A FEW SIMPLE STEPS THAT DIRECTORS CAN TAKE TO MINIMIZE DIRECTOR LIABILITY

Directors of Public Companies should take these steps. Substantial Privately-Owned and Family-Owned and Managed Companies would do well to take them as well.

With a few simple steps, directors can reduce the burden of these lawsuits and protect themselves from the most common tactics utilized by stockholders’ attorneys.

Seven Tactics for Minimizing Director Litigation Headaches

Published by Craig Zieminski and Andrew Jackson, July 10, 2017

Law firms that specialize in suing directors will scrutinize nearly every major transaction, public offering, stock drop, restatement, and press release filed by public companies. For instance, according to Cornerstone Research, stockholders file lawsuits challenging the majority of public company transactions valued at more than $100 million, with an average of three lawsuits per transaction. An effective defense of these almost-inevitable lawsuits can begin long before they are filed. With a few simple steps, directors can reduce the burden of these lawsuits and protect themselves from the most common tactics utilized by stockholders’ attorneys.

1. Vet conflicts early and often. Perhaps the easiest way to avoid fiduciary duty liability is to avoid situations where you have conflicting interests in a transaction or other board decision. Due to various protections under Delaware law, directors are rarely held liable for poor or ill-informed decisions if the directors are not self-interested (unless they are grossly negligent), and articles of incorporation almost universally protect directors from monetary damages for such decisions. By contrast, Delaware fiduciary duty law imposes exacting standards for directors who participate in board decisions when they have a material self-interest in that decision. Thus, any major board initiative should begin with a full analysis of each director’s potential self-interests, and this analysis should be updated throughout the initiative. Of course, this analysis requires you to stay organized with your outside business interests (e.g., your employer’s customers, suppliers, and competitors) and personal financial situation (e.g., ownership interests). Recusing yourself can be the stitch in time that saves nine.

2. Treat all board communications formally. The documents that often cause the most trouble in litigation are informal e-mails between two directors. Even if e-mails contain nothing objectively negative regarding the board decision at issue, such e-mails can raise questions about the board’s deliberative process, especially if the issue raised in an e-mail was not discussed with the full board. A skilled plaintiff’s counsel can often interpret a casually written message in an unintended manner. In most instances, if a director raises any concern outside of a board meeting, the full board should resolve that concern and memorialize the process in a contemporaneous document (e.g., the minutes). If you have said anything in an e-mail that is inconsistent with your ultimate vote on an issue—even if you were just playing “devil’s advocate”—you should be prepared to square your communications with your vote. In other words, make sure your concerns are resolved through the deliberative process before making your decision.

3. Maximize efficiency in pressing circumstances. Perhaps underestimating how quickly and diligently directors and their advisors can work in exigent circumstances, plaintiffs’ attorneys often allege that board decisions were too rushed. For instance, in one of the more infamous Delaware fiduciary duty decisions, a financial advisor did not send any valuation materials to a board of directors until 9:42 p.m. on the night that the directors met to vote on a merger. The board met at 11 p.m. and approved the merger that night. Tight deadlines are often unavoidable, but directors can take steps to maximize the efficiency of the process. For instance, request early drafts of meeting materials, make your advisors work around-the-clock when necessary, and don’t wait until the board meeting to ask questions. At the end of the day, you need to be able to honestly state that you had enough time to fully consider any issues or concerns and come to a reasoned decision. Use your resources efficiently to get to that point.

4. Make your advisors an asset, not a liability. The quality and independence of a board’s advisors is a direct reflection on the quality and independence of the board’s process. This scrutiny begins when a board (or committee) selects its outside advisors. Stockholders may cry foul if directors simply accept management’s recommended advisor, especially if any member of management may have a self-interest in the relevant transaction.

To avoid these common allegations, interview multiple advisory firms, thoroughly inspect their potential conflicts, and negotiate for a fee structure that aligns the advisor’s incentives with the best interests of the stockholders. Stockholders also regularly allege that advisors are “deal cheerleaders” who bend their analysis to support the board’s wishes. To rebut these allegations, insist that your advisors objectively analyze the relevant issues, and ask them to obtain the board’s approval for any significant assumptions, methodology decisions, and other subjective portions of their analyses. To the extent possible, you should also resist your advisors’ efforts to load their work-product with disclaimers. Above all, carefully analyze your advisors’ work-product, ask questions, and do not rely on their opinions until you understand and approve of the efforts and reasoning underlying those opinions.

5. Ensure that the meeting minutes fully reflect the process. We cannot overstate the importance of minutes in litigation against directors. First, judges and juries typically place more weight on contemporaneous records of a board decision than after-the-fact testimony. Second, depositions often happen several months (if not years) after a challenged board decision, and minutes are an important tool for refreshing directors’ memories. Ask the board secretary to draft minutes promptly after a board meeting so that you can review them while the meeting is still fresh on your mind. When reviewing minutes, make sure that they accurately reflect a summary of the issues discussed, the specifics of any decisions reached, and a list of all attendees (plus mid-meeting arrivals and departures). Not every single statement made during a meeting can or should be part of the minutes, but it is important for the minutes to reflect every topic discussed at the meeting. Ask yourself: “If I’m questioned about this meeting at a deposition next year, will these minutes help me answer questions and show the court that we fulfilled our duties?”

6. Know the boundaries of the attorney-client privilege. The attorney-client privilege is not a guarantee that all correspondences with counsel are shielded from discovery. For instance, contrary to many directors’ (and attorneys’) beliefs, the attorney-client privilege does not protect every e-mail on which an attorney is copied. Rather, an e-mail is generally privileged only if the correspondence is sent in furtherance of requesting or providing legal advice. Parties in litigation are often required to redact the “legal advice” portion of e-mails and produce the remaining portions. Thus, an e-mail (or a portion of an e-mail) concerning purely business issues might not be shielded from production. Additionally, communications with certain persons that would ordinarily be privileged, including in-house and outside counsel, may not be privileged under certain circumstances. Further, even if a document is undisputedly privileged, litigants sometimes waive the attorney-client privilege for strategic reasons, such as when the board asserts that it made a challenged decision in reliance on advice from counsel. While it is vital to have open and honest communications with your counsel, it is also important to remember that those communications may be shown to an opposing party. If there is something you would not write down in a non-privileged e-mail, then consider calling your attorney instead of sending an e-mail.

7. Use a board-specific e-mail address. By exclusively using a non-personal e-mail address for board-related correspondences, you can significantly reduce the odds of personal e-mails (or e-mails concerning your other business endeavors) becoming subject to discovery. Too often, we see directors using their “day job” e-mail addresses for their directorial correspondences; this can lead to situations where your employer’s confidential information must be copied, reviewed by your outside counsel, or (worse yet) produced to the opposing party in litigation. The same holds true for personal e-mail addresses, which some directors use for their family’s bank statements and board-related e-mails. The best way to potentially avoid this situation is to proactively segregate board-related e-mails to a different e-mail account. Some companies create e-mail addresses for their directors. If yours does not, consider creating an e-mail account and conducting board-related business solely from that address.

Craig Zieminski and Andrew Jackson are litigation attorneys at Vinson & Elkins LLP. They specialize in representing companies and their directors in lawsuits alleging breaches of fiduciary duties, partnership agreement duties, merger agreements, and federal securities laws.

Director Liability And Protection. Developments, Strategies, Trends.

by Pepper Hamilton LLP

Directors and officers are exposed to potential liability from suits by the company, shareholders, and debt holders, among others. There are, however, a number of protections available to protect the assets of directors and officers.

Published in the December 2017 issue of INSIGHTS (Volume 31, Number 12). INSIGHTS is published monthly by Wolters Kluwer, 76 Ninth Avenue, New York, NY 10011. For article reprints, contact Wrights Media at 1.877.652.5295. Reprinted here with permission.

Being a corporate director or officer can be risky business, especially for those involved with public companies. Directors and officers (Ds&Os) are exposed to lawsuits by the company, corporate successors, shareholders, debt holders, employees, bankruptcy trustees and governments. The building blocks of asset protection for Ds&Os are outlined in this article, as well as basic securities and fiduciary liability principles, updates on relevant government enforcement policies under the Trump Administration, and implications for D&O liability insurance coverage.

As discussed here, private securities claims and derivative suits against public company directors and officers are on a powerful upswing, with an unprecedented number of new lawsuits filed in 2017. Meanwhile, under the Trump administration, there are signs of a possible easing of government enforcement actions as the Department of Justice and SEC review prior policies governing corporate cooperation credit and the pursuit of individuals responsible for corporate wrongdoing. In these changing and challenging times, it is important for directors, officers and companies to review their corporate articles, bylaws, contracts and insurance to assure that corporate commitments and policies for protecting Ds&Os fit the needs of the company for balance sheet protection, flexibility and the exercise of discretion, and also satisfy the needs of Ds&Os for reliable and adequate sources of indemnity and advancement.

Asset Protection Overview

Lawsuits and demands against Ds&Os often materialize as claims for alleged violations of securities laws or breaches of fiduciary duties owed to the company or its stockholders. Directors and officers have several potential layers of protection for out-of-pocket expenses and losses, including legal costs, settlements and even judgments.

Statutory Corporate Indemnity and Advancement

State corporations laws permit or require companies to indemnify directors, officers, and employees who are forced to incur costs to defend or protect themselves in lawsuits or proceedings involving their work. Delaware and California law require indemnification of directors and officers who succeed in defending themselves—in Delaware “on the merits or otherwise” and in California “on the merits.”1

Delaware and California law also permit (but do not require) indemnification for defense costs, judgments, fines and settlements incurred by directors, officers and employees who acted “in good faith and in a manner reasonably believed to be in or not opposed to the best interests of the corporation” or, in a criminal matter, “had no reasonable cause to believe the conduct was unlawful.”2

These are known as the “minimum standards of conduct” for permissive corporate indemnification. A corporation is not legally permitted to indemnify an individual for expenses resulting from conduct that fails to meet these standards. Nor may a corporation indemnify an individual for a judgment of monetary liability to the corporation itself.

Rather than face a potential non-indemnifiable liability, cases against Ds&Os generally settle, if they are not dismissed on pre-trial motions. Corporate laws permit a corporation to advance legal expenses prior to any final determination of whether an individual met the minimum standards of conduct for indemnification. In Delaware and California, corporations may advance defense costs if the individual promises to repay the money if he or she is later found not to have met the minimum standards of conduct for indemnification.3

In order to attract high quality Ds&Os to serve, many companies commit to indemnification and advancement of their Ds&Os in the articles of incorporation or bylaws “to the greatest extent permitted by law.” This language effectively makes permissive indemnification and advancement mandatory.

Contractual Indemnity and Advancement

Directors and officers can strengthen their rights to corporate indemnity and advancement by requiring, as a condition of employment, that the company enter into a private contract stating the terms of its obligation to indemnify and advance.4 Then, if later changes in the articles, bylaws, ownership, key decision-makers or policies are disadvantageous to a director or officer, the company is bound by its contractual agreements to them. These private agreements usually contain presumptions, burdens of proof, timetables and other terms that favor individuals and generally continue in force after the employment relationship or directorship ends.

