Although the class action lawsuit is most often associated with the litigious legal culture in the United States, the fact is that in recent years class action and other group litigation procedures have been expanding around the world. Forces of globalization and the rise of organized groups of aggrieved claimants have encouraged a host of countries to adopt class, collective or other representative action procedures, and still other countries are currently considering the adoption of these kinds of legal schemes.

 

The availability of these kinds of collective action procedures in many countries is an increasing concern for legal and insurance professionals around the world, as well as for their clients. However, even with the vast resources of the Internet only a mouse click away, it can be very challenging to determine whether any given country has adopted some form of collective action and how any given country’s collective action scheme compares to others.

 

Fortunately, there is now a terrific resource that collects and organizes this information in a single volume. The book, entitled World Class Actions: A Guide to Group and Representative Actions Around the Globe (about which refer here), was edited by Paul Karlsgodt, of the Baker & Hostetler law firm. (Karlsgodt may be familiar to many readers as the author of Classactionblawg.com.) The book consolidates the work of 53 different authors from around the world, whose contributions address the development of collective action procedures across the globe.

 

The book’s various chapters address the availability of class procedures not only in North America and Europe, but also in Latin America, Asia and even parts of Africa. Each chapter is written by a local attorney familiar with the laws, best practices, legal climate and culture of the jurisdiction. Each of the entries describes the relevant aspects of the country’s or countries’ civil court system and surveys the available collective action procedures. Each entry also includes relevant cultural considerations that pertain to the processes and remedies available in the relevant country’s courts.

 

The book also incorporates a separate section of essays on the issues concerning transnational law – that is, issues or actions that span geographic and political boundaries. This portion of the book addresses the challenges surrounding efforts to develop binding global solutions to private disputes. In addition, the book addresses the problems that can arise when the claimants are not all located in a single country or when there are parallel actions involving the same defendants proceeding in multiple jurisdictions.

 

This new book provides a helpful introduction to the incredibly complex and varied topic of collective actions around the world. It will serve as a valuable resource for lawyers and other professionals as they attempt to navigate and develop strategies for litigation and risk management while doing business abroad. This book will be particularly valuable for those whose jobs require them to understand and manage the litigation risks their clients must attempt to manage in their operations around the world. I highly recommend this book.

 

The Class Action Playbook: And speaking of class actions, the same publisher that is responsible for World Class Actions has also recently published the second edition of The Class Action Playbook (about which refer here), a single volume class action litigation resource written by Brian Anderson of the O’Melveny & Myers law firm and Andrew Trask of the McGuire Woods law firm. (Trask may be familiar to readers of this blog as the author of the Class Action Countermeasures blog.)

 

The Playbook is intended as a guide for practitioners and others who must navigate the class action process in the U.S. courts, aiming to provide the requisite information to permit the participants to develop their strategies as the action progresses. The authors explain the importance of the issues at each stage in the process and the factors participants should consider in deciding what actions to take.

 

The publication of the second edition is particularly timely, as there have been a number of recent significant developments, including, for example, the U.S. Supreme Court’s decisions in the Wal-Mart case, the Concepcion case, and the Matrixx Initiatives case. The updated version is a useful practical guide for anyone involved in class action litigation.

 

And Speaking of Collective Actions: A flock of starlings is called a “murmuration,” but that description hardly does justice to what starlings are capable of collectively. As described in a November 2011 post on Time.com (here):

 

No one knows why they do it. Yet each fall, thousands of starlings dance in the twilight above Gretna, Scotland. The birds gather in magical shape-shifting flocks called murmurations, having migrated in the millions from Russia and Scandinavia to escape winter’s bite. Scientists aren’t sure how they do it, either. Even complex algorithmic models haven’t yet explained the starlings’ acrobatics, which rely on the tiny bird’s quicksilver reaction time of under 100 milliseconds to avoid aerial collisions—and predators—in the giant flock. Despite their show of force in the dusky sky, starlings have declined significantly in the UK in recent years, perhaps because of a drop in nesting sites. The birds still roost in several of Britain’s rural pastures, however, settling down to sleep (and chatter) after the evening’s ballet.

 

I confess that until I had seen the video below, sent to me by an industry colleague, I had no idea that starlings were capable of anything remotely interesting. But I have to say that now that I am acquainted with the murmuration of starlings, I have an entirely new appreciation for the birds. Please give yourself a treat and watch this video, embedded below.

 

A November 8, 2011 Wired Magazine article entitled “The Startling Science of Starling Murmurations” can be found here.

 

Murmuration from Islands & Rivers on Vimeo.

As I have previously noted (most recently here), the pace of filing of FDIC actions against directors and officers of failed banks has slowed considerably as 2012 has progressed. Indeed, there have only been two new FDIC failed bank lawsuits filed since May, and none at all since mid-July (even though the FDIC has each month continued to increase the number of authorized lawsuits, as reflected on the agency’s website, here).

 

While the FDIC has not filed any new failed bank lawsuits recently, that is not to say that the regulatory authorities have not been active. Specifically, on September 25, 2011, the SEC filed enforcement actions in the District of Nebraska against three former officers of the failed TierOne Bank of Lincoln, Nebraska, as well as against the son of one of the three officers. The SEC’s September 25, 2012 press release regarding the enforcement actions can be found here, and the SEC’s two complaints can be found here and here.

 

Banking regulators closed TierOne Bank on June 4, 2012 (refer here). The SEC alleges that prior to the closure, TierOne understated its loan losses and misstated the value of real estate the bank had repossessed. The SEC alleges that as a result of the bank’s expansion into “riskier types” of lending in Las Vegas and other high growth areas, and the resulting increase in problem loans, the Office of Thrift Supervision directed the bank to maintain higher capital ratios. The SEC alleges that in order to comply with these requirements, three TierOne officials – Gilbert Lundstrom, the bank’s Chairman and CEO; James Laphen, the bank’s President and COO; and Don Langford, the bank’s chief credit officer – disregarded information that collateral securing the bank’s loans and real estate the bank had repossessed were significantly overvalued. The SEC alleges that as a result the bank’s losses were understated by millions of dollars in multiple SEC filings.

 

The SEC further alleges that after the OTS required the bank to obtain new appraisals for the collateral and repossessed real estate, the bank disclosed more than $130 million in loan losses. The SEC alleges that had these losses been booked in the appropriate quarters, the bank would have missed the required capital ratios several quarters earlier. Following the announcement of the loan losses, the bank’s stock price dropped more than 70%.

 

The SEC alleges that Lundstrom communicated inside information to his son about the bank’s intention to sell certain assets. With the benefit of this information, Lundstrom’s son was able to purchase TierOne stock and then later sell it at a profit.

 

The SEC has reached settlements with Lundstrom and with his son, and with Laphen. Lundstrom has agreed to pay a $500,921 penalty. Laphen has agreed to pay a $225,000 penalty. Lundstrom’s son has agreed to pay $225,921 in disgorgement plus a $225,921 penalty. The sole remaining defendant, Langford, has not settled the charges, and the case against him remains pending.

 

The SEC’s press release quotes SEC Enforcement Director Robert Khuzami as saying that the bank’s understatement of its loan losses had the effect of “concealing the bank’s deterioration from shareholders and regulators alike.” The SEC’s press release also expressly acknowledges the “cooperation” of the Office of the Comptroller of the Currency.

 

The SEC enforcement actions relating to TierOne Bank are not the first that the SEC has brought in the wake of a bank closure as part of the current wave of bank failures. As noted here, in April 2012, the SEC filed a civil enforcement action against two former officers of the publicly traded holding company of the failed Franklin Bank. In addition, as noted previously (here, scroll down), in an October 11, 2011 complaint (here), the SEC filed a civil enforcement action against four former officers of UCBH Holdings, Inc., the holding company for United Commercial Bank, which failed in November 2009.

 

The SEC action against the former TierOne officials serves as a reminder that the former directors and officers of a failed bank face significant additional litigation threats beyond just the possibility of a civil action by the FDIC in its role as receiver of the failed bank. Where, as here, the failed institution or its holding company was publicly traded, the potential liability exposures include the possibility of an SEC enforcement action or even a securities class action lawsuit. Even though the penalty amounts the SEC sought in the enforcement actions would not be covered under a D&O policy, the costs associated with defending this type of enforcement action would likely be covered (assuming that D&O insurance coverage is in fact available). These costs erode the limits of liability of any applicable insurance, reducing the amount of insurance available for any other pending claims. All of which is a reminder of the strains that post-failure litigation can put on the D&O insurance resources of a failed bank.

 

Summary Judgment Denied in Failed Bank Coverage Suit: Readers may recall that in a prior post (here), I described an action that a D&O insurer had filed in the Eastern District of Michigan, seeking a judicial declaration that the policy the insurer had issued to the failed Michigan Heritage Bank did not provide coverage for the claims that the FDIC, as receiver for the failed bank, had filed against a former officer of the bank. The defendants in the insurer’s declaratory judgment action include both the FDIC and the former bank official that the FDIC has separately sued.

 

In its declaratory judgment action, the insurer contends that there is no coverage under its policy for the FDIC’s claim against the former bank officer, arguing that coverage is barred by the “insured vs. insured” exclusion and that the financial loss alleged in the underlying claim does not constitute loss under the policy. The insurer moved for summary judgment.

 

In a September 24, 2012 opinion and order (here), Eastern District of Michigan Judge Bernard Friedman denied without prejudice the insurer’s summary judgment motion. In opposing the summary judgment motion, the FDIC argued that the motion was premature because the terms on which the carrier seeks to rely are ambiguous and because discovery is required to determine the meaning of the terms.

 

In denying the insurer’s motion, Judge Friedman said that “the FDIC has shown that some ambiguity exists in the insured vs. insured exemption [sic] due to the ‘security holder exception,’ the omission of a regulatory exclusion, and statements by plaintiff that regulatory suits, which might include the instant action are covered.”

 

Judge Friedman also found “the FDIC has shown that some ambiguity exists in the definition of ‘loss’ because the so-called ‘loan loss carve out’ does not clearly exemption tortious conduct.” Judge Friedman also cited the insurer’s marketing materials “which indicated that charged-off loan losses are covered not excluded.” Judge Friedman denied the summary judgment motion to permit discovery on specified issues.

 

Judge Friedman’s ruling in this case does not represent a determination on the merits. It does not represent a determination that the Insured vs. Insured exclusion does not apply to a claim by the FDIC as receiver of a failed bank against the former officials of the bank.

 

However, there may still be some significance to the fact that Judge Friedman did find “some ambiguity” in the provisions on which the insurer sought to rely to contest coverage. His determination in this regard depended in part on specific factual issues, pertaining in particular to the insurer’s marketing materials. Nevertheless, the ruling does represent to some extent a determination that the question of whether or not the Insured vs. Insured exclusion applies to an FDIC failed bank lawsuit may not be a strictly legal issue but could involve factual issues on which discovery is required. If this coverage question is a factual issue – if there is “some ambiguity” regarding the insured vs. insured exclusion – it could complicate insurers’ efforts to rely on the exclusion in order to contest coverage for FDIC failed bank claims.

