The LabMD Case and the Evolving Concept of “Reasonable Security”

Posted on July 16, 2018 by - Uncategorized

Facts of the LabMD Case

LabMD, Inc. was a cancer diagnostic testing facility that used medical specimen samples and patient information to provide diagnostic information to health care providers. The company was subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and had a HIPAA compliance program in place that prohibited the downloading of peer-to-peer (P2P) file-sharing applications on company computers. LabMD v. FTC, Case No. 16-16270 (11th Cir. June 6, 2018), at 2. Now defunct as an operating company, LabMD nonetheless exists as a company and continues to protect its information.

In violation of this prohibition, a company billing manager installed LimeWire on a company computer. This P2P software permits users to make computer documents accessible to the larger LimeWire community. The manager made a file containing the personal information of 9,300 consumers (the 1718 File) available to approximately two to five million LimeWire users. The 1718 File included names, dates of birth, Social Security numbers, laboratory diagnostic and testing codes, and for some patients health insurance information.

A data security firm, Triversa Holding Corporation (Triversa), downloaded the 1718 File and contacted LabMD to offer remediation services, which were refused. The LimeWire was deinstalled from the billing manager’s computer. Triversa sent the 1718 File to the FTC.

In its resulting complaint, the FTC alleged a variety of general security failures around LabMD’s policies and procedures that the FTC decided ultimately led to the posting of the 1718 File.

The Eleventh Circuit noted that there was no evidence that any of the 1718 File information was accessed by anyone other than Triversa or that it was otherwise improperly used.

FTC Consent Orders and Reasonable Information Security Programs

The FTC has filed enforcement actions against a variety of companies for security program failures, alleging that such failures constitute an “unfair act or practice” under Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a) (the FTC Act or Section 5(a)). The resulting consent orders generally require the defendant companies to implement and maintain information security policies and procedures designed to protect consumer information.

In this manner, the FTC has for years been building a “common law” body of orders intended to require companies to maintain reasonable information security programs. The FTC published in 2015 a guide for companies based on these consent orders, Start with Security, which it updated in 2017 with its “Stick with Security” blog series. These guides are crafted as “lessons-learned” guidance and focus on the following:

  1. Security and privacy programs aligned with the following principles: purpose or minimization limitation on the collection of personal information; retention for only as long as necessary; appropriate employee training and education; and consumer choice.
  2. Data access controls designed to restrict access to personal information and limit administrative access.
  3. Operational access controls, such as passwords and authentication processes.
  4. Protection of data in storage and in transit.
  5. Network firewalls and monitoring.
  6. Remote access controls.
  7. Addressing security in the development of new products or services.
  8. Vendor management of security risks posed by third-party service providers.
  9. Ongoing monitoring and evaluation of security processes.
  10. Physical security of storage media.

The enforcement actions tend to arise out of fairly egregious facts and are usually precipitated by a significant data breach. Accordingly, the specific “lessons learned” are often a list of “do-nots.” For example, a do-not of LabMD is “do not allow downloading of P2P (or noncompany) software on company systems.” The FTC has leveraged these specific do-nots into a larger concept of reasonable security. In LabMD, the FTC reasoned that a general laxity of information security policies and procedures led to the installation and failure to detect the presence of the P2P software on the billing manager’s computer.

In its press release regarding its 2017 Annual Privacy and Security Update (the Update), the FTC expressly stated that it “uses a variety of tools to protect consumers’ privacy and personal information including bringing enforcement actions to stop law violations and require companies to take affirmative steps to remediate the unlawful behavior.” The FTC regularly includes comprehensive information security program requirements in its consent orders, attributing identified security lapses or breaches as resulting from weak security generally.

The FTC consent order security programming requirements tend to be: (1) technology-neutral; (2) intended to be evaluated and updated on a regular basis; and (3) focused on the individual company’s risk-management efforts, taking into account the amount of practical risk, costs involved, industry standards, and sensitivity of information, among other factors.

Other Regulatory Approaches to “Reasonable Security”

The FTC’s concept of “reasonable security” is consistent with approaches taken by other laws and regulatory guidance regarding information security programs. The consensus seems to be that as technology and innovation is evolving faster than the law, the applicable laws should focus on security management standards and goals, rather than express prescriptive rules.

For example, the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity https://www.nist.gov/cyberframework/framework (RMF) offers a general set of standards, guidelines, and best practices to manage cybersecurity risk in critical infrastructure. The NIST RMF is neither prescriptive nor specific. Rather, it allows companies to evaluate their security programs in light of “their organizational requirements and objectives, risk appetite, and resources against” certain “core” cybersecurity principles.

Similarly, the Federal Financial Institutions Examination Council (FFIEC) Cyberscurity Assessment Tool (CAT) provides a “repeatable and measurable process for financial institutions to measure their cybersecurity preparedness over time.” Like the NIST RMF, the FFIEC CAT offers core principles and goals but relies on the company’s own risk-management assessment and strategies. The FFIEC CAT maturity domains include general statements like, “[d]edicated cybersecurity staff develops, or contributes to developing, integrated enterprise-level security and cyber defense strategies” or “[t]he institution benchmarks its cybersecurity staffing against peers to identify whether its recruitment, retention, and succession planning are commensurate.”

State statutory and regulatory requirements around security programs are also general. For example, the New York State Department of Financial Services Cybersecurity Requirements for Financial Services Companies (the NY Cyber Reg) requires such companies to develop cybersecurity programs based on a risk inventory and assessment process, with the goal of developing a policy that addresses all of the following:

  1. information security
  2. data governance and classification
  3. asset inventory and device management
  4. access controls and identity management
  5. business continuity and disaster recovery planning and resources
  6. systems operations and availability concerns
  7. systems and network security
  8. systems and network monitoring
  9. systems and application development and quality assurance
  10. physical security and environmental controls
  11. customer data privacy
  12. vendor and third-party service provider management
  13. risk assessment
  14. incident response

Like the NIST RMF and the FFIEC CAT, which address the use of multifactor authentication and penetration testing, as appropriate, the NY Cyber Reg does not require the use of specific technology.

The more comprehensive Massachusetts cybersecurity regulation, Standards for the Protection of Personal Information of Residents of the Commonwealth (the MA Cyber Reg), requires companies to maintain cybersecurity programs that, at a minimum and to the extent technically feasible, should have the following elements:

  1. Secure user authentication protocols including:
    (a) control of user IDs and other identifiers;
    (b) a reasonably secure method of assigning and selecting passwords, or use of unique identifier technologies, such as biometrics or token devices;
    (c) control of data security passwords to ensure that such passwords are kept in a location and/or format that does not compromise the security of the data they protect;
    (d) restricting access to active users and active user accounts only; and
    (e) blocking access to user identification after multiple unsuccessful attempts to gain access or the limitation placed on access for the particular system;
  2. Secure access control measures that:
    (a) restrict access to records and files containing personal information to those who need such information to perform their job duties; and
    (b) assign unique identifications plus passwords, which are not vendor-supplied default passwords, to each person with computer access, that are reasonably designed to maintain the integrity of the security of the access controls;
  3. Encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information to be transmitted wirelessly;
  4. Reasonable monitoring of systems for unauthorized use of or access to personal information;
  5. Encryption of all personal information stored on laptops or other portable devices;
  6. For files containing personal information on a system that is connected to the Internet, there must be reasonably up-to-date firewall protection and operating system security patches, reasonably designed to maintain the integrity of the personal information.
  7. Reasonably up-to-date versions of system security agent software that must include malware protection and reasonably up-to-date patches and virus definitions, or a version of such software that can still be supported with up-to-date patches and virus definitions, and is set to receive the most current security updates on a regular basis.
  8. Education and training of employees on the proper use of the computer security system and the importance of personal information security.

The MA Cyber Reg is technology-neutral, industry standards- and risk-based, and tied to a “reasonableness” concept.

Other state laws are even more broad. The recently enacted Alabama State Data Breach Notification Act (the AL Act) requires companies to maintain “reasonable security measures” to protect personal information. “Reasonable” means “practicable” in relation to a cost-benefit analysis, the type and volume of information involved, and the size of the entity, and with emphasis to be placed on “data security failures that are multiple or systemic” and taking into account consideration of all of the following measures:

  1. designation of one or more managers of the security program;
  2. risk inventory—both internal and external;
  3. vendor management with contractual security obligations;
  4. continuous monitoring and evaluation of threats and measures; and
  5. board or management oversight.

LabMD Consent Order

The FTC’s consent order in this case, FTC Consent Order In the Matter of LabMD, Inc., Docket No. 9357, at 2–3, imposed security requirements that were commensurate with those imposed by previous consent orders, which required LabMD to:

establish and implement, and thereafter maintain, a comprehensive information security program that is reasonably designed to protect the security, confidentiality, and integrity of personal information collected from or about consumers by respondent or by any corporation, subsidiary, division, website, or other device or affiliate owned or controlled by respondent. Such program, the content and implementation of which must be fully documented in writing, shall contain administrative, technical, and physical safeguards appropriate to respondent’s size and complexity, the nature and scope of respondent’s activities, and the sensitivity of the personal information collected from or about consumers, including:

  1. the designation of an employee or employees to coordinate and be accountable for the information security program;
  2. the identification of material internal and external risks to the security, confidentiality, and integrity of personal information that could result in the unauthorized disclosure, misuse, loss, alteration, destruction, or other compromise of such information, and assessment of the sufficiency of any safeguards in place to control these risks. At a minimum, this risk assessment should include consideration of risks in each area of relevant operation, including, but not limited to: (1) employee training and management; (2) information systems, including network and software design, information processing, storage, transmission, and disposal; and (3) prevention, detection, and response to attacks, intrusions, or other systems failures;
  3. the design and implementation of reasonable safeguards to control the risks identified through risk assessment, and regular testing or monitoring of the effectiveness of the safeguards’ key controls, systems, and procedures;
  4. the development and use of reasonable steps to select and retain service providers capable of appropriately safeguarding personal information they receive from respondent, and requiring service providers by contract to implement and maintain appropriate safeguards; and
  5. the evaluation and adjustment of respondent’s information security program in light of the results of the testing and monitoring required by [the order], any material changes to respondent’s operations or business arrangements, or any other circumstances that respondent knows or has reason to know may have a material impact on the effectiveness of its information security program.

