Category: Regulations & Legislation

Lessons From the War Over the Target Data Breach

Published by
Craig Newman


The dust settled recently on another chapter of the Target Corp. data breach litigation. Although the five shareholder derivative lawsuits filed against Target’s officers and directors have been dismissed, they underscore the critical oversight function played by corporate directors when it comes to keeping an organization’s cyber defenses up to par. While the ink isn’t quite dry on the court papers, it’s time to start reflecting on the lessons of the skirmish.

In the midst of the 2013 holiday shopping season, news leaked that hackers had installed malware on Target’s credit card payment system and lifted the credit card information of more than 70 million shoppers. That’s almost 30 percent of the adult population in the U.S.

Predictably, litigation was filed, regulatory and congressional investigations commenced, and heads rolled. Banks, shareholders, and customers all filed lawsuits against the company. Target’s CEO was shown the door.

And Target’s directors and officers were caught in the crossfire. In a series of derivative lawsuits, shareholders claimed that the retailer’s board and C-suite violated their fiduciary duties by not providing proper oversight for the company’s information security program, not making prompt and accurate public disclosures about the breach, and ignoring red flags that Target’s IT systems were vulnerable to attack.

The four derivative cases filed in federal court were consolidated (one derivative lawsuit remained in state court) and Target’s board formed a Special Litigation Committee (SLC) to investigate the shareholders’ accusations. The SLC was vested with “complete power and authority” to investigate and make all decisions concerning the derivative lawsuits, including what action, if any, would be “in Target’s best interests.” Target did not appoint sitting independent directors but retained two independent experts with no ties to the company—a retired judge and a law professor. The SLC conducted a 21-month investigation with the help of independent counsel, interviewing 68 witnesses, reviewing several hundred thousand documents, and retaining the assistance of independent forensics and governance experts.

On March 30, 2016, the SLC issued a 91-page report, concluding that it would not be in Target’s best interest to pursue claims against the officers and directors and that it would seek the dismissal of all derivative suits.

Minnesota law, where Target is headquartered, provides broad deference to an SLC. Neither judges nor plaintiffs are permitted to second-guess the SLC members’ conclusions so long as the committee’s members are independent and the SLC’s investigative process is “adequate, appropriate and pursued in good faith.” By these standards, U.S. District Judge Paul A. Magnuson recently dismissed the derivative cases with the “non-objection” of the shareholders, subject to their lawyers’ right to petition the court for legal fees.

Target isn’t the only data-breach-related derivative case filed by shareholders against corporate officers and directors. Wyndham Worldwide Corp.’s leadership faced derivative claims relating to three separate data breaches at the company’s resort properties. After protracted litigation, the derivative claims were dismissed in October 2014, in large measure because Wyndham’s board was fully engaged on data security issues and was already at work bolstering the company’s cybersecurity defenses when the derivative suit was filed. A data-breach-related derivative action was also filed against the directors and officers of Home Depot, which remains pending.

Despite the differences between the Target and Wyndham derivative suits, both cases contain important lessons for corporate executives and sitting board members.

  1. Treat data security as more than “just an IT issue.” Boards must be engaged on data security issues and have the ability to ask the right questions and assess the answers. Board members don’t know what they can’t see. Developing expertise in data security isn’t the objective; rather, it’s for directors to exercise their oversight function. Board members can get cybersecurity training and engage outside technical and legal advisors to assist them in protecting their organizations from data breaches.
  2. Evaluate board information flow on cybersecurity issues. How are board members kept up-to-date on data security issues? Are regular briefings held with the chief information officer (CIO) to discuss cybersecurity safeguards, internal controls, and budgets? Boards might also consider appointing special committees and special legal counsel charged with data security oversight.
  3. Prepare for cyberattacks in advance. Boards should ask tough questions about their organization’s state of preparedness to respond to all aspects of a cyber-attack, from reputational risk to regulatory implications. Get your house in order now, and not during or after an attack. Not surprisingly, multiple studies—including the Ponemon Institute’s 2016 Cost of Data Breach Study—suggest that there is a correlation between an organization’s up-front spending on cybersecurity preparation and the ultimate downstream costs of responding to a breach.
  4. Decide whether and when to investigate data breaches. Before hackers strike, boards must decide whether and when to proactively investigate the breach, wait to see if lawsuits are filed, or wait to see if regulators take notice. Regardless, boards should be prepared to make this difficult decision, which will establish the tone of the company’s relationship with customers, shareholders, law enforcement, regulators, and the press.
  5. Develop a flexible cyber-risk management framework. Cyber-risk oversight isn’t a one-time endeavor, nor is there a one-size-fits-all solution. The threat environment is constantly changing and depends, in part, on a company’s sector, profile, and type of information collected and stored. While cyber-criminals swiped credit card data in the Target and Wyndham cases, the threat environment has escalated to holding organizations hostage for ransomware payments and stealing industrial secrets.

