
D&O Discourse

Why Are Companies and Their Directors and Officers Still Behind on Cyber Security Oversight and Disclosure?

Posted in Board Oversight, Corporate Governance, Cyber Security, SEC, SEC Enforcement

Over the past three years, I’ve been outspoken about the need for better board oversight of cyber security, as well as the need for better cyber security disclosure.  The severity of the cyber threat is so significant to companies, as well as to the nation’s economy and security, that boards have no choice but to pay attention.  Indeed, I can easily envision a world where, as a practical matter, directors face a heightened risk of personal liability for cyber-security problems.  And over the past several years, there has developed an army of talented IT, legal, and insurance professionals ready to help boards manage this threat, and there are some very proactive, outspoken, and conscientious directors who are trying to lead the way.

Yet surveys still say that, on the whole, directors aren’t sufficiently engaged, and companies aren’t providing directors with sufficient information and support.

How in the world could that be so?

Below, I examine two of the underlying problems, and provide solutions: (1) a suite of problems that I call “cyber freak-out,” and (2) an odd lack of concern about director liability.

Cyber Freak-Out

The average corporate director was 47 years old when Amazon became a public company.  Although that was also almost 20 years ago, and most people who serve on boards have grown comfortable with computers and the basics of technology, there is nevertheless a fundamental sense of discomfort with discussion around the IT aspects of cyber security.

This discomfort yields a suite of problems that I diagnose collectively as “cyber freak-out.”  Cyber freak-out includes one or more of the following stated or unstated excuses for not tackling cyber security issues:

  • Excuse: The audit committee handles risks, so that’s the right group to handle cyber security.
    • Reality: Cyber security is an enterprise risk that the full board needs to understand and decide how to manage – even if it is ultimately given to a committee.  And the audit committee has too much work already.
  • Excuse: Being hacked is inevitable, so we can’t do much about it.
    • Reality: Cyber security oversight isn’t just about preventing attacks – it’s also about deciding what assets to protect and how to respond to a breach, among other issues.
  • Excuse: Cyber security is an IT issue, and the IT folks have told us for years that we’re safe.
    • Reality: The world of cyber security poses higher risks now, and it’s incumbent upon the board to ask hard questions of the IT department.  There are outside consultants galore who can give the board an independent evaluation. And cyber security is not just an IT issue.  Most cyber attacks can be prevented through employee education – which presents issues of employee training and corporate culture, which even a Luddite director can help shape.
  • And there are several more things few people say out loud, but I fear that too many think:
    • Excuse: We should have been on top of this earlier, so engaging in a full-scale program of cyber security readiness will make us look bad.
    • Excuse: I don’t want to ask a dumb question, and don’t think I can ask a smart one.
    • Excuse: If I wait long enough, one of my fellow directors will get up to speed and lead us through what we need to do.

Reality: The absurdity of these excuses speaks for itself.

Another common mistake is to assume that cyber attacks are limited to companies with personal information, like credit card numbers or health information.  That is wrong:  Any company with valuable assets – including trade secrets – is and will be a target.  The reason that companies with personal information grab the headlines is that their breaches have become public because of breach-notification laws.  Companies that aren’t subject to breach-notification laws rarely disclose cyber breaches.  One of the country’s leading cyber-security lawyers to public companies said at the SEC’s Cybersecurity Roundtable in March 2014 – in the presence of SEC Chair White and Commissioners Aguilar (who gave an important speech in June 2014 on board oversight of cyber security), Gallagher, Piwowar, and Stein:

I would say that I really can’t think of a case – and we’ve worked a lot –  where the disclosure thinking or analysis was driven by the securities law issues, frankly.

Basically there are other state laws, other situations that are going to create a disclosure obligation, and that’s what drives it. And I think just to be someone speaking from the trenches in terms of the reality of what really happens, there is a tremendous disincentive to disclose a breach.

I believe that the well-known cyber breaches are the very tip of the iceberg, and the much larger cyber security problem is, and will be, beneath the surface until companies start disclosing cyber security issues because of their yet-unenforced federal securities law obligations.  A company whose IP has been stolen, or whose business has been interrupted, faces various disclosure issues.   The issue isn’t just whether a breach is material.  It’s much broader: a cyber security breach could make any number of statements misleading, including financial statements, earnings guidance, statements about internal controls, and statements about the status and prospects of the business operations.  Yet most directors seem to believe that cyber security is just a problem for banks, retailers, and health-care providers and insurers.  That’s just not so.

The problem with cyber freak-out is that it undercuts directors’ main defenses to shareholder claims of breach of fiduciary duty.  There are two main claims for breach of fiduciary duty in this area:

The first type of claim is for a failure to act, or a failure to engage in appropriate oversight, under a standard articulated in a leading case called Caremark.  The court in Caremark branded the claim “possibly the most difficult theory in corporation law upon which a plaintiff might hope to win a judgment.”  To be liable for a failure of oversight – a type of breach of the duty of loyalty – a director must fail to establish any system for detecting problems, or if a system exists, must deliberately fail to monitor it or follow up on red flags.  Thus, the only way a director can be liable for a failure of oversight is to not even try – or in the cyber security context, to be paralyzed by cyber freak-out.

In contrast to a claim for inaction, the second type of claim is based on director action.  Such claims are governed by the business judgment rule, which protects from second-guessing a decision made by informed and disinterested directors.  A shareholder can overcome the presumption, however, if the challenged decision was not informed.  Cyber freak-out can result in challenged cyber-security decisions being insufficiently informed, and thus outside the protection of the business judgment rule.

Thus, directors will not be liable if they in fact oversee cyber security, and make decisions about cyber security based on adequate information. Boards need to just pay attention and start somewhere – there’s no secret sauce, and perfection isn’t required.  There’s no cyber-security intelligence test.  An inquisitive director can do a good job overseeing cyber security without even being a computer user.

Director Liability

On the one hand, diligent directors don’t face real risk of liability for cyber security oversight.  On the other hand, I believe the fear of director and officer liability needs to increase before directors and officers and their companies sufficiently tune up their cyber security oversight and disclosures.

Although I don’t wish a lawsuit on anyone, much less actual liability, I think some jarring liability event is necessary: Just as Bill Lerach, Mel Weiss, and other prominent securities class action plaintiffs’ lawyers have greatly improved the quality of corporate disclosure, and corporate-law decisions like Smith v. Van Gorkom have improved board decision-making processes, so too would a cyber-security liability jolt improve cyber-security oversight and disclosure.  But at the moment, directors and officers observe that stocks generally haven’t dropped enough to trigger securities class actions, and the handful of shareholder derivative cases haven’t been virulent.  And the shareholder derivative litigation dismissal in Wyndham, while great for Wyndham’s directors, probably set cyber security oversight back.  The Wyndham decision, resting on the board’s post-breach process in deciding to reject a shareholder demand on the board, was virtually meaningless in its impact on the law governing board oversight of cyber security.

But securities and corporate governance litigation involving cyber security problems is indeed coming.  And it may be ugly.  The more directors and officers are on notice about the severity of cyber security problems, and the less action they take while on notice, the easier it will be for plaintiffs to prove their claims.  We not only could see a sharp uptick in the number of claims, but they could be quite difficult for directors and officers to defend, until cyber security oversight and disclosure improve.  I worry about this dynamic a lot.

I also worry about SEC enforcement concerning cyber security. The SEC has been struggling to refine its guidance to companies on cyber security disclosure, trying to balance the concern of disclosing too much and thus providing hackers with a roadmap, with the need to disclose enough to allow investors to evaluate companies’ cyber security risk.  But directors and officers shouldn’t think the SEC is going to announce new guidance or make new rules before it begins enforcement activity around cyber security disclosures.  All it takes to trigger an investigation of a particular company is some information that the company’s disclosures are rendered false or misleading by inadequate cyber security.  And all it takes to trigger broader enforcement activity by the staff is a perception that companies aren’t taking cyber security disclosure seriously.  That may or may not be preceded by further cyber security disclosure guidance.  And companies need to be concerned about whistleblowers, including over-worked and under-paid IT personnel, lured by the SEC’s whistleblower bounty program, and about auditors, who will soon be asking more frequent and difficult questions about cyber security.


Greater cyber security oversight, and better corporate disclosure, are inevitable.  I hope that they happen naturally, as the result of good counseling by the advisors who are ready and able to help, rather than only developing after we are hit by the inevitable wave of shareholder litigation and SEC investigations and enforcement actions.

Securities Class Action Defense Counsel Selection: An Interview Process is Essential

Posted in Corporate Governance, D&O Insurance, D&O Insurance Brokers, Defense Costs, Defense Counsel, Falsity Analysis, Scienter Analysis, Securities Class Action, Statements of Opinion

When a public company purchases a significant good or service, it typically seeks competitive proposals.  From coffee machines to architects, companies invite multiple vendors to bid, evaluate their proposals, and choose one based on a combination of quality and cost.  Yet companies named in a securities class action frequently fail to engage in a competitive interview process for their defense counsel, and instead simply retain litigation lawyers at the firm they use for their corporate work.

To be sure, it is difficult for company management to tell their outside corporate lawyers that they are going to consider hiring another firm to defend a significant litigation matter.  The corporate lawyers are trusted advisors, often former colleagues of the in-house counsel, and have usually made sacrifices for the client that make the corporate lawyers expect to be repaid through engagement to defend whatever litigation might arise.  A big litigation matter is what makes all of the miscellaneous loss-leader work worth it.  “You owe me,” is the unspoken, and sometimes spoken, message.

