The Consumer Financial Protection Bureau’s (“CFPB”) Acting Director, Mick Mulvaney, recently announced that the CFPB will re-examine its position on disparate impact liability under the Equal Credit Opportunity Act (“ECOA”). Based on recent federal developments that reflect a trend of repudiating Obama-era financial reform and limiting the regulatory discretion of the CFPB, the end of disparate impact enforcement by the CFPB seems likely.
The disparate impact doctrine establishes liability for a facially neutral policy or practice that results in a discriminatory effect, even absent a discriminatory intent. Since the inception of the agency, the CFPB has relied heavily on the disparate impact doctrine in its fair lending enforcement. In an April 2012 Bulletin entitled “Lending Discrimination,” the CFPB “reaffirm[ed that] the legal doctrine of disparate impact remains applicable as the Bureau exercises its supervision and enforcement authority to enforce compliance with ECOA and Regulation B.” A March 2013 Bulletin entitled “Indirect Auto Lending and Compliance with the Equal Credit Opportunity Act” reiterated that the CFPB would apply a disparate impact analysis and provided guidance on how indirect motor vehicle lenders could avoid disparate impact violations of ECOA and Regulation B.
These actions were not without controversy. In December 2017, the Government Accountability Office (“GAO”) concluded that, although the 2013 CFPB Bulletin was not a formal regulation, it still was a “rule” subject to the Congressional Review Act of 1996 (“CRA”). This determination greatly increased congressional oversight of the CFPB, as the CRA allows Congress to effectively veto rules issued by federal agencies. Agencies must submit rules subject to the CRA to Congress after they have been finalized but before they take effect. After submission, Congress has 60 legislative days to approve or veto the rule. The GAO’s conclusion effectively prohibited the CFPB from unilaterally issuing guidance that serves as de facto regulation for anyone subject to CFPB supervision or enforcement.
On May 21, 2018, Congress officially repealed the CFPB’s March 2013 Bulletin through a CRA resolution signed by the President. In a contemporaneous press release, Acting Director Mick Mulvaney stated that the CFPB also will re-examine its use of disparate impact for ECOA enforcement. Mulvaney thanked the President and Congress for “reaffirming that the Bureau lacks the power to act outside of federal statutes” and noted that “[a]s an executive agency, we are bound to enforce the law as written, not as we may wish it to be.” Mulvaney indicated that the Supreme Court’s 2015 decision in Texas Department of Housing and Community Affairs v. The Inclusive Communities Project influenced the decision to re-examine the CFPB’s position on disparate impact. Mulvaney’s announcement followed the Department of Housing and Urban Development’s decision to seek public comment on whether its Disparate Impact Regulation, which it applies to the Fair Housing Act (“FHA”), is consistent with the Inclusive Communities decision.
In Inclusive Communities, the Court held in a 5-4 decision that the FHA recognizes a disparate-impact theory. However, the Court did not extend the application of the disparate impact doctrine to ECOA, and the Court’s analysis strongly suggests that disparate impact would not apply to ECOA. It is likely that the CFPB will look towards the analysis in Inclusive Communities to determine if it will apply disparate impact to ECOA.
The Court’s decision in Inclusive Communities relied heavily on specific language in the FHA that the Court found imputed disparate impact liability. The Court noted that, in addition to the FHA, Title VII of the Civil Rights Act of 1964 and the Age Discrimination in Employment Act (ADEA) recognize the disparate-impact doctrine. The Court found that Title VII, the ADEA, and the FHA all have “operative text” that looks at the results of a policy or practice, as opposed to the intent. ECOA does not seem to have equivalent language.
The Court also noted that from the time the FHA was enacted to when it was amended, “all nine Courts of Appeals to have addressed the question had concluded the Fair Housing Act encompassed disparate-impact claims.” The Court found the fact that Congress amended the FHA, but still retained the relevant statutory text, indicated that Congress intended for disparate impact to apply. The Court also found that exemptions to liability under FHA, which address the role of property appraisals, drug convictions, and occupancy restrictions, arguably presupposed the application of disparate impact under the FHA. There is likely no similar evidence of legislative intent to apply disparate impact to ECOA.
The Court also found that disparate impact liability was consistent with the “statutory purpose” of the FHA. There is a strong possibility that a court would find that disparate-impact liability was consistent with the statutory purpose of ECOA, an anti-discrimination law. However, it is unlikely that the general intent of the law would be dispositive over statutory language and, arguably, evidenced legislative intent.
Based on Inclusive Communities and policy goals of this presidential administration, it seems likely that the days of CFPB using the disparate impact doctrine to enforce ECOA may be over.
On May 24, 2018, President Trump signed into law a broad rollback of the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010. In addition to a number of changes applicable specifically to financial institutions, the Economic Growth, Regulatory Relief, and Consumer Protection Act (the Act) contains a number of reforms to federal securities laws and regulations that will affect privately held, high-growth companies; venture capital funds; and public reporting companies, including:
Rule 701: Directs the U.S. Securities and Exchange Commission (SEC) to raise the threshold amount that triggers mandatory increased issuer disclosure for issuances of securities under a compensatory benefit plan in reliance on Rule 701 from $5 million to $10 million in any 12-month period.
Investment Company Act of 1940 (1940 Act): Exempts from investment company status certain venture capital funds that have no more than 250 investors and no more than $10 million in aggregate capital contributions and uncalled committed capital.
Regulation A: Directs the SEC to permit public reporting companies: (a) to make exempt offerings under Regulation A; and (b) to satisfy the periodic and current reporting requirements for Regulation A Tier 2 offerings by meeting the reporting requirements of section 13 of the Securities Exchange Act of 1934 (Exchange Act).
Although mandated under the law, the reforms to Rule 701 and Regulation A are not immediate. The changes are required to be made by the SEC within 60 days of adoption of the Act, and the SEC already has a substantial rulemaking docket in process. Accordingly, the revisions may not be effective for several months.
Rule 701—Increased Minimum Value to Trigger Enhanced Disclosure
The Act directs the SEC to increase the amount of securities that a private company may offer and sell under employee benefit plans before enhanced disclosure by that company is triggered. The Act increases the threshold amount for enhanced disclosure from $5 million to $10 million over a 12-month period. Rule 701 is an exemption to the registration requirements of the Securities Act of 1933 (the Securities Act) that allows private companies to issue securities under employee benefit plans, including options, restricted stock, and restricted stock units. Rule 701 has an overall limitation on use based on the value of the awards at the time of issuance in any 12-month period not exceeding the greater of: (i) $1 million; (ii) 15 percent of the issuer’s total assets; and (iii) 15 percent of the issuer’s total class of equity offered, in each case measured as of its last balance sheet date. As a result, Rule 701 generally is flexible with the size of the issuer.
In addition, Rule 701 currently includes an enhanced disclosure requirement by an issuer if, in any 12-month period, the issuer awards more than $5 million in securities in the aggregate in reliance on Rule 701. If the enhanced disclosure threshold is exceeded, issuers must provide all recipients of securities issued under Rule 701 with various and potentially onerous required disclosures, including risk factors associated with investing in the issuer’s securities and GAAP-compliant financial statements that are no more than 180 days old. The issuer must give this information to each participant (including participants who received an award before the threshold was exceeded) within a reasonable period of time before the date of sale. The date of sale in some cases may be at the time of grant (for example, RSUs and restricted stock).
The Act directs the SEC to raise the 12-month threshold for enhanced disclosure to $10 million from $5 million. In addition, it provides that the SEC must also include a provision to adjust the threshold for inflation every five years.
Key takeaways: Private companies that issue stock options and other securities to employees, consultants, directors, and other stakeholders should continue to monitor their compliance with Rule 701. As companies remain private for longer periods of time and valuations increase, they have been much more likely to reach the current $5 million disclosure threshold in a 12-month period in recent years. At the same time, the SEC’s enforcement staff recently has demonstrated an increased interest in Rule 701 and has begun imposing civil penalties for failure to comply with Rule 701’s disclosure requirements. Until the SEC rulemaking for Rule 701 is complete, issuers who are nearing the $5 million disclosure threshold should consult their attorneys to discuss strategies for managing Rule 701 securities offerings and any required disclosures. However, some issuers may want to consider delaying certain grants to later dates when the $10 million disclosure threshold becomes available (hopefully in the coming months) to avoid triggering the enhanced disclosure requirements.
1940 Act—Expanded Exemption for Venture Capital Funds
The Act also amends section 3(c)(1) of the 1940 Act to permit certain funds to accept more than the prior limit of 100 investors without being required to register as an investment company, which provides significantly more potential capital fundraising flexibility to venture capital funds that rely on section 3(c)(1). Having an applicable exemption under the 1940 Act is critical for venture fund sponsors to avoid registration requirements that would make the operation of typical venture funds financially impractical. Previously, section 3(c)(1) exempted any fund from the definition of an investment company under the 1940 Act if it was beneficially owned by no more than 100 persons and did not make a public offering of its securities. The new amendments allow a venture capital fund relying on section 3(c)(1) to accept up to 250 investors instead, so long as the fund: (i) has at all times less than $10 million in aggregate capital contributions and uncalled committed capital; and (ii) meets the definition of a “venture capital fund,” which is defined through a cross reference to Rule 203(l)-1 under the Investment Advisers Act of 1940 (the Advisers Act).[1] The $10 million limit will be adjusted every five years to account for inflation.
Key takeaways: Section 3(c)(1)’s 100-investor limit previously was the most significant regulatory factor limiting the size of venture funds that are not able to rely on section 3(c)(7)—the other 1940 Act exemption most relied upon by venture funds. Section 3(c)(7) similarly exempts funds from the definition of an investment company that do not make public offerings, and unlike section 3(c)(1), includes no limitation on the number of investors. In exchange, however, it requires that all investors be “qualified purchasers” (generally, individuals with at least $5 million in investments and entities with $25 million). Many fund managers with funds running up against the 100-investor limitation under section 3(c)(1) simultaneously form a parallel, side-by-side fund that individually relies on section 3(c)(7) to increase the amount of investor capital they can accept. For funds raising $10 million or less in capital, the new amendments may reduce the need for such side-by-side structures and/or may increase the capital raised that otherwise would be left on the table for regulatory purposes in any structure involving a fund that relies on section 3(c)(1).
