In an era of increasing data breaches and cyberattacks, businesses face mounting risks that can lead to financial, reputational, and operational damage. The cost of a data breach reached an average of $4.88 million in 2024, a 10 percent increase from the previous year. And with companies increasingly relying on artificial intelligence (AI) for decision-making and operations, they must navigate additional risks and legal challenges as AI’s transformative power introduces opportunities and significant exposures.
In this context, cyber insurance is a comforting safety net, helping businesses manage and mitigate the impact of cybersecurity incidents, including those driven by AI technology. AI’s evolving landscape also creates new challenges, such as algorithmic biases, unpredictable outputs, and the potential for “black box errors”—AI errors with unclear causes—that may result in uninsured exposure if not properly accounted for in insurance policies. Knowing that such a safety net exists can provide a sense of reassurance in the face of these evolving risks.
Even with strong cybersecurity, systems can be breached. Cyber insurance can help cover costs from data breaches, ransomware, and AI risks, though AI-specific coverage is still developing. Many policies offer some AI protection, but specialized coverage for algorithmic bias, large language model (LLM) hallucinations, and regulatory issues is emerging, often with broader protection than traditional policies.
However, expect high premiums and low limits, much like early cyber insurance. Insurers may also exclude losses from intentional AI misuse, standard software failures, and breaches not covered in existing policies. Exclusions for noncompliance with data privacy laws may also appear as regulations evolve.
Given the increasingly sophisticated nature of cyber and AI-related threats, the importance of cyber insurance cannot be overstated. AI creates unique vulnerabilities, from algorithmic decision-making errors to data privacy violations. Without adequate cyber insurance, businesses risk financial devastation and legal exposure in the event of AI system malfunctions or cybersecurity breaches.
Types of Cyber Insurance Coverage
Insurance policies generally provide two categories of coverage: first-party and third-party. With AI becoming integral to business processes, understanding these coverage types and how they apply to AI-specific risks is essential for selecting the right policies.
First-Party Coverage
First-party coverage addresses direct financial losses from a cyberattack or AI-related incident. An AI-related incident includes malfunctions, errors, or unforeseen consequences from AI systems, such as algorithmic biases, black box errors, security breaches, or data mishandling. As AI becomes integral to operations, these risks increase, potentially falling outside traditional insurance policies. Critical areas of coverage, often focusing on intangible losses like data breaches and cyber extortion and offering specialized services such as breach response and reputation management, include:
Data recovery: Covers the cost of recovering lost or compromised data after a cyber or AI-related incident.
Business interruption: Provides compensation for income lost due to a cyber event, such as a malfunctioning AI system that disrupts business operations.
Cyber extortion: Covers payments made in response to ransomware or AI-related extortion schemes.
Reputational harm: Addresses costs related to damage to your company’s reputation following a cyber or AI-related incident.
Notification costs: Pays for notifying affected individuals, clients, and regulators about a data breach or AI system failure.
Regulatory fines: Provides coverage for penalties imposed by regulatory bodies for noncompliance with data protection and AI-related laws.
Third-Party Coverage
Third-party coverage focuses on liabilities your business might face from external parties due to a cyber or AI-related incident. Areas it covers include:
Liability from data breaches: Protects against claims from customers or clients whose personal data was compromised by a security breach or AI malfunction that exposes data.
Network security failures: Provides coverage for claims arising from network security failures, including AI-related security failures, such as unauthorized access or data loss.
Privacy violations: Covers legal actions related to violations of privacy laws caused by mishandling sensitive data, including sensitive data mishandled in connection with AI systems.
The Cyber Insurance Procurement Process
Due to AI developments, securing the right cyber insurance policy has become more complex. Businesses must adopt a comprehensive approach that ensures their insurance policies cover both traditional cybersecurity threats and emerging AI-related liabilities.
Step 1: Assess Cybersecurity and AI Risks
Before pursuing a cyber insurance policy, it’s not just important to conduct a thorough risk assessment, particularly concerning AI usage; it’s essential. This assessment helps identify vulnerabilities in your information and AI systems and data protection strategies, ensuring your business is prepared for AI-related and traditional cyber threats. Being prepared with a thorough risk assessment can provide a sense of readiness in the face of these risks.
Step 2: Gather Information
Underwriters require detailed information about your business’s cybersecurity and AI protocols. Be prepared to provide details on the following:
existing cybersecurity and AI governance policies
security measures, such as multi-factor authentication and data encryption, as well as monitoring of AI systems
incident response plans that account for AI-related failures
records of employee training on both cybersecurity and AI risk management
Step 3: Compare Policies
When comparing policies, consider both traditional and AI-related risks. Key factors include:
Coverage limits: Ensure the policies provide adequate coverage for AI-related incidents, including algorithmic errors and business interruptions caused by AI.
Exclusions: Be mindful of exclusions related to AI, such as liability for black box errors, biased algorithms, or failures caused by poorly trained AI models.
Step 4: Negotiate Terms
Negotiating AI-specific terms is crucial to ensure your policy provides the necessary protection. Areas to negotiate include:
extending coverage to include AI-driven business interruption losses
ensuring the inclusion of legal costs related to AI-generated data breaches and privacy violations
clarifying what constitutes an “AI-related event” in the policy
Step 5: Understand Policy Exclusions and Limitations
With the rapid adoption of AI, businesses should pay particular attention to policy exclusions related to AI use. Standard exclusions might include:
Black box errors: Many policies exclude coverage for AI decisions that cannot be explained or justified.
Acts of war or terrorism: Some policies exclude cyberattacks involving AI systems attributed to state actors or terrorist organizations.
Preexisting conditions: Coverage may be denied for vulnerabilities or issues that existed before the policy’s inception.
Step 6: Regularly Review and Update Your Policy
Regularly reviewing and updating your business insurance policies as cyber risks and AI technology evolve ensures that your coverage remains adequate to address new AI-related dangers and vulnerabilities. AI systems are continuously improving; your insurance must keep pace with these changes.
Best Practices for Managing AI-Related Cybersecurity Risks
AI introduces significant new risks, from algorithmic biases to unforeseen system failures. However, strong governance and cybersecurity measures can minimize the likelihood of AI-related incidents. Here are several best practices to mitigate AI risks and improve cybersecurity posture:
Develop and implement a written information security program (WISP): Ensure your business has a comprehensive security program in place, as required by various regulatory frameworks, including the Gramm-Leach-Bliley Act and the Federal Trade Commission Red Flags Rule.
Implement strong governance and oversight policies for AI: Ensure your organization generally has a comprehensive AI risk management policy that includes regular risk assessments and mitigation strategies; in some instances AI policies specific to cybersecurity issues may be appropriate.
Implement strong access controls for data: Restrict access to sensitive data and ensure multifactor authentication is used to mitigate unauthorized access.
Monitor systems continuously: Continuous monitoring is essential to ensure cyber and AI systems function as designed and meet performance expectations.
Conduct regular cybersecurity audits: Regular audits of your systems and third-party vendors will help identify vulnerabilities before they are exploited.
Train employees on risk: Regularly educate employees on cybersecurity and AI-related risks, ensuring they have a sufficient understanding of how AI works and the potential vulnerabilities it introduces.
Test incident response plans: AI-driven incidents can be more complex than traditional cyberattacks. Regularly test your WISP and incident response plans to address traditional cyber threats and AI-specific failures.
Cyber insurance is crucial for managing cyberattack fallout, but with AI’s rise, all businesses must understand their insurance coverage and how they mitigate cyber and AI-specific risks. Businesses should consider AI-specific coverage, regularly review regulatory and risk management guidelines for their industry, especially those issued by regulators, and prepare for policy renewals by outlining their AI strategies, uses, and compliance measures. Understanding AI technology and articulating risk management is crucial in insurance negotiations. Thorough risk assessments, strong AI governance, and regular policy updates will mitigate cyber and AI risks in our complex digital world.
Today, technical, legal, and business risks associated with generative AI (GenAI) are widely publicized to most legal professionals. AI hallucinations, privacy issues, infringement of third-party intellectual property rights, possible antitrust issues, leak of confidential information, poisoning of training datasets, and theft of proprietary technology are just a few to name. However, the AI governance strategies of many US law firms either are still in a nascent stage of conceptualization or early implementation, or don’t exist at all. This article discusses key steps lawyers and law firms should consider to preserve confidentiality of client data as this always-important goal faces further challenges in the turbulent era of automation and GenAI.
While cybersecurity is increasingly a top priority of large and medium-sized law firms, the rise of AI has increased the incentives to obtain firms’ data, frequently by improper or illicit means. For instance, creating competitive and trustworthy LegalTech AI solutions requires high-quality training data—including sensitive, privileged, and confidential legal documents. Now, not only sophisticated cybercrime actors and malicious insiders, but also numerous technology startups and large tech vendors actively seek to get access to law firms’ data, albeit for different purposes.
In this context, the (oftentimes clandestine or stealthy) integration of GenAI into numerous platforms, tools, and technologies used by lawyers on a daily basis, and the potential for data exposure this poses, deserves special attention. Lawyers need to attend to the risks that arise when implementing new technology, and risks related to unauthorized information disclosure to legitimate third parties are widely unidentified or underestimated.
This year, July 29 was marked with the release of a long-awaited and much-needed ethics opinion from the American Bar Association on generative artificial intelligence tools, Formal Opinion 512. Section B of the Opinion’s discussion is dedicated to the duty of confidentiality, elaborating on the protection of prospective, current, and former clients’ data from unauthorized use and access both within and outside of a law firm. Several state and local bars have also released their own guidelines on use of GenAI in legal practice, many of which, like those of the California State Bar and the New York City Bar Association, similarly include significant discussion of confidentiality issues.
It is important to note that data risks are not limited to GenAI: Other types of architectures and AI models usually share the same or similar risks. High-quality training data is the precious fuel of any contemporary AI technology; without it, even the most powerful and wealthy AI tech giants will be technically unable to innovate. The legal industry is as affected by this as any other, with the mushrooming of AI-enabled legal software for both lawyers and nonlawyers, ranging from e-discovery triage tools and contract review assistants to more complex systems that may predict the outcome of a trial based on underlying facts and relevant case law. As a result, demand for legal data—including memos, briefs, lawsuits, motions, depositions, contracts and settlements—is surging amid modest supply.
Despite these challenges, a proper implementation of well-established and time-tested data protection best practices will address many AI-related risks and threats.
First, lawyers should bear in mind that even if their law firm does not use specific GenAI tools or solutions, their data—including work product and privileged and confidential client data—may be stealthily utilized by third parties for unauthorized or unexpected purposes, such as commercial large language model (LLM) training. (In simple terms, an LLM is the “brain” of GenAI technology, trained on huge amounts of human-created and other data.) Some vendors, desperate for high-quality AI training data, creatively update their terms of service by playing with semantics to make their terms as unsuspiciously broad or ambiguous as possible to eventually extrapolate the permitted use of customer data for training of proprietary LLM models. Less scrupulous vendors simply update their terms with immediate or even retroactive effect to allow use of customer data for AI training, and then send an unobtrusive notice to customers, for instance, concealed inside a monthly newsletter to distract attention from the perilous change.
Therefore, in the era of AI, it is indispensable to have a comprehensive and up-to-date inventory of technology vendors with access to law firm data and their current terms of service. Importantly, this list of vendors should also encompass the numerous online and software-as-a-service (SaaS) solutions the firm uses, spanning from Google Workspace, which is often favored by solo practitioners and small firms, to complex customer relationship management (CRM) or enterprise resource planning (ERP) platforms tailored for Big Law firms. Even tools like Google Translate or online grammar correction software, which can seem safe and innocent at first glance, may pose a hidden risk if used by law firm employees or external consultants, such as expert witnesses, to process legal or judicial documents, as their content may end up in a place where it should never be. To prevent such incidents, law firms should consider implementing and enforcing a written policy to address permitted use of their data, expressly prohibiting all tools and services that are not present in the list of authorized solutions.
Firm-wide data minimization, or limiting collection and retention of data to the minimum needed for a specific purpose, is arguably even more crucial to reduce a wide spectrum of cybersecurity and privacy risks, including those related to GenAI. If data does not exist, it simply cannot be misappropriated even in the case of the most sophisticated data breach or flagrant human error. Moreover, data minimization is the cornerstone of many emerging privacy laws and regulations. Data minimization is, however, virtually impossible without having a clear understanding of data inventory and data flows in the first place. Thus, the very first step is to document what data a law firm stores and processes, for what purposes, and where, and how that information can be captured in a corporate data management program. Once a firm’s data is mapped and underlying data flows are identified, data minimization can be thoroughly and thoughtfully implemented.
Data minimization strategies help ensure that all data necessary for business, as well as documents that must be preserved as a matter of law, will be duly safeguarded and readily available, while also enabling and facilitating secure deletion of obsolete or redundant data. Data minimization also drives operational costs down by optimizing data storage, processing, and backup bills. Additionally, any data that must be preserved but is not required in daily operations may be securely sent to so-called cold storage, from where it can later be retrieved if necessary. Cold storage facilities are remarkably cost-efficient and are usually beyond the reach of malicious insiders, disgruntled employees, or external cybercriminals. In sum, data minimization is a cybersecurity principle that has been known for decades, and it continues to be a potent tool to reliably address risks when interacting with emerging technology such as AI.
Another business-critical best practice to maintain data privacy is to establish separate data protection agreements with all external parties that may have access to a firm’s data, explicitly prohibiting any unauthorized use of the data. The agreement should have a conspicuous clause that in case of any conflict with clickwrap agreements or similar terms of service from a vendor, the agreement shall always prevail. Notably, data protection agreements are needed not only with those vendors that by design ingest a law firm’s data for storage or processing but with all vendors that may occasionally or tangentially have access to the data or any part of it. For instance, cybersecurity vendors that scan a firm’s laptops, servers, or emails for malware may legitimately send suspicious files to their cloud for further analysis unbeknownst to the law firm. Solo practitioners and boutique law firms, which typically cannot afford to invest many resources in a comprehensive vendor management program, may at least minimize their number of third-party data processing vendors and carefully review the terms of service of those that remain, as well as minimize or anonymize any data that they submit for external processing. Paradigmatically, legal professionals should remember that lack of time or budget is virtually never a valid excuse for breach of ethical or fiduciary duties related to use of AI or any other technologies.
Use of public cloud providers, such as Amazon Web Services (AWS) or Microsoft Azure, deserves a dedicated mention within the context of law firm cybersecurity. According to Gartner, through 2025, 99 percent of cloud security incidents will be the fault of the customer, caused by human error or misconfiguration of cloud services. Unsurprisingly, cybercriminals and unscrupulous data brokers vigorously go after misconfigured cloud storage to access exposed data without any hacking and sometimes, debatably, without even breaking the law. Such carelessly exposed data may be exploited for all imaginable and unimaginable nefarious purposes, including LLM training by unprincipled tech vendors or even sovereign states amid the global race for AI supremacy. To avoid falling victim to a cloud data breach, law firms should maintain a comprehensive inventory of their cloud-stored data and cloud resources and have those resources regularly tested by specialized cloud security providers for possible misconfigurations, vulnerabilities, and weaknesses.
