masseyMost senior corporate executive have a general understanding of the importance to them of their corporate indemnification rights. As discussed here, a related but sometimes even more important corporate benefit is the right to advancement – that is, the right to have their defense fees paid on a contemporaneous basis while legal proceedings against them are pending, subject only to the individual director or officer’s undertaking to repay the amounts if it ultimately is determined that the individual is not entitled to indemnification.

 

As I have noted in prior posts (refer for example here), an issue that frequently recurs is question of when the company may withhold advancement. The question is particularly common when new management has come in and the prior management is facing ongoing litigation as a result of their action prior to leaving the company.

 

From the perspective of the Delaware judiciary, corporate attempts to withhold advancement arise all too often, apparently. Delaware Chancellor Andre Bouchard began May 28, 2015 opinion in a case involving former Massey Energy Company CEO Donald Blankenship by saying that the case involves an “all too common scenario” – that is “the termination of mandatory advancement to a former director and officer when trial is approaching and it is needed the most.” In his May 29, 2015 post on his Delaware Corporate and Commercial Litigation Blog (here) about the Blankenship case, Francis Pileggi characterizes Bouchard’s preface to his opinion as “an expression of exasperation,” as if to say, “Here we go again – another company trying to evade its advancement obligations.”

 

Blankenship had been seeking to have the fees he was incurring in defense of a criminal case pending against him, arising out of the April 5, 2010 disaster in Massey’s Upper Big Branch Mine in Montcoal, West Virginia, in which 29 miners were killed. (Further background regarding the Upper Big Branch disaster and the litigation that followed can be found here.) Blankenship was Massey’s CEO at the time. Blankenship retired as Massey’s CEO effective December 31, 2010. On June 1, 2011, Alpha Natural Resources completed a $7.1 billion acquisition of Massey. For several years, Alpha advanced Blankenship’s legal fees incurred in the numerous legal proceedings arising out of the Big Branch Mine disaster.

 

On November 13, 2014, the U.S. Attorney indicted Blankenship in connection with the Upper Big Branch Mine disaster. Among other things, the four count criminal indictment accused Blankenship of conspiracy to willfully violate mandatory mine safety and health standards, conspiracy to defraud the United States by concealing mine safety violations, and making false statements to the U.S. Securities and Exchange Commission, as well as securities fraud for making false public statements. The criminal matter is scheduled to go to trial on July 13, 2015.

 

In early 2015, shortly after the indictment, Alpha stopped advancing Blankenship’s legal fees, primarily in reliance on an undertaking Blankenship had signed in which he acknowledged that his indemnification and advancement rights were contingent upon certain representations and undertakings (the “undertaking”), including a representation that  Blankenship had “no reasonable cause to believe that his conduct was ever unlawful.” The decision to withhold advancement was based on a determination by an officer of Alpha that Blankenship had breached this representation. Blankenship initiated an action against Alpha in Delaware Chancery Court seeking advancement of his unpaid legal expenses. At the time of the April 8, 2015 trial in Chancery Court action, Blankenship’s unpaid legal bills totaled over $5.8 million.

 

In his May 28, 2015 opinion, Chancellor Bouchard concluded that the undertaking cannot reasonably be interpreted as Alpha had and that the company’s conclusion that Blankenship had breached the representation does not provide a valid basis for Alpha to terminate Blankenship’s advancement rights under Massey’s corporate charter. (Indeed, Bouchard concluded that a reasonable person would not have thought Blankenship’s advancement rights could be terminated.) Bouchard not only concluded that Blankenship was entitled to advancement of his legal fees incurred in the criminal action but also that he was entitled to recover the attorneys’ fees he incurred in enforcing his advancement rights.

 

In ruling in Blankenship’s favor, Bouchard noted that while he found the undertaking on which Alpha relied to be unambiguous, even if the undertaking were to be viewed as ambiguous, Delaware law “supports resolving ambiguity in favor of indemnification and advancement.” As Francis Pileggi noted in his blog post about the ruling, if a company is going to try to withhold advancement on the basis of conditions in an agreement, “the terms of that condition must be beyond unambiguous, because all doubts will be resolved in favor of the claimant.”

 

However, even if under Delaware law strongly favors advancement and indemnification, there is no iron clad rule that individual directors and officers are going to prevail when they seek advancement. (For examples of cases where a court, applying Canadian provincial law, determined that a company properly withheld advancement, refer here and here.) As these cases show – and the tone of exasperated weariness with which Bouchard commenced his opinion underscores – all too often companies will try to renege on their advancement obligations when disputes arise.

 

The reason for these advancement disputes is no mystery. By definition, an advancement question will only arise if there is a corporate dispute in the form of legal proceedings pending. Sometimes, as is the case here, the legal proceedings involve significant problems at the company, a factor that can only be exacerbated if, as was also the case here, there has also been a change in management since the time of the conduct that gave rise to the problems. In other words, advancement rights are often construed while a battle is raging. All too often, the hostilities include skirmishing between the corporate executives and the corporate entity.

 

The frequency with which these kinds of dispute arise is one of the most significant reason why well-advices corporate executives will not depend just on the indemnification and advancement provisions of the company charter or by-laws, but will in addition seek to have their rights memorialized in a separate, written indemnification and advancement agreement.

 

One very good reason that directors and officers will seek to put contractual indemnification agreements in place is so that if the individuals are the target of claims after they have left the company, they can claim their rights of indemnification notwithstanding the arrival of new management. The contractual indemnification provides them an extra measure of protection and some level of assurance that their rights will be protected if claims later arise. A separate written indemnification provision can not only provide much greater procedural specificity but it can also provide certain protections against wrongful withholding of indemnification, by providing presumptions in favor of indemnification and providing for “fees on fees” (that is, fees incurred in order to enforce rights to advancement or indemnification).

 

A May 26, 2015 post on the Mintz Levin law firm’s Securities Matters blog (here) details the importance for corporate officers of having a separate written indemnification agreement and discusses the key features that this type of agreement should include. As the blog post notes, written indemnification agreements have several advantages for corporate officers over the indemnification provisions of articles of incorporation or bylaws. Among other things, written agreements are “more easily enforced by D&Os because they are bilateral contracts reflecting bargained-for consideration in the form of an individual’s agreement to accept or continue service with the company.” Written agreements “typically provide broader and more thorough protection of D&O’s indemnity rights than statutes and organizational documents.”

 

As the blog post discusses, among other key provisions, a written agreement will include: definitions of key terms (such as “expenses” and “proceedings,” to ensure that the advancement and indemnification rights apply to the broadest possible range of costs and legal actions); procedures and time-frames for the provision of advancement and the resolution of any disputes that might arise; and the provision for fees-on-fees. In addition, “the indemnification agreement typically will require that the company provide D&O liability insurance that protects the indemnitee to the same extent as the most favorably insured of the company’s and its affiliates’ current D&Os,” to the extent commercially available.

 

In short, the use of a separate written agreement is one way to take steps while times are calm and relationships are cooperative to ensure that the individual directors and officers’ rights will be protected even when things are no longer time and relationships have turned combative.

 

Unfortunately, the most a written indemnification agreement can do is to try and ensure that the rights of directors and officers will be protected if disputes arise; an agreement alone can not prevent disputes from arising.

 

Because these kinds of disputes can and all to often do arise, it is important to keep in mind a critical component that should be a part of every public and sizeable private company’s D&O insurance program. A well-designed D&O insurance program will include within its overall structure a layer of so-called Side A/DIC insurance. These kinds of policies have a number of important features that are available to protect individual directors and officers in certain kinds of catastrophic claims.

 

Among the parts of many of these policies’ “difference in conditions” insurance  protection is a feature by which the Side A/DIC insurer will “drop down” and provide corporate executives first dollar protection if the corporate entity for any reason wrongfully withholds corporate advancement or indemnification. The idea of this insurance protection is that the individual should never be in a position where they cannot defend themselves because the company is withholding advancement. The insurer will step in and advance payment on the individual’s behalf and where appropriate seek to be reimbursed by company that wrongfully withheld advancement.

 

The critical importance of these and other features of a well-designed D&O insurance program underscores the importance for corporate insurance buyers and their executives to have a knowledgeable and experienced insurance broker involved in the corporate insurance acquisition process, so that these kinds of issues are identified and taking into account when the insurance program is put together. A knowledgeable and experience broker will understand how directors’ and officers’ advancement and indemnification rights operate and how the operation of these rights will and should interact with the company’s D&O insurance program.

 

One final note. I know that there will be those who might be outraged that Blankenship is having his defense fees advanced, given the magnitude of the mining disaster and the nature of the criminal allegations against him. However, as I noted in an earlier post in which I discussed BoA’s decision to advance the defense fees of former Countrywide CEO (and poster-child for the excesses that led to the financial crisis) Angelo Mozilo, “under Delaware law and under the legal understandings that BofA reached when it acquired Countrywide, BofA has a legal obligation to advance Mozilo’s expenses. The only outrage would be if BofA refused to do so.”

 

That’s the thing about advancement, the corporate obligation applies even when controversy arises — indeed, the moment when controversy arises often is precisely the moment when advancement is most needed. As I said at the time about the objections to advancing Mozilo’s defense expenses, “the objection about Mozilo’s defense expenses is not to advancement of defense expenses as a general matter, but to advancement for Mozilo in particular. There is no principled basis on which to isolate one individual, no matter how unpopular he may be, and single him out as the one person retroactively disentitled to his otherwise enforceable rights.” As with Mozilo, so too with Blankenship.

 

For a basic description of the the interaction between indemnification and D&O insurance, refer to my prior post here, which was the first installment in my “Nuts and Bolts of D&O Insurance” series. (The entire series can be found here.)

 

Special thanks to the several readers who send me copies of the Delaware Chancery Court’s opinion in the Blankenship case.

floridaIn a coverage dispute arising out of the long-running Rothstein Ponzi scheme scandal, a Southern District of Florida judge, applying Florida law, has held that the professional services exclusion in the Rothstein bank’s D&O insurance policy precluded coverage for claims brought against the bank and certain of its directors and officers by the Rothstein law firm’s bankruptcy trustee. As discussed below, the court’s decision raises questions about the appropriate wording for the professional services exclusion in a service company’s D&O insurance policy. The May 18, 2015 decision in the case can be found here.

 

Background

The Rothstein law firm bankruptcy trustee along with lead feeder fund’s bankruptcy trustee’s filed claims against Gibraltar Private Bank & Trust and certain of its directors and officers alleging that the defendants aided and abetted Rothstein in the perpetration of the Ponzi scheme fraud. The bank submitted the claims to its D&O insurers, which denied coverage for the claims in reliance on the professional services exclusion in the policies.

 

After the D&O insurers denied coverage, the bank and its directors and officers entered a series of settlements and related agreements  (what the court later referred to as “Coblenz agreements”) with the bankruptcy trustees and with the claimants in the underlying actions whereby the bank and the individuals consented to the entry of a judgment against them in exchange for an assignment of their rights under the D&O insurance policies and a agreement not to enforce the judgment against them except as to the insurance policy proceeds. The assignees then filed a coverage lawsuit in the Southern District of Florida against the D&O insurers. The insurers moved to dismiss.

 

The professional services exclusion provided that:

 

The insurer shall not be liable to make any payment for Loss in connection with any Claim made against any Insured alleging, arising out of, based upon, or attributable to the Organization’s or any Insured’s performance of or any failure to perform professional services for others, or any act(s), error(s) or omission(s) relating thereto.

 

The May 18 Opinion

In her May 18, 2015 opinion, Southern District of Florida Judge Kathleen M. Williams granted the defendant insurers’ motion to dismiss with prejudice, ruling that the D&O insurance policies’ professional services exclusion precluded coverage for the underlying claims. In concluding that the professional services exclusion precluded coverage, Judge Williams rejected several arguments that the plaintiffs had raised.

