The securities class action war is about far more than the height of the pleading hurdles plaintiffs must clear, the scorecard of motions to dismiss won and lost, or median settlement amounts.  It is a fight for strategic positioning—about achieving a system of securities litigation that sets up one side or the other to win more cases over the long term.  How this war plays out has real-world consequences for the people sued in securities class actions.

Defendants win a lot of battles.  The Private Securities Litigation Reform Act of 1995 was an enormous victory for the defense bar, imposing high pleading burdens on plaintiffs and establishing a safe harbor for forward-looking statements that, in Bill Lerach’s famous words, gives defendants “license to lie.”  The rate of dismissal is markedly higher than the dismissal rate in other types of complex federal litigation.  And cases that survive motions to dismiss typically settle for predictable amounts.

But despite their success in battle, defendants are losing the war.  The root of the problem is the defense side’s lack of a centralized command, which creates a mismatch in expertise, experience, and efficiency.

  • While the plaintiffs’ bar is relatively small, with about a dozen firms that dominate, the defense bar is highly splintered, comprising many dozens of firms that can credibly pitch a case, with multiple possible lead partners within each firm—some qualified and some, frankly, not qualified.  As a result, the average plaintiffs’ partner is many times more experienced than the average defense partner.
  • While the plaintiffs’ bar’s specialized composition and small size yield a unified approach, the splintered nature of the defense bar makes this impossible for defendants.
  • While the defense bar has achieved significant legislative and judicial success, it has come with costly collateral consequences.
  • While the plaintiffs’ bar’s contingent-fee structure incentivizes efficiency, the defense bar is wildly inefficient due to hourly billing and the view that D&O insurance reimbursement is “free money.”  This penalizes the defense firms’ clients—both in individual cases and on the whole—by leaving less insurance money for a vigorous defense and settlement.

How can the defense bar approximate the plaintiffs’ bar’s advantages?  Given the competitive legal environment and large-firm economics, the defense bar can’t achieve a centralized command on its own.  The only way to do so is to give greater control to D&O insurers, the player with the greatest economic and strategic stake in both individual cases and on the whole.

Winning the securities litigation war isn’t an abstraction or a dispute about allocation of money between law firms and insurance companies. It’s about the safety and comfort of real people who face securities litigation.  At the core of every securities case are people accused of doing something wrong—not just directors and officers, but also hard-working company employees who find themselves at the center of a securities suit.  Just the idea of securities class actions makes businesspeople uncomfortable.

So the most fundamental question we on the defense side must ask ourselves is: how does the system of securities litigation defense position directors and officers to withstand securities litigation safely and comfortably?

To state the obvious, defendants are entitled to a system that allows them a fair fight with sufficient insurance resources.

I have divided this analysis into three blog posts.  In this post (Part I), I explain how and why the plaintiffs’ bar is stronger than ever.  In my next post (Part II), I’ll analyze the current state of the defense bar and explain why defendants are losing the war despite winning many battles.  In the last post (Part III), I’ll explain why and how the solution to solving the current mismatch between counsel for plaintiffs and defendants lies in giving D&O insurers greater control of securities class action defense.

Part I: The Plaintiffs’ Bar Is Back—and Better than Ever

When I was a young lawyer, most of my cases were against Milberg Weiss Bershad Hynes & Lerach.  I still remember the San Diego office’s phone number by heart (619-231-1058)—remember when we had to call people to communicate with them?  Of course, there were several other strong plaintiffs’ firms and prominent lawyers, including some of my favorite lawyers in the plaintiffs’ bar—though from my vantage point, Lerach and Weiss loomed large.

The downfall of Lerach and Weiss is well-known, so I won’t recount it here.  Many defense lawyers still discuss it with odd glee.  To me, it was sad and unfortunate.  My direct contacts with them made huge impressions on me.  For example, one of Bill Lerach’s oral arguments remains the most impressive advocacy I’ve ever witnessed.  And I’ll always remember the throng of defense lawyers at the first IPO Securities Litigation hearing turning to watch Mel Weiss enter the Daniel Patrick Moynihan U.S. Courthouse Ceremonial Courtroom, on September 7, 2001.

Lerach and Weiss helped shape and police our system of disclosure and governance, and our markets, corporate governance, and retirement savings are better off for it.  I believe that most public company disclosure deciders see the image of Bill Lerach when they decide whether or not to disclose something.

