On July 13, 2021, the U.S. Securities and Exchange Commission (“SEC”) announced charges against:
Stable Road Acquisition Corp. (“SRAC”), a special purpose acquisition company (“SPAC”);
SRAC’s proposed merger target, Momentus Inc. (“Momentus”);
SRAC’s CEO and Momentus’s CEO; and
the SPAC’s sponsor, SRC-NI Holdings, LLC (“Sponsor”),
in connection with misleading claims made by SRAC and Momentus about Momentus’s propulsion technology and national security concerns associated with Momentus’s CEO.
Momentus is an early-stage space transportation company that intends to provide satellite positioning services with in-space propulsion systems powered by proprietary microwave electrothermal thruster (“MET”) water plasma thrusters. In October 2020, Momentus and SRAC entered into a merger agreement and SRAC executed subscription agreements in connection with a $175 million private investment in public equity (“PIPE”) that was set to close simultaneously with the merger.
In its Order Instituting Cease-And-Desist Proceedings (the “Order”),[i] the SEC states that Momentus and SRAC misled investors regarding:
the extent to which Momentus’s propulsion technology had been “successfully tested” in space; and
the extent to which national security concerns involving Momentus’s CEO hindered Momentus from obtaining necessary governmental licenses critical to its operations.
The SEC went on to state that as a result of its failure to conduct adequate due diligence, SRAC compounded these disclosure violations by repeating materially false and misleading statements in materials presented to investors.
The SEC claims that these failures amounted to violations of Section 10(b), Rule 10b-5, Section 14(a) and Rule 14a-9 of the Securities Exchange Act of 1934 (the “Exchange Act”); and Section 17(a) of the Securities Act of 1933 (the “Securities Act”).
Without admitting or denying the SEC’s findings, all parties, except for Momentus’s CEO, have agreed to settle these charges with the SEC, with the following penalties being imposed:
Momentus, SRAC, and SRAC’s CEO paid civil penalties of $7 million, $1 million, and $40,000, respectively;
all subscribers in the PIPE were given the opportunity to terminate their subscription agreements;
the Sponsor forfeited 250,000 founder shares in SRAC; and
Momentus has undertaken substantial enhancements to its disclosure controls, including the creation of an independent board committee and the retention of an internal compliance consultant for a period of two years.
The merger of SRAC and Momentus was consummated on August 12, 2021. PIPE subscribers representing an aggregate of $118 million in the original PIPE investment elected to terminate their subscription agreements. While SRAC was able to obtain subscription agreements from new PIPE subscribers, the overall size of the PIPE was decreased from $175 million to $110 million. In addition to the PIPE shares, SRAC agreed to issue each remaining PIPE subscriber warrants to purchase its common stock at a price of $11.50 per share in an amount equal the number of PIPE shares purchased by such subscriber (11,000,000 additional warrants in total).
The SEC has separately filed litigation against the former CEO of Momentus.
Momentus’s and SRAC’s Statements
Propulsion Technology Failures
In both the investor presentation materials provided to potential PIPE investors and the registration statement on Form S-4 filed in connection with the stockholder vote to approve the merger, Momentus and SRAC repeatedly claimed that Momentus had “successfully tested” its “cornerstone” propulsion technology in space and that the test satellite was “still operational today.” In fact, Momentus had conducted only one in-space test of a preliminary version of its technology in 2019, and that test had failed to meet even Momentus’s own internal definition of “mission success.” Momentus had sought to achieve “100 individual burns of one minute or more.” Out of 23 attempts, only three generated plasma, and none generated any measurable thrust. None of the burns lasted a full minute. Momentus was not able to attempt the remaining 77 burns because it lost contact with the satellite partway through the testing. As of July 13, 2021, this test satellite remained in space but was not functional. Even if Momentus had achieved its “mission success” criteria, the preliminary version of the technology was not powerful enough to be commercially viable.
By misleading investors about the results of the in-space test, the SEC found that the registration statement and other public filings falsely assured investors that Momentus was farther along toward commercial deployment of its technology than it actually was.
U.S. National Security Concerns
Momentus and SRAC also failed to disclose the extent to which the CEO’s involvement with Momentus was jeopardizing its chances for success. Because Momentus’s former CEO is a foreign national, he required an export license in order to access parts of Momentus’s technology, and he was required to hold a valid visa in order to work in the United States. Various U.S. governmental agencies had not only repeatedly denied the CEO such licenses, but also had revoked his work visa- in each case, because of “national security concerns.” The CEO had also previously been required by the U.S. government to divest his holdings in another U.S.-based space technology business, again for “national security reasons.” Importantly, these issues were affecting Momentus by slowing down its development process. Following the announcement of the merger with SRAC, the U.S. Federal Aviation Administration (“FAA”) twice denied approval for scheduled launches of new satellites in 2021 because of the CEO’s holdings in Momentus. These launches were critical for Momentus, as they were to be its first commercial flights. The denials by the FAA caused Momentus to reforecast its expected launch dates from 2021 to 2022.
Most of the foregoing information was omitted from SRAC’s initial filings of its registration statement. The initial filings failed to disclose that the CEO was considered a national security risk by various U.S. governmental agencies and, thus, was less likely to be granted asylum or an export license. Instead, the disclosure stated that the CEO had not “yet” obtained an export license, even though at the same time it was becoming clear that his application would be denied. Finally and importantly, the registration statement’s financial projections for Momentus did not take into account the delays it was experiencing as a result of the FAA’s denials.
SRAC’s Due Diligence Failings
While the SEC noted most of the omitted information was kept from SRAC by Momentus, the SEC found that SRAC “conducted inadequate due diligence” and adopted Momentus’s disclosures when the SPAC included these statements in its PIPE investor presentation and its initial drafts of the registration statement. The SEC found that SRAC’s diligence efforts were undertaken in a “compressed timeframe and unreasonably failed both to probe the basis of Momentus’s claims that its technology had been ‘successfully tested’ in space and to follow up on red flags concerning national security and foreign ownership risks.” As a result, SRAC’s marketing materials and its disclosures caused investors to be misled about material aspects of Momentus’s business.
Key Takeaways
Filings made in the context of business combinations undertaken by SPACs face similar scrutiny from the SEC Staff as do the filings made in connection with traditional initial public offerings (“IPOs”) and should be prepared with the same level of rigor. The notion, suggested by some in the popular press, that private companies combining with SPACs do not face the same liability as companies that undergo traditional IPOs, should not be relied upon. As emphasized by the SEC Staff:
“[a]ny material misstatement in or omission from an effective Securities Act registration statement as part of a de-SPAC business combination is subject to Securities Act Section 11. Equally clear is that any material misstatement or omission in connection with a proxy solicitation is subject to liability under Exchange Act Section 14(a) and Rule 14a-9, under which courts and the Commission have generally applied a “negligence” standard. Any material misstatement or omission in connection with a tender offer is subject to liability under Exchange Act Section 14(e) . . . . Given this legal landscape, SPAC sponsors and targets should already be hearing from their legal, accounting, and financial advisors that a de-SPAC transaction gives no one a free pass for material misstatements or omissions . . . .”
The SEC expects SPACs and their sponsors to conduct due diligence on the target in connection with an initial business combination. In a traditional IPO, the due diligence undertaken by underwriters serves an important investor protection function, and the SEC Staff has publicly lamented the absence of this structural component in de-SPAC transactions. Indeed, holding the SPAC accountable for its due diligence failures hearkens back to statements made by the Staff of the SEC’s Division of Corporation Finance asking whether the SEC should “reconsider the concept of ‘underwriter’ in [de-SPAC] transactional paths.”
Related to the point above, the SEC also is focused on the misalignment of incentives arising from the SPAC structure. SPAC sponsors stand to obtain substantial profit from the completion of a successful business combination, even if the resulting combined company fails to prosper following the business combination. On the other hand, if a SPAC does not complete a business combination within a specified timeframe, SPAC sponsors stand to lose millions of dollars in invested capital. These powerful financial incentives coupled with:
the limited time period a SPAC has to complete an initial business combination; and
the increasingly competitive market for targets
have caused the SEC to be concerned that sponsors will conduct cursory due diligence, overlook red flags uncovered during the diligence process, and fail to make the necessary disclosures to their stockholders, all in the interest of getting a favorable stockholder vote.
The SEC’s Order should also be viewed in the wider context of the SEC’s heightened scrutiny of SPACs in the first half of 2021, and statements made by SEC Staff, including the following:
The SEC’s Public Statement on Financial Reporting and Auditing Considerations of Companies Merging with SPACs (March 2021);[ii]
The SEC Staff’s Statement on Select Issues Pertaining to Special Purpose Acquisition Companies (March 2021);[iii]
The SEC Division of Corporation Finance’s Public Statement on SPACs, IPOs and Liability Risk under the Securities Laws (April 2021);[iv] and
The SEC Staff’s Statement on Accounting and Reporting Considerations for Warrants Issued by Special Purpose Acquisition Companies (April 2021).[v]
The SEC’s stated regulatory agenda includes addressing rules related to SPACs.[vi] Although the agenda does not specify the aspects to be addressed, given statements by the SEC Staff, statements made by SEC Chair Gary Gensler, and areas addressed in proposed SPAC related legislation in Congress, the SEC is likely to address liability issues, whether relating to the use of projections and the availability of the safe harbor for forward-looking statements. In the meantime, we expect additional guidance and additional actions related to SPACs from the SEC in the near future.
This article is the second in a two-part series exploring the implications of President Biden’s executive order on cybersecurity. In the first installment, available here, William R. Denny discusses the role the executive order plays in the federal government’s commitment to modernize cybersecurity defenses.[1]
Recent cyber-attacks, such as the SolarWinds[2] and Kaseya[3] supply chain attacks, which affected thousands of entities, and the ransomware attack on Colonial Pipeline,[4] are stark reminders of the tremendous and growing cyber threat both to the public and private sectors. The level of sophistication of these attacks make it ever more difficult for enforcement agencies to detect and prevent these incidents. On May 12, 2021, just days after the attack on Colonial Pipeline, President Biden released a comprehensive executive order (EO)[5] intended to improve U.S. cybersecurity infrastructure and protect the federal government’s networks. While this is an ambitious step by the administration, there is still a need for public-private partnerships to reduce the risk of future attacks. The President noted in the EO that “[t]he private sector must adapt to the continuously changing threat environment, ensure its products are built and operate securely, and partner with the federal government to foster a more secure cyberspace.”
In our previous article, we discussed the elements of the new EO, highlighting remarks made by Dan Sutherland, Chief Counsel for the Cybersecurity & Infrastructure Security Agency (CISA), and Jen Daskal, Deputy General Counsel at the Department of Homeland Security (DHS). The speakers emphasized that ransomware was a massive national security problem requiring both a “whole of government” and a “whole of private sector” approach. Ransomware often strikes the weakest links in information systems. While the government is investing in strengthening resiliency, the private sector must also play a role in helping to protect against cyberattacks. This article focuses on the implications of the EO for the private sector.
While EOs do not have the effect of law, they serve as a roadmap for federal agencies to regulate themselves. The President can require that certain terms be included in federal contracts and can use EOs to bolster this agenda. For private sector businesses interested in competing for federal contracts, the President’s “procurement power” creates a powerful catalyst for change. And because the federal government is such a significant purchaser of private IT services, new federal standards will have a powerful ripple effect on cybersecurity in the private sector.
The EO’s commitment to public/private partnerships is evident through the demands it places on private sector contracting partners. The EO mandates the removal of barriers that prevent private businesses (who contract with the government) from sharing cybersecurity and breach information, and mandates contract provisions that require the reporting of such information.
For private sector businesses, the EO indicates the increased likelihood of new cyber-related legislation and heightened regulation of existing cybersecurity laws and policies. While the EO broadly applies to the federal government, it provides several best practices that the private sector should consider emulating to enhance its own cybersecurity readiness.
1. Modernize Private Sector Cybersecurity
The EO directs agencies to prioritize the adoption and use of cloud technologies to store data. Businesses should likewise invest in cloud technologies for data storage, as this could help ensure that businesses are consistently up to date with the latest security tools. Businesses should, in the same vein, consider intermittently conducting a thorough procedure of identifying the types of data they store and assessing the sensitive nature of the data. During this process, businesses should identify data that is no longer needed and dispose of it. In the event of a cyberattack, businesses should be better able to tell which data may have been compromised.
The EO also directs the creation of policies for logging data, including retention and management of the logs, to ensure centralized access to critical data for analysis in case of a cyberattack. The EO provides a valuable outline of the types of security controls that should be considered. These include endpoint protection, access controls, network security, email security, logging, monitoring and threat hunting. The private sector can take a cue from the government and adopt some of these security controls. Businesses should also get in the habit of training their employees on cybersecurity and the importance of protecting their data.
2. Enhance Software Supply Chain Security
The Fact Sheet following the EO states that the EO will:
improve the security of software by establishing baseline security standards for development of software sold to the government, including requiring developers to maintain greater visibility into their software and making security data publicly available. It stands up a concurrent public-private process to develop new and innovative approaches secure software development and uses the power of Federal procurement to incentivize the market.
The Biden Administration plans to utilize the purchasing power of the government to implement updated security measures from software vendors who contract with the government. Businesses can follow suit and require security standards from third-party vendors with whom they transact business. Businesses should consider conducting due diligence on third parties to ensure that they have the appropriate IT security measures in place to mitigate the risk of a cyber incident. Businesses should inquire about the measures their third-party vendors have in place such as multifactor authentication and encryption. Doing so enables businesses to identify possible risks and find remedies before their data is potentially compromised. Businesses should also get into the habit of including contract provisions that obligate their third-party vendors to notify them of any unauthorized disclosures of their confidential information. With this information, businesses could act quickly in the event of an attack and attempt to minimize harm from a breach.
3. Develop an Incident Response Plan
The EO instructs federal agencies to develop, within 120 days, a “playbook” to be utilized in the planning and conducting of cybersecurity vulnerability and incident response activities. Private sector organizations should also develop their own incident response plans. An incident response plan outlines a course of action in the event of a significant incident. It assigns roles and creates an incident recovery team, comprised of key professionals within the organization as well as outside experts. It also prepares employees for any possible attacks. Having an incident response plan would enable businesses to respond more quickly and effectively to a cyberattack. After a cyber incident, businesses should reflect on lessons learned, revisit their best practices and modify any elements of their incident response plan that need to be updated.
4. Establish a Cyber Safety Review Board
The EO directs the establishment of a Cyber Safety Review Board co-chaired by government and private sector leads that may convene following a significant cyber incident to analyze the attack and provide concrete recommendations for improving cybersecurity. Similarly, the private sector should cooperate to establish a similar review board to conduct security threat assessments, identify potential vulnerabilities and make recommendations.
5. Engage In-House Counsel or External Counsel
Because of the increasing sophistication of cyber risks, businesses should engage with general counsel to set governing principles that balance protecting data with ensuring that the businesses are complying with privacy and regulatory principles. General counsel could also be instrumental in assisting their businesses to understand the cyber landscape and assisting management in making decisions about cybersecurity measures. Business attorneys can assist organizations in drafting contracts that include the above-mentioned reporting requirements. Businesses should take a holistic approach in addressing cybersecurity breaches in a way that addresses employee and client privacy and governance.
The federal government will continue to make cybersecurity a priority to protect the United States, its infrastructure, and its citizens. For the private sector, the new EO provides a comprehensive guideline for strengthening their cybersecurity. By modernizing cybersecurity measures, enhancing software supply chain security, developing an incident response plan, establishing a cyber safety review board and engaging in-house counsel, businesses will be better prepared to mitigate cybersecurity risks and respond effectively in the event of cyberattacks.
