In my law practice, I defend particular clients in particular securities and governance cases.  My mission is to get them through the litigation safely and comfortably.

But I’ve always had a broader interest in securities law and practice as well.  After Congress passed the Private Securities Litigation Reform Act of 1995, I read and chronicled every Reform Act court decision over the next several years.  As a senior associate and, later, a junior partner, I wrote articles, helped my mentors prepare for speeches, and then started speaking myself.  I also began to discuss securities litigation issues behind the scenes with other defense lawyers, plaintiffs’ lawyers, and D&O insurers and brokers, and enjoyed the collegiality those discussions involved.

My connection with this broader group of repeat players in securities litigation was the seed of the D&O Discourse blog—my posts are basically the types of discussions I’ve had over the years.  In setting up the blog, I got good advice from mentors:  write with at least one specific person in mind; address issues I care about; and avoid trying to chronicle new developments.  That advice led to the feature of the blog people seem to like the most:  I call it like I see it.  But, to be candid about this too, I get butterflies every time I hit “enter” to send a pointed post out into the insensitive internet.

I’m grateful for the time my colleagues let me spend on the blog; for friends who generously take time to kick around draft posts; and for readers who take time to read what I write—it’s still humbling that so many people care what I have to say.

People sometimes ask me about my favorite posts.  Here is a list of one of my favorite posts from each year of the blog:

Following is an article I wrote for Law360, which gave me permission to republish it here:

Among securities litigators, there is no consensus about the importance of developments in securities and corporate governance litigation.  For some, a Supreme Court decision is always supreme.  For others, a major change in a legal standard is the most critical.  For me, the key developments are those that have the greatest potential to significantly increase or decrease the frequency or severity of claims against public companies and their directors and officers.

Given my way of thinking, there are three developments in 2016 that stand out as noteworthy:

  • The persistence of securities class actions brought against smaller public companies primarily by smaller plaintiffs’ firms on behalf of retail investors—a trend that began five years ago and now appears to represent a fundamental shift in the securities class action landscape.
  • The 2nd Circuit’s robust application of the Supreme Court’s Omnicare decision in Sanofi, illustrating the significant benefits of Omnicare to defendants.
  • The demise of disclosure-only settlements under the Delaware Court of Chancery’s Trulia decision and the 7th Circuit’s subsequent scathing Walgreen opinion by Judge Posner.

I discuss each of these developments in detail, and then list other 2016 developments that I believe are important as well.

1. The Securities Class Action Landscape Has Fundamentally Changed

The Private Securities Litigation Reform Act’s lead plaintiff process incentivized plaintiffs’ firms to recruit institutional investors to serve as plaintiffs.  For the most part, institutional investors, whether smaller unions or large funds, have retained the more prominent plaintiffs’ firms, and smaller plaintiffs’ firms have been left with individual investor clients who usually can’t beat out institutions for the lead-plaintiff role.  At the same time, securities class action economics tightened in all but the largest cases.  Dismissal rates under the Reform Act are pretty high, and defeating a motion to dismiss often requires significant investigative costs and intensive legal work.  And the median settlement amount of cases that survive dismissal motions is fairly low.  These dynamics placed a premium on experience, efficiency, and scale.  Larger firms filed the lion’s share of the cases, and smaller plaintiffs’ firms were unable to compete effectively for the lead plaintiff role, or make much money on their litigation investments.

This started to change with the wave of cases against Chinese companies in 2010.  Smaller plaintiffs’ firms initiated the lion’s share of these cases, as the larger firms were swamped with credit-crisis cases and likely were deterred by the relatively small damages, potentially high discovery costs, and uncertain insurance and company financial resources.  Moreover, these cases fit smaller firms’ capabilities well. Nearly all of the cases had “lawsuit blueprints” such as auditor resignations and/or short-seller reports, thereby reducing the smaller firms’ investigative costs and increasing their likelihood of surviving a motion to dismiss.  The dismissal rate was low, and limited insurance and company resources have prompted early settlements in amounts that, while on the low side, appear to have yielded good outcomes for the smaller plaintiffs’ firms.

The smaller plaintiffs’ firms thus built up momentum that has kept them going, even after the wave of China cases subsided.  For the last several years, following almost every “lawsuit blueprint” announcement, a smaller firm has launched an “investigation” of the company, and they have initiated an increasing number of cases.  Like the China cases, these cases tend to be against smaller companies.  Thus, smaller plaintiffs’ firms have discovered a class of cases—cases against smaller companies that have suffered well-publicized problems (reducing the plaintiffs’ firms’ investigative costs) for which they can win the lead plaintiff role and that they can prosecute at a sufficient profit margin.

As smaller firms have gained further momentum, they have expanded the cases they initiate beyond “lawsuit blueprint” cases—and they continue to initiate and win lead-plaintiff contests primarily in cases against smaller companies brought by retail investors.  To be sure, the larger firms still mostly can and will beat out the smaller firms for the cases they want.  But it increasingly seems clear that the larger firms don’t want to take the lead in initiating many of the cases against smaller companies, and are content to focus on larger cases on behalf of their institutional investor clients.

The securities litigation landscape now clearly consists of a combination of two different types of cases: smaller cases brought by a set of smaller plaintiffs’ firms on behalf of retail investors, and larger cases pursued by the larger plaintiffs’ firms on behalf of institutional investors.  This change—now more than five years old—appears to be here to stay.

In addition to this fundamental shift, two other trends are indicators of further changes to the securities litigation landscape.

First, the smaller plaintiffs’ firms often file cases against U.S. companies in New York City or California—regardless of where the company is headquartered—diverging from the larger plaintiffs’ firms’ practice of filing in the forum of the defendant company’s headquarters.  In addition to inconvenience, filing cases in New York City and California against non-resident companies results in sticker-shock, since defense firms based in those venues are much more expensive than their hometown firms.  The solution to this problem will need to include greater defense of cases in New York City and California by a more economically diverse set of defense firms.

Second, plaintiffs’ firms, large and small, are increasingly rejecting the use of historical settlement values to shape the settlement amounts.  This practice is increasing settlement amounts in individual cases, and will ultimately raise settlement amounts overall.  And it will be increasingly difficult for defendants and their insurers to predict defense costs and settlement amounts, as more mediations fail and litigation proceeds past the point they otherwise would.

2. Sanofi Shows Omnicare’s Benefits

In Tongue v. Sanofi, 816 F.3d 199 (2nd Cir. 2016), the Second Circuit issued the first significant appellate decision interpreting the Supreme Court’s decision in Omnicare, Inc. v. Laborers District Council Construction Industry Pension Fund, 135 S. Ct. 1318 (2015).  Sanofi shows that Omnicare provides powerful tools for defendants to win more motions to dismiss.

As a reminder, the Supreme Court in Omnicare held that a statement of opinion is only false under the federal securities laws if the speaker does not genuinely believe it, and is only misleading if it omits information that, in context, would cause the statement to mislead a reasonable investor.  This ruling followed the path Lane Powell advocated in an amicus brief on behalf of Washington Legal Foundation.

The Court’s ruling in Omnicare was a significant victory for the defense bar for two primary reasons.

First, the Court made clear that an opinion is false only if it was not sincerely believed by the speaker at the time that it was expressed, a concept sometimes referred to as “subjective falsity.”  The Court thus explicitly rejected the possibility that a statement of opinion could be false because “external facts show the opinion to be incorrect,” because a company failed to “disclose[] some fact cutting the other way,” or because the company did not disclose that others disagreed with its opinion.  This ruling resolved two decades’ worth of confusing and conflicting case law regarding what makes a statement of opinion false, which had often permitted meritless securities cases to survive dismissal motions.  Omnicare governs the falsity analysis for all types of challenged statements. Although Omnicare arose from a claim under Section 11 of the Securities Act, all of its core concepts are equally applicable to Section 10(b) of the Securities Exchange Act and other securities laws with similar falsity elements.

Second, Omnicare declared that whether a statement of opinion (and by clear implication, a statement of fact) was misleading “always depends on context.”  The Court emphasized that showing a statement to be misleading is “no small task” for plaintiffs, and that the court must consider not only the full statement being challenged and the context in which it was made, but must also consider other statements made by the company, and other publicly available information, including the customs and practices of the relevant industry.

A good motion to dismiss has always analyzed a challenged statement (of fact or opinion) in its broader factual context to explain why it’s not false or misleading.  But many defense lawyers unfortunately leave out the broader context, and courts have sometimes taken a narrower view.  Now, this type of superior, full-context analysis is clearly required by Omnicare.  And combined with the Supreme Court’s directive in Tellabs that courts consider scienter inferences based not only on the complaint’s allegations, but also on documents on which the complaint relies or that are subject to judicial notice, courts clearly must now consider the full array of probative facts in deciding both whether a statement was false or misleading and, if so, whether it was made with scienter.   