 

To be sure, there will likely be another round on the issue of the exclusion’s applicability following discovery. But having to go on to that later round could, at a minimum, mean that obtaining the coverage determination turns out to be more involved than it might initially have seemed.

 

FDIC, Bank Officials Settle Failed Bank Lawsuit: According to press reports, the FDIC and certain former directors and officers of Heritage Community Bank of Glenwood, Illinois have reached a settlement of the failed bank litigation that the FDIC, as receiver for the bank, had filed against the former bank officials. Background regarding the FDIC’s 2012 lawsuit can be found here. The press reports do not disclose the amount or terms of the settlement. The September 10, 2012 settlement stipulation that the parties filed with the court (a copy of which can be found here) does not disclose the terms or amount of the settlement.

 

A March 2012 memo by the Jones Day law firm discussing the Heritage Community Bank case (among other things) can be found here.

 

FDIC Settles Failed Bank Insurance Coverage Action: A week after the parties to the Heritage Community Bank case filed their settlement stipulation, the parties to the D&O insurance lawsuit pending in the District of Puerto Rico involving the failed Westernbank also filed a stipulation of settlement. As discussed here (refer to the "Update" section in the body of the blog post), in January 2012, the FDIC intervened in an action that the holding company for Westernbank had filed against the bank’s D&O insurance carriers. According to the parties’ September 17, 2012 stipulation (here), the FDIC and the carriers have reached a settlement. The terms of the settlement are not disclosed in the stipulation.

UPDATE: A knowledgeable reader who wishes to remain anonymous advises as follows with respect to the Westernbank settlement: "That action actually hasn’t settled. The parties to a parallel proceeding involving fidelity bonds issued by [two insurers] (who also are parties to the Westernbank/FDIC D&O coverage action) did apparently settle, and was confirmed by the motion to dismiss referenced in your blog post. Very similar parties, and they involve some of the same underlying loans that assertedly led to the failure of the bank. But the fight goes on in the D&O coverage litigation."


As the various forms of social media have become increasingly pervasive, employers have struggled with appropriate responses to employees’ use of the social media sites. One question in particular that has arisen is the extent to which employers can seek to regulate and even discipline employees’ use of social media to comment on the employer or their workplace. A recent decision by a three-judge panel of the National Labor Relations Board, addressing the social media policies of Costco Wholesale Corp., held that the company’s social media policy violated its employees’ rights under the National Labor Relations Act. A copy of the NLRB’s September 7, 2012 Decision and Order can be found here.

 

I should note at the outset that this NLRB ruling was discussed by a panel at the Advisen Management Liability Insights Conference in New York last Thursday. In addition, a work colleague also forwarded me a copy of the Blank Rome law firm’s September 2012 memo about the NLRB’s ruling. I acknowledge here my indebtedness to the conference panel and to my work colleague for identifying this topic and suggesting many of the comments in this post.

 

The NLRB’s Costco ruling arose out of efforts at the company’s Milford, Connecticut facilities to organize the facilities’ meat department employees. In connection with these activities, the concerned union filed charges with the NLRB alleging that the company had violated the employees’ rights under the National Labor Relations Act. Among other things, the union alleged that the company had certain unlawful rules in its employee handbook. Among these rules is one stating that “any communication transmitted, stored or displayed electronically must comply with the policies outlined in the Costco Employment Agreement.”

 

The rule goes on to state that statements “posted electronically (such as [to] online message boards or discussion groups) that damage the Company, defame any individual or damage any person’s reputation, or violate the policies outlined in the Costco Employee Agreement may be subject to discipline, up to and including termination of employment.”

 

The Administrative Law Judge who heard the union’s charges upheld this rule, determining that employees would reasonably conclude that the company’s purpose in devising the rule was to ensure a “civil and decent workplace.”

 

The NLRB rejected the ALJ’s determination, concluding to the contrary that the rule “allows employees to reasonably assume that it pertains to – among other things – certain protected concerted activities, such as communications that are critical to the Respondent’s treatment of its employees.” The rule, the NLRB said, “clearly encompasses concerted communications protesting [Costco’s] treatment of its employees.” Costco’s maintenance of the rule therefore “has a reasonable tendency to inhibit employees’ protected activity” and as such “violates” the National Labor Relations Act.

 

The Blank Rome law firm’s memo comments that the NLRB’s ruling (the NLRB’s first binding decision on the issue) “serves as a reminder to employers to review the scope of their social media policies and to carefully analyze how they may be construed.”

 

As noted in a September 21, 2012 memorandum from the Franczek Radelet law firm about the ruling (here), the need to review social media policies applies to both union and non-union employers. The memo adds that “now more than ever, all employers should continue to review and update all of their policies to ensure that they are specific, narrowly tailored to their business needs, and do not sweep so broadly so as to interfere with employee rights under federal labor law.”

 

In thinking about the potential EPL insurance implications of this development, it is important to note that many EPL policies have National Labor Relations Act exclusions, precluding coverage for claims based upon alleged violations of the NLRA or similar federal, state and local statutes. However, many insurers are willing upon request to amend this exclusion to provide a carve-back specifying that the NLRA exclusion does not apply to claims for retaliation.

 

A retaliation carve-back to the EPL policy’s NLRA exclusion would not preserve coverage for all claims asserting that a company’s social media policy violates the NLRA. However, Costco’s social media policy not only contemplated discipline for violation of the policy, but expressly allowed for employee termination. The retaliation claim coverage carve-back to the NLRA exclusion might preserve coverage for a claim by an employee that he or she was terminated in retaliation for engaging in activity that contravened a social media policy that violated the NLRA – or, to put it more simply, in retaliation for engaging in activity protected by the NLRA. However, even among carriers who are willing to extend the carve-back to the NLRA exclusion, the carriers sometimes restrict the carve-back so that it does not extend coverage to class or mass action claims.

 

Jay Rockefeller’s Cyber Security Letter: On September 19, 2012, John D. Rockefeller, IV, the Democratic Senator from West Virginia, sent a letter to the CEOs of all of the Fortune 500 companies, asking each CEO to voluntarily respond by October 19, 2012 to several broad questions pertaining to the company’s view on cybersecurity and to the federal government’s efforts to promulgate national cybersecurity standards. A copy of the letter Senator Rockefeller sent to IBM’s CEO can be found here.

 

As detailed in a September 19, 2012 memorandum from the Gibson Dunn law firm (here), Rockefeller’s letter follows his unsuccessful efforts earlier this year to pass legislation intended to impose heightened cybersecurity standards on a national level. (Indeed, a cynical reader might say that the letter is basically just one long gripe to the CEOs that the legislation failed to pass due to a filibuster and the efforts of business lobbyists.) The law firm memo also points out that the letter follows other efforts Rockefeller has made to focus on cybersecurity outside of the legislative process, including his successful efforts last year to have the SEC provide guidance to public companies on what disclosures they should make concerning the companies’ cybersecurity risks and incidents.

 

The letters in and of themselves are unlikely to change anything. However, Rockefeller’s continuing efforts underscore the fact that cybersecurity is likely to remain both a high profile issue and a highly politicized issue. At the same time, other companies will find themselves, as Google recently did, under increased pressure to make disclosures regarding cybersecurity risks and incidents.

 

With increasing public scrutiny on companies’ cybersecurity preparedness and disclosure comes the increasing possibility that companies experiencing cybersecurity incidents — and their directors and officers — may face claims from shareholders and other constituencies that they failed to implement appropriate cybersecurity measures or made misrepresentations about their cybersecurity preparedness. As recently noted in Rick Bortnick’s Guest Post on this blog, potential D&O liability is one of the significant components of cyber risk. The high-profile nature of these issues and the level of scrutiny increase the likelihood that we will see claims against companies’ directors and officers based on cybersecurity preparedness and cyber disclosure.

 

Concerns About JOBS Act Fundraising: Another topic that the Advisen conference in New York addressed last week was the whole topic of concerns with fundraising activities enabled by the recently enacted JOBS Act. The Act’s provisions permitting crowdfunding and loosening restrictions on solicitation and advertising for exempted offerings at a minimum create a context within which liability claims could arise and also increase the possibility for fraud. The Act’s provision raising from 500 to 2,000 the number of shareholders a company may have before it takes on SEC reporting obligations not only increases the potential scale of these problems but also ramps up the number of prospective claimants that might object.

 

As the panel at the Advisen conference discussed, these concerns will pose a host of challenges not only for prospective investors but for private company D&O underwriters, as well. A September 22, 2012 Wall Street Journal article entitled “On Crowdfunding and Other Threats” (here) reviews the steps that prospective investors can take to try to avoid getting scammed in a JOBS Act offering. Though the list of steps in the article is addressed to investors hoping to avoid getting defrauded, the list also provides a useful starting point for D&O underwriters trying to think about and to underwrite these risks. At a minimum, it seems clear that caution is indicated here, both for investors and for insurance underwriters.

Readers interested in a more positive perspective on the possibilities of new forms of funding such as “crowdfunding” may want to take a look at the article in this week’s issue of Time Magazine entitled “The Kickstarter Economy” (here, subscription required). The article chronicles the successes of (and challenges for) Kickstarter, the online fundraising portal. The article optimistically suggests that online fundraising will support nascent enterprises that are well-intentioned and worthy. At the same time, the article also documents many initiatives that failed to live up to their own aspirations.

 

One of the panelists at the JOBS Act session at last week’s Advisen conference was Carl Metzger of the Goodwin Procter firm, who pointed out that his firm has a page on its website devoted to JOBS Act-related concerns. The firm’s webpage, which can be found here, is a good one-stop resource on JOBS Act issues and developments.

 

German Court Dismisses Investors’ Porsche Suit: As I have discussed in numerous posts on this blog (most recently here), aggrieved investors who lost money short-selling VW shares and who claim they were misled by Porsche’s management have been trying to pursue claims against Porsche and its senior officials in U.S. courts. (Background regarding the dispute can be found here.) After their initial U.S. federal court action was dismissed (about which refer here), some investors tried to pursue claims against Porsche in Germany’s courts. Now, according to press reports (refer here), the first two of these German lawsuits to be considered have been dismissed.

 

According to the news reports, the Braunschweig regional court determined that the allegedly misleading statements on which the investor claimants sought to rely in support of their claims against Porsche did not amount to “vicious behavior” that would have misled investors. A statement on the court’s website about the September 19, 2012 court determination (in German) can be found here. According to the news reports, three additional cases remain pending before the same German court.

 

The outcome of the two German cases highlights why the aggrieved investors tried first to assert their claims in the U.S., and why some investors are continuing to press the U.S. claims. The appeal of the dismissal of the original U.S. federal court lawsuit remains pending in the Second Circuit. In addition, other investors’ New York state court common law claims have survived an initial motion to dismiss (about which refer here). This long-running litigation saga continues to grind on, but the outcome of the two recent German court decisions seems to suggest that whether investors are to have any hope of relief will depend on further developments in the U.S. proceedings, particularly the pending appeal in the Second Circuit.

