Month: March 2017

Heads Up: Board of Directors, Resignation from the Board, Duty of Loyalty.

Paul Hastings Client Alert, March 2017

Resigning From a Board of Directors: Considerations for VC Fund Designees
By Samuel A. Waxman, Jordan L. Goldman & Brooke Schachner

When a venture capital fund invests in an emerging growth company, it typically seeks to protect its investment by obtaining the right to designate a member of the Board of Directors. While many of these individual designees are experts in their field and have vast networks of valuable relationships at their disposal, a newly designated director may be unfamiliar with the duties imposed on him should he want to resign.

Delaware law generally gives the Board of Directors broad authority to manage the business affairs of a corporation. Although this level of discretion is generally extended to the ability to resign, there are various factors that should be considered when weighing the value of keeping a seat against the potential turmoil and liability associated with resignation. Designated directors often reflexively consider resignation when the company has run out of money or is heading into the so-called “zone of insolvency” out of fear of personal liability. Resigning at this point, however, may actually give rise to the very liability the director was seeking to avoid. As a result, it is important for a director to know when he can resign versus when he should resign.

I. The Benefits of Sitting on a Board: A Seat at the Table
The best way for a venture capital fund to remain informed and maintain influence on a company’s decision-making is to hold a seat on the Board. Directors have the power to vote on matters mandated by Delaware law, the certificate of incorporation, or the investment documents that affect material aspects of the business and its stakeholders. For example, Board approval may be necessary for: amendments to the certificate of incorporation and bylaws; equity grants or transfers (whether stock, options, or warrants); distributions to stockholders; borrowing or lending money; adopting an annual budget; hiring or terminating members of senior management (or amending their terms of employment); adopting employee benefit plans; a sale of material assets of the company; a dissolution of the company; and/or entering into agreements and transactions of material importance to the company (intellectual property licenses, mergers, or IPOs).

This remains true even if the investment has gone sour. Directors will continue to have a say over bridge financings, the direction of debtor-in-possession (DIP) loan packages, and other key decisions that need to be made by a company in distress.

II. Should I Stay or Should I Go?
Under Delaware law, a director generally may resign at any time, unless the certificate of incorporation or bylaws require otherwise. Notably, however, a director may not resign when doing so would constitute a breach of the duty of loyalty.

A. Duty of Loyalty
Directors have a duty to act in the best interests of the shareholders—personal benefit is secondary, even if management is making questionable choices. For example, simply resigning upon discovery of flagrant crimes committed by corporate insiders, without attempting to rectify the issue, may constitute a breach of the duty of loyalty. In In re Puda Coal Shareholders’ Litigation, a CEO was accused of theft through unauthorized transfers which went unnoticed for 18 months. A third party brought the suspected criminality to the attention of the independent directors, but the directors were “stonewalled” by management when they attempted to bring suit. So, the independent directors resigned from the Board. The Delaware court was critical of the directors’ decision to resign rather than cause the company to join a related derivative suit, stating that simply resigning at that point (while the company was in hot water) might be a breach of the duty of loyalty.

Similarly, in Rich v. Chong, another Delaware case, the court determined that ignoring numerous red flags and resigning from the Board may have constituted an abdication of the directors’ duties. In this case, the company completed its public offering in 2009. In 2010, it revealed discrepancies in its financial statements, and in 2011, auditors discovered a $130 million cash transfer to third parties in China. A 2010 stockholder suit urged the company’s audit committee to investigate, but the investigation was abandoned in 2012 due to management’s failure to pay the fees incurred by the audit company’s advisors. The company also failed to hold an annual stockholder meeting for several years despite a 2012 court order to do so. The independent directors subsequently resigned. Chiding the directors, the court stated that “the conscious failure to act, in the face of a known duty, is a breach of the duty of loyalty.”

Directors of companies with foreign operations, moreover, are subject to a heightened fiduciary duty. Delaware Supreme Court Chief Justice Strine’s view on local companies with foreign operations is that a director’s required engagement is even more strenuous (e.g., traveling to that foreign country, having language skills, and knowing the culture).

B. Reasons for Resignation
A director may want to resign from his position on the Board for several reasons. If the company breaks the law or materially breaches its bylaws or shareholder agreements, without immediate rectification, a director may consider resignation. In addition, a director may deem it necessary to resign over disagreements among the Board members. Deadlocks and discord can severely impede progress, a particular concern for growth companies. While discussion and debate are healthy for an effective Board, intractable differences of opinion about the company’s future can stall innovation and stifle success. Similarly, a fundamental opposition to some of the company’s major practices could be reason enough to step away.