Corporate lawyers also make the pitch that it will be more efficient for their litigation colleagues to defend the litigation since the corporate lawyers know the facts and can more efficiently work with the firm’s litigators.  Meanwhile, they tell the client that there is no conflict – even if their work on the company’s disclosures is at issue, they assure the company that they will all be on the same side in defending the disclosures, and if they have to be witnesses, the lawyer-as-witness rules will allow them to work around the issue.

All of these assertions are flawed.  It is always – without exception – in the interests of the defendants to take a day to interview several defense firms of different types and perspectives.  And it is never – without exception – in the interests of the defendants to simply hand the case off to the litigators of the company’s corporate firm.  Even if the defendants hire the company’s corporate firm at the end of the interview process, they will have gained highly valuable strategic insights from multiple perspectives; cost concessions that only a competitive interview process will yield; better relationships with their insurers, who will be more comfortable with more thoughtful counsel selection; greater comfort with the corporate firm’s litigators, whom the defendants sometimes have never even met; and better service from the corporate firm.

Problems with Using Corporate Counsel

A Section 10(b) claim involves litigation of whether the defendants:  (1) made a false statement, or failed to disclose a fact that made what they said misleading in context; and (2) made any such false or misleading statements with intent to defraud (i.e. scienter).

Corporate counsel is very often an important fact witness for the defendants on both of these issues.  For example, in a great many cases, corporate counsel has:

  • Drafted the disclosures that plaintiffs challenge, so that the answer to the question “why did you say that?” is “our lawyers wrote it for us.”
  • Advised that omitted information wasn’t required to be disclosed, so that the answer to the question “why didn’t you disclose that” is “our lawyers told us we didn’t have to.”
  • Reviewed disclosures without questioning anything, or not questioning the challenged portion.
  • Drafted the risk factors that are the potential basis of the protection of the Reform Act’s Safe Harbor for forward-looking statements.
  • Not revised the risk factors that are the potential basis of Safe Harbor protection.
  • Advised on the ability of directors and officers to enter into 10b5-1 plans and when to do so, and on the ability of directors and officers to sell stock at certain times, given the presence or absence of material nonpublic information.
  • Advised on individual stock purchases.

The fact that the lawyer has given such advice, or not given such advice, can win the case for the defendants.  For example, for any case turning on a statement of opinion, the lawyer’s advice that the opinion had a reasonable basis virtually guarantees that the defendants won’t be liable.  Likewise, a lawyer’s drafting, revising, or advising on disclosures virtually guarantees that the defendants didn’t make the misrepresentation with scienter, and a lawyer’s advice on the timing of entering into 10b5-1 plans or selling stock makes the sales benign for scienter purposes.

To the defendants, it doesn’t matter if the lawyer was right or wrong.  As long as the advice wasn’t so obviously wrong that the client could not have followed it in good faith, the lawyer’s advice protects the defendants.  But to the lawyer, it matters a great deal for purposes of professional reputation and liability.  Deepening the conflict is the specter of the law firm defending its advice on the basis that the client didn’t tell them everything.  The interests of the lawyer and defendant client thus can diverge significantly.

That this information may be privileged doesn’t change this analysis.  Of course, the privilege belongs to the client, who can decide whether to use the information in his or her defense, or not.  But with corporate counsel’s litigation colleagues guiding the development of the facts, privileged information is rarely analyzed, much less discussed with the client.  The reality is that most privileged information isn’t truly sensitive to the client, but instead reflects a client seeking advice – and seeking the liability protection the lawyer’s advice provides.  But from the lawyer’s perspective, there can be much to protect.  Privileged communications may reflect poor legal advice, and internal files may contain candid discussions about the client and the client’s issues that would result in embarrassment to the firm, and possible termination, if produced.

Perhaps even more importantly, regular corporate counsel’s litigation colleagues may often fail to assess the case objectively, in part because it implicates the work of their corporate colleagues, and in part because of a desire not to ask hard questions that could strain the law firm’s relationship with the client.  Sometimes the problem arises from a deliberate attempt by the lawyers to protect a particular person who may have made an error leading to the litigation, such as the General Counsel (often a former colleague), the CFO, or the CEO – all of whom are important to the client relationship.  Sometimes, though, the failure to thoughtfully analyze a case is due to a more generalized alliance with the people with whom the law firm works regularly.  It’s hard for a lawyer to scrutinize someone who will be in the firm’s luxury box at the baseball game that night, much less report a serious problem with him or her to the board.

Yet the defendants, including the board of the corporate client, need candid advice about the litigation to protect their interests.  For example, some problematic cases should be settled early, before the insurance limits are significantly eroded by defense costs and documents are produced that will make the case even more difficult, and could even spawn other litigation or government investigations.  Defendants and corporate boards need to know this.

Corporate firms might counter that their litigation colleagues will give sound and independent advice, because they are a separate department and will face no economic or other pressure from the corporate department.  But that undermines one of the main reasons corporate lawyers urge that their litigation colleagues be hired: that it is more efficient to use the firm’s litigators since they work closely with the corporate lawyers, if not the company itself.  The corporate firm can’t have it both ways: either the litigators are close to the corporate lawyers and the company, and suffer from the problems outlined above, or they are independent, and their involvement yields little or no benefit in efficiency.  Indeed, it is most likely that the corporate firm’s litigators will be hindered by conflict, while nevertheless failing to create greater efficiency.  Just because lawyers are in the same firm doesn’t mean that they can read each other’s minds.  They still have to talk to one another, just as litigators from an outside firm would have to do.

So Why is Corporate Counsel Used So Often?

I doubt many directors or officers would disagree with the analysis above.  So why do so many companies turn to their corporate counsel without conducting an audition process?  Several practical factors impede the proper analysis of counsel selection in the initial days of a securities class action.

The single most important factor is probably that the corporate firm is first on the scene. Many companies reflexively hire their corporate firm immediately after the initial complaint is filed, or even after the stock drop, before a complaint is even filed.  By the time the defendants start to hear from other securities defense practices, they often have retained counsel.  And then it’s very difficult from a personal and practical perspective to walk the decision back.

This decision, moreover, is often made by the legal department, sometimes in consultation with the CEO and CFO.  The board is often not involved.  Instead, the board is merely presented with the decision, which can seem natural because the firm hired is familiar to them.  The directors often aren’t personally named in the initial complaint, so they might not pay as much attention as they would if they understood that they were likely to become defendants later – either in the main securities action, especially if the case involves a potential Section 11 claim, or in a tag-along shareholder derivative action.

Initial complaints can also mislead the company as to the real issues at stake.  Regular corporate counsel and the defendants may review the first complaint and incorrectly conclude that the allegations don’t implicate the lawyer’s work.  But these initial complaints are merely placeholders, because the Reform Act specifies that the lead plaintiff appointed by the court can later file an amended complaint.  Initial filers have little incentive to invest the time or effort into making detailed allegations in the initial complaint, because they may be beaten out for the lead plaintiff role.  The lead plaintiff’s amended complaint thus typically greatly expands the case to include new alleged false and misleading statements, more specific reasons why the challenged statements were false or misleading, and more detailed scienter allegations, including stock-sale and confidential-witness allegations that most initial complaints lack.  If a conflict becomes apparent at that point, however, it can be very difficult and even prejudicial to the defendants for corporate counsel to bow out.

Regular corporate counsel will often advise their clients that there is no issue with them defending the litigation, or even that doing so makes sense because they advised on the underlying disclosures.  But even if the corporate firm is trying to be candid and look out for its client’s interests, it may have blind spots in seeing its potential conflicts – especially when the corporate lawyers are facing pressure from their firm management to “hold the client.”

The pressures that lead a company to hire its corporate firm to defend the securities litigation are very real, and sometimes this decision is ultimately fine.  But I strongly believe that it is never in a client’s interest to take its corporate counsel’s advice on these issues without obtaining analysis from other securities practices as part of a competitive interview process.

The Benefits of a Competitive Process

In addition to obtaining important perspectives about potential problems with corporate counsel’s defense of the securities class action, an interview process involves myriad benefits – including tens of thousands of dollars of free legal advice.  The only cost to the company is a few hours to select the 3-5 firms that it wants to interview, and a day spent hearing presentations from those firms and discussing their analysis and approach with them.

An interview process gives defendants the opportunity to hear from several experienced securities litigators, who will offer a range of analyses and strategies on how best to defend the case.  It also allows defendants to evaluate professional credentials and personal compatibility, which are both important criteria.  It is difficult, if not impossible, for a company to evaluate how their corporate counsel’s litigators stack up against other litigators in this specialized and national practice area, without first hearing from some other firms.  Sometimes, a company will not even meet its corporate firm’s securities litigators in person before engaging them, which obviously makes it impossible for them to make judgments about personal compatibility and trust.

An interview process, if properly structured, is highly substantive.  The firms that fare best in a new-case interview typically prepare thorough discussions of the issues, and come prepared to analyze the case in great detail.  And the best ones look beyond the issues in the initial complaint to the issues that might emerge in the amended complaint, analyzing the full range of the company’s disclosures, to forecast future disclosure and scienter allegations, and evaluating the defenses that will remain even after allegations are added.

An interview process also helps the company to achieve a better deal on billing rates, staffing, and alternative fee arrangements.  Without an interview process, a law firm is much more likely to charge rack rates and do its work in the way it sees fit – which defendants are rarely in a position to challenge without having done some comparison shopping.  Even though securities class action defense costs are covered by D&O insurance, price matters in defense-counsel selection.  It is a mistake to treat D&O insurance proceeds as “free money.”  Without appropriate cost control, defendants run the risk of not having enough insurance proceeds to defend and resolve the case.  Appropriate cost control can help keep the litigation from resulting in a difficult or expensive D&O insurance renewal, and can allow the company to save money if the fees are less than the deductible.