CISA recently launched a new webpage focused on ransomware, https://www.cisa.gov/stopransomware, that includes guidelines that would be extremely beneficial to businesses. CISA itself is also strategically designed not just to work on cyber defense and resiliency, but also to improve public-private partnerships. When there is an incident, quick action is needed, and CISA wants businesses and governmental agencies to know that it has resources to assist.
[1] Maame Nyakoa Boateng, a third-year student at Penn State Dickinson Law, contributed to both articles.
While politically and ideologically poles apart, U.S. House of Representatives members Liz Cheney and Adam Schiff, both members of the Select Committee investigating the attack on the Capitol on January 6th, cited the rule of law as the fundamental basis for their concerns. Representative Cheney expressly said that “our most important obligation” is “to defend the rule of law.” She then rhetorically asked, “Will we adhere to the rule of law?” Representative Schiff stated, “Because if we’re no longer committed to a peaceful transfer of power after our elections if our side doesn’t win, then God help us.”
We read or hear virtually every day that the “rule of law” has once again been broken or threatened. There are many books documenting current and recent threats to democracy, widespread economic inequality, and overt discrimination against large segments of our society. Laurence H. Tribe, Harvard constitutional law professor emeritus, and two other law school professors, both former U.S. Attorneys, recently published an op-ed that concluded, “If Garland’s Justice Department is going to restore respect for the rule of law, no one, not even a former president, can be above it.”
What is the “rule of law”? All lawyers, even business lawyers, are charged with responsibility for both adhering to it in our professional practice and preserving it for the benefit of humanity and the social, political and economic order of which we are so proud. But what is it? Where did it originate? Why are lawyers in particular supposed to protect it?
This famous and almost revered term of art describes a both realistic and aspirational concept of universally applicable normative behavior for humans in relation to themselves and others, including animals, plants and other elements of creation. These norms, when initially articulated and established, are prospective, not retroactive; clearly expressed both orally and in writing with unambiguous and coherent terminology; and broadly and commonly accepted as reasonably and objectively interpreted and applied in the situations to which they are intended to apply. They are to be promulgated and enforced by persons and institutions of integrity with widely acknowledged authority to enact and enforce the norms and who themselves are expected and required to comply with them.
King John’s affixing his seal to the Magna Carta in June 1215 is frequently cited as the earliest official act of a divine right sovereign monarch recognizing that he was, after all, subject to restraints on his power. The text reads in significant part:
“No freeman shall be taken, imprisoned, disseised, outlawed, banished, or in any way destroyed, nor will We proceed against or prosecute him, except by the lawful judgement of his peers or by the law of the land. To no one will We sell, to none will We deny or delay, right or justice.”
These ancient words that King John negotiated with his powerful barons expressly forbid the exercise of arbitrary or unaccountable power – and thus the use of violence – coercively to achieve the King’s goals. They further put everyone on notice that the King would not corruptly use the power he retained. These principles plainly are thus embedded in the rule of law.
Our foundational law, the Constitution of the United States, is not the result of a monarch’s recognizing restraints on his powers but is a covenant of a community who, in 1787, stated in the Preamble:
“We the People of the United States, in Order to form a more perfect union, establish Justice, insure domestic Tranquility, provide for the common defence, promote the general Welfare, and secure the Blessings of Liberty to ourselves and our Posterity, do ordain and establish this Constitution for the United States of America.”
It is easy to see the basic principles reflected in the Magna Carta also reflected in the Preamble’s language. Establishing justice, ensuring domestic tranquility, providing for common defense and promoting the general welfare, while securing the blessings of liberty, are norms that are not only in the whole community’s interest, but they also allow individual members of the community to pursue happiness, one of the express goals of the Declaration of Independence. These principles are embedded in the rule of law as we commonly understand it today.
Two years ago, the American Bar Association Business Law Section Council established the Rule of Law Working Group, explicitly recognizing that business lawyers, as members of the Bar, have responsibility for not just honoring the rule of law but also for protecting and defending the Constitution, as we are sworn to do upon admission to the Bar. Why has this responsibility been assigned to lawyers? Are lawyers especially equipped to be the custodians of the rule of law?
Lawyers are educated, trained and professionally engaged unfailingly to comply with the Rules of Professional Conduct. These rules require us to be unflinchingly honest with clients, tribunals and each other as we engage on behalf of clients, and to be reasonable (i.e., to make fact-based arguments and proposals) when professionally engaged. We are also expected to assure, to the extent we can, that statutes and other normative rules are lawfully authorized and rationally interpreted and enforced, in order to promote the general welfare and secure the blessing of liberty, both currently and in the future, for the benefit and account of our clients and ultimately, also, the community at large.
These standards are explicitly set forth in the Preamble to the ABA Model Rules of Professional Conduct. “[1] A lawyer, as a member of the legal profession, is a representative of clients, an officer of the legal system and a public citizen having special responsibility for the quality of justice. … [6] … As a member of a learned profession, a lawyer should cultivate knowledge of the law beyond its use for clients, employ that knowledge in reform of the law and work to strengthen legal education. In addition, a lawyer should further the public’s understanding of and confidence in the rule of law and the justice system because legal institutions in a constitutional democracy depend on popular participation and support to maintain their authority.” (Emphasis supplied.)
Of course, lawyers may reasonably be compensated for legal services rendered (Model Rule 1.5), but Model Rule 6.1, “Voluntary Pro Bono Publico Service,” states that “Every lawyer has a professional responsibility to provide legal services to those unable to pay.” Both of these rules and the principles embedded in them are conditions to our being licensed as lawyers. Thus, none of us can legitimately claim that our limited expertise or limited personal interest in knowing or caring about the rule of law, much less protecting and defending the Constitution, excuses us from respecting and indeed, honoring, these responsibilities, both in our professional practices and otherwise as “public citizens.”
What are the implications of this responsibility?
What persons or institutions can or should determine normative behavior?
What restraints, if any, are imposed on the deciders or enforcers of normative behavior for each of these categories?
What gives the restraints, or lack thereof, authenticity or legitimacy?
How does the rule of law answer or provide guidance for the answers to each of these questions? This brief article is not the vehicle for definitively answering that question, but it is important – and for lawyers, necessary – to have a working knowledge of possible answers. Although the rule of law has applicability beyond the strictly legal realm (such as with respect to the philosophical concept of justice and also with respect to ethics and morality), lawyers over the ages have assumed the mantle of its custodian. It is submitted that our challenge and responsibility is to do our part in the circumstances we currently confront as practitioners and as citizens.
What can the buyer of an operating business recover as damages when the seller fails to indemnify the buyer for harm caused by the seller’s breach of a representation or warranty in the transaction contract? Modern case law and commentary describe mutually exclusive options: either dollar-for-dollar damages to recover out-of-pocket losses, or damages equal to the diminution in value of the business, which is often misleadingly described as damages “subject to a multiplier” or “at the multiple.”[1] The determinative question for deciding between these options, we are told, is whether the business has been permanently injured as a result of the issue giving rise to the breach. For example, if the breached representation concerns the status of a material customer relationship, some would suggest that the buyer must establish lost revenues from that customer “into perpetuity” to be entitled to diminution in value damages.[2] However, the notion that diminution in value damages are only appropriate if the business has suffered harm that will linger for eternity is a false construct, and a confusing way of expressing the simple concept that diminution in value damages are warranted only when the value of the business as acquired has actually been diminished by the seller’s breach. The confusion is compounded when the best way of calculating the diminution in the entity’s value involves using a multiple of earnings, and the valuation methodology is mischaracterized as producing a multiple of damages. Determining whether the value of a business has been diminished by a seller’s breach of representation or warranty (really, its breach of its obligation to indemnify for the loss caused by that breach) is hard enough, without muddying the waters with a misleading standard. This article will endeavor to dispel some myths haunting the measurement of damages in representation and warranties claims arising out of mergers and acquisitions.
Absent an express remedy in the contract, state common law is the starting point for determining damages for a breach of contract. While many states express the measure of damages arising from a breach of contract as “the amount of money that would put the non-breaching party in the same position that the party would have been in had the breach never occurred,”[3] that simple phrase leaves much open to interpretation and offers little real guidance in the M&A context. To place the buyer of an operating business into the position it should have held but for a breach of representation concerning the business, a court will typically award either the cost to “remedy the defect” caused by the breach (an out-of-pocket loss), or the diminution in the value of the business.[4] Ostensibly, the court selects an option which makes the buyer whole without an unwarranted windfall.
The easiest way to illustrate these damages options is through hypotheticals at the extremes. If the seller’s breach of warranty is an inflated representation of one, relatively minor, account receivable, the buyer could be placed in the position it would have been in but for the breach by awarding damages in the amount of the difference between the receivable as represented and in reality. This remedy makes the buyer whole, because the value of the entire business really has not been diminished by one inflated account receivable. At the other extreme, if the seller has fraudulently and grossly inflated its last twelve months’ earnings by using fictitious revenue from fictitious customers, then the value of the business as delivered to the buyer is materially different than the value as warranted. In that case, diminution in value damages are the only way to make the buyer whole.
But consider a more nuanced situation where the breach of representation or warranty concerns the status of a material customer relationship, and the relationship disappears upon the buyer’s purchase. Should the buyer be compensated for the lost profit from the relationship for some fixed period of time, maybe tied to the length of the business’ contract with the customer (if such a contract exists)? Or, should the buyer be compensated for the difference between the value of the business with an unimpaired customer relationship (as warranted) and the value without the relationship at all (as delivered)? There is scant case law from which to answer these questions, which only causes undue emphasis on the few cases that strive to do so.
Zayo Group, LLC v. Latisys Holdings, LLC, C.A. No. 12874-VCS, is one of the rare cases that does consider the type of damages to be awarded in a situation somewhat similar to the one described above, albeit only in dicta and limited to some very specific facts. Zayo involved the sale of an information technology infrastructure services business that primarily employed short-term contracts with its customers. The seller warranted that it had not received notice of the termination of, material modification of, or refusal to perform, its material contracts. The seller, however, did not warrant lack of notice of a customer’s intent not to renew a material contract. When several material contracts did not renew post-acquisition, the buyer brought suit. After trial, the court entered judgment for the seller, finding no breach of contract. Although the decision on liability was determinative of the case, the court considered the buyer’s claim for damages. A careful reading of the damages portion of the Zayo opinion reveals the court’s reliance on the seller’s expert as the source of what could be misunderstood as statements of the law of damages. For example, the court stated:
Benefit of the bargain—or expectancy—damages measure the difference between the as-represented value of a transaction (typically the purchase price) and the value the purchaser actually received. The actual value the purchaser received, in turn, must assume, and account for, a diminution of the company’s earnings into perpetuity. The “benefit of the bargain” methodology is appropriate for calculating damages only when the alleged breach of the representation or warranty has caused a permanent diminution in the value of the business (as a result of lost revenues into perpetuity) and the business has thereby been permanently impaired.[5]
As explained below, the italicized sentence, for which no legal authority is cited, is ripe for misinterpretation and serves as a poor teacher for any court seeking to determine whether out-of-pocket loss or diminution in value is the appropriate measure of damages.
Precise word choice matters, and this portion of the Zayo opinion uses temporal terms that cannot be read literally, leaving courts and practitioners alike to wonder how they should be applied. No buyer of a business could ever prove lost revenues from any customer into perpetuity. “Perpetuity” is defined as “eternity,” and “eternity” is defined as “infinite time.”[6] It is hard enough (impossible, actually) to prove that a customer would be a customer for eternity, but if the customer relationship has been lost, how does the business buyer prove that the customer would have been a customer for eternity after the customer is no longer a customer by its own volition?
Similarly, “permanent” is defined as “continuing or enduring without fundamental or marked change.”[7] While the loss of a material customer relationship could permanently diminish the value of a business, it is equally possible that such a loss could materially diminish the value of the business as sold (at the time of the acquisition), but over the course of time the business could recover.[8] Is the buyer only entitled to diminution in value damages in the former scenario, but not the latter? And, if the question turns on whether the value of the business will forever be diminished, or might at some point in the future recover, how could the parties and court even determine that within the timespan of a litigation commenced shortly after the sale?
The manner in which valuation professionals value businesses may be to blame for the misleading suggestion that lost revenue into perpetuity is a prerequisite for diminution in value damages. Valuation professionals typically value a business by making an informed estimate of the business’s future using its present and past performance as indicia of its prospects. Typically, the income stream used in the valuation of a business should be the expected income into “perpetuity,” but, that income into perpetuity is then discounted (through a discount rate or embedded within an earnings multiple) to capture the increasing and compounding risk that the income stream could stop after a given year and, therefore, not last into perpetuity. Effectively, depending on the discount rate, after about 15 to 20 years the expected discounted annual income could quickly approach $0. In other words, while “perpetuity” is the standard terminology used in valuing a business, it is a risk adjusted perpetuity, such that the valuation models typically reflect little incremental benefit from the income after 15 to 20 years in the future. The buyer of a business does not typically actually expect any business condition, let alone a revenue stream, to continue into perpetuity, further divorcing the aforementioned Zayo standard for the award of “expectancy damages” from the reality of what a business buyer expects from a transaction. This therefore begs the question of why, if the status of a material customer relationship is misrepresented and the objective value of the business as delivered is less than as warranted, a court would require a buyer to prove loss of perpetual income that no one contemplated simply to recover the difference in the value of the company as promised and as conveyed?
The use of the misnomer “damages subject to a multiplier” to explain diminution in value damages compounds the confusion caused by the misunderstanding of “perpetuity” for valuation purposes.[9] This phrase conflates the nature of the harm with the valuation methodology used to calculate the harm. A brief hypothetical illustrates the point: Assume a business is purchased for $100 million, and the purchase price was established under a market approach valuation using a 5x multiple against a trailing 12-month EBITDA of $20 million. The seller represents that it is unaware of any indication that its top ten customer relationships are in peril. That representation proves to be false; the seller was aware that a top, longstanding customer was planning to terminate its relationship, and the customer does so right after the sale. The customer was responsible for $2 million of EBITDA over the trailing 12 months. The buyer may argue that the appropriate calculation of damages is to use the market approach to determine the difference between the value of the business as warranted ($100 million) and as delivered. The buyer might then argue that the court should back out the lost customer’s contribution to the trailing 12-months EBITDA ($2 million) from the company’s total, and then reprice the business as it was originally priced, using a 5x multiple. This would result in an “as-delivered” value of $90 million (5 x $18 million). The difference between the business as warranted and as-delivered now is $10 million ($100 million – $90 million), thus the buyer’s diminution in value damages are $10 million.
Too often, however, the buyer’s damages in this scenario are described as “damages at the multiple” or as consequential damages, as if the buyer’s damages were actually $2 million, and are somehow being multiplied like a statutory enhanced damages award.[10] In fact, the buyer’s damages are $10 million, the difference between the price paid and the value of the company as delivered, and are only being calculated using a multiple in the market-based valuation methodology. Indeed, it is likely that the business without the customer relationship could be valued (and the same damages amount reached) using an income approach without a multiple but with a discount rate. Awarding any plaintiff or injured party a “multiple” of its actual damages sounds extreme, to be applied only in the most egregious of situations. But, in this hypothetical the buyer is not recovering a “multiple” of its damages, it is recovering the base value of its actual damages. Characterizing the amount as damages “at the multiple” or “subject to a multiplier” simply because a market approach is used to calculate the diminution in the company’s value will consciously or unconsciously bias courts against what is a just award.
