weilG2_Logo[1]On February 12, 2014, the National Institute of Standards and Technology (NIST), pursuant to an Executive Order from President Obama, released the first version of the Framework for Improving Critical Infrastructure (here), to identify standards and practices to promote the protection of critical infrastructure from cyberattack. In a recent speech, SEC Commissioner said that the NIST Framework is “likely to become a baseline for best practices by companies, including in assessing legal or regulatory exposure” to cybersecurity issues.

 

In the following guest post, Paul A. Ferrillo of the Weil Gotshal law firm and Tom Conkle of G2,Inc. take a detailed look at the NIST Framework and explain why the Framework is so important for companies and for their boards of directors. They also review the steps  companies can take to try to implement the Framework. (To see full-sized versions of the graphical images embedded in this post, please click on the images.)

 

I would like to thank Paul and Tom for their willingness to publish their guest post on my site. I welcome guest post submissions from responsible authors on topics of interest to readers of this site. Anyone interested in publishing a guest post should contact me directly. Here is Paul and Tom’s guest post:

*************************************************

 

Why the Cybersecurity Framework was created and why it is so important

Despite the fact that companies are continuing to increase spending on cybersecurity initiatives, data breachs continue to occur. According to The Wall Street Journal, “Global cybersecurity spending by critical infrastructure industries was expected to hit $46 billion in 2013, up 10% from a year earlier according to Allied Business Intelligence Inc.[i]” Despite the boost in security spending, vulnerabilties, threats against these vulnerabilities, data breaches and destruction persist.  To combat these issues, the President on February 12, 2013 issued Executive Order (EO) 13636, “Improving Critical Infrastructure Cybersecurity[ii].” The EO directed NIST, in cooperation with the private sector, to develop and issue a voluntary, risk-based Cybersecurity Framework that would provide U.S. critical infrastructure organizations with a set of industry standards and best practices to help manage cybersecurity risks.

In February 2014, through a series of workshops held throughout the country and with industry input, NIST released the “Framework for Improving Critical Infrastructure Cybersecurity” (“the Framework”)[iii]. For the first time, the Framework provides industry with a risk-based approach for developing and improving cybersecurity programs. It also provides a common language regarding cyber security issues to allow for  important discussions to take place between an organization’s “IT” people, and an organization’s “business” people, some of whom may cringe when hearing complicated terms like “APT” (Advanced Persistent Threat). Its common sense, “English language” approach allows an organization and its directors to both identify and improve upon its current cybersecurity procedures. Though the Framework was developed for the 16 critical infrastructure sectors, it is applicable to all companies – albeit at least today – on a voluntary basis.

What is the Cybersecurity Framework

The Framework contains three primary components: The Core, Implementation Tiers, and Framework Profiles. 

The Framework Core

nist implementation framework updatedThe Framework Core (“Core”) is a set of cybersecurity activities and applicable references established through five concurrent and continuous functions – Identify, Protect, Detect, Respond and Recover – that provide a strategic view of the lifecycle of an organization’s management of cybersecurity risk. Each of the Core Functions is further divided into Categories tied to programmatic needs and particular activities. The outcomes of activities point to informative references, which are specific sections of standards, guidelines, and practices that illustrate a method to achieve the outcomes associated with each subcategory.  The Core principles can be thought of as the Framework’s fundamental “cornerstone” for how an organization should be viewing its cybersecurity practices: (1) identifying its most critical intellectual property and assets; (2) developing and implementing procedures to protect them; (3) having resources in place to timely identify a cybersecurity breach; and (4) having procedures in place to both respond to and (5) recover from a breach, if and when one occurs.

The Framework Implementation Tiers

The Framework Implementation Tiers (“Tiers”) describe the level of sophistication and rigor an organization employs in applying its cybersecurity practices, and provide a context for applying the core functions. Consisting of four levels from “Partial” (Tier 1) to “Adaptive” (Tier 4), the tiers describe approaches to cybersecurity risk management that range from “informal, reactive responses to agile and risk-informed.”

The Framework Profile

The Framework Profile (“Profile”) is a tool that provides organizations a method for storing information regarding their cybersecurity program. A profile allows organizations to clearly articulate the goals of their cybersecurity program. The Framework is risk-based; therefore the controls and the process for their implementation change as the organization’s risk changes. Building upon the Core and the Tiers, a comparision of the Profiles (i.e. Current Profile versus Target Profile), allows for the identification of desired cybersecurity outcomes, and gaps in existing cybersecurity procedures.

 

Why Directors should care about the Framework

Tom Wheeler, Chariman of the Federal Communications Council (FCC), stated that an industry-driven cybersecurity model is preferred over prescriptive regulatory approaches from the federal government.[iv] Nonetheless, it continues to see successful attacks on critical infrastructure organizations.

At some point, if critical infrastructure organizations do not demonstrate that a voluntary program can provide cybersecurity standards that are the same as, if not better than, federal regulations, regulators will likely step in with new laws. In fact, according to SEC Commissioner Luis Aguilar, the Framework has already been suggested as a potential “baseline for best practices by companies, including in assessing legal or regulatory exposure to these issues or for insurance purposes. At a minimum, boards should work with management to assess their corporate policies to ensure how they match-up to the Framework’s guidelines — and whether more may be needed.”[v] If SEC or other proposed federal regulation of cybersecurity becomes a reality, implementing the Framework could be a mandatory exercise.  By choosing to act now, organizations have the benefit of more flexibility in how they implement the Framework. 

In addition to staying ahead of federal and state regulators and potential Congressional legislation, the Framework provides organizations with a number of other benefits, all of which support a stronger cybersecurity posture for the organization.  These benefits include a common language, collaboration opportunities, the ability to verifiably demonstrate due care by adopting the Framework, ease in maintaining compliance, the ability to secure the supply chain, and improved cost efficiency in cybersecurity spending. Though it would be Herculean to accurately summarize all benefits of the Framework and how to implement them, we pull out its key points below.

Common Language

The Framework, for the first time, provides a common language to standardize the approach for addressing cybersecurity concerns. As we have noted in other articles, including in June 2014 and July 2014, many cyber security principles are not intuitive. They are not based upon well-established principles that Directors (especially audit committee members) are used to hearing, like “revenue recognition.” The Framework allows for cybersecurity programs to be established and shared within an organization and to organizational partners using a common language. For example, the Framework allows for the creation of several types of Profiles: Profiles that provide strategic enterprise views of a cybersecurity program, Profiles that are focused on a specific business unit and its security, or Profiles that describe technologies and processes used to protect a particular system. Despite the number of Profiles that may exist for an organization, directors can quickly and easily understand how corporate guidance is implemented in each Profile since they have a standard language and format for describing an organization’s cybersecurity programs.  

Collaboration

NIST and participants from industry that assisted in the Framework development envision the Framework Profiles as a way for organizations to share best practices and lessons learned. By leveraging the common language and increased community awareness established through the Framework, organizations can collaborate with others through programs such as the Cybersecurity Forum (CForum)[vi]. CForum provides an online forum for organizations to share lessons learned, post questions regarding their cybersecurity challenges, and maintain the conversation to continually improve cybersecurity capabilities and standards.

Demonstrating Due Care

By choosing to implement the Framework (or some part of it) sooner rather than later,  organizations can potentially avoid the inevitable conclusion (or parallel accusation by a plaintiff’s attorney) that they were “negligent” or “inattentive” to cybersecurity best practices following disclosure of a cyber breach. Organizations using the Framework should be more easily able to demonstrate their due care in the event of a cyber attack by providing key stakeholders with information regarding their cybersecurity program via their Framework profile. At the same time, Directors can point to their request that the organization implement the Framework in defense of any claim that they breached their fiduciary duties by failing to oversee the cyber security risk inherent in their Organization.

Maintaining Compliance

Many critical infrastructure organizations are required to meet multiple regulations with overlapping and conflicting requirements. In order to avoid fines and additional fees from regulatory bodies, many operators are forced to maintain multiple compliance documents describing how the organization is complying with each requirement. The standard developed by the Framework enables auditors to evaluate cybersecurity programs and controls in one standard format eliminating the need for mulitple security compliance documents.