An interview process also helps get the defendants off to a better start with their D&O insurers.  In addition to appreciating the cost control that an interview process yields, insurers also appreciate the defendants making a thoughtful decision on defense counsel, including vetting the potential problems with use of the company’s corporate firm.  D&O insurers and brokers are “repeat players” in securities litigation, and know the qualifications of defense counsel better than anyone else – a seasoned D&O insurance claims professional has overseen hundreds of securities class actions.  Asking insurers and brokers to help identify defense counsel to interview may therefore not only yield helpful suggestions, but may also make it easier to develop a relationship of strategic trust with the insurers – which will make it easier to obtain consent to settle early if appropriate, and if not, to defend the case through summary judgment or to trial.

Perhaps most importantly, an interview process results in a closer relationship between the defendants and their lawyers, whoever they end up being.  Most securities class action defendants are troubled by being sued, and need lawyers that they can trust to walk them through the process.  An interview process is the best way to find the lawyers who have the right combination of relevant characteristics – including skills, strategy, and bedside manner – that will best fit the needs of the defendants.

Securities Claims Based on Item 303 of Regulation S-K: It Just Doesn’t Matter

Posted in 2nd Circuit, 9th Circuit, Class Certification, Falsity Analysis, Litigation Strategy, Motions to Dismiss, Plaintiffs' Bar, Securities Class Action, Supreme Court

Does Item 303 of Regulation S-K matter in private securities litigation?  In Stratte-McClure v. Morgan Stanley, 776 F.3d 94 (2nd Cir. 2015), the Second Circuit held that Item 303 imposes a duty to disclose for purposes of Section 10(b), meaning that the omission of information required by Item 303 can provide the basis for a Section 10(b) claim.  This ruling is at odds with the Ninth Circuit’s opinion in In re NVIDIA Corp. Securities Litigation, 768 F.3d 1046 (9th Cir. 2014), in which the court held that Item 303 does not establish such a duty.  The U.S. Supreme Court declined a cert petition in NVIDIA.

I’m glad the Supreme Court didn’t take the case, because while this issue seems important, it really isn’t – as a practical matter, a claim under Item 303 doesn’t add much, if anything, to a plain vanilla claim alleging that a statement was misleading for omitting the same information.

Evolution of the Legal Issue

SEC forms, under both the Securities Act and the Exchange Act, require the disclosure of various items described in SEC Regulation S-K.  Some of the most important disclosures are found in S-K Item 303(a), which includes “management’s discussion and analysis” (MD&A) of the company’s “financial condition, changes in financial condition and results of operations.”  And Item 303(a)(3)(ii) indicates that the MD&A must include a description of “any known trends or uncertainties that have had or that the [company] reasonably expects will have a material … unfavorable impact on net sales or revenues or income from continuing operations.”  This is a high hurdle for a plaintiff to clear: a company must actually know: (1) the facts underlying the trend or uncertainty, (2) that those known facts yield a trend or uncertainty, and (3) that the trend or uncertainty will have a negative and material impact.

The key liability provisions of the federal securities laws, Section 10(b) of the Securities Exchange Act of 1934 and Section 11 of the Securities Act of 1933, prohibit a false statement or omission of a fact that causes a statement to be misleading.  In addition, the text of Section 11 allows a claim to be based on the issuer’s failure to disclose “a material fact required to be stated” in a registration statement. 15 U.S.C. § 77k(a) (emphasis added).  One such requirement is Item 303.  Panther Partners Inc. v. Ikanos Communications, Inc., 681 F.3d 114, 120 (2nd Cir. 2012).  Based on this statutory language – which is unique to Section 11 – Section 11 claims thus appropriately can include claims based on Item 303.

Panther Partners is the decision that has fueled plaintiffs’ counsel’s use of Item 303. In Panther Partners, the Second Circuit held that Item 303 required the issuer, Ikanos Communications, to disclose information about a high product defect rate, and that the omission of this information from a registration statement gave rise to a cause of action under Section 11.  There are two important facets of the decision that have largely been forgotten.  First, the court emphasized Section 11’s language, which isn’t present in the statute or decisions under Section 10(b), that an issuer must disclose “a material fact required to be stated” in a registration statement.  Second, the court was troubled by the fact that the company’s risk factor about product defects suggested there were no defects when, in fact, there were:

In light of these allegations, the Registration Statement’s generic cautionary language that “[h]ighly complex products such as those that [Ikanos] offer[s] frequently contain defects and bugs” was incomplete and, consequently, did not fulfill Ikanos’s duty to inform the investing public of the particular, factually-based uncertainties of which it was aware in the weeks leading up to the Secondary Offering.

Id. at 122.  I could make a strong argument that the driver of the court’s decision was a false or misleading risk factor, and Item 303 was just the way the court articulated its conclusion.  As I’ve written, courts are often troubled by boilerplate risk factors, especially those that cast as hypothetical risks that have materialized.

In NVIDIA, plaintiffs alleged that several of NVIDIA’s SEC filings contained materially false and misleading statements because they omitted information relating to a defect in NVIDIA’s graphics processing unit (“GPU”) chips.  Plaintiffs also argued that certain omissions in filing statements were actionable under Section 10(b) because the chip defects constituted a “known trend” under Item 303 – but did not present this theory in the complaint itself.

The district court found that plaintiffs had pled “at least one” material misrepresentation – a risk factor saying that defects “might occur,” which falsely suggested that NVIDIA was not already aware of the same defect in other products.  The district court did not inquire into whether any of the other specific statements were also materially misleading.  Nonetheless, the district court dismissed the complaint on the ground that plaintiffs had failed to plead scienter.  The district court opinion only mentioned Item 303 briefly, as it was not (yet) a centerpiece of plaintiffs’ theory.

Before the Ninth Circuit, plaintiffs argued that the district court should have considered scienter in the context of Item 303, focusing on whether defendants had acted with scienter in violating that rule.  The Ninth Circuit rejected this line of argument on the ground that Item 303 does not establish an independent duty of disclosure for the purposes of Section 10(b).  The Ninth Circuit did not consider whether plaintiffs had successfully pled a material misrepresentation (as the district court had found), focusing instead on scienter, and affirming the district court’s judgment on this ground.

Shortly thereafter, the Second Circuit, in Stratte-McClure, held that Item 303 does establish an independent duty of disclosure for purposes of Section 10(b).  The court began with the cardinal rule that silence, absent a duty to disclose, is not actionable, and such a duty is created when a company omits facts that make a statement misleading.  768 F.3d at 101-02.  The court then grappled with whether omission of facts required to be disclosed under Item 303 creates a duty of disclosure for purposes of Section 10(b).  In analyzing this issue, the court relied on the Panther Partners holding, though the court compared Section 10(b)’s requirements to Section 12(a)(2) of the 1933 Act, which does not contain Section 11’s unique statutory language, i.e., Section 11 makes actionable not just a false or misleading statement, but also a failure to disclose “a material fact required to be stated” in a registration statement.

The court’s comparison of Section 10(b) to Section 12(a)(2) instead of to Section 11 resulted in a large legal leap.  The court in Panther Partners stated that “[o]ne of the potential bases for liability under §§ 11 and 12(a)(2) is an omission in contravention of an affirmative legal disclosure obligation” (i.e. making actionable the omission of “a material fact required to be stated” in a registration statement).  681 F.3d at 120.  But, in fact, only Section 11, and not Section 12(a)(2), contains that provision.  Instead, Section 12(a)(2), like Section 10(b), imposes liability for a false or misleading statement, and doesn’t contain the alternative basis of liability for a failure to disclose “a material fact required to be stated ….”  As a result, Stratte-McClure doesn’t fairly portray the rationale for the holding in Panther Partners.

Nevertheless, the court in Stratte-McClure supplied a separate basis, grounded in Section 10(b)’s requirement of a false or misleading statement, for concluding that Item 303 supplies a duty to disclose that can be actionable under Section 10(b):

Due to the obligatory nature of [Item 303], a reasonable investor would interpret the absence of an Item 303 disclosure to imply the nonexistence of “known trends or uncertainties … that the registrant reasonably expects will have a material … unfavorable impact on … revenues or income from continuing operations.” …  It follows that Item 303 imposes the type of duty to speak that can, in appropriate cases, give rise to liability under Section 10(b).

776 F.3d at 102 (citations omitted).  In other words, a company that fails to disclose information required to be disclosed by Item 303 has misled investors by creating an impression of a state of affairs (that there are no materially negative trends or uncertainties) that differs from the one that actually exists (that there are such trends or uncertainties).  Thus, what the court implicitly held is that an Item 303 omission makes the whole set of the company’s affirmative statements misleading.

Item 303’s Lack of Practical Impact

The Item 303 issue is certainly interesting.  My colleagues and I have had lively discussions about the questions it raises.  But we keep concluding that it doesn’t really add anything.

We first reached this conclusion in a roundabout way in a case a few years ago.  There were two offerings at issue, and just after Panther Partners, plaintiffs’ counsel featured the Item 303 allegations.  We drafted a detailed motion to dismiss section on the Item 303 issue.  As we evaluated our arguments in light of the page limit, we kept shortening the Item 303 argument.  In the end, we decided that the Item 303 claim was redundant: the court wasn’t going to deny the motion to dismiss under Item 303 without also finding that the plaintiffs had sufficiently pleaded a false statement and scienter, because the plaintiffs challenged many statements and pleaded scienter using the same allegations that formed the basis of the Item 303 claim.  So in the filed version of the motion, the argument became a fraction of the size of the original one.  And in the reply brief, the Item 303 argument was in a short footnote.