Exculpation

Many states also permit companies to limit the personal liability of directors (but not of officers) to the corporation and its stockholders with an “exculpation” provision in the articles of incorporation. These provisions excuse directors from personal monetary liability to the company and its shareholders for breach of the fiduciary duty of care. Corporate laws do not permit exculpation, however, for breach of the fiduciary duty of loyalty, bad faith, intentional misconduct, knowing violations of law, transactions resulting in an improper personal benefit, or improper payment of corporate dividends.5

Third-Party Insurance

The final layer of asset protection is D&O liability insurance purchased by the company to protect corporate assets and provide coverage for Ds&Os when the company cannot or will not indemnify them. D&O liability insurance is designed to pay losses (including legal fees) for defending against allegations of “wrongful acts,” such as violations of securities laws or breaches of fiduciary duty, that result in damages to the company, its stockholders or investors.

Most D&O liability policies contain multiple products in a single policy. A traditional “ABC” policy covers personal asset protection and corporate balance sheet protection. Side A covers directors and officers when the corporation cannot or will not indemnify them—such as when it is insolvent, chooses to withhold indemnity, or concludes that an individual failed to meet the minimum standards of conduct. Side B reimburses the corporation for indemnification paid to directors and officers. Side C covers the corporation when it is named in a securities action. Finally, excess Side A DIC (difference in conditions) coverage is dedicated coverage for directors and officers that is not “shared” with the corporation. Side A DIC provides coverage in excess of a tower of primary and excess policies and, among other attributes, “drops down” to replace an underlying insurer if it becomes insolvent.

Although D&O policies provide coverage for claims alleging “wrongful acts,” they exclude coverage for willful or intentional misconduct, which is uninsurable as a matter of law and public policy. That said, insurance can provide coverage for conduct that would not be indemnifiable by the corporation, such as non-exculpable failure of oversight or forms of “bad faith” that do not rise to the level of intentional misconduct. Corporate laws generally allow companies to buy D&O insurance for nonindemnifiable claims.6

Liability Standards—Securities Laws

Corporate directors and officers have potential exposure under both state and federal laws for securities law violations, which commonly are based on allegedly misleading disclosures to investors or illegal sales of securities. Liability for securities violations ranges from mere negligence to intentional wrongdoing. Federal law preempts state law in securities fraud class actions.7

Section 10(b) of the Securities Exchange Act of 1934 (Exchange Act) is the workhorse most often invoked against directors and officers in private securities litigation. Federal courts have exclusive jurisdiction over Section 10(b) cases, and most federal circuit courts have concluded that “recklessness” satisfies the mental state required to prove liability—although the U.S. Supreme Court has never determined whether “reckless” conduct is sufficient.8

Federal securities fraud class action filings hit a record pace in 2017, with the most new case filings since enactment of the Private Securities Litigation Reform Act of 1995 (PSLRA). The PSLRA set up legal hurdles and protections for companies, directors and officers, designed to weed out meritless claims at the pleading stage, often filed on little more than accusations of prior disclosure fraud when disappointing news results in a stock price decline.9

Sections 11 and 12 of the Securities Act of 1933 (Securities Act) are invoked against Ds&Os less frequently than Section 10(b) because they apply in narrower circumstances.10 Section 11 is designed to redress material misstatements in a registration statement, and most often invoked following a public offering, when stockholders can trace their purchases to a particular registration statement. Section 12 is designed to redress the illegal sale of unregistered securities and material misstatements in prospectuses and other offering materials. Ds&Os can defend themselves against misrepresentation claims under Sections 11 and 12 by demonstrating their due diligence and that they “had no reasonable ground to believe and did not believe” that the challenged statements were untrue when made.11

In 2017, the United States Supreme Court took up an important issue in Cyan Inc. v. Beaver County Employees Retirement Fund,12 about whether state courts have jurisdiction over claims filed under the Securities Act. From the mid-1990s until recently, plaintiffs brought Section 11 and Section 12 claims in federal court, where many of the PSLRA’s protections operate through the federal rules of civil procedure.13 However, federal courts in California parted company with other jurisdictions by holding that state courts retain jurisdiction over 1933 Act claims. If the Supreme Court agrees, then public companies—especially new companies following an IPO—will face the prospect of securities class actions in state courts that lack familiarity with the federal securities laws and are not obliged to enforce some of the procedural protections contemplated by the PSLRA—thus, increasing D&O liability risk.

Liability Standards—State Fiduciary Duties

The liability of directors and officers for breach of fiduciary duties owed to the corporation or its stockholders is governed by state law—usually the state of incorporation.14 In Delaware, gross negligence violates the fiduciary duty of care.15 In California, directors and officers are held to a standard of ordinary negligence, except that directors, unlike officers, have no liability if they act in good faith and in reasonable reliance on others.16

Duty of Care: The Business Judgment Rule

The first line of defense in a breach of fiduciary duty case is the business judgment rule (BJR). By statute or common law, depending on the state, the BJR immunizes directors for decisions made in good faith and on an informed business basis, even if those decisions result in losses to the company or its stockholders. In Delaware, it is unsettled whether the BJR protects both directors and officers; in California, it protects only directors.17

Many states, including Delaware and California, recognize a presumption that disinterested directors acted in good faith and on an informed basis, and put the burden on plaintiffs to rebut the presumption that the BJR applies to a given board decision.

Where the BJR applies, courts are expected to defer to a board’s decision about managing corporate affairs.18 Even if a board’s business judgment is “substantively wrong, or degrees of wrong extending through ‘stupid’ to ‘egregious’ or ‘irrational,’ ” no court should second-guess it and no director should have liability for it as long as “the process employed was either rational or employed in a good faith effort to advance corporate interests.”19

Business judgments that result in waste of corporate assets, however, are not recognized as valid and could expose directors to personal liability. But “waste” is a transaction “so one-sided that no business person of ordinary, sound judgment could conclude that the corporation has received adequate consideration.”20

Duty of Loyalty and Good Faith

Directors are not entitled to corporate indemnification—nor exculpated from personal liability—for breaches of the duty of loyalty or bad faith. “Bad faith” and the absence of good faith are “two sides of the same coin.”21 Bad faith in its “most extreme form” involves “the conscious doing of a wrong because of [a] dishonest purpose,” or “intentionally fail[ing] to act in the face of a known duty to act, demonstrating a conscious disregard for [his or her] duties.”22 In order to win a money judgment against directors, plaintiffs must allege and prove a non-exculpable breach of the duty of loyalty or bad faith. Accordingly, plaintiffs often allege that directors “consciously disregarded” a duty to intervene in events that are harmful to the company or its stockholders, or that they approved or engaged in transactions for self-interested reasons, knowing that their actions were not in the best interests of the company or its stockholders.

A transaction is self-interested when a director stands on both sides of it or is influenced by someone whose interests are across the table from the corporation’s interests. It is important to note that Ds&Os engage in business transactions with their companies not infrequently. These transactions are not inherently wrongful. Rather, the transaction will be subject to heightened judicial scrutiny, and the burden rests on the self-interested director to prove that the transaction was “entirely fair” to the corporation.23 This heightened scrutiny and burden expose the director to the risk of a finding that the director obtained a personal benefit that he or she knew was opposed to the best interests of the corporation or its shareholders—i.e., non-exculpable, non-indemnifiable conduct.

Liability for Failure of Oversight Under Caremark

Directors also face non-exculpable, non-indemnifiable liability exposure for a failure of corporate oversight that amounts to breach of loyalty. Under the Delaware Court of Chancery’s Caremark decision, directors face liability for breach of loyalty when “a loss eventuates not from a [business] decision but, from unconsidered inaction.”24 Directors may be liable if they knew or should have known that violations of law were occurring within the corporation and yet failed to take steps to prevent or remedy the situation. Directors must assure themselves that “information and reporting systems” exist that are reasonably designed to provide timely and accurate information sufficient to allow them to make informed judgments “concerning both the corporation’s compliance with law and its business performance.”25 “[A] sustained or systematic failure of the board to exercise oversight—such as an utter failure to attempt to assure a reasonable information and reporting system exists—will establish the lack of good faith that is a necessary condition to liability.”26

Because liability under Caremark is based on bad faith amounting to breach of the duty of loyalty, the company cannot indemnify a culpable director or officer. This narrows the potential source of indemnity to D&O insurance. A company may indemnify and advance legal fees and settlement costs, however, before a final determination of liability—which naturally tends to drive failure of oversight cases to settlement.

Government Investigations Focusing on Individual Wrongdoing

The federal titans of securities law enforcement—the Department of Justice (DOJ) and the Securities and Exchange Commission (SEC)—have policies that encourage aggressive pursuit of individuals, both as sources of information and targets of enforcement action. These policies have negative implications for D&O defense.

The DOJ Policy

In a September 2015 memorandum by then-Deputy Attorney General Sally Yates, the DOJ announced a policy to more aggressively pursue individuals.27 This announcement followed an uptick in the number of individuals charged under the Foreign Corrupt Practices Act (FCPA) and the False Claims Act. Statements out of the DOJ under the new administration have raised some uncertainty about whether the policy will continue in full force.

The Yates Memo gave federal prosecutors and investigators guidance on “key steps” to strengthen pursuit of individuals for corporate misconduct. In order to gain “any” credit for cooperation, companies must turn over “all relevant facts” relating to conduct of individuals responsible for corporate misconduct. Both civil and criminal enforcement attorneys are to focus on individuals at the inception of an investigation and share information with each other. Enforcement attorneys may not agree to a settlement that protects individuals or resolves a corporate case without a clear plan to resolve individual cases. Finally, civil attorneys must consider actions for monetary recovery against culpable individuals regardless of ability to pay.

While the impact of the Yates Memo is still playing out, some commentators have noted a counterintuitive drop in FCPA enforcement actions against individuals.28 In a speech at New York University Law School in October 2017, Deputy Attorney General Rosenstein stated that while the Yates Memo is “under review” and subject to change, the policy of focusing on individual accountability for corporate wrongdoing will continue under the current administration.29 On the other hand, in a November 17, 2017 press release, Attorney General Sessions may have been alluding to the Yates Memo in declaring an end to the DOJ “practice” of blurring regulations and “guidance,” stating that the DOJ “will proactively work to rescind existing guidance documents that go too far.”30

The Yates Memo policies of targeting individuals responsible for corporate wrongdoing present challenges to the protective use of corporate indemnity and third-party insurance. The criteria for obtaining cooperation credit pit companies against directors and officers in positions of oversight. Those potentially in harm’s way will want separate legal counsel early in any internal or government investigation, for which they will look to the company for immediate advancement. Third-party insurance may not be available to defray the cost because coverage generally is triggered by a claim for money and often provides only limited coverage, if any, to cover an investigation.

This dynamic increases the importance of careful consideration of potential conflicts that may require separate counsel for various corporate actors, which can spiral into a full-employment-act for lawyers unless carefully managed. At the same time, companies seeking to curry favor with the government may wish to maximize flexibility to refuse advancement to individuals perceived by the DOJ as potential wrongdoers. Of course, there may be legal limitations on a corporation’s ability to refuse advancement.