Cybercrime is scary and unpredictable. It poses risks to a company’s brand, reputation, and bottom line.  Board members are on the hot seat, vested with the opportunity and responsibility to oversee cybersecurity and protect the company they serve.

Craig A. Newman is a litigation partner in Patterson Belknap Webb & Tyler LLP and chair of the firm’s Privacy and Data Security practice. He represents public and private companies, professional service firms, nonprofit institutions and their boards in litigation, governance and data security matters. Mr. Newman, a former journalist, has served as general counsel of both a media and technology consortium and a private equity firm.

Directors Can Add Valuable Perspective to SEC’s View of Sustainability


Business news headlines on any given day highlight the importance of sustainability issues such as resource scarcity, climate change, population growth, globalization, and transformative technologies. In today’s world, management of these and other sustainability risks and opportunities influences corporate success. Thus, understandably, investors are increasingly requesting information on how companies are managing these factors.


A concept release from the Securities and Exchange Commission (SEC) on disclosure effectiveness includes a lengthy discussion of sustainability disclosure. In the release, the SEC states that it is “interested in receiving feedback on the importance of sustainability and public policy matters to informed investment and voting decisions.” We hope that the SEC’s request for input on sustainability issues signals an understanding that the information investors consider “material”—much like the world around it—is changing. As a result, corporate disclosures should also evolve to provide investors with the information they need to make informed investment and voting decisions.

Sustainability issues are increasingly important to a company’s financial condition and operating performance, and thus merit the attention of its board. At more than 55 percent of S&P 500 companies, the board oversees sustainability, according to the Investor Responsibility Research Center Institute. Such boards are to be applauded for taking a more holistic view of risk oversight, and for getting out in front of global challenges.

This shift in focus by investors and the business community is driven by a growing recognition that sustainability issues are business issues, not only born of social or political concerns. One recent study found that when companies focus their efforts on managing material sustainability factors—namely, those critically linked to their core business—they outperform their peers with significantly higher return on sales, sales growth, return on assets, and return on equity. They also show significantly improved risk-adjusted shareholder returns.

Clearly, the board plays a key role in developing a company’s capacity to create long-term value and in safeguarding its assets. In this regard, a board’s careful consideration of information on material sustainability factors would help it to fulfill its oversight responsibilities, by assisting it in understanding, prioritizing, and monitoring business-related risks and opportunities.

For example, a board should regularly consider how its company measures, manages, and reports its material sustainability risks. A pharmaceuticals company might consider how it is addressing a $431 billion counterfeit drug market, where mitigation strategies in an increasingly complex, global supply chain could stem or reverse the loss of consumer confidence and company revenues, and prevent up to 100,000 deaths each year (see Roger Bate’s 2012 book Phake: The Deadly World of Falsified and Substandard Medicines). The plunging stock price and loss of goodwill suffered by Chipotle Mexican Grill after outbreaks of E. coli and norovirus at its restaurants demonstrate the way in which a failure to manage sustainability risk factors can seriously damage a company’s reputation and shareholder value.

Moreover, sustainability issues not only raise risks, but also present opportunities that can and should be taken into account by the board as it considers development and implementation of the company’s strategic goals.

Sustainability issues may have a material impact on a company’s ability to achieve such goals. For automakers, a strategy that incorporates fuel-efficient technologies and alternative fuels can help the company capitalize on legal and consumer trends regarding fuel economy and emissions in a market where car ownership is projected to triple by 2050.