So their exit naturally left a void in the plaintiffs’ bar.  But a remarkable thing has happened: their protégés, who are my contemporaries and counterparts—as well as other senior plaintiffs’ lawyers and their protégés, plus some new entrants into the plaintiffs’ securities class action market, described below—have not only filled the gap, but have bolstered the bar.  The plaintiffs’ bar is now back, and better than ever.

Looking back, several things converged to cause this.  The first was the stock options backdating scandal, which began with a study by University of Iowa professor Eric Lie that showed an unusually large number of stock option grants to executives at stock price lows.  Since few of the companies exposed in the scandal suffered stock-price drops, the vast majority of the dozens of options cases were filed as shareholder derivative claims, on behalf of the company, alleging breaches of fiduciary duty and proxy-statement misstatements.

At the time, the most prolific securities class action firm was Coughlin Stoia Geller Rudman & Robbins, the successor of Bill Lerach’s firm and the predecessor of Robbins Geller Rudman & Dowd.  If they filed a derivative suit on behalf of a company, it meant they could not sue the company in a securities class action.  For this simple reason, many people, including me, did not think they would file many options backdating derivative cases.

But they did—and they filed a lot of them.  Not only did they file a lot of them, they defeated motions to dismiss and achieved settlements involving unprecedented types of corporate governance reforms and plaintiffs’ attorneys’ fee awards.  Their large fee awards increased the fee awards of smaller plaintiffs’ firms.  By the time they were finished, the plaintiffs’ firms that filed options backdating cases made a mint.

Then, toward the end of the options backdating scandal, the credit crisis happened and started a new wave of shareholder litigation, this time both securities class actions and shareholder derivative actions.  The plaintiffs’ bar had a war chest and was ready for battle.  The larger plaintiffs’ firms won lead plaintiff roles in the mega securities class actions and also represented plaintiffs in large individual actions.

While that was going on, the Chinese reverse-merger scandal happened.  That created a new breed of securities class action plaintiffs’ firms.  Historically, the Reform Act’s lead plaintiff provisions incentivized plaintiffs’ firms to recruit institutional investors to serve as plaintiffs.  For the most part, institutional investors have retained the larger plaintiffs’ firms, and smaller plaintiffs’ firms have been left with individual investor clients who usually can’t beat out institutions for the lead-plaintiff role.  At the same time, securities class action economics tightened in all but the largest cases, placing a premium on experience, efficiency, and scale.  As a result, larger firms filed the lion’s share of the cases, and smaller plaintiffs’ firms were unable to compete effectively for the lead plaintiff role, or make much money on their litigation investments.

The China cases changed this dynamic.  Smaller plaintiffs’ firms initiated the lion’s share of them, as the larger firms were swamped with credit-crisis cases and likely were deterred by the relatively small damages, potentially high discovery costs, and uncertain insurance and company financial resources.  Moreover, these cases fit smaller firms’ capabilities well; nearly all of the cases had “lawsuit blueprints” such as auditor resignations and/or short-seller reports, thereby reducing the smaller firms’ investigative costs and increasing their likelihood of surviving a motion to dismiss (and thus reducing the likelihood of dismissal and no recovery).  The dismissal rate was indeed low, and limited insurance and company resources prompted early settlements in amounts that, while on the low side, yielded good outcomes for the smaller plaintiffs’ firms.

With these recoveries, these firms built up momentum that kept them going even after the wave of China cases subsided.  For the last several years, following almost every “lawsuit blueprint” announcement, a smaller firm has launched an “investigation” of the company, and they have initiated an increasing number of cases.  Like the China cases, these cases tend to be against smaller companies.  Thus, smaller plaintiffs’ firms have discovered a class of cases—cases against smaller companies that have suffered well-publicized problems (reducing the plaintiffs’ firms’ investigative costs) for which they can win the lead plaintiff role and that they can prosecute at a sufficient profit margin.

As smaller firms have gained further momentum, they have expanded the cases they initiate beyond “lawsuit blueprint” cases—and they continue to initiate and win lead-plaintiff contests primarily in cases against smaller companies brought by retail investors.  The securities litigation landscape now clearly consists of a combination of two different types of cases: smaller cases brought by a set of smaller plaintiffs’ firms on behalf of retail investors, and larger cases pursued by the larger plaintiffs’ firms on behalf of institutional investors.  This change is now more than five years old, and appears to be here to stay.

Plaintiffs firms thus have us surrounded—no public company can fly under the radar anymore.  Plaintiffs’ firms of all types have made a lot of money over the past decade.  They’re now filing a record number of cases, even subtracting out the federal-court merger cases.  And on the whole, they’re strong lawyers, with some genuine superstars among them.