Knowing your Supply Chain

The Framework also provides an opportunity for organizations to better understand the cybersecurity risks imposed through their supply chains. Organizations purchasing IT equipment or services can request a Framework profile, providing the buying organization an opportunity to determine whether or not the supplier has the proper security protections in place. Alternatively, the buying organization can provide a Framework profile to the supplier or vendor to define mandatory protections that must be implemented by the service provider’s organization before it is granted access to the buying organization’s systems.

Spending Security Budgets Wisely

In an environment where cyberthreat information is not readily available, organizations struggle with understanding how much security is enough security, leading to organizations implementing unnecessary cybersecurity protections. Through the use of the Framework, standards for care can be established for each critical infrastructure sector. Organizations can leverage these standards to determine the appropriate level of security protections required, ensuring efficient utilization of security budgets.

nist framework benefits updated

The diagram above provides questions to help determine if and how an organization can benefit from implementing the Framework. Discussing these questions and their responses will help organizations determine how well their current cybersecurity efforts are protecting them against cyber attacks.  Based on the answers to these questions, they will better understand which of the benefits presented in this article will apply to their organization should they implement the Framework. 

Where do you start with implementing the Framework?

A major challenge in adopting the Framework is simply getting started. Organizations typically have limited resources and familiarity with the Framework to help them leverage their existing cybersecurity, compliance and audit programs, policies and processes.

At a minimum, directors and their management should become familiar with the Framework. Additionally, directors (or some committee thereof) should have a deep discussion with management about the organization’s Implementation Tiers. The Implementation Tiers allow an organization to consider current risk management practices, the threat environment, legal and regulatory requirements, business/mission objectives, and organizational constraints.

Educating managers and staff on the Framework to ensure all organizations are on the same page is also an important step toward the successful implementation of a robust cybersecurity program. The previously mentioned CForum is a source for success stories, lessons learned, questions and information useful to organizations implementing the Framwork. This information about existing Framework Implementations may help organizations with their own approaches. Additionally, organizations can seek out cybersecurity service providers skilled in helping organizations with the education, awareness and planning required to implement the Framework across an entire enterprise.

Though “voluntary,” it cannot be overstated that the Framework is “a National Standard” developed with input from industry experts, collaborators and businesses with years of cyber experience. As stated by the Chairman of the House of Intelligence, Mike Rogers, “there are  two kinds of companies. Those that have been hacked and those that have been hacked but don’t know it yet.[vii]” Given that it is almost inevitable that an organization will be hacked, there will be a time and a place where it may need to demonstrate to customers, investors, regulators, and plaintiff’s attorneys that it gave thought to, and implemented, cyber security measures in order to defend its most critical intellectual property assets, or its most critical business and customer information. Implementing the Framework will not only allow organizations to improve cyber security measures, but also to effectively demonstrate due care.

About the Authors: Tom Conkle is the commercial services lead for G2, Inc. He assists clients in developing and improving their cybersecurity programs based on their risk tolerance through the use of the Cybersecurity Framework developed by NIST. Paul Ferrillo is Counsel in the Securities Litigation practice of Weil, Gotshal & Manges LLP in New York City.

 

[i] Companies Wrestle With the Cost of Cybersecurity, February 25, 2014, available at http://online.wsj.com/news/articles/SB10001424052702304834704579403421539734550.

[ii] Executive Order 13636 of February 12, 2013, Improving critical Infrastructure Cybersecurity, available at http://www.gpo.gov/fdsys/pkg/FR-2013-02-19/pdf/2013-03915.pdf.

[iii] The National Institute of Technology and Standards (NIST) “Framework for Improving Critical Infrastructure Cybersecurity version 1.0”, February 12, 2014, available at http://www.nist.gov/cyberframework/upload/cybersecurity-framework-021214.pdf.

[iv] (Sarkar, 2014), available at http://www.fiercegovernmentit.com/story/fcc-chairman-pitches-new-industry-driven-regulatory-model-enhance-cybersecu/2014-06-13.

[v] See “Boards of Directors, Corporate Governance and Cyber-Risks: Sharpening the Focus,” available at http://www.sec.gov/News/Speech/Detail/Speech/1370542057946.

[vi] The Cybersecurity Forum (CForum) is a not-for-profit, publically available site dedicated to the evolution and implementation of the Cybersecurity Framework, available at http://Cyber.securityFramework.org.

[vii] Graham, Scott, Interview: Greg Toughill, DHS, USA on Cybersecurity, July 28, 2014, available at http://www.globalgovernmentforum.com/brigadier-general-greg-touhill-cybersecurity-department-of-homeland-security-interview/.

roadDue to a combination of favorable circumstances, the number of companies completing initial public offerings is currently at the highest level in years. According to a recent study from Cornerstone Research (here), with the 112 IPOs in the first half of 2014, IPO activity is on pace to increase for the third consecutive year. IPO activity just in the first six months of 2014 equaled 71 percent of total IPO activity in 2013 and exceeded the full years 2009, 2010, 2011 and 2012. The favorable IPO environment has encouraged even more companies move toward an IPO. However, for a company starting down the road toward an IPO, there are a number of risks. Among other things, pre-IPO companies face increased risks of liability and claims, particularly when the planed IPO fails to launch.

 

A recent case filed in New York (New York County) Supreme Court illustrates the kinds of “failure to launch” claims that pre-IPO companies can face. Although the case involves somewhat unusual circumstances specific to the defendant company involved, it does provide an example of a claim arising from a pre-IPO company’s failure to complete its planned IPO.

 

According to the plaintiff’s August 1, 2014 complaint (which can be found here), defendant Westergaard.com is a Delaware corporation with its principal place of business in Fujian, China. In 2011, Westergaard completed a private placement that provided for “automatic redemption” of the units sold in the placement if the company failed to complete an IPO at an offering price of $3.00 or greater within two years of the private offering’s closing date. The redemption amount was specified as $3.00 per share. The complaint alleges that private placement transaction closed on October 24, 2011, but that the company did not complete an IPO within two years of that date nor has it yet completed an IPO. The plaintiff is assignee of investors who had purchased units in the private placement. The plaintiff filed the action as assignee to enforce the redemption provisions in the private placement agreement, as well as to recover its costs of collection.

 

This lawsuit is obviously a reflection of the specific features of the private placement agreement in which the company had undertaken to redeem the units it had sold in the private placement if it did not complete an IPO within two years of the private placement closing.  But while the particulars of this claim may reflect the specific circumstances of the company involved, the situation nevertheless does illustrate how a pre-IPO company’s failure to launch can lead to claims from disappointed investors. To see an earlier example of a situation where claims arising out of a company’s pre-IPO activities arose out after a company’s planned IPO failed to launch, refer here.

 

Because of the possibility of failure to launch claims and other concerns, it is very important that a company contemplating a future IPO structure its D&O insurance coverage to take into account the increased risks and exposures involved with its planned IPO – even if the company does not ultimately complete its IPO.  In that regard, however, this specific case may not be the best example, as the kind of breach of contract claim asserted against an entity defendant likely would not be covered under the typical private company D&O insurance policy. This case does show how pre-IPO activities can give rise to claims, and therefore underscores the importance of taking these kinds of risks into account when structuring the D&O insurance coverage for a Pre-IPO company.

 

One particular concern is the securities offering exclusion found in most private company D&O policies. The pre-IPO company would not want this exclusion to sweep so broadly that it would preclude coverage for claims arising out of the company’s pre-IPO activities. If the company were to fail to complete its planned IPO, the company’s private company D&O insurance policy is the one that would respond to any claims that might arise, so it is very important that the securities offering exclusion is written a way that any “failure to launch” and other claims would not be precluded from coverage. Ideally, the securities offering exclusion would not go into effect unless and until the company actually completes an IPO, at which point the company should have put in place a public company D&O insurance policy to provide liability insurance against the company’s activities as public company.

