. As discussed here, in an October 1, 2019 opinion, Vice Chancellor Joseph R. Slights III denied the defendants’ motion to dismiss the claim.

 

In denying the defendants’ motion to dismiss, Vice Chancellor Slights referenced the Marchand decision, which, he said, “underscores the importance of the board’s oversight function when the company is operating in the midst of a ‘mission critical’ regulatory compliance program.” He said that Marchand “makes clear” that where a company operates in a “mission critical” regulatory environment, “the board’s oversight function must be more rigorously exercised.” In order to show fulfillment of this oversight function, the board must show “a good faith effort to implement and oversight system and then to monitor it.”

 

Vice Chancellor Slights found that the plaintiffs in the Clovis case had alleged that “the Board consciously ignored red flags that revealed a mission critical failure to comply” with the rigorous clinical trial protocols and associated FDA regulations, and that “this failure of oversight caused monetary and reputational harm to the Company.”  The Vice Chancellor specifically found that the plaintiffs had alleged that the “Board ignored multiple warning signs that management was inaccurately reporting” the cancer drug’s efficacy.

 

Both Marchand and Clovis Oncology emphasized that the board’s oversight responsibilities are particularly important with respect to “mission critical” regulatory requirements. Both claims arose out of circumstances that involved compliance requirements that the board had to be watching given the importance of the requirements to the company’s operations and business success.

 

These considerations could be relevant with respect to any number of challenges a company might face, but could be particularly relevant in connection with cybersecurity and privacy. It is no accident that as a part of its recent massive settlement with the FTC on privacy-related issues, Facebook not only agreed that its CEO would have specific oversight and reporting responsibilities, but also that the company’s board must establish a privacy committee and maintain oversight responsibilities.

 

For many companies, data security and privacy concerns are every bit as mission critical as food safety is for Blue Bell Creameries.  The Marchand decision suggests that at least in certain circumstances shareholders might attempt to hold directors accountable for data and privacy breaches by filing a Caremark claim alleging a breach of the duty of oversight. Yes, the pleading hurdles for this type of claim are “onerous.” But unless boards can demonstrate that they made a good faith effort to oversee mission critical areas of risk like data and privacy security, claimants may be able to establish a Caremark claim.

 

The implication of the Marchand opinion is that in order to demonstrate that they have fulfilled their duty of oversight boards must be able to show that they have made a good faith effort to monitor a critical area of company risk. Data security and privacy clearly are two areas of company risk that for many companies are absolutely critical. The lesson for boards is not just that boards can be held liable for breaches of their duty of oversight. The lesson here is also that boards should take steps to ensure that they can demonstrate a good faith effort to oversee and monitor company risks – which for many companies will include a company’s data and privacy security concerns.

 

  1. Companies Face D&O Claims Based on Environmental and Climate-Change Related Disclosures

At a time when litigation involving corporate disclosures regarding cybersecurity, privacy, and other hot topics dominates the discussion, potential corporate exposure arising from environmental liabilities and disclosures does not always receive the attention it deserves. However, environmental disclosures can be and frequently are the subject of D&O litigation, both in the form of securities class action litigation and shareholder derivative litigation.

 

There were a number of claims filed during 2019 based on environmental disclosures, underscoring the continuing exposure that companies face, particularly those in certain industrial sectors. In a related area, there were also claims filed in 2019 relating to climate change-related disclosures as well. These developments suggest that environmental and climate change related disclosures represent an important area of potential corporate liability exposures.

 

In the first of these lawsuits, on July 29, 2019, a plaintiff shareholder filed a securities class action lawsuit in the United States District Court for the District of New Jersey against 3M Corporation and certain of its directors and officers, as discussed here.  The gist of the complaint is the plaintiff’s allegation that the defendants engaged in a scheme to defraud investors by issuing false and misleading statements “to conceal the truth about the Company’s exposure to legal liability associated with its most lucrative product offerings: man-made chemicals known as per- and polyfluoroalkyl substances (PFAS).”

 

The timeline of events in plaintiff’s complaint begins in 2010, when the State of Minnesota sued 3M for environmental damage caused in the state. The securities lawsuit complaint alleges that on the eve of trial in the Minnesota lawsuit, 3M settled the suit for $850 million, the third largest natural damage claim settlement in history (behind only the Deepwater Horizon and Exxon Valdez oil spill settlements).

 

The securities lawsuit complaint alleges that “while publicly denying that PFAS cause harm to humans and the environment,” the defendants concealed and misrepresented that: “(i) 3M’s vast internal evidence dating back decades confirming that PFAS are toxic (which was first publicly revealed in February 2018 by Minnesota’s Attorney General); (ii) 3M’s decades-long history of suppressing negative information and/or damaging data about PFAS; and (iii) 3M’s legal exposure to state, county, and local governments and individuals around the country as a result of its knowledge and intentional concealment of the toxic harm caused by the use of PFAS.”

