ERISA plan fiduciaries have a continuing duty to monitor selected plan investments and to remove imprudent investment selections, according to the U.S. Supreme Court’s unanimous May 18, 2015 opinion in Tibble v. Edison International. Although the Court affirmed the fiduciary duty to monitor, it otherwise left the development of the duty’s contours to be delineated in the lower courts in future cases and rulings. A copy of the Supreme Court’s May 18 opinion can be found here.

 

The Supreme Court’s ruling in this important case has a number of implications. Among other things, it may mean an increase in claims alleging that fiduciaries imprudently retained investment selections. The ruling may also make it more difficult for defendants to have claims against them dismissed on statute of limitations grounds.

 

Background

In 2007, certain beneficiaries of Edison’s 401(k) savings plan filed an action under ERISA against plan fiduciaries, alleging that the fiduciaries violated their fiduciary duties with respect to three mutual fund options added to the plan in 1999 and three others added in 2002. The claimants argued that the fiduciaries had acted imprudently by selecting the six retail-class mutual funds when lower cost institutional-class mutual funds were available.

 

The defendants argued that the claims regarding the 1999 selections were untimely because they had been raised more than six years after “the date of the last action which constitutes a part of the breach or omission.” The district court agreed with the defendants and dismissed the claims regarding the 1999 selections because they were included in the plan more than six years before the complaint was filed and because circumstances had not changed enough to put the defendants under an obligation to conduct a review of the mutual funds. The Ninth Circuit agreed that the claimants had not established a change in circumstances that might trigger an obligation to conduct a full due-diligence review of the 1999 funds within the six-year statute of limitations period. The U.S. Supreme Court agreed to review the Ninth Circuit’s ruling.

 

The May 18 Decision

On May 18, 2015, in an opinion written by Justice Stephen Breyer for a unanimous court, the U.S. Supreme Court vacated the Ninth Circuit’s opinion and remanded the case to the Ninth Circuit for further proceedings. The Supreme Court said the Ninth Circuit had erred by failing to recognize that under the law of trusts, fiduciaries have a “continuing duty to monitor trust investments and to remove imprudent ones.”  Further, the Court held that this duty “exists separate and apart from the trustee’s duty to exercise prudence in selecting investments.” The trustee must “systematically consider all the investments of the trust at regular intervals to ensure that they are appropriate.”

 

 

The Court went on to say that a plaintiff may allege that a fiduciary breached the duty of prudence “by failing to monitor investments and to remove imprudent ones.” As long as the alleged breach of continuing duty occurred within six years of suit, the claim is timely.

 

 

The Court did not determine whether or not the plaintiffs had sufficiently alleged a breach of the duty to monitor during the six-year limitations period to satisfy the requirements of the statute of limitations. Rather, the Court remanded the case to the Ninth Circuit to determine whether the circumstances alleged required a review of the allegedly improper investments, and if so what kind of review was required.

 

Discussion

It seems probable that the Court’s decision in Tibble v. Edison International will encourage more claims alleging that fiduciaries improperly failed to monitor plan investments. As the Skadden law firm said of the Court’s ruling in its memo about the decision (here), “we fully anticipate an increase in claims alleging fiduciaries imprudently retained investment options, particularly where the original decision to offer the challenged investments under the plan was made more than six years before the filing of the suit.”

 

In any event, and at a minimum, the Court’s ruling will make it considerably harder for plan fiduciaries to establish a statute of limitations defense in breach of fiduciary duty claims based on imprudent investment options.

 

While there will likely be future claims based on these theories, there will also have to be a great deal of additional lower court case law development to fill in many of the issues the Supreme Court declined to address, including: what circumstances are sufficient to require plan fiduciaries to conduct a thorough due diligence review of a plan investment? How frequently must a plan fiduciary review plan investments in the absence of special circumstances requiring a more detailed due diligence review? The lower courts will also have to decide what factors are sufficient to suggest that it would be imprudent not to remove an offered investment from the plan. It can be anticipated that future lower court decisions will provide further definition to plan fiduciaries’ continuing duty to monitor.

 

Even though the Court’s decision leaves a great deal to future case law development, there nonetheless are a number of important takeaways now for plan fiduciaries.

 

Among other things, it will be important for plan fiduciaries to consider establishing internal guidelines to document that they are regularly reviewing plan investment options and evaluating the continuing prudence of offered plan investment options.  In that regard, it is important to note that the Court’s opinion stressed that trustees of investment trusts must “systematically consider all the investments of the trust at regular intervals.”  The reviews then must be regular and systematic.

 

The Court’s comments also suggest that there is no one-size-fits-all type of review; rather, the review must be “reasonable and appropriate to the particular investments, courses of action, and strategies involved.”

 

Finally, when it comes to an underperforming investment option, the Court said that the fiduciary duties include the duty to remove imprudent investments. In other words, the systematic and regular review of plan investment options should include the removal of investments that have proven to be imprudent.

On October 17, 2013, when Northern District of Illinois Judge Ronald Guzman entered a $2.46 billion judgment for the plaintiffs in the long-running Household International securities class action lawsuit, it was, according to statements at the time, the largest judgment ever in a securities fraud trial. However, on May 21, 2015, the Seventh Circuit reversed the verdict on loss causation grounds and remanded the case to the district court for further trial proceedings. Because the appellate court ruling reversed the verdict solely with respect to liability issues, the further trial proceedings will in effect determine whether or not the damages verdict totaling $2.46 billion will be reinstated. A copy of the Seventh Circuit’s May 21 opinion can be found here.

 

Background

As detailed here, the plaintiffs first filed their lawsuit back in 2002 on behalf of all persons who acquired Household International securities between October 23, 1997 and October 11, 2002. The plaintiffs contended that during the class period, the defendants concealed that Household “was engaged in a massive predatory lending scheme.”

 

According to the complaint, Household “engaged in widespread abuse of its customers through a variety of illegal sales practices and improper lending techniques.” Household also reported “false statistics” that were intended to “give the appearance that the credit quality of Household’s borrowers was more favorable than it actually was.” The plaintiffs allege that the “defendants’ scheme” allowed them “to artificially inflate the Company’s financial and operational results.”

 

In the third quarter of 2002, the company took a $600 million charge and restated its financial statements for the preceding eight years, and in October 2002, the company announced that it had entered into a $484 regulatory settlement regarding its lending practices. On November 14, 2002, the company announced that it was to be acquired by HSBC Holdings.

 

The defendants in the lawsuit included Household International and its mortgage finance subsidiary, Household Financial Corporation, and Household’s former CEO and CFO, as well as certain other former officers and directors. The company’s offering underwriters were also initially named as defendants, but they were later dismissed from the case. The plaintiffs also reached a prior settlement with the company’s former auditor, Arthur Andersen.

 

As detailed here, trial in the case commenced on March 30, 2009. Judge Guzman bifurcated the case into two parts, with a damages phase to follow the initial liability phase.

 

As detailed here, on May 7, 2009, the jury returned a mixed verdict in which the jury found for the plaintiff on a number of – but not all – counts. The jurors were asked to make specific findings with respect to 40 allegedly false and misleading statements. The jury found in favor of the defendants with respect to 23 of the statements. However, the jury found in favor of the plaintiffs with respect to 17 of the statements.

 

The ultimate October 2013 judgment order, arriving as it did some four and a half years after the verdict, followed several post-trial defense motions to invalidate the verdict as well as defense objections to thousands of class members’ claims. The Court also considered and ruled on issues concerning the reliance of absent class members on defendants’ statements.

 

The judgment was entered against Household International; its former Chairman and CEO William Aldinger; its former CFO and COO David Schoenholz; and its former Vice-Chair of Consumer Lending Gary Gilmer. The company, Aldinger and Schoenholz were held jointly and severally liable for the judgment and Gilmer was liable for 10% of the judgment.

 

The defendants appealed the verdict to the Seventh Circuit. The defendants primarily challenged the judgment on loss causation grounds. They also argued that the trial judge had improperly instructed the jury on the basis on which the jury was to determine whether or not a defendant had “made” the misleading statement at issue. Finally, the defendants argued that rulings the trial court made during the damages phase improperly prevented them from challenging individual plaintiffs’ reliance on the misleading statements.

 

The May 21 Opinion

In a May 21, 2015 opinion written by Judge Diane Sykes for a unanimous three judge panel, the Seventh Circuit reversed the trial court judgment with respect to the liability phase and remanded the case to the trial court for further proceedings.

 

In reversing the trial court judgment on the issue of loss causation, the appellate court reviewed at length the relevant law on the issue of loss causation and the evidence that the plaintiffs presented at trial on the loss causation issue. In support of their loss causation case, the plaintiffs had presented the expert testimony of Daniel Fischel, formerly Dean at University of Chicago law school and now a professor at Northwestern Law School (about whom the Seventh Circuit noted in a footnote that “apparently he’s the expert for this kind of financial analysis”).

 

Fischel presented two economic models at trial, the “specific disclosure” model (designed to separate effects on a company’s share price due to misrepresentations from movements in the company’s share price caused by other market factors) and the “leakage” model, which assumes that the truth may “leak” into the marketplace as a result of more gradual exposure of the fraud. The jurors were given tables reflecting the stock price-related inflationary impact from the misleading statements under each of the two models. The jury selected the leakage model and used the table to calculate the class period impact of the statements the jury had concluded were misleading.

 

On appeal, the defendants challenged the leakage model of loss causation, arguing that it improperly and illogically showed that the stock was inflated on the first day of the class period without showing how the stock was inflated in the first place. The appellate court rejected this argument, holding that it was sufficient for plaintiffs to prove that the defendants’ false statements caused the stock price to remain higher than it would have been if the statements had been truthful.

 

The defendants argued further, however, that the leakage model on which the jury had relied did not account for firm-specific non-fraud factors that may have affected the company’s share price. The appellate court noted that in fact the plaintiffs’ expert had not ignored non-fraud factors; he said only that he had looked for company specific non-fraud factors during the relevant period and did not find any significant trend of positive or negative information apart from the fraud-related disclosure. The defendants argued that this was not enough and that under Dura, the plaintiffs needed to eliminate any firm-specific non-fraud factors that might have contributed to the stock’s decline.

 

The appellate court concluded that the plaintiffs’ expert’s trial testimony did not adequately account for the possibility that firm-specific nonfraud related information may have affected the decline in Household’s share price during the relevant period. The record, the appellate court said, reflects only the expert’s general statement that any such information was insignificant, which, the court said, is not enough. On remand, if the plaintiffs’ expert testifies that there were no nonfraud impacts on the share price, the burden shifts to the defendants to identify some “significant, firm-specific, nonfraud related information that could have affected the stock price.” If they cannot, the case goes to the jury. If they can, the burden shifts back to the plaintiffs to account for the information or to provide a loss-causation model that does not suffer the same problem.