 

I am pleased to publish below a guest post from my good friend Kimberly M. Melvin and her colleague John E. Howell, both of the Wiley Rein LLP law firm. Kim and John’s article discusses a recent decision from New York’s high court and its implications for the scope of coverage under a fiduciary liability insurance policy. This article was first published by Advisen.

 

I would like to thank Kim and John for their willingness to publish their article on this site. I welcome guest posts from responsible commentators on topics of interest to readers of this blog. Any readers who are interested in publishing a guest post on this site are encouraged to contact me directly. Here is Kim and John’s guest post:

 

The Employee Retirement Income Security Act (ERISA) virtually created the market for fiduciary liability insurance because it both expanded potential liabilities for fiduciaries of benefit plans and—crucially—extended liability to the personal assets of individual fiduciaries. The demand for fiduciary liability insurance largely grew out of a desire to protect fiduciaries from such personal liability. This insurance—focused on protecting individual fiduciaries—by design did not cover a plan sponsor’s non-fiduciary acts, such as making business decisions regarding its employee benefit plans. New York’s high court recently issued a decision that recognized and confirmed this basic limitation in Federal Insurance Co. v. International Business Machines Corp., 965 N.E.2d 934 (N.Y. 2012). 

 

Yet, commentators, carriers and insurance buyers alike continue to criticize the IBM decision as creating a new “gap” or marking a sea change in the scope of coverage. Such criticism does not hold up. The IBM decision is really nothing new. It reflects the traditional terms and function of fiduciary liability insurance—to protect fiduciaries. What’s more, the recent market trend toward expanding the scope of fiduciary liability coverage to plan sponsors may not ultimately serve the best interests of insurance buyers and the primary intended beneficiaries of the coverage—individual fiduciaries of employee benefit plans.

 

Settlor or Fiduciary: The Sponsor of an ERISA Plan May Wear Multiple Hats

A company that sponsors an employee benefits plan can “wear two hats: one as a fiduciary in administering or managing the plan for the benefit of participants and the other as employer in performing settlor functions such as establishing, funding, amending, and terminating the trust.”[1] A plan sponsor acts as a fiduciary when it exercises discretionary authority over the management of a plan or its assets or the administration of the plan. But when a plan sponsor makes business decisions regarding a plan, such as whether to create, fund or terminate a plan, it acts as a settlor, not a fiduciary. 

 

As a settlor, the plan sponsor may pursue the best interests of the company and its shareholders and is not subject to ERISA’s fiduciary duties. As a fiduciary, the sponsor’s overriding concern must be the best interests of the plan participants. Since ERISA does not impose breach of fiduciary duty liability on a plan sponsor acting as a settlor, it may be asked: why do these differing “hats” matter? Because a plan sponsor can—in rare cases—be liable under ERISA for non-fiduciary acts. For example, settlor acts like amending an ERISA plan may violate ERISA’s “anti-cutback” or anti-discrimination rules.

 

The IBM Decision: Fiduciary Liability Coverage for Liability as a Fiduciary

IBM was sued in a class action alleging age discrimination under ERISA in connection with amendments to IBM’s pension plan—a settlor function. IBM settled the litigation and then sought coverage from its fiduciary liability insurance carriers for the settlement. IBM’s first excess insurer, Federal Insurance Company, filed a lawsuit seeking a declaratory judgment that the settlement was not covered because the class action did not allege that IBM acted in a fiduciary capacity. The Federal policy afforded specified coverage in connection with a “Wrongful Act,” defined, in relevant part, as “any breach of the responsibilities, obligations or duties by an Insured which are imposed upon a fiduciary of a Benefit Program by [ERISA].” Because the class action undisputedly did not concern conduct by IBM in its fiduciary capacity under ERISA, Federal maintained that the class action did not involve a “Wrongful Act.” The Court of Appeals of New York agreed, finding that “[a] straightforward reading of . . . the ‘Wrongful Act’ definition is that it covers violations of ERISA by an insured acting in its capacity as an ERISA fiduciary.”[2] Since “IBM was not acting as an ERISA fiduciary in taking the actions that gave rise to the allegations” in the class action, but instead was acting as a plan settlor, the New York high court held that there was no coverage for the settlement.[3]

Reactions to IBM: Separating Fact from Fiction

Despite its clear and straightforward holding, the IBM decision has generated unwarranted criticism from commentators, insurance carriers and insurance buyers:

The settlor capacity issue addressed by the IBM court is brand new, and now companies are suddenly left uninsured for something that always was covered.

The IBM decision does not create a so-called coverage gap. It recognizes the fundamental purpose of fiduciary liability insurance – to protect fiduciaries from liability for breaches of fiduciary duty under ERISA. Other courts uniformly have agreed that settlor liabilities are not covered by fiduciary liability insurance policies, and IBM cited no cases to the contrary. In fact, as the IBM court noted, IBM’s argument that the policy covered any violation of ERISA whether or not it implicated IBM’s fiduciary capacity, was “strained and implausible” and would expand fiduciary liability coverage to “almost every lawsuit imaginable” against a company that happened also to be an ERISA plan sponsor.[4] 

Claims often involve a settlor act where no breach of fiduciary duty is pled, and most fiduciary policies pick up such an exposure.

ERISA plaintiffs can, in rare cases, sue a plan sponsor solely for acts in its settlor capacity. Typically, though, ERISA litigation concerns the plan sponsor’s acts as both a settlor and a fiduciary: for example, the sponsor’s amendment of a plan (a settlor function) and its disclosures about the amendment (a fiduciary function). Such a “mixed action” would trigger – at least – defense costs coverage. And under the policies at issue in IBM, such a mixed action likely would have been covered subject to other common coverage defenses. Virtually none of the fiduciary liability policies on the market would cover the rare case clearly involving only settlor allegations, because it would not allege a Wrongful Act necessary to trigger coverage. 

The primary carrier settled the claim with IBM and paid its entire policy limit toward defense costs and the settlement whereas the excess carrier took a different position and sued the insured.

In fact, the primary carrier did not acknowledge coverage for the underlying action or pay the full limits of the primary policy. Rather, the primary carrier advanced IBM’s defense costs subject to a reservation of rights and at all times disputed the availability of indemnity coverage. The primary carrier ultimately settled its coverage dispute with IBM in exchange for a payment that left over 30% of its policy limits untouched. 

The Landscape of Fiduciary Liability Insurance: Changing for the Better?

Even before the IBM decision, the fiduciary liability insurance marketplace had been moving toward providing limited coverage for settlor functions – limited to defense costs only or to particular types of settlor conduct. Whether such expansions of coverage will be beneficial for insurance buyers and viable in the long term for the carriers remains to be seen. It is not self-evident that such expansions will really benefit individual fiduciaries, whom the insurance was principally intended to protect.

Costly investigations or litigation focused on settlor issues may drain or completely exhaust the insurance limits available to protect individual fiduciaries from personal liability. Limits adequacy therefore should be a paramount consideration for the insurance buyer in reviewing these newer policy forms. In addition, the settlor coverage afforded under these newer forms may frequently provide very little additional protection. First, claims involving purely settlor issues are rare and, as noted above, mixed cases likely would be covered already. Second, the additional coverage likely extends only to defense costs because the damages recoverable in pure settlor cases are likely to be benefits that would have been due but for the assertedly improper conduct. Such damages would be excluded from coverage by the policy’s “benefits due” exclusion or carved out from the definition of covered Loss. Thus, while insurance buyers often presume “the more coverage the better,” buyers should closely review these newer forms and consider the practical effects of the so-called extensions of coverage and the primary purpose of obtaining fiduciary liability insurance in the first place when selecting the appropriate coverage.

About the Authors

Kimberly M. Melvin is a partner in the Insurance Practice at Wiley Rein LLP in Washington, DC. She represents insurers in connection with coverage issues, including liability policies issued to directors and officers, financial institutions, mutual funds, investment advisors, Real Estate Investment Trusts (REITs), rating agencies, insurance companies, insurance brokers and lawyers. Ms. Melvin can be reached at 2.719.7403 or kmelvin@wileyrein.com.

John E. Howell is an associate in the Insurance Practice at Wiley Rein. He represents insurers in connection with coverage issues arising under directors and officers, financial institution, lawyers and other professional liability coverages. Mr. Howell can be reached at 202.719.7047 or jhowell@wileyrein.com.

* * *


[1] Hunter v. Caliber Sys., Inc., 220 F.3d 702, 718 (6th Cir. 2000) (citations omitted).

[2] Fed. Ins. Co. v. Int’l Business Machines Corp., 965 N.E.2d 934, 937 (N.Y. 2012). 

[3] Id.

[4] Id.

Two more courts have joined the growing line of cases holding that an excess insurer’s payment obligations are not triggered where the policyholder funded part of the loss below the excess insurer’s limit.

First, on September 12, 2012, New York (New York County) Supreme Court Judge Melvin Schweitzer, applying New York law, ruled in favor of a top level excess insurer where the two underlying excess insurers had paid less than their full policy limits and Forest Laboratories, the policyholder, had funded the gap. A copy of Judge Schweitzer’s opinion can be found here.

Second, on September 17, 2012, the Sixth Circuit, applying Ohio law, affirmed the district court’s entry of summary judgment in favor of the excess insurer, holding that the excess insurer’s policy limit had not been triggered when the insured, Goodyear Tire and Rubber Company, had reached a compromise with the primary carrier in which the primary carrier had paid less than its full policy limit. The Sixth Circuit’s opinion can be found here.

The Forest Labs Case

Forest Laboratories had a $70 million D&O insurance tower, consisting of a primary $10 million layer and six excess layers of $10 million each. Forest Labs became involved in securities class action litigation, which it ultimately settled for $65 million. Defense and claims expense added several million dollars more of cost. Forest Labs’ primary insurer and the first three excess carriers paid their full policy limits. However, the fourth and fifth level excess insurers reached compromises with the policyholder in which each paid only a part of its limit and Forest Labs “filled in the gaps.” Forest Labs then sought payment from the top level excess insurer.

The top level excess insurer contended that because of Forest Labs’ compromise with the underlying excess insurers, the payment obligations under its excess policy had not been triggered. In making this argument, the top level excess insurer relied on language in its policy specifying that it is obligated to pay only when the underlying coverage has been exhausted “solely as a result of actual payment of a Covered Claim pursuant to the terms and conditions of the underlying insurance.” The top level excess insurer also sought to rely on exhaustion trigger language in one of the underlying excess policies, which the top level excess insurer argued was incorporated by reference into its excess policy.

Forest Labs relied on the venerable Second Circuit decision in Zeig v. Massachusetts Bonding & Insurance Company, arguing that the top level excess insurer’s policy language was ambiguous and therefore should not be interpreted to preclude coverage. In response to Forest Labs’ reliance on Zeig, the top level excess insurer relied on the growing list of cases in which courts had found that an excess insurer’s payment obligations had not been triggered where, as here, the policyholder had funded part of the underlying loss amounts out of pocket. Among other cases, the top level excess insurer relied on the Comerica case (about which refer here), the Qualcomm case (refer here), the Bally Total Fitness case (here), and the J.P. Morgan case (refer here).