 

The second of the environmental-disclosure related lawsuits filed in 2019 involves The Chemours Company, a chemical company that spun out of E.I. du Pont de Nemours and Company (“DuPont”) in July 2015. As discussed here, one of the extraordinary things about the Chemours securities suit is that it draws heavily on allegations Chemours itself raised in a 2019 Delaware Chancery Court lawsuit it filed against DuPont, in which, among other things, Chemours alleges that when DuPont spun out the company, its environmental liabilities reserves were “spectacularly” inadequate.

 

The securities complaint alleges that in connection with the spin-off, Chemours itself concealed these facts, instead marketing the spin-off by saying that its environmental liabilities were “well understood [and] well-managed” and that the possibility of incurring environmental liabilities greater than its accruals was “remote.” The securities complaint further alleges that throughout the Class Period, Chemours had reassured investors that any potential environmental liability exposures exceeding the accrual amounts would not be material to the company’s financial position.

 

The securities complaint alleges that “in reality, the Company’s accruals were woefully insufficient and Chemours knowingly and systematically understated its known environmental liabilities exposure.” The complaint alleges that in the company’s August 1, 2019 press release and its August 2, 2019 SEC filing on Form 10-Q, the company disclosed significant increases in the Company’s estimated environmental liabilities. The complaint alleges that on these disclosures, the company’s share price declined 19% (after having already declined 10% following the unsealing of the Delaware Chancery Court complaint).

 

In addition to these two environmental disclosure-related lawsuits, the 2019 securities class action lawsuit filings also included at least one filing based on climate change-related disclosures.

 

As discussed here, on October 25, 2019, a plaintiff shareholder filed a securities class action lawsuit in the Northern District of California against three PG&E executives in the wake of the severe 2019 California wildfires. (The company itself, which filed for Chapter 11 bankruptcy on January 19, 2019, is not named as a defendant.)

 

In addition to the company’s various statements about its wildfire safety measures, the PG&E securities class action complaint also quotes at length the company’s statements about why wildfires have in recent years have become both a serious and growing problem.

 

For example, the complaint quotes at length from the company’s December 10, 2018 press release, which, among other things, quotes the company’s then-CEO as saying that Californians are “all faced with the devastating realities of extreme weather and the growing wildfire threat,” adding that “in recent years, we’ve made significant changes and additions to our business to combat these weather events, but the climate is changing faster.”

 

The complaint also quotes the company’s December 13, 2018 press release, which refers to a company official as saying “As California experiences more frequent and intense wildfires and other extreme weather events, we must take necessary, bold, and urgent steps to protect our customers.”

 

The 2019 securities lawsuit against PG&E directors and officers is also just the latest lawsuit involving  PG&E relating to California wildfires occuring due to changed operating conditions arising from global climate change. As I noted at the time, PG&E was hit with a climate change-related securities class action lawsuit in the wake of the 2018 wildfires. The company was also hit with a separate shareholder derivative lawsuit after the 2018 wildfires.

 

Although these climate change-related lawsuits relate specifically to PG&E, the risk exposure obviously does not relate just to a single company. To the contrary, companies whose operations will be affected by the changing physical conditions arising from climate change could find themselves the target of claims from investors and other constituencies for failure to anticipate and guard against climate change-related conditions — not just with respect to wildfires, but also, for example, relating to coastal flooding, drought, supply chain disruption, political unrest, and the many other kinds of effects and consequences that climate change may cause.

 

Though the potential exposure to companies arising from climate change-related disclosure is substantial, one other development in 2019 suggests that plaintiffs may face significant hurdles in trying to sustain these kinds of claims.

 

As discussed here, on December 10, 2019, New York (New York County) Supreme Court Justice Barry Ostrager ruled in a lengthy and detailed post-trial opinion that the New York Attorney General (NYAG) had failed to establish that ExxonMobil Corporation made material misrepresentations in its public disclosures concerning how the company accounted for climate change risk. The NYAG complaint had alleged that ExxonMobil maintained a different internal measure for its anticipated future costs arising from climate change-related developments than was disclosed externally to investors and regulators. Justice Ostrager concluded that the NYAG “failed to prove by a preponderance of evidence that any alleged misrepresentations” on which the NYAG sought to rely were false and material in the context of the total mix of information available to the public.