Venture fund sponsors should note that there is no safe harbor or exception in the event that a venture capital fund initially intending to rely on the amended 250-investor limitation subsequently accepts more than $10 million in capital commitments if at that time the fund has more than 100 investors. In addition, based on the plain language of the amendment, fund sponsors should be aware that the standard “general partner” capital commitment may be included within this $10 million limitation. Accordingly, fund sponsors should take care and be deliberate in monitoring their fundraising activities and closings if they intend to rely on the exemption as amended.
Regulation A—Exemption for Public Reporting Companies
Finally, the Act directs the SEC to permit reporting companies to take advantage of the Regulation A exemption for securities offerings and to satisfy the periodic and current reporting requirements for Regulation A Tier 2 offerings by meeting the reporting requirements of section 13 of the Exchange Act. Often referred to as “mini-public offerings,” Regulation A offerings are exempt from securities registration requirements and can be made to the general public, but the issuer must prepare abbreviated disclosure filings that are subject to SEC review and comment. There are two tiers of Regulation A offerings. Tier 1 offerings may not raise more than $20 million in a 12-month period but require less disclosure. Tier 2 offerings may raise up to $50 million in a 12-month period but require issuers to satisfy ongoing, periodic reporting obligations. In addition, Tier 2 offerings preempt state securities registration requirements, although states may still require notice filings, consents to service of process, and filing fees.
Currently, reporting companies cannot issue securities under Regulation A. Once Regulation A is revised, reporting companies will be able to make Regulation A offerings, and reporting companies making Tier 2 offerings will be deemed to have satisfied the periodic disclosure requirements if they have satisfied their Exchange Act periodic disclosure obligations.
Key takeaways: The mandated changes to Regulation A will primarily benefit small public companies. Many small public companies that do not qualify as well-known seasoned issuers may be ineligible to take advantage of the streamlined Form S-3ASR for seasoned offerings. Although registered offerings on Form S-1 can involve a lengthy and expensive drafting and SEC comment process, the disclosures required under Regulation A can be abbreviated and less costly. In addition, reporting companies that do not trade on national exchanges must comply with state securities registration requirements. By making Tier 2 offerings, these companies will be able to avoid the complexity and cost of complying with blue sky laws for every state in which purchasers reside. However, because Tier 1 Regulation A offerings may not exceed $20 million in a 12-month period, and Tier 2 Regulation A offerings may not exceed $50 million in a 12-month period, with further restrictions for selling stockholders, it remains unclear whether this additional flexibility will be of substantial practical benefit for many companies given the alternative of Form S-3.
[1] This cross reference harmonizes the amendment with the exemption from registration under the Advisers Act that is commonly relied upon by many venture fund managers. Rule 203(l)-1 under the Advisers Act defines a “venture capital fund” to generally include private funds that meet specific conditions. These conditions include representing to investors that the private fund pursues a venture capital strategy, holding 80 percent or more of the fund’s aggregate capital contributions and uncalled committed capital in certain “qualifying investments,” conforming to specific limitations regarding the amount and types of leverage they can take on, and placing significant limitations on the ability of investors to redeem their interests. For these purposes, “qualifying investments” generally include equity securities issued by and acquired from operating companies that, among other things, are not reporting companies or foreign traded.
In MHS Capital LLC v. Goggin, the Delaware Chancery Court, in addressing claims for breach of contract and breach of fiduciary duty, provided guidance to members and managers of limited liability companies (LLCs) and their counsel regarding issues to consider when negotiating and adopting fiduciary duty modifications and exculpatory provisions in limited liability company agreements.
Background
In Goggin, a member of East Coast Miner LLC (ECM) brought suit against ECM’s manager and his associates challenging several allegedly self-dealing transactions. The plaintiff alleged, among other things, that ECM’s manager had caused ECM’s part ownership of specified assets to be diverted to different entities that the manager and his associates owned and controlled. The assets in question were subject to a lien that ECM held against a bankrupt entity. Pursuant to the lien, ECM had the right to credit bid on the secured assets in a bankruptcy auction. The plaintiff alleged that ECM’s manager had arranged for the bankruptcy court’s order to transfer the assets to a consortium of entities, all the members of which, other than ECM, were allegedly owned and controlled by ECM’s manager and his associates. The plaintiff brought a series of claims against ECM’s manager, including claims for breach of ECM’s LLC agreement and breach of fiduciary duty.
ECM’s manager moved to dismiss, arguing that the provisions of ECM’s LLC agreement operated to preclude any recovery of monetary damages, and that any award of equitable relief was precluded by the bankruptcy court’s order with respect to the asset transfer. In analyzing the claims, the Delaware Chancery Court noted that two provisions of ECM’s LLC agreement were particularly relevant. First, it contained provisions specifying the standard of conduct applicable to the manager, dispensing with traditional fiduciary duties and replacing them with a provision obligating the manager to “discharge his duties in good faith, with the care an ordinarily prudent person in a like position would exercise under similar circumstances.” Second, it contained a broad exculpatory clause providing that “[t]he Manager shall not be liable to [ECM] or any Member [of ECM] for monetary damages for breach of such person’s duty as a Manager, except as otherwise required under the [LLC] Act.”
The Breach of Contract Claims
On the record before it, at the motion to dismiss stage, the Delaware Chancery Court assumed that the conduct of ECM’s manager challenged in the complaint constituted a breach of the LLC agreement’s contractual standard of conduct. The key question, in view of the breadth of the LLC agreement’s exculpatory clause, was whether plaintiff had stated a breach of contract claim for which relief could be granted. Given that the exculpatory clause broadly eliminated claims for monetary damages, the court principally considered whether an award of equitable relief could be granted and, if so, whether any such award would conflict with the bankruptcy court order. That order specified that the purchasers in the bankruptcy sale would take title to the underlying assets free and clear of encumbrances, and that persons holding claims would be enjoined from asserting those claims against the purchasers with respect to the assets.
Ruling on the motion to dismiss, the Delaware Chancery Court found that its “‘broad discretionary power to fashion appropriate equitable relief,’” as well as its ability to “‘depart from strict application of the ordinary forms of relief where circumstances require,’” would potentially allow it to craft an equitable remedy. The Delaware Chancery Court noted that so long as the plaintiff stated a claim for which relief could be granted, its claim would survive defendant’s motion to dismiss, regardless of the nature of the exact relief that would ultimately be granted. By way of illustration, the court cited precedent where it had “declined to dismiss an otherwise well-pled claim for promissory or equitable estoppel that rested on a request for rescission which may have been ‘impossible’ to grant,” on the basis that, in light of its broad equitable powers, “it did not need to evaluate the effect of any remedial order at the pleading stage.” Without speculating as to any specific type of relief (or its viability), the court noted that “it may be possible” to grant equitable relief that would not run afoul of the bankruptcy court’s order. That analysis, however, involved “a fact-intensive question” not capable of resolution at the motion to dismiss stage.
The Breach of Fiduciary Duty Claims
The Delaware Chancery Court next addressed the defendant’s motion to dismiss the plaintiff’s claims for breach of fiduciary duty. It reviewed the nature of the fiduciary duty claims—including the allegations that the defendant failed to act in the best interests of ECM by usurping opportunities belonging to ECM—and held that they were duplicative of the plaintiff’s claim for breach of contract. Noting that “Delaware law is clear that fiduciary duty claims may not proceed in tandem with breach of contract claims absent an ‘independent basis for the fiduciary duty claims apart from the contractual claims,’” the Delaware Chancery Court dismissed plaintiff’s fiduciary duty claims, noting that in order for a breach of fiduciary duty claim to proceed simultaneously with a breach of contract claim, the former would have to “depend on additional facts,” be “broader in scope, and involve different considerations in terms of a potential remedy.” In the present case, all of the conduct that could have been the subject of a breach of fiduciary duty claim was already the subject of plaintiff’s breach of contract claim—and was being reviewed under the contractual standard. Moreover, the plaintiff was seeking the same remedy for both claims.
Practical Observations
As the Delaware Chancery Court in Goggin indicated, section 18-1101(c) of the Delaware Limited Liability Company Act (the LLC Act) provides members and managers with broad authority to expand, restrict, or eliminate duties (including fiduciary duties) pursuant to an LLC agreement, subject to the implied covenant of good faith and fair dealing. In addition, section 18-1101(e) of the LLC Act provides that an LLC agreement may eliminate or limit the liability of members or managers for breach of contract and breach of duty, including any fiduciary duty, except for bad faith violations of the implied contractual covenant of good faith and fair dealing. The Delaware Chancery Court’s opinion in Goggin serves as an important reminder that fiduciary duty modifications and exculpatory provisions must be considered together, and must be carefully crafted to ensure that in the event of a dispute, they will operate as the parties intended.
Although not expressly addressed in the opinion, several important observations emerge from a review of Goggin. First, the Delaware courts will apply and respect contractual modifications that supplant traditional fiduciary duties of care and loyalty. Parties seeking to modify fiduciary duties, however, should make their desire to override fiduciary duties clear, and they should carefully consider the scope of the duties, if any, that will be used in lieu of the traditional duties of care and loyalty. To that end, parties seeking to pare back fiduciary duties should ensure that the language deployed to that end does not effectively build back traditional duties by contract.
Next, once the scope of duties has been identified, parties should consider the circumstances under which members or managers may be held liable for falling short of the standard of conduct. The LLC Act’s authorization of provisions that exculpate members and managers from liability in a broad range of circumstances contrasts sharply with the Delaware General Corporation Law’s (the DGCL) relatively limited authorization of exculpation. Section 102(b)(7) of the DGCL, which deals with exculpation, only permits a corporation, through its certificate of incorporation, to exculpate its directors (not officers) against liability to the corporation or its stockholders for monetary damages for breaches of the duty of care. (Section 102(b)(7) specifically disallows exculpation for any breach of the duty of loyalty as well as for unlawful dividends and stock redemptions and repurchases, acts not in good faith or involving intentional misconduct, or a knowing violation of law or transactions from which a director derives an improper personal benefit.)
