Marijuana M&A: Special Due Diligence Considerations

The wave of marijuana legalization that has washed over North America in recent years, with Canada and most U.S. states legalizing the substance for medical and/or recreational uses (although it remains illegal under U.S. federal law), has spurred an increasing number of mergers and acquisitions involving marijuana-related businesses (MRBs).  Despite the surge in deal-making, cannabis remains an emerging industry that presents unique challenges, even for experienced M&A practitioners who have advised on deals in a wide range of industries.  This article will discuss a few of the unique challenges for deal lawyers in marijuana M&A, including industry-specific due diligence issues and risks that may be hard to quantify and (through appropriate representations, warranties, and indemnities) limit for buy-side clients. 

Broadly speaking, marijuana deals entail advising companies engaged in the cultivation, processing, sale, or distribution of marijuana and products derived from marijuana, as well as some ancillary businesses that, while they do not “touch the plant,” primarily or exclusively serve businesses that do.  It is important to note that, while both marijuana and hemp are forms of cannabis, the laws and regulations applicable to the two substances vary dramatically, as hemp was legalized under U.S. federal law in 2018.  

Because of the unique legal status of marijuana as a federally prohibited controlled substance but a legal and highly sought-after commodity under the laws of most U.S. states, due diligence in marijuana M&A must encompass both the extent to which a target’s business is likely to become the subject of federal enforcement actions and its compliance with state and local laws.  The risk of federal enforcement itself is in part dependent upon the target’s compliance with applicable state laws, but it behooves buyers and their counsel to go beyond a pure state-law analysis to include an assessment of the target’s compliance with the factors enumerated by the U.S. Department of Justice in 2013 in the guidance that is commonly referred to as the Cole Memorandum. That document (the effectiveness of which is currently unclear, as it was rescinded by former Attorney General Jeff Sessions in 2018 but subsequently unofficially endorsed by current Attorney General William Barr) established enforcement priorities for federal prosecutors when choosing whether to bring criminal charges for marijuana-related violations of federal law. 

Those priorities focused on such issues as preventing the distribution of marijuana to minors and ensuring that revenues from the sale of marijuana would not flow to criminal enterprises and that state-legal marijuana activity would not be used as a cover for trafficking other illegal drugs.  In order to get some degree of comfort that federal prosecution is at least a limited risk (although there is no legal protection from federal prosecution as long as marijuana remains illegal under federal law), buyers and their counsel should review the extent to which the target presents identifiable risks of implicating one of the enumerated federal enforcement priorities.  In addition, since a typical “compliance with law” representation and warranty is not feasible in the marijuana industry with respect to U.S. federal law, this provision of the purchase agreement should be tailored to address not only the target’s compliance with applicable state and local law but ideally also the non-implication of the federal enforcement priorities set forth in the Cole Memorandum (although the specific wording of such a provision will likely be heavily negotiated). 

While due diligence relating to a marijuana-industry target’s compliance with federal law is by nature a limited and highly bespoke exercise, diligence relating to state and local law compliance should be tailored to address the specific legal and regulatory requirements of the state(s) and localities in which the target operates.  The marijuana laws that have been adopted in recent years vary widely from state to state and are by nature complex, as they seek to create comprehensive regulatory schemes for the creation of an entirely new (legal) industry in their respective states.  As an example, the law adopted by the most recent state to legalize adult-use marijuana, Illinois (where adult-use marijuana became legal as of January 1, 2020), comprises over 600 pages of detailed provisions addressing licensing, ownership, and operational and marketing requirements, as well as change of control provisions if a licensee changes hands.  The parts of the relevant state laws that are applicable to a target will depend on where along the value chain the target operates (i.e., different rules may apply to a grower as opposed to a dispensary operator).  