 

The appellate court also found that the trial court had erroneously instructed the jury on what it means to “make” a false statement under the Supreme Court’s holding in the Janus Capital Group case (about which refer here). The trial court had instructed the jury that the plaintiffs must prove that the defendants “made, approved or furnished information” in a false statement of fact. The defendants argued that the “approved or furnished information” language misstated the law and in effect held the defendants liable for statements they did not “make.”

 

The appellate court agreed, ruling that the instruction “directly contradicts Janus.” However, the court held that the error caused no prejudice to Household International, as it “made” all of the statements at issue. The court did hold otherwise as to certain of the statements of the three individual defendants, and held that the three individuals were entitled to a new trial on the question whether they had “made” the misleading statements, followed by a reallocation of liability among the three defendants. The court emphasized “for clarity’s sake” that on remand the defendants may not relitigate whether any of the 17 statements were false or material, and that the jury’s secondary liability findings also remain undisturbed.

 

Finally, the defendants argued that various rulings the trial court had made during the damages phase had deprived them of an opportunity to rebut the presumption of reliance as to individual members in the plaintiff class.

 

After a lengthy review of the procedures used in the damages phase, the court rejected the defendants’ argument, adding that because the proceedings below were “neatly divided into two phases,” there’s “no need to redo anything in Phase II,” even though the case was being remanded for a new trial. The appellate court said, “assuming the plaintiffs have adequately proven loss causation, the district court may rely on the results from Phase II.”

 

Discussion

This case has already been pending for 13 years, and it now has even further to go. As reported in the media, HSBC (as successor in interest to Household Financial) did indeed succeed in having the trial verdict set aside and securing a new trial, and in that respect there is no doubt that the Seventh Circuit’s ruling represents a significant victory for the defendants.

 

However, even though the largest securities trial verdict ever has now been set aside, it could be argued that the appellate outcome is neither as entirely good for the defendants nor as entirely bad for the plaintiffs as that might sound. The re-trial on remand will be a far different affair than the first trial, as the plaintiffs will not be required to re-establish many of the key factual determinations. Although the question of whether the individual defendants “made” various of the misleading statements will have to be litigated on remand, that will likely result at most in a reallocation of liability amongst the three of them, because the re-trial on that issue will relate for each of them only as to some but not all of the misleading statements.

 

The critical battle on remand will be the loss causation issue; the battle will be whether or not there were significant, company-specific nonfraud factors that affected the company’s share price during the relevant period. At issue in the case is whether or not the results of the first trial’s damages phase (that is, the $2.46 billion judgment) will be reinstated.

 

Either way, this long-running case still has further to go. It is a well-known fact that very few securities class action lawsuits ever go to trial. This case may underscore many of the reasons why. Given the stakes and number of complicated legal issues involved, the cases can be interminable and exhausting for both sides.

 

I will say that for anyone interested in plumbing the depths of the loss causation issue in securities litigation, the Seventh Circuit’s opinion makes for interesting reading. The issue is itself complicated, and the complication is exacerbated by the fact that securities cases so rarely go to trial.

 

An Observation about the Plaintiffs’ Expert Witness: I wonder if I am the only one that sees some irony in the involvement of Daniel Fischel as the expert witness for the plaintiffs in this case. The irony comes from the fact that the lead plaintiffs’ counsel and trial counsel in the case was the Robbins, Geller, Rudman & Dowd law firm, which is of course the successor law firm to the predecessor plaintiffs’ securities class action firm in which Bill Lerach was the lead named partner. (The Lerach law firm in turn was a split off from the former Milberg, Weiss, Bershad, Hynes and Lerach law firm).

 

As detailed in Patrick Dillon and Carl Cannon’s excellent 2010 book, Circle of Greed (about which refer here), Lerach had waged a vendetta against Fischel that in the end went seriously awry. In a class-action case in 1988 involving Nucorp Energy, Lerach for the first time faced Fischel and quickly developed a keen dislike of him, saying to a colleague that “someday I’m going to wipe that grin right off” Fischel’s face (although he used a more colorful term to refer to Fischel).

 

When he crossed paths with Fischel in another case two years later, when Fischel introduced himself, Lerach said, “I know who you are. And I will destroy you.” In the Lincoln Savings and Loan case in 1990 Lerach sued Fischel’s consulting firm, Lexecon, as part of the class action. At a Christmas party while the case was pending, Lerach said that he wanted to bury Fischel “under the courthouse steps.”

 

Lerach’s feud with Fischel ultimately led to a defamation suit by Fischel and Lexecon that resulted in a landmark Supreme Court decision about multi-district litigation (Lexecon Inc. v. Milberg Weiss Bershad Hynes & Lerach, 523 U.S. 26 (1998)) and a $50 million settlement. Lerach himself wound up pleading guilty in 2007 to obstruction of justice and was sentenced to two years imprisonment. In 2009 he was disbarred from practicing law in California.

 

So perhaps you can see why I think it is interesting that Daniel Fischel was testifying for the plaintiffs in this case, given that the plaintiff class was represented by the successor firm to the old Milberg Weiss law firm.

 

Despite Blockbuster Plea Deal, Big Banks’ Foreign Exchange Conspiracy Woes Continue: It was big news last week when the U.S. and U.K. authorities announced that five banks (J.P. Morgan, UBS, Barclays, Citigroup and Royal Bank of Scotland) had agreed to fines and penalties totaling over $5.4 billion and to plead guilty (at the parent company level) to criminal charges. While this announcement was big news, last week’s deal is far from the end of the foreign exchange-related woes for the global banks involved in the foreign exchange conspiracy investigation.

 

For starters, regulators from other countries are continuing their investigations of the banks’ foreign exchange operations. And U.S. regulators continue to investigate individuals involved in the foreign exchange price-fixing conspiracy.

 

In addition, all of the banks continue to face private civil litigation. As the Moneybeat blog noted in a May 20, 2015 post (here), the information that the U.S. regulators disclosed as part of their announcement of the recent $5.6 billion deal is a veritable treasure trove for the claimants in the civil litigation. As the blog post notes, the internal documents and emails disclosed in connection with the plea deal show not only that the companies’ internal controls had serious weaknesses, but also that front line management were involved in many of the efforts to fix prices and suppress competition in the foreign exchange market.

 

As noted in a prior blog post, a consolidated foreign exchange price fixing class action is pending in the Southern District of New York. As noted here, on January 28, 2015, Southern District of New York Judge Laura Schofield denied the defendants’ motion to dismiss in the consolidated lawsuit. Several of the defendant banks, all too aware that the antitrust lawsuit is going to go forward, and even more aware that the recent disclosures in connection with the recent plea deal will likely make matters even worse, recently reached agreements to settle the pending case against them.

 

Specifically, on May 20, 2015, the plaintiffs’ lawyers announced that they had reached a $394 million deal with Citigroup to settle the private civil action that had been filed accusing the bank of conspiring to fix foreign exchange rates.  On May 21, 2015, Bank of New York Mellon announced that it had reached a $180 million deal to settle its slice of the foreign exchange antitrust class action lawsuit.  These settlements follow earlier settlements that had been reached with J.P. Morgan, Bank of America and UBS and bring the total settlement reached in the case to over $800 million.

 

However, while there has been a raft of jumbo settlements in the case, the settlements so far involve just five of the 12 banks that are named as defendants in the case. Last week’s developments have not improved the settlement environment in the case for the remaining defendants. The lead plaintiffs’ counsel in the case has already announced that they intend to amend their complaint in the civil action to incorporate the additional information disclosed in connection with the plea deal.

 

As if that were not enough, on Thursday, May 21, 2015, a plaintiff filed a new lawsuit in the Northern District of California alleging that J.P. Morgan, Bank of America and other large banks have continued to rig the foreign exchange markets. The complaint (here) alleges that the foreign exchange price fixing conspiracy at the heart of the government’s criminal action continues to this day. The newly filed complaint alleges violations of the Sherman Antitrust Act, the California Cartwright Act, and the California Unfair Competition Law.

 

In other words, despite the massive plea agreement announced last week, the foreign exchange rate-fixing conspiracy woes for the big banks are far from over. And of course, the regulators’ continuing investigations into other market manipulative activities (Libor, etc.) continue as well.

Among the many concerns that arise whenever unauthorized appropriation or use of consumer data occurs is the possible violation of the consumers’ privacy that the access may represent. In numerous cases, aggrieved parties have tried to assert claims for these alleged privacy violations, but by and large these attempts have not been successful. However, as Northwestern Law School Professor David A. Dana (pictured) discusses in the following guest post, there has been a series of recent decisions in California that may prove very valuable for future claimants seeking to assert privacy claims for unauthorized disclosure or use. A version of this article previously was published in the May 2015 issue of Internet Law and Business (here).

 

I would like to thank Professor Dana for his willingness to publish his article on this site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is Professor Dana’s guest post.

 

*******************************************************

 

A burgeoning area of litigation involves claims that Internet and digital companies like Google, Facebook, and Twitter have insufficiently protected or actively appropriated users’ personal information. Because of the enormous numbers of users and hence enormous number of potential plaintiffs in such cases, which invariably are framed as putative class actions, potential liability for defendants is enormous. However, the district courts have repeatedly dismissed such suits for lack of Article III standing and/or for failure to state a claim. This Article addresses a recent quartet of decisions that may reflect a precedential gold mine for plaintiffs bringing claims for unconsented-to disclosure or use of their personal information. Two of these decisions come from the Ninth Circuit: In re Facebook Litig., _ Fed. App’x _, No. 12-151619, May 8, 2014 (“Facebook”), which is an unpublished memorandum opinion, and Astiana v. Hain Celestial (“Astiana”), No. 12-17596, April 10, 2015, which is an opinion designated for publication. Two of the decisions come from the Northern District of California: Opperman v. Path, Inc., Case 13-cv-00453-JST, March 23, 2015 (“Opperman”), and Svenson v. Google, Inc., Case No. 13-cv-04080-BLF, April 1, 2015 (“Svenson”).

 

Taken together, these decisions suggest that claims alleging certain California statutory and common law violations involving use or disclosure of the personal information of customers by technology companies can survive a motion to dismiss even with very general, even arguably vague, allegations. Specifically, claims under California’s Unfair Competition Law (“UCL”) and Consumer Legal Remedies Act (“CLRA”) and claims for common law breach of contract and fraud and perhaps unjust enrichment now appear to be able to survive a motion to dismiss even when (1) there are no allegations of individual plaintiff reliance on alleged misrepresentations; (2) there are no particularized factual allegations backing up general allegations that the services or products received by plaintiffs were worth less than they would have been worth had promised protections for personal information been afforded; and/or (3) there are no particularized factual allegations backing up general allegations that plaintiffs lost economic opportunities because they could not sell their personal information for as much or at all once that information was disclosed or shared with others by the technology company whose product or service was purchased. One of these cases, Opperman, also establishes that partial disclosures by a company of the risk that users’ personal information may be used or disclosed do not eliminate the risk of fraud or other claims against the company, but instead can form the basis of an active concealment claim.