Judge Schweitzer said, referring to the many cases on which the top level insurer sought to rely, that “these examples,” along with the more specific trigger language in the underlying excess policies, “evince a clarity unfortunately missing from the [top level excess insurer’s] policy language.” He added, however, that this “does not render [the top level excess insurer’s] policy ambiguous, as in Zeig.”

Citing the top level excess insurer’s policy language providing that its payment obligations are triggered only when the underlying insurance is exhausted “solely as a result of actual payment of a Covered Claim pursuant to the terms and conditions of the Underlying Insurance,” which Judge Schweitzer found is “not ambiguous,” Judge Schweitzer concluded that the top level excess insurer was obligated to pay “only after the insurance has been paid under the provisions of the underlying policies … which provisions necessarily include their term limits.” Thus, Judge Schweitzer added, the top level excess insurer “pays only after the underlying insurers pay up to their policy limits.”

Judge Schweitzer commented that while the top level excess insurer “certainly could have done a better job of drafting its policy, and has many examples of better language to refer to [sic] accomplish that, the language it chose still protects [the top level excess insurer] in the situation, as here where the underlying insurers never paid their full policy amounts, due to settlements with plaintiff.”

The Goodyear Case

In 2003, Goodyear, following a restatement of its previously released financial statements, became involved in securities class action litigation and a related SEC investigation. The lawsuits ultimately were dismissed and the SEC terminated its investigation. Goodyear incurred about $30 million in legal and accounting costs in connection with these matters.

Goodyear carried $25 million in D&O insurance, consisting of a primary layer of $15 million and an excess layer of $10 million. The insurers disputed coverage for Goodyear’s $30 million in expenses, particularly the costs associated with the SEC investigation. Goodyear ultimately reached a compromise with the primary carrier, in which the primary carrier paid only $10 million of its $15 million limit. The excess carrier then contended that its payment obligations had not been triggered, relying on the language in its excess policy providing that “Coverage hereunder shall attach only after [the Underlying Insurer] shall have paid in legal currency the full amount of the [Underlying limit].”

The dispute over the excess insurer’s payment obligation ultimately wound up in litigation. The district court entered summary judgment in the excess insurer’s favor.

On September 17, 2012, the Sixth Circuit, in an opinion applying Ohio law and written by Judge Raymond Kethledge for a three-judge panel, affirmed the district court’s summary judgment grant. The Sixth Circuit’s opinion opens by observing that the parties’ dispute represents the “latest in a series of recent cases in which one corporation asks us to disregard the plain terms of an insurance agreement with another corporation.” (The Sixth Circuit opinion does not identify the other cases in the recent series to which it was referring.) The appellate court said that the relevant provision in the excess carrier’s policy is “undisputedly clear and unambiguous.”

Goodyear had argued that, notwithstanding the provision, the Court should enforce the excess insurer’s payment obligation, because of public policy favoring settlements and because the excess insurer had not been prejudiced by Goodyear’s compromise with the underlying insurer. The Sixth Circuit rejected both of these arguments.

In rejecting the public policy argument, the Sixth Circuit said that, by contrast to the uninsured motorist cases on which Goodyear relied, “what we have here, instead, is an insurance agreement into which sophisticated parties have freely entered,” adding that the Court “will enforce the agreement according to its terms.” 

In rejecting Goodyear’s argument that the excess insurer’s payment obligations should be enforced because Goodyear’s deal with the primary carrier had not prejudiced the excess carrier, the appellate court said that “this case does not concern a mere notice or cooperation requirement, which perhaps we could waive off without any harm to the insurer.” Rather, the court said, adding a note of supposed humor that I am sure Goodyear did not appreciate, “the provision at issue here is where the rubber hits the road,” adding that “the agreement’s Insuring Clause, under whose terms [the excess carrier] undisputedly did not agree to provide coverage that Goodyear now seeks.” Goodyear’s arguments, the Court concluded, are “meritless.”

Discussion

As I noted at the outset, and as the citations on which Forest Labs’ top level excess insurer relied demonstrate, there is a growing list of cases reaching the same conclusion that an excess D&O insurer’s payment obligations are not triggered where, as here, the underlying insurers paid less than their full policy limits and the policyholder funded the gap. The latest case in this line of cases can be found here.

There is a troubling aspect of this growing line of cases. If you take this line of cases as a whole, what you have are an awful lot of excess insurers walking away from their payment obligations. They agreed to take on the risk and they collected their premiums and in a disputed claims situation where losses clearly pierced their layer, they are successfully fighting off their payment obligations. This effort now apparently includes the possibility that an excess insurer can bootstrap the trigger language from an underlying insurance policy to avert its payment obligation.

To be sure, now that this growing line of cases has highlighted the issue, many insurance buyers are seeking, and many excess insurers are now granting, excess coverage trigger language that allows the amounts below the excess insurer’s attachment point to be funded by payment either by the underlying insurers or by the policyholder. With this type of alternative payment trigger language in place, excess insurers are much less likely to be able to avoid payment. However, the Forest Labs case underscores the fact that the language needs to be cleaned up all the way up the tower, to guard against the possibility that an upper level excess insurer might, like the top level excess insurer here, try to bootstrap trigger language from an underlying policy in order to try to avoid its payment obligation.

Nate Raymond has a good article on the On the Case blog, here, discussing the two decisions. Special thanks to a loyal reader for providing me with a copy of the Sixth Circuit opinion.

I am pleased to publish below a guest post written by Paul A. Ferrillo of the Weil Gotshal and Manges law firm. Paul’s guest post identifies the liability exposures that IPO companies and their directors and officers face, and describes the insurance considerations the companies should address in confronting those exposures. Paul’s article was first printed in Westlaw Journal Corporate Officers & Directors Liability, a Thomson Reuters publication.

I would like to thank Paul for his willingness to publish his article on this site. I welcome guest posts from responsible commentators on topics of interest to readers of this blog. Any readers who are interested in publishing a guest post on this site are encouraged to contact me directly. Here is Paul’s guest post:

With a potentially improving economy and rebounding public markets, the idea of going public (a long-shelved consideration in the past few years) in an initial public offering (an “IPO”) has come back in vogue, both in the United States and abroad. Going public, of course, can be a very good thing for a company, its directors, its initial investors (often venture capital firms or private equity firms), and its stockholders—if the stock does well. But sometimes the stock does not do well because the company misses earnings, or worse, finds some accounting problem that must be disclosed to investors. The price of “not doing well” is often more than just monetary—there could be mountains of lawsuits filed against the company and its directors and officers. These lawsuits can present unique problems for defendants, since the strict liability provisions of Section 11 of the 1933 Act (which govern liability with respect to the publication of alleged materially misleading statements in a company’s prospectus) are almost always implicated. That means, in sum, that any material misrepresentation, even negligently made (because scienter, or culpable knowledge, is not a requirement of a Section 11 claim), could form the basis of liability against a corporate director. Depending upon the severity of the problem and the resulting drop in the stock price, an IPO “failure” could also draw the attention of state and federal securities regulators and potentially the United States Attorney’s office. Needless to say, securities class action litigations and investigations can cost millions or tens of millions to defend and settle.

The delicate balance between the “good” and the “bad” IPOs often ends up on the desk of a company’s risk manager. Unfortunately, D&O insurance for IPOs is a very different product than other corporate insurance. Slips and falls, broken bones, workers compensation and fire losses are not the issue here. Instead, the personal assets of directors and the company’s most senior executives are at risk. For this reason, leaving D&O insurance decisions for IPOs solely to risk managers is not advised. Directors themselves need to understand the pitfalls and perils of poor decisions related to D&O insurance for IPOs. Directors need to understand the value that a sophisticated insurance broker brings to the D&O insurance purchasing decision. This knowledge is especially important for directors in today’s environment where companies may be seeking to go public under the streamlined requirements for emerging growth companies as set forth in the Jumpstart Our Business Startups Act (“JOBS Act”) of 2012, which generally sets forth looser compliance and internal control requirements than under the Sarbanes-Oxley Act of 2002. This article attempts to bring all of these issues together, in one place, for directors to understand what they need to know about D&O insurance (and related corporate insurances) when a company goes public.

How Much D&O Insurance to Buy?

Very often, after a director is recruited to sit on the board of a company going public, one of his first questions is “well, how much D&O insurance are you going to have?” Unfortunately, there is not one right answer to this question. Some view it as a “cost question.” Buying a lot of good D&O insurance costs money, and some companies don’t want to pay a lot for it, as they think it’s a “commodity.” Directors often take an opposite view. They are on the firing line, and if there is not enough D&O insurance, they could be asked to write a personal check to the plaintiffs’ counsel to settle an action against them—a very unpalatable prospect. Finally, others view it as a question answered by reference to benchmarks—if the last company that did a $300 million IPO bought $20 million of D&O insurance, why shouldn’t we?

All of these viewpoints have some ring of truth and make some sense. But the bottom line is that being uninsured is a very bad thing for everyone involved. So why not resolve to make a D&O IPO insurance purchase that makes better sense to all those potentially involved in the aftermath of a failed IPO? To do so, we recommend the following: First, ask your insurance broker for recommendations as to other similarly situated companies that went public in terms of what D&O limits they purchased. A sophisticated broker with experience in the public company D&O markets should have this information at his fingertips. Such benchmarking is a good start to get a ballpark figure of what limits to buy. Second, an arguably better approach is a market capitalization analysis of potential stock drop scenarios, using generally accepted settlement figures that are publicly available. For instance, imagine that a company expects its market capitalization twelve months post-IPO to be $1 billion. And what if that company were to suffer a 40% stock drop as a result of the announcement of unexpected bad news? That would equate to a $400 million market capitalization drop. Taking 10% of that number (10% being a “proxy” for the percent of shareholder losses that might be recoverable in a “medium” severity case) would equate to a potential settlement of $40 million (but note that in a Section 11 case with strict liability issues, the settlement percentage could arguably be higher!). Adding in attorney’s fees and the potential costs of an investigation might get you to a $50 million total per-claim loss. The $50 million number should be another data point to consider when evaluating a D&O limits purchase. Again, there is no “right” answer here.

What Carriers to Use in “the Tower”

Years of experience defending securities class actions allow us to make some comments about the importance of good D&O insurance. D&O insurance is not a commodity. Not all D&O carriers are equal. Not all D&O carriers have good reputations for handling and paying claims. Not all carriers will “step up to the plate” when it’s time to resolve the action. Directors should ask around (to other directors and other companies on whose boards they sit) to understand which carriers are willing to pay claims and which are not. Good brokers will have this information too, if they are willing to share it with you. Lawyers who defend securities class actions typically run into many carriers while mediating class actions, and may also have an opinion on which carriers are business-minded and stand behind their director clients. There is nothing worse than having a recalcitrant carrier at the settlement table that refuses to pay a claim.

Portfolio Company IPOs versus Spin-offs

Many times IPOs are a tool for private equity firms or hedge funds looking to exit or reduce an investment. Sometimes IPOs result from larger companies spinning off profitable subsidiaries into standalone public companies. Spin-offs present unique D&O challenges to consider in the D&O insurance purchasing decision: the potential for overlapping boards, the potential for not only a stock drop for the company going public, but for the parent as well under certain circumstances, counsel and privilege issues that might require multiple sets of defense counsel (which add to the cost of a litigation), and the selling shareholder liability of the ultimate parent who is selling its shares of the spin-off in the IPO.