The DOJ’s cooperation program tends to make government investigations more complex and longer-running, and to foster more tension between and among Ds&Os who are under scrutiny and boards of directors or committees that are leading internal investigations. If an investigation leads to self-reporting of a violation of law, or an enforcement action based on, for example, information provided by a whistleblower, it may take longer for companies to settle while individual culpability remains under consideration. To assess the adequacy of D&O defense and protection, companies should reevaluate their indemnification and advancement bylaws, as well as insurance coverage, retention limits, excess coverage, policy language and exclusions, and Side A coverage for individuals.

SEC Policy

The SEC’s policies of pursuing individuals responsible for corporate securities violations have been endorsed under the Trump administration and raise many of the same challenges discussed above. A more recent SEC policy of requiring companies and individuals to admit wrongdoing in some cases as a condition of settlement further negatively impacts the D&O safety nets of indemnity and insurance.

Pursuit of individuals. SEC initiatives launched in 2010 and 2011 encourage individuals to cooperate and report corporate wrongdoing. The 2010 “Enforcement Cooperation Initiative” offers deferred prosecution agreements and non-prosecution agreements in exchange for cooperation,31 while the 2011 Whistleblower Program, implemented pursuant to the Dodd-Frank Wall Street Reform and Consumer Protection Act, provides life-changing bounty awards for tips leading to successful enforcement actions, including against compliance officers and other gatekeepers.32

These programs operate in tandem with the SEC’s longstanding policy of encouraging corporate cooperation with SEC enforcement through self-reporting, self-remediation, and punishing and turning over individuals responsible for corporate wrongdoing. The 2001 Seaboard Guidelines, published in an SEC report of investigation, articulate the framework by which the SEC evaluates corporate cooperation, including factors considered in determining whether, and to what extent, the SEC will grant leniency for cooperating.33

These programs appear to be here to stay under the Trump administration, although details may be tweaked. The Whistleblower Program has continued to generate large rewards. An October 2017 SEC report announced that the total awards under the program have reached $162 million to 47 whistleblowers.34 A co-director of the SEC’s Division of Enforcement recently confirmed that the Seaboard Guidelines also will remain in effect, while acknowledging that the SEC should be more specific about the exact benefits of cooperation and provide greater transparency about why cooperation credit is granted or denied.35

Admissions of wrongdoing. In June 2013, then-SEC Chair Mary Jo White announced a shift in policy to seek more admissions of wrongdoing in settlements—a departure from the SEC’s longstanding practice of permitting settling parties to “neither admit nor deny” wrongdoing. According to a March 2015 article in The New York Times, the SEC had generated admissions of culpability in at least 18 different cases involving 19 companies and 10 individuals. In 2017, however, a co-director of the SEC Enforcement Division stated that, while the SEC supports having companies and individuals that admit wrongdoing to other agencies make similar admissions to the SEC, the “harder piece” is deciding whether to continue a policy of departing from the SEC’s “neither admit nor deny” practice.

The SEC’s policies of pursuing individual wrongdoers and seeking corporate cooperation raise the same issues discussed above regarding the DOJ policies of targeting individuals—i.e., more requests for separate counsel, advancement and indemnification, longer investigations, heightened tension between internal investigators and the subjects of investigation, and greater importance of Side A D&O insurance coverage.

Further, an admission of wrongdoing in an SEC settlement limits the ability of a settling director or officer to access corporate indemnity if the admission is deemed to establish non-indemnifiable conduct. Insurance may not be available to fill the gap because coverage for SEC investigations (as opposed to money damages claims) often is unavailable or limited, and there is no coverage for intentional wrongdoing. Ds&Os who admit liability also risk being unable to access corporate or insurance funds for defense in parallel or follow-on securities litigation, derivative suits and criminal proceedings.

Corporate D&O Litigation

M&A Lawsuits

Until 2016, whenever a public company was sold, the selling company’s board invariably found itself on the receiving end of a class action lawsuit for breach of fiduciary duty to the selling stockholders. So-called “merger objection” lawsuits typically were filed by stockholders of the selling company claiming that the directors and officers breached their fiduciary duties in negotiating the merger price and terms, agreeing to a price that was too low, and approving deficient proxy disclosures. As of the end of 2014, a leading research firm reported that more than 90 percent of merger and acquisition (M&A) transactions above $100 million had ended up in litigation since 2009.36

Historically, most M&A cases were resolved by settlement before the merger closed based on the defendants’ agreement to make additional disclosures or minor adjustments in the deal terms, along with a negotiated fee to the plaintiff’s attorneys, in exchange for a broad release of D&O liability. Those settlements, until recently, were routinely approved.37 In these early settlements, directors never faced a real prospect of out-of-pocket liability exposure.

Recently, however, more M&A cases are being litigated as traditional class actions for money damages after the merger closes.38 This trend has serious liability implications for directors. In order to obtain a judgment for money damages, plaintiffs must prove non-exculpable conduct. This requires proof of self-dealing, bad faith or breach of the duty of loyalty—all of which expose directors to out-of-pocket, non-indemnifiable loss, leaving directors to rely on Side A insurance to fill a potential corporate indemnity gap. It is often unclear exactly what degree of wrongful conduct, however, may be insured.

Two factors are driving the trend toward post-closing merger class actions. First, the Delaware Court of Chancery has taken a stand against broad releases in exchange for “a peppercorn and a fee,” refusing to approve pre-closing nonmonetary settlements. In January 2016, the Court of Chancery embraced the mounting criticism of these settlements and rejected a disclosure-only settlement in In re Trulia Inc. Securities Litigation.39 Trulia echoed the analysis in Acevedo v. Aeroflex Holding Corp., where the Court of Chancery harshly criticized “disclosure-only” settlements stating that they “do not provide any identifiable much less quantifiable benefit to stockholders” and that “ubiquitous merger litigation is simply a deadweight loss.”40 The Court in Aeroflex gave the plaintiffs three choices: (1) declare the claims moot based on the enhanced disclosures and seek attorneys’ fees; (2) propose a settlement limiting release of the directors to Delaware fiduciary duty claims; or (3) litigate the case.41 None of those choices would provide the defendants with broad releases from personal liability.

Second, the trend toward post-closing merger class action cases is fueled by the high potential dollar recovery. Plaintiffs now are filing many of these cases in federal court (to avoid Delaware).42 Although the cases are subject to a high dismissal rate, the rewards of surviving a motion to dismiss are potentially considerable. But again, in order to win a judgment against corporate directors, plaintiffs must establish non-exculpable liability—such as breach of loyalty—which is not indemnifiable by the company. Individual defendants, who usually have parted ways with the company under new ownership, are highly motivated to encourage a class-wide settlement with insurance dollars rather than face risk of personal liability at trial, even on weak or patently unmeritorious claims.

Derivative Suits

Derivative suits against corporate officers and directors historically have presented a low risk of liability for Ds&Os and low returns for plaintiff’s firms. Generally, cases are filed in the wake of securities class actions and settled for minor prophylactic measures, such as corporate governance improvements, and a relatively small fee award. Recently, however, derivative suits have gained traction after high-profile cases resulted in large settlements, including $275 million for Activision Blizzard (2014), $139 million for News Corp. (2013), $137.5 million for Freeport-McMoRan (2015), and $62.5 million for Bank of America Merrill Lynch (2012), among others.43

Stockholders seeking to sue on behalf of a company must establish their standing to assert the company’s claims, which normally are controlled by the board. Stockholders must first make a demand on the board to bring the desired action, or else establish that demand would be futile because a majority of the directors are too conflicted to exercise valid business judgment on a demand.44 In response to a demand, the board must investigate and make a business decision about whether it is in the best interest of the company to take the action demanded. If the demand is refused, courts should defer to the board’s business judgment and dismiss the case without considering the underlying merits of the claims.45

While the odds that plaintiffs will get past the pleading stage in a derivative suit are low, the potential payoff is high, as the settlements cited above suggest. As in the merger litigation context, plaintiffs must prove that defendant directors engaged in non-exculpable wrongdoing (bad faith, breach of loyalty), which generally cannot be indemnified by the company. Further, companies cannot indemnify directors and officers for a judgment of monetary liability in favor of the company, regardless of the theory. Thus, defendants face theoretical out-of-pocket liability in derivative suits. The primary defense strategy is to obtain dismissal based on plaintiffs’ lack of standing, regardless of the underlying merits of the claim. All else being equal, a settlement funded by D&O insurance is preferable to trial.

Plaintiffs have gained leverage in derivative suits based on recent Delaware decisions that allow more expansive pre-suit stockholder access to “books and records,” enabling plaintiffs to investigate D&O wrongdoing and file better complaints.46 Delaware courts have long encouraged stockholders to use Section 220 of the Delaware General Corporation Law to obtain nonpublic books and records before bringing derivative actions.47 To obtain corporate records, a would-be stockholder plaintiff need only show a “credible basis from which fiduciary misconduct could be inferred.”48

In 2014, the Delaware Supreme Court upheld a Court of Chancery decision enforcing a “books and records” demand by Wal-Mart stockholders to investigate an ongoing Wal-Mart internal investigation of alleged FCPA violations in Mexico. The court required Wal-Mart to comply with demands to search back-up tapes and to produce lower-level officer documents that were never seen by the board and certain privileged attorney-client communications.49 With such extensive information, plaintiffs in theory are better able to craft derivative complaints that stand a chance of survival at the pleading stage.

Coverage and Indemnity Implications

D&O coverage typically is triggered by a demand for money—not by a demand for corporate “books and records” or a demand that a board of directors investigate and bring suit on behalf of a company. Yet, these demands are serious precursors to derivative litigation against D&O defendants. Some D&O policies provide limited coverage to defray corporate costs of the board’s investigation in response to a demand. But this is only part of the cost. Individual Ds&Os who are questioned in the board investigation may seek separate counsel and request corporate advancement and indemnification. If the derivative suit were to result in a judgment in favor of the company, the culpable Ds&Os could not look to the company to defray the cost, and would need to call upon Side A insurance coverage.

Conclusion

If you are a director or officer of a public company, or considering a board position with a public company, it is a good idea to invest in a legal checkup on the company’s indemnification and advancement articles, bylaws, policies and agreements, and a review of its D&O liability coverage.

Endnotes

1 Del. Gen. Corp. Law § 145(c) (emphasis added); Cal. Corp. Code § 317(d) (emphasis added); Cal. Lab. Code § 2802 (mandating indemnification of employees for expenses incurred in the discharge of lawful duties).

2 Del. Gen. Corp. Law §§ 145(a) and (b); Cal. Corp. Code § 317(b).

3 Del. Gen. Corp. Law § 145(e); Cal. Corp. Code § 317(f).

4 Del. Gen. Corp. Law § 145(f); Cal. Corp. Code §§ 317(g) and (i).

5 Del. Gen. Corp. Law § 102(b)(7); Cal. Corp. Code § 204.

6 Del. Gen. Corp. Law § 145(g); Cal. Corp. Code § 317(i).

7 The 1995 Private Securities Litigation Reform Act preempted state securities laws in class actions alleging securities fraud. 15 U.S.C. § 78u-4.