Although certificates of incorporation of Delaware corporations routinely provide for exculpation of directors to the fullest extent permitted by the DGCL, LLC agreements are more likely to contain bespoke provisions regarding the exposure of managers and members to liability for breach of contractual or fiduciary duties. Many LLC agreements, for example, will preclude exculpation for damages stemming from specified types of conduct, such as bad faith or willful misconduct. Some agreements, however, will decline to exculpate members or managers for losses resulting from their own gross negligence. See, for example, LLCs, Partnerships, Unincorporated Entities Committee, Single-Member LLC Entity Member Form. Although claims for gross negligence may be difficult to plead, prior decisions of the Delaware courts indicate that successfully pleading such claims may not be as challenging as one might expect. See William T. Allen, Jack B. Jacobs & Leo E. Strine, Jr., Function Over Form: A Reassessment of Standards of Review in Delaware Corporation Law (observing that the Delaware Supreme Court, in two cases following its adoption of a standard of review requiring plaintiffs to plead gross negligence in order to state a claim for a breach of the duty of care, “purport[ed] to apply the gross negligence standard of review [but] in reality applied an ordinary negligence standard”). Indeed, the exposure of directors to liability for action taken in good faith under this pleading standard prompted the adoption of section 102(b)(7) of the DGCL. See generally 1 R. Franklin Balotti & Jesse A. Finkelstein, The Delaware Law of Corporations & Business Organizations § 4.13[B], at 4-99 (3d ed. 2018 Supp.). Accordingly, managers of LLCs who are not entitled to exculpation for conduct that is grossly negligent run a substantial risk of liability for breach of the duty of care (or any analogous contractual duty) in connection with action otherwise taken in good faith. 
Indeed, managers of an LLC in that scenario may be afforded less protection against claims based on the duty of care than the directors of nearly every Delaware corporation. Even more problematic from the standpoint of a manager is the circumstance in which the LLC agreement establishes an “ordinary negligence” standard of care but fails to provide that the manager is exculpated for monetary liability for breaches of duty.
Conclusion
Given the contractual freedom provided by the LLC Act, there are numerous potential formulations of the standards of conduct of members and managers and of the circumstances under which they will (or will not) be exculpated from liability against breach. Members and managers and their counsel must consider the interplay between the standards of conduct (whether stemming from default fiduciary duties or contractually specified analogues) and the nature and scope of any clauses exculpating members and managers for breach of duty to ensure that the parties achieve the desired balance of incenting (or not unduly discouraging) value-maximizing risk-taking on the one hand, and providing means of policing and enforcing specified classes and categories of misconduct on the other.
The information universe is expanding in truly mind-numbing ways. There is a new exabyte of data created every few hours across the globe. (One exabyte of data is the equivalent of 50,000 years of continuous movies.) That Mount-Everest-sized pile of information is replicated many times every day and continues to grow faster and faster. Big companies typically have millions or billions of files stored in multiple locations, including third-party-owned Clouds. For many companies, that means they can’t keep all their information forever because they are collapsing under its weight. So why are companies hard-pressed to clean house of unneeded information?
Companies historically had records-management programs so that they could manage records and properly dispose of them in accordance with the company retention policy at some future date. At the time, making retention rules work meant that employees had to apply the rules to their records. That was simple when each employee boxed their paper records annually and applied a retention rule to each box. However, having employees apply business rules to millions or billions of files from various systems is like drinking from a firehose through a straw. In other words, cleaning house according to the retention schedule applied to each record one by one for most businesses is no longer doable.
The current business environment is like information’s “perfect storm”—more data in more formats and systems with less visibility into what information assets exist, more laws directing how it must be managed, more consequences for mismanagement, and more challenges in managing it according to old company rules with much of it floating in a Cloud.
Why Does Information Just Pile Up?
Companies relied for years on paper and electronic information, sometimes duplicating each other over and over. Although electronic information legally is on par with its paper counterparts for almost all purposes, lawyers fallaciously believed paper was the “best evidence,” and thus the two piles grew even though paper printouts of electronic records could be legally destroyed.
Today, much of the growth in information volumes comes from communications, social media, and collaboration technologies the output of which may not rise to the level of a company record. Thus, the pile grows further with information that may be “nonrecord,” which need not be retained to satisfy legal or business needs.
While litigants began to focus on electronic information for discovery purposes, sometimes company lawyers over-preserved information so as not to worry about its destruction during the pendency of a matter. What that set in motion was everything, even information ready for destruction pursuant to the retention rules, continuing to be preserved. Wide-sweeping legal holds that took precedence over retention rules stopped the proper destruction of records in the ordinary course of business according to company policy. Thus, the pile grew larger still because employees couldn’t classify and/or manage the growing amount of information, given that the sheer volume of files, documents, and e-mail became overwhelming.
Compounding matters, there was a need to manage information according to other information-related policy regimes, like information security, privacy, attorney-client privilege, etc., which often impacted the same information. Further compounding the problem was that information classification couldn’t be easily accomplished given limited functionality in most technology unless information was being purposefully stored in document and records-management applications. In other words, if employees were so inclined (and they generally weren’t), most technology in use didn’t allow for such compliance rules to be easily applied or applied at all. Thus, the pile grew.
The fallacious belief that storage is cheap further impacted storage growth. Although storage costs per terabyte are decreasing a few percentage points, any cost savings are dwarfed by company information footprints doubling every year or two, and with storage costs between $5–$10 million per year, per petabyte, storage costs are now huge for companies with big information footprints. Thus, the pile grew larger.
Then Big Data happened. Big Data is not about large piles of information. It’s about using analytics or artificial intelligence (AI) software to crawl through large piles of information to answer a business question. Suddenly there was even less pressure to clean house. Business folks want more information for longer periods of time to run queries and see what they learn from a business perspective.
In 2018 the tide seems to be turning in that less information may be retained given significant compliance events. First, with endless information security and privacy failures, companies realize their risk profile declines with smaller information footprints, which can be accomplished by keeping less and for a shorter period. As Jeff Stone, et al. put it in a May 29, 2018 article in the Wall Street Journal:
Cybersecurity threats are relentless, they’re getting stronger and they are coming from more directions than ever . . . more, the consequences of a breach can be disastrous, with staggering losses of customer data and corporate secrets—followed by huge costs to strengthen security, as well as the threat of regulatory scrutiny and lawsuits.
Further, the EU’s General Data Protection Regulation (GDPR) became law and is forcing companies to rethink what information they keep and for how long because GDPR requires it.
What Is Defensible Disposition and How Will It Help?
A solution to the unmitigated data sprawl is to “defensibly dispose” the business content that no longer has business or legal value to the organization. Defensible disposition is a way to take on piles of information without employees classifying .
To apply a retention rule to large chunks of information to make a business decision to dispose of it requires different diligence depending upon the content; thus, there is no one-size-fits-all approach to defensible disposition. In some cases, a software analytics tool may need to crawl the contents looking for specific terms, and in others, knowing the age of the information pile, the business unit that created it, the lack of active litigation, and so on might be enough to purge the entire contents without looking at each file. Having worked with so many companies cleaning up stored information, determining the amount of diligence needed in analyzing information piles to make a company comfortable to purge is rather variable.
In any event, lawyers’ input will be essential to help define a reasonable diligence process to assess the legal requirements for continued information retention and/or preservation, based on the information at issue. Thereafter, lawyers can also help select a practical information assessment and/or classification approach, given information volumes, available resources, and risk profile.
Does Litigation Profile Matter?
A good time to clean up outdated information is when there are fewer legal or compliance issues that require continued preservation of information. Disposing of information when no litigation or government investigations or audits exist is less risky. Otherwise, before information can be purged, the company must conduct sufficient diligence to ensure that nothing is destroyed that will give rise to a spoliation claim. That, of course, begs the question of how diligence will be performed when it’s impractical to review millions or billions of files or documents.
Can Technology Help?
There are all kinds of analytics and classification technologies that can help analyze information and may help with defensible disposition; however, having used these technologies for years to help companies deal with dead data, the expense and/or complexity should not be underestimated. Putting aside cost, these technologies are better and faster than employees at classifying information. As Maura R. Grossman, JD, Ph.D., et al. described in the Richmond Journal of Law and Technology, “[t]his work presents evidence supporting the contrary position: that a technology-assisted process, in which only a small fraction of the document collection is ever examined by humans, can yield higher recall and/or precision than an exhaustive manual review process, in which the entire document collection is examined and coded by humans.”
Studies and courts make clear that when appropriate, companies should not fear using technologies to help manage information. For example, in Moore v. Publicis Groupe, Judge Andrew Peck made clear in the discovery context that “[c]omputer-assisted review appears to be better than the available alternatives, and thus should be used in appropriate cases . . . [C]ounsel no longer have to worry about being the “first” or “guinea pig” for judicial acceptance of computer assisted review.”
Can I Clean House with Methodology Alone?
If information has piled up and you don’t think it makes sense to crawl it for records or preservation obligations, then there are other ways to get rid of content.
For example, if your company has 100,000 back-up tapes from 20 years ago, minimal review might be required before the whole lot of tapes can be comfortably disposed. On the other hand, if you have an active shared drive with records and information that is needed for ongoing litigation, there must be deeper analysis with analytics and/or classification technologies. In other words, the facts surrounding the information will help inform whether the information can be properly disposed with minimal analysis or whether it requires deep diligence.
Conclusion
Defensible disposition is needed like never before, given that information is growing unfettered for most businesses and impacting their ability to function. In addition, a bloated information footprint further increases a business’s privacy and information security risk profile. Although there are many reasons why retention is no longer happening as it used to, what is clear is that keeping everything forever is not without great costs or risks that must be addressed. In the end, lawyers must find a way to get rid of information without creating greater business and legal issues for their clients. Without their guidance, no one will destroy data, and it will continue to overwhelm.
