Shareholder litigation comes in waves.  There is a widespread belief that the next big wave will be shareholder derivative litigation – a shareholder’s assertion of a claim belonging to the corporation, typically brought against directors and officers, alleging corporate harm for a board’s failure to prevent corporate problems.

Derivative cases filed as tag-alongs to securities class actions have long been commonplace, and frequently are little more than a nuisance.  Over the years, there have been sporadic large derivative actions concerning other areas of legal compliance – typically over a very large corporate problem.   Non-disclosure derivative litigation filings recently have seemed more frequent, and there have been some large settlements that have come as a result.  And the specter of cyber liability derivative suits looms large – not surprisingly, Target shareholders just filed derivative litigation related to the recent customer data breach.  Whether the forecasted non-disclosure derivative-litigation wave materializes, or remains a sporadic occurrence in the larger world of D&O litigation, is one of the issues I’m watching closely in 2014 and beyond.

This potential wave raises issues that are unique to derivative litigation.  One key issue that has not been analyzed enough is representation: which lawyers can and should represent the company and the individual defendants in derivative litigation?

Because a derivative litigation claim belongs to the corporation, it puts the corporation in an odd spot.  A shareholder, as one of the corporation’s “owners” (usually a really, really small owner – but an owner nevertheless), is trying to force the company to bring a claim against the people who run the company.  The law says, however, that those people, the directors, get to decide whether the company should sue someone – including themselves – unless a shareholder can show that they couldn’t make a disinterested and independent decision.   Thus, to bring a derivative action, a shareholder must allege that it would have been futile to demand that the board take action, and defendants will typically challenge the lawsuit with a motion to dismiss for failure to make a demand (“demand motion”) on the basis that the demand-futility allegations aren’t sufficiently probative or particularized.

It is often said that the interests of the company and defendants are aligned through the demand motion, because they all have an interest in making sure that the shareholder follows proper governance procedures – namely, making a pre-suit demand on the board.  But this sort of statement prejudges the demand-futility allegations; it assumes that the allegations of futility are insufficient.  In Delaware and states that follow its demand law, proper corporate governance procedures require a shareholder either to make a demand or to plead demand-futility.  Only if and when the court rules that demand was required can we truly say that the interests of the company and defendants on the demand issue were aligned.  However, I don’t think this means that legal ethics require the company to be separately represented from the inception of a derivative action in all cases; the shared-interest view is arguable.   So if there are good practical reasons for joint representation from inception, and it causes no harm, so be it.  (That the primary lawyers are expensive relative to the D&O insurance limits isn’t a good reason for joint representation – it’s a good reason why those lawyers were the wrong lawyers for the matter.  But I digress.)

There’s also a compelling strategic reason to separate the representation from the beginning of the case.  A demand motion asks the court to allow the defendants to be the judge – to require the plaintiff to ask the directors to evaluate and bring claims against themselves and senior officers.  Thus, the company must overcome a judge’s skepticism that such an evaluation presents a “fox-guarding-the-chicken-coop” problem.  This is far easier to do if the company is separately represented and makes the demand motion.  It is true that courts frequently grant demand motions made during joint representation of the company and defendants.  But it is also true that joint representation always carries strategic risk, and the more serious the derivative litigation, the more unwise it is to take the risk.  Rather than make judgments in advance about which derivative litigation is serious, warranting a split, and which isn’t, allowing joint representation, I advocate splitting the representation from the outset – since the representation must be split up if demand is excused, splitting it from the outset imposes relatively little additional cost burden, if there’s appropriate coordination.

Representation between and among the defendants has strategic components, in addition to ethical considerations.  It can be strategically advantageous for individuals who aren’t accused of active wrongdoing to be separately represented from those who are.  That typically means officers and outside directors are represented separately in groups.  With this division, the court can see that the directors who would evaluate a demand don’t have the same lawyers as the people who allegedly engaged in active wrongdoing.  However, I don’t think that’s as strategically important for purposes of the demand motion as splitting up the company and defendants.  In evaluating a demand, the directors, acting as directors and not director-defendants, should be represented by counsel other than their litigation defense counsel.  Moreover, demand futility is judged at the time the suit is filed, not when the court decides the demand motion.  Thus, it isn’t technically necessary or legally accurate to send a “signal” of independence to the court through splitting up the representation further.  That said, in a very significant derivative case, and/or one in which the judge is new to derivative litigation, such an approach could be strategically advantageous.

It can sometimes be appropriate to consider even more divisions – for example, splitting the outside directors into audit-committee and non-audit-committee groups where audit-committee oversight is the main oversight allegation.  Such divisions may be ethically prudent or necessary later, but for purposes of the demand motion, they often don’t add much, if anything, since the demand motion is about the ability of a majority of the full board to consider a demand.