Due to the importance of its holdings and the detailed way in which it explains them, Omnicare is the most significant post-Reform Act Supreme Court case to analyze the falsity element of a securities class-action claim, laying out the core principles of falsity in the same way that the Court did for scienter in Tellabs, Inc. v. Makor Issues & Rights, Ltd., 551 U.S. 308 (2007).  If used correctly, Omnicare thus has the potential to be the most helpful securities case for defendants since Tellabs, providing attorneys with a blueprint for how to structure their falsity arguments in order to defeat more complaints on motions to dismiss.

The early returns show that Omnicare is already helping defendants win more motions to dismiss.  The most significant such decision is Sanofi. In Sanofi, the Second Circuit became the first appeals court to discuss Omnicare in detail, and to examine the changes that it brought about in the previously governing law.  Sanofi was not, as some securities litigation defense lawyers have claimed, a “narrow” reading of the Court’s decision.  Rather, it was a straightforward interpretation of Omnicare that emphasized the Supreme Court’s ruling on falsity, and the intensive contextual analysis required to show that a statement is misleading.  It correctly took these concepts beyond the Section 11 setting and applied them to allegations brought under Section 10(b).

Statements about Lemtrada, a drug in development for treatment of multiple sclerosis, were at issue in the case.  Sanofi and its predecessor had conducted “single-blind” clinical trials for Lemtrada (studies in which either the researcher or the patient does not know which drug was administered), despite the fact that the U.S. Food and Drug Administration had repeatedly expressed concerns about these trials and recommended “double-blind” clinical studies (studies in which both the researcher and the patient do not know which drug was administered).

The plaintiffs alleged that Sanofi’s failure to disclose FDA’s repeated warnings that a single-blind study might not be adequate for approval caused various statements made by the company to be misleading, including its projection that FDA would approve the drug, its expressions of confidence about the anticipated launch date of the drug, and its view that the results of the clinical trials were “unprecedented” and “nothing short of stunning.”  Although FDA eventually approved Lemtrada without further clinical trials, the agency initially refused approval based in large part on the single-blind studies concern, causing a large drop in the price of Sanofi stock.

In an opinion issued before Omnicare, the district court dismissed the claims, in part because it found that plaintiffs had failed to plead that the challenged statements of opinion were subjectively false, under the standard employed by the Second Circuit in Fait v. Regions Financial Corp.  The Second Circuit stated that it saw “no reason to disturb the conclusions of the district court,” but wrote to clarify the impact of Omnicare on prior Second Circuit law.

The court acknowledged that Omnicare affirmed the previous standard that a statement of opinion may be false “if either ‘the speaker did not hold the belief she professed’ or ‘the supporting fact she supplied were untrue.’”  However, it noted that Omnicare went beyond the standard outlined by Fait in holding that “opinions, though sincerely held and otherwise true as a matter of fact, may nonetheless be actionable if the speaker omits information whose omission makes the statement misleading to a reasonable investor.”

In reality, Omnicare did not represent a change in Second Circuit law.  Although Fait only discussed falsity, without considering what it would take to make an opinion “misleading,” prior Second Circuit law had been clear that “[e]ven a statement which is literally true, if susceptible to quite another interpretation by the reasonable investor, may properly be considered a material misrepresentation.”  Kleinman v. Elan Corp., 706 F.3d 145 (2nd Cir. 2013) (citation and internal quotation marks omitted).  Omnicare simply brought together these two lines of authority, by correctly clarifying that, like any other statement, a statement of opinion can be literally true (i.e., actually believed by the speaker), but can nonetheless omit information that can cause it to be misleading to a reasonable investor.

The Second Circuit highlighted the Omnicare Court’s focus on context, taking note of its statement that “an omission that renders misleading a statement of opinion when viewed in a vacuum may not do so once that statement is considered, as is appropriate, in a broader frame.”  Since Sanofi’s offering materials “made numerous caveats to the reliability of the projections,” a reasonable investor would have considered the opinions in light of those qualifications.  Similarly, the Second Circuit recognized that reasonable investors would be aware that Sanofi would be engaging in continuous dialogue with FDA that was not being disclosed, that Sanofi had clearly disclosed that it was conducting single-blind trials for Lemtrada, and that FDA had generally made clear through public statements that it preferred double-blind trials. In this broader context, the court found that Sanofi’s optimistic statements about the future of Lemtrada were not misleading even in the context of Sanofi’s failure to disclose FDA’s specific warnings regarding single-blind trials.

Under the Omnicare standards, the Second Circuit thus found nothing false or misleading about the challenged statements, holding that Omnicare imposes no obligation to disclose facts merely because they tended to undermine the defendants’ optimistic projections.  In particular, the Second Circuit found that “Omnicare does not impose liability merely because an issuer failed to disclose information that ran counter to an opinion expressed in a registration statement.”  It also reasoned that “defendants’ statements about the effectiveness of [the drug] cannot be misleading merely because the FDA disagreed with the conclusion—so long as Defendants conducted a ‘meaningful’ inquiry and in fact held that view, the statements did not mislead in a manner that is actionable.”

3. Companies May Regret the Decline of Disclosure-Only Settlements

In combination with the Delaware Court of Chancery’s decision in In re Trulia, Inc. Stockholder Litigation, 129 A.3d 884 (Del. Ch. 2016), Judge Posner’s blistering opinion in In re Walgreen Company Stockholder Litigation, 2016 WL 4207962 (7th Cir. Aug. 10, 2016), may well close the door on disclosure-only settlements in shareholder challenges to mergers.  That certainly feels just.  And it may well go a long way toward discouraging meritless merger litigation.  But I am concerned that we will regret it.  Lost in the cheering over Trulia and Walgreen is a simple and practical reality: the availability of disclosure-only settlements is in the interests of merging companies as much as it is in the interests of shareholder plaintiffs’ lawyers, because disclosure-only settlements are often the timeliest and most efficient way to resolve shareholder challenges to mergers, even legitimate ones.

I am offended by meritless merger litigation, and have long advocated reforms to fix the system that not only allows it, but encourages and incentivizes it.  Certainly, strict scrutiny of disclosure-only settlements will reduce the number of merger claims—it already has.  Let’s say shareholder challenges to mergers are permanently reduced from 90% to 60% of transactions.  That would be great.  But how do we then resolve the cases that remain?  Unfortunately, there aren’t efficient and generally agreeable alternatives to disclosure-only settlements to dispose of a merger lawsuit before the closing of the challenged transaction.  Of course, the parties can increase the merger price, though that is a difficult proposition.  The parties can also adjust other deal terms, but few merger partners want to alter the deal unless and until the alteration doesn’t actually matter, and settlements based on meaningless deal-structure changes won’t fare better with courts than meaningless disclosure-only settlements.

If the disclosure-only door to resolving merger cases is shut, then more cases will need to be litigated post-close.  That will make settlement more expensive.  Plaintiffs’ lawyers are not going to start to settle for less money, especially when they are forced to litigate for longer and invest more in their cases.  And in contrast to adjustments to the merger transaction or disclosures, in which 100% of the cash goes to lawyers for the “benefit” they provided, settlements based on the payment of cash to the class of plaintiffs require a much larger sum to yield the same amount of money to the plaintiffs’ lawyers.  For example, a $500,000 fee payment to the plaintiffs under a disclosure-only settlement would require around $2 million in a settlement payment to the class to yield the same fee for the plaintiffs’ lawyers, assuming a 25% contingent-fee award.

The increase in the cash outlay required for companies and their insurers to deal with post-close merger litigation will actually be much higher than my example indicates.  Plaintiffs’ lawyers will spend more time on each case, and demand a higher settlement amount to yield a higher plaintiffs’ fee.  Defense costs will skyrocket.  And discovery in post-close cases will inevitably unearth problems that the disclosure-only settlement landscape camouflaged, significantly increasing the severity of many cases.  It is not hard to imagine that merger cases that could have settled for disclosures and a six-figure plaintiffs’ fee will often become an eight-figure mess.  And, beyond these unfortunate economic consequences, the inability to resolve merger litigation quickly and efficiently will increase the burden upon directors and officers by requiring continued service to companies they have sold, as they are forced to produce documents, sit for depositions, and consult with their defense lawyers, while the merger case careens toward trial.

Again, it’s hard to disagree with the logic and sentiment of these decisions, and the result may very well be more just.  But this justice will come with a high practical price tag.