Sustainability issues directly affect a company’s financial condition and operating performance. Therefore, it is not surprising that investors are increasingly demanding more effective and useful sustainability information. Many companies have made efforts to meet this demand through disclosures in corporate social responsibility (CSR) reports, by responding to questionnaires, or otherwise engaging with investors. The sustainability information in CSR reports is not, from our perspective, “investment-grade;” that is, it is not necessarily material, not industry specific, not comparable, and not auditable. To that point, a 2015 PwC study found that 82 percent of investors said they are dissatisfied with how risks and opportunities are identified and quantified in financial terms; 74 percent of the investors polled said they are dissatisfied with the comparability of sustainability reporting between companies in the same industry.

What the markets have lacked, until now, are standards that can guide companies in disclosing material sustainability information in a format that is decision-useful. These standards must be industry specific. Sustainability issues affect financial performance differently depending on the topic and the industry. Therefore, investors need guidance on which sustainability issues are material to which industries, and they need industry-specific metrics by which to evaluate and compare the performance of reporting companies.

The Sustainability Accounting Standards Board (SASB), an independent 501(c)(3) nonprofit, was created to address this market inefficiency. The mission of SASB is to develop and disseminate industry standards for sustainability disclosure that help public corporations provide material, decision-useful information to investors via MD&A and other relevant sections of SEC filings such as the Form 10-K and 20-F. SASB’s standards are formulated with broad market participation and draw upon metrics already used by the corporate community. They will continue to evolve, as our world, and thus material sustainability issues, change.

Investors want to place their funds in entities that have good prospects for the future. To do so, they evaluate the information that is material to a company’s prospects. Not all that information rests in the financial statements that reflect a company’s current financial condition. We believe that, in today’s world, risks and opportunities not yet reflected in a company’s financial statements influence its success.  And, the information that is “material” to investors—much like the world around it—has changed.

To help companies disclose material sustainability information, the capital markets need standards for disclosure of sustainability information that are created by the market, specific to industry, and compatible with U.S. securities law.

The management and disclosure of sustainability issues merits the attention of directors. The public comment period for the SEC’s disclosure effectiveness concept release runs through July 21. This is an important opportunity for publicly held companies and their directors to be heard on these critical issues, and to stress the importance of a market standard that serves investors while not overburdening issuers.

Aulana Peters was an SEC Commissioner from 1984 to 1988. Elisse Walter was the 30th chair of the SEC. Peters and Walter serve on the SASB Board of Directors.

What Boards Should Know About the Paris Agreement


The twenty-first session of the Conference of Parties (COP) convened in Paris Nov. 30-Dec. 11 last year to negotiate a legally binding international agreement on mitigating the effects of climate change. Known as both COP21 and the 2015 Paris Climate Conference, this historic meeting of parties to the United Nations Framework Convention on Climate Change (UNFCCC) resulted in the first-ever unanimous accord, with 187 countries pledging collective action to cut carbon emissions. Despite a U.S. Supreme Court setback to environmental regulations on February 10, this deal will have significant consequences for business worldwide—consequences that will unfold as governments establish regulations that enact their support for and compliance with the Paris agreement.


What are the key elements of the agreement?

The COP21 accord seeks to accomplish specific major goals:

  • To restrict the increase of global temperatures to “well below” 2.0°C beyond those of the pre-industrial era, and to endeavor to limit their rise to a maximum of 1.5°C above pre-industrial averages.
  • To curtail the amount of greenhouse gases (GHGs) generated by human activity to levels that trees, soil, and oceans can absorb naturally by sometime within the latter half of this century.
  • To review each country’s contribution to emissions reduction every five years so they can scale up to the challenge.
  • For wealthy countries to provide “climate financing” that will enable poorer countries to adapt to climate change and switch from fossil fuels to renewable energy sources.

How can countries understand and manage their own emissions?

Like any business goal, understanding and managing emissions requires three basic steps: measurement—determining where you are and where you need to go; management—determining opportunities, challenges and actions; and reporting—monitoring and disclosing performance over time.

