Sarah Abrams

Recent reports have brought to light the disturbing story that many companies may have unwittingly hired North Korean operatives as outsourced IT professionals. In the following guest post, Sarah Abrams, Head of Claims Baleen Specialty, a division of Bowhead Specialty, considers the potential claims exposure that could arise for companies that have hired the North Korean operatives. I would like to thank Sarah Abrams for allowing me to publish her article as a guest post on this site. I welcome guest post submissions from responsible authors on topics of interest to this site’s readers. Please contact me directly if you would like to submit a guest post. Here is Sarah’s article.

Sarah Abrams

In the following guest post, Sarah Abrams, Head of Claims at Baleen Specialty, a division of Bowhead Specialty, takes a look at recent changes in the DOJ’s Data Security Program (DSP) and discusses the D&O liability and insurance implications. I would like to thank Sarah for allowing me to publish her article as a guest post on this site. I welcome guest post submissions from responsible authors on topics of interest to this site’s readers. Please contact me directly if you would like to submit a guest post. Here is Sarah’s article.


John Reed Stark

Along with all of the other anxieties about the upcoming Presidential election, there is the concern that someone, somewhere will use some type of cyberattack to interfere with the electoral process. If that were to happen, the immediate question will be “Who did it?” In the following guest post, John Reed Stark, President of John Reed Stark Consulting and former Chief of the SEC’s Office of Internet Enforcement, underscores the difficulties associated with identifying the actors behind any cyberattack and cautions against jumping to conclusions about who might have been involved. A version of this article previously was published on Cybersecurity Docket. I would like to thank John for allowing me to publish his article as a guest post on this site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is John’s article.

Bill Boeck

In June 2017, the food company Mondelez International was one of the companies hit by the major global computer malware attack dubbed NotPetya. According to news reports, the malware caused damage to the company’s network servers and computers in excess of $100 million. Various sources have attributed the malware attack to the Russian military. Mondelez submitted its losses to its property insurer, which denied coverage in reliance on the policy’s war exclusion. Mondelez and its insurer are now in coverage litigation. In the following guest post, Bill Boeck takes a look at the litigation and its implications. Bill is currently Senior Vice President and Insurance and Claims Counsel with the Lockton Companies. He is Lockton’s global leader for cyber claims and for the development of proprietary cyber wordings and endorsements. Bill also leads Lockton’s US financial lines claims practice. A version of this article previously was published on the Lockton Cyber Risk Update Blog. I would like to thank Bill for his willingness to allow me to publish his article on this site. I welcome guest post submissions from responsible authors on topics of interest to this site’s readers. Please contact me directly if you would like to submit a guest post. Here is Bill’s article.

John Reed Stark

Many of us have been following the continuing battle between Apple and the U.S. government over whether the government can require the company to unlock the iPhone of the San Bernardino terrorist, Syed Rizwan Farook, with a combination of confusion and concern. In the following guest post, John Reed Stark, President of John Reed Stark Consulting and former Chief of the SEC’s Office of Internet Enforcement, sorts out the issues involved in the battle between Apple and the government, in light of all the circumstances, including the February 29, 2016 opinion by Eastern District of New York Judge James Orenstein in the separate Apple iPhone unlocking case. A version of this article originally appeared on CybersecurityDocket.com. I would like to thank John for his willingness to publish his article on this site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is John’s guest post.

Along with the disruption and the reputational damage, a company experiencing a data breach can also find itself attracting the unwanted attention of regulators. Among the federal regulators that have proven active in the data breach arena is the Federal Trade Commission. In the following guest post, Robert Carangelo, Eric Hochstadt, and Gaspard Curioni of the Weil Gotshal law firm take a look at the FTC’s cybersecurity enforcement authority and actions, as well as the agency’s track record so far. A version of this guest post previously was published as a Weil client alert.

I would like to thank Robert, Eric and Gaspard for their willingness to publish their post on my site. I welcome guest post submissions from responsible authors on topics of interest to readers of this site. Please contact me directly if you would like to submit a guest post. Here is Robert, Eric, and Gaspard’s guest post.


**********************************************


The continued occurrence of serious data breaches, including the hack of Sony Pictures that resulted in the canceled theatrical release of The Interview, a satirical film about North Korean leader Kim Jong-un, and the Target data theft impacting up to 110 million consumers and several financial institutions, has put a spotlight on issues of cybersecurity and the protection of sensitive personal information. With public pressure mounting due to this growing threat, Congress is considering legislative action to bolster American businesses’ resilience to cybersecurity attacks and data theft.[i] But while the political process on Capitol Hill unfolds, other branches of the federal government have not remained idle. In the executive branch, the Federal Trade Commission (FTC) has stepped up its consumer protection enforcement activity in this area and has pursued actions against companies that the agency deems do not sufficiently protect personal data.


Overview of the FTC’s Cybersecurity Enforcement Authority and Actions

While the FTC has brought more than 50 enforcement proceedings in the past 15 years relating to data security, the pace of FTC activity has picked up in recent years.[ii] The bulk of the agency’s enforcement has been carried out through administrative actions, which in almost all instances[iii] have been resolved through consent orders that impose data security measures and long-term supervision by the FTC. The remaining dozen or so cases brought by the FTC have been filed in federal courts pursuant to the agency’s injunctive authority under section 13(b) of the Federal Trade Commission Act (FTC Act). As discussed further below, the FTC has brought such an enforcement action against the Wyndham hotel group, a case pending at the Third Circuit which is expected to address the reach of the FTC’s authority in this area. As with administrative actions, the overwhelming majority of these cases settle shortly after filing. For companies under investigation, early settlement may be driven by, among other considerations, a desire to avoid protracted litigation with a federal agency. Administrative and judicial proceedings involve intrusive and costly discovery[iv] and can take years to resolve.[v]


The FTC’s enforcement authority derives principally from the FTC Act.[vi] Under section 5(a) of the FTC Act, the FTC may take action against “unfair or deceptive acts or practices in or affecting commerce.” Historically, the agency has leveraged the FTC Act’s “deception” prong to challenge allegedly false data security representations made by companies. Up until 2014, all but one cybersecurity civil action brought by the FTC and more than half of FTC data security administrative actions invoked the deception prong.[vii] More recently, the FTC has challenged cybersecurity practices under the “unfairness” prong of section 5 of the FTC Act. In these enforcement actions, the FTC has developed minimum cybersecurity standards for companies that collect personal information, even in the absence of any allegedly false representations concerning data security.