Since then, the plaintiffs’ bar’s focus on the issue, and various court decisions, and even a cert petition, have kept me re-thinking the importance of Item 303 to securities claims.  But I haven’t changed my view that Item 303 is redundant: very rarely, if ever, would there be an omitted fact that gives rise to an Item 303 claim without also rendering false or misleading one or more challenged statements; and the knowledge required under Item 303 is at least as great as is necessary to establish scienter.  Even under Section 11, where the unique statutory language allows for a claim, Item 303’s multiple knowledge requirements, if appropriately applied, make the claim difficult to plead and prove.

The NVIDIA case provides a good illustration.  Recall that the plaintiffs alleged that NVIDIA made false statements related to a defect in its GPU chips, and argued that the chip defects constituted a known trend under Item 303.  The complaint challenged many statements, and the district court concluded that “at least one” was misleading as a result of the defects:

  • “Our core businesses are continuing to grow as the GPU becomes increasingly central to today’s computing experience in both the consumer and professional market segments.”
  • “Fiscal 2008 was another outstanding and record year for us. Strong demand for GPUs in all market segments drove our growth. Relative to Q4 one year ago, our discrete GPU business grew 80%.”
  • “As we have in the past, we intend to use this [R&D] strategy to achieve new levels of graphics, networking and communications features and performance and ultra-low power designs, enabling our customers to achieve superior performance in their products.”
  • “[W]e believe that close relationships with OEMs, ODMs and major system builders will allow us to better anticipate and address customer needs with future generations of our products.”
  • “The growth of GPUs continues to outpace the PC market. We shipped 42 percent more GPUs this quarter compared to the same period a year ago, resulting in our best first quarter ever. … We expect this positive feedback loop to continue to drive our growth.”
  • “In the past, we have discovered defects and incompatibilities with customers’ hardware in some of our products. Similar issues in the future may result in delays or loss of revenue to correct any defects or incompatibilities.”
  • “If our products contain significant defects our financial results could be negatively impacted, our reputation could be damaged and we could lose market share.”
  • In a statement disclosing the defects: “We are evaluating the potential scope of this situation, including the nature and cause of the alleged defect and the merits of the customer’s claim, and to what extent the alleged defect might occur with other of our products.”

This list of challenged statements illustrates that companies affirmatively say many things on the subject matter of an omission sufficient to yield an Item 303 claim.  Indeed, it’s hard to imagine a case in which an issue is so major as to require Item 303 disclosure but isn’t something about which the company has spoken.

And given that is the case, and Item 303’s disclosure requirements are infused with knowledge requirements, it also would be an anomalous case in which there is an Item 303 violation but not scienter.  For example, if a company violates Item 303 by not disclosing that its biggest customer is switching suppliers next quarter, and proceeds to say things about its business and financial outlook as it of course would, it has made misleading statements with intent to defraud.  The Item 303 claim adds nothing.  Stratte-McClure, on its face, is an anomalous case.  After concluding that Morgan Stanley had a duty to disclose certain facts about subprime lending that were likely to cause material trading losses, the court concluded that the failure to disclose those facts wasn’t done with scienter.  The analysis is fact-specific and technical.  Suffice it to say that I could easily re-write the opinion, using the court’s own scienter analysis, to conclude that no disclosure was required under Item 303 in the first place – it’s really a matter of six of one, half a dozen of another.

Why, then, have plaintiffs’ counsel pushed Item 303 claims so hard?  I believe it’s mostly to combat the cardinal rule that silence, absent a duty to disclose, is not misleading. Companies omit thousands of facts every time they speak, and it’s relatively easy for a plaintiff to identify omitted facts – but it’s analytically difficult work, and often unsuccessful, to challenge affirmative statements.

Another important reason is defendants’ attack on the fraud on the market presumption of reliance over the past several years – first to the legitimacy of Basic v. Levinson, which gave rise to securities class actions, and now to its viability in specific cases under the price-impact rule of Halliburton II.  Claims of pure omission under Item 303 arguably would fall under the Affiliated Ute presumption of reliance, rather than under Basic, which would make class certification easier and more certain.  But the court’s reasoning in Stratte-McClure that an Item 303 violation makes what the company said misleading would make the claim a statement-based claim that would be evaluated under Basic, not Affiliated Ute.

Whatever the reason, I hope parties and courts don’t waste time litigating over Item 303 further.  It just doesn’t matter.

Fixing the Economics of Securities Class Action Defense: Nationwide Defense by Regional Firms

Posted in D&O Insurance, Defense Costs, Defense Counsel, Litigation Strategy, Plaintiffs' Bar, Securities Class Action

In my last D&O Discourse post, “The Future of Securities Class Action Litigation,” I discussed why changes to the securities litigation defense bar are inevitable: in a nutshell, the economic structures of the typical securities defense firms – mostly national law firms – result in defense costs that significantly exceed what is rational to spend in a typical securities class action.  As I explained, the solution needs to come from outside the biglaw paradigm; when biglaw firms try to reduce the cost of one case without changing their fundamental billing and staffing structure, they end up cutting corners by foregoing important tasks or settling prematurely for an unnecessarily high amount.  That is obviously unacceptable.

The solution thus requires us to approach securities class action defense in a new way, by creating a specialized bar of securities defense lawyers from two groups: lawyers from national firms who change their staffing structure and lower their billing rates, and experienced securities litigators from regional firms with economic structures that are naturally more rational.

But litigation venues are regional.  We have state courts and federal courts organized by states and areas within states.  Since lawyers need to go to the courthouse to file pleadings, attend court hearings, and meet with clients in that location, the lawyer handling a case needs to live where the judge and clients live.


Not anymore.

Although the attitude that a case needs a local lawyer persists, that is no longer how litigation works.  We don’t file pleadings at the courthouse.  We file them on the internet from anywhere – even from an airplane.  There are just a handful of in-person court hearings in most cases.  And the reality is that most clients don’t want their lawyers hanging around in person at their offices – email, phone calls, and Skype suffice.  Even document collection can be done mostly electronically and remotely.  And with increasingly strict deposition limits, and witnesses located around the country and world, depositions don’t require much time in the forum city either.

In a typical Reform Act case, where discovery is stayed through the motion-to-dismiss process, the amount of time a lawyer needs to spend in the forum city is especially modest.  If a case is dismissed on a motion to dismiss, the case activities in the forum city in a typical case amount only to (1) a short visit to the clients’ offices to learn the facts necessary to assess the case and prepare the motion to dismiss, and (2) the motion-to-dismiss argument, if there is one.  Indeed, assuming that a typical securities case requires a total of 1,000 hours of lawyer time through an initial motion to dismiss, fewer than 50 of those hours – one-half of one percent – need to be spent in the forum city.  The other 99.5% can be spent anywhere.

Discovery doesn’t change these percentages much.  Assume that it takes another 10,000 hours of attorney time to litigate a case through a summary judgment motion, or 11,000 total hours.  Four lawyers/paralegals spending four weeks in the forum city for document collection and depositions (a generous allotment) yields only another 640 hours.  So in my hypothetical, only 0.63% of the defense of the case requires a lawyer to be in the forum city.  The other 99.37% of the work can be done anywhere.  Because a biglaw firm would litigate a securities class action with a larger team, the total number of hours in a typical biglaw case would be much higher – both the total defense hours and the total number of hours spent in the forum city – but the percentages would be similar.

Nor does the cost of travel move the economic needle.  Of course, if a firm is willing not to charge for travel time and travel costs to the forum city, there is no economic issue.  My firm is willing to make this concession, and I would bet others are as well.  Even if a firm does charge for travel cost and travel time, the cost is minuscule in relation to total defense costs.  For example, my total travel costs for a five-night trip to New York City – both airfare and lodging – are typically less than the cost of two biglaw partner hours.

Of course, there are some purposes for which local counsel is necessary, or at least ideal – someone who knows the local rules, is familiar with the local judges, and is admitted in the forum state.  But the need to utilize local counsel for a limited number of tasks doesn’t present any economic or strategic issue either, if the lawyers’ roles are clearly defined.  Depending on the circumstances, I like to work either with a local lawyer in a litigation boutique that was formed by former large-firm lawyers with strong local connections, or with a lawyer from a strong regional firm.  I just finished a case in which the local firm was a boutique, and a case in which the local firm was another regional firm.  In both cases, the local firms charged de minimis amounts.  In some cases, the local firm can and should play a larger role, but whatever the type of firm and its role, the lead and local lawyers can develop the right staffing for the case and work together essentially as one firm – if they want to.

All of these considerations show that securities litigation defense can and should be a nationwide practice.  It is no longer local.  We need look no farther than the other side of the “v” for a good example.  Our adversaries in the plaintiffs’ bar have long litigated cases around the country, often teaming up with local lawyers from different firms.  Like securities defense, plaintiffs’ securities work requires a full-time focus that has led to a relatively small number of qualified firms.  The qualified firms litigate cases around the country, not just in their hometowns or even where their firms have lawyers.

This all seems relatively simple, but it requires us all to abandon old assumptions about the practice of law that are no longer applicable, and embrace a new mindset.  Biglaw defense lawyers need to obtain more economic freedom within their firms to reduce their rates and staffing for typical securities cases, or they must face the reality that their firms perhaps are well suited only for the largest cases.  Regional firms must recruit more full-time securities litigation partners and be willing not to charge for travel time and costs.  And companies and insurers must appreciate that securities litigation defense will improve – through better substantive and economic results in both individual cases and overall – if they recognize that a good regional firm with dedicated securities litigators can defend a securities class action anywhere in the country, and can usually do so more effectively and efficiently than a biglaw firm.

