One of my “5 Wishes for Securities Litigation Defense” (April 30, 2016 post) is greater involvement by boards of directors in decisions concerning D&O insurance and the defense of securities litigation, including defense-counsel selection. Far too often, directors cede these critical strategic decisions to management.

For most directors, securities litigation is a mysterious world ruled by sinister plaintiffs’ lawyers, powerful judges, and a unique legal framework that must be navigated by fancy defense lawyers who charge exorbitant fees. Directors react to this litigation with everything from unnecessary panic to an unjustified feeling of invincibility. The right approach is somewhere in the middle: “attentive concern.” Securities litigation can pose personal risk to directors as well as to their companies, but if directors educate themselves and pay attention, this risk is almost always manageable.

Of course, part of what makes the risk manageable is D&O insurance. But in the event of a claim, independent directors share their D&O insurance with the company and its management. Despite this competition for policy proceeds, directors typically leave management to handle D&O insurance decisions. Directors need to protect their own interests by having a greater role in deciding the features of their D&O insurance program and how the company uses the policy proceeds in the event of a claim.

Greater Involvement by Directors in Securities Litigation Defense

Why Should Directors Care?

Although much of the recent discussion about securities litigation has revolved around meritless merger litigation, securities class actions and associated shareholder derivative actions have always posed greater risk than merger actions. A securities class action alleges that a company and its representatives made false or misleading statements that artificially inflated the stock price. Directors are virtually always included in Section 11 cases, which challenge statements in registered offerings, and increasingly are also named in Section 10(b) actions, which can challenge any public corporate statement. Directors are often named in “tag-along” shareholder derivative actions as well, which allege that the directors failed to properly oversee the company’s public disclosures.

Often, it is difficult to know from the initial complaint whether a securities case will pose a personal risk to directors, because the initial complaint is frequently a mere placeholder. Only after the court selects the lead plaintiff and lead counsel will the plaintiffs’ attorneys draft more substantial allegations and add defendants through an amended complaint. But regardless of any personal risk, directors have a duty to oversee the significant potential liability the company faces. For these reasons, directors should treat each one of these cases as if they were personally named.

The Economics of Securities Litigation Matter

One emerging risk to companies is that ever-increasing securities defense fees no longer match the economics of most cases, and are quickly outpacing D&O policy limits. In the past, securities class actions were initiated by an oligopoly of larger plaintiffs’ firms with significant resources and mostly institutional clients that tended to bring larger cases against larger companies. But recently, smaller plaintiffs’ firms with retail-investor clients have been initiating more cases, primarily against smaller companies. Indeed, in recent years, approximately half of all securities class actions were filed against companies with $750 million or less in market capitalization. As a result, securities class actions have shrunk in size to a level last seen in 1997.

Yet at the same time, the litigation costs of most defense firms have increased exponentially. This two-decade mismatch—between 1997 securities-litigation economics and 2016 law-firm economics—creates the danger that a company’s D&O policy will be insufficient to cover the fees for a vigorous defense and the price to resolve the case. Indeed, inadequate policy proceeds due to skyrocketing defense costs is directors’ biggest risk from securities litigation—by far.

Historically, most securities defense firms have marquee names with high billing rates. Especially in cases against small-cap companies—now the lion’s share—it is more difficult for these firms to vigorously defend an action without risking that there will be too little D&O insurance left for settlement. To avoid this result, firms either cut corners or settle early for bloated amounts that make the defendants look like they did something wrong.

Quite obviously, directors should not be subjected to these hazards—which are created not by the securities class action itself, but by law-firm economics. The vast majority of securities class actions—if handled in the right way by the right defense counsel—can be defended and either won or settled, within D&O insurance policy limits, leaving no residual liability for either the company or its directors. With just a little time and effort at the beginning of the litigation, directors can put these cases on the right track.

The Importance of Directors’ Involvement in Defense-Counsel Selection

First and foremost, directors must ensure their company selects the right counsel. Securities litigation is a specialty field, and it can be nearly impossible to differentiate between the claims of expertise and experience made by the herd of lawyers that descends upon a company after a suit is filed. And it is a serious error—especially for mid-size and smaller companies—to use a law firm brand name as a proxy for quality and fit. Fortunately, many pitfalls of counsel selection can be avoided if directors keep in mind a few key principles:

  • Select a securities litigation specialist, and not a multi-discipline commercial litigator, even one who is highly regarded and/or from a marquee firm.
  • Educate yourself about the strategic differences between firms.
  • Avoid defaulting to your regular corporate firm.
  • Conduct an interview process.

An interview process is essential, in all cases. Directors should use the interview process to insist on a better alternative than the rote decision by most companies to simply retain their regular outside counsel, or a firm with a marquee name. To state the obvious, the most effective securities defense lawyers do not all work at marquee firms. Directors should insist that management interview a range of firms, including those that emphasize a combination of superior quality and reasonable cost—in other words, firms that offer good value. And directors should insist that management push for price concessions from all defense firms that management interviews.

The key is for directors to pay attention and to use the leverage of a competitive hiring process to find counsel to help them through the litigation safely, strategically, and economically.

Directors’ Oversight of D&O Insurance

As a refresher, a D&O insurance policy has three categories of coverage.

  • Side A coverage reimburses directors and officers for losses not indemnified by the company.
  • Side B coverage reimburses the company for indemnification of its directors and officers.
  • Side C coverage insures the company for its own liability.

Directors’ exposure to securities litigation has changed. Due in part to the changes in the plaintiffs’ bar noted above, directors are now much more frequent targets in securities class actions and related shareholder derivative claims—and the trend is very likely to continue. Even as directors’ involvement in securities and derivative suits is increasing, their share of the D&O insurance is effectively decreasing, due to more competition for policy proceeds.

For example, companies frequently seek D&O insurance coverage for various types of investigations, which may help the company, but can significantly erode the policy limits. Companies also deplete limits by, among other things, requesting coverage for employees beyond directors and officers, and seeking ways to avoid triggering the fraud exclusion, which can result in large defense-costs payments to rogue officers. These types of decisions might make sense in certain circumstances, but they should be subject to director oversight.

Perhaps the biggest threat to the sufficiency of directors’ D&O insurance policy is from their own lawyers, due to skyrocketing defense costs. Some insurers have a pre-set list of lawyers from which defendants are encouraged or required to choose. This means that some of the counsel-selection process is done before a claim is filed—which is another reason directors should be involved in the D&O insurance purchasing decision.

Some companies try to eliminate the competition between the company and individuals for policy proceeds by purchasing separate Side A policies that cover only individuals, but these policies do not address erosion from other individuals or by attorneys’ fees, and they only apply if the company cannot indemnify the directors. There are Side A products available specifically for outside directors, but those are infrequently purchased, probably because directors are usually not involved in D&O insurance purchasing decisions.

Independent directors don’t need to take over the process of handling the company’s D&O insurance, or spend an inordinate amount of time on these issues, in order to adequately protect themselves. Rather, they need to become more involved and understand their D&O insurance options and the realities of the claim process. They can do this simply by asking for direct access to the D&O broker and insurer, and by spending some time on D&O insurance decisions at board meetings.

Conclusion

At the same time directors’ securities litigation risk is increasing, they share an increasing percentage of their D&O insurance with the company, officers, and even their own lawyers. Directors can mitigate the risks of these trends by simply becoming more involved in purchasing their D&O insurance and overseeing the defense of securities litigation, including defense-counsel selection. In doing so, they will not only protect their own interests, but will also better oversee and manage the company’s risks as well.

I am committed to helping shape a system for securities litigation defense that helps directors and officers get through securities litigation safely and efficiently, without losing their serenity or dignity, and without facing any real risk of paying any personal funds.

But we are actually moving in the opposite direction of this goal, and unless some changes are made, securities litigation will pose greater and greater risk to individual directors and officers.  It is time for the “repeat players” in securities litigation defense – D&O insurers and brokers, defense lawyers, and economists – to make some fundamental changes to how we do things.  Although most cases still seem to turn out fine for the individual defendants, resolved by a dismissal or a settlement that is fully funded by D&O insurance, the bigger picture is not pretty.  The law firms that have defended the lion’s share of cases since securities class actions gained footing through Basic v. Levinson – primarily “biglaw” firms based in the country’s several largest cities – are no longer suitable for many, or even most, securities class actions.  Fueled by high billing rates and profit-focused staffing, those firms’ skyrocketing defense costs threaten to exhaust most or all of the D&O insurance towers in cases that are not dismissed on a motion to dismiss.  Rarely can such firms defend cases vigorously through summary judgment and toward trial anymore.

