Directors and officers of both public and private companies operate in difficult, complex, and evolving business, legal, and regulatory environments. Challenges and risk exposures are unavoidable, and the speed of change shows no sign of slowing. Accordingly, it is imperative that directors and officers stay abreast of issues impacting the risk landscape and continually analyze how best to protect themselves. The recently released NACD Board Leadership report prepared with Marsh, “Evolving Directors & Officers Liability Environment Emerging Issues & Considerations,” identifies core areas of change and associated insurance concerns for directors & officers (D&O).
Four areas being closely watched today are discussed below.
Securities regulations and resulting enforcement and claims will change over the course of President Trump’s administration, although the extent of the change remains to be seen. Deregulation for financial institutions and other organizations is likely. Although deregulation may ease the regulatory burden on businesses in an effort to stimulate growth, it could lead to a rise in resulting claims due to a potential decrease in transparency and mandated corporate guidelines.
We may also see a shift in how government regulatory agencies handle purported wrongdoing, perhaps with the assessment of fewer corporate penalties while continuing to hold culpable individuals accountable. Based on some of the recent U.S. Securities and Exchange Commission appointments, including the SEC Chair and co-heads of the SEC Division of Enforcement, many expect that the agency will continue to aggressively pursue culpable individuals.
Generally speaking, activism is on the rise, including environmental activism, shareholder activism, and other forms. The first climate change-related securities class action was filed in late 2016, and more are expected to follow. Some anticipate that, as a result of the Trump administration’s withdrawal from the Paris Agreement, environmental activists’ drive to advance their agenda—whether through civil litigation, shareholder resolution initiatives, or other means—will increase. In addition, we expect there to be more initiatives driven by state regulatory actions and non-governmental organizations.
Increase in Securities Claims
According to NERA Economic Consulting, the number of securities class action filings in the first quarter of 2017 was significantly higher than in past years. The number for the first quarter of 2017 stood at 144 filings of federal securities class actions, which is up from 102 filings in the first quarter of 2016. If filings continue at this rate, we expect there to be close to 500 securities class action filings in 2017 alone, a 66 percent increase from 2016. The rise in filings can be attributed to several factors including, but not limited to: the increase in merger objection-related filings in federal court; the increase in the number of securities plaintiff firms; and, arguably, a race to the courthouse before any new regulatory changes are implemented.
Cybersecurity-related losses continue to be one of the most worrisome potential exposures for companies. Despite some significant recent cyberbreaches, the first traditional securities class action litigation against directors and officers was only recently filed. The complaint generally alleges that the defendants made materially false and/or misleading statements about the breach. It also claims failure to disclose material adverse facts about the company’s business and operations specific to data protection, and the discovery and potential impact of the data breaches.
On the other hand, there have been a number of derivative lawsuits filed against companies’ directors and officers for alleged mismanagement of cybersecurity incidents. To date, defendants in this type of litigation have largely been successful in getting these cases dismissed by invoking the business judgment rule, among other defenses. However, a notable recent settlement of one of these derivative actions while on appeal will likely continue to fuel the plaintiffs’ bar’s drive to pursue cybersecurity-related D&O claims.
While each of the above can be viewed as a discrete risk, they share a common thread: increased exposure for directors and officers. As a best practice, all directors should regularly review their D&O insurance program with their insurance advisors to ensure adequate protection given the increasingly risky environment in which companies operate. Directors and the officers of their companies should ask themselves probing questions about their insurance coverage:
Does my D&O insurance program provide sufficient limits of liability?
Am I protected by Side-A Difference In Conditions insurance? If so, are those limits sufficient?
How will my D&O insurance coverage respond in connection with a regulatory investigation? Will I be covered to the extent there is an internal investigation associated with an external regulatory investigation?
Does the selection of insurers on my company’s D&O “tower” make the most sense should I need to turn to the insurers for coverage?
How narrowly tailored is the exclusionary language in my policies? How favorable is the severability language?