Many data security vulnerabilities have drawn the agency’s attention as being “unfair” to consumers, including companies’ alleged failure to:

1) set up robust log-in protocols;[viii]

2) protect against “commonly known or reasonably foreseeable attacks from third parties attempting to obtain access to customer information;”[ix]

3) encrypt data;[x] and

4) provide cybersecurity training.[xi]

Through its consent decrees, the FTC has detailed the various steps that companies must implement to remedy these deficiencies. The typical consent orders, which usually last for 20 years, prohibit prospective misrepresentations concerning data security and prescribe affirmative security measures. A central requirement is the establishment of a comprehensive information security program with administrative, technical, and physical safeguards suitable for the company and the type of protected data. Further, the consent orders usually require independent risk assessments from information technology and security professionals, as well as periodic reporting of the findings to the FTC. Companies must also document their compliance efforts and report material changes affecting their obligations to the agency.


FTC v. Wyndham Worldwide Corp.

There has been little judicial scrutiny of the FTC’s exercise of its section 5 power in the cybersecurity space. A notable exception is FTC v. Wyndham Worldwide Corp.,[xii] a case which may at last provide much-needed clarification about the scope of the FTC’s authority to impose cybersecurity standards in the absence of substantive statutes or regulations on the subject.


In June 2012, the FTC sued Wyndham, alleging that it failed to maintain “reasonable and appropriate” data security measures. The failure purportedly allowed hackers to gain access to its computer networks, which resulted in the compromise of more than 500,000 payment card accounts and fraudulent charges on hotel guests’ accounts. Because Wyndham allegedly misrepresented that it had implemented reasonable data protection measures on its website, the agency claimed that Wyndham had engaged in deceptive practices under section 5 of the FTC Act. However, the FTC did not stop there. It also claimed that Wyndham violated the unfairness prong of section 5 by failing to implement “reasonable and appropriate” data protection measures in the first place.


In seeking dismissal of the unfairness claim, Wyndham contended that section 5’s unfairness prong did not confer rulemaking authority over data security on the FTC. A New Jersey federal judge rejected that argument in April 2014, given section 5’s broad language and the absence of any statutory command carving out cybersecurity from the FTC’s purview. But because of the novelty and importance of the issue, the judge certified the question for immediate appeal to the Third Circuit. On appeal, Wyndham argued that a business’s failure to take “reasonable and appropriate” cybersecurity measures was not an unfair practice under section 5, as it was not an attempt to take advantage of customers; rather, a cyber-attack had harmed the company. Wyndham also faulted the FTC for failing to adequately specify what were “reasonable and appropriate” cybersecurity practices. During oral argument on March 3, 2015, the Third Circuit panel questioned whether the unfairness prong covered nonfraudulent negligent cybersecurity conduct and whether the FTC could directly bring an action in court without first issuing cybersecurity rules through rulemaking or adjudication. The court heard oral arguments on the latter issue on March 27, 2015. The upcoming ruling by the Third Circuit will likely provide greater clarification about the scope of the FTC’s unfairness authority over cybersecurity practices.

Parallel and Follow-On Litigation

To date, the FTC’s enforcement actions in the cybersecurity arena have not led to a wave of private follow-on litigation. One possible explanation is that the FTC Act, unlike the federal antitrust statutes enforced by the FTC, does not confer a private right of action. Enforcement targets must nevertheless be vigilant. Even if not subject to private litigation under the FTC Act, cybersecurity practices that the FTC deems unfair or deceptive can also lead to private follow-on class action litigation by consumers and other affected parties under state laws, such as consumer protection statutes or specific state data security statutes.[xiii]


The CBR Systems controversy is one such example of parallel FTC enforcement and private consumer litigation. CBR is a California-based company that stores stem cells from umbilical cord blood and tissue. In December 2010, a thief broke into a CBR employee’s car and stole a backpack containing a company laptop computer and other electronic storage devices that allegedly held unencrypted personal information on about 300,000 CBR clients, including their names, addresses, social security numbers, medical history, and payment details. The FTC opened an investigation and ultimately filed an administrative complaint in January 2013, asserting that CBR had engaged in deceptive practices by failing to protect its customers’ personal data. Shortly after, CBR entered into a 20-year consent order in which it agreed to establish and maintain a comprehensive information security program, be subject to monitoring from an independent auditor, and report periodically to the FTC about its cybersecurity efforts.[xiv] But the FTC consent order did not end CBR’s travails. In January 2012, clients of CBR filed a putative class action under California privacy and unfair competition law. The case settled in February 2013, with CBR agreeing to reimburse affected clients for identity theft-related losses, pay for class members’ two-year subscription to a credit monitoring program, and pay $600,000 in attorneys’ fees. The full value of the class settlement was estimated at $112 million.[xv]


Companies must also watch out for parallel litigation by state attorneys general. Snapchat’s case is illustrative. Snapchat’s mobile messaging application allows users to send photo and video messages (termed “snaps”) that the company claims disappear very shortly after being sent. Despite the claimed “ephemeral” nature of the snaps, recipients were able to use third-party tools to save the snaps indefinitely. In May 2014, the FTC filed a complaint against Snapchat, alleging that the company made false representations about the disappearance of the snaps, the collection of users’ personal data, and the robustness of its data security. Based on these allegations, the FTC asserted that Snapchat had engaged in deceptive practices under section 5 of the FTC Act. In May 2014, Snapchat agreed to settle with the FTC. The consent order prohibited misrepresentations about the company’s data privacy and security, required Snapchat to establish a comprehensive privacy program, and imposed independent monitoring and reporting obligations for 20 years.[xvi] While the FTC enforcement action was pending, the Maryland attorney general advanced similar allegations against Snapchat and claimed violations of Maryland consumer protection law and COPPA. Snapchat agreed to pay $100,000 and take corrective measures in a June 2014 settlement with Maryland.


