In combination with the Delaware Court of Chancery’s decision in In re Trulia, Inc. Stockholder Litigation, 129 A.3d 884 (Del. Ch. 2016), Judge Posner’s blistering opinion in In re Walgreen Company Stockholder Litigation, 2016 WL 4207962 (7th Cir. Aug. 10, 2016), may well close the door on disclosure-only settlements in shareholder challenges to mergers.  That certainly feels just.  And it may well go a long way toward discouraging meritless merger litigation.  But, as I’ve cautioned, I am concerned that we will regret it.  Lost in the cheering over Trulia and Walgreen is a simple and practical reality: the availability of disclosure-only settlements is in the interests of merging companies as much as it is in the interests of shareholder plaintiffs’ lawyers, because disclosure-only settlements are often the most timely and efficient way to resolve shareholder challenges to mergers, even legitimate ones.

I am offended by meritless merger litigation, and have long advocated reforms to fix the system that not only allows it, but encourages and incentivizes it.  Certainly, strict scrutiny of disclosure-only settlements will reduce the number of merger claims—it already has.  Let’s say shareholder challenges to mergers are permanently reduced from 90% to 60% of transactions.  That would be great.  But how do we then resolve the cases that remain?  Unfortunately, there aren’t efficient and generally agreeable alternatives to disclosure-only settlements to dispose of a merger lawsuit before the closing of the challenged transaction.  Of course, the parties can increase the merger price, though that is a difficult proposition.  The parties can also adjust other deal terms, but few merger partners want to alter the deal unless and until the alteration doesn’t actually matter, and settlements based on meaningless deal-structure changes won’t fare better with courts than meaningless disclosure-only settlements.

If the disclosure-only door to resolving merger cases is shut, then more cases will need to be litigated post-close.  That will make settlement more expensive.  Plaintiffs’ lawyers are not going to start to settle for less money, especially when they are forced to litigate for longer and invest more in their cases.  And in contrast to adjustments to the merger transaction or disclosures, in which 100% of the cash goes to lawyers for the “benefit” they provided, settlements based on the payment of cash to the class of plaintiffs require a much larger sum to yield the same amount of money to the plaintiffs’ lawyers.  For example, a $500,000 fee payment to plaintiffs’ lawyers under a disclosure-only settlement would require around $2 million in a settlement payment to the class to yield the same fee for the plaintiffs’ attorneys, assuming a 25% contingent-fee award.

The increase in the cash outlay required for companies and their insurers to deal with post-close merger litigation will actually be much higher than my example indicates.  Plaintiffs’ lawyers will spend more time on each case, and demand a higher settlement amount to yield a higher plaintiffs’ fee.  Defense costs will skyrocket.  And discovery in post-close cases will inevitably unearth problems that the disclosure-only settlement landscape camouflaged, significantly increasing the severity of many cases.  It is not hard to imagine that merger cases that could have settled for disclosures and a six-figure plaintiffs’ fee will often become an eight-figure mess.  And, beyond these unfortunate economic consequences, the inability to resolve merger litigation quickly and efficiently will increase the burden upon directors and officers by requiring continued service to companies they have sold, as they are forced to produce documents, sit for depositions, and consult with their defense lawyers, while the merger case careens toward trial.

Again, it’s hard to disagree with the logic and sentiment of these decisions, and the result may very well be more just.  But this justice will come with a high practical price tag.

Cyber security is top of mind for companies, and cyber-security oversight is top of mind for corporate directors.  I recently co-moderated a panel discussion for directors on board oversight of cyber security and cyber-security disclosures.  I thought I’d share my thoughts on some of the key issues.

What are the board’s fiduciary duties in the area of cyber-security oversight?  Board oversight of cyber security conceptually is no different than oversight of any other area of risk.  The board must take good-faith steps to ensure that the company has systems designed to address cyber-attack prevention and mitigation, and to follow up on red flags it sees.  The board’s decision-making is protected by the business judgment rule.

It is important for directors to understand that cyber-security oversight isn’t exotic.  Because cyber security is a highly technical area, some directors may feel out of their depth – which may help explain why Carnegie Mellon’s 2012 CyLab survey revealed that some boards are not sufficiently focused on cyber-security oversight.  But with the help of experts – on which directors are entitled to rely – boards can ask the same types of questions they’re used to asking about other types of risk, and gain a similar degree of comfort.