A more honest – if not better – standard for determining when diminution in value damages are appropriate in mergers and acquisitions representations and warranties claims is akin to Justice Potter Stewart’s famous definition of pornography: “I know it when I see it.”[11] Notwithstanding its misleading use of “damages at the multiple” and “perpetuity” terminology, the AICPA Practice Aid that was heavily relied upon by the seller’s expert (and thus the court) in Zayo provides a simpler analysis: “Claims that result in dollar-for-dollar damage are typically those that have a one-time effect on the target and that do not impact the target financial condition in future periods (in other words, will not affect future cash flows).”[12] To determine whether a diminution in value has occurred, the AICPA Practice Aid advises that “[t]he primary question that should be asked and evaluated is, Has the buyer’s business been damaged into the future?”[13],[14] Damage that lasts into the future is more likely to be damage that affects the underlying value of the business at the time of the sale, but as suggested above, the future is not necessarily eternity.
Rather than trying to understand and adhere to misused concepts like “perpetuity,” “permanent,” or “at the multiple,” courts should employ a more holistic approach, focusing on the buyer’s actual expectations, the impact of the misrepresentation on the business after the transaction,[15] and a healthy dose of common sense. In Zayo, for example, a host of factors contributed to the court adopting the seller’s damages calculations, including that (i) no breach occurred (which explains why the damages portion of the opinion is dicta), (ii) the buyer’s expert had no valuation experience, and (iii) no buyer witness testified that the buyer would have paid less but for the alleged misrepresentation. However, the core of the court’s reasoning was that the underlying business “was a revolving door” of short-term contracts with short customer loyalty.[16] The loss of a few of these short-term customer relationships was to be expected and did not devalue the overall business in an amount greater than the lost contract renewal revenue (the out-of-pocket loss). Therefore, a “dollar-for-dollar” damages award would make the buyer whole, whereas a diminution in value recovery calculated using a multiple of EBITDA would result in a windfall to the buyer.
As the case law in this area develops, one would expect and hope to see more clarity around the standard for determining when diminution in value damages are appropriate. Diminution in value, after all, is the traditional remedy for a breach of warranty under the “benefit of the bargain” rule, i.e., the difference between the actual value of the property and the value which it would have had absent the breach.[17] As a result, one would expect diminution in value to be the default remedy for a contractual misrepresentation in the sale of a business, generally applicable absent a showing that it would result in a windfall. Eliminating the misconceptions that diminution in value damages require proof of lost revenue for eternity or that they equate to enhanced damages may hasten the arrival of such much-needed clarity.
[1]See, e.g., American Institute of Certified Public Accountants Forensic & Valuation Services Practice Aid for Mergers and Acquisition Disputes (“AICPA Practice Aid”), at 19 (“Depending on the nature of the alleged breach, claims for indemnification may result in dollar-for-dollar damages to recover out-of-pocket losses or damages subject to a multiplier in situations when a buyer can demonstrate that it overpaid for the target based on the alleged breach.”)
[3]Cobalt Operating, LLC v. James Crystal Enterprises, LLC, Civ. A. 714-VCS, 2007 WL 2142926, *29 (Del. Ch. July 20, 2007) (citing Del. Limousine Serv., Inc. v. Royal Limousine Serv., Inc., 1991 WL 53449, *3 (Del. Super. 1991)). See also,Merrill Lynch & Co., Inc. v. Allegheny Energy, Inc., 500 F.3d 171, 185 (2d Cir. 2007) (“A party injured by breach of contract is entitled to be placed in the position it would have occupied had the contract been fulfilled according to its terms.”) (citation omitted).
[4]SeeUniversal Enterprise Group, L.P. v. Duncan Petroleum Corp., C.A. No. 4948-VCL, 2013 WL 3353743, *19 (Del. Ch. July 1, 2013). There is certainly an argument that the correct measure of damages is always, or almost always, diminution in value: “[W]here the seller makes misrepresentations about the business he is selling, the natural and probable result is that the business is actually worth less than the buyer paid, and diminution of value damages therefore compensate the buyer for ‘the value of the promised performance.’” Powers v. Stanley Black & Decker, Inc., 137 F. Supp. 3d 358, 386 (S.D.N.Y. 2015) (quoting Schonfeld v. Hilliard, 218 F.3d 164, 176 (2d Cir. 2000)).
[5]Zayo, C.A. No. 12874-VCS at 16 (citations omitted; emphasis added).
[8] Damages are measured at the time of the breach. Comrie v. Enterasys Networks, Inc., 837 A.2d 1, 17 (Del. Ch. 2003); Sharma v. Skaarup Ship Mgmt. Corp., 916 F.2d 820, 825 (2d Cir. 1990). For a breach of representation or warranty arising from the sale of a business, that time is typically the date the transaction closes.
[10]See AICPA Practice Aid, at 57 (“Indemnity claim damages can be measured two ways: dollar for dollar over a finite period or into perpetuity or at the multiple ….”); Powers, 137 F. Supp. 3d at 385-86 (holding that diminution in value damages are direct, not consequential, damages).
[11]Jacobellis v. Ohio, 378 U.S. 184, 197 (1964) (Stewart, J., concurring).
[14] In the sale of an operating business, past harm can create damage into the future. The import of representations and warranties is to protect against the possibility that the earnings assumptions on which the buyer relies in purchasing the business are not sustainable on a going-forward basis. Cobalt Operating, at *27. Thus, past harm (e.g., inflated revenue figures, or concealment of material customer relationship problems) often affects future cash flows.
[15] A word of caution: As noted above, damages are measured as of the date of the breach, which is usually the date of the transaction. See supra, n.5. Courts have taken very divergent views on whether the company’s performance after the transaction is probative of its value as of the date of the transaction. See, e.g., Merrill Lynch & Co., 500 F.3d at 185 (“The district court’s inquiry into [the business’s] performance and market conditions in the months following the acquisition was improper because events subsequent to the breach, viewed in hindsight, may neither offset nor enhance [the buyer’s] general damages.”)
The temptation for anyone – including lawyers – to take part in a whistleblower bonanza is all but irresistible. Moreover, federal whistleblower legislation and the federal agencies authorized to provide monetary whistleblower awards continue to proliferate, the latest being the Anti-Money Laundering Act of 2020 (the “AMLA”),[1] which was enacted in January 2021. The AMLA provisions were modeled on others enacted as recently as 2010, and whistleblower awards over the past decade have been nothing short of bountiful.
On May 19, 2021, for example, the Securities and Exchange Commission (the “SEC”) awarded $28 million to a whistleblower based on charges and a recovery not from the particulars reported by the whistleblower, but from an investigation in another geographic area altogether that arose as a result of the original tip. That is, the tip reporting wrongdoing in one geographic region did not itself lead to any recovery, but led to investigations by the SEC and another agency that ultimately resulted in charges and recovery in another geographic region not reported by the whistleblower.
In general, an agency authorized to provide whistleblower awards does so as a result of moneys collected in a judicial or administrative action (a “Covered Action”), provided the sum collected is at least $1 million. In aid of a Covered Action can be another judicial or administrative action brought by another entity[2] based upon the original information provided by the whistleblower (a “Related Action”). The Final Order in the aforementioned May 2021 award noted that, although “the Covered Action’s and the Related Action’s charges involved misconduct in geographical regions that were not the subject of the Claimant’s information” and there was “not a strong nexus between the Claimant’s information and the . . . charges,” an award would nonetheless be granted that “appropriately recognizes Claimant’s level of contribution to the Covered Action and Related Action.”
Another whistleblower award of similar magnitude was issued on April 20, 2020, when the SEC announced the payment of a bounty of more than $27 million to a whistleblower who alerted the agency to misconduct occurring, in part, overseas. But that award did not even make it onto the list of the top 10 awards ever paid by the SEC, which has now made over $900 million in whistleblower awards. As these awards may, by statute, only be from 10% to 30% of the amounts recovered, simple arithmetic tell us that, based on information from whistleblowers, the SEC has since collected anywhere from $3 to $9 billion for violations of the federal securities laws.[3]
These whistleblower awards are given pursuant to express authority contained in the Dodd-Frank Wall Street Reform & Consumer Protection Act of 2010 (“Dodd-Frank”).[4] The $28 million award in May 2021 is only the 10th largest the SEC has granted since inception of the program. The largest thus far was a whopping $114 million, issued on October 22, 2020, of which $52 million came from the SEC and the balance of $62 million from another agency, the identity of which is redacted in the Final Order.
“Where do I sign up?,” you may well ask. Receiving money of this magnitude is truly a life-changing event and creates a powerful incentive for anyone to provide information to the government that is likely to lead to large recoveries for fraud. This article therefore considers the propriety of a lawyer receiving a financial award for acting as a whistleblower[5] under recent federal programs authorizing rather munificent bounties. In the majority of cases, receipt by a lawyer of such an award would be not unjust enrichment, but rather unethical enrichment.
Whistleblowing by a lawyer all by itself – i.e., even without the added layer of financial incentive – is problematic in legal ethics, not only because it raises serious questions about disclosure of confidential client information but also because uncertainty surrounds a federal administrative agency’s assertion of authority to preempt state analogues of the Model Rules. The prospect of substantial financial gain[6] compounds the problem by creating incentives that, by their very nature, run counter to two fundamental and virtually peremptory norms of the legal profession: avoiding conflicts of interest under Model Rule 1.7 and either Model Rule 1.8 (for current clients) or Model Rule 1.9(c) (for former clients), as well as preserving the confidentiality of client information under Model Rule 1.6.
While reference is occasionally made by analogy in this article to judicial decisions addressing the question of lawyers receiving financial awards in qui tam actions[7] arising under the federal False Claims Act (“FCA”), this discussion will not address recovery by a lawyer as a “relator”[8] under the FCA or any of the many state analogues[9] of that statutory scheme.
Before proceeding, let’s briefly acknowledge the “elephant in the room”: A cynical lawyer might postulate, purely from a financial or retirement planning perspective, that the magnitude of whistleblower bounties makes the prospect of severe disciplinary action – even suspension or disbarment – an acceptable risk. The author will not comment on this risk-reward conjecture, other than to point out that the risk should not be underestimated, because the pot of gold at the end of the rainbow may not be found. The behavior that may give rise to discipline would always antedate any whistleblower award, neither the receipt nor the magnitude of which is a “sure thing” — dependent as they are upon:
a determination by one or more government agencies to investigate;
the outcome of the investigation;
a decision to prosecute an enforcement action on the basis of that investigation;
the success of that enforcement action; and
the ultimate monetary recovery by the government.
In the English version of an adage from the ancient world, “There’s many a slip ‘twixt the cup and the lip.”
BACKGROUND
The whistleblowing provisions in question have been created by two separate regimes. The older one, scarcely more than a decade old, was enacted in Dodd-Frank; the more recent – enacted in 2021, in fact – is the AMLA.
The Dodd-Frank Regime
There are two pertinent provisions of Dodd-Frank. Section 748 amended the Commodity Exchange Act of 1936 (the “CEA”)[10] by adding a new Section 23, entitled “Commodity Whistleblower Incentives and Protection.” That provision directs the Commodity Futures Trading Commission (the “CFTC”) to pay awards, subject to certain limitations and conditions, to whistleblowers who voluntarily provide it with “original” information about a violation of the CEA that leads to the successful enforcement of an action brought by the CFTC that results in monetary sanctions exceeding $1,000,000, or the successful enforcement of a related action.[11] The CFTC promulgated a final rule[12] and created a “Whistleblower Program” to implement this provision. Similarly, Section 922 of Dodd-Frank amended the Securities Exchange Act of 1934 (the “Exchange Act”)[13] by adding a new Section 21F, directing the SEC to do likewise, mutatis mutandis.[14] The SEC has established its own “Office of the Whistleblower” and promulgated a final rule (since amended) to implement the elements of its respective statutory authorizations.[15] If an eligible whistleblower’s information leads to recovery by either the CFTC or the SEC of $1 million or more, then the whistleblower may receive anywhere from 10% to 30% of the actual amount recovered in the action or related actions.[16]
AMLA
A 1984 statute authorized the Treasury to pay an award to whistleblowers for original information about violations of the anti-money laundering laws[17] if it led to a criminal fine, civil fine, or asset forfeiture of at least $50,000, and capped the award at the lesser of 25% of the net amount collected or $150,000.[18] Modeled largely on the Dodd-Frank approach, the AMLA significantly enlarges this authority by authorizing Treasury to pay whistleblower awards of up to 30% for information leading to enforcement actions that result in penalties, disgorgement, and interest of at least $1 million.[19] The whistleblower must provide original information relating to a violation of the BSA to (1) the whistleblower’s employer, (2) Treasury, or (3) the Department of Justice. Any whistleblower who makes an anonymous claim for an award must be represented by counsel and will have to disclose the whistleblower’s identity before receiving the bounty.
In view of the newness of these provisions and the absence (as of this writing) of any final regulations implementing this new authority, the discussion that follows will focus on the ethics implications of the substantially similar Dodd-Frank whistleblower provisions, with which there have been 10 years of experience.
The Details under Dodd-Frank
To be eligible for a financial award from either of the Commissions, a whistleblower must meet certain statutory criteria. First, the whistleblower’s information must have been voluntarily provided and must lead to successful enforcement of a Covered Action[20] or Related Action.[21] Second, what the whistleblower provides must be “original information,” which means that it is:
derived from the whistleblower’s “independent knowledge or independent analysis,”[22]
not otherwise known from a source other than the whistleblower, and
not “exclusively derived from an allegation made in a judicial or administrative hearing or government report, hearing, audit, or investigation, or from the news media, unless the whistleblower is a source of the information.”[23]
Third, the whistleblower may not knowingly and willfully make any false, fictitious, or fraudulent statement or representation, or use any false writing or document knowing that it contains any false, fictitious, or fraudulent statement or entry.[24]
As noted above, an eligible whistleblower may receive anywhere from 10% to 30% of the actual amount recovered by either of the Commissions, provided that the amount recovered is at least $1 million. The minimum award payable under the Dodd-Frank regime is therefore $100,000 (which is 10% of $1 million), but there appears to be no upper limit, as recoveries by the Commissions (and therefore whistleblower awards) can easily be in the millions or tens of millions of dollars. [25]
The magnitude of any such potential award – truly a life-changing amount of money – creates an ethically precarious situation for a lawyer whistleblower. Awards of this dimension provide a temptation toward thinking with less than complete objectivity, a temptation to which any person, including a lawyer, could easily succumb.