Notably, all of the abovementioned challenges to data confidentiality also silently reside at law firms’ trusted third parties that have legitimate access to firms’ data under a proper data protection agreement. To illustrate this convoluted problem, consider a law firm with an affiliated law firm that uses a cloud backup service provider. Despite a properly implemented data protection agreement between the two law firms, the cloud provider may share, sell, or otherwise exploit the backup data unbeknownst to both law firms. Worse, this practice is not necessarily illegal: For example, the affiliated law firm could simply overlook a tiny clause in its contract with the vendor authorizing use of backup data for LLM training.
Because of the potential for data breaches via trusted third parties, law firms should consider implementing a comprehensive and risk-based third-party risk management (TPRM) program. One of the key purposes of a modern-day TPRM program is to assess, understand, and monitor how trusted third parties protect themselves and data in their possession. Whenever sharing sensitive data with third parties, preference will be given to entities with mature data protection and information security management programs. The strength of such programs can be evidenced and partially validated by conformity with global technical standards and frameworks like ISO 27001 or SOC 2. A truly robust TPRM program should, however, go beyond superficial examination of entities’ certifications, instead meticulously inspecting their risk catalogues and cybersecurity policies and procedures, as well as auditing their compliance with these policies, and regularly reviewing a list of security incidents (including those that may not reach the level of a reportable data breach) with documentation of their aftermath and the response by the third party. Holistic implementation of TPRM will not only help mitigate AI-specific risks but also reduce a broad spectrum of technical risks and threats stemming from more conventional IT tools and solutions.
Another class of high-frequency and high-impact data risk for law firms is human error while using AI. According to Verizon’s 2024 Data Breach Investigations Report, as many as 68 percent of data breaches involved a nonmalicious human error. The current situation in the realm of AI is analogous: Many legal professionals working in law firms are still unaware of the broad and continually growing spectrum of risks created in their office environment by AI technologies. For instance, a paralegal may see nothing wrong in submitting a highly confidential memo to an online chat for a quick spell-check, trying to produce an impeccable document. Likewise, a busy associate may innocently upload a confidential brief to an online platform to get a cogent summary of the brief, trying to accomplish long list of tasks in a timely manner. This is why it is crucial to create, promulgate, and enforce a firm-wide AI use policy, which would specify permitted and prohibited ways to utilize AI in the workplace. Last but not least, ongoing training on risks, threats, and benefits of AI can serve as a powerful enhancement of such policy, which otherwise may simply gather dust on a bookshelf.
Another GenAI-related concern is that even publicly accessible data may be misused by GenAI vendors or their suppliers of training data. Some law firms generously share their expert knowledge, unique know-how, and analytical insights on corporate websites and blogs, providing high-quality articles or presentations on recent developments in the law. For legal technology AI vendors, such data is gold. Obviously, few authors would consent to have their work ingested by an LLM to be later exploited as part of a commercial product without any compensation or credit to the original content creator. However, valuable data can be vacuumed from trustworthy websites without notice through the common method of data scraping. The author has elaborated elsewhere on techniques for investigating and proving unauthorized data scraping in court, but prevention tends to be a better solution than an after-the-fact response.
Reviewing a law firm website’s terms of use is a sound starting point, as increasingly AI vendors—partially due to better self-regulation and partially due to emerging AI legislation, namely the EU AI Act and US state laws on AI—are starting to pay attention to terms of service. With the exception of some “good bots” like Google, automated scanning and crawling of the firm’s website should be prohibited, expressly banning data scraping for AI training. It may also be a good idea to add a liquidated damages clause if enforceable under applicable law. Next, a modern anti-bot protection, such as Cloudflare or a comprehensive web application firewall (WAF), can help protect the website from being crawled by malicious automated bots while ensuring a smooth experience for human visitors.
To summarize, though law firms face substantial risks to their data as technology evolves, protection of a law firm’s data in the GenAI era is not rocket science. While many of the foregoing challenges are bolstered by the rise of GenAI, ongoing attention to data risk management best practices provides corresponding solutions. Law firms should consider implementing and continuously improving the following instruments discussed above as part of a comprehensive and firm-wide data protection program:
Data inventory program
Data minimization strategy
Third-party risk management policy (TPRM)
Inventory of third parties with access to firm’s data
Inventory of third-party terms of service and data protection agreements
This article is Part IV of the Musings on Contracts series by Glenn D. West, which explores the unique contract law issues the author has been contemplating, some focused on the specifics of M&A practice, and some just random.
A recent decision in the English High Court of Justice, BM Brazil I Fundo de Investimento em Participações Multistrategia v. Sibanye BM Brazil (Pty.) Ltd.,[1] is the latest judicial pronouncement by a common-law court on the meaning and effect of a material adverse effect (“MAE”) clause. In BM Brazil, Mr. Justice Butcher determined that a “geotechnical event” (basically a landslide), which occurred at a mine owned by the target company between the signing and closing of a Sale and Purchase Agreement (“SPA”), did not constitute an MAE permitting the buyer to terminate the SPA. And the MAE definition included in the SPA looked like it had been cut and pasted from a standard US acquisition agreement.
The Pattern of an MAE Definition
According to Professor Robert T. Miller, one of the oft-cited academics in MAE jurisprudence, including in BM Brazil,[2] almost all MAE definitions follow a similar pattern.[3] First, there is the “Base Definition,” which consists of (a) a listing of the “Underlying Predicate Events” (“events, acts, occurrences”), followed by (b) an “Expectation Metric” (“has, or would/could reasonably be expected to have”), followed by (c) an “Undefined Term” (“material adverse effect on”), followed by (d) the “MAE Objects” (“business, financial condition, results of operation”). Second, there is a list of “MAE Exceptions,” which eliminate the realization of certain generalized risks so that even if they occur and have a material adverse effect on the target, no MAE has occurred. And last, there is a “Disproportionality Exclusion,” which adds back to the MAE definition some or all of the MAE Exceptions to the extent that their occurrence has disproportionally caused harm to the target compared to a specified group of similarly situated companies.[4] The MAE definition under consideration in BM Brazil followed this common pattern.
Finding That an MAE Has Occurred Continues to Be a Rarity
That the judge determined that there had not been an MAE should surprise no one, even without knowing the facts. Judicial determinations that an MAE has occurred are exceedingly rare.
Indeed, in Delaware there has only been one such judicial determination, Akorn, Inc. v. Fresenius Kabi, AG.[5] In Akorn, Vice Chancellor Laster, in concluding that an MAE had occurred because of the “sudden and sustained drop in Akorn’s business performance,”[6] examined a number of metrics regarding the target’s performance following the signing of the merger agreement. This drop in performance was determined by making “period-to-period comparisons [that] . . . involved extremely large declines, with EBITDA always declining more than 50 percent.”[7]
Importantly, however, Vice Chancellor Laster separately concluded that an MAE-qualified “bring down” of a regulatory representation had also been breached where the cost of remediating the regulatory violation exceeded 20 percent of the target’s equity valuation. While that 20 percent did not necessarily establish a bright line, it has been viewed by many in the deal community that a 20 percent value decline is as good a benchmark of what will be deemed an MAE as any.[8]
The English Court Looks to Delaware Cases
Given the relative dearth of English cases discussing MAEs, Mr. Justice Butcher relied upon the more substantial body of cases from Delaware to guide his decision, taking a cue from a pandemic-era English MAE case, Travelport Ltd. v. WEX Inc.[9] In that case, Mrs. Justice Cockerill had noted that
[Delaware has a] better developed body of case law [on MAE clauses] . . . [and] to ignore the thinking of the leading forum for consideration of these clauses, a forum which is both sophisticated and a common law jurisdiction, would plainly be imprudent. . . . The same goes for the academic learning which is often cited in the Delaware Court.[10]
So, turning to that US authority, Mr. Justice Butcher looked first to the oft-quoted statement of then–Vice Chancellor Strine, in In re IBP, Inc. Shareholder’s Litigation,[11] as to the “strong showing” required to invoke an MAE termination condition:
[E]ven where a Material Adverse Effect condition is as broadly written as the one in the Merger Agreement, that provision is best read as a backstop protecting the acquiror from the occurrence of unknown events that substantially threaten the overall earnings potential of the target in a durationally-significant manner. A short-term hiccup in the earnings should not suffice; rather the Material Adverse Effect should be material when viewed from the longer-term perspective of a reasonable acquiror.[12]
Mr. Justice Butcher then took a trip through the other Delaware authorities that have addressed MAE conditions since IBP, quoting or paraphrasing these authorities for a number of different propositions, including the following:
“[D]efining a ‘Material Adverse Effect’ as a ‘material adverse effect’ [as nearly all MAE clauses do] is not especially helpful.’”[13]
Use of the word would in the phrase “would not reasonably be expected to have [an MAE]” suggests “a greater degree (although quantification is difficult) of likelihood than ‘could’ or ‘might,’ which would have suggested a stronger degree of speculation (or a lesser probability of adverse consequences[)].”[14]
“[T]he burden of proving that a MAE had occurred lay on the buyer, irrespective of the form in which the MAE clause was drafted (ie whether as a representation, warranty or condition to closing), absent clear wording to the contrary.”[15]
“There is no ‘bright-line test’ for evaluating whether an event has caused a material adverse effect. To assess whether a financial decline has had or would reasonably be expected to have a sufficiently material effect, this court will look to ‘whether there has been an adverse change to the target’s business that is consequential to the company’s long-term earnings power over a commercially reasonable period.’”[16]
Mr. Justice Butcher also noted that, while the US case decisions indicated that the determination of whether an MAE has occurred “has both quantitative and qualitative aspects,” he was inclined to the view (consistent with the view of Miller) that “if there is no significant impact in financial, or ‘quantitative’, terms on the Group Companies or their business, then it is difficult to see that such ‘qualitative’ matters could on their own mean that the ‘change, event or effect’ was ‘material and adverse’.”[17]
Finally, Mr. Justice Butcher also agreed with Miller that the numerous MAE Objects listed in an MAE definition are not necessarily measuring anything substantively different from each other—and the MAE Objects listed appear to all be simply measuring whether there has been an MAE on the target company.[18]
The Losses Arising from the Landslide Did Not Result in an MAE
Noting Vice Chancellor Laster’s suggestion that a 20 percent decline in equity value would be sufficient to constitute an MAE (without intending thereby to suggest that a “reduction in the equity value of the target of anything less than 20% would necessarily not have been material”), Mr. Justice Butcher agreed that “in the present case . . . a reduction in equity value of 20% or more would indeed be material, but that a somewhat lesser reduction might also be material.”[19] And he was inclined to view 15 percent as the right number for this case. But to cover his bases, he then viewed the evidence presented (expert testimony, for the most part) about the significance of the geotechnical event from the standpoint that even a 10 percent reduction might be sufficient.[20]
In reviewing the evidence, however, he concluded that even at this lower level, no MAE had occurred (it would appear that credible expert testimony is critical in these cases, as well as establishing that invoking the MAE clause has not simply been a means to get out of a deal that has not fared as well as one might have hoped[21]).
A Preexisting Condition Is Not a “Change, Event or Effect”
There have been a number of recent MAE decisions that have focused less on the Base Definition and more on the existence of MAE Exceptions and whether the Disproportionality Exclusion applied.[22] And those decisions have raised questions about how the wording of the lead-in to the MAE Exceptions, which includes “arising from or related to,” may expand the exceptions to include unexcepted matters.[23] Those issues did not figure prominently in Mr. Justice Butcher’s decision in BM Brazil, so I will not delve into those matters here but simply refer the reader to footnote 23.
But one of the more interesting aspects of the BM Brazil decision was Mr. Justice Butcher’s discussion of whether a material adverse condition that is “revealed” as the result of a change, event, or effect after signing and before closing, but that in fact existed prior to signing (even though it was unknown), could constitute an MAE. One of the contentions made by the sellers was that the buyers were including in the material adverse effects of the geotechnical event not just the direct effects of the geotechnical event but also the alleged problems with the “underlying geology” that had been revealed by the geotechnical event. According to the sellers, any problems and costs associated with the underlying geology that had been revealed by the geotechnical event could not be included in any determination of whether an MAE had occurred—only the direct effects of the geotechnical event itself could be included. Mr. Justice Butcher agreed with the sellers on this point, even though he went on to decide the case as if everything were included. Regardless, I think this revelatory issue needs to be thought about more.
The argument that Mr. Justice Butcher was persuaded was correct was as follows:
The Claimants emphasised that the terms of the MAE definition looked to whether the “change, event or effect” itself “is or would reasonably be expected to be material and adverse”. They argued that, unlike the exceptions part of the MAE definition, the general part does not direct any enquiry into the causes of the relevant “change, event or effect”; rather that part directs enquiry to, and only to, the characteristics of the relevant “change, event or effect” itself: is it material and adverse? It would be an abuse of language to say that a “change, event or effect” occurring between signing and closing was “material and adverse” because it reveals some other problem or issue. And further, to construe the clause as meaning that revelatory events may be MAEs would enable the temporal requirement of the clause to be circumvented, in that it would allow a party to identify a relevant “change, event or effect” within the period between signing and closing even though the problem or issue predated the contract, and would or could have been picked up by the buyer’s due diligence, and the risk of which will have been assumed by the seller to the extent of the representations and warranties given, but which are otherwise for the buyer’s account. In the present case, the Claimants pointed out, the representations and warranties in Article 3 of the SPAs are exhaustive and do not include any relating to the geotechnical situation at, or the suitability of the mine design of, the Santa Rita Mine, or any general representations or warranties about the costs of, or operations at, the Mine.[24]
In other words, an MAE condition cannot save you from the failure to obtain a representation and warranty about any existing issue—MAEs focus on future occurrences, not existing facts. In this case, the underlying geological condition “had existed for millennia.”[25] And “[n]o ‘change, event or effect’ had occurred in [that underlying geological condition] by the happening of the [geotechnical event—i.e., the landslide].”[26]
One could imagine a situation where there is a boiler explosion that causes damages to a manufacturing plant after signing and before closing. But assume that those damages are insufficient in themselves to constitute an MAE. Nevertheless, assume that in reviewing the damages caused by the explosion, the buyer discovers other, more serious issues that relate to the plant’s equipment and the costs of deferred maintenance, etc. Can those costs be included in assessing whether there has been an MAE? Probably not.
According to Mr. Justice Butcher, Underlying Predicate Events in the Base Definition of MAE focus on what happened, not on what caused it to happen or the reason it happened. There is nothing in a typical MAE clause that would actually expand an Underlying Predicate Event such that it would include some preexisting condition that may have actually caused it (or is likely to cause future similar events) to occur.