Among the most significant outcomes of COP21 are action plans for the ten largest CO2 emitters by country.  These countries include (in order of the size of their emissions) China, the United States, the European Union (28 member states), India, Russia, Japan, South Korea, Canada, Iran, and Saudi Arabia.  The major global economic sectors emitting the highest amounts of GHGs are establishing mitigation objectives (i.e., emission reduction targets) referred to as Intended Nationally Determined Contributions (INDCs).  For instance, the European Union has set a target of at least a 40% reduction by 2030, and the United States is aiming for a 26%–28% reduction by 2025.

Such a global effort will have credibility only if these INDCs are made publicly available. The five-page United States INDC published on the UNFCCC site outlines how the country is planning to measure, manage, and report its performance; it also references existing U.S. laws and standards and draws on the EPA’s Greenhouse Gas Inventory Report: 1990–2013.  This report breaks down responsibility for sources of GHG emissions over time and by major industry sector.

A significant amount of research went into the target of a 26%–28% reduction by 2025. The U.S. federal government is already taking steps to reduce emissions, and public-private collaborations have developed that will enable these sectors to leverage high-efficiency, low-emissions solutions and incentivize market and technology innovations in response to the challenge.

This drive is creating a global wave of new business and investment opportunities and is no longer regarded as a fringe activity. Goldman Sachs produces regular equity research, such as The Low Carbon Economy—GS Sustain equity investor’s guide to a low carbon world, 2015–25, and Standard & Poor’s has an entire team dedicated to analyzing sovereign ratings, corporate credit risk, and carbon efficient indices.

What kind of impact will climate change and the Paris Agreement have on a company’s valuation?

In an update to the Annual Study of Intangible Asset Market Value, Ocean Tomo LLC reveals that the intangible asset value of the S&P 500 grew to an average of 84% by January 1, 2015, which represents an increase of four percentage points over 10 years.  As management of intangible assets has become increasingly critical to a company’s valuation, expectations for transparency about how these ‘intangible’ risks are managed have risen.  These risks now extend to climate change and the costs and benefits of reducing GHG emissions.

Companies can show that they are actively managing climate-change risks and reducing their GHG emissions through research surveys like the CDP (formerly known as the Carbon Disclosure Project).  The CDP was founded in 2000 in order to collect data related to carbon emissions and distribute it to interested investors.  What began as a small group of activists has grown to include more than 800 institutional investors representing assets in excess of US $95 trillion.

Interested investors (asset owners and managers) have demonstrated their support of the CDP by becoming CDP signatories and being involved in a range of investment-related projects.  The list of CDP Signatories and Members includes some of the largest institutional investors, such as Bank of America, BlackRock, BNY Mellon, CalPERS & CalSTRS, Goldman Sachs, Morgan Stanley, Northern Trust, Oppenheimer Funds, State Street, TIAA-CREF, T. Rowe Price, and Wells Fargo.  The CDP is by far the most influential organization specializing in this area, and it maintains a comprehensive public collection of corporate performance information.

Data posted on the CDP website can be organized by country, index, industry, or company, and is also presented in reports such as the following:

These reports can be helpful to any company seeking to establish its own GHG emissions strategy.  Drawing from public sources also allows a company to see the commitments and disclosures of industry peers, what customers may expect, and how suppliers are improving their own efficiency.  In addition, GHG-specific data such as that reported through the CDP is now being integrated into specialized research tools, for example, analyses on Bloomberg’s Sustainable Business & Finance website.  Any company (or investor) with a Bloomberg subscription can quickly compare and contrast a range of GHG-related factors, ranging from policies (i.e., climate change policy, energy efficiency policy, environmental supply chain policy) to specific GHG metrics (i.e., energy consumption per revenue, total GHG emissions per revenue, percentage of renewable energy consumption).

Do corporate and institutional customers care?

Consider the manner in which new market demands ripple through supply chains: ISO 9000, Y2K, Dodd–Frank/Conflict Minerals, etc.  That same dynamic is playing out around GHG emissions.  Once an organization makes a commitment to understand its own GHG footprint, it soon recognizes the degree to which its purchasing decisions influence its overall GHG footprint.