Regardless of the challenges, one simple strategy for a director of the company going public is to insist that the company going public purchase enough D&O insurance to fully satisfy the company’s (and his) potential liability to shareholders. Another question to ask is whether there will be any additional insureds on the policy (e.g. the private equity sponsor, or the ultimate parent who is spinning off the company going public) who may have other liability issues like potential selling shareholder liability. If too many constituencies share the same tower, chances are that there may not be enough money left at the end of the day to effectuate a settlement of all outstanding litigations and investigations, especially in a Section 11 case.

Indemnifiable versus Non-Indemnifiable Loss Coverage – Side A D&O Insurance

Part of any analysis of the purchase of D&O insurance is the purchase of Side A D&O coverage. “Side A” excess D&O coverage is for “non-indemnifiable loss,” i.e. loss incurred by a director for which a company cannot advance or indemnify, or is financially unable (because of an insolvency scenario) to advance or indemnify pursuant to its bylaws or certificate of incorporation. Side A coverage only exists for the benefit of the directors and officers—it would never cover the entity.

Though certainly a part of traditional D&O coverage, in the years after Enron and WorldCom, it has become standard to purchase separate Side A D&O coverage to cover the directors and officers with dedicated limits that are fully accessible in any insolvency situation. Though some would term this “bankruptcy-specific” D&O coverage, the need for Side A excess D&O insurance can come up in other ways. More specifically, under Delaware law, the settlement of a shareholder derivative action is “non-indemnifiable,” meaning the Company cannot fund such a settlement. So having Side A coverage available for such a situation is a huge positive for a director. More specialized forms of Side A coverage also exist, like Side A “difference in conditions” coverage (which can, under certain circumstances, drop down and provide coverage in situations where an underlying carrier won’t pay), and “independent director” coverage (which expressly covers only independent directors). Directors and independent directors should insist on dedicated Side A limits as part of the overall IPO D&O structure.

Mandatory Advancement – Presumptive Indemnification Clauses

One of the new developments in the D&O marketplace over the last two years is mandatory advancement of defense costs under any circumstance. Prior to 2010, D&O carriers would generally advance defense costs from dollar one in insolvency settings, understanding that (1) in such a case a company “was unable to advance” defense costs within the retention, and (2) not advancing defense costs would potentially leave directors without adequate counsel, thus increasing their (and the carrier’s) exposure. A soft market for D&O insurance, among other reasons, caused carriers to expand advancement of defense costs to situations where a company “simply refuses” to advance or pay a director’s defense costs, in addition to the insolvency scenario. That is a huge consideration when such defense costs could run into the hundreds of thousands of dollars. Further, presumptive indemnification language normally contained in D&O policies should be stricken or watered down so it does not conflict with the broad advancement of defense cost coverage now being offered in the D&O marketplace.

Definition of Loss Issues

A D&O policy is not particularly useful if it does not cover all claims-related payments and settlements concerning litigation commenced against directors and officers. A director should insist on the broadest definition of “loss” possible, which should include the payment of (1) all pre-claim investigation or inquiry costs, (2) all defense costs, judgments and settlements related to litigation and post-claim investigatory proceedings and litigation, (3) all expert costs, (4) any defense costs associated with bankruptcy-related investigations commenced by a trustee, receiver or creditors committee, and (5) all defense costs and settlements associated with claims against him under Sections 11, 12 and 15 of the 1933 Act. 

Bankruptcy Protections

Needless to say, the primary D&O policy should work in all settings, including bankruptcy settings. Directors should insist on broad “definition of claim” wording to cover bankruptcy investigations, and a broad carve-out from the insured-versus-insured exclusion for derivative claims brought by creditors’ committees, bondholder committees or properly formed bankruptcy constituencies of the company. Finally, we recommend a simplified “order of payments” (or “priority of payments”) clause which does not leave any discretion to the company to withhold or direct payments under a D&O policy.

Though our list of questions is long, it is certainly not exclusive of other D&O policy enhancements sophisticated brokers might also suggest for clients going public. A good broker can be an ally here, not a hindrance to the process. At the end of the day, however, it is up to the director to fully educate himself or herself on the D&O coverage of any company on whose board he or she is going to sit. This is an area that is simply too important to overlook. Again, good D&O insurance often goes unnoticed. But poor D&O insurance often comes to light at the worst possible time for a director.

************

Weil Gotshal & Manges Releases Latest Edition of "The 10b-5 Guide": In addition to writing the above blog post, Paul Ferrillo is also one of the co-authors, along with his colleagues Robert Carangelo, David Schwartz and Matthew Altemeier, all also of the Weil, Gotshal & Manges law firm, of the seventh edition of The 10b-5 Guide, which the firm released today. The law firm’s press release regarding the Guide can be found here and a link to the electronic version of the Guide can be found here.

The Guide provides a comprehensive survey of recent developments regarding 10b-5 actions, including in particular a complete overview of the decisions of the U.S. Supreme Court in the securities law arena during the 2010-11 term. The Guide is presented as a primer for corporate employees and securities litigation practitioners and serves as a handbook to one of the SEC’s most important rules.

The Guide is a great resource and I highly recommend it for everyone. (Readers will note that I wrote the Foreword for this latest edition of the Guide.)

In the August 2012 issue of Business Law Today, the ABA Business Law Section published an article entitled “Training for Tomorrow: Corporate Counsel Checklist for Supervising Creation/Renewal of D&O Protection Program” (here). The article describes the critical components of a comprehensive executive protection program. A detailed description of the article and an explanation of the process by which the ABA Business Law Section created and published the checklist can be found in a September 11, 2012 post by Kevin Brady on the Delaware Corporate and Commercial Litigation Blog.

 

The ABA checklist and accompanying commentary emphasize that there are multiple components of a comprehensive program to protect corporate directors and officers from potential financial and criminal liability. The first element, statutory exculpation, should be incorporated into the company’s certificate or articles of incorporation.

 

Three additional elements of the program described in the ABA article are: the right to advancement of defense costs; relief from the duty to repay advances; and indemnity against settlements and judgments. All three of these elements should be addressed in the company’s corporate by-laws. As the article notes, the changing legal environment poses “significant hurdles” to “making sure that the entity’s by-laws actually provide the maximum rights to advancement and indemnity that the law permits.” The article provides a short, useful checklist to be used in reviewing corporate by-laws in order to ensure that the provisions provide the recommended components of an executive protection program. Readers of this blog will find this portion of the ABA article particularly useful.

 

The article also notes that D&O insurance is a critical component of a comprehensive executive protection program, and it contains a D&O insurance checklist. The list contains many useful items. D&O insurance professionals will want to be familiar with the list, as it is possible that their clients, armed with the checklist, might expect the insurance professionals to respond to each of the checklist items.

 

One item that should be added to the list is the critical importance of involving in the D&O insurance placement process an experienced and knowledgeable insurance professional who is qualified to negotiate policy terms and conditions and who is able to make informed recommendations about policy limits and structure. Corporate counsel who want to ensure that their company’s D&O insurance program reflects the current state of the marketplace will want to enlist the assistance of a D&O insurance professional who is out in the marketplace every day and who is fully informed about what is available, both in general and from each of the carriers.

 

On September 7, 2012, the Delaware Supreme Court, applying California law, held that Intel’s excess insurer’s defense obligations were not triggered where Intel had settled with the underlying insurer for less than policy limits and had itself funded the defense fees above the settlement amount and below the underlying insurer’s policy limit. A copy of the Court’s opinion can be found here. (Hat tip to the Traub Lieberman Insurance Law Blog for the link to the Court’s opinion).

 

Intel carried a multilayer tower of general liability insurance, consisting of a primary layer of $5 million, a first excess layer of $50 million, and multiple layers above that. Intel became involved in antitrust class action litigation triggering the insurance tower. Intel subsequently became involved in insurance coverage litigation with the first level excess insurer, which the first level excess insurer settled with a payment to Intel of $27.5 million. Intel funded its own defense expenses above that amount.

 

When its payment of defense expenses exceeded the remaining amount of the first level excess carrier’s limit of liability, Intel contended that the second level excess carrier’s defense obligations had been triggered. The second level excess carrier contended that its payment obligations could only be triggered by payments by the underlying excess insurer and that Intel’s own payments did not trigger payment. The second level excess insurer (hereafter, the insurer) filed an action in Delaware Superior Court seeking a judicial declaration that its payment obligations had not been triggered. The Superior Court granted summary judgment for the excess insurer, and Intel appealed.

 

On appeal, Intel argued that its defense cost payments were sufficient to trigger the insurer’s payment obligation. In making this argument, Intel relied on Condition H, which is titled “When Damages Are Payable” and provides that policy coverage “will not apply unless and until the insured or the insured’s underlying insurance had been paid or is obligated to pay the full amount of the Underlying Limits.”

 

In arguing that its payment obligations had not been triggered notwithstanding Intel’s payment of the defense expenses, the insurer argued in reliance on an Endorsement that had been added to the policy and that provided in Paragraph C that “Nothing in this Endorsement shall obligate us to provide a duty to defend any claims or suit before the Underlying Insurance Limits … are exhausted by payment of judgments or settlements.” The insurer argued that notwithstanding Intel’s payment of defense expenses, the underlying limit had not been exhausted by “payment of judgments or settlements.”

 

In affirming the lower court’s entry of summary judgment, the Supreme Court, in an opinion written by Justice Henry duPont Ridgeley for a five-judge panel, found that “Intel’s reading of the [insurer’s] policy purports to do exactly what Paragraph C of the Endorsement forbids: obligate [the insurer] to provide a duty to defend before exhaustion of the underlying …policy by payment of judgments or settlements.” The Court added that “viewing the policy language as a whole, Intel’s reading is untenable.” The Delaware Court also called Intel’s interpretation “strained.”

 

The Court specifically found that Paragraph C “cannot be construed under California precedents to encompass an insured’s own payment of defense costs.” The term “judgments” refers, the Court found, “to a decision by some adjudicative body of the parties’ rights” and the term “settlements” refers to “some agreement between parties as to a dispute between them.” Defense costs paid by the insured “do not fall within the plain meaning of either term.”

 

The Delaware court also referred specifically to the California Intermediate Court of Appeals decision in the Qualcomm case (about which refer here), in which the court held that payments of amounts by the policyholder did not suffice to exhaust the underlying insurance and trigger the excess coverage. Though noting that the Qualcomm case involved different policy language, “the implications of Qualcomm’s holding for this case are clear” – that is, that “plain policy language on exhaustion, such as that contained in Paragraph C, will control despite competing public policy concerns.”

 

The Delaware Court also concluded that because the “plain language of the policy control,” the venerable Zeig v. Massachusetts Bonding & Insurance Co. decision from the Second Circuit is “inapplicable.”