Worse, these high prices too often do not yield strategic benefits.  A strong motion to dismiss focuses on the truth of what the defendants said, with support from the context of the statements, as directed by the U.S. Supreme Court in Tellabs and Omnicare.  Yet far too often, the motion-to-dismiss briefs that come out of these large firms are little more than cookie-cutter arguments based on the structure of the Reform Act.  And if a motion is lost, settlements are higher than necessary because the defendants often have no option but to settle in order to avoid an avalanche of defense costs that would exhaust their D&O insurance limits.  On the other hand, if settlement occurs later, it can be difficult to keep settlement within D&O insurance limits – and defense counsel’s analysis of a “reasonable” settlement can be influenced by a desire to justify the amount they have billed.

At the same time that defense costs are continuing to rise exponentially, securities class actions are becoming smaller and smaller, with two-thirds of cases brought against companies with market caps less than $2 billion, and almost half under $750 million.  Although catawampus securities litigation economics is a systemic problem, impacting cases of all sizes, the problem is especially acute in the smallest half of cases.  Some of those cases simply cannot be defended both well and economically by typical defense firms.  Either defense costs become ridiculously large for the size of the case and the amount of the D&O insurance limits, or firms try to reduce costs by cutting corners on staffing and projects – or both.  We see large law firms routinely chase smaller and smaller cases.  From a market perspective, it makes no sense at all.

So how do we achieve a better securities litigation system?  Five changes would have a profound impact:

  1. Require an interview process for the selection of defense counsel, to allow the defendants to understand their options; to evaluate conflicts of interest and the advantages and disadvantages of using their corporate firm to defend the litigation; and to achieve cost concessions that only a competitive interview process can yield.
  2. Increase the involvement of D&O insurers in defense-counsel selection and in other strategic defense decisions, to put those who have the greatest overall experience and economic stake in securities class action defense in a position to provide meaningful input.
  3. Make the Supreme Court’s Omnicare decision a primary tool in the defense of securities class actions.  Obviously, Omnicare should be used to defend against challenges to all forms of opinions, including statements regarded as “puffery” and forward-looking statements protected by the Reform Act’s Safe Harbor for forward-looking statements.  But defense counsel should also take advantage of the Supreme Court’s direction in Omnicare that courts evaluate challenged statements in their full factual context.  Omnicare supplements the Court’s previous direction in Tellabs that courts evaluate scienter by considering not just the complaint’s allegations, but also documents incorporated by reference and documents subject to judicial notice.  Together, Omnicare and Tellabs allow defense counsel to defend their clients’ honesty with a robust factual record at the motion to dismiss stage.
  4. Increase the involvement of boards of directors in decisions concerning D&O insurance and the defense of securities litigation, including counsel selection, to ensure their personal protection and good oversight of the defense of the company and themselves.
  5. Move damages expert reports and discovery ahead of fact discovery, to allow the defendants and their D&O insurers to understand the real economics of cases that survive a motion to dismiss, and to make more informed litigation and settlement decisions.

These five changes are among the top wishes I have to improve securities litigation defense, and to preserve the protections of directors and officers who face securities litigation.  Over the next several months, I will post about each one.  Here are links to the posts in the series so far:

Wish #1:  5 Wishes for Securities Litigation Defense: A Defense-Counsel Interview Process in All Cases

Wish #2:  5 Wishes for Securities Litigation Defense: Greater Insurer Involvement in Defense-Counsel Selection and Strategy

Wish #3:  5 Wishes for Securities Litigation Defense: Effective Use of the Supreme Court’s Omnicare Decision

Wish #4:  5 Wishes for Securities Litigation Defense: Greater Director Involvement in Securities Litigation Defense and D&O Insurance

Wish #5:  5 Wishes for Securities Litigation Defense: Early Damages Analysis and Discovery

Following is an article we wrote for Law360, which gave us permission to republish it here:

The coming year promises to be a pivotal one in the world of securities and corporate governance litigation.  In particular, there are five developing issues we are watching that have the greatest potential to significantly increase or decrease the exposure of public companies and their directors, officers, and insurers.

1.  How Will Lower Courts Apply the Supreme Court’s Decision in Omnicare, Inc. v. Laborers Dist. Council Const. Industry Pension Fund?

If it is correctly understood and applied by defendants and the courts, we believe Omnicare will stand alongside Tellabs, Inc. v. Makor Issues & Rights, Ltd., 551 U.S. 308 (2007), as one of the two most important securities litigation decisions since the Private Securities Litigation Reform Act of 1995.

In Omnicare, 135 S. Ct. 1318 (2015), the Supreme Court held that a statement of opinion is only false if the speaker does not genuinely believe it, and that it is only misleading if – as with any other statement – it omits facts that make it misleading when viewed in its full context.  The Court’s ruling on what is necessary for an opinion to be false establishes a uniform standard that resolves two decades of confusing and conflicting case law, which often resulted in meritless securities cases surviving dismissal motions.  And the Court’s ruling regarding how an opinion may be misleading emphasizes that courts must evaluate the fairness of challenged statements (both opinions and other statements) within a broad factual context, eliminating the short-shrift that many courts have given the misleading-statement analysis.

These are tremendous improvements in the law, and should help defendants win more cases involving statements of opinion, not only under Section 11, the statute at issue in Omnicare, but also under Section 10(b), since Omnicare’s holding applies to the “false or misleading statement” element common to both statutes.  The standards the Court set should also add to the Reform Act’s Safe Harbor, and expand the tools that defendants have to defend against challenges to earnings forecasts and other forward-looking statements, which are quintessential opinions.

Indeed, if used correctly, Omnicare should also help defendants gain dismissal of claims brought based on challenged statements of fact, because of its emphasis on the importance of considering the entire context of a statement when determining whether it was misleading.   For example, the Court emphasized that whether a statement is misleading “always depends on context,” so a statement must be understood in its “broader frame,” including “in light of all its surrounding text, including hedges, disclaimers, and apparently conflicting information,” and the “customs and practices of the relevant industry.”

A good motion to dismiss has always analyzed a challenged statement (of fact or opinion) in its broader factual context to explain why it was not misleading.  But many defense lawyers unfortunately choose to leave out this broader context, and as a result of this narrow record, courts sometimes take a narrower view.  With Omnicare, this superior method of analysis is now explicitly required.  This will be a powerful tool, especially when combined with Tellabs’s directive that courts must weigh scienter inferences based not only on the complaint’s allegations, but also on documents on which the complaint relies or that are subject to judicial notice.

Omnicare bolsters the array of weapons available to defendants to effectively defend allegations of falsity, and to set up and support the Safe Harbor defense and arguments against scienter.  Because of its importance, we plan to write a piece critiquing the cases applying Omnicare after its one-year anniversary in March.

2.  Will Courts Continue to Curtail the Use of 10b5-1 Plans as a Way to Undermine Scienter Allegations?

All successful securities fraud complaints must persuade the court that the difference between the challenged statements and the “corrective” disclosure was the result of fraud, and not due to a business reversal or some other non-fraudulent cause.  Because few securities class action complaints contain direct evidence of fraud, such as specific information that a speaker knew his statements were false, most successful complaints include allegations that the defendants somehow profited from the alleged fraud, such as through unusual and suspicious stock sales.

Thus, stock-sale allegations are a key battleground in most securities actions.  An important defensive tactic has been to point out that the challenged stock sales were made under stock-sale plans adopted pursuant to SEC Rule 10b5-1, which provides an affirmative defense to insider-trading claims if the plan was established in good faith at a time when the insider was unaware of material non-public information.  Although Rule 10b5-1 is designed to be an affirmative defense in insider-trading cases, securities class action defendants also use it to undermine stock-sale allegations, if the plan has been publicly disclosed and is thus subject to judicial notice, since it shows that the defendant did not have control over the timing of the allegedly unusual and suspicious stock sales.

Plaintiffs’ argument in response to a 10b5-1 plan defense has always been that any plan adopted during the class period is just a large insider sale designed to take advantage of the artificial inflation in the stock price.  Plaintiffs claim that by definition, the class period is a time during which the defendants had material nonpublic information – although they often manipulate the class period in order to encompass stock sales and the establishment of 10b5-1 plans.

There have been surprisingly few key court decisions on this pivotal issue, but on July 24, 2015, the Second Circuit held that “[w]hen executives enter into a trading plan during the Class Period and the Complaint sufficiently alleges that the purpose of the plan was to take advantage of an inflated stock price, the plan provides no defense to scienter allegations.” Employees’ Ret. Sys. of Gov’t of the Virgin Islands v. Blanford, 794 F.3d 297, 309 (2d Cir. 2015).

