Due to personal circumstances, I will not be adding new posts for the next few days. To hold things over until I return, I thought I would post a link to the Q&A I did with Tom Fox on his FCPA Compliance and Ethics Blog last week. The Q&A covers a lot of ground, from my childhood, through college and law school, and then straight to how I started my blog and how the “mug shot” series came about. The Q&A can be found here. Special thanks to Tom for inviting me to participate in the Q&A on his blog.

In an interesting June 11, 2014 Financial Times article entitled “Spain’s Renewal Must Include Governance Improvements” (here), financial journalist and commentator Tony Barber identifies corporate governance issues that he believes Spanish companies have been slow to address. According to Barber, while there may be historical explanations for many of the long-standing corporate governance practices in Spain, Spanish companies’ increasingly international shareholder base will require the companies to meet higher governance standards.

Barber acknowledges that corporate governance practices at Spanish companies have improved since the CNMV, the national financial market regulator, published a non-binding code of good governance in 2006. But progress has been slow and “some of the biggest, most internationally active Spanish companies can certainly do better.” According to Barber, the current government has plans to update the 2006 code. It has also sent a bill to parliament that will increase shareholders’ control over executive pay, strengthen the voice of minority shareholders and address potential conflicts of interest.

Barber identifies four additional governance issues that, in his view, many Spanish companies need to address. First, he says that “too many combine the roles of chairman and chief executive in one person.” Second, the boards are often “too old and universally old.” Third, many boards are too large. And finally, “some boards contain too few credible independent directors.” Among other things, these practices allow the concentration of power in one person’s hands.

The current board practices of many large Spanish companies “have deep roots in Spanish business culture.” This culture is a lingering vestige of practices during the Franco era, when Spain “remained in most respects a self-enclosed world, dominated by a handful of mighty financiers and industrialists.”

These old habits die hard, even though in a wide variety of industries Spanish companies “stride the globe” and even though foreign investors hold roughly 40 percent of the equity of the companies in Madrid’s blue-chip Ibex-35 index. Even companies like Banco Santander that have started to make changes still have boards that are almost exclusively Spanish. Even after adding former U.S. banking regulator Sheila Bair to its board in January, the bank’s 16-person board consists of 14 Spaniards, a Chilean and Bair. Three board members belong to one all-powerful family.

Barber contends that “national as well as gender-diversity is something that Spanish companies need to get to grips with.” Even when Spanish companies select foreign directors, they tend to turn first to Spanish-speaking countries. Barber comments that “it stretches credulity to suggest that such appointments reflect a meticulously conducted search for the best candidate.”

To underscore the importance of these issues for Spanish companies, Barber cites as an example the recent decision of Pemex, the Mexican national oil company, to sell most of its 9.2 percent investment in Repsol, the Spanish energy group. Among other things, Pemex cited Repsol’s governance practices as a reason for the sale. While not meaning to suggest that Pemex’s views on governance represent some sort of a standard, Barber said that “there is no doubt that international investors would welcome higher standards at some of Spain’s best known companies.”

Barber closes his article with a reference to the recent abdication of King Juan Carlos, noting that “modern Spain is embarking on a project of national renewal that calls for brave decisions in difficult times.” Improving corporate governance “will form part of the contribution of Spanish business to this task.”

The practices and the resistance to reform in Spain may be best understood by reference to the country’s particular history, but many of the concerns are not unique. Other countries have their own versions of many of these issues. Just the same, it is interesting to consider this country-level perspective on corporate governance practices.

In a June 10, 2014 speech entitled “Boards of Directors, Corporate Governance and Cyber-Risks: Sharpening the Focus” delivered at the New York Stock Exchange, SEC Commissioner Luis A. Aguilar highlighted the critical importance of the involvement of boards of directors in cybersecurity oversight. In his speech, Aguilar stressed that “ensuring the adequacy of a company’s cybersecurity measures needs to be a part of a board of director’s risk oversight responsibilities.” He added the warning that “boards that choose to ignore, or minimize the importance of cybersecurity oversight responsibility, do so at their own peril.” A copy of Aguilar’s speech can be found here.

Aguilar opened his speech by highlighting the extent of the risks associated with cybersecurity. He emphasized the “widespread and severe impact that cyber-attacks could have on the integrity of the capital markets, infrastructure and on public companies and investors.” In light of these risks, Aguilar said that “effective board oversight of management’s efforts to address these issues is critical to preventing and effectively responding to successful cyber-attacks and, ultimately, to protecting the company and their consumers, as well as protecting investors and the integrity of the capital markets.”

Aguilar noted that risk management oversight is an increasingly important board role, adding that “there can be little doubt that cybersecurity also must be considered as part of the board’s overall risk oversight.” Aguilar specifically referenced the recent effort by proxy advisory firm ISS to oust many directors of Target Corporation for allegedly lax cybersecurity oversight, which, he said, “should put directors on notice to proactively address the risks associated with cyber-attacks.” (It should be noted, however, that at the June 11, 2014 Target Corp. annual meeting all board members were re-elected.)

Aguilar emphasized that the threats of a cyber-attack include not only the risk of business disruption and reputational harm but also, for directors, “the threat of litigation and potential liability for failing to implement adequate steps to protect the company from cyber-threats.” He noted that – “perhaps unsurprisingly” – Target and Wyndham have each recently been hit with shareholder lawsuits relating to those companies’ data breaches, commenting that “boards that choose to ignore, or minimize, the importance of cybersecurity responsibility do so at their own peril.”

In discussing what boards can and should be doing on cybersecurity issues, Aguilar said that the place for boards to begin in assessing their company’s cybersecurity readiness is the National Institute of Standards and Technology’s February 2014 report entitled the “Framework for Improving Critical Infrastructure Cybersecurity” (here), which he said is “likely to become a baseline for best practices by companies, including in assessing legal or regulatory exposure to these issues or for insurance purposes.”

In order to translate the concepts in the NIST’s Framework into action, boards need to take steps to address the knowledge gap that often exists at the board level on cybersecurity issues. Aguilar recommends that boards create a separate enterprise risk committee at the board level in order to ensure that there is sufficient focus at the board level on the adequacy of resources and overall support provided to company executives responsible for risk management. Boards should also develop “a clear understanding of who at the company has primary responsibility for cybersecurity risk oversight and for ensuring the adequacy of the company’s cyber-risk management practices.”

The key, according to Aguilar, is to ensure that the company is appropriately prepared to respond in the event of a cyber-attack. Boards, he said, “should put time and resources into making sure that management has developed a well-constructed and deliberate plan” for responding to a data breach or other cyber incident. The plan should include, among other things, a framework for determining “whether and how the cyber-attack will need to be disclosed internally and externally.” He added a suggestion that in undertaking this disclosure the company should go beyond the impact on the company and consider the impact on others, including consumers or other groups.

Aguilar closed his speech by emphasizing that “given the heightened awareness of these rapidly evolving risks, directors should take seriously their obligation to make sure that companies are appropriately addressing [cybersecurity] risks.”

Aguilar’s speech represents yet another confirmation that cybersecurity is a board-level issue. He also emphasized that board failure to address these issues represents a liability exposure for directors. While he referred only to the efforts of shareholders to hold board members accountable through litigation, the fact is that – as his speech itself underscores – cybersecurity is an increasingly important issue to the SEC. It is not too much to say that a message implicit in his speech is that the Commission itself may hold boards accountable for their responsibilities as well. At a minimum, Aguilar’s speech underscores that cybersecurity is an issue on which the Commission is focused and about which the Commission is concerned.

Has notice of claim been provided “as soon as practicable” if it is sent to the insurer during the policy period but six months after service on the insured of the underlying complaint? Apparently not, at least according to a June 6, 2014 opinion of a New Jersey intermediate appellate court, applying New Jersey law. In addition, the New Jersey appellate court further held that an insurer on a claims made policy does not have to plead or prove that it was prejudiced by the late notice. The appellate court affirmed the trial court’s entry of summary judgment in favor of the insurer. A copy of the appellate court’s opinion can be found here.