Finally, FTC investigations and enforcement proceedings may expose companies to follow-on litigation beyond the consumer protection context. For example, as a result of the FTC’s enforcement action against Wyndham, the company was hit with a shareholder derivative suit which alleged that Wyndham’s directors and officers failed to implement adequate data-security measures and timely disclose the data breaches.[xvii] Although the lawsuit was ultimately dismissed at the pleading stage, the case shows the potential spillover effect of FTC enforcement proceedings. A comprehensive defense strategy should include close coordination between data protection and securities counsel.


Conclusion

Cybersecurity law enforcement is growing. While legislative momentum is building toward formulating federal data security standards, the FTC has continued to use its enforcement authority over unfair and deceptive trade practices to bring cases against companies with allegedly substandard data security practices. Critics point out that the agency does not have any regulatory authority over data security and that the general principles contained in its various consent orders do not provide sufficient guidance to the industry. The Third Circuit is expected to develop the law in this area in the coming months, but it undoubtedly will not be the final word. In the meantime, companies are well advised to bolster their cybersecurity practices and get ahead of any issues that could subject them to the full panoply of FTC enforcement action followed by state regulatory or private class action litigation.

 _________________________________

[i] See Discussion Draft (Mar. 20, 2015), Data Security and Breach Notification Act of 2015, H.R. ___, 114th Cong. (2015); Personal Data Privacy and Security Act of 2014, H.R. 3990, 113th Cong. (2014).

[ii] Legal Resources, Filtered by Type (Case) and Topic (Data Security), Fed. Trade Comm’n, https://www.ftc.gov/tips-advice/business-center/legal-resources?type=case&field_consumer_protection_topics_tid=249 (last visited Apr. 1, 2015). Based on a review of publicly available data on the FTC website, twice as many administrative proceedings and court cases were initiated in the last five years as in the previous ten years. See id. A record number – seven administrative proceedings and two federal court cases – were brought in 2014 alone. See id.

[iii] Only one company, LabMD, Inc., has refused to enter into a consent decree with the FTC. See id. The FTC filed an administrative complaint against the company for its alleged failure to establish reasonable data security measures to protect customer information. After the FTC denied LabMD’s motion to dismiss, the company sought review of the decision in federal court. The Court of Appeals for the Eleventh Circuit ultimately rejected LabMD’s challenge as unripe because the FTC’s decision was a non-final agency action. The case has been remanded to the FTC and is currently pending before an administrative law judge. See Case Timeline, In re LabMD, FTC File No. 102 3099, Fed. Trade Comm’n, https://www.ftc.gov/enforcement/cases-proceedings/102-3099/labmd-inc-matter (last updated Feb. 24, 2015).

[iv] See 16 C.F.R. §§ 3.31-40 (setting out the methods, scope, and types of discovery in FTC administrative proceedings).

[v] See Case Timeline, In re LabMD, supra note iii.

[vi] In addition, the FTC is entrusted with enforcing the privacy and data security provisions of specific statutes. Before the creation of the Consumer Financial Protection Bureau in 2011, the FTC was responsible for enforcing the Fair Credit Reporting Act (FCRA) – which ensures that credit reporting agencies protect consumers’ private information – and the Gramm-Leach-Bliley Act (GLBA) – which obliges financial institutions to ensure the security of customer records. Also, the FTC administers the Children’s Online Privacy Protection Act of 1998 (COPPA), which requires Internet companies to obtain parental consent for the collection, use, and disclosure of children’s personal information. Finally, the Safe Harbor Framework program, which allows companies to transfer personal data between the United States and the European Union, provides for FTC enforcement against companies that fail to comply with the program’s requirements.

[vii] See Legal Resources, supra note ii.

[viii] See, e.g., Complaint at 2, In re TJX Cos., FTC File No. 072-3055, Docket No. C-4227 (F.T.C. July 29, 2008), available at https://www.ftc.gov/sites/default/files/documents/cases/2008/08/080801tjxcomplaint.pdf.

[ix] Complaint at 6, United States v. RockYou, Inc., No. 3:12-cv-01487 (N.D. Cal. Mar. 26, 2012).

[x] See, e.g., Complaint at 9, FTC v. LifeLock, Inc., No. 2:10-cv-00530 (D. Ariz. Mar. 9, 2010).

[xi] See, e.g., Complaint at 2, In re EPN, Inc., FTC File No. 112 3143, Docket No. C-4370 (F.T.C. Oct. 3, 2012), available at https://www.ftc.gov/sites/default/files/documents/cases/2012/10/121026epncmpt.pdf.

[xii] No. 2:13-cv-01887 (D.N.J. transferred Mar. 26, 2013). After denying Wyndham’s motion to dismiss, the district court certified its order for interlocutory appeal on June 23, 2014. The case is currently pending before the Third Circuit Court of Appeals. See FTC v. Wyndham Worldwide Corp., No. 14-3514 (3d Cir. argued Mar. 3, 2015).