So, a typical case needs at least two lawyers from the outset – one for the company, and another for the individual defendants.  The type of derivative litigation we’re discussing often arises in the context of an underlying legal problem for which the company has lawyers – in a disclosure-related matter for a related securities class action, and in non-disclosure matters for other types of underlying matters (FCPA, antitrust, privacy, etc.).   To what extent should the lawyers defending the underlying matters be involved in the derivative action?

In general, I believe that the lawyers defending the underlying proceedings that created the corporate liability or harm (actual or potential) at issue in the derivative case should not defend the derivative case.  The reasons are similar to those I have written about in the context of using corporate counsel to defend a securities class action that may involve corporate counsel’s advice – there are tricky and hidden conflict issues, and the lawyers can be of better service to their clients as witnesses.

In derivative litigation, the problem can be even worse.  Corporate counsel typically advises on relevant corporate governance issues, such as compliance programs, the severity of legal risks that ultimately trigger the derivative litigation, board review of various risks, and preparation or review of board minutes.  Some companies are heavily guided in these areas by their corporate counsel, either directly in the boardroom or indirectly through advice to in-house counsel.   It is in the interests of the company and the board to be able to testify that they took a course of action, or didn’t do so, because of their lawyers’ advice.  The problem is greater than that of lawyer-as-witness – defense counsel should not be in the position of making judgments or recommendations that might be influenced by the law firm’s concerns about the public airing of its corporate work.

In derivative cases based on a disclosure problem, another representation issue arises:  whom should the securities class action defense counsel represent – the company or the defendants?   Securities class action defense counsel take different approaches to dividing derivative litigation representation.  Some will represent the company only, and have their securities class action individual defendant clients be represented by a different firm.  Others represent the individual defendants in the derivative action, and have the company represented by a different firm.   The right approach is a judgment call, but I prefer to have the securities class action defense counsel represent the individual defendants in the derivative action and have another firm represent the company.  That approach allows the lawyers in defense mode to fully remain in defense mode – they can defend the lack of merit to the charges of wrongdoing in all proceedings.   It also allows the defending lawyers to avoid the tension involved in simultaneously defending individuals in the securities class action and representing the potentially adverse company in the related derivative action.  This approach is possible with the right waivers, but I prefer the pure-defense approach.

Once the right lawyers are in place, how can and should the lawyers interact to prepare motions to dismiss and conduct other preliminary projects effectively – and cost-effectively?  The gating question is who should make the demand motion – the company or the defendants?  The company is really the right movant.  The demand motion is about the company’s corporate governance procedures, and the directors are involved not as directors but as individual defendants, so the purest approach is for the company to make the demand motion.

The same result makes sense from a strategic perspective.  The defendants have 12(b)(6) motions to make, and having them make both motions is awkward.  Although both motions say that the allegations (not the claims) aren’t good enough – the demand motion asserts that the allegations don’t raise a substantial likelihood of liability or other disabling interest sufficient to excuse demand, and the 12(b)(6) motion asserts they are not sufficient to state a claim – having the directors simultaneously assert that they could impartially consider a demand, but that the claims should be dismissed, is slicing the issues pretty finely.  If the defendants don’t make a 12(b)(6) motion, that problem is alleviated.  Many defense lawyers – including me from time to time – opine that the 12(b)(6) motions will fail if the demand motion fails, so defendants should just forgo the 12(b)(6) motion entirely and make a 12(c) motion later, if necessary.  However, that forgoes the initial line of defense for the individuals.

It will be interesting to see if there is indeed a wave of more serious derivative litigation coming.  I will be on the look-out, and will write about other derivative-litigation issues that I think are of interest.

Cyber security is top of mind for companies, and cyber-security oversight is top of mind for corporate directors.  I recently co-moderated a panel discussion for directors on board oversight of cyber security and cyber-security disclosures.  I thought I’d share my thoughts on some of the key issues.

What are the board’s fiduciary duties in the area of cyber-security oversight?  Board oversight of cyber security conceptually is no different than oversight of any other area of risk.  The board must take good-faith steps to ensure that the company has systems designed to address cyber-attack prevention and mitigation, and to follow up on red flags it sees.  The board’s decision-making is protected by the business judgment rule.

It is important for directors to understand that cyber-security oversight isn’t exotic.  Because cyber security is a highly technical area, some directors may feel out of their depth – which may help explain why Carnegie Mellon’s 2012 CyLab survey revealed that some boards are not sufficiently focused on cyber-security oversight.  But with the help of experts – on which directors are entitled to rely – boards can ask the same types of questions they’re used to asking about other types of risk, and gain a similar degree of comfort.