By reviewing these questions in conjunction with their insurance programs on at least an annual basis, directors and officers will be more adequately prepared for the scenarios outlined above.
Hackers are hard at work trying to steal your information. That is a fact of modern life, whether you are an individual making purchases with your personal credit card or a Fortune 500 company managing many millions of customer records. Indeed, a company that maintains it has not been hacked probably doesn’t realize the full extent of the attacks it faces or how successful hackers may have been already. Moreover, the fallout from successful cybersecurity breaches is not limited to lost information. From 2014 through the second quarter of 2015, companies reported over 2,429 data breaches containing more than 1.25 billion records of personal information, according to a study published by data security firm Gemalto. IBM recently reported that in 2015 the average corporate cost of data breaches reached $154 per record and more than $3.75 million per incident.
Regulators and plaintiff lawyers alike pay increasing attention to data breaches in an environment where the technology and the legal obligations change rapidly. Keeping ahead of both the threats and the evolving laws and regulations is challenging. In the United States alone, the list of interested regulators is expansive and includes the Securities and Exchange Commission, the Federal Trade Commission, the Consumer Financial Protection Bureau, the Federal Communications Commission, and fifty State Attorneys General, each with potentially distinct requirements and agendas. Security breaches reviewed by these authorities have led to a variety of adverse actions against well-established corporations and their directors, including Facebook, Home Depot, and Target. Reasonable safeguards and notice requirements also vary significantly by industry, particularly in healthcare and financial services, as well as by the kind of Personally Identifiable Information (or PII) involved. For companies with a global presence, especially those with European customers, the compliance challenges multiply, as do the accompanying uncertainties.
Despite the highly technical and complex nature of the problem, these issues should be discussed and addressed at the board level. As former SEC Commissioner Luis A. Aguilar observed at a recent Cyber Risks and the Boardroom Conference: “[E]nsuring the adequacy of a company’s cybersecurity measures needs to be a critical part of a board of director’s risk oversight responsibilities.… [B]oards that choose to ignore, or minimize, the importance of cybersecurity oversight responsibility, do so at their own peril.” Because the applicable rules and standards typically require the company to “evaluate and adjust” its security program over time, safeguards that are state-of-the-art today can become an alleged basis for liability once the environment changes.
Recent rulings and a settlement in FTC v. Wyndham Worldwide Corporation relating to claims for allegedly sloppy security practices demonstrate the growing challenge boards face with cyber risk oversight. In that case, the extended fallout from several relatively small attacks between 2008 and 2010 (affecting approximately 500,000 customer credit cards) took more than five years and many millions of dollars in legal fees to resolve. The claims asserted against the company’s directors, although ultimately unsuccessful, also demonstrate the real possibility that directors who do not react swiftly and assertively (as the Wyndham directors did) may face personal responsibility for their failures.
In a world where hackers are constantly refining their attacks and reassessing the different vulnerabilities that can be exploited, there simply is no “one size fits all” approach. Nevertheless, the list below identifies issues that directors should consider, along with some proactive steps they can take:
Add cybersecurity to the list of risks evaluated by the committee of the board that evaluates enterprise risks;
Develop company procedures and a communication plan (sometimes known as a security incident response plan) to be implemented in the event of a data breach;
Add cybersecurity expertise to the board in the form of an experienced director or outside advisors (including experienced counsel);
Create reporting lines from the company’s most senior IT executives, CISO, and in-house counsel responsible for cybersecurity to the company’s directors;
Establish a “tone at the top” that instills a company-wide awareness of security risks;
Consider and explore purchasing cyber insurance to mitigate exposure to risks;
Regularly consult with third-party technical, legal, and training specialists on cyber security and related compliance issues; and
Act promptly if cyberattacks or intrusions occur. Many states have their own prompt notice provisions that must be observed.
While the nature and extent of future attacks is unforeseeable, it is certain that hackers are focused on attacking most companies. All directors therefore must be persistently vigilant in this evolving technical and legal environment.