The Commissions, to their credit, limit the ability of lawyers to be eligible whistleblowers:
The CFTC’s approach is to exclude from the “independent knowledge” component information that is obtained (A) via a communication that was subject to the attorney-client privilege or (B) “[i]n connection with the legal representation of a client on whose behalf the whistleblower, or the whistleblower’s employer or firm, have been providing services, and the whistleblower seek[s] to use the information to make a whistleblower submission for the whistleblower’s own benefit,” unless, in either instance, the disclosure is otherwise permitted by the applicable federal or state attorney conduct rules.[26]
The SEC’s approach is to acknowledge from the outset the “special duties” lawyers owe their clients and the importance of furthering consultation between issuers of securities and their counsel in promoting overall compliance with the federal securities laws.[27] Thus, the SEC’s Dodd-Frank regulations announce that a lawyer will not generally be credited with providing “original information” if that information was obtained (1) from confidential communications subject to the attorney-client privilege, (2) from the legal representation of a client, or (3) from association with a firm retained by an organization to conduct an inquiry into possible violations of law, unless, in the case of (1) and (2), disclosure is permitted by the standards of lawyers’ professional conduct issued by the SEC in 2003[28] pursuant to the Sarbanes-Oxley Act (“SOX”),[29] by applicable state attorney conduct rules, or “otherwise.”[30]
The SEC’s lawyer conduct rules allow disclosure of client confidences outside the issuer organization only after the lawyer has reported “up the ladder” within the issuer’s organizational structure information about a “material violation”[31] by the “issuer”[32] or an officer, director, employee, or agent of the issuer.[33] The Part 205 rules do not mandate “reporting out” to the SEC but permit it, without the issuer’s consent – to the extent the lawyer reasonably believes necessary – in certain situations.[34]
At the same time, however, by incorporating the SOX regulations into the Dodd-Frank whistleblower framework, the SEC introduced a “wild card” into the ethics calculus, namely the assertion by the SEC and one of its former General Counsel that its SOX regulations preempt[35] inconsistent state ethics rules, at least with respect to that subset of the bar over which the SEC has any colorable authority (i.e. attorneys “appearing and practicing”[36] before the SEC).[37]
ETHICAL IMPLICATIONS
The Dodd-Frank whistleblower provisions create a significant ethical dilemma for the legal profession, especially for lawyers who practice (whether as in-house counsel or outside counsel) in the securities regulatory and commodities regulatory spheres. The dilemma arises from the magnitude of the awards, as the question of whether lawyers may ethically “blow the whistle” on clients, not just in the financial regulatory arena but across the spectrum of law practice, has already been settled in the Model Rules.
Conflicts of Interest
Model Rule 1.7 – Current Client
The enormous incentive to blow the whistle represented by the award levels authorized under Dodd-Frank seems ineluctably to create an impermissible conflict of interest for a lawyer[38] under Model Rule 1.7. Model Rule 1.7(a) prohibits (subject to a four-part set of exceptions enumerated in paragraph (b) but not pertinent here[39]) a lawyer from representing a client in the face of a concurrent conflict of interest, which exists if, inter alia, “the representation . . . will be materially limited by . . . a personal interest of the lawyer.”[40]
During the SEC’s Dodd-Frank whistleblowing rulemaking, the ABA expressed concerns about the impact of potential financial awards on the attorney-client privilege:
The ABA is concerned that any provisions in the final rules that would entitle whistleblowers to collect substantial awards may create a strong incentive for a lawyer to compromise his or her ethical obligations and undermine the client confidence that the U.S. Supreme Court recognized in the Upjohn case as critical to assuring the continued effectiveness of the attorney-client privilege and the work product doctrine. A client’s awareness that its attorneys may use information provided confidentially to obtain large whistleblower awards could well prevent the free flow of information necessary to the client’s right to effective counsel.[41]
The Dodd-Frank whistleblowing scenario, and the sheer size of potential awards payable by the Commissions, assume Brobdingnagian proportions when compared with considerations identified in two ABA ethics opinions addressing potential financial interest conflicts.[42] It is difficult to conceive that either of those contexts (an amount advanced as bail for a client or a security interest to guarantee payment of legal fees) would represent monetary amounts even remotely comparable to the order of magnitude of Dodd-Frank whistleblower awards. Yet even far smaller sums than those have been deemed sufficient to trigger the personal interest conflict under Model Rule 1.7(a).[43]
Even more so here, the magnitude of the lawyer’s pecuniary interest in the potential award irrevocably undermines any ability on the lawyer’s part to be a neutral and objective provider of legal advice. It is difficult to imagine, under the standard embodied by Model Rule 1.7(a)(2), a limitation more “material,” a lawyer’s interest more “personal,” or a conflict more trenchant and unyielding.
The correctness of this conclusion can be seen by comparison to the Second Circuit’s decision in United States v. Schwarz,[44] in which a lawyer representing one of two police officers charged with assaulting a suspect in custody subsequently received a $10 million retainer to represent the Police Benevolent Association in a civil action brought by the victim of the alleged assault. In contrast to what is possible under the whistleblower scenario, the police officer client actually gave informed consent to the potential conflict.[45] Nevertheless, the court held that the conflict was not waivable, as the lawyer’s financial interests “so permeated the defense that no meaningful waiver could be obtained.”[46]
The same conclusion was reached in the Dodd-Frank context by the New York County Law Association’s Committee on Professional Ethics in a 2013 opinion.[47] Viewing the ethical issues surrounding whistleblowing by lawyers in the abstract, the opinion interpreted New York’s version of Model Rule 1.7 and found that such a financial incentive “might tend to cloud a lawyer’s professional judgment.”[48] The opinion continued, “the potential payment of an anticipated whistleblower bounty in excess of $100,000 presumptively gives rise to a conflict of interest between the lawyer’s personal interest and that of the client.”[49]
Model Rule 1.7(b) raises the possibility that a personal interest conflict can be waived and consented to by the client.[50] Even in the case of a waiver of conflict, however, there is, as the NYCLA concluded, a “‘significant risk’ that the lawyer’s professional judgment or representation will be adversely affected by the lawyer’s personal interest, [and] in some circumstances the whistleblower-bounty conflict may be unwaivable.”[51]
To sum up: In the vast majority of situations – in view of the secrecy that underlies the whistleblowing process, the adversarial nature of the conduct, and the magnitude of the awards –
Dodd-Frank whistleblowing
on a current client
by a lawyer acting as a lawyer
who is eligible to receive a monetary award from either of the Commissions
creates an impermissible and unconsentable conflict of interest proscribed by Model Rule 1.7(a).
This author does not go so far as to suggest that there can never be circumstances in which a Dodd-Frank whistleblower award could ethically be sought by a lawyer who is acting as a lawyer. For example, it is conceivable that an individual lawyer might have so much personal or family wealth that even the magnitude of a Dodd-Frank whistleblower award would have no effect on that lawyer’s objectivity. Such circumstances, it is fair to assume, will be extremely rare, however, and so for the vast majority of lawyers, seeking such an award for information provided to one or both of the Commissions may constitute profoundly unethical conduct. Other possible exceptions might arise as contemplated by the Commissions’ regulations if, for example, outside counsel is participating in an internal corporate investigation into wrongdoing and has a reasonable basis for believing that disclosure of the information to either of the Commissions is necessary to prevent conduct that is likely to cause substantial injury to the financial interest or property of the entity or investors or that will impede an investigation of the wrongdoing.[52] An exception may also exist where at least 120 days have elapsed since the lawyer whistleblower provided the information to the relevant entity’s audit committee, chief legal officer, chief compliance officer (or their equivalents), or the whistleblower’s supervisor.[53]
Model Rule 1.8 – Current Client
In addition to Model Rule 1.7, a conflict of interest governed by Model Rule 1.8(a) arises where a lawyer knowingly acquires a pecuniary interest adverse to a client. Model Rule 1.8 is commonly understood to apply to business transactions with a client, but the “pecuniary interest” language is not limited to that context. The Rule proscribes entering into “a business transaction with a client or knowingly enter[ing] into an ownership, possessory, security or pecuniary interest adverse to a client.” (Emphasis added). The use of the disjunctive contemplates an ownership-based conflict for these categories of interests even in the absence of a business transaction with a client.
The “pecuniary interest” conflict exists unless all three conditions in Model Rule 1.8(a)(1)-(3) are satisfied. As these include full written disclosure, written advice that the client take legal advice from an independent source, and the client’s informed consent, the conditions simply cannot be met in the Dodd-Frank whistleblowing context.
Therefore, merely by arranging to be eligible for a substantial monetary award in the amount of 10% to 30% of any amount in excess of $1 million recovered from the client by either of the Commissions based on lawyer-supplied “original information,” the lawyer acquires the proscribed adverse pecuniary interest in violation of Model Rule 1.8(a).
In addition, Model Rule 1.8(b) prohibits a lawyer from using “information relating to representation of a client to the disadvantage of the client unless the client gives informed consent, except as permitted or required by these Rules.” Paramount among the “permitted or required” instances that might arise in the Dodd-Frank whistleblower context are the provisions of Model Rule 1.6(b)(2)-(3), which authorize, respectively, disclosure to prevent a client’s concurrent crime of fraud and disclosure to prevent, mitigate, or rectify a client’s prior crime or fraud, which, in each instance, is reasonably certain to result (or, in the case of prior client misconduct, has already resulted) “in substantial injury to the financial interests or property of another and in furtherance of which the client has used the lawyer’s services.” The extent of the disclosure must be what the lawyer “reasonably believes necessary” to accomplish these aims.
Assuming that a client engaged in wrongdoing of this magnitude is unlikely to give informed consent, a lawyer’s blowing the whistle to either of the Commissions is prohibited by Model Rule 1.8(b) as using confidential information relating to the representation to the disadvantage of the client, unless all three of the following conditions are met:
the lawyer’s services were used in furtherance of a crime or fraud;
which is reasonably certain to cause, or has already caused, substantial injury to the financial interests or property of one or more third parties; and
the extent of the disclosure is reasonably believed by the lawyer to be necessary to prevent, mitigate, or rectify the client’s crime or fraud.
Model Rule 1.9 – Former Client
Model Rule 1.9(c)(1) prohibits the use of information relating to the representation of a former client to the disadvantage of the former client except as the Rules permit or require. The analysis is thus essentially the same[54] as what was just discussed under Rule 1.8(b). In applying New York’s version of Model Rule 1.9, NYCLA Op. 746 reached the same conclusion.
Common Law Fiduciary Duty
In addition to violations of the conflicts of interest provisions under the Model Rules, whistleblowing under the Dodd-Frank regime would violate a lawyer’s fiduciary duty at common law that would be breached were a lawyer to appropriate and disclose information of a current or former client for the lawyer’s own profit.[55] In the Restatement’s formulation, a lawyer is prohibited, except with the client’s consent, from using “confidential information of a client for the lawyer’s pecuniary gain other than in the practice of law [and] must account for any profits made by the use of such information.”[56] This strict duty, which applies even when the disclosure is permissible under the Model Rules and even when the client is not harmed by the disclosure, is an outgrowth of the common law of agency:[57]
The strict confidentiality duty of the Subsection is warranted for prophylactic purposes. A lawyer who acquires confidential client information as a result of a representation should not be tempted by expectation of profit to risk a possibly incorrect assessment of future harm to a client. There is no important societal interest in permitting lawyers to make unconsented use or revelation of confidential client information for self-enrichment in personal transactions.[58]
The prospect of having to account to the client and make restitution of the lawyer’s profit from whistleblowing would remove any temptation to violate the rules of professional conduct and risk disbarment in anticipation of living on easy street because of the magnitude of the anticipated bounty. Yet this prospect is illusory because of the mandated secrecy, noted above, surrounding Dodd-Frank whistleblower activities. The client will never know whether the “covered judicial or administrative action” was based on information provided by a whistleblower or, if so, who that whistleblower was. This practical difficulty underscores the need for the rules of professional conduct to act as a deterrent.
Confidentiality
In General
Model Rule 1.6 requires lawyers to refrain from disclosing confidential client information or using it adversely against the client, unless the client consents or an exception applies. The duty of confidentiality sweeps broadly. In particular, “confidential” information includes much more than information protected by the attorney-client privilege or work product doctrine. Under Model Rule 1.6 (as well as under many state incarnations), “confidential” information includes “all information relating to the representation, whatever its source.”[59]
The confidentiality rationale rests on the vital importance society places upon the “full, free and frank” exchange between lawyer and client, shielded from the intrusive eyes and ears of others, including the government. Without assurances of confidentiality, critical discussions between lawyer and client would necessarily be limited in a manner that would negatively affect the former’s ability to serve the latter. The benefits of confidentiality have long been recognized. As Chief Justice Lemuel Shaw of the Massachusetts Supreme Judicial Court said almost 200 years ago:
This principle we take to be this; that so numerous and complex are the laws by which the rights and duties of citizens are governed, so important is it that they should be permitted to avail themselves of the superior skill and learning of [attorneys] both in ascertaining their rights in the country, and maintaining them most safely in court … that the law has considered it the wisest policy to encourage and sanction this confidence, by requiring that on such facts the mouth of the attorney should be forever sealed.[60]
Consistent with this policy, lawyers must be able to gather all the necessary information and be free to explore with the client the client’s options. If a client perceives a “threat that these confidential communications will be shared with those whose interests may be adverse to the client, the chilling effect on the lawyer-client relationship becomes plain.”[61]
“A fundamental principle in the client-lawyer relationship is that, in the absence of the client’s informed consent, the lawyer must not reveal information relating to the representation.”[62] Disclosure of confidential information of any client is authorized under Model Rule 1.6 “to the extent the lawyer reasonably believes necessary”[63] either “to prevent the client from committing a crime or fraud that is reasonably certain to result in substantial injury to the financial interests or property of another”[64] or “to prevent, mitigate, or rectify substantial injury to the property of another,”[65] in each case where the client has used the lawyer’s services in furtherance of the crime or fraud. Those disclosure exceptions are simply not available where the lawyer’s services have not been so used.
Furthermore, with respect to an organizational client, the prescribed approach is set out in Model Rule 1.13, which requires a lawyer who knows of corporate misconduct to report such misconduct up-the-line (to the board of directors if necessary) unless the lawyer believes it is “not necessary in the best interest of the organization” to do so. Disclosure outside the organization without its consent is limited to situations where the highest authority in the organization has failed to address the legal violation the lawyer has reported and the lawyer “reasonably believes that the violation is reasonably certain to result in substantial injury to the organization” – and even then only “to the extent necessary to prevent substantial injury to the organization.”[66] In the case of an attorney who has been engaged to investigate matters within the corporation or to defend the organization or its constituents, however, reporting any discovered misconduct outside the organization is forbidden.[67]
Although the existence of conflicts of interest is enough of an ethical proscription against lawyers collecting bounties for Dodd-Frank whistleblowing, NYCLA Op. 746 devoted the majority of its analysis to confidentiality under applicable New York rules of professional responsibility. Because of the complexity of the regulatory framework established by the SEC in particular, which resurrects judicially unresolved questions of preemption first aired in the SOX era, some additional points are noteworthy.
Effect of the Dodd-Frank Regulatory Framework
The Commissions, in their respective regulations, limit the ability of lawyers to be eligible whistleblowers. The lodestar is the source of the information being conveyed by the whistleblower. As noted above, only “original” information qualifies. Information obtained by those occupying positions with fiduciary or quasi-fiduciary obligations (which would include in-house counsel and outside counsel)[68] is generally not considered “original,” but there are some exceptions as described below. Furthermore, the original information must be “voluntarily” provided. That means it must be provided prior to any request to the whistleblower (or anyone representing the whistleblower) from the Commissions, any other federal or state authority (e.g., DOJ or a State Attorney General), Congress, or any SRO about a matter to which the information in the whistleblower’s submission is relevant.[69]
The CFTC’s approach is to exclude from the “independent knowledge” component[70] any information that is:
obtained via a communication that was subject to the attorney-client privilege, or
in connection with the legal representation of a client on whose behalf the whistleblower (or the whistleblower’s employer or firm) have been providing services, and that the whistleblower seeks to use to make a submission for the whistleblower’s own benefit, unless, in either instance, the disclosure is otherwise permitted by the applicable federal or state attorney conduct rules.[71]
The SEC’s approach is to acknowledge from the outset the “special duties” lawyers owe their clients and the importance of furthering consultation between issuers of securities and their counsel in promoting overall compliance with the federal securities laws.[72] Thus, the SEC’s Dodd-Frank regulations announce that a lawyer will not generally be credited with providing “original information” if that information was obtained (1) from confidential communications subject to the attorney-client privilege, (2) from the legal representation of a client, or (3) from association with a firm retained by an organization to conduct an inquiry into possible violations of law, unless, in the case of (1) and (2), disclosure is permitted by the standards of lawyers’ professional conduct issued by the SEC in its 2003 Part 205 rules,[73] by applicable state attorney conduct rules, or “otherwise.”[74]
By incorporating the Part 205 rules into the Dodd-Frank whistleblower framework, however, the SEC introduced some complexities into the ethics calculus. These complexities include not only exceptions to the requirement of confidentiality that are not found in the Model Rules, but also the (as yet untested) assertion by the SEC that its regulations preempt state avatars of the Model Rules in certain circumstances.