 

First, Judge Williams rejected the plaintiffs’ argument that the exclusion operated severally (that is, separately as to each insured person) rather than jointly. Judge Williams said that “a plain reading of the Professional Services Exclusion demonstrates that it bars coverage for any Claim made against any Insured arising out of any Insured’s failure to perform professional services for others.  The exclusion is not limited in its application to each Insured’s performance; instead it jointly bars coverage for all insureds for any Claim arising out of any insured’s performance or failure to perform professional service.” In reaching this conclusion, Judge Williams noted that the policies incorporated a so-called severability provision, which made certain of the policies’ exclusions (but not the professional services exclusion) severable, so that the conduct of one insured would not be applied to preclude coverage under the identified exclusions for other insureds.

 

Judge Williams also rejected the plaintiffs’ argument that because the exclusion did not define the term professional services, the exclusion is ambiguous and should be construed against the insurers. She reviewed several prior case decisions applying Florida law in which the courts had said that were a policy does not define the term “professional services,” the courts have considered whether the service at issue involves specialized skill, requires specialized training, is regulated, requires a degree, and/or whether there is an entity that provides certification or accreditation for individuals in the field. Judge Williams found that the provision of banking services represents the delivery of professional services within the meaning of the exclusion.

 

However, the plaintiff argued that the allegations against the bank and the individual directors and officers arose out of purely internal management and regulatory functions, not services to others. Judge Williams reviewed the allegations in the underlying complaint and concluded that the allegations in the complaint “arise out of, or are attributable to, the Insureds’ performance of or failure to perform professional services for other” – specifically banking services for the benefit of Rothstein and the Rothstein law firm accounts.

 

Finally, Judge Williams rejected the plaintiffs’ allegation that the application of the exclusion to preclude coverage for the delivery of banking services renders the coverage offered under the policy to be illusory, because every activity involved in the bank’s operations involves the delivery of banking services. In rejecting this argument, Judge Williams said that the D&O policies provide coverage for many claims that would not involve the delivery of services for others. She said, for example, the bank provides coverage for wrongful termination and harassment claims or for securities claims made against any insured.

 

Discussion

Within the constraints of the policy language at issue, Judge Williams’s decision on this coverage dispute arguably is unexceptional. (I don’t by that comment mean to suggest that I do not appreciate the work and effort that went into contesting the legal issues involved, which I understand were quite challenging and hotly contested; I am merely reflecting my opinion on Judge Williams’s ruling, not the degree of difficulty that the parties faced in this case.) However, for me, this decision raises more general question about the language used in professional services exclusions in service companies’ D&O insurance policies. I suggest below that the specific exclusionary language used in this policy is not appropriate for companies, such as banks, engaged in a service business.

 

By raising this language concern, I do not mean to suggest in any way that different language should have been used on this particular policy. I have no way of knowing whether or not the alternative, preferred language I identify below would have been available in connection with the placement of this policy. Indeed, the alternative language usually is not available, and the language used in this policy often is viewed as standard – which is the heart of the problem with the language, as far as I am concerned.

 

My objection to the language used in the professional services exclusion in the policy at issue in this case is based upon the purposes for which a professional services exclusion is included in a D&O insurance policy in the first place.

 

The purpose of a professional services exclusion in a D&O insurance policy is to align the various coverages in the policyholders’ liability insurance program, so that the D&O policy does not apply to claims that the policyholder’s E&O insurance policy. Because this is the purpose of the professional services exclusion, in my view the appropriate wording to be used in the exclusion is the “for” wording. I have always felt that the use of the broad “based upon, arising out of or in any way relating to” sweeps far too broadly for the exclusion’s purpose and threatens to extend the exclusion’s preclusive effect far beyond the exclusion’s purpose of keeping the various liability claims in the appropriate insurance lane.

 

But whatever the argument in general about the use of the broad “based upon or arising out of” language in a professional liability exclusion might be, I think the argument that the broad preamble sweeps too broadly is particularly compelling in the context of a business company in the services sector. I think there is merit to the plaintiff’s argument here that the way the broad preamble is interpreted and applied reaches into the very essence of the service company’s day-to-day operations. The plaintiffs’ argument that for a services business all likely claims will arise out of, relate to or in any way involve the company’s delivery of services is legitimate – and that is the reason why the professional services exclusion in a service business’s D&O insurance policy should have the “for” wording, not the “based upon or arising out of wording.”

 

The examples Judge Williams cites for the types of claims that are still covered under the policy notwithstanding the overbroad sweep of the exclusion to me unconvincing. The discrimination and harassment claims examples to which she referred are entirely inapposite. Those kinds of claims are employment practices liability claims not D&O insurance claims; the reference to those types of claims is entirely beside the point and proves nothing. Her reference to securities claims is closer to the mark but of less relevance to a private company; even if true, it leaves the entire remaining universe possible of D&O claims – that is, all of the various types of liability exposures for which a private company might buy D&O insurance – within the reach of the exclusion’s preclusive sweep.

 

Even if at the margins there are theoretical claims for which coverage might be preserved from the exclusion’s overbroad reach, that does not alter the fact that given the purposes for which the exclusion is in the policy, the exclusion should not – particularly for companies in services industries – be worded with the unnecessarily overbroad “based upon or arising out of wording.” Even though the narrower “for” wording  is not available in many instances even in a competitive marketplace, the “for” wording is the wording that should be used, given the purposes for which the exclusion is included in the policy in the first place.

 

In addition, Judge Williams analysis of the “jointly” but not “severally” interpretation of the policy exclusion suggest further to me that the severability clause contained in management liability insurance policies arguably should be extended to preserve coverage for claims against insured persons against whom claims are alleged that do not trigger the professional services exclusion. Even if allegations are made against one insured that triggers the exclusion, there is no reason why coverage should be excluded for other insured persons if the allegations against the other insureds are not “for” alleged wrongful acts allegedly committed in the delivery of professional services.

 

Special thanks to James Kaplan of the Kaplan Zeena law firm for sending me a copy of this opinion. Kaplan represented the primary D&O insurer in this case. I should hasten to add the views I have expressed in this blog post are, of course, entirely my own.

nystate1As I have noted in prior posts, “qui tam actions” under the False Claims Act often fit uncomfortably with typical D&O insurance policy terms and provisions. For example, the procedure whereby qui tam actions are filed but not immediately served raise questions of the claims made date (as discussed here), and with respect to the potential applicability of the prior and pending litigation exclusion (as discussed here).

 

In addition, as discussed in a recent case in the New York Supreme Court Appellate Division (First Department), a “qui tam action” pursued by the “relator” (a private third party claimant pursuing the False Claims Act claim individually) also raises questions about who the real party in interest is and how that could affect the availability of coverage under a D&O insurance policy.

 

In an April 30, 2015 decision (here), the New York intermediate appellate court held that even though the qui tam action claimant was pursuing the action individually, the government was the “real party in interest,” and therefore coverage for the action was precluded under the qui tam action defendant company’s D&O insurance policy’s regulatory exclusion.

 

As discussed below, this case presents yet another example of the problems that qui tam action under the False Claims Act can present for purposes of D&O insurance coverage. As discussed below, the question whether the exclusionary language at issue appropriately could be interpreted to preclude coverage for a qui tam action maintained by a relator is far from clear.

 

A May 19, 2015 post about the ruling can be found on the Wiley Rein law firm’s Executive Summary Blog, here.

 

Background

As discussed here, the federal False Claims Act imposes liability on those who defraud the government. The law also allows third-parties to bring qui tam actions in the form liability claims under the Act; if the qui tam actions are successful, the third-party can receive a portion of the recovery. When a third-party files a qui tam action, the Act requires that the complaint remain under seal for at least sixty days and that it “not be served on the defendant until the court so orders,” so that the government can decide whether it wants to intervene and pursue the action. Even if the government declines to intervene, “the person who initiated the action shall have the right to conduct the action.” The person who pursues this type of claim is referred to as the “relator.”

 

Huron Consulting Group (HCG) was named as a defendant in a qui tam action. The action alleged that HCG had violated the federal False Claim Act and the New York False Claims Act in connection with excessive Medicare and Medicaid billing. The government declined to participate in the action; the relator continued to pursue the action individually.

 

BCG sought coverage under its D&O insurance policy for the defense expenses it incurred in defending the claim. The D&O insurer denied coverage based on the applicable policy’s Regulatory Exclusion. The Regulatory Exclusion provides in pertinent part that there is no coverage for Loss in connection with claims “brought by . . . any federal [or] state . . . governmental entity, in such entity’s regulatory or official capacity.” The insurer filed an action in New York state court seeking a judicial declaration that the exclusion precluded coverage.

 

The trial court denied the insurer’s motion for summary judgment and granted BCG’s cross motion for summary judgment that the insurer was obligated to pay BCG’s defense costs. The insurer appealed.

 

The April 30 Opinion 

In an April 30, 2015 per curiam opinion, a unanimous five-judge panel of the New York Supreme Court Appellate Division reversed the lower court, ruling instead that coverage for the relator’s qui tam action was precluded by the policy’s regulatory exclusion.

 

In reaching its decision, the appellate court said that the trial court had erred in concluding that “the underlying qui tam lawsuit was brought by a private party, not a governmental entity operating in an official or regulatory capacity.” Rather, the appellate court said that while relators indisputably have a stake in the outcome of False Claims Act qui tam cases that they initiate, the Government remains the “real party in interest” in any such action.

 

The appellate court quoted a prior Second Circuit decision in which the federal appellate court said with respect to qui tam actions, even qui tam actions pursued and maintained by a relator rather than by the government, that “It is the government that has been injured by the presentation of such claims; it is in the government’s name that the action must be brought; it is the government’s injury that provides the measure for the damages that are to be trebled; and it is the government that must receive the lion’s share-at least 70%-of any recovery.” Because the U.S. government is the real party in interest, the regulatory exclusion applies to preclude coverage under the policy for the qui tam action.

 

Discussion

As I noted at the outset, and as I have noted in prior posts, qui tam actions fit awkwardly within the terms and conditions found in the typical D&O insurance policy. But while that awkward fit is a recurring problem, the outcome of this case goes beyond the standard awkwardness for these types of claims. The contention that the Regulatory Exclusion precludes coverage here is not self-evident, and a good case could made that the exclusion does not and was not intended to preclude coverage for this type of claim.

 

The exclusion precludes coverage only for claims brought “by” a governmental entity. Under the standard procedures for qui tam actions, the government had the opportunity to decide whether it would participate in the action. If the government had decided to intervene, then the action obviously would have been brought “by” the government. But the government chose not to intervene, and to me that clearly makes a different with respect to the question whether the action the relator continued and maintained was “by” the government.

 

It may well be that in a qui tam action maintained by a relator that the government is the real party in interest. That is, the qui tam action is clearly brought “on behalf of” the government. But the regulatory exclusion doesn’t preclude coverage for claims brought “on behalf of” the government; it only precludes coverage for claims brought “by” the government. The significance of the absence of the “on behalf of” language is underscored  by the fact that other standard D&O exclusions and policy provisions typically refer to actions brought “by or on behalf of” a specified party. The standard policy language used in these other provisions show that when an insurer intends to preclude coverage for claims brought “by or on behalf of” someone, there is language at hand for the insurer to use to do so. The insurer did not use this language in this regulatory exclusion, and that is an important – and to my mind, dispositive – difference.

 

If the insurer omits to include exclusionary language precluding coverage for claims “by or on behalf of” someone,  but instead uses only exclusionary language precluding coverage only for claims brought “by” someone, then the only way the exclusion can or should apply is if the claim was in fact brought “by” the identified person (in this case, a governmental entity). The exclusion should not apply if the action was brought and is maintained by a third party relator,  even if the government is the real party in interest, because even if the relator’s claim is indisputably “on behalf of” the government, the relator’s claim just as indisputably is not “by” the government.