[xiii] See, e.g., Notice of Removal, Johansson-Dohrmann v. CBR Systems, Inc., No. 3:12-cv-01115 (S.D. Cal. May 7, 2012), ECF No. 1-3 (attaching the class action complaint originally filed in state court, which alleged violations of the California Confidentiality of Medical Information Act and Unfair Competition Law, among other causes of action).

[xiv] Decision & Order, In re CBR Systems, Inc., FTC File No. 112 3120, Docket No. C-4400 (F.T.C. Apr. 29, 2013), available at https://www.ftc.gov/sites/default/files/documents/cases/2013/05/130503cbrdo.pdf.

[xv] See Order Granting Final Approval of Class Action Settlement, Attorneys’ Fees, Costs, and Incentive Award, Judgment and Dismissal, Johansson-Dohrmann, No. 3:12-cv-01115 (July 24, 2013), ECF No. 35.

[xvi] Decision & Order, In re Snapchat, Inc., FTC File No. 132 3078, Docket No. C-4501 (F.T.C. Dec. 23, 2014), available at https://www.ftc.gov/system/files/documents/cases/141231snapchatdo.pdf.

[xvii] See Palkon v. Holmes, No. 2:14-cv-01234, 2014 WL 5341880, at *6 (D.N.J. Oct. 20, 2014).

As I noted in my recent rundown of the top D&O stories of 2014, one of the most important developments during the year just finished was the emergence of cyber security as a D&O liability concern. During 2014, plaintiff shareholders launched cyber breach-related derivative lawsuits against the boards of Target and Wyndham (about which refer here and here, respectively). But arguably the highest profile cyber breach during the year was the hack attack on Sony Pictures Entertainment, apparently related to the company’s release of the controversial movie “The Interview.” Though at least six class action lawsuits have been filed on behalf of present and former Sony employees, so far there have been no shareholder lawsuits filed.

According to a detailed and interesting analysis published in an unlikely source, a lawsuit against Sony would be “an uphill battle” – which of course does not mean that no one will give it a shot, but does mean that any shareholder that wants to try will face a “very difficult exercise.”

Here at The D&O Diary, we don’t ordinarily devote much time to reading articles published in the Hollywood Reporter, but then we found Jonathan Handel’s December 23, 2014 article in that publication entitled “Sony Hack: Will Shareholders Sue?” (here) to be particularly interesting. In summary, Handel concludes that it would be very difficult for a plaintiff to pursue a shareholder lawsuit against Sony Pictures Entertainment or its senior officials. The reasons why it would be so difficult fall into two general categories – the difficulties any claimant would face pursuing derivative suits, and difficulties a shareholder claimant would face that are particular to Sony.

First, a little bit of background. Sony Pictures Entertainment (SPE) is a wholly owned subsidiary of Sony Corp. SPE is a Delaware corporation with its principal place of business in California. Sony Corp. is a Japanese corporation whose shares trade in Tokyo and that also has American Depositary Receipts trading in the U.S.


Though Sony has ADRs trading on a U.S. exchange, it is unlikely that prospective claimants would seek to file a securities class action lawsuit against the company relating to the hack attack, because, Handel notes, the parent company’s share price “hasn’t moved decisively” as a result of the news surrounding the attack — which means that if shareholder claimants were to try to bring a lawsuit, they would likely have to proceed by way of a shareholder derivative lawsuit.


Handel speculates that a prospective derivative lawsuit claimant might want to try to allege what Handel describes as a series of “egregious misjudgments, such as allegedly lax cybersecurity and what plaintiff’s attorneys would no doubt call a reckless – or at least grossly negligent – decision to proceed with The Interview despite North Korean threats earlier this year. A third decision – to pull the movie, at least from major chains – could also come under fire.”


A shareholder attempting to bring a derivative lawsuit would of course face all of the hurdles that any derivative plaintiff would face. The prospective plaintiff would first have to make a demand on the company’s board demanding that the board itself launch the lawsuit, or plead in his or her complaint that demand would have been futile. If demand is made and refused, the plaintiff would have to plead that the demand was wrongfully refused.


The Sony defendants would also have all of the defenses that other defendants have in these types of cases. First, the defendants can rely on any exculpatory provisions the company may have in its bylaws or other charter documents. Second, the defendants would be able to rely on the business judgment rule to argue that the shareholders and the courts should not absent extraordinary circumstances second guess the board’s business decisions.


As if all of these hurdles and defenses were not enough to deter prospective claimants, there are additional considerations owing to the specific circumstances involved here. Because any prospective claimants would own shares (or ADRs) of Sony Corp., the parent company, and not of SPE, the subsidiary, the lawsuit would be filed not against the board of SPE, but would have to be filed against the parent company’s board, in the form of a “double derivative lawsuit.”

As Handel explains in his article, a double derivative lawsuit is “a procedural vehicle to remedy the claimed wrongdoing where the parent company board’s decision not to enforce the subsidiary’s claim is unprotected by the business judgment rule.” In other words, any claimant would have to argue not only that SPE board’s conduct falls outside the protection of the business judgment rule, but also that the parent company’s board’s decision not to sue SPE also falls outside the protections of the rule.


There are still further complications. Because the investors who bought their Sony securities on U.S. exchanges hold ADRs and not shares, their rights and remedies are further defined by the Deposit Agreement that regulates the administration of the ADRs. Many ADR deposit agreements have choice of law clauses specifying the law that would apply in the event of a dispute between an ADR holder and the company or its executives. Although the deposit agreement provisions vary, the likelihood is that Sony’s deposit agreement specifies that Japanese law governs ADR holder disputes.