Additional Significant Developments

There were a number of other 2016 developments that I believe may also significantly impact the frequency and severity of securities claims against public companies and their directors and officers.  These include:

  • The ongoing wave of Securities Act cases in state court, especially in California, and the Supreme Court cert petitions in Cyan, Inc. v. Beaver County Employees Retirement Fund, No. 15-1439, and FireEye, Inc., et al., v. Superior Court of California, Santa Clara County, No. 16-744.
  • The lack of a wave of cyber security shareholder litigation, and the conclusion in favor of the defendants in the Target and Home Depot shareholder derivative cases, which follows the dismissal of the Wyndham derivative case in 2014.
  • The challenge to the SEC’s use of administrative proceedings, including Lynn Tilton’s tilt at the process.
  • The Supreme Court’s decision on insider trading in Salman v. U.S., 137 S. Ct. 420 (2016), rejecting the 2nd Circuit’s heightened personal benefit requirement established in U.S. v. Newman, 773 F.3d 438 (2nd Cir. 2014).
  • The persistence and intractability of securities class actions against foreign issuers after Morrison v. National Australia Bank, 561 U.S. 247 (2010).
  • The 8th Circuit’s reversal of class certification under Halliburton II in IBEW Local 98 Pension Fund v. Best Buy Co., 818 F.3d 775, 777 (8th Cir. 2016).
  • The 9th Circuit becoming the first appellate court to hold that Section 304 of Sarbanes-Oxley allows the SEC to seek a clawback of compensation from CEOs and CFOs in the event of a restatement even if it did not result from their misconduct. U.S. Securities & Exchange Commission v. Jensen, 835 F.3d 1100 (2016).
  • The 2nd Circuit’s lengthy and wide-ranging decision in In re Vivendi, S.A. Securities Litigation, 838 F.3d 223 (2nd Cir. 2016), affirming the district court’s partial judgment against Vivendi following trial.

Earlier this month, I spent a week in the birthplace of D&O insurance, London.  In addition to moderating a panel at Advisen’s European Executive Risks Insights Conference, I met with many energetic and talented D&O insurance professionals, both veterans and rising stars, to discuss U.S. securities litigation and regulatory risks.  Themes emerged on some key issues.  What follows is a collection of my impressions and opinions about three of them—not quotes from any particular company or person.

1.  Greater frequency of securities class actions against smaller public companies gives D&O insurers an opportunity to innovate.

As I’ve observed over the past several years, a significant risk to companies is that ever-increasing securities defense fees no longer match the economics of most cases, and are quickly outpacing D&O policy limits.  In the past, securities class actions were initiated by an oligopoly of larger plaintiffs’ firms with significant resources and mostly institutional clients that tended to bring larger cases against larger companies.  But in recent years, smaller plaintiffs’ firms with retail-investor clients have been initiating more cases, primarily against smaller companies. Indeed, in recent years, approximately half of all securities class actions were filed against companies with $750 million or less in market capitalization.  As a result, securities class actions have shrunk in size to a level last seen in 1997.

Yet at the same time, the litigation costs of the typical defense firms (mainly firms with marquee names) have increased exponentially.  This two-decade mismatch—between 1997 securities-litigation economics and present-day law-firm economics—creates the danger that a company’s D&O policy will be insufficient to cover the fees for a vigorous defense and the price to resolve the case.  Indeed, in my view, inadequate policy proceeds due to skyrocketing defense costs is the biggest risk directors and officers face from securities litigation—by far.

D&O insurers face a double-whammy: They are paying defense costs on smaller claims that are out of proportion to the actual risk because the lion’s share of cases against all companies, both large and small, are defended by the typical defense firms.  At the same time, insurers are unable to charge a sufficient premium for this risk, due to the softness of the market.

I strongly believe the solution lies in a more tailored D&O insurance option for smaller public companies.  Today, every public company buys some form of D&O indemnity insurance, which allows the company to choose its own lawyers and control its defense strategy.  Under this approach, securities litigation defense lawyers effectively control the D&O insurance claims process; even the most veteran in-house lawyers are almost always securities litigation rookies.  Is that in the insureds’ interest?  Is the one-size-fits-all D&O insurance model right for smaller public companies, whose insurance proceeds are being disproportionately spent on defense costs?  Is there demand for an optional product that gives insurers greater control, up to and including an optional duty to defend D&O product for smaller companies?

London insurers and brokers are working through these issues. I’m extremely hopeful that there will be innovation for smaller public companies and their directors and officers—insureds who most need the guidance and protection of their insurance professionals.

2.  In the wake of Morrison, greater strategic control is needed to deal with the risk of separate actions around the world.

In Morrison v. National Australia Bank, 561 U.S. 247 (2010), the U.S. Supreme Court held that the U.S. securities laws only apply to “transactions in securities listed on domestic exchanges, and domestic transactions in other securities.”  In the aftermath of the decision, it was widely assumed that the frequency of U.S. securities class actions against foreign issuers would decline.  Yet it has not.  For more background, I refer you to Kevin LaCroix’s September 26, 2016 post in his blog, The D&O Diary.

Despite Morrison, foreign issuers whose securities are traded in the U.S. are still subject to a securities class action with respect to those securities.  To add insult to injury, plaintiffs’ lawyers are also bringing separate actions around the world to recover for losses suffered from securities purchased outside of the U.S.  The result is vastly more expensive claim resolution due to multiple actions around the world, with many lawyers madly working in each jurisdiction, and a greater practical settlement value due to the “let’s just get this over with” dynamic—but with uncertainty about the ability to obtain a worldwide release.  So insurers now face a world in which claims are more severe, and in which the anticipated decline in the number of claims has not materialized.

London insurers and brokers are grappling with how to bring some order to this chaos.  I don’t see an easy fix.  As long as U.S. courts can’t accommodate all claims, worldwide litigation can’t be “won”—it can only be managed and settled as efficiently as possible.  This requires strong strategic control of the overall litigation, both to orchestrate settlements in the most efficient fashion and to avoid lawyers in every jurisdiction doing duplicative and unproductive legal work.

Critically, strong strategic control must be imposed by an independent lawyer—someone who would obviously be paid for his or her time, but who otherwise has no financial interest in the worldwide work.  Independence would give the strategic lawyer freedom from law-firm economics when making decisions about which lawyers should be doing what—and which lawyers should be doing nothing—as well as about when to settle.  In other words, if Dewey Cheatham & Howe is worldwide defense counsel, with multiple offices and dozens of lawyers working on the case, the strategic leader should not be a Dewey Cheatham & Howe lawyer.

But who would play such a role?  Although many companies of course have excellent in-house lawyers, very few have in-house lawyers who formerly were prominent securities litigators.  So should the strategic quarterback be a securities litigator from a firm other than the worldwide defense firm?  Should it be the broker?  Should it be a lawyer for the primary or a low excess carrier?  These are all good possibilities.  And how can this arrangement be put in place before the litigation defense is already beyond control?  Having the discussion is an important first step, and London insurers and brokers are working hard to figure this out.

3.  The danger of a wave of D&O claims relating to cyber security remains real.

One of the foremost uncertainties in securities and corporate governance litigation is the extent to which cyber security will become a significant D&O liability issue.  Although many practitioners and D&O insurers and brokers have been bracing for a wave of cyber security D&O matters, to date there has been only a trickle.  Yet among D&O insurers and brokers in London and elsewhere, there remains a concern that a wave is coming.

I share that concern.  To date, plaintiffs generally haven’t filed cyber security securities class actions because stock prices have not significantly dropped when companies have disclosed breaches.  That is bound to change as the market begins to distinguish companies on the basis of cyber security.  There have been a number of shareholder derivative actions asserting that boards failed to properly oversee their companies’ cyber security.  Those actions will continue, and likely increase, whether or not plaintiffs file cyber security securities class actions, but they will increase exponentially if securities class action filings pick up.

I also worry about SEC enforcement actions concerning cyber security.  The SEC has been struggling to refine its guidance to companies on cyber security disclosure, trying to balance the concern of disclosing too much and thus providing hackers with a roadmap, with the need to disclose enough to allow investors to evaluate companies’ cyber security risk.  But directors and officers should not assume that the SEC will announce new guidance or issue new rules before it begins new enforcement activity in this area.  All it takes to trigger an investigation of a particular company is some information that the company’s disclosures were rendered false or misleading by inadequate cyber security.  And all it takes to trigger broader enforcement activity is a perception that companies are not taking cyber security disclosure seriously.  As in all areas of legal compliance, companies need to be concerned about whistleblowers, including overworked and underpaid IT personnel, lured by the SEC’s whistleblower bounty program, and about auditors, who will soon be asking more frequent and difficult questions about cyber security.