There is a very tiny world out there in which people pay millions of dollars in advance payments for “factory-manufactured” balloon animal stainless steel sculptures—some in the shape of Greek and Roman goddesses—only to be told by “sales and contract performance drones” that there would be years of delay due to “the high volume of data” from “numerous scans of balloons,” along with technical difficulties in “reverse engineering” and “Computer-Aided Design processes (known as ‘CAD’).” This world—rich, strange—is detailed in Steven Tananbaum’s complaint filed on April 19 in New York County court against the Gagosian Gallery and artist Jeff Koons. Eight days later, on April 27, Hollywood producer Joel Silver filed a similar complaint referencing Tananbaum’s complaint.
Tananbaum alleges breach of contract and violations of New York UCC §2-609 (Right to adequate assurances) and Article 15 of New York’s Arts and Cultural Affairs Law, specifically which is meant to protect art buyers of sculptures. According to Tananbaum, the world of Gagosian features “unadorned avarice and conspiratorial actions in connection with factory-manufactured industrial products called Jeff Koons sculptures,” all run by a “well-oiled machine” that “exploit[s] art collectors’ desire to own Jeff Koons sculptures.” And underneath it all lies a “fraudulent financial routine that harkens the name Ponzi.”
Gagosian Gallery is the largest art gallery in the world, a complex economic and cultural entity whose workings are central to the complaints. There are 16 locations globally and several hundred employees. It has its own private planes. Art galleries can purchase art directly from the artist and represent them to the public (i.e., primary market) or they can purchase art from entities other than the artist (i.e., secondary market): Gagosian Gallery does it all. It represents living artists and artists’ estates, and resells secondary market art. It clears about $1 billion in art sales each year while publishing about 40 books annually. When representing an artist, it is in the best interest of Gagosian, like any art gallery, to create buzz around the artist’s work; one way to create buzz and to sell to the global market is by attending art fairs. In 2000, there were 55 major art fairs around the world. Last year there were 260. A booth at Frieze art fair in New York City might cost $125,000 to rent for a weekend. With added on-site handling costs to build out the booth and shipping and handling costs of the art itself, a large gallery may need to sell hundreds of thousands of dollars of art just to break even.
Jeff Koons is the most commercially successful artist of all time; he has managed to create intrigue and interest for his balloon animal sculptures. In 2012, Koons’ stainless steel Tulips sold at Christie’s for $33,700,000.00—this was a record high for Koons, and the second highest auction price ever recorded for a living artist. Only one year later, in November 2013, his Balloon Dog (Orange) sculpture, which is a stainless-steel sculpture in the shape of a balloon animal that stands 121 inches tall, sold at Christie’s for a realized price of $58.4 million and became the record price at auction for a work of art by a living artist. Bottom line: Jeff Koons’ auction price high went from $33.7 million to $58.4 million in a single year.
The demand for Koons’ balloon animal sculptures has only increased. Last year, rapper and businessman Jay Z commissioned a 40-foot balloon dog from Koons to be on stage with him at the V-Festival in Weston Park, England. Koons has entered commercial deals with Google to design phone cases inspired by his Gazing Ball series, which involve generic classical Greek sculptures of plaster with a shiny blue glass sphere attached. Last year, with much fanfare, Louis Vuitton released a line of handbags designed by Koons called the “Masters Collection.” Each handbag was covered in one of a series of paintings by artists such as Rubens, Da Vinci, or Van Gogh; they could easily be mistaken for a bag at any museum gift shop. They were priced at around $4000 and bore the LV monogram in one corner and a Koons monogram in another. This October, Louis Vuitton will release a second line of “Masters” designed by Koons—they feature the same concept, only with paintings of different artists like Turner and Monet. As Tananbaum’s complaint alleges, this is the commercial world of Jeff Koons and the gatekeeper is Gagosian Gallery.
In September 2013, Steven Tananbaum agreed to purchase Balloon Venus Hohlen Fels (Magenta) for $8 million from Gagosian Gallery with an estimated completion date of December 2015 and paid a deposit of $1.6 million. A few months later in early 2014, Joel Silver agreed to purchase Balloon Venus (Yellow) from Gagosian Gallery for $8 million with an estimated completion date of June 2017 and made a deposit of $1,600,000.00. In 2014 and early 2015, Tananbaum made additional payments totaling $3.2 million and Silver made additional payments totaling $2.2 million.
In 2015 and 2016, both Tananbaum and Silver were periodically informed that the completion dates for their works would be pushed back a few months; later, they were informed the art would be delayed two years. During this time, Tananbaum made his third payment of $1.6 million and Silver did not make his two scheduled payments.
Then, despite the delayed delivery of the previous piece, in December 2016, Tananbaum agreed to purchase two more stainless steel balloon sculptures by Koons: Eros for $6 million with an estimated completion date of January 2019 and Diana (edition 3 of 3, an edition being part of a limited-run series) for $8.5 million with an estimated completion date of August 2019. Tananbaum made an additional deposit of $1.2 million for Eros. Regarding the Diana series, in January 2017, Gagosian gave Tananbaum an option to cancel after review of the first edition of Diana (which had a completion date of October 2018), and Tananbaum paid a deposit of $2.125 million for the third edition of Diana.
In January 2017, after learning that the completion date had been pushed back another two years to July 2019, Silver attempted to cancel the purchase and requested a refund. Gagosian counsel informed Silver that any more missed payments would result in a forfeit of payments already made. A was subsequently signed by Gagosian, Silver, and Koons. It included a new payment schedule for the remaining $4.8 million owed and a new completion date of December 2020.
By January 2018, Tananbaum had paid $4.8 million on the Balloon Venus agreement, $2.4 million on the Eros agreement and $4.25 million on the Diana agreement. It was at this time Tananbaum was informed that the new completion date for Balloon Venus would be August 2019 and for Eros would be October 2019. In February 2018, he was informed that Diana edition 1 would “not be ready this year.” In April 2018, Tananbaum filed the complaint. Around the same time, Joel Silver filed a similar complaint after his offer to make additional payments to an escrow account was rejected by Gagosian.
When a work of art is on display or for sale, the year the work was completed is always shown next to information such as size and medium. For Jeff Koons’ balloon animal stainless steel sculptures, the completed date is instead usually a range of 6 to 8 years. His “iconic” Play-Doh sculpture—which was on view at the Whitney Museum for the Koons retrospective in 2014 and is currently on view at the Rockefeller Center in advance of its auction date at Christie’s—took nearly twenty years to complete (1994-2012). Play-Doh is made of aluminum, stands at 11 feet tall, and resembles the leftovers of a Play-Doh project.
According to their complaints, Tananbaum and Silver asked for information about the foundry, fabricator, studio, photos, production schedules and any evidence that production had even started when learning of production delays. Neither received any photos nor specific information about production. Tananbaum’s complaint detailed a number of works—including one that was the subject of another lawsuit involving Gagosian—that were prioritized before Tananbaum’s. These actions and inactions may support Tananbaum’s NYUCC claims and both Tananbaum and Silver’s NYACAL claims. Defendants’ responses are due June 20, 2018 in the Tananbaum case.
In a landmark victory for employers, the U.S. Supreme Court held that agreements requiring employees to arbitrate claims on an individual basis are enforceable. The case, Epic Systems Corp. v. Lewis, 584 U.S. ____ (2018), consolidated three different cases on appeal from the Fifth Circuit, Seventh Circuit, and Ninth Circuit. Murphy Oil U.S.A., Inc. v. NLRB, 808 F.3d 1013 (5th Cir. 2015); Epic Systems Corp. v. Lewis, 823 F.3d 1147 (7th Cir. 2016); Morris v. Ernst & Young, LLP, 834 F.3d 975 (9th Cir. 2016). In each of those cases, employees challenged the validity of an arbitration agreement that provided employees were required to arbitrate disputes, but not on a class or collective basis. Justice Neil Gorsuch, writing for the majority, boiled down the dispute to two simple questions:
Should employees and employers be allowed to agree that any disputes between them will be resolved through one-on-one arbitration?
Or should employees always be permitted to bring their claims in class or collective actions, no matter what they agreed with their employers?
The Court, recognizing that these questions are debatable as a matter of policy, held that the answer was clear as a matter of law. “You might wonder if the balance Congress struck in 1925 between arbitration and litigation should be revisited in light of more contemporary developments. You might even ask if the [Federal Arbitration] Act was good policy when enacted. But all the same you might find it difficult to see how to avoid the statute’s application.” First, the Court reaffirmed the principle that the Federal Arbitration Act (FAA), 9 U.S.C. § 2, instructs courts to enforce arbitration agreements according to their terms, including those terms providing for individualized arbitration proceedings. Second, the Court held that the National Labor Relations Act (NLRA) does not create a right to class actions in the courtroom or arbitral forum. As such, the Court held that neither the FAA nor NLRA permits the Court to declare agreements to arbitrate one-on-one as illegal.
The Federal Arbitration Act
In holding that the FAA required the Court to enforce agreements to arbitrate individually, the Court acknowledged that the FAA directs courts to “enforce arbitration agreements according to their terms, including terms that specify with whom the parties choose to arbitrate their disputes and the rules under which that arbitration will be conducted.”
The Court then examined the saving clause of the FAA. The saving clause allows courts to refuse to enforce arbitration agreements “upon such grounds as exist at law or in equity for the revocation of any contract.” The employees argued that the NLRA renders class and collective action waivers illegal; therefore, their illegality was a “ground” that “exists at law” to revoke an arbitration agreement. The Court rejected this argument. Temporarily setting aside the NLRA issue, the Court held that the saving clause’s use of the language “any contract” means that it applies only to generally applicable contract defenses—like fraud, duress, or unconscionability—not defenses specific to arbitration contracts. The Court held that the FAA saving clause did not apply to a contract merely because it requires bilateral arbitration.
The National Labor Relations Act
After holding that the FAA normally requires courts to enforce class and collective action waivers, the Court then turned to the issue of whether the NLRA overrides the FAA. The employees argued that section 7 of the NLRA, which protects “concerted activities” of employees, encompasses class and collective actions. The Court rejected this argument.
First, examining the language of the NLRA and its regulatory scheme, the Court held that section 7 does not speak to class or collective actions, despite heavily addressing collective bargaining and labor organization practices.