Yet, though expanded, the number of firms is small, with about a dozen in the core group.  This gives them the practical ability to take common strategic, economic, and legal positions—even if they don’t always see eye-to-eye or get along.

***

Next week, in Part II, I’ll analyze the current state of the defense bar and explain why defendants are losing the war despite winning key legislative and judicial battles.  And the following week, in Part III, I’ll discuss why and how giving greater control of securities class action defense to D&O insurers would solve the current mismatch between counsel for plaintiffs and defendants.

Note:   I later published a wrap-up post in response to questions and comments I received.

Over the past three years, I’ve been outspoken about the need for better board oversight of cyber security, as well as the need for better cyber security disclosure.  The severity of the cyber threat is so significant to companies, as well as to the nation’s economy and security, that boards have no choice but to pay attention.  Indeed, I can easily envision a world where, as a practical matter, directors face a heightened risk of personal liability for cyber-security problems.  And over the past several years, there has developed an army of talented IT, legal, and insurance professionals ready to help boards manage this threat, and there are some very proactive, outspoken, and conscientious directors who are trying to lead the way.

Yet surveys still say that, on the whole, directors aren’t sufficiently engaged, and companies aren’t providing directors with sufficient information and support.

How in the world could that be so?

Below, I examine two of the underlying problems, and provide solutions: (1) a suite of problems that I call “cyber freak-out,” and (2) an odd lack of concern about director liability.

Cyber Freak-Out

The average corporate director was 47 years old when Amazon became a public company.  Although that was also almost 20 years ago, and most people who serve on boards have grown comfortable with computers and the basics of technology, there is nevertheless a fundamental sense of discomfort with discussion around the IT aspects of cyber security.

This discomfort yields a suite of problems that I diagnose collectively as “cyber freak-out.”  Cyber freak-out includes one or more of the following stated or unstated excuses for not tackling cyber security issues:

  • Excuse: The audit committee handles risks, so that’s the right group to handle cyber security.
    • Reality: Cyber security is an enterprise risk that the full board needs to understand and decide how to manage – even if it is ultimately given to a committee.  And the audit committee has too much work already.
  • Excuse: Being hacked is inevitable, so we can’t do much about it.
    • Reality: The reality is cyber security oversight isn’t just about preventing attacks – it’s also about deciding what assets to protect and how to respond to a breach, among other issues.
  • Excuse: Cyber security is an IT issue, and the IT folks have told us for years that we’re safe.
    • Reality: The world of cyber security poses higher risks now, and it’s incumbent upon the board to ask hard questions of the IT department.  There are outside consultants galore who can give the board an independent evaluation. And cyber security is not just an IT issue.  Most cyber attacks can be prevented through employee education – which presents issues of employee training and corporate culture, which even a Luddite director can help shape.
  • And there are several more things few people say out loud, but I fear that too many think:
    • Excuse: We should have been on top of this earlier, so engaging in a full-scale program of cyber security readiness will make us look bad.
    • Excuse: I don’t want to ask a dumb question, and don’t think I can ask a smart one.
    • Excuse: If I wait long enough, one of my fellow directors will get up to speed and lead us through what we need to do.

Reality: The absurdity of these excuses speaks for itself.

Another common mistake is to assume that cyber attacks are limited to companies with personal information, like credit card numbers or health information.  That is wrong:  Any company with valuable assets – including trade secrets – is and will be a target.  The reason that companies with personal information grab the headlines is that their breaches have become public because of breach-notification laws.  Companies that aren’t subject to breach-notification laws rarely disclose cyber breaches.  One of the country’s leading cyber-security lawyers to public companies said at the SEC’s Cybersecurity Roundtable in March 2014 – in the presence of SEC Chair White and Commissioners Aguilar (who gave an important speech in June 2014 on board oversight of cyber security), Gallagher, Piwowar, and Stein:

I would say that I really can’t think of a case – and we’ve worked a lot –  where the disclosure thinking or analysis was driven by the securities law issues, frankly.

Basically there are other state laws, other situations that are going to create a disclosure obligation, and that’s what drives it. And I think just to be someone speaking from the trenches in terms of the reality of what really happens, there is a tremendous disincentive to disclose a breach.