 

This apparent shift in the case law involving California law may be a response to recent attention in the media to the problem of inadequate security for personal information; perhaps the Courts believe that these personal information suits should be allowed to at least proceed to discovery, as a way to help keep corporate giants like Google “on their toes.”

 

Whatever the motivations behind these recent cases, they leave a number of questions open. While these cases can be distilled for the proposition that generalized allegations will suffice for purposes of surviving a motion to dismiss, it is not completely clear where the line is between sufficient, albeit generalized, pleading and excessively generalized and hence insufficient pleading. This is especially the case with respect to the question of when plaintiffs can plead their way out of needing to allege individual reliance under Opperman. Moreover, the Ninth Circuit may well choose to revisit the decisions in Facebook, which is only an unpublished memorandum, and Astiana, which is a very thinly reasoned, arguably incoherent opinion. District courts, at least outside the Northern District of California, may choose not to follow these decisions or seek to distinguish them. Finally, and most notably, the quartet of decisions discussed below only go to the question of whether a complaint will survive a motion to dismiss; they do not suggest that these suits will be successful at the summary judgment phase of litigation. Courts could allow claims to go past the motion to dismiss phase of litigation, but then hold plaintiffs to a high standard regarding proof of their allegations.

 

Fraud, Misrepresentation, Deceit, And Active Concealment Claims

 

In Opperman, Judge Tigar of the Northern District of California issued an opinion that may invigorate efforts to hold companies accountable for their advertising regarding privacy protections for personal data. In a putative class action alleging violations of the UCL, CLRA, and other statutes, the plaintiffs argued that Apple fraudulently represented that their personal information would be protected by Apple, and that Apple concealed the fact that it knew personal information of users in fact had not been protected as promised. Ordinarily, in a state law fraud action of this sort, purchasers of a product or service would have to allege individual reliance on particular misrepresentations made by the defendant. But here Judge Tigar denied the motion to dismiss the fraud claims, even though plaintiffs alleged no individual reliance. Judge Tigar interpreted California law as allowing fraud actions to proceed without individual-reliance allegations where there was “an extensive and long-term advertising campaign” by the defendant regarding its promises to protect personal information. According to Opperman, Federal Rule of Civil Procedure 9(b) in this context does not require more particular pleading than would be required in a state court. Moreover, Judge Tigar interpreted “an extensive and long-term advertising campaign” in a way that may be quite useful to future plaintiffs. The Court also held that plaintiffs had adequately alleged that Apple had acted unlawfully in failing to disclose its exclusive knowledge that personal information was not being protected and in actively concealing those same facts.

 

According to Opperman, even statements made by Apple before the product launch at issue could be counted as part of the advertising campaign.  In addition, statements made by third parties and the media could be considered part of the campaign, given that Apple allegedly sought out such “buzz.”  Even though the statements regarding “security” and the like were varied and directed at different audiences, they could constitute a single campaign.

 

Opperman does not establish a bright line as to how many or what sort of alleged misrepresentations are needed in order to adequately allege that there was “an extensive and long-term advertising campaign” of fraudulent representations. Judge Tigar found that the twenty-plus examples of security-related representations were sufficient, and seemed to suggest that far fewer than twenty alleged misrepresentations might be too few. It appeared to help the plaintiffs that at least a few of the alleged misrepresentations were particular enough – for example, “[a]pplications on the device are ‘sandboxed’ so they cannot access data stored by other applications” – that they were “capable of being proven false.”

 

Opperman also appears to open up opportunities for future plaintiffs to make active concealment claims against companies when the companies only partially disclose the risks that personal information actually might not be held secure. In Opperman, Apple contended that the plaintiffs failed to allege active concealment adequately because Apple’s Privacy Policy disclosed that third parties, including those who offer Apps, may collect information such as “data or contact details.” But Judge Tigar found that the plaintiffs had adequately alleged active concealment because they alleged that Apple failed to disclose all the material facts, Apple falsely reassured consumers that its iDevices did not contain security vulnerabilities that Apple knew they contained, and Apple did not disclose that it taught or encouraged App developers to access users’ information.   Partial disclosure of risks that personal information is insecure, in other words, does not protect companies from liability and in fact might only support the claim that the companies actively concealed material information of risks from purchasers of products or services.  When companies disclose risks regarding the security of personal information, Opperman teaches, they would be well-advised to fully disclose those risks and not withhold material information.

 

For technology companies and their lawyers, Opperman creates a kind of quandary. On the one hand, a company may well want to advertise to current and potential customers its personal information/data privacy protections as a way of keeping and wooing customers from possible competitors and increasing sales. On the other hand, if the company does advertise, advertisements may ex post be deemed “an extensive and long-term advertising campaign” and used as a basis for expensive class action litigation against the company.

 

Breach Of Contract – Deprivation Of The Benefit of The Bargain

 

To state a breach of contract claim, plaintiffs must be able to plead some contract damages, which means they must be able to allege some cognizable economic injury.  Likewise, to the extent that the UCL allows claims based on “unlawful” conduct and conduct in breach of contract is unlawful, plaintiffs bringing a UCL claim based on contract violations also must allege economic injury, because such injury is an explicit requirement for a UCL cause of action.  A concrete injury, which usually would mean an economic injury in the personal information/data security context, is also required for Article III standing.

 

The big question for plaintiffs pursuing claims in the personal information/data security context is how far will the courts go in accepting a “creative” theory of economic injury when there is no very straightforward theory available to the plaintiffs. One such theory that plaintiffs lawyers have offered is a lost-benefit-of-the-bargain or overpayment theory, which contends that when the purchaser of a computer product or service that promises privacy protection buys the product or service but does not receive the promised protection, that person has overpaid for the product or service, and the economic injury consists of the difference between the purchase price that was paid and the lesser price that would have been paid had the good or service been explicitly offered as lacking in privacy protection.

 

One problem with this theory is that plaintiffs may be hard pressed to prove – or even credibly allege – that they paid more for a product or service because of promised protection. Indeed, in In re LinkedIn User Privacy Litigation, 932 F.Supp.2d 1089 (2013), Judge Davila of the Northern District of California dismissed privacy-related claims against users of Linked-In’s premium service, in part because Linked-In promised the same protections to premium and non-premium users and hence it could not be presumed premium users paid for promised privacy protection.

 

In Svenson, however, Judge Freeman of the Northern District of California refused to dismiss a breach of contract claim in a case where there was arguably an absence of particularized factual allegations supporting the claim plaintiffs paid more than they would have had they not been promised privacy protections.   The Court pointed to two allegations made by plaintiffs: that “[t]he services Plaintiff and Class Members ultimately received in exchange for Defendants’ cut of the App purchase price – payment processing, in which their information was unnecessarily divulged to an unaccountable third party – were worth quantifiably less than the services they agreed to accept, payment processing in which the data they communicated to Defendants would only be divulged under circumstances which never occurred. . . .” and “[h]ad Plaintiff known Defendants would disclose her Packets Contents, she would not have purchased the ‘SMS MMS to Email’ App from Defendants.” These allegations were deemed “sufficient to show contract damages under a benefit of the bargain theory,” even though the slightly more general allegations in a prior version of the complaint had been deemed insufficient by the same judge.   One alleged fact in the amended complaint that may have been persuasive for Judge Freeman was that Google did receive a share of the payment for an “App” plaintiffs made, and was not providing processing for free.  Overall, at least where the defendant did receive payment for a product or service – which would seem to be most cases – Svenson seems to allow a benefit-of-the-bargain contract claim as long as the plaintiff very explicitly alleges that they regarded privacy or security protections as part of the bargain and would not have paid what they paid had they known privacy or security would not be provided.   
Thus, it should be quite easy – and courts one day swamped with suits may find, too easy – for plaintiffs to allege economic injury in the form of deprived benefit of the bargain in the personal information/data security context.

 

Breach of Contract – Loss Of Market Opportunity

 

A second theory for contract damages in the personal information/data security setting is that purchasers of a service or product lost an opportunity to sell their own personal data when a company that promised to preserve the privacy or security of their personal information actually uses or discloses that information for its own purposes.  A line of federal district cases, including ones from the Northern District of California, held that general allegations that the plaintiffs lost an opportunity to sell their own personal information as a result of contractual violations of privacy or data security promises were insufficient to satisfy the requirement that plaintiffs allege Article III economic injury and/or damages as part of a breach of contract claim.  However, in the unpublished memorandum opinion in Facebook, the Ninth Circuit held that where “[p]laintiffs allege[d] that the information disclosed by Facebook . . . harmed” them because they “los[t] the sales value of that information,” the allegations were sufficient to show the element of damages for their breach of contract claim.  In reversing the district court’s dismissal of the contract claim against Facebook, the Ninth Circuit, albeit in an opinion that lacks binding authority under Ninth Circuit rules, signaled that plaintiffs need do no more than allege what the Facebook plaintiffs alleged in order to have a breach of contract claim survive a motion to dismiss.   And the Facebook plaintiffs had not alleged facts supporting their general allegation that they lost an opportunity to sell their own personal information due to Facebook’s alleged misconduct.

 

Judge Freeman in Svenson explained that the case law prior to the Ninth Circuit’s decision in Facebook – case law Google largely relied upon – was inapposite because the Ninth Circuit’s decision changed what was required for plaintiffs to allege. For Judge Freeman, the Ninth Circuit’s decision appeared to be governing even though it is a memorandum decision. Judge Freeman may have taken this position because even though the Facebook memorandum opinion is inconsistent with prior district court rulings, it is not even arguably inconsistent with any other Ninth Circuit opinions, as the Ninth Circuit had not previously addressed this issue.

 

As Judge Freeman explained, the Ninth Circuit in Facebook did not require an explication of precisely how personal information was diminished in value as part of a well-pled contract claim.  Thus, even though the plaintiffs in Svenson alleged only that there is a “robust market” for the information at issue and as a result of Facebook’s actions, plaintiffs were deprived of their ability to sell their own personal data on the market,” those allegations were found to be sufficient.

 

Taken together, the Ninth Circuit’s decision in Facebook and Svenson suggest that, at least in the Northern District of California, bare allegations of loss of value in personal information will suffice.  That is certainly how litigants in that District are treating the current state of the law, as evidenced by both the plaintiffs’ and defendants’ briefs in In re Google, Inc. Privacy Litigation, No. 12-CV-01382 PSG, before Judge Grewal, in which the parties seem to agree that the law has shifted with Facebook and Svenson, but disagree whether diminution in value of personal information is actually at issue in their case or whether their case only relates to alleged loss in battery life and bandwidth.