Since state marijuana laws generally seek to closely control the issuance and ownership of licenses for cultivation, processing, transport, sale, and distribution of marijuana, a critical issue to be analyzed early in a transaction is whether applicable state laws limit the seller’s ability to assign its license(s), and, if a share deal is contemplated, what impact statutory change of control provisions will have.  Additionally, state law may include ownership limitations that prohibit a single person or entity from owning an interest in more than a fixed number of licenses, and some forms of cross-ownership of licenses may be restricted.  The Illinois law, for example, forbids the ownership by any person or entity of any legal, equitable, or beneficial interest in more than three cultivation centers, more than ten dispensing organizations, or more than three craft grower licenses (and cross-ownership of certain types of licenses is also restricted).  In deals in which a simultaneous signing and closing is not possible, it is also important to analyze whether a provision that grants the buyer extensive pre-closing control rights is consistent with legal prohibitions on license transfers without prior state approval. 

In addition, the Illinois marijuana law contains social equity provisions that offer preferential treatment in the issuance of licenses to applicants that are controlled by or employ a majority of people who have disproportionately suffered the consequences of enforcement of marijuana laws.  These include people who have been arrested or incarcerated for marijuana-related offenses that are eligible for expungement under the law, as well as their family members, and people who reside in high-poverty areas and other areas that have been disproportionately affected by the enforcement of drug laws.  If a target’s license was granted in part based on the participation of such a “social equity applicant,” transfer of that license is subject to additional conditions that the buyer must comply with.  As a result, it is critical that a buyer understand the basis on which the target’s license was issued and how that might impact the buyer’s operation of the business following the acquisition.  

Beyond licensing issues, while marijuana deals present many of the same due diligence topics as targets in other industries, some of these topics have special significance in marijuana M&A.  Two issues that are of particular importance are the target’s access to banking services and insurance, as both areas have proven very challenging for many MRBs.  In connection with the target’s banking relationships (to the extent that it has been able to obtain banking services), the buyer should ascertain whether the target’s bank is fully aware of the nature of the target’s business, as some banks have reportedly terminated banking relationships with customers because of their involvement in the marijuana industry.  Due diligence should also encompass payment processing and money-handling, as many MRBs operate largely on a cash basis due to the lack of available service providers.  MRBs that operate largely or fully on a cash basis present particular safety and security challenges, and due diligence on such targets is complicated by the fact that cash transactions may not generate electronic records that can be used for fraud control and to verify a target’s financial records. 

On the insurance front, due diligence should include an examination of the sufficiency of the target’s coverage, including director and officer insurance, as many MRBs have struggled to obtain adequate coverage.  In this regard, the target’s policies should be reviewed to ensure that there are no exclusions that would effectively prevent it from making a claim in the event of a product liability, recall, or other loss event. 

Finally, federal tax compliance is a critical issue for a buyer’s due diligence, as the Internal Revenue Code prohibits MRBs from deducting many expenses that other businesses can deduct as a matter of course.  As a result, buyers should carefully review the target’s past tax filings to assess the risk that the target has claimed impermissible expense deductions and, therefore, underpaid its federal taxes.  It is also essential to review the target’s bookkeeping practices to ensure that expenses of different types (e.g., costs of goods sold vs. other types of business expenses) are appropriately recorded, as some expenses are deductible while others are not. 

These are only a few of the unique aspects of advising clients on marijuana M&A.  The industry continues to develop at a dizzying pace, and law and regulation are struggling to keep up with the market.  This creates an exciting environment for deal lawyers who are prepared to help their clients navigate an emerging industry with many challenges and even more opportunities. 


DISCLAIMER: Morrison & Foerster LLP makes available the information in this article for informational purposes only, and it does not constitute legal advice and should not be relied on as such. Morrison & Foerster LLP renders legal advice only after compliance with certain procedures for accepting clients and when it is legally permissible to do so. Readers seeking to act upon any of the information contained in this article are urged to seek their own legal advice.

How Can Venture Debt Fuel a Start-up or Emerging Growth Company’s Growth?

Access to capital is critical for start-ups and emerging growth companies to fund operations, finance working capital, and develop and scale products and technology. These companies typically rely on invested capital to raise funds; however, equity financing may not be available and can be dilutive to founders’ equity. Venture debt can complement equity financing and offers a source of capital to bridge the gap until the company’s next equity round, to cover expenses, or to support growth.

What Is Venture Debt?