 

If the carrier really does intend to preclude coverage for these types of claims, it should have to either expressly exclude coverage for qui tam actions maintained by relators or specify that its exclusion precludes coverage not only for actions brought “by” the government, but actions brought “on behalf of” the government. In the absence of these kinds of provisions, the policy exclusion should not apply to and there should be coverage under the policy for the relator’s qui tam action.

 

UPDATE: An informed source advises that the exclusion at issue in fact included the “on behalf of” language, which for some reason the court did not seem to think was important. It certainly changes my view of the outcome of this case, although the Court’s analysis standing alone still leaves me cold. 

 

If there is any good news here, it is that it is relatively rare for D&O insurance policies to include a regulatory exclusion of the type involved here. Typically regulatory exclusions are only found in D&O insurance policies of commercial banking institutions and some other types of financial institutions. Indeed, even for commercial banks’ D&O insurance policies, the inclusion of a regulatory exclusion is relatively unusual except for financial troubled institutions. In my view, coverage for a qui tam action maintained by a relator should not be precluded by a regulatory exclusion unless the exclusionary language expressly precludes those types of claims or the exclusion specifically states that coverage is precluded for claims brought “by or on behalf of the government.” Coverage should not be precluded for qui tam actions maintained by a relator where the regulatory exclusion precludes coverage only for claims brought “by” a governmental entity.

sup ct 5ERISA plan fiduciaries have a continuing duty to monitor selected plan investments and to remove imprudent investment selections, according to the U.S. Supreme Court’s unanimous May 18, 2015 opinion in Tibble v. Edison International. Although the Court affirmed the fiduciary duty to monitor, it otherwise left the development of the duty’s contours to be delineated in the lower courts in future cases and rulings. A copy of the Supreme Court’s May 18 opinion can be found here.

 

The Supreme Court’s ruling in this important case decision have a number of implications. Among other things, it may mean an increase in claims alleging that fiduciaries imprudently retained investment selections. The ruling may also make it more difficult for defendants to have claims against them dismissed on statute of limitations grounds.

 

Background

In 2007, certain beneficiaries of Edison’s 401(k) savings plan filed an action under ERISA against plan fiduciaries, alleging that the fiduciaries violated their fiduciary duties with respect to three mutual fund options added to the plan in 1999 and three others added in 2002. The claimants argued that the fiduciaries had acted imprudently by selecting the six retail-class mutual funds when lower cost institutional-class mutual funds were available.

 

The defendants argued that the claims regarding the 1999 selections were untimely because they had been raised more than six years after “the date of the last action which constitutes a part of the breach or omission.” The district court agreed with the defendants and dismissed the claims regarding the 1999 selections because they were included in the plan more than six years before the complaint was filed and that circumstances had not changed enough to put the defendants under an obligation to conduct a review of the mutual funds. The Ninth Circuit agreed that the claimants had not established a change in circumstances that might trigger an obligation to conduct a full due-diligence review of the 1999 funds within the 6 year statute of limitations period.  The U.S. Supreme Court agreed to review the Ninth Circuit’s ruling.

 

The May 18 Decision

On May 18, 2015, in an opinion written by Justice Stephen Breyer for a unanimous court, the U.S. Supreme Court vacated the Ninth Circuit’s opinion and remanded the case to the Ninth Circuit for further proceedings. The Supreme Court said the Ninth Circuit had erred by failing to recognize that under the law of trusts, fiduciaries have a “continuing duty to monitor trust investments and to remove imprudent ones.”  Further, the Court held that this duty “exists separate and apart from the trustee’s duty to exercise prudence in selecting investments.” The trustee must “systematically consider all the investments of the trust at regular intervals to ensure that they are appropriate.”

 

 

The Court went on to say that a plaintiff may allege that a fiduciary breached the duty of prudence “by failing to monitor investments and to remove imprudent ones.” As long as the alleged breach of continuing duty occurred within six years of suit, the claim is timely.

 

 

The Court did not determine whether or not the plaintiffs had sufficiently alleged a breach of the duty to monitor during the six-year limitations period to satisfy the requirements of the statue of limitations. Rather, the Court remanded the case to the Ninth Circuit to determine whether the circumstances alleged required a review of the allegedly improper investments, and if so what kind of review was required.

 

Discussion

It seems probable that the Court’s decision in Tibble v. Edison International will encourage more claims alleging that fiduciaries improperly failed to monitor plan investments. As the Skadden law firm said of the Court’s ruling in its memo about the decision (here), “we fully anticipate an increase in claims alleging fiduciaries imprudently retained investment options, particularly where the original decision to offer the challenged investments under the plan was made more than six years before the filing of the suit.”

 

In any event, and at a minimum, the Court’s ruling will make it considerably harder for plan fiduciaries to establish a statute of limitations defense in breach of fiduciary duty claims based on imprudent investment options.

 

While there will likely be future claims based on these theories, there will also have to be a great deal of additional lower court case law development to fill in many of the issues the Supreme Court declined to address, including: what circumstances are sufficient to require plan fiduciaries to conduct a thorough due diligence review of a plan investment? How frequently must a plan fiduciary review plan investments in the absence of special circumstances requiring a more detailed due diligence review? The lower courts will also have to decide what factor are sufficient to suggest that it would be imprudent not to remove an offered investment from the plan. It can be anticipated that future lower court decisions will provide further definition to plan fiduciaries’ continuing duty to monitor.

 

Even thought the Court’s decision leaves a great deal to future case law development, there nonetheless are a number of important takeaways now for plan fiduciaries.

 

Among other things, it will be important for plan fiduciaries to consider establishing internal guidelines to document that they are regularly reviewing plan investment options and evaluating the continuing prudence of offered plan investment options.  In that regard, it is important to note that the Court’s opinion stressed that trustees of investment trusts must “systematically consider all the investments of the trust at regular intervals.”  The reviews then must be regular and systematic.

 

The Court’s comments also suggest that there is no one-size fits all type of review; rather the review must be “reasonable and appropriate to the particular investments, courses of action, and strategies involved.”

 

Finally, when it comes to an underperforming investment option, the Court said that the fiduciary duties include the duty to remove imprudent investments. In other words, the systemic and regular review of plan investment options should include the removal of investments that have proven to be imprudent.

seventhcircuitsealOn October 17, 2013, when Northern District of Illinois Judge Ronald Guzman entered a $2.46 billion judgment for the plaintiffs in the long-running Household International securities class action lawsuit, it was according to statements at the time the largest judgment ever in a securities fraud trial. However, on May 21, 2015, the Seventh Circuit reversed the verdict on loss causation grounds and remanded the case to the district court for further trial proceedings. Because the appellate court ruling reversed the verdict solely with respect to liability issues, the further trial proceedings will in effect determine whether or not the damages verdict totaling $2.46 billion will or will not be reinstated. A copy of the Seventh Circuit’s May 21 opinion can be found here.

 

Background

As detailed here, the plaintiffs first filed their lawsuit back in 2002 on behalf of all persons who acquired Household International securities between October 23, 1997 and October 11, 2002. The plaintiffs contended that during the class period, the defendants concealed that Household “was engaged in a massive predatory lending scheme.”

 

According to the complaint, Household “engaged in widespread abuse of its customers through a variety of illegal sales practices and improper lending techniques.” Household also reported “false statistics” that were intended to “give the appearance that the credit quality of Household’s borrowers was more favorable that it actually was.” The plaintiffs allege that the “defendants’ scheme” allowed them “to artificially inflate the Company’s financial and operational results.”

 

In the third quarter of 2002, the company took a $600 million charge and restated its financial statements for the preceding eight years, and in October 2002, the company announced that it had entered into a $484 regulatory settlement regarding its lending practices. On November 14, 2002, the company announced that it was to be acquired by HSBC Holdings.

 

The defendants in the lawsuit included Household International and its mortgage finance subsidiary, Household Financial Corporation, and Household’s former CEO and CFO, as well as certain other former officers and directors. The company’s offering underwriters were also initially named as defendants, but they were later dismissed from the case. The plaintiffs also reached a prior settlement with the company’s former auditor, Arthur Anderson.

 

As detailed here, trial in the case commenced on March 30, 2009. Judge Guzman bifurcated the case into two parts, with a damages phase to follow the initial liability phase.

 

As detailed here, on May 7, 2009, the jury returned a mixed verdict in which the jury found for the plaintiff on a number of – but not all – counts. The jurors were asked to make specific findings with respect to 40 allegedly false and misleading statements. The jury found in favor of the defendants with respect to 23 of the statements. However, the jury found in favor of the plaintiffs with respect to 17 of the statements.

 

The ultimate October 2013 judgment order, arriving as it did some four and a half years after the verdict, followed several post-trial defense motions to invalidate the verdict as well as defense objections to thousands of class members’ claims. The Court also considered and ruled on issues concerning the reliance of absent class members on defendants’ statements.

 

The judgment was entered against Household International; its former Chairman and CEO William Aldinger; its former CFO and COO David Schoenholz; and its former Vice-Chair of Consumer Lending Gary Gilmer. The company, Aldinger and Schoenholz were hold jointly and severally liable for the judgment and Gilmer was liable for 10% of the judgment.

 

The defendants appealed the verdict to the Seventh Circuit. The defendants primarily challenged the judgment on loss causation grounds. They also argued that the trial judge had improperly instructed the jury on the basis on which the jury was to determine whether or not a defendant had “made” the misleading statement at issue. Finally, the defendants argued that during the damages phase rulings the trial court made improperly prevented them from challenging individual plaintiffs’ reliance on the misleading statements.

 

The May 21 Opinion

In a May 21, 2015 opinion written by Judge Diane Sykes for a unanimous three judge panel, the Seventh Circuit reversed the trial court judgment with respect to the liability phase and remanded the case to the trial court for further proceedings.

 

In reversing the trial court judgment on the issue of loss causation, the appellate court reviewed at length the relevant law on the issue of loss causation and the evidence that the plaintiffs presented at trial on the loss causation issue. In support of their loss causation case, the plaintiffs had presented the expert testimony of Daniel Fischel, formerly Dean at University of Chicago law school and now a professor at Northwestern Law School (about whom the Seventh Circuit noted in a footnote that “apparently he’s the expert for this kind of financial analysis”).

 

Fischel presented two economic models at trial, the “specific disclosure” model (designed to separate effects on a company’s share price due to misrepresentations from movements in the company’s share price caused by other market factors) and the “leakage” model, which assumes that the truth may “leak” into the marketplace as a result of more gradual exposure of the fraud. The jurors were given tables reflecting the stock price-related inflationary impact from the misleading statements under each of the two models. The jury selected the leakage model and used the table to calculate the class period impact of the statements the jury had concluded were misleading.

 

On appeal, the defendants challenged the leakage model of loss causation, arguing that it improperly and illogically showed that the stock as inflated on the first day of the class period without showing how the stock was inflated in the first place. The appellate court rejected this argument, holding that it was sufficient for plaintiffs to prove that the defendants’ false statements caused the stock price to remain higher than it would have been if the statements had been truthful.

 

The defendants argued further, however, that the leakage model on which the jury had relied did not account for firm-specific non-fraud factors that may have affected the company’s share price. The appellate court noted that in fact the plaintiffs’ expert had not ignored non-fraud factors; he said only that he had looked for company specific non-fraud factors during the relevant period and did not find any significant trend of positive or negative information apart from the fraud-related disclosure. The defendants argued that this was not enough and that under Dura, the plaintiffs needed to eliminate any firm-specific non-fraud factors that might have contributed to the stock’s decline.