8 Tellabs, Inc. v. Makor Issues & Rights, Ltd., 551 U.S. 308 (2007).

9 Cornerstone Research, Securities Class Action Filings, 2017 Midyear Assessment, available at https://www.cornerstone.com.

10 Section 11, 15 U.S.C. § 77k; Section 12, 15 U.S.C. § 77l.

11 Section 11(b)(1); 15 U.S.C. § 77k(b)(1); Section 12(a)(2), 15 U.S.C. § 77l(a)(2).

12 Cyan, Inc. v. Beaver County Employees Retirement Fund, Case No. 15-1439.

13 The Securities Litigation Uniform Standards Act of 1998, Pub. L. No. 105-353, 112 Stat. 3227, was designed to preempt state jurisdiction over securities fraud class actions, and was widely understood to apply to claims under the Securities Act of 1933, superseding federal law conferring concurrent state and federal jurisdiction. Compare 15 U.S.C. § 77v with 15 U.S.C. §77(p) (SLUSA).

14 Under the “internal affairs doctrine,” the law of the state of incorporation governs the rights and duties among corporate constituencies. Edgar v. MITE Corp., 457 U.S. 624, 645 (1982). By statute, California law regulates director conduct and other internal affairs of companies that merely do business in the state. Cal. Corp. Code § 2115.

15 Gantler v. Stevens, 965 A.2d 695, 708-09 (Del. 2009).

16 Cal. Corp. Code § 309 (the standard of care is ordinary negligence – action “with such care, including reasonable inquiry, as an ordinarily prudent person in a like position would use under similar circumstances.”). Directors, however, are immune from liability if they act in good faith and in reasonable reliance on others, which is tantamount to a gross negligence standard. Katz v. Chevron Corp., 22 Cal. App. 4th 1352, 1366 (1994).

17 FDIC v. Perry, No. CV 11-5561 ODW (MRWx) (C.D. Cal. Dec. 13, 2011); Gaillard v. Naomasa Co., 208 Cal. App.3d 1250, 1264 (1989).

18 Cal. Corp. Code § 309; Lee v. Insurance Exch., 50 Cal. App. 4th 694 (1996); Aronson v. Lewis, 473 A.2d 805, 812 (Del. 1984).

19 In re Caremark Int’l Deriv. Litig., 698 A.2d 959, 967 (Del. Ch. 1996) (emphasis in original).

20 In re Walt Disney Co. Deriv. Litig., 906 A.2d 27, 74 (Del. 2006); see also In re Walt Disney Co. Derivative Litigation, 907 A.2d 693, 749 (Del. Ch. 2005) (“waste is very rarely found in Delaware courts … . committing waste is an act of bad faith”).

21 In re Dole Food Co. Stockholder Litig., 2015 Del. Ch. LEXIS 223, at *129 (Aug. 27, 2015).

22 Id. at *129-30 (quoting McGowan v. Ferro, 859 A.2d 1012, 1036 (Del. Ch. 2004)).

23 See Guth v. Loft, 5 A.2d 503, 510 (Del. Ch. 1939).

24 In re Caremark Int’l Inc. Deriv. Litig., 698 A.2d 959, 967-968 (Del. Ch. 1996); see also Stone v. Ritter, 911 A.2d 362, 365 (Del. 2006) (confirming that “Caremark articulates the necessary conditions for assessing director oversight liability”).

25 Caremark, 698 A.2d at 970.

26 Id. at 971.

27 Sally Quillian Yates, Individual Accountability for Corporate Wrongdoing, Dep’t of Justice, available at http://www.justice.gov/dag/file/769036/download.

28 Sharon Oded, “Yates Memo – Time for Reassessment?,” Compliance and Enforcement, available at https://wp.nyu.edu/compliance_enforcement/2017/04/20/yates-memo-time-for-reassessment/#_edn4.

29 Kevin LaCroix, “Deputy AG Emphasizes Continued Individual Accountability for Corporate Misconduct,” D&O Diary blog, October 31, 2017 available at https://www.dandodiary.com/2017/10/articles/director-andofficer-liability/deputy-ag-emphasizes-continuedindividual-accountability-corporate-misconduct/.

30 Attorney General Jeff Sessions Ends the Department’s Practice of Regulation by Guidance, press release (Nov. 17, 2017), available at https://www.justice.gov.

31 SEC Spotlight, “Enforcement Cooperation Program,” available at https://www.sec.gov/spotlight/enforcementcooperation-initiative.shtml.

32 The SEC’s website announces huge awards. https://www.sec.gov/spotlight/whistleblower-awards. See https://www.sec.gov/spotlight/dodd-frank/whistleblower.shtml (background of the Whistleblower program).

33 Report of Investigation Pursuant to Section 21(a) of the Securities Exchange Act of 1934 and Commission Statement on the Relationship of Cooperation to Agency Enforcement Decisions, https://www.sec.gov/litigation/investreport/34-4969.htm.

34 SEC Press Release, October 12, 2017, available at https://www.sec.gov/news/press-release/2017-195.

35 Andrew Ramonas, “SEC Should Clarify Path to Cooperation Perks in Cases: Official,” Bloomberg BNA, Oct. 26, 2017, available at https://www.bna.com/sec-clarify-path-n73014471401/.

36 Cornerstone Research, Shareholder Litigation Involving Acquisitions of Public Companies, Review of 2014 M&A Litigation, at 1, available at https://www.cornerstone.com [“2014 M&A Litigation”].

37 Acevedo v. Aeroflex Holding Corp., C.A. No. 7930-VCL, transcript of settlement hearing at 63-65, July 8, 2015 (Laster, V.C.) (quoting Solomon v. Pathé Communications Corp., 1995 Del. Ch. LEXIS 46, C.A. No. 12,563 (Del. Ch. Apr. 21, 1995) (Allen, C.)).

38 2014 M&A Litigation, supra note 37, at 1.

39 In re Trulia Inc. Sec. Lit., 129 A.3d 884 (2016).

40 Acevedo v. Aeroflex Holding Corp., No. 7930-CVL, at 63-65 (transcript of settlement hearing).

41 Id. at 74-76.

42 Cornerstone Research, Securities Class Action Filings, 2016 Year in Review, at 11-12, available at https://www.cornerstone.com.

43 See Kevin LaCroix, Largest Derivative Lawsuit Settlements, D&O Diary blog, Dec. 5, 2014, available at http://www.dandodiary.com/2014/12/articles/shareholdersderivative-litigation/largest-derivative-lawsuitsettlements.

44 See Aronson v. Lewis, 473 A.2d 805, 818 (Del. 1984) (holding that a stockholder may pursue a derivative suit in the absence of a pre-suit demand on the corporation’s board of directors only if the stockholder’s complaint contains allegations of fact sufficient to create a reasonable doubt (1) that the directors are disinterested and independent or (2) that the challenged transaction was otherwise the product of valid business judgment).

45 See, e.g., Cuker v. Mikalauskas, 692 A.2d 1042, 1045 (Pa. 1997) (the BJR permits the board of directors of a Pennsylvania corporation to reject a demand or terminate a derivative suit brought by the corporation’s stockholders); Zapata Corp. v. Maldonado, 430 A.2d 779, 788 (Del. 1981) (describing standard and proceedings in Delaware for dismissal of derivative claims based on the business judgment of an independent committee).

46 For example, the court in King v. VeriFone Holdings, Inc., 12 A.3d 1140 (Del. 2011), enforced an inspection demand under Delaware General Corporation Law section 220 in order to enable stockholders to take discovery and file a better derivative complaint after the first was dismissed for failure to plead that a pre-suit demand on the board would have been futile.

47 VeriFone Holdings, 12 A.3d at 1150 n.64 (citing cases).

48 Polygon Global Opportunities Master Fund v. W. Corp., 2006 Del. Ch. LEXIS 179 (Oct. 12, 2006).

49 Walmart v. IBEW, No. 13-614 (Del. July 23, 2014).

Businesses And Boards-Curing A “Defective Corporate Act” Under Delaware Law

WRITTEN BY:

Fox Rothschild LLP

The Problem
As every founder knows, starting and scaling a company is an extremely difficult and multi-faceted undertaking. In addition to the primary goals of developing a viable product, finding (and in some cases building from scratch) a robust market, and raising the capital necessary to sustain and scale their business and operations, founders and their core teams also grapple with the day-to-day management and operations of a growing enterprise, whether that be personnel issues, forecasting cash needs and burn rates or tackling the legal and regulatory hurdles that often go hand-in-hand with the creation of disruptive technologies. Unfortunately, given the size and complexity of the average founder’s workload, it is no surprise that emerging companies of all sizes occasionally neglect to heed the advice of their attorneys and ensure that any and all corporate actions taken by the company and its officers are properly authorized and, if necessary, approved by the company’s Board and stockholders.

The Exposure
Under the Delaware General Corporation Law (the “DGCL”) otherwise permissible corporate acts that do not satisfy the consent and other procedural requirements of the DGCL, the corporation’s organizational documents or any other agreement to which the corporation is a party, are deemed to be “defective corporate acts” and are generally held to be void and of no legal force and effect.[i] The pre-2014 historical body of Delaware case law held such corporate acts, taken without “scrupulous adherence to the statutory formalities” of the DGCL, to be acts undertaken “without the authority of law” and therefore necessarily void.[ii] Prior to the enactment of Sections 204 and 205 of the DGCL, the relevant line of Delaware case law held that corporate acts, transactions and equity issuances that were void or voidable as a result of the corporation’s failure to comply with the procedural requirements of the DGCL and the corporation’s governing documents could not be retroactively ratified or validated either (i) by unilateral acts of the corporation intended to cure the procedural misstep or (ii) on equitable grounds in the context of litigation or a formal petition for relief to the Court of Chancery.[iii] In short, there was no legally recognized cure for such defective actions and the company was left forever exposed to future claims by disgruntled shareholders, which could ultimately jeopardize future financings, exits and ultimately the very existence of the company.

The Statutory Cure
Luckily, for those founders who make the potentially serious misstep of failing to obtain the required consents and approvals before taking a particular action (e.g. issuing options to employees or executing a convertible note or SAFE without the prior consent of the Board), in 2014 Delaware enacted Sections 204 and 205 of the DGCL, which served to clarify the state of the law in Delaware and fill a perceived gap in the DGCL by providing new mechanisms for a corporation to unilaterally ratify defective corporate acts or otherwise seek relief from the Court of Chancery.[iv]

While both Section 204 and 205 were intended to remedy the same underlying issue and provide a clear process for ratifying or validating a defective corporate act, the mechanics set forth in the respective sections take disparate routes to arrive at the intended result:

Section 205 provides a pathway for ratification that runs through the courts, allowing a corporation, on an ex parte basis, to request that the court determine the validity of any corporate act.
Section 204, on the other hand, is considered a “self-help statute” in the sense that the procedural mechanic provided for in the statute allows a company to ratify the previously defective act unilaterally, without the time and expense involved with petitioning the court for validation of the corporate act in question.