Venture debt is nondilutive financing in the form of term loans or lines of credit available to venture-backed growth companies. These organizations typically have limited assets and are not cash-flow positive. Thus, traditional loans are typically unavailable. There are three primary kinds of venture debt:

  • Equipment financing. This kind of financing is meant to fund the purchase of equipment, such as network infrastructure, hardware, or research and development.
  • Accounts receivable. A start-up borrows against its accounts receivable, thereby smoothing out spikes in its revenue.
  • Growth capital. A catch-all category meant for loans that can be used to fund growth, such as M&A, a new round of hiring, or working capital.

Benefits of Venture Debt

Venture debt offers benefits over other forms of financing. Unlike equity financing, venture debt is nondilutive. It allows shareholders to create greater value by providing the necessary capital for the organization to achieve critical milestones and support growth prior to its next round of funding. Venture debt also allows founders and shareholders of the company to maintain control of the business, given that lenders do not generally require board seats or observation rights as a condition.

Venture debt can usually also be arranged much more quickly than raising capital through equity financing. Thus, growth companies can gain access to funds faster and with fewer requirements. In addition, organizations can structure their debt, including venture debt, to lower their overall cost of debt capital.

Is Venture Debt Appropriate for the Business?

Although venture debt does offer certain benefits, it is not ideal for every organization.

Venture debt is typically ideal for start-ups that lack sufficient tangible assets to be eligible for more traditional financing. As such, many venture lenders prefer start-ups with monthly recurring revenue. Venture debt is typically for fast-growing companies with low operating expenses for which revenue growth can ultimately exceed the cost of capital. These kinds of start-ups are frequently found in the technology space, where very little initial capital is needed before a steady stream of revenue is generated.

Venture debt is not suitable as a last resort for companies that already have a low cash balance and high operating expenses. If the debt payment ends up being more than 20 percent of the company’s operating expenses, it is probably too costly for the company. It is also not suggested for companies that have a variable revenue stream or any company that does not have a clear use for the funds.

What Are Typical Terms for Venture Debt Loans?

The terms of a venture debt facility will vary depending on a number of factors, including: (1) the company’s current stage of growth; (2) its current cash position; and (3) the industry and market in which the company operates. Some key terms of which emerging companies should be aware include the following:

  • Interest rate: Interest rates tend to be higher than a normal commercial loan. Organizations can expect venture debt interest rates to be upwards of 10 percent.
  • Term: Given that the purpose of venture debt is to assist the start-up in reaching the next round of equity financing, the terms of the loans are typically short. Thus, the terms of these loans are typically 12 to 48 months.
  • Security: The loan will typically be secured by the company’s assets, such that the lenders have priority over the assets in case of insolvency.
  • Warrants: The lender will typically receive warrants allowing the lender to purchase shares in the emerging company at a future date.
  • Covenants: A loan will normally include both positive covenants and negative covenants. Common covenants include limits on raising additional debt and restrictions on the use of the loaned amount.

Conclusion

Emerging companies exploring venture debt should ensure that it is right for their organization. For mature organizations with assets that a loan can be secured against and a healthy stream of revenue, traditional commercial loans may be more attractive because the interest rates for loans will likely be much lower. However, venture debt offers an attractive source of financing for venture-backed organizations that are in a certain stage of growth.

Due to the significant variability between the terms of venture debt facilities made available, it is advisable that emerging companies seek expert advice for guidance on this form of financing.

Three Predictions for Business Law Practice

The year 2019 was active in the legal space. Legal operations continued to be adopted by major enterprises and mid-market businesses alike. Facebook, British Airways, and Marriott Hotel faced millions in GDPR penalties, and litigation over clickwrap and other online contracts continued to skyrocket. In 2020, we can expect a continuation of these trends and more. Here are three predictions for what you can expect in the legal/litigation space in 2020.