I have to admit that I have some issues with this decision, for reasons discussed below.

Background

The plaintiffs in the coverage action are assignees of the insured. The plaintiffs operate a church and child care center. The plaintiffs decided to relocate their operations and they entered a contract to buy a piece of land for the purpose. The plaintiffs also entered a separate arrangement to obtain financing for the land purchase from the insured, which is a mortgage financing company. The insured ultimately failed to provide the financing for the land transaction and the transaction fell through. The plaintiffs sued the insured to recover the various costs the plaintiffs had incurred in trying to complete the land transaction and the mortgage financing. Ultimately the insured settled with the plaintiffs for a small cash payment and for the assignment to the plaintiffs of its rights under its D&O insurance policy.

The insured’s insurance policy ran for the period from January 1, 2006 to January 1, 2007. The insured was served with the plaintiffs’ complaint in the underlying action on February 21, 2006. However, the insured did not provide notice of the complaint to its insurer until August 28, 2006. The insurer denied coverage on a number of grounds including the ground that the insured had not provided notice of claim to the insurer “as soon as practicable” as required under the policy.

The notice provisions of the policy state that:

(a) The Company or the Insureds shall, as a condition precedent to the obligations of the Insured under this policy, give written notice to the Insurer of any Claim made against an Insured as soon as practicable and either:

(1) anytime during the Policy Period or during the Discovery Period (if applicable); or

(2) within [thirty] days after the end of the Policy Period or the Discovery Period (if applicable), as long as such Claim is reported no later than [thirty] days after the date such Claim was first made against an Insured.

After the assignment to the plaintiffs of the insured’s rights under the policy, the plaintiffs filed an action against the insurer seeking a judicial declaration that the policy covered the underlying claim. The parties filed cross-motions for summary judgment. On February 3, 2013, the trial court granted the insurer’s motion for summary judgment, based on its finding that the insured did not provide the insurer with notice of the underlying claim as soon as practicable and therefore that coverage was barred. The plaintiffs appealed.

The June 6 Opinion

On June 6, 2014, in an unpublished per curiam opinion, the Superior Court of New Jersey, Appellate Division, affirmed the trial court’s ruling.

The appellate court observed that the insured had provided the insurer with notice of claim “over six months after plaintiffs served them with the complaint.” The court added that “No explanation for this lengthy delay was provided.” The appellate court cited with approval its own prior decision in a 1963 case in which the earlier court had held that a delay of five and one-half months in providing notice was not “as soon as practicable” under the terms of a similar policy.

The appellate court also noted that the notice provision required notice to be provided to the insurer both within the policy period and as soon as practicable. Because “the insured did not meet both of the notice requirements that were unambiguously expressed in the policy, we conclude that coverage was properly denied to the insureds and by extension, to plaintiffs as their assignees.”

In reliance on the New Jersey Supreme Court’s 1985 holding in Zuckerman v. National Union Fire Insurance Co., the appellate court also rejected the plaintiffs’ argument that the insurer had to show that it was prejudiced by the late notice in order to assert the late notice as a defense to coverage. In Zuckerman, the New Jersey Supreme Court had held that with respect to claims made policies (like the one involved here) an insurer need not show that it was prejudiced by an insured’s failure to provide notice as soon as practicable in order to deny coverage. The New Jersey Supreme Court had said in Zuckerman that to require an insurer to make such a showing would constitute an “unbargained-for expansion of coverage, gratis, resulting in the insurance company’s exposure to a risk substantially broader than that expressly insured against in the policy.” The appellate court said that as an intermediate appellate court, “we are bound to follow and enforce the decisions of the Supreme Court.”

Discussion

As anyone involved in the insurance business knows, late notice happens. Delayed notice is provided to insurers all the time. The delays in providing notice happen for all sorts of reasons or for no reason at all. Usually, the delay arises because the person within the organization who knows about the lawsuit is not the same person within the organization who knows about the organization’s insurance. (This problem about the location of insurance knowledge within an organization is the reason why it is a good idea to seek to have the notice provision amended by endorsement to provide that the clock does not start to run on notice issues until certain specified persons find out about a claim.)

In the context of an industry in which belated notice is a regular occurrence, a delay of six months is nothing. For that reason, I simply don’t understand the comment by the court with respect to the timing of the notice here that “no explanation for this lengthy delay was provided.” In my humble opinion based on over thirty years in the D&O insurance business, it is not even remotely accurate for the appellate court to suggest that a six-month delay in providing notice is “lengthy.” I would describe it as “normal” or “par for the course” or “basically, the kind of thing that happens when any process requires the involvement of people.”

Not only was the delay in providing notice here not “lengthy,” but the insurer was provided notice during the policy period. This is not a case where the notice finally came sailing in months after the insurer was off of the risk. The insurer was still on this risk when it received notice.

And not only that, the insurer here did not even claim that it was prejudiced in any way by the six month delay in providing notice. What is the point of harshly enforcing a mere procedural requirement in a punitive way given that the condition was fulfilled during the contract period and nothing about the fulfillment of the condition was detrimental to the insurer?

And here’s the final issue – the appellate court did not even ask what the word “practicable” means and whether or not in this case the insured did provide notice as soon as was practicable for this insured. One definition of the word “practicable” in an online dictionary is that the word means “capable of being done” or “capable of putting into effect.” Seems to me that the insured here provided notice as soon as it was capable of providing notice.

The term “as soon as practicable” is meant to be both a liberalizing term and to provide flexibility, by contrast to the use in some policies of terms requiring provision of notice within a specified time period (say, 60 or 90 days). The more flexible standard is meant to be less rigid than the precise time requirement – and frankly it is meant to be a looser standard. Basically, the term means that the insured should provide notice of claim as soon as it can.  There is nothing in standard industry practices to suggest that the provision of notice during the policy period and six months from service of the claim is not “as soon as practicable” – unless the six month delay prejudiced the insurer in some way, which is a factor that is not present here.

I will say that I don’t know where courts get off with this idea that when a policyholder seeks coverage for a claim that it is trying to get “unbargained-for expansion of coverage.” In this case in particular, the suggestion that the insured’s assignee was looking for unbargained-for coverage is a completely unwarranted statement. To the contrary, the courts’ harsh and unwarranted construction of the notice provisions represents a completely unjustified diminution of coverage.

It is hard to question the position that the insurer took in this case with respect to late notice, given that two courts have concluded that under New Jersey law the notice here was not “as soon as practicable.” Just the same, I have to say that the fact that an insurer would take the position that the insurer took on the notice issue here is a relevant topic in a discussion with a client about the insurer’s claims handling practices.

On May 8, 2014, Southern District of New York Judge Deborah Batts, applying New York law, held that there was not a sufficient “factual nexus” between a securities suit filed after the expiration of a failed bank’s D&O insurance policy and an FDIC claim that had first been made during the policy period, and therefore — because the subsequent claim did not relate back to the prior claim — that the later suit is not covered under the policy. The decision raises interesting questions about the degree of overlap required to make different claims interrelated.

A copy of the opinion can be found here. This decision is discussed in a June 5, 2014 post on the Sedgwick Insurance Law Blog (here). A May 19, 2014 post on the Wiley Rein law firm’s Executive Summary blog can be found here.

Background

State banking authorities closed the Park Avenue Bank on March 12, 2010. Three days after the bank closed, Charles Antonucci, the bank’s President and CEO, was arrested and charged with attempting to defraud the Troubled Asset Relief Program and for self-dealing with bank funds, which included several “round trip transactions” that he claimed were personal investments in the bank.