 

The appellate court concluded that the plaintiffs’ expert’s trial testimony did not adequately account for the possibility that firm-specific nonfraud related information may have affected the decline in Household’s share price during the relevant period. The record, the appellate court said, reflects only the expert’s general statement that any such information was insignificant, which the court said, is not enough. On remand,, if the plaintiffs’ expert testifies that there were no nonfraud impacts on the share price, the burden shifts to the defendant to identify some “significant, firm-specific, nonfraud related information that could have affected the stock price.” If they cannot, the case goes to the jury. If they can, the burden shifts back to the plaintiff to account for the information or to provide a loss-causation model that does not suffer the same problem.

 

The appellate court also found that the trial court had erroneously instructed the jury as far on what it means to “make” a false statement under the Supreme Court’s holding in the Janus Capital Group case (about which refer here). The trial court had instructed the jury that the plaintiffs must prove that the defendants “made, approved or furnished information” in a false statement of fact. The defendants argued that the “approved or furnished information” language misstated the law and in effect held the defendants liable for statements they did not “make.”

 

The appellate court agreed, ruling that the instruction “directly contradicts Janus.” However, the court held, that the effort cause no prejudice to Household International, as it “made” all of the statements at issue. The court did hold as certain of the statements of the three individual defendants and that the three individuals were entitled to a new trial on the question whether they had “made” the misleading statements, and then to reallocate liability among the three defendants. The court emphasized “for clarity’s sake” that on remand the defendants may not relitigate whether any of the 17 statements were false or material, and that the jury’s secondary liability findings also remain undisturbed.

 

Finally, the defendants argued that during the damages phase various rulings the trial court had made had deprived them of an opportunity to rebut the presumption of reliance as to individual members in the plaintiff class.

 

After a lengthy review of the procedures used in the damages phase, the court rejected the defendants argument, adding that because the proceedings below were “neatly divided into two phases,” there’s “no need to redo anything in Phase II, even though the case was being remanded for a new trial. The appellate court said “assuming the plaintiffs have adequately prove loss causation, the district court may rely on the results from Phase II.”

 

Discussion

This case has already been pending for 13 years, and it now has even further to go. As reported in the media, HSBC (as successor in interest to Household Financial) did indeed succeed in having the trial verdict set aside and securing a new trial, and in that respect there is no doubt that the Seventh Circuit’s ruling represents a significant victory for the defendants.

 

However, even though the largest securities trial verdict ever has now been set aside, it could be argued that the appellate outcome is neither as entirely good for the defendants nor as entirely bad for the plaintiffs as that might sound. The re-trial on remand will be a far different affair than the first trial, as the plaintiffs will not be required to re-establish many of the key factual determinations. Although the question of whether the individual defendants “made” various of the misleading statements will have to be litigated on remand, that will likely result at most in a reallocation of liability amongst the three of them, because the re-trial on that issue will relate for each of them only as to some but not all of the misleading statements.

 

The critical battle on remand will be the loss causation issue; the battle will be whether or not there were significant, company-specific nonfraud factors that affected the company’s share price during the relevant period. At issue in the case is whether or not the results of the first trial’s damages phase (that is, the $2.46 billion judgment) will or will not be reinstated.

 

Either way, this long-running case still has further to go. It is a well-known fact that very few securities class action lawsuits ever go to trial. This case may underscore many of the reasons why. Given the stakes and number of complicated legal issues involved, the cases can be interminable and exhausting for both sides.

 

I will say that for anyone interested in plumbing the depths of the loss causation issue in securities litigation, the Seventh Circuit’s opinion makes for interesting reading. The issue is itself complicated, and the complication is exacerbated by the fact that securities cases so rarely go to trial.

 

An Observation about the Plaintiffs’ Expert Witness: I wonder if I am the only one that sees some irony in the involvement of Daniel Fischel as the expert witness for the plaintiffs in this case. The irony comes from the fact that the lead plaintiffs’ counsel and trial counsel in the case was the Robbins, Geller, Rudman & Dowd law firm, which is of course the successor law firm to the predecessor plaintiffs’ securities class action firm in which Bill Lerach was the lead named partner. (The Lerach law firm in turn was a split off from the former Milberg, Weiss, Bershad, Hynes and Lerach law firm).

 

As detailed in Patrick Dillon and Carl Cannon’s excellent 2010 book, Circle of Greed (about which refer here), Lerach had waged a vendetta against Fischel, that in the end went seriously awry. In a class-action case in 1988 involving Nucorp Energy,  Lerach for the first time faced Fischel and quickly developed a keen dislike of him, saying to a colleague that “someday I’m going to wipe that grin right off” Fischel’s face (although he used a more colorful term to refer to Fischel).

 

When he crossed paths with Fischel in another case two years later, when Fischel introduced himself, Lerach said, “I know who you are. And I will destroy you.” In the Lincoln Savings and Loan case in 1990 Lerach sued Fischel’s consulting firm, Lexecon, as part of the class action. At a Christmas party while the case was pending, Lerach said that he wanted to bury Fischel “under the courthouse steps.”

 

Lerach’s feud with Fischel ultimately led to a defamation suit by Fischel and Lexecon that resulted in a landmark Supreme Court decision about multi-district litigation (Lexecon Inc. v. Milberg Weiss Bershad Hynes & Lerach, 523 U.S. 26 (1998)) and a $50 million settlement. Lerach himself wound up pleading guilty in 2007 to obstruction of justice and was sentenced to two years imprisonment. In 2009 he was disbarred from practicing law in California.

 

So perhaps you can see why I think it is interesting that Daniel Fischel was testifying for the plaintiffs in this case, given that the plaintiff class was represented by the successor firm to the old Milberg Weiss law firm.

 

Despite Blockbuster Plea Deal, Big Banks’ Foreign Exchange Conspiracy Woes Continue: It was big news last week when the U.S. and U.K. authorities announced that five banks (J.P. Morgan, UBS, Barclays, Citigroup and Royal Bank of Scotland) had agreed to fines and penalties totaling over $5.4 billion and to plead guilty (at the parent company level) to criminal charges. While this announcement was big news, last week’s deal is far from the end of the foreign exchange-related woes for the global banks involved in the foreign exchange conspiracy investigation.

 

For starters, regulators from other countries are continuing their investigations of the banks’ foreign exchange operations. And U.S. regulators continue to investigate individuals involved in the foreign exchange price-fixing conspiracy.

 

In addition, all of the banks continue to face private civil litigation. As the Moneybeat blog noted in a May 20, 2015 post (here), the information that the U.S. regulators disclosed as part of its announcement of the recent $5.6 billion deal is a veritable treasure trove for the claimants in the civil litigation. As the blog post notes, the internal documents and emails disclosed in connection with the plea deal show not only that the companies internal controls had serious weaknesses, but also that front line management were involved in many of the efforts to fix prices and suppress competition in the foreign exchange market.

 

As noted in a prior blog post, a consolidated foreign exchange price fixing class action is pending in the Southern District of New York. As noted here, on January 28, 2015, Southern District of New York Judge Laura Schofield denied the defendants’ motion to dismiss in the consolidated lawsuit. Several of the defendant banks, all too aware that the antitrust lawsuit is going to go forward, and even more aware that the recent disclosures in connection with the recent plea deal will likely make matters even worse, recently reached agreements to settle the pending case against them.

 

Specifically, on May 20, 2015, the plaintiffs’ lawyers announced that they had reached a $394 million deal with Citigroup to settle the private civil action that had been filed accusing the bank of conspiring to fix foreign exchange rates.  On May 21, 2015, Bank of New York Mellon announced that it had reached a $180 million deal to settle its slice of the foreign exchange antitrust class action lawsuit.  These settlements follow earlier settlements that had been reached with J.P. Morgan, Bank of America and UBS and bring the total settlement reached in the case to over $800 million.

 

However, while there has been a raft of jumbo settlements in the case, the settlements so far involve just five of the 12 banks that are named as defendants in the case. Last week’s developments have not improved the settlement environment in the case for the remaining defendants. The lead plaintiffs’ counsel in the case has already announced that they intend to amend their complaint in the civil action to incorporate the additional information disclosed in connection with the plea deal.

 

As if that were not enough, on  Thursday May 21, 2015 a plaintiff filed a new lawsuit in the Northern District of California alleging that J.P. Morgan, Bank of America and other large banks have continued to rig the foreign exchange markets. The complaint (here) alleges that the foreign exchange price fixing conspiracy at the heart of the government’s criminal action continues to this day.  The newly filed complaint alleges violations of the Sherman Antitrust Act, the California Cartwright Act, and the California Unfair Competition Law.

 

In other words, despite the massive plea agreement announced last week, the foreign exchange rate-fixing conspiracy woes for the big banks are far from over. And of course, the regulators’ continuing investigation into other market manipulative activities (Libor, etc.) continue as well.

david danaAmong the many concerns that arise whenever unauthorized appropriation or use of consumer data occurs is the possible violation of the consumers’ privacy that the access may represent. In numerous cases, aggrieved parties have tried to assert claims for these alleged privacy violations, but by and large these attempts have not been successful. However, as Northwestern Law School Professor David A. Dana (pictured) discusses in the following guest post, there has been a series of recent decisions in California that may prove very valuable for future claimants seeking to assert privacy claims for unauthorized disclosure or use. A version of this article previously was published in the May 2015 issue of Internet Law and Business (here).

 

I would like to thank Professor Dana for his willingness to publish his article on this site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is Professor Dana’s guest post.

 

*******************************************************

 

A burgeoning area of litigation involves claims that Internet and digital companies like Google, Facebook, and Twitter have insufficiently protected or actively appropriated user’s personal information.  Because of the enormous numbers of users and hence enormous number of potential plaintiffs in such cases, which invariably are framed as putative class actions, potential liability for defendants is enormous. However, the district courts have repeatedly dismissed such suits for lack of Article III standing and/or for failure to state a claim.  This Article addresses a recent quartet of decisions that may reflect a precedential gold mine for plaintiffs bringing claims for unconsented-to disclosure or use of their personal information.  Two of these decisions come from the Ninth Circuit: In re Facebook Litig., _ Fed. App’x _, No. 12-151619, May 8, 2014 (“Facebook”), which is an unpublished memorandum opinion, and Astiana v. Hain Celestial (“Astiana”), No. 12-17596, April 10, 2015, which is an opinion designated for publication.  Two of the decisions come from the Northern District of California: Opperman v. Path, Inc., Case 13-cv-00453-JST, March 23, 2015 (“Opperman”), and Svenson v. Google, Inc., Case No. 13-cv-04080-BLF, April 1, 2015 (“Svenson”).

 

Taken together, these decisions suggest that claims alleging certain California statutory and common law violations involving use or disclosure of the personal information of customers by technology companies can survive a motion to dismiss even with very general, even arguably vague, allegations.  Specifically, claims under California’s Unfair Competition Law (“UCL”) and Consumer Legal Remedies Act (“CLRA”) and claims for common law breach of contract and fraud and perhaps unjust enrichment now appear to be able to survive a motion to dismiss even when (1) there are no allegations of individual plaintiff reliance on alleged misrepresentations; (2) there are no particularized factual allegations backing up general allegations that the services or products received by plaintiffs were worth less than they would have been worth had promised protections for personal information been afforded; and/or (3) there are no particularized factual allegations backing up general allegations plaintiffs lost economic opportunities because they could not sell their personal information for as much or at all once that information was disclosed or shared with others by the technology company whose product or service was purchased.  One of these cases, Opperman, also establishes that partial disclosures by a company of the risk that users’ personal information may be used or disclosed does not eliminate the risk of fraud or other claims against the company, but instead can form the basis of an active concealment claim.

 

This apparent shift in the case law involving California law may be a response to recent attention in the media to the problem of inadequate security for personal information; perhaps the Courts believe that these personal information suits should be allowed to at least proceed to discovery, as a way to help keep corporate giants like Google “on their toes.”