(1) Data privacy legislation will increase, as will the need for third-party solutions like consent tracking. Data privacy regulations are becoming more of a pain point to legal teams. With the California Consumer Privacy Act (CCPA) now in effect, and the GDPR continuing to be fleshed out, we may see more of a push for easy third-party solutions to things like consent tracking. We will also see a surge of privacy policy-related litigation as the courts are called in to resolve ambiguity surrounding CCPA requirements. Depending on what happens in the aftermath, we may see (and in fact have already seen) a push for federal regulation over privacy. With all of these privacy regulations giving the express mandate to produce a privacy policy that outlines to consumers how their data will be used, companies will need third-party solutions to track consent. Especially as scrutiny of back-end records increases and becomes more sophisticated, third-party solutions will be needed to effectively convince the court of compliance with the new privacy regulations. 

(2) eSignature and contract lifecycle management tools won’t be enough. Businesses should want to leverage any technology that gives them more control over legal and/or compliance-driven aspects of the business, especially business models that operate at a massive scale online. Given that businesses must move at breakneck speed to keep up with consumer demand, legacy technologies like eSignature and contract lifecycle management tend to break, particularly with these newer business models. Technology and tools like these cannot scale with fast-paced business while remaining compliant with the increase in data privacy regulations. As compliance grows in focus in the new year, so will the necessity for technology that governs that aspect of the business. 

(3) Tech adoption will increase because of the drive for efficiency. The constant drive toward efficiency will manifest itself in two ways. First, legal teams will take a more data-driven approach to managing outside counsel and the related spend. Technology within legal has proliferated to such an extent that there are now multiple tools that can be used to provide the data necessary to complete this function. As this technology improves and its adoption increases, it will become one of the most important drivers of change, not just for in-house legal, but for private law firms as well. Second, legal’s adoption of a more holistic approach to enabling their departments using tech will drive not only major increases in efficiency, but in the type of tech solutions offered by vendors. This holistic approach will begin from a fundamentally different foundation—one that focuses on business velocity versus plodding risk management—and for the first time ever, technology will allow for increases in business velocity to occur simultaneously to a decreased risk profile.

Be Prepared to Defend Your Agreements in 2020

With the CCPA in effect as of January 1, there will be even more compliance-related litigation, which will inevitably change the way companies function. Courts will become even more sophisticated in their evaluation of online agreements, and consumers will become more concerned about their data privacy. Businesses must be more prepared than ever to defend the enforceability of their agreements and prove compliance with the new (and old) privacy laws. 

Cyberspace Law Committee Presents Global Privacy Checklist

If you are a lawyer who does not specialize in privacy, you may be familiar with the feeling of dread that creeps into your heart when a client requests your counsel on how to comply with data privacy laws. The feeling is well-founded. There is no single statute you can consult to provide the needed advice. In the United States, the law of privacy is commonly referred to as “sectoral,” meaning that there is no overarching legal regime covering privacy generally, but rather a series of federal laws (and often accompanying regulations) that each govern a particular subject matter. Nor is privacy protection exclusively on the federal level; federal law does not generally preempt state privacy laws, and state legislatures have not been shy about enacting their own privacy regulations. If your client operates an internet-based business or otherwise serves customers beyond the borders of the United States, the client may also be subject to the privacy regulations prevailing in other countries and trading blocs, which are in many cases intentionally written to have extraterritorial effect.

For those of you who may be experiencing this sort of dread, the ABA’s Cyberspace Law Committee now offers a helping hand. The committee’s Consumer Privacy and Data Analytics Subcommittee has assembled an international group of privacy experts and tasked them with compiling a guide to privacy laws from multiple jurisdictions around the world—the Global Privacy Checklist. The Checklist is a valuable starting point for any lawyer who counsels clients on complying with privacy laws. It serves as a pointer to the most salient of those laws in multiple jurisdictions: U.S. federal, U.S. states, Australia, Canada, the European Union’s General Data Protection Regulation, and the member states of the European Union.

The Checklist is an Excel spreadsheet, with each of the covered jurisdictions occupying its own tab. It is organized around a user-friendly “if-then” framework. For example, the U.S. federal tab includes the “if” statement: If “You collect and use email addresses for commercial purposes.” The “then” statement points the user to the relevant legal rules: “Then consider the applicability of” the “Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM): 15 U.S.C. §§ 7701–7713.” What follows is a summary of the rules that must be followed to comply with the CAN-SPAM Act.