If Japanese law applies to claims brought by ADR holders, any claimant would face some potentially insurmountable hurdles. First, at least according to sources Handel cites in his article, current Japanese law does not allow double derivative actions. Second, while the Japanese legislature recently adopted revisions to the Companies Act, which governs Japanese corporations, those revisions are not effective until April 1, 2015 and are not retroactive. The new provisions are in any event restrictive, requiring among other things that the claimant hold at least a 1% interest in the company involved.


Despite all of these concerns, it is still possible that a claimant might try to file a lawsuit. But for all of the reasons cited above and discussed further in Handel’s article, any claimant would face a very difficult challenge. As one of the commentators cited in the article put it in characterizing the maze of difficulties a claimant would face, this situation is “like a law school exam.”


The circumstances surrounding cyber security breaches may yet prove to be a source of significant corporate and securities litigation. But the complicated circumstances surrounding the Sony hack attack underscore that pursuing these kinds of claims is never straightforward. And as I noted in connection with the dismissal of the lawsuit filed last year against Wyndham Worldwide, it remains to be seen whether or not erstwhile plaintiffs will figure out a way to overcome all of the procedural hurdles involved and manage to turn these kinds of lawsuits into a successful exercise.

I will say that I never thought I would have occasion to link to the Hollywood Reporter here for the publication’s legal analysis, but I have to admit that Handel’s article was interesting and is worth reading in full.


When the SEC Whistleblower Office presented its first full fiscal year annual report last November, the agency reported that 324 (or 10.8%) of the 3,001 whistleblower reports the agency received came from whistleblowers outside the United States. This statistic suggested that the Dodd-Frank whistleblower provisions could lead to the revelation of financial misconduct overseas, and also suggested the possibility that these non-U.S. whistleblower reports could lead to increased revelation of FCPA violations. (The report noted that 3.8% of the whistleblower reports involved alleged FCPA violations.)


However, a recent decision in the Southern District of New York could put a damper on overseas whistleblowing. In an October 21, 2013 opinion, Judge William H. Pauley held that the Dodd-Frank Act’s whistleblower anti-retaliation provisions do not protect whistleblowers outside the U.S. Judge Pauley’s opinion can be found here. Judge Pauley’s decision follows a June 2013 Southern District of Texas decision in the GE Energy (USA) case (here) in which Judge Nancy Atlas held that the anti-retaliation provisions do not apply extraterritorially. Without the protection of the anti-retaliation provisions, prospective overseas whistleblowers could be deterred from submitting reports to the SEC.

Meng-Lin Liu, a Taiwanese national, served as Group Compliance Officer for Siemens A.G.’s Chinese healthcare division. He became concerned that the Chinese unit was paying kickbacks to obtain imaging equipment contracts with Chinese and North Korean hospitals. He reported his concerns to company officials, including his concern that the payments circumvented compliance procedures put in place following the company’s 2008 guilty plea to FCPA charges. Liu received negative performance reviews he believed were written in retaliation for raising concerns. He was later demoted, and in early 2011 his employment contract was terminated. In May 2011, Liu reported possible FCPA violations to the SEC.

Liu instituted a Dodd-Frank Act whistleblower anti-retaliation action against Siemens in the Southern District of New York. Siemens moved to dismiss, arguing that the anti-retaliation provisions do not apply extraterritorially.

In his October 21 opinion, Judge Pauley granted the company’s motion to dismiss. Citing the U.S. Supreme Court’s decision in Morrison v. National Australia Bank for the proposition that U.S. laws do not apply extraterritorially unless Congress clearly expresses an intent for a statute to apply extraterritorially, Judge Pauley found that in enacting the Dodd-Frank Act, Congress had not shown an intent for the anti-retaliation provisions to apply extraterritorially.

Judge Pauley also rejected Liu’s argument that the anti-retaliation provisions should apply to Siemens merely because Siemens has ADRs that trade on the NYSE, noting that in the Morrison case, National Australia Bank had ADRs trading in the U.S. but that this fact was not determinative of the reach of the securities laws.

Judge Pauley said:

This is a case brought by a Taiwanese resident against a German corporation for acts concerning its Chinese subsidiary relating to alleged corruption in China and North Korea. The only connection between the United States is the fact that Siemens has ADRs traded on an American exchange, just as in Morrison… There is simply no indication that Congress intended the Anti-Retaliation Provision to apply extraterritorially.

Judge Pauley also rejected Liu’s argument that he was entitled to protection under the Sarbanes-Oxley whistleblower provisions. He also considered, but concluded that he did not need to decide, the question whether Liu was even a “whistleblower” to whom anti-retaliation protections would otherwise apply, given that he did not file his whistleblower report until after his employment contract had been terminated.

Judge Pauley accepted that overseas employees could be whistleblowers within the meaning of the Dodd-Frank Act. Clearly, given the significant number of whistleblower reports from outside the U.S. in the program’s first full fiscal year, overseas employees have responded to the opportunity to provide whistleblower reports.

However, many prospective whistleblowers learning that they would not have the benefit of the anti-retaliation provisions might now be less willing to come forward. In the absence of these protections, the volume of whistleblower reports from outside the U.S. might well decline, which in turn potentially could result in fewer reported violations of the FCPA.

The one consideration that might reassure prospective overseas whistleblowers is the extent of the SEC’s effort to protect the anonymity of the whistleblower to whom the agency recently awarded the record-level $14 million whistleblower bounty. At least some prospective overseas whistleblowers might yet come forward even without the anti-retaliation protections if they believe their anonymity will be preserved.

Nevertheless, the absence of anti-retaliation protection for non-U.S. whistleblowers could deter many prospective overseas whistleblowers from filing reports with the SEC.

Hat tip to the S.D.N.Y. Blog (here) for the link to Judge Pauley’s opinion.