 

Whatever the motivations behind these recent cases, they leave a number of questions open. While these cases can be distilled for the proposition that generalized allegations will suffice for purposes of surviving a motion to dismiss, it is not completely clear where the line is between sufficient, albeit generalized, pleading and excessively generalized and hence insufficient pleading. This is especially the case with respect to the question of when plaintiffs can plead their way of out of needing to allege individual reliance under Opperman.  Moreover, the Ninth Circuit may well choose to revisit the decisions in Facebook, which is only an unpublished memorandum, and Astiana, which is a very thinly reasoned, arguably incoherent opinion.  District courts, at least outside the Northern District of California, may choose not to follow these decisions or seek to distinguish them.  Finally, and most notably, the quartet of decisions discussed below only go the question of whether a complaint will survive a motion to dismiss; they do not suggest that these suits will be successful at the summary judgment phase of litigation.  Courts could allow claims to go past the motion to dismiss phase of litigation, but then hold plaintiffs to a high standard regarding proof of their allegations.

 

Fraud, Misrepresentation, Deceit, And Active Concealment Claims

 

In Opperman, Judge Tigar of the Northern District of California issued an opinion that may invigorate efforts to hold companies accountable for their advertising regarding privacy protections for personal data. In a putative class action alleging violations of the UCL, CLRA, and other statutes, the plaintiffs argued that Apple fraudulently represented that their personal information would be protected by Apple, and that Apple concealed the fact that it knew personal information of users in fact had not been protected as promised.  Ordinarily, in a state law fraud action of this sort, purchasers of a product or service would have to allege individual reliance on particular misrepresentations made by the defendant.   But here Judge Tigar denied the motion to dismiss the fraud claims, even though plaintiffs alleged no individual reliance.  Judge Tigar interpreted California law as allowing fraud actions to proceed without individual-reliance allegations where there was “an extensive and long-term advertising campaign” by the defendant regarding its promises to protect personal information. According to Opperman, Federal Rule of Civil Procedure 9(b) in this context does not require more particular pleading than would be required in a state court.  Moreover, Judge Tigar interpreted “an extensive and long-term advertising campaign” in a way that may be quite useful to future plaintiffs.  The Court also held that plaintiffs had adequately alleged that Apple had acted unlawfully in failing to disclose it exclusive knowledge that personal information was not being protected and in actively concealing those same facts.

 

According to Opperman, even statements made by Apple before the product launch at issue could be counted as part of the advertising campaign.  In addition, statements made by third parties and the media could be considered part of the campaign, given that Apple allegedly sought out such “buzz.”  Even though the statements regarding “security” and the like were varied and directed at different audiences, they could constitute a single campaign.

 

Opperman does not establish a bright line as to how many or what sort of alleged misrepresentations are needed in order to adequately allege that there was “an extensive and long-term advertising campaign” of fraudulent representations. Judge Tigar found that the twenty plus examples of security-related representations were sufficient, and seemed to suggest that far fewer than twenty alleged misrepresentations might be two few. It appeared to help the plaintiffs that at least a few of the alleged misrepresentations were particular enough – for example, “[a]pplications on the device are ‘sandboxed’ so they cannot access data stored by other applications” – that they were “capable of being proven false.”

 

Opperman also appears to open up opportunities for future plaintiffs to make active concealment claims against companies when the companies only partially disclose the risks that personal information actually might not be held secure. In Opperman, Apple contended that the plaintiffs failed to allege active concealment adequately because Apple’s Privacy Policy disclosed that third parties, including those who offer Apps, may collect information such as “data or contact details.” But Judge Tigar found that the plaintiffs had adequately alleged active concealment because they alleged that Apple failed to disclose all the material facts, Apple falsely reassured consumers that its iDevices did not contain security vulnerabilities that Apple knew they contained, and Apple did not disclose that it taught or encouraged App developers to access users’ information.   Partial disclosure of risks that personal information is insecure, in other words, does not protect companies from liability and in fact might only support the claim that the companies actively concealed material information of risks from purchasers of products or services.  When companies disclose risks regarding the security of personal information, Opperman teaches, they would be well-advised to fully disclose those risks and not withhold material information.

 

For technology companies and their lawyers, Opperman creates a kind of quandary. On the one hand, a company may well want to advertise to current and potential customers it personal information/data privacy protections as a way of keeping and wooing customers from possible competitors and increasing sales.   On the other hand, if the company does advertise, advertisements may ex post be deemed “an extensive and long-term advertising campaign” and used as a basis for expensive class action litigation against the company.

 

Breach Of Contract – Deprivation Of The Benefit of The Bargain

 

To state a breach of contract claim, plaintiffs must be able to plead some contract damages, which means they must be able to allege some cognizable economic injury.  Likewise, to the extent that the UCL allows claims based on “unlawful” conduct and conduct in breach of contract is unlawful, plaintiffs bringing a UCL claim based on contract violations also must allege economic injury, because such injury is an explicit requirement for a UCL cause of action.  A concrete injury, which usually would mean an economic injury in the personal information/data security context, is also required for Article III standing.

 

The big question for plaintiffs pursuing claims in the personal information/data security context is how far will the courts go in accepting a “creative” theory of economic injury when there is no very straightforward theory available to the plaintiffs. One such theory that plaintiffs lawyers have offered is a lost-benefit-of-the-bargain or overpayment theory, which contends that when the purchaser of a computer product or service that promises privacy protection buys the product or service but does not receive the promised protection, that person has overpaid for the product or service, and the economic injury consists of the difference between the purchase price that was paid and the lesser price that would have been paid had the good or service been explicitly offered as lacking in privacy protection.

 

One problem with his theory is that plaintiffs may be hard pressed to prove – or even credibly allege – that they paid more for a product or service because of promised  protection.   Indeed, in In re Linked User Privacy Litigation, 932 F.Supp.2d 1089 (2013), Judge Davila of the Northern District of California dismissed privacy-related claims against users of Linked-In’s premium service, in part because Linked-In promised the same protections to premium and non-premium users and hence it could not be presumed premium users paid for promised privacy protection.

 

In Svenson, however, Judge Freeman of the Northern District of California refused to dismiss a breach of contract claim in a case where there was arguably an absence of particularized factual allegations supporting the claim plaintiffs paid more than they would have had they not been promised privacy protections.   The Court pointed to two allegations made by plaintiffs: that “[t]he services Plaintiff and Class Members ultimately received in exchange for Defendants’ cut of the App purchase price – payment processing, in which their information was unnecessarily divulged to an unaccountable third party – were worth quantifiably less than the services they agreed to accept, payment processing in which the data they communicated to Defendants would only be divulged under circumstances which never occurred. . . .” and “[h]ad Plaintiff known Defendants would disclose her Packets Contents, she would not have purchased the ‘SMS MMS to Email’ App from Defendants.” These allegations were deemed “sufficient to show contract damages under a benefit of the bargain theory,” even though the slightly more general allegations in a prior version of the complaint had been deemed insufficient by the same judge.   One alleged fact in the amended complaint that may have been persuasive for Judge Freeman was that Google did receive a share of the payment for an “App” plaintiffs made, and was not providing processing for free.  Overall, at least where the defendant did receive payment for a product or service – which would seem to be most cases – Svenson seems to allow a benefit-of-the-bargain contract claim as long as the plaintiff very explicitly alleges that they regarded privacy or security protections as part of the bargain and would not have paid what they paid had they known privacy or security would not be provided.   Thus, it should be quite easy – and courts one day swamped with suits may find, too easy – for plaintiffs to allege economic injury in the form of deprived benefit of the bargain in the personal information/data security context.

 

Breach of Contract – Loss Of Market Opportunity

 

A second theory for contract damages in the personal information/data security setting is that purchasers of a service or product lost an opportunity to sell their own personal data when a company that promised to preserve the privacy or security of their personal information actually uses or discloses that information for its own purposes.  A line of federal district cases, including ones from the Northern District of California, held that general allegations that the plaintiffs lost an opportunity to sell their own personal information as a result of contractual violations of privacy or data security promises were insufficient to satisfy the requirement that plaintiffs allege Article III economic injury and/or damages as part of a breach of contract claim.  However, in the unpublished memorandum opinion in Facebook, the Ninth Circuit held that where “[p]laintiffs allege[d] that the information disclosed by Facebook . . . harmed” them because they “los[t] the sales value of that information,” the allegations were sufficient to show the element of damages for their breach of contract claim.  In reversing the district court’s dismissal of the contract claim against Facebook, the Ninth Circuit, albeit in an opinion that lacks binding authority under Ninth Circuit rules, signaled that plaintiffs need do no more than allege what the Facebook plaintiffs alleged in order to have a breach of contract claim survive a motion to dismiss.   And the Facebook plaintiffs had not alleged facts supporting their general allegation that they lost an opportunity to sell their own personal information due to Facebook’s alleged misconduct.

 

Judge Freeman in Svenson explained that the case law prior to the Ninth Circuit’s decision in Facebook – case law Google largely relied upon – was inapposite because the Ninth’s Circuit’s decision changed what was required for plaintiffs to allege. For Judge Freeman, the Ninth Circuit’s decision appeared to be governing even though it is a memorandum decision.  Judge Freeman may have taken this position because even though the Facebook memorandum opinion is inconsistent with prior district court rulings, it is not even arguably inconsistent with any other Ninth Circuit opinions, as the Ninth Circuit had not previously addressed this issue.

 

As Judge Freeman explained, the Ninth Circuit in Facebook did not require an explication of precisely how personal information was diminished in value as part of a well-pled contract claim.  Thus, even though the plaintiffs in Svenson alleged only that there is a “robust market” for the information at issue and as a result of Facebook’s actions, plaintiffs were deprived of their ability to sell their own personal data on the market,” those allegations were found to be sufficient.

 

Taken together, the Ninth Circuit’s decision in Facebook and Svenson suggest that, at least in the Northern District of California, bare allegations of loss of value in personal information will suffice.  That is certainly how litigants in that District are treating the current state of the law, as evidenced by both the plaintiffs’ and defendants’ briefs in In re Google, Inc. Privacy Litigation, No. 12-CV-01382 PSG, before Judge Grewal, in which the parties seem to agree that the law has shifted with Facebook and Svenson, but disagree whether diminution in value of personal information is actually at issue in their case or whether their case only relates to alleged loss in battery life and bandwidth.

 

Unjust Enrichment

 

If plaintiffs in personal information/data security cases  can avoid alleging contract claims and can instead allege unjust enrichment, then they might be able to avoid alleging contract damages, which outside of the Northern District of California, can be difficult (although they still need to allege economic injury for Article II purposes).  However, under California law, it has generally been understood that unjust enrichment is not a stand-alone action but rather a remedy that can be sought after a stand-alone claim like breach of contract or fraud is adequately pled.  Nonetheless, the Ninth Circuit’s recent decision in Astiana perhaps suggests plaintiffs in personal information/data security cases could plead unjust enrichment as a distinct clause of action under a quasi-contract theory, even though the unjust enrichment/quasi-contract theory claim would look just like a breach of contract or fraud claim.   The Ninth Circuit’s analysis in Astiana is quite brief, and here is the key passage:

 

As the district court correctly noted, in California, there is not a standalone cause of action for “unjust enrichment,” which is synonymous with “restitution.” . . . .  However, unjust enrichment and restitution are not irrelevant in California law. Rather, they describe the theory underlying a claim that a defendant has been  unjustly conferred a benefit “through mistake, fraud, coercion, or request.” 55 Cal. Jur. 3d Restitution § 2. . . . When a plaintiff alleges unjust enrichment, a court may   “construe the cause of action as a quasi-contract claim seeking restitution.” . . . . Astiana alleged in her First Amended Complaint that she was entitled to relief under  a “quasi-contract” cause of action because Hain had “entic[ed]” plaintiffs to purchase their products through “false and misleading” labeling, and that Hain was  “unjustly enriched” as a result. This straightforward statement is sufficient to state  a quasi- contract cause of action.