 

When a company is on a trajectory toward an IPO, there is a natural tendency to focus on the liability exposures the company will face after it goes public. But the process leading up to the IPO often involves circumstances that can create their own set of risks and exposures. As a company readies itself to go public, it often restructures its operations, its accounting, its debt, or other corporate features. The company also makes pre-offering disclosures, for example, in road show statements. The process creates expectations that can create their own set of problems. All of these changes, disclosures and circumstances potentially can lead to claims, particularly  if the offering does not go forward.

 

Often pre-IPO company management is reluctant to take the time to address D&O insurance issues at the appropriate time before the company is deep into the IPO process. But claims can and do arise involving companies’ pre-IPO activities. The significance of the pre-IPO period in a company’s life cycle underscores the importance of having a skilled and experienced insurance professional involved well before the time of the IPO. 

 

singaporeOn August 21, 2014, the Professional Liability Underwriting Society (PLUS) will be hosting a regional professional liability symposium in Singapore. This dinner event, which will be held at the Singapore Cricket Club, marks the second year that PLUS has hosted an educational and networking event in Singapore, building on its 25+ year history of hosting industry-leading events in the professional liability market worldwide. The keynote speaker at the event will be Chelva Rajah of the Tan Rajan & Cheah law firm, whose remarks are entitled “Tales from the Corporate Crypt.” I will also be making a presentation at the event entitled “Latest Global and U.S. Trends in D&O Liability Insurance: What’s Hot, What’s Cold!”

 

I already know for talking to friends throughout the region than many industry professionals are planning on attending this event. I hope that all of my readers and friends in the region will be there and will encourage others to attend as well. Details about the event, including registration information, can be found here.

globalreach1One of the most distinctive aspects of the current global regulatory environment has been the increasing willingness of U.S. regulators to try to project U.S. enforcement authority outside the U.S. The cross-border assertion of U.S. regulatory authority has taken place across a broad range of regulatory and compliance issues, including, for example, antitrust, trade sanction, and taxation enforcement as discussed here.

 

One area where the U.S. regulators’ cross-border reach has been most pronounced has been with respect to anti-bribery enforcement.  A July 30, 2014 memorandum by Demme Doufekias and Adam J. Fleisher of the Morrison & Foerster law firm entitled “The Long-Arm of the FCPA: Former BizJet CEO Arrested in Amsterdam, Pleads Guilty in Oklahoma” (here) takes a look at a recent instance where U.S. prosecutors projected their reach outside of the country in order to enforce U.S. antibribery laws. The memo also reviews the many recent instances where the U.S. authorities have reached across the country’s borders to enforce the Foreign Corrupt Practices Act (FCPA). The memo highlights the fact that this cross-border reach is not limited just to FCPA enforcement.

 

The primary focus of the law firm memo is the recent prosecution of Bernd Kowalewski, the former president and CEO of BizJet International Sales and Support, Inc., a U.S.-based subsidiary of Lufthansa Technik AG. The company had its headquarters in Tulsa, Oklahoma. As discussed in the U.S. Department of Justice’s July 24, 2014 press release (here), the DOJ alleged that Kowalewski and three other BizJet officials had engaged in a conspiracy to violate the FCPA by paying bribes to government officials Mexico and Panama, in order to obtain aircraft maintenance contracts in those countries.

 

In 2012, two of the four BizJet officials who were under indictment for the alleged bribery pled guilty to FCPA violations. However, the charges and the guilty pleas were all kept under seal at the DOJ’s request, because, as it was later revealed, the DOJ was trying to locate and arrest Kowalewski and one other BizJet official, who were by then living outside of the U.S. According to the DOJ press release, Kowalewski ultimately was arrested by authorities in Amsterdam on March 13, 2014 on a provisional arrest warrant. He waived extradition on June 20, 2014, and on July 24, 2014, he entered a guilty plea in the Northern District of Oklahoma to conspiracy to violate the FCPA and to one substantive violation in connection with a scheme to pay bribes. The fourth BizJet official remains as a fugitive and is believed to be living abroad.

 

The press release quotes a DOJ official as saying that “though he was living abroad when the charges were unsealed, the reach of the law extends across U.S. borders, resulting in Kowalewski’s arrest in Amsterdam and his appearance in court today in the United States.”  (Emphasis added). Another official is quoted as saying that Kowalewski’s arrest was the result of “investigators and prosecutors …work[ing] together across borders and jurisdictions to vigorously enforce” the FCPA.

 

As the law firm memo states, the government’s approach in the BizJet case shows “the lengths to which the DOJ is willing to go to track, arrest and extradite U.S. and foreign nationals abroad to face FCPA charges in the United States.”’ International businesspeople that depend on their ability to travel “should not be lulled into a false sense of security as a result of their status as foreign nationals or the fact that they live outside the United States.” The memo notes further than individuals involved in FCPA investigations “must be aware that silence from the government may simply be the result of the DOJ striving to keep its enforcement efforts under wraps.”

 

The U.S. government, the memo notes, has a number of means to use to try to apprehend foreign nationals residing outside the U.S. The U.S. can seek to have the individual arrested by going through INTERPOL. The U.S. can try to lure the individual back to the U.S. or simply establish a border watch to alert law enforcement officials if the individual presents himself or herself at the U.S. border. The DOJ can also seek provisional arrest warrants and pursue extradition of individuals from other countries pursuant to extradition treaties.

 

Given the “growing cooperation between U.S. and foreign authorities” on anti-bribery enforcement , the likelihood is that the DOJ’s efforts will be successful, “ensuring that individuals being investigated or charged with FCPA violations or other crimes will not be able to evade the long arm of the U.S. government simply by remaining abroad.”

 

The law firm memo notes that the Kowalewski case is “only one of a growing list of examples where the DOJ has been able to bring individuals living abroad back to the U.S. to face criminal charges.” The memo cites the example of Frederic Pierucci, a French citizen and former official of the French company Alstom SA, who was arrested when his plane landed at JFK Airport in New York, in connection with alleged bribing of Indonesian government officials. The memo cites other examples where foreign nationals were arrested outside of the U.S. and extradited to the U.S. by the governments of the countries where the individuals had been arrested. To be sure, the DOJ is not always successful in apprehending fugitives in FCPA cases. The memo cites to a lengthy list of FCPA fugitives who remain at large. However, the recent events “nevertheless display DOJ’s resolve in pursuing foreign fugitives.”

 

The memo emphasizes that FCPA cases are not the only area where the DOJ has been successful in bringing foreign nationals and others residing outside the United States back to the country to face charges. The memo cites the example of the DOJ’s April 2014 success in extraditing a foreign national to the United States to stand trial for alleged violations of the criminal antitrust laws. The case involved an Italian national and former official of an Italian company who had been under indictment in the U.S. since 2010 for alleged violations of the Sherman Antitrust Act. The individual was extradited to the U.S. from Germany.

 

The law firm memo emphasizes the lengths to which the U.S. authorities will go to bring individuals charged with violations of U.S. laws back to the U.S. to fact prosecution. However, these efforts are just part of the larger U.S. effort to project the enforcement of its laws outside of the country. As discussed here, U.S. authorities are actively asserting their authority outside of the country in a number of different areas, including securities, trade sanctions, taxation, and drug safety. In that regard, it is probably worth noting that though the BizJet case involved alleged misconduct by a U.S. domiciled business operation, many of the examples cited in the law firm memo not only involved foreign nationals, but alleged misconduct that took place outside the U.S. and involving companies domiciled outside the U.S. As the DOJ official quoted in the press release linked above put it, “the reach of the law extends across U.S. border.”

 

One of the reasons the law reaches across borders is the increasing levels of cooperation among regulatory authorities. The willingness of foreign governments to arrest and extradite foreign individuals is one of the key components of the ability of U.S. authorities to bring these individuals to justice in the U.S.

 

It should be noted that the U.S. government is not the only one to extend the enforcement of its laws through cooperation with other governments. To cite but one recent example, on July 24, 2014, the UK Serious Fraud Office recently announced that it had brought corruption charges against the UK subsidiary of Alstom in connection with transportation projects in India, Poland and Tunisia. The UK investigation commenced because of information provided to the SFO by the Office of the Attorney General of Switzerland. The company has already been fined for related activities by the Swiss government. Other recent examples of extensive cross border cooperation include the recent investigation of the alleged manipulation of the Libor benchmark.