Defining the scope of laws to include within the privacy rubric is more difficult than it may seem. Laws addressing data privacy are related to, and sometimes overlap with, those addressing data security; therefore, the Checklist’s coverage sometimes includes security laws. Coverage of all U.S. state laws relating in some way to data privacy would exceed the scope of the project and the resources available to it. To make the project manageable, the Checklist’s U.S. states tab is limited to the five most commonly encountered areas of privacy regulation: general privacy, data of children, biometric data, health data, and financial data. Coverage of the EU member states is also limited to a few key subject areas.

As valuable as the Checklist is, it has a few important limitations. It does not cover case law or determinations by regulatory agencies. Nor does it include proposed legislation, which is voluminous in light of the number of jurisdictions included among the U.S. states and the EU member states. The authors of the Checklist have sought to represent the state of the legal landscape as of the date of its publication. Inevitably, however, there will have been recent legal developments in some of the many covered jurisdictions that will not have come to their attention in time to include them. Given the dynamic nature of regulation touching upon privacy and the limited resources available, it is not feasible to keep the list continuously updated. We hope to update the Checklist annually, however, as resources allow.

Readers are encouraged to communicate with the Checklist’s editors and let us know of any new or additional laws or regulations that should be considered when the Checklist is updated. Our contact information: John Isaza, [email protected], and John Rothchild, [email protected]. The editors extend a hearty thanks to the team of volunteers whose efforts made this Checklist possible. They are listed in the contributors tab.

State Legislation Precluding Compelled Arbitration in Sexual Harassment Claims and the FAA

Recently enacted state laws targeting arbitration provisions in employment agreements specifically related to sexual harassment have come into conflict with the Federal Arbitration Act (FAA), as illustrated by recent court decisions in New York and California.

In the shadow of the #MeToo movement, many states sought to strengthen their human rights laws to combat the prevalence of sexual harassment in the workplace. One of the tools put forth in state statutes was to prohibit the use of the arbitral forum for claims of sexual harassment. This has resulted in a predictable clash with the mandates of the FAA, which provide that arbitration provisions in contractual agreements shall be upheld and binding on the parties with limited exceptions.

For instance, in New York, the state passed legislation in 2018, N.Y. C.P.L.R. § 7515, prohibiting the use of arbitration agreements for claims of sexual harassment regardless of the FAA. As a result, in Latif v. Morgan Stanley & Co. LLC, 2019 WL 2610985 (S.D.N.Y., June 26, 2019), the opposing positions of the FAA and the state legislation resulted in District Court Judge Denise Cote holding that the state law ban on mandatory arbitration in sexual harassment cases was preempted by the FAA.

As a general proposition, Judge Cote noted that the FAA preempts any state law that discriminates on its face against the FAA. The New York statute specifically provided that any mandatory arbitration provision in an employment contract which provides that arbitration is the only and final remedy for such a claim is “null and void.” Latif went to the Second Circuit Court of Appeals, where an application for an en banc hearing was submitted. The Second Circuit dismissed the appeal on January 15, 2020, for lack of jurisdiction because the district court had stayed the federal action pending arbitration, citing Katz v. Cellco P’ship, 794 F.3d 341 (2d Cir. 2015), which provides for a stay of the federal action where an arbitration is compelled; as such, there is no final determination to appeal. It is this author’s sense that, but for this stay, deference still would have been given to the FAA.

California recently passed legislation, Assembly Bill No. 51 (AB 51), banning employers from requiring the execution of an arbitration agreement as a condition of employment and prohibiting any discrimination or retaliation against employees who refuse to sign such an agreement. The legislation was scheduled to take effect on January 1, 2020, and it covered under its rubric not just sexual harassment claims, even though it was inspired by the #MeToo movement, but any employment-related disputes. On December 30, 2019, the federal district court in the Eastern District of California in the case of Chamber of Commerce of the United States of America, et al. v. Becerra, et al., 2:19-cv-2456 (KJM) (DB), issued a TRO until a hearing could be held on a temporary injunction. The court noted that the TRO was warranted by the conflict between the state law and the FAA and the upheaval the law going into effect would cause for employment agreements, even in the short term, where there is a serious question as to whether the law is preempted by the FAA. After hearing oral argument, the court temporarily enjoined the enforcement of the California statute on January 31, 2020.