In the case of early stage companies, the expenditure of the heavy costs and valuable time associated with seeking validation in the Court of Chancery render Section 205 a less than ideal tool for curing defective acts. This post focuses on Section 204, which provides a far less onerous mechanic for ratifying defective corporate acts, allowing a corporation to cure past errors “without disproportionately disruptive consequences.”[v]

Section 204 in Practice
Section 204 provides a company with a procedure to remedy otherwise void or voidable corporate acts, providing that “no defective corporate act or putative stock shall be void or voidable solely as a result of a failure of authorization if ratified as provided in [Section 204].”[vi] Pursuant to Section 204, a corporation’s Board may retroactively ratify defective corporate acts by adopting written resolutions setting forth:

the specific defective corporate act(s) to be ratified;
the date on which such act(s) occurred;
the underlying facts that render the act(s) in question defective (e.g., failure to obtain the authorization of the Board or inadequate number of authorized shares); and
that the Board has approved the ratification of the defective corporate act(s).

Additionally, if a vote of one or more classes of stockholders was initially required to authorize the defective act at the time such act was taken (e.g., the approval of a majority of the Series A preferred stockholders in the case of an act that falls within the purview of the Series A protective provisions), then ratifying resolutions of the relevant class of stockholders are also required in order to cure the prior defect in the corporate act.

In sum, founders and their Boards should, at minimum, undertake the below listed procedural steps* in order to ensure that otherwise defective corporate acts are cured and ratified in the manner prescribed by the DGCL.

A resolution by the Board that states (i) the defective corporate act to be ratified, (ii) the date of the defective act, (iii) if shares or other equity is involved, the number, class and date of the equity issuance, (iv) the reason for the defect, and (v) the approval and ratification by the Board of the defective corporate act.
Approval of the stockholders or a particular class of stockholders (in form of a written consent) if such an approval was required at the time of the defective corporate act.
Proper notice of the ratification sent to all stockholders (including stock that may have been invalidly issued). The notice must include a copy of the ratifying resolution/consent and an explanation that any claim that the ratification in question is not effective must be brought before the Court of Chancery no later than 120 days from the effective date of the ratification.
In certain circumstances, the filing of a “Certificate of Validation” with the Delaware Department of State to cure the defective corporate act being ratified (e.g., if shares were issued without filing the necessary Certificate of Amendment to increase the authorized shares of a corporation).

*This list should not be considered all-inclusive. Each situation is unique and further actions may be required depending on the underlying facts and the cause of the defect in question.

Takeaways
The potential adverse impact of an uncured defective corporate act cannot be overstated. For an early stage company seeking to raise capital from venture investors or other outside parties (or eventually exit through an acquisition), the risks associated with such defective acts are particularly acute. As a practical example, a corporation’s failure to observe the proper procedures in the election of a director can result in the invalidation of such election. In the event of such a defective election, actions taken by, or with the approval of, the improperly elected Board may be void or voidable. This or other defective corporate acts may result in the corporation being in breach of representations and warranties in any number of contracts, including stock purchase agreements executed as part of a financing round or M&A transaction.

Generally speaking, relatively extensive due diligence is typically the first step in all venture financings and other major corporate transactions. As part of this process, counsel for the investor or acquiror will undoubtedly review all material actions of the company along with the corresponding Board and stockholder consents as a means of “tying out” the company’s cap table. Any defective corporate act that was not later ratified by the company in accordance with Section 204 or 205 will at best need to be ratified or validated in advance of the closing of the transaction, and at worst may result in either (i) a reduction in the company’s valuation due to the perceived risk that past actions are ultimately void or unenforceable, or (ii) in extreme situations, the abandonment or termination of the transaction.

In an ideal world, companies of all sizes would always observe the proper procedures in authorizing corporate acts and ensuring that all other necessary steps had been taken to ensure the validity of such actions. Unfortunately, in the fast-paced and often frenzied world of a startup, certain “housekeeping” items occasionally fall by the wayside. Upon the discovery of a defective corporate act by a company or its counsel, it is vital that the proper ratification procedures be undertaken in order to ensure that any and all past actions that could potentially be rendered defective are rectified and ratified in accordance with Section 204 (or in some cases Section 205) of the DGCL.

[i] A “defective corporate act” includes any corporate act or transaction that was within the power granted to a corporation by the DGCL but was thereafter determined to have been void or voidable for failure to comply with the applicable provisions of the DGCL, the corporation’s governing documents, or any plan or agreement to which the corporation is a party. See 8 Del. C. § 204(h)(1); See also, e.g., Blades v. Wisehart, C.A. No. 5317-VCS, at 8 (Del. Ch. Nov. 17, 2010) (holding that “scrupulous adherence to statutory formalities when a board takes actions changing a corporation’s capital structure”); STAAR Surgical Co. v. Waggoner, 588 A.2d 1130, 1136 (Del. 1991) (“Stock issued without authority of law is void and a nullity.”).

[ii] See, e.g., Blades v. Wisehart, C.A. No. 5317-VCS, at 8 (Del. Ch. Nov. 17, 2010) (holding that “scrupulous adherence to statutory formalities when a board takes actions changing a corporation’s capital structure”); STAAR Surgical Co. v. Waggoner, 588 A.2d 1130, 1136 (Del. 1991) (“Stock issued without authority of law is void and a nullity.”).

[iii] Id.

[iv] See H.B. 127, 147th Gen. Assemb., Reg. Sess. (Del. 2013): “Section 204 is intended to overturn the holdings in case law . . . that corporate acts or transactions and stock found to be “void” due to a failure to comply with the applicable provisions of the General Corporation Law or the corporation’s organizational documents may not be ratified or otherwise validated on equitable grounds.”

[v] In re Numoda Corp. S’holders Litig., Consol. C.A. No. 9163-VCN, 2015 WL 402265, at 8 (Del. Ch. Jan. 30, 2015).

[vi] 8 Del. C. § 204(a).

Employee Non-Disclosure Agreements and Enforcement.

How Weak Are Employee “Nondisclosure Agreements”? The Answer May Make You Gag

Posted by Gregory W. McClune on 30 May 2017
Posted in Nondisclosure Agreements, Foley and Lardner

Background
We live in a world of “leaking” and threats of dire consequences for the leakers. Does an employer have the legal means to prevent disclosure of information acquired during employment? Likewise, can an employer seek legal redress for such disclosures?

In late 2016, the Virginia-based political journalism company, Politico, published an article revealing that the Trump Transition team had required all its “members” (presumably including its employees) to sign a “non-disclosure agreement” (NDA) “to make certain they keep all of their work confidential.” According to the article, such agreements were standard in the Trump organization. The article stated that the NDA prohibited an employee or volunteer from “disclosing info about major portions of the transition work, like policy briefings, personnel material, donor info, fundraising goals, budgets, contracts, or any draft research papers. It also demands that if anyone on the team suspects a colleague of leaking material, he or she must tell transition team leadership. And it gives the Trump team grounds to [fire] those who run afoul of the rules.” (A mandatory “snitch” clause?)

Would such an agreement be enforceable against an employee or volunteer? We will answer that question at the end of this article.

Drafting and enforcing NDAs requires considerable thought, care, continual maintenance and a skilled legal advisor. It is an area rife with risks and traps; and employers who believe they can “gag” their employees, by simply requiring them to sign a broadly worded agreement with heavy penalties, may be in for a rude shock.

The problems are many. First, this is an area that is primarily enforced by state law, and the states are far from uniform in viewing the enforceability of NDAs. Thus, a non-disclosure provision enforceable in one state may be struck down in another. Employers who operate in multiple states will have to ensure that the provision complies with the laws of all those jurisdictions.

Most jurisdictions will decline to enforce an overbroad definition of “confidential information.” To that end, an Illinois court refused to enforce an NDA that sought to protect against the disclosure of information concerning “any methods and manners by which Employer leases, rents, sells, finances, or deals with its products and its customers.” (Trailer Leasing Co. v. Associates Commercial Corp., 1996 WL 392135, at *1 (N.D.Ill. July 10, 1996)).

Similarly, an employer’s attempt to seal an employee’s lips forever will find little sympathy in the courts. A Virginia court invalidated an NDA on two grounds. It found that the employer had attempted to preclude an employee from disclosing any information concerning the business of the employer to any person. Thus, the prohibition was “not narrowly tailored to protect the legitimate business interests” of the employer. The court explained that the provision was so overbroad that, as written, it prohibited the employee from telling a neighbor anything about the employer – including information that was not proprietary in nature or worthy of confidence – for the rest of her life. (Lasership, Inc. v. Belinda Watson and Midnite Air Corp., d/b/a Midnite Express, 79 Va. Cir. 205 (1979)).

Some state courts (e.g., Georgia, New York, and Illinois) may “blue pencil” a defective agreement; that is, excise the offending provisions and allow the remainder of the agreement to be enforced. But even if an employer finds itself in one of those jurisdictions, there is no guarantee the judge will undertake that exercise as he/she may find the offending portion key to the whole agreement and, therefore, strike the entire NDA.

Recently a court in North Carolina invalidated an NDA on a different basis that, if followed by other courts, could have far-reaching consequences. The court invalidated the entire NDA because there was no additional “consideration” (i.e. the employee gave up his/her rights but received no additional compensation or other item of value). (Roundpoint Mortgage Co. v. Florez, 2016 NCBC 17 (Feb. 18, 2016)).

There are yet other traps for the unwary. This year a federal appeals court struck down a “confidentiality agreement” that sought to preclude an employee from sharing “private employee information (such as salaries, disciplinary action, etc.)” because the restriction unlawfully impinged on the employees’ rights, under Section 7 of the National Labor Relations Act, to discuss such matters. (Banner Health System v. N.L.R.B., 2017 WL 1101104 (D.C. Cir. 2017)).

Finally, even if an employer crafts a compliant NDA it will lose its power to enforce the NDA if it is lax in the treatment of confidential information. A written agreement does not supplant the need for sound business practices which safeguard such secrets and prevent disclosure. Moreover, an employer will enhance its chance of enforcing an NDA by periodically reinforcing the need for confidentiality, conducting regular training on the proper handling of confidential information, etc.

So, back to the Trump transition team and its NDA; would that have been enforceable? We have not had access to the full agreement so we are not in a position to be definitive. However, we are mindful of that old story about a physician coming across a victim lying on a public sidewalk. When asked by a bystander in the gathering crowd how the victim was doing, the physician, after a brief examination, responded: “Well, only two of the wounds are fatal; the others aren’t so bad.”

BOARD OVERSIGHT OF CORPORATION COMPLIANCE PROGRAMS: RECENT DOJ GUIDANCE AND WHAT TO DO NOW

By Holly J. Gregory* and Rebecca Grapsas*

Boards should consider assessing the effectiveness of their compliance programs now in light of the DOJ’s recent guidance on evaluating compliance programs — whether or not the company currently has any compliance issues.