On September 1, 2010, the FDIC sent certain former directors of the bank a demand letter in which the FDIC asserted claims against the individuals for alleged breaches of fiduciary duty, negligence and gross negligence. The demand letter asserted that the individuals’ acts and omissions caused the bank a loss of approximately $50.7 million. The FDIC’s claim, as Judge Batts later summarized it, “primarily focused on [the individuals’] deficient policies, internal controls, and practices, which ultimately led to PAB’s failure,” such as having inadequate collection procedures and failing to properly supervise employee compensation. However, as Judge Batts also noted, the FDIC demand letter also alleged that the individuals “failed to act on allegations of improper conduct made against [Antonucci], ultimately causing significant financial harm to the bank.”

The individuals notified the bank’s D&O insurer of the FDIC claim. The D&O policy in force at the time had a policy period from September 9, 2008 to September 9, 2009, but the period had been extended to November 8, 2010. The D&O insurer accepted the FDIC demand letter as a claim under the policy.

On February 12, 2012, well after the expiration of the D&O policy, Bruce Kingsley filed a lawsuit against the bank’s former directors under Arizona securities laws. The Kingsley complaint alleges that Antonucci had made material misrepresentations and omissions in order to induce the Kingsley plaintiffs to make investments in two customers of the bank. The investments were actually used to fund Antonucci’s round-trip transactions. The Kingsley plaintiffs contended that the bank’s former directors should be liable for their “lax oversight” of Antonucci and for the bank’s lack of “sound corporate governance.” The Kingsley complaint alleged that the directors “did not act in good faith with respect to their control or lack of control of Antonucci” and “did not take reasonable steps to maintain and enforce a reasonable and proper system of appropriate supervision and internal controls.”

The directors submitted the Kingsley lawsuit to the bank’s D&O insurer asserting that the FDIC demand letter and the Kingsley lawsuit involved interrelated wrongful acts. The D&O insurer denied coverage for the Kingsley lawsuit contending that the lawsuit had been filed after the policy had expired and that the two claims did not involve interrelated wrongful acts.

The directors filed an action in the Southern District of New York seeking a judicial declaration that the two claims involved interrelated wrongful acts and that the D&O insurer had breached the policy when it denied coverage for the Kingsley lawsuit. The D&O insurer filed a motion for judgment on the pleadings.

In the policy, Interrelated Wrongful Acts are defined as “Wrongful Acts which have as a common nexus any fact, circumstance, situation, event, transaction or series of related facts, circumstances, situations, events or transactions.” Under the policy all claims based on Interrelated Wrongful Acts “shall be considered a single Claim” that is “deemed to be first made on the date the earliest of such Claim was first made.”

The May 8 Ruling

In her May 8, 2014 memorandum and order, Judge Batts granted the D&O insurer’s motion for judgment on the pleadings, ruling that the two claims do not present Interrelated Wrongful Acts “because they do not share a sufficient factual nexus.” Because the two claims are not related, the D&O insurer did not breach the policy by declining coverage for the Kingsley Claim.

In reaching this conclusion, Judge Batts considered several cases under New York law in which courts had interpreted interrelated wrongful acts provisions and in which the courts had held that for two claims to be related they must “share a sufficient factual nexus.” She observed, based on her review of the cases, that “where courts have found a sufficient factual nexus, the two claims had specific overlapping facts.”

Here, Judge Batts said, “the factual overlap between the two Claims is tenuous at best; Plaintiffs allegedly failed to act properly with respect to Antonucci, whether it be their control and oversight of him, as alleged in the Kingsley Complaint, or their failure to investigate allegations of his misconduct, as alleged by the FDIC.”

Judge Batts said with respect to these allegations about Antonucci, “if painted in broad strokes, the two Claims may arise out of the same deficient corporate structure or Plaintiff’s lack of oversight.” However, she said, the directors “merely plead in a conclusory manner that the two Claims share common facts and circumstances, yet, as previously explained, the FDIC Claim merely references Antonucci’s general misconduct whereas the Kingsley Claim makes specific allegations of his fraud on the Kingsley plaintiffs.” The directors’ “bald allegation” that the two Claims arise out of a common set of circumstances “are insufficient to demonstrate a common factual nexus.”

Without more, Judge Batts said, “there simply is not a sufficient factual nexus between the FDIC Claim and the Kingsley Claim.” To interpret the two as interrelated “would be to grant the insured more coverage than he bargained for and paid for.”

Discussion

In considering Judge Batts’s decision, I will begin where she ends, with her saying that if these two claims were considered to be interrelated, the insureds would be getting more coverage than they bargained and paid for. I find this a curious statement, since the bank had bargained and paid for a policy providing that coverage extended not only to claims made during the policy period but also to claims made subsequent to the policy period if the subsequent claims were related to a claim made during the policy period. The problem is not that the bank did not bargain and pay for the kind of coverage the directors are seeking here; the problem is, as I have frequently noted on this blog, that relatedness issues are notoriously elusive.

The difficulty here, as in all coverage cases involving relatedness issues, is determining what degree or quantum of relatedness is sufficient to make alleged wrongful acts interrelated. It is not as if the FDIC Claim and the Kingsley claim were entirely unrelated – there is at least one important area of overlap: both involve allegations that the board had breached its duties to supervise and control Antonucci. Judge Batts in fact acknowledged that the overlap is evident when the picture here is “painted in broad strokes.”

Indeed, I think a reasonable person might easily conclude that the two claims, involving as they do allegations of lack of proper oversight of Antonucci, have “as a common nexus” a “circumstance” or “situation.” In that regard, I note that the policy’s definition of Interrelated Wrongful Acts is written very broadly; it provides that Wrongful Acts are Interrelated if they have as a common nexus “any fact, circumstance, situation, event or transaction.”

The word “any” is very comprehensive – if there is any fact, circumstance or situation having a common nexus, then the Wrongful Acts are interrelated. Judge Batts faulted the directors’ argument because the overlap on which the directors relied was “painted in broad strokes” – that is, it only appeared at a high level of generalization. However, nothing about the policy says that this level of generalization is insufficient. To the contrary, and to reiterate, the policy itself refers to any fact, circumstance, situation, event or transaction.

The comprehensiveness of this definition communicates that it was intended to be interpreted and applied very broadly. In fact, insurers often are arguing that it should be interpreted very broadly, as for example when arguing that a subsequent claim is related to a prior claim made during a prior policy period in which the insurer did not provide coverage (refer for example here), or when the insurer is arguing that multiple claims made over multiple policy periods trigger only a single policy of insurance, not multiple policies (here).

Even recognizing all of the points Judge Batts made in her ruling, I still think it could reasonably be argued that the definition is amply expansive to include both of the claims involved here. And – to turn Judge Batts’s valedictory declamation on its head – since the policyholder expressly bargained and paid for a policy that provided coverage for subsequent claims that are interrelated with claims that are made during the policy period, the insurer here ought to provide coverage for the Kingsley claim, particularly given the breadth of the scope of the definition of Interrelated Wrongful Acts.

As I have said previously about cases interpreting and applying interrelated wrongful act provisions, the cases taken collectively illustrate nothing so much as how elusive these issues can be. This case is a good example of this principle. The problem of course is that this is not some theoretical exercise. The individuals seeking coverage here now have no insurance to rely on to defend themselves against the allegations in the Kingsley complaint.

All of that said, I understand the insurer’s position here as well. The Kingsley complaint was a securities fraud lawsuit relating to the bank CEO’s involvement in a third party (or self-interested) transaction. The FDIC demand letter related to the alleged mismanagement of the bank. I can see why the insurer felt that the two claims were unrelated. That is the problem with interrelatedness disputes. There are no clear answers and the outcomes wind up being a matter of perspective.

Since their 2002 enactment, the whistleblower protections in Section 806 of the Sarbanes-Oxley Act have been presumed to apply only to employees of publicly traded companies. After all, the provisions are entitled “Protection for Employees of Publicly Traded Companies Who Provide Evidence of Fraud.” However, in its March 4, 2014 holding in Lawson v. FMR, LLC (here), the U.S. Supreme Court held that Section 806 protects whistleblowing activity by employees of a private contractor of a public company.