In addition to an increase in frequency, I worry about severity because of the notorious statistics concerning a lack of attention by companies and boards to cyber security oversight and disclosure.  Indeed, the shareholder litigation may well be ugly:  The more directors and officers are on notice about the severity of cyber security problems, and the less action they take while on notice, the easier it will be for plaintiffs to prove their claims.

Cyber security has improved, albeit not enough, in part because of the thought leadership and product development by insurers and brokers. So even if there is never a wave of D&O cyber security matters, the excellent work by insurers and brokers in London and around the world will have been worthwhile.

The Roots of D&O Insurance

London insurers and brokers are also focused on finding the right coverages for entities and individuals in the Yates-memo regulatory environment.  This of course can create tension between entities, who would like their investigation costs covered, and individuals, for whom D&O insurance was created.

I am a D&O insurance fundamentalist—director and officer protection should always be our North Star.  But a company can find the right path to protection of both individuals and the company with good communication between and among the company, its directors and officers, broker, and insurers—both at policy inception and when a claim arises.

It was a privilege to discuss this fundamental D&O insurance question, and many others, with thoughtful D&O insurance professionals who work just down the street from Edward Lloyd’s coffee house.

Because I continue to believe that the advent of significant cyber security shareholder litigation and SEC enforcement is near, I remain committed to helping public companies and their directors, officers, insurers, and brokers understand cyber security oversight and disclosure issues, risks, and defenses.  This spring, I will be discussing these topics at three programs:

Facets of Board Oversight of Cyber Security, National Association of Corporate Directors, Northwest Chapter, Boise, March 16, 2016

2016 Executive Risk Insights Conference, Advisen, Chicago, May 10, 2016

12th Annual D&O Liability Insurance ExecuSummit, Uncasville, CT, May 17-18, 2016

I hope you can attend one of them.

 

Following is an article we wrote for Law360, which gave us permission to republish it here:

The coming year promises to be a pivotal one in the world of securities and corporate governance litigation.  In particular, there are five developing issues we are watching that have the greatest potential to significantly increase or decrease the exposure of public companies and their directors, officers, and insurers.

1.  How Will Lower Courts Apply the Supreme Court’s Decision in Omnicare, Inc. v. Laborers Dist. Council Const. Industry Pension Fund?

If it is correctly understood and applied by defendants and the courts, we believe Omnicare will stand alongside Tellabs, Inc. v. Makor Issues & Rights, Ltd., 551 U.S. 308 (2007), as one of the two most important securities litigation decisions since the Private Securities Litigation Reform Act of 1995.

In Omnicare, 135 S. Ct. 1318 (2015), the Supreme Court held that a statement of opinion is only false if the speaker does not genuinely believe it, and that it is only misleading if – as with any other statement – it omits facts that make it misleading when viewed in its full context.  The Court’s ruling on what is necessary for an opinion to be false establishes a uniform standard that resolves two decades of confusing and conflicting case law, which often resulted in meritless securities cases surviving dismissal motions.  And the Court’s ruling regarding how an opinion may be misleading emphasizes that courts must evaluate the fairness of challenged statements (both opinions and other statements) within a broad factual context, eliminating the short shrift that many courts have given the misleading-statement analysis.

These are tremendous improvements in the law, and should help defendants win more cases involving statements of opinion, not only under Section 11, the statute at issue in Omnicare, but also under Section 10(b), since Omnicare’s holding applies to the “false or misleading statement” element common to both statutes.  The standards the Court set should also add to the Reform Act’s Safe Harbor, and expand the tools that defendants have to defend against challenges to earnings forecasts and other forward-looking statements, which are quintessential opinions.

Indeed, if used correctly, Omnicare should also help defendants gain dismissal of claims brought based on challenged statements of fact, because of its emphasis on the importance of considering the entire context of a statement when determining whether it was misleading.   For example, the Court emphasized that whether a statement is misleading “always depends on context,” so a statement must be understood in its “broader frame,” including “in light of all its surrounding text, including hedges, disclaimers, and apparently conflicting information,” and the “customs and practices of the relevant industry.”

A good motion to dismiss has always analyzed a challenged statement (of fact or opinion) in its broader factual context to explain why it was not misleading.  But many defense lawyers unfortunately choose to leave out this broader context, and as a result of this narrow record, courts sometimes take a narrower view.  With Omnicare, this superior method of analysis is now explicitly required.  This will be a powerful tool, especially when combined with Tellabs’s directive that courts must weigh scienter inferences based not only on the complaint’s allegations, but also on documents on which the complaint relies or that are subject to judicial notice.

Omnicare bolsters the array of weapons available to defendants to effectively defend allegations of falsity, and to set up and support the Safe Harbor defense and arguments against scienter.  Because of its importance, we plan to write a piece critiquing the cases applying Omnicare after its one-year anniversary in March.

2.  Will Courts Continue to Curtail the Use of 10b5-1 Plans as a Way to Undermine Scienter Allegations?

All successful securities fraud complaints must persuade the court that the difference between the challenged statements and the “corrective” disclosure was the result of fraud, and not due to a business reversal or some other non-fraudulent cause.  Because few securities class action complaints contain direct evidence of fraud, such as specific information that a speaker knew his statements were false, most successful complaints include allegations that the defendants somehow profited from the alleged fraud, such as through unusual and suspicious stock sales.

Thus, stock-sale allegations are a key battleground in most securities actions.  An important defensive tactic has been to point out that the challenged stock sales were made under stock-sale plans under SEC Rule 10b5-1, which provides an affirmative defense to insider-trading claims, if the plan was established in good faith at a time when the insider was unaware of material non-public information.  Although Rule 10b5-1 is designed to be an affirmative defense in insider-trading cases, securities class action defendants also use it to undermine stock-sale allegations, if the plan has been publicly disclosed and is thus subject to judicial notice, since it shows that the defendant did not have control over the allegedly unusual and suspicious stock sales.

Plaintiffs’ argument in response to a 10b5-1 plan defense has always been that any plan adopted during the class period is just a large insider sale designed to take advantage of the artificial inflation in the stock price.  Plaintiffs claim that by definition, the class period is a time during which the defendants had material nonpublic information – although they often manipulate the class period in order to encompass stock sales and the establishment of 10b5-1 plans.

There have been surprisingly few key court decisions on this pivotal issue, but on July 24, 2015, the Second Circuit held that “[w]hen executives enter into a trading plan during the Class Period and the Complaint sufficiently alleges that the purpose of the plan was to take advantage of an inflated stock price, the plan provides no defense to scienter allegations.” Employees’ Ret. Sys. of Gov’t of the Virgin Islands v. Blanford, 794 F.3d 297, 309 (2d Cir. 2015).

Plaintiffs’ ability to plead scienter will take a huge step forward if Blanford, decided by an important appellate court, starts a wave of similar holdings in other circuits.

3.  Will Delaware’s Endorsement of Forum Selection Bylaws and Rejection of Disclosure-Only Settlements Reduce Shareholder Challenges to Mergers?

For the past several years, there has been great focus on amending corporate bylaws to try to corral and curtail shareholder corporate-governance claims, principally shareholder challenges to mergers.  Meritless merger litigation is indeed a big problem.  It is a slap in the face to careful directors who have worked hard to understand and approve a merger, and to CEOs who have worked long hours to find and negotiate a transaction that is in the shareholders’ best interests.  It is cold comfort to know that nearly all mergers draw shareholder litigation, and that nearly all of those cases will settle before the transaction closes without any payment by the directors or officers personally.  It is proof that the system is broken when it routinely allows meritless suits to result in significant recoveries for plaintiffs’ lawyers, with virtually nothing gained by companies or their shareholders.

In 2015, the Delaware legislature and courts took significant steps to curb meritless merger litigation.

First, the legislature added new Section 115 to the Delaware General Corporation Law (“DGCL”), which provides:

The certificate of incorporation or the bylaws may require, consistent with applicable jurisdictional requirements, that any or all internal corporate claims shall be brought solely and exclusively in any or all of the courts in this State.

This provision essentially codified the holding in Boilermakers Local 154 Ret. Fund v. Chevron Corp., 73 A.3d 934 (Del. Ch. 2013), in which the Delaware Court of Chancery upheld the validity of bylaws requiring that corporate governance litigation be brought only in Delaware state and federal courts.  The Delaware legislature also amended the DGCL to ban bylaws that purport to shift fees.  In new subsection (f) to Section 102, the certificate of incorporation “may not contain any provision that would impose liability on a stockholder for the attorneys’ fees or expenses of the corporation or any other party in connection with an internal corporate claim.” See also DGCL Section 109(b) (similar).