How do I pick the right experts?  Directors should be comfortable that they are receiving candid and independent advice, and need to be mindful that the company’s internal IT group may have trouble being self-critical.  So in addition to receiving appropriate reports from the IT group, directors should periodically consult outside advisors who are capable of giving independent advice.

Given the importance of cyber security, will courts impose a higher standard on directors?  Directors’ basic duties are not heightened by general political and economic concerns about cyber security, or even the magnitude of harm that the company itself could suffer from a cyber attack.  But the magnitude of potential harm does matter.  If a substantial portion of a company’s value depends on the security of its cyber assets, common sense dictates that directors will naturally spend relatively more time on cyber security.  In my experience, that’s the way directors think and work – they analyze and devote more time to their companies’ most important issues.  And from a practical perspective, directors’ actions, or inaction, will be judged against the backdrop of a really bad problem.  Judges are human beings, and often do make decisions that are influenced by the presence of particularly severe harm.

How does cyber insurance fit into the board’s job?  Cyber insurance allows the company to shift a specific and potentially very large risk.  As such, it is important that boards consider cyber insurance among the types of expenditures appropriate to prevent and mitigate cyber attacks.  Shifting risk through cyber insurance also can help directors avoid a shareholder derivative action, by reducing the attractiveness of the suit to plaintiffs’ lawyers, or reduce the severity of an action that is filed, making it easier and less expensive to resolve.

Are there any court decisions on directors’ duties in the area of cyber security?  No.  Although a TJX Companies, Inc. shareholder brought a derivative suit following a significant data breach, Louisiana Municipal Police Employees Retirement Fund v. Alvarez, Civil Action No. 5620-VCN (Del. Ch. July 2, 2010), the case settled early in the litigation.  As a result, the court never had the opportunity to make any substantive rulings on the plaintiffs’ allegations that the board failed to adequately oversee the company’s cyber security.

What is the board’s role in overseeing the company’s disclosures concerning cyber security?  The board’s duty is the same as it is with any corporate disclosure.

Does the SEC’s October 13, 2011 guidance on cyber-security disclosures enhance the board’s oversight responsibilities?   No.  As the guidance itself notes, it does not change disclosure law, but rather interprets existing law.  The guidance does, however, put a sharper focus on cyber-security disclosures, and provides the SEC and plaintiffs’ counsel with a checklist of potential criticisms – though those criticisms would really just be based on existing law.

The sharper focus on cyber-security disclosure isn’t meaningless, however.  The SEC has issued cyber-security comments to approximately 50 public companies since issuing its guidance.  The guidance, moreover, provides another opportunity for the board to discuss cyber security with management, and the increased focus should result in incrementally better disclosure.  And the SEC may well speak again on the subject; last spring, Senator Rockefeller asked new SEC Chair Mary Jo White to further address cyber-security disclosures.  (For a good discussion of the SEC’s guidance, I recommend an article by Dan Bailey, which was reprinted in the D&O Diary, and a recent D&O Diary post discussing a Willis survey of cyber-security disclosures.)

Are there any disclosure securities class actions alleging a false or misleading statement based on failure to follow the guidance?  No.  There was a securities class action against Heartland Payment Systems for a stock price drop that plaintiffs attributed to Heartland’s alleged misstatements concerning its cyber-security protections.  In re Heartland Payment Sys., Inc. Sec. Litig., CIV. 09-1043, 2009 WL 4798148 (D.N.J. Dec. 7, 2009).  The litigation was dismissed because the plaintiffs had not sufficiently alleged that the company made a false or misleading statement or, if it had, did so with scienter.  However, that case was filed prior to the SEC’s cyber-security guidance.  At least one commentator has suggested the outcome might have been different if the SEC guidance had informed the analysis.

Is there a wave of cyber-security shareholder suits coming?  What type of suits will there be?  If there is a wave, it looks like the lawsuits primarily will be shareholder derivative actions, not securities class actions.

There has not been a wave of cyber-attack securities class actions because companies’ stock prices generally haven’t fallen significantly following disclosure of cyber attacks.  If that trend remains, shareholder litigation over cyber security primarily will take the form of shareholder derivative litigation, seeking to recover from directors and officers damages for the harm to the corporation caused by a cyber attack.

The vast majority of options backdating lawsuits were derivative actions due to the lack of significant stock drops, and many of them survived motions to dismiss and resulted in significant settlements.  However, unlike the options backdating cases, in which many motions to dismiss for failure to make a demand on the board were complicated by directors’ receipt of allegedly backdated options or service on compensation committees that allegedly approved backdated options, directors’ governance of cyber security should be judged by more favorable legal standards and with a more deferential judicial attitude.  For that reason, I anticipate that plaintiffs’ attorneys will file derivative cases mostly over larger cyber-security breaches, in which the litigation environment will help them overcome the legal obstacles, and will not routinely file over less significant breaches.