The decision has rightfully raised concern, if for no other reason than that the reach of the decision remains unclear. At the same time, the decision does not reach as far as some commentators have suggested. In this post, I take a look at what the court held, what is unclear, and some important distinctions that should be kept in mind when thinking or talking about this case and its implications.

Background

This lawsuit involves the Fidelity family of mutual funds. The Fidelity funds themselves have no employees. Instead they contract with investment advisors that handle their day-to-day operations. The plaintiffs in these cases were employees of Fidelity Brokerage Services LLC, a subsidiary of FMR Corp. and a private company. The plaintiffs allege that they had been retaliated against by their employer in violation of Section 806 for reporting alleged improprieties involving certain of the Fidelity mutual funds. Their employer moved to dismiss their complaint arguing among other things that Section 806 applied only to publicly traded companies. Following proceedings in the courts below, the case made its way to the U.S. Supreme Court.

Section 806 provides in pertinent part that “No [public] company …or any officer, employee, contractor, subcontractor, or agent of such company, may discharge, demote, suspend, threaten, harass, or in any manner discriminate against an employee in the terms and conditions of employment because of [whistleblowing or other protected activities].”

 

In a 6-3 majority opinion written by Justice Ruth Bader Ginsburg, the Court held that based on the statutory text – and in particular Section 806’s reference to “contractor” and “subcontractor” – as well as the “mischief” to which Congress was responding in the wake of the Enron and WorldCom scandals, Section 806’s whistleblower protections extend to employees of contractors and subcontractors.

 

In a dissenting opinion, Justice Sotomayor criticized the “stunning reach” of the majority’s opinion, noting that “by interpreting a statute that already protects an expansive class of conduct also to cover a large class of employees, today’s opinion threatens to subject private companies to a costly new form of employment litigation.”  The dissent charged that the court’s holding could authorize a “babysitter to bring a federal case against his employer – a parent who happens to work at the local Walmart (a public company) – if the parent stops employing the babysitter after he expresses concern that the parent’s teenage son may have participated in an Internet purchase fraud.”

 

Discussion 

There is good reason that this decision has raised the alarm in certain quarters. Justice Sotomayor’s comment in her dissent that “today’s opinion threatens to subject private companies to a costly new form of employment litigation” provides ample justification for concern. Private company employers rightfully are concerned to learn that the SOX whistleblower provisions can apply to public companies’ private contractors.

 

As justified as these concerns are, I fear that the concern may be overstated in certain quarters—or rather, that concerns are being raised that even the most alarming parts of the Court’s decision do not justify. For starters, I have heard otherwise responsible commentators summarize the decision as saying that it holds that the SOX whistleblower provisions apply to private companies. This is a correct but incomplete statement. I think the implications of this decision are better understood if we clarify what actually happened here.

 

First of all, though the employees who claimed retaliation were indeed employees of a private company, the company on which they blew the whistle was a publicly traded company. This is not a situation in which private company employees blew the whistle on their own private company employer. The Supreme Court did not say that the Sarbanes-Oxley whistleblower provisions apply when a private company employee blows the whistle on a private company. The involvement of the public company, and the fact that the whistle was blown on a public company, are critical considerations here. The majority’s reasoning placed heavy emphasis on the purposes of Sarbanes-Oxley in preventing fraud at public companies. In other words, without this public company involvement, there would appear to be no basis for the SOX whistleblower provisions to apply to a private company.

 

Another critical aspect of this situation is that, while the whistleblowers were employees of a private company, the public company involved had no employees of its own. All of the operations were conducted for the public company by the employees of a private company affiliate. The majority opinion was very concerned that these kinds of arrangements are common in the mutual fund industry and that, if the Sarbanes-Oxley whistleblower protections were not extended to these employees, mutual fund industry employees would be left without protection from retaliation. While the lower courts are going to have to interpret the Lawson decision, and while plaintiffs obviously will want to try to push the limits of the Lawson court’s holding, the circumstances involved in this case were very specific. The dissent’s babysitter example rightfully raises concerns, but the context of this decision matters.

 

Unfortunately for all concerned, many questions will now have to be tested in the lower courts. The extent to which private company employers can be dragged into these kinds of cases will have to be developed. Of particular concern is the Court’s holding that private company employers can be subject to the whistleblowing provisions if the private company is a “contractor” or “subcontractor,” which certainly raises questions about what type of a relationship with a public company is sufficient to bring a private employer within the anti-retaliation provision of the Sarbanes-Oxley Act. This may be of particular concern where the private company employer enters long-term arrangements to provide legal, accounting, or financial services to a public company.

 

As the Covington & Burling law firm put it in its June 6, 2014 Law 360 article entitled “Private Employers and Whistleblowing Post-Lawson” (here, subscription required), “every private company should ask whether it has a business relationship that could qualify it as a contractor or subcontractor of a public company.” This determination “will be straightforward in some cases but murky in others, given the lack of any defining criteria.” Until the courts provide clearer guidance, “prudent companies should act on the assumption that they will be subject to Section 806.”

 

I concur in the view that private companies should proceed on the assumption that they could be subject to Section 806. However, I want to reiterate that even under Lawson, the SOX whistleblowing provisions are not going to apply unless the whistle is blown on a public company. There is nothing about Lawson that says that Section 806 applies if the whistle is blown on a private company.

 

I think the most accurate way to say it is that Lawson extended SOX whistleblower protection to employees of contractors of public companies, whether the contractors are public or private – rather than just saying that the decision extended SOX whistleblower protection to private companies.

 

While I think this distinction is important, I don’t want to suggest that I think Lawson does not represent a significant expansion of the reach of Sarbanes-Oxley whistleblower protections. It does represent a significant expansion. My point is just that, as significant as the extension is, it is not as significant as some commentators have been describing it.

 

The Covington law firm memo has some helpful suggestions about steps employers can take to try to protect themselves in light of these developments.  

 

A May 31, 2014 article in the Economist magazine entitled “Migration from Africa: No Wonder They Still Try” (here) describes how migrants from further south in Africa are desperately trying to make their way through Libya and across the Mediterranean to Europe. Some migrants pay close to $2,000 for passage on rickety boats to European landing points. As the Economist reports, “Many do not survive.” Armed conflict, swelling populations and other factors have driven many to make the attempt to flee, despite the dangers involved.

 

Many of these migrants come from countries such as Central African Republic, Mali, northern Nigeria, Somalia and Southern Sudan, which are troubled by civil unrest. Not all of the African countries are as disrupted as these, but even in the more stable countries conditions are difficult for many. As a result of an unexpected relationship, I have developed a perspective on the conditions in one of Africa’s more stable countries.

 

Senegal is a francophone country on Africa’s west coast, about the geographic size of South Dakota and with a population about the size of Pennsylvania. The country’s capital, Dakar, is located on the Atlantic Coast, at the country’s westernmost point. Dakar has a population of about 1 million people. In the capital city’s outskirts, there is a high school with a 50 year-old English teacher: an educated, articulate man with a sharp eye and a hard-earned sense of cynicism. Through his words I have been given a glimpse of the very different world in which he lives.

 

I was first introduced to Mamoun Bey (not his real name) four years ago through my eldest daughter, who works for a nonprofit healthcare book publisher. Mr. Bey is effectively his school’s health care officer, and for years he has relied on a medical handbook the nonprofit publishes to provide medical care to the school’s students and their families. He wrote to the nonprofit to ask for a new copy of the book because the one he had was falling apart. Upon request from my daughter, I provided the funding for the organization to supply Mr. Bey several new books. Somehow, Mr. Bey found out about my involvement and he wrote me a long, interesting letter. We have been regular correspondents ever since. Each one of Mr. Bey’s letters provides a window into a world that is even further from my own than geographic distance alone would suggest.