Eleventh Circuit Holding and Reasoning in LabMD

The Eleventh Circuit held that the LabMD consent order was void for lack of specificity:

In the case at hand, the cease and desist order contains no prohibitions. It does not instruct LabMD to stop committing a specific act or practice. Rather, it commands LabMD to overhaul and replace its data security program to meet an indeterminable standard of reasonableness. This command is unenforceable.

The Eleventh Circuit acknowledged that due to limitations on legislating “an extensive list of unfair acts or practices,” Congress authorized the FTC “to establish unfair acts or practices through case-by-case litigation.” Notably, the court did not squarely address the issue of whether the FTC has data security enforcement authority under section 5(a).

The court focused on the FTC’s own two-prong test to determine whether an act or practice is “unfair” under section 5(a):

  1. whether there is a “consumer injury,” which is substantial, not outweighed by a countervailing benefit to the consumer, and not reasonably avoidable by the consumer; and
  2. whether the act “offended public policy as established by statute, the common law, or otherwise.”

The court found that “the [FTC’s] complaint alleges no specific unfair acts or practices” by LabMD other than the installation of P2P software on a single LabMD computer. The FTC complaint did not state that the installation of the P2P software violated a specific company policy. The court assumes that LabMD had a policy against the download. The court’s focus appears to be on this single violation, which, according to the court’s reasoning below, would justify an express prohibition in the consent order against policies or procedures permitting such an installation. The court did not discuss the FTC’s more holistic approach in the context of whether the company could have exercised better practices generally in implementing controls to actually prevent the employee from downloading external programs on a company computer, and whether such failure would warrant the imposition of more comprehensive security requirements, as was done in the order.

The opinion, however, assumed arguendo “that LabMD’s negligent failure to design and maintain a reasonable data security program invaded consumers’ right of privacy and thus constituted an unfair act or practice” under section 5(a).

The Eleventh Circuit recognized that although “[n]othing in the FTC Act addresses what content must go into a cease and desist order,” the FTC’s own procedural rule requires that “a complaint must contain a “clear and concise factual statement sufficient to inform each respondent with reasonable definiteness of the type of acts or practices alleged to be in violation of the law.” The court concluded that (1) the complaint must state violations with “reasonable definiteness,” and (2) the remedy (in this case, the requirements of the consent order) “must comport with this requirement of reasonable definiteness.” Accordingly, the opinion states that “the order’s prohibitions must be stated with clarity and precision.”

The opinion further explains how enforcement of FTC consent orders occur procedurally, either with enforcement by the administrative law judge (ALJ) or the district court. These authorities are charged with enforcement of injunctions of specific prohibited conduct enumerated in the consent order. The court concludes that the effect of indefinite requirements would lead to micromanagement in the form of constant interpretation and modification of the order by the ALJ or court.

The opinion holds that the order is void for lack of enforceability in that the order contained no express prohibited acts or practices: “it commands LabMD to overhaul and replace its data security program to meet an indeterminable standard of reasonableness.”

Implications for FTC Cybersecurity Enforcement

The FTC’s consent order in this case included comprehensive but general information security program requirements, which is consistent with its approach in many previous cybersecurity consent orders. The intent of the FTC appears to have been to craft an evolving concept of “reasonable security” and to require companies to monitor and develop their security programs over time. The Eleventh Circuit, however, rejected this approach as lacking in specificity. The implications for the enforceability of existing FTC consent orders is significant. If courts follow the LabMD holding, a domino effect voiding a long line of consent orders may well follow. Moreover, going forward, the FTC must consider including very specific security requirements and prohibitions in its consent orders.

At a recent conference, an FTC attorney advisor, speaking in her “personal capacity” and not on behalf of the agency, indicated in an off-the-cuff remark that they were “considering [their] options” in light of the opinion. Hot Topics in Advertising Law 2018, “FTC Year in Review” Practising Law Institute webinar (Christine DeLorme, 6/26/18).

The Eleventh Circuit emphasized that:

  1. the posting of the 1718 File was in direct violation of a specific LabMD policy against downloading P2P software on company systems; and
  2. the FTC did not demonstrate that any alleged general laxity in security programming resulted in this specific company policy violation.

Does this mean that if the FTC concludes that a company’s failure to implement adequate cybersecurity programs caused a specific unfair act or practice, the FTC must:

  1. limit the remedy in the consent order to the specific act or practice; and/or
  2. expressly demonstrate that the specific violation was caused by a broader, but still definite, series of security lapses?

The FTC cybersecurity consent orders generally require a long-term information security program (20 years is typical) that encompasses all of the company’s activities related to consumer information. Does the LabMD decision mean that the order must focus on the specific violation as of a definite point in time?

Consider a company that does not honor consumer choices regarding information offered through its website. For example, the company may not give the opportunity to consent to or opt out of sharing of personal information with unrelated third parties for marketing purposes, or may offer that choice but not honor it. Must the consent order be limited to requiring that consumer choices regarding such sharing of personal information collected via the website for marketing purposes be offered and honored? In that event, would other types of sharing not violate the order, even if consumer choices are offered but not honored? Alternatively, would the same company be liable if it later offered a mobile application and failed to offer or honor the same consumer choices via the app? Would the FTC have to micromanage the company’s information security program through a series of enforcement actions over time?

Conversely, should the FTC focus its efforts on promulgating regulations to require companies to implement reasonable security programs, as has been done with the other laws and regulatory guidance discussed above?

The potential importance of this opinion cannot be overstated, both with respect to its impact on existing FTC consent orders and the FTC’s ability to continue developing a concept of “reasonable security” while prosecuting unfair privacy and security practices on an action-by-action basis.

Strategizing a Case in Litigation Versus Arbitration

Posted on July 16, 2018 by - Uncategorized

In principle, every case should be decided according to the facts and the law, no matter who is making the decision or in which forum. In practice, the forum making the decision can make a huge difference. In particular, the differences between litigation in court and arbitration before a private panel can be dispositive because of the differences in procedures, the nature of the forum, opportunities to seek fees and costs, and the opportunities for review after the proceeding is over. Those differences may also be critical regarding certain preliminary aspects of the dispute, such as requests for injunctive relief. Each stage of the process presents different kinds of strategic decisions.

The first question a litigator should ask herself when a dispute arises is where the dispute should be heard. Is there an arbitration clause that might be applicable? If there is, does it in fact apply? To a large extent, whether the clause applies will depend on the language of the clause and how it relates to the facts, although the Eleventh Circuit has cautioned that “‘[t]he case law yields no clear answer’ to the question of how broadly to construe an arbitration clause.” Hemispherx Biopharma, Inc. v. Johannesburg Consol. Invs., 553 F.3d 1351, 1366 (11th Cir. 2008) (quoting Telecom Italia, SpA v. Wholesale Telecom Corp., 248 F.3d 1109, 1114 (11th Cir. 2001)). For example, a clause that required arbitration of disputes that “arise out of or relate to” an agreement settling a dispute did not require arbitration of later conduct similar to what caused the settled dispute because that is a new dispute. Zetor N. Am., Inc. v. Rozeboom, 861 F.3d 807, 810 (8th Cir. 2017). A clause calling for arbitration of “[a]ny dispute arising from the [fundraising] Activity” covered by the contract did require arbitration of a minimum wage claim by a fundraiser. Leonard v. Delaware N. Am. Cos. Sports Serv., Inc., 861 F.3d 727, 729 (8th Cir. 2017). “‘[A]rising under’ language is narrower in scope than language, such as “relating to,” under which a claim may be arbitrable if it has a “significant relationship” to the contract, regardless of whether it arises under the contract itself.” Evans v. Building Materials Corp. of Am., 858 F.3d 1377, 1381 (Fed. Cir. 2017). An arbitration clause covering disputes that “arise out of or in any way relate to” the services provided covers antitrust claims by customers. In re Cox Enters., Inc. Set-top Television Box Antitrust Litig., 835 F.3d 1195, 1202 (10th Cir. 2016).

If the clause arguably does not apply, the attorney should ask herself whether it is worth trying to litigate the case in court. The other side may commence motion practice under section 3 of the Federal Arbitration Act to stay the action and have the dispute referred to arbitration. Even if that motion does not succeed, the exercise may take several months. Is the delay worth it? More to the point, what are the chances the case can stay in the court system? There is a strong policy in pretty much every court system in favor of arbitrating disputes. That means a party resisting arbitration needs a very strong argument as to why an arbitration clause does not apply. See, for example, Chassen v. Fidelity Nat’l Fin., Inc., 836 F.3d 291, 304 (3d Cir. 2016) (“[I]f the language of the contract is ambiguous, the presumption of arbitrability applies because we must resolve any doubts concerning the scope of arbitrable issues in favor of arbitration.” (internal quotations and alterations omitted)).

If there is no arbitration clause, should the parties consider whether to enter into a post-dispute arbitration submission agreement? Certain kinds of disputes might be well-suited for such a submission. For example, if the parties prefer not to have their dispute become a matter of public record, they might prefer to construct an appropriate arbitration procedure and panel for their dispute in order to avoid public scrutiny and press coverage. Alternatively, the nature of the dispute may require that it be heard in a court that is utterly unfamiliar with the type of case at issue; if the parties want a decision maker who has at least some clue about how to think about their dispute, they can agree to have their dispute arbitrated by a credentialed person.

There are limited opportunities to choose your judge if your case is in court. Most courts assign cases out of a wheel or similar random assignment system. It is easier to avoid a disfavored judge (by discontinuing under Rule 41(a)(1) and refiling) than to steer a case to a favored one. Arbitration affords greater opportunities for choosing the decision maker. The American Arbitration Association typically provides lists of proposed arbitrators and invites the parties to strike disfavored names. The arbitration agreement might provide procedures for selecting the arbitrator, set forth minimum qualifications, or name a specific person. In all events, the litigant should think hard about the characteristics of the person she wants deciding the case and plan the strikes and nominations with those goals in mind. One common procedure calls for each side to name one arbitrator and then the two named arbitrators pick the third. For this type procedure it is necessary to consider how persuasive your named arbitrator can be in order to keep the selection of the third arbitrator within acceptable bounds.