See Robert T. Miller, A New Theory of Material Adverse Effects, 76 Bus. Law. 749 (2021). ↑
This familiar pattern has previously been likened to the consistent ingredients of a McDonald’s “Big Mac.” See Glenn D. West & S. Scott Parel, Revisiting Material Adverse Change Clauses, Corp. Couns. Bus. J. (Sept. 1, 2006). ↑
BM Brazil I Fundo de Investimento em Participações Multistrategia v. Sibanye BM Brazil (Pty.) Ltd., [2024] EWHC 2566 (Comm), at para. 196 (quoting Frontier Oil Corp. v. Holly Corp.). ↑
See Akorn, Inc. v. Fresenius Kabi, AG, No. 2018-0300-JTL, 2018 WL 4719347, at *3 (Del. Ch. Oct. 1, 2018). (“In prior cases, this court has correctly criticized buyers who agreed to acquisitions, only to have second thoughts after cyclical trends or industrywide effects negatively impacted their own businesses, and who then filed litigation in an effort to escape their agreements without consulting with the sellers. In these cases, the buyers claimed that the sellers had suffered contractually defined material adverse effects under circumstances where the buyers themselves did not seem to believe their assertions.”). ↑
This article is Part III of the Musings on Contracts series by Glenn D. West, which explores the unique contract law issues the author has been contemplating, some focused on the specifics of M&A practice, and some just random.
Somewhere in Scotland is the “Sheriffdom of South Strathclyde, Dumfries and Galloway.” And the sheriff (basically the same as a lower-court judge in the United States) of the Hamilton Sheriff Court in that sheriffdom recently issued a decision, Screwfix Direct Ltd. v. Paterson,[1] that caught my attention.[2] Although from an obscure (at least to me) court in Scotland, the case is based on traditional common-law principles that apply in the United States with regard to personal liability for entity-specific contracts. Corporate lawyers, whose clients regularly have deal professionals individually sign documents on behalf of limited liability entities, might want to pay attention.
Personal Liability in Screwfix
The dispute in Screwfix involved the efforts of a building materials supplier to collect overdue sums owed from one of its customers pursuant to a Trade Accounts Card Agreement between the supplier and the customer (“Agreement”). The supplier was Screwfix Direct Limited, trading under the name “Trade UK.” The customer was Paterson Restoration Limited (“Company”). James Paterson was a director and shareholder of the Company. Paterson signed the Agreement on behalf of the Company as its “director.” The Agreement seems to have been a standard form, and it stated that if the person opening the account was a limited company, “the form must be signed by a director.”[3]
But paragraph f of the Agreement contained the following statement: “I, the director, agree to guarantee performance of all the company’s current and future financial obligations to Trade UK, including any subsequent increase/s in credit limit.”[4] The Company subsequently became insolvent and was wound up. Trade UK, the supplier, then sought to recover all past due sums from Paterson personally pursuant to paragraph f.
Paterson only signed the Agreement once, as a director of the Company, and he clearly bound the Company as the named account holder to the Agreement. He did not sign separately to bind himself personally as a guarantor of the Agreement between Trade UK and the Company, and he was not a named party individually. So, Paterson defended the action brought by Trade UK on the basis that “the provision did not impose personal liability upon him as an individual [because] [h]e signed the Agreement solely in his capacity as a director and as such was committing only the company to the performance under the agreement.”[5]
But Trade UK countered that paragraph f only made sense if Paterson were making a personal commitment because Paterson had already bound the Company without paragraph f, simply by signing on behalf of the Company as its director. Indeed, in paragraph c of the Agreement, Paterson had stated that he was “authorised to bind the account holder to this agreement by signing it.”[6]
The sheriff agreed with Trade UK (citing Scottish cases in support) and rendered judgment in Trade UK’s favor against Paterson.
Does this seem fair to you? While the use of the personal pronoun “I” was clearly problematic, Paterson was not a party to the Agreement, only the Company was—so, in a sense, the only “I” or “you” was the Company. And Paterson signed only on behalf of the Company, as its director, not personally.
US Jurisdictions
Would this result occur in New York, Texas, or some other US state?
Well, let’s see. On very similar facts, Texas courts have repeatedly held that an officer signing on behalf of a corporate party to a contract can make themselves personally liable for the corporation’s obligation if there is language in the contract making the corporate signatory liable.[7] “The fact that a person is under an agency relation to another which is disclosed does not prevent him from becoming personally liable where the terms of the contract clearly establish the personal obligation.”[8] And sometimes that language is not as clear-cut as the “guarantee” language that was present in Screwfix. Simple statements such as “the undersigned agrees to personally pay” may be deemed sufficient.
That people signing in a corporate capacity could unwittingly be committing themselves to personal liability should make us all pause. So too should the reality that most of the time these are agreements that the corporate officers of our clients are signing without any real review.
New York has a more nuanced approach to these issues.
In Salzman Sign Co. v. Beck,[9] the New York Court of Appeals refused to hold a corporate officer personally liable for the obligations of his corporate principal where he signed the agreement only in his corporate capacity. And this was despite the fact that the agreement, similar to the contract at issue in Screwfix, stated specifically that “[w]here the Purchaser is a corporation, in consideration of extending credit to it, the officer or officers signing on behalf of such corporation, hereby personally guarantee the payments hereinabove provided for.”[10]
The court refused to find that language sufficient to make the corporate officer personally liable because
[i]n modern times most commercial business is done between corporations, everyone in business knows that an individual stockholder or officer is not liable for his corporation’s engagements unless he signs individually, and where individual responsibility is demanded the nearly universal practice is that the officer signs twice—once as an officer and again as an individual. There is great danger in allowing a single sentence in a long contract to bind individually a person who signs only as a corporate officer. In many situations the signing officer holds little or no stock and if the language of the agreement makes him individually liable his estate may be stuck for a very large obligation which he never dreamed of assuming. We think the better rule is the one used here—that is, that the statement in the contract purporting to bind the signing officer individually is not sufficient for Statute of Frauds purposes without some direct and explicit evidence of actual intent.[11]
A federal court, considering liability of a signatory to a letter agreement, has described New York law on this issue as follows (case citations omitted):
Under New York law, an agent who signs an agreement on behalf of a disclosed principal will not be individually bound to the terms of the agreement “unless there is clear and explicit evidence of the agent’s intention to substitute or superadd his personal liability for, or to, that of his principal.” In assessing whether a signatory intended to be individually bound, the following five factors (the “Lollo factors”) should be examined: “length of the contract, the location of the liability provision(s) in relation to the signature line, the presence of the signatory’s name in the agreement itself, the nature of the negotiations leading to the contract, and the signatory’s role in the corporation.” In addition to these factors, the most obvious indicator of the signatory’s intent is the signature’s form. “‘[W]here individual responsibility is demanded the nearly universal practice is that the officer signs twice—once as an officer and again as an individual.’”[12]
Finding Where the Line Is Drawn
New York is basically looking for more clear intent to be personally liable than Texas and some other jurisdictions. Even in Scotland, it appears that if the guarantee or personal undertaking language is not in the main body of the agreement, but rather in a set of separate terms and conditions incorporated by reference, the courts are inclined to refuse to find the necessary intent to be personally bound.[13] And England long ago appears to have recognized that if one buries onerous terms in a lengthy form agreement, without highlighting those onerous terms to the person sought to be bound to them, they may well be held unenforceable: “a logical development of the common law into modern conditions [is] that . . . if one condition in a set of printed conditions is particularly onerous or unusual, the party seeking to enforce it must show that that particular condition was fairly brought to the attention of the other party.”[14]
But it is far from clear where the line is to be drawn, even in the more nuanced approach offered by New York. There are plenty of decisions from other jurisdictions holding corporate officers personally liable for their company’s agreements on facts similar to Screwfix.[15] And those corporate officers are, many times, just that—employed company officers, not owners of the enterprise. The fact remains that representatives signing contracts on behalf of limited liability entities must do more than merely ensure that they only sign in a representative capacity; they must also ensure that there is not any language in that agreement making them personally liable for the entity’s obligations based on that representative signature. Our private equity deal professionals, who sometimes become officers of portfolio companies, should be aware and act accordingly.
Ensuring (Hopefully!) a Signature Only in a Representative Capacity
While we are on the subject, let’s take a quick quiz on the correct manner of clearly indicating that you are signing only in your representative capacity on behalf of a limited liability entity.
Assume that a contract named a limited liability entity (“Private Equity LLC”) as the party and then an authorized representative of Private Equity LLC (“Sarah Deal Professional”) signed the contract with the following signature line:
_____________________________ Sarah Deal Professional President, Private Equity LLC
True or False: This signature line clearly indicates that Sarah Deal Professional was only signing in her capacity as president of Private Equity LLC, and not individually?
If you answered “True,” thanks for playing, but the case law appears to lean decidedly in favor of this being false. Many cases would find that the language under the name Sarah Deal Professional that indicates she is president of Private Equity LLC is merely descriptio personae, a Latin phrase that simply means that the words “President, Private Equity LLC” only indicate who Sarah is but do not limit the capacity in which she signed. As a result, such a signature has been deemed sufficient to impose personal liability on the signatory, even without guarantee language like that at issue in Screwfix.[16]
The best practice, therefore, is to always follow these guidelines:
The signature itself represents a clear indication that the signator is acting as an agent if: (1) the name of the principal is disclosed, (2) the signature is preceded by words of agency such as “by” or “per” or “on behalf of,” and (3) the signature is followed by the title which represents the capacity in which the signator is executing the document, e.g., “Pres.” or “V.P.” or “Agent.”[17]
Thus, use the traditional formulation:
Private Equity LLC By: _________________________ Name: Sarah Deal Professional Title: President
But again, even this formulation may not save you from the Screwfix issue if there is language in the agreement making the entity representative personally liable—this formulation only works to avoid personal liability being imposed on those who simply fail to clearly indicate their limited capacity.[18]
And finally, please ensure that the officers and deal professionals signing documents on behalf of limited liability entities use the full legal name of the limited liability entity as the named party, both in the body of the contract and in the signature line. Note that one of the rules of limiting liability for an agent acting on behalf of a limited liability principal is that the name of the principal has to be identified. If the limited liability entity operates divisions, or has an assumed name, contracts are often entered into in the name of those divisions or under that assumed name. Many cases have held that naming a division or trade name as the party, rather than the entity itself, using its actual legal name, is a failure to disclose the principal. As a result, the officer signing on behalf of that division or in that assumed name may incur personal liability.[19]
As noted by one Texas court:
Regarding the liability on corporate contracts, officers of corporations are in the same position as agents of private individuals. That is, as is true of agents generally, officers of a corporation are not personally liable on the corporation’s contracts if they do not purport to bind themselves individually, they disclose their representative capacity, and they identify their principal. Even if Burris had filed an assumed name certificate with the Secretary of State and had filed a new assumed name certificate with the clerk of Travis County indicating Burris & Inscore Construction, Inc. was doing business as “B & S Construction, Inc.,” that would be immaterial to his personal liability because an agent has the duty to disclose the name of his principal, not just the principal’s assumed or trade name.[20]
See, e.g., Lachmann v. Hous. Chron. Publ’g Co., 375 S.W.2d 783 (Tex. Civ. App. Austin 1964) (writ ref’d n.r.e.); Empire Off. Machs., Inc. v. Aspen Trails Assocs. LLC, 322 P.3d 424 (Mont. 2014); Bou-Matic LLC v. Legg, 843 N.W.2d 710 (Wis. Ct. App. 2014). ↑
A to Z Rental Ctr. v. Burris, 714 S.W.2d 433, 437 (Tex. App. Austin 1986) (writ ref’d n.r.e.); see alsoRestatement (Third) of Agency § 6.02 cmt. d (Am L. Inst. 2006) (noting that “an agent’s use of a trade name, which may be traced to its registered user through a search of public filings is not sufficient to disclose the principal’s identity”). But see TicketNetwork, Inc. v. Darbouze, 133 F. Supp. 3d 442, 453 (D. Conn. 2015) (“Because Charged.fm was the registered assumed name of a corporation, Plot Commerce, TicketNetwork had constructive notice that the principal with which it was dealing . . . was Plot Commerce. Accordingly, Mr. Darbouze cannot be held personally liable on the contract he signed, because he contracted on behalf of a disclosed corporation.”). ↑
On April 5, 2024, the ABA Business Law Section’s Corporate Laws Committee approved amendments to Section 2.02 of the Model Business Corporation Act (the “MBCA”) that permit a corporation to include in its articles of incorporation a provision limiting or eliminating the monetary liability of certain corporate officers.[1] Prior to the amendments, the articles of incorporation could only provide exculpatory protection to directors. As discussed in this article, the officer exculpation now permitted under Section 2.02 is similar to the director exculpation already authorized by that section. New to the MBCA is a definition of the “officers” that may be exculpated. In defining “officer,” the amendments reinforce freedom of contract principles by providing a default list of the “officers” who may be exculpated while also allowing corporations to expand or contract that definition as needed.
Similar in nature to Delaware’s officer exculpation statute, the MBCA’s amendments provide a complementary template for jurisdictions that are considering amending their corporate code to provide exculpatory protection to officers.
Background
For over three decades, the MBCA has authorized corporations to include a provision in their articles of incorporation that limits or eliminates, with certain exceptions, the monetary liability of directors to the corporation and its shareholders.[2] Commonly referred to as an exculpatory provision, this provision has protected directors from personal liability for monetary damages for breaches of the duty of care. Today, all states provide for some form of director exculpation in their corporate code. These statutes follow three different approaches—charter option statutes, self-executing statutes, and cap on money damages statutes—or some combination thereof.[3] Section 2.02(b)(4) of the MBCA is a charter option statute, which permits corporations to adopt a charter provision that now provides for the exculpation of both directors and designated officers.[4]
At the time director exculpation statutes were initially being adopted, limiting the liability of directors was viewed as vital to addressing a perceived director shortage resulting from the D&O insurance crisis and the Delaware Supreme Court’s groundbreaking decision in Smith v. Van Gorkom.[5] Similar protection for officers, on the other hand, was generally viewed as unnecessary, and their inclusion in exculpation amendments was ultimately rejected in most states.[6] Until recently, the topic of officer exculpation has remained largely dormant. Several recent developments surrounding officer liability, however, have led to renewed interest in exculpating senior management in a manner similar to that which exists for directors. First, Delaware amended its long-arm statute in 2003 to cover senior executive officers of Delaware corporations.[7] Second, the Delaware Supreme Court, in its 2009 Gantler v. Stephens decision, held that officers owe the same fiduciary duties as directors.[8] Finally, in response to several opinions from the Delaware courts clarifying the ability of shareholders to challenge merger transactions, officers are being named as defendants in M&A litigation with increasing frequency.[9] Due to the lack of exculpatory protection, disclosure claims against officers in these lawsuits were allowed to survive while those same claims against corporate directors were dismissed based on exculpation provisions in the charter.[10] In response to those developments, the Delaware legislature amended its corporate code in 2022 to permit exculpation of certain senior executive officers. Under the amendments, exculpated officers largely enjoy the same protection as directors with the exception that officers cannot be exculpated from derivative claims or claims brought by the corporation.[11]
As was the case with the adoption of director exculpation, the Corporate Laws Committee watched these developments and considered whether, and how, to amend the MBCA to provide for officer exculpation.[12] Earlier this year, the Committee adopted amendments to Section 2.02 permitting the articles of incorporation to include a provision exculpating certain officers.