Designees are often selected for board seats because of their expertise in a particular field and their vast network of connections. However, a conflict of interest may arise as a result. If conflicts of interest persist and become irreconcilable, a director’s exit might be best for all parties involved. Still, a director’s fiduciary duties to the corporation and its shareholders must be at the forefront of his concerns, and if an exit may constitute a breach of the duty of loyalty, the director must think twice about resignation. In addition, even where the director himself has no personal conflict, a designated director might wish to resign if the fund he represents is going to engage in certain debt financing transactions with the company.

Additionally, a director may want to resign if he is unable to obtain adequate protection against personal liability. A director should ensure that the company has a sufficient director and officer (“D&O”) insurance policy and an indemnification agreement in place that protects individual directors. It is important to make sure D&O policies have a proper tail so that directors are still covered even after they leave the Board. A director is often best served staying on the Board as long as possible to make sure that the D&O insurance is kept in place at the expected levels and/or to best negotiate a tail on his exit. Without appropriate D&O insurance, directors may face liability for certain claims against the corporation. Notably, a recently enacted California law includes directors in the group of individuals that may be held personally liable for unpaid final wages. While a director may be covered by insurance or indemnification in this instance, it is important to be aware of state laws that may subject corporate agents to additional liability.
Finally, evidence that management is not acting in the best interests of the shareholders may be cause for a director’s resignation. But again, a director has to be sure that his exit does not unduly harm the company or breach a fiduciary duty owed to the shareholders.

III. Practice Tips for the Director Pondering Resignation
When considering resignation, a director must act in the best interests of the company. Current or potential directors should research whether there are any unusual restrictions on resignation in the certificate of incorporation or bylaws or unusual internal procedures and policies.

Moreover, a director should take specific steps upon the discovery of illegality or malfeasance, namely:
1. A director’s first duty is to take reasonable steps to stop any ongoing legal or ethical violations.
2. If met with stonewalling, the director should seek independent legal counsel.
3. A director who decides to resign may want to submit a written statement to the chairman for circulation to the Board and possibly to the shareholders.
Following these general steps will help a director leave a Board while guarding against potential liability. The decision to resign from a Board must not be made flippantly. Facts and circumstances will rule the day; regardless, a director must always mind his fiduciary duties to the company and its shareholders.


Heads Up: Boards, Businesses, Leaders- CyberSecurity, Risks and Responsibility, Heightened Requirements.

Dickinson Wright

Cybersecurity is “hot” and will stay “hot” for corporations, executives, regulators, law enforcement and legislators. Rarely is there a corporate compliance discussion in 2017 where cyber isn’t “the” topic or a material part of the discussion. Corporate boards recognize that cybersecurity is and will remain a high priority because of the attendant risks on so many levels. And two recent matters – one a case and the other a high profile internal investigation – portend that an imminent frontier in corporate monitoring will be cybersecurity.

Recent governmental attention to corporate cybersecurity programs suggests strongly that cyber oversight will be the next priority area for corporate compliance monitoring. The Securities and Exchange Commission (SEC), for example, announced in January 2017 that cybersecurity compliance procedures would be a key focus for its Office of Compliance Inspections and Examinations (OCIE) this year.[i] OCIE previously announced cybersecurity as a priority for its 2016 examination program,[ii] tracking its September 2015 cybersecurity examinations initiative.[iii] Considering prior enforcement actions by the SEC against investment advisors and broker-dealers to address allegedly inadequate cybersecurity policies that enabled data breaches, the SEC’s announcement is no surprise. Similarly, the Federal Trade Commission (FTC) has been flexing its enforcement muscle through actions alleging that policy failures led to the exposure of confidential consumer information.[iv] These actions consistently result in settlements that impose cybersecurity enhancements designed to prevent similar future incidents. In the absence of an informed and sufficient monitoring program, however, it is difficult to assess effectively whether the corporations are implementing the negotiated settlements properly and, perhaps more importantly, as expected by the agency.