Second, in a series of decisions in 2015, the Delaware Court of Chancery rejected or criticized so-called disclosure-only settlements, under which the target company supplements its proxy-statement disclosures in exchange for a payment to the plaintiffs’ lawyers.  See Acevedo v. Aeroflex Holding Corp., et al., C.A. No. 7930-VCL (Del. Ch. July 8, 2015) (TRANSCRIPT) (rejecting disclosure-only settlement); In re Aruba Networks S’holder Litig., C.A. No. 10765-VCL (Del. Ch. Oct. 9, 2015) (TRANSCRIPT) (same); In re Riverbed Tech., Inc., S’holder Litig., 2015 WL 5458041, C.A. No. 10484-VCG (Del. Ch. Sept. 17, 2015) (approving disclosure-only settlement with broad release, but suggesting that approval of such settlements “will be diminished or eliminated going forward”); In re Intermune, Inc., S’holder Litig., C.A. No. 10086–VCN (Del. Ch. July 8, 2015) (TRANSCRIPT) (noting concern regarding global release in disclosure-only settlement).

We will be closely watching the impact of these developments, with the hope that they will deter plaintiffs from reflexively filing meritless merger cases.  Delaware exclusive-forum bylaws will force plaintiffs to face the scrutiny of Delaware courts, and the Court of Chancery has indicated that it may no longer allow an easy exit from these cases through a disclosure-only settlement.  And with cases in a single forum, defendants will now be able to coordinate them for early motions to dismiss.  Thus, the number of mergers subject to a shareholder lawsuit should decline – and the early returns suggest that this may already be happening.

Yet defendants should brace for negative consequences.  Plaintiffs’ lawyers will doubtless bring more cases outside of Delaware against non-Delaware corporations, or against companies that haven’t adopted a Delaware exclusive-forum bylaw.  And within Delaware, plaintiffs’ lawyers will tend to bring more meritorious cases that present greater risk, exposure, and stigma – and while Delaware is a defendant-friendly forum for good transactions, it is a decidedly unfriendly one for bad ones.  If disclosure-only settlements are no longer allowed, defendants will no longer have the option of escaping these cases easily and cheaply.  This means that those cases that are filed will doubtless require more expensive litigation, and result in more significant settlements and judgments.  Thus, although the current system is undoubtedly badly flawed, many companies may well look back on the days of this broken system with nostalgia, and conclude that they were better off before it was “fixed.”

4.  Will Item 303 Claims Make a Difference in Securities Class Actions?

The key liability provisions of the federal securities laws, Section 10(b) of the Securities Exchange Act of 1934 and Section 11 of the Securities Act of 1933, both require that plaintiffs establish a false statement, or a statement that is rendered misleading by the omission of facts.  Over the last several years, plaintiffs’ lawyers have increasingly tried to bypass this element by asserting claims for pure omissions, detached from any challenged statement.

Plaintiffs base these claims on Item 303 of SEC Regulation S-K, which requires companies to provide a “management’s discussion and analysis” (MD&A) of the company’s “financial condition, changes in financial condition and results of operations.”  Item 303(a)(3)(ii) indicates that the MD&A must include a description of “any known trends or uncertainties that have had or that the [company] reasonably expects will have a material … unfavorable impact on net sales or revenues or income from continuing operations.”

Both Section 10(b) and Section 11 prohibit a false statement or omission of a fact that causes a statement to be misleading, while Section 11 also allows a claim based on an issuer’s failure to disclose “a material fact required to be stated” in a registration statement. 15 U.S.C. § 77k(a) (emphasis added).  Item 303 is one regulation that lists such “material fact(s) required to be stated.”  Panther Partners Inc. v. Ikanos Communications, Inc., 681 F.3d 114, 120 (2d Cir. 2012).  Based on this unique statutory language, Section 11 claims thus appropriately can include claims based on Item 303.

Last year, in Stratte-McClure v. Morgan Stanley, 776 F.3d 94 (2d Cir. 2015), the Second Circuit held that Item 303 also imposes a duty to disclose for purposes of Section 10(b), meaning that the omission of information required by Item 303 can provide the basis for a Section 10(b) claim.  This ruling is at odds with the Ninth Circuit’s opinion in In re NVIDIA Corp. Securities Litigation, 768 F.3d 1046 (9th Cir. 2014), in which the court held that Item 303 does not establish such a duty.  The U.S. Supreme Court declined a cert petition in NVIDIA.

Claims based on Item 303 seem innocuous enough, and even against plaintiffs’ interest. Plaintiffs face a high hurdle in showing that information was wrongfully excluded under Item 303, since they must show that a company actually knew:  (1) the facts underlying the trend or uncertainty, (2) those known facts yield a trend or uncertainty, and (3) the trend or uncertainty will have a negative and material impact.  In virtually all cases, these sorts of omitted facts would also render one or more of defendants’ affirmative statements misleading, and thus be subject to challenge regardless.  Moreover, in Section 11 cases, Item 303 injects knowledge and causation requirements in a statute that normally doesn’t require scienter and only includes causation as an affirmative defense.

Why, then, have plaintiffs’ counsel pushed Item 303 claims so hard?  We believe they’ve done so to combat the cardinal rule that silence, absent a duty to disclose, is not misleading.  Companies omit thousands of facts every time they speak, and it is relatively easy for a plaintiff to identify omitted facts – but much more difficult to explain how those omissions rendered an affirmative statement misleading.  Plaintiffs likely initially saw these claims as a way to maintain class actions in the event the Supreme Court overruled Basic v. Levinson as a result of attacks in the Amgen and Halliburton cases.  And even though the Supreme Court declined to overrule Basic in Halliburton II, the Court’s price-impact rule presents problems for plaintiffs in some cases.  As a result, plaintiffs may believe it is in their strategic interests to assert Item 303 claims, which plaintiffs have contended fall under the Affiliated Ute presumption of reliance, rather than under Basic.

But whatever plaintiffs’ rationale, Item 303 is largely a red herring.  Although it shouldn’t matter to securities litigation, it will matter, as long as plaintiffs continue to bring such claims.  And they probably will continue to bring them, given the current strategic considerations, and the legal footing they have been given by key appellate rulings in Panther Partners and Stratte-McClure.  Defense attorneys will have to pay close attention to these trends and mount sophisticated defenses to these claims, to ensure that Item 303 claims do not take on a life of their own.

5.  Cyber Security Securities and Derivative Litigation: Will There Be a Wave or Trickle?

One of the foremost uncertainties in securities and corporate governance litigation is the extent to which cyber security will become a significant D&O liability issue.  Although many practitioners have been bracing for a wave of cyber security D&O matters, to date there has been only a trickle.

We remain convinced that a wave is coming, perhaps a tidal wave, and that it will include not just derivative litigation, but securities class actions and SEC enforcement matters as well.  To date, plaintiffs generally haven’t filed cyber security securities class actions because stock prices have not significantly dropped when companies have disclosed breaches.  That is bound to change as the market begins to distinguish companies on the basis of cyber security.  There have been a number of shareholder derivative actions asserting that boards failed to properly oversee their companies’ cyber security.  Those actions will continue, and likely increase, whether or not plaintiffs file cyber security securities class actions, but they will increase exponentially if securities class action filings pick up.

While the frequency of cyber security shareholder litigation will inevitably increase, we are more worried about its severity, because of the notorious statistics concerning a lack of attention by companies and boards to cyber security oversight and disclosure.  Indeed, the shareholder litigation may well be ugly:  The more directors and officers are on notice about the severity of cyber security problems, and the less action they take while on notice, the easier it will be for plaintiffs to prove their claims.

We also worry about SEC enforcement actions concerning cyber security.  The SEC has been struggling to refine its guidance to companies on cyber security disclosure, trying to balance the concern of disclosing too much and thus providing hackers with a roadmap, with the need to disclose enough to allow investors to evaluate companies’ cyber security risk.  But directors and officers should not assume that the SEC will announce new guidance or issue new rules before it begins new enforcement activity in this area.  All it takes to trigger an investigation of a particular company is some information that the company’s disclosures were rendered false or misleading by inadequate cyber security.  And all it takes to trigger broader enforcement activity is a perception that companies are not taking cyber security disclosure seriously.  As in all areas of legal compliance, companies need to be concerned about whistleblowers, including overworked and underpaid IT personnel, lured by the SEC’s whistleblower bounty program, and about auditors, who will soon be asking more frequent and difficult questions about cyber security.