How do I pick the right experts?  Directors should be comfortable that they are receiving candid and independent advice, and need to be mindful that the company’s internal IT group may have trouble being self-critical.  So in addition to receiving appropriate reports from the IT group, directors should periodically consult outside advisors who are capable of giving independent advice.

Given the importance of cyber security, will courts impose a higher standard on directors?  Directors’ basic duties are not heightened by general political and economic concerns about cyber security, or even the magnitude of harm that the company itself could suffer from a cyber attack.  But the magnitude of potential harm does matter.  If a substantial portion of a company’s value depends on the security of its cyber assets, common sense dictates that directors will naturally spend relatively more time on cyber security.  In my experience, that’s the way directors think and work – they analyze and devote more time to their companies’ most important issues.  And from a practical perspective, directors’ actions, or inaction, will be judged against the backdrop of a really bad problem.  Judges are human beings, and often do make decisions that are influenced by the presence of particularly severe harm.

How does cyber insurance fit into the board’s job?  Cyber insurance allows the company to shift a specific and potentially very large risk.  As such, it is important that boards consider cyber insurance among the types of expenditures appropriate to prevent and mitigate cyber attacks.  Shifting risk through cyber insurance also can help directors avoid a shareholder derivative action, by reducing the attractiveness of the suit to plaintiffs’ lawyers, or reduce the severity of an action that is filed, making it easier and less expensive to resolve.

Are there any court decisions on directors’ duties in the area of cyber security?  No.  Although a TJX Companies, Inc. shareholder brought a derivative suit following a significant data breach, Louisiana Municipal Police Employees Retirement Fund v. Alvarez, Civil Action No. 5620-VCN (Del. Ch. July 2, 2010), the case settled early in the litigation.  As a result, the court never had the opportunity to make any substantive rulings on the plaintiffs’ allegations that the board failed to adequately oversee the company’s cyber security.

What is the board’s role in overseeing the company’s disclosures concerning cyber security?  The board’s duty is the same as it is with any corporate disclosure.

Does the SEC’s October 13, 2011 guidance on cyber-security disclosures enhance the board’s oversight responsibilities?   No.  As the guidance itself notes, it does not change disclosure law, but rather interprets existing law.  The guidance does, however, put a sharper focus on cyber-security disclosures, and provides the SEC and plaintiffs’ counsel with a checklist of potential criticisms – though those criticisms would really just be based on existing law.

The sharper focus on cyber-security disclosure isn’t meaningless, however.  The SEC has issued cyber-security comments to approximately 50 public companies since issuing its guidance.  The guidance, moreover, provides another opportunity for the board to discuss cyber security with management, and the increased focus should result in incrementally better disclosure.  And the SEC may well speak again on the subject; last spring, Senator Rockefeller asked new SEC Chair Mary Jo White to further address cyber-security disclosures.  (For a good discussion of the SEC’s guidance, I recommend an article by Dan Bailey, which was reprinted in the D&O Diary, and a recent D&O Diary post discussing a Willis survey of cyber-security disclosures.)

Are there any disclosure securities class actions alleging a false or misleading statement based on failure to follow the guidance?  No.  There was a securities class action against Heartland Payment Systems for a stock price drop that plaintiffs attributed to Heartland’s alleged misstatements concerning its cyber-security protections.  In re Heartland Payment Sys., Inc. Sec. Litig., CIV. 09-1043, 2009 WL 4798148 (D.N.J. Dec. 7, 2009).  The litigation was dismissed because the plaintiffs had not sufficiently alleged that the company made a false or misleading statement or, if it had, did so with scienter.  However, that case was filed prior to the SEC’s cyber-security guidance.  At least one commentator has suggested the outcome might have been different if the SEC guidance had informed the analysis.

Is there a wave of cyber-security shareholder suits coming?  What type of suits will there be?  If there is a wave, it looks like the lawsuits primarily will be shareholder derivative actions, not securities class actions.

There has not been a wave of cyber-attack securities class actions because companies’ stock prices generally haven’t fallen significantly following disclosure of cyber attacks.  If that trend remains, shareholder litigation over cyber security primarily will take the form of shareholder derivative litigation, seeking to recover from directors and officers damages for the harm to the corporation caused by a cyber attack.