In 2010, Wal-Mart Stores Inc. announced its goal to eliminate 20 million metric tons of GHG emissions from its global supply chain by the end of 2015. The company actually exceeded its commitment by eliminating 28.2 million metric tons, which is the equivalent of taking more than 5.9 million cars off the road for an entire year. Wal-Mart achieved this reduction by implementing innovative measures across both its global operations and those of its suppliers: enhancing energy efficiency, executing numerous renewable energy projects, and collaborating with suppliers on the Sustainability Index to track progress toward reducing products’ overall carbon footprint. By 2017, Wal-Mart will buy 70% of the goods it sells in U.S. stores from suppliers that participate in this Index.

Then, of course, there is the world’s largest single procurement agency, the United States’ General Services Administration (GSA), which spends more than $600 billion annually.  The GSA and the U.S. Department of Defense (DoD) are both actively involved in the management of GHGs in their supply chains.  These and other federal agencies are working closely with the White House Council on Environmental Quality to understand the GHG footprint of the government’s purchasing decisions and to engage and educate suppliers on GHG reduction strategies.  The Federal Supplier Greenhouse Gas Management Scorecard lists the largest suppliers to the US government by spend and identifies whether the supplier discloses its emissions and whether it has set emissions targets.  This information is drawn from public sources, and, like the CDP, this scorecard creates added market pressure on public and private companies to measure, manage, and report on GHG-related activities.

Do consumers care?

In 2015, Cone Communications partnered with Ebiquity to field its third survey of global attitudes, perceptions, and behaviors around sustainability and corporate responsibility.  They conducted an online survey of more than 9,500 consumers in nine of the largest countries as measured by GDP: the United States, Canada, Brazil, the United Kingdom, Germany, France, China, India, and Japan.  The survey broadly described corporate social responsibility (CSR) to respondents as “companies changing their business practices and giving their support to help address the social and environmental issues the world faces today.” Respondents were then asked whether in the preceding 12 months they had:

[Graphic: Corporate Social Responsibility (CSR)]

What does the agreement mean for your business?

Awareness about fossil fuel use, carbon and GHG emissions, and climate change impact is proliferating in all segments of the economy—public and private companies; federal, state, and local governments; employees, customers, and shareholders; etc.  Today’s management teams and directors need to understand where their company stands on the risk/opportunity spectrum.  To begin or advance the boardroom conversation on climate-change risks and strategies for reducing GHG emissions, consider the following:

  • Look across the company’s value chain. Where is the company most vulnerable geographically? Which facilities are purchasing power from the highest and lowest carbon emitting electric utilities? Are there GHG reduction opportunities through our electric utility or through other energy providers in our region?
  • Have we taken a public position on reducing GHG emissions? Have we set goals and targets?  If not, why not?  If so, how are we performing? Do we have quantifiable and verifiable information?
  • What positions have our largest customers taken on the issue of GHG emissions? What are their expectations of us as a supplier?
  • Is our industry sector a leader or a laggard? How is our organization doing in comparison with our peers?

As part of the lead-up to COP21, the Science Based Targets (SBT) initiative was formed to actively engage companies in setting GHG emission reduction targets.  A collaboration among the CDP, the UN Global Compact, the World Resources Institute, and the World Wildlife Fund, the SBT initiative publishes the emission reduction targets set by more than 100 of the world’s largest companies.  Here are just a few examples:

  • Coca-Cola Enterprises has committed to a 50% reduction of absolute GHG emissions from their core business operations by 2020, using 2007 as the base year. Coca-Cola Enterprises also commits to a 33% reduction of the GHG emissions associated with manufacturing of their products by 2020, using 2007 as the base year.
  • General Mills has committed to reducing absolute emissions by 28% across their entire value chain from farm to fork to landfill by 2025, using a 2010 base-year. These reductions include total GHG emissions across all relevant categories, with a focus on purchased goods and services (dairy, row crops, and packaging) as well as delivery and distribution.
  • Procter & Gamble has committed to cutting emissions from operations by 30% from 2010 levels by 2020.
  • Sony has committed to reducing GHG emissions from its operations by 42% below fiscal year 2000 levels by fiscal year 2020. The company also has a long-term plan for reducing its environmental footprint to zero by 2050, requiring a 90% reduction in emissions over 2008 levels by 2050.