The SEC has a well-established track record for using independent corporate monitors across a broad range of cases. The FTC, on the other hand, is somewhat surprisingly still in its infancy in doing so. In a September 2016 settlement, the FTC jumped into the monitorship space by imposing a monitor to ensure compliance with a settlement that required a company to fundamentally change its compensation structure by rewarding actual sales rather than recruitment of new distributors. Although that FTC settlement did not present a cybersecurity issue, the FTC nevertheless set the stage to connect monitorships with the agency’s already active regulatory attention to cybersecurity matters. An example of such an opportunity presented itself on March 1, 2017, when Yahoo announced, in its Form 10-K filed with the SEC,[v] that as a result of an internal investigation associated with three cybersecurity incidents – including the theft of data from more than one billion accounts – the Company “took certain remedial action, notifying 26 specifically targeted users and consulting with law enforcement.” The 10-K describes the cyber-centric “other remedial actions” as follows:

The Board has directed the Company to implement or enhance a number of corrective actions, including revision of its technical and legal information security incident response protocols to help ensure: escalation of cybersecurity incidents to senior executives and the Board of Directors; rigorous investigation of cybersecurity incidents and engagement of forensic experts as appropriate; rigorous assessment of and documenting any legal reporting obligations and engagement of outside counsel as appropriate; comprehensive risk assessments with respect to cybersecurity events; effective cross-functional communication regarding cybersecurity events; appropriate and timely disclosure of material cybersecurity incidents; and enhanced training and oversight to help ensure processes are followed.

The 10-K also references 43 related class action lawsuits and the company’s cooperation with the SEC, the FTC, the United States Attorney’s Office for the Southern District of New York, and two State Attorneys General. Additionally, the General Counsel and Secretary resigned, receiving no severance payments. Moreover, the CEO gave up $12 million in stock and did not receive her 2016 cash bonus. It is easy to see where breaches and remediation as Yahoo disclosed could become the door-opener for a cybersecurity monitor.

Traditional corporate monitoring models allow for the implementation of an independent monitor to oversee an organization’s compliance with imposed obligations over a period of time. Independent monitors, by operation of the monitorship agreement, typically receive access to the subject company’s personnel, files, books, and records that fall within the scope of the settlement agreement and have authority to take necessary steps to become fully informed regarding the monitored company’s operations, within the parameters of the agreement. The independent monitors also are free to communicate with the regulatory body (or agency) regarding the monitored company’s corrective measures (or lack thereof). If the subject organization is found not to have complied with the terms of the settlement (i.e., not adhering to the compliance and other policies, procedures and steps designed to remediate and correct the conduct that gave rise to the settlement), then penalties can be assessed, including reinstitution of the criminal or regulatory action(s), and extension of the monitorship. And, particularly in the cybersecurity area, newly surfacing system vulnerabilities can easily complicate any assessment of whether the settlement terms have been met.

Cybersecurity-related regulatory actions, however, usually do not follow this model. Instead, many cybersecurity settlements and consent orders mandate only that independent third-party professionals periodically assess and report on the implementation of information privacy and cybersecurity safeguards. Because cybersecurity settlement agreements do not typically include an active independent monitor with the requisite background and experience to assess an organization’s remedial cybersecurity measures on a granular level, the benefits of an embedded qualified professional to ensure true remediation are absent from the impacted company. Ideally, a cybersecurity monitor should have, through knowledge, skill, training, experience, or education, sufficient up-to-date technical expertise and a measurable level of experience – preferably a minimum of five years of demonstrable experience dealing with cybersecurity or incident response – to act in a cyber-monitoring capacity. Also, the cybersecurity monitor should hold a minimum of one relevant technical certification. Instead, the present norm is the less beneficial periodic spot-checking undertaken by professionals who likely do not have the level of knowledge of the organization or an in-depth appreciation of the issues surrounding what gave rise to the settlement and need for remediation in the first place.

This seemingly minimalist approach to corporate cybersecurity monitoring is surprising because proper implementation of cybersecurity safeguards is, by design, meant to be tailored to a specific organization. It is not always clear, however, that proper implementation necessarily will satisfy regulators’ expectations. For example, many experts view the National Institute of Standards and Technology’s Framework for Improving Critical Infrastructure Cybersecurity (the “Cybersecurity Framework”) to be a benchmark for modern digital security implementation standards. In an apparent contradiction, the FTC has opined that (1) the Cybersecurity Framework is not something with which an organization can “comply,” and (2) even if an organization follows the NIST Cybersecurity Framework (which the FTC describes as “a set of industry standards and best practices to help organizations identify, assess, and manage cybersecurity risks”), that does not necessarily mean the organization’s cybersecurity policies will withstand regulatory scrutiny.[vi] Additionally, cybersecurity enforcement actions often are precipitated by incidents exposing sensitive third-party information, which in turn result in the near inevitable perceptions of an absence of cybersecurity buy-in from management teams and a failure to fully appreciate various cybersecurity risk vectors. Periodic spot-checks of corporate policies, and even of implemented practices, can miss these issues; meanwhile, an independent and informed monitor with appropriate in-depth knowledge of a company’s remedial efforts undertaken pursuant to a settlement agreement would be well-positioned to identify and remediate corporate deficiencies while simultaneously satisfying regulators’ expectations.