 

In his first letter, written after receiving the new medical guides, Mr. Bey explained to me the health care issues facing his school community.  He began with an explanation of “the African way of life.” In the densely populated cities “we share so many things together.” In Senegal in particular there is “an exaggerated tradition of shaking hands with everyone, even with unknown persons (strangers)” which “unfortunately accounts for the high rate of transmission of diseases.” In Africa, the population is threatened with many infectious diseases and with “endemic fatal diseases, like malaria, typhoid and cholera.” The transmission of rabies from dog bites is also a problem as “hordes of dogs roam about with no owner to claim them.”

 

Poor environmental conditions “explain the endemic character of many infectious diseases.” During the rainy season, “pools of water and mud stagnate in most African cities.” In the absence of access to clean drinking water, people drink contaminated well water. A better storm water runoff and sewage system would alleviate many of these conditions, but those improvements would be possible only “if we had responsible and honest statesmen across the continent.”

 

The curse of corrupt politicians is something of a running theme for Mr. Bey. The poor storm water drainage and poor transport systems are “due to the unscrupulous politicians who choose to enrich themselves to the detriment of their respective countries.” The “paradox” is that so many African countries are “rich in natural resources.” However, it is “mostly foreign companies, hitherto mostly Europeans, today Chinese, that exploit them with the complicity of the politicians in power.” As a result, “little goes to the development of our countries.”

 

The storm water runoff problems present a particularly harsh example of the corrosive effects of corruption.  During the rainy season, many of Dakar’s residential areas flood. Those with money “hire trucks full of sand or soil that they dump in front of their houses thus deflecting the flood water to their neighbors opposite!” The prior national government had started a program to try to relocate people who had built houses in swampy areas during drought years but “much of the funds were embezzled” and less than a thousand of the planned twenty thousand residential units were actually built.

 

While there are many difficulties in living in Dakar, Mr. Bey does have a surprising level of access to the outside world and to technology. He has Internet access at his school and he has an email account, but we both prefer to communicate by regular mail rather than over the Internet. He also has a television and a cell phone.  He follows U.S. and European politics by listening to the BBC. During the 2012 U.S. Presidential elections, he commented to me that he had heard that Ohio was a critical swing state. When he was describing a particular feature of his country to me, he suggested I could learn more about it by looking it up on Google.

 

Mr. Bey, who is university educated, strongly believes in the value of education. His older children are enrolled at the university, but he is disappointed that his youngest son “couldn’t cope with studies.” His son now spends his time tending animals and more recently “he has been spending a lot of time in his friend’s home operating computer games.” Mr. Bey says, “I am not happy about this.”

 

Mr. Bey’s letters have told me a great deal about day to day life and important events in Dakar. His second letter to me included a detailed account of the political crisis the country faced when the then-President tried to run for a third term in office, in defiance of a constitutional provision limiting the President to two terms. The crisis led to street protests and ultimately to an internationally monitored election in which the former President was voted out of office. Senegal, for all of its struggles, has functioning democratic institutions, in contrast to so many other African countries.

 

Mr. Bey also told me about a religious festival of the local Mourid community. The festival, held each December and called the Magal de Touba, is a “big gathering of disciples, sympathizers and curious visitors” to commemorate the return of their leader, Cheikh Amadou Bamba, from exile in Gabon where he had fled from the French colonial administration. Many “exploits” are attributed to this leader and he has attracted a following of “fanatics.” The disciples “travel from all parts of the country in huge convoys,” while others come from abroad. For Mr. Bey, who is always concerned about health and safety issues, the burdens this human influx puts on the local transportation create very dangerous conditions. He notes that “there are often severe accidents with heavy casualties,” and this year more than 30 people died during the festival. Many of the accidents are the result of simple mechanical failure, but “most cases are due to human recklessness and greediness.” In order to complete as many trips as possible, the drivers don’t rest sufficiently and their fatigue causes them to lose control of their vehicles, as happened in connection with one particularly horrible head on collision that resulted in 18 deaths.

 

Through our correspondence we are both learning about each other’s cultures; I think I have been able to show Mr. Bey a little bit about our culture in the U.S. For instance, I told him about the annual gathering in my neighborhood to watch the Super Bowl, which he found interesting. He said, “Here, people believe that you there live highly individualized lives like in Europe with little or no contacts with neighbors. At least your Super Bowl account gives a different image. Here, people are very gregarious to the point that they almost step on your feet. There is too much wagging and less productivity, save for craftsmen and farmers.”  Mr. Bey was also surprised to learn that my mother-in-law lives in our home. He said that he had heard that in Europe and America, older folks are “put in institutions” where they live alone.

 

Health-related topics are a recurring theme in Mr. Bey’s letters and often a jumping off point for comparisons between African and American cultures. In discussing the rising incidence of cancer in Africa, Mr. Bey first noted that until recently “cancer was little known in Africa.” Things have changed. He lost the mother of his oldest son to breast cancer. He also described in moving detail the recent death of a neighbor and close friend from cancer. Mr. Bey said “when I went to see my friend in his last days, I could only lay my right hand on his forearm and recite some prayer verses that I know.” As for why there has been a change, “some say it’s due to our countries’ copying the American and European way of life: eating less and less natural food, living in a more and more polluted environment, inhaling cigarette and engine smoke, paint and chemicals.”

 

Not all of Mr. Bey’s observations relate to health and safety concerns. For example, Mr. Bey provided an interesting description of Barack Obama’s June 2013 visit to Senegal, as well as an interesting perspective on U.S. relations with Africa:

 

Your President, Barack Obama, spent three days here with his wife, two daughters, mother-in-law, and a very huge delegation made up mainly of businessmen officials and security personnel. Some main roads of Dakar were closed to the public and taken over by the U.S. security forces to avert any attempt by violent gangs in Libya and Mali to infiltrate the joyful welcoming. The most moving moment of his visit was to Gorée Island, a small island close to Dakar from where thousands of slaves were said to have been exported in inhuman conditions to America during the slave trade. Visitors are shown the famous door of no return. … People are very happy and proud to welcome such guests. They do help financially the country. George Bush junior is the most outstanding in giving aid to African countries: He created the Millennium Challenge account award which undertook a lot of road and bridge construction and financed agriculture in a selected number of African countries to encourage them to more democracy. …The enlightened citizens will forever remember his legacy in Africa as John F. Kennedy’s Peace Corps initiative is still remembered today.  

 

Mr. Bey’s life is difficult and full of challenges, many of which are so different than the kinds of things that I have to deal with on a day to day basis. But we also share many concerns. He worries about his children and their futures. He wants to see his country run well and he aspires to a time when the government can properly address the challenges his country faces.

 

I feel very grateful to have gotten to know Mr. Bey through his letters. It is not just that the many challenges that Mr. Bey faces helps me to appreciate the many benefits that I enjoy, often without sufficient awareness. It is that through the words of this articulate, observant man I have come to appreciate the common humanity we all share with people living in a very different culture and under very different conditions.  His comments about and gratitude for the efforts of several American presidents to help his country made me feel proud, and helped me to appreciate that our prosperous country can help others to try to prosper and succeed.

 

I feel very fortunate to be able to call Mr. Bey my friend.

On June 4, 2014, in a long-awaited but not unexpected opinion (here), the Second Circuit ruled that Southern District of New York Judge Jed Rakoff had improperly rejected the $285 million settlement of the SEC’s enforcement action against Citigroup. Because the case involved the question of whether or not parties may enter into “neither admit nor deny” settlements with the SEC, the Second Circuit’s consideration of the case had been very closely watched. The Second Circuit’s decision appears to preserve the ability of litigants in most cases to enter settlements with the SEC without having to admit to liability. The opinion also represents a strong reaffirmation of judicial deference to the SEC’s discretionary authority to settle its cases.