Dodd-Frank whistleblowing, by its nature, entails “reporting out” – specifically to the government. Yet the SOX regulations invoked by the SEC do not contemplate “reporting out” except in exceptional circumstances. To begin with, those regulations do not apply to all lawyers but only to a subset: those “appearing and practicing” before the SEC. Secondly, the default requirement for such attorneys under the Part 205 regulatory regime is emphatically not blowing the whistle to the SEC; rather, those regulations require reporting “evidence of a material violation”[75] of the securities laws by the issuer (or any of its officers, directors, employees or agents) to the CEO or, perhaps more likely, the Chief Legal Officer,[76] and thereafter if no satisfactory action is taken, “up the ladder” within the corporate organization, all the way to the board of directors if necessary. [77] This procedure is, in essence, consistent with Model Rule 1.13(b), though the latter requires not merely credible evidence of a reasonably likely violation but actual knowledge[78] of an existing or impending violation.
Incorporating the Part 205 rules into the Dodd-Frank whistleblower framework also inserts into the analysis a potential “wild card,” namely the assertion, made both by the SEC and by one of its former General Counsel,[79] that the SOX regulations[80] preempt inconsistent state ethics rules,[81] at least with respect to that subset of the bar over which the SEC has any colorable authority (to wit: attorneys “appearing and practicing” before the SEC). If the SEC’s whistleblower regulations preempt inconsistent state ethics rules, that could theoretically preclude state disciplinary action and the salutary effect on attorney conduct of the threat of such disciplinary action for flagrant violations of confidentiality, privilege, and conflict of interest rules.
The preemption debate began shortly after promulgation of the final Part 205 rules, with both the Washington State Bar[82] and the California Bar[83] taking the position that the SEC lacked preemption authority.[84] In the intervening years, no court has yet had occasion to rule on the SOX/state ethics rules preemption question.[85]
Logically, however, it would seem that whatever legal or policy arguments might support preemption in the SOX/Part 205 context are simply absent in the Dodd-Frank whistleblower context. For one thing, there was not – and cannot have been – any preemptive intent regarding regulation of the Bar on the part of Congress when enacting Dodd-Frank, since the two whistleblower provisions predominantly apply to individuals who are not lawyers. More tellingly, in enacting Dodd-Frank Congress was very attentive to preemption issues and specifically legislated on that topic in other areas,[86] but Section 922 (the SEC whistleblower provision) is silent on preemption.[87] For another, the secrecy requirements of Dodd-Frank whistleblowing are, in the case of a lawyer-whistleblower, incompatible not only with the default confidentiality principles of the Model Rules and the attorney-client privilege but also the SEC’s own Part 205 rules, which require internal, up-the-ladder reporting and contemplates “reporting out” only when that default procedure does not function as intended.
Accordingly, confidentiality principles are another reason to be chary of whistleblowing by lawyers. Such whistleblowing constitutes disclosure of client information in violation of the default confidentiality provisions of the Model Rules and may only be done ethically where those Rules (or their state avatars) expressly so permit or require.[88]
CONCLUSION
Seeking a monetary award from the SEC or the CFTC for whistleblowing on a client almost certainly creates a personal interest conflict, within the meaning of Model Rule 1.7(a)(2). Disclosing the client’s information to a federal agency, other than as specifically authorized under the Model Rules, violates the confidentiality requirements of Model Rule 1.6. A lawyer, acting as a lawyer, who pursues such an award does so at extreme peril of disciplinary action and should, at a minimum, consult the ethics rules and authorities in each jurisdiction in which he or she is admitted.
[1] This constitutes Titles 60-63 of the massive (nearly 1500 pages) William M. (Mac) Thornberry National Defense Act of 2021, Pub. L. No.: 116-283, §§ 6001 et seq. Another, related piece of the puzzle is Title 64, the Corporate Transparency Act ( the “CTA”), establishing disclosure requirements for beneficial owners of certain business enterprises. The Business Law Section has already done two “In the Know” webinars on the CTA, one addressing the substance and the other addressing some of the ethical implications.
[2] Possible other entities include: the Department of Justice; an appropriate department or agency of the Federal Government, acting within the scope of its jurisdiction; a self-regulatory organization; a state attorney general in connection with a criminal investigation; an appropriate state regulatory agency or department. Other possibilities are, in the case of commodities-related whistleblowers, a foreign futures authority; and in the case of securities-related whistleblowers, the Public Company Accounting Oversight Board, a foreign securities authority, and a foreign law enforcement authority. See 7 U.S.C. § 26(h)(2)(C)(I)-(VI); 15 U.S.C. § 78u-6(h)(2)(D) (I)-(VIII).
[3] Actually, the recovery amount may be somewhat higher, since the statute does not authorize whistleblower awards for collection of monetary sanctions of $1 million or less. See 15 U.S.C. § 78u-6(a)(1) (definition of “covered judicial or administrative action”).
[5] The term “whistleblower” is susceptible of many different definitions in different contexts. See Julian W. Kleinbrodt, Pro-Whistleblower Reform in the Post-Garcetti Era, 112 Mich. L. Rev. 111, 113 (2013) (observing that “[t]here is no single definition of a whistleblower, and it takes on different contours in different contexts”). Although the term is neither defined nor used in the ABA Model Rules of Professional Conduct (2018) [hereinafter the “Model Rules”], references in this article to a lawyer as “whistleblower” should be understood to mean a lawyer who reports a client’s wrongdoing to a governmental or law enforcement agency. Cf. Black’s Law Dictionary (9th ed. 2009) (defining a whistleblower as “[a]n employee who reports employer wrongdoing to a governmental or law-enforcement agency”).
[6] As discussed below, the minimum award payable is $100,000 and could fairly easily reach millions of dollars.
[7] The descriptor qui tam is short for the Latin phrase “qui tam pro domino rege quam pro se ipso in hac parte sequitur,” which refers to one who brings an action on behalf of the king as well as himself. This regime, despite certain similarities, is conceptually different from the Dodd-Frank regulatory whistleblower landscape considered in this article.
[8] A “relator” is an individual who brings suit under the FCA in the name of the government, which has sixty days to intervene in the action. If the government declines to intervene, the relator may proceed alone. 31 U.S.C. § 3730(b). If the action is successful, the relator stands to receive an award of 15-25% of the proceeds (whether a verdict or settlement) if the government has intervened and litigated the matter and between 25-30% if the government has not intervened. 31 U.S.C. § 3730(d). State false claims acts operate in similar fashion.
[9]E.g., the N.Y. False Claims Act, N.Y. State Fin. Law §§ 187 et seq.
[12] CFTC, Final Rules for Implementing the Whistleblower Provisions of Section 23 of the Commodity Exchange Act, 76 Fed. Reg. 53,172 (Aug. 25, 2011) (codified at 17 C.F.R. §§ 165.1 et seq.).
[14] Dodd-Frank § 922 (creating Section 21F of the Exchange Act, 15 U.S.C. § 78u-6).
[15]See SEC, Securities Whistleblower Incentives and Protections, 76 Fed. Reg. 34,300 (June 13, 2011) (codified at 17 C.F.R. §§ 240.21F-1 et seq.) [hereinafter “SEC Dodd-Frank Release”].
[16] 7 U.S.C. § 26(b)(1) (CFTC); 15 U.S.C. §78u-6(b)(1) (SEC). The CFTC and the SEC shall jointly be referred to hereinafter as the “Commissions.”
[17]E.g., Currency and Foreign Transactions Reporting Act of 1970, Pub. L. No. 91-508, 84 Stat. 1114 (1970) (codified as amended in scattered sections of 12, 18, and 31 U.S.C. and commonly known as the “Bank Secrecy Act”) [hereinafter referred to as the “BSA”].
[20] 7 U.S.C. § 26(b)(1) (CFTC); 15 U.S.C. § 78u-6(b)(1) (SEC). As noted earlier, the term “covered judicial or administrative action” means any judicial or administrative action brought by the CFTC or the SEC, as the case may be, that results in monetary sanctions exceeding $1million. 7 U.S.C. § 26(a)(1) (CFTC); 15 U.S.C. § 78u-6(a)(1) (SEC).
[21] A “related action” is defined as a judicial or administrative action brought by a statutorily designated entity that is based upon the original information provided by a whistleblower that led to the successful enforcement by either of the Commissions of a “covered judicial or administrative action.” 7 U.S.C. § 26(a)(5) (CFTC); 15 U.S.C. § 78u-6(a)(5) (SEC). Statutorily designated entities include, inter alia, (1) the Department of Justice; (2) an appropriate Federal regulatory authority (e.g., one of the bank regulatory agencies); (3) a self-regulatory organization; (4) a State attorney general in connection with any criminal investigation; (5) an appropriate State regulatory authority; and (6) a foreign law enforcement or regulatory authority. See 7 U.S.C. § 26(h)(2)(C)(i) (CFTC); 15 U.S.C. §78u-6(h)(2)(D)(i) (SEC).
[22] These concepts are not defined in Dodd-Frank but are defined by the Commissions in their separate regulations. The term “independent knowledge” means factual information in the whistleblower’s possession that is not derived from publicly available sources. The term “independent analysis” means the whistleblower’s examination and evaluation (whether performed alone or with others) of information (including publicly available information), which then reveals information that is not generally known or available to the public. See generally 17 C.F.R. § 165.2(g)-(h) (CFTC), 17 C.F.R. § 240.21F-4(b)(2)-(4). (SEC).
[24] 7 U.S.C. § 26(m) (CFTC); 15 U.S.C. § 78u-6(i) (SEC). Such false or fraudulent statements or conduct are independently criminalized under 18 U.S.C. § 1001 and, in the case of a whistleblower who is a lawyer, would subject the lawyer to discipline under Model Rule 8.4(b) and (c).
[25] In addition to the awards described at the beginning of this article see, e.g., CFTC, Press Release, CFTC Announces Whistleblower Award of More Than $10 Million (April 4, 2016), available athttp://www.cftc.gov/PressRoom/PressReleases/pr7351-16. The SEC typically redacts its whistleblower grant orders, but a law firm that represents whistleblowers revealed on its website an award of $22.5 million dated June 30, 2016. See The Employment Law Group, Rewards Tracker, available athttp://sec-whistleblowers.com/rewards-tracker/.
[27]See generally SEC Dodd-Frank Release, 76 Fed. Reg. at 34,314.
[28] SEC, Implementation of Standards of Professional Conduct for Attorneys, Securities Act Release No. 33-8185, 68 Fed. Reg. 6296 (Feb. 6, 2003) (currently codified at 17 C.F.R. § 205.3(d)(2)). These regulations (known colloquially as the “Part 205 rules”) apply only to lawyers “appearing and practicing” before the SEC in the context of providing legal services to an “issuer” of securities. “Issuer” in this context is broadly defined to include certain affiliates for which the lawyer has provided services on behalf of, or at the behest of or for the benefit of, the issuer, regardless of whether the lawyer is employed or retained by the issuer. Id. § 205.2(h). Likewise, “appearing and practicing” is broadly defined and includes, inter alia, merely advising on U.S. securities laws or regulations in connection with a document that the lawyer has notice will be filed or submitted (or incorporated into a document to be filed or submitted) to the SEC. Id. § 205.2(a).
[29] Public Company Accounting Reform and Investor Protection Act of 2002, Pub. L. No. 107-204, 116 Stat. 745 (2002) (which became colloquially known, after its Senate and House sponsors, Paul Sarbanes and Michael Oxley, as the Sarbanes-Oxley Act).
[30] 17 C.F.R. § 240.21F-4(b)(4)(i), (ii), (iii)(C). Note that the SEC has not (to date) explained what facts or circumstances might give rise to the “otherwise” exclusion.
[31] Referring to both federal and state laws and obligations, this term is defined for purposes of the Part 205 rules as “a material violation of an applicable United States federal or state securities law, a material breach of fiduciary duty arising under United States federal or state law, or a similar material violation of any United States federal or state law.” 17 C.F.R. § 205.3(i).
[32] See supra note 28 (describing broad definition of “issuer” for this purpose).
[34] The circumstances include: (i) To prevent the issuer from committing a material violation that is likely to cause substantial injury to the financial interest or property of the issuer or investors; (ii) To prevent the issuer, in the course of an SEC investigation or administrative proceeding, from committing perjury, proscribed in 18 U.S.C. § 1621; suborning perjury, proscribed in 18 U.S.C. § 1622; or committing any act proscribed in 18 U.S.C. § 1001 that is likely to perpetrate a fraud upon the SEC; or (iii) To rectify the consequences of a material violation by the issuer that caused, or may cause, substantial injury to the financial interest or property of the issuer or investors in the furtherance of which the attorney’s services were used. 17 C.F.R. § 205.3(d)(2)(i)-(iii).
Differences between the SEC’s rule and Model Rule 1.13 are discussed later in the article.
[35] No preemption issue exists with respect to the CFTC, which has no SOX responsibilities and has not incorporated by reference any other regulations purporting to govern attorney conduct.
[37] The validity of this assertion is open to question (see infra notes 79-85 and accompanying text), and there has even been a lack of consensus on the issue among former SEC General Counsels.
[38] This article focuses only on situations in which a lawyer is acting as a lawyer and is representing a client involved in the conduct giving rise to the possibility of whistleblowing. Thus, in the case of a business entity, this discussion does not address the conduct of a whistleblower who has a law degree and may well be licensed to practice law in one or more jurisdictions but who is acting as a director, officer, employee, or agent without any attorney-client relationship with the organization.
[39] The client’s informed consent is a basic component of the exceptions in paragraph (b). Whistleblowing under the Dodd-Frank framework, by its nature, precludes seeking the client’s consent. In order not to impair the efficacy of any agency investigation, Dodd-Frank whistleblowing is confidential, and in fact the Commissions are generally required to keep the information confidential. See 7 U.S.C. § 26(h)(2)(A) (CFTC); 15 U.S.C. § 78u-6(h)(2)(A) (SEC). Moreover, the adversary nature of a lawyer blowing the whistle on a client would seem to render the conflict non-consentable per se.
[41]Letter from Stephen N. Zack, President, Am. Bar Ass’n, to Hon. Mary L. Schapiro, Chair, Securities and Exchange Commission, at 3 (May 11, 2011).
[42]See, e.g., ABA Formal Ethics Op. 432 (2004) (advancing bail on behalf of accused client may pose a conflict if amount of bail is “material” to the lawyer); ABA Formal Ethics Op. 427 (2002) (discussing the propriety of a lawyer taking a security interest in property of the client to guarantee payment of legal fees).
[43]Cf. United States v. Quest Diagnostics Inc., 734 F.3d 154 (2d Cir. 2013) (lawyer violated applicable New York professional conduct rules by filing qui tam action against former employer with respect to matters substantially related to prior representation of employer).