In October 2015, more than 80 major U.S. corporations signed the American Business Act on Climate Pledge, among them such companies as Alcoa, American Express, Apple, AT&T, Berkshire Hathaway Energy, Dell, GE, General Motors, Goldman Sachs, Google, Johnson & Johnson, McDonald’s, Nike, Pepsi, Pacific Gas & Electric, Salesforce, Starbucks, and UPS. A range of quantitative GHG-emission reduction goals and targets are available for public review on the SBT website.

In addition, entire industries—such as the fashion and hospitality industries—are working together to set their own targets.  These types of voluntary public commitments are setting precedents and thus expectations for others within and across industries and economic sectors.

Given the pending presidential election in the United States and the existing regulations referenced in the United States’ own INDC, it is unlikely that significant regulatory changes will impact business in 2016.  It is likely, however, that existing standards and Executive Orders will shape the conduct and actions of specific industries.

Growing interest in the federal government’s own footprint and those of its suppliers may constitute the most significant impetus for change. As the GSA and the DoD increasingly seek suppliers with the lowest GHG emissions, these suppliers (public and private) will be incentivized to measure, manage, disclose, and verify their GHG emissions.


What do directors need to do now?

  1. First and foremost, become familiar with your company’s carbon profile and sustainability image. You need to know the carbon footprint of your company, the company’s plans to reduce that footprint, and the company’s messaging about those plans.
  2. Whether your company is public or private, make sure that its customers know the company’s story. Business-to-business customers expect suppliers to measure, manage, and report on carbon emissions. Directors can ensure that a credible and compelling message is communicated to customers.
  3. Conversely, directors can ensure that the company exhibits GHG consciousness when choosing major suppliers. In a choice between two qualified vendors, why not pick the one that is also better for the sustainability of your business and the planet?
  4. If you serve on the board of a public company, look for the names of your largest investors on the list of CDP signatories, realizing that more and more of these investors are conducting due diligence on carbon emissions in their portfolio companies. Urge your CEO to announce carbon reductions in any communications with your company’s climate-oriented investors.
  5. Develop your business case for carbon reduction and other sustainability measures. Reducing carbon emissions means the reduction in the use of fossil fuels, which translates to cost savings. Diversifying the firm’s energy portfolio to include lower emission sources is also a strategic move in today’s market.  Seeking out and procuring lower-emissions goods and services has become commonplace.  Leverage your procurement spend to help reduce your overall GHG footprint.
  6. Urge management to reach out to sources knowledgeable about climate change in order to learn more from them or even to consider them as possible business partners. Wall Street firms, private equity investors, lenders, insurers, rating agencies, and stock exchanges are all becoming involved in climate issues and can be valuable partners in identifying future risks and opportunities, as well as crafting new strategies.
  7. Ensure your investors understand and appreciate the value of investments your company makes to reduce its carbon footprint and improve the sustainability of its operations.

For more practical guidance on board oversight of this important issue, please use NACD’s Oversight of Corporate Sustainability Activities Handbook.

About BrownFlynn (www.brownflynn.com) and the authors:

BrownFlynn is a corporate sustainability and governance consulting firm with 20 years of experience supporting public and private corporations in the development and implementation of strategic corporate responsibility and sustainability programs.

Barb Brown, co-founder and principal, has led the firm since 1996, when it was established to address the growing demand from shareholders on intangible issues such as corporate responsibility, sustainability, and environmental, social, and governance topics. Recognized as a pioneer in the industry, Brown is a sought-after speaker, author, and thought leader and has contributed her expertise to a range of professional and industry groups, as well as numerous multinational corporations.

Mike Wallace is managing director at BrownFlynn. An NACD member, he has been a regular contributor to NACD programs and publications.  He has worked in the field of corporate responsibility/sustainability for more than 20 years and has presented on these topics to audiences at NACD Master Classes, the NACD Global Board Leaders’ Summit, and meetings of the Society of Corporate Secretaries, and the National Investor Relations Institute.  He advises public and private companies as well as boards and board committees on these issues.