Second, because the underlying lawsuits arose under the Fair Labor Standards Act (FLSA), the Court would be required to interpret the NLRA as dictating the FLSA’s procedures and then overriding the FAA. The Court refuses to do so: “It’s a sort of interpretive triple bank shot, and just stating the theory is enough to raise a judicial eyebrow.”
Third, citing examples, the Court decided that its own precedent rejects the notion that Congress intended to displace the FAA with another statute. The Court held that under its own case law, section 7 applies to efforts by employees to organize and collectively bargain in the workplace—not the treatment of class or collective actions in court or arbitration proceedings.
Finally, the Court refused to apply Chevron deference to the National Labor Relations Board (NLRB) because the NLRB sought to interpret not only the NLRA, but also the FAA, which is outside the purview of the NLRB. In addition, the Court held, “Chevron leaves the stage” because there is not an unresolved ambiguity in the statutes after employing traditional tools of statutory construction.
The Dissenting Opinion and Response
The dissent, authored by Justice Ruth Bader Ginsburg, accused the majority of harking back to the Lochner era and the days of the Court readily enforcing “yellow dog” contracts that prevented union organizing. (In Lochner v. New York, the Court held that “freedom of contract” made a state law limiting employee work time unconstitutional. 198 U.S. 45 (1905). The so-called Lochner era came to an end when the Court upheld a state minimum wage law in West Coast Hotel Co. v. Parrish, 300 U.S. 379 (1937)). The dissent would hold that the text, legislative history, purposes, and longstanding construction of the NLRA suggest that Congress “likely meant to protect employees’ joining together to engage in collective litigation.” The dissent also rejects the notion that anything in the FAA or the Court’s case law requires subordination of the NLRA to the FAA. Rather, even assuming that the FAA and NLRA were in conflict, the dissent would hold that the NLRA controls.
Taking the dissent head-on, the majority refused to engage in a discussion of policy, and instead sought to interpret the FAA and NLRA in a way “that gives effect to all of Congress’s work, not just the parts we might prefer.” Addressing the accusation that the Court was returning to the Lochner era, the Court stated, “This Court is not free to substitute its preferred economic policies for those chosen by the people’s representatives. That, we had always understood, was Lochner’s sin.”
Advice for Employers
The Supreme Court’s decision clears the way for class and collective action waivers. The decision should lead any employer that does not already utilize mandatory arbitration agreements with these waivers to consider whether implementing these agreements makes sense for its business. From a pure cost standpoint, for many employers and certainly most large employers, the ability to prevent higher-dollar class and collective actions has a lot of appeal. We have seen many cases in which, even if the underlying claims are not strong, the class or collective action procedure is used as a vehicle to increase costs and try to force settlement.
On the flip side, companies must consider what impact requiring arbitration agreements with class and collective action waivers could have on employee morale. The anger in Justice Ginsburg’s dissent is echoed by many employee-side commentators who decry the decision as undermining employee rights. Similarly, many on the employee-rights side argue that arbitration itself disfavors employees. These conclusions overlook the laudable attributes of arbitration proceedings and the frequent reality that it is plaintiffs’ attorneys, and not employees, who reap the most benefit from class and collective procedures. Still, the view that arbitration and class and collective action waivers disfavor employees is genuinely held by many.
No matter what, in light of the decision, all employers should consider whether mandatory arbitration agreements with class and collective action waivers make sense for their workforce.
Lawyers should not expect their clients to have the expertise of a professional records manager; however, there are some basic fundamentals about how records should be managed that every organizational employee should know to protect company interests. Many large organizations can afford to employ an army of professional records managers, but for the hundreds of thousands of organizations that either cannot afford that luxury or that depend on their lawyers for that expertise, it is the lawyers’ responsibility to make sure an organization’s employees have the fundamentals of records management permanently inscribed in their daily work.
The problem is that lawyers assigned the records-management responsibility for the overall organization cannot be physically available on a minute-by-minute basis to address questions each employee confronts with respect to managing each and every record he or she either creates or receives regularly. By thoroughly educating each and every organizational employee on these fundamentals, however, the professional records manager and the lawyers serving in this capacity can be available to deal with the more complex and specialized record-management issues that arise. In addition, training employees on the fundamentals of managing their records accomplishes at least three important organizational purposes: (1) employees are better able to protect the organizational interests with this knowledge; (2) lawyers will gain a higher degree of employee respect when they demonstrate how straightforward managing their records is when done on a regular basis; and (3) lawyers will earn a higher degree of trust from employees when those employees know that the lawyers are a source of records management expertise when needed.
Below are 20 questions pertaining to some of the fundamentals of records management employees should be asking, and the answers lawyers can provide.
What qualifies as a record?
In its simplest and most straightforward form, a record is data, information, knowledge, and/or expertise recorded or received in any medium because there is a chance it will be needed in the future, the disposition of which is determined by the organization’s approved record schedule.
When and how do I dispose of records I no longer need?
Find an item on the organization’s record schedule that specifies how long that record must be retained and after that period has expired, follow the disposition method specified in the schedule.
What is an organization’s record schedule?
A functional listing specifying different types of organizational records that must be retained and for how long. It is not the form in which the record exists that determines how long it must be retained, but the substance of that record’s content.
What if no item on the schedule describes the record in hand?
The person in the organization designated as the organization’s records manager should be notified so that an item covering those kinds of records can be drafted, approved, and added to the schedule.
What else about the record schedule should I understand?
An effective record schedule specifies which records should be stored and maintained in the organization’s working areas for how long, and when those records should be transferred to off-site storage and for how long.
Who in an organization is responsible for managing its records?
The individual who either creates or receives the record is responsible for determining if it is a record, where it should be retained, how long it should be retained, and how it should be disposed of in compliance with the organization’s record schedule.
How should I “file” a record I create or receive so it can be found if I am not available?
The person in the organization designated as the organization’s records manager should be responsible for creating a file structure for each organizational unit with read access shared by all members of that unit.
What organizational records am I permitted to share with those outside of my organization?
The person in the organization designated as the organization’s records manager should draft a records-sharing policy that is approved by the organization’s top management for sharing records with those outside the organization.
Am I allowed to share my personal knowledge of the organization that is not recorded in its records with those outside the organization?
The sharing of an employee’s tacit knowledge with those outside the organization should be covered in the organization’s policy about sharing the organization’s data, information, knowledge, and expertise with those outside the company.
Why should a professional records manager understand and appreciate many of the details of the organization’s operations?
It is only with an understanding and appreciation of many of the details of the organization’s operations that a professional records manager can help the organization’s employees make the quality of the data, information, knowledge, and expertise in those records as accurate and as complete as possible. Further, with this knowledge of its operations, the records manager will likely spot potential trouble about which he or she can seek legal advice.
What and why should an employee know about records that are “vital”?
Vital records are those absolutely necessary for a unit, department, or the entire organization to operate. Given that most employees are creating and receiving records, some of which may qualify as vital, each employee should be able to recognize which records are vital and properly store and protect them.
Should records created or received electronically be treated any differently than those created by other means?
No, all records, no matter how they were created or received should be handled, stored, and disposed of the same way based on the content of the record.
Are voice-mail messages records?
They are, and they should be reduced to some physical form so they can be handled, stored, and disposed of in the same ways as all other organizational records.
Are there special records requirements for the industry to which my organization belongs?
Yes. A great number of industries, such as banks, health care providers, pharmaceutical developers, manufacturers, and many more, have their own record-keeping requirements.
Are there operational subject areas that have special record-keeping requirements?
Yes. Any number of operational subject areas such as hiring, firing, fair employment, occupational health and safety, products liability, securities, antitrust, and any number of others have their own record-keeping requirements. If in doubt, seek the advice of the person in the organization designated as the organization’s records manager. If that is not satisfactory, seek the answer from a lawyer responsible for the legal matters of the organization.
What can I do to help the organization’s records manager be more effective and efficient?
One can work to be a prime example of a great record keeper. Setting this example will encourage coworkers and peers to see that effective record keeping is possible, not that difficult, and significantly beneficial when one or others need the data, information, knowledge, and/or expertise in one’s records. Equally important, one should work to continually record new information, knowledge, and expertise that one learns, or observes in others, while working.
Will I be rewarded or recognized if I invest enough time and keep my records properly?
Most records will never be needed again; the unanswerable question is which ones will be needed sometime in the future. When one of the organization’s top executives or managers has a vague recollection of having seen a record that he or she now desperately needs—particularly to defend or protect the organization—and you are the one to produce it, hopefully you will be considered a hero and eventually promoted and/or financially rewarded.
What could be the consequences if I keep poor, inattentive, or sloppy records?
One could lose one’s job if one’s poor record keeping puts the company in significant jeopardy, or one could be subject to civil or criminal penalties if the information one has recorded is used to support and prove such legal actions.
What should I do if I see others in the organization destroying records that must be preserved?
Report it to one’s own manager, the person in the organization designated as the organization’s records manager, and/or the lawyer responsible for the legal matters of the organization.
What do I do if I have a technical question about a record I have created or received?
The person in the organization designated as the organization’s records manager should be able to answer such questions; if not, seek the answer from a lawyer responsible for the legal matters of the organization.
With these answers firmly in employees’ minds, any organization will be able to significantly improve its overall record keeping, lawyers for the organization and its professional records manager will have fewer questions to answer about the organization’s record keeping, and employees will be much more satisfied that they are keeping their records effectively.
In the previous installment, SEC Issues New Guidance on Cybersecurity Disclosure and Policies, we explored the text and implications of the recently issued SEC guidance. When that guidance was issued, the SEC had not yet brought a formal enforcement proceeding for failure to make timely disclosure regarding cybersecurity risks and/or cyber incidents. But the timing of the issuance of the guidance did make you wonder: was the SEC just taking the opportunity to reiterate and expand on past guidance or was it signaling that an enforcement action might be imminent? Was it just a gentle reminder or a warning shot?