 

Unjust Enrichment

 

If plaintiffs in personal information/data security cases can avoid alleging contract claims and can instead allege unjust enrichment, then they might be able to avoid alleging contract damages, which, outside of the Northern District of California, can be difficult (although they still need to allege economic injury for Article III purposes). However, under California law, it has generally been understood that unjust enrichment is not a stand-alone action but rather a remedy that can be sought after a stand-alone claim like breach of contract or fraud is adequately pled. Nonetheless, the Ninth Circuit’s recent decision in Astiana perhaps suggests plaintiffs in personal information/data security cases could plead unjust enrichment as a distinct cause of action under a quasi-contract theory, even though the unjust enrichment/quasi-contract theory claim would look just like a breach of contract or fraud claim. The Ninth Circuit’s analysis in Astiana is quite brief, and here is the key passage:

 

As the district court correctly noted, in California, there is not a standalone cause of action for “unjust enrichment,” which is synonymous with “restitution.” . . . . However, unjust enrichment and restitution are not irrelevant in California law. Rather, they describe the theory underlying a claim that a defendant has been unjustly conferred a benefit “through mistake, fraud, coercion, or request.” 55 Cal. Jur. 3d Restitution § 2. . . . When a plaintiff alleges unjust enrichment, a court may “construe the cause of action as a quasi-contract claim seeking restitution.” . . . . Astiana alleged in her First Amended Complaint that she was entitled to relief under a “quasi-contract” cause of action because Hain had “entic[ed]” plaintiffs to purchase their products through “false and misleading” labeling, and that Hain was “unjustly enriched” as a result. This straightforward statement is sufficient to state a quasi-contract cause of action.

 

The Ninth Circuit’s reasoning in Astiana is unpersuasive, in that it seems to sanction exactly what it explicitly states is impermissible under California law – the pleading of a stand-alone, separate cause of action for unjust enrichment.  If all one must do is add the label “quasi-contract” to an unjust enrichment cause of action, then there is no real constraint on the pleading of what are in substance stand-alone unjust enrichment causes of action under California law. Nonetheless, for now, Astiana is good law and it may open up pleading opportunities for plaintiffs in personal information/data security cases.

 

Conclusion

In sum, the quartet of federal cases applying California law appears to lower the pleading thresholds for plaintiffs in personal information/data security cases. Whether these cases lead to more complaints being filed and a consequential rethinking by the courts, or whether the courts will simply winnow suits by requiring proof of general allegations in the summary judgment phase of litigation, remains to be seen.

 

For many years, the U.S. was the only country actively seeking to use its laws to fight corruption. However, more recently, a number of other countries have enacted their own anti-bribery laws while other countries have become more active in pursuing anti-bribery enforcement – including not only Germany, South Korea and Britain, but also Brazil and China (among many others). This anti-corruption drive unquestionably is a good thing and it is unquestionably right that bribery should be punished. Bribery has a corrosive effect; it distorts economic outcomes and diverts resources into the corrupt officials’ pockets.

 

While the enforcement of anti-corruption laws is to be applauded, at the same time, questions are being asked about whether in at least some cases things might have gone too far, as the enforcement process has become astronomically expensive and time-consuming.

 

A May 9, 2015 Economist article entitled “Corporate Bribery: The Anti-Bribery Business” (here), as well as a leader article in the same issue (here), refers to what the magazine describes as “a mounting body of evidence that the war on commercial bribery is being waged with excessive vigor, forcing companies to be overcautious in policing themselves,” noting that “some under investigation are starting to fight back.”

 

As evidence of the excess, the article cites the massive amounts that Walmart, Siemens and Avon Products, among many others, have spent in fighting corruption allegations. It is not that the charges against the companies were not serious — the charges definitely were and are serious. The problem, the article suggests, is that “the cost and complexity of investigations are spiraling beyond what is reasonable, fed by a ravenous ‘compliance industry’ of lawyers and forensic accountants who have never seen a local bribery issue that did not call for an exhaustive global review; and by competing prosecutors, who increasingly run overlapping probes in different countries.”

 

The huge amount of work generated for internal and external lawyers and for compliance staff is the result of firms “bending over backwards to be co-operative in the hope of negotiating reduced penalties.” The article quotes Southern Illinois Law Professor Mike Koehler, the author of the FCPA Professor Blog (here), as saying that the overkill is a by-product of what he calls “FCPA, Inc.,” a very aggressively marketed legal industry niche that has every incentive to convince their clients that the sky is falling. Corporate officials, under pressure to clean house and under the sway of the anti-corruption industry, “will then agree to any measure, however excessive, to demonstrate that they have comprehensively answered” every question.

 

For many companies, the expenses do not even end when they have finally managed to reach a settlement with the regulators and enforcement authorities. The bills can keep coming in for years, as many firms are required to bear the cost of being overseen for several years by an independent compliance monitor. Firms that have been the target of bribery investigations may also find themselves shut out from procurement processes. And there is always the risk of follow-on shareholder litigation as well.

 

Not only have the costs increased, but the time required to conclude a case has lengthened inordinately as well, as detailed in an April 20, 2015 Wall Street Journal article entitled “The Foreign-Bribery Sinkhole at Justice” (here). The lengthening, of course, has exacerbated the problems associated with the overwhelming costs of these types of investigations.

 

Part of the problem for everyone is that because so few bribery prosecutions have ever gone to trial, there is almost no legal authority guiding and informing the regulatory and enforcement process. As the article puts it, “this hands prosecutors a lot of discretion.” The article quotes Professor Koehler as saying that “we have only a façade of enforcement,” and that “the FCPA often means what enforcement agencies say it means.”

 

Some companies have started to push back, as Professor Koehler notes in a May 5, 2015 post on his FCPA Professor blog (here). In his post, Koehler references an April 29, 2015 Wall Street Journal article (here) that discusses efforts by Wall Street banks to resist what the banks describe as the enforcement authorities’ “overaggressive effort” to investigate the banks for hiring children and other relatives of government officials in China.   The problem for everyone is that when the regulators have such wide discretion to decide what conduct violates the law, conduct that was not previously viewed as improper can suddenly turn out to represent a violation.

 

No one is suggesting that anti-bribery enforcement in and of itself is the problem. The problem is the excesses to which the enforcement can lead. The Economist suggests four steps to reform the process and to “stop a descent into investigative madness.”

 

First, the magazine suggests, “regulators should rein in the excesses of the compliance industry and take into account the cost to firms of sprawling investigations.” When companies self-report suspected violations, regulators should “tell them what level of investigation they want so that companies are not overzealous out of fear of seeming evasive.” There is reason to hope that regulators may recognize their ability to help here; the article quotes the head of the DoJ’s criminal division as saying that “We do not expect companies to aimlessly boil the ocean.”

 

Second, the article suggests, governments should lower the costs by harmonizing anti-bribery laws and by improving coordination between national probes. There are of course existing efforts to align international efforts, such as the OECD’s anti-bribery convention. There is more that national governments can do to ensure that they are not subjecting companies to multiple investigations and multiple punishments for the same misconduct.

 

The magazine’s third suggestion, while analytically valid, may be prey to an almost inevitable futility. The magazine suggests that more corruption cases need to go to trial, so that legal standards that might constrain enforcement authorities are developed. The problem is that companies are scared to fight and risk a criminal indictment. It is, as the magazine itself notes, commercially rational for companies to capitulate. It may be that efforts of the type now being pursued by the Wall Street banks to push back can provide some constraint to prosecutors’ expansive legal interpretations.

 

The magazine’s final reform suggestion may have the most potential. The magazine suggests that anti-bribery laws should be amended to allow companies a “compliance defense” – that is, if the company had valid anti-bribery policies and was making reasonable efforts to enforce the policies, and self-reported when violations were found, the penalties imposed should be greatly reduced. Although the magazine does not add this point, it would be beneficial if companies qualifying for this defense could also look forward to a more contained and shortened investigative and enforcement process.

 

 

An exclusion sometimes found in D&O insurance policies precludes coverage for claims made by shareholders who have a specified percentage of ownership in the insured company. This type of exclusion is called a Major Shareholder Exclusion (or, sometimes, the Principal Shareholder Exclusion). An interesting May 6, 2015 decision (here) by the Supreme Court of Victoria (Melbourne) addressed the question of what is the relevant point in time for determining the ownership percentage – at the time the claim is made or at the time the wrongful acts allegedly took place? The considerations discussed in the decision raise a number of issues about this type of exclusion. A May 15, 2015 memo from the Allens law firm about the decision can be found here.

 

Background

Effective June 20, 2008, Oxiana acquired all of the outstanding shares of Zinifex. Following the transaction, Oxiana was renamed OZ Minerals Ltd. (“OZ Minerals”) and Zinifex was renamed Oz Minerals Holdings Ltd. (“OZ Holdings”).

 

In February 2014, an OZ Minerals shareholder filed a representative action in the Federal Court of Australia against OZ Minerals alleging that there were misrepresentations in the merger transaction documents. OZ Minerals in turn filed a separate contribution proceeding against OZ Holdings and certain of its former directors and officers.

 

Prior to the merger transaction, OZ Holdings (then Zinifex) had a directors and officers liability insurance policy in place with a policy period from March 31, 2008 to March 31, 2009. In connection with the merger transaction, OZ Holdings purchased a discovery period endorsement which extended the policy’s expiration date to June 20, 2015. A run-off exclusion was also added to the policy at the same time, providing that the insurer was not liable for any claim with respect to a wrongful act committed after June 20, 2008 (the date of the merger transaction).

 

The defendants in the contribution action submitted the claim to the D&O insurer. The D&O insurer denied coverage for the claim in reliance on the policy’s major shareholder exclusion. OZ Holdings commenced an action in the Supreme Court of Victoria (Melbourne) seeking a judicial declaration that the insurer is obliged to indemnify them against liability arising from the contribution claim.

 

The policy’s Major Shareholder and Board Position Exclusion provided that:

 

The Insurer shall not be liable to make any payment under this policy in connection with any Claim brought by any past or present shareholder or stockholder who had or has:

 

  • Direct or indirect ownership of or control over 15% [or] more of the voting shares or rights of the Company or of any Subsidiary, and
  • A representative individual or individuals holding a board position(s) with the company.

 

The parties agreed that neither of the two conditions was met before June 20, 2008. The parties agreed that the first condition was met at the time the claim was made (since OZ Minerals acquired all of OZ Holdings’ shares in the merger transaction). The parties disputed whether the second condition was met at the time the claim was made, but the Court concluded that the second condition had been met at the time the claim was made as well.

 

The crux of the parties’ dispute was their disagreement about the point or points in time at which a claimant is to be assessed against the conditions in the exclusion clause. The declaratory judgment action plaintiffs contended that the exclusion was only intended to apply to exclude coverage for claims brought by claimants who satisfied the conditions at the time of the wrongful acts that gave rise to the contribution claim (that is, before June 20, 2008). The insurer argued that the words in the exclusion disclose an intention that it should operate at both the time of the alleged wrongful acts and the time the contribution claims were brought, so that coverage would be precluded for shareholders holding the specified share percentage either at the time of the wrongful act or at the time of the claim.