In the FDIC’s latest lawsuit filed in its role as receiver of a failed bank, the FDIC not only named as defendants nineteen former directors and officers of the failed bank, but also included as defendants seventeen of their spouses and the failed bank’s D&O insurer. A copy of the FDIC’s January 18, 2012 complaint, filed in the agency’s capacity as receiver of the failed R-G Premier Bank of Puerto Rico, can be found here. UPDATE: See also the note below regarding the separate action filed in the District of Puerto Rico, involving the directors and officers of the failed Westernbank Puerto Rico, which also involves D&O insurer defendants.

As discussed here, R-G Premier Bank failed on April 30, 2010. According to the FDIC’s complaint, its closure represented “one of the largest bank failures in Puerto Rico’s history, costing the Deposit Insurance Fund over $1.46 billion in losses.”

In its complaint, the FDIC asserts claims for gross negligence against certain former directors and officers of the failed bank, alleging that the bank’s losses and ultimate failure arose from the bank’s aggressive commercial lending. The complaint alleges that the commercial lending operations were essentially unsupervised, even though the commercial lending department “recklessly” pursued “explosive commercial loan growth.” The complaint alleges that the director and officer defendants “ignored numerous warnings from multiple sources about serious problems” in the bank’s management and lending operations.

The complaint alleges that the director and officer defendants “exacerbated and accelerated” the bank’s loan losses “by robotically approving virtually any loan request that crossed their desks, even though such loan requests had been processed through the obviously deficient lending structure they had created at the Bank.” The FDIC bases its claims against the directors and officers on the individuals’ alleged “grossly negligent failure to exercise due care and any business judgment”; “grossly negligent failure to inform themselves about and to exercise adequate oversight over the Bank’s lending functions” and on the allegations that the defendants “knew or should have known” that the alleged problem loans identified in the complaint “were extremely unlikely to be paid back, and also the equally clear risks of injury to the Bank from the Bank’s inappropriate lending structure.”

The FDIC seeks to recover damages “in excess of $257 million” the bank allegedly incurred “as a result of the breaches of fiduciary duties and gross negligence” of the director and officer defendants in connection with 77 transactions identified in the complaint. The claims against the 17 spouses and conjugal partners who are also named as defendants “are based on their legal relationship to the Directors and Officers.”

The complaint also names as a defendant the insurer that issued two D&O liability insurance policies to the bank’s holding company. The two policies consist of a primary $25 million policy and a $10 million excess policy, both issued by the same insurer. Both policies are alleged to have had policy periods running from November 30, 2008 to December 30, 2009, with an optional extension period until December 30, 2010. The FDIC alleges in its complaint that the optional extension period was exercised on December 29, 2009. The complaint also alleges that on December 23, 2010, the FDIC sent a demand for civil damages to the directors and officers, with a copy of the demand also sent to the D&O insurer.

In Count III of the complaint, which is denominated as a “Claim for Direct Relief,” the FDIC alleges that its claims against the directors and officers “fall within the coverage provided” under its policies, and that the insurer is “liable” for “$35 million in damages caused to the Bank by the gross negligence of the Defendants.” The complaint seeks a judgment against the insurer “for at least $35 million.”

Discussion

In prior posts discussing the FDIC’s litigation against former directors of failed banks, I have suggested that the real battleground for many of these suits may be the FDIC’s coverage disputes with the failed bank’s D&O insurer. This case, in which the FDIC named the D&O insurer as a defendant along with the former directors and officers, seems to make that aspect of these circumstances explicit.

This is not the first occasion on which the FDIC has directly named a failed bank’s D&O insurer as a defendant in a liability action. (For a prior example, refer here.) Those readers uncertain how the FDIC is purporting to proceed directly against the insurer without first obtaining a judgment against the individual insureds may be interested to know that, at least according to sources I have reviewed online, Puerto Rico has a direct action statute, allowing those claiming injury from a tortfeasor’s action to proceed directly against the tortfeasor’s liability insurer. At least based on my quick review of the subject, that would seem to explain the FDIC’s move of including the D&O insurer as a defendant in the suit.

Without being able to go behind the scenes it is hard to know for sure what the basis of the coverage action may be. Just based on the date on which the D&O policies originally incepted, it is not unlikely that the policies when issued included a regulatory exclusion. Some insurers have also taken the position that the insured vs. insured exclusion found in most D&O policies precludes coverage for claims brought by the FDIC as receiver, which is an issue that undoubtedly will be litigated heavily in connection with many of these failed bank coverage disputes.

It is also possible that the D&O insurer is asserting coverage defenses arising from the fact that the bank did not fail and the FDIC did not assert claims against the directors and officers until after the inception of the policies’ extensions. The insurer may be asserting defenses based on the timing of these various events relative to the policies’ termination dates and reporting deadlines. At least according to the FDIC’s recitation in the complaint, it appears that the FDIC did assert its claim against the directors and officers prior to the expiration of the extension.

The FDIC’s assertion of claims against the spouses and conjugal partners is obviously designed to allow the FDIC to enforce any judgment against property jointly held by the individual directors and officers and their spouses. This is not the first occasion on which the FDIC has asserted claims against spouses of failed bank directors and officers. For example, in connection with the FDIC’s lawsuit against certain former officers of Washington Mutual, the FDIC also asserted claims there against two of the officers’ spouses. The FDIC’s assertion of claims against the spouses is an illustration of the importance of the language found in many D&O policies which extends the definition of the term “Insured Persons” to include the spouses or domestic partners of the insured entity’s directors and officers, but only to the extent the spouse or partner is a party to a claim as the spouse of the director or officer.