 

The Ninth Circuit’s reasoning in Astiana is unpersuasive, in that it seems to sanction exactly what it explicitly states is impermissible under California law – the pleading of a stand-alone, separate cause of action for unjust enrichment.  If all one must do is add the label “quasi-contract” to an unjust enrichment cause of action, then there is no real constraint on the pleading of what are in substance stand-alone unjust enrichment causes of action under California law. Nonetheless, for now, Astiana is good law and it may open up pleading opportunities for plaintiffs in personal information/data security cases.

 

Conclusion

In sum, the quartet of federal cases applying California appear to lower the pleading thresholds for plaintiffs in personal information/data security cases.  Whether these cases lead to more complaints being filed and a consequential rethinking by the courts, or whether the courts will simply winnow suits by requiring proof of general allegations in the summary judgment phase of litigation, remains to be seen.

 

globe2For many years, the U.S. was the only country actively seeking to use its laws to fight corruption. However, more recently, a number of other countries have enacted their own anti-bribery laws while other countries have become more active in pursuing anti-bribery enforcement – including not only Germany, South Korea and Britain, but also Brazil and China (among many others). This anti-corruption drive unquestionably is a good thing and it is unquestionably right that bribery should be punished. Bribery has a corrosive effect; it distorts economic outcomes and diverts resources into the corrupt officials’ pockets.

 

While the enforcement of anti-corruption laws is to be applauded, at the same time, questions are being asked about whether in at least some cases things might have come too far, as the enforcement process has become astronomically expense and time-consuming.

 

A May 9, 2015 Economist article entitled “Corporate Bribery: The Anti-Bribery Business” (here), as well as a leader article in the same issue (here), refers to what the magazine describes as “a mounting body of evidence that the war on commercial bribery is being waged with excessive vigor, forcing companies to be overcautious in policing themselves,” noting that “some under investigation are starting to fight back.”

 

As evidence of the excess, the article cites the massive amounts that Walmart, Siemens and Avon Products, among many others have spent in fighting corruption allegations. It is not that the charges against the companies were not serious — the charges definitely were and are serious. The problem, the article suggests is that “the cost and complexity of investigations are spiraling beyond what is reasonable, fed by a ravenous ‘compliance industry’ of lawyers and forensic accountants who have never seen a local bribery issue that did not call for an exhaustive global review; and by competing prosecutors, who increasingly run overlapping probes in different countries.”

 

The huge amount of work generated for internal and external lawyers and for compliance staff is the result of firms “bending over backwards to be co-operative in the hope of negotiating reduced penalties.” The article quotes Southern Illinois Law Professor Mike Koehler, the author of the FCPA Professor Blog (here), as saying that the overkill is a by-product of what he calls “FCPA, Inc.,” a very aggressively marketed legal industry niche that has every incentive to convince their clients that the sky is falling. Corporate officials, under pressure to clean house and under the sway of the anti-corruption industry, “will then agree to any measure, however excessive, to demonstrate that they have comprehensively answered” every question.

 

For many companies, the expenses do not even end when they have finally managed to reach a settlement with the regulators and enforcement authorities. The bills can keep coming in for years, as many firms are required to bear the cost of being overseen for several years by an independent compliance monitor. Firms that have been the target of bribery investigations may also find themselves shut out from procurements processes. And there is always the risk of follow-on shareholder litigation as well.

 

Not only have the costs increased, but the time required to conclude a case has lengthened inordinately as well, as detailed in a April 20, 2015 Wall Street Journal article entitled “The Foreign-Bribery Sinkhole at Justice” (here) which of course has exacerbated the problems associated with the overwhelming costs of these types of investigations.

 

Part of the problem for everyone is that because so few bribery prosecutions have ever gone to trial, there is almost no legal authority guiding and informing the regulatory and enforcement process. As the article puts it, “this hands prosecutors a lot of discretion.” The article quotes Professor Koehler as saying that “we have only a façade of enforcement,” and that “the FCPA often means what enforcement agencies say it means.”

 

Some companies have started to push back, as Professor Koehler notes in a May 5, 2015 post on his FCPA Professor blog (here). In his post, Koehler references an April 29, 2015 Wall Street Journal article (here) that discusses efforts by Wall Street banks to resist what the banks describe as the enforcement authorities’ “overaggressive effort” to investigate the banks for hiring children and other relatives of government officials in China.   The problem for everyone is that when the regulators have such wide discretion to decide what conduct violates the law, conduct that was not previously viewed as improper can suddenly turn out to represent a violation.

 

No one is suggesting that anti-bribery enforcement in of itself is the problem. The problem is the excesses to which the enforcement can lead. The Economist suggests four steps to reform the process and to “stop a descent into investigative madness.”

 

First, the magazine suggests, “regulators should rein in the excesses of the compliance industry and take into account the cost to firms of sprawling investigations.” When companies self-report suspected violations, regulators should “tell them what level of investigation they want to that companies are not overzealous out of fear of seeming evasive.” There is reason to hope that regulators may recognize their ability to help here; the article quotes the head of the DoJ’s criminal division as saying that “We do not expect companies to aimlessly boil the ocean.”

 

Second, the article suggests, governments should lower the costs by harmonizing anti-bribery laws and by improving coordination between national probes. There are of course existing efforts to align international efforts, such as the OECD’s ant-bribery convention. There is more that national governments can do to ensure that they are not subjecting companies to multiple investigations and multiple punishments for the same misconduct.

 

The magazine’s third suggestion, while analytically valid, may be prey to an almost inevitable futility. The magazine suggests that more corruption case need to go to trial, so that legal standards that might constrain enforcement authorities are developed. The problem is that companies are scared to fight and risk a criminal indictment. It is, as the magazine itself notes, commercially rational for companies to capitulate. It may be that efforts of the type now being pursued by the Wall Street banks to push back can provide some constraint to prosecutors’ expansive legal interpretations.

 

The magazine’s final reform suggestion may have the most potential. The magazine suggests that anti-bribery laws should be amended to allow companies a “compliance defense” – that is, if the company had valid anti-bribery policies and were making reasonable efforts to enforce the policies, and self-reported when violations were found, the penalties imposed should be greatly reduced. Although the magazine does not add this point, it would be beneficial if companies qualifying for this defense could also look forward to a more contained and shortened investigative and enforcement process.

 

 

aus3An exclusion sometimes found in D&O insurance policies precludes coverage for claims made by shareholders who have a specified percentage of ownership in the insured company. This type of exclusion is called a Major Shareholder Exclusion (or, sometimes, the Principal Shareholder Exclusion). An interesting May 6, 2015 decision (here) by the Supreme Court of Victoria (Melbourne) addressed the interesting question of what is the relevant point in time for determining the ownership percentage – at the time the claim is made or at the time the wrongful acts allegedly took place? The considerations discussed in the decision raise a number of issues about this type of exclusion. A May 15, 2015 memo from the Allens law firm about the decision can be found here.

 

Background

Effective June 20, 2008, Oxiana acquired all of the outstanding shares of Zinifex. Following the transaction, Oxiana was renamed OZ Minerals Ltd. (“OZ Minerals”) and Zinifex was renamed Oz Minerals Holdings Ltd. (“OZ Holdings”).

 

In February 2014, an OZ Minerals shareholder filed a representative action in the Federal Court of Australia against OZ Minerals alleging that there were misrepresentations in the merger transaction documents. OZ Minerals in turn filed a separate contribution proceeding against OZ Holdings and certain of its former directors and officers.

 

Prior to the merger transaction, OZ Holding (then Zinifex) had a directors and officers liability insurance policy in place with a policy period from March 31, 2008 to March 31, 2009. In connection with the merger transaction, OZ Holding purchased a discovery period endorsement which extended the policy’s expiration date to June 20, 2015. A run-off exclusion was also added to the policy at the same time providing that the insurer was not liable for any claim with respect to a wrongful act committed after June 20, 2008 (the date of the merger transaction).

 

The defendants in the contribution action submitted the claim to the D&O insurer. The D&O insurer denied coverage for the claim in reliance on the policy’s major shareholder exclusion. OZ Holdings commenced an action in the Supreme Court of Victoria (Melbourne) seeking a judicial declaration that the insurer is obliged to indemnify them against liability arising from the contribution claim.

 

The policy’s Major Shareholder and Board Position Exclusion provided that:

 

The Insurer shall not be liable to make any payment under this policy in connection with any Claim brought by any past or present shareholder or stockholder who had or has:

 

  • Direct or indirect ownership of or control over 15% [or] more of the voting shares or rights of the Company or of any Subsidiary, and
  • A representative individual or individuals holding a board position(s) with the company.

 

The parties agreed that neither of the two conditions were met before June 20, 2008.  The parties agreed that the first condition was met at the time the claim was made (since OZ Minerals acquired all of OZ Holdings shares in the merger transaction). The parties disputed whether the second condition was met at the time the claim was made, but the Court concluded that the second condition had been met at the time the claim was made as well.

 

The crux of the parties’ dispute was their disagreement about the point or points in time at which a claimant is to be assessed against the conditions in the exclusion clause. The declaratory judgment action plaintiffs contended that the exclusion was only intended to apply to exclude coverage for claims brought by claimants who satisfied the conditions at the time of the wrongful acts that gave rise to the contribution claim (that is, before June 20, 2008). The insurer argued that the words in the exclusion disclose an intention that it should operate at both the time of the alleged wrongful acts and the time the contribution claims were brought, so that coverage would be precluded for shareholders holding the specified share percentage either at the time of the wrongful act or at the time of the claim.

 

The May 6 Ruling 

In its May 6, 2015 opinion, the Court agreed with the insurer’s interpretation, holding that the exclusion applied if the two conditions were met either at the time of the wrongful acts or at the time the claim was made.   The court said that the insurer’s interpretation was “grammatical” and “accords with the structure of the policy.”

 

An important part of the Court’s analysis was its consideration of the insurer’s rationale for its interpretation of the exclusion (what the Court called the “commercial rationale”). The insurer had argued that it an insurer could reasonably seek to protect itself from a claim that might be the result of collaboration between a claimant major shareholder and the defendant company or that could involve the misuse of confidential company information to the claimant’s advantage. The insurer also contended that an insurer could reasonably seek to preclude coverage for a claim brought by a shareholder who might have been in a position to influence the company’s operations at the time the wrongful acts occurred. The Court said “the suggested commercial rationale is objectively reasonable.”

 

Discussion

There are several kinds of exclusions that can be found in D&O insurance policies precluding coverage for claims brought by certain claimants. For example, a standard D&O policy exclusion precludes coverage for claims brought by one insured against another insured. Some policies (typically those issued to banking institutions) preclude coverage for claims brought by regulators (the so-called regulatory exclusion). The major shareholder exclusion at issue in this case is another type of exclusion precluding coverage for claims asserted by a specified type of claimant.

 

This case illustrates the fundamental problem with the inclusion of a major shareholder exclusion on a D&O insurance policy. It can wind up precluding coverage for the very type of claim for which the insurance policy was designed. OZ Minerals had filed the contribution claim against OZ Holdings and its former directors and officers because OZ Minerals itself had been sued in a shareholder misrepresentation claim. The contribution claim in turn sought to hold the defendants in that action liable for their alleged responsibility for the misrepresentations alleged in the shareholder claim. Those are the very types of claims and allegations for which policyholders purchase D&O insurance, so that they can be protected from those types of claims.

 

The insurer in this case would no doubt justify the exclusion and its preclusive effect by the fact that OZ Holdings is suing its own 100%-owned subsidiary for contribution – a claim, the insurer might argue, that makes sense only as a mission by OZ Minerals to get access to OZ Holdings’ insurance policy. However, the exclusion at issue here precluded coverage not just for the claim against OZ Holdings but also for the claim against the former directors and officers – that’s what I mean  about the exclusion precluding the very type of claim for which these insurance policies are purchased.