 

The May 6 Ruling 

In its May 6, 2015 opinion, the Court agreed with the insurer’s interpretation, holding that the exclusion applied if the two conditions were met either at the time of the wrongful acts or at the time the claim was made.   The court said that the insurer’s interpretation was “grammatical” and “accords with the structure of the policy.”

 

An important part of the Court’s analysis was its consideration of the insurer’s rationale for its interpretation of the exclusion (what the Court called the “commercial rationale”). The insurer had argued that an insurer could reasonably seek to protect itself from a claim that might be the result of collaboration between a claimant major shareholder and the defendant company or that could involve the misuse of confidential company information to the claimant’s advantage. The insurer also contended that an insurer could reasonably seek to preclude coverage for a claim brought by a shareholder who might have been in a position to influence the company’s operations at the time the wrongful acts occurred. The Court said “the suggested commercial rationale is objectively reasonable.”

 

Discussion

There are several kinds of exclusions that can be found in D&O insurance policies precluding coverage for claims brought by certain claimants. For example, a standard D&O policy exclusion precludes coverage for claims brought by one insured against another insured. Some policies (typically those issued to banking institutions) preclude coverage for claims brought by regulators (the so-called regulatory exclusion). The major shareholder exclusion at issue in this case is another type of exclusion precluding coverage for claims asserted by a specified type of claimant.

 

This case illustrates the fundamental problem with the inclusion of a major shareholder exclusion on a D&O insurance policy. It can wind up precluding coverage for the very type of claim for which the insurance policy was designed. OZ Minerals had filed the contribution claim against OZ Holdings and its former directors and officers because OZ Minerals itself had been sued in a shareholder misrepresentation claim. The contribution claim in turn sought to hold the defendants in that action liable for their alleged responsibility for the misrepresentations alleged in the shareholder claim. Those are the very types of claims and allegations for which policyholders purchase D&O insurance, so that they can be protected from those types of claims.

 

The insurer in this case would no doubt justify the exclusion and its preclusive effect by the fact that OZ Holdings is suing its own 100%-owned subsidiary for contribution – a claim, the insurer might argue, that makes sense only as a mission by OZ Minerals to get access to OZ Holdings’ insurance policy. However, the exclusion at issue here precluded coverage not just for the claim against OZ Holdings but also for the claim against the former directors and officers – that’s what I mean  about the exclusion precluding the very type of claim for which these insurance policies are purchased.

 

From the policyholder perspective, the preferred approach is to have the major shareholder exclusion removed. However, obtaining a policy without a major shareholder exclusion is not always an option. If the exclusion’s removal is not an available option, there are a variety of ways the exclusion’s preclusive effect might be limited. For example, the ownership percentage could be increased to a higher level (although that would not have made a difference here, as OZ Holdings owned 100% of OZ Minerals).

 

In addition, the exclusion’s operation could be made subject to additional conditions, as was the case with the exclusion at issue here. Many major shareholder exclusions are conditioned only on a requirement that the claimant have a specified ownership percentage. Here, the exclusion was also conditioned on the requirement that the major shareholder also have board representation.

 

Another way the impact of the exclusion can be limited is by narrowing the point or points in time when the conditions can be met. The court here determined that the exclusion at issue was meant to address both past and present shareholders, and, as the court found, the conditions could be satisfied if the shareholder had the specified ownership percentage either at the time of the Wrongful Act or at the time the claim was made. More typically, the major shareholder exclusion’s preclusive effect is addressed to ownership only at the time the claim was made. Typically, a major shareholder exclusion will not (as the exclusion here did) refer to past shareholders — although there are some standard versions of the exclusion out there in the marketplace that preclude coverage for both present and past shareholders owning the requisite percentage. Narrowing the exclusion’s wording so that it applies only to shareholders that have the requisite ownership percentage at the time the claim is made would at least eliminate the preclusion of coverage for claims by shareholders who had the requisite percentage of ownership prior to the claim but who did not still have that ownership percentage when the claim is made.

 

2015 ACI D&O Conference in New York: On September 17 and 18, 2015, the American Conference Institute will be holding its 19th Forum on D&O Liability in New York. This annual event features an all-star line-up of speakers and will be co-chaired by my friends, Diane Parker of AWAC and Doug Greene of the Lane Powell law firm. Readers of the D&O Diary are entitled to a $100 discount off registration if they mention discount code DOD100. Information about the event including registration instructions can be found here. The event brochure can be found here.

 

ICYMI: Earlier today I published a post discussing a recent Delaware Supreme Court decision addressing questions surrounding the liabilities of independent directors in the M&A context. Due to user error (meaning, I goofed) no emails went out about this post. In case you missed it, the post can be found here.

On May 14, 2015, in a landmark ruling with important implications for the potential liabilities of independent directors of companies involved in M&A transactions, the Delaware Supreme Court held that in order to state a claim for damages against directors of a company that has an exculpatory provision in its corporate charter, a plaintiff must plead non-exculpated claims against the directors, even if the company is involved in an interested transaction subject to “entire fairness” review. The Court’s opinion highlights the importance of the independent directors’ role and also underscores the importance of exculpatory charter provisions. The Court’s opinion in In re Cornerstone Therapeutics, Inc. can be found here.

 

Background

The Court’s ruling involved two different cases in which plaintiff shareholders had filed damages claims against the boards of companies where a controlling shareholder, that had board representation, was acquiring the remainder of the companies’ shares. In each case, the companies involved had formed a special committee of independent directors to review the transaction and to negotiate with the controlling shareholder. In each case, the companies’ minority shareholders had approved the transaction. Nevertheless, plaintiff shareholders filed lawsuits against the companies’ boards – including as defendants both the interested directors and the independent directors – alleging that the directors had breached their fiduciary duties by approving transactions that were unfair to the minority shareholders.

 

In both cases, the independent directors had moved to dismiss the claims against them. Their dismissal motions relied on the fact that each of the companies had an exculpatory clause in their corporate charters. (As discussed here, Delaware Corporations Code Section 102(b)(7) authorizes shareholders to include a clause in a corporation’s charter eliminating personal liability of a director to shareholders for monetary damages for breach of fiduciary duty, provided that such clause does not eliminate liability (1) for “any breach of the director’s duty of loyalty,” (2) “for acts or omissions not in good faith or which involve intentional misconduct or a knowing violation of law,” and (3) “for any transaction from which the director derived an improper personal benefit.”) The defendants argued that the plaintiffs had failed to plead non-exculpated allegations against them, and therefore that the claims against them should be dismissed.

 

The plaintiffs contended that because the share purchases represented interested transactions, the “entire fairness” standard of review applied. (As discussed here, the entire fairness standard is Delaware’s “most onerous standard,” which applies when the board “labors under actual conflict of interest.” When the standard applies, the defendants must establish that the transaction “was the product of both fair dealing and fair price.” The transaction must be “objectively fair, independent of the board’s beliefs.”) The plaintiffs argued that because interested parties were involved in the transactions, the possibility of conflict of interest justified a pleading-stage inference of disloyalty – not just as to the interested directors, but as to the independent directors as well.

 

In each case, the trial court judges, relying on prior Delaware Supreme Court case authority, agreed with the plaintiffs and denied the motions to dismiss. However, because they were troubled by the result (that is, that the independent directors had to remain as defendants in the case even though the plaintiffs had pled no non-exculpated misconduct against them), the trial court certified interlocutory appeals of the cases to the Delaware Supreme Court. The two cases were consolidated for purposes of the appeal.

 

 The May 14 Decision

In a unanimous opinion written by Chief Justice Leo E. Strine, Jr., the Delaware Supreme Court reversed the lower court rulings and remanded the cases for further proceedings. The Court said that “even if a plaintiff has pled facts that, if true, would require the transaction to be subject to the entire fairness standard of review, and the interested parties to face a claim for breach of their duty of loyalty, the independent directors do not automatically have to remain defendants.” If the independent directors are “protected by an exculpatory charter provision and the plaintiffs are unable to plead a non-exculpated claim against them, those directors are entitled to have the claims against them dismissed.”

 

In reaching its decision, the Court examined the effect of the exculpatory provisions in the respective companies’ corporate charters. The Court said that “when a director is protected by an exculpatory charter provision, a plaintiff can survive a motion to dismiss by that director defendant by pleading facts supporting a rational inference that the director harbored self-interest adverse to the stockholders’ interests, acted to advance the self-interest of an interested party from whom they could not be presumed to act independently or acted in bad faith.” The mere fact that the plaintiff had pled facts sufficient to support the application of the entire fairness standard does not, by itself, relieve the plaintiff of the requirement to plead a non-exculpated claim against each independent director defendant.

 

In support of its decision, the Court noted, among other things, that a contrary ruling would “increase costs for disinterested directors, corporations and stockholders, without providing a corresponding benefit.” A contrary ruling would also “create incentives for independent directors to avoid serving as special committee members or to reject transactions solely because of their role in negotiating on behalf of shareholders.” The “fear” that directors facing personal liability for “potentially value-maximizing business decisions” might be dissuaded from making those kinds of decisions is the reason that Section 102(b)(7) was adopted in the first place.

 

Discussion

The Court’s opinion underscores the importance of exculpatory charter provisions. The provisions not only provide substantial liability protection for corporate directors but they also provide a form of protection that may be invoked at the initial pleading stage. They provide a way for directors who qualify for the provision’s protection to extricate themselves from liability lawsuits at the outset.

 

The Court’s opinion also highlights the importance of the independent directors’ role. The Court emphasized the ways in which disinterested directors can protect the interests of the corporation and of minority shareholders, even when the corporation is involved in a transaction with an interested party.

 

It is important to note that the protective effect of the Court’s ruling extends only to the independent directors. The defendants who were the interested parties to the transaction will remain in the case. If it is later established that the interested parties violated their fiduciary duties, they will be held liable to the minority shareholders. But where the plaintiffs have alleged no facts to suggest that independent directors had engaged in non-exculpated misconduct, the independent directors are entitled to have the claims against them dismissed – even where the plaintiffs have pled sufficient facts to require the application of the entire fairness standard.

 

The fact that the independent directors can be dismissed even when the entire fairness standard applies is significant. The entire fairness standard is, as the Court itself has said, “onerous.” The requirements to meet the standard are high. But even where the high standard applies, plaintiffs must still present allegations that each director defendant individually engaged in non-exculpated misconduct in order for the claims against that defendant to survive a motion to dismiss.

 

Francis Pileggi’s May 16, 2015 post on his Delaware Corporate & Commercial Litigation Blog about the Supreme Court’s ruling can be found here. Frank Reynolds’ May 15, 2015 Thomson Reuters article about the ruling can be found here.

 

Special thanks to a loyal reader for sending me a copy of the Delaware Supreme Court opinion.