Each company should, at a minimum, have a basic effective compliance program in place. A program that exists “on paper” but is not effective is not sufficient. As well as making good business sense for a range of reasons, having an effective compliance program can influence a federal prosecutor’s decision on whether to charge a company for the bad acts of its employees or officers and the extent to which the company may receive credit for cooperation in a settlement. Having an effective compliance program can also help mitigate penalties if corporate wrongdoing is found.

Oversight of a company’s “tone at the top” and its compliance program designed to establish and maintain that tone and detect problems is an important board responsibility. As fiduciaries, directors are required to assess the company’s compliance program in light of the legal and regulatory compliance framework and ensure that the company has appropriate compliance-related reporting and information systems and internal controls in place. It is a business judgment for the board to determine what compliance program best suits the company’s needs and the level of compliance risk it is willing to take.

The standard for effectiveness in compliance program design is set forth in Chapter 8 of the United States Federal Sentencing Guidelines, which provides that a company must:

Establish standards and procedures to prevent and detect criminal conduct

Ensure board oversight of the compliance program

Appoint a high-level individual (such as a chief compliance officer) who has overall responsibility for the compliance program

Exercise due diligence to exclude unethical individuals from positions of authority

Communicate information about the compliance program to employees and directors

Monitor the compliance program’s effectiveness

Promote and consistently enforce the compliance program

Respond to violations and make necessary modifications to the compliance program (US Sentencing Commission Guidelines Manual §§ 8B2.1(b), 8C2.5(f))

The Principles of Federal Prosecution of Business Organizations in the US Attorneys’ Manual provide that prosecutors should consider specific factors (known as the “Filip Factors”) in conducting corporate investigations, determining whether to bring charges and negotiating plea or other agreements. These factors include “the existence and effectiveness of the corporation’s pre-existing compliance program” and the corporation’s remedial efforts “to implement an effective corporate compliance program or to improve an existing one.” The Department of Justice (DOJ) emphasizes that critical factors in evaluating a compliance program are “whether the program is adequately designed for maximum effectiveness in preventing and detecting wrongdoing by employees and whether corporate management is enforcing the program or is tacitly encouraging or pressuring employees to engage in misconduct to achieve business objectives.” (US Attorneys’ Manual § 9-28.300, General Principle; § 9-28.800, Comment (2015)).

In February 2017, the Fraud Section of the DOJ issued a resource entitled Evaluation of Corporate Compliance Programs. The document provides more specific examples of how federal prosecutors will evaluate a company’s compliance program in the process of investigating and resolving an enforcement matter. The document emphasizes that “the Fraud Section does not use any rigid formula to assess the effectiveness of corporate compliance programs.” The document is the latest communication forming part of the Fraud Section’s Compliance Initiative, which began with the Fraud Section’s hiring of Hui Chen as full-time compliance counsel in November 2015.

The DOJ’s recent guidance for evaluating corporate compliance programs is also discussed in the most recent issue of Sidley’s Anti-Corruption Quarterly.

The document contains probing questions regarding the following eleven “sample” topics:

1. Analysis and remediation of underlying misconduct (including root cause analysis and prior indications)

2. Senior and middle management (including conduct at the top, shared commitment and oversight)

3. Autonomy and resources (including compliance function stature, experience, qualifications, empowerment, funding and outsourcing)

4. Policies and procedures (including design, applicability, gatekeepers, accessibility, operational integration, controls and vendor management)

5. Risk assessment (including methodology, information gathering and analysis, and manifested risks)

6. Training and communications (including form, content and effectiveness, communications about misconduct and availability of guidance)

7. Confidential reporting and investigation (including reporting mechanism effectiveness, investigation scope and response to investigations)

8. Incentives and disciplinary measures (including accountability, process and consistency)

9. Continuous improvement, periodic testing and review (including internal audit, control testing, interviews and evolving updates)

10. Third-party management (including risk-based and integrated processes, controls, relationship management and misconduct consequences)

11. Mergers and acquisitions (including due diligence process, integration in the M&A process and process connecting due diligence to implementation)

The questions are designed to look behind a company’s compliance program “on paper” and evaluate how the program has been implemented, updated and enforced in practice. Although some of the questions focus on the effectiveness of a company’s compliance program in the context of specific misconduct (for example, what caused the misconduct, whether there were prior indications of the misconduct and which controls failed), many of the questions focus on the compliance program more broadly, including, for example, whether compliance personnel report directly to the board, what methodology the company uses to identify, analyze and address the risks it faces, and how the company incentivizes compliance and ethical behavior.

Compliance program assessment is a key element of the board’s oversight of compliance programs. Boards should conduct such assessments periodically to identify areas for improvement in light of the company’s evolving risks and regulatory preferences with respect to compliance structures and practices. Periodic assessment of the compliance program, in a process overseen by the board or a board committee, helps ensure that the program continues to be “fit for the purpose” by identifying areas for improvement, while also creating evidence of the company’s commitment to compliance for use in any future regulatory enforcement actions. Assessments should be risk-based to reflect the company’s changing risk environment and to help ensure that limited compliance resources are prioritized to focus on the most significant risks.

The assessment criteria should be based on the elements of an effective compliance program as described in DOJ guidance discussed above, including specific guidance from regulators regarding the company’s industry. The assessment criteria should also reflect trends in settlement agreements, developing notions of recommended practices (both generally and within the company’s specific industry), and the practices of peer companies, to the extent that benchmarking data is available.

In conducting its assessment, the board should evaluate the following and consider how it would answer the specific questions set forth in the DOJ’s recent guidance:

■ The board’s level of oversight including availability of compliance expertise, private sessions with compliance personnel and information

■ Reporting lines and related structures

■ Experience, qualifications and performance of the chief compliance officer and compliance function

■ Compliance function responsibilities, budget and budget allocation (including employees, outside advisors and other resources), staff turnover rate and outsourcing

■ Written corporate policies and procedures regarding ethics and compliance (including legal and regulatory risks), and the process for designing, reviewing and evaluating the effectiveness of policies and procedures

■ Internal controls to reduce the likelihood of improper conduct and compliance violations

■ Ongoing monitoring, control testing and auditing processes to assess the effectiveness of the program and any improper conduct

■ Role of compliance in strategic and operational decisions

■ Key compliance risks, risk assessment processes and risk mitigation

■ Senior management conduct and commitment to compliance, and how the company monitors this

■ Communication efforts by the board, CEO, other senior executives, and middle management regarding expectations and tone

■ Education and training regarding compliance generally and the company’s program, policies and procedures at all levels

■ Understanding of corporate commitment to compliance at all levels

■ Awareness and use of mechanisms to seek guidance and/or to report possible compliance violations, and fear of retaliation

■ Specific problems that have arisen, why they arose and how they were identified and resolved

■ Investigation protocols and experiences

■ Performance incentives, accountability, disciplinary measures and enforcement

■ Remediation and efforts to apply lessons learned

The DOJ’s recent guidance should help boards determine the assessment process that is appropriate for the company, evaluate whether the company’s program continues to be effective and fit for purpose, and consider appropriate modifications to the program.

Sidley Perspectives | JUNE 2017

*Holly J. Gregory is a partner in Sidley’s New York office and a co-leader of the firm’s global Corporate Governance and Executive Compensation practice. Rebecca Grapsas is counsel in Sidley’s Corporate Governance and Executive Compensation practice who works from both the firm’s New York and Sydney offices. The views expressed in this article are those of the authors and do not necessarily reflect the views of the firm.

Corporate Governance and Change

A Quick Review Of Basics

By: Saul Winsten, General Counsel
The Winsten Group.Trusted Counsel LLC.
A national Legal, Business, and Corporate Affairs firm
thewinstengroup.com

What is “Governance”?

Governance has been defined in different ways. For our purposes, corporate governance may be understood to mean the system, processes and relationships by which a corporation is controlled and directed. Boards of Directors are responsible ultimately for governance, the control and direction of the corporation they serve.
For brevity our discussion will focus on this topic as applied to closely-held and family-owned business corporations.

What has changed?

With ever increasing market competition, and pace and magnitude of technological change, the challenges encountered by closely-held and family-owned businesses and their Boards have grown. The traditional or legacy structures for governance, or legacy leadership may no longer be appropriate. New governance structure, processes, and leaders may be called for.

Questions concerning governance often include questions concerning the role and responsibilities of the Board, and how governance may be evolving in response to change. Below is a quick review of basic principles, and of some increasingly common business adaptations to change.

Basic Principles:

The Role and Responsibilities of Boards

Board responsibilities are separate from those of management. Boards are not to manage the business; executive management has that responsibility. The Board’s role and its responsibilities include:

1. To advise and consult with management on corporate strategy, operational performance & effectiveness, key performance metrics, executive performance and compensation, risk management, and growth and change matters
2. To provide oversight of and approve corporate strategy and strategic plans, major acquisitions and divestitures, management and business performance, strategic matters, company resource planning and needs, legal compliance, protection of assets, budget and significant financing, mergers, and corporate reorganizations
3. To plan for executive and Board succession, select new executives, and recommend new Board members

Board Requirements

Boards and Board members must act solely in and for the interest of the corporation. Board members should be qualified to carry out Board responsibilities, be informed and knowledgeable of matters that may come before the Board, exercise prudent business judgement, and act free from conflicts of interest that compromise such action and judgement.

Fiduciary Duties

Boards of Directors and individual Board Members have “Fiduciary Duties”, to act prudently, in and for the interest of the business and shareholders, with care, honesty, prudence, and in good faith.

The primary fiduciary duties have been referred to as “Duty of Care”, and “Duty of Loyalty”. Some courts and securities regulation also refer to a “Duty of Candor” or “Duty of Disclosure”. Various courts have identified and discussed specific aspects of these duties.

The “Duty of Care” requires Board members act with knowledge of the pertinent facts and circumstances, with care, after due consideration of all relevant information.

The “Duty of Loyalty” requires Board members act in the best interests of the corporation and shareholders, and to ensure that actions are taken in good faith.

“Good Faith” has been defined by Black’s Law Dictionary as requiring Board members act with “(1) honesty in belief or purpose, (2) faithfulness to one’s duty or obligation, (3) observance of reasonable commercial standards of fair dealing in a given trade or business, (4) absence of intent to defraud or to seek unconscionable advantage”.

Liability for Breach of Fiduciary Duties

Boards and individual Directors have been found liable for breach of their fiduciary duties.

Defense to Claim of Breach of Fiduciary Duties

A defense to an action against a Board for Board action is sometimes called “the business judgement rule”. Under that rule, a court generally will not “second guess” a Board decision if the Board: (i) followed a reasonable and informed process; (ii) took into account all relevant facts and circumstances; and (iii) made its decision “in good faith”.

Adaptations to Change
These include but are not limited to:

Enhanced Board “on-boarding” and education

To properly prepare new Board members for joining the Board and carrying out Board responsibilities, businesses and organizations are paying increasing attention to proper orientation, introduction and education of Board members. The need for such action increases with the size of the organization, complexity of the organization and its activities, demands of shareholders and stakeholders, and the nature and complexity of risks to which the organization is subject.

Use of Board Committees:

As the quantity and complexity of matters that Boards are to act upon have increased, the use of committees and the need for enhanced committee and Board expertise has increased.