Conclusion

Of course, there are a number of other important issues that deserve to be on watch lists.  But given the line we’ve drawn – issues that will cause the most volatility in securities litigation liability exposure – we regard the issues we’ve discussed as the top five.

And the top one – whether lower courts will properly apply Omnicare – is a rare game-changer.  If defense counsel understands and uses Omnicare correctly, and if lower courts apply it as the Supreme Court intended, securities litigation decisions will be based on reality, and therefore far fairer and more just.  But if either defense counsel or lower courts get it wrong, companies and their directors and officers will suffer outcomes that are less predictable, more arbitrary, and often wrong.

Over the past three years, I’ve been outspoken about the need for better board oversight of cyber security, as well as the need for better cyber security disclosure.  The severity of the cyber threat is so significant to companies, as well as to the nation’s economy and security, that boards have no choice but to pay attention.  Indeed, I can easily envision a world where, as a practical matter, directors face a heightened risk of personal liability for cyber-security problems.  And over the past several years, there has developed an army of talented IT, legal, and insurance professionals ready to help boards manage this threat, and there are some very proactive, outspoken, and conscientious directors who are trying to lead the way.

Yet surveys still say that, on the whole, directors aren’t sufficiently engaged, and companies aren’t providing directors with sufficient information and support.

How in the world could that be so?

Below, I examine two of the underlying problems, and provide solutions: (1) a suite of problems that I call “cyber freak-out,” and (2) an odd lack of concern about director liability.

Cyber Freak-Out

The average corporate director was 47 years old when Amazon became a public company.  Although that was also almost 20 years ago, and most people who serve on boards have grown comfortable with computers and the basics of technology, there is nevertheless a fundamental sense of discomfort with discussion around the IT aspects of cyber security.

This discomfort yields a suite of problems that I diagnose collectively as “cyber freak-out.”  Cyber freak-out includes one or more of the following stated or unstated excuses for not tackling cyber security issues:

  • Excuse: The audit committee handles risks, so that’s the right group to handle cyber security.
    • Reality: Cyber security is an enterprise risk that the full board needs to understand and decide how to manage – even if it is ultimately given to a committee.  And the audit committee has too much work already.
  • Excuse: Being hacked is inevitable, so we can’t do much about it.
    • Reality: Cyber security oversight isn’t just about preventing attacks – it’s also about deciding what assets to protect and how to respond to a breach, among other issues.
  • Excuse: Cyber security is an IT issue, and the IT folks have told us for years that we’re safe.
    • Reality: The world of cyber security poses higher risks now, and it’s incumbent upon the board to ask hard questions of the IT department.  There are outside consultants galore who can give the board an independent evaluation. And cyber security is not just an IT issue.  Most cyber attacks can be prevented through employee education – which presents issues of employee training and corporate culture, which even a Luddite director can help shape.
  • And there are several more things few people say out loud, but I fear that too many think:
    • Excuse: We should have been on top of this earlier, so engaging in a full-scale program of cyber security readiness will make us look bad.
    • Excuse: I don’t want to ask a dumb question, and don’t think I can ask a smart one.
    • Excuse: If I wait long enough, one of my fellow directors will get up to speed and lead us through what we need to do.

Reality: The absurdity of these excuses speaks for itself.

Another common mistake is to assume that cyber attacks are limited to companies with personal information, like credit card numbers or health information.  That is wrong:  Any company with valuable assets – including trade secrets – is and will be a target.  The reason that companies with personal information grab the headlines is that their breaches have become public because of breach-notification laws.  Companies that aren’t subject to breach-notification laws rarely disclose cyber breaches.  One of the country’s leading cyber-security lawyers to public companies said at the SEC’s Cybersecurity Roundtable in March 2014 – in the presence of SEC Chair White and Commissioners Aguilar (who gave an important speech in June 2014 on board oversight of cyber security), Gallagher, Piwowar, and Stein:

I would say that I really can’t think of a case – and we’ve worked a lot –  where the disclosure thinking or analysis was driven by the securities law issues, frankly.

Basically there are other state laws, other situations that are going to create a disclosure obligation, and that’s what drives it. And I think just to be someone speaking from the trenches in terms of the reality of what really happens, there is a tremendous disincentive to disclose a breach.

I believe that the well-known cyber breaches are the very tip of the iceberg, and the much larger cyber security problem is, and will be, beneath the surface until companies start disclosing cyber security issues because of their yet-unenforced federal securities law obligations.  A company whose IP has been stolen, or whose business has been interrupted, faces various disclosure issues.   The issue isn’t just whether a breach is material.  It’s much broader: a cyber security breach could make any number of statements misleading, including financial statements, earnings guidance, statements about internal controls, and statements about the status and prospects of the business operations.  Yet most directors seem to believe that cyber security is just a problem for banks, retailers, and health-care providers and insurers.  That’s just not so.

The problem with cyber freak-out is that it undercuts directors’ main defenses to shareholder claims of breach of fiduciary duty.  There are two main claims for breach of fiduciary duty in this area:

The first type of claim is for a failure to act, or a failure to engage in appropriate oversight, under a standard articulated in a leading case called Caremark.  The court in Caremark branded the claim “possibly the most difficult theory in corporation law upon which a plaintiff might hope to win a judgment.”  To be liable for a failure of oversight – a type of breach of the duty of loyalty – a director must fail to establish any system for detecting problems, or if a system exists, must deliberately fail to monitor it or follow up on red flags.  Thus, the only way a director can be liable for a failure of oversight is to not even try – or in the cyber security context, to be paralyzed by cyber freak-out.

In contrast to a claim for inaction, the second type of claim is based on director action.  Such claims are governed by the business judgment rule, which protects from second-guessing a decision made by informed and disinterested directors.  A shareholder can overcome the presumption, however, if the challenged decision was not informed.  Cyber freak-out can result in challenged cyber-security decisions being insufficiently informed, and thus outside the protection of the business judgment rule.

Thus, directors will not be liable if they in fact oversee cyber security, and make decisions about cyber security based on adequate information. Boards need to just pay attention and start somewhere – there’s no secret sauce, and perfection isn’t required.  There’s no cyber-security intelligence test.  An inquisitive director can do a good job overseeing cyber security without even being a computer user.

Director Liability

On the one hand, diligent directors don’t face real risk of liability for cyber security oversight.  On the other hand, I believe the fear of director and officer liability needs to increase before directors and officers and their companies sufficiently tune up their cyber security oversight and disclosures.

Although I don’t wish a lawsuit on anyone, much less actual liability, I think some jarring liability event is necessary: Just as Bill Lerach, Mel Weiss, and other prominent securities class action plaintiffs’ lawyers have greatly improved the quality of corporate disclosure, and corporate-law decisions like Smith v. Van Gorkom have improved board decision-making processes, so too would a cyber-security liability jolt improve cyber-security oversight and disclosure.  But at the moment, directors and officers observe that stocks generally haven’t dropped enough to trigger securities class actions, and the handful of shareholder derivative cases haven’t been virulent.  And the shareholder derivative litigation dismissal in Wyndham, while great for Wyndham’s directors, probably set cyber security oversight back.  The Wyndham decision, resting on the board’s post-breach process in deciding to reject a shareholder demand on the board, was virtually meaningless in its impact on the law governing board oversight of cyber security.

But securities and corporate governance litigation involving cyber security problems is indeed coming.  And it may be ugly.  The more directors and officers are on notice about the severity of cyber security problems, and the less action they take while on notice, the easier it will be for plaintiffs to prove their claims.  We not only could see a sharp uptick in the number of claims, but they could be quite difficult for directors and officers to defend, until cyber security oversight and disclosure improve.  I worry about this dynamic a lot.

I also worry about SEC enforcement concerning cyber security. The SEC has been struggling to refine its guidance to companies on cyber security disclosure, trying to balance the concern of disclosing too much and thus providing hackers with a roadmap, with the need to disclose enough to allow investors to evaluate companies’ cyber security risk.  But directors and officers shouldn’t think the SEC is going to announce new guidance or make new rules before it begins enforcement activity around cyber security disclosures.  All it takes to trigger an investigation of a particular company is some information that the company’s disclosures are rendered false or misleading by inadequate cyber security.  And all it takes to trigger broader enforcement activity by the staff is a perception that companies aren’t taking cyber security disclosure seriously.  That may or may not be preceded by further cyber security disclosure guidance.  And companies need to be concerned about whistleblowers, including over-worked and under-paid IT personnel, lured by the SEC’s whistleblower bounty program, and about auditors, who will soon be asking more frequent and difficult questions about cyber security.