D&O Discourse News – and a Shameless Request for Help

Posted in Cyber Security, D&O Discourse News, Statements of Opinion, Supreme Court

There are several bits of D&O Discourse news to share:

1.  I hope that you can attend conferences at which I’m speaking this fall:

  • I am co-chairing ACI’s D&O Liability Forum in New York City on September 17-18, and moderating a panel discussing significant securities litigation developments.  Readers of D&O Discourse can receive a discount off the current price.  Please email me: greened@lanepowell.com.
  • I am co-chairing and speaking on a panel discussing board oversight of cybersecurity at a meeting of the National Association of Corporate Directors, Northwest Chapter, in Seattle on October 20, 2015.

2.  The ABA is accepting nominations for the list of the Top 100 Law Blogs.  If you are so inclined, I’d be grateful for your nomination of D&O Discourse. Nominations are due by the end of the day on August 16.  Here is the link to the nomination page.  Thank you.

3.  We continue to try to make D&O Discourse as useful as possible.  We now have three features:

  • The D&O Discourse blog itself:  In the blog, we provide opinion about key issues in the law and practice of securities and corporate governance litigation and SEC enforcement.  We write an opinion-based piece roughly monthly.
  • Twitter:  Because the D&O Discourse blog doesn’t attempt to chronicle current events, we started a Twitter feed to identify current developments that we think would be most important to our readers.  You can follow us by reading our Twitter feed on the left-hand side of the D&O Discourse blog, or on Twitter, @DandODiscourse.
  • LinkedIn:  We recently set up a special LinkedIn page, where we publish thoughts that are too long for Twitter but too short for a blog post.  Here is an example:

“In writing my 2014 year-in-review piece, it occurred to me that the judicial environment for securities and corporate governance litigation seems about as neutral as it has been in a long time. We’ve seen streaks of decisions that feel pro-plaintiff or pro-defendant, driven in part by judicial skepticism caused by the waves of corporate scandals since Enron and WorldCom. But over the past year or so, the decisions feel pretty even. The 2nd Circuit / 9th Circuit split over whether omission of matters covered by Item 303 of S-K can be actionable epitomizes the current judicial environment.”

Here is a link to our LinkedIn page.  Please click “Follow” to receive updates in your LinkedIn feed.

4.  In the upcoming issue of the PLUS Journal, my partner Claire Davis and I are publishing an article about the importance of the U.S. Supreme Court’s decision in Omnicare, based on one of our D&O Discourse blog posts.  As our readers know, Claire and I wrote an amicus brief that shaped the Supreme Court’s Omnicare opinion.

We hope you enjoy the rest of your summer.

The Future of Securities Class Action Litigation

Posted in D&O Insurance, Defense Costs, Defense Counsel, Litigation Strategy, Plaintiffs' Bar, Securities Class Action, Securities Class Action Statistics, Settlement

Securities litigation has a culture defined by multiple elements: the types of cases filed, the plaintiffs’ lawyers who file them, the defense counsel who defend them, the characteristics of the insurance that covers them, the way insurance representatives approach coverage, the government’s investigative policies – and, of course, the attitude of public companies and their directors and officers toward disclosure and governance.

This culture has been largely stable over the nearly 20 years I’ve defended securities litigation matters full time.  The array of private securities litigation matters (in the way I define securities litigation) remains the same – in order of virulence: securities class actions, shareholder derivative litigation matters (derivative actions, board demands, and books-and-records inspections), and shareholder challenges to mergers.  The world of disclosure-related SEC enforcement and internal corporate investigations is basically unchanged as well.  And the art of managing a disclosure crisis, involving the convergence of shareholder litigation, SEC enforcement, and an internal investigation, involves the same basic skills and instincts.

But I’ve noted significant changes to other characteristics of securities-litigation culture recently, which portend a paradigm shift.  Over the past few years, smaller plaintiffs’ firms have initiated more securities class actions on behalf of individual, retail investors, largely against smaller companies that have suffered what I call “lawsuit blueprint” problems such as auditor resignations and short-seller reports.  This trend – which has now become ingrained into the securities-litigation culture – will significantly influence the way securities cases are defended and by whom, and change the way that D&O insurance coverage and claims need to be handled.

Changes in the Plaintiffs’ Bar

Discussion of the history of securities plaintiffs’ counsel usually focuses on the impact of the departures of former giants Bill Lerach and Mel Weiss.  But although the two of them did indeed cut a wide swath, the plaintiffs’ bar survived their departures just fine.  Lerach’s former firm is thriving, and there are strong leaders there and at other prominent plaintiffs’ firms.

The more fundamental shifts in the plaintiffs’ bar concern changes to filing trends.  Securities class action filings are down significantly over the past several years, but as I have written, I’m confident they will remain the mainstay of securities litigation, and won’t be replaced by merger cases or derivative actions.  There is a large group of plaintiffs’ lawyers who specialize in securities class actions, and there are plenty of stock drops that give them good opportunities to file cases. Securities class action filings tend to come in waves, both in the number of cases and type.  Filings have been down over the last several years for multiple reasons, including the lack of plaintiff-firm resources to file new cases as they continue to litigate stubborn and labor-intensive credit-crisis cases, the rising stock market, and the lack of significant financial-statement restatements.

While I don’t think the downturn in filings is, in and of itself, very meaningful, it has created the opportunity for smaller plaintiffs’ firms to file more securities class actions.  As D&O Discourse readers know, the Reform Act’s lead plaintiff process incentivized plaintiffs’ firms to recruit institutional investors to serve as plaintiffs.  For the most part, institutional investors, whether smaller unions or large funds, have retained the more prominent plaintiffs’ firms, and smaller plaintiffs’ firms have been left with individual investor clients who usually can’t beat out institutions for the lead-plaintiff role.  At the same time, securities class action economics tightened in all but the largest cases.  Dismissal rates under the Reform Act are pretty high, and defeating a motion to dismiss often requires significant investigative costs and intensive legal work.  And the median settlement amount of cases that survive dismissal motions is fairly low.  These dynamics placed a premium on experience, efficiency, and scale.  Larger firms filed the lion’s share of the cases, and smaller plaintiffs’ firms were unable to compete effectively for the lead plaintiff role, or make much money on their litigation investments.

This started to change with the wave of cases against Chinese issuers in 2010.  Smaller plaintiffs’ firms initiated the lion’s share of them, as the larger firms were swamped with credit-crisis cases and likely were deterred by the relatively small damages, potentially high discovery costs, and uncertain insurance and company financial resources.  Moreover, these cases fit smaller firms’ capabilities well; nearly all of the cases had “lawsuit blueprints” such as auditor resignations and/or short-seller reports, thereby reducing the smaller firms’ investigative costs and increasing their likelihood of surviving a motion to dismiss.  The dismissal rate has indeed been low, and limited insurance and company resources have prompted early settlements in amounts that, while on the low side, appear to have yielded good outcomes for the smaller plaintiffs’ firms.

The smaller plaintiffs’ firms thus built up a head of steam that has kept them going, even after the wave of China cases subsided.  For the last year or two, following almost every “lawsuit blueprint” announcement, a smaller firm has launched an “investigation” of the company, and they have initiated an increasing number of cases.  Like the China cases, these cases tend to be against smaller companies.  Thus, smaller plaintiffs’ firms have discovered a class of cases – cases against smaller companies that have suffered well-publicized problems that reduce the plaintiffs’ firms’ investigative costs – for which they can win the lead plaintiff role and that they can prosecute at a sufficient profit margin.

To be sure, the larger firms still mostly can and will beat out the smaller firms for the cases they want.  But it increasingly seems clear that the larger firms don’t want to take the lead in initiating many of the cases against smaller companies, and are content to focus on larger cases on behalf of their institutional investor clients.

These dynamics are confirmed by recent securities litigation filing statistics.  Cornerstone Research’s “Securities Class Action Filings: 2014 Year in Review,” concludes that (1) aggregate market capitalization loss of sued companies was at its lowest level since 1997, and (2) the percentage of S&P 500 companies sued in securities class actions “was the lowest on record.”  Cornerstone’s “Securities Class Action Filings: 2015 Midyear Assessment” reports that two key measures of the size of cases filed in the first half of 2015 were 43% and 65% lower than the 1997-2014 semiannual historical averages.  NERA Economic Consulting’s “Recent Trends in Securities Class Action Litigation:  2014 Full-Year Review” reports that 2013 and 2014 “aggregate investor losses” were far lower than in any of the prior eight years.  And PricewaterhouseCoopers’ “Coming into Focus: 2014 Securities Litigation Study” reflects that in 2013 and 2014, two-thirds of securities class actions were against small-cap companies (market capitalization less than $2 billion), and one-quarter were against micro-cap companies (market capitalization less than $300 million).*  These numbers confirm the trend toward filing smaller cases against smaller companies, so that now, most securities class actions are relatively small cases.

Consequences for Securities Litigation Defense

Securities litigation defense must adjust to this change.  Smaller securities class actions are still important and labor-intensive matters – a “small” securities class action is still a big deal for a small company and the individuals accused of fraud, and the number of hours of legal work to defend a small case is still significant.  This is especially so for the “lawsuit blueprint” cases, which typically involve a difficult set of facts.

Yet most securities defense practices are in firms with high billing rates and high associate-to-partner ratios, which make it uneconomical for them to defend smaller litigation matters.  It obviously makes no sense for a firm to charge $6 million to defend a case that can settle for $6 million.  It is even worse for that same firm to attempt to defend the case for $3 million instead of $6 million by cutting corners – whether by under-staffing, over-delegation to junior lawyers, or avoiding important tasks.  It is worse still for a firm to charge $2 million through the motion to dismiss briefing and then, if they lose, to settle for more than $6 million just because they can’t defend the case economically past that point.  And it is a strategic and ethical minefield for a firm to charge $6 million and then settle for a larger amount than necessary so that the fees appear to be in line with the size of the case.