Some matters, particularly complex matters requiring special expertise, are increasingly delegated to committees of the Board, which in turn make recommendations for Board deliberation and action. Committees such as Compensation, Audit, Governance, and Nominating, among others, are common.
Many Boards have an Executive Committee of corporate officers, who are tasked with developing recommendations on policy and other matters for Board action.

Matters requiring special expertise may be delegated to a committee which includes members with that special expertise.

An example of a committee tasked with matters requiring special expertise is the Audit Committee. This committee is charged with developing recommendations on accounting policies, financial reporting, and other audit-related matters. It is responsible for oversight of the independent auditor, internal financial control policies, financial risk management policies, and the performance of the internal audit function.

Another example is the Nominating and/or Governance Committee where identification of desired qualified candidates for Board service, selection of nominees for Board positions, governance standards and processes, Board and CEO evaluation may be discussed and recommendations made.

Other committees requiring specialized knowledge may be used by a business’ Board. These include Cybersecurity, Technology, Legal, Finance, Strategic Planning, M&A, HR, Ethics/Corporate Responsibility, and Environmental Committees, for example.

Addition of Independent and Specially Qualified Directors:

Another response increasingly used by Boards of closely held businesses, including family-owned or managed businesses, is the addition of “Independent Directors” to their Boards. These Independent Directors assist the Board in carrying out its responsibilities by bringing independent thought, needed specialized expertise, and special perspective to those Boards. Examples of the knowledge and expertise sought and retained for Independent Directors include proven industry and outside business leadership, legal, finance, technology, cybersecurity, and other specialized expertise.
Some courts, notably in Delaware, have addressed the issue of what makes a Board member “independent”.

Use of Board Counsel

Some larger businesses and organizations have retained special Board Counsel to provide independent advice and guidance on Board and governance matters of special concern. Board Counsel have been found especially useful where perspective, guidance, and advice independent of Board or executive leadership relationships, is desired.

Conclusion

Governance changes are driven by a number of factors. Growth, market competition, disruptive technology, regulatory requirements, and succession-generated dynamics, for example, may compel a company to change the way it does business, the way it manages risk, and the way it is governed.
Businesses and organizations that will succeed are those prepared for change.

NB: Privacy, Data and Cookies Policy, Protects Facebook from Litigation

JUNE 7, 2017 CLIENT ALERT

Privacy Policy Rescues Facebook from Costly Litigation

From Michael Best & Friedrich.

We have all gone to a website and, in accessing the website’s services, have agreed to terms and conditions that include a litany of policies, including privacy policies governing how the company maintaining the website will use our information obtained while accessing the website. One such specific website that most, if not all, of us have used is Facebook. While we may not pay very close attention to privacy policies such as data and cookie policies, those policies explain that Facebook uses cookies or browser fingerprinting to identify users and track what third-party websites users browse. Such privacy policies serve an important function for any company, including Facebook, to help protect against potential liability for use of a consumer’s information. Indeed, Facebook’s privacy policy just carried the day in getting a case dismissed against it in which the Plaintiffs alleged a litany of causes of action against Facebook, including violation of the Computer Fraud and Abuse Act, California Invasion of Privacy Act, Health Insurance Portability and Accountability Act, and other common law claims.

In Smith v. Facebook, Inc., Case no. 16-cv-1282, the Northern District of California dismissed the claims against Facebook, with prejudice, based upon Facebook’s user agreement. There, the Plaintiffs argued that Facebook violated numerous federal and state statutes, as well as common law, by tracking and collecting its users’ web browsing activity, including sensitive information from various healthcare websites. In dismissing the case, the Court found that Plaintiffs had consented to Facebook’s tracking and marketing activity when they agreed to Facebook’s “data policy” and “cookie policy” when opening a Facebook account. The Court further found that while the applicable policy provisions were broad, they were not vague and provided adequate notice of the tracking activity in which Facebook engaged. For example, a portion of Facebook’s “cookie policy” explained that “[t]hings like Cookies and similar technologies (such as information about your device or a pixel on a website) are used to understand and deliver ads, make them more relevant to you, and analyze products and services and the use of those products and services . . . we use cookies so we, or our affiliates and partners, can serve you ads that may be interesting to you on Facebook Services or other websites and mobile applications.” Simply put, Facebook’s privacy policy, which Plaintiffs had agreed to when they signed up for Facebook, was adequately clear to permit Facebook to track and collect Plaintiffs’ web browsing activity, including browsing of healthcare related information. In so finding, the Court rejected Plaintiffs’ arguments that the policies were buried and overbroad.

Facebook’s recent victory is a good reminder of the importance of having a thorough and clear privacy policy. Any company that collects or uses consumers’ information should aim to have a transparent and broad privacy policy to help guard against liability.

Albert Bianchi, Jr.
abianchi@michaelbest.com
T.608.283.4425

Michelle L. Dama
mdama@michaelbest.com

Heads Up: Board of Directors, Resignation from the Board, Duty of Loyalty.

Paul Hastings Client Alert

March 2017

Resigning From a Board of Directors: Considerations for VC Fund Designees
By Samuel A. Waxman, Jordan L. Goldman & Brooke Schachner

When a venture capital fund invests in an emerging growth company, it typically seeks to protect its investment by obtaining the right to designate a member of the Board of Directors. While many of these individual designees are experts in their field and have vast networks of valuable relationships at their disposal, a newly designated director may be unfamiliar with the duties imposed on him should he want to resign.

Delaware law generally gives the Board of Directors broad authority to manage the business affairs of a corporation. Although this level of discretion is generally extended to the ability to resign, there are various factors that should be considered when weighing the value of keeping a seat against the potential turmoil and liability associated with resignation. Designated directors often reflexively consider resignation when the company has run out of money or is heading into the so-called “zone of insolvency” out of fear of personal liability. Resigning at this point, however, may actually give rise to the very liability the director was seeking to avoid. As a result, it is important for a director to know when he can resign versus when he should resign.

I. The Benefits of Sitting on a Board: A Seat at the Table
The best way for a venture capital fund to remain informed and maintain influence on a company’s decision-making is to hold a seat on the Board. Directors have the power to vote on matters mandated by Delaware law, the certificate of incorporation, or the investment documents that affect material aspects of the business and its stakeholders. For example, Board approval may be necessary for: amendments to the certificate of incorporation and bylaws; equity grants or transfers (whether stock, options, or warrants); distributions to stockholders; borrowing or lending money; adopting an annual budget; hiring or terminating members of senior management (or amending their terms of employment); adopting employee benefit plans; a sale of material assets of the company; a dissolution of the company; and/or entering into agreements and transactions of material importance to the company (intellectual property licenses, mergers, or IPOs).

This remains true even if the investment has gone sour. Directors will continue to have say over bridge financings, the direction of DIP loan packages, and other key decisions that need to be made by a company in distress.

II. Should I Stay or Should I Go?
Under Delaware law, a director generally may resign at any time, unless the certificate of incorporation or bylaws require otherwise. Notably, however, a director may not resign when doing so would constitute a breach of the duty of loyalty.

A. Duty of Loyalty
Directors have a duty to act in the best interests of the shareholders—personal benefit is secondary, even if management is making questionable choices. For example, simply resigning upon discovery of flagrant crimes committed by corporate insiders, without attempting to rectify the issue, may constitute a breach of the duty of loyalty. In In re Puda Coal Shareholders’ Litigation, a CEO was accused of theft through unauthorized transfers which went unnoticed for 18 months. A third party brought the suspected criminality to the attention of the independent directors, but the directors were “stonewalled” by management when they attempted to bring suit. So, the independent directors resigned from the Board. The Delaware court was critical of the directors’ decision to resign rather than cause the company to join a related derivative suit, stating that simply resigning at that point (while the company was in hot water) might be a breach of the duty of loyalty.

Similarly, in Rich v. Chong, another Delaware case, the court determined that ignoring numerous red flags and resigning from the Board may have constituted an abdication of the directors’ duties. In this case, the company completed its public offering in 2009. In 2010, it revealed discrepancies in its financial statements, and in 2011, auditors discovered a $130 million cash transfer to third parties in China. A 2010 stockholder suit urged the company’s audit committee to investigate, but the investigation was abandoned in 2012 due to management’s failure to pay the fees incurred by the audit company’s advisors. The company also failed to hold an annual stockholder meeting for several years despite a 2012 court order to do so. The independent directors subsequently resigned. Chiding the directors, the court stated that “the conscious failure to act, in the face of a known duty, is a breach of the duty of loyalty.”

Directors of companies with foreign operations, moreover, are subject to a heightened fiduciary duty. Delaware Supreme Court Chief Justice Strine’s view on local companies with foreign operations is that a director’s required engagement is even more strenuous (e.g., traveling to that foreign country, having language skills, and knowing the culture).

B. Reasons for Resignation
A director may want to resign from his position on the Board for several reasons. If the company breaks the law or materially breaches its bylaws or shareholder agreements, without immediate rectification, a director may consider resignation. In addition, a director may deem it necessary to resign over disagreements among the Board members. Deadlocks and discord can severely impede progress—a particular concern for growth companies. While discussion and debate is healthy for an effective Board, intractable differences of opinion about the company’s future can stall innovation and stifle success. Similarly, a fundamental opposition to some of the company’s major practices could be reason enough to step away.

Designees are often selected for board seats because of their expertise in a particular field and their vast network of connections. However, a conflict of interest may arise as a result. If conflicts of interest persist and become irreconcilable, a director’s exit might be best for all parties involved. Still, a director’s fiduciary duties to the corporation and its shareholders must be at the forefront of one’s concerns, and if an exit may constitute a breach of the duty of loyalty, directors must think twice about resignation. In addition, while the director himself may not have a personal conflict, a designated director might wish to resign if the fund they represent is going to engage in certain debt financing transactions with the company.

Additionally, a director may want to resign if he is unable to obtain adequate protection against personal liability. A director should ensure that the company has a sufficient director and officer (“D&O”) insurance policy and an indemnification agreement in place that protects individual directors. It is important to make sure D&O policies have a proper tail so that directors are still covered even after they leave the Board. A director is often best served staying on the Board as long as possible to make sure that the D&O insurance is kept in place at the expected levels and/or to best negotiate a tail on his exit. Without appropriate D&O insurance, directors may face liability for certain claims against the corporation. Notably, a recently enacted California law includes directors in the group of individuals that may be held personally liable for unpaid final wages. While a director may be covered by insurance or indemnification in this instance, it is important to be aware of state laws that may subject corporate agents to additional liability.
Finally, evidence that management is not acting in the best interests of the shareholders may be cause for a director’s resignation. But again, a director has to be sure that his exit does not unduly harm the company or breach a fiduciary duty owed to the shareholders.

III. Practice Tips for the Director Pondering Resignation
When considering resignation, a director must act in the best interests of the company. Current or potential directors should research whether there are any unusual restrictions on resignation in the certificate of incorporation or bylaws or unusual internal procedures and policies.