Choosing your decision maker should be part of your decision about what your overall approach to the dispute should be. In court the tools are well known: motions to dismiss to narrow the issues, discovery to learn the facts and lock the other side into their story, and motion for summary judgment to win the case or get as much of it decided in your favor as possible ahead of trial. Which tools you use and how, and which grounds you will raise at which stage of the proceeding, will vary from case to case, of course.

Arbitration presents a different set of challenges because you have fewer tools readily available. In most arbitrations, motions to dismiss are not contemplated. Discovery is more limited—typically there are no interrogatories or depositions. Specific types of arbitration might vary, such as FINRA arbitrations, and parties can always agree to additional procedures, but it is never advisable to rely on the other side’s agreeing to your preferred procedure.

In at least some federal courts, there is no third-party discovery in arbitration: third-party evidence either is before the arbitrators or not at all. See, for example, Life Receivables Tr. v. Syndicate 102 at Lloyd’s of London, 549 F.3d 210 (2d Cir. 2008); Hay Group, Inc. f. E.B.S. Acquisition Corp., 360 F.3d 404 (3d Cir. 2004). The Sixth and Eighth Circuits disagree. See In re Sec. Life Ins. Co. of Am., 228 F.3d 865, 870–71 (8th Cir. 2000)American. Fed’n. of Television and Radio Artists, AFL–CIO v. WJBK–TV (New World Commc’ns of Detroit, Inc.), 164 F.3d 1004, 1009 (6th Cir. 1999). This doesn’t necessarily mean the third party has to show up and testify; the arbitrator may and often will facilitate third-party discovery by directing that documents be produced before him or her at an interim hearing called for the sole purpose of having the third party produce documents. Often the adversary will see which way the wind is blowing and consent to having the production done without the arbitrator present. But a good litigator must bear in mind the relative ease of access to third-party proof.

The likelihood in arbitration is that you are going to trial. That means arbitration may provide you with tools that may not be available in court. Bear in mind the grounds on which arbitration awards can be vacated. They are set forth in section 10(a) of the Federal Arbitration Act:

  1. where the award was procured by corruption, fraud, or undue means;
  2. where there was evident partiality or corruption in the arbitrators, or either of them;
  3. where the arbitrators were guilty of misconduct in refusing to postpone the hearing, upon sufficient cause shown, or in refusing to hear evidence pertinent and material to the controversy; or of any other misbehavior by which the rights of any party have been prejudiced; or
  4. where the arbitrators exceeded their powers, or so imperfectly executed them that a mutual, final, and definite award upon the subject matter submitted was not made.

Although these grounds are narrow, they are real, and arbitrators don’t like being overturned any more than judges do. So they are likely to run the hearing in a way that will keep them far away from any of these. The ones that give parties the most scope for affecting the proceeding are subsection 3 and 4.

Defendants in particular can—and often do—use the prospect of a post-award vacatur proceeding under subsection 3 as a tool to obtain adjournments and to keep the record open for all kinds of evidence that in court might be viewed as cumulative or of limited probative force or questionable admissibility. Of course, it is possible to overdo it, and a good arbitrator will see through the more egregious misuses of this strategy.

Similarly, the parties may wrangle over the scope of the arbitrator’s power and how it is exercised because subsection 4 permits challenges on those grounds. These arguments will turn on the language of the contract that empowered the arbitrators in the first place (which may or may not be idiosyncratic, unclear, or debatable). In court, though, such issues typically are pitched in terms of jurisdiction, finality, or scope of discretion, and there is usually a wealth of case law to inform the parties’ arguments.

Courts, especially federal courts, have much more rigid guidelines for the procedures to be followed, well-defined evidentiary rules, and, in the main, a case-management ethic that expects judges to keep cases moving along smartly. Although the number of tools is greater (motions, discovery), the opportunities for delay in each part of the proceeding are far fewer. Unlike arbitrators, whose decisions are highly insulated from substantive review, judges can be reversed on appeal. Although appellate courts reverse trial courts in only a small percentage of cases, see, e.g., Just the Facts, (Dec. 20, 2016) (fewer than 9% of federal appeals resulted in reversals in 2015); National Center for State Courts, Caseload Highlights (March 2007) (of appeals prosecuted to decision, 70% were affirmed), the prospect of a reversal on appeal can occasionally be a useful tool for a litigant.

The bottom line: no matter which forum you are in, each stage of the proceeding requires that you keep in mind the rules of the forum so that you can construct your strategy to fit the forum and maximize your client’s chances.

Stuart Riback gratefully acknowledges the assistance and input of Judge Gail Andler (ret.), Peter Valori and Mian Wang.

Delaware Court of Chancery Examines the Garner Exception to the Attorney-Client Privilege

Posted on July 16, 2018 by - Uncategorized

Two recent decisions from the Delaware Court of Chancery offer new insight into the court’s application of an important exception to the attorney-client privilege in breach of fiduciary duty actions. The Garner exception to the attorney-client privilege, first articulated by the Fifth Circuit Court of Appeals in Garner v. Wolfinbarger, 430 F.2d 1093 (5th Cir. 1970), cert. denied, 401 U.S. 974 (1971), requires fiduciaries defending claims for breaches of fiduciary duty to produce otherwise privileged documents upon a showing of good cause by the party asserting the claims. The Supreme Court of Delaware has emphasized that the exception is “narrow, exacting, and intended to be very difficult to satisfy.” Wal-Mart Stores, Inc. v. Indiana Elec. Workers Pension Trust Fund IBEW, 95 A.3d 1264, 1278 (Del. 2014). Consistent with this view, in Buttonwood Tree Value Partners, L.P. v. R.L. Polk & Co., Inc., 2018 WL 346036 (Del. Ch. Jan. 10, 2018) and Morris v. Spectra Energy Partners (DE) GP, LP, 2018 WL 2095241 (Del. Ch. May 7, 2018), the Court of Chancery found the Garner exception inapplicable while providing new guidance on its limits.

Buttonwood Tree Value Partners, L.P. v. R.L. Polk & Co., Inc.

In this case, former minority stockholders of R.L. Polk & Co., Inc. (Polk) asserted direct breach of fiduciary duty claims against the Polk family, which collectively held approximately 90 percent of Polk common stock, and against directors affiliated with the Polk family. Plaintiffs alleged that these defendants breached their duties of loyalty and care in connection with a self-tender transaction orchestrated by the Polk family. According to plaintiffs, the transaction enriched the Polk family, who afterwards received dividends amounting to one-third of the self-tender price and sold the company for three times the self-tender valuation.

Invoking the Garner exception, plaintiffs moved to compel the production of privileged documents withheld by defendants that related to the sale of the company, the self-tender, and various restructuring options under consideration at the time of the self-tender. The court explained that in evaluating whether a stockholder has established sufficient “good cause” to warrant application of the Garner exception, Delaware courts focus on three of the factors identified by the Fifth Circuit in Garner: “(1) the colorability of the claim; (2) the extent to which the communication is identified versus the extent to which the shareholders are blindly fishing; and (3) the apparent necessity or desirability of shareholders having the information and availability of it from other sources.” In its view, the first and second of these factors act as “gatekeepers” that “strain out frivolous attempts to vitiate the privilege.” The third factor, applicable only when the first two are satisfied, reflects “a balancing test to see whether the interest in discovery, or that of maintaining the privilege, is paramount.” The court noted that Garner “balances the [attorney-client] privilege’s purpose of encouraging open communication between counsel and client against the right of a stockholder to understand what advice was given to fiduciaries who are charged with breaching their duties.” (Quotations and citations omitted.)

The court found that the first factor weighed in favor of disclosure of the privileged documents at issue because the court previously held that the complaint stated claims against the Polk family and its affiliated directors for breaches of fiduciary duty, and therefore the claims were colorable. The court found that the second factor also weighed in favor of disclosure because the documents at issue, although “relatively large” in number (1,200), were tailored to plaintiffs’ allegations, and there was no indication that production of the documents would be overly burdensome.

Having found that plaintiffs “cleared the initial hurdle” imposed by the first two factors, the court turned to the third factor and found that it weighed against disclosure because the plaintiffs had not demonstrated that the information sought was unavailable from other nonprivileged sources. In so finding, the court noted that plaintiffs had yet to depose any witnesses, and there was no reason to believe that depositions would fail to reveal information about the sale of the company, the self-tender, and the restructuring options considered at the time of the self-tender. The court rejected plaintiffs’ argument that the documents at issue were necessary to prepare for the forthcoming depositions or to test the witnesses’ credibility. The court reasoned that such concerns are always present, and if the court were to adopt them as a basis to apply the Garner exception, the scope of the exception “would expand significantly, an outcome contrary to our Supreme Court’s admonition that the exception is ‘narrow, exacting, and intended to be very difficult to satisfy.’” (quoting Wal-Mart, 95 A.3d at 1278). The court emphasized that a stockholder invoking Garner must establish that they “have exhausted every available method of obtaining the information they seek.” Given that plaintiffs did not do so, the court concluded that the balancing test under the third factor “tip[ped] against disclosure of the privileged documents,” and held that the Garner exception did not apply.

Having held that plaintiffs failed to demonstrate that their motion to compel should be granted, the court found it unnecessary to decide whether Garner could apply to the direct, as opposed to derivative, claims in issue. Defendants argued that Garner applies only to derivative claims “where [the] defendant corporate actors assert the privilege on behalf of the very entity that the plaintiffs purport to represent derivatively, in which case the assertion of the privilege on behalf of the corporation and its principals may be inimical to the corporate interest.” Without deciding the issue, the court noted that the Garner exception logically applied in the context of direct claims for breach of fiduciary duty, “but that the nature of the action must be accounted for in the balance of interests that Garner requires.”

Morris v. Spectra Energy Partners (DE) GP, LP

The discovery dispute at issue in this decision arose in the context of a challenge to a transfer of certain assets of Spectra Energy Partners, LP (Spectra LP) to a principal of Spectra LP’s general partner, Spectra Energy Partners (DE) GP, LP (Spectra GP). Spectra LP’s limited partnership agreement (the LPA) eliminated common-law fiduciary duties, but required Spectra GP to act in good faith with respect to such transfers. The plaintiff, a common unitholder of Spectra LP, claimed that Spectra GP breached its duty to act in good faith by knowingly approving a transfer of assets for approximately $500 million less than the assets were purportedly worth.