Plaintiffs’ ability to plead scienter will take a huge step forward if Blanford, decided by an important appellate court, starts a wave of similar holdings in other circuits.

3.  Will Delaware’s Endorsement of Forum Selection Bylaws and Rejection of Disclosure-Only Settlements Reduce Shareholder Challenges to Mergers?

For the past several years, there has been great focus on amending corporate bylaws to try to corral and curtail shareholder corporate-governance claims, principally shareholder challenges to mergers.  Meritless merger litigation is indeed a big problem.  It is a slap in the face to careful directors who have worked hard to understand and approve a merger, and to CEOs who have worked long hours to find and negotiate a transaction that is in the shareholders’ best interests.  It is cold comfort to know that nearly all mergers draw shareholder litigation, and that nearly all of those cases will settle before the transaction closes without any payment by the directors or officers personally.  It is proof that the system is broken when it routinely allows meritless suits to result in significant recoveries for plaintiffs’ lawyers, with virtually nothing gained by companies or their shareholders.

In 2015, the Delaware legislature and courts took significant steps to curb meritless merger litigation.

First, the legislature added new Section 115 to the Delaware General Corporation Law (“DGCL”), which provides:

The certificate of incorporation or the bylaws may require, consistent with applicable jurisdictional requirements, that any or all internal corporate claims shall be brought solely and exclusively in any or all of the courts in this State.

This provision essentially codified the holding in Boilermakers Local 154 Ret. Fund v. Chevron Corp., 73 A.3d 934 (Del. Ch. 2013), in which the Delaware Court of Chancery upheld the validity of bylaws requiring that corporate governance litigation be brought only in Delaware state and federal courts.  The Delaware legislature also amended the DGCL to ban bylaws that purport to shift fees.  In new subsection (f) to Section 102, the certificate of incorporation “may not contain any provision that would impose liability on a stockholder for the attorneys’ fees or expenses of the corporation or any other party in connection with an internal corporate claim.” See also DGCL Section 109(b) (similar).

Second, in a series of decisions in 2015, the Delaware Court of Chancery rejected or criticized so-called disclosure-only settlements, under which the target company supplements its proxy-statement disclosures in exchange for a payment to the plaintiffs’ lawyers.  See Acevedo v. Aeroflex Holding Corp., et al., C.A. No. 7930-VCL (Del. Ch. July 8, 2015) (TRANSCRIPT) (rejecting disclosure-only settlement); In re Aruba Networks S’holder Litig., C.A. No. 10765-VCL (Del. Ch. Oct. 9, 2015) (TRANSCRIPT) (same); In re Riverbed Tech., Inc. S’holder Litig., 2015 WL 5458041, C.A. No. 10484-VCG (Del. Ch. Sept. 17, 2015) (approving disclosure-only settlement with broad release, but suggesting that approval of such settlements “will be diminished or eliminated going forward”); In re Intermune, Inc. S’holder Litig., C.A. No. 10086-VCN (Del. Ch. July 8, 2015) (TRANSCRIPT) (noting concern regarding global release in disclosure-only settlement).

We will be closely watching the impact of these developments, with the hope that they will deter plaintiffs from reflexively filing meritless merger cases.  Delaware exclusive-forum bylaws will force plaintiffs to face the scrutiny of Delaware courts, and the Court of Chancery has indicated that it may no longer allow an easy exit from these cases through a disclosure-only settlement.  And with cases in a single forum, defendants will now be able to coordinate them for early motions to dismiss.  Thus, the number of mergers subject to a shareholder lawsuit should decline – and the early returns suggest that this may already be happening.

Yet defendants should brace for negative consequences.  Plaintiffs’ lawyers will doubtless bring more cases outside of Delaware against non-Delaware corporations, or against companies that haven’t adopted a Delaware exclusive-forum bylaw.  And within Delaware, plaintiffs’ lawyers will tend to bring more meritorious cases that present greater risk, exposure, and stigma – and while Delaware is a defendant-friendly forum for good transactions, it is a decidedly unfriendly one for bad ones.  If disclosure-only settlements are no longer allowed, defendants will no longer have the option of escaping these cases easily and cheaply.  This means that those cases that are filed will doubtless require more expensive litigation, and result in more significant settlements and judgments.  Thus, although the current system is undoubtedly badly flawed, many companies may well look back on the days of this broken system with nostalgia, and conclude that they were better off before it was “fixed.”

4.  Will Item 303 Claims Make a Difference in Securities Class Actions?

The key liability provisions of the federal securities laws, Section 10(b) of the Securities Exchange Act of 1934 and Section 11 of the Securities Act of 1933, both require that plaintiffs establish a false statement, or a statement that is rendered misleading by the omission of facts.  Over the last several years, plaintiffs’ lawyers have increasingly tried to bypass this element by asserting claims for pure omissions, detached from any challenged statement.

Plaintiffs base these claims on Item 303 of SEC Regulation S-K, which requires companies to provide a “management’s discussion and analysis” (MD&A) of the company’s “financial condition, changes in financial condition and results of operations.”  Item 303(a)(3)(ii) indicates that the MD&A must include a description of “any known trends or uncertainties that have had or that the [company] reasonably expects will have a material … unfavorable impact on net sales or revenues or income from continuing operations.”

Both Section 10(b) and Section 11 prohibit a false statement or omission of a fact that causes a statement to be misleading, while Section 11 also allows a claim based on an issuer’s failure to disclose “a material fact required to be stated” in a registration statement. 15 U.S.C. § 77k(a) (emphasis added).  Item 303 is one regulation that lists such “material fact(s) required to be stated.”  Panther Partners Inc. v. Ikanos Communications, Inc., 681 F.3d 114, 120 (2d Cir. 2012).  Based on this unique statutory language, Section 11 claims thus appropriately can include claims based on Item 303.

Last year, in Stratte-McClure v. Morgan Stanley, 776 F.3d 94 (2d Cir. 2015), the Second Circuit held that Item 303 also imposes a duty to disclose for purposes of Section 10(b), meaning that the omission of information required by Item 303 can provide the basis for a Section 10(b) claim.  This ruling is at odds with the Ninth Circuit’s opinion in In re NVIDIA Corp. Securities Litigation, 768 F.3d 1046 (9th Cir. 2014), in which the court held that Item 303 does not establish such a duty.  The U.S. Supreme Court denied the petition for certiorari in NVIDIA, leaving the circuit split in place.

Claims based on Item 303 seem innocuous enough, and even against plaintiffs’ interest. Plaintiffs face a high hurdle in showing that information was wrongfully excluded under Item 303, since they must show that a company actually knew:  (1) the facts underlying the trend or uncertainty, (2) those known facts yield a trend or uncertainty, and (3) the trend or uncertainty will have a negative and material impact.  In virtually all cases, these sorts of omitted facts would also render one or more of defendants’ affirmative statements misleading, and thus be subject to challenge regardless.  Moreover, in Section 11 cases, Item 303 injects knowledge and causation requirements in a statute that normally doesn’t require scienter and only includes causation as an affirmative defense.

Why, then, have plaintiffs’ counsel pushed Item 303 claims so hard?  We believe they’ve done so to combat the cardinal rule that silence, absent a duty to disclose, is not misleading.  Companies omit thousands of facts every time they speak, and it is relatively easy for a plaintiff to identify omitted facts – but much more difficult to explain how those omissions rendered an affirmative statement misleading.  Plaintiffs likely initially saw these claims as a way to maintain class actions in the event the Supreme Court overruled Basic v. Levinson as a result of attacks in the Amgen and Halliburton cases.  And even though the Supreme Court declined to overrule Basic in Halliburton II, the Court’s price-impact rule presents problems for plaintiffs in some cases.  As a result, plaintiffs may believe it is in their strategic interests to assert Item 303 claims, which plaintiffs have contended fall under the Affiliated Ute presumption of reliance, rather than under Basic.

But whatever plaintiffs’ rationale, Item 303 is largely a red herring.  Although it shouldn’t matter to securities litigation, it will matter, as long as plaintiffs continue to bring such claims.  And they probably will continue to bring them, given the current strategic considerations, and the legal footing they have been given by key appellate rulings in Panther Partners and Stratte-McClure.  Defense attorneys will have to pay close attention to these trends and mount sophisticated defenses to these claims, to ensure that Item 303 claims do not take on a life of their own.

5.  Cyber Security Securities and Derivative Litigation: Will There Be a Wave or Trickle?

One of the foremost uncertainties in securities and corporate governance litigation is the extent to which cyber security will become a significant D&O liability issue.  Although many practitioners have been bracing for a wave of cyber security D&O matters, to date there has been only a trickle.