Congressional action to amend the FAA would resolve this dispute. For instance, the Arbitration Fairness Act of 2017 was introduced in the 115th Congress to prohibit forced arbitration agreements for employment claims as well as civil rights and commercial claims. This legislation expired at the end of the 115th session without further action; however, similar legislation was introduced in the 116th Congress as the Forced Arbitration Injustice Repeal Act of 2019. It was approved by the House on September 20, 2019, by a vote of 225-186, but has not been acted upon by the Senate. In addition, there has been bipartisan legislation specifically targeting sexual harassment arbitration. The legislation, Ending Forced Arbitration of Sexual Harassment Act of 2017, which expired with the 115th Congress before being acted upon, has been reintroduced as Ending Forced Arbitration of Sexual Harassment Act of 2019 in the 116th Congress and is still going through the legislative process. This bill would provide a carve-out in the FAA for sexual harassment claims and may be a compromise versus banning all employment-related arbitrations.

As of today, the inherent conflict between the FAA and the states’ attempts to take steps to combat sexual harassment by targeting arbitration clauses will continue to be fought in cases such as the ones discussed above until the question reaches the Supreme Court or Congress takes action.

Getting Full Insurance Coverage for Your Actual Cyber Exposures: A Users’ Guide to the Nit and the Grit

By now, most businesses accept ongoing cyber threats as a fact of life. How could they not with the onslaught of daily news reporting about malware, phishing, ransomware, viruses, and various other hacking attacks? Some firms, accepting the reality of the threats, are deciding whether to ignore their cyber risks, fix them, or transfer them by way of insurance. This article considers this last option, specifically how you can obtain full insurance coverage for your actual cyber exposures at a fair premium.

Although not impossible, the process is a good deal more complex than, say, purchasing adequate fire insurance. What follows is a step-by-step primer on how to get the job done.  In a nutshell, you must first thoroughly assess your IT and non-IT risks and then retain a broker knowledgeable in cyber-risk insurance coverage so you can come to the bargaining table with an accurate understanding of the coverage you actually need.

Essential Steps

Step One. It is absolutely critical that you have a thorough, comprehensive assessment of your cyber exposures in hand to enable your critical decision-making. This assessment should cover your IT risks, including systems security, policies, procedures, and training, and your non-IT risks, including social media usage and policies, bring-your-own-device policies, Cloud-computing contracts, Internet of Things exposures, and compliance issues. Without such a thorough and comprehensive assessment, you simply cannot make informed, cyber risk-management decisions to protect your business.

Step Two. Retain a sophisticated broker who is savvy in the various cyber insurance coverages offered. There are a great number of underwriters offering cyber risk coverage, with the various coverages differing in the risks covered, the assessment of a policyholder’s risks, and the premiums charged. Only a truly qualified broker, experienced in the marketplace, can guide a business through the maze to the right coverage.

Step Three. This is the promised nit and grit. Any business needs two major classes of coverage: first-party liability coverage for risks it cannot remediate but are too pressing to ignore, and third-party liability coverage for damages it might cause, directly or indirectly, to third parties. An example of the former would be the intrusion of a virus that causes a disruption in a firm’s business, and of the latter a hacking attack that causes a breach or loss of a client’s data. The coverages set out below are those you should discuss with your broker and insist upon when you have the data to indicate the real risks.