The vast majority of options backdating lawsuits were derivative actions due to the lack of significant stock drops, and many of them survived motions to dismiss and resulted in significant settlements.  However, unlike the options backdating cases, in which many motions to dismiss for failure to make a demand on the board were complicated by directors’ receipt of allegedly backdated options or service on compensation committees that allegedly approved backdated options, directors’ governance of cyber security should be judged by more favorable legal standards and with a more deferential judicial attitude.  For that reason, I anticipate that plaintiffs’ attorneys will file derivative cases mostly over larger cyber-security breaches, in which the litigation environment will help them overcome the legal obstacles, and will not routinely file over less significant breaches.

 

 

I am frequently asked about the safety of director service.  Below is the text of a short article I wrote for a forthcoming issue of a business publication.

Although the article is short and non-technical, I decided it was a good opportunity to start a discussion here on director service.  I would enjoy a dialogue with readers on these issues, so please post comments or email or call me.  I may write follow-up blog posts on issues that generate discussion.

D&O insurance is an essential component of the analysis of the safety of director service.  “The ‘Nuts and Bolts’ of D&O Insurance,” by Kevin LaCroix, author of The D&O Diary, is an excellent primer on the subject.

Here is the text of my article:

Disclosure dilemmas and legal problems are a reality of business, and shareholder lawsuits often follow.

So, is it safe to serve on a public company board of directors?  The answer is easy:  yes, it indeed is safe, as long as the director is conscientious and has appropriate corporate protections against personal liability.

Shareholder lawsuits are frequent, but outside director liability is rare.  Shareholder litigation almost never affects the personal finances of outside directors, due to a combination of factors.

  • Shareholder litigation rarely goes to trial.  This is true for many reasons, including potential exceptions under corporate indemnification and Directors’ & Officers’ (“D&O”) liability insurance contracts if a defendant were to lose at trial.
  • Nearly all shareholder cases are settled with D&O insurance proceeds and/or a payment by the company.  Only in exceptional cases have outside directors ever made any significant financial contribution toward the settlement of public company shareholder litigation.
  • Outside directors are not the target defendants in securities class actions.  They are often sued in shareholder derivative actions challenging the directors’ oversight of the company, but plaintiffs face high hurdles to establish liability.  They also are often named as defendants in shareholder challenges to mergers, but such cases almost always settle for modest amounts.

Yet, no director wants to be sued, so prevention of problems is key — the fewer problems, the less risk of litigation, and preventive measures actually establish substantive defenses to liability.  In simple terms, the law expects directors to make sure that their companies have systems in place to prevent and detect problems, and to follow up on indications of a lack of compliance.  Attention is essential.  The Sergeant Schultz defense (“I know nothing!”) doesn’t work.

Sarbanes-Oxley’s certification requirements are central to a company’s systems for compliance with the securities laws.  Because of Sarbanes-Oxley, more work goes into internal controls, financial reporting, and other public disclosures than ever before, and more issues bubble up and are addressed at the senior management and board level.  Even though the burdens that these requirements have imposed are onerous, they have made outside directors’ compliance with their oversight duties easier.

Legal compliance on matters other than disclosures is highly company-specific.  In a nutshell, directors need to understand the company’s legal risks, implement the appropriate compliance and reporting systems, and act to address problems as they are identified.  Directors can easily satisfy their oversight duty if they understand their responsibility, ask the right questions and engage the right legal advisors.

If problems and litigation arise, directors have several protections against personal liability.

The most fundamental protection is an “exculpation,” or “raincoat” protection in the company’s corporate charter or articles of incorporation.  In general terms, such a provision provides that directors shall not be liable to the corporation for money damages unless they acted disloyally, intentionally or in bad faith.

Corporate indemnification is a director’s primary financial protection.  Directors should ensure that the company’s indemnification provisions are well-crafted and provide the maximum protection the law allows, and should ask a securities litigator to review them from time to time.

D&O insurance, of course, also provides important protections.  Three points are important to keep in mind:

  1. Engage a broker who is a specialist in D&O insurance coverage and claims.  Such a broker will best know what coverage provisions are possible and at what price, and will know the right structure and amount of insurance.
  2. Focus on protections for outside directors.  Ensure that the insolvency provisions are state-of-the-art, and there is sufficient Side A coverage.
  3. From time to time, ask a securities litigator to review your D&O insurance program.