Conclusion

Greater cyber security oversight, and better corporate disclosure, are inevitable.  I hope that they happen naturally, as the result of good counseling by the advisors who are ready and able to help, rather than only developing after we are hit by the inevitable wave of shareholder litigation and SEC investigations and enforcement actions.

There are several bits of D&O Discourse news to share:

1.  I hope that you can attend conferences at which I’m speaking this fall:

  • I am co-chairing ACI’s D&O Liability Forum in New York City on September 17-18, and moderating a panel discussing significant securities litigation developments.  Readers of D&O Discourse can receive a discount off the current price.  Please email me: greened@lanepowell.com.
  • I am co-chairing and speaking on a panel discussing board oversight of cybersecurity at a meeting of the National Association of Corporate Directors, Northwest Chapter, in Seattle on October 20, 2015.

2.  The ABA is accepting nominations for the list of the Top 100 Law Blogs.  If you are so inclined, I’d be grateful for your nomination of D&O Discourse. Nominations are due by the end of the day on August 16.  Here is the link to the nomination page.  Thank you.

3.  We continue to try to make D&O Discourse as useful as possible.  We now have three features:

  • The D&O Discourse blog itself:  In the blog, we provide opinion about key issues in the law and practice of securities and corporate governance litigation and SEC enforcement.  We write an opinion-based piece roughly monthly.
  • Twitter:  Because the D&O Discourse blog doesn’t attempt to chronicle current events, we started a Twitter feed to identify current developments that we think would be most important to our readers.  You can follow us by reading our Twitter feed on the left-hand side of the D&O Discourse blog, or on Twitter, @DandODiscourse.
  • LinkedIn:  We recently set up a special LinkedIn page, where we publish thoughts that are too long for Twitter but too short for a blog post.  Here is an example:

“In writing my 2014 year-in-review piece, it occurred to me that the judicial environment for securities and corporate governance litigation seems about as neutral as it has been in a long time. We’ve seen streaks of decisions that feel pro-plaintiff or pro-defendant, driven in part by judicial skepticism caused by the waves of corporate scandals since Enron and WorldCom. But over the past year or so, the decisions feel pretty even. The 2nd Circuit / 9th Circuit split over whether omission of matters covered by Item 303 of S-K can be actionable epitomizes the current judicial environment.”

Here is a link to our LinkedIn page.  Please click “Follow” to receive updates in your LinkedIn feed.

4.  In the upcoming issue of the PLUS Journal, my partner Claire Davis and I are publishing an article about the importance of the U.S. Supreme Court’s decision in Omnicare, based on one of our D&O Discourse blog posts.  As our readers know, Claire and I wrote an amicus brief that shaped the Supreme Court’s Omnicare opinion.

We hope you enjoy the rest of your summer.

In the world of securities and corporate governance litigation, we are always in the middle of a reform discussion of some variety.  For the past several years, there has been great focus on amendment of corporate bylaws to corral and curtail shareholder corporate-governance claims, principally shareholder challenges to mergers.*  Meritless merger litigation is indeed a big problem.  It is a slap in the face to careful directors who have worked hard to understand and approve a merger, or to CEOs who have spent many months or years working long hours to locate and negotiate a transaction in the shareholders’ best interest.  It is cold comfort to know that nearly all mergers draw shareholder litigation, and that nearly all of those cases will settle before the transaction closes without any payment by the directors or officers personally.  And we know the system is broken when it routinely allows meritless suits to result in significant recoveries for plaintiffs’ lawyers, with virtually nothing gained by companies or their shareholders.

There are three main solutions afoot, at different stages of maturity, involving amendments to corporate bylaws to require that: (1) there be an exclusive forum, chiefly Delaware, for shareholder litigation; (2) a losing shareholder pay for the litigation defense costs; and (3) a shareholder hold a minimum amount of stock to have standing to sue.  I refer readers to the blogs published by Kevin LaCroix, Alison Frankel, and Francis Pileggi for good discussions of these types of bylaws.  The purpose of this blog post is not to specifically chronicle each initiative, but to caution that they will cause unintended consequences that will leave us with a different set of problems than the ones they solved.

Exclusive-forum bylaws offer the most targeted solution, albeit with some negative consequences.

Exclusive-forum bylaws best address the fundamental problem with merger litigation: the inability to coordinate cases for an effective motion to dismiss before the plaintiffs and defendants must begin negotiations to achieve settlement before the merger closes.  Although the merger-litigation problem is virtually always framed in terms of the oppressive cost and hassle of multi-forum litigation, good defense counsel can usually manage the cost and logistics.  Instead, the bigger problem, and the problem that causes meritless merger litigation to exist, is the inability to obtain dismissals.  This is primarily so because actions filed in multiple forums can’t all be subjected to a timely motion to dismiss, and a dismissal in one forum that can’t timely be used in another forum is a hollow victory.  Exclusive litigation in Delaware for Delaware corporations is preferable, because of Delaware’s greater experience with merger litigation and likely willingness to weed out meritless cases at a higher rate.  But the key to eradicating meritless merger litigation is consolidation in some single forum, and not every Delaware corporation wishes to litigate in Delaware.

The closest historical analogy to such bylaws is the Securities Litigation Uniform Standards Act’s provision requiring that covered class actions be brought in federal court and litigated under federal law to ensure that the least meritorious cases are weeded out early, as Congress intended through the Reform Act.  The Reform Act’s emphasis on early dismissal of cases that lack merit has been its best feature, and requiring litigation in federal court helped achieve it.

So too would litigation in an exclusive forum, because it would yield a more meaningful motion to dismiss process, which would weed out less-meritorious cases early, which in turn would deter plaintiffs’ lawyers from bringing as many meritless cases.  The solution is that simple.  There will be consequences, though.  Plaintiffs’ lawyers, of course, will tend to bring more meritorious cases that present greater risk, exposure, and stigma, and will bring more in Delaware, which is a defendant-friendly forum for good transactions but a decidedly unfriendly one for bad transactions.  So while it certainly isn’t good that there are shareholder challenges to 95% of all mergers, the current system reduces the stigma of being sued and tends to result in fairly easy and cheap resolutions.  In contrast, cases that focus on the worst deals and target defendants that the plaintiffs’ lawyers regard as the biggest offenders will require more expensive litigation and significant settlements and judgments.

Fee-shifting and minimum-stake bylaws are overly broad and will cause a different set of problems.

So exclusive-forum bylaws attack the merger-litigation problem in a focused and effective fashion, albeit with downside risk.  In contrast, fee-shifting bylaws and minimum-stake bylaws attack the merger-litigation problem, but do so in an overly broad fashion, and will cause significant adverse consequences.

Fee-shifting bylaws, of course, attempt to curtail the number of cases by forcing plaintiffs who bring bad cases to pay defendants’ fees.  I find troubling the problem of deterring plaintiffs’ lawyers from bringing meritorious cases as well, since many plaintiffs’ lawyers would be very conservative and thus refuse to bring any case that might not succeed, even if strong.  That concern probably will cause the downfall of fee-shifting bylaws in Delaware, where the Senate just passed a bill that would outlaw fee-shifting bylaws, and the issue now goes to the Delaware House.  (The same bill authorizes bylaws designating Delaware as the exclusive forum for shareholder litigation.)  But to me, the bigger problem is an inevitable new category of super-virulent cases, involving tremendous reputational harm (e.g. the plaintiffs’ firm decided to risk paying tens of millions of dollars in defense fees because they decided those defendants are that guilty) and intractable litigation that quite often would head to trial – at great cost not just financially, but to the law as well because it is indeed true that bad facts make bad law.

The Reform Act’s pleading standards have created analogous negative consequences, but much less severe and costly.  The pleading standards (and the Rule 11 provision) weed out bad cases early on, but almost never is there a financial penalty to a plaintiff for bringing a bad case.  Instead, the bigger plaintiffs’ firms have tended to be more selective in the cases they bring, which has yielded a pretty good system overall – even though they sometimes still bring meritless cases, and meritless cases sometimes get past motions to dismiss.  The bigger and still-unsolved problem with pleading standards is the overly zealous and necessarily imperfect confidential-witness investigations they cause, to attempt to satisfy the statute’s elevated pleading requirements.  The fee-shifting bylaws would occasion those sorts of problems as well, in addition to the virulent-case problem I’ve described.