The MBCA Amendments
As amended, Section 2.02(b)(4) authorizes a provision to be included in the articles of incorporation that limits or eliminates monetary liability for specified officers. In general, the protection afforded to officers under a Section 2.02 exculpation provision is similar to that which the MBCA already allows for directors. Like directors, officers may not be relieved of personal liability for (i) financial benefits received to which the officer is not entitled; (ii) any act or omission that intentionally inflicts harm on the corporation or its shareholders; or (iii) any act or omission that is an intentional violation of criminal law. In addition to these carve-outs, officers (but not directors) may not be exculpated for any claim by or in the right of the corporation (e.g., derivative proceedings). Essentially, under the amendments, a provision in the articles of incorporation may exculpate certain officers for breaches of the duty of care in direct claims brought by shareholders (which includes class actions), but not for claims brought by the corporation or in a shareholder derivative proceeding.
In connection with the exculpation amendments, a new subsection (f) was added to Section 2.02 that defines “officer.” This new definition applies only to the use of “officer” in Section 2.02(b)(4)’s exculpation and not to the use of “officer” elsewhere in the MBCA.[13] The definition has three components to it. First, subsection (f) provides a statutory list of executive officers who are covered by default in an exculpatory provision: chief executive officer, president, chief operating officer, chief financial officer, chief legal officer, secretary, controller, treasurer, and chief accounting officer.[14] Second, consistent with freedom of contract principles, subsection (f) allows the articles of incorporation to expand or contract the default list of enumerated officers or specify a procedure for doing so.[15] Third, unless otherwise provided in the articles of incorporation, the board of directors may, by way of resolution, exculpate other officers beyond those listed in the articles. The board may not, however, alter the exculpatory protection provided to the officers listed in the articles without amending that document. Thus, the MBCA allows a board of directors to tailor the definition of “officers” for exculpatory purposes to the specific needs of the corporation as they may vary from time to time, unlike the Delaware statute which defines the term “officer” in the statute itself.
Comparison to Delaware
The MBCA and Delaware’s General Corporation Law serve as the two principal blueprints for state corporate codes. In the case of officer exculpation, Delaware amended its statute two years prior to the final adoption of the MBCA’s amendments. Overall, Delaware and the MBCA provide similar exculpation protection to officers. One particular area of divergence, however, is the exact language used for the carve-outs for nonexculpable liability.[16] Identical to the carve-outs for director exculpation, the MBCA’s language provides greater clarity than that of the Delaware statute through its use of more concrete and narrower exclusions. For example, contrary to Delaware’s statute, the MBCA’s exclusions avoid references to the “duty of loyalty” and “good faith” as bases for exclusion from exculpation, instead excluding “intentional infliction[s] of harm on the corporation or the shareholders” and “intentional violation[s] of criminal law.”[17] Likewise, the MBCA carves out a narrower set of “financial benefits” to which a director or officer is not entitled, as opposed to Delaware’s “improper personal benefit.”[18]
Another difference in the two statutes relates to the definition of the “officers” who can be exculpated. Delaware’s statute relies upon the definition of “officer” found in its long-arm statute[19] while the MBCA has its own definition in the statute. Both Delaware and the MBCA identify the same list of executive officers to be included in the definition of “officer.” After the initial enumerated list of executive officers, Delaware looks to Securities and Exchange Commission filings and an individual’s consent to jurisdiction as the criteria for determining who is an “officer.”[20] The MBCA, on the other hand, provides corporations with more flexibility to individually tailor inclusion in the “officer” definition through specific enumeration in the articles of incorporation or, alternatively, by a board resolution. By authorizing officer exculpation by a board resolution, the MBCA’s definition allows a board to be nimble in addressing officer exculpation on a case-by-case basis, when and if the need arises, without having to pursue the formal process of amending the corporation’s articles.
Officer Exculpation Trends
Corporate Charter Amendment Trends
Under both the MBCA and the Delaware amendments, an exculpation provision for officers must be set forth in the corporation’s charter. For existing corporations this means amending the charter through a statutorily required process that includes approval of the amendment by the board and the shareholders.[21] For publicly traded corporations this also means satisfying federal securities laws requirements such as disclosures in a proxy statement. While the MBCA’s amendments are too new to have been adopted in more than one MBCA jurisdiction and thus there are no statistics for corporate adoptions in those states, there is a growing body of data on adoption rates by Delaware corporations.
Since Delaware’s adoption of its officer exculpation amendments, there has been a modest, but continually growing, number of public companies that have amended their charters. Overall, commentators have observed that these amendments are being approved by shareholders, with only a handful of proposed officer exculpation amendments failing due to shareholder turnout and a two-thirds supermajority vote standard for approval.[22] To date, most of the officer exculpation amendments have been proposed at small-cap companies (under $2 billion market cap) and mid-cap companies ($2–$10 billion market cap).[23] Commentators predict an increase in the number of large-cap companies (over $10 billion market cap) and dual class companies proposing officer exculpation amendments to their charters moving forward in light of three developments: (i) the clarification by Delaware courts that such amendments do not require a separate class vote of nonvoting shares for approval;[24] (ii) the relative success in approving these amendments at smaller companies;[25] and (iii) the limited impact that negative proxy advisor recommendations have had on the approval of such amendments.[26]
State Statute Adoption Trends
Prior to Delaware’s amendment of its corporate code to provide for officer exculpation, only seven states had such a statutory provision.[27] Around the same time that Delaware adopted its amendments, Pennsylvania amended its corporate statute to limit officer liability.[28] Since that time, a number of additional states have amended or are considering amending their corporate codes to provide for officer exculpation. Both Oklahoma and Alabama have recently adopted officer exculpation amendments. The Oklahoma amendments are nearly identical to the language in Delaware’s statute[29] while Alabama, which is an MBCA state, has adopted an amendment that is based on the MBCA language.[30] As of the writing of this article, it remains to be seen how quickly other states will amend their corporate statutes to provide for officer exculpation as well as whether the MBCA’s or Delaware’s statutory language will serve as the prevailing model.[31] Nevertheless, the adoption of the MBCA amendments as well as the increasing frequency and success of Delaware corporations in adopting officer exculpation charter amendments will likely spur calls for more jurisdictions to consider such changes.
A version of this article originally appeared in the Summer 2024 issue of the MBCA Newsletter, the newsletter of the ABA Business Law Section’s Corporate Laws Committee, under the title “Amendments to the Model Business Corporation Act Permitting Officer Exculpation.” Read the full issue and previous issues at the Corporate Laws Committee’s Model Business Corporation Act Resource Center.
The views expressed in this article are solely those of the author and not the University of Oklahoma College of Law. No legal advice is being given in this article.
SeeModel Bus. Corp. Act § 2.04(b)(4) (1990); Corporate Laws Comm., Changes in the Revised Model Business Corporation Act—Amendment Pertaining to the Liability of Directors, 45 Bus. Law. 695 (1990) (notice of approval on second reading). The director liability amendments were approved by the Corporate Laws Committee on the third and final reading on June 16, 1990. Corporate Laws Comm., Changes in the Revised Model Business Corporation Act—Amendment Pertaining to Liability of Directors, 46 Bus. Law. 319 (1990). ↑
See Corporate Laws Comm., 45 Bus. Law. at 696 (1990). ↑
Delaware’s approach to director exculpation is also a charter option statute. Thirty-one states have adopted the charter option approach to exculpation. See Bryn R. Vaaler, 2.02(b)(4) or Not 2.02(b)(4): That Is the Question, 74 Law & Contemp. Probs. 79, 82 n.19 (2011). ↑
488 A.2d 858 (Del. 1985). See John Mark Zeberkiewicz & Robert B. Greco, Amendments to the DGCL Permit Officer Exculpation, 36 Insights, no. 10, Oct. 2022, at 3. ↑
It is clear that the decision to omit officers from early exculpation statutes was a deliberate one in Delaware and the MBCA. SeeLewis S. Black, Jr. & A. Gilchrist Sparks, III, Analysis of the 1986 Amendments to the Delaware Corporation Law 312 (1986) (explaining the rationale for the exclusion of officers in the adoption of Section 102(b)(7)); Corporate Laws Comm., 45 Bus. Law. at 700 (1990) (explaining the rationale for the decision to omit officers from the MBCA’s original exculpation provision). It is less clear, however, that other jurisdictions approached the officer liability level of analysis when adopting their director exculpation statutes. See Dennis R. Honabach, Smith v. Van Gorkom:Managerial Liability and Exculpatory Clauses—A Proposal to Fill the Gap of the Missing Officer Protection, 45 Washburn L.J. 307 (2006). ↑
See 10 Del. C. § 3114 (2003); Del. Div. of Corps., Amendments to Corporate Law 2003 (June 30, 2003) (describing the rationale for the amendment). ↑
See Zeberkiewicz & Greco, supra note 5 (summarizing the case law developments that led to the officer exculpation amendments). ↑
See, e.g., Morrison v. Berry, 2019 WL 7369431 (Del. Ch. Dec. 31, 2019). In Morrison the court noted that while the disclosure claims against the officers survived a motion to dismiss, an ultimate finding of liability for breach of the duty of care in making the disclosures would be unlikely. Id. at *24. ↑
See James J. Hanks, Jr. & Larry P. Scriggins, Protecting Directors and Officers from Liability–the Influence of the Model Business Corporation Act, 56 Bus. Law. 3, 25 (2000) (describing the history of the MBCA’s director exculpation statute). ↑
In addition, “[t]he use of ‘chief’ in the enumerated list of officers is intended to capture the principal officer, appointed or elected in accordance with section 8.40, performing the functions of such office irrespective of that officer’s title.” Id. ↑
The ability to expand or contract the statutory default list of officers by a provision in the articles is implied in the language of subsection (f)—“unless the articles of incorporation otherwise provide.”Model Bus. Corp. Act § 2.02 (2024). The Official Comment to Section 2.02 confirms this reading of the statute. Seeid. at cmt 3.E. (“That definition includes any individual identified in the enumerated list of officers, although the articles of incorporation may expand or contract this list or specify a procedure for doing so.”). ↑
For a comparison of the language in the MBCA’s and Delaware’s exculpation statutes, see the Model Bus. Corp. Act Ann., § 2.02, at 2-29 to 2-30 (5th ed. 2020); Vaaler, supra note 4, at 82–83. ↑
SeeModel Bus. Corp. Act § 2.02, cmt I. (2013); Vaaler, supra note 4, at 83; Hanks & Scriggins, supra note 12, at 28 (“By focusing on receipt of an improper financial benefit and intentional infliction of harm, section 2.02(b)(4) avoids many of the interpretive questions surrounding the definition of a breach of the duty of loyalty.”). ↑
SeeModel Bus. Corp. Act § 2.02, cmt 3.E. (2024) (stating that the “benefit must be financial rather than in less easily measured and more conjectural forms, such as business goodwill, personal reputation, or social ingratiation.”). ↑
See 8 Del. C. § 102(b)(7) (2022) (“All references in this paragraph (b)(7) to an officer shall mean only a person who at the time of an act or omission as to which liability is asserted is deemed to have consented to service by the delivery of process to the registered agent of the corporation pursuant to § 3114(b) of Title 10 (for purposes of this sentence only, treating residents of this State as if they were nonresidents to apply § 3114(b) of Title 10 to this sentence.”); 10 Del. C. § 3114(b) (defining “officer” as “an officer of the corporation who (1) [i]s or was the president, chief executive officer, chief operating officer, chief financial officer, chief legal officer, controller, treasurer or chief accounting officer of the corporation at any time during the course of conduct alleged in the action or proceeding to be wrongful; (2) [i]s or was identified in the corporation’s public filings with the United States Securities and Exchange Commission because such person is or was 1 of the most highly compensated executive officers of the corporation at any time during the course of conduct alleged in the action or proceeding to be wrongful; or (3) [h]as, by written agreement with the corporation, consented to be identified as an officer for purposes of this section.”). ↑
See 8 Del. C. § 242(b); Model Bus. Corp. Act § 10.03 (2024). For companies that are contemplating going public, these entities can incorporate an officer exculpation provision in the amended charter adopted in connection with the IPO or spin-off transaction. ↑
See Andrew J. Noreuil et al., Recent Developments in Delaware Officer Exculpation Charter Amendments, Mayer Brown Alert (Feb. 6, 2024) (reporting proposal and adoption rates as of the end of January 2024 for Delaware public companies included in any of the major indices). See also Douglas K. Schnell & Daniyal Iqbal, Lessons from the 2023 Proxy Season: Advance Notice Bylaws and Officer Exculpation, Harv. L. Sch. F. on Corp. Governance (Sept. 5, 2023) (reporting on proposal and adoption rates as of July 24, 2023, for Delaware technology companies in the Lonegan Silicon Valley 150); Melissa Sawyer et al., Lessons from the 2023 Proxy Season, Sullivan & Cromwell Alert (Sept. 14, 2023) (reporting on proposal and adoption rates for meetings through H1 2023 at U.S. public companies). ↑
Id. See generally, Glass, Lewis & Co., United States 2024 Benchmark Policy Guidelines at 75 (recommending voting against proposals eliminating monetary liability for certain officers, unless compelling rationale for the adoption is provided by the board, and the provision is reasonable); Institutional Shareholder Services, United States Proxy Voting Guidelines, Benchmark Policy Recommendations at 25 (January 2024) (recommending a case-by-case consideration of the stated rationale and identifying a number of factors to be considered). ↑
Those states are Louisiana, Maryland, Nevada, New Hampshire, New Jersey, Utah, and Virginia. In its Principles of Corporate Governance, the American Law Institute also recommended allowing a corporation’s charter to exculpate a director or officer. SeePrinciples of Corporate Governance: Analysis and Recommendations §§ 7.19-7.20 (1994). ↑
See 15 Pa. Cons. Stat. § 1735 (amended on November 3, 2022; effective January 2, 2023). The Pennsylvania statute differs in several aspects from the Delaware exculpation provision (e.g., the limitation on liability in Pennsylvania can be in a shareholder-adopted bylaw as opposed to the charter). ↑
See 2024 Okla. Sess. Law Serv. Ch. 120, Section 10 (S.B. 620) (2024). The Oklahoma amendments differ from Delaware and the MBCA in that they do not define “officer” for purposes of the exculpation statute. ↑
SeeAla. Code § 10A- 2A-2.02 (amended May 17, 2024, effective Aug. 1, 2024). ↑
See Vaaler, supra note 4, at 82 (describing adoption trends for director exculpation statutes). Of note, thirty-six jurisdictions have corporate codes based on the MBCA, and it is reasonable to expect that they will adopt the MBCA’s officer exculpation language as they update their corporation codes over time. ↑
This article describes recent Delaware decisions that are relevant to the Model Business Corporation Act (the “MBCA”). These include several decisions addressing (i) the validity of governance provisions in agreements and (ii) the requirements for board of directors and stockholder approvals of merger agreements. In addition, this article describes legislation recently enacted in Delaware dealing with a number of the issues raised by these decisions.