We remain convinced that a wave is coming, perhaps a tidal wave, and that it will include not just derivative litigation, but securities class actions and SEC enforcement matters as well.  To date, plaintiffs generally haven’t filed cyber security securities class actions because stock prices have not significantly dropped when companies have disclosed breaches.  That is bound to change as the market begins to distinguish companies on the basis of cyber security.  There have been a number of shareholder derivative actions asserting that boards failed to properly oversee their companies’ cyber security.  Those actions will continue, and likely increase, whether or not plaintiffs file cyber security securities class actions, but they will increase exponentially if securities class action filings pick up.

While the frequency of cyber security shareholder litigation will inevitably increase, we are more worried about its severity, because of the notorious statistics concerning a lack of attention by companies and boards to cyber security oversight and disclosure.  Indeed, the shareholder litigation may well be ugly:  The more directors and officers are on notice about the severity of cyber security problems, and the less action they take while on notice, the easier it will be for plaintiffs to prove their claims.

We also worry about SEC enforcement actions concerning cyber security.  The SEC has been struggling to refine its guidance to companies on cyber security disclosure, trying to balance the concern of disclosing too much and thus providing hackers with a roadmap, with the need to disclose enough to allow investors to evaluate companies’ cyber security risk.  But directors and officers should not assume that the SEC will announce new guidance or issue new rules before it begins new enforcement activity in this area.  All it takes to trigger an investigation of a particular company is some information that the company’s disclosures were rendered false or misleading by inadequate cyber security.  And all it takes to trigger broader enforcement activity is a perception that companies are not taking cyber security disclosure seriously.  As in all areas of legal compliance, companies need to be concerned about whistleblowers, including overworked and underpaid IT personnel, lured by the SEC’s whistleblower bounty program, and about auditors, who will soon be asking more frequent and difficult questions about cyber security.

Conclusion

Of course, there are a number of other important issues that deserve to be on watch lists.  But given the line we’ve drawn – issues that will cause the most volatility in securities litigation liability exposure – we regard the issues we’ve discussed as the top five.

And the top one – whether lower courts will properly apply Omnicare – is a rare game-changer.  If defense counsel understands and uses Omnicare correctly, and if lower courts apply it as the Supreme Court intended, securities litigation decisions will be based on reality, and therefore far fairer and more just.  But if either defense counsel or lower courts get it wrong, companies and their directors and officers will suffer outcomes that are less predictable, more arbitrary, and often wrong.

Over the past three years, I’ve been outspoken about the need for better board oversight of cyber security, as well as the need for better cyber security disclosure.  The severity of the cyber threat is so significant to companies, as well as to the nation’s economy and security, that boards have no choice but to pay attention.  Indeed, I can easily envision a world where, as a practical matter, directors face a heightened risk of personal liability for cyber-security problems.  And over the past several years, there has developed an army of talented IT, legal, and insurance professionals ready to help boards manage this threat, and there are some very proactive, outspoken, and conscientious directors who are trying to lead the way.

Yet surveys still say that, on the whole, directors aren’t sufficiently engaged, and companies aren’t providing directors with sufficient information and support.

How in the world could that be so?

Below, I examine two of the underlying problems, and provide solutions: (1) a suite of problems that I call “cyber freak-out,” and (2) an odd lack of concern about director liability.

Cyber Freak-Out

The average corporate director was 47 years old when Amazon became a public company.  Although that was almost 20 years ago, and most people who serve on boards have grown comfortable with computers and the basics of technology, there is nevertheless a fundamental sense of discomfort with discussion of the IT aspects of cyber security.

This discomfort yields a suite of problems that I diagnose collectively as “cyber freak-out.”  Cyber freak-out includes one or more of the following stated or unstated excuses for not tackling cyber security issues:

  • Excuse: The audit committee handles risks, so that’s the right group to handle cyber security.
    • Reality: Cyber security is an enterprise risk that the full board needs to understand and decide how to manage – even if it is ultimately given to a committee.  And the audit committee has too much work already.
  • Excuse: Being hacked is inevitable, so we can’t do much about it.
    • Reality: The reality is cyber security oversight isn’t just about preventing attacks – it’s also about deciding what assets to protect and how to respond to a breach, among other issues.
  • Excuse: Cyber security is an IT issue, and the IT folks have told us for years that we’re safe.
    • Reality: The world of cyber security poses higher risks now, and it’s incumbent upon the board to ask hard questions of the IT department.  There are outside consultants galore who can give the board an independent evaluation.  And cyber security is not just an IT issue.  Many cyber attacks can be prevented through employee education – which presents issues of employee training and corporate culture, which even a Luddite director can help shape.
  • And there are several more things few people say out loud, but I fear that too many think:
    • Excuse: We should have been on top of this earlier, so engaging in a full-scale program of cyber security readiness will make us look bad.
    • Excuse: I don’t want to ask a dumb question, and don’t think I can ask a smart one.
    • Excuse: If I wait long enough, one of my fellow directors will get up to speed and lead us through what we need to do.

Reality: The absurdity of these excuses speaks for itself.

Another common mistake is to assume that cyber attacks are limited to companies with personal information, like credit card numbers or health information.  That is wrong:  Any company with valuable assets – including trade secrets – is and will be a target.  The reason that companies with personal information grab the headlines is that their breaches have become public because of breach-notification laws.  Companies that aren’t subject to breach-notification laws rarely disclose cyber breaches.  One of the country’s leading cyber-security lawyers to public companies said at the SEC’s Cybersecurity Roundtable in March 2014 – in the presence of SEC Chair White and Commissioners Aguilar (who gave an important speech in June 2014 on board oversight of cyber security), Gallagher, Piwowar, and Stein:

I would say that I really can’t think of a case – and we’ve worked a lot –  where the disclosure thinking or analysis was driven by the securities law issues, frankly.

Basically there are other state laws, other situations that are going to create a disclosure obligation, and that’s what drives it. And I think just to be someone speaking from the trenches in terms of the reality of what really happens, there is a tremendous disincentive to disclose a breach.

I believe that the well-known cyber breaches are the very tip of the iceberg, and the much larger cyber security problem is, and will be, beneath the surface until companies start disclosing cyber security issues because of their yet-unenforced federal securities law obligations.  A company whose IP has been stolen, or whose business has been interrupted, faces various disclosure issues.   The issue isn’t just whether a breach is material.  It’s much broader: a cyber security breach could make any number of statements misleading, including financial statements, earnings guidance, statements about internal controls, and statements about the status and prospects of the business operations.  Yet most directors seem to believe that cyber security is just a problem for banks, retailers, and health-care providers and insurers.  That’s just not so.

The problem with cyber freak-out is that it undercuts directors’ main defenses to shareholder claims of breach of fiduciary duty.  There are two main claims for breach of fiduciary duty in this area:

The first type of claim is for a failure to act, or a failure to engage in appropriate oversight, under a standard articulated in a leading case called Caremark.  The Caremark court called this claim “possibly the most difficult theory in corporation law upon which a plaintiff might hope to win a judgment.”  To be liable for a failure of oversight – a type of breach of the duty of loyalty – a director must fail to establish any system for detecting problems, or if a system exists, must deliberately fail to monitor it or follow up on red flags.  Thus, the only way a director can be liable for a failure of oversight is to not even try – or in the cyber security context, to be paralyzed by cyber freak-out.

In contrast to a claim for inaction, the second type of claim is based on director action.  Such claims are governed by the business judgment rule, which protects from second-guessing a decision made by informed and disinterested directors.  A shareholder can overcome the presumption, however, if the challenged decision was not informed.  Cyber freak-out can result in challenged cyber-security decisions being insufficiently informed, and thus outside the protection of the business judgment rule.

Thus, directors will not be liable if they in fact oversee cyber security, and make decisions about cyber security based on adequate information. Boards need to just pay attention and start somewhere – there’s no secret sauce, and perfection isn’t required.  There’s no cyber-security intelligence test.  An inquisitive director can do a good job overseeing cyber security without even being a computer user.

Director Liability

On the one hand, diligent directors don’t face real risk of liability for cyber security oversight.  On the other hand, I believe the fear of director and officer liability needs to increase before directors and officers and their companies sufficiently tune up their cyber security oversight and disclosures.