The plaintiff moved to compel the production of two documents in unredacted form under the Garner exception. In a matter of first impression, the court considered whether the Garner exception applies in circumstances where a limited partnership has eliminated common-law fiduciary duties. Relying on precedent holding that the Garner exception is limited to circumstances where there is a fiduciary relationship between the party challenging the privilege and the party asserting it, the court concluded that the Garner exception does not apply when fiduciary duties are expressly disclaimed.

In so finding, the court emphasized the policy underlying the Garner exception, which rests on the “mutuality of interest” between a stockholder and a fiduciary when the fiduciary seeks legal advice in connection with actions taken or contemplated in his role as a fiduciary. In such circumstances, the court reasoned, the stockholder is “the ultimate beneficiary of legal advice sought by fiduciaries qua fiduciaries,” making it appropriate for the stockholder to view the communications reflecting the advice in certain circumstances. The court recognized that the Garner exception has been applied in situations far removed from stockholder derivative suits (i.e., actions by trust beneficiaries against the trust and trustee, and actions by creditors against a bankruptcy creditor’s committee), but a fiduciary relationship existed in these cases, establishing the requisite mutuality of interest between the parties.

Given that there was no fiduciary relationship between the plaintiff and Spectra GP under the express terms of the LPA, the court concluded that the mutuality of interest underpinning the Garner exception did not exist, and the Garner exception therefore did not apply.

Key Takeaways

Although application of the Garner exception is necessarily a fact-specific inquiry, these recent decisions offer certain key insights for litigants prosecuting or defending breach of fiduciary duty claims in the Delaware Court of Chancery:

  • Fiduciary relationship required, and contractual duties are not enough. The court’s decision in Morris makes clear that the Garner exception is unavailable where common-law fiduciary duties are disclaimed by contract and therefore no fiduciary relationship exists. The LPA in Morris replaced common-law fiduciary duties with contractual duties, and although not expressly addressed, the court’s decision appears to render Garner inapplicable to actions involving breaches of contractual duties. Therefore, even if a plaintiff asserting breaches of contractual duties could otherwise satisfy the high burden required for Garner’s application, it is unavailable in that setting.
  • Garner likely applies to direct fiduciary breach claims, but the burden of establishing good cause may be higher in that context. Although the court in Buttonwood did not decide the issue, it surmised in dicta that the Garner exception would apply to direct fiduciary duty claims as well as derivative claims. In Garner, where the claims were both direct and derivative, the Fifth Circuit noted that its decision was not dependent on whether the derivative claim was “in the case or out.” Garner, 430 F.2d at 1097 n.11. In Buttonwood, however, the court cautioned that the nature of the claim should be considered when balancing the interests inherent in the attorney-client privilege against the interests of a stockholder seeking to review privileged communications. This suggests that stockholders invoking the Garner exception in the context of direct fiduciary duty claims may face a higher burden of establishing the requisite “good cause” necessary to invoke the exception.
  • Garner does not apply if information sought is potentially available through depositions. When evaluating “the apparent necessity or desirability of shareholders having the information and availability of it from other sources,” the court will not likely find sufficient good cause to invoke Garner if the moving stockholder can obtain the information sought through depositions. Similarly, the potential usefulness of otherwise privileged documents to deposition preparation is not enough under Garner. Rather, a stockholder must exhaust other available options, consistent with the Delaware Supreme Court’s expectation that the Garner exception should “be very difficult to satisfy.”

FIFA Rules in Light of US, Canada, and Mexico Being Announced as Hosts of 2026 FIFA World Cup

Posted on June 30, 2018 by - Uncategorized

On 13 June 2018, with 134 of the 200 votes cast, the three countries of the so-called “United Bid”, Canada, Mexico and the U.S., were designated by the Congress of the Fédération Internationale de Football Association (“FIFA”) as hosts of the 2026 FIFA World Cup. This is a historical decision, not only for the three selected countries, but also because it is the first time that the host country of one of the most prestigious international soccer competitions has been designated by a vote of all the members of the governing body of soccer worldwide, i.e. by all 211 national member associations of FIFA.

The new process of selection and nomination of the host country was introduced by FIFA after the FIFA Executive Committee’s decision in December 2010 to appoint Russia and Qatar as hosts of the 2018 and 2022 World Cups, respectively, led to severe criticism, debate and investigations. The subsequent change from a secret vote by a small group of officials to a democratic and transparent voting process by the Congress has been widely welcomed. Indeed it shows an openness by FIFA to amend and improve its rules and decision-making processes.

Interestingly, FIFA has also issued new rules concerning how host countries should navigate human rights. Again, in reaction to concerns triggered by the Russia and the Qatar World Cups, FIFA issued a new Human Rights Policy in May 2017 which articulated FIFA’s statutory human rights commitment and outlined FIFA’s approach to its implementation in accordance with the UN Guiding Principles on Business and Human Rights. Such implementation in Canada, Mexico and the United States will undoubtedly be closely monitored by the Human Rights Watch organization, which has already advised FIFA in connection with World Cup bidding requirements.

Despite these recent positive developments, one should consider whether other rules governing international soccer are in need of critical analysis and substantive revision. In this regard, a top priority could be the FIFA Regulations on the Status and Transfer of Players (“RSTP”), which were issued in 2001 and, remarkably, are probably the only legal instrument existing in the world of sport that regulates, on a worldwide level, basically all issues relating to the international transfer of athletes within a particular sport. The RSTP apply as soon as a player is transferred from one country to another. Over the past 17 years, millions of players have been registered and/or transferred under the RSTP and thousands of disputes have arisen and have been dealt with, in large part by FIFA judicial organs and the Court of Arbitration for Sport, in respect of the RSTP.

However, recent developments show that the RSTP need to be reconsidered in order to address certain highly problematic issues that have emerged in international soccer. For instance, recent transfers have triggered huge fees paid to certain agents. Another recent area of concern is the tendency of some larger clubs to place a very high number of players under contract and then temporarily loan such players to other clubs. Finally, the increasing number of minor players attempting to move to other countries and register with a foreign club in the hopes of making a fortune, triggers concerns surrounding fundamental issues such as education and child abuse.

It will be interesting to observe how FIFA will work with all relevant stakeholders (soccer players, national member associations, clubs, leagues, etc.) to create a more modern and fair version of the RSTP. Such work is never easy, given often-conflicting stakeholder interests. Nevertheless, one maintains hope that a new, better version of the RSTP will soon emerge. For the good of the game.

What’s Next for Sports Betting in the U.S.?

Posted on June 27, 2018 by - Business Regulation and Regulated Industries

On May 14 of this year, the Supreme Court issued a decision that has changed the landscape of gambling in the United States. In Murphy v. NCAA, 138 S. Ct. 1461, the Court invalidated the federal law that had limited sports betting to Nevada. Since that decision, several states have passed, or are in the final stages of passing, laws authorizing wagering on sports. While the Court’s decision has unleashed pent-up enthusiasm in states for regulated sports betting, the road forward is likely to be contentious.

The Law and Its Detractors

Congress passed the Professional and Amateur Sports Protection Act (PASPA) in 1992 to address concerns that legalized sports betting would expand from Nevada to other states. Senator Bill Bradley was the driving force for proposals to ban sports betting in the U.S.  Bradley claimed that government-sanctioned sports betting undermined the more noble aspirations of sporting competitions in favor of the pursuit of gambling winnings. 

But Bradley and other proponents were unable to gather the votes needed to pass a law that would prohibit sports betting. To achieve what they thought would be the same result, they enacted a law that forbade states from passing laws that authorized or licensed sports betting. Nevada was allowed to continue to offer sports betting and New Jersey was given one year from the law’s effective date to adopt sports wagering. As it turned out, supporters of PASPA could not have been more wrong about the law being the equivalent of a federal law prohibiting sports betting.

While New Jersey failed to act within the one-year grace period, they later had a case of non-buyer’s remorse. In 2011, voters passed a constitutional amendment to allow sports betting and in 2012 the regulatory structure for sports betting was in place. But it took New Jersey six years of court battles before their attack on PASPA finally paid off.

The Supreme Court’s Ruling 

Justice Alito’s opinion for the Court left little doubt that PASPA violated the Constitution. The law’s fatal flaw was in its mandate to the states that they could not authorize or license sports betting. According to the Court, Congress lacks the constitutional authority to dictate how a state chooses to legislate. The Court ruled that Congress had unconstitutionally “commandeered” the legislative processes of states by barring them from adopting sports betting. PASPA thus violated fundamental tenets of federalism and constituted a “direct affront to state sovereignty.”

The Court also rejected the argument that the portion of PASPA directed at the states could be severed from a provision that barred private persons from operating sports books. Once the provision directed at the states was invalidated, the Court decided, the entire statutory framework of the law collapsed.

While the result itself might not have been a surprise, the emphatic repudiation of the core provision of PASPA by seven justices was remarkable. Constitutional law scholars have already begun to ponder the implications of the Court’s aggressive application of the “commandeering” principle.

States Jump In    

Flush with success, New Jersey wasted little time in parlaying its court victory. On June 14, New Jersey Governor Phil Murray placed the first legal sports bet in the state. But New Jersey was beaten to the punch by Delaware which began taking sports bets on June 5. Other states have joined the rush as well. For example, the Mississippi Gaming Commission quickly adopted regulations for sports betting based on a 2017 law permitting daily fantasy sports. Sports betting could be live there by the end of July. The West Virginia Lottery approved regulations that will likely lead to sports wagering by September 1. Rhode Island and Pennsylvania have also already legalized sports betting.

The Devil is in the Details

While other states are likely to jump on the sports betting bandwagon, the bandwagon may move forward with fits and starts. For example, New York state legislators considered sports betting proposals but adjourned June 20 without acting. New York’s experience suggests that as states undertake consideration of sports betting they will face several challenging and controversial issues.

Fees

First, the major sports leagues will continue to press the argument that they deserve to be compensated from the money that sports books collect. This argument was initially framed as an “integrity” fee. The leagues use this term because they assert they will be put to considerable expense in monitoring betting patterns to determine if there is unusual betting activity that would suggest corruption of a game. 

Alternatively, the leagues have asserted that sports books should be required to use, and pay for, official league data as the basis for determining the results of sports bets. Adam Silver, the NBA Commissioner, has put the case for compensation in even sharper relief, claiming that the leagues were entitled to royalty fees because they were “content creators.”