One anomalous feature of the bank’s D&O insurance structure is that both the bank’s primary D&O insurance policy and its excess D&O insurance policy were issued by the same D&O insurer. That is an unusual arrangement for many reasons, not the least of which is that many insurers would be reluctant to have such concentrated exposure to any one risk. The extent of the insurer’s exposure is one more reason I suspect that the insurer may have considered its insurance of this risk to be well defended, for example through the inclusion of a regulatory exclusion or perhaps even the preclusion of coverage for acts that occurred prior to the policies’ November 30, 2008 inception.

Of course, I could be wrong about the presence of these defensive features, but I still think it is unusual that the insurer would have taken a full $35 million exposure to one financial institution, especially given the events that were taking place in the global financial marketplaces at that time.

The FDIC’s lawsuit against the former directors and officers of R-G Premier Bank of Puerto Rico is the nineteenth lawsuit the FDIC has filed in connection with the current wave of bank failures, and the second so far during 2012. The FDIC undoubtedly will be filing many more suits in the months ahead. Indeed, on the FDIC’s website page providing information about the agency’s litigation efforts, the FDIC states that as of January 18, 2012, the FDIC has authorized suits in connection with 44 failed institutions against 391 individuals for D&O liability with damage claims of at least $7.7 billion. This includes 19 filed D&O lawsuits (2 of which have been dismissed after settlement with the named directors and officers) naming 161 former directors and officers. In other words, even just looking at the suits authorized so far, there are many law suits yet to come. And the FDIC has been authorizing increased numbers of suits every month, so the likelihood is that many more lawsuits will be authorized and filed as we head forward in 2012 and beyond.

UPDATE: Following my initial publication of this post, a loyal reader provided me with a copy of the January 20, 2012 Amended and Restated Complaint in Intervention that the FDIC filed in the District of Puerto Rico in an action involving both the former directors and officers of the failed Westernbank and certain of their spouses, as well as the D&O insurers for Westernbank’s holding company. A copy of the FDIC’s complaint can be found here.

Regulators closed Westernbank on April 30, 2010, which according to the FDIC’s complaint, cost the insurance fund $4.25 billion. In October 2011, certain of the former Westernbank directors and officers had sued the bank’s primary D&O insurer in state court in Puerto Rico. The FDIC as receiver for Westernbank moved to intervene in the state court action, and on December 30, 2011, removed the state court action to the District of Puerto Rico. On January 20, 2012, the FDIC filed its amended complaint in intervention, in which it named as defendants certain additional directors and officers, as well as the excess D&O insurers in the bank’s D&O insurance program. The FDIC expressly asserts its claims against the D&O insurers under Puerto Rico’s direct action statute. Certain of the individual directors and officers have moved to remand the action back to state court.

The FDIC’s action against the former directors and officers of Westernbank represents the twentieth action that the agency has filed so far as part of the current wave of bank failures, and also represents yet another example of a case where the real battleground may be the D&O insurance coverage dispute.

The First Bank Closures of 2012: This past Friday night, the FDIC also took control of the first three failed banks of 2012, as reflected here. The FDIC closed banks in Florida, Pennsylvania and Georgia, the first three banks to fail in over a month. The presence of a Georgia bank among the first group of bank failures is hardly a surprise, as the state’s 74 bank failures during the period January 1, 2008 through December 31, 2011 is by far the highest total for any state during the period. Florida, with 58 bank failures during that period, has the second highest total.

Is Morrison the "Global Securities Case of the Decade"?: In a very interesting and thorough January 20, 2012 article on the Am Law Litigation Daily (here), Michael Goldhaber asks the question whether or not the Supreme Court’s 2010 decision in Morrison v. National Australia Bank is the Global Securities Case of the Decade (so far, at least). Among other things, Goldhaber reviews the wide swath that Morrison has cut through cases pending in the district courts, noting that "perhaps no other precedent has ever cut down so many claims of such value so rapidly." The article details the effects that the Morrison opinion has had and is likely to continue to have.

Teaching Fellowship at UCLA Law School: Some readers of this blog may be very interested to know that the Lowell Milken Institute for Business Law and Policy at the UCLA Law School is now accepting applications for the Lowell Milken Institute Law Teaching Fellowship. The fellowship is a full-time, year-round, one- or two-year academic position beginning in July 2012. The position involves teaching, research and writing, as well as other duties. Applicants must already hold a JD. The application deadline is March 1, 2012. Further information about the fellowship program can be found here.

Now for Something Different: For today’s musical interlude, and as a complete contrast to the North Korean Kindergarten Guitar Quintet whose oddly disturbing video I posted a few days ago, here is a video of a very different kind of guitar quintet, involving as it does one guitar and ten hands. I understand this video and the song are both very popular in certain circles. I suspect it would not catch on in North Korea. The song is “Somebody That I Used to Know” by the group Walk Off the Earth.

For policyholders whose interests are insured in London, it can be critically important to understand the Lloyd’s claims processes. In the following guest post, my good friend Perry Granof (pictured) takes a look at recent changes to the Lloyd’s claims processes effective January 1, 2012 that will affect a wide variety of professional liability claims. Perry is Managing Director of Granof International Group LLC, an insurance consulting and claims service firm specializing in global executive, professional and financial institutions liability. He is also Of Counsel at the Williams Kastner law firm in Seattle, Washington.

Many thanks to Perry for his willingness to publish his article here. I welcome guest posts from responsible commentators on topics relevant to this blog. Any readers who are interested in publishing a guest post on this site are encouraged to contact me directly.

Here is Perry’s guest post.

I travelled to London in late November 2011 where I met with Lloyd’s claims representatives and first learned about the Lloyd’s Claims Transformation Programme (CTP). According to Lloyd’s, CTP is intended to provide improved customer service and greater flexibility for managing agents.