Although I don’t wish a lawsuit on anyone, much less actual liability, I think some jarring liability event is necessary: Just as Bill Lerach, Mel Weiss, and other prominent securities class action plaintiffs’ lawyers have greatly improved the quality of corporate disclosure, and corporate-law decisions like Smith v. Van Gorkom have improved board decision-making processes, so too would a cyber-security liability jolt improve cyber-security oversight and disclosure.  But at the moment, directors and officers observe that stocks generally haven’t dropped enough to trigger securities class actions, and the handful of shareholder derivative cases haven’t been virulent.  And the shareholder derivative litigation dismissal in Wyndham, while great for Wyndham’s directors, probably set cyber security oversight back.  The Wyndham decision, resting on the board’s post-breach process in deciding to reject a shareholder demand on the board, was virtually meaningless in its impact on the law governing board oversight of cyber security.

But securities and corporate governance litigation involving cyber security problems is indeed coming.  And it may be ugly.  The more directors and officers are on notice about the severity of cyber security problems, and the less action they take while on notice, the easier it will be for plaintiffs to prove their claims.  We not only could see a sharp uptick in the number of claims, but they could be quite difficult for directors and officers to defend, until cyber security oversight and disclosure improve.  I worry about this dynamic a lot.

I also worry about SEC enforcement concerning cyber security. The SEC has been struggling to refine its guidance to companies on cyber security disclosure, trying to balance the concern of disclosing too much and thus providing hackers with a roadmap, with the need to disclose enough to allow investors to evaluate companies’ cyber security risk.  But directors and officers shouldn’t think the SEC is going to announce new guidance or make new rules before it begins enforcement activity around cyber security disclosures.  All it takes to trigger an investigation of a particular company is some information that the company’s disclosures are rendered false or misleading by inadequate cyber security.  And all it takes to trigger broader enforcement activity by the staff is a perception that companies aren’t taking cyber security disclosure seriously.  That may or may not be preceded by further cyber security disclosure guidance.  And companies need to be concerned about whistleblowers, including over-worked and under-paid IT personnel, lured by the SEC’s whistleblower bounty program, and about auditors, who will soon be asking more frequent and difficult questions about cyber security.

Conclusion

Greater cyber security oversight, and better corporate disclosure, are inevitable.  I hope that they happen naturally, as the result of good counseling by the advisors who are ready and able to help, rather than only developing after we are hit by the inevitable wave of shareholder litigation and SEC investigations and enforcement actions.

In the world of securities and corporate governance litigation, we are always in the middle of a reform discussion of some variety.  For the past several years, there has been great focus on amendment of corporate bylaws to corral and curtail shareholder corporate-governance claims, principally shareholder challenges to mergers.*  Meritless merger litigation is indeed a big problem.  It is a slap in the face to careful directors who have worked hard to understand and approve a merger, or to CEOs who have spent many months or years working long hours to locate and negotiate a transaction in the shareholders’ best interest.  It is cold comfort to know that nearly all mergers draw shareholder litigation, and that nearly all of those cases will settle before the transaction closes without any payment by the directors or officers personally.  And we know the system is broken when it routinely allows meritless suits to result in significant recoveries for plaintiffs’ lawyers, with virtually nothing gained by companies or their shareholders.

There are three main solutions afoot, at different stages of maturity, involving amendments to corporate bylaws to require that: (1) there be an exclusive forum, chiefly Delaware, for shareholder litigation; (2) a losing shareholder pay the litigation defense costs; and (3) a shareholder hold a minimum amount of stock to have standing to sue.  I refer readers to the blogs published by Kevin LaCroix, Alison Frankel, and Francis Pileggi for good discussions of these types of bylaws.  The purpose of this blog post is not to specifically chronicle each initiative, but to caution that they will cause unintended consequences that will leave us with a different set of problems than the ones they solved.

Exclusive-forum bylaws offer the most targeted solution, albeit with some negative consequences.

Exclusive-forum bylaws best address the fundamental problem with merger litigation: the inability to coordinate cases for an effective motion to dismiss before the parties must begin settlement negotiations in order to resolve the litigation before the merger closes.  Although the merger-litigation problem is virtually always framed in terms of the oppressive cost and hassle of multi-forum litigation, good defense counsel can usually manage the cost and logistics.  Instead, the bigger problem, and the problem that causes meritless merger litigation to exist, is the inability to obtain dismissals.  This is primarily so because actions filed in multiple forums can’t all be subjected to a timely motion to dismiss, and a dismissal in one forum that can’t timely be used in another forum is a hollow victory.  Exclusive litigation in Delaware for Delaware corporations is preferable, because of Delaware’s greater experience with merger litigation and likely willingness to weed out meritless cases at a higher rate.  But the key to eradicating meritless merger litigation is consolidation in some single forum, and not every Delaware corporation wishes to litigate in Delaware.

The closest historical analogy to such bylaws is the Securities Litigation Uniform Standards Act’s provision requiring that covered class actions be brought in federal court and litigated under federal law, to ensure that the least meritorious cases are weeded out early, as Congress intended through the Reform Act.  The Reform Act’s emphasis on early dismissal of cases that lack merit has been its best feature, and requiring litigation in federal court helped achieve it.

So too would litigation in an exclusive forum, because it would yield a more meaningful motion to dismiss process, which would weed out less-meritorious cases early, which in turn would deter plaintiffs’ lawyers from bringing as many meritless cases.  The solution is that simple.  There will be consequences, though.  Plaintiffs’ lawyers, of course, will tend to bring more meritorious cases that present greater risk, exposure, and stigma, and will bring more in Delaware, which is a defendant-friendly forum for good transactions but a decidedly unfriendly one for bad transactions.  So while it certainly isn’t good that there are shareholder challenges to 95% of all mergers, the current system reduces the stigma of being sued and tends to result in fairly easy and cheap resolutions.  In contrast, cases that focus on the worst deals and target defendants that the plaintiffs’ lawyers regard as the biggest offenders will require more expensive litigation and significant settlements and judgments.

Fee-shifting and minimum-stake bylaws are overly broad and will cause a different set of problems.

So exclusive-forum bylaws attack the merger-litigation problem in a focused and effective fashion, albeit with downside risk.  In contrast, fee-shifting bylaws and minimum-stake bylaws attack the merger-litigation problem, but do so in an overly broad fashion, and will cause significant adverse consequences.

Fee-shifting bylaws, of course, attempt to curtail the number of cases by forcing plaintiffs who bring bad cases to pay defendants’ fees.  I find troubling the problem of deterring plaintiffs’ lawyers from bringing meritorious cases as well, since many plaintiffs’ lawyers would be very conservative and thus refuse to bring any case that might not succeed, even if strong.  That concern probably will cause the downfall of fee-shifting bylaws: the Delaware Senate just passed a bill that would outlaw fee-shifting bylaws, and the issue now goes to the Delaware House.  (The same bill authorizes bylaws designating Delaware as the exclusive forum for shareholder litigation.)  But to me, the bigger problem is an inevitable new category of super-virulent cases, involving tremendous reputational harm (e.g., the plaintiffs’ firm decided to risk paying tens of millions of dollars in defense fees because it decided those defendants are that guilty) and intractable litigation that quite often would head to trial – at great cost not just financially, but to the law as well, because it is indeed true that bad facts make bad law.

The Reform Act’s pleading standards have created analogous negative consequences, but much less severe and costly.  The pleading standards (and the Rule 11 provision) weed out bad cases early on, but almost never is there a financial penalty to a plaintiff for bringing a bad case.  Instead, the bigger plaintiffs’ firms have tended to be more selective in the cases they bring, which has yielded a pretty good system overall – even though they sometimes still bring meritless cases, and meritless cases sometimes get past motions to dismiss.  The bigger and still-unsolved problem with pleading standards is the overly zealous and necessarily imperfect confidential-witness investigations they cause, to attempt to satisfy the statute’s elevated pleading requirements.  The fee-shifting bylaws would occasion those sorts of problems as well, in addition to the virulent-case problem I’ve described.

Fee-shifting bylaw advocates’ push for ultra-meritorious lawsuits strikes me as an extreme case of “be careful what you wish for.”  But it brings to mind a more mainstream situation that has worried me for many years: aggressive arguments, in motions to dismiss for failure to make a demand, faulting shareholders for not making pre-litigation board demands or seeking inspection of books and records.  In arguing that a shareholder derivative lawsuit should be dismissed for failure to make a demand on the board, defendants have long asserted that a shareholder failed to even ask the company for records under Section 220 of the Delaware General Corporation Law or similar state laws, to attempt to investigate the corporate claims he or she is pressing.  Delaware courts, in turn, have chastised shareholders for failing to utilize Section 220, though thus far have stopped short of requiring it.  Likewise, defendants, sometimes with great disdain, have criticized shareholders for not making a pre-suit demand on the board.