While the leagues have pressed the monetization issue aggressively, none of the states which have enacted sports betting provisions included fees for the leagues. A proposal in New York specified the leagues would receive one-fifth of a percent of wagers placed but, as noted, New York’s legislative bodies took no action on sports betting before adjourning. Had New York acted and included the fee, the leagues would have been emboldened to promote the fee to other states.

Taxing Sports Betting

Second, legislators will have to determine the proper tax rate for sports betting. High tax rates could severely undermine the objectives for legal, regulated sports betting. For example, Rhode Island’s staggering 51% tax of the revenues collected from sports betting, and Pennsylvania’s rate of 36%, may well backfire. Taxing at those levels will challenge even the best sports book operator to make a profit, and states with high tax rates may have difficulty attracting operators.

Sports book operators who do venture into high tax jurisdictions may have to charge more for their product by offering less favorable odds or significantly limiting bet maximums.  The high taxation discourages the migration of bettors from the unregulated (illegal) sports betting options to the regulated state platforms. The former pay no taxes, have no regulatory compliance costs, and no expensive infrastructure to maintain. This allows them to offer more attractive betting options. If one of the purposes of regulated sports betting is to drive the criminal element out of the industry, high tax rates will have exactly the opposite effect.

In setting tax rates, many legislators will be surprised when they learn that sports betting is unlikely to be a budget game-changer for states. Legislators understandably get excited when they hear claims that sports betting is a $200 billion industry in the U.S. But even if that figure is accurate, it means only that $200 billion is wagered. Sports books are low margin operations; historically, sports books in Nevada pay back approximately 95% of the money wagered to those placing winning bets. In last year’s Super Bowl, Nevada sports books won a paltry 0.7% of the money bet. While every little bit helps, the revenue generated from taxes on the $10 billion retained by the sports books is far from transformative.

Mobile Sports Betting

Third, states will need to address how sports wagers can be made.  Limiting sports betting to bricks and mortar casinos will stunt revenues from regulated sports betting. Much of the rise in Nevada’s sports wagering revenues is attributable to the availability of mobile apps that allow sports bets to be made from anywhere in the state. Whatever else can be said about the gambling preferences of millennials, requiring them to go to casinos to place sports bets, or even betting kiosks in convenience stores, will not be popular. Mississippi’s recently enacted law allows mobile betting, but requires the bettor to be present on the licensed premises. Such limitations on mobile wagering may be revisited when it becomes apparent revenues are being lost.

Indian Tribes

Fourth, legislators in states such as California, Connecticut, and Florida will have to manage issues relating to the compacts those states have with Indian tribes. These compacts often provide for the tribes to share revenues with the state in exchange for granting the tribes exclusivity in offering gambling. Renegotiation of the compacts to allow for sports betting to be offered by others will not be seamless. Tribes themselves may want in on sports wagering.

The Future

New Jersey’s ultimately successful effort to overturn PASPA was an epic struggle, and the story of how sports betting will actually be regulated in the U.S. promises to be no less riveting. The uncertainties and inefficiencies of a state-by-state model could prompt Congress to consider enacting a law with a uniform federal template that states would be required to use for sports betting. States would stoutly resist such legislation, and Congress would need to show an unusual level of resolve to overcome that opposition. In any event, the next year will present a dynamic and fluid environment for regulated sports wagering in the U.S. to exhibit its nascent presence in the gambling world.

CFPB Re-Examination of Disparate Impact and ECOA

Posted on June 15, 2018 by - Business Regulation and Regulated Industries

The Consumer Financial Protection Bureau’s (“CFPB”) Acting Director, Mick Mulvaney, recently announced that the CFPB will re-examine its position on disparate impact liability under the Equal Credit Opportunity Act (“ECOA”). Based on recent federal developments that reflect a trend of repudiating Obama-era financial reform and limiting the regulatory discretion of the CFPB, the end of disparate impact enforcement by the CFPB seems likely. 

The disparate impact doctrine establishes liability for a facially neutral policy or practice that results in a discriminatory effect, even absent a discriminatory intent. Since the inception of the agency, the CFPB has relied heavily on the disparate impact doctrine in its fair lending enforcement. In an April 2012 Bulletin entitled “Lending Discrimination,” the CFPB “reaffirm[ed that] the legal doctrine of disparate impact remains applicable as the Bureau exercises its supervision and enforcement authority to enforce compliance with ECOA and Regulation B.” A March 2013 Bulletin entitled “Indirect Auto Lending and Compliance with the Equal Credit Opportunity Act” reiterated that the CFPB would apply a disparate impact analysis and provided guidance on how indirect motor vehicle lenders could avoid disparate impact violations of ECOA and Regulation B. 

These actions were not without controversy. In December 2017, the Government Accountability Office (“GAO”) concluded that, although the 2013 CFPB Bulletin was not a formal regulation, it still was a “rule” subject to the Congressional Review Act of 1996 (“CRA”). This determination greatly increased congressional oversight of the CFPB, as the CRA allows Congress to effectively veto rules issued by federal agencies. Agencies must submit rules subject to the CRA to Congress after they have been finalized but before they take effect. After submission, Congress has 60 legislative days to approve or veto the rule.  The GAO’s conclusion effectively prohibited the CFPB from unilaterally issuing guidance that serves as de facto regulation for anyone subject to CFPB supervision or enforcement.

On May 21, 2018, Congress officially repealed the CFPB’s March 2013 Bulletin through a CRA resolution signed by the President. In a contemporaneous press release, Acting Director Mick Mulvaney stated that the CFPB also will re-examine its use of disparate impact for ECOA enforcement. Mulvaney thanked the President and Congress for “reaffirming that the Bureau lacks the power to act outside of federal statutes” and noted that “[a]s an executive agency, we are bound to enforce the law as written, not as we may wish it to be.” Mulvaney indicated that the Supreme Court’s 2015 decision in Texas Department of Housing and Community Affairs v. The Inclusive Communities Project influenced the decision to re-examine the CFPB’s position on disparate impact. Mulvaney’s announcement followed the Department of Housing and Urban Development’s decision to seek public comment on whether its Disparate Impact Regulation, which it applies to the Fair Housing Act (“FHA”), is consistent with the Inclusive Communities decision.

In Inclusive Communities, the Court held in a 5-4 decision that the FHA recognizes a disparate-impact theory. However, the Court did not extend the application of the disparate impact doctrine to ECOA, and the Court’s analysis strongly suggests that disparate impact would not apply to ECOA. It is likely that the CFPB will look towards the analysis in Inclusive Communities to determine if it will apply disparate impact to ECOA.

The Court’s decision in Inclusive Communities relied heavily on specific language in the FHA that the court found imputed disparate impact liability. The Court noted that, in addition to the FHA, Title VII of the Civil Rights Act of 1964 and the Age Discrimination in Employment Act (ADEA) recognize the disparate-impact doctrine. The Court found that Title VII, the ADEA, and the FHA all have “operative text” that looks at results of a policy or practice, as opposed to the intent.  ECOA does not seem to have equivalent language. 

The Court also noted that from the time the FHA was enacted to when it was amended, “all nine Courts of Appeals to have addressed the question had concluded the Fair Housing Act encompassed disparate-impact claims.” The Court found the fact that Congress amended the FHA, but still retained the relevant statutory text, indicated that Congress intended for disparate impact to apply. The Court also found that exemptions to liability under FHA, which address the role of property appraisals, drug convictions, and occupancy restrictions, arguably presupposed the application of disparate impact under the FHA. There is likely no similar evidence of legislative intent to apply disparate impact to ECOA.

The Court also found that disparate impact liability was consistent with the “statutory purpose” of the FHA. There is a strong possibility that a court would find that disparate-impact liability was consistent with the statutory purpose of ECOA, an anti-discrimination law. However, it is unlikely that the general intent of the law would be dispositive over statutory language and, arguably, evidenced legislative intent.

Based on Inclusive Communities and policy goals of this presidential administration, it seems likely that the days of CFPB using the disparate impact doctrine to enforce ECOA may be over.

Dodd-Frank Rollback Law Includes Increased Flexibility for Growth Companies and Venture Funds

Posted on June 15, 2018 by - Securities

On May 24, 2018, President Trump signed into law a broad rollback of the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010. In addition to a number of changes applicable specifically to financial institutions, the Economic Growth, Regulatory Relief, and Consumer Protection Act (the Act) contains a number of reforms to federal securities laws and regulations that will affect privately held, high-growth companies; venture capital funds; and public reporting companies, including:

  • Rule 701: Directs the U.S. Securities and Exchange Commission (SEC) to raise the threshold amount that triggers mandatory increased issuer disclosure for issuances of securities under a compensatory benefit plan in reliance on Rule 701 from $5 million to $10 million in any 12-month period.
  • Investment Company Act of 1940 (1940 Act): Exempts from investment company status certain venture capital funds that have no more than 250 investors and no more than $10 million in aggregate capital contributions and uncalled committed capital.
  • Regulation A: Directs the SEC to permit public reporting companies: (a) to make exempt offerings under Regulation A; and (b) to satisfy the periodic and current reporting requirements for Regulation A Tier 2 offerings by meeting the reporting requirements of section 13 of the Securities Exchange Act of 1934 (Exchange Act).

Although mandated under the law, the reforms to Rule 701 and Regulation A are not immediate. The changes are required to be made by the SEC within 60 days of adoption of the Act, and the SEC already has a substantial rulemaking docket in process. Accordingly, the revisions may not be effective for several months.

Rule 701—Increased Minimum Value to Trigger Enhanced Disclosure

The Act directs the SEC to increase the amount of securities that a private company may offer and sell under employee benefit plans before enhanced disclosure by that company is triggered. The Act increases the threshold amount for enhanced disclosure from $5 million to $10 million over a 12-month period. Rule 701 is an exemption to the registration requirements of the Securities Act of 1933 (the Securities Act) that allows private companies to issue securities under employee benefit plans, including options, restricted stock, and restricted stock units. Rule 701 has an overall limitation on use based on the value of the awards at the time of issuance in any 12-month period not exceeding the greater of: (i) $1 million; (ii) 15 percent of the issuer’s total assets; and (iii) 15 percent of the issuer’s total class of equity offered, in each case measured as of its last balance sheet date. As a result, Rule 701 generally is flexible with the size of the issuer.