 

ICYMI: Delaware Senate Passes Bill Barring Fee-Shifting Bylaws: On May 12, 2015, the Delaware Senate passed Senate Bill (S.B.) 75 (here) that would amend Delaware law to prohibit Delaware stock-based companies from adopting fee-shifting bylaws. The bill also expressly allows companies to adopt forum-selection clauses that establish Delaware as the exclusive venue for any shareholder litigation.

 

As readers will recall, as discussed here, in May 2014, the Delaware Supreme Court in the ATP Tour, Inc. v. Deutscher Tennis Bund case had upheld the validity of a corporate bylaw provision shifting fees to an unsuccessful litigant in shareholder litigation. The ruling proved to be highly controversial (as discussed, for example, here). Early efforts last year to address the ruling in the legislature ultimately were tabled and in the interim the debate about fee-shifting bylaws has continued to rage. Now that the Senate has voted to approve the legislation banning fee-shifting bylaws for Delaware stock corporations, the legislation will move to the Delaware House for its consideration.

 

A May 13, 2015 memo from the Ballard, Spahr law firm discussing the Delaware Senate’s action on the bill can be found here.

 

D&O Liabilities in China: The potential liabilities of corporate directors and officers are of course dependent on the requirements of applicable law. That means that corporate officials’ liability exposures can vary from state to state. There are even greater variations from country to country. In a global economy, questions about the potential liability of directors and officers in non-U.S. countries arise with increasing frequency. Given China’s huge and growing role in the global economy, questions about the potential liability of directors and officers under Chinese law are increasingly frequent.

 

For that reason, readers may be interested in reviewing this May 8, 2015 article entitled “D&O Liability Insurance: Legal Issues under PRC Law” (here) by Jia Hui of the DeHeng Law Offices. The article provides a good overview of the basic legal duties and liability exposures of directors and officers under Chinese law. As the article points out, in light of the various accounting scandals involving Chinese companies that have arisen, these considerations are increasingly important.

Among the many concerns arising in the current cybersecurity environment is the question of the security of data housed in “the Cloud.” In the following guest post Paul Ferrillo and Jeffrey Osterman of the Weil, Gotshal & Manges law firm and Grady Summers, SVP, Cloud Analytics at Mandiant/FireEye, take a look at the questions businesses and their boards of directors should be asking before adopting a cloud-based strategy. The post also includes a cloud security checklist. A version of this article previously was published as a Weil client alert.

 

I would like to thank Paul, Jeffrey and Grady for their willingness to publish their article on my site. I welcome guest post submissions from responsible authors on topics of interest to readers of this blog. Please contact me directly if you would like to submit a guest post. Here is Paul, Jeffrey and Grady’s guest post.

 

***************************************

 

It is fitting that just over 40 years after Neil Armstrong walked on the moon and uttered some of the most famous words ever spoken, “one small step for [a] man, one giant leap for mankind,” NASA, along with cloud service provider Rackspace, jointly launched an open-source cloud-software initiative known as OpenStack. The OpenStack project is intended to help organizations manage cloud-computing resources running on standard hardware. The early code came from NASA’s Nebula platform as well as from Rackspace’s Cloud Files platform. Launched with the intent to provide consumers with a high tech, yet low-cost method to store vast amounts of data off premises in a safe and efficient manner, the cloud has transformed the way global enterprises do business.[i] Yet, despite the cloud’s increasing popularity, hardly a day goes by when industry professionals do not question the security of data kept in the cloud. According to Gilad Parann-Nissany, CEO and co-founder of cloud encryption company Porticor (recently acquired by Intuit):

In the cloud, data security poses new risks and challenges. We are no longer concerned just with burglars breaking into our offices to steal computers, but rather with the data belonging to complete systems deployed to the cloud…Instead, security in the cloud becomes not about protecting our hardware, but rather protecting the sensitive information regardless of its physical location. For this, burglar alarms are irrelevant and firewalls are only one part of the approach for security in the cloud.

A way to visualize the unique challenges of data security in the cloud is that where before we had brick walls and steel locks to keep us safe; we now must construct mathematical walls as barriers to our data.[ii]

As more and more businesses are considering moving some or all of their data storage needs to the cloud, here are three “50,000 foot” questions American businesses and boards of directors are asking themselves (or should be asking their IT security professionals) before adopting a cloud-based strategy:

  1. How can the board assure itself from a governance perspective that the cloud-based environment that it is being asked to approve is acceptably secure, as compared with the company’s previous on-site computer environment, and meets the security, privacy, and regulatory needs of my company?[iii]
  2. What visibility and ability does the company have if there is a cloud-based breach and its information is subject to exfiltration? Does the company have the ability to conduct incident response and remediation or is it totally at the mercy of the cloud service provider (CSP)?[iv]
  3. What is the “best” way to assure that the company’s cloud-based data is as secure as possible given what it knows about the CSP that it has chosen?

90% of All Organizations Have Security Concerns about the Cloud

A recent study noted that “an overwhelming majority of 90% of organizations are very or moderately concerned about public cloud security. Today security is the single biggest factor holding back faster adoption of cloud computing.”[v] The Cloud Security report notes that the top concerns are:

  1. General security concerns over the storage of data in the cloud;
  2. Data loss and leakage risks;
  3. Loss of control over security procedures applied day to day over the company’s data; and
  4. Lack of visibility to assure regulatory compliance.[vi]

How would these concerns potentially materialize? Our experience tells us that, to the extent attackers are targeting data in cloud-hosted environments, they’re doing it in distinctly old-fashioned ways. That is, despite concerns about the cloud being inherently insecure, attackers are using the same methods to compromise cloud resources as they have used for many years for on-site computer systems: the theft of employee credentials generally started via spear phishing attacks. Thus, we recommend that organizations approach cloud security like they would any other environment: by understanding their data and the threats against it, and ensuring that the environment is instrumented to prevent, detect, and respond to attacks. This can be hard, though, when IT security teams lack the necessary visibility to do their jobs.

This lack of visibility was illustrated in a recent Ponemon study entitled “The Cloud Multiplier Effect.” The study, based on a survey of 613 IT and security professionals, found that increasing use of cloud services can increase the probability of a $20 million data breach by as much as 3 times. It also revealed other key findings, including:

  • 36 percent of business-critical applications are housed in the cloud, yet IT isn’t aware of nearly half of them;
  • 66 percent of respondents believe that their organizations’ use of the cloud diminishes their ability to protect sensitive or confidential information; and
  • 72 percent of respondents don’t believe that their cloud service provider would notify them immediately if they had a data breach involving the loss or theft of their intellectual property or business confidential information.[vii]

Cloud-related breaches in 2014 included Dropbox, Google Drive, and the alleged Apple iCloud breach. More recently, SendGrid, the cloud email service, reported it had been hacked through a phishing scheme that compromised an employee’s account.[viii] Certainly these high-profile breaches, such as Dropbox (from which 7 million passwords were reportedly stolen) have left many questioning whether the cloud can be safely used to store sensitive data.

Types of Cloud Computing

We refer generally to “cloud computing,” but this can refer to anything from a hosted application to rented servers in a shared facility. It is helpful to recognize the three major categories of cloud computing:

  1. Infrastructure as a Service (IaaS): In this model, the CSP is responsible for basic IT resources (servers) and the networks on which they run. The customer is generally responsible for maintaining the operating systems and software necessary to run the applications, plus the data placed in the cloud environment. Thus, while the CSP is responsible for protecting the infrastructure itself, data security in an IaaS environment is generally the responsibility of the customer.
  2. Platform as a Service (PaaS): Here the CSP provides the infrastructure, the operating system, and a set of services that organizations use to build applications. These building blocks are invoked through Application Programming Interfaces (APIs) and might include services for storage, databases, data processing, machine learning, etc. The customer is responsible for application deployment, and responsibility for security is generally shared between the customer and the CSP.
  3. Software as a Service (SaaS): Here the CSP provides for nearly everything, including the infrastructure and software provided to the customer. Thus, security in an SaaS environment generally is the responsibility of the provider, and it is the consumer’s role to ensure the CSP’s security processes meet the security and compliance requirements of the customer’s business.

Cloud Compliance, Security, and Visibility

As CSPs move “up the stack” to offer robust PaaS and SaaS services, they begin to shoulder more of the burden for securing their customers’ data. However, it will always be the responsibility of the customer to ensure that its constituents’ data is secure. Since a customer can’t always directly participate in securing this data, it must ensure that the service contract, together with any associated statement of work and/or service level agreement (SLA) provided by the CSP meets its needs. The parameters of these contractual arrangements will usually include information about service availability, incident response definitions and services, breach response notifications and timing, technical compliance and vulnerability management, and log management and forensic capabilities, together with an allocation of liability if these standards are not achieved.

While we have found that most large CSPs do an outstanding job of securing their environments – and dedicate tremendous resources to this task – all of the above categories of services must be described in generalities, meaning “here’s how they generally work.” The proof is really in the terms and conditions of the contractual commitments that the CSP agrees to make, and the sad fact is that many cloud service customers do not understand the value of substantive contracts with detailed terms relating to security.

Here are the most important issues to consider when contemplating a migration of important data to the cloud under an SLA:

  1. Breach and incident response – Cloud customers must understand how the CSP defines events of interest vs. security incidents, what events/incidents the CSP reports to the cloud customer, and in which way. Customers should understand when and how quickly they will be notified if the CSP suffers a breach, what information they will be given by the CSP to help analyze the incident, whether they will have the opportunity (given the potential SLA in place) to participate in the incident response process, and whether they will be given the opportunity to contact and interact with the CSP’s own incident response team.
  2. Where is the customer’s data going to be “stored”? This is probably one of the most important questions for a customer, both from a legal perspective (meaning under what circumstances can data be subpoenaed or accessed through a court request or judicial process) and a privacy perspective (meaning how must data, such as personally identifiable information, be stored and protected).
  3. Does the CSP itself adhere to any standardized security practice or protocol, like the NIST cybersecurity framework, or ISO 27001? Does the CSP have FedRAMP certification or a certification from the Security Trust and Assurance Registry certification program?
  4. Does the customer have the ability to audit or independently assess the security provided by its CSP to make sure the provider is compliant with various legal, industry, customer and regulatory requirements it may be subject to?
  5. What is the CSP’s patch management process in case a software or application vulnerability is discovered, which could then impact the security of the data stored?
  6. What sort of backup procedures does the CSP have in place if the customer’s data is lost, stolen or deleted?

Thinking About Making a Move to the Cloud? Cloud Security Checklist

There is no perfect checklist of how, when, and where to move data to a cloud-based environment. Some factors, such as cost, may make the decision easy, while on the other hand, the perceived lack of control over your data security or your compliance risks may make the decision harder. At the end of the day, it is your business judgement what sort of data you are comfortable moving to the cloud (you might be comfortable moving human resources, payroll, or other specific applications[ix]), and what sort of data you are not comfortable moving to the cloud (you might draw the line at PII or financial records and information). A separate book alone could be written on this sort of balancing act.