CTP was introduced to the Lloyd’s market on January 1, 2010, as a pilot program for marine hull, property, and casualty treaty classes of business. The pilot was deemed successful, achieving a 40% average improvement in claims transaction time. According to Market Bulletin Y45221, dated September 30, 2011, the program was expanded to new claims in Financial Institutions (FI), Professional Indemnity (PI), which includes D&O, and medical malpractice, to be effective as of January 1, 2012.

CTP is intended to modernize, add quality and streamline the Lloyd’s claims handling process. However, it may give way to new disputes and potential opportunities for conflict resolution. Among the various procedural guidelines introduced by CTP is a streamlining of the triage categories from three to two. They are now the “Standard” and “Complex” claim categories. The threshold is a specified dollar amount of exposure plus sundry other factors such as a potential or actual denial of coverage or allegations of fraud.

All complex claims, unlike Standard claims under the new Lloyd’s protocol, additionally have a second tier lead Managing Agent called a “Second”, which functions in conjunction with the “Lead” Managing Agent. Previously the Second underwriter only played a claims agreement role in certain circumstances, and an outsourced service provider represented the interests of the followers on every claim. The Second helps to ensure that an appropriate strategy is in place to help facilitate a proper resolution of the claim and that the other Managing Agents on the slip that make up the following market are fully represented and kept abreast of developments.

The Second reviews the documentation and other considerations which the Lead relied on in its recommendations to the market, and confers with the Lead in connection with: the “Handling of the Claim”; the “Ongoing management of the Claim”; the “Contingent Financial Planning (Reserves, Costs, etc.)”; “Experts” and the “Settlement Process.” The protocol also makes it clear that the “Followers” are entitled to “contact the Lead (or Second) to raise queries or share their views on the proposed strategy to resolve the claim.”

A review of the relevant Market Bulletins, in particular Ref: 4522 and 4531, certainly justifies Lloyd’s optimism in touting the advantages of CTP. CTP will lead to an open and more effective claims handling regime among syndicates engaged in the adjustment of Complex claims. However, it could also lead to an increase in conflicts arising between the Lead, the Second and the Follower Lloyd’s syndicates, by giving non-Lead syndicates more voice and responsibilities.

Under the CTP, non-Lead syndicates clearly have standing to raise queries and share their views and can offer platforms for followers in which to dissent to positions offered by Lead carriers. Some emerging conflicts that I can foresee, especially in the PI/FI and D&O classes of business include drop down issues. When an exposure potentially exceeds the available insurance program, a lead insurer may propose a drop down arrangement to save policy limits for itself and possibly throughout the entire tower of coverage. A Second or Follower may respond arguing that the Lead must fully exhaust its coverage before the rest of the market begins contributing to the resolution of the claim. This issue has recently been addressed in the case of Citigroup, Inc. v. Federal Ins. Co., 10-20445, 2011 U.S. App. LEXIS 16316 (5th Cir. Aug. 5, 2011). In Citigroup, the Court held that the excess policies unambiguously required that the primary carrier pay its full policy limit as a condition precedent to the excess carriers filling the gap by dropping down and providing coverage. Still, Citigroup is only binding in the 5th Circuit and the case was determined by the specific policy wordings at issue.

Another source of conflict could involve situations where a Lead, a Second or Followers disagree over the placement of claims in an insurance tower covering one particular policy year over another. This may become contentious where participating insurers have different reinsurance treaties covering different policy years, impacting their net exposures. Also, if the exposure is significant, it can become a dispute which may not be easily soluble.

A third source of conflict could involve situations where the Second and Followers perceive that a given policy limits claim directed by the Lead results in disproportionate and inequitable payments of insurance proceeds, constituting a waste, and possibly giving rise to extra-contractual damages.

All of these situations, and others that I am currently unable to foresee, may require an efficient and effective dispute resolution mechanism to ensure that disagreements among the syndicate companies to a tower are resolved quickly, cheaply and confidentially. In reviewing Section 5.0 “Resolution of Disagreements” under Market Bulletin Ref: Y4531, which describes the 2010 “Claims Scheme Process Guidelines,” there does not appear to be any mention of a dispute resolution process, other than a meet and confer provision. Also, Lloyd’s underwriters are required to use their best endeavours to reach a consensus under Market Bulletin Ref: Y4522, which also makes reference to a mediation and arbitration process as “prescribed by Lloyd’s from time to time”. These provisions are designed to make it easier for Lloyd’s co-insurers, as opposed to non-Lloyd’s co-insurers, to resolve issues amongst themselves without recourse to formal dispute resolution proceedings. Although it represents an effort to address future disputes among Lloyd’s co-insurers, this may not entirely avoid the risk of formal proceedings, especially considering the types of disputes that could arise from the issues I set forth above.

The CTP may require a new and expedited regime to resolve FI, PI & D&O coverage disputes among Lloyd’s carriers, quickly, quietly and efficiently, minimizing any disruptions of the claims handling process. This may ultimately give rise to mediation and arbitration opportunities in the United States and abroad to resolve disputes among Lloyd’s syndicates in connection with US and non-US venued claims.

Cornerstone Releases M&A Related Litigation Study: In a recent post (here), I previewed a then-forthcoming study from Cornerstone Research with regard to M&A related litigation. Cornerstone Research has now released its study, entitled "Recent Developments in Shareholder Litigation Involving Mergers and Acquisitions" (here). The final report contains additional information beyond the specific items I reviewed in my prior blog post. Special thanks to Cornerstone Research for sending me a link to the final report.

The North Korean Kindergarten Quintet: For today’s music interlude we are featuring a video that is simultaneously impressive and deeply disturbing. Watch these children perform and see if, in addition to being slowly but completely creeped out, you don’t find yourself gaining a little insight into the reason there were real tears when Kim Jong-Il died in December. The more basic question is why they aren’t crying all the time.

https://youtube.com/watch?v=gsiYtsSQYfA