In addition, Rule 701 currently includes an enhanced disclosure requirement by an issuer if, in any 12-month period, the issuer awards more than $5 million in securities in the aggregate in reliance on Rule 701. If the enhanced disclosure threshold is exceeded, issuers must provide all recipients of securities issued under Rule 701 with various and potentially onerous required disclosures, including risk factors associated with investing in the issuer’s securities and GAAP-compliant financial statements that are no more than 180 days old. The issuer must give this information to each participant (including participants who received an award before the threshold was exceeded) within a reasonable period of time before the date of sale. The date of sale in some cases may be at the time of grant (for example, RSUs and restricted stock).

The Act directs the SEC to raise the 12-month threshold for enhanced disclosure to $10 million from $5 million. In addition, it provides that the SEC must also include a provision to adjust the threshold for inflation every five years.

Key takeaways: Private companies that issue stock options and other securities to employees, consultants, directors, and other stakeholders should continue to monitor their compliance with Rule 701. As companies remain private for longer periods of time and valuations increase, they have been much more likely to reach the current $5 million disclosure threshold in a 12-month period in recent years. At the same time, the SEC’s enforcement staff recently has demonstrated an increased interest in Rule 701 and has begun imposing civil penalties for failure to comply with Rule 701’s disclosure requirements. Until the SEC rulemaking for Rule 701 is complete, issuers who are nearing the $5 million disclosure threshold should consult their attorneys to discuss strategies for managing Rule 701 securities offerings and any required disclosures. However, some issuers may want to consider delaying certain grants to later dates when the $10 million disclosure threshold becomes available (hopefully in the coming months) to avoid triggering the enhanced disclosure requirements.

1940 Act—Expanded Exemption for Venture Capital Funds

The Act also amends section 3(c)(1) of the 1940 Act to permit certain funds to accept more than the prior limit of 100 investors without being required to register as an investment company, which provides significantly more potential capital fundraising flexibility to venture capital funds that rely on section 3(c)(1). Having an applicable exemption under the 1940 Act is critical for venture fund sponsors to avoid registration requirements that would make the operation of typical venture funds financially impractical. Previously, section 3(c)(1) exempted any fund from the definition of an investment company under the 1940 Act if it was beneficially owned by no more than 100 persons and did not make a public offering of its securities. The new amendments allow a venture capital fund relying on section 3(c)(1) to accept up to 250 investors instead, so long as the fund: (i) has at all times less than $10 million in aggregate capital contributions and uncalled committed capital; and (ii) meets the definition of a “venture capital fund,” which is defined through a cross reference to Rule 203(l)-1 under the Investment Advisers Act of 1940 (the Advisers Act).[1] The $10 million limit will be adjusted every five years to account for inflation.

Key takeaways: Section 3(c)(1)’s 100-investor limit previously was the most significant regulatory factor limiting the size of venture funds that are not able to rely on section 3(c)(7)—the other 1940 Act exemption most relied upon by venture funds. Section 3(c)(7) similarly exempts funds from the definition of an investment company that do not make public offerings, and unlike section 3(c)(1), includes no limitation on the number of investors. In exchange, however, it requires that all investors be “qualified purchasers” (generally, individuals with at least $5 million in investments and entities with $25 million). Many fund managers with funds running up against the 100-investor limitation under section 3(c)(1) simultaneously form a parallel, side-by-side fund that individually relies on section 3(c)(7) to increase the amount of investor capital they can accept. For funds raising $10 million or less in capital, the new amendments may reduce the need for such side-by-side structures and/or may increase the capital raised that otherwise would be left on the table for regulatory purposes in any structure involving a fund that relies on section 3(c)(1).

Venture fund sponsors should note that there is no safe harbor or exception in the event that a venture capital fund initially intending to rely on the amended 250-investor limitation subsequently accepts more than $10 million in capital commitments if at that time the fund has more than 100 investors. In addition, based on the plain language of the amendment, fund sponsors should be aware that the standard “general partner” capital commitment may be included within this $10 million limitation. Accordingly, fund sponsors should take care and be deliberate in monitoring their fundraising activities and closings if they intend to rely on the exemption as amended.

Regulation A—Exemption for Public Reporting Companies

Finally, the Act directs the SEC to permit reporting companies to take advantage of the Regulation A exemption for securities offerings and to satisfy the periodic and current reporting requirements for Regulation A Tier 2 offerings by meeting the reporting requirements of section 13 of the Exchange Act. Often referred to as “mini-public offerings,” Regulation A offerings are exempt from securities registration requirements and can be made to the general public, but the issuer must prepare abbreviated disclosure filings that are subject to SEC review and comment. There are two tiers of Regulation A offerings. Tier 1 offerings may not raise more than $20 million in a 12-month period but require less disclosure. Tier 2 offerings may raise up to $50 million in a 12-month period but require issuers to satisfy ongoing, periodic reporting obligations. In addition, Tier 2 offerings preempt state securities registration requirements, although states may still require notice filings, consents to service of process, and filing fees.

Currently, reporting companies cannot issue securities under Regulation A. Once Regulation A is revised, reporting companies will be able to make Regulation A offerings, and reporting companies making Tier 2 offerings will be deemed to have satisfied the periodic disclosure requirements if they have satisfied their Exchange Act periodic disclosure obligations.

Key takeaways: The mandated changes to Regulation A will primarily benefit small public companies. Many small public companies that do not qualify as well-known seasoned issuers may be ineligible to take advantage of the streamlined Form S-3ASR for seasoned offerings. Although registered offerings on Form S-1 can involve a lengthy and expensive drafting and SEC comment process, the disclosures required under Regulation A can be abbreviated and less costly. In addition, reporting companies that do not trade on national exchanges must comply with state securities registration requirements. By making Tier 2 offerings, these companies will be able to avoid the complexity and cost of complying with blue sky laws for every state in which purchasers reside. However, because Tier 1 Regulation A offerings may not exceed $20 million in a 12-month period, and Tier 2 Regulation A offerings may not exceed $50 million in a 12-month period, with further restrictions for selling stockholders, it remains unclear whether this additional flexibility will be of substantial practical benefit for many companies given the alternative of Form S-3.

[1]      This cross reference harmonizes the amendment with the exemption from registration under the Advisers Act that is commonly relied upon by many venture fund managers. Rule 203(l)-1 under the Advisers Act defines a “venture capital fund” to generally include private funds that meet specific conditions. These conditions include representing to investors that the private fund pursues a venture capital strategy, holding 80 percent or more of the fund’s aggregate capital contributions and uncalled committed capital in certain “qualifying investments,” conforming to specific limitations regarding the amount and types of leverage they can take on, and placing significant limitations on the ability of investors to redeem their interests. For these purposes, “qualifying investments” generally include equity securities issued by and acquired from operating companies that, among other things, are not reporting companies or foreign traded.

MHS Capital LLC v. Goggin: Reviewing Fiduciary Duty and Exculpation Provisions in Limited Liability Company Agreements

Posted on June 15, 2018 by - Uncategorized

In MHS Capital LLC v. Goggin, the Delaware Chancery Court, in addressing claims for breach of contract and breach of fiduciary duty, provided guidance to members and managers of limited liability companies (LLCs) and their counsel regarding issues to consider when negotiating and adopting fiduciary duty modifications and exculpatory provisions in limited liability company agreements.

Background

In Goggin, a member of East Coast Miner LLC (ECM) brought suit against ECM’s manager and his associates challenging several allegedly self-dealing transactions. The plaintiff alleged, among other things, that ECM’s manager had caused ECM’s part ownership of specified assets to be diverted to different entities that the manager and his associates owned and controlled. The assets in question were subject to a lien that ECM held against a bankrupt entity. Pursuant to the lien, ECM had the right to credit bid on the secured assets in a bankruptcy auction. The plaintiff alleged that ECM’s manager had arranged for the bankruptcy court’s order to transfer the assets to a consortium of entities, all the members of which, other than ECM, were allegedly owned and controlled by ECM’s manager and his associates. The plaintiff brought series of claims against ECM’s manager, including claims for breach of ECM’s LLC agreement and breach of fiduciary duty.

ECM’s manager moved to dismiss, arguing that the provisions of ECM’s LLC agreement operated to preclude any recovery of monetary damages, and that any award of equitable relief was precluded by the bankruptcy court’s order with respect to the asset transfer. In analyzing the claims, the Delaware Chancery Court noted that two provisions of ECM’s LLC agreement were particularly relevant. First, it contained provisions specifying the standard of conduct applicable to the manager, dispensing with traditional fiduciary duties and replacing them with a provision obligating the manager to “discharge his duties in good faith, with the care an ordinarily prudent person in a like position would exercise under similar circumstances.” Second, it contained a broad exculpatory clause providing that “[t]he Manager shall not be liable to [ECM] or any Member [of ECM] for monetary damages for breach of such person’s duty as a Manager, except as otherwise required under the [LLC] Act.”

The Breach of Contract Claims

On the record before it, at the motion to dismiss stage, the Delaware Chancery Court assumed that the conduct of ECM’s manager challenged in the complaint constituted a breach of the LLC agreement’s contractual standard of conduct. The key question, in view of the breadth of the LLC agreement’s exculpatory clause, was whether plaintiff had stated a breach of contract claim for which relief could be granted. Given that the exculpatory clause broadly eliminated claims for monetary damages, the court principally considered whether an award of equitable relief could be granted and, if so, whether any such award would conflict with the bankruptcy court order. That order specified that the purchasers in the bankruptcy sale would take title to the underlying assets free and clear of encumbrances, and that persons holding claims would be enjoined from asserting those claims against the purchasers with respect to the assets.

Ruling on the motion to dismiss, the Delaware Chancery Court found that its “‘broad discretionary power to fashion appropriate equitable relief,’” as well as its ability to “‘depart from strict application of the ordinary forms of relief where circumstances require,’” would potentially allow it to craft an equitable remedy. The Delaware Chancery Court noted that so long as the plaintiff stated a claim for which relief could be granted, its claim would survive defendant’s motion to dismiss, regardless of the nature of the exact relief that would ultimately be granted. By way of illustration, the court cited precedent where it had “declined to dismiss an otherwise well-pled claim for promissory or equitable estoppel that rested on a request for rescission which may have been ‘impossible’ to grant,” on the basis that, in light of its broad equitable powers, “it did not need to evaluate the effect of any remedial order at the pleading stage.” Without speculating as to any specific type of relief (or its viability), the court noted that “it may be possible” to grant equitable relief that would not run afoul of the bankruptcy court’s order. That analysis, however, involved “a fact-intensive question” not capable of resolution at the motion to dismiss stage.