 

The increased activity of regulatory authorities around the world had important implications for companies and their officials. While this activity can mean that companies face a heightened risk of regulatory scrutiny, risks these companies face may also include the possibility of regulatory and enforcement action by U.S. authorities. As the law firm memo underscores, U.S. regulators are actively asserting their authority outside of the U.S. In an environment where there already is a growing perception of increasing regulatory risk, the U.S. authorities’ vigorous assertion of regulatory authority outside the U.S. represents a particularly hazardous part.

 

These developments not only have important compliance implications for many non-U.S. companies. They also raise important issues about the liability exposures of the potentially affected companies as well as for their directors and officers. The liability exposures include not only the potential regulatory and enforcement risk but also the possibility of follow on civil actions, brought by shareholders or others. The “others” that might bring claims include supervisory board members in those jurisdictions with the dual-board structure.

 

These issues in turn have important D&O insurance implications. The issues also present a particularly difficult challenge for D&O insurance underwriters involved in underwriting companies outside the U.S. as they must attempt to understand and anticipate these kinds of actions from U.S. regulators and how they may affect the companies under consideration. Emerging issues involving the enforcement of trade sanctions laws and the Foreign Account Tax Compliance Act (FATCA) highlight the potential significance of these challenges. Questions regarding the cross-border enforcement of regulatory authority are likely to remain both difficult important in the months ahead.

 

London PLUS Symposium on the Dangers of Cross-Border Enforcement: In light of the kinds of concerns I have noted above, an upcoming Professional Liability Underwriting Society regional symposium to be held in London is particularly topical and timely. The luncheon event, which is entitled “Dangers of Long Arm Enforcement in a World Without Borders” will take place on Monday, September 29, 2014, at Gibson Hall in London. I will be presenting at the event on the topic of “The Dangerous Cross-Border Regulatory Environment.” The event keynote speaker will be the author and consultant David Bermingham, who is best known as one of the NatWest three, and who will presenting his own personal perspective on cross-border enforcement based on his extradition to the U.S. on charges related to the Enron scandal. Following the keynote address, Bermingham and I will discuss the evolving challenges in an increasingly global regulatory environment.

 

Background regarding the event, including registration information, can be found here. I have participated on a panel with David Berminham in the past, and I can assure everyone that this will be a lively and interesting event. I hope all of my UK readers and friends will plan on attending.

 

031aThe long-running and ever-popular D&O Diary mug shot show may just about have reached the end. I have only three remaining unpublished mug shots, which I have been holding onto for a while in the hope that perhaps some other readers might send in the pictures. But I don’t want these pictures to get stale, so I have published below this short form mug shot gallery. It is entirely possible that these pictures may be the last in the series.

 

Readers will recall that early last year , I offered to send out a D&O Diary coffee mug to anyone who requested one – for free – but only if the recipient agreed to send me back a picture of the mug and a description of the circumstances in which the picture was taken. In previous posts (here, here, here, here, here, here, here, here , here, here, here, here, here, here, here, here and here), I published prior rounds of readers’ pictures. I have posted the latest round of readers’ pictures below.

 

The first pictures in this collection come to us from Peter Hui of ACE USA in New York. The first picture, which was taken in early July, depicts a sunny scene in New York’s Bryant Park. The second picture is taken from an office overlooking Times Square.

 

bryntparksmall[1]

 

 

 

 

 

 

 

 

 

 timesquaresmall[1]

 

 

 

 

 

 

 

 

 

The next picture was taken in Brazil by Guido Cosenza of A.J. Gallagher in Glendale, CA. Here is Guido’s description of his picture: “I had the privilege of attending the World Cup in Brazil and one of the matches I attended was the quarterfinal match between Argentina and Belgium in Brasilia. My colleague, Ryan Davis, had ordered a D&O Diary mug from you so I grabbed it from his desk before I left and took it with me to Brazil. Attached is a picture inside the stadium about 2 hours before kickoff. I know you are a big futbol fan so I’m sure you’ll enjoy it.”

 

worldcupsmall[1]

 

 

 

 

 

 

 

Thanks to Peter and Guido for their great pictures. Guido, you are right, I really did enjoy your picture (and I am deeply envious of you for having been able to attend the World Cup).

 

My thanks to everyone sent in a mug shot. It has been great fun receiving the pictures and seeing the amazing diversity of locations where people took their mug shots. There is still time for anyone who still wants to send along their own mug shot; nothing would make me happier than to be able to publish another round of pictures.

 

Cheers to everyone who helped make this series so much fun.

 

029a

montanaAs part of our beat here at The D&O Diary, we read a lot of judicial opinions. We like nothing better than to read an appellate opinion where a dissenting justice and the majority really mix thing up. For that reason alone, we read the recent insurance coverage decision out of the Montana Supreme Court with great interest. But regardless of how you feel about spirited dissents, if you find the Court’s majority’s conclusion that a management liability insurer’s duty to defend appropriately may be determined without reference to the allegations in the underling complaint or to the terms of policy as surprising as we do, read on.

 

The Montana Supreme Court’s August 1, 2014 opinion in the Tidyman’s Management Services, Inc. v. Davis case can be found here.

 

Background

The dispute underlying this insurance coverage action arises out of a merger between Tidyman’s Management Services, Inc. (TMSI) and SuperValu, which created Tidyman’s LLC. Employee shareholders own TMSI. In January 2007, certain of the employee shareholders filed a federal court lawsuit alleging that in connection with the merger the TMSI directors and officers had breached their duties under ERISA. They also alleged that the individual defendants had breached their corporate fiduciary duties. The plaintiffs eventually settled with all of the individual defendants except Michael A. Davis and John Maxwell. After the settlements, the federal court judge dismissed the federal court action without prejudice after declining to exercise supplemental jurisdiction.

 

The plaintiffs then filed a separate action in Montana state court against Davis and Maxwell. In their state court complaint, the plaintiffs added TMSI as a party plaintiff and filed their action against the two individuals in their capacities as directors and officers of the LLC – of which TMSI was a member. As the dissenting opinion later summarized with respect to the insurance coverage implications of this state court complaint, “(1) five of the plaintiffs here are directors of the insured (Tidyman’s LLC) and they have sued defendants Davis and Maxwell, who are also directors of the LLC; and (2) plaintiff TMSI, as a 60 percent security holder of the LCC, brought this lawsuit against two directors of the LLC (Davis and Maxwell) with the assistance of other insureds (five plaintiffs who are also directors of the LLC).”

 

The relevant directors and officers insurance policy had been issued to Tidyman’s LLC in 2006. During the pendency of the federal court litigation, the insurer funded the defense of Davis and Maxwell under the policy. On August 5, 2010, after the state court litigation commenced, a claims representative for the insurer sent counsel for Davis and Maxwell a letter stating that in light of the policy’s Insured v. Insured exclusion, the state court complaint “does not implicate the policy.”  On August 12, 2010, after counsel for Davis and Maxwell received the coverage letter, the plaintiffs amended their complaint in the state court action and added the insurer as a defendant, seeking a declaratory judgment that the state court claims against Davis and Maxwell are covered under the policy. In September 2010, the insurer moved to dismiss the claim that had been filed against it.

 

During the fall of 2010, counsel for Davis and Maxwell made several attempt to reach the insurer to clarify whether or not the insurer would continue to find the defense for the two individuals. On October 28, 2010, a representative for the insurer advised counsel that “since there is no coverage, [the insurer] is not going to continue to pay the costs of defense in this matter.”

 

The individual defendants entered a stipulation reciting the insurer’s refusal to defend, specifying the $29 million in damages sought in the state court lawsuit, assigning the individual defendants’ rights under the policy to the plaintiffs, and agreeing that the plaintiffs would not seek to execute any judgment against the assets of the two individual defendants. After the first of the two stipulations had been reached, a representative of the insurer sent the defense counsel a letter referring to “changes” in the insurer’s position, and stating that the insurer would continue to advance defense costs subject to a reservation of rights. The insurer later claimed that at no time did it actually withhold payment of the individuals’ defense expenses.