From a data security perspective, though, there are certain security measures that should be investigated by potential cloud customers before they make the decision to move their data to a cloud-based environment. This area is highly technical (and thus security professionals and cyber-governance and cybersecurity lawyers should also be consulted before making this decision), but we try below to boil down these measures into objectives for directors and officers to consider when asked to finally approve a move to the cloud:

  1. How is security built into the cloud architecture and applications and data that are going to be moved to the cloud-based environment? Is there a constant lifecycle of updates and vulnerability reviews given that the computing ecosystem is never static?
  2. What data am I putting in the cloud? Is it general company HR data, customer PII, financial records, or something else less sensitive?
  3. Will the data stored in the cloud be encrypted while at rest or only when it is in motion to and from the cloud? What sort of encryption is available at my CSP?
  4. How is suspicious activity monitored on the cloud? By the CSP only, or will the customer have visibility into security monitoring? Will cloud security be continuously monitored by the CSP?
  5. What degree of visibility does the CSP make available to the customer (audit logs and metadata recording administrative changes, account usage, system logs, etc.), and can this data be flexibly consumed into your own internal security monitoring systems?
  6. What sorts of intrusion detection systems are in place to detect threats to the cloud-based environment, such as malware threats, or suspicious network traffic?

So You Are Moving to the Cloud – Governance Issues Ultimately Rule the Day

This article is not meant to dissuade a company from considering using the cloud to increase efficiency in its businesses. On the contrary, our goal is to allow readers to engage in more informed discussions that will ultimately lead to a greater degree of comfort with both the decision to move to the cloud and the risk management tools, procedures, and contractual protections surrounding that move.

The cloud undoubtedly provides businesses with unique opportunities to manage their data in not only a cost efficient manner, but also potentially in a manner which is just as safe and secure as on-site storage systems. The cloud is not, however, a binary solution to data management challenges. And time is slim to consider all the options. Whatever the path you choose, you should consider how things may look at the end of the day if your company is breached, and some constituency (i.e., a regulator, state AG, or investor) looks back to potentially criticize your decision to move to the cloud. Have your checklists answered, discuss the answers to your checklists with your IT staff and outside experts, and document your decisions that balance the business and efficiency needs of the company with the level of security and service being offered by your cloud service provider.

[i] See “The next generation of cloud computing,” available at http://www.pwc.com/en_US/us/increasing-it-effectiveness/assets/next-generation-cloud-computing.pdf (noting “Cloud computing is the fastest-growing trend in enterprise technology today – and for the foreseeable future. Forrester Research predicts the global cloud computing market will mushroom from $40.7 billion this year to $241 billion by 2020.”).

[ii] See “Cloud Computing Issues and Challenges,” available at http://www.porticor.com/2014/11/cloud-computing-security-issues-and-challenges/.

[iii] “Compliance (64%) was seen as the biggest cloud security challenge,” according to one recent report issued by CipherCloud. See “Compliance remains the key cloud security challenge, according to the CipherCloud report,” available at http://www.cloudcomputing-news.net/news/2015/mar/26/compliance-remains-key-cloud-security-challenge-according-ciphercloud-report/.

[iv] See “Majority of firms say they aren’t confident in responding to cloud-based data threats,” available at http://www.cloudcomputing-news.net/news/2015/apr/08/majority-firms-say-they-arent-confident-responding-cloud-based-data-threats/ (noting that 60% of the global respondents in a recent survey were not confident they had the ability to proactively respond to cloud-based data threats).

[v] See “Cloud Security Spotlight Report,” available at http://www.infosecbuddy.com/wp-content/uploads/2015/03/Cloud-Security-Spotlight-Report-2015.pdf (hereinafter, the Cloud Security Report).

[vi] Id.

[vii] See “The Cloud Multiplier Effect on Data Breaches,” available at https://blog.cloudsecurityalliance.org/2014/06/04/the-cloud-multiplier-effect-on-data-breaches/.

[viii] See “SendGrid admits hack, says all customers must reset their passwords,” available at http://venturebeat.com/2015/04/28/sendgrid-admits-hack-says-all-customers-must-reset-their-passwords/.

[ix] See “Navigating security in the cloud,” available at http://www.pwc.com/en_US/us/it-risk-security/assets/pwc-navigating-security-in-cloud.pdf.

 

In many cases, companies’ D&O insurance programs are structured in several layers, with one or more policies of excess insurance written over top of a primary layer. The excess insurance is often said to be written on a “follow form” basis, meaning that the primary policy’s terms govern the operation of the excess policies. However, even in programs that are intended to be “follow form,” the excess policies will sometimes have terms that cause them to operate differently, sometimes in unexpected and even undesirable ways. In addition, there are a number of other considerations to keep in mind when selecting the insurers to include in the excess layers.

 

In an interesting April 2014 article (here), Tom Bentz of the Holland & Knight law firm takes a look at the issues that can arise with excess D&O insurance. As Bentz correctly notes, “few excess D&O policies truly follow the terms and conditions of the primary D&O insurance policy.” Instead, the excess policies include various additional terms and conditions that “have the potential to significantly affect the overall protection” of the D&O insurance program.

 

In order to illustrate his point, Bentz identifies several of the kinds of excess insurance policy features that can be critical in the event of a claim.

 

First, Bentz refers to the excess D&O insurance policy provision that specifies when the excess insurance will “attach” – that is, what is required in order for the excess insurance to be triggered. In many instances, excess D&O insurance policies were written with a provision stating that the excess insurer’s liability for any loss will attach only after the insurers of the underlying policies have exhausted their limits in payment of loss. The problem with this language is that if, for example, the policyholder is in a dispute with one of the underlying carriers and reaches a compromise to accept less than the full amount of the underlying insurance, there is an uninsured gap.

 

As I have discussed in prior posts (for example, here), a number of courts have now held that even if the policyholder funds the gap, the underlying insurance was not exhausted by the insurers’ payment of loss, and accordingly the excess insurer’s obligations have not been triggered.

 

As Bentz notes in his article “to avoid this unfair result, insureds need to negotiate excess insurance policies so that they recognize payments made by the underlying insurers, the insureds, or other source.” Indeed, this kind of provision has now become fairly standard. But as noted below, these kinds of provisions will not address all of the kinds of gaps that can arise and create questions as to whether the excess insurers’ policies have been triggered.

 

Another excess D&O insurance policy term that Bentz discusses in his article is the provision found in some policies requiring disputes between the insured and the insurer to be resolved by arbitration. This can be a problem if the separate excess policies in the different layers of insurance have separate arbitration provisions. It is possible that different policies could require that the arbitration take place in different geographic locations, using different arbitration processes and applying different jurisdictions’ laws. As Bentz notes, “the type of inconsistency could force an insured to fight multiple battles on multiple fronts with potentially inconsistent results.” Bentz suggests first attempting to have all of the arbitration provisions removed. If that is not possible he suggests that “an insured should seek to have all of the insurers agree to one arbitration method with only one choice of law provisions and one required venue to resolve any potential coverage disputes.”

 

In addition to the items that Bentz identified in his article, there are several additional considerations that should be kept in mind with respect to excess D&O insurance.

 

The first is the excess carrier’s financial strength. All too often, excess D&O insurance is viewed as generic and fungible. However, the ability of any given excess D&O insurer to pay claims when the time comes should not be overlooked. It doesn’t happen often, but carriers do become insolvent, and when that happens, it makes a big mess. There are still cases working their way through the system because of the insolvency in the early 2000s of Reliance National and The Home. When a carrier in an insurance program is insolvent and unable to pay a claim, it not only creates an uninsured liability exposure, but it also creates the kind of “gap” that avoids coverage for any carriers that were above the insolvent insurer in the insurance tower.

 

For example, as discussed here, in June 2013, the Second Circuit held in the Commodore International case that excess D&O insurance is not triggered even if losses exceed the amount of the underlying insurance, where the underlying amounts have not been paid due to the insolvency of underlying insurers. (Commodore had both Reliance and The Home in its insurance tower.)

 

It is important to think about the problems that can arise from this type of insolvency gap. This is not an issue that can be “fixed” with the type of wording cited above, which provides that the excess D&O insurance will be triggered if the underlying amount is paid by the underlying insurer, the insured, or any other source. When the underlying insurer is insolvent, there is just an underlying uninsured gap. The excess carriers will take the position that they have no obligation to “drop down” to take the place of or attach at the underlying carrier’s attachment point. For that reason, the financial stability of all of the carriers in the insurance program should be an important consideration. In particular, excess D&O insurance should not be viewed as generic and fungible. The excess carrier’s financial ability to honor its payment obligations is an important and potentially differentiating consideration.

 

It is also important to keep in mind that in the event of a significant D&O claim, the excess D&O insurer(s) may be directly involved in the claims resolution. The excess carriers’ responsiveness and claims handling capabilities could well affect whether or not a claim is resolved expeditiously. The claims handling capabilities of the primary D&O carriers are often considered and discussed, as they should be, because the primary carrier will take the lead in handling any claims that will arise. However, because of the role that excess insurers can play in the resolution of claims, the excess insurers’ claims handling experience and reputation should be kept in mind as well.

 

There is one final thing that should be considered with respect to the excess insurers. It is often a good idea to try to include in the lineup of carriers on a D&O insurance program excess insurers who might be willing to move to the primary position in subsequent years, if the primary carrier were to change its appetite for the risk or seek to get off the account. It is just a good idea to have an excess insurer as a reserve to take the primary position if the need should arise.

 

Another set of issues to keep in mind with respect to excess D&O insurance are the considerations involved in deciding how the excess insurance should be layered and structured, as I discussed in an earlier post, here.

In a detailed May 4, 2015 opinion (here), Vice Chancellor Travis Laster of the Delaware Chancery Court extensively reviewed the rights of an insolvent company’s creditors to pursue derivative claims against the company’s directors. As Francis Pileggi put it in a May 6, 2015 post on his Delaware Corporate and Commercial Litigation blog (here), Laster’s opinion in Quadrant Structured Products Company, Ltd. v. Vincent Vertin et al. is “destined to be cited as a seminal ruling for its historical and doctrinal analysis of important principles of Delaware corporate law.”

 

Background  

Prior to the credit crisis, Athilon Capital Corp. guaranteed credit default swaps that one of its subsidiaries wrote on senior tranches of collateralized debt obligations. To fund its operations, Athilon raised debt financing by issuing various notes. Athilon suffered significant losses during the financial crisis. In the wake of these events, one of Athilon’s debt holders (EBF) acquired all of Athilon’s outstanding equity securities. As the company’s sole stockholder, EBF reconstituted the board, after which it made a number of moves to address Athilon’s financial situation.