Properly addressing modern and emerging corporate and regulatory cybersecurity concerns demands a new compliance prism and model as part of settlement agreements with government agencies. Rather than simply accepting periodic external assessments, matters involving cybersecurity should be addressed more effectively through the use of a cyber-knowledgeable independent corporate monitor. That monitor will be able to appreciate the technical cyber and substantive needs of the subject company, have intimate knowledge of that company, and understand the goals and objectives of the regulatory body with the cyber-compliance expectations. Equally important is that the monitor will be in a position to ensure – from an informed position – that the company implements proper cybersecurity practices, and the Board, management and staff receive appropriate cyber-training. Thus, the not-too-distant future is now for cybersecurity monitoring and monitors.

[i] U.S. Securities & Exchange Commission, SEC Announces 2017 Examination Priorities (Jan. 12, 2017), https://www.sec.gov/news/pressrelease/2017-7.html

[ii] U.S. Securities & Exchange Commission, SEC Announces 2016 Examination Priorities (Jan. 11, 2016), https://www.sec.gov/news/pressrelease/2016-4.html

[iii] U.S. Securities & Exchange Commission, OCIE’s 2015 Cybersecurity Examination Initiative (Sept. 15, 2015), https://www.sec.gov/ocie/announcement/ocie-2015-cybersecurity-examination-initiative.pdf

[iv] E.g., Federal Trade Commission v. Wyndham Worldwide Corporation, 799 F.3d 236 (3d Cir. 2015); Federal Trade Commission v. D-Link Corp., No. 3:17-cv-00039 (N.D. Cal. Compl. filed Jan. 5, 2017)

[v] Yahoo! Inc., Form 10-K (filed Mar. 1, 2017), https://www.sec.gov/Archives/edgar/data/1011006/000119312517065791/d293630d10k.htm

[vi] See Andrea Arias, Fed. Trade Comm., The NIST Cybersecurity Framework and the FTC (Aug. 31, 2016), https://www.ftc.gov/news-events/blogs/business-blog/2016/08/nist-cybersecurity-framework-ftc

Boards and Business Executives Beware- Possible Liability For Data Breach

Publication by Michael Best
Albert Bianchi, Jr., Michelle L. Dama, Adrienne S. Ehrhardt
March 3, 2017, Client Alert

Executives and Board Members Could Face Liability for Data Breaches

By now, most everyone is aware that Yahoo was hacked in both 2013 and 2014 and had names, passwords, and other account data of between 500 million and one billion of its users stolen. Following the breach, various class action lawsuits brought against Yahoo by consumers and small business users of Yahoo ensued. The stolen data and lawsuits also caused Verizon to reduce its offer to purchase Yahoo by $350 million. Unfortunately for Yahoo, its inability to protect private account data has led to additional negative consequences.
In late February 2017, a group of Yahoo shareholders, led by the Oklahoma Firefighters Pension and Retirement System, sued Yahoo, as well as some of its executives and board members, including the chairman of its Board of Directors, a co-founder, and the current CEO, for breach of their fiduciary duty to the shareholders stemming from the stolen account data. Although the complaint is sealed (and thus unavailable to the public), the lawsuit, which appears to be the first of its kind, seems to assert that Yahoo and its executives breached their fiduciary duty to shareholders by failing to disclose the data security breaches to Yahoo account holders.
This lawsuit will be one to keep an eye on, to see whether a failure to properly handle a data breach, and possibly even the data breach itself, can be considered a breach of a fiduciary duty to shareholders. Although this case appears to be the first of its kind, if it continues moving forward it will undoubtedly spur similar cases against other entities that have suffered a security breach.
Other businesses that have been hacked and had personal account data stolen may be next in line for similar shareholder lawsuits. As such, the shareholder suit against Yahoo and its executives is yet another warning of how important it is for businesses to take the protection of personal data seriously. Whether the data is employee or customer information, businesses need to be on their guard and prepared both to prevent data breaches and to handle them when they occur.