 

From the policyholder perspective, the preferred approach is to have the major shareholder exclusion removed. However, while the preferred approach from the policyholder’s perspective is to remove the exclusion, obtaining a policy without a major shareholder exclusion is not always an option. If the exclusion’s removal is not an available option, there are a variety of ways the exclusion’s preclusive effect might be limited. For example, the ownership percentage could be increased to a higher level (although that would not have made a difference here, as OZ Holdings owned 100% of OZ Minerals).

 

In addition, the exclusion’s operation could be made subject to additional conditions, as was the case with the exclusion at issue here. Many major shareholder exclusions are conditioned only on a requirement that the claimant have a specified ownership percentage. Here, the exclusion was also conditioned on the requirement that the major shareholder also have board representation.

 

Another way the impact of the exclusion can be limited is by narrowing the point or points in time when the conditions can be met. The court here determined that the exclusion at issue was meant to address both past and present shareholders, and as the court found the conditions could be satisfied either if the shareholder had the specified ownership percentage at the time of the Wrongful Act or at the time the claim was made. More typically, the major shareholder’s preclusive effect is addressed to ownership only at the time the claim was made.  Typically, a major shareholder exclusion will not (as the exclusion here did) refer to past shareholders — although there are some standard versions of the exclusion out there in the marketplace that preclude coverage for both present and past shareholders owing the requisite percentage. Narrowing the exclusion’s wording so that it applies only to shareholders that have the requisite ownership percentage at the time the claim is made would at least eliminate the preclusion of coverage for claims by shareholders who previously had the requisite percentage of ownership prior to the claim but who did still have that ownership percentage when the claim is made.

 

2015 ACI D&O Conference in New York: On September 17 and 18, 2015, the American Conference Institute will be holding is 19th Forum on D&O Liability in New York. This annual event features an all-star line-up of speakers and will be co-chaired by my friends, Diane Parker of AWAC and Doug Greene of the Lane Powell law firm. Readers of the D&O Diary are entitled to a $100 discount off registration if they mention discount code DOD100. Information about the event including registration instructions can be found here. The event brochure can be found here.

 

ICYMI: Earlier today I published a post discussing a recent Delaware Supreme Court addressing questions surrounding the liabilities of independent directors in the M&A context. Due to user error (meaning, I goofed) no emails went out about this post. In case you missed it, the post can be found here.

del1On May 14, 2015, in a landmark ruling with important implications for the potential liabilities of independent directors of companies involved in M&A transactions, the Delaware Supreme Court held that in order to state a claim for damages against directors of a company that has an exculpatory provision in its corporate charter, a plaintiff must plead non-exculpated claims against the directors, even if the  company is involved in an interested transaction subject to “entire fairness” review. The Court’s opinion highlights the importance of the independent directors’ role and also underscores the importance of exculpatory charter provisions. The Court’s opinion in In re Cornerstone Therapeutics, Inc. can be found here.

 

Background

The Court’s ruling involved two different cases in which plaintiff shareholders had filed damages claims against the boards of companies where a controlling shareholder, that had board representation, was acquiring the remainder of the companies’ shares. In each case, the companies involved had formed a special committee of independent directors to review the transaction and to negotiate with the controlling shareholder. In each case, the companies’ minority shareholders had approved the transaction. Nevertheless, plaintiff shareholders filed lawsuits against the companies’ boards – including as defendants both the interested directors and the independent directors – alleging that the directors had breached their fiduciary duties by approving transactions that were unfair to the minority shareholders.

 

In both cases, the independent directors had moved to dismiss the claims against them. Their dismissal motions relied on the fact that each of the companies had an exculpatory clause in their corporate charters. (As discussed here, Delaware Corporations Code Section 102(b)(7) authorizes shareholders to include a clause in a corporation’s charter eliminating personal liability of a director to shareholders for monetary damages for breach of fiduciary duty, provided that such clause does not eliminate liability (1) for “any breach of the director’s duty of loyalty,” (2) “for acts or omissions not in good faith or which involve intentional misconduct or a knowing violation of law,” and (3) “for any transaction from which the director derived an improper personal benefit.”) The defendants argued that the plaintiffs had failed to plead non-exculpated allegations against them, and therefore that the claims against them should be dismissed.

 

The plaintiffs contended that because the share purchases represented interested transactions, the “entire fairness” standard of review applied. (As discussed here, the entire fairness standard is Delaware’s “most onerous standard,” which applies when the board “labors under actual conflict of interest.” When the standard applies, the defendants must establish that the transaction “was the product of both fair dealing and fair price.” The transaction must be “objectively fair, independent of the board’s beliefs.”) The plaintiffs argued that because interested parties were involved in the transactions, the possibility of conflict of interest justified a pleading-stage inference of disloyalty – not just as to the interested directors, but as to the independent directors as well.

 

In each case, the trial court judges, relying on prior Delaware Supreme Court case authority, agreed with the plaintiffs and denied the motions to dismiss. However, because they were troubled by the result (that is, that the independent directors had to remain as defendants in the case even though the plaintiffs had pled no non-exculpated misconduct against them), the trial court certified interlocutory appeals of the cases to the Delaware Supreme Court. The two cases were consolidated for purposes of the appeal.

 

 The May 14 Decision

In a unanimous opinion written by Chief Justice Leo E. Strine, Jr., the Delaware Supreme Court reversed the lower court rulings and remanded the cases for further proceedings. The Court said that “even if a plaintiff has pled facts that, if true, would require the transaction to be subject to the entire fairness standard of review, and the interested parties to face a claim for breach of their duty of loyalty, the independent directors do not automatically have to remain defendants.” If the independent directors are “protected by an exculpatory charter provision and the plaintiffs are unable to plead a non-exculpated claim against them, those directors are entitled to have the claims against them dismissed.”

 

In reaching its decision, the Court examined the effect of the exculpatory provisions in the respective companies’ corporate charters. The Court said that “when a director is protected by an exculpatory charter provision, a plaintiff can survive a motion to dismiss by that director defendant by pleading facts supporting a rational inference that the director harbored self-interest adverse to the stockholders’ interests, acted to advance the self-interest of an interested party from whom they could not be presumed to act independently or acted in bad faith.” The mere fact that the plaintiff had pled facts sufficient to support the application of the entire fairness standard does not, by itself, relieve the plaintiff of the requirement to plead a non-exculpated claim against each independent director defendant.

 

In support of its decision, the Court noted, among other things, that a contrary ruling would “increase costs for disinterested directors, corporations and stockholders, without providing a corresponding benefit.” A contrary ruling would also “create incentives for independent directors to avoid serving as special committee members or to reject transactions solely because of their role in negotiating on behalf of shareholders.” The “fear” that directors might face personal liability for “potentially value-maximizing business decisions” might be dissuaded from making those kinds of decisions is the reason that Section 102(b)(7) was adopted in the first place.

 

Discussion

The Court’s opinion underscores the importance of exculpatory charter provisions. The provisions not only provide substantial liability protection for corporate directors but they provide a form of protection may be invoked at the initial pleading stage. It provides a way for directors who qualify for the provision’s protection to extricate themselves from liability lawsuits at the outset.

 

The Court’s opinion also highlights the importance of the independent directors’ role. The Court emphasized the ways in which disinterested directors can protect the interests of the corporation and of minority shareholders, even when the corporation is involved in a transaction with an interested party.

 

It is important to note that the protective effect of the Court’s ruling extends only to the independent directors. The defendants who were the interested parties to the transaction will remain in the case. If it is later established that the interested parties violated their fiduciary duties, they will held liable to the minority shareholders. But where the plaintiffs have alleged no facts to suggest that independent directors had engaged in non-exculpated misconduct, the independent directors are entitled to have the claims against them dismissed – even where the plaintiffs have pled sufficient facts to require the application of the entire fairness standard.

 

The fact that the independent directors can be dismissed even when the entire fairness standard applies is significant. The entire fairness standard is, as the Court itself has said, “onerous.” The requirements to meet the standard are high. But even where the high standard applies, plaintiffs must still present allegations that each director defendant individually engaged in non-exculpated misconduct in order for the claims against that defendant to survive a motion to dismiss.

 

Francis Pileggi’s May 16, 2015 post on his Delaware Corporate & Commercial Litigation Blog about the Supreme Court’s ruling can be found here. Frank Reynolds’ May 15, 2015 Thomson Reuters article about the ruling can be found here.

 

Special thanks to a loyal reader for sending me a copy of the Delaware Supreme Court opinion.

 

ICYMI: Delaware Senate Passes Bill Barring Fee-Shifting Bylaws: On May 12, 2015, the Delaware Senate passed Senate Bill (S.B.) 75 (here) that would amend Delaware law to prohibit Delaware stock-based companies from adopting fee-shifting bylaws. The bill also expressly allows companies to adopt forum-selection clauses that establish Delaware as the exclusive venue for any shareholder litigation.

 

As readers will recall, as discussed here, in May 2014, the Delaware Supreme Court in the ATP Tour, Inc. v. Deutscher Tennis Bund case had upheld the validity of a corporate bylaw provision shifting fees to an unsuccessful litigant in shareholder litigation. The ruling proved to be highly controversial (as discussed, for example, here). Early efforts last year to address the ruling in the legislature ultimately were tabled and in the interim the debate about fee-shifting by laws has continued to rage. Now that the Senate has voted to approve the legislation banning fee-shifting bylaws for Delaware stock corporations, the legislation will now move to the Delaware House for its consideration.

 

A May 13, 2015 memo from the Ballard, Spahr law firm discussion the Delaware Senate’s action on the bill can be found here.

 

D&O Liabilities in China: The potential liabilities of corporate directors and officers are of course dependent on the requirements of applicable law. That means that corporate officials’ liability exposures can vary from state to state. There are even greater variations from country to country. In a global economy, questions about the potential liability of directors and officers in non-U.S. countries arise with increasing frequency. Given China’s huge and growing role in the global economy, questions about the potential liability of directors and officers under Chinese law are increasingly frequent.

 

For that reason, readers may be interested in reviewing this May 8, 2015 article entitled “D&O Liability Insurance: Legal Issues under PRC Law” (here) by Jia Hui of the DeHeng Law Offices. The article provides a good overview of the basic legal duties and liability exposures of directors and officers under Chinese law. As the article points out, in light of the various accounting scandals involving Chinese companies that have arisen, these considerations are increasingly important.

weilAmong the many concerns arising in the current cybersecurity environment is the question of the security of data housed in “the Cloud.” In the following guest post Paul Ferrillo and Jeffrey Osterman of the Weil, Gotshal & Manges law firm and Grady Summers , SVP, Cloud Analytics at Mandiant/FireEye, take a look at the questions businesses and their boards of directors should be asking before adopting a cloud-based strategy. The post also includes a cloud security checklist. A version of this article previously was published as a Weil client alert.

 

I would like to thank Paul, Jeffrey and Grady for their willingness to publish their article on my site. I welcome guest post submissions from responsible authors on topics of interest to readers of this blog. Please contact me directly if you would like to submit a guest post. Here is Paul, Jeffrey and Grady’s guest post.

 

***************************************

 

It is fitting that just over 40 years after Neil Armstrong walked on the moon and uttered some of the most famous words ever spoken, “one small step for [a] man, one giant leap for mankind,” NASA, along with cloud service provider Rackspace, jointly launched an open-source cloud-software initiative known as OpenStack. The OpenStack project is intended to help organizations manage cloud-computing resources running on standard hardware. The early code came from NASA’s Nebula platform as well as from Rackspace’s Cloud Files platform. Launched with the intent to provide consumers with a high tech, yet low-cost method to store vast amounts of data off premises in a safe and efficient manner, the cloud has transformed the way global enterprises do business.[i] Yet, despite the cloud’s increasing popularity, hardly a day goes by when industry professionals do not question the security of data kept in the cloud. According to Gilad Parann-Nissany, CEO and co-founder of cloud encryption company Porticor (recently acquired by Intuit):

In the cloud, data security poses new risks and challenges. We are no longer concerned just with burglars breaking into our offices to steal computers, but rather with the data belonging to complete systems deployed to the cloud…Instead, security in the cloud becomes not about protecting our hardware, but rather protecting the sensitive information regardless of its physical location. For this, burglar alarms are irrelevant and firewalls are only one part of the approach for security in the cloud.