 

The plaintiffs then moved for summary judgment against the insurer, alleging that the insurer had breached its duty to defend and therefore was liable for the full amount of the stipulated settlement. The insurer filed a motion for summary judgment on the grounds that the plaintiffs’ claims were not covered under the policy and that the plaintiffs lacked standing. On January 4, 2013, the trial court judge granted the plaintiffs’ motion for summary judgment and entered judgment in the full amount of the stipulated settlement, and awarded prejudgment interest. The insurer appealed.  

 

The August 1, 2014 Opinion

In an August 1, 2014 majority opinion written by Justice Michael E. Wheat, the Montana Supreme Court affirmed the trial court’s grant of summary judgment on the issue of whether or not the insurer had breached its duty to defend, but reversed and remanded the case on the issue of the reasonableness of the amount of the judgment. Justice Laurie McKinnon concurred with respect to the majority’s rulings on choice of law and prejudgment interest issues, but dissented from the court’s rulings on the duty to defend and part of the court’s rulings on the amount of the judgment.

 

The insurer had argued on appeal that the trial court erred in concluding that the insurer had breached its duty to defend without analyzing policy coverage. As the majority opinion put it, the insurer “attempts to persuade us to impose a requirement that a district court must analyze policy coverage before finding breach of a duty to defend,” noting that the dissent would accept that argument. The Court said that “our case law, however, makes it clear that the threshold question, instead, is whether the complaint against the insured alleges facts that, if proven, would trigger coverage.”

 

It doesn’t matter, the court said, that whether the claims against Davis and Maxwell were the same in the state and federal lawsuits, “all that matters is whether [the insurer] was on notice that the Policy was potentially implicated.” The Court concluded that the “facts” show that the insurer was on notice that the policy was potentially implicated. The “facts” that the Court cited were that the insurer had defended the two individuals in the federal court lawsuit; that the insurer had sent a letter after the state court lawsuit was filed that “there is no longer coverage under the Policy” (which the Court read to mean that there had been coverage before); and that the carrier later withdrew its coverage denial and agreed to defend under a reservation of rights. The Court noted that “where the insurer itself recognized the complaint potentially implicated the Policy and required it to provide a defense, we can see no need for further analysis to conclude that the duty to defend was invoked.’

 

In explaining its ruling, the Supreme Court said “if we were to hold the District Court in error for failing to analyze coverage, as the Dissent urges, we would be providing insurers with an avenue to circumvent the clear requirement imposed by our precedent that where the insurer believes a policy exclusion applies, it should defend under a reservation of rights and seek a determination of coverage through a declaratory judgment action.” The carrier “took its chances” by refusing to defend the individuals and cannot avoid liability for the stipulated settlement “by attempting to convince this Court it was necessary to analyze coverage under the Policy before determining it had breached its duty to defend,” when the proper approach is to defend under a reservation and filed a declaratory judgment action. Since the carrier “unjustifiably refuse to defend, it is now estopped from denying coverage.”

 

The majority did agree with the insurer that the trial court had improperly refused to hold an evidentiary hearing on the reasonableness of the amount of the $29 million stipulated settlement. The appellate court remanded the case for further consideration of the reasonableness of the settlement amount. However, the majority rejected the insurer’s argument that the evidentiary hearing should also address the issue of whether the settlement was collusive. Finally, the majority also concluded that the trial court had not properly calculated the application of prejudgment interest.

 

The starting point for the dissent was that the majority had “failed, in a fundamental respect, to appreciate the difference” between the type of reimbursement insurance policy involved here and the “more common form of casualty insurance,’ such as automobile or homeowners insurance. This error caused the Court to disregard Montana precedent and to hold that the carrier had a duty to defend “without examining whether the plaintiffs’ complaint alleged facts representing a risk covered by the terms of the Policy.” In essence, the dissent said, the court denied “the insurer the right to contest a duty to defend in these proceedings by holding that the insurer should have brought a separate action to determine coverage.” We thus, the dissent said, “foreclose the insurer from having a judicial determination of the existence of a duty to defend, which is distinct from a duty to indemnify, based on an actual examination of the allegations of the complaint and the terms of the Policy.”

 

 

The majority, the dissent said, found “without any examination of the Policy or the instant complaint” that the insurer had a duty to defend because the complaint “potentially implicated” the Policy. The dissent said, “I disagree that with what appears to be a new standard for determining the existence of a duty to defend when we previously have been clear that a duty to defend may be found only after examining the allegations of the particular complaint to determine whether facts have been alleged representing a risk covered by the terms of the insurance policy.”

 

The “crux’ of the majority’s confusion is the “false notion” that the pleadings in the subsequent state court lawsuit were the same as in the federal court lawsuit. The dissent showed by its analysis of the allegations in the state court complaint (which I recited above) that the state court complaint appeared to involve allegations of insured persons against insured persons, in apparent contravention of the Policy’s insured vs. insured exclusion. “We cannot” the dissent said, “hold the insurer liable for the stipulated judgment in the absence of some examination of the Policy and of the complaint.”

 

The dissent then noted that even if there were a duty to defend here, there is a substantial factual question about whether the duty was in fact breached. The dissent cited evidence that the insurer had presented showing that the insurer had continued to pay the defense expenses throughout the proceedings. The dissent argued that there were at least sufficient disputed facts to preclude summary judgment. The dissent said that the majority had instead chosen to credit only the plaintiffs’ allegations. The Court’s approach, the dissent said, was “clearly in error,” adding that “it is inappropriate for a court deciding a motion for summary judgment to weigh evidence, to choose one disputed fact over another, or to assess the credibility of witnesses.”

 

Finally, the dissent disagreed that the facts as alleged by the insurer did not create a genuine issue of material fact on the issue whether the stipulated settlement was collusive. The dissent added that “I find it truly a sad day for justice in this State and very likely a huge blow for the public’s belief that the courts provide fair resolution of disputes, when this Court dismissively says ‘so what’ to a stipulated judgment that allegedly was obtained by collusion.” The dissent finished by adding that “Courts exist to administer justice fairly, regardless of whom and what a particular party represents. In my opinion, there is never a place for collusion in the administration of justice.”

 

Discussion

There is no doubt that the insurer mismanaged its communications during the period after the state court complaint was filed, and that the mismanagement occasioned some of the problems that followed for the insurer.  (And in fairness, for blogging purposes I have compressed the retelling of events, which arguably may have the effect of oversimplifying). But all of that said, it is a surprising proposition that a court might appropriately determine that a carrier has a duty to defend a lawsuit without either reviewing the allegations in the lawsuit or the provisions of the policy. The majority’s idea that somehow the insurer was obligated to defend the state court lawsuit — without any reference to what the state court lawsuit alleged — because the insurer had defended the prior federal court lawsuit is a truly odd proposition.

 

Based only on the appellate opinions, I have no way of knowing for sure whether or not the carrier was correct in disputing coverage for this claim. But based on the recitation of the facts in the dissenting opinion, there certainly does seem to be a sufficient basis upon which the question of coverage appropriately might be raised. The rather nonsensical effect of the majority opinion’s ruling is that it is entirely possible that the court has concluded that the insurer has breached a duty to defend in connection with a claim for which there is no coverage under the policy. The majority seems to think that this doesn’t matter.

 

The real problem I have with the majority’s conclusion is that it seemingly flies in the face of the usual “eight corners”  analysis by which the insurer’s duty to defend is to be determined. Under this approach, the duty to defend is determined by looking within the four corners of the complaint and the four corners of the policy. Even in those jurisdictions that do not follow the eight corners rule because they require insurers to consider factors still considered critical to the analysis. The majority here seems to suggest that what is within the eight corners may not even be relevant to the analysis, which is a surprising conclusion, to say the least. The majority opinion’s analysis also seems to fly in the fact of the usual rule that coverage cannot be created by estoppel.