Fee-shifting bylaws advocates’ push for ultra-meritorious lawsuits strikes me as an extreme case of “be careful what you wish for.”  But it brings to mind a more mainstream situation that has worried me for many years: aggressive arguments in demand motions for pre-litigation board demands and shareholder inspections of books and records.  In arguing that a shareholder derivative lawsuit should be dismissed for failure to make a demand on the board, defendants have long asserted that a shareholder failed to even ask the company for records under Section 220 of the Delaware General Corporation Law or similar state laws, to attempt to investigate the corporate claims he or she is pressing.  Delaware courts, in turn, have chastised shareholders for failing to utilize 220, though thus far have stopped short of requiring it.  Likewise, defendants, sometimes with great disdain, have criticized shareholders for not making a pre-suit demand on the board.

Although these are correct and appropriate litigation arguments, I have observed that, over time, they have succeeded in spawning more 220 inspection demands and pre-suit demands on boards, which over time will create more costly and virulent derivative cases than plain vanilla demand-excused cases brought without the aid of books and records.  The solution is to just get those highly dismiss-able cases dismissed, without trying to shame the derivative plaintiffs into making a 220 or demand on the board next time.

Minimum-stake bylaws are problematic as well.  They have as their premise that shareholders with some “skin in the game” will evaluate cases better, and will help prevent lawyer-driven litigation.  Like fee-shifting bylaws, they will prevent shareholders from bringing meritless lawsuits, and likewise tend to yield more expensive and difficult cases to defend and resolve.  But they also will create a more difficult type of plaintiff to deal with, much the same way as the Reform Act’s lead-plaintiff provisions have created a class of plaintiffs that sometimes make us yearn for the days when the plaintiffs’ lawyers had more control.  More invested plaintiffs increase litigation cost, duration, and difficulty, and increase the caliber and intensity of plaintiffs’ lawyering.

And I have no doubt that, despite the bylaws, smaller shareholders and plaintiffs’ firms will find a way back into the action, much as we’re seeing recently with retail investors and smaller plaintiffs’ firms bringing more and smaller securities class actions that institutional investors and the larger plaintiffs’ firms with institutional-investor clients don’t find worth their time and money to bring.  So with securities class actions, I think a two-headed monster is emerging: a relatively small group of larger and virulent cases, and a growing group of smaller cases.  That, too, likely would happen, somehow, with minimum-stake bylaws.

What’s the harm with taking a shot at as many fixes as possible?

Even if someone could see the big picture well enough to judge that these problems aren’t sufficient to outweigh the benefits of fee-shifting and minimum-stake bylaws, I would still hesitate to advocate their widespread adoption, because governments and shareholder advocacy groups would step in to regulate under-regulation caused by reduced shareholder litigation.  That would create an uncertain governance environment, and quite probably a worse one for companies.  Fear of an inferior alternative was my basic concern about the prospect that the Supreme Court in Halliburton Co. v. Erica P. John Fund, Inc. would overrule Basic v. Levinson and effectively abolish securities class actions.

Beyond the concern about an inferior replacement system, I worry about doing away with the benefits shareholders and plaintiffs’ lawyers provide, albeit at a cost.  Shareholders and plaintiffs’ lawyers are mostly-rational economic actors who play key roles in our system of disclosure and governance; the threat of liability, or even the hassle of being sued, promotes good disclosure and governance decisions.  Even notorious officer and director liability decisions, such as the landmark 1985 Delaware Supreme Court decision in Smith v. Van Gorkom, are unfortunate for the defendants involved but do improve governance and disclosure.

One final thought.  Shareholder litigation’s positive impact on governance and disclosure makes me wonder: will the quality of board oversight of cybersecurity, and corporate disclosure of cybersecurity issues, improve without the shock of a significant litigation development?

 

* Although indiscriminate merger litigation is the primary target of bylaw amendments, other types of securities and corporate-governance lawsuits, such as securities class actions and non-merger derivative litigation, are sometimes part of the discussion.  Those types of cases, however, do not pose the same problems as merger litigation.  And it is doubtful whether a company’s bylaws could regulate securities class actions, which are not an intra-corporate dispute between a current shareholder and the company, but instead direct class-period claims brought by purchasers or sellers, who do not need to be, and often are not, current shareholders.

One of the foremost uncertainties in securities and corporate governance litigation is the extent to which cybersecurity will become a significant D&O liability issue. Although many D&O practitioners have been bracing for a wave of cybersecurity D&O matters, to date there has been only a trickle. Some have come to believe that at most, there will be a surge of derivative litigation, due to the lack of significant and sustained stock drops on the announcement of even large cybersecurity breaches.

Yet I remain convinced that a wave is coming, perhaps a tidal wave, and it will include not just derivative litigation, but securities class actions and SEC enforcement matters as well. In this post, I will focus on securities class actions, since that is where most of the uncertainty lies, including the question I begged in my previous post on cybersecurity securities class actions: what will trigger securities class actions when, to date, even the largest breaches haven’t caused significant and sustained stock-price drops?   Unlike shareholder derivative actions, which do not require a significant stock drop, securities class actions require misrepresentations to cause loss to stock purchasers – loss that materializes upon the disclosure of bad news that causes the stock to drop. Thus, the advent of cybersecurity securities class actions will not occur unless stock prices begin to drop.

So why do I think stock prices will drop? It’s easiest to start to answer that question by thinking about why stock prices generally haven’t dropped to date. I’m not an economist, of course, but I’ve discussed this issue with some and have read and thought about it a lot. I believe that stock prices generally haven’t dropped significantly because the market believes that all companies are susceptible to a cyber-attack, and it’s basically random and unlucky when a company suffers one – it’s Company A this week and Company B next week, and so on. So a breach isn’t fundamental to the company’s business and doesn’t portend future negative financial consequences. That means that the market assesses the cost of the breach as the cost of remedying it through consumer notices, litigation defense and the like – which involves great but manageable and predictable cost, and does not view the breach as a fundamental or long-term problem.

That dynamic is bound to change, for several reasons. First, many companies have improved their cybersecurity and cybersecurity oversight significantly over the past few years. Those that are leaders will begin to tout their leadership, and criticize competitors who have had or may have problems. Cybersecurity thus will become a competitive issue, and the market will begin to pick winners and losers instead of regarding a company that suffered a breach as simply unlucky.

Second, as companies begin to tout their cybersecurity for competitive reasons, they will do so through statements that will be susceptible to challenge as false or misleading if they suffer a breach. The most difficult statements to defend in securities class actions often are those based on business braggadocio, and I think cybersecurity statements ultimately will be no different. In terms of stock price impact, such statements will bake strong cybersecurity into companies’ stock prices, leading to disappointment and thus stock drops when a seemingly strong cybersecurity company suffers a breach.

Third, the number of companies that disclose breaches will increase, leading to a larger universe of companies who might suffer stock drops. To date, virtually the only type of companies to disclose breaches are consumer-oriented companies, driven by breach-notification privacy laws. There have been few disclosures of significant breaches by non-consumer companies, whose disclosure decisions are based not on consumer breach-notification laws, but on SEC disclosure requirements.

That will change. The SEC is focused on cybersecurity disclosure, and inevitably will start to more aggressively police disclosure by companies that aren’t compelled to disclose breaches under privacy laws. (Of course, SEC enforcement over cybersecurity disclosures will not require a stock drop.) Also, I predict that whistleblowers from IT departments will start to surface, drawn by increasingly large whistleblower bounties. And auditors will begin to prompt disclosure as they too increase their focus on the financial impact of cybersecurity breaches.

I don’t know if this all means that cybersecurity securities class actions will become the most prominent type of securities class action. I doubt it. But I do think that the risk is high enough that all companies need to pay more attention to their cybersecurity disclosures, and insurers, brokers and risk managers need to be mindful of the inevitable increase of securities class action risk in this area.

Following our post on the Supreme Court’s decision in Halliburton II, we decided to take the summer off from further blogging.  We will resume our regular postings in September.

In addition to reading the blog, I hope that you can attend conferences at which I’m speaking this fall:

  • I am co-chairing a panel discussion on board oversight of cybersecurity at a meeting of the Northwest Chapter of the National Association of Corporate Directors in Seattle on September 23.
  • I am co-chairing and speaking at ACI’s D&O Liability Forum in New York City on September 30 – October 1.  Readers of D&O Discourse can receive a discount off the current price by registering using the code DWG200.
  • I am speaking on cybersecurity oversight and disclosure at the PLUS Conference in Las Vegas on November 5 – 7.

We also want to remind you about our Twitter feature.  We tweet current securities and corporate governance litigation news and links.  Our goal is to help turn the fire hose of securities litigation news into a drinking fountain, by tweeting the current developments that we find most important.  You can follow us by reading our Twitter feed on the left-hand side of the D&O Discourse blog, or on Twitter, @DandODiscourse.

We hope you enjoy the remainder of your summer.