Moreover, a director should take specific steps upon the discovery of illegality or malfeasance, namely:
1. A director’s first duty is to take reasonable steps to stop any ongoing legal or ethical violations.
2. If met with stonewalling, the director should seek independent legal counsel.
3. A director who decides to resign may want to submit a written statement to the chairman for circulation to the Board and possibly to the shareholders.
Following these general steps will ensure that a director can leave a Board while guarding against potential liability. The decision to resign from a Board must not be made flippantly. Facts and circumstances will rule the day; regardless, a director must always mind his fiduciary duties to the company and its shareholders.


Heads Up: Boards, Businesses, Leaders- CyberSecurity, Risks and Responsibility, Heightened Requirements.

Dickinson Wright

Cybersecurity is “hot” and will stay “hot” for corporations, executives, regulators, law enforcement and legislators. Rarely is there a corporate compliance discussion in 2017 where cyber isn’t “the” topic or a material part of the discussion. Corporate boards recognize that cybersecurity is and will remain a high priority because of the attendant risks on so many levels. And two recent matters – one a case and the other a high profile internal investigation – portend that an imminent frontier in corporate monitoring will be cybersecurity.

Recent governmental attention to corporate cybersecurity programs suggests strongly that cyber oversight will be the next priority area for corporate compliance monitoring. The Securities and Exchange Commission (SEC), for example, announced in January 2017 that cybersecurity compliance procedures would be a key focus for its Office of Compliance Inspections and Examinations (OCIE) this year.[i] OCIE previously announced cybersecurity as a priority for its 2016 examination program,[ii] tracking its September 2015 cybersecurity examinations initiative.[iii] Considering prior enforcement actions by the SEC against investment advisors and broker-dealers to address allegedly inadequate cybersecurity policies that enabled data breaches, the SEC’s announcement is no surprise. Similarly, the Federal Trade Commission (FTC) has been flexing its enforcement muscle through actions alleging that policy failures led to the exposure of confidential consumer information.[iv] These actions consistently result in settlements that impose cybersecurity enhancements designed to prevent similar future incidents. In the absence of an informed and sufficient monitoring program, however, it is difficult to assess effectively whether the corporations are implementing the negotiated settlements properly and, perhaps more importantly, as expected by the agency.

The SEC has a well-established track record for using independent corporate monitors across a broad range of cases. The FTC, on the other hand, is in its infancy doing so, somewhat surprisingly. In a September 2016 settlement, the FTC jumped into the monitorship space by imposing a monitor to ensure compliance with a settlement that required a company to change fundamentally its compensation structure by rewarding actual sales rather than recruitment of new distributors. Although that FTC settlement did not present a cybersecurity issue, the FTC nevertheless set the stage to connect monitorships with the agency’s already active regulatory attention to cybersecurity matters. An example of such an opportunity presented itself on March 1, 2017, when Yahoo announced, in its Form 10-K filed with the SEC,[v] that as a result of an internal investigation associated with three cybersecurity incidents – including the theft of data from more than one billion accounts – the Company “took certain remedial action, notifying 26 specifically targeted users and consulting with law enforcement.” The 10-K describes the cyber-centric “other remedial actions” as follows:

The Board has directed the Company to implement or enhance a number of corrective actions, including revision of its technical and legal information security incident response protocols to help ensure: escalation of cybersecurity incidents to senior executives and the Board of Directors; rigorous investigation of cybersecurity incidents and engagement of forensic experts as appropriate; rigorous assessment of and documenting any legal reporting obligations and engagement of outside counsel as appropriate; comprehensive risk assessments with respect to cybersecurity events; effective cross-functional communication regarding cybersecurity events; appropriate and timely disclosure of material cybersecurity incidents; and enhanced training and oversight to help ensure processes are followed.

The 10-K also references 43 related class action lawsuits and the company’s cooperation with the SEC, the FTC, the United States Attorney’s Office for the Southern District of New York, and two State Attorneys General. Additionally, the General Counsel and Secretary resigned, receiving no severance payments. Moreover, the CEO gave up $12 million in stock and did not receive her 2016 cash bonus. It is easy to see where breaches and remediation as Yahoo disclosed could become the door-opener for a cybersecurity monitor.

Traditional corporate monitoring models allow for the implementation of an independent monitor to oversee an organization’s compliance with imposed obligations over a period of time. Independent monitors, by operation of the monitorship agreement, typically receive access to the subject company’s personnel, files, books, and records that fall within the scope of the settlement agreement and have authority to take necessary steps to become fully informed regarding the monitored company’s operations, within the parameters of the agreement. The independent monitors also are free to communicate with the regulatory body (or agency) regarding the monitored company’s corrective measures (or lack thereof). If the subject organization is found not to have complied with the terms of the settlement (i.e., not adhering to the compliance and other policies, procedures and steps designed to remediate and correct the conduct that gave rise to the settlement), then penalties can be assessed, including reinstitution of the criminal or regulatory action(s), and extension of the monitorship. And, particularly in the cybersecurity area, systems vulnerabilities easily can challenge the test of compliance with the settlement terms.

Cybersecurity-related regulatory actions, however, usually do not follow this model. Instead, many cybersecurity settlements and consent orders mandate only that independent third-party professionals periodically assess and report on the implementation of information privacy and cybersecurity safeguards. Because cybersecurity settlement agreements do not typically include an active independent monitor with the requisite background and experience to assess an organization’s remedial cybersecurity measures on a granular level, the benefits of an embedded qualified professional to ensure true remediation are absent from the impacted company. Ideally, a cybersecurity monitor would and should have, through knowledge, skill, training, experience, or education, sufficient up-to-date technical expertise and a measurable level of experience – preferably a minimum of five years of demonstrable experience dealing with cybersecurity or incident responses – to act in a cyber-monitoring capacity. Also, the cybersecurity monitor should hold a minimum of one relevant technical certification. Instead, the present norm is the less beneficial periodic spot-checking undertaken by professionals who likely do not have the level of knowledge of the organization or an in-depth appreciation of the issues surrounding what gave rise to the settlement and need for remediation in the first place.

This seemingly minimalist approach to corporate cybersecurity monitoring is surprising because proper implementation of cybersecurity safeguards is, by design, meant to be tailored to a specific organization. It is not always clear, however, that proper implementation necessarily will satisfy regulators’ expectations. For example, many experts view the National Institute of Standards and Technology’s Framework for Improving Critical Infrastructure Cybersecurity (the “Cybersecurity Framework”) to be a benchmark for modern digital security implementation standards. In a seeming inherent contradiction, the FTC has opined that (1) the Cybersecurity Framework is not something with which an organization can “comply,” and (2) even if an organization follows the NIST Cybersecurity Framework (which the FTC describes as “a set of industry standards and best practices to help organizations identify, assess, and manage cybersecurity risks”), then that does not necessarily mean an organization’s cybersecurity policies will withstand regulatory scrutiny.[vi] Additionally, cybersecurity enforcement actions often are precipitated by incidents exposing sensitive third-party information, which in turn result in the near inevitable perceptions of an absence of cybersecurity buy-in from management teams and a failure to fully appreciate various cybersecurity risk vectors. Periodic spot-checks of corporate policies, and even implemented practices, can miss these issues; meanwhile, an independent and informed monitor with appropriate in-depth knowledge of a company’s remedial efforts undertaken pursuant to a settlement agreement would be well-positioned to identify and remediate corporate deficiencies while simultaneously satisfying regulators’ expectations.

Properly addressing modern and emerging corporate and regulatory cybersecurity concerns demands a new compliance prism and model as part of settlement agreements with government agencies. Rather than simply accepting periodic external assessments, matters involving cybersecurity should be addressed more effectively through the use of a cyber-knowledgeable independent corporate monitor. That monitor will be able to appreciate the technical cyber and substantive needs of the subject company, have intimate knowledge of that company, and understand the goals and objectives of the regulatory body with the cyber-compliance expectations. Equally important is that the monitor will be in a position to ensure – from an informed position – that the company implements proper cybersecurity practices, and the Board, management and staff receive appropriate cyber-training. Thus, the not-too-distant future is now for cybersecurity monitoring and monitors.

[i] U.S. Securities & Exchange Commission, SEC Announces 2017 Examination Priorities (Jan. 12, 2017), https://www.sec.gov/news/pressrelease/2017-7.html

[ii] U.S. Securities & Exchange Commission, SEC Announces 2016 Examination Priorities (Jan. 11, 2016), https://www.sec.gov/news/pressrelease/2016-4.html

[iii] U.S. Securities & Exchange Commission, OCIE’s 2015 Cybersecurity Examination Initiative (Sept. 15, 2015), https://www.sec.gov/ocie/announcement/ocie-2015-cybersecurity-examination-initiative.pdf

[iv] E.g., Federal Trade Commission v. Wyndham Worldwide Corporation, 799 F.3d 236 (3d Cir. 2015); Federal Trade Commission v. D-Link Corp., No. 3:17-cv-00039 (N.D. Cal. Compl. filed Jan. 5, 2017)

[v] https://www.sec.gov/Archives/edgar/data/1011006/000119312517065791/d293630d10k.htm

[vi] See Andrea Arias, Fed. Trade Comm., The NIST Cybersecurity Framework and the FTC (Aug. 31, 2016), https://www.ftc.gov/news-events/blogs/business-blog/2016/08/nist-cybersecurity-framework-ftc

Boards and Business Executives Beware- Possible Liability For Data Breach

Publication By Michael Best
Albert Bianchi, Jr., Michelle L. Dama, Adrienne S. Ehrhardt
MARCH 3, 2017 | CLIENT ALERT

Executives and Board Members Could Face Liability for Data Breaches

By now, most everyone is aware that Yahoo was hacked in both 2013 and 2014 and had names, passwords, and other account data of between 500 million and one billion of its users stolen. Following the breach, various class action lawsuits brought against Yahoo by consumers and small business users of Yahoo ensued. The stolen data and lawsuits also caused Verizon to reduce its offer to purchase Yahoo by $350 million. Unfortunately for Yahoo, its inability to protect private account data has led to additional negative consequences.
In late February 2017, a group of Yahoo shareholders, guided by the Oklahoma Firefighters Pension and Retirement System, sued Yahoo, as well as some of its executives and board members, including the chairman of its Board of Directors, co-founder, and current CEO, for breach of their fiduciary duty to the shareholders stemming from the stolen account data. Although the complaint is sealed (and thus unavailable to the public), the lawsuit, which appears to be the first of its kind, seems to assert that Yahoo and its executives breached their fiduciary duty to shareholders by failing to disclose the data security breaches to Yahoo account holders.
This lawsuit will be one to keep an eye on to see whether a failure to properly handle a data breach, and possibly even the data breach itself, can be considered a breach of a fiduciary duty to shareholders. Although this case appears to be the first of its kind, if it continues moving forward, it will undoubtedly spur like cases for other similarly situated entities that have suffered a security breach.
Other businesses that have been hacked and had personal account data stolen may be next in line for similar shareholder lawsuits. As such, the shareholder suit against Yahoo and its executives is yet another warning of how important it is for businesses to approach the need to properly protect personal data seriously. Whether it’s employee or customer information, businesses need to be on their guard and prepared to prevent and handle data breaches.