In 2017, the co-director of the SEC’s Enforcement Division had warned that, although the SEC was “not looking to second-guess good faith disclosure decisions,” enforcement actions were certainly possible in the right circumstances. Indeed, the co-director had cautioned that no one should mistake the absence of enforcement actions for an unwillingness by the SEC to pursue companies with inadequate cybersecurity disclosures before and after breaches or other incidents. Apparently, SEC Enforcement has now identified circumstances it considers to be “right”: in April, the SEC announced “that the entity formerly known as Yahoo! Inc. has agreed to pay a $35 million penalty to settle charges that it misled investors by failing to disclose one of the world’s largest data breaches in which hackers stole personal data relating to hundreds of millions of user accounts.”
In its Order, the SEC found that, in late 2014, Yahoo learned of a massive cyber breach by hackers associated with the Russian Federation—at that time considered the largest breach of its kind—that affected over 500 million user accounts, resulting in the “theft, unauthorized access, and acquisition of hundreds of millions of its users’ data, including usernames, birthdates, and telephone numbers,” referred to internally as the company’s “crown jewels.” The company neither admitted nor denied the findings in the Order.
By December, the Order indicates, after the company’s information security team had drilled down and reached certain conclusions about the breach (including the hacking of the “email accounts of 26 Yahoo users specifically targeted by the hackers because of their connections to Russia”), the company’s Chief Information Security Officer advised members of senior management and legal teams of the problem. Throughout 2015 and early 2016, the company’s security team found that the same hackers continued to target the company, and by June 2016, the company’s new Chief Information Security Officer concluded and communicated to senior management that the company’s “entire user database, including the personal data of its users, had likely been stolen by nation-state actors through several hacker intrusions (including the 2014 breach), and ultimately could be exposed on the dark web in the immediate future.” But, the Order found, this information was not disclosed.
The Order charges that the company’s “senior management and relevant legal staff did not properly assess the scope, business impact, or legal implications of the breach, including how and where the breach should have been disclosed in Yahoo’s public filings or whether the fact of the breach rendered, or would render, any statements made by Yahoo in its public filings misleading….Furthermore, Yahoo’s senior management and legal teams did not share information regarding the breach with Yahoo’s auditors or outside counsel in order to assess the company’s disclosure obligations in its public filings. Yahoo did not maintain disclosure controls and procedures designed to ensure that reports from Yahoo’s information security team raising actual incidents of the theft of user data, or the significant risk of theft of user data, were properly and timely assessed to determine how and where data breaches should be disclosed in Yahoo’s public filings, including, but not limited to, in its risk factor disclosures or MD&A. To the extent that Yahoo shared information regarding the breach with affected users, they only notified the 26 users whose email accounts were accessed during the breach.”
Observations and Commentary
You might note that there seems to be a certain consistency between the issues identified in this Order and the SEC’s advice in its new guidance on cybersecurity disclosure. For example, the new guidance emphasized the importance of disclosure controls and procedures related to cybersecurity. In that regard, the guidance urged companies to regularly assess whether their disclosure controls and procedures adequately captured information about cybersecurity risks and incidents and ensured that it was reported up the corporate ladder to enable senior management to make decisions about whether disclosure is required and whether other actions should be taken. In addition, given that CEO and CFO certifications required as part of periodic reporting address the effectiveness of disclosure controls, the certifying officers would need to take into account the adequacy of controls and procedures for identifying cybersecurity risks and incidents.
In particular, the Order found that the company’s “risk factor disclosures in its annual and quarterly reports from 2014 through 2016 were materially misleading in that they claimed the company only faced the risk of potential future data breaches” that might expose the company to loss and liability “without disclosing that a massive data breach had in fact already occurred.” These risk factor disclosures “misleadingly suggested that a significant data breach had not yet occurred, and that therefore the company only faced the risk of data breaches and any negative effects that might flow from future breaches.” In addition, according to the Order, the company’s MD&A did not address the breach as a known trend or uncertainty.
Observations and Commentary
In its new guidance, the SEC advised that, in crafting risk factors, companies should consider whether cybersecurity risks and incidents were among the company’s most significant risks, taking into account prior incidents and the probability of occurrence and potential magnitude of future incidents. The SEC emphasized that companies needed to disclose information regarding material prior incidents to provide appropriate context. As emphasized in the guidance, “if a company previously experienced a material cybersecurity incident involving denial-of-service, it likely would not be sufficient for the company to disclose that there is a risk that a denial-of-service incident may occur.”
In addition, the guidance advised that, in MD&A, companies should consider whether risks related to cybersecurity could represent an event, trend or uncertainty that is reasonably likely to have a material effect on results of operations, liquidity or financial condition. Likewise, a material cyber incident could cause reported financial information not to necessarily be indicative of future operating results or financial condition.
In addition, the SEC found that there were also disclosure violations in connection with the proposed sale of the company’s operating business in July 2016: although the company “was aware of additional evidence in the first half of 2016 indicating that its user database had been stolen, Yahoo made affirmative representations denying the existence of any significant data breaches in a July 23, 2016 stock purchase agreement [that] was attached to a Form 8-K filed with the Commission on July 25, 2016.”
Observations and Commentary
You might recall that, in 2005, the SEC issued a Section 21(a) Report of Investigation concerning The Titan Corporation, to “provide guidance concerning potential liability under the antifraud and proxy provisions of the federal securities laws for publication of materially false or misleading disclosures regarding provisions in merger and other contractual agreements.” The report enunciated the SEC’s view that disclosures regarding material contractual terms, such as representations, may be actionable and highlighted the SEC’s intent to consider bringing enforcement actions if it “determines that the subject matter of representations or other contractual provisions is materially misleading to shareholders because material facts necessary to make that disclosure not misleading are omitted.” The report emphasized that companies should ensure that disclosures regarding material contractual provisions such as representations are not misleading: “When an issuer makes a public disclosure of information—via filing a proxy statement or otherwise—the issuer is required to consider whether additional disclosure is necessary in order to put the information contained in, or otherwise incorporated into that publication, into context so that such information is not misleading. The issuer cannot avoid this disclosure obligation simply because the information published was contained in an agreement or other document not prepared as a disclosure document.”
In the Order, the SEC also found that, in September 2016, the company issued a press release disclosing the data breach and attached it as an exhibit to a Form 8-K. The company also amended various disclosures, including risk factors and MD&A, to reflect the occurrence of the breach and corrected its prior statements regarding the effectiveness of its disclosure controls. The day following the announcement, the company’s market cap fell nearly $1.3 billion. In addition, the disclosure led to a renegotiation of the acquisition agreement, including a 7.25% price reduction.
The SEC concluded that the company “acted negligently in filing materially misleading periodic reports with the Commission” and violated a number of provisions of the Securities Act and the Exchange Act, as well as related rules. In settlement, the company agreed to cease and desist and pay $35 million; Yahoo also agreed to certain undertakings, including cooperation in connection with any further SEC investigation of the matter.
In February, the SEC announced that it had adopted long-awaited new guidance on cybersecurity disclosure. While the new guidance builds on Corp Fin’s 2011 guidance on this topic, it carries more weight because it bears the imprimatur of the Commission itself rather than its staff. The guidance itself is not a revelation: its significance is less in what it says than in the fact that the SEC felt compelled to issue it. The message is this—with the increasing importance of cybersecurity and the increasing incidence of cyber threats and breaches, companies need to review their disclosures regarding cybersecurity and consider how to augment their policies and procedures to ensure that information regarding cybersecurity risks and incidents is effectively communicated to management to allow timely decisions regarding required disclosure and compliance with insider trading policies.
The guidance highlights companies’ increasing reliance on digital technology to conduct their operations and engage with customers and others. That makes companies in all industries vulnerable to the threat of cybersecurity incidents, such as stolen access credentials, malware, ransomware, phishing, structured query language injection attacks and distributed denial-of-service attacks. Whether these incidents are a consequence of unintentional events or deliberate attacks, the SEC cautions that they represent a continuous risk to the capital markets and to companies, their customers and business partners—a risk that calls for more timely and transparent disclosure.
In a published statement, SEC Chair Jay Clayton expressed his view that the guidance “will promote clearer and more robust disclosure by companies about cybersecurity risks and incidents, resulting in more complete information being available to investors.” He encouraged “public companies to examine their controls and procedures, with not only their securities law disclosure obligations in mind, but also reputational considerations around sales of securities by executives.” He also indicated that Corp Fin will be monitoring cybersecurity disclosures as part of the selective filing review process. Experience teaches that we can expect to see new staff comments on cybersecurity disclosures (or the lack thereof) in the near future.
Procedures and policies
While the new guidance addresses disclosure obligations under existing laws and regulations (much like the 2011 guidance), the real focus is on cybersecurity policies and procedures, particularly with respect to disclosure controls and procedures and insider trading and selective disclosure prohibitions.
Disclosure controls and procedures
In the guidance, the SEC encourages companies to adopt, and regularly assess compliance with, comprehensive policies and procedures related to cybersecurity, particularly disclosure controls and procedures. “Disclosure controls and procedures” are controls and other procedures designed to ensure that information required to be disclosed in the reports that a company files under the Exchange Act is recorded, processed, summarized and reported within the time periods specified in the SEC’s rules and forms and is communicated to management to allow timely decisions regarding required disclosure. The guidance urges companies to assess whether their disclosure controls and procedures capture information about cybersecurity risks and incidents and ensure that it is reported up the corporate ladder to enable senior management to make decisions about whether disclosure is required and whether other actions should be taken. According to the guidance, “[c]ontrols and procedures should enable companies to identify cybersecurity risks and incidents, assess and analyze their impact on a company’s business, evaluate the significance associated with such risks and incidents, provide for open communications between technical experts and disclosure advisors, and make timely disclosures regarding such risks and incidents. The controls should also ensure that information is communicated to appropriate personnel to facilitate compliance with insider trading policies.”
Given that CEO and CFO certifications required as part of periodic reporting address the effectiveness of disclosure controls, the certifying officers will need to take into account the adequacy of controls and procedures for identifying cybersecurity risks and incidents. Moreover, the guidance advises, “to the extent cybersecurity risks or incidents pose a risk to a company’s ability to record, process, summarize, and report information that is required to be disclosed in filings, management should consider whether there are deficiencies in disclosure controls and procedures that would render them ineffective.”