 

Discussion

This Delaware decision joins a growing line of cases concluding, based on the language at issue requiring payment by the underlying insurer, that the policyholder’s payments do not suffice to trigger an excess insurer’s payment obligation. (Refer here for the most recent discussion of the growing line of cases.)

 

It is worth emphasizing that these cases are strictly a reflection of the policy language at issue. The excess policies certainly could provide that payment by either the insurer or the insured would suffice to exhaust the underlying insurance amounts and to trigger the excess insurer’s payment obligation. Indeed, more recently, many excess D&O insurance carriers have agreed to modify their policies to recognize payment either by the underlying insurer or by the insured as a trigger to the excess insurer’s obligation.

One of the interesting things about this case is that Condition H, on which Intel relied, did in fact expressly allow for the amount of the underlying insurance to be paid either by the “insured or the insured’s underlying insurance.” The Delaware Court, interpreting this provision (which is captioned “When Damages Are Payable”), said that it provided only that “Intel’s payment of damages may trigger [the insurer’s] duty to indemnify” (emphasis added). The Court went on to say that “nothing in Paragraph C suggests that Intel’s direct payment of defense costs may trigger [the insurer’s] duty to defend” (emphasis added).

 

That is, because the payment on which Intel sought to rely in arguing that the insurer’s payment obligations had been triggered was the payment of defense expenses (not damages), and because Intel was seeking payment from the insurer of defense expenses (not damages), Condition H was irrelevant and only Paragraph C applied.

 

It is worth noting that Paragraph C had been added by endorsement, and it is fair to say the relationship between the various provisions and amendments is complicated. As the Delaware court itself noted, the “interplay” between the provisions “is admittedly complex.”

 

Insurance policies are of course complicated contracts with a variety of operating provisions. These provisions interact in complex ways, and when base forms are amended by endorsement, the interactions can become even more complicated.

 

Without in any way meaning to suggest that the policy at issue in this case did not reflect the intent of the parties to the contract, this case is a good illustration of how important it is to make sure that all of the various policy provisions are appropriately structured so that the interaction of the various provisions results in the intended outcome. This is a reminder that it is important, in connection with the policy placement process, for policyholders to enlist the assistance of knowledgeable, experienced insurance advisors who understand the coverage and understand how the various provisions and amendments will interact in the event of a claim.

 

 Today’s Typo of the Day: This high school booster club banner has a rather unfortunate typo.

 

In an August 27, 2012 post (here), I discussed Central District of California Judge James Selna’s August 21, 2012 decision in Petersen v. Columbia Casualty, and in particular Judge Selna’s consideration of the insurer defendant’s duty to advance under its liability policy. Following my publication of the post, I was contacted by Jeffrey Kiburtz of the Shapiro, Rodarte & Forman law firm. Jeff had a differing perspective on Judge Selna’s opinion and he suggested the possibility of a guest post on the topic, to which I readily agreed. Jeff’s guest post discussing Judge Selna’s opinion is set forth below.

 

I would like to thank Jeff for his willingness to set out his views as a guest post on this site. I welcome guest posts from responsible commentators on topics of interest to this blog. Any readers who are interested in publishing a guest post on this site are encouraged to contact me directly. Here is Jeff’s guest post:

 

 

 

As a regular reader of Kevin’s blog, I always find it to be well-written, informative and timely – it is truly a great resource and I am thankful to him for helping me stay up-to-date on a variety of management liability issues (as well as for the opportunity to submit this guest blog). And while I also find myself in agreement with the majority of his substantive commentary, I felt compelled to provide a different perspective on the Petersen v. Columbia Casualty decision he discussed here. (For the record, I had no involvement in the Petersen case.)

 

 

As discussed in greater detail there, Petersen ostensibly addressed the standard for determining whether an insurer must advance defense costs under a non-duty to defend policy. For Kevin, “the court [in Petersen] correctly understood the insurer’s defense obligations and correctly declined to apply principles derived from duty to defend cases to the determination of the insurer’s obligations.” From my perspective, however, the court’s decision on the standard applicable to non-duty to defend policies did not expressly consider, and is in any event difficult to reconcile with, established Ninth Circuit precedent. (I’ll leave for others the issue of whether there is any actual conflict between our two stated perspectives.)

 

 

In refusing to apply duty to defend principles (most notably the principle that defense obligations are triggered by a “mere potential” for coverage) to the analysis of whether an insurer must advance defense costs, the court in Petersen appears to have relied nearly exclusively on Jeff Tracy, Inc. v. U.S. Specialty Ins. Co., 636 F. Supp. 2d 995 (C.D.Cal. 2009). Further, both Petersen and Jeff Tracy suggested that the only support for the insured’s “mere potential” argument was Gon v. First State Ins. Co. 871 F.2d 863 (9th Cir. 1989), which both courts distinguished as addressing the timing of when an insurer must begin to advance defense costs, not the method of determining whether such a duty exists in the first instance. Thus, in both Jeff Tracy and Petersen, the Central District concluded in one form or another that “the Ninth Circuit did not hold [in Gon] that the duty to defend or ‘potential for coverage’ standard still applied” to non-duty to defend policies. Jeff Tracy at 1003.

 

 

Now, admittedly, the specific reach of Gon (and a similar case, Okada v. MGIC Indem. Corp., 823 F.2d 276, 282 (9th Cir. 1986)) is a little unclear, but the Ninth Circuit itself regards Gon and Okada as “circuit precedent requiring the advancement of defense costs for potentially covered claims.” Pan Pacific Retail Properties, Inc. v. Gulf Ins. Co., 471 F.3d 961, 970 (9th Cir. 2006). Moreover, although the court in Pan Pacific distinguished Gon and Okada on grounds that those cases are inapplicable when, as in Pan Pacific, the coverage action was brought after the conclusion of the underlying matter, the court made reasonably clear in a separate case that potentiality remains the test when contemporaneous advancement of defense costs is the issue. Unified Western Grocers, Inc. v. Twin City Fire Ins. Co., 457 F.3d 1106, 1112 (9th Cir. 2006).

 

 

Unified Western Grocers involved alleged fraudulent transfers in the context of a leveraged buyout. The insurer declined coverage on grounds that the underlying suit effectively constituted an action for restitution based on allegations of intentionally wrongful conduct. And, while the insured countered that the asserted breach of fiduciary duty was at least potentially covered, the insurer argued that the claim for breach of fiduciary duty and its related allegations were, in effect, inseparably intertwined with the non-covered, intentionally wrongful conduct and demand for restitution. Reversing the district court, the Ninth Circuit agreed with the insured, holding that the breach of fiduciary duty claim gave rise to a potential for coverage and the broad allegations of intentionally wrongful conduct did “not automatically subsume all allegations of a negligent character.” Id. at 1114.      

 

 

As most relevant to this discussion, the Ninth Circuit stated that “[i]n determining whether an unproven claim is covered by an applicable insurance policy, we are reluctant to frame coverage based on isolated allegations in an underlying complaint.” Id. at 1112 (citing Gon and the seminal California duty to defend case Gray v. Zurich Ins. Co. (1966) 65 Cal.2d 263 for the proposition that “the third party complainant, who may overstate the claims against the insured, should not be the arbiter of the policy’s coverage.”) Based on this, the court applied a potentiality test to the two coverage issues raised by the insurer (intentionally wrongful conduct and restitution), ultimately holding that there remained a possibility of covered liability based on the not-necessarily-intentional conduct alleged in connection with the breach of fiduciary claim and that the relief sought was not necessarily restricted to restitution.

 

 

Further, lest one think that the Ninth Circuit missed that it was dealing with what appears to have been a pretty standard D&O policy that did not provide for a duty to defend, the court made clear that while “Gon and Gray involved interpretations of an insurer’s duty to defend potentially covered claims” and are “not directly applicable to determining an insurer’s duty to indemnify loss,” the determination that the district court’s decision below that there were “no covered claims as a matter of law . . . is closely analogous to the question of whether there is a potentially covered claim.” Id. at 1112 fn.8.  

 

 

Returning to Petersen, it is difficult to reconcile the court’s apparent rejection of any form of a potentiality test with the precedent discussed above, especially Unified Western Grocers. For example, like Unified Western Grocers and unlike Pan Pacific, coverage in Petersen was determined during the pendency of the underlying litigation. Further, while it appears that the court in Petersen implicitly distinguished Olympic Club v. Those Interested Underwriters at Lloyd’s London, 991 F.2d 497 (9th Cir. 1993) (an earlier Ninth Circuit decision in which the court explicitly held that potentiality is the test for non-duty to defend policies) on grounds that the policy in Olympic Club did not expressly disclaim the insurer’s duty to defend, that would not be sufficient to distinguish Unified Western Grocers as the policy there plainly had no duty to defend. The Petersen court also appears to have distinguished Olympic Club on grounds that the policy in Petersen did not provide coverage for allegations of wrongful conduct, an assertion which does not appear factually accurate, as the definition of “Act” quoted in the Petersen decision encompassed allegations of wrongful conduct.  

 

 

The court in Petersen also appears to have been swayed by the presence of allocation provisions in the policy, which seems to suggest that the court viewed potentiality and allocation as mutually exclusive, i.e., that one cannot have a potentiality standard without also requiring the insurer to fund 100% of the defense of a mixed suit. Irrespective of the rationale, the policy’s allocation provisions would not in any event appear to be an adequate basis for distinguishing Unified Western Grocers, as the policy at issue there also contained an allocation provision. Lastly, while Unified Western Grocers did not mention the final policy attribute cited as militating against a potentiality standard in Petersen (i.e., that the policy required the insured to consult with the insurer before incurring defense costs), it is hard to imagine that factor being significant, especially since the “power of the purse” control that language provides the insurer makes the policy more akin to a duty to defend policy, arguably making it more appropriate to apply principles developed under duty to defend policies.

 

 

It seems worth noting that the Petersen court’s decision on the standard applicable to determining whether an insurer must advance defense costs could be considered dicta, as it is not clear from the recited facts that application of a potentiality standard would have yielded a different result. Nevertheless, whether dealt with on that basis or otherwise, I would question the suggestion that Petersen (or Jeff Tracy for that matter) represents the law in California federal courts concerning the duty to advance defense costs. 

 

 


I am pleased to publish below an article by my good friend Richard J. Bortnick (pictured left) concerning the directors’ and officers’ liability issues related to cyber security and data breaches. Rick is a Member of the Cozen O’Connor law firm and he is also the co-author of the CyberInquirer blog. This article first appeared as a chapter in the July 2012 publication Willis’ Executive Risks – A Boardroom Guide 2012/2013. I would like to thank Rick for his willingness to publish the article here.

 

I welcome guest posts from responsible commentators on topics of interest to this blog. Any readers who are interested in publishing a guest post on this site are encouraged to contact me directly. Here is Rick’s guest post:

 

 

Cyber insurance has become a necessity. Every company that maintains, houses or moves sensitive information is at risk of a data breach, primarily due to the growth and increased sophistication of hackers, malicious software and, most recently, ‘hacktivists’. Even mere employee negligence can lead to a data breach. High-profile companies such as Sony can attest that cyber-intrusions can lead to hundreds of millions, if not billions, of dollars in legal exposure.