 

The insurer did at least win the right to try to challenge the reasonableness of the amount of the stipulated settlement. However, I am troubled by the dissent’s comments about the refusal of the majority to allow the insurer to argue that the settlement was collusive. I do not know what the actual facts are here and I have no basis on which to suggest that any of the parties acted collusively. However, I have seen enough of these kinds of deals in my life and I share enough of the same concerns of the dissent that I completely agree that the factual issue of whether or not there was collusion should be subject to an evidentiary review.

 

While I think the majority here is confused in general, I also agree with the dissent that the majority was specifically confused about the differences between the type of management liability policy here –where the carrier reimburses the policyholder for the costs of defense –and the typical policy liability policy, where the insurer has the duty to provide the actual defense. This distinction mattered in this case. If the insurer continued to fund the defense throughout these proceedings, then there was no breach of the insurer’s defense duties, regardless of what the carrier said in its various communications. The dissent appears to be correct by saying that the insurer has raised a genuine issue of material fact on this issue.

 

Whatever else might be said about this decision, I know for sure that insurers doing business in Montana are going to struggle with the “potentially implicated” standard for the duty to defend, particularly if the question whether or not the standard has been met can (as apparently seems to be the case) be decided without reference either to the allegations in the complaint or the terms of the Policy. I am sure that hands will be smacking foreheads in insurers’ claims department around the country about this decision.

 

Time for Nominations to the ABA Journal’s Annual Blawg 100: It is once again time for nominations to the ABA Journal’s annual list of the top 100 law blogs. Everyone should take a moment to nominate their favorite law blogs for inclusion in the list. I would be humbled and grateful if any reader would be willing to nominate my blog. Nominations can be made here. Don’t delay, nominations are due by 5:00 pm EDT on Friday August 8, 2014. 

 

latinamericaAmong the features of the U.S. legal system that foreign observers often single out for concern is the availability of class action litigation procedures. The fact is, however, that many countries around the world have adopted some form of class action procedure, at least for consumer-oriented litigation. According to a recent report, Latin America is among the regions where many countries have adopted differing local versions of class action procedures. However, in adopting class action procedures, these Latin American countries have not followed the U.S. class action litigation model, but rather have tended to model their approach on the procedures first adopted in Brazil.

 

According to a second recent report, the fact that the Latin American countries have in the past looked to Brazil may be a cause for concern in light of certain proposed legislative revisions to the Brazilian procedures that are now pending.

 

The first of these two August 2014 reports, which is entitled Following Each Other’s Lead: Law Reform in Latin America, and which provides an overview of class action procedures in Latin America, can be found here. A Spanish language version of the report can be found here. The second of the two reports, which is entitled Class Action Evolution: Improving the Litigation Environment in Brazil and which takes a look at the development of class action procedures in Brazil and analyzes pending legislative proposals to revise those procedures, can be found here. A Portuguese language version of the report can be found here.

 

Together these two reports, issued by the U.S. Chamber of Commerce Institute for Legal Reform “highlight the growing danger of litigation abuse in Latin America,” according to the Institute’s August 5, 2014 press release describing the reports.

 

 

According to the first of these two reports, several Latin American countries, following the Brazilian model, have adopted some form of class action procedures. Legislation allowing class actions for damages has been enacted in Chile, Colombia, and Mexico. What the report describes as “de facto class actions” exist in other countries, such as Argentina and Costa Rica. There is legislation pending now in several countries to create a new class action system or to modify existing legislation, for example, in Argentina, Brazil, Costa Rica, Ecuador, and Mexico. The report reviews the current state of play in each of these countries.

 

According to the report, the pending changes in these various countries could impact the litigation risk environment in those countries for years to come. For that reason, the first of these two reports advocates that “businesses should take it upon themselves to monitor these developments as they arise,” and advocates further that as proposed changes are under consideration “private industry should express its concerns, not to hinder development of the law, but to ensure a level playing field for all members of society.”

 

While these reports are written as advocacy, they provide some balanced consideration of the role of class action litigation in a system of civil justice. The reports acknowledge that in some countries around the world, the need for greater access to justice is a fact. Accordingly, the first of the two reports states that “there is a strong argument in some countries that class actions … would improve access to justice,” adding that “in those places, it is simply not credible to oppose the creation of a class action mechanism.” However, the report also notes, “it is fair and appropriate to oppose class action systems that change the meaning of justice under the guise of creating access to it. If a claim is not viable individually, it should not become viable simply because it is joined with other claims.”

 

The system currently in place in Brazil, which has served as the starting point for the approach to class action procedures in other Latin American countries, has, according to the reports, its positive features, although the report notes that  the addition some form of class certification procedure would be even more beneficial. The report notes that one of the positive elements of the U.S. class action system is that it provides a tool for settling mass claims. Without a class certification mechanism, the Brazilian model involves a two-step process wherein liability may be established on a class wide basis in the first phased, but damages must be established in the second phase in a series of individual cases, with no means to settle the cases collectively.

 

For that reason, there are good grounds  for Brazil to look into reforming its procedures, and indeed there are proposals to reform the Brazilian procedures pending in that country’s  legislature. However, as the second of these two report notes, rather than address the areas where legislative reform could introduce some improvements, the reform proposals now under consideration in Brazil are focused on “providing additional tools for plaintiffs to succeed rather than improving the existing law to make it more faire and reasonable.” The current reform proposal, known as Bill 282, “seems to be inspired not only by the assumption that class actions should become more popular, but that they should invariably result in judgments favorable to plaintiffs.”

 

According to the reports, the Brazilian reform bill and other pending measures if adopted would, among other things, essentially allow for nationwide class actions, grant standing to political parties, allow the judge to shift the burden of proof at any time before the decision, and allow for financial compensation to the class advocates as a stimulus for litigation. The proposals would create financial incentives for outside groups to file class actions by allowing them to receive legal fees no less than 20% of any award.  As summarized in the Institute’s press release, these reforms, while intended to “expand fairness” in Brazil’s civil justice system ‘can lead to undermining it.” According to a statement by Lisa Rickard, the Institute’s President, “if implemented, current proposals could have costly unintended economic consequences.”

 

The reports unquestionably represent advocacy and must be read and understood on that basis. Nevertheless, the reports provide a thorough and interesting overview of the state of class action litigation in Latin America. Though possibly provocative for some readers, the reports will make interesting reading for anyone interested in developing an understanding of the current evolution of class action procedures in Latin American countries.

 .  

cornerAccording to the latest report from Cornerstone Research, the number of securities class action lawsuit filings during the first half of 2014 were down compared to historical filings semiannual filing levels although slightly higher than the number of filings in the first half of 2013. The report, which is entitled Securities Class Action Filings – 2014 Midyear Assessment, and which can be found here, notes that the number of large dollar-loss cases and the number of cases against S&P 500 firms is far off of historical levels. Cornerstone Research’s August 6, 2014 press release about the report can be found here.

 

Consistent with my own tally and analysis of securities class action lawsuit filings during the first six months of 2014, the Cornerstone Research study reports that there were 78 new securities class action lawsuit filing in 2014’s first half. This number of filings is well below the 91 filings in the second half of 2013 and is 18 percent below the historical semiannual average of 95 filings during the period 1997 to 2013. However, the 78 filings in 2014’s first half is slightly higher than the 75 filings in the first half of 2013. The 78 filings do represent an increase from the low-water mark of 64 filings in the second half of 2012.

 

What the report characterizes as a “traditional filing” – that is, excluding merger objection suits and Chinese reverse merger cases – decreased 17 percent to 68 in the first half of 2014 from 82 filings in the second half of 2013. Eight of the first half filings involved merger objection allegations and two involved Chinese reverse merger companies.

 

The annualized rate of securities class action lawsuit filings projects to a year-end 2014 total number of securities suits of 156, which would be below the 2013 total of 166, but above the 2012 total of 152. A year-end total of 156 would be 17 percent below the 1997-2013 historical annual average of 189 filings. Were 2014 to end up at that level, this year would represent the sixth consecutive year with below-average filing activity and would be the third lowest total in the last 18 years.