[45] The court explained the potential conflict as the disincentive, created by the lawyer’s simultaneous representation of the PBA, to seek to obtain acquittal for the police officer client by endeavoring to place the blame entirely on the other police officer. Id. at 94-95.
[46]Id. at 96 (quoting United States v. Fulton, 5 F.3d 605, 613 (2d Cir. 1993)).
[47] N.Y. Cnty. Lawyers’ Ass’n., Comm. on Professional Ethics, Ethical Conflicts Caused by Lawyers as Whistleblowers under the Dodd-Frank Wall Street Reform Act of 2011,Formal Op. 746 (Oct. 7, 2013) [hereinafter referred to as “NYCLA Op. 746”].
[50] A recent ethics opinion of the New York State Bar Association concluded that neither a lawyer nor his firm may represent a client in litigation funded by a litigation financing company in which the lawyer is an equity holder. Among several ethical concerns, the opinion identified New York’s version of Rule 1.7(a)(2). The opinion found that the lawyer’s personal and financial interest in the financing company could create a significant risk that the lawyer’s professional judgment could be adversely affected by the lawyer’s own interests. “For instance, the Company may have an interest in expediting (or prolonging) the litigation to enhance the value of the Company’s investment but which may not equate with the client’s interests in going to trial (or reaching an early settlement). A continuing duty exists to protect the client from this risk.” N.Y. State Bar Ass’n Comm. on Prof’l Ethics, Op. 1145 ¶ 12 (March 7, 2018). The opinion noted, however, that this conflict could “be adequately disclosed and waived under Rule 1.7(b) if the other requirements of Rule 1.7(b) are fulfilled.” Id.
[54] Actually, the coverage of Model Rule 1.9 is a little broader. Whereas Rule 1.8(b) only covers a client represented by the lawyer, Rule 1.9(c)(1) applies to a client formerly represented by either the lawyer or by his or her present or former law firm.
[55]See Fremont Reorganizing Corp. v. Faigin, 198 Cal. App. 4th 1153 (2011) (former in-house counsel who told insurance authorities about former employer’s allegedly illegal conduct could be liable for breach of fiduciary duty and duty of confidentiality).
[56] Restatement (Third) of the Law Governing Lawyers § 60(2).
[66] Model Rule 1.13(c). In contrast to Model Rule 1.6(b)(3), Model Rule 1.13 does not, by its terms, authorize disclosure to prevent, mitigate, or rectify substantial injury to the property of another.
[72]See generally SEC Dodd-Frank Release, 76 Fed. Reg. at 34,314.
[73] SEC, Implementation of Standards of Professional Conduct for Attorneys, Securities Act Release No. 33-8185, 68 Fed. Reg. 6296 (Feb. 6, 2003) (currently codified at 17 C.F.R. § 205.3(d)(2)).
[74] 17 C.F.R. § 240.21F-4(b)(4)(i), (ii), (iii)(C). Note that the SEC has not (to date) explained what facts or circumstances might give rise to the “otherwise” exclusion.
[75]See id. § 205.2(e) (defining “evidence of a material violation”). This definition of “evidence of a material violation” is a notorious double-negative standard: “credible evidence, based upon which it would be unreasonable, under the circumstances, for a prudent and competent attorney not to conclude that it is reasonably likely that a material violation has occurred, is ongoing, or is about to occur.” Cf. Keith R. Fisher, The Higher Calling: Regulation of Lawyers Post-Enron, 37 U. Mich. J. L. Reform 1017, 1104 (2004) (suggesting that this standard comes “perilously close to ‘knew or should have known’ standard of proof – in other words, scienter”). As noted above, the term “material violation” is itself defined as a “material violation of an applicable United States federal or state securities law, a material breach of fiduciary duty arising under United States federal or state law, or a similar material violation of any United States federal or state law.” 17 C.F.R. § 205.2(i).
[76]Id. § 205.3(b)(1), (c)(1). The duplication in two separate paragraphs refers to two situations: one for issuers that have not established a Qualified Legal Compliance Committee and the other for issuers that have. If the reporting attorney is a subordinate attorney, however, he may content himself with reporting to his supervisor and need take no further action. Id. § 205.5(c). This is actually somewhat less onerous than a subordinate lawyer’s obligations under Model Rule 5.2(b), compliance with which requires that the supervisory lawyer’s resolution of an “arguable” question of professional duty be “reasonable” and that the subordinate act in accordance with that resolution.
[80] No preemption issue exists with respect to the CFTC, which has no SOX responsibilities or other regulations purporting to govern attorney conduct.
[81]See 17 C.F.R. § 205.1 (“These standards supplement applicable standards of any jurisdiction where an attorney is admitted or practices and are not intended to limit the ability of any jurisdiction to impose additional obligations on an attorney not inconsistent with the application of this part. Where the standards of a state or other United States jurisdiction where an attorney is admitted or practices conflict with this part, this part shall govern”).
[82]See Ethics 2003 Committee of Wash. State Bar Ass’n. Internal Formal Ethics Opinion 2003, available athttp://www.wsba.org/lawyers/groups/ethics2003/formalopinion.doc (opining that lawyers admitted in the State of Washington may not ethically reveal client confidences and secrets unless authorized to do so under Washington’s rules of professional conduct, regardless of the permissive disclosure provisions of the Part 205 Rules).
[83]See, e.g., State Bar of California, Ethics Alert, The New SEC Attorney Conduct Rules v. California’s Duty of Confidentiality (Spring 2004); Corporations Comm. of the Business Law Section of the California State Bar, Conflicting Currents: The Obligation to Maintain Inviolate Client Confidences and the New SEC Attorney Conduct Rules, 32 Pepp. L. Rev. 89 (2004) (arguing that the SEC’s preemption assertion exceeds its authority).
[84]But cf. Roger Cramton, George Cohen & Susan Koniak, Legal and Ethical Duties of Lawyers After Sarbanes-Oxley, 49 Vill. L. Rev. 725 (2004) (supporting an argument for implied preemption).
[85] Also worth noting, even en passant, are (1) that in SOX Congress did not expressly grant the SEC preemptive authority over state regulation of lawyers, and (2) that similar attempts by another federal administrative agency to invoke regulatory authority over lawyers in other regulatory contexts – the privacy provisions of the Gramm-Leach-Bliley Act of 1999 and the Fair and Accurate Credit Transactions Act of 2003 – were resoundingly rejected when challenged by the bar. SeeNew York State Bar Ass’n v. FTC, 276 F. Supp.2d 110 (D.D.C. 2003) (holding that the FTC exceeded its authority in extending the statutory term of art “financial institution” to lawyers), aff’d sub nom.American Bar Ass’n v. FTC, 430 F.3d 457 (D.C. Cir. 2005); American Bar Ass’n v. FTC, 671 F. Supp.2d 64 (D.D.C. 2009) (holding that nothing in the FACT Act contained an “unmistakably clear” grant of authority that would permit FTC intervention into regulating the practice of law), vacated as moot, 636 F.3d 641 (D.C. Cir. 2011) (concluding that intervening legislation clarifying that lawyers were not subject to the FTC rule had mooted the controversy).
[86]E.g., Dodd-Frank § 767 (preempting State gaming and bucket-shop laws), § 1041(a) (preempting state consumer protection laws to the extent, and only to the extent, they are inconsistent with federal consumer protection laws under Dodd-Frank Title X), and § 1044 (prescribing state law preemption standards for national banks and their subsidiaries).
[87] Likewise Dodd-Frank § 748, amending the CEA, evinces no preemptive intent.
[88] Examples include Model Rules 4.1 and 1.6(b)(2)-(3), and 1.13(c).
On June 28, 2021, while both congressional bodies continue to introduce and consider numerous legislative proposals to “reform” and amend the existing legal analytical framework, the U.S. District Court for the District of Columbia dismissed two high-profile antitrust cases simultaneously brought by the Federal Trade Commission (FTC) and 46 states. Both cases alleged that Facebook illegally maintained a monopoly in the social networking space through its acquisition of nascent competitors, including WhatsApp and Instagram, as well as by placing restrictions on developers that access Facebook’s networks.
The key difference between the decisions is that the court granted the FTC leave to amend its complaint to better address Facebook’s alleged monopolization. Therefore, while the states’ case is finished (unless they file an appeal), the FTC retains a number of options, including trying to bolster its monopolization claim or pursuing the case through the FTC’s administrative proceedings.
Members of both political parties and from both congressional chambers condemned the decisions:
The FTC should pursue this case, but we shouldn’t count on regulators and the courts alone to save us. Keeping our markets competitive, open and fair? It will require the Congress to act.
Facebook is clearly a monopoly. The district court ruling shows the need for Congress to reform the antitrust laws. Our bipartisan bills give additional resources to law enforcement agencies and brings greater scrutiny to mergers. We have to act now.
The FTC and 46 states separately sued Facebook in December 2020, alleging that Facebook violated Section 2 of the Sherman Act[3] through its alleged “buy or bury” strategy of acquiring Instagram (2012) and WhatsApp (2014) and by adopting policies that prevented app developers that Facebook viewed as potential competitive threats from accessing Facebook’s platform interfaces (API Policies). The states also sought relief under Section 7 of the Clayton Act[4], which prevents acquisitions that tend to substantially lessen competition.
District Court Judge James Boasberg dismissed each case on different grounds.
The FTC Case. Judge Boasberg dismissed the FTC’s monopolization claim for a failure to plausibly allege facts that Facebook has monopoly power.[5] The FTC defined the relevant product market served by Facebook as one for “Personal Social Networking Services,” which the FTC described as “online services that enable and are used by people to maintain personal relationships and share experiences with friends, family, and other personal connections in a shared social space.”[6] The FTC alleged that Facebook held a market share “in excess of 60%,” and there were no substitutes for Facebook. The decision criticized the FTC for failing to offer any measure or metrics for this analysis and failing to name even a single Facebook competitor. The court therefore observed that “[i]t is almost as if the [FTC] expects the Court to simply nod to the conventional wisdom that Facebook is a monopolist. After all, no one who hears the title of the 2010 film ‘The Social Network’ wonders which company it is about.”[7]
The court also expressed concern with the FTC’s claims regarding Facebook’s API Policies, cautioning the FTC that generally antitrust law does not impose a duty to deal on monopolists.[8] Although the court made plain that the FTC “to be sure, has alleged several specific refusals to deal that in fact may meet [antitrust law’s] requirements” for pleading a claim, the court explained that injunctive relief is not available under Section 13(b) of the FTC Act[9] because the FTC does not allege ongoing or imminent anticompetitive conduct.[10]
The States’ Case. The states similarly premised their claims on Facebook’s alleged monopoly, but Judge Boasberg found additional grounds for dismissal with prejudice under the doctrine of laches, which does not apply to the U.S. government. More specifically, the court found that laches precluded the states’ claims because it viewed the Clayton Act’s four-year statute of limitations as “the starting presumption” for when an aggrieved plaintiff may file a complaint.[11] The court then pointed to the states having waited six and eight years, respectively, to claim that the WhatsApp and Instagram acquisitions violated antitrust laws and found “no case … in which a plaintiff other than the United States (against which laches does not apply), whether a state or a private party, was awarded equitable relief after such long post-acquisition delays in filing suit.”[12]
The court explained that laches was particularly appropriate because (1) the Instagram and WhatsApp acquisitions were widely publicized at the time; (2) it was well-understood at the time that Facebook was “the dominant player” in online social networking; (3) the FTC’s extra scrutiny of the Instagram transaction was publicized; (4) analysts had expressly commented that Facebook was acquiring WhatsApp to “eliminate[e] a potential competitor poised to mount a major challenge to Facebook’s monopoly;” and (5) significant prejudice to Facebook was apparent, given that the states sought a divestiture of longtime core Facebook assets.[13]
The attorneys general are appealing the decision.
Two Key Takeaways
Laches Applies to Everyone Besides the US GovernmentThe court found that the United States — not the states — is the proper enforcer of the federal antitrust laws, as Congress, when passing the Clayton Act, had not articulated a special role for the states in enforcing those laws, making them akin to private plaintiffs against which equitable defenses applied.[14] Indeed, even prior to the Facebook decision, the states had tacitly admitted this, as the National Association of Attorney Generals recently urged Congress to expand the states’ role as antitrust enforcers.[15] By contrast, at no point did the court question the ability of the FTC to complain about Facebook’s acquisitions of competitors that occurred well before the Clayton Act’s four-year statute of limitations. Timing may eventually impact the FTC if it repleads its refusal to deal claim or asserts other claims based on non-acquisition conduct that is not more recent or ongoing in nature.
The FTC’s Next Move May Implicate Chair Khan’s New PlaybookThe court criticized the FTC for making a conclusory claim of Facebook’s 60% “market share,” but also noted that it “believes that the agency may be able to ‘cure [the] deficiencies’ by repleading.” To strengthen its market power allegations, the FTC would likely need to include additional information regarding the basis of its market share calculation, allegations regarding whether Facebook’s market share remained constant or how it otherwise shifted since 2011 (the period that the FTC itself references), the identity of at least some of the other firms that account for the remaining 30-40% of the market, and proof that people value Facebook more than its social media substitutes and connect the popularity of Facebook’s social media services to the advertising dollars that popularity helps generate.
The decision may also lead the FTC to pivot under new Chair Lina Khan. Although the FTC filed the case in federal court and has advised the court that it would file an amended complaint, it also could have chosen to bring an action through its in-house administrative process, where FTC commissioners themselves would review an order from the FTC’s administrative law judge and render a decision that can be appealed to federal courts. Such a strategic decision could dovetail with the FTC’s withdrawal of its 2015 guidance on standalone use of Section 5 of the FTC Act, which prohibits “unfair methods of competition” — a broader standard than antitrust claims under Sections 1 and 2 of the Sherman Act and Section 7 of the Clayton Act.
[8]Id. at 39-41. Specifically, the court noted that “to be actionable, such a scheme must involve specific instances in which that policy was enforced (i) against a rival with which the monopolist had a previous course of dealing; (ii) while the monopolist kept dealing with others in the market; (iii) at a short-term profit loss, with no conceivable rationale other than driving a competitor out of business in the long run.”
In the wake of the Colonial Pipeline hack, President Biden released a long-anticipated Executive Order (EO) intended to strengthen U.S. cybersecurity infrastructure. [1][2] The EO highlights the government’s interest in public-private partnerships in the realm of cybersecurity by triggering a rulemaking process that will impose cybersecurity standards on private companies that contract with the federal government in the areas of information technology (IT) and operational technology (OT). The EO is only one of many steps the new administration is taking to improve cybersecurity. In line with the government’s vision, the Department of Energy also released a 100-day cybersecurity pilot program,[3] and the Federal Energy Regulatory Commission took steps to establish incentive-based programs for cybersecurity investments.[4]
Dan Sutherland, Chief Counsel for the Cybersecurity & Infrastructure Security Agency (CISA), and Jen Daskal, Deputy General Counsel at the Department of Homeland Security (DHS), spoke at an Infragard webinar on May 19, 2021 about the new Executive Order (EO).[5]
Before delving into the EO, the speakers gave a brief introduction to the roles of DHS and CISA. DHS takes a “whole of government” approach to cybersecurity, and deals with cybersecurity issues through the United States Secret Service and Immigration and Customs Enforcement (ICE), which focuses on prosecuting cyber-enabled crime. It also works through the Transportation Security Administration (TSA) and Coast Guard, which focus on cybersecurity in surface transportation. CISA, on the other hand, is an independent federal agency under DHS oversight. It focuses specifically on the United States’ cybersecurity and communications infrastructure. Acting more as a risk advisor and research arm, rather than enforcer, CISA aims to keep the nation’s critical infrastructure secure, robust, and capable of defending itself against cyber-attacks.