The Breach of Fiduciary Duty Claims

The Delaware Chancery Court next addressed the defendant’s motion to dismiss the plaintiff’s claims for breach of fiduciary duty. It reviewed the nature of the fiduciary duty claims—including the allegations that the defendant failed to act in the best interests of ECM by usurping opportunities belonging to ECM—and held that they were duplicative of the plaintiff’s claim for breach of contract. Noting that “Delaware law is clear that fiduciary duty claims may not proceed in tandem with breach of contract claims absent an ‘independent basis for the fiduciary duty claims apart from the contractual claims,’” the Delaware Chancery Court dismissed plaintiff’s fiduciary duty claims, noting that in order for a breach of fiduciary duty claim to proceed simultaneously with a breach of contract claim, the former would have to “depend on additional facts,” be “broader in scope, and involve different considerations in terms of a potential remedy.’” In the present case, all of the conduct that could have been the subject of a breach of fiduciary duty claim was already the subject of plaintiff’s breach of contract claim—and was being reviewed under the contractual standard. Moreover, the plaintiff was seeking the same remedy for both claims.

Practical Observations

As the Delaware Chancery Court in Goggin indicated, section 18-1101(c) of the Delaware Limited Liability Company Act (the LLC Act) provides members and managers with broad authority to expand, restrict, or eliminate duties (including fiduciary duties) pursuant to an LLC agreement, subject to the implied covenant of good faith and fair dealing. In addition, section 18-1101(e) of the LLC Act provides that an LLC agreement may eliminate or limit the liability of members or managers for breach of contract and breach of duty, including any fiduciary duty, except for bad faith violations of the implied contractual covenant of good faith and fair dealing. The Delaware Chancery Court’s opinion in Goggin serves as an important reminder that fiduciary duty modifications and exculpatory provisions must be considered together, and must be carefully crafted to ensure that in the event of a dispute, they will operate as the parties intended.

Although not expressly addressed in the opinion, several important observations emerge from a review of Goggin. First, the Delaware courts will apply and respect contractual modifications that supplant traditional fiduciary duties of care and loyalty. Parties seeking to modify fiduciary duties, however, should make their desire to override fiduciary duties clear, and they should carefully consider the scope of the duties, if any, that will be used in lieu of the traditional duties of care and loyalty. To that end, parties seeking to pare back fiduciary duties should ensure that the language deployed to that end does not effectively build back traditional duties by contract.

Next, once the scope of duties has been identified, parties should consider the circumstances under which members or managers may be held liable for falling short of the standard of conduct. The LLC Act’s authorization of provisions that exculpate members and managers from liability in a broad range of circumstances contrasts sharply with the Delaware General Corporation Law’s (the DGCL) relatively limited authorization of exculpation. Section 102(b)(7) of the DGCL, which deals with exculpation, only permits a corporation, through its certificate of incorporation, to exculpate its directors (not officers) against liability to the corporation or its stockholders for monetary damages for breaches of the duty of care. (Section 102(b)(7) specifically disallows exculpation for any breach of the duty of loyalty as well as for unlawful dividends and stock redemptions and repurchases, acts not in good faith or involving intentional misconduct, or a knowing violation of law or transactions from which a director derives an improper personal benefit.)

Although certificates of incorporation of Delaware corporations routinely provide for exculpation of directors to the fullest extent permitted by the DGCL, LLC agreements are more likely to contain bespoke provisions regarding the exposure of managers and members to liability for breach of contractual or fiduciary duties. Many LLC agreements, for example, will preclude exculpation for damages stemming from specified types of conduct, such as bad faith or willful misconduct. Some agreements, however, will decline to exculpate members or managers for losses resulting from their own gross negligence. See, for example, LLCs, Partnerships, Unincorporated Entities Committee, Single-Member LLC Entity Member Form. Although claims for gross negligence may be difficult to plead, prior decisions of the Delaware courts indicate that successfully pleading such claims may not be as challenging as one might expect. See William T. Allen, Jack B. Jacobs & Leo E. Strine, Jr., Function Over Form: A Reassessment of Standards of Review in Delaware Corporation Law (observing that the Delaware Supreme Court, in two cases following its adoption of a standard of review requiring plaintiffs to plead gross negligence in order to state a claim for a breach of the duty of care, “purport[ed] to apply the gross negligence standard of review [but] in reality applied an ordinary negligence standard”). Indeed, the exposure of directors to liability for action taken in good faith under this pleading standard prompted the adoption of section 102(b)(7) of the DGCL. See generally 1 R. Franklin Balotti & Jesse A. Finkelstein, The Delaware Law of Corporations & Business Organizations § 4.13[B], at 4-99 (3d ed. 2018 Supp.). Accordingly, managers of LLCs who are not entitled to exculpation for conduct that is grossly negligent run a substantial risk of liability for breach of the duty of care (or any analogous contractual duty) in connection with action otherwise taken in good faith. Indeed, managers of an LLC in that scenario may be afforded less protection against claims based on the duty of care than the directors of nearly every Delaware corporation. Even more problematic from the standpoint of a manager is the circumstance in which the LLC agreement establishes an “ordinary negligence” standard of care but fails to provide that the manager is exculpated for monetary liability for breaches of duty.

Conclusion

Given the contractual freedom provided by the LLC Act, there are numerous potential formulations of the standards of conduct of members and managers and of the circumstances under which they will (or will not) be exculpated from liability against breach. Members and managers and their counsel must consider the interplay between the standards of conduct (whether stemming from default fiduciary duties or contractually specified analogues) and the nature and scope of any clauses exculpating members and managers for breach of duty to ensure that the parties achieve the desired balance of incenting (or not unduly discouraging) value-maximizing risk-taking on the one hand, and providing means of policing and enforcing specified classes and categories of misconduct on the other.

Why Destruction of Information Is So Difficult and So Essential: The Case for Defensible Disposal

Posted on June 15, 2018 by - Uncategorized

The information universe is expanding in truly mind-numbing ways. There is a new exabyte of data created every few hours across the globe. (One exabyte of data is the equivalent of 50,000 years of continuous movies.) That Mount-Everest-sized pile of information is replicated many times every day and continues to grow faster and faster. Big companies typically have millions or billions of files stored in multiple locations, including third-party-owned Clouds. For many companies, that means they can’t keep all their information forever because they are collapsing under its weight. So why are companies hard-pressed to clean house of unneeded information?

Companies historically had records-management programs so that they could manage records and properly dispose of them in accordance with the company retention policy at some future date. At the time, making retention rules work meant that employees had to apply the rules to their records. That was simple when each employee boxed their paper records annually and applied a retention rule to each box. However, having employees apply business rules to millions or billions of files from various systems is like drinking from a firehose through a straw. In other words, cleaning house according to the retention schedule applied to each record one by one for most businesses is no longer doable.

The current business environment is like information’s “perfect storm”—more data in more formats and systems with less visibility into what information assets exist, more laws directing how it must be managed, more consequences for mismanagement, and more challenges in managing it according to old company rules with much of it floating in a Cloud.

Why Does Information Just Pile Up?

Companies relied for years on paper and electronic information, sometimes duplicating each other over and over. Although electronic information legally is on par with its paper counterparts for almost all purposes, lawyers fallaciously believed paper was the “best evidence,” and thus the two piles grew even though paper printouts of electronic records could be legally destroyed.

Today, much of the growth in information volumes comes from communications, social media, and collaboration technologies the output of which may not rise to the level of a company record. Thus, the pile grows further with information that may be “nonrecord,” which need not be retained to satisfy legal or business needs.

While litigants began to focus on electronic information for discovery purposes, sometimes company lawyers over-preserved information so as not to worry about its destruction during the pendency of a matter. What that set in motion was everything, even information ready for destruction pursuant to the retention rules, continuing to be preserved. Wide-sweeping legal holds that took precedence over retention rules stopped the proper destruction of records in the ordinary course of business according to company policy. Thus, the pile grew larger still because employees couldn’t classify and/or manage the growing amount of information, given that the sheer volume of files, documents, and e-mail became overwhelming.

Compounding matters, there was a need to manage information according to other information-related policy regimes, like information security, privacy, attorney-client privilege, etc., which often impacted the same information. Further compounding the problem was that information classification couldn’t be easily accomplished given limited functionality in most technology unless information was being purposefully stored in document and records-management applications. In other words, if employees were so inclined (and they generally weren’t), most technology in use didn’t allow for such compliance rules to be easily applied or applied at all. Thus, the pile grew.

The fallacious belief that storage is cheap further impacted storage growth. Although storage costs per terabyte are decreasing a few percentage points, any cost savings are dwarfed by company information footprints doubling every year or two, and with storage costs between $5–$10 million per year, per petabyte, storage costs are now huge for companies with big information footprints. Thus, the pile grew larger.

Then Big Data happened. Big Data is not about large piles of information. It’s about using analytics or artificial intelligence (AI) software to crawl through large piles of information to answer a business question. Suddenly there was even less pressure to clean house. Business folks want more information for longer periods of time to run queries and see what they learn from a business perspective.

In 2018 the tide seems to be turning in that less information may be retained given significant compliance events. First, with endless information security and privacy failures, companies realize their risk profile declines with smaller information footprints, which can be accomplished by keeping less and for a shorter period. As Jeff Stone, et. al put it in a May 29, 2018 article in the Wall Street Journal:

Cybersecurity threats are relentless, they’re getting stronger and they are coming from more directions than ever . . . more, the consequences of a breach can be disastrous, with staggering losses of customer data and corporate secrets—followed by huge costs to strengthen security, as well as the threat of regulatory scrutiny and lawsuits.

Further, the EU’s General Data Protection Regulation (GDPR) became law and is forcing companies to rethink what information they keep and for how long because GDPR requires it.

What Is Defensible Disposition and How Will It Help?

A solution to the unmitigated data sprawl is to “defensibly dispose” the business content that no longer has business or legal value to the organization. Defensible disposition is a way to take on piles of information without employees classifying .