I believe that the well-known cyber breaches are the very tip of the iceberg, and the much larger cyber security problem is, and will be, beneath the surface until companies start disclosing cyber security issues because of their yet-unenforced federal securities law obligations.  A company whose IP has been stolen, or whose business has been interrupted, faces various disclosure issues.   The issue isn’t just whether a breach is material.  It’s much broader: a cyber security breach could make any number of statements misleading, including financial statements, earnings guidance, statements about internal controls, and statements about the status and prospects of the business operations.  Yet most directors seem to believe that cyber security is just a problem for banks, retailers, and health-care providers and insurers.  That’s just not so.

The problem with cyber freak-out is that it undercuts directors’ main defenses to shareholder claims of breach of fiduciary duty.  There are two main claims for breach of fiduciary duty in this area:

The first type of claim is for a failure to act, or a failure to engage in appropriate oversight, under a standard articulated in a leading case called Caremark.  The court in Caremark called the claim it branded “possibly the most difficult theory in corporation law upon which a plaintiff might hope to win a judgment.”  To be liable for a failure of oversight – a type of breach of the duty of loyalty – a director must fail to establish any system for detecting problems, or if a system exists, must deliberately fail to monitor it or follow up on red flags.  Thus, the only way a director can be liable for a failure of oversight is to not even try – or in the cyber security context, to be paralyzed by cyber freak-out.

In contrast to a claim for inaction, the second type of claim is based on director action.  Such claims are governed by the business judgment rule, which protects from second-guessing a decision made by informed and disinterested directors.  A shareholder can overcome the presumption, however, if the challenged decision was not informed.  Cyber freak-out can result in challenged cyber-security decisions being insufficiently informed, and thus outside the protection of the business judgment rule.

Thus, directors will not be liable if they in fact oversee cyber security, and make decisions about cyber security based on adequate information. Boards need to just pay attention and start somewhere – there’s no secret sauce, and perfection isn’t required.  There’s no cyber-security intelligence test.  An inquisitive director can do a good job overseeing cyber security without even being a computer user.

Director Liability

On the one hand, diligent directors don’t face real risk of liability for cyber security oversight.  On the other hand, I believe the fear of director and officer liability needs to increase before directors and officers and their companies sufficiently tune up their cyber security oversight and disclosures.

Although I don’t wish a lawsuit on anyone, much less actual liability, I think some jarring liability event is necessary: Just as Bill Lerach, Mel Weiss, and other prominent securities class action plaintiffs’ lawyers have greatly improved the quality of corporate disclosure, and corporate-law decisions like Smith v. Van Gorkom have improved board decision-making processes, so too would a cyber-security liability jolt improve cyber-security oversight and disclosure.  But at the moment, directors and officers observe that stocks generally haven’t dropped enough to trigger securities class actions, and the handful of shareholder derivative cases haven’t been virulent.  And the shareholder derivative litigation dismissal in Wyndham, while great for Wyndham’s directors, probably set cyber security oversight back.  The Wyndham decision, resting on the board’s post-breach process in deciding to reject a shareholder demand on the board, was virtually meaningless in its impact on the law governing board oversight of cyber security.

But securities and corporate governance litigation involving cyber security problems is indeed coming.  And it may be ugly.  The more directors and officers are on notice about the severity of cyber security problems, and the less action they take while on notice, the easier it will be for plaintiffs to prove their claims.  We not only could see a sharp uptick in the number of claims, but they could be quite difficult for directors and officers to defend, until cyber security oversight and disclosure improve.  I worry about this dynamic a lot.

I also worry about SEC enforcement concerning cyber security. The SEC has been struggling to refine its guidance to companies on cyber security disclosure, trying to balance the concern of disclosing too much and thus providing hackers with a roadmap, with the need to disclose enough to allow investors to evaluate companies’ cyber security risk.  But directors and officers shouldn’t think the SEC is going to announce new guidance or make new rules before it begins enforcement activity around cyber security disclosures.  All it takes to trigger an investigation of a particular company is some information that the company’s disclosures are rendered false or misleading by inadequate cyber security.  And all it takes to trigger broader enforcement activity by the staff is a perception that companies aren’t taking cyber security disclosure seriously.  That may or may not be preceded by further cyber security disclosure guidance.  And companies need to be concerned about whistleblowers, including over-worked and under-paid IT personnel, lured by the SEC’s whistleblower bounty program, and about auditors, who will soon be asking more frequent and difficult questions about cyber security.

Conclusion

Greater cyber security oversight, and better corporate disclosure, are inevitable.  I hope that they happen naturally, as the result of good counseling by the advisors who are ready and able to help, rather than only developing after we are hit by the inevitable wave of shareholder litigation and SEC investigations and enforcement actions.