 

Background

In its enforcement action, the SEC alleged that Citigroup had made misrepresentations in its marketing of collateralized debt obligations. At the same time the SEC filed its complaint, the parties filed a consent judgment for court approval. Among other things, Citigroup agreed to pay $285 million into a fund to be distributed to CDO investors.

 

In a November 28, 2011 order (about which, refer here), Judge Rakoff rejected the proposed settlement, holding that it was not fair, adequate, reasonable, or in the public interest because Citigroup had not admitted or denied the SEC’s allegations. Among other things, Judge Rakoff contended that without the admission of liability he was not in a position to assess the settlement. He also characterized the $285 million settlement as “pocket change” for Citigroup. Judge Rakoff put the action on track for trial on the merits. The parties jointly filed motions with the Second Circuit seeking to stay the District Court proceedings and for an interlocutory appeal of Judge Rakoff’s rejection of the settlement.

 

As discussed at length here, on March 15, 2012, in a sharply worded per curiam opinion, a three judge panel granted the motions to stay and for interlocutory appeal, finding that the parties had carried their burden of showing a substantial likelihood of success on the merits on appeal because the district court did not accord the SEC’s judgment adequate deference. This initial three judge panel did not rule on the merits of the appeal, but set the case on the court’s schedule. Because of the unusual circumstance in which both parties to the case joined together on the appeals issues, the Second Circuit appointed pro bono counsel to advocate for the district court’s order in the appeal.

 

The Second Circuit’s Opinion 

In a June 4, 2014 opinion by Judge Rosemary S. Pooler for a three judge panel, with a concurring opinion by Judge Raymond Lohier, the Second Circuit held that the district court had “abused its discretion by applying an incorrect legal standard in its review.” The appellate court vacated Judge Rakoff’s ruling and remanded the case for further proceedings. (In his concurring opinion, Judge Lohier agreed with the reasoning of the Court but indicated that he thought that the record was sufficient for the appellate court to reverse and to direct the district court to enter the consent decree.)

 

At the outset, the Second Circuit concluded first that Rakoff had not conditioned his approval of the settlement on a requirement for an admission of liability and that he did not do so “with good reason—there is no basis in the law for the district court to require an admission of liability as a condition for approving a settlement between the parties.”

 

The court then addressed what it called the “far thornier question – that is, what deference the district court owes an agency seeking a consent decree.” After reviewing its own case law on the issue, the Second Circuit said that

 

Today we clarify that the proper standard for reviewing a proposed consent judgment involving an enforcement agency requires that the district court determine whether the consent decree is fair and reasonable, with the additional requirement that the ‘public interest would not be disserved’ in the event the consent decree includes injunctive relief. Absent a substantial basis in the record for concluding that the proposed consent decree does not meet those requirements, the district court is required to enter the order. (Citations omitted)

 

The primary focus of the inquiry should be “on ensuring that the consent decree is procedurally proper … taking care not to infringe on the SEC’s discretionary authority to settle on a particular set of terms.”

 

Having articulated the standard for district court review of a proposed consent order, the Court then specified the three ways in which it believed that Judge Rakoff went wrong.

 

First, the Court said that:

 

It is an abuse of discretion to require, as the district court did here, that the SEC establish the ‘truth’ of the allegations against a settling party as a condition for approving the consent decree. Trials are primarily about the truth. Consent decrees are primarily about pragmatism…. It is not within the district court’s purview to demand ‘cold, hard, solid facts established either by admissions or by trials’ as to the truth of the allegation in the complaint as a condition for approving a consent decree.

 

With respect to the absence of admissions or denials, the Second Circuit specifically said that “in many cases, setting out the colorable claims, supported by factual averments by the SEC, neither admitted nor denied by the wrongdoer, will suffice to allow the district court to conduct its review.” Other cases may require an additional showing, as, for example where the district court is concerned that the settlement was the result of improper collusion.

 

Second, the Second Circuit said that Judge Rakoff had also erred in the way in which he considered the “public interest” in his review of the injunctive relief sought in the consent decree. The Court said that “the district court made no findings that the injunctive relief proposed in the consent decree would disserve the public interest, in part because it defined the public interest as ‘an overriding interest in knowing the truth.’ The district court’s failure to make the proper inquiry constitutes legal error.” (Citations omitted) In making its public interest determination, the district court may not “find the public interest is disserved based on its disagreement with the SEC’s decisions on discretionary matters of policy, such as deciding to settle without an admission of liability.”

 

Third, the appellate court said that “to the extent the district court withheld approval of the consent decree on the ground that it believed the SEC failed to bring the proper charges against Citigroup, that constituted an abuse of discretion.” The “exclusive right” to decide which charges to bring rests with the SEC.

 

The appellate court closed its opinion with a reminder that if the SEC chooses to file a civil action and then seeks court approval of a settlement of the action, the agency “must be willing to assure the court that the settlement proposal is fair and reasonable.” Because the district court’s power is required to enforce the settlement, “for the court to simply accept a proposed SEC consent decree without any review would be a dereliction of the court’s duty to ensure the orders it enters are proper.”

 

Discussion 

Notwithstanding the appellate court’s closing words about the importance of judicial review of the SEC’s consent decrees, the opinion overall is a pronounced endorsement of the need for judicial deference to the SEC’s authority and discretion in deciding whether or not and how to settle an enforcement action. At a minimum, the opinion reaffirms the SEC’s discretionary authority to enter, if it so chooses, into settlements in which the target of the enforcement action neither admits nor denies liability. The court not only said at the outset that “there is no basis in the law for the district court to require an admission of liability as a condition for approving a settlement between the parties,” but throughout the opinion signaled that the agency may appropriately use its discretion to enter into a settlement in which the other party neither admits nor denies liability.

 

Of course, on its own, the agency, under its new Chairman, Mary Jo White, has adopted a new policy in which it has declared that at least in certain cases it will require parties to provide admissions of liability as a condition of settlement, as discussed here. But while the agency may now in certain cases and on its own require the settling party to provide admissions, the Second Circuit’s opinion reaffirms the agency’s authority to enter if it so chooses into a settlement in which the settling party neither admits nor denies the allegations.

 

Even though the Second Circuit rejected Judge Rakoff’s refusal to accept the Citigroup settlement, his unwillingness to accept the settlement has had a significant impact. It is arguable that the SEC might not have adopted its new policy requiring admissions of liability if Judge Rakoff had not forced the issue onto the enforcement agenda. Judge Rakoff’s concerns have also encouraged other judges to scrutinize SEC settlements and to ask hard questions about the terms on which the SEC has settled.

 

But while Judge Rakoff’s rejection of the Citigroup settlement may have elevated the debate on these issues, in the end the appellate court flatly rejected Rakoff’s perspective on the court’s role in reviewing SEC settlements. Rakoff’s opinion rejecting the settlement was emotional, projected a high moral tone, and reflected a theoretical consideration of the issues. The appellate court’s perspective, by contrast, was (as it said itself of agency settlements) “pragmatic.” The appellate court’s opinion also reflected a more restrained and deferential conception of the role of the district court.

 

While compromises of disputed claims are less satisfying than a determination of issues of fault and liability, the system might grind to a halt if parties cannot compromise. The practical reality is that if the SEC is not free to compromise disputed claims without an admission of liability, then the parties are going to be far less likely to compromise, an outcome that would impose enormous costs on the litigants and burdens on the courts.

As I have frequently noted on this site (refer, for example, here), cyber security issues increasingly are a board level concern, and indeed, recent shareholder litigation has shown that investors intend to hold board members accountable when data breaches cause problems for their companies. In the following guest article, which was previously published as a Weil alert, Paul A. Ferrillo of the Weil Gotshal law firm takes a look at the issues surrounding cyber security and corporate governance from a board level perspective. Paul first examines the board’s duties in connection with cyber security issues; he then reviews the basic questions for board members to consider; and then examines the availability of insurance to address cyber security related issues.