 

In October 2011, Quadrant Structured Products Company, another of Athilon’s noteholders, filed a derivative lawsuit in Delaware Chancery Court against Athilon’s board. Quadrant contended that the directors’ actions, which Quadrant alleged were made to benefit EBF and to the detriment of the company, breached their fiduciary duties. Quadrant argued that under Delaware law, it had the right as a creditor to assert a derivative claim against the Athilon directors because the company was insolvent.  In an earlier post (here), I discussed Vice Chancellor Laster’s October 2014 ruling in the Quadrant lawsuit, in which Laster denied in part the defendants’ motion to dismiss.

 

Following the motion to dismiss denial, Athilon made a number of additional financial moves that the defendants contend returned the company to solvency. The defendants then moved for summary judgment. The defendants argued that for a creditor to have standing to maintain a derivative action, the corporation on whose behalf the creditor sues must be insolvent at the time of the suit and continuously thereafter. The defendants argued that whether or not Athilon was insolvent at the time Quadrant filed suit, Athilon’s current balance sheet shows that it is now solvent, and therefore that Quadrant no longer had standing to pursue the derivative lawsuit.

 

The May 4 Ruling  

In his May 4, 2015 opinion, Vice Chancellor Laster denied the defendants’ motion for summary judgment. He said that the question of whether or not Delaware imposes a continuous insolvency requirement in order for creditors to have standing to assert a derivative claim is a “question of first impression.” In his ruling, he rejected “the defendants’ attempt to impose a continuous insolvency requirement for creditor derivative claims.”

 

He said that “to bring a derivative action, a creditor-plaintiff must plead and later prove that the corporation was insolvent at the time the suit was filed.” Because he found that Quadrant had introduced sufficient material to support a reasonable inference that Athilon was insolvent at the time Quadrant filed suit, he denied the defendants’ motion for summary judgment.

 

In making these determinations, Laster broadly surveyed the legal principles underpinning derivative litigation in Delaware, including the rights of creditors to assert derivative claims under some circumstances. He reduced the various principles pertaining to these issues to a succinct bullet point list:

 

  • There is no legally recognized “zone of insolvency” with implications for fiduciary duty claims. The only transition point that affects fiduciary duty analysis is insolvency itself.

 

  • Regardless of whether a corporation is solvent or insolvent, creditors cannot bring direct claims for breach of fiduciary duty. After a corporation becomes insolvent, creditors gain standing to assert claims derivatively for breach of fiduciary duty.

 

  • The directors of an insolvent firm do not owe any particular duties to creditors. They continue to owe fiduciary duties to the corporation for the benefit of all of its residual claimants, a category which now includes creditors. They do not have a duty to shut down the insolvent firm and marshal its assets for distribution to creditors, although they may make a business judgment that this is indeed the best route to maximize the firm’s value.

 

  • Directors can, as a matter of business judgment, favor certain non-insider creditors over others of similar priority without breaching their fiduciary duties.

 

  • Delaware does not recognize the theory of “deepening insolvency.” Directors cannot be held liable for continuing to operate an insolvent entity in the good faith belief that they may achieve profitability, even if their decisions ultimately lead to greater losses for creditors.

 

  • When directors of an insolvent corporation make decisions that increase or decrease the value of the firm as a whole and affect providers of capital differently only due to their relative priority in the capital stack, directors do not face a conflict of interest simply because they own common stock or owe duties to large common stockholders. Just as in a solvent corporation, common stock ownership standing alone does not give rise to a conflict of interest. The business judgment rule protects decisions that affect participants in the capital structure in accordance with the priority of their claims.

 

In summarizing his ruling on the issues raised in the defendants’ summary judgment motion, Laster said “in my view … to maintain standing to sue derivatively, a creditor must establish that the corporation was insolvent at the time the creditor filed suit. The creditor need not demonstrate that the corporation continued to be insolvent until the date of judgment.” Laster then added a note of modesty, with his observation that “to state the obvious, this is the opinion of one trial judge. The Delaware Supreme Court may well disagree.”

 

By contrast to Delaware law, courts applying Pennsylvania law have applied the “deepening insolvency” theory to hold that directors of a company in the zone of insolvency have duties for which the company’s creditors may seek to hold them liable. For a recent post discussing a decision in which the Third Circuit applied these principles in holding the directors of a nonprofit entity liable, refer here.

As part of its conduct of foreign affairs and of its national security program, the U.S. government has instituted a series of economic and trade sanctions against a number of countries and a long list of designated individuals. The various sanctions programs are administered by the Office of Foreign Assets Control (OFAC) within the U.S. Department of Treasury. The sanctions programs OFAC administers include broad trade embargoes of Iran, North Korea, Sudan, Syria, Crimea and Cuba.

 

As part of its enforcement power, OFAC has authority to file civil liability actions. In collaboration with the U.S. Department of Justice, OFAC can also pursue criminal actions. OFAC’s exercise of its enforcement authority has recently resulted in a number of high profile penalties and settlements. These settlements have a number of significant implications, and, among other things, may raise concerns about the possibility of D&O insurance coverage for the companies involved.

 

Since 2008, OFAC has filed nearly 250 civil enforcement actions that have resulted in penalties or settlements. The aggregate amount of the enforcement action penalties and settlements during that period is over $3.8 billion. In 2014, the agency’s enforcement actions resulted in penalties and settlements of over $1.2 billion, the agency’s highest annual total.

 

Two recent enforcement actions illustrate the nature and scope of the government’s sanctions enforcement efforts.

 

On March 25, 2015, the U.S. Department of Justice announced that a subsidiary of Schlumberger Ltd. had entered a guilty plea and agreed to pay a $232.7 million penalty for conspiring to violate sanction programs by “willfully facilitating transactions and engaging in trade with Iran and Sudan.” Under the plea agreement, the subsidiary agreed to submit to a three-year probationary period during which it would agree to various types of government supervision. The DoJ’s March 25, 2015 press release can be found here.

 

The $232.7 million penalty includes a $77.5 million criminal forfeiture and a $155 million criminal fine. According to a March 26, 2015 FCPA Blog post (here), the fine is the largest ever criminal fine in connection with a prosecution under the International Emergency Economic Powers Act.

 

In the Schlumberger action, the government alleged that between 2004 and 2010, a business unit of the subsidiary provided oilfield services to customers in Iran and Sudan. The government also alleged that while the subsidiary had policies and procedures to ensure that it did not violate U.S. sanctions, it failed to train its personnel to ensure that they complied with the sanctions requirements. As a result, the company approved capital expenditure requests from Iran and Sudan, made business decisions specifically concerning Iran and Sudan, and provided technical service and expertise in connection with drilling projects in Iran and Sudan.

 

In a separate sanctions-related enforcement action, on March 25, 2015, OFAC announced that PayPal, Inc. had agreed to pay the agency $7.65 million to settle the company’s potential civil liability for processing 486 transactions totaling $43,934 in alleged violation of U.S. sanctions programs. Specifically, the company was alleged to have failed to ensure that its payment processing operations blocked prohibited transactions with sanctioned countries (including Iran, Sudan, Cuba) and sanction-designated individuals. The company was also alleged to have processed 136 transactions for a PayPal account registered to Kursad Zafar Cire, an individual designated under a sanction program relating to “Weapons of Mass Destruction Proliferators and Their Supporters.” The agency’s March 25, 2015 press release regarding the PayPal settlement can be found here. The FCPA Blog’s March 27, 2015 post about the settlement can be found here.

 

The types of fines and penalties entered in these sanctions enforcement actions would not be covered by D&O insurance, as the typical D&O insurance policy definition of Loss covered under the policy expressly provides that Loss does not include fines, penalties and matters deemed uninsurable under applicable law.

 

However, as discussed in a May 8, 2015 post on the Orrick law firm’s Policyholder Insider blog (here), there may be coverage for the costs incurred in connection with the investigation that precedes the settlement or penalty. As the blog post puts it, “companies forced to incur costs responding to and defending against these investigations should closely inspect their D&O policies to determine whether they provide coverage.”

 

Depending on the specific nature of the sanctions enforcement investigation involved, the government’s investigation may constitute a “Claim” triggering the policy’s coverage. However, it should be noted that public company D&O insurance policies provide entity or company coverage only for “Securities Claims.” In most circumstances, a sanctions violation investigation or enforcement action would not meet the policy’s definition of a Securities Claim. Many carriers would likely take the position that because a sanctions violation investigation or enforcement action does not meet the definition of a “Securities Claim,” there is no coverage under the policy’s entity coverage for the investigation or enforcement action.

 

As the blog post also notes, even if there is no formal proceeding and no subpoenas have been issued, the “Pre-Claim Inquiry” costs coverage found in many more up-to-date D&O insurance policies these days could be triggered. This policy feature provides coverage for costs associated with interviews and responses to document requests from an “Enforcement Body,” as defined in the policy. The scope of the coverage available will of course depend both on the nature of the governmental inquiries and the specific policy wording involved. However, it should be noted that this coverage is typically available only to Insured Persons – that is, individual directors and officers. It is typically not available to the corporate entity itself.

 

Because there may be possibilities to find at least some coverage under the D&O insurance policy, the law firm blog post suggests, “policyholders should not assume that simply because the fines imposed for failure to adhere to economic sanctions would not be covered, other associated costs incurred by the company in connection with the OFAC investigations also are not.” As the blog post concludes, it always pays to think carefully about coverage and to read the policy carefully.

 

In addition to possible coverage for sanction-related investigative costs, the D&O insurance could also become relevant in the event of a follow-on civil lawsuit asserting claims against company officials in connection with a sanctions investigation and penalty. As noted in an earlier post (here), there are examples of shareholders filing derivative lawsuits against company officials after the company has paid a sanctions-related penalty or settlement. The earlier post described a shareholder derivative lawsuit filed against the board of J.P. Morgan Chase after the company reached an $88.3 million settlement with OFAC. The company’s D&O insurance could be called upon to fund the defense of a claim of this type. In addition, the D&O insurance potentially could fund a settlement of the lawsuit as well, although, as I noted in my earlier post, there are some potentially interesting questions about the possibility of insurance funding the settlement of this type of claim.

 

On a different but somewhat related topic, in an earlier post (here) I examined the personal liability of corporate officials under U.S. import laws.

 

Petrobras Scandal Roils Brazilian D&O Market: According to a May 6, 2015 article in Global Insurance Intelligence (here), the Petrobras scandal (discussed in a prior post, here) is “forcing the insurance industry in Brazil to rethink how it supplies directors and officers liability insurance (D&O) cover amid fears that loss ratios to rise.”

 

In the wake of the Petrobras scandal, demand for D&O insurance is soaring as buyers are becoming aware of the need for the product. At the same time, a debate has emerged on the question whether the policy should protect those who have admitted to bribery or even those merely accused of bribery. At a minimum, loss ratios are sure to rise as the costs associated with the scandal spill through the insurance market. So, the article concludes, “the future of D&O in Brazil looks turbulent. Demand will increase, yet higher loss ratios could also become the norm. Insurers and reinsurers alike will need to tread carefully to balance these two factors.”