Nor is the answer to hire general commercial litigators at lower rates.  Securities class actions are specialized matters that demand expertise, consisting not just of knowledge of the law, but of relationships with plaintiffs’ counsel, defense counsel, economists, mediators, and D&O brokers and insurers.

Rather, what is necessary is genuine reform of the economics of securities litigation defense through the creation of a class of experienced securities litigators who charge lower rates and exhibit tighter economic control.  Undoubtedly, that will be difficult to achieve for most securities defense lawyers, who practice at firms with supercharged economics.  The lawyers who wish to remain securities litigation specialists will thus face a choice:

  1. Accept that the volume of their case load will be reduced, as they forego smaller matters and focus on the largest matters (which Biglaw firms are uniquely situated to handle well, on the whole);
  2. Rein in the economics of their practices, by lowering billing rates of all lawyers on securities litigation matters, and by reducing staffing and associate-to-partner ratios; and/or
  3. Move their practices to smaller, regional defense firms that naturally have more reasonable economics.

I’ve taken the third path, and I hope that a number of other securities litigation defense lawyers will also make that shift toward regional defense firms.  A regional practice can handle cases around the country, because litigation matters can be effectively and efficiently handled by a firm based outside of the forum city.  And they can be handled especially efficiently by regional firms outside of larger cities, which can offer a better quality of life for their associates, and a more reasonable economic model for their clients.

Consequences for D&O Insurance

D&O insurance needs to change as well.  For public companies, D&O insurance is indemnity insurance, and the insurer doesn’t have the duty or right to defend the litigation.  Thus, the insured selects counsel and the insurer has a right to consent to the insured’s selection, but such consent can’t be unreasonably withheld.  D&O insurers are in a bad spot in a great many cases.  Since most experienced securities defense lawyers are from expensive firms, most insureds select an expensive firm.  But in many cases, that spells a highly uneconomical or prejudicial result, through higher than necessary defense costs and/or an early settlement that doesn’t reflect the merits, but which is necessary to avoid using most or all of the policy limits on defense costs.

Given the economics, it certainly seems reasonable for an insurer to at least require an insured to look at less expensive (but just as experienced) defense counsel before consenting to their choice of counsel – if not outright withholding consent to a choice that does not make economic sense for a particular case.  If that isn’t practical from an insurance law or commercial standpoint, insurers may well need to look at enhancing their contractual right to refuse consent, or even to offer a set of experienced but lower-cost securities defense practices in exchange for a lower premium.  It is my strong belief that a great many public company CFOs would choose a lower D&O insurance premium over an unfettered right to choose their own defense lawyers.

Since I’m not a D&O insurance lawyer, I obviously can’t say what is right for D&O insurers from a commercial or legal perspective.  But it seems obvious to me that the economics of securities litigation must change, both in terms of defense costs and defense-counsel selection, to avoid increasingly irrational economic results.


* Median settlement values are falling as well.  In 2014, the median settlement was just $6.5 million according to NERA and $6.0 million according to Cornerstone.  NERA found that “[o]n an inflation-adjusted basis, 2014 median settlement was the third-lowest since the passage of the PSLRA: only in 1996 and in 2001 were median settlement amounts lower on an inflation-adjusted basis.”  Cornerstone reports that 62% of settlements in 2014 were $10 million or less, compared to an average of 53% over 2005-13.  Since settlements in 2014 were of cases filed in earlier years, when the size of cases was larger, it stands to reason that median settlements should remain small or decrease further in future years.

Hey There Fellow Securities Defense Lawyers: Omnicare is GOOD for Us!

Posted in Falsity Analysis, Motions to Dismiss, Securities Class Action, Statements of Opinion, Supreme Court

If correctly understood and applied, the Supreme Court’s decision in Omnicare, Inc. v. Laborers Dist. Council Const. Industry Pension Fund, 135 S. Ct. 1318 (2015), will allow corporate officers to speak more freely, without fear of unfair liability.  And defendants will win more cases.

Yet I keep seeing commentary from defense lawyers saying that Omnicare expanded the basis for defendants’ liability.  That sort of statement is simply wrong, and fails to appreciate the muddled state of the pre-Omnicare standards for judging statements of opinion and the Omnicare standard itself.  Indeed, Omnicare – which applies to the “false or misleading statement” element of both Section 11 and Section 10(b) – will be the most helpful Supreme Court decision for defendants since Tellabs, if we in the defense bar use it right.

Pre-Omnicare Law Governing Statements of Opinion Was Muddled

To correctly understand Omnicare, it is critical to appreciate that the law on statements of opinion before Omnicare was a mess.  For a full discussion, I invite you to review pages 13-19 of our Omnicare amicus brief on behalf of Washington Legal Foundation.  Here, I’ll share what I believe was going on in the cases, starting with the base case, the Supreme Court’s decision in Virginia Bankshares v. Sandberg, 501 U.S. 1083 (1991).

Virginia Bankshares held that an opinion may be actionable as a false statement of “fact,” to the extent to which it is a “misstatement of the psychological fact of the speaker’s belief in what he says.”  501 U.S. at 1095.  This makes sense.  If it’s raining and I say to someone from another city that the weather where I am is “nice,” my statement of opinion is true if I genuinely believe it.  It doesn’t matter if most other people wouldn’t think so.  But it also makes sense that my true opinion could be misleading to a reasonable person, since most people wouldn’t regard rainy weather as “nice.”  Virginia Bankshares only concerned the “falsity” of an opinion, and not the broader question of whether a “true” statement of opinion can omit facts that make the opinion misleading – just like any other type of true statement can be misleading.

Virginia Bankshares didn’t catch on.  I think there are two main reasons.  First, the decision is difficult to read and decipher.  Many doubted that the Supreme Court actually meant to create a subjective falsity standard, and many defendants and courts didn’t even cite the case when analyzing statements of opinion.  Second, the subjective falsity standard only covers the “false” half of the “false or misleading statement” element – the fact of the speaker’s state of mind.  Courts thus struggled to figure out how to harmonize Virginia Bankshares with the “misleading” half of the element, especially as defendants argued that a lack of subjective falsity alone defeated the entire claim.  I believe that these difficulties led courts to ignore or distinguish Virginia Bankshares, or to apply an alternative standard.

The most influential alternative standard was the disjunctive three-part test the Ninth Circuit established in In re Apple Computer Sec. Litig., 886 F.2d 1109 (9th Cir. 1989).  In Apple, the Ninth Circuit held that opinions are actionable if they (1) are not genuinely believed, (2) there is no reasonable basis for the belief, or (3) the speaker knows undisclosed facts that tend to seriously undermine the opinion.  Courts around the country followed the broad and plaintiff-friendly Apple standard to such an extent that it is fair to say it was the prevailing test for deciding whether an opinion was actionable.  Virginia Bankshares, if cited at all, was typically an afterthought.  Even after the Ninth Circuit first applied Virginia Bankshares in 2009, in Rubke v. Capitol Bancorp Ltd., 551 F.3d 1156 (9th Cir. 2009), it didn’t expressly overrule the incompatible Apple standard, and some courts, both inside and outside the Ninth Circuit, continued to refer to Apple.

Virginia Bankshares Recently Had Started to Catch On

Recently, in Fait v. Regions Fin. Corp., 655 F.3d 105 (2d Cir. 2011), the Second Circuit joined the Ninth Circuit in applying Virginia Bankshares.  Based on Fait and Rubke, and a few other circuit court decisions, defendants began to argue that an opinion can only be false or misleading if it was not actually believed by the speaker.  This, I think, is the source of the defense bar’s disappointment with Omnicare: they feel it is a step backward from the standard of law they hoped was developing – namely, one that makes a statement of opinion not actionable as long as the speaker genuinely believes it (i.e. is subjectively true), without considering whether it may nevertheless be misleading.

But whatever the merits of recent decisions, Virginia Bankshares concerns only “subjective falsity,” the first half of the “false or misleading statement” element.  In Omnicare, the Supreme Court prescribed the standards for analysis for both halves of the “false or misleading statement” element, which, of course, is legally required, because under Section 11 and Section 10(b), a true statement can be actionable if it is misleading.

Omnicare’s Second Prong is Simply the Misleading Half of “False or Misleading Statement” Element

Indeed, the “misleading” half of the “false or misleading statement” element was the real showdown in Omnicare.  At oral argument, it seemed inevitable that the Supreme Court would reject the plaintiffs’ argument that a genuinely believed opinion may nonetheless be considered “false” if it is later determined that the opinion was incorrect. But the Court also expressed discomfort with the potential loopholes that could be created by Omnicare’s position at the other extreme – that if a statement is phrased as an opinion, it cannot be found to be either false or misleading under the securities laws, as long as the opinion was honestly held by the speaker.

There were many wrong turns that the Court could have taken in rejecting these two extremes, running the risk of further confusing the law not only regarding the truth or falsity of opinions, but also muddling the law of scienter and materiality.  But the Court successfully navigated these potential pitfalls – including refusing to adopt the “reasonable basis” standard advocated by the Solicitor General – and instead adopted an analytically sound approach that is consistent with its previous securities rulings, holding that:

(1) a statement of opinion is only “false” under the securities laws if it is not genuinely believed by the speaker; and

(2) like any other kind of statement, a statement of opinion may be “misleading” if, when considered in context, it creates a false impression in the mind of a reasonable investor.

Omnicare thus simply stitches together (1) Virginia Bankshares’s subjective falsity standard and (2) the standard for “misleading” in the “false or misleading statement” element that has always applied to each and every type of challenged statement in each and every securities class action.  See, e.g., Brody v. Transitional Hosps. Corp., 280 F.3d 997, 1006 (9th Cir. 2002) (a statement is misleading due to omissions if it “affirmatively create[s] an impression of a state of affairs that differs in a material way from the one that actually exists”).