I would like to thank Paul for his willingness to publish his article as a guest post on my site. I welcome guest post submissions from responsible authors on topics of interest to readers of this blog. If you are interested in publishing a guest post, please contact me directly. Here is Paul’s guest post.  

****************** 

The number, severity, and sophistication of cyber attacks – whether on our retail economy, our healthcare sector, our educational sector or, in fact, our government and defense systems – grows worse by the day.[1]

Among the most notable cyber breaches in the public company sphere was that hitting Target Corporation (40 million estimated credit and debit cards allegedly stolen, 70 million or more pieces of personal data also stolen, and a total estimated cost of the attack to date of approximately $300 million).[2] Justified or not, ISS has just issued a voting recommendation against the election of all members of Target’s audit and corporate responsibility committees – seven of its ten directors – at the upcoming annual meeting. ISS’s reasoning is that, in light of the importance to Target of customer credit cards and online retailing, “these committees should have been aware of, and more closely monitoring, the possibility of theft of sensitive information.”[3]

Unlike many other aspects of directing the affairs of a public company (e.g., overseeing its financial reporting function and obligations), “cyber” is new for many directors, and is certainly far from intuitive. For this reason, this article will focus specifically on the responsibilities of public company directors to oversee their company’s cyber security program (within the framework of the company’s enterprise risk management structure); the basic questions directors should be asking about a company’s cyber security, incident response, and crisis management program; and lastly, the potential value of a stand-alone cyber insurance policy to transfer some of the risk of a cyber attack to a reputable insurance carrier.

Directors’ Duty of Oversight with Respect to Cyber Security/Other Duties and Regulations Lurking About for Directors 

                A public company director’s “duty of oversight” generally stems from the concept of good faith. As noted in the seminal case, In re Caremark Int’l, Inc. Derivative Litigation, 698 A.2d 959 (Del.Ch. 1996), as a general matter “a director’s obligation includes a duty to attempt in good faith to assure that a corporate information and reporting system, which the board concludes is adequate, exists, and that the failure to do so in some circumstances, may, in theory, at least render a director liable for losses caused by non-compliance with applicable legal standards.” 

                However, the business judgment rule protects a director’s “informed” and “good faith” decisions unless the decision cannot be attributed to any rational business purpose. 

                In today’s world it would be hard to argue that cyber security should not be part of any organization’s enterprise risk management function, and thus, by inference, part of any director’s duty of oversight. Indeed, the plaintiffs’ securities class action bar has recently filed two shareholder derivative actions against the boards of directors of both Target and Wyndham Worldwide Hotels as a result of their publicly reported cyber breaches. In these complaints, the plaintiffs alleged, among other things, that the directors “failed to take reasonable steps to maintain their customers’ personal and financial information in a secure manner.”[4] 

                As was made clear by the questioning of the panelists in the recent SEC Cyber Roundtable, on March 26, 2014,[5] there are other reasons for directors to be intimately involved with decisions concerning a company’s cyber security, i.e. “the regulators.” Over the last several months, not only has the SEC been more involved generally with cyber “thinking” and security issues, but also the Office of Compliance, Inspections and Examinations of the SEC (governing investment advisors and asset managers), and the Financial Industry Regulatory Authority (FINRA) are all in the game.[6] So is the Federal Trade Commission, as well as state regulators, such as the New York State Department of Financial Services. Each of these organizations has its own exhaustive list of factors or areas of examination/consideration. They are long and extensive. And we have yet to see whether the SEC will issue additional guidance to public companies concerning what information is required to be disclosed to investors concerning cyber security incidents.[7] 

Cyber Governance Questions for Directors to Consider 

                Here are some basic questions public company directors should be asking when reviewing their company’s cyber security framework:  

                1. What part of the Board should handle examination of cyber security risks? Should it be the whole Board? Should this responsibility be assigned to the Audit Committee? The Risk Committee (if there is one)? Should the Board create a “Cyber Committee” to exclusively deal with these issues? Should additional Board members be recruited who have specific cyber security experience? 

                2. How often should the Board (or Committee) be receiving cyber security briefings? In this world, which moves at light-speed and in which cyber breaches are reported daily, are quarterly briefings enough? Should the Board be receiving monthly briefings? Or more (given the industry type of the Company on whose board they sit, e.g. tech/IP company)? 

                3. Given the sheer complexity and magnitude of many cyber security issues, should the Board hire its own “cyber advisers” to consult on cyber security issues, and to be available to ask questions of the Company’s senior management, CTOs, and CIOs? 

                4. What are the greatest threats and risks to the Company’s highest-value cyber assets? Does the Company’s human and financial capital line up with protecting those high-value assets? 

                5. What is the Company’s volume of cyber incidents on a weekly or monthly basis? What is the magnitude/severity of those incidents? What is the time taken and cost to respond to those incidents? 

                6. What would the worst-case cyber incident cost the company in terms of lost business (because of downtime of systems that were attacked and need to be brought back and because of the harm to the Company’s reputation as a result of the attack)? 

                7. What is the Company’s specific cyber incident plan, and how will it respond to customers, clients, vendors, the media, regulators, law enforcement, and shareholders? Does the Company have a crisis management plan to respond to all these various constituencies, as well as the media (both print and electronic/high activity bloggers)? Finally, has the cyber incident plan been tested (or “war-gamed”) so that it is ready to be put into place on a moment’s notice? 

                8. What cyber security training does the Company give its employees? 

                9. What sort of “cyber due diligence” does the Company perform with respect to its third-party service providers and vendors?[8] 

                10. In a mergers and acquisitions context, what is the level of cyber due diligence that is done as part of the consideration of any acquisition? 

                11. Has the Company performed an analysis of the “cyber-robustness” of the company’s products and services to analyze potential vulnerabilities that could be exploited by hackers? 

                12. Finally, should the Company consider adopting, in whole or in part, the NIST cyber security framework as a way or method of showing affirmative action to protect the company’s IP assets? 

                This list could go on for pages. But it won’t, since we believe it serves its purpose, i.e. there are plenty of tough questions that directors need to ask of their senior management and senior IT staff. And directors may need their own advisors and professionals to help them fulfill their oversight duties in helping to assess and ask the tough questions. 

Availability of Cyber Insurance to Mitigate Cyber-related Risks and Costs 

                Given the past two years of major cyber breaches, one additional question directors should consider is whether or not the Company should be purchasing cyber insurance to mitigate its cyber risk, including its forensic costs, incident and crisis management response costs, and the litigation costs, expenses, and settlements that could be incurred as a result of a major cyber breach. 

                Though in the past many companies tried to insure cyber breaches through their comprehensive general liability policies, today’s “gold” standard is to purchase stand-alone cyber insurance coverage. Though some in the industry have called the area of cyber insurance the “Wild West,” rules of thumb have started to emerge regarding coverages frequently found in stand-alone cyber insurance policies. For example, such a policy may cover: 

                1. Loss arising from third party claims resulting from a security or data breach (i.e., a lawsuit by a financial institution against a retailer following a breach for damages, or regulatory actions in connection with a cyber breach); 

                2. The direct first party costs of responding to a breach, like the forensic costs of determining what caused the cyber breach; 

                3. Lost income and operating expenses (“business interruption insurance”) resulting from a cyber breach; 

                4. Cyber extortion threats against a Company. 

                The better stand-alone cyber insurance policies go even further. Some will provide a rapid response team staffed by IT experts to consult with a company and help manage their response to the cyber incident. Some have a 24/7 hotline that is available to help guide companies through a cyber breach. Additionally, some policies will help reimburse the costs attendant to the incident itself, including paying the costs of required customer notification, as well as the cost of a crisis management team to help the Company communicate with its key customers and vendors after a breach to help minimize reputational harm. 