Validity of Governance Provisions in Agreements
Delaware Decisions
Moelis Decision
In West Palm Beach Firefighters’ Pension Fund v. Moelis & Company, 311 A.3d 809 (Del. Ch. 2024),[1] the Delaware Court of Chancery held that certain pre-approval rights and board and committee composition provisions in a stockholder agreement entered into by the corporation with its controlling stockholder in anticipation of an initial public offering (“IPO”) by the corporation were facially invalid under Section 141(a) of the Delaware General Corporation Law (the “DGCL”), which provides that the “business and affairs of every corporation . . . shall be managed by or under the direction of the board of directors, except as may be otherwise provided in [the DGCL] or the certificate of incorporation.” The Court held that those provisions infringed on the power of the board to manage the corporation’s affairs under the DGCL’s board-centric model of corporate governance.
The challenged stockholder agreement required the corporation to obtain the stockholder’s approval before taking various corporate actions and granted the stockholder extensive rights designed to ensure that he could elect a majority of the directors and that the composition of board committees would be proportionate to the number of the stockholder’s designees on the board. While the Court characterized the agreement as a “new-wave” stockholder agreement, rights of this kind are often found in agreements entered into in connection with debt and equity financings (including venture capital and private equity investments) and other commercial arrangements, as well as in settlement agreements with activists. The Moelis decision raises significant questions regarding the validity of these provisions when they are included in this kind of agreement. Because the decision is likely to be appealed, it may not be the last word from the Delaware courts on these issues.
The Court held that the pre-approval requirements in the Moelis agreement, viewed collectively, and some of the stockholder’s rights involving the composition of the board and its committees were facially invalid under Section 141(a). In addition, the Court held that the provisions related to the composition of board committees were also invalid under Section 141(c)(2), which vests the board with the authority to designate committees. The Court noted that most of the invalidated provisions (but not those relating to the composition of board committees or that are inconsistent with a mandatory feature of the DGCL) would have been valid if they had been included in the certificate of incorporation. This could have been accomplished by either (i) including them expressly in the certificate or by incorporating them by reference to an agreement as permitted by Section 102(d) regarding reference to extrinsic facts, or (ii) if the board is authorized to create new classes or series of stock (“blank check” authority), including them in a certificate of designation and issuing a single “golden” preferred share. An amendment of the certificate of incorporation would, of course, require stockholder approval, but a new class or series of stock could be created by the board alone if it has blank check authority.
The Court noted that, although Delaware is a contractarian state that favors private ordering, the ability to do so is subject to the limitations of the DGCL. The Court emphasized the need to differentiate between an agreement creating an internal governance arrangement and an external commercial contract that constrains board actions, like a credit agreement with restrictive covenants or an exclusive supply contract, while it also recognized the challenge in differentiating between the two. The Court identified several factors that indicate that an agreement creates an “internal governance” arrangement, including whether it arose out of an obvious commercial exchange and whether the purpose of the restrictions was to allocate governance rights. However, the Court did not specify how those factors should be weighted, other than that all of them are matters of degree and none are essential. It then indicated that once a contractual provision appears to be part of the corporation’s internal governance arrangements, a court must assess whether the provision prevents or limits in a substantial way the ability of the directors to use their own best judgment and make decisions in managing the corporation’s affairs. Applying these standards, the Court had no problem concluding that the Moelis stockholder agreement involved an internal governance arrangement that was not tied to any underlying commercial transaction and finding that most of its provisions violated Section 141 and were invalid. The Court found, however, that several provisions in the agreement that related to the rights of the stockholder to nominate board members and for the corporation to use its best efforts to cause them to be elected were valid.
Wagner Decision
Following the Moelis decision, the Court of Chancery, in Wagner v. BRP Group, Inc., 2024 WL 2741191 (Del. Ch. May 28, 2024), found invalid provisions in another pre-IPO stockholder agreement, as it was initially executed, that required pre-approval by the controlling stockholder of (i) any significant decision regarding a senior officer because it contravened Section 141(a) and Sections 142(b) and (e), (ii) any charter amendment because it contravened Sections 141(a) and 242, and (iii) certain significant transactions, most involving the corporation’s sole operating subsidiary, because it violated Section 141(a). Wagner differed from Moelis, however, because following the filing of the lawsuit, the parties modified the challenged stockholder agreement to provide that the stockholder would approve any action that a committee of the independent directors unanimously determined in good faith was in the best interest of the corporation. The Court considered the effect of the modification on the validity of the governance provisions. Although it recognized that the unanimity requirement permitted any one committee member to block a determination, since the DGCL permits bylaws to establish procedural limitations, like high vote and even unanimity requirements for a corporate action,[2] the Court held that the committee mechanism was sufficient to overcome the invalidity under Section 141(a), but not the invalidity of the senior officer provision under Section 142 or the pre-approval requirement for charter amendments under Section 242.
N-able Decision
After the legislation described below was enacted and before it became effective, the Court of Chancery decided Seavitt v. N-able, Inc., 2024 WL 3534476 (Del. Ch. July 25, 2024), which involved similar issues to those in Moelis and Wagner regarding the validity of a pre-IPO stockholder agreement with controlling stockholders that contained pre-approval covenants and board and committee composition and director removal provisions. Like Moelis and Wagner, the Court found many of the provisions facially invalid in violation of the DGCL, an issue that was not resolved by the legislation because agreements subject to litigation at the legislation’s effective date were excluded from coverage under the legislation. As a harbinger of issues that can arise under the new legislation, the Court suggested that provisions in a stockholder agreement modifying the requirement for stockholder approval under the DGCL or permitting identified stockholders to remove directors might not be valid under the legislation because those provisions would not have been permissible in the certificate of incorporation.
Unlike in Moelis and Wagner, some of the provisions in the N-able certificate of incorporation stated that they were “subject to” the stockholder agreement. That raised the issue whether (as characterized by the Court) “this laconic prepositional phrase” effectively incorporates the stockholder agreement into the charter by reference under Section 102(d) of the DGCL. Not surprisingly in view of this characterization, the Court held that the reference was not sufficient to incorporate the agreement into the charter and, moreover, indicated that a private agreement cannot be incorporated into a charter, which is a foundational public document, noting that the statute only authorizes incorporation of “facts ascertainable” outside the charter.[3]
Delaware Legislation
In response to the uncertainties created by the Moelis decision, legislation has been enacted in Delaware to add a new clause (18) to Section 122 of the DGCL to give corporations the power, notwithstanding Section 141(a), to enter into governance agreements—like the ones in Moelis, Wagner, and N-able—that include approval rights and board composition provisions that otherwise could be included in the certificate of incorporation.[4] The legislation, which encountered some criticism, principally from academics and some in the Delaware judiciary, became effective on August 1, 2024, and applies retroactively except to litigation begun before that date. Section 122(18) eliminates some of the uncertainties for Delaware corporations arising from the Moelis, Wagner, and N-able decisions, but interpretive issues in applying the new provision, such as the scope of agreements authorized under it and how those agreements mesh with fiduciary duties, will need to be considered.
Relevance for the MBCA
Although the Moelis, Wagner, and N-able decisions apply to Delaware corporations, their reasoning could be applied to business corporations formed in other jurisdictions that have provisions similar to Section 141, such as Section 8.01 of the MBCA. Whether other states will follow the reasoning in the Moelis, Wagner, and N-able decisions is not certain. Unlike Delaware, many state corporation statutes, such as those based on the MBCA, expressly permit stockholder agreements, in addition to provisions in the charter, to vary the director management norm. Typically, however, the stockholder agreements authorized by a statute like Section 7.32(b) of the MBCA require that all stockholders be a party to the agreement.[5] Some jurisdictions, including Delaware, have close corporation provisions that permit stockholder agreements. A court might read these provisions to exclude stockholder agreements among less than all of the stockholders as permitted vehicles for varying the director management norm, and if so, the issues raised by Moelis, Wagner, and N-able could be even more difficult in those jurisdictions. On the other hand, a court could preferably read these provisions as nonexclusive for these purposes. The ABA Corporate Laws Committee is currently considering how, if at all, to respond to the Moelis, Wagner, and N-able decisions and the recent Delaware legislation.
In deciding whether governance provisions that do not have the benefit of the Delaware legislation may be validly included in an agreement, practitioners should consider whether the provisions limit the authority and exercise of discretion by the board of directors. In the case of an agreement with these limitations, practitioners should then determine whether those provisions are external commercial contractual arrangements or are internal governance arrangements to be tested against the statutory provisions like Section 141 of the DGCL and Section 8.01 of the MBCA and other provisions of the applicable corporation statute. The Court of Chancery distinguished traditional commercial contracts from the agreements in Moelis, Wagner, and N-able, which were not tied to any underlying commercial transaction and were designed to address corporate governance in an extensive way, thus constituting an “internal governance” arrangement. Accordingly, traditional commercial credit agreements with institutional lenders and securities purchase agreements with equity investors that contain customary restrictive covenants associated with protecting the credit or the investment should not be viewed as an internal governance arrangement. The dividing line is not clear between these customary agreements and agreements with extensive protective and governance provisions that fall between these two.
Analyzing provisions implicated by the Moelis, Wagner, and N-able decisions and giving legal opinions on the validity of those provisions, especially outside of Delaware, may be problematic, and the need to do so should be weighed in the context of the specific transaction. If practitioners are concerned about the validity of provisions in an agreement, they could redraft the provisions, for example by including a fiduciary duty out[6] or similar exception, or they could include some or all of the provisions in the charter, either through an amendment or, if authorized, in a certificate of designation creating a new class or series of stock that becomes part of the charter. Section 102(d) of the DGCL permits certain provisions of the certificate of incorporation to “be made dependent upon facts ascertainable outside such instrument, provided that the manner in which such facts shall operate upon such provision is clearly and explicitly set forth therein,” and Section 2.02(d) of the MBCA permits such provisions to be “made dependent upon facts objectively ascertainable outside the articles of incorporation” if the requirements of Section 1.20(k) of the MBCA are met, one of which authorizes reference to terms of an agreement to which the corporation is a party.[7] Even when governance provisions are included in a corporation’s charter, however, they still should be analyzed to ensure that they are of a type permitted to be included in the charter. For example, as noted above, limitations on the board’s authority to designate committees under Section 141(c) can raise issues, as can provisions that are inconsistent with a mandatory feature of the DGCL.
Actions to Approve Mergers and Other Fundamental Changes
Delaware Decision
In Sjunde AP-fonden v. Activision Blizzard, Inc., 2024 WL 863290 (Del. Ch. Feb. 29, 2024) (corrected Mar. 19, 2024), the Delaware Court of Chancery declined to grant a motion to dismiss a complaint challenging the approval of a merger, which serves as reminder to practitioners of the importance of strictly following the requirements to approve a merger under Section 251 of the DGCL. These requirements relate to the need for a sufficiently final merger agreement to be approved by the board of directors and to the contents of the notice that must be sent to the stockholders when soliciting their approval of the merger.
In Delaware an essentially final merger agreement must first be approved by the board. The key question addressed by the Court in Activision was what “essentially final” means. The plaintiff argued for the execution version to be approved, while the defendants asked the Court to recognize the market practice of submitting a draft or near-final form to the board for approval. The Court held that, at least for purposes of dealing with the motion to dismiss, in order to comply with Section 251(b) of the DGCL, the board had to approve an essentially complete version of the merger agreement. It then went on to conclude that the plaintiff adequately pled that the merger agreement approved by the board was not essentially complete because it omitted the name of the company being acquired, the merger consideration, a disclosure letter that qualified a number of provisions of the agreement, the disclosure schedules called for by the agreement, and the surviving corporation’s charter[8] and because the board delegated a decision on the amount of the dividends that the acquired company may pay prior to closing to an ad hoc committee of the board. The defendants may be able to establish at trial that the board had before it some of the omitted information, such as the name of the company to be acquired and the merger consideration. The Court recognized as an open issue whether the disclosure schedules were essential, but the Court’s decision indicates that a merger agreement that the board approves, to be essentially complete, must be close to being the execution version.
The Court then examined whether the information required under Section 251(c) to be included in the notice of the stockholder meeting was satisfied. It acknowledged that the notice purported to provide a copy of the merger agreement by referring to the exhibit to the accompanying proxy statement, but the Court determined that the merger agreement provided with the notice did not satisfy Section 251(b) because, among other things, it omitted the surviving corporation’s charter.[9] The Court also ruled that the notice did not satisfy the alternative permitted under Section 251(c) of containing a brief summary of the merger agreement because, although the proxy statement sent with the notice contained a summary of the merger agreement, the proxy statement was not part of the notice.[10]
Finally, the Court ruled that the board’s delegation to a committee to finalize the provision of the merger agreement permitting the payment of certain pre-closing dividends by the target was invalid because under Section 141(c) a committee cannot approve on its own matters for which stockholder approval is required under the DGCL, such as approval of a merger agreement.[11]
Delaware Legislation
The recently enacted Delaware legislation[12] includes provisions to address the issues identified by the Activision decision. It adds a new Section 147 to the DGCL to recognize that the board of directors can approve a merger agreement and other agreements requiring board approval in substantially final form, not necessarily the final form, and can ratify a previously approved agreement before a filing is made with the Secretary of State. Also, Section 232 dealing with notices to stockholders is amended to provide that any materials included with, or attached to, a notice to stockholders, like a proxy statement, is considered to be part of the notice. In addition, (i) a new Section 268(a) is added to eliminate the need for the certificate of incorporation of the surviving corporation to be attached to the merger agreement or approved by stockholders of the target where those stockholders will not become stockholders of the surviving corporation, as is the case for an all cash reverse triangular merger, and (ii) a new Section 268(b) is added to make clear that disclosure letters and schedules are not part of the merger agreement and therefore, as a statutory matter, do not need to be approved by the board.[13]
Relevance for the MBCA
The Activision decision highlights the importance of strict compliance with notice and approval requirements, even after enactment of the Delaware legislation, under both Delaware law and the law of other relevant jurisdictions. Those requirements, which are not limited to mergers, differ among jurisdictions, and thus the particular jurisdiction’s law needs to be carefully reviewed. For example, under Section 11.04 of the MBCA a “plan of merger” meeting the requirements of Section 11.02(d) must first be adopted by the board and then, with certain exceptions, approved by the stockholders; if approval is to be sought at a meeting, the notice of the meeting shall “contain or be accompanied by a copy or summary of the plan,” in some cases with a copy or summary of the surviving entity’s governing documents.[14] It is common, at least in states outside of Delaware, to structure mergers using both a transactional agreement, usually called a merger agreement or acquisition agreement that describes the transaction and contains representations, covenants, conditions to closing and other provisions, and a separate plan of merger that is typically attached as an exhibit to the transactional agreement. The plan of merger is typically a relatively short document that contains only the terms and conditions of the merger as required by the corporation statute, which in MBCA jurisdictions are those set forth in Section 11.02(d). Only the plan of merger needs to be submitted to stockholders for adoption in those jurisdictions. The statutory pattern in Delaware is somewhat different, and that difference may account for a difference in practice and the Court’s rulings in Activision. Section 251(b) of the DGCL requires that the board approve an agreement of merger and declare its advisability and that the agreement of merger be executed by the corporation and submitted to the stockholders for approval. Under the MBCA, the plan of merger need not be executed by the corporation, and as long as there is a plan of merger approved by the board and the stockholders, the transactional agreement signed by the parties to the merger need not be submitted to or approved the stockholders.