Although these are correct and appropriate litigation arguments, I have observed that, over time, they have succeeded in spawning more 220 inspection demands and pre-suit demands on boards, which over time will create more costly and virulent derivative cases than plain vanilla demand-excused cases brought without the aid of books and records.  The solution is to just get those highly dismiss-able cases dismissed, without trying to shame the derivative plaintiffs into making a 220 or demand on the board next time.

Minimum-stake bylaws are problematic as well.  They have as their premise that shareholders with some “skin in the game” will evaluate cases better, and will help prevent lawyer-driven litigation.  Like fee-shifting bylaws, they will prevent shareholders from bringing meritless lawsuits, and likewise tend to yield more expensive and difficult cases to defend and resolve.  But they also will create a more difficult type of plaintiff to deal with, much the same way as the Reform Act’s lead-plaintiff provisions have created a class of plaintiffs that sometimes make us yearn for the days when the plaintiffs’ lawyers had more control.  More invested plaintiffs increase litigation cost, duration, and difficulty, and increase the caliber and intensity of plaintiffs’ lawyering.

And I have no doubt that, despite the bylaws, smaller shareholders and plaintiffs’ firms will find a way back into the action, much as we’re seeing recently with retail investors and smaller plaintiffs’ firms bringing more and smaller securities class actions that institutional investors and the larger plaintiffs’ firms with institutional-investor clients don’t find worth their time and money to bring.  So with securities class actions, I think a two-headed monster is emerging: a relatively small group of larger and virulent cases, and a growing group of smaller cases.  That, too, likely would happen, somehow, with minimum-stake bylaws.

What’s the harm with taking a shot at as many fixes as possible?

Even if someone could see the big picture well enough to judge that these problems aren’t sufficient to outweigh the benefits of fee-shifting and minimum-stake bylaws, I would still hesitate to advocate their widespread adoption, because governments and shareholder advocacy groups would step in to fill the regulatory gap left by reduced shareholder litigation.  That would create an uncertain governance environment, and quite probably a worse one for companies.  Fear of an inferior alternative was my basic concern about the prospect that the Supreme Court in Halliburton Co. v. Erica P. John Fund, Inc. would overrule Basic v. Levinson and effectively abolish securities class actions.

Beyond the concern about an inferior replacement system, I worry about doing away with the benefits shareholders and plaintiffs’ lawyers provide, albeit at a cost.  Shareholders and plaintiffs’ lawyers are mostly-rational economic actors who play key roles in our system of disclosure and governance; the threat of liability, or even the hassle of being sued, promotes good disclosure and governance decisions.  Even notorious officer and director liability decisions, such as the landmark 1985 Delaware Supreme Court decision in Smith v. Van Gorkom, are unfortunate for the defendants involved but do improve governance and disclosure.

One final thought.  Shareholder litigation’s positive impact on governance and disclosure makes me wonder: will the quality of board oversight of cybersecurity, and corporate disclosure of cybersecurity issues, improve without the shock of a significant litigation development?


* Although indiscriminate merger litigation is the primary target of bylaw amendments, other types of securities and corporate-governance lawsuits, such as securities class actions and non-merger derivative litigation, are sometimes part of the discussion.  Those types of cases, however, do not pose the same problems as merger litigation.  And it is doubtful whether a company’s bylaws could regulate securities class actions, which are not an intra-corporate dispute between a current shareholder and the company, but instead direct class-period claims brought by purchasers or sellers, who do not need to be, and often are not, current shareholders.

One of the foremost uncertainties in securities and corporate governance litigation is the extent to which cybersecurity will become a significant D&O liability issue. Although many D&O practitioners have been bracing for a wave of cybersecurity D&O matters, to date there has been only a trickle. Some have come to believe that at most, there will be a surge of derivative litigation, due to the lack of significant and sustained stock drops on the announcement of even large cybersecurity breaches.

Yet I remain convinced that a wave is coming, perhaps a tidal wave, and it will include not just derivative litigation, but securities class actions and SEC enforcement matters as well. In this post, I will focus on securities class actions, since that is where most of the uncertainty lies, including the question I raised but left open in my previous post on cybersecurity securities class actions: what will trigger securities class actions when, to date, even the largest breaches haven’t caused significant and sustained stock-price drops?  Unlike shareholder derivative actions, which do not require a significant stock drop, securities class actions require misrepresentations that cause loss to stock purchasers – loss that materializes upon the disclosure of bad news that causes the stock to drop. Thus, cybersecurity securities class actions will not arrive unless stock prices begin to drop.

So why do I think stock prices will drop? It’s easiest to start to answer that question by thinking about why stock prices generally haven’t dropped to date. I’m not an economist, of course, but I’ve discussed this issue with some and have read and thought about it a lot. I believe that stock prices generally haven’t dropped significantly because the market believes that all companies are susceptible to a cyber-attack, and it’s basically random and unlucky when a company suffers one – it’s Company A this week and Company B next week, and so on. So a breach isn’t fundamental to the company’s business and doesn’t portend future negative financial consequences. That means that the market assesses the cost of the breach as the cost of remedying it through consumer notices, litigation defense and the like – which involves great but manageable and predictable cost, and does not view the breach as a fundamental or long-term problem.

That dynamic is bound to change, for several reasons. First, many companies have improved their cybersecurity and cybersecurity oversight significantly over the past few years. Those that are leaders will begin to tout their leadership, and criticize competitors who have had or may have problems. Cybersecurity thus will become a competitive issue, and the market will begin to pick winners and losers instead of regarding a breached company as simply unlucky.

Second, as companies begin to tout their cybersecurity for competitive reasons, they will do so through statements that will be susceptible to challenge as false or misleading if they suffer a breach. The most difficult statements to defend in securities class actions often are those based on business braggadocio, and I think cybersecurity statements ultimately will be no different. In terms of stock price impact, such statements will bake strong cybersecurity into companies’ stock prices, leading to disappointment and thus stock drops when a seemingly strong cybersecurity company suffers a breach.

Third, the number of companies that disclose breaches will increase, leading to a larger universe of companies that might suffer stock drops. To date, virtually the only companies to disclose breaches are consumer-oriented companies, driven by breach-notification privacy laws. There have been few disclosures of significant breaches by non-consumer companies, whose disclosure decisions are based not on consumer breach-notification laws, but on SEC disclosure requirements.

That will change. The SEC is focused on cybersecurity disclosure, and inevitably will start to more aggressively police disclosure by companies that aren’t compelled to disclose breaches under privacy laws. (Of course, SEC enforcement over cybersecurity disclosures will not require a stock drop.) Also, I predict that whistleblowers from IT departments will start to surface, drawn by increasingly large whistleblower bounties. And auditors will begin to prompt disclosure as they too increase their focus on the financial impact of cybersecurity breaches.

I don’t know if this all means that cybersecurity securities class actions will become the most prominent type of securities class action. I doubt it. But I do think that the risk is high enough that all companies need to pay more attention to their cybersecurity disclosures, and insurers, brokers and risk managers need to be mindful of the inevitable increase of securities class action risk in this area.

Last fall, I wrote about board oversight of cybersecurity and derivative litigation in the wake of cybersecurity breaches.  I plan to update my thoughts later this year, after we see developments in the recently filed Target and Wyndham derivative actions, and learn the results of the 2014 installment of Carnegie Mellon’s biennial CyLab Governance of Enterprise Security Survey, which explores oversight of cybersecurity by boards of directors and senior management.

In this post, I’d like to focus on cybersecurity disclosure and the inevitable advent of securities class actions following cybersecurity breaches.  In all but one instance (Heartland Payment Systems), cybersecurity breaches, even the largest, have not caused a stock drop big enough to trigger a securities class action.  But there appears to be a growing consensus that stock drops are inevitable when the market better understands cybersecurity threats, the cost of breaches, and the impact of threats and breaches on companies’ business models.  When the market is better able to analyze these matters, there will be stock drops.  When there are stock drops, the plaintiffs’ bar will be there.

And when plaintiffs’ lawyers arrive, what will they find?  They will find companies grappling with cybersecurity disclosure.  Understandably, most of the discussion about cybersecurity disclosure focuses on the SEC’s October 13, 2011 “CF Disclosure Guidance: Topic No. 2” (“Guidance”) and the notorious failure of companies to disclose much about cybersecurity, which has resulted in a call for further SEC action by Senator Rockefeller and follow-up by the SEC, including an SEC Cybersecurity Roundtable on March 24, 2014.  But, as the SEC noted in the Guidance, and Chair White reiterated in October 2013, the Guidance does not define companies’ disclosure obligations.  Instead, disclosure is governed by the general duty not to mislead, along with more specific disclosure obligations that apply to specific types of required disclosures.