To apply a retention rule to large chunks of information to make a business decision to dispose of it requires different diligence depending upon the content; thus, there is no one-size-fits-all approach to defensible disposition. In some cases, a software analytics tool may need to crawl the contents looking for specific terms, and in others, knowing the age of the information pile, the business unit that created it, the lack of active litigation, and so on might be enough to purge the entire contents without looking at each file. Having worked with so many companies cleaning up stored information, determining the amount of diligence needed in analyzing information piles to make a company comfortable to purge is rather variable.

In any event, lawyers’ input will be essential to help define a reasonable diligence process to assess the legal requirements for continued information retention and/or preservation, based on the information at issue. Thereafter, lawyers can also help select a practical information assessment and/or classification approach, given information volumes, available resources, and risk profile.

Does Litigation Profile Matter?

A good time to clean up outdated information is when there are fewer legal or compliance issues that require continued preservation of information. Disposing of information when no litigation or government investigations or audits exist is less risky. Otherwise, before information can be purged, the company must conduct sufficient diligence to ensure that nothing is destroyed that will give rise to a spoliation claim. That, of course, begs the questions of how diligence will be performed when it’s impractical to review millions or billions of files or documents.

Can Technology Help?

There are all kinds of analytics and classification technologies that can help analyze information and may help with defensible disposition; however, having used these technologies for years to help companies deal with dead data, the expense and/or complexity should not be underestimated. Putting aside cost, these technologies are better and faster than employees at classifying information. As Maura R Grossman, JD, Ph.D., et. al described in the Richmond Journal of Law and Technology, “[t]his work presents evidence supporting the contrary position: that a technology-assisted process, in which only a small fraction of the document collection is ever examined by humans, can yield higher recall and/or precision than an exhaustive manual review process, in which the entire document collection is examined and coded by humans.”

Studies and courts make clear that when appropriate, companies should not fear using technologies to help manage information. For example, in Moore v. Publicis Groupe, Judge Andrew Peck made clear in the discovery context that “[c]omputer-assisted review appears to be better than the available alternatives, and thus should be used in appropriate cases . . ounsel no longer have to worry about being the “first” or “guinea pig” for judicial acceptance of computer assisted review.”

Can I Clean House with Methodology Alone?

If information has piled up and you don’t think it makes sense to crawl it for records or preservation obligations, then there are other ways to get rid of content.

For example, if your company has 100,000 back-up tapes from 20 years ago, minimal review might be required before the whole lot of tapes can be comfortably disposed. On the other hand, if you have an active shared drive with records and information that is needed for ongoing litigation, there must be deeper analysis with analytics and/or classification technologies. In other words, the facts surrounding the information will help inform whether the information can be properly disposed with minimal analysis or whether it requires deep diligence.

Conclusion

Defensible disposition is needed like never before, given that information is growing unfettered for most businesses and impacting their ability to function. In addition, a bloated information footprint further increases a business’s privacy and information security risk profile. Although there are many reasons why retention is no longer happening as it used to, what is clear is that keeping everything forever is not without great costs or risks that must be addressed. In the end, lawyers must find a way to get rid of information without creating greater business and legal issues for their clients. Without their guidance, no one will destroy data, and it will continue to overwhelm.

Gagosian Gallery Faces Two Lawsuits Over Non-Delivery of Koons Statues

Posted on June 15, 2018 by - Uncategorized

There is a very tiny world out there in which people pay millions of dollars in advance payments for “factory-manufactured” balloon animal stainless steel sculptures—some in the shape of Greek and Roman goddesses—only to be told by “sales and contract performance drones” that there would be years of delay due to “the high volume of data” from “numerous scans of balloons,” along with technical difficulties in “reverse engineering” and “Computer-Aided Design processes (known as ‘CAD’).” This world—rich, strange— is detailed in Steven Tananbaum’s filed on April 19 in New York County court against the Gagosian Gallery and artist Jeff Koons. Eight days later, on April 27, Hollywood producer Joel Silver filed a similar referencing Tananbaum’s complaint.

Tananbaum alleges breach of contract and violations of New York UCC §2-609 (Right to adequate assurances) and Article 15 of New York’s Arts and Cultural Affairs Law, specifically   which is meant to protect art buyers of sculptures. According to Tananbaum, the world of Gagosian features “unadorned avarice and conspiratorial actions in connection with factory-manufactured industrial products called Jeff Koons sculptures,” all run by a “well-oiled machine” that “exploit[s] art collectors’ desire to own Jeff Koons sculptures.” And underneath it all lies a “fraudulent financial routine that harkens the name Ponzi.”

Gagosian Gallery is the largest art gallery in the world, a complex economic and cultural entity whose workings are central to the complaints. There are 16 locations globally and several hundred employees. It has its own private planes. Art galleries can purchase art directly from the artist and represent them to the public (i.e. primary market) or they can purchase art from entities other than the artist (i.e. secondary market): Gagsosian Gallery does it all. It represents living artists, artists’ estates and resells secondary market art. It clears about $1 billion in art sales each year while publishing about 40 books annually. When representing an artist, it is in the best interest of Gagosian, like any art gallery, to create buzz around the artist’s work; one way to create buzz and to sell to the global market is by attending art fairs. In 2000, there were 55 major art fairs around the world. Last year there were 260. A booth at Frieze art fair in New York City might cost $125,000 to rent for a weekend. With added on-site handling costs to build out the booth and shipping and handling costs of the art itself, a large gallery may need to sell hundreds of thousands of dollars of art just to break even.

Jeff Koons is the most commercially successful artist of all time; he has managed to create intrigue and interest for his balloon animal sculptures. In 2012, Koons’ stainless steel Tulips sold at Christie’s for $33,700,000.00—this was a record high for Koons, and the second highest auction price ever recorded for a living artist. Only one year later, in November 2013, his Balloon Dog (Orange) sculpture, which is a stainless-steel sculpture in the shape of a balloon animal that stands 121 inches tall, sold at Christie’s for a realized price of $58.4 million and became the record price at auction for a work of art by a living artist. Bottom line: Jeff Koons’ auction price high went from $33.7 million to $58.4 million in a single year.

The demand for Koons’ balloon animal sculptures has only increased. Last year, rapper and businessman Jay Z commissioned a 40-foot balloon dog from Koons to be on stage with him at the V-Festival in Weston Park, England. Koons has entered commercial deals with Google to design phone cases inspired by his Gazing Ball series, which involve generic classical Greek sculptures of plaster with a shiny blue glass sphere attached. Last year, with much fanfare, Louis Vuitton released a line of handbags designed by Koons called the “Masters Collection.” Each handbag was covered in one of a series of paintings by artists such as Rubens, Da Vinci, or Van Gogh; they could easily be mistaken for a bag at any museum gift shop.  They were priced at around $4000 and bore the LV monogram in one corner and a Koons monogram in another. This October, Louis Vuitton will release a second line of “Masters” designed by Koons—they feature the same concept, only with paintings of different artists like Turner and Monet. As Tananbaum’s complaint alleges, this is the commercial world of Jeff Koons and the gatekeeper is Gagosian Gallery.

In September 2013, Steven Tananbaum agreed to purchase Balloon Venus Hohlen Fels (Magenta) for $8 million from Gagosian Gallery with an estimated completion date of December 2015 and paid a deposit of $1.6 million. A few months later in early 2014, Joel Silver agreed to purchase Balloon Venus (Yellow) from Gagosian Gallery for $8 million with an estimated completion date of June 2017 and made a deposit of $1,600,000.00. In 2014 and early 2015, Tananbaum made additional payments totaling $3.2 million and Silver made additional payments totaling $2.2 million.  

In 2015 and 2016, both Tananbaum and Silver were periodically informed that the completion dates for their works would be pushed back a few months; later, they were informed the art would be delayed two years. During this time, Tananbaum made his third payment of $1.6 million and Silver did not make his two scheduled payments.

Then, despite the delayed delivery of the previous piece, in December 2016, Tananbaum agreed to purchase two more stainless steel balloon sculptures by Koons: Eros for $6 million with an estimated completion date of January 2019 and Diana (edition 3 of 3, an edition being part of a limited-run series) for $8.5 million with an estimated completion date of August 2019.Tananbaum made an additional deposit of $1.2 million for Eros. Regarding the Diana series, in January 2017, Gagosian gave Tananbaum an option to cancel after review of the first edition of Diana (which had a completion date of October 2018), and Tananbaum paid a deposit of $2.125 million for the third edition of Diana.

In January 2017, after learning that the completion date had been pushed back another two years to July 2019, Silver attempted to cancel the purchase and requested a refund. Gagosian counsel informed Silver that any more missed payments would result in a forfeit of payments already made. A was subsequently signed by Gagosian, Silver, and Koons. It included a new payment schedule for the remaining $4.8 million owed and a new completion date of December 2020.

By January 2018, Tananbaum had paid $4.8 million on the Balloon Venus agreement, $2.4 million on the Eros agreement and $4.25 million on the Diana agreement. It was at this time Tananbaum was informed that the new completion date for Balloon Venus would be August 2019 and for Eros would be October 2019. In February 2018, he was informed that Diana edition 1 would “not be ready this year.” In April 2018, Tananbaum filed the complaint. Around the same time, Joel Silver filed a similar complaint after his offer to make additional payments to an escrow account was rejected by Gagosian.  

When a work of art is on display or for sale, the year the work was completed is always shown next to information such as size and medium. For Jeff Koons’ balloon animal stainless steel sculptures, the completed date is instead usually a range of 6 to 8 years.  His “iconic” Play-Doh sculpture—which was on view at the Whitney Museum for the Koons retrospective in 2014 and is currently on view at the Rockefeller Center in advance of its auction date at Christie’s—took nearly twenty years to complete (1994-2012). Play-Doh is made of aluminum, stands at 11 feet tall, and resembles the leftovers of a Play-Doh project.

According to their complaints, Tananbaum and Silver asked for information about the foundry, fabricator, studio, photos, production schedules and any evidence that production had even started when learning of production delays. Neither received any photos nor specific information about production. Tananbaum’s complaint detailed a number of works—including one that was the subject of another lawsuit involving Gagosian—that were prioritized before Tananbaum’s. These actions and inactions may support Tananbaum’s NYUCC claims and both Tananbaum and Silver’s NYACAL claims. Defendants’ responses are due June 20, 2018 in the Tananbaum case.