A way to visualize the unique challenges of data security in the cloud is that where before we had brick walls and steel locks to keep us safe; we now must construct mathematical walls as barriers to our data.[ii]

As more and more businesses are considering moving some or all of their data storage needs to the cloud, here are three “50,000 foot” questions American businesses and boards of directors are asking themselves (or should be asking their IT security professionals) before adopting a cloud-based strategy:

  1. How can the board assure itself from a governance perspective that the cloud-based environment that it is being asked to approve is acceptably secure, as compared with the company’s previous on-site computer environment, and meets the security, privacy, and regulatory needs of my company?[iii]
  2. What visibility and ability does the company have if there is a cloud-based breach and its information is subject to exfiltration? Does the company have the ability to conduct incident response and remediation or is it totally at the mercy of the cloud service provider (CSP)?[iv]
  3. What is the “best” way to assure that the company’s cloud-based data is as secure as possible given what it knows about the CSP that it has chosen?

90% of All Organizations Have Security Concerns about the Cloud

A recent study noted that “an overwhelming majority of 90% of organizations are very or moderately concerned about public cloud security. Today security is the single biggest factor holding back faster adoption of cloud computing.”[v] The Cloud Security report notes that the top concerns are:

  1. General security concerns over the storage of data in the cloud;
  2. Data loss and leakage risks;
  3. Loss of control over security procedures applied day to day over the company’s data; and
  4. Lack of visibility to assure regulatory compliance.[vi]

How would these concerns potentially materialize? Our experience tells us that, to the extent attackers are targeting data in cloud-hosted environments, they’re doing it in distinctly old-fashioned ways. That is, despite concerns about the cloud being inherently insecure, attackers are using the same methods to compromise cloud resources as they have used for many years for on-site computer systems: the theft of employee credentials generally started via spear phishing attacks. Thus, we recommend that organizations approach cloud security like they would any other environment: by understanding their data and the threats against it, and ensuring that the environment is instrumented to prevent, detect, and respond to attacks. This can be hard, though, when IT security teams lack the necessary visibility to do their jobs.

This lack of visibility was illustrated in a recent Ponemon study entitled “The Cloud Multiplier Effect.” The study, based on a survey of 613 IT and security professionals, found that increasing use of cloud services can increase the probability of a $20 million data breach by as much as 3 times. It also revealed other key findings, including:

  • 36 percent of business-critical applications are housed in the cloud, yet IT isn’t aware of nearly half of them;
  • 66 percent of respondents believe that their organizations’ use of the cloud diminishes their ability to protect sensitive or confidential information; and
  • 72 percent of respondents don’t believe that their cloud service provider would notify them immediately if they had a data breach involving the loss or theft of their intellectual property or business confidential information.[vii]

Cloud-related breaches in 2014 included Dropbox, Google Drive, and the alleged Apple iCloud breach. More recently, SendGrid, the cloud email service, reported it had been hacked through a phishing scheme that compromised an employee’s account.[viii] Certainly these high-profile breaches, such as Dropbox (from which 7 million passwords were reportedly stolen) have left many questioning whether the cloud can be safely used to store sensitive data.

Types of Cloud Computing

We refer generally to “cloud computing,” but this can refer to anything from a hosted application to rented servers in a shared facility. It is helpful to recognize the three major categories of cloud computing:

  1. Infrastructure as a Service (IaaS): In this model, the CSP is responsible for basic IT resources (servers) and the networks on which they run. The customer is generally responsible for maintaining the operating systems and software necessary to run the applications, plus the data placed in the cloud environment. Thus, while the CSP is responsible for protecting the infrastructure itself, data security in an IaaS environment is generally the responsibility of the customer.
  2. Platform as a Service (PaaS): Here the CSP provides the infrastructure, the operating system, and a set of services that organizations use to build applications. These building blocks are invoked through Application Programming Interfaces (APIs) and might include services for storage, databases, data processing, machine learning, etc. The customer is responsible for application deployment, and responsibility for security is generally shared between the customer and the CSP.
  3. Software as a Service (SaaS): Here the CSP provides for nearly everything, including the infrastructure and software provided to the customer. Thus, security in an SaaS environment generally is the responsibility of the provider, and it is the consumer’s role to ensure the CSP’s security processes meet the security and compliance requirements of the customer’s business.

Cloud Compliance, Security, and Visibility

As CSPs move “up the stack” to offer robust PaaS and SaaS services, they begin to shoulder more of the burden for securing their customers’ data. However, it will always be the responsibility of the customer to ensure that its constituents’ data is secure. Since a customer can’t always directly participate in securing this data, it must ensure that the service contract, together with any associated statement of work and/or service level agreement (SLA) provided by the CSP meets its needs. The parameters of these contractual arrangements will usually include information about service availability, incident response definitions and services, breach response notifications and timing, technical compliance and vulnerability management, and log management and forensic capabilities, together with an allocation of liability if these standards are not achieved.

While we have found that most large CSPs do an outstanding job of securing their environments – and dedicate tremendous resources to this task – all of the above categories of services must be described in generalities, meaning “here’s how they generally work.” The proof is really in the terms and conditions of the contractual commitments that the CSP agrees to make, and the sad fact is that many cloud service customers do not understand the value of substantive contracts with detailed terms relating to security.

Here are the most important issues to consider when contemplating a migration of important data to the cloud under an SLA:

  1. Breach and incident response – Cloud customers must understand how the CSP defines events of interest vs. security incident, what events/incidents the CSP reports to the cloud customer, and in which way. Customers should understand when and how quickly they will be notified if the CSP: suffers a breach, what information will they will be given by the CSP to help analyze the incident, will they have the opportunity (given the potential SLA in place) to participate in the incident response process, and will they be given the opportunity to contact and interact with the CSP’s own incident response team?
  2. Where is the customer’s data going to be “stored”? This is probably one of the most important questions for a customer, both from a legal perspective (meaning under what circumstances can data be subpoenaed or accessed through a court request or judicial process) and a privacy perspective (meaning how must data, such as personally identifiably information, be stored and protected).
  3. Does the CSP itself adhere to any standardized security practice or protocol, like the NIST cybersecurity framework, or ISO 27001? Does the CSP have FedRamp certification or a certification from the Security Trust and Assurance Registry certification program?
  4. Does the customer have the ability to audit or independently assess the security provided by its CSP to make sure the provider is compliant with various legal, industry, customer and regulatory requirements it may be subject to?
  5. What is the CSP’s patch management process in case software or application vulnerability is discovered, which could then impact the security of the data stored?
  6. What sort of back up procedures does the CSP have in place if the customer’s data is lost, stolen or deleted?

Thinking About Making a Move to the Cloud? Cloud Security Checklist

There is no perfect checklist of how, when, and where to move data to a cloud-based environment. Some factors, such as cost, may make the decision easy, while on the other hand, the perceived lack of control over your data security or your compliance risks may make the decision harder. At the end of the day, it is your business judgement what sort of data you are comfortable moving to the cloud (you might be comfortable moving human resources, payroll, or other specific applications[ix]), and what sort of data you are not comfortable moving to the cloud (you might draw the line at PII or financial records and information). A separate book alone could be written on this sort of balancing act.

From a data security perspective, though, there are certain security measures that should be investigated by potential cloud customers before they make the decision to move their data to a cloud-based environment. This area is highly technical (and thus security professionals and cyber-governance and cybersecurity lawyers should also be consulted before making this decision), but we try below to boil down these measures into objectives for directors and officers to consider when asked to finally approve a move to the cloud:

  1. How is security built into the cloud architecture and applications and data that are going to be moved to the cloud-based environment? Is there a constant lifecycle of updates and vulnerability reviews given that the computing ecosystem is never static?
  2. What data am I putting in the cloud? Is it general company HR data, customer PII, financial records, or something else less sensitive?
  3. Will the data stored in the cloud be encrypted while at rest or only when it is in motion to and from the cloud? What sort of encryption is available at my CSP?
  4. How is suspicious activity monitored on the cloud? By the CSP only, or will the customer have visibility into security monitoring? Will cloud security be continuously monitored by the CSP?
  5. What degree of visibility does the CSP make available to the customer (audit logs and metadata recording administrative changes, account usage, system logs, etc.), and can this data be flexibly consumed into your own internal security monitoring systems?
  6. What sorts of intrusion detection systems are in place to detect threats to the cloud-based environment, such as malware threats, or suspicious network traffic?

So You Are Moving to the Cloud – Governance Issues Ultimately Rule the Day

This article is not meant to dissuade a company from considering using the cloud to increase efficiency in its businesses. On the contrary, our goal is to allow readers to engage in more informed discussions that will ultimately lead to a greater degree of comfort with both the decision to move to the cloud and the risk management tools, procedures, and contractual protections surrounding that move.

The cloud undoubtedly provides businesses with unique opportunities to manage their data in not only a cost efficient manner, but also potentially in a manner which is just as safe and secure as on-site storage systems. The cloud is not, however, a binary solution to data management challenges. And time is slim to consider all the options. Whatever the path you choose, you should consider how things may look at the end of the day if your company is breached, and some constituency (i.e., a regulator, state AG, or investor) looks back to potentially criticize your decision to move to the cloud. Have your checklists answered, discuss the answers to your checklists with your IT staff and outside experts, and document your decisions that balance the business and efficiency needs of the company with the level of security and service being offered by your cloud service provider.

[i] See “The next generation of cloud computing,” available at http://www.pwc.com/en_US/us/increasing-it-effectiveness/assets/next-generation-cloud-computing.pdf (noting “Cloud computing is the fastest-growing trend in enterprise technology today – and for the foreseeable future. Forrester Research predicts the global cloud computing market will mushroom from $40.7 billion this year to $241 billion by 2020.”).

[ii] See “Cloud Computing Issues and Challenges,” available at http://www.porticor.com/2014/11/cloud-computing-security-issues-and-challenges/.

[iii] “Compliance (64%) was seen as the biggest cloud security challenge,” according to one recent report issued by CipherCloud. See “Compliance remains the key cloud security challenge, according to the CipherCloud report,” available at http://www.cloudcomputing-news.net/news/2015/mar/26/compliance-remains-key-cloud-security-challenge-according-ciphercloud-report/.

[iv] See “Majority of firms say they aren’t confident in responding to cloud-based data threats,” available at http://www.cloudcomputing-news.net/news/2015/apr/08/majority-firms-say-they-arent-confident-responding-cloud-based-data-threats/ (noting that 60% of the global respondents in a recent survey were not confident they had the ability to proactively respond to cloud-based data threats).

[v] See “Cloud Security Spotlight Report,” available at http://www.infosecbuddy.com/wp-content/uploads/2015/03/Cloud-Security-Spotlight-Report-2015.pdf (hereinafter, the Cloud Security Report).

[vi] Id.

[vii] See “The Cloud Multiplier Effect on Data Breaches,” available at https://blog.cloudsecurityalliance.org/2014/06/04/the-cloud-multiplier-effect-on-data-breaches/.

[viii] See “SendGrid admits hack, says all customers must reset their passwords,” available at http://venturebeat.com/2015/04/28/sendgrid-admits-hack-says-all-customers-must-reset-their-passwords/.

[ix] See “Navigating security in the cloud,” available at http://www.pwc.com/en_US/us/it-risk-security/assets/pwc-navigating-security-in-cloud.pdf.