 

However, as I noted in detail in my analysis of first half filing, the relative decline in the absolute number of filings is attributable at least in part to the overall decline in the number of publicly traded companies. Indeed, Figure 6 in the Cornerstone Report shows that notwithstanding the decline in the absolute numbers of lawsuits filed, as a percentage of U.S. listed companies, the percentage of companies sued (about 3.2%) remains above the 1997-2013 average of 2.9%

 

The report also notes that during the course of the last year, the number of publicly traded companies increased for the first time since 1988, due to increased IPO activity. There were 112 IPOs on U.S. exchanges in the first half of 2014, which already represents 71 percent of the IPO activity in 2013 and already exceeds the full years of 2009, 2011 and 2012. However, IPO activity still remains well below the elevated IPO filings levels seen during the 1996-2000 period. The report includes a detailed analysis of the susceptibility of IPO companies to securities litigation and concludes that IPOs following the credit crisis have faced an increased litigation exposure compared to both the pre-credit crisis IPOs and the IPOs during the 1996-2000 period.

 

Of the 78 first half securities lawsuit filings, 9 cases (or twelve percent) involved non-U.S. domiciled companies, compared to 18 percent of all filings during the full-year of 2013. During 2013, the filings against non-U.S. companies declined for the third consecutive year, and at least based on the first half filings, it looks as if the number of filings against foreign companies will decline again in 2014, to roughly pre-2010 levels.

 

The filings in the first six months of the year seem to reflect a decline in the number of lawsuits against companies with larger market capitalizations. Of the companies listed in the S&P 500 at the beginning of the year, approximately 2.4 percent were hit with a securities class action lawsuit in the year’s first six months. This annualized rate is the lowest since 2000 when Cornerstone Research first bean tacking the rate. The 2000-2013 annual average for class action lawsuit filings against S&P 500 companies is 5.7%.

 

The first-half filings involve “some of the lowest aggregate market capitalization losses in recent years” according to a statement in the Cornerstone Research press release by Dr. John Gould.  The maximum dollar loss for filings in the first half is the lowest semiannual total in 16 years. In addition, there were no filings in the year’s first six months involving maximum dollar losses over $10 billion, the first time that has happened in a semiannual period since the second half of 1997. Obviously, the absence of the mega cases could have an impact on settlement levels as these 2014 cases work their way toward settlement in future years. The absence of mega settlements and the lower overall valuation levels are likely to translate into lower overall levels of settlement.

 

Healthcare, biotechnology and pharmaceutical companies together accounted for 21 percent of total filings in the first half of 2014. The pace of filings against biotechnology companies doubled compared with the two previous semiannual periods.

 

For another midyear review of securities class action litigation, see the August 4, 2014 report by Jonathan Dickey of the Gibson Dunn law firm posted on the Harvard Law School Forum on Corporate Governance and Financial Regulation, here.

aigAIG has agreed to pay $960 million to settle the consolidated securities class action lawsuit that had been filed against the company and certain of its directors and officers in the wake of the company’s near collapse at the peak of the credit crisis. The settlement, which AIG disclosed in its August 4, 2014 filing on Form 10-Q (here, see footnote 10 to the financial statements), is one of the largest to arise out of the wave of litigation that followed the global financial crisis. While other credit crisis related lawsuits remain pending, this settlement may represent just about the last of the major credit crisis-related securities lawsuits to be resolved. The settlement is subject to court approval

 

In the plaintiffs’ lawyers’ August 4, 2014 press release about the settlement (here) the amount of the “settlements” in the case are described as  “totaling $970.5 million.”  According to a statement by one of the plaintiffs’ lawyers quoted in Law 360’s August 4, 2014 article about the settlement (here, subscription required), the additional amount above the $960 million to be paid by AIG represents a payment from a defendant  (not identified in the article) against whom the plaintiffs’ claims had already been dismissed.

 

 

As discussed here, the consolidated AIG litigation has a long history going all the way back to May 2008, when the first of the lawsuits were filed. After the company’s near collapse and massive government bailout in September 2008, the company’s share price plummeted and further securities class action litigation ensued.  In their consolidated amended complaint (here), the plaintiffs alleged that the defendants violated the securities laws through various disclosures and omissions related to the company’s securities lending program and its credit default swap portfolio.

 

Both the credit default swap portfolio and the securities lending program entailed exposures to subprime mortgages. In many instances, the CDSs were placed in connection with securities backed by subprime mortgages. In the securities lending business, the cash received in exchange for the loaned securities was invested in mortgage-backed securities. Additional collateral requirements for these transactions triggered by the subprime mortgage meltdown led to the government bailout. The plaintiffs contend that these exposures were not adequately disclosed. The defendants moved to dismiss.

 

As discussed here, on September 27, 2010, Southern District of New York Judge Laura Taylor Swain denied the defendants’ motions to dismiss. Judge Swain held that the plaintiffs’ allegations were “adequate to plead material misrepresentations and omissions on the part of AIG,” particularly with respect to the company’s exposure through its CDS portfolio to subprime mortgages.

 

Judge Swain rejected the defendants’ contention that the allegedly misleading statements were forward-looking statements protected by the bespeaks caution doctrine, observing that “generic risk disclosures are inadequate to shield defendants from liability for failing to disclose known specific risks” and that “statements of opinion and predictions may be actionable if they are worded as guarantees or supported by specific statements of fact.” Judge Swain cited in particular the defendants’ alleged failure to disclose a litany “of hard facts critical to appreciating the magnitude of the risks described.”  

 

With respect to scienter, Judge Swain, after reciting a list of adverse undisclosed facts and developments allegedly known to defendants, concluded that the plaintiffs had “satisfied their burden of alleging facts giving rise to a strong inference of fraudulent intent,” adding that “no opposing inference is more compelling.”

 

Finally, Judge Swain also denied the defendants’ motion to dismiss on loss causation grounds. The defendants had argued that AIG’s stock price decline was “attributable to the decline experienced in the stock market generally, and in the financial services sector specifically.” Judge Swain found that “the sharp drop in AIG’s stock price in response to certain corrective disclosures, and the relationship between the risks allegedly concealed and the risks that subsequently materialized, are sufficient to overcome the argument at the pleading stages” – although she added that the defendants ultimately may be able to prove that “some or all” of plaintiffs’ losses are “attributable to forces other than AIG.”

 

According to AIG’s recent 10-Q, further proceedings followed after Judge Swain’s ruling on the motion to dismiss. The case had been stayed earlier this year at the parties request during the pendency of the Supreme Court’s reconsideration of the fraud on the market theory and class certification issues in the Halliburton case.

 

The 10-Q also states that on July 15, 2014, the parties accepted a mediator’s proposal to settle the consolidated litigation for a cash payment by AIG of $960 million. The plaintiffs’ lawyers’ press release states that the mediation process had been spread over a period of two years.

 

According to the company’s SEC filing, the amount of AIG’s settlement contribution “has been accrued.” Neither the SEC filing nor the plaintiffs’ lawyers’ press release makes any mention of a contribution to the settlement by AIG’s insurers or, for that matter, by any other named defendant. There are as yet no filings related to the settlement available on the electronic court docket.

 

A settlement of $970.5 million obviously is massive, but it is still not large enough to crack the Top Ten list of all-time largest securities class action settlements. As reflected on the Stanford Law School Securities Class Action Lawsuit Clearinghouse list of the Top Ten securities class action settlements (here), a settlement would have to exceed $1.1 billion to crack the Top Ten list.

 

The plaintiffs’ lawyers’ press release does assert that ““the proposed securities class action settlement is one of the largest ever achieved in the absence of a criminal indictment or an SEC enforcement action.”

 

The $970.5 million is, in any event, one of the largest settlements to arise out of the wave of securities litigation that followed in the wake of the global financial crisis. By my reckoning, this settlement is exceeded among credit crisis-related securities suit settlements only by the $2.43 billion BofA/Merrill Lynch securities suit settlement (about which refer here). This latest AIG securities suit settlements far exceeds the other credit crisis-related securities suit settlements, including the $730 million Citigroup bondholders’  action settlement (about which refer here), the $627 million Wachovia Preferred Securities and Bondholder action settlement  (refer here) and the $624 Countrywide securities suit settlement (here).