Indeed, plaintiffs’ lawyers will not even need to mention the Guidance to challenge statements allegedly made false or misleading by cybersecurity problems.  Various types of statements – from statements about the company’s business operations (which could be imperiled by inadequate cybersecurity), to statements about the company’s financial metrics (which could be rendered false or misleading by lower revenues and higher costs associated with cybersecurity problems), to internal controls and related CEO and CFO certifications, to risk factors themselves (which could warn against risks that have already materialized) – could be subject to challenge in the wake of a cybersecurity breach.

Plaintiffs will allege that the challenged statements were misleading because they omitted facts about cybersecurity (whether or not subject to disclosure under the Guidance).  In some cases, this allegation will require little more than coupling a statement with the omitted facts.  In cybersecurity cases, plaintiffs will have greater ability to learn the omitted facts than in other cases, as a result of breach notification requirements, privacy litigation, and government scrutiny, to name a few avenues.  The law, of course, requires more than simply coupling the statement and omitted facts; plaintiffs must explain in detail why the challenged statement was misleading, not just incomplete, and companies can defend the statement in the context of all of their disclosures.  But in cybersecurity cases, plaintiffs will have more to work with than in many other types of cases.

Pleading scienter likely will be easier for plaintiffs as well.  With increased emphasis on cybersecurity oversight at the senior officer (and board) level, a CEO or CFO will have difficulty (factually and in terms of good governance) suggesting that she or he didn’t know, at some level, about the omitted facts that made the challenged statements misleading.  That doesn’t mean that companies won’t be able to contest scienter.  Knowledge of omitted facts isn’t the test for scienter; the test is intent to mislead purchasers of securities.  However, this important distinction is often overlooked in practice.  Companies will also be able to argue that they didn’t disclose certain cybersecurity matters because, as the Guidance contemplates, some cybersecurity disclosures can compromise cybersecurity.  This is a proper argument for a motion to dismiss, as an innocent inference under Tellabs, but it may feel too “factual” for some judges to credit at the motion to dismiss stage.

As this analytic overview shows, cybersecurity securities class actions, on the whole, likely will be virulent.  Companies, of course, are talking about cybersecurity risks in their boardrooms – and they should also think about how to discuss those risks with their investors.  The best way for companies to lower their risk profile is to start to address this issue now, by thinking about cybersecurity in connection with all of their key disclosures, and enhancing their disclosures as appropriate.

Perfection and prescience are not required.  Effort matters most.  Companies that don’t even try will stand out.  As I’ve written in the context of the Reform Act’s Safe Harbor for forward-looking statements, judges are skeptical of companies whose risk factors remain static over time, and look favorably on companies who appear to try to draft meaningful risk factors.  I thus construct a defense of forward-looking statements by emphasizing, to the extent I can, ways in which the company’s risk disclosures evolved, and were tailored and focused.  I predict that the same approach will prove effective in cybersecurity cases.


Shareholder litigation comes in waves.  There is a widespread belief that the next big wave will be shareholder derivative litigation – a shareholder’s assertion of a claim belonging to the corporation, typically brought against directors and officers, alleging corporate harm for a board’s failure to prevent corporate problems.

Derivative cases filed as tag-alongs to securities class actions have long been commonplace, and frequently are little more than a nuisance.  Over the years, there have been sporadic large derivative actions concerning other areas of legal compliance – typically over a very large corporate problem.   Non-disclosure derivative litigation filings recently have seemed more frequent, and there have been some large settlements that have come as a result.  And the specter of cyber liability derivative suits looms large – not surprisingly, Target shareholders just filed derivative litigation related to the recent customer data breach.  Whether the forecasted non-disclosure derivative-litigation wave materializes, or remains a sporadic occurrence in the larger world of D&O litigation, is one of the issues I’m watching closely in 2014 and beyond.

This potential wave raises issues that are unique to derivative litigation.  One key issue that has not been analyzed enough is representation: which lawyers can and should represent the company and the individual defendants in derivative litigation?

Because a derivative litigation claim belongs to the corporation, it puts the corporation in an odd spot.  A shareholder, as one of the corporation’s “owners” (usually a really, really small owner – but an owner nevertheless), is trying to force the company to bring a claim against the people who run the company.  The law says, however, that those people, the directors, get to decide whether the company should sue someone – including themselves – unless a shareholder can show that they couldn’t make a disinterested and independent decision.   Thus, to bring a derivative action, a shareholder must allege that it would have been futile to demand that the board take action, and defendants will typically challenge the lawsuit with a motion to dismiss for failure to make a demand (“demand motion”) on the basis that the demand-futility allegations aren’t sufficiently probative or particularized.

It is often said that the interests of the company and defendants are aligned through the demand motion, because they all have an interest in making sure that the shareholder follows proper governance procedures – namely, making a pre-suit demand on the board.  But this sort of statement prejudges the demand-futility allegations; it assumes that the allegations of futility are insufficient.  In Delaware and states that follow its demand law, proper corporate governance procedures require a shareholder either to make a demand or to plead demand-futility.  Only if and when the court rules that demand was required can we truly say that the interests of the company and defendants on the demand issue were aligned.  However, I don’t think this means that legal ethics require the company to be separately represented from the inception of a derivative action in all cases; the shared-interest view is arguable.   So if there are good practical reasons for joint representation from inception, and it causes no harm, so be it.  (That the primary lawyers are expensive relative to the D&O insurance limits isn’t a good reason for joint representation – it’s a good reason why those lawyers were the wrong lawyers for the matter.  But I digress.)

There’s also a compelling strategic reason to separate the representation from the beginning of the case.  A demand motion asks the court to allow the defendants to be the judge – to require the plaintiff to ask the directors to evaluate and bring claims against themselves and senior officers.  Thus, the company must overcome a judge’s skepticism that such an evaluation presents a “fox-guarding-the-chicken-coop” problem.  This is far easier to do if the company is separately represented and makes the demand motion.  It is true that courts frequently grant demand motions made during joint representation of the company and defendants.  But it is also true that joint representation always carries strategic risk, and the more serious the derivative litigation, the more unwise it is to take the risk.  Rather than make judgments in advance about which derivative litigation is serious, warranting a split, and which isn’t, allowing joint representation, I advocate splitting the representation from the outset – since the representation must be split up if demand is excused, splitting it from the outset imposes relatively little additional cost burden, if there’s appropriate coordination.

Representation between and among the defendants has strategic components, in addition to ethical considerations.  It can be strategically advantageous for individuals who aren’t accused of active wrongdoing to be separately represented from those who are.  That typically means officers and outside directors are represented separately in groups.  With this division, the court can see that the directors who would evaluate a demand don’t have the same lawyers as the people who allegedly engaged in active wrongdoing.  However, I don’t think that’s as strategically important for purposes of the demand motion as splitting up the company and defendants.  In evaluating a demand, the directors, acting as directors and not director-defendants, should be represented by counsel other than their litigation defense counsel.  Moreover, demand futility is judged at the time the suit is filed, not when the court decides the demand motion.  Thus, it isn’t technically necessary or legally accurate to send a “signal” of independence to the court through splitting up the representation further.  That said, in a very significant derivative case, and/or one in which the judge is new to derivative litigation, such an approach could be strategically advantageous.

It can sometimes be appropriate to consider even more divisions – for example, splitting the outside directors into audit-committee and non-audit-committee groups where audit-committee oversight is the main oversight allegation.  Such divisions may be ethically prudent or necessary later, but for purposes of the demand motion, they often don’t add much, if anything, since the demand motion is about the ability of a majority of the full board to consider a demand.

So, a typical case needs at least two lawyers from the outset – one for the company, and another for the individual defendants.  The type of derivative litigation we’re discussing often arises in the context of an underlying legal problem for which the company has lawyers – in a disclosure-related matter for a related securities class action, and in non-disclosure matters for other types of underlying matters (FCPA, antitrust, privacy, etc.).   To what extent should the lawyers defending the underlying matters be involved in the derivative action?

In general, I believe that the lawyers defending the underlying proceedings that created the corporate liability or harm (actual or potential) at issue in the derivative case should not defend the derivative case.  The reasons are similar to those I have written about in the context of using corporate counsel to defend a securities class action that may involve corporate counsel’s advice – there are tricky and hidden conflict issues, and the lawyers can be of better service to their clients as witnesses.