Insider trading policies
Information regarding cybersecurity risks and incidents may be material nonpublic information, and insiders could violate the antifraud provisions or their own internal company codes of ethics and insider trading policies if they traded company securities on the basis of that information. The SEC advocates that companies put in place prophylactic policies designed to avoid even the appearance of improper trading during the period following an incident—when the company is investigating and determining the facts, consequences and materiality of an incident—and prior to the dissemination of disclosure. Accordingly, companies should be in the habit of analyzing when it would be appropriate to implement trading restrictions and consider imposing restrictions under their insider trading policies once it is known that a cyber incident has occurred that could be material.
Corporate communication policies
The SEC reminds companies that they may have disclosure obligations under Regulation FD in connection with cybersecurity matters. Regulation FD prohibits the selective disclosure of material nonpublic information to certain enumerated persons unless that information has been publicly disclosed within the meaning of Regulation FD.
Accordingly, the SEC stated that it expects companies to have policies and procedures to ensure that any disclosures of material nonpublic information related to cybersecurity risks and incidents are not made selectively, and that any Regulation FD required public disclosure is timely made.
Observations and commentary
Companies should review their disclosure controls and procedures to ensure that they appropriately address cybersecurity risks and incidents. In developing disclosure controls, companies should be sure to include appropriate escalation procedures for cyber incidents, both for purposes of evaluating the significance of the event and determining whether it is likely to develop into a material event that requires the imposition of trading restrictions on insiders. Boards may want to assign oversight of cybersecurity (including data privacy and protection) to an appropriate committee, often the audit committee or a risk committee.
In addition, controls should require the input of both IT and business personnel. In previewing the expected guidance in a 2017 presentation, Corp Fin Director William Hinman advocated that, because it may be hard to determine the significance of attacks initially, IT and business personnel should promptly consider the impact of the event together, with an eye toward understanding the business implications.
SEC Commissioner Kara Stein expressed similar views in a recent speech at Stanford. Why, she asked, in light of the general agreement on the importance of cybersecurity, were companies “not doing more to implement robust cybersecurity frameworks and to provide meaningful disclosures regarding the risks of data loss.” One possible reason could be that companies “tend to view cyberthreats as a technology problem instead of, more appropriately, a business risk.” However, when cybersecurity is viewed to be simply an “IT” problem, it is then “hoisted on the shoulders of a company’s chief information officer. Too often, this has led to a failure to integrate cybersecurity into a firm’s enterprise risk management framework. To be sure, some companies are focused on cyberthreats and recognize their potential economic threat. But companies need to do more than simply recognize the problem. They need to heed the calls of their shareholders and treat cyberthreats as a business risk.”
That view was echoed by new Commissioner Robert Jackson recently in remarks to the Tulane Corporate Law Institute. The difficulty in developing effective controls and procedures related to cybersecurity, he contended, is that the “technologists,” who best understand the cyber threats, are typically in a separate silo from the lawyers and business people who would usually be involved in developing controls and procedures: “One recent survey noted that 70% of executives at the S&P 500 named their IT department as a primary owner for cyber risk management—compared to just 37% who identified the C-suite or the board. The same survey noted that, especially at large and growing companies, responsibility for these issues is often scattered throughout the organization, creating the risk that key information might not make its way to the decisionmakers who need it most.” But Jackson saw a critical role for counsel in overcoming these barriers: counsel should act as “ambassadors” to reach across the knowledge and cultural divide, much as they did with the accounting profession when SOX was initially enacted. Many lawyers then learned “more than [they] ever wanted to know about the ‘dismal science’ of accounting” to help their corporate clients build SOX 404-compliant systems of internal control over financial reporting. Now, he suggested, counsel “might even have to sit in front of a computer and open a program other than Microsoft Word” to learn more about corporate clients’ information technology systems.
Companies should review their insider trading policies and Regulation FD or similar corporate communication policies to ensure that they address cyber incidents. Insider trading policies should contemplate appropriate trading holds and restrictions in the event a cyber incident has occurred that could be material.
Disclosure obligations
In general
With regard to disclosure, the SEC has continued Corp Fin’s principles-based approach and has elected not to adopt more prescriptive new rules—so far at least. Much like the 2011 guidance, the new guidance explains that, although there are no disclosure requirements that specifically refer to cybersecurity risks and incidents, the obligation to disclose material cybersecurity risks and incidents could still arise in the context of many of the disclosure documents required of public companies, including registration statements and periodic and current reports.
In determining whether disclosure regarding cybersecurity risks and incidents is necessary, companies will need to assess the potential materiality of any identified risk and the impact of any incidents. But how is “materiality” assessed in the context of cybersecurity? The SEC notes that the Basic v. Levinson test, which involves weighing the probability of an event against the magnitude of its potential impact, is still a relevant part of the analysis. Thus, the materiality of cybersecurity risks or incidents may depend on the likelihood of an incident, the frequency of prior incidents, the impact on operations—particularly with regard to any compromised information, including personally identifiable information, trade secrets or other confidential business information—and the harm that could result, such as harm to reputation, financial performance and customer and vendor relationships. Also at issue are the possibility of litigation or regulatory investigations or actions, including regulatory actions by state and federal governmental authorities and non-US authorities.
The SEC advises companies to consider revisiting prior disclosures as they may have a “duty to update” (where disclosure that is still alive in the marketplace becomes false as a result of subsequent developments) or a “duty to correct” (where prior disclosures are determined to have been untrue when made, including, the SEC observes, “if the company subsequently discovers contradictory information that existed at the time of the initial disclosure.”) With respect to the existence of a general duty to update, the SEC at least tacitly acknowledged (in Footnote 37) that there is a considerable split of judicial authority on this topic.
Although companies are expected to disclose cybersecurity risks and incidents that are material to investors, the SEC makes clear that they are not expected to provide detailed roadmaps or specific technical information about potential system vulnerabilities that would compromise a company’s security protections.
While the guidance recognizes that it may take time to investigate and understand the implications of an incident, the need for an investigation will not, by itself, let the company off the hook: “an ongoing internal or external investigation—which often can be lengthy—would not on its own provide a basis for avoiding disclosures of a material cybersecurity incident.”
Observations and commentary
Companies may find some of the guidance here difficult to navigate: providing adequate non-generic disclosure about risk, protections or incidents that does not, at the same time, increase the company’s exposure or jeopardize cybersecurity efforts could turn out to be a tricky exercise. And it could be equally challenging to find the point at which the company has sufficient factual information about a breach to make disclosure that is timely. There is an inherent tension between the need to disclose promptly to satisfy requirements to inform investors and the need to keep the matter confidential to allow the investigation to proceed without tipping off the malefactors and to gain a satisfactory understanding of the facts and implications of the incident. This tension requires that companies make a difficult judgment call in every case. That may explain why, although, according to Audit Analytics, there were 64 cyber breaches at public companies in 2017, only 24 breaches were disclosed in SEC filings, and the substance of those disclosures varied widely. Companies may want to look to Chair Clayton’s statement regarding the hack of the SEC’s own systems in August 2017. Whether the new guidance provides an impetus for companies to disclose these incidents more frequently remains to be seen.
Risk factors
Companies should consider whether cybersecurity risks and incidents are among the company’s most significant risks, taking into account prior incidents and the probability of occurrence and potential magnitude of future incidents. Among other things, a company’s risk factors could appropriately address the adequacy and costs of preventative actions and protections (such as insurance), the possibility of theft of assets (such as intellectual property and personal information), the potential for reputational harm, disruption to operations and loss of revenue, legal and regulatory requirements and, with regard to any incidents, the costs associated with remediation, investigation and litigation.
One important point to consider in crafting risk factors is the need to provide context by including disclosure regarding prior material incidents. As emphasized in the guidance, “if a company previously experienced a material cybersecurity incident involving denial-of-service, it likely would not be sufficient for the company to disclose that there is a risk that a denial-of-service incident may occur.”
As always, the SEC cautions companies to “avoid generic cybersecurity-related disclosure and provide specific information that is useful to investors.” Generic disclosure is an issue that applies to all disclosure, but seems to be especially problematic in connection with risk factors.
Observations and commentary
According to Audit Analytics, over 90% of the Russell 3000 include risk factors regarding cybersecurity.
At a meeting of the SEC’s Investor Advisory Committee at the end of 2017, the Committee debated a discussion draft regarding cybersecurity risk disclosure. The draft advocated that, when it comes to disclosure of cybersecurity risk, public companies could and should be doing more: “Although under the current regulatory regime companies disclose certain risks or loss events associated with cybercrime, such disclosures often appear to be minimal and/or boilerplate, and do not provide investors with sufficient information on the company’s ability to address cybersecurity concerns. The nature of the…past attacks is commonly described in terms so general investors have no ready way of assessing whether those attacks are likely to recur. Given the gravity of risks associated with cyberattacks, investors have a right to know whether public companies are prioritizing cybersecurity and whether they have directors who can play an effective role in cyber-risk oversight.” The draft advocated disclosing “specific, non-proprietary and non-sensitive information” about prior cyberattacks, including “summary information derived from root-causes analyses of how the attacks were or were not successful, to clarify the nature and significance of ongoing risks.”
Other disclosure areas
The guidance also advises that companies consider whether cybersecurity or cyber incidents should be included as part of their discussions of MD&A, business, legal proceedings, financial statements and board risk oversight. For example, in MD&A, risks related to cybersecurity could represent an event, trend or uncertainty that is reasonably likely to have a material effect on results of operations, liquidity or financial condition. Likewise, a material cyber incident could cause reported financial information to be a poor indicator of future operating results or financial condition. In this analysis, factors to be considered include the cost of cybersecurity efforts and ongoing enhancements, the costs and other consequences of cybersecurity incidents, and the risks of potential cybersecurity incidents. Other factors may include the potential loss of intellectual property; the costs of insurance; and costs related to litigation and regulatory investigations, preparing for and complying with proposed or current legislation, engaging in remediation efforts and addressing harm to reputation; as well as the loss of competitive advantage that could result from an incident. The impact on reportable segments should also be considered.
With regard to business operations, companies should consider disclosing incidents or risks that could materially affect their products, services, relationships with customers or suppliers or competitive conditions. That could include, for example, incidents that affect the viability of a new product or theft of customer information that might affect the company’s reputation and competitive position.