Although recent cases seemed to focus on subjective falsity, a rule of subjective falsity alone never could or would have been the law, because the misleading-statement half of the “false or misleading statement” is an integral part of the law of Section 10(b) and Section 11. Thus, the law on what can make a statement of opinion misleading inevitably would have developed in the courts, with or without Omnicare. For this simple reason, the view that Omnicare’s second prong is something new and plaintiff-friendly is wrong; it is simply the pre-existing “misleading” half of the “false or misleading statement” element.

The legal standard Omnicare established to evaluate misleading-statement allegations will greatly help defendants argue for dismissal of claims based on statements of both fact and opinion.  In evaluating what investors understood, the Court directed courts to consider the entire factual context in which defendants made the challenged statement.  In particular, the Court’s analysis emphasizes that whether a statement is misleading “always depends on context” and a statement must be understood in its “broader frame,” including “in light of all its surrounding text, including hedges, disclaimers, and apparently conflicting information,” and the “customs and practices of the relevant industry.”  135 S. Ct. at 1330.

A good motion to dismiss has always analyzed a challenged statement (fact or opinion) in its broader factual context to explain why it’s not misleading.  But many defense lawyers unfortunately leave out the broader context, and courts sometimes take a narrower view.  Now, this type of superior, full-context analysis is required by Omnicare.  And combined with Tellabs’s directive that courts consider scienter inferences based not only on the complaint’s allegations, but also on documents on which the complaint relies or that are subject to judicial notice, courts clearly must now consider the full array of probative facts in deciding both whether a statement was false or misleading and, if so, whether it was made with scienter.  Plaintiffs can’t cherry-pick what the court considers anymore.

In the full context of the facts, Omnicare prescribes strict scrutiny of misleading-statement allegations, emphasizing the narrowness of its standard:  an opinion is not misleading just because “external facts show the opinion to be incorrect,” 135 S. Ct. at 1328, or if a company fails to disclose “some fact cutting the other way,” or if the company does not disclose that some disagree with its opinion.  Id. at 1329-30.  Rather, the Court seized upon the misleading-statement analysis that our amicus brief (alone among the parties and amici) had urged, finding that an opinion is misleading if it omits information that is necessary to avoid creating a false impression of the “real facts” in a reasonable investor, when the statement is taken as a whole and considered in its full context.  Unlike the “reasonable basis test” urged by the Solicitor General, the Court emphasized that this inquiry “is objective.”  Id. at 1327.  And the Court stressed that pleading a misleading opinion will be “no small task for an investor.”  Id. at 1332.

Thus, far from being plaintiff-friendly, Omnicare has expressly given the defense bar tools with which to make better arguments.  If the defense bar uses Omnicare correctly, the decision will have a profound impact on securities litigation defense and, most importantly, on the ability of directors and officers to speak their minds without fear of liability for doing so honestly.

Corralling and Curtailing Merger Litigation: Lessons Learned from Past Securities and Corporate Governance Litigation Reform

Posted in Board Oversight, Cyber Security, Delaware Courts, Litigation Reforms, Litigation Strategy, M&A Litigation, Plaintiffs' Bar, Section 220, Shareholder Derivative Action

In the world of securities and corporate governance litigation, we are always in the middle of a reform discussion of some variety.  For the past several years, there has been great focus on amendment of corporate bylaws to corral and curtail shareholder corporate-governance claims, principally shareholder challenges to mergers.*  Meritless merger litigation is indeed a big problem.  It is a slap in the face to careful directors who have worked hard to understand and approve a merger, or to CEOs who have spent many months or years working long hours to locate and negotiate a transaction in the shareholders’ best interest.  It is cold comfort to know that nearly all mergers draw shareholder litigation, and that nearly all of those cases will settle before the transaction closes without any payment by the directors or officers personally.  And we know the system is broken when it routinely allows meritless suits to result in significant recoveries for plaintiffs’ lawyers, with virtually nothing gained by companies or their shareholders.

There are three main solutions afoot, at different stages of maturity, involving amendments to corporate bylaws to require that: (1) there be an exclusive forum, chiefly Delaware, for shareholder litigation; (2) a losing shareholder pay for the litigation defense costs; and (3) a shareholder hold a minimum amount of stock to have standing to sue.  I refer readers to the blogs published by Kevin LaCroix, Alison Frankel, and Francis Pileggi for good discussions of these types of bylaws.  The purpose of this blog post is not to specifically chronicle each initiative, but to caution that they will cause unintended consequences that will leave us with a different set of problems than the ones they solved.

Exclusive-forum bylaws offer the most targeted solution, albeit with some negative consequences.

Exclusive-forum bylaws best address the fundamental problem with merger litigation: the inability to coordinate cases for an effective motion to dismiss before the plaintiffs and defendants must begin negotiations to achieve settlement before the merger closes.  Although the merger-litigation problem is virtually always framed in terms of the oppressive cost and hassle of multi-forum litigation, good defense counsel can usually manage the cost and logistics.  Instead, the bigger problem, and the problem that causes meritless merger litigation to exist, is the inability to obtain dismissals.  This is primarily so because actions filed in multiple forums can’t all be subjected to a timely motion to dismiss, and a dismissal in one forum that can’t timely be used in another forum is a hollow victory.  Exclusive litigation in Delaware for Delaware corporations is preferable, because of Delaware’s greater experience with merger litigation and likely willingness to weed out meritless cases at a higher rate.  But the key to eradicating meritless merger litigation is consolidation in some single forum, and not every Delaware corporation wishes to litigate in Delaware.

The closest historical analogy to such bylaws is the Securities Litigation Uniform Standards Act’s provision requiring that covered class actions be brought in federal court and litigated under federal law to ensure that the least meritorious cases are weeded out early, as Congress intended through the Reform Act.  The Reform Act’s emphasis on early dismissal of cases that lack merit has been its best feature, and requiring litigation in federal court helped achieve it.

So too would litigation in an exclusive forum, because it would yield a more meaningful motion to dismiss process, which would weed out less-meritorious cases early, which in turn would deter plaintiffs’ lawyers from bringing as many meritless cases.  The solution is that simple.  There will be consequences, though.  Plaintiffs’ lawyers, of course, will tend to bring more meritorious cases that present greater risk, exposure, and stigma, and will bring more in Delaware, which is a defendant-friendly forum for good transactions but a decidedly unfriendly one for bad transactions.  So while it certainly isn’t good that there are shareholder challenges to 95% of all mergers, the current system reduces the stigma of being sued and tends to result in fairly easy and cheap resolutions.  In contrast, cases that focus on the worst deals and target defendants that the plaintiffs’ lawyers regard as the biggest offenders will require more expensive litigation and significant settlements and judgments.

Fee-shifting and minimum-stake bylaws are overly broad and will cause a different set of problems.

So exclusive-forum bylaws attack the merger-litigation problem in a focused and effective fashion, albeit with downside risk.  In contrast, fee-shifting bylaws and minimum-stake bylaws attack the merger-litigation problem, but do so in an overly broad fashion, and will cause significant adverse consequences.

Fee-shifting bylaws, of course, attempt to curtail the number of cases by forcing plaintiffs who bring bad cases to pay defendants’ fees.  I find troubling the problem of deterring plaintiffs’ lawyers from bringing meritorious cases as well, since many plaintiffs’ lawyers would be very conservative and thus refuse to bring any case that might not succeed, even if strong.  That concern probably will cause the downfall of fee-shifting bylaws; the Delaware Senate just passed a bill that would outlaw fee-shifting bylaws, and the issue now goes to the Delaware House.  (The same bill authorizes bylaws designating Delaware as the exclusive forum for shareholder litigation.)  But to me, the bigger problem is an inevitable new category of super-virulent cases, involving tremendous reputational harm (e.g. the plaintiffs’ firm decided to risk paying tens of millions of dollars in defense fees because they decided those defendants are that guilty) and intractable litigation that quite often would head to trial – at great cost not just financially, but to the law as well because it is indeed true that bad facts make bad law.

The Reform Act’s pleading standards have created analogous negative consequences, but much less severe and costly.  The pleading standards (and the Rule 11 provision) weed out bad cases early on, but almost never is there a financial penalty to a plaintiff for bringing a bad case.  Instead, the bigger plaintiffs’ firms have tended to be more selective in the cases they bring, which has yielded a pretty good system overall – even though they sometimes still bring meritless cases, and meritless cases sometimes get past motions to dismiss.  The bigger and still-unsolved problem with pleading standards is the overly zealous and necessarily imperfect confidential-witness investigations they cause, to attempt to satisfy the statute’s elevated pleading requirements.  The fee-shifting bylaws would occasion those sorts of problems as well, in addition to the virulent-case problem I’ve described.

Fee-shifting bylaws advocates’ push for ultra-meritorious lawsuits strikes me as an extreme case of “be careful what you wish for.”  But it brings to mind a more mainstream situation that has worried me for many years: aggressive arguments in demand motions for pre-litigation board demands and shareholder inspections of books and records.  In arguing that a shareholder derivative lawsuit should be dismissed for failure to make a demand on the board, defendants have long asserted that a shareholder failed to even ask the company for records under Section 220 of the Delaware General Corporation Law or similar state laws, to attempt to investigate the corporate claims he or she is pressing.  Delaware courts, in turn, have chastised shareholders for failing to utilize 220, though thus far have stopped short of requiring it.  Likewise, defendants, sometimes with great disdain, have criticized shareholders for not making a pre-suit demand on the board.