This piece originally appeared in the Summer 2024 issue of the MBCA Newsletter, the newsletter of the ABA Business Law Section’s Corporate Laws Committee. Read the full issue and previous issues, including previous articles in the Recent Decisions Relevant to the MBCA series, at the Corporate Laws Committee’s Model Business Corporation Act Resource Center.
The views expressed in this article are solely those of the author and not his law firm or clients. No legal advice is being given in this article.
The Court distinguished Colon v. Bumble, Inc., 305 A.3d 352 (Del. Ch. 2023), which upheld super-voting power granted to stockholders identified in a stockholder agreement on the grounds that the identified stockholders were ascertainable facts outside of the charter as permitted by Section 151(a). See Stanley Keller, Delaware Court of Chancery Approves Differential Voting Within Same Class, In Our Op. (ABA Bus. Law Section Legal Ops. Comm.), Fall 2023 (Vol. 23, No. 1), at 17–18. ↑
S.B. 313, 152nd Gen. Assemb., An Act to Amend Title 8 of the Delaware Code Relating to the General Corporation Law, 84 Del. Laws ch. 309 (enacted on July 17, 2024). ↑
The MBCA uses the term “shareholders,” but for consistency this article follows the DGCL usage of “stockholders.” ↑
The question of whether a fiduciary out alone will validate certain governance provisions in a stockholder agreement could be an issue in Dollens v. Goosehead Ins., Inc., C.A. No. 2022-1018-JTL (Del. Ch. Nov. 10, 2022), in which the plaintiffs challenged a stockholder agreement as being in violation of Section 141(a). A proposed settlement involving amendments to the stockholder agreement has been agreed to by the parties to the litigation and is pending approval. The amendments narrow the governance provisions and add fiduciary outs for the board. The notice of the proposed settlement is available from plaintiff’s counsel. ↑
As noted above, the question of whether and the extent to which the terms of an agreement may be incorporated by reference in a certificate of incorporation pursuant to Section 102(d) of the DGCL is addressed in N-able. ↑
The Court’s reference to Section 251(b) requiring the surviving corporation’s charter to be included in the merger agreement does not appear to be apt because the requirement of Section 251(b)(4) applies only to a consolidation. For a merger, Section 251(b)(3) requires only a statement that the surviving corporation’s charter shall be its charter, unless it is to be amended or restated, in which event that shall be stated. ↑
The Court noted that Section 251 did not contain the amendments to Sections 228 on stockholder consents and 242 on certificate of incorporation amendments that permit notice of internet availability of proxy material to satisfy the merger agreement notice requirement. An alternative that could have satisfied Section 251 would have been for the notice to have referred to the summary of the merger agreement in the proxy statement instead of referring just to the merger agreement attached as an exhibit to the proxy statement. ↑
An application has been filed with the Court of Chancery to validate the merger at issue in the Activision decision under Section 205 of the DGCL. The MBCA has similar provisions to validate defective corporate acts and stock issuances in Subchapter E of Chapter 1 (Sections 1.45–1.52). ↑
The Delaware legislation also adds a new Section 261 to address the holding in Crispo v. Musk, 304 A.3d 567 (Del. Ch. 2023), regarding remedies for breaches of a merger agreement by recognizing a provision in the agreement that allows a target company to seek damages, including lost stockholder premium, for a breach by the acquirer and, if so provided, to retain such damages. It also allows the stockholders, by approving the merger agreement, to appoint a stockholder representative to enforce their rights under the merger agreement. ↑
If appraisal rights under Chapter 13 of the MBCA are available, additional information is required. ↑
This article is Part II of the Musings on Contracts series by Glenn D. West, which explores the unique contract law issues the author has been contemplating, some focused on the specifics of M&A practice, and some just random.
In a Delaware Court of Chancery decision earlier this year, Labyrinth, Inc. v. Urich,[1] Vice Chancellor Zurn likened the not-uncommon busted cross-reference in a stock purchase agreement (“SPA”) to the misunderstood orders that led to the disastrous Charge of the Light Brigade during the Crimean War in 1854.
Lord Raglan’s order was to “advance rapidly to the front—follow the enemy and try to prevent the enemy carrying away the guns.”[2] But which front and what guns? From Lord Raglan’s vantage point high on the cliffs above the battle, his orders were perfectly clear. He could see the “captured guns” that he wanted recaptured being carried away by the enemy nearby. However, from the vantage point of the recipient of the orders, Lord Lucan, the only guns that he could see were at the end of the long valley in a fortified position. And, thus, “[i]nto the valley of Death [r]ode the six hundred.”[3]
According to Vice Chancellor Zurn, the SPA in dispute in Labyrinth was “rife with blunders and omissions.”[4] Using as a cautionary tale the bad decision made by Lord Lucan in hastily interpreting an ambiguous order, Vice Chancellor Zurn refused to choose between “two reasonable interpretations . . . [and] just charge on.”[5] Instead of resolving the matter on a motion to dismiss, the matter must now be resolved through an expensive trial, with a full “factual inquiry to determine the parties’ intent.”[6]
And what were these “blunders and omissions”? Well, there were really only two significant ones, and they both involved “contractual signals to nonexistent provisions”[7]—that is, busted cross-references.
The Busted Cross-References in Labyrinth
The first busted cross-reference involved the signature block for an individual party to the agreement. In that signature block, there was a reference to “Section 7.5” as being one of only two sections of the SPA to which the signatory was agreeing to be bound. The problem was that there was no Section 7.5 in the agreement. There was a Section 6.7.5, which seemed pretty clearly to be the section that the agreement intended to reference. However, Vice Chancellor Zurn concluded:
Perhaps the parties meant Section 7.5 to be Section 6.7.5; perhaps the parties intended something entirely different. The ambiguity, while perhaps so minor as to be a typo, requires a greater factual inquiry to determine the parties’ intent. It is here that I refrain from charging “forward” with the “Light Brigade.”[8]
The second busted cross-reference was even more problematic.
The exclusive remedy provision (Section 8.9) read as follows:
Subject to Section 10.12, the parties acknowledge and agree that their sole and exclusive remedy with respect to any and all claims for any breach of any representation, warranty, covenant, agreement or obligation set forth herein or otherwise relating to the subject matter of this Agreement, shall be pursuant to the indemnification provisions set forth in this Section 8. In furtherance of the foregoing, except with respect to Section 10.12, each party hereby waives, to the fullest extent permitted under Law, any and all rights, claims and causes of action for any breach of any representation, warranty, covenant, agreement or obligation set forth herein or otherwise relating to the subject matter of this Agreement it may have against the other parties hereto and their Affiliates and each of their respective Representatives arising under or based upon any Law, except pursuant to the indemnification provisions set forth in this Section 8. Nothing in this Section 8.9 shall limit any Person’s right to seek and obtain any equitable relief to which any Person shall be entitled pursuant to Section 10.12.[9]
The plaintiffs were seeking injunctive relief to prevent violations of certain of the post-closing covenants set forth in the SPA. Once again, however, the provision referred to a section that did not exist—there was no Section 10.12. Instead, there was a Section 9.12, which provided as follows:
Each of the parties acknowledges and agrees that the other parties would be damaged irreparably in the event that any of the provisions of this Agreement were not performed in accordance with their specific terms or were otherwise breached or violated. Accordingly, each of the parties covenants and agrees that, without posting bond or similar undertaking, each of the other parties shall be entitled to an injunction or injunctions to prevent breaches or violations of the provisions of this Agreement and to the remedy of specific performance of this Agreement and the terms and provisions hereof in any action, suit or proceeding instituted in any court as specified in Section 9.8 having jurisdiction over the parties and the subject matter, in addition to any other remedy to which such party may be entitled, at law or in equity. Each party further covenants and agrees that, in the event of any action, suit or proceeding for specific performance in respect of such breach or violation, it shall not assert that a remedy at law would be adequate.[10]
So, again, Vice Chancellor Zurn was faced with a busted cross-reference. While she thought it likely that the reference to Section 10.12 was intended to be a reference to Section 9.12, and that the blunder had probably resulted from a section of the agreement being deleted at some point, she could not conclude so at the motion to dismiss stage: “I will not yet say the SPA precludes injunctive relief, but without greater factual confidence, neither will I say the SPA permits it.”[11]
Say What You Mean and Mean What You Say
Obviously, more care should have been taken in checking these cross-references before finalizing the SPA. But here are a few tricks that could have helped (other than using Word’s auto cross-reference feature, which may or may not always be reliable). First, if you ever need to delete a section, just delete the text of the section (not the section number itself) and replace the deleted text with “[intentionally deleted]”—then nothing like the 10.12 becoming 9.12 could happen. Second, I always bolded or underlined cross-references; it makes them easier to spot when you are proofing. And last, I always included parenthetical section titles with my cross-references. Thus, even if I left off the “6” in 6.7.5, if the section title was “Noncompetition Agreement,” it would probably be easy enough for the court to see the obvious intent if the reference to Section 7.5 was stated as “Section 7.5 (Noncompetition Agreement).”
Some may think this is all hyper-technical silliness. But such is the life you have chosen. The objective theory of contracts requires that courts determine what parties intended by their contracts from the words used in them. Courts assume that what you meant by your contract is what the contract actually says. So, make sure that your contract actually says what you mean. Words matter, and cross-references matter.
From large language models like ChatGPT to image generation tools like DALL-E, artificial intelligence (“AI”) has undeniably become part of the public consciousness—providing utility, amusement, and commercial opportunities for individuals and companies alike. Amid their popularity for creating text based on user prompts in fun and novel ways, AI chatbots have also proven useful as quasi search engines—scraping and synthesizing vast quantities of data to respond to a variety of inquiries and requests in a clear and concise manner.
This functionality blurs the line between traditional search engines, such as Google or Yahoo, which typically provide links to websites, and content creators—raising questions about the nature of information retrieval and synthesis. Such a shift in functionality has elicited scrutiny about whether these tools might be considered “information content providers” under section 230 of the Communications Decency Act (“Section 230”),[1] the federal law that (in relevant part) governs the moderation of online content by interactive computer service providers and immunizes them from most lawsuits based on third-party content. As a result of this evolution, providers of AI technology, particularly AI search engines, may find themselves potentially exposed to greater liability than their Internet-age predecessors.
The Emergence of a New Type of Generative AI
Technology companies and users alike are increasingly recognizing and embracing generative AI’s capabilities in the search space. Google quickly capitalized on its search engine prowess and unveiled an “AI Overviews” feature, which now sits atop many Google search queries.[2] And just recently, OpenAI opened its “SearchGPT” for closed beta testing, launching it as “a temporary prototype of new AI search features that give you fast and timely answers with clear and relevant sources.”[3]
By way of illustration, when a user types a prompt into Google such as “what is the role of a lawyer?” a traditional search would simply generate a list of links to informative third-party websites with relevant information. Today, Google AI Overviews will generate a narrative answer above that list; in one search of the example prompt by the authors, it explained, “Lawyers, also known as attorneys, counselors, or counsel, are licensed professionals who advise and represent clients in legal matters. Their role is to provide legal counsel and advocacy for individuals, businesses, and government organizations.” An accompanying quasi-footnote link points readers to its source material (in this example, the ABA website[4]).
Under the hood, both Google’s AI Overviews and OpenAI’s SearchGPT operate on similar principles: They use large language models to process and synthesize information from web searches they perform. These models are already trained on diverse Internet content, including not only reputable sources but also user-generated content and potentially unreliable information. When a query is received, the AI rapidly scans its knowledge base and retrieves relevant, up-to-date information from the Internet or relevant index of consistently updated Internet data. The AI then identifies the most relevant details and generates a response using its language model, which predicts the most probable text based on the query and all information available to it at the moment of execution. Oftentimes, the same prompt will result in a different response, which is generally true of generative AIs due to their use of stochastic optimization algorithms. These algorithms incorporate controlled randomness into the process of generating answers for problems that rely on probabilities.
However, this process is not infallible. AI models can sometimes conflate facts from different sources, misinterpret context, place too much weight on a particular source to the detriment of others, or fail to distinguish between reliable and unreliable information. These possibilities in the context of search engine functionality can lead to the propagation of misinformation, ranging from harmless misconceptions to potentially dangerous advice, all presented with the same air of authority as accurate information. Examples have cropped up since AI Overviews was unveiled by Google in July that have subsequently caused the feature’s incorporation to be partially rolled back by the company.[5] For example, after a user complained that their car’s blinker wasn’t making an indicator noise, AI Overviews suggested the user change their blinker fluid. The problem with this advice? Blinker fluid doesn’t exist and is an inside joke among car connoisseurs.[6] Further, these systems may occasionally “hallucinate”—generating plausible-sounding but entirely fabricated information—especially when dealing with queries outside their training data or when attempting to bridge gaps in their knowledge.
But the potential for harm goes further than bad advice about car maintenance. Generative AI search engines also risk the proliferation of defamatory content by responding to a user’s query with misleading or blatantly false characterizations of real people. By way of illustration, one anecdote reported that in response to a query about cheating in chess, Google’s AI Overviews produced a response stating that chess grandmaster Hans Niemann had admitted to cheating by using an engine or chess-playing AI when playing against the world’s top chess player, Magnus Carlsen.[7] The problem? Niemann hadn’t admitted to cheating against Carlsen, and in fact had vociferously denied any wrongdoing, including filing a $100 million lawsuit against those who had accused him of cheating.[8] The misleading response from Google AI Overviews was likely paraphrased from statements made by Niemann about prior online games when he was much younger. But given the predictive mechanics of Google Overviews’s AI, that context was absent from the response.