In derivative litigation, the problem can be even worse.  Corporate counsel typically advises on relevant corporate governance issues, such as compliance programs, the severity of legal risks that ultimately trigger the derivative litigation, board review of various risks, and preparation or review of board minutes.  Some companies are heavily guided in these areas by their corporate counsel, either directly in the boardroom or indirectly through advice to in-house counsel.   It is in the interests of the company and the board to be able to testify that they took a course of action, or didn’t do so, because of their lawyers’ advice.  The problem is greater than that of lawyer-as-witness – defense counsel should not be in the position of making judgments or recommendations that might be influenced by the law firm’s concerns about the public airing of its corporate work.

In derivative cases based on a disclosure problem, another representation issue arises:  whom should the securities class action defense counsel represent – the company or the defendants?   Securities class action defense counsel take different approaches to dividing derivative litigation representation.  Some will represent the company only, and have their securities class action individual defendant clients be represented by a different firm.  Others represent the individual defendants in the derivative action, and have the company represented by a different firm.   The right approach is a judgment call, but I prefer to have the securities class action defense counsel represent the individual defendants in the derivative action and have another firm represent the company.  That approach allows the lawyers in defense mode to fully remain in defense mode – they can defend the lack of merit to the charges of wrongdoing in all proceedings.   It also allows the defending lawyers to avoid the tension involved in simultaneously defending individuals in the securities class action and representing the potentially adverse company in the related derivative action.  This approach is possible with the right waivers, but I prefer the pure-defense approach.

Once the right lawyers are in place, how can and should the lawyers interact to prepare motions to dismiss and conduct other preliminary projects effectively – and cost-effectively?  The gating question is who should make the demand motion – the company or the defendants?  The company is really the right movant.  The demand motion is about the company’s corporate governance procedures, and the directors are involved not as directors but as individual defendants, so the purest approach is for the company to make the demand motion.

The same result makes sense from a strategic perspective.  The defendants have 12(b)(6) motions to make, and having them make both motions is awkward.   Although both motions say that the allegations (not the claims) aren’t good enough – the demand motion asserts that the allegations don’t raise a substantial likelihood of liability or other disabling interest sufficient to excuse demand, and the 12(b)(6) motion asserts they are not sufficient to state a claim – having the directors simultaneously assert that they could impartially consider a demand, but that the claims should be dismissed, is slicing the issues pretty finely.   If the defendants don’t make a 12(b)(6) motion, that problem is alleviated.  Many defense lawyers – including me from time to time – opine that the 12(b)(6) motions will fail if the demand motion fails, so defendants should just forgo the 12(b)(6) motion entirely and make a 12(c) motion later, if necessary.  However, that forgoes the initial line of defense for the individuals.

It will be interesting to see if there is indeed a wave of more serious derivative litigation coming.  I will be on the look-out, and will write about other derivative-litigation issues that I think are of interest.

Cyber security is top of mind for companies, and cyber-security oversight is top of mind for corporate directors.  I recently co-moderated a panel discussion for directors on board oversight of cyber security and cyber-security disclosures.  I thought I’d share my thoughts on some of the key issues.

What are the board’s fiduciary duties in the area of cyber-security oversight?  Board oversight of cyber security conceptually is no different than oversight of any other area of risk.  The board must take good-faith steps to ensure that the company has systems designed to address cyber-attack prevention and mitigation, and to follow up on red flags it sees.  The board’s decision-making is protected by the business judgment rule.

It is important for directors to understand that cyber-security oversight isn’t exotic.  Because cyber security is a highly technical area, some directors may feel out of their depth – which may help explain why Carnegie Mellon’s 2012 CyLab survey revealed that some boards are not sufficiently focused on cyber-security oversight.  But with the help of experts – on which directors are entitled to rely – boards can ask the same types of questions they’re used to asking about other types of risk, and gain a similar degree of comfort.

How do I pick the right experts?  Directors should be comfortable that they are receiving candid and independent advice, and need to be mindful that the company’s internal IT group may have trouble being self-critical.  So in addition to receiving appropriate reports from the IT group, directors should periodically consult outside advisors who are capable of giving independent advice.

Given the importance of cyber security, will courts impose a higher standard on directors?  Directors’ basic duties are not heightened by general political and economic concerns about cyber security, or even the magnitude of harm that the company itself could suffer from a cyber attack.  But the magnitude of potential harm does matter.  If a substantial portion of a company’s value depends on the security of its cyber assets, common sense dictates that directors will naturally spend relatively more time on cyber security.  In my experience, that’s the way directors think and work – they analyze and devote more time to their companies’ most important issues.  And from a practical perspective, directors’ actions, or inaction, will be judged against the backdrop of a really bad problem.  Judges are human beings, and often do make decisions that are influenced by the presence of particularly severe harm.

How does cyber insurance fit into the board’s job?   Cyber insurance allows the company to shift a specific and potentially very large risk.  As such, it is important that boards consider cyber insurance among the types of expenditures appropriate to prevent and mitigate cyber attacks.  Shifting risk through cyber insurance also can help directors avoid a shareholder derivative action, by reducing the attractiveness of the suit to plaintiffs’ lawyers, or reduce the severity of an action that is filed, making it easier and less expensive to resolve.

Are there any court decisions on directors’ duties in the area of cyber security?  No.  Although a TJX Companies, Inc. shareholder brought a derivative suit following a significant data breach, Louisiana Municipal Police Employees Retirement Fund v. Alvarez, Civil Action No. 5620-VCN (Del. Ch. July 2, 2010), the case settled early in the litigation.  As a result, the court never had the opportunity to make any substantive rulings on the plaintiffs’ allegations that the board failed to adequately oversee the company’s cyber security.

What is the board’s role in overseeing the company’s disclosures concerning cyber security?  The board’s duty is the same as it is with any corporate disclosure.

Does the SEC’s October 13, 2011 guidance on cyber-security disclosures enhance the board’s oversight responsibilities?   No.  As the guidance itself notes, it does not change disclosure law, but rather interprets existing law.  The guidance does, however, put a sharper focus on cyber-security disclosures, and provides the SEC and plaintiffs’ counsel with a checklist of potential criticisms – though those criticisms would really just be based on existing law.

The sharper focus on cyber-security disclosure isn’t meaningless, however.  The SEC has issued cyber-security comments to approximately 50 public companies since issuing its guidance.  The guidance, moreover, provides another opportunity for the board to discuss cyber security with management, and the increased focus should result in incrementally better disclosure.  And the SEC may well speak again on the subject; last spring, Senator Rockefeller asked new SEC Chair Mary Jo White to further address cyber-security disclosures.  (For a good discussion of the SEC’s guidance, I recommend an article by Dan Bailey, which was reprinted in the D&O Diary, and a recent D&O Diary post discussing a Willis survey of cyber-security disclosures.)

Are there any disclosure securities class actions alleging a false or misleading statement based on failure to follow the guidance?  No.  There was a securities class action against Heartland Payment Systems for a stock price drop that plaintiffs attributed to Heartland’s alleged misstatements concerning its cyber-security protections.  In re Heartland Payment Sys., Inc. Sec. Litig., CIV. 09-1043, 2009 WL 4798148 (D.N.J. Dec. 7, 2009).  The litigation was dismissed because the plaintiffs had not sufficiently alleged that the company made a false or misleading statement or, if it had, did so with scienter.  However, that case was filed prior to the SEC’s cyber-security guidance.  At least one commentator has suggested the outcome might have been different if the SEC guidance had informed the analysis.

Is there a wave of cyber-security shareholder suits coming?  What type of suits will there be?  If there is a wave, it looks like the lawsuits primarily will be shareholder derivative actions, not securities class actions.

There has not been a wave of cyber-attack securities class actions because companies’ stock prices generally haven’t fallen significantly following disclosure of cyber attacks.  If that trend remains, shareholder litigation over cyber security primarily will take the form of shareholder derivative litigation, seeking to recover from directors and officers damages for the harm to the corporation caused by a cyber attack.

The vast majority of options backdating lawsuits were derivative actions due to the lack of significant stock drops, and many of them survived motions to dismiss and resulted in significant settlements.  However, unlike the options backdating cases, in which many motions to dismiss for failure to make a demand on the board were complicated by directors’ receipt of allegedly backdated options or service on compensation committees that allegedly approved backdated options, directors’ governance of cyber security should be judged by more favorable legal standards and with a more deferential judicial attitude.  For that reason, I anticipate that plaintiffs’ attorneys will file derivative cases mostly over larger cyber-security breaches, in which the litigation environment will help them overcome the legal obstacles, and will not routinely file over less significant breaches.