 

While some commentators have argued that the outcome of the NYAG’s lawsuit against ExxonMobil can be interpreted to suggest that the other plaintiffs will not succeed in trying to assert securities law violations based on climate change disclosures, it is important to keep in mind that Justice Ostrager did not say that climate change-related disclosures could not serve as the basis of a securities claim. Rather, he said only that in this case the NYAG has not sustained its evidentiary burden. Whether a future claimant in a different case might sustain its burden will of course depend on the circumstances and allegations involved.

 

  1. Wells Fargo Settlement Signals the Elevated Severity Risk from Shareholders Derivative Actions

There was a time not long ago when settlements of shareholder derivative lawsuits rarely involved a significant cash component. This pattern has changed in recent years, as there has been a series of high-profile shareholder derivative lawsuit settlements involving significant cash payments. This recent pattern continued in 2019 with the massive settlement in the Wells Fargo derivative litigation.

 

The Wells Fargo derivative suit arose out of the bank’s phony customer account scandal. The scandal arose out of the bank’s high-pressure sales strategy that led to as many as 2.1 million deposit and credit card accounts being created using fictitious or unauthorized customer information. In September 2016, fines and penalties totaling $185 million were imposed on the bank, including a $100 million fine by the Consumer Financing Protection Bureau, $35 million penalty to the Office of the Comptroller of the Currency, and another $50 million to the City and County of Los Angeles. In addition, in late March 2017, the bank agreed to a $110 million settlement of the consolidated class action that had been filed on behalf of bank customers who were affected by the improper sales practices.

 

Beginning in September 2016, a number of Wells Fargo shareholders filed a series of shareholder derivative lawsuits in the Northern District of California. The consolidated amended derivative complaint alleged that the bank’s board and senior executives “perpetuated” a business-model based on aggressively cross-selling additional products to existing customers. These practices “effectively forced” its employees to open over two million unauthorized accounts. The company senior officials allegedly “knew or consciously disregarded that Wells Fargo employees were illicitly creating millions of deposit and credit card accounts for their customers, without these customers’ knowledge or consent.”

 

The amended complaint contends that the defendants knew about and permitted these activities notwithstanding complaints to the company’s ethics line, several wrongful termination lawsuits, a whistleblower lawsuits, and a Los Angeles Times article that reported the fraudulent account creation activity.

 

In late February 2019, the parties agreed to settle the consolidated shareholder derivative litigation for a variety of cash and non-cash benefits with a stated value to the company of $320 million, inclusive of a cash payment of $240 million. The $240 million cash portion of the settlement will be paid by the bank’s D&O insurers, in what is, according to the plaintiffs’ counsel, “the largest insurer-funded cash component of any shareholder derivative settlement in history.” The settlement includes an agreement and understanding that the lead plaintiffs’ counsel will apply to the court for an award of fees and expenses not to exceed $68 million to be paid by Wells Fargo.

 

By any measure, this settlement is one of the largest shareholder derivative settlements ever. Just exactly where it fits on the derivative settlement league tables depends on how you look at it. The settlement’s stated value of $320 million would seem on its face to make it the largest derivative settlement ever, far exceeding the 2014 Activision Blizzard derivative settlement of $275 million. However, notwithstanding the settlement’s stated value of $320 million, the cash value of the Wells Fargo settlement is $240 million. Whether or not the Wells Fargo settlement is or is not bigger than the Activision Blizzard settlement is a matter of interpretation and perspective with respect to the settlement’s stated $320 million value. It is in any event noteworthy that, as the plaintiffs’ press release states, the settlement represents the derivative suit settlement with the largest insurer-funded cash component.

 

In any event, the Wells Fargo derivative suit settlement represents a very significant development. Among other things, it is the latest example of the way in which shareholder derivative settlements now increasingly involve a significant cash component. Typically, derivative settlements in the past involved only an agreement to adopt corporate therapeutics and the payment of plaintiffs’ attorneys’ fees. In the last ten years, it has become increasingly common for high-profile derivative suit settlements to involve a significant cash component. It is clear that derivative lawsuits now present a severity risk for companies and their insurers, which was not the case in the past.

 

As the massive amount of insurance money that is going toward the Wells Fargo settlement demonstrates, the advent of a significant cash contribution component in derivative settlements represents a very serious problem for D&O insurers. The massive increase in the cash component of derivative settlements is one more change in the D&O litigation arena that significantly increases the D&O insurers’ potential exposure. This arguably is a particular concern for excess D&O insurers, as these massive losses now push into the high attaching excess layers in a way they would not have in the past.

 

The one thing that seems certain is that given the plaintiffs’ lawyers’ $68 million payday in the Wells Fargo derivative suit settlement, the plaintiffs’ bar will certainly have incentives to pursue more claims of this type.