When an AI search engine promulgates inaccurate, misleading, or tortious content, who should be liable for the fallout? Google’s AI Overviews and OpenAI’s SearchGPT present unique challenges to the traditional understanding of online platforms’ roles and responsibilities. These search-integrated AI tools operate on a spectrum between traditional search engines and creative content producers. Unlike standard AI chatbots, which primarily generate responses based on preloaded training data, or traditional search engines that merely display preexisting information, these tools actively retrieve, synthesize, and produce content using information from the Internet in real time. This real-time integration of web content allows these AI search tools to create new, synthesized content from multiple sources.
As a result, these tools are increasingly taking on the role of a content creator rather than a neutral platform. This shift may have implications for the platforms’ legal liability, as it poses the question: Are providers of these AI services akin to a publisher, acting as a neutral conduit for information, or are they more analogous to an author, exercising discretion, albeit algorithmically, to generate unique content? As we explore Section 230 of the Communications Decency Act and its implications, this distinction will be crucial in understanding the potential legal challenges these new AI tools may face, and the consequences for consumers harmed by their content.
Background on Section 230
Section 230 was enacted at the beginning of the Internet’s social media era to encourage innovation by protecting interactive computer service providers from liability stemming from tortious content posted by third parties on their platforms. Under Section 230, the provider will be liable only if it “contribute[s] materially” to the alleged unlawfulness published on the platform.[9] Section 230’s protections apply specifically when the provider “merely provides third parties with neutral tools to create web content.”[10]
These standards have been applied to protect interactive computer service providers from liability for the publication of tortious content on their platforms. For example, in Blumenthal v. Drudge, the District Court for the District of Columbia dismissed the plaintiff’s defamation claim against AOL for its publication of an allegedly defamatory Internet article written by codefendant Matt Drudge.[11] The Court concluded that AOL’s role in disseminating the article (providing the Internet service platform upon which the article was published) fell under Section 230’s protective umbrella. The Court explained that, in enacting the statute, Congress “opted not to hold interactive computer services liable for their failure to edit, withhold or restrict access to offensive material disseminated through their medium.”[12] Because AOL had not authored the article, but instead only served as an intermediary for the allegedly injurious message, the Court concluded that the Internet service provider was immune under Section 230.
Neutral Intermediary or Content Contributor: Where Will Generative AI Land?
Against this backdrop, it becomes evident that generative AI search engines do not fit squarely within the existing legal framework, as they potentially occupy the roles of Internet platform and content creator simultaneously. On the one hand, a service like Google AI Overviews isn’t authoring articles in the traditional sense. But on the other hand, Google AI Overviews does more than merely provide a medium through which information can be funneled. How courts view that activity will be critical for whether generative AI search engines fit within the limitations of Section 230 immunity.
The case of Fair Housing Council of San Fernando Valley v. Roommates.com, LLC, illustrates how courts have assessed the “contributor” versus “neutral tool” dichotomy for Section 230 immunity purposes. In that case, the Court held that the website operated by the defendant had not acted as a neutral tool when the website did not “merely provide a framework that could be utilized for proper or improper purposes” but instead was directly involved in “developing the discriminatory [content].”[13] Specifically, the defendant “designed its [website’s] search and email systems to limit [roommate] listings available to subscribers based on sex, sexual orientation and presence of children,” and “selected the criteria used to hide listings.”[14] The Court reasoned that “a website operator who edits in a manner that contributes to the alleged illegality . . . is directly involved in the alleged illegality and thus not immune” under Section 230.[15]
By contrast, in O’Kroley v. Fastcase, Inc., the Sixth Circuit Court of Appeals held that Section 230 barred a defamation lawsuit against Google’s presentation of its search results.[16] In that case, the plaintiff argued that based upon the manner in which its search results were displayed, “Google did more than merely display third-party content” and was instead “responsible” for the “creation or development” of the content.[17] The Court disagreed, noting that although Google “performed some automated editorial acts on the content, such as removing spaces and altering font,” its alterations did not “materially contribute” to the allegedly harmful content given that “Google did not add” anything to the displayed text.[18]
Here, the functionality of Google AI Overviews functionality is arguably more akin to the Roommates platform than Google’s display of search results in O’Kroley. AI Overviews collects and curates preexisting information authored by other sources, synthesizing it to form a narrative response that is (in theory) directly responsive to the user’s query. In this regard, Google AI Overviews is analogous to an academic researcher reporting on preexisting literature in a review article. While the individual studies cited aren’t the researcher’s original work, the synthesis, analysis, and presentation of that information constitute a valuable and original contribution in the form of an academic survey. Similarly, AI Overviews’s curation and synthesis of information, while based on existing sources, results in a unique product that reflects its own algorithmically “analytical” process.
Because of the way generative AI works, even when there are independent sources of information being used to generate Google AI Overviews’s narrative answer, the response is promulgated by Google, rather than the independent sources themselves. While one might argue that AI Overviews is deciding which third-party content to include or exclude—similar to traditional search engines—AI Overviews’s role goes beyond that of an editor. In other words, Google isn’t merely a conduit for other sources of information or simply filtering which content to display; Google is serving as the speaker—essentially paraphrasing the information provided by the independent sources and sometimes doing so imperfectly. Simply put, Google’s editorial role is more substantive than merely changing the font or adding ellipses.
The following example illustrates Google AI Overviews’s editorial functionality, and how it can take seemingly innocuous content on the Internet and edit it to convey a message that could pose harm to the public. In May, Google AI Overviews went viral for suggesting its users ingest one serving of rock per day since, according to AI Overviews, rocks are “a vital source of minerals and vitamins that are important for digestive health”: “Dr. Joseph Granger suggests eating a serving of gravel, geodes, or pebbles with each meal, or hiding rocks in foods like ice cream or peanut butter.”[19] Google’s cited source was ResFrac Corporation, a hydraulic fracturing simulation software company, which had reposted[20] an article by The Onion,[21] a well-known satirical news organization that publishes fictional, humorous articles parodying current events and societal issues. Pictured in the Onion article was an advisor to ResFrac, explained ResFrac in its repost.
Authors’ reproduction of a Google AI Overviews response about eating geodes.
But much was left out by Google AI Overviews, including the important contextual clues that would tip a reader off to the satirical nature of the original content. For instance, the article states that sedimentary supplements “could range in size from a handful of dust to a medium-sized 5-pound cobblestone,” and that rocks should be hidden “inside different foods, like peanut butter or ice cream” to mask the texture. So, while the original content was lifted from the ResFrac post and properly cited, the meaning and intent were substantially altered in a way that goes beyond a neutral publisher’s alteration (e.g., changing font or adding punctuation). Google AI Overviews is unambiguously advocating for rock consumption—a position that, if adhered to, could undoubtedly cause real harm. If applied, Section 230’s umbrella of immunity would allow Google AI Overviews to escape liability for harm caused by its dissemination of this nonsensical position.
The Potential Repercussions of Section 230 Application to New AI Search Engines
Under traditional Section 230 principles, the plaintiff may be barred from suing interactive computer service providers for tortious speech but nevertheless can seek to recover from the original creator of the harmful content. For example, in the Drudge case discussed above, the plaintiff was barred from suing AOL but was permitted to continue the case against the original author of the defamatory article. Articulating this principle, the Fourth Circuit has opined that Section 230 immunity does not mean “that the original culpable party who posts [tortious content] would escape accountability.”[22]
But no such parallel accountability exists in the generative AI search engine context. Simply put, there may not be an “original creator” to take the blame for the publication of harmful content. Consider the example of AI Overviews recommending eating rocks discussed above. The Onion’s original article was published as, and intended to be, purely satirical. Indeed, when ResFrac reposted the article, there was no indication that it was intended to be taken literally or was being provided as medical advice. Neither The Onion nor ResFrac was negligent or reckless in publishing the article, and the article’s language only became potentially harmful when reframed and relied upon, without proper context, by Google AI Overviews. In other words, the “original creator” would not be the tortfeasor—AI Overviews would be. If applying Section 230 immunity, a plaintiff harmed by Google AI Overviews’s advocacy for rock consumption would be left without recourse.
Similarly, in the context of defamation, a plaintiff harmed by a libelous generative AI search engine result would be left without recourse. Generally, to bring a cause of action for defamation, the plaintiff must establish the following: (1) a false statement purporting to be fact; (2) publication or communication of that statement to a third person; (3) fault amounting to at least negligence; and (4) damages or some harm caused to the reputation of the person or entity who was the subject of the statement.[23] But how can a plaintiff allege negligence or an intent to defame when the original publications from which the defamatory search result were taken were not defamatory in the first place? In the chess player example discussed above, the available information online was only defamatory when it was taken out of context and mischaracterized by the generative AI search engine. Thus, the original speakers—i.e., the sources from which the search engine pulled its information—were neither negligent nor intentionally defamatory in publishing the content. As a result, a defamed plaintiff would be unable to establish the elements of their case against the “original speaker.”
These scenarios further highlight why generative AI search engines don’t fit neatly within the existing Section 230 framework, and the legal principles underlying the statutory framework.
A recent and tragic case out of the Third Circuit Court of Appeals illustrates the serious harm that algorithmically generated content can cause, and the way in which courts are attempting to grapple with the issue of accountability. In Anderson v. TikTok, Inc., at issue was the question of whether TikTok could rely on Section 230 immunity to dismiss a lawsuit brought by the estate of a child who accidentally died while performing a TikTok trend known as the “Blackout Challenge.”[24] Videos depicting the challenge were shown to the child via the TikTok “For You Page” or “FYP”—a feature of the app that relies on algorithmic curation to recommend a “tailored compilation of videos” to the user based on data about their interests and characteristics.[25] The plaintiff argued that TikTok should be held liable for recommending and promoting Blackout Challenge videos to minors’ FYP through its algorithm.[26]
The Third Circuit agreed with the plaintiff, concluding that TikTok’s algorithmic recommendations via the FYP constituted “expressive activity” not immunized under Section 230.[27] The Court explained that because the TikTok algorithm “‘[d]ecid[ed] on the third-party speech that [was] included in or excluded from a compilation—and then organiz[ed] and present[ed] the included items’ on users’ FYPs,” the recommendation was the “first-party speech” of TikTok.[28] Simply put, because TikTok’s algorithm curated an individualized FYP for each user, the platform served not merely as conduit for third-party information, but instead, created unique, expressive content.
Although the case did not involve a generative AI search engine like Google AI Overviews, the Third Circuit’s analysis is instructive as to the way in which courts may apply traditional Section 230 jurisprudence to algorithmically generated content. Indeed, the Third Circuit’s reasoning is easily extendable to the content generated by generative AI search engines that, like the FYP generated by TikTok, curate unique content in response to user activity.
Conclusion
Given its characteristics and capabilities, AI search engines such as Google AI Overviews should be categorized as “material contributors” rather than “neutral tools” under the Section 230 analytical framework. We reach this conclusion given that generative AI search engines actively synthesize information from multiple real-time sources, determine relevance and importance of such information, and generate new content that goes beyond mere aggregation and indifferent publication. Under such circumstances, the technology functions far more like an academic curating and paraphrasing her research findings than a neutral message board or conduit for information. This nuanced characterization may seem slight but could have meaningful implications for both developers of AI technology and those who may be harmed by it.
If the opposite conclusion is reached, and Section 230 immunity applies, those who are harmed by AI-generated search results would be left with little to no recourse. Unlike traditional Section 230 immunity, which leaves the door open for recovery from the original tortious speaker, the potential harm caused by AI search engine results can typically be traced back to only one source—the AI algorithm itself. It’s easy to imagine a world in which Google AI Overviews produces a search result that’s missing context or mischaracterizes the original content in a manner that is either negligent or defamatory. But with Section 230 immunity, AI companies would face no consequences for irresponsible development of their models and injured plaintiffs would have no “original speaker” to blame for their injuries. This lack of accountability could lead to proliferation of misinformation and harmful or defamatory content, as companies prioritize speed and efficiency over safety.
On the other hand, if generative AI search engines aren’t protected under Section 230, the AI ecosystem may become more restrained. It’s important to remember that the primary motivation behind the passage of Section 230 was to “preserve the vibrant and competitive free market that presently exists for the Internet”—i.e., to ensure that innovation would not be stifled by the fear of liability.[29] These principles are equally, if not more applicable, in the context of AI. AI companies might feel pressured to rein in their advancements to avoid content creator liability while the ongoing AI arms race incentivizes them to push those boundaries.
The tension between innovation and legal liability is exacerbated by the absence of comprehensive AI regulation clearly defining the contours and applicability of Section 230 immunity in the context of generative AI. This dearth of regulation may remain the status quo for the foreseeable future, as congressional attempts to regulate AI have largely fallen flat in recent years. There have been two notable, but unsuccessful, efforts to address the issue posed by generative AI with regard to Section 230 immunity. In March 2023, Senator Marco Rubio introduced legislation to amend Section 230.[30] The proposed legislation would classify platforms that amplify information using an algorithm as “content providers” with respect to the information they promulgate via AI. This amendment would impose liability on those platforms for the content amplified algorithmically or by some other automated processes. In June 2023, Senator Josh Hawley introduced a bill that would waive immunity under Section 230 for claims and charges related to generative artificial intelligence, which was defined to mean “an artificial intelligence system that is capable of generating novel text, video, images, audio, and other media based on prompts or other forms of data provided by a person.”[31] Both bills died in the Committee on Commerce, Science, and Transportation. And although the Biden administration issued an executive order addressing the federal regulation of AI, the action did nothing to answer the question of whether Section 230 immunity should be applied to content generated by AI.[32]
Given these circumstances, it seems likely that courts, rather than legislators, will take the lead in defining the limits of Section 230’s applicability to generative AI technology. Leaving such a complex task to judges and lawyers—most of whom are likely not technological experts in artificial intelligence—may lead to unpredictable, undesirable, and inconsistent results. For example, while the Third Circuit may view algorithmic curation as “expressive activity,” courts in other parts of the country may adopt a different approach, resulting in a patchwork of protection for those harmed by tortious content generated and promulgated by artificial intelligence.
Generative AI search engines highlight the need for a more nuanced approach to online content regulation in a world where generative AI exists. These tools challenge our traditional understanding of content creation and distribution, with their ability to synthesize and generate novel content from multiple sources under the guise of unlimited information access and apparent expertise. Without appropriate legislation or regulation that balances innovation and liability, we risk creating an AI landscape that neither companies nor individuals can navigate safely or effectively.