 

There is of course further credit crisis-related securities litigation that remains pending. However, with the settlement of the consolidated AIG securities litigation, all or almost all of the highest-profile securities suits to arise out of the credit crisis have now been resolved. Or at least it seems unlikely that there will be many further settlements of securities suits from that era that would rival the size of the largest credit crisis-related settlements.

 

 

caliIn a July 31, 2014 opinion (here), Central District of California Judge Fernando M. Olguin, applying California law, granted a professional liability insurer’s motion for summary judgment in a coverage lawsuit brought by the Blum Collins LLP law firm and Craig M. Collins dba the Collins Law Firm for breach Judge Olguin agreed that because of a material misrepresentation in law firm’s application for insurance, coverage was precluded under the policy.

 

The plaintiffs contended that the insurer had wrongfully refused to defend and indemnify them in a legal malpractice lawsuit brought by Cynthia Beck, whom Collins had represented in a property dispute.  In her lawsuit, Beck alleged that Collins’s negligence has resulted in a $7 million judgment against her. Judge Olguin ruled that coverage under the policy for the malpractice claim was precluded due to the Blum Collins law firm’s omission from  its insurance application of the existence of a tolling agreement that had been entered with Beck ten months before the application was completed.

 

Background

In December 2004, Cynthia Beck retained Craig Collins in his capacity as a partner of the Collins Law From to represent her in a property dispute. In September 2007, Beck and Collins terminated their attorney-client relationship and entered into an Agreement (the “September 2007 Agreement”) whereby “Collins agreed to furnish Beck with time to evaluate her assertions [of malpractice] and her potential damages without filing an action during the time period are in place.” In October 24, 2007 judgment was entered against Beck in the property dispute. The judgment was affirmed on appeal in January 2009. In February 2009, Beck’s representative sent Collins an email alleging that the judgment against Beck had been caused by Collins’s malpractice. In March 2009, the plaintiffs gave notice of Beck’s claims to its professional liability insurer.

 

Collins had completed an application for the professional liability insurance on July 23, 2008 (that is about ten months after the entry into the September 2007 Agreement). Application Question 10.C. asked the following question: “After enquiry, are any persons listed on Supplement 1 aware of any circumstances, allegations, tolling agreements or contentions as to any incident which may result in a claim being made against the Applicant or any of its past or present Owners [or] Partners ….?”  The response given to Question 10.C. was “No.”

 

On July 27, 2008, the insurer issued a professional liability insurance policy, designating Blum Collins LLP as the “Named Assured.” The policy defined the term “Named Assured” as the partnership as such, as well as “any lawyers who are partners in the Named Assured.”

 

The application stated in pertinent part that the insurer “reserve[s} the right to deny or rescind coverage on any Policy that is issued as a result of this Application if, in the statements set forth herein and in any attachments made hereto it is found that material information has been omitted, suppressed or misstated.” Policy Exclusion I precludes coverage for any loss arising from any Claim “arising out of any acts, errors, or omissions which took place prior to the effective date of this insurance, if any Assured on the effective date knew or could have reasonably foreseen that such acts, errors, or omissions might be expected to be the basis of a Claim.”

 

In January 2011, Beck filed a professional negligence lawsuit against Craig Collins and Blum Collins LLP. The law firm sent the complaint to its insurer seeking a defense to the lawsuit and seeking indemnification. The insurer denied coverage for the claim. In June 2012, the plaintiffs filed their coverage lawsuit against the insurer. The parties filed cross-motions for summary judgment.

 

The July 31 Order

In his July 31, 2014 order, Judge Olguin granted the insurer’s summary judgment motion and denied the plaintiffs’ motion.

 

In their motion papers, the plaintiffs had disputed whether or not the plaintiffs’ alleged failure to give the insurer notice of the potential lawsuit was such a material omission as to warrant the insurer’s refusal to defend, arguing that the refusal to defend was a breach of contract.

 

In support of this position, the plaintiffs made three arguments. The plaintiffs’ first argument was based on the fact that application question 10.C. had asked whether “any persons listed in Supplement 1 are aware of any … tolling agreements … as to any incidents which may result in a claim.” The plaintiffs argued that they were not provided with Supplement 1 and “thus it would be impossible for Plaintiffs to know how to have answer the question.”

 

Judge Olguin characterized these arguments as “utterly meritless.” He noted that “Plaintiffs provide no authority or evidence to support their argument that the absence of Supplement 1 excuses any misstatement or omission in their response to Question 10.C.” He also noted that “Despite the absence of Supplement 1, plaintiffs answered both questions that referenced it. Had the absence of Supplement 1 truly affected plaintiffs understanding of the question, plaintiffs, a law firm with several experienced attorneys, would not have answered the questions.”

 

Second, the plaintiffs argued that Blum Collins LLP did not represent Beck and had not entered the September 2007 Agreement with her, and thus was not related to any potential claim for “the Assured” to disclose in the application. Judge Olquin rejected this argument as well, noting that Question 10.C. “clearly contemplates the possibility that claims might be brought against owners or partners of the applicant law firm arising from different associations or employment.”

 

Third, the plaintiffs argued that Question 10.C. only asked for the disclosure of incidents that “may result in a claim” and since no claim had materialized, they were not aware of any incident that may result in a claim. Judge Olguin said that this argument “ignores the plain language of the September 2007 Agreement,” which, he said, “unequivocally gave plaintiffs notice that there were contentions that ‘may result in a claim’ against one of the ‘Owners [or] Partners’ of Blum Collins LLP…” Judge Olguin added that “any expectation or understanding to the contrary stretches the bounds of credulity.”

 

Judge Olguin also concluded that not only was the answer to Question 10.C. a misrepresentation or omission, but it was material as well, citing affidavit evidence the insurer provided declaring that a truthful answer to the question would have altered whether the insurer would have issued the policy or the terms that would have been offered. The plaintiffs did not really dispute this, but instead they tried to argue that the insurer had waived the right to rescind the policy. In response to this contention, Judge Olguin cited with approval to case law holding that “established law clearly affords the insurer the right to avoid coverage by way of cross-claims and affirmative defenses when the insured files an action on the contract before the insurer can filed its action for rescission.”

 

Finally, Judge Olguin also found that coverage for the plaintiffs’ claim was precluded by several policy exclusions, including in particular the exclusion precluding coverage based on the insureds’ knowledge on the policy’s effective date of “acts, errors or omissions” that “might be expected to be the basis of a Claim.” In response to the plaintiffs’ efforts to resist this exclusion based on arguments about which of the plaintiffs’ did or didn’t know about Beck’s assertions and the September 2007 Agreement, Judge Olguin noted that the plaintiffs were taking “contradictory positions,” since on the one hand, they assert that there was not an application misrepresentation “because the September 2007 Agreement as not between Blum Collins LLP and Beck, but rather between the Collins Law Firm and Beck,” while on the other hand, “Blum Collins LP argues that [the insurer] had a duty to defend it in Beck’s lawsuit, because, at the time, Collins was a partner at Blum Collins.”

 

Discussion

It is pretty clear that Judge Olguin had very little patience for the plaintiffs’ arguments based on the law firms’ and Collins’s multiple shifting identities. It is also clear that the bottom line for Judge Olguin is that if Blum Collins LLP wanted to argue that it had a sufficient connection to this set of circumstances to expect the insurer to provide a defense to Beck’s claim, then Blum Collins had a sufficient connection to the representation of Beck and to the September 2007 Agreement that the Agreement should have been disclosed in response to the application question.

 

Readers can reach their own conclusions about the responses the law firm provided to the application questions. For me, this case does provide a reminder of the importance of making sure that all relevant information is provided in response to application inquiries. In most circumstances, that will entail a careful survey of all persons proposed to be insured under the insurance that is being sought. Of course, the failure to fully survey everyone was hardly the problem in this case, as the person completing the application was the very person who was in best position to know about the problems with Beck and about the September 2007 Agreement — which may have been the source of the many problems Judge Olguin obviously had with the plaintiffs’ arguments here.