 

  1. Policyholders and Insurance Buyers Face a Disrupted D&O Insurance Marketplace

As the above discussion shows, corporate directors and officers and their insurers face a claims environment that can only be described as challenging. The current claims environment has developed at the same time that the insurers are recognizing poor prior underwriting year results stemming from more than a decade of depressed premiums brought about by intense competition. Across the board, the D&O insurers are under pressure from senior management to reorient their portfolios toward profitability. As a result, policyholders and insurance buyers increasingly face a disrupted D&O insurance marketplace.

 

The pace of change in the D&O insurance marketplace has been swift, and the shifts have been significant. The market correction, which started in the second half of 2018, accelerated during 2019. The changes in the public company D&O insurance marketplace have included not only steep premium increases, but also higher retentions, and, at times, a reduction in capacity, the addition of restrictive terms, and, in some cases, nonrenewal. The hardening market has been most pronounced for IPO companies and in certain industrial sectors — healthcare, life science, technology, communications, and financial services companies have experienced the most drastic changes.

 

The public company D&O insurance market is hardening even though the total insurance capacity available has remained more or less steady. What has changed is the deployment of that capacity. Fewer insurers are competing for the primary position within D&O insurance towers. Excess insurers are requiring higher increased limit factors (that is, higher percentages of the premium in the underlying layer) than has been the case for many years. The rise in the excess insurers’ increased limit factors in effect multiplies the primary insurer’s premium increases throughout the rest of the program.

 

As a result, public company insurance buyers are facing substantial increases in their D&O insurance costs. In addition, many buyers are also seeing substantial increases in their retentions, as insurers are requiring companies to assume much more risk before policy coverage responds. For example, an IPO company that in the past might have had a $2 million retention now might have a retention of as much as $10 million – or more.

 

The marketplace for private company D&O insurance is also changing, although not to the same degree as the public company D&O space. In the first quarter, private company D&O insurers were generally seeking premium increases of 5% to 10% (absent any material exposure changes). However, since mid-2019, many private company D&O insurers have shifted toward double-digit increases. Certain sectors are seeing the largest increases. Some companies in the healthcare sector, for example, are seeing 20% to 30% premium increases at renewal, as well as substantially increasing retentions. Pricing for so-called “unicorn” companies (private companies with valuations over $1 billion) has skyrocketed as many insurers have shied away from these companies.

 

One frequent question that comes up when the current disrupted marketplace conditions are under discussion is – how long will this last? The pattern in the past has been that almost as soon as pricing gets to levels that are comfortable for D&O insurers, competitive instincts kick in and pricing gains give way to pricing declines. The harder market for D&O insurance that emerged following 9/11 and during the era of corporate scandals lasted only from the end of 2001 until about the middle-to-end of 2003.

 

It is difficult to know how long the current period of price hardening will last. At this point, none of the signs that might signal the return of competition – the emergence of significant new players, old-line carriers stepping off the sidelines – have yet appeared. To the contrary, as we head into 2020, all signs are that, at least for now, the current disrupted market will continue. Indeed, there are some predictions that the disruption will accelerate further in 2020.

 

At a time when the insurers are rapidly changing their approach and in many cases restricting the terms and conditions they are willing to offer, it is particularly important for policyholders and insurance buyers to ensure that they have a knowledgeable and experienced insurance advisor involved to help them through what could be a very fraught insurance purchase process.

 

Until recently, when premiums declined and coverage expanded every year no matter what, it may have sufficed for insurance buyers to rely on an insurance consultant lacking specific D&O insurance expertise. That approach will not work now.

 

Policyholders and insurance buyers will need to understand the significance of the changes they are having to confront as well as all of the full range of alternatives available.

 

Now more than ever it is critically important for policyholders and insurance buyers to enlist the assistance of an experienced D&O insurance specialist in the placement of their D&O insurance.

 

Top Ten D&O Stories of 2019 Webinar: On January 14, 2020, at 11: 00 am EST, I will be conducting a free, hour-long webinar on the Top Ten D&O Stories of 2019. My colleague and friend Marissa Streckfus will be moderating the event. To register for this event, please click here. I hope everyone will plan on attending this January 14 webinar.

 

Top Ten 2019 Travel Pictures: In case you did not see it, over the holidays, I published a post with my Top Ten Favorite Travel Pictures of 2019, here. In my travel pictures post, I invited readers to submit their favorite pictures from their own 2019 travels. I published the first installment of readers’ pictures last week, here. Readers are invited to continue to submit their pictures, I enjoy receiving the pictures and I also enjoy the chance to publish them as well.