David R. Owen and Bradley J. Bondi are partners at Cahill Gordon & Reindel LLP. They advise global corporations and financial institutions, boards of directors, audit committees, and officers and directors in significant matters, including those involving cybersecurity, data protection, and regulatory investigations. Travis Scheft, an associate at Cahill, assisted with this article.
The U.S. False Claims Act (FCA) is an anti-fraud statute used to police the conduct of companies that accept federal funds or have payment obligations to the federal government. The government has been hugely successful in pursuing FCA cases, collecting $26.4 billion from 2009-2015, with $5.5 billion and $3.5 billion in 2014 and 2015, respectively. In light of these staggering figures, every company potentially subject to the FCA must be aware of and take steps to minimize its FCA compliance risk.
The FCA imposes liability on companies and individuals that submit “false claims” for payment to the government. Originally termed “Lincoln’s Law,” the FCA was enacted during the Civil War to bring to justice suppliers who sold fraudulent goods to the Union Army. Its modern incarnation has expanded beyond its defense contracting roots to become a leviathan statute with the ability to reach a vast number of companies and organizations.
The FCA imposes a broad spectrum of liability. “Claims” may be direct or indirect. In addition to a classic “claim”—i.e., an invoice for services rendered—the FCA also applies to, for example, pharmaceutical companies receiving funds through research grants and oil companies paying royalties. Indeed, any entity participating in a government program that provides funding, including Medicare, the Small Business Administration, or even the Federal Emergency Management Agency, is subject to the FCA.
While a violation occurs only if the claim is “false,” falsity is a concept given wide latitude under the FCA. A claim could be “false” if it incorrectly states the amount owed or mischaracterizes the services rendered. In at least some jurisdictions, a claim that is entirely accurate on its face can still be “false” if the submitter was not in perfect compliance with an applicable contract term, statute, or regulation, and a plaintiff convinces a court that this lack of compliance could have affected the government’s decision to pay that claim.
Penalties for violating the FCA are severe, including treble damages and penalties of up to $11,000 per false claim. These high penalties push this civil statute into the quasi-criminal realm. In an industry where invoicing is based on many discrete transactions, the per-claim penalties alone can be harsh even if each individual “false claim” is relatively small. FCA cases are also expensive to defend, and carry additional risks of reputational impact and even suspension or debarment from doing business with the government. Companies often choose to settle these cases for high amounts rather than risk an unfavorable verdict. In 2014, Countrywide Financial Corp. and Bank of America paid $1 billion to settle an FCA case rather than litigate damages and penalties to a verdict.
The FCA is a bounty statute, allowing private citizens to bring suit on behalf of the government in exchange for a “bounty” for bringing the case to the government. The potential rewards for blowing the whistle create a strong incentive for current and former employees to run to the government with any perceived violations rather than reporting the concern to management. In 2015 alone, FCA whistleblowers received over $590 million.
There are some affirmative steps that a board can take to protect against FCA liability:
Review the company’s business operations with management to identify “claims” subject to potential FCA enforcement and ensure that these actions are periodically reviewed to prevent and detect potential FCA violations;
Maintain a publicized, anonymous and confidential fraud reporting hotline for employees and third parties;
Investigate reports of fraud-related conduct through counsel to establish and maintain attorney-client privilege over the investigation;
Ensure hotline reporters are informed about the company’s attention to their concerns, validating their efforts while only sharing non-privileged information so as to protect the privilege;
Be aware of whistleblower protection laws, especially the FCA’s prohibition of retaliating against employees;
Upon learning of potential FCA liability, consider whether the company has any obligation to report this to any government agency;
Ensure that the company has a compliance professional and/or experienced FCA counsel who periodically assesses the company’s potential liability and advises the Board about this complex and evolving statute.
Tirzah Lollar is a partner and Kathleen Neace is an associate in the Washington, D.C. office of Vinson & Elkins LLP.