Both speakers briefly discussed three pieces of legislation that give CISA more authority to perform their work:
The National Defense Authorization Act (NDAA), which is a product of the Cyberspace Solarium Commission, provides 11 substantive new authorities for CISA, including: the ability to issue administrative subpoenas, the authority to do more to protect federal networks, and the wherewithal to provide capabilities and tools to other federal agencies without reimbursement. However, CISA’s subpoena authority is very limited. It mainly involves the power to collect public-facing IP information from internet service providers (ISPs) when the information is not otherwise available. Under this authority, ISPs must provide identifying information attached to IP addresses. CISA, of course, claims to have no interest in overstepping privacy rights or civil liberties.
The last legislation the speakers highlighted was the American Rescue Plan Act of 2021, which gave CISA $650 Million to improve federal network security. CISA will operate a pilot cloud environment featuring heightened security systems. This could signal a significant new path for CISA to provide services to agencies rather than merely issuing policies and directives.
Executive Order on Improving the Nation’s Cybersecurity
The Executive Order has been a priority for the Secretary of the DHS, Alejandro Mayorkas. When he outlined his vision for DHS’s cybersecurity efforts on March 31, 2021, Secretary Mayorkas said, “[m]ake no mistake: a free and secure cyberspace is possible. We will champion this with words and action.”[6]
The speakers highlighted the importance of the role the EO plays in the federal government’s commitment to modernize cybersecurity defenses and protect the federal government’s infrastructure. While executive orders cannot direct the private sector or create new authorities that do not already exist, they can leverage the power of the White House to signal priorities and support the use of existing authorities to implement key priorities. All the EO provisions outlined by the speakers build on the maturation of the cybersecurity mission and are intended to address recent cybersecurity incidents.
The EO has several innovative aspects. It leverages the procurement power of the federal government to impose reporting requirements and standards for service providers with which the federal government contracts. This has the potential to have a ripple effect for the private sector; to set standards of care and best practices beyond the provision of services to the federal government.
The EO also focuses on improving information sharing about potential incidents in the inter-agency process and through procurement power. It eliminates roadblocks for private entities to share information with government and assists the government in preventing incidents from occurring in the first place. The federal government observed that IT and OT service providers who contract with the government are hesitant and sometimes unable to share information with CISA and the FBI. They often claim that their contracts prevent the sharing of information to any agency outside of their contracting partners. The EO requires CISA to develop standard contractual clauses to be implemented through the federal acquisition regulation process. IT and OT service providers will thereby be required to collect, preserve, and share data and to collaborate during investigations. The EO goes beyond information sharing and provides standard formats to assist with investigation and remediation. Section 2(g)(I) of the EO outlines the types of reporting that should be included in the contracts.
Additionally, the EO creates a new Cybersecurity Safety Review Board, which will analyze broader, nationally significant cyber incidents affecting federal civilian information systems or non-federal systems, and make concrete recommendations for improving cybersecurity. CISA is actively working to develop this Board.
The EO provides authorities to conduct threat-hunting authorities, ensuring that there is government-wide buy-in on CISA’s ability to use these authorities effectively. It also includes desired improvements in cloud security and in the development of software used in the supply chain.
Recent cyber security incidents have revealed a lack of visibility into the cloud environment. To address this, the EO requires CISA to develop a set of security principles that govern the cloud environment for federal agencies. The EO also requires the Secretary of Commerce, in coordination with National Institute of Standards and Technology (NIST), to publish minimum elements of the bill of materials and a definition of “critical software.” The Secretary of Commerce is also responsible for recommending minimum standards for testing of third-party software source code by the third-party licensors.
In addition, CISA can help federal agencies by providing a federal incident-response playbook and improving methods for detecting vulnerabilities. Because currently CISA sees internet traffic only at the perimeter but not at the object (computer) level, the EO requires organizations to give CISA access to monitor object-level data and provide endpoint detection capabilities, allowing CISA a greater ability to look for malicious code and vulnerabilities.
When asked whether the EO sufficiently protects critical infrastructure, Dan Sutherland stated that CISA was taking substantial new steps to address recent issues. Regarding possible metrics of success, he said that these metrics may include measurements of efforts and results and, since the EO has many short, aggressive deadlines, people should expect to see results such as patching happening quickly.
The final point the speakers addressed was on inter-agency sharing of information. Under the Federal Information System Moderation Act (FSMA), every agency is responsible for its own security, while CISA provides only guidance and policies. After the data breach at the federal Office of Personnel Management,[7] there was more cooperation and collaboration in the federal civilian executive branch. The EO is further prompting federal agencies to work collaboratively. In that regard, the EO calls for procedures for the Secretary of DHS and the Department of Defense to share all directives applying to their respective information networks. To take this a step further, the speakers recommended the cultivation of greater information sharing between the federal system and the private industry.
Our next article will focus on steps the private sector should be taking in light of new standards under the EO.
On July 7, 2021, Colorado Governor Jared Polis signed into law the Colorado Privacy Act (CPA). By enacting the CPA, Colorado becomes the third state in the nation to implement a generally applicable consumer data privacy law, after California with the California Consumer Privacy Act (CCPA) and Virginia with the Virginia Consumer Data Protection Act (VCDPA). While the CPA is similar to the CCPA and VCDPA in many respects, it has a different scope and different obligations than those two laws. Accordingly, impacted businesses must conduct a separate scope analysis, and, if subject to the CPA, they will need to set up different business rules to comply with the law.
The CPA applies to person(s) that conduct business in Colorado or that produce products or services that are intentionally targeted to Colorado residents and that either (1) control or process personal data of at least 100,000 Colorado residents during a calendar year, or (2) derive revenue or receive a discount on the price of goods or services from the sale of personal data and process or control the personal data of at least 25,000 Colorado residents. The CPA applies to information that is linked or reasonably linkable to an identified or identifiable person acting in an individual or household context. The law also provides special protections for sensitive data, which includes personal data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life or orientation, citizenship or citizenship status, and personal data from a known child.
However, the CPA does not apply to, among other things:
financial institutions or data subject to the federal Gramm-Leach-Bliley Act;
certain activities regulated by the Fair Credit Reporting Act;
information on persons acting in a commercial or employment context;
deidentified data or, in some contexts, pseudonymous data; or
publicly available information.
Consumer Rights
The CPA provides consumers with a number of rights related to their personal data, several of which are similar to rights available under the CCPA and VCDPA. Under the CPA, consumers have the right to:
confirm whether or not a controller (the person that determines the purpose and means of processing personal data) is processing personal data;
access their personal data;
correct inaccuracies in their personal data, taking into account the nature of the personal data and the purposes for processing the personal data;
delete personal data concerning them;
obtain a portable copy of personal data that they access from the controller;
opt out of the processing of personal data for (1) targeted advertising, (2) the sale of personal data, or (3) profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer; and
appeal a refusal to take action on a request to exercise a right under the CPA.
The CPA also requires controllers to adopt and offer, by July 1, 2024, a universal opt-out mechanism to allow consumers to opt out of the sale of personal data and opt out of the processing of personal data for purposes of targeted advertising under technical specifications to be established by the Colorado attorney general.
Controller Obligations
The CPA imposes different obligations depending on whether the business is a controller or a processor (the entity processing personal data on behalf of the controller). Therefore, a business will need to analyze whether it is acting as a controller or a processor when engaging in any personal data processing.
Under the CPA, controllers must, among other things:
provide a Privacy Notice containing specific disclosures, including the categories of personal data collected, processed, and shared, the purposes for which personal data are collected and processed, the categories of third parties with whom the controller shares personal data, and, if selling personal data or processing personal data for targeted advertising, a clear and conspicuous disclosure of the sale or processing and how a consumer can opt out;
limit processing personal data to what is adequate, relevant, necessary, reasonable, and proportionate in relation to the specified purposes for which such personal data is processed;
not process personal data for purposes that are not reasonably necessary or compatible with specified purposes, unless the controller obtains consumer consent;
take reasonable measures to secure personal data during both storage and use from unauthorized acquisition;
not process personal data in violation of discrimination laws; and
not process sensitive data without consent.
The CPA also requires controllers to conduct and document data protection assessments when conducting data processing that presents a heightened risk of harm to a consumer. Processing that presents a heightened risk of harm to a consumer includes engaging in the following activities:
the processing of personal data for purposes of targeted advertising;
the sale of personal data;
the processing of personal data for purposes of profiling, where such profiling presents a reasonably foreseeable risk of certain types of harm to consumers; and
the processing of sensitive data.
Processor Obligations
A processor must follow a controller’s instructions and must assist the controller in:
responding to consumer rights;
meeting data security and breach notification obligations; and
providing information to enable the controller to conduct and document data protection assessments.
There are also requirements for contracts between controllers and processors as well as requirements for engaging subcontractors.
Enforcement
The Colorado attorney general and district attorneys have exclusive authority to enforce the CPA. The attorney general and DAs may seek civil penalties of up to $20,000 for each violation of the CPA, in addition to injunctive relief. The CPA provides for a 60-day right to cure.
The CPA does not provide for a private right of action.
Do you know what an ombudsman does? Did you know that the Board of Governors of the Federal Reserve System (“Board”) has an Ombudsman Office that serves individuals and financial institutions affected by the Federal Reserve System’s (the “Federal Reserve”) regulatory and supervisory activities? This article provides an overview of the Board’s Ombudsman Office and explains recent amendments to the Federal Reserve’s procedures for an institution to appeal a rating or other supervisory action (material supervisory determination (“MSD”) appeals process).[1]
What Is an Ombudsman?
The term “ombudsman” is Swedish in origin (literally translated, it means “representative”), and an ombudsman’s function is to assist “individuals and groups in the resolution of conflicts and concerns.”[2] The ombudsman profession dates back to 1713, when King Charles XII of Sweden appointed an ombudsman to help promote good governance and conflict mitigation.[3] The use of ombudsmen has continued to evolve, spreading throughout the public, private, and academic sectors around the world.[4] Examples of organizations and businesses that employ ombudsmen include the United Nations, the International Monetary Fund, the American Red Cross, the Inter-American Development Bank, the United States Olympic Committee, American Express Company, The Coca-Cola Company, Mars Inc., and United Technologies Corporation.
This article presents an outline of the office’s methods and purpose from the perspective of the Federal Reserve’s Ombudsman Office employees, past and present.
The Federal Reserve System’s Ombudsman Office
Establishment of the Ombudsman Office
The Board established the position of Ombudsman in 1995, as required by the Riegle Act.[5] Other financial regulators, including the Consumer Financial Protection Bureau, Federal Deposit Insurance Corporation, National Credit Union Administration, and Office of the Comptroller of the Currency, also have ombudsmen. The Riegle Act directed each federal banking agency to appoint an ombudsman to:
(A) act as a liaison between the agency and any party with any problem the party may have in dealing with the agency as a result of its regulatory activities; and
(B) ensure that safeguards exist to encourage complainants to come forward and preserve confidentiality.[6]
What We Do and How We Do It
The Board’s Ombudsman Office is guided by four core principles: independence, informality, fairness, and confidentiality. We operate outside of the Federal Reserve’s supervisory and regulatory processes and are therefore independent. The Ombudsman Office is located in the Board’s Office of the Secretary, and Ombudsman staff do not report to the Board’s supervisory divisions.
The Ombudsman Office has three major functions. Primarily, we are available to facilitate the fair and timely resolution of complaints related to the Federal Reserve’s supervisory and regulatory activities. In performing this function, we most commonly hear from representatives of state member banks (for which the Federal Reserve is the primary federal regulator) about a specific supervisory determination. For example, financial institutions have contacted our office about supervisory component and composite ratings; findings in safety and soundness examinations and consumer compliance exams; timing, process, or other concerns relating to exams; and the review and approval of pending applications. To help resolve such matters, we work collaboratively with representatives of the supervised institution and with senior staff at the Board or Reserve Bank, as appropriate. In short, we do our best to facilitate productive communication and to keep the resolution process on track.
Depending on the severity of the problem, the Board’s general practice is to attempt to resolve problems informally, when appropriate. In keeping with this policy, our office typically assists individuals or financial institutions before a formal process is initiated, often obviating the need to use a formal process. Moreover, our office can continue to assist an individual or institution in resolving a dispute even if it has escalated to a formal process. We have informally assisted financial institutions during the pendency of an MSD appeal to provide information and to help address, for example, communication or delay issues.
We also serve as an intake point for whistleblower complaints against supervised institutions or institution-affiliated parties. We generally gather information from the complainant and share the information with appropriate Board or Reserve Bank staff. However, if an individual wants to remain anonymous outside of discussions with the Ombudsman Office, we will not share any identifying information.
The second major function of our office is to investigate any claim that Federal Reserve staff has retaliated against a supervised institution. The Board has a strict policy prohibiting retaliation. The Ombudsman Office defines retaliation as any action or decision by Board or Reserve Bank staff that causes a supervised institution to be treated differently (e.g. more harshly) than other similarly situated institutions because the institution has attempted to resolve a complaint by filing an MSD appeal or has utilized any other Board mechanism for resolving a complaint.[7] Because of the ongoing relationships between financial institutions and the Board, we recognize how difficult it can be for an institution to raise retaliation claims, and we ensure that all such claims are fully investigated. During this process, our office collects and reviews relevant documents, interviews witnesses, and consults with Board or Reserve Bank subject matter experts.[8] Throughout the course of our investigation, we also attempt to resolve retaliation claims informally, such as through discussions with the complaining institution and relevant Board or Reserve Bank staff.[9] At the conclusion of an investigation, our office determines if retaliation occurred and reports its factual findings and determination to the appropriate Federal Reserve internal resources.[10] We may also recommend to the appropriate division director that personnel involved in the claimed retaliation be excluded from the next examination of the institution or review that may lead to an MSD. However, the division director will make the final decision regarding any exclusions of Federal Reserve personnel from future examinations.
Our third function is to provide feedback on patterns of issues.[11] This function includes reporting to Board members and senior staff on issues that are likely to have a significant impact on the Federal Reserve’s missions, activities, or reputation that arise from the Ombudsman’s review of complaints, such as patterns of issues that occur across multiple complaints. This information includes aggregate data, and may also include particular issues raised by institutions. To maintain confidentiality, we do not share any identifying information about an institution in these reports, unless expressly authorized to do so by the institution. This reporting function enables us to share directly with Board members and senior staff our perspective based on the concerns of individuals and financial institutions affected by the Federal Reserve’s supervisory or regulatory activities.
Due to the nature of the Ombudsman Office’s functions, we have established safeguards to protect the identity of the individuals and financial institutions that contact our office. We also protect the confidentiality of the information they share, upon request. Our email address and telephone line are not accessible to anyone other than Ombudsman Office staff. We share identifying and other information with Federal Reserve staff only if the individual or financial institution has explicitly authorized us to do so (except if disclosure is required by law, in the event of imminent risk of serious harm, or in the case of fraud, waste, or abuse).
In sum, our office serves in most instances as an informal resource, and we advocate for a fair and timely resolution of disputes or concerns. An institution’s participation in a resolution process with the Ombudsman is voluntary. If a financial institution or individual no longer wants to pursue resolution through our office, it is free to terminate the process at any time.