Companies are required to disclose the extent of their boards’ role in risk oversight, including how the board administers that function. If cybersecurity risks are material, the SEC believes that the board’s role in overseeing that risk should be discussed, along with the company’s cybersecurity risk management program and how the board engages with management on cybersecurity issues.
Observations and commentary
While the guidance was adopted unanimously, some of the SEC Commissioners were not exactly enthused about it, viewing it as largely repetitive of the 2011 guidance—and hardly more compelling. The SEC will be looking at feedback about whether any further guidance or rulemaking is needed.
Some of that feedback is already here—from two of the Commissioners. In a published statement, Commissioner Jackson expressed his reluctant support for the guidance, which, he said, “essentially reiterates years-old staff-level views on this issue. But economists of all stripes agree that much more needs to be done.” That includes the White House’s own Council of Economic Advisers, which Jackson quoted at length: Companies may tend to underinvest in cybersecurity, the Council’s report said, but regulators can provide investment incentives through, for example, mandatory disclosure requirements. However, the report continued, “the effectiveness of the SEC’s 2011 Guidance is frequently questioned. There are concerns that companies underreport events due to alternative interpretations of the definition of ‘materiality’…. There are also concerns that the disclosure requirements are too general and do not provide clear instructions on how much information to disclose, and that they therefore ‘fail to resolve the information asymmetry at which the disclosure laws are aimed.’”
In his Tulane remarks, Jackson shed more light on the reasons for his reluctance to fully endorse the SEC guidance: the “rising cyber threat,” he maintained, is “the most pressing issue in corporate governance today,” and guidance alone was not enough to address it. In particular, Jackson advocated adoption of an 8-K disclosure requirement in the event of a material cyber incident. He was apprehensive that the types of judgments required under the guidance “have, too often, erred on the side of nondisclosure, leaving investors in the dark—and putting companies at risk.” In a study by Jackson and his staff, in 2017, 97% of companies that suffered data breaches did not file an 8-K, although he acknowledged that it was likely that not all of those incidents were material. What’s more, Jackson expressed concern that financially motivated hackers would seek to profit by trading on their knowledge of the breach before the investing public discovered what they had done. To tackle this problem, Jackson suggested that the insider trading laws might be expanded beyond “insiders” to address traders that take advantage of nonpublic information about a breach, even when the trader is not a corporate insider. As these remarks signal, Jackson, who has just begun his term at the SEC, has a lot of ideas on this topic and appears to have no plans to drop the subject.
Commissioner Kara Stein likewise “supported the Commission’s guidance, but not without reservation.” In her statement, she indicated that she was “disappointed with the Commission’s limited action.” While the guidance includes “valuable reminders,” she said, the problem “is that many of these reminders were offered by the staff back in 2011. If our staff has already provided guidance regarding cyber-related disclosures, the question, then, is what we, as the Commission, should be doing to add value given seven additional years of insight and experience…. The more significant question is whether this rebranded guidance will actually help companies provide investors with comprehensive, particularized, and meaningful disclosure about cybersecurity risks and incidents. I fear it will not…. That is why, as I have remarked before, it is imperative that the Commission do more. As we have heard from a variety of commenters since the 2011 staff guidance, guidance, alone, is plainly not enough. This makes it all the more confusing that the Commission more or less reissued that very guidance. Simply put, seven years since the staff guidance was released, despite dramatic increases in cyberattacks and their related costs, there have been almost imperceptible changes in companies’ disclosures. This to me strongly suggests that guidance alone is inadequate.” These critiques may suggest that the SEC is primed for further rulemaking if the new guidance does not bring improved results.
According to a study from the NACD, only 19% of corporate directors agreed that their boards have “a high level of understanding” of cyber risks, and a survey from the Harvard Business Review found that only 8% of directors viewed cybersecurity as a “strategic threat.” Nevertheless, notably absent from the SEC’s guidance was a proposed recommendation from the SEC Investor Advisory Committee to require companies to provide disclosure about board cybersecurity expertise, using essentially a “comply or explain” approach. The potential recommendation would have required information on whether any director “has experience, education, or expertise in cybersecurity, and if not, why a company believes that such board-level resources are not necessary for the company to adequately manage cyber risks.” Those advocating the disclosure viewed cybersecurity as analogous to financial statement audit risk in that it is a risk to which all companies are exposed; as a result, like financial expertise, board cyber expertise was appropriate. However, the possible recommendation was certainly contentious: one committee member viewed board expertise in cybersecurity as a bit like a “melting ice cube.” Instead, he argued, the question should be whether adequate resources have been made available to the board. Notably, a bipartisan bill introduced in the Senate, the “Cybersecurity Disclosure Act of 2017,” would have mandated SEC rules requiring disclosure of board expertise or experience in cybersecurity, and, if none, disclosure of other cybersecurity-related actions performed by the company that were taken into account by the nominating committee. According to Audit Analytics, the number of directors of public companies with cybersecurity experience grew from five in 2012 to more than 20 in 2016.
In the fall 2016 issue of In Our Opinion, I wrote an article entitled Dealing with Government Investigations in Audit Responses that focuses on the SEC enforcement action against RPM International Inc. and its general counsel. A federal court subsequently denied the defendants’ motions to dismiss the SEC action. Sec. & Exch. Comm’n v. RPM Int’l, Inc., 282 F. Supp. 3d 1 (D.D.C. 2017). RPM involved a qui tam complaint against the company for violation of the False Claims Act. Although filed confidentially, the complaint was shared along the way by the government with the company, but the underlying potential liability was not disclosed by the company until later. The article also discusses Indiana Pub. Ret. Sys. v. SAIC, Inc., 818 F.3d 85 (2d Cir. 2016), which involved a company’s failure to disclose a government investigation regarding its overcharging the City of New York following indictment of two employees and threats for recoupment by the mayor of New York.
In September 2017, the U.S. District Court for the Southern District of New York in Menaldi v. Och-Ziff Capital Mgmt. Group LLC, 277 F. Supp. 3d 500 (S.D.N.Y. 2017), found that Och-Ziff did not comply with generally accepted accounting principles by failing to disclose, as required by Accounting Standards Codification 450-20, potential loss contingencies after it received subpoenas from the U.S. Department of Justice (DOJ) and the SEC relating to violations of the Foreign Corrupt Practices Act (FCPA). Although the court dismissed Rule 10b-5 claims against Och-Ziff for failure to disclose the potential loss contingency, finding that the plaintiff failed to adequately plead scienter, the decision could be read to indicate that receipt of a subpoena is sufficient to show a claimant’s manifestation of awareness of a claim. This shifts the standard for required disclosure (and potentially accrual) under ASC 450-20, as interpreted by the Second Circuit in SAIC, from being probable of assertion as an unasserted claim to being reasonably possible as a threatened claim. In my view, however, a proper reading of the court’s decision in Menaldi indicates that whether a subpoena is sufficient to show manifestation of awareness of a claim depends upon the particular circumstance, including what the subpoena indicates about a possible claim, and what the company knows of the underlying basis for that claim.
Menaldi was a securities class action lawsuit against Och-Ziff and certain of its officers and employees alleging various violations of the federal securities laws for failure to disclose improper payments and related government regulatory proceedings and investigations involving its mining activities in Africa. After Och-Ziff entered into a deferred prosecution agreement with the DOJ admitting violations of the FCPA and a settlement with the SEC under which it paid over $400 million as disgorgement, the plaintiff filed a new complaint that included a claim that Och-Ziff engaged in fraudulent financial reporting because it failed to disclose the potential financial impact of the government investigation as required by ASC 450-20.
The court analyzed the requirements of ASC 450-20 and found that Och-Ziff’s failure to disclose the FCPA investigation and its potential consequences was a violation of those requirements. The court, citing the SAIC decision, began with what it called the “threshold question” of whether there was a manifestation by the government of an awareness of a possible claim, shifting the applicable standard for disclosure from the “probability standard” to the “reasonable possibility standard.” The court acknowledged that the manifestation in this case was not as strong as in SAIC, but nevertheless found adequate allegations that the detailed subpoenas concerning its African ventures made Och-Ziff aware that there was an active investigation that could lead to the government’s filing of a claim against it, and that a loss was reasonably possible (i.e., in ASC 450-20 terms, that the likelihood of an adverse outcome was “more than remote”).
Although the court found that ASC 450-20 had been violated, it ruled that the plaintiff had not adequately pled scienter as a basis for a Rule 10b-5 claim, distinguishing SAIC where the defendant company received the results of its internal investigation, knew about the kickback scheme, and was aware of the potential fines and penalties and loss of contracts. Quoting from Godinez v. Alere, Inc., 272 F. Supp. 3d 201, 219 (D. Mass. 2017) (plaintiff adequately alleged that company had sufficient reason to know a product recall was likely so that it should have accrued or disclosed a loss contingency under ASC 450-20), the court stated that, “[T]he existence of a subpoena does not, without more, give rise to a strong inference of scienter on the part of senior management.” In finding as well the absence of reckless conduct, the court described ASC 450-20 in terms that should provide some comfort as follows:
ASC450 is not a ‘reasonably simple and straightforward accounting rule.’ . . . The rule requires many judgment calls in deciding how to respond to contingencies. . . . [T]his claim involves an omission that is based on a qualitative accounting rule rather than an affirmative misstatement about a pending investigation.
277 F. Supp. 3d at 516.
Thus, although a subpoena can be the basis for having to disclose a loss contingency under ASC 450-20, that is not always the case, and a more detailed analysis is required. One lesson from Menaldi is that a company is well advised to look harder at the need for disclosure when it has received a subpoena, and to accelerate internal efforts to determine if there is an underlying basis for claims related to the subject matter of the subpoena. A company may take some comfort in the ability to exercise judgment regarding the requirements of ASC 450-20 based upon the court’s characterization of that accounting rule. However, for a lawyer responding to an audit request, the effect of Menaldi when there is a subpoena that may be a harbinger for government claims likely will be to prompt disclosure in more circumstances of a matter as a threatened claim, rather than as an unasserted claim.