Goddard v. Google, Inc., 640 F.Supp.2d 1193,1196 (N.D. Cal. 2009) (under Section 230, a website will be liable only if it “contribute[s] materially” to the alleged unlawfulness, not when it “merely provides third parties with neutral tools to create web content”); Fair Housing Council of San Fernando Valley v. Roommates.com, LLC, 521 F.3d 1157, 1172 (9th Cir. 2008) (explaining that Section 230 immunity applies when “the website operator [is] merely a passive conduit” for the publication of the allegedly defamatory content). ↑
116 F.4th 180 (3d Cir. 2024). According to the Court’s opinion, the “Blackout Challenge” encouraged users “to choke themselves with belts, purse strings, or anything similar until passing out.” Id. at 182. ↑
This article is Part I of the Musings on Contracts series by Glenn D. West, which explores the unique contract law issues the author has been contemplating, some focused on the specifics of M&A practice, and some just random.
Golfers the world over are familiar with the famous “Arnold Palmer”—not just the actual human golfer but also the drink consisting of half tea and half lemonade. AriZona Beverages has been selling its “Big Can” of “Arnold Palmer” drinks (as well as its many other flavors of iced tea) prepriced for retail at just 99 cents per can since 1998. How has the company done that? Well, according to a recent trial court decision out of the New York Supreme Court of Nassau County, AriZona Beverages USA, LLC v. Evercore, Inc.,[1] part of the secret has been that it has been able to ensure “that [it is] supplied with [its] requirements of beverage cans by reliable suppliers at the contracted price.”[2] Those “Big Cans” are critical, and there are apparently only two suppliers of those cans west of the Mississippi: Ball Corporation and VoBev, LLC.
The Evercore decision arose out of a
special proceeding . . . seeking narrow pre-action discovery of the identity of the entities and/or individuals who [AriZona Beverages] claim[s] have aided and abetted and conspired with EVERCORE to tortiously interfere with the supply of Big Cans (and other size cans) to [AriZona Beverages] and tortiously induce VoBev, LLC to breach its March 2023 Can Supply and Production Agreement with [AriZona Beverages].[3]
The case highlights the potential consequences of violating a confidentiality obligation in a target’s material contract as part of the target’s sales process.
Case Background
Evercore was the investment banker for VoBev in connection with a potential sale of VoBev, and, as “is common in the industry, EVERCORE hosted an electronic data room to facilitate due diligence by a third party (‘Party A’) on VoBev.”[4] One of the documents uploaded to that data room was the March 2023 Can Supply and Production Agreement between AriZona Beverages and VoBev (“Can Supply Agreement”). The Can Supply Agreement apparently contained confidentiality obligations that prohibited disclosure of its terms to a third party without AriZona Beverages’ approval.
AriZona Beverages was concerned that Party A may have been Ball Corporation, which AriZona Beverages believed was trying to acquire VoBev and then seek to terminate the Can Supply Agreement. AriZona Beverages had been separately involved in arbitration proceedings with Ball Corporation concerning the alleged undersupply of cans by Ball Corporation pursuant to a supply agreement between AriZona Beverages and a company that Ball Corporation had previously acquired (and, in fact, AriZona Beverages had prevailed in that arbitration and obtained a judgment against Ball Corporation for more than $14.5 million, with additional potential disputes still to come).[5] In addition, AriZona Beverages apparently was informed that a purported representative of Ball Corporation had been seen at VoBev’s plant with a copy of the confidential information memorandum related to VoBev’s proposed sale in hand. According to AriZona Beverages,
if [AriZona Beverages] [is] unable to obtain the Big Cans under the Can Supply Agreement [it] will suffer millions in damages and Ball [Corporation] will gain leverage over the supply “. . . especially if VoBev is sold to Ball and/or Ball causes VoBev to terminate its Supply Can Agreement with [AriZona Beverages] as part of any transaction.”[6]
Evercore claimed that, even though it was in control of the data room, it was not permitted to reveal the name of Party A, or anyone else who may have had access to the data room, because of the terms of a nondisclosure agreement (“NDA”) that was entered into between VoBev and each party that was given access to the data room, including Party A. One would assume that the NDA permitted disclosure of otherwise confidential information, like the names of the parties seeking data room access, if it was required by virtue of a court order.
Court Ruling
The court found that AriZona Beverages had “brought forth sufficient information to confirm that the Can Supply Agreement is crucial to [AriZona Beverages’] business and the breach of the requirement of non disclosure permitting other part(ies) to obtain confidential and proprietary information must be addressed through the disclosure sought herein.”[7] In addition, the court specifically found that the acts complained of by AriZona Beverages “could conceivably form the basis of a cause of action including, but not limited to, tortious interference with contract.”[8]
Accordingly, the court ordered Evercore “to disclose the identity of each entity or individual to whom it provided access to the data room . . . [or] supplied a copy of the Can Supply Agreement or otherwise disclosed its terms.”[9]
And this seems like a straightforward holding. Uploading the Can Supply Agreement to the data room would appear to constitute a violation of most confidentiality obligations regarding the disclosure of an agreement’s terms. As such, AriZona Beverages is presumably entitled to know who had access to that data room to access how it may have been damaged by that apparent violation. The fact that Evercore may have separately been under a confidentiality agreement with the bidders not to disclose their names was irrelevant to AriZona Beverages’ claim related to the violation of the Can Supply Agreement’s confidentiality obligations.
The situation that arose in Evercore should serve as a reminder that sell-side diligence in readying a company for sale is as important as buy-side diligence. Violating a confidentiality obligation in a material contract of the target could have serious consequences. Indeed, in an English case decided a few years ago, Kason Kek-Gardner Ltd. v. Process Components Ltd.,[10] the disclosure of a target’s intellectual property license agreement to a potential buyer, in violation of the license’s confidentiality obligation, was deemed sufficient to permit the counterparty to terminate the target’s license.
Practical Considerations
But wait, some may say: How exactly can you disclose the terms of a material contract of a target to a potential buyer, which understandably needs to know those terms if it is to acquire the target, when those terms are specifically prohibited from being disclosed to any third party without the consent of the counterparty? Well, obviously, you can seek the counterparty’s consent to such disclosure—but what if that is not practical or is inopportune given the need to disclose the terms when it still may not be clear that any sale will actually occur?
If the potential buyer enters into an NDA promising not to disclose anything it learned about the target during due diligence, isn’t that a sufficient safeguard to avoid violating the underlying confidentiality obligation in the target agreement? The answer seems to be no. We all learned long ago that when you agree with a friend to keep something in confidence, disclosing that confidence to another friend who promises not to further disclose the confidence is still a violation of your original agreement to keep that confidence.
It remains to be seen whether AriZona Beverages was actually damaged by the alleged violation of the Can Supply Agreement’s confidentiality agreement. But regardless, there are no easy solutions to how to address confidentiality obligations in a target’s material agreements when setting up a data room on the sell side, or even in preparing the confidential information memorandum—but these confidentiality obligations do need to be addressed. Unless there is an actual exception to the material contract’s confidentiality obligation that permits disclosure in connection with a potential sale of the target, one should not assume that one will be implied,[11] particularly if one of the potential buyers is a competitor to the target or to one of the counterparties to the target’s confidential, material agreements.
No. 608480/2024 (Sup. Ct., Nassau Cnty,. Aug. 27, 2024). ↑
[2017] EWCA (Civ) 2132, at paras. 56–61. The license agreement specifically provided that the agreement could be terminated by either party “immediately by written notice to the other in the event of . . . any material [non-remediable] breach by the other party of any of its obligations under the Agreement.” And a “breach of the confidentiality obligations under clause 10” was deemed to “constitute[] a non-remediable material breach.” Id. at para. 48. ↑
Id. at paras. 49–55. This suggests that there needs to be more care in the initial drafting of these important portfolio company contracts. Just as an unconsidered anti-assignment or change of control provision in a target’s material contract could constitute an “exit blocker,” a confidentiality provision in that target’s material contract, with no exemptions that permit limited disclosure in connection with a potential sale, could also end up being an “exit blocker.” For those unfamiliar with the term, exit blocker is an expression used in the private equity industry to describe a provision contained within a material contract of a portfolio company that effectively makes a sale of that portfolio company extremely difficult without obtaining the consent of the counterparty to that material contract. ↑
The process of creating a privilege log has evolved significantly over the past few decades. As former U.S. Magistrate Judge Andrew J. Peck remarked,
When I got on the bench in 1995, the privilege logs in a typical case [were] two to three pages, maybe 50–100 entries. Now the privilege logs are like little novels, and there may be 10,000 or more entries. That is very expensive and is often useless to the other side in figuring out what is or isn’t privileged.[1]
His observation highlights the critical need for well-crafted, efficient privilege logs that serve the needs of all parties in litigation without becoming burdensome or unclear. This article will outline the federal rules guiding privilege logs, explore the different types of privilege logs, and provide best practices to create comprehensive and manageable logs.
Federal Rules Guiding Privilege Logs
The Federal Rules of Civil Procedure (“FRCP”) do not use the term privilege log or otherwise spell out procedures for logging privileged documents. Instead, FRCP 26(b)(5)(A)(ii) requires parties who withhold documents on the grounds of privilege to provide sufficient detail about those documents so the opposing party can assess the privilege claim. Specifically, the rule states that the withholding party must “describe the nature” of the documents, communications, or tangible things withheld “in a manner that, without revealing information itself privileged or protected, will enable other parties to assess the claim.”
Types of Privilege Logs
The absence of strict procedural guidance leaves much room for interpretation, prompting the emergence of various types of privilege logs tailored to different legal contexts.
A. Traditional Privilege Logs
The traditional privilege log is the most detailed and burdensome form. It requires a line-by-line description of each document, including the author, recipients, date, and a description of the subject matter sufficient to explain the claim of privilege. Traditional logs are often time-consuming and expensive to produce, particularly in large-scale litigation involving thousands of documents. Despite their complexity, they provide the most thorough level of detail, making them common in high-stakes litigation.
B. Metadata Privilege Logs
A metadata log simplifies the process by providing only the metadata extracted from withheld documents—such as date, author, recipients, file type, and document title—without including a narrative description.[2] These logs streamline the process by automating much of the data entry, reducing time and costs. However, the lack of a detailed narrative can leave privilege claims vulnerable to challenges, particularly when more context is needed to substantiate the privilege.
C. Categorical Privilege Logs
Categorical logs group documents into broad categories based on shared characteristics (e.g., all emails between specific parties during a certain date range). Instead of providing a line-by-line description, the log assigns a common description of privilege to an entire group of documents.[3] This method is particularly useful in large-scale litigation and is often negotiated between parties to reduce the burden of creating a traditional log. While categorical logs are efficient, they can be problematic if the descriptions lack sufficient detail to justify the privilege.
Best Practices for Creating an Effective Privilege Log
Given the varying complexity and scope of privilege logs, attorneys should follow several best practices to ensure that their logs meet the legal requirements and facilitate smooth litigation.
1. Negotiate Privilege Log Requirements Early
To avoid disputes down the line, it is critical for parties to meet and confer to come to a mutual decision on privilege log requirements at the beginning of discovery. Ideally, this will take the form of a written document such as an electronically stored information (“ESI”) agreement or privilege review protocol. Procedures for privilege review and parameters for privilege logs can also be incorporated into broader e-discovery protocol documents. Documenting the privilege review process early puts the parties in a better position to provide and receive the information needed to properly assess privilege claims for a particular matter. This collaborative decision can also help prevent misunderstandings and costly discovery disputes later in the litigation process.
2. Check Local Rules
While many courts leave the issue to the parties, some have significant privilege log requirements. Some jurisdictions have local rules that dictate the format or content of privilege logs, so it is important for counsel to learn these requirements early in the litigation process. For example, New York State courts strongly promote categorical logs through local rules.[4] Tailoring your privilege log to meet local court requirements ensures compliance and reduces the risk of objections.
3. Choose the Right Type of Privilege Log
The parties should decide whether to use a traditional, metadata, or categorical privilege log, depending on the case’s complexity and the volume of documents.
4. Agree on Required Fields for the Privilege Log
To comply with FRCP 26(b)(5)(A)(ii), the log must contain sufficient information to allow the receiving party to understand the basis for the claim. Agreement should be reached on which fields to include in a privilege log. At a minimum, the log should contain the date of the document, the author and recipients, the privilege asserted, and a brief description of the privileged content. In addition to these basic fields, parties should consider including more specific details based on the scope and complexity of the case, such as document type, document Bates number or unique identifier, and purpose of the communication.
5. Include Clear Descriptions of Privilege
Clearly denoting the basis for the privilege is essential. In addition to the attorney-client privilege and work-product doctrine, be prepared to discuss and include other relevant privileges, such as common interest, doctor-patient, accountant-client, and priest-penitent privileges, depending on the case and jurisdiction. Accurate privilege descriptions reduce the likelihood of challenges and ensure that the withheld information is properly protected.
6. Establish Date Ranges
Parties should agree on a relevant date range for logging privileged documents. Typically, attorney-client communications postdating the filing of the complaint are not logged unless the case involves ongoing conduct relevant to the claims. Establishing clear parameters around which communications must be logged can significantly reduce the burden on both parties.
7. Consider Redaction Instead of Withholding
Redacting privileged content, particularly in email strings—instead of withholding entire documents—can preserve context and reduce disputes. Often, the author, recipients, and dates of emails are not privileged. By redacting, it preserves so-called parent-child relationships, and the face of the document provides most of what one would otherwise have to log, save for the nature of the privilege asserted. Whether redaction is an appropriate aspect of a privilege review process depends on the facts and circumstances of each case.
8. Assess Attachments Separately
Attachments to privileged emails are not automatically privileged. Each attachment must be independently assessed for privilege claims. Failing to do so can result in nonprivileged documents being improperly withheld, leading to challenges.
9. Utilize Name Normalization
Normalization refers to writing a person’s name the same way each time it appears on the log. This normalization reduces confusion and makes it easier for the opposing party to review the log. For instance, all variations of “John Smith” (e.g., “J. Smith,” “[email protected]”) should be standardized to a single format throughout the log.
10. Be Transparent with Third-Party Communications
When third parties are involved in communications, assess whether disclosure to those third parties waives privilege. Privilege claims involving third-party recipients are frequently challenged, so proactively identifying these parties can help prevent future disputes.
11. Coordinate the Timing of Production
Privilege logs are typically produced after the final document production. Agreeing to a specific deadline, such as thirty to sixty days after production, can prevent unnecessary administrative burdens and ensure completeness. Rolling logs are administratively inefficient as there may be corrections, omissions, or documents that need to be clawed back.
Conclusion
Preparing a privilege log is a fundamental aspect of the discovery process in litigation. While there is no one-size-fits-all approach, understanding the numerous considerations can help attorneys create effective and compliant logs.
Disclaimer: The content is intended for general informational purposes only and should not be construed as legal advice. If you require legal or professional advice, please contact an attorney.