 

 

Equally troublesome, our expanding online society has introduced new financial risks and exposures that may not be covered under general and professional liability insurance products, including standard directors’ and officers’ (D&O) policies. As such, corporate directors and officers, and their risk-management professionals, must ensure that they buy appropriately tailored policies that provide protection against the rapidly expanding risks to which they could be vulnerable, both personally and professionally.

 

 

The risks and costs of a data breach

 

It has become known as the Year of the Breach: in 2011, companies of all sizes experienced malicious intrusions or employee negligence that affected their operations and/or businesses. For example, in April 2011, computer hacktivists unlawfully accessed the Sony PlayStation Network (PSN) and obtained the personal and financial information of roughly 77 million PSN users. Since then, Sony and its insurers likely have spent tens, if not hundreds, of millions of dollars to remedy and mitigate the resulting security and commercial crises — an amount that grows by the day as lawyers prosecute class action lawsuits on behalf of allegedly affected users whose personal and financial information was improperly accessed.

 

 

Equally problematic for Sony, it has been sued by its commercial general liability (CGL) insurer, Zurich American, which is seeking to avoid coverage by arguing that its general liability policies do not and never were intended to cover data breaches.

The TJX Companies also fell victim to a cyber intrusion that security experts predict will have long-term costs of between US$4 billion and US$8 billion in fines, legal fees, notification expenses and brand impairment. In the TJX case, the retail group reported that 45.6 million credit and debit card numbers were stolen from one of its systems during the period July 2005 to January 2007. Of critical import, the January 2007 intrusion occurred after TJX already had knowledge of the initial breaches. 

 

 

Of course, big corporations are not the only entities that are vulnerable to hackers and hacktivists; indeed, half of all companies that have experienced data breaches have fewer than 1,000 employees.

 

 

NetDiligence, a US company that specialises in assessing cyber risks and data breaches, released a study in June 2011 summarising its survey of data-breach insurance claims made between 2005 and 2010 in a variety of industries in the US (see the panels on the next three pages). Based on the claims payout data submitted for the study, the average cost for a data breach was US$2.4 million. Topping the list of the most frequently breached sectors were healthcare and financial services. 

 

 

Moreover, the study found that 95 per cent of the breaches were caused by one of three things: hackers, rogue employees and loss/theft of equipment. For the most part, the information stolen consisted of personal identification information (PII) — name, address, email address, telephone number, social security number and credit card information — or personal health information (PHI).

 

 

 

Similarly troubling, in 2011 nearly 23 million confidential records were exposed in the US as a result of over 419 reported security breaches, according to the non-profit Identity Theft Resource Center (ITRC).

 

 

These numbers are likely to hold steady; at the start of April 2012, the ITRC reported 105 breaches and roughly 4.5 million exposed records in the first three months of the year. In turn, the Ponemon Institute, a data-security research firm, reported that the average cost of a breach to US organisations in 2011 was US$5.5 million, and that the cost per compromised data record stood at $194. These substantial numbers include the attendant costs of retaining forensic experts, attorneys’ fees, customer-notification expenses, fraud monitoring, public relations support, business interruption, loss of customer goodwill, and third-party liability claims.

 

 

Many breaches result in reputational damage, leading to diminished future cash flows. While loss of goodwill is notoriously hard to quantify, its financial impact can be both long-term and substantial.

 

 

Cyber security regulations and compliance

 

SEC guidance

 

On October 13, 2011, in response to the “increasing dependence on digital technologies” and associated risks, the Division of Corporation Finance (DCF) of the US Securities and Exchange Commission (SEC) issued a ‘Disclosure Guidance’ that presents, for the first time, disclosure recommendations relating to cyber-security risks. It is worth noting the DCF’s own observation in the guidance that it “is not a rule, regulation, or statement of the Securities and Exchange Commission”. The DCF also emphasises that many of its ‘recommendations’ may already be encompassed within corporate disclosure obligations found elsewhere in various SEC regulations.

 

 

While the Disclosure Guidance is designed to be ‘advisory’, its practical implications establish the ‘recommendations’ as best practices and in essence render compliance essential, if not mandatory. To put it another way: non-compliance would be ill-advised. 

 

 

At the same time, the DCF counsels that “material information regarding cyber-security risks and cyber incidents” may need to be disclosed “in order to make other required disclosures, in light of the circumstances under which they are made, not misleading.” It cites Basic Inc v Levinson (1988) for the proposition that “information is considered material if there is a substantial likelihood that a reasonable investor would consider it important in making an investment decision or if the information would significantly alter the total mix of information made available.”

 

 

Although the Disclosure Guidance is only directed at public companies under the SEC’s jurisdiction, it can be expected to have far-reaching implications for non-public companies and even individuals doing business with public companies.  

 

 

What does the disclosure guidance say?

 

It makes most sense to begin with what the Disclosure Guidance is not. The DCF makes it clear that it is not advising companies to make detailed disclosures of highly technical elements of their cyber-security programme or even the details of an actual cyber attack. Indeed, it is aware that “detailed disclosures could compromise cyber-security efforts — for example, by providing a ‘roadmap’ for those who seek to infiltrate a registrant’s network security — and we emphasize that disclosures of that nature are not required under the federal securities laws”. On the other hand, the DCF advises that companies should avoid offering “generic risk factor disclosure.”

It also highlights the point that existing disclosure obligations may warrant discussion of such risks — in many cases rendering cyber-security disclosures mandatory. For instance, Regulation S-K and Form 20-F of the Securities Act of 1933 require public companies to disclose “risk factors” that would be relevant to a prospective investor. Accordingly, the Disclosure Guidance counsels that companies “should disclose the risk of cyber incidents if these issues are among the most significant factors that make an investment in the company speculative or risky.”

 

 

The DCF further suggests that companies, in determining whether risk disclosure is required, should evaluate their cyber-security risks, taking account of previous incidents, the likelihood of future occurrences, the magnitude of those risks and the adequacy of preventive measures. Depending on the circumstances of individual companies, the DCF says that appropriate disclosures may include:

 

• discussion of aspects of the company’s business or operations that give rise to material cyber-security risks and the potential costs and consequences

• description of outsourced functions that have material cyber-security risks, and how the company is addressing those risks

• description of cyber incidents experienced by the company that are individually or in the aggregate material, including the costs and other consequences

• risks related to cyber incidents that may remain undetected for an extended period

• description of relevant insurance coverage.

 

Beyond all of this, the DCF recommends the following (potentially required) disclosures that could implicate cyber issues.

 

 

Discussion and analysis of financial condition

 

The DCF recommends: “Registrants should address cyber-security risks and cyber incidents … if the costs or other consequences associated with one or more known incidents or the risk of potential incidents represent a material event, trend, or uncertainty that is reasonably likely to have a material effect … For example, if material intellectual property is stolen in a cyber attack … the registrant should describe the property that was stolen and the effect of the attack on its … operations, liquidity, and financial condition and whether the attack would cause reported financial information not to be indicative of future operating results or financial condition. If it is reasonably likely that the attack will lead to reduced revenues, an increase in cyber-security protection costs, including related to litigation, the registrant should discuss these possible outcomes, including the amount and duration of the expected costs, if material.”

 

 

Description of business

 

“If one or more cyber incidents materially affect a registrant’s products, services, relationships with customers or suppliers, or competitive conditions, the registrant should provide disclosure … In determining whether to include disclosure, registrants should consider the impact on each of their reportable segments. As an example, if a registrant has a new product in development and learns of a cyber incident that could materially impair its future viability, the registrant should discuss the incident and the potential impact to the extent material.”

 

 

Legal proceedings

 

“If a material pending legal proceeding to which a registrant or any of its subsidiaries is a party involves a cyber incident, the registrant may need to disclose information regarding this litigation …”

 

Financial statement disclosures

 

Noting that “cyber-security risks and cyber incidents may have a broad impact on a registrant’s financial statements”, the DCF sets out some of the costs and losses that may need to be disclosed in statements, depending on the nature and severity of the potential or actual incident:

 

• the possibly substantial costs incurred in preventing cyber attacks

• any incentives provided to customers to mitigate damages from a cyber incident and maintain the business relationship

• losses, in the wake of cyber attacks, from asserted and unasserted claims, including those related to warranties, breach of contract, product recall and replacement, and indemnification of counterparty losses from their remediation efforts

• potentially diminished future cash flows, therefore requiring consideration of impairment of certain assets including goodwill, intangible assets, trademarks and patents.

 

 

Disclosure controls and procedures

 

The DCF further notes that: “Registrants are required to disclose conclusions on the effectiveness of disclosure controls and procedures. To the extent cyber incidents pose a risk to a registrant’s ability to record, process, summarize, and report information that is required to be disclosed in Commission [SEC] filings, management should also consider whether there are any deficiencies in its disclosure controls and procedures that would render them ineffective.” 
In short, directors and officers must be attuned to the regulations to protect themselves against the impact of cyber risks and costs in the larger context of their company’s disclosure obligations to investors. Or, to put it another way, those who ignore the Disclosure Guidance do so at the risk of an action by the SEC or by shareholders if a cyber incident occurs.
Given the increased prevalence and effectiveness of cyber attacks and breaches, and in light of the Disclosure Guidance, it would be difficult to justify why proper protective measures — including sufficient cyber insurance — were not put in place, and why the risks were not disclosed to the investing public.
A ‘not so hypothetical’ hypothetical
Consider the following case and contemplate whether the court may have reached a different result in light of the Disclosure Guidance. Heartland Payment Systems stores millions of credit and debit card numbers on an internal computer network to facilitate payment processing. In December 2007, hackers launched a Structured Query Language (SQL) attack on Heartland’s payroll management system. To its credit, Heartland was able to repel the attack before any personally identifiable information was stolen.
Regrettably, however, the company failed to detect malicious software (malware) that had been placed on the network by way of the SQL attack. This malware infected Heartland’s payment processing system, ultimately enabling the hackers to steal 130 million consumer credit and debit card numbers.
Heartland did not discover the malware until January 2009, at which time it notified government authorities and publicly disclosed the event. 
Over the course of the following month, Heartland’s stock price plunged in value. Shareholder class actions alleging securities fraud and material non-disclosures followed. 
In their complaint, the plaintiffs alleged that Heartland and its officers and directors had made material misrepresentations and omissions about the December 2007 SQL attack. For example, the plaintiffs alleged the following material misrepresentations:
• At numerous times, defendants concealed the SQL attack in statements made during earnings conference calls and in 10-K (annual) reports

• Defendants misrepresented the general state of Heartland’s data security because they were aware that Heartland’s network had been breached and yet they had not fully remedied the problem