The MSD Appeals Process
The Riegle Act also directed the federal banking agencies to establish an “independent intra-agency appellate process” for the review of “material supervisory determination[s]” and to ensure that “appropriate safeguards exist for protecting the appellant from retaliation by agency examiners.”[12] In response, the Board established an MSD appeals process in March 1995. Last year, the Board adopted an amended MSD appeals process, drawing on experience with and feedback on the original policy.[13] The purpose of the revised process is to improve and expedite the appeals process. Highlights of the amendments, which became effective on April 1, 2020, are summarized below.
The original process defined an MSD to include determinations related to examinations or inspection composite ratings, the adequacy of loan loss reserves, and significant loan classifications. The revised process clarifies that Matters Requiring Attention (MRAs) and Matters Requiring Immediate Attention (MRIAs) constitute appealable MSDs. Specifically, the revised process states that an MSD includes, but is not limited to, “any material determination relating to examination or inspection composite ratings, material examination or inspection component ratings, the adequacy of loan loss reserves and/or capital, significant loan classification, accounting interpretation, Matters Requiring Attention (MRAs), Matters Requiring Immediate Attention (MRIAs), Community Reinvestment Act ratings (including component ratings), and consumer compliance ratings.” The revised process clarifies that it excludes any referral of a matter to another government agency from an appealable MSD. Finally, the revised process continues to exclude any supervisory determination for which an independent right of appeal exists.
The original appeals process consisted of three levels—an initial review panel, an appeal to the president of the Reserve Bank that issued the MSD, and an appeal to the appropriate Governor at the Board. The revised process only includes two levels—an initial review panel and a final review panel—both of which have three members. Under the revised process, all appeals are filed with the Ombudsman Office. Generally, the initial review panel consists of three Reserve Bank employees, with the option for a Board employee to be appointed as one of the three members in appropriate circumstances. The final review panel must consist of at least two Board employees, at least one of whom must be an officer of the Board at the level of associate director or higher. Members of the review panels must not have been substantively involved in, or directly or indirectly report to someone else who was involved in, the MSD being appealed. Additionally, none of the panel members may be employees of the Reserve Bank that made the MSD being appealed.
Under the revised, streamlined process, an institution must file an initial appeal within 30 calendar days of receipt of the MSD, and the initial review panel will issue a decision within 45 calendar days of the date the appeal is received.[14] An institution must file a final appeal within 14 calendar days of the initial review panel’s decision, and the final review panel will issue a decision within 21 calendar days of the filing of a final appeal.[15]
The revised process also addresses a potential timing conflict between the Prompt Corrective Action (PCA) framework[16] and the original MSD appeals process by expediting the appeals process. If an MSD being appealed relates to or causes an institution to become critically undercapitalized, the appeals process is further expedited. An institution must still file an initial appeal within 30 calendar days of receipt of the MSD, but the initial review panel will issue a decision within 35 calendar days of the date the appeal is received.[17] An institution must file a final appeal within seven calendar days of the initial review panel’s decision, and the final review panel will issue a decision within 10 calendar days of the filing of a final appeal.
The revised process also defines specific standards of review applicable at each level of the appeal. The initial review panel considers whether the MSD being appealed is consistent with applicable laws, regulations, and policy, and is supported by a preponderance of evidence in the record. The initial review panel will make its own supervisory determination and will not defer to the judgment of the Reserve Bank staff that made the MSD being appealed. The initial review panel may, however, rely on any examination work papers developed by the Reserve Bank or materials submitted by the institution if it determines it is reasonable to do so. The final review panel determines whether the initial review panel’s decision was reasonable.
Finally, the Ombudsman Office may attend, as an observer, meetings or deliberations relating to the appeal, if requested by either the institution or Federal Reserve personnel. Ombudsman staff will also follow up with institutions that have filed an MSD appeal to inquire whether retaliation has occurred. As in the prior policy, the Ombudsman Office is the authorized recipient of all retaliation claims made by supervised institutions involving the Federal Reserve.
Conclusion
As explained above, the three main functions of the Ombudsman Office are: (1) to facilitate the fair and timely resolution of complaints related to the Federal Reserve’s supervisory and regulatory activities; (2) to investigate any claim that Federal Reserve staff has retaliated against a supervised institution; and (3) to provide feedback on patterns of issues. The Board’s Ombudsman Office staff is here to assist you, and we are dedicated to helping the Federal Reserve and its constituents resolve issues efficiently and effectively. If you have any questions, please contact us via email at [email protected] or by calling 1-800-337-0429.
[1] The authors of this article would like to acknowledge the valuable contributions of former staff members of the Ombudsman Office who contributed to the development of this article.
[2] The International Ombudsman Association, https://www.ombudsassociation.org/what-is-an-organizational-ombuds.
[3] C. McKenna Lang, A Western King and an Ancient Notion: Reflections on the Origins of Ombudsing, Journal of Conflictology, Vol. 2, Issue 2 (2011).
[5] Riegle Community Development and Regulatory Improvement Act of 1994, 12 USC §§ 4701 et seq.
[6] 12 U.S.C. § 4806(d)(2). In addition, when Congress created the Consumer Financial Protection Bureau in 2010, it directed that the Consumer Financial Protection Bureau appoint an ombudsman to carry out these roles. 12 U.S.C. § 5493(a)(5).
[7] “Internal Appeals Process for Material Supervisory Determinations and Policy Statement regarding the Ombudsman for the Federal Reserve System,” 85 Fed. Reg. 15175, 15182 (March 17, 2020).
[13] “Internal Appeals Process for Material Supervisory Determinations and Policy Statement regarding the Ombudsman for the Federal Reserve System,” 85 Fed. Reg. 15175 (March 17, 2020).
[14] The initial review panel may extend the period for issuing a decision by up to 30 calendar days if the panel determines that the record is incomplete, and that additional fact-finding is necessary for the panel to issue a decision.
[15] The final review panel may extend the period for issuing a decision by up to 30 calendar days if the panel determines an extension is appropriate.
[17] This period may be extended by up to an additional seven calendar days if the initial review panel decides that such time is required to supplement the record and consider additional information received.
May 26, 2021 was a landmark day for Big Oil. Its inner sanctums were put on notice by stakeholders that the companies must take meaningful steps now to address climate change. 61% of Chevron Corporation (“Chevron”) shareholders voted to approve a resolution seeking Chevron’s reduction of Scope 3 greenhouse gas (“GHG”) emissions.[1] Three directors, who were nominated by a small hedge fund to make Exxon more accountable for all of its carbon emissions, were elected to Exxon Mobil’s Board of Directors at Exxon’s annual meeting.[2] A Dutch trial court ordered Royal Dutch Shell to cut its GHG emissions by 45% by the year 2030.[3] While these events are unprecedented for Big Oil, how they came about and their actual impact are worth a closer look. Perhaps what’s most noteworthy is the prospect that years of shareholder activism may suddenly be yielding dividends.
I. Chevron and Its Shareholders
At Chevron’s annual meeting on May 26th, shareholders approved the following resolution:
“RESOLVED: Shareholders request [Chevron] to substantially reduce the greenhouse gas (GHG) emissions of their energy products (Scope 3) in the medium- and long-term future, as defined by the Company. To allow maximum flexibility, nothing in this resolution shall serve to micromanage the Company by seeking to impose methods for implementing complex policies in place of the ongoing judgement of management as overseen by its board of directors.”[4]
The resolution was proposed by Follow This, a Dutch activist fund. Chevron had initially sought to exclude the proposal from a vote and requested no-action relief from the SEC on the basis that (i) the proposal related to the Company’s “ordinary business” operations and sought to “micromanage the Company’s actions to direct its GHG emissions management program,” which made it excludable from proxy materials under Rule 14a-8,[5] and (ii) the proposal duplicated a prior proposal.[6] On March 30, 2021, the SEC denied Chevron no-action relief, indicating on its website that the SEC was “[u]nable to concur with exclusion on any of the bases asserted.”[7]
Also considered during this stockholder meeting were resolutions (a) directing the Board of Chevron to issue an audit report discussing “whether and how a significant reduction in fossil fuel demand, envisioned in the IEA [International Energy Agency] Net Zero 2050 scenario, would affect its financial position and underlying assumptions,” and (b) seeking to convert Chevron to a Public Benefit Corporation under Delaware law, the purpose of which would have been to enable Chevron to adopt and adhere to sustainability goals consistent with the public interest. The Board of Directors of Chevron opposed all three resolutions.[8]
Only the first of the proposed resolutions, identified as Item 4 on the proxy card, passed. What does Item 4 actually obligate Chevron and its Board to do? On its face, very little. It “request[s],” but does not mandate, that the company reduce its Scope 3 emissions.[9] It contains no firm climate change benchmarks that the company must achieve. The timeframe for accomplishing these reductions, in the “medium and long term future,” is not specific. And furthermore, Chevron’s governance rules only commit the Board to “reconsider any stockholder proposal not supported by the Board that receives a majority of the votes cast at its Annual Meeting . . . .”[10] From management’s perspective, Item 4 could be viewed as more advisory than mandatory.
Nevertheless, the impact of the resolution’s passage is far from illusory. It is after all the first resolution calling for any reduction in GHG emissions passed by Chevron’s shareholders, and the fact that it does not impose specific targets or requirements is due to the limitations of Rule 14a-8, which allows shareholders owing certain amounts of securities to place proposals in the company’s proxy materials for vote at shareholder meetings, subject to certain procedural requirements and substantive exclusions. One such exclusion is proposals that relate to the company’s “ordinary business operations,” which could result in impermissible micro-management of the company by shareholders.[11] Follow This expressly limited its proposal to calling for a reduction in emissions only, appropriately leaving the specifics of accomplishing the reduction to management: “Had the Proponent not been required to draft this proposal with pointed consideration of the potential for exclusion on grounds of micromanagement, the Proponent would have requested much more specific and progressive reductions.”[12] Going forward, should Chevron’s Board ignore the resolution, its directors could be at greater risk of being replaced over time by the same shareholders who voted for the resolution.
II. Exxon Mobil’s Three New Directors
Engine No. 1, a hedge fund with a .02% holding in Exxon Mobil, proposed a slate of four directors for election to Exxon’s twelve-member board at its annual meeting on May 26, 2021. Engine No. 1’s stated goal was to infuse the Exxon Board with people who will push the energy giant to recognize the significance of global climate change and respond constructively to the goals of the Paris Climate Agreement. Engine No. 1 succeeded in electing three of its four nominees, garnering critical support from Exxon’s three largest shareholders (and the three largest asset managers in the world) BlackRock, Vanguard and State Street, as well as major shareholders such as CalPERS and the New York State Common Retirement Fund.[13] In fact, Engines No. 1’s three directors received the highest number of votes of all nominees.[14]
In the case of Exxon, Engine No. 1’s success appears to have been based on excellent timing and a compelling slate of candidates. Going into the annual meeting, Exxon had faced “mounting criticism for its reluctance to invest more in renewable energy and for years of weak financial performance.”[15] New York State’s Comptroller said investors had “received platitudes and gaslighting in response” to concerns about climate change for years.[16] Meanwhile, Exxon’s three largest shareholders have placed themselves at the forefront of the Environmental, Social, and Governance (ESG) movement as members of the NetZero Asset Managers Alliance among other things.[17] BlackRock in particular all but foreshadowed its vote in its 2021 annual letter to clients:
“We expect the issuers we invest in on our clients’ behalf to be adequately managing the global transition towards a net zero economy…. Where we do not see progress in this area, and in particular where we see a lack of alignment combined with a lack of engagement, we will not only use our vote against management for our index portfolio-held shares, we will also flag these holdings for potential exit in our discretionary active portfolios because we believe they would present a risk to our clients’ returns.”[18]
Engine No. 1 provided a slate of qualified candidates to garner the votes, including highly regarded industry executives with success in both conventional and renewable energy transition (Gregory Goff and Kaisa Hietala) and a former U.S. Asst. Secretary of Energy and clean tech entrepreneur with expertise in energy infrastructure, R&D and policy (Alexander Karsner).[19] Shareholders recognized that Exxon needs diversity of expertise, background and perspective on its board to move towards sustainability, and voted accordingly.[20]
III. Royal Dutch Shell in The Hague
Potentially the most significant of the May 26th events was the decision by the Hague District Court to order Royal Dutch Shell (“RDS”) to cut its GHG emissions by net 45% by 2030 compared to 2019 levels.[21]
There are many significant elements of the Judgment, starting with the Court’s recognition of the effects of climate change. The Court accepted as fact that mankind’s use of fossil fuels leads to the release of carbon dioxide which traps heat within the ozone layer and causes temperatures on earth to rise.[22] It discussed the so-called carbon budget, which is the total remaining capacity of the earth to absorb GHGs, and accepts as fact the conclusions by various international organizations about the effects of climate change.[23] In particular, the Court accepted as fact that The Netherlands generates more CO2 emissions than many other European countries and there is a direct connection between those activities and future disruptions to human existence.[24]
The plaintiffs asserted that RDS had duties under Dutch law to prevent climate change through its corporate policies and to ensure that its carbon emissions comply with levels deemed acceptable under, for example, the IEA’s Net Zero 2050 plan. The Court concluded that RDS’ corporate policies, policy intentions and ambitions are incompatible with CO2 reduction targets prescribed in the Paris Climate Agreement, the IEA Net Zero 2050 and other global climate change policies. It ordered RDS to reduce its Scope 1, 2 and 3 emissions by a net 45% of 2019 levels by the end of 2030 through the adoption and implementation of new corporate policies that will actually enable these results.
Given the breadth and impact of the Judgment, it is likely that RDS will appeal. If so, the Hague Court of Appeal would review the case do novo, i.e. it may re-examine the facts and reach its own conclusions about the facts and the outcome of the case.[25] While this story is not over, it remains to be seen what effect (if any) the case may have on future U.S. public policy and legislation.
IV. Measuring Progress Toward Net Zero
Much of the world now pays ever closer attention to the consequences of our reliance on fossil fuels. As the reality of climate change is now in the boardrooms of Big Oil, there is growing demand from the investor community for companies to, as Bill Gates puts it, go from emitting 51 billion tons of GHGs each year to zero.[26]
On June 10, 2021, The Investor Agenda published a “Statement to Governments” signed by 457 investment firms and individuals representing US$41 trillion in assets urging governments to issue standards for measuring and quantifying climate risk so that investors can properly assess those risks and invest wisely.[27] The Statement calls on all governments to take broad action in 2021, including:
strengthening NDCs for 2030;
committing to “decarbonization roadmaps” for carbon-intensive sectors;
Like BlackRock’s 2021 annual letter to clients, the Statement invokes the need for greater transparency in climate risk disclosures.[29] The inability of investors to obtain material information about company carbon emissions impedes investors’ efforts to invest the capital required to achieve Net Zero. Extraordinary associations and statements such as these underscore the growing urgency with which climate change and ESG issues are being considered. While the full significance of May 26, 2021 remains to be seen, the day may hopefully be remembered as the beginning of a shift of consciousness in Big Oil from avoidance to constructive engagement with the forces of climate change.
[11] See 17 CFR §240.14a-8(i)(7). See also Exchange Act Release No. 40018 (May 21, 1998). The policy underlying the ordinary business exclusion is “to confine… ordinary business problems to management and the board…, since it is impracticable for shareholders to decide how to solve such problems at an annual shareholders meeting,” and to consider “the degree to which the proposal seeks to ‘micro-manage’ the company by probing too deeply into matters of a complex nature upon which shareholders… [are not] in a position to make an informed judgment.” Id.