                Because stand-alone cyber insurance policies are a relatively new phenomenon, it would be important to check if your cyber carrier has a good claims-handling and claims-paying reputation, or a reputation as a “strict constructionist” of exclusions. No two policies are alike, so offered terms, exclusions, and endorsements should also be compared. Experts like sophisticated insurance brokers or insurance coverage lawyers can be consulted here to make sure the Company gets the best policy that it can. Further, as certain very large scale cyber security breaches have also resulted in shareholder derivative actions alleging breach of fiduciary duty claims against directors, it would be wise for directors to consider the sufficiency of the Company’s directors and officers liability insurance program. 

                Finally, given the reported costs of certain companies that have had to respond to cyber breaches, directors should question how much cyber insurance is available in the marketplace for a company to purchase. The Company’s insurance broker should be consulted, and bench-marking information may be available on a company or industry specific basis to advise how much insurance other similarly situated companies are purchasing. We are told by the brokerage community that up to $300 million in cyber insurance may be available for a Company to purchase if it truly wants to transfer some of its cyber-related risk to a good insurance carrier. Risk transfer mechanisms like cyber insurance are certainly no substitute for a robust cyber security and battle-tested incident response plan, along with rigorous training of all employees, but they can be an important component of a company’s overall cyber risk mitigation plan.

 NOTES:

1. Report: Growing Risk of Cyber Attacks on Banks (noting that “A yearlong survey of New York bank security has found that cyber thieves are using increasingly sophisticated methods to breach bank accounts”), The Wall Street Journal, May 6, 2014, available here.

2. See “The Target Breach: By the Numbers,” available here.

3. Paul Ziobro and Joann S. Lublin, ISS’s View on Target Directors Is a Signal on Cybersecurity, The Wall Street Journal, May 28, 2014, available here.

4. Kevin LaCroix, Wyndham Worldwide Board Hit with Cyber Breach-Related Derivative Lawsuit, The D&O Diary, May 7, 2014, available here.

5. See Webcast of SEC Cybersecurity Roundtable, March 26, 2014, available here.

6. John Reed Stark, Cybersecurity and Financial Firms: Bracing for the Regulatory Onslaught, April 21, 2014, available here.

7. CF Disclosure Guidance: Topic No. 2, October 13, 2011, available here.

8. Trustwave 2013 Global Security Report (noting that 63% of all investigations showed that a cyber breach emanated from a third-party vendor or IT administrator), available here.


In light of the recent legislative initiative to restrict Delaware stock corporations’ use of fee-shifting bylaws, companies incorporated in Delaware have, as described in a recent Law 360 article (here, subscription required), a “smaller more defined toolbox” to reduce the burdens involved with shareholder suits. As it stands, the article notes, the “sharpest tool in the arsenal is boards’ ability to define where cases will be heard.” As the Jones Day law firm noted in a May 2014 memo (here), the use of exclusive forum provisions has become “mainstream.” An increasingly large number of companies are adopting forum selection bylaws, and courts outside of the selected forum are showing a consistent willingness to enforce the provisions.


As discussed here, in June 2013, the Delaware Chancery Court upheld the validity of a bylaw adopted by Chevron’s board that designated Delaware as the exclusive forum for adjudication of various shareholder disputes. Although the plaintiffs in that case withdrew their appeal, so that there was no Supreme Court review of the Chancery Court ruling, the “overwhelming view of corporate law experts,” according to the Jones Day memo, is that “exclusive forum provisions are valid and enforceable under Delaware law.”


A May 28, 2014 memo from the Sullivan & Cromwell law firm entitled “Exclusive Forum Bylaws Gain Momentum” (here) takes a detailed and comprehensive look at the ways that companies and courts have become increasingly comfortable with these exclusive forum provisions.


First, the Sullivan & Cromwell memorandum details the benefits that these kinds of provisions afford. An exclusive forum bylaw can “discourage forum shopping by plaintiffs and the practice of litigating similar or identical claims in multiple jurisdictions.” The bylaws “remove the need to hire multiple counsel and make filings in different jurisdictions.” These kinds of provisions “reduce the risk of inconsistent outcomes.” And they allow companies to designate a court with “particular expertise in corporate matters” – for example, the Delaware Court of Chancery.


Second, the memo details the extent to which an increasing number of companies are adopting these kinds of provisions. Just in the first six months after the Chancery Court ruling in the Chevron case, as many as 112 Delaware corporations adopted or announced plans to adopt exclusive forum bylaws. A detailed appendix to the memo examines the 32 S&P 500 corporations that have adopted exclusive forum bylaws. These kinds of provisions increasingly are included in the charters or bylaws of companies conducting initial public offerings. As the memo notes, while the various shareholder proxy advisory services have recommended against bylaw proposals, shareholders themselves “do not appear to have resisted their adoption or punished directors or companies that have adopted them.”


Third, and perhaps most significantly for these bylaws to be useful, “all state courts that have considered the enforceability of exclusive forum provisions have upheld them, including courts in California, New York, Illinois and Louisiana.” These decisions, the memo notes, “demonstrate a judicial willingness to honor exclusive forum bylaws.” If the trend of enforcement of forum provisions by non-Delaware courts continues, the need to litigate the question outside of Delaware “may become less of a burden.”


In light of these developments and the benefits the bylaws can afford by reducing the costs of multi-jurisdictional litigation, “companies should give serious consideration to adopting such a bylaw.” Companies considering whether or not to adopt a forum selection bylaw may want to consider whether to adopt the provision in the bylaws or to take the further step of amending the corporate charter, and whether to include express carve-out provisions for cases in which the chosen forum does not have personal or subject-matter jurisdiction.


The memo also suggests that in order to avoid undermining the potential effectiveness of the provision, it would be “prudent” for companies to “adopt an exclusive forum provision well before any corporate event that could reasonably be anticipated to give rise to litigation.” A company adopting a forum selection bylaw “should ensure that the company’s public disclosure appropriately explains the rationale for the adoption, including any excessive costs that the company has incurred from multi-jurisdictional litigation.”


The memo helpfully includes some sample language for companies to review in connection with their adoption of a forum selection bylaw. The table appended to the memo includes a detailed review of the provision that various S&P 500 companies have adopted, and with respect to each example, the table notes the company involved; the forum selected; whether or not the bylaw allows for an alternative forum; the kinds of claims to which the bylaw applies; and whether or not the bylaw includes a jurisdictional consent provision.


As various academic and research studies have well documented, virtually every M&A transaction these days attracts litigation. All too often, this litigation entails a multi-jurisdictional battle. Indeed, as Cornerstone Research detailed in its 2013 study of M&A-related litigation, 62% of mergers and acquisitions in 2013 were litigated in more than one court. The adoption of a forum selection provision provides companies a way to fight back against the curse of multi-jurisdiction litigation. As the Jones Day memo to which I linked above puts it, “an exclusive forum bylaw is not intended to prevent plaintiffs from bringing deal-related litigation, but instead to prevent forum-shopping, to avoid the costs and expenses of multi-forum litigation, and to ensure that the litigation is heard in Delaware by Delaware judges.”


While, as I noted at the outset, a forum selection bylaw may be the “sharpest tool in the arsenal” for corporate boards trying to reduce the burdens and expense of shareholder litigation, there is yet another bylaw innovation that is in play. As discussed at length here, several court rulings have now upheld the enforceability of a bylaw provision requiring the arbitration of shareholder disputes. While the developments in this area are at most nascent, the possibility of a bylaw provision containing a class action litigation waiver potentially could significantly alter the shareholder litigation environment. In other words, there could be at least one or two other tools in the arsenal for companies to use to try to avoid the burdens and expense of shareholder litigation.


Readers interested in the topic of forum selection bylaws will want to review the January 15, 2014 article entitled “Trends in Exclusive Forum Bylaws” (here) by Claudia H. Allen of the Katten Muchin Rosenman law firm.