• Notwithstanding its knowledge of the SQL attack, the company failed to disclose that its information systems were extremely vulnerable (rather, it had stated that it took computer security very seriously).
The plaintiffs claimed that Heartland and its directors and officers had violated Sections 10(b) and 20(a) of the Securities Exchange Act of 1934 by failing to disclose material information related to a lack of security and known breaches of its information systems. As a result of the company’s material misrepresentations related to the security breach, the plaintiffs alleged, Heartland’s common stock lost around 80 per cent of its value.
As is common in securities class action lawsuits, the Heartland defendants moved to dismiss the shareholders’ complaint on the basis that it failed to state a claim upon which relief could be granted, because it did not allege the existence of a material mis-statement or omission. In ruling on that motion (see In re Heartland Payment Systems Inc, 2009), the US District Court for the District of New Jersey found that the existence of unresolved network security issues did not, in itself, suggest that the company did not value data security or that it did not maintain a high level of security. The court further found that while knowledge of the 2007 SQL attack may have been material to the plaintiffs’ investment decisions, securities issuers have no general duty to disclose every material fact to investors.
In addition, the court found that the plaintiffs’ complaint failed to sufficiently plead the necessary elements of scienter, or knowledge of wrongdoing, as it did not allege that defendants knew or had reason to suspect that Heartland’s security systems were so deficient that it was false to say the company placed significant emphasis on maintaining a high level of security. Accordingly, the court granted the defendants’ motion to dismiss. 
Now, consider the language of the Disclosure Guidance in addressing the following, potentially required ‘risk factor’ disclosures: “A registrant may need to disclose known or threatened cyber incidents to place the discussion of cyber-security risks in context. For example, if a registrant experienced a material cyber attack in which malware was embedded in its systems and customer data was compromised, it likely would not be sufficient for the registrant to disclose that there is a risk that such an attack may occur. Instead, as part of a broader discussion of malware or other similar attacks that pose a particular risk, the registrant may need to discuss the occurrence of the specific attack and its known and potential costs and other consequences.”
In light of the express reference to ‘malware’, Heartland may have found it more difficult to argue that its failure to detect the malware embedded in its systems was reasonable and that its failure to disclose the extent of other potentially significant risks associated with a known cyber attack adequately satisfied the recommendations in the Disclosure Guidance. At a minimum, the fate of the defendants at the motion-to-dismiss stage may have been different, as the shareholder plaintiffs’ counsel would have been able to cite the company’s failure to abide by the Disclosure Guidance as being allegedly reckless and actionable. 
Additional theories of liability against officers and directors, and actions against non-public companies

Securities Act violations, as alleged by the Heartland plaintiffs, are by far the most likely to be brought by shareholders alleging cyber-related material non-disclosures. However, plaintiffs who choose not to seek federal class-action status are free to assert claims based on state law theories of fraud, breach of fiduciary duty or negligence. Therefore, directors and officers should be aware that, in addition to Securities Act violations, state law remedies could support other types of action, especially against non-public or closely held companies faced with cyber/privacy liabilities. The DCF Disclosure Guidance further highlights that directors and officers continue to face exposure from the possibility of derivative suits.
The Disclosure Guidance: practical implications for non-public companies
Yes, the Disclosure Guidance only applies to public companies; but that doesn’t mean the recommended best practices do not affect private companies. 
A prudent public company subject to SEC reporting requirements will require its business partners, suppliers, vendors and others to provide it with parallel disclosures in order to avoid direct (or even vicarious) liability to those with whom it is in privity for those companies’ failings. Privately held entities also have business relationships with public corporations and so may find themselves required to perform the analyses and assessments suggested by the Disclosure Guidance, albeit indirectly, simply to maintain their competitive footing in the market. To illustrate, if you were a business client and your prospective public company associate provided you with all of its cyber-related disclosures, would you not insist upon similar disclosures from potential private company partners — irrespective of whether the Guidance applies to them?
As a private company submitting a business proposal to a prospective client who asks for such information, would you refuse? Of course not. The only practical solution is to evaluate your own cyber risks and exposures — and be in a position to address them. 
Why technology and cyber insurance has become a necessity
A typical CGL insurance policy defines ‘property damage’ as “physical injury to tangible property, including all resulting loss of use of that property”. Regrettably, many policyholders and brokers incorrectly assume that CGL policies extend to losses involving intangible property such as electronic data. This misconception is partially based on the intuition of policyholders and brokers that traditional policy forms should adapt to protect against evolving risks. While this belief may be understandable, it is not correct.
Beginning in 2001 (in other words, during the early emergence of electronic commerce), certain CGL policy forms added language that specifically excluded electronic data from their definitions of ‘property damage’. Additionally, professional liability policies often do not include coverage for the results of a cyber intrusion, and often contain exclusions when criminal acts are the cause of the loss. 
Even though a majority of cyber incidents may not be covered by traditional insurance products, 65 per cent of company respondents in a Carnegie Mellon University study indicated that their boards are not reviewing insurance coverage for cyber-related risks, notwithstanding that 86 per cent of respondents agreed that cyber and information-security risks pose at least a moderate danger to their organisation.
The study, published in March 2012, further found that boards and senior management are not engaging in key oversight activities such as setting policies and budgets to help protect against breaches and mitigate financial losses. Thus, although many corporate executives may appreciate the risks posed by cyber breaches, most do not follow up by taking steps to ensure that their companies purchase technology and cyber liability insurance. 
Technology insurance is analogous to traditional ‘tangible property’ insurance. It typically covers first-party loss such as business-interruption expense as well as the costs of a forensic expert, who would be retained to identify the cause of the technology breach, and other necessary expert consultants. In turn, cyber liability insurance provides third-party coverage that is designed to protect a company from legal claims brought by those whose personal information has been compromised.
Technology and cyber insurance can take many forms, with some insurers adding endorsements to a standard CGL policy that extend the coverage to technology and cyber risks. For example, Insurance Services Office (ISO) endorsements provide first-party coverage for loss of electronic data resulting from physical damage to tangible property. That, however, means companies may not be adequately protected against substantial risks if the loss has a different cause. Additionally, endorsements do not cover the crisis-management costs of lawyers, forensic experts, breach-notification letters etc.
Standalone technology and cyber insurance products are far more comprehensive and, typically, cost-effective. Although they may be marketed under various names, they generally cover similar risks and exposures. Covered losses in the first-party context include ‘data-breach expenses’, ‘cyber extortion’, ‘digital asset loss’ and ‘business-interruption loss’. However, as suggested by its name, first-party cyber insurance does not cover claims brought by third parties. Additionally, few products cover the expenses incurred to correct system problems and prevent future data breaches. 
In turn, third-party cyber insurance often fills in these gaps and may be referred to as ‘privacy liability insurance’, ‘network security liability insurance’ or ‘internet media liability insurance’. Despite the differing labels, each provides similar cover for third-party liability after a data breach, namely: ‘crisis-management expenses’, including notification costs, fraud monitoring, forensic investigations, public relations consultants and the costs of pursuing third parties responsible for the breach; ‘liability expenses’, including the costs of defending and settling lawsuits; and ‘regulatory expenses’, including the cost of compliance with SEC regulations.
Regardless of what form of insurance is purchased, companies and their insurance professionals must ensure that their policies are tailored to their own unique needs.
Why directors and officers’ insurance should supplement cyber insurance
In addition to purchasing tech/cyber insurance covering first-party and third-party exposure, both public and private companies should ensure that their D&O liability policies respond to cyber-related claims based on allegations of securities fraud, breach of fiduciary duty and alternative theories of liability. 
In the event of a data breach or a catastrophic first-party loss, it would not be surprising for shareholders’ counsel to file securities fraud and/or derivative suits against a company’s directors and officers alleging failure to properly disclose and manage risks and/or breach of fiduciary duty. Given the defence costs associated with such suits, even in the absence of liability exposure, it is essential to have a D&O policy that complements a cyber insurance policy. In this respect, a specialist insurance broker is not just helpful, it is a necessity.
Methods of preventing data breaches, and strategies in the event of an intrusion  
Ultimately, the responsibility for preventing cyber breaches falls on each individual company whose reputation is on the line. While government regulation may have advanced in addressing the problem of data breaches, it has been estimated that 85 to 90 per cent of a company’s assets are maintained on an electronic platform and susceptible to a tech/cyber crisis — and regulations alone cannot protect them. In some cases, they may be self-defeating, as the cost of regulatory compliance can consume much of a company’s ‘security’ budget. 
Of course, it is far less costly, from both a financial and reputational point of view, to prevent a cyber breach than to attempt after-the-fact mitigation of its negative effects. This point is made clear by the 2012 ‘Data Protection & Breach Readiness Guide’, published by the Online Trust Alliance (OTA). The report advocates several ‘security best practices’ that could significantly reduce the likelihood of a tech/cyber loss. While the OTA provides 19 guidelines on ‘data governance and loss prevention’, four in particular bear mention.
First, according to the OTA, companies should engage in data classification according to the level of the data’s sensitivity and tailor their software protection schemes accordingly. Next, the OTA advises that data minimisation can prevent a breach, as hackers cannot obtain information that is not kept on a system. Companies should review any sensitive information on their system and eliminate non-essential data that poses an unnecessary risk of data breach.
Third, companies should destroy data that is no longer in use. And fourth, the OTA suggests that companies provide employee awareness and readiness training to ensure that staff understand company policies on data collection and retention, and data-loss reporting procedures. 
In addition to taking steps to prevent an incident, organizations need to be ready to identify and deal with the results of any breach. They should have in place a data response team trained to respond to a breach in a co-ordinated and prompt fashion. This trained response team should include representatives from key groups within the company, including legal, information technology, information security, human resources, public relations and customer service. The data response team should have broad decision-making authority and be available 24/7. The initial goal of the group should be to evaluate systems and create plans and procedures to prevent and, if necessary, manage a tech/cyber incident.
Additionally, companies should determine the notification requirements that govern their industry. Since many state, federal and foreign regulations require prompt notification, it is important to work out in advance how the relevant individuals should be contacted, as it will significantly improve the company’s ability to mitigate consumer frustration and increase compliance. Should a breach occur, the response team and dedicated employees can move quickly to contain and repair the damage.
Conclusion
Although the DCF says the Disclosure Guidance is ‘advisory,’ it makes it equally clear that cyber-security risks may fall under existing SEC disclosure obligations in certain circumstances. Accordingly, a public company would be ill-advised to disregard the best practices provided by the DCF. 
The essential message is simple: if companies are aware of material cyber-security risks and/or incidents, and if disclosure of those risks or incidents would be material to investors, a company risks SEC action (not to mention shareholders’ and derivative actions) by failing to publicly disclose this information as part of its routine reporting requirements.    
Companies also should follow prudent security practices to reduce the likelihood of a data breach, and have a data response team ready to deal with and mitigate potential future damage in the event of a cyber incident. Perhaps most importantly, businesses should ensure that they have virtually seamless insurance coverage to deal with any such events. Just as our economy is evolving, so are the types of insurance available to meet a policyholder’s changing needs. 
Understanding the components of these new-age policies is critical, and executives should devote the time and resources needed to identify a specialist insurance broker who can assess a company’s vulnerabilities and ensure that it purchases the right products.
Data is a prized asset that warrants its own specific protection. Now is the time to ensure that your data and corporate executives are properly insured so that, when a cyber incident occurs tomorrow, your company and its directors and officers are not burdened with exorbitant costs and huge, uncovered potential exposures.