Although these are correct and appropriate litigation arguments, I have observed that, over time, they have succeeded in spawning more 220 inspection demands and pre-suit demands on boards, which over time will create more costly and virulent derivative cases than plain vanilla demand-excused cases brought without the aid of books and records.  The solution is to just get those highly dismiss-able cases dismissed, without trying to shame the derivative plaintiffs into making a 220 demand or a demand on the board next time.

Minimum-stake bylaws are problematic as well.  They have as their premise that shareholders with some “skin in the game” will evaluate cases better, and will help prevent lawyer-driven litigation.  Like fee-shifting bylaws, they will prevent shareholders from bringing meritless lawsuits, and likewise tend to yield more expensive and difficult cases to defend and resolve.  But they also will create a more difficult type of plaintiff to deal with, much the same way as the Reform Act’s lead-plaintiff provisions have created a class of plaintiffs that sometimes make us yearn for the days when the plaintiffs’ lawyers had more control.  More invested plaintiffs increase litigation cost, duration, and difficulty, and increase the caliber and intensity of plaintiffs’ lawyering.

And I have no doubt that, despite the bylaws, smaller shareholders and plaintiffs’ firms will find a way back into the action, much as we’re seeing recently with retail investors and smaller plaintiffs’ firms bringing more and smaller securities class actions that institutional investors and the larger plaintiffs’ firms with institutional-investor clients don’t find worth their time and money to bring.  So with securities class actions, I think a two-headed monster is emerging: a relatively small group of larger and virulent cases, and a growing group of smaller cases.  That, too, likely would happen, somehow, with minimum-stake bylaws.

What’s the harm with taking a shot at as many fixes as possible?

Even if someone could see the big picture well enough to judge that these problems aren’t sufficient to outweigh the benefits of fee-shifting and minimum-stake bylaws, I would still hesitate to advocate their widespread adoption, because governments and shareholder advocacy groups would step in to regulate under-regulation caused by reduced shareholder litigation.  That would create an uncertain governance environment, and quite probably a worse one for companies.  Fear of an inferior alternative was my basic concern about the prospect that the Supreme Court in Halliburton Co. v. Erica P. John Fund, Inc. would overrule Basic v. Levinson and effectively abolish securities class actions.

Beyond the concern about an inferior replacement system, I worry about doing away with the benefits shareholders and plaintiffs’ lawyers provide, albeit at a cost.  Shareholders and plaintiffs’ lawyers are mostly-rational economic actors who play key roles in our system of disclosure and governance; the threat of liability, or even the hassle of being sued, promotes good disclosure and governance decisions.  Even notorious officer and director liability decisions, such as the landmark 1985 Delaware Supreme Court decision in Smith v. Van Gorkom, are unfortunate for the defendants involved but do improve governance and disclosure.

One final thought.  Shareholder litigation’s positive impact on governance and disclosure makes me wonder: will the quality of board oversight of cybersecurity, and corporate disclosure of cybersecurity issues, improve without the shock of a significant litigation development?


* Although indiscriminate merger litigation is the primary target of bylaw amendments, other types of securities and corporate-governance lawsuits, such as securities class actions and non-merger derivative litigation, are sometimes part of the discussion.  Those types of cases, however, do not pose the same problems as merger litigation.  And it is doubtful whether a company’s bylaws could regulate securities class actions, which are not an intra-corporate dispute between a current shareholder and the company, but instead direct class-period claims brought by purchasers or sellers, who do not need to be, and often are not, current shareholders.

Supreme Court’s Omnicare Decision Follows Middle Path Advocated by Lane Powell and WLF

Posted in 6th Circuit, Falsity Analysis, Securities Class Action, Statements of Opinion, Supreme Court

In the opinion issued yesterday in Omnicare, Inc. v. Laborers District Council Construction Industry Pension Fund (“Omnicare”), the Supreme Court rejected the two extremes advocated by the parties regarding how the truth or falsity of statements of opinion should be considered under the securities laws, and instead adopted the middle path advocated in the amicus brief filed by Lane Powell on behalf of the Washington Legal Foundation (“WLF”). In doing so, the Court also laid out a blueprint for examining claims of falsity under the securities laws, which we believe will do for falsity analysis what Tellabs, Inc. v. Makor Issues & Rights, Ltd., 551 U.S. 308 (2007), did for scienter analysis.

From the tenor of oral argument, it seemed inevitable that the Court would reject the Sixth Circuit’s erroneous position – that a genuinely believed opinion may nonetheless be considered “false” under Section 11 of the Securities Act if it is later determined that the opinion was incorrect. But the Court also expressed discomfort with the potential loopholes that could be created by Omnicare’s position at the other extreme – that if a statement is phrased as an opinion, it cannot be found to be either false or misleading under the securities laws, as long as the opinion was honestly held by the speaker.

There were many wrong turns that the Court could have taken in rejecting these two extremes, running the risk of further confusing the law not only regarding the truth or falsity of opinions, but also muddling the law of scienter and materiality. But the Court successfully navigated these potential pitfalls – including refusing to adopt the “reasonable basis” standard advocated by the Solicitor General – and instead adopted an analytically sound approach that is consistent with its previous securities rulings, holding that 1) a statement of opinion is only “false” under the securities laws if it is not genuinely believed by the speaker; and 2) like any other kind of statement, a statement of opinion may be “misleading” if, when considered in context, it creates a false impression in the mind of a reasonable investor.

Because Omnicare’s analysis concerns what makes a statement false or misleading, it will apply not only in Section 11 cases, but in cases brought under Section 10(b) of the Securities Exchange Act. In fact, much of the Court’s reasoning will also assist defendants in battling inadequate allegations that factual statements are false or misleading. Similar to how Tellabs laid a definitive groundwork for the consideration of scienter allegations after the Reform Act, Omnicare has thus laid out a clear blueprint for how courts must consider allegations that statements of fact or opinion were false or misleading.

For our complete discussion of the Omnicare opinion, please see our post today on WLF’s The Legal Pulse Blog.

Cybersecurity Securities Class Actions: A Wave or Trickle?

Posted in Board Oversight, Corporate Governance, Cyber Security, SEC Enforcement, Securities Class Action, Shareholder Derivative Action

One of the foremost uncertainties in securities and corporate governance litigation is the extent to which cybersecurity will become a significant D&O liability issue. Although many D&O practitioners have been bracing for a wave of cybersecurity D&O matters, to date there has been only a trickle. Some have come to believe that at most, there will be a surge of derivative litigation, due to the lack of significant and sustained stock drops on the announcement of even large cybersecurity breaches.

Yet I remain convinced that a wave is coming, perhaps a tidal wave, and it will include not just derivative litigation, but securities class actions and SEC enforcement matters as well. In this post, I will focus on securities class actions, since that is where most of the uncertainty lies, including the question I begged in my previous post on cybersecurity securities class actions: what will trigger securities class actions when, to date, even the largest breaches haven’t caused significant and sustained stock-price drops? Unlike shareholder derivative actions, which do not require a significant stock drop, securities class actions require misrepresentations to cause loss to stock purchasers – loss that materializes upon the disclosure of bad news that causes the stock to drop. Thus, the advent of cybersecurity securities class actions will not occur unless stock prices begin to drop.

So why do I think stock prices will drop? It’s easiest to start to answer that question by thinking about why stock prices generally haven’t dropped to date. I’m not an economist, of course, but I’ve discussed this issue with some and have read and thought about it a lot. I believe that stock prices generally haven’t dropped significantly because the market believes that all companies are susceptible to a cyber-attack, and it’s basically random and unlucky when a company suffers one – it’s Company A this week and Company B next week, and so on. So a breach isn’t fundamental to the company’s business and doesn’t portend future negative financial consequences. That means that the market assesses the cost of the breach as the cost of remedying it through consumer notices, litigation defense and the like – which involves great but manageable and predictable cost, and does not view the breach as a fundamental or long-term problem.

That dynamic is bound to change, for several reasons. First, many companies have improved their cybersecurity and cybersecurity oversight significantly over the past few years. Those that are leaders will begin to tout their leadership, and criticize competitors who have had or may have problems. Cybersecurity thus will become a competitive issue, and the market will begin to pick winners and losers instead of regarding as simply unlucky a company that suffered a breach.

Second, as companies begin to tout their cybersecurity for competitive reasons, they will do so through statements that will be susceptible to challenge as false or misleading if they suffer a breach. The most difficult statements to defend in securities class actions often are those based on business braggadocio, and I think cybersecurity statements ultimately will be no different. In terms of stock price impact, such statements will bake strong cybersecurity into companies’ stock prices, leading to disappointment and thus stock drops when a seemingly strong cybersecurity company suffers a breach.

Third, the number of companies that disclose breaches will increase, leading to a larger universe of companies who might suffer stock drops. To date, virtually the only type of companies to disclose breaches are consumer-oriented companies, driven by breach-notification privacy laws. There have been few disclosures of significant breaches by non-consumer companies, whose disclosure decisions are based not on consumer breach-notification laws, but on SEC disclosure requirements.

That will change. The SEC is focused on cybersecurity disclosure, and inevitably will start to more aggressively police disclosure by companies that aren’t compelled to disclose breaches under privacy laws. (Of course, SEC enforcement over cybersecurity disclosures will not require a stock drop.) Also, I predict that whistleblowers from IT departments will start to surface, drawn by increasingly large whistleblower bounties. And auditors will begin to prompt disclosure as they too increase their focus on the financial impact of cybersecurity breaches.

I don’t know if this all means that cybersecurity securities class actions will become the most prominent type of securities class action. I doubt it. But I do think that the risk is high enough that all companies need to pay more attention to their cybersecurity disclosures, and insurers, brokers and risk managers need to be mindful of the inevitable increase of securities class action risk in this area.