Primary Liability Coverages

First-party liability coverage is for your firm to cover the costs incurred from a break-in to your systems. The essential elements of the coverage are:

  • Theft and fraud coverage for some of the costs of a theft or destruction of your data, or theft of your company’s funds. How much coverage you may be able to obtain may depend on how well-versed you are in the actual costs your business will incur.
  • Forensic investigation coverage for determining the cause of the intrusion.
  • Network and business interruption coverage can be the most important part of your cyber coverage. The carrier may impose limitations to this coverage, but one of them you should not permit is specifying that the intrusion must be caused by an intentional cyber attack. Not only may “intentional” be hard to prove, but for your business the result is the same: you are losing money because of the attack. Reasonable conditions on the coverage may include a time limit on when the coverage begins and the total length of outage the insurance will cover. You can negotiate these limitations if you are fully prepared to discuss the business exposures giving rise to the coverage you are seeking, including contingent business expenses which you probably will not be able to quantify in advance.
  • Extortion coverage pays the “ransom” you may be required to pay to get your systems back online, and usually the cost of the negotiators and forensic help needed to handle the demand. Although there is no way to quantify the demand in advance, ransomware tracking shows these demands are on the rise. Read the consent provisions carefully: most policies require the insurer’s approval before any payment is made, and a payment does not guarantee that the attacker’s decryption key will work or that stolen data will not be released.
  • Data loss and restoration coverage pays the cost of restoring any data that has been lost and possibly the cost of diagnosing the cause of the loss. Its out-of-pocket cost can be significant because it is typically subject to a substantial self-insured retention (deductible). You should ensure, to the extent possible, that this coverage is not limited by the cause of the loss. In this regard, it will be important for you to be able to demonstrate that you have taken the measures within your firm’s capability to remediate any IT or non-IT exposures revealed by your assessment, so that the insurer is comfortable omitting a cause-of-loss limitation.

Third-party liability coverage is to cover claims by third parties whose data within your possession has been hacked into or otherwise compromised. The essential elements follow:

  • Privacy coverage is to address claims by your firm’s customers, clients, and employees for breaches of their confidential information. This coverage should include any failure to protect the data, rather than specifying that the breach be intentional. You should also seek coverage for any failure to report the breach under applicable state reporting requirements, or failure to disclose a breach under applicable privacy laws.
  • Regulatory actions coverage should include defense costs for any governmental or civil investigations or requests for information, beginning with the onset of the investigation, whether or not the investigation is instigated by a formal complaint or “suit.” You also will need coverage for civil fines and penalties.
  • Notification costs include notifying third parties who may have been affected by your data breach. You should be prepared to inform the insurer of the number of people to be notified and the method and cost of notification. Ensure this data is included in the policy along with a provision allowing you to update this data on a regular basis. Given the constantly changing landscape of individual state notification laws, it behooves your counsel to keep track of the state requirements that may apply to your clients.
  • Crisis management is an important element of this coverage to defray the public relations costs of defending or repairing your reputation. These costs may be difficult to quantify in advance, but you would be advised to consider coverage to support a substantial budget. Reputational restoration can be one of the most important aspects of your post-breach efforts.
  • Call-center costs may be one of the most significant of your post-breach expenses. It is important to have coverage for these costs included, along with the number of people eligible to receive call-center services, the specific call-center services to be provided, and the call center’s hours.
  • Credit/identity monitoring coverage is included in most policies but may be limited by the individuals who can receive the services and the list of approved vendors.
  • Transmission of viruses and malicious code coverage protects against liability claims for damages caused by the transmission of viruses or other malicious code or data from your systems to another system. In practice almost any networked system can be used to relay malware (a compromised mailbox sending phishing to your clients, or a worm spreading to a connected partner network), so think carefully before declining this coverage; at the same time, you do not want to pay for coverage you genuinely do not need.

Other Important Considerations

Types of policies. Policies are generally divided into two major categories: “claims made” and “occurrence.” A claims made policy is triggered when a claim is made against the insured during the current policy period, regardless of when the act that gave rise to the claim took place. Occurrence policies cover claims that arise out of damage or injury that took place during a policy period, regardless of when claims are made. Most commercial general liability insurance is written on an occurrence form.

By way of example, a claim made by a customer in the current policy year that it suffered damage 10 years ago would be covered by a current claims made policy (subject to any retroactive date, discussed below). On the other hand, a claim arising from damage that occurred during a policy period 10 years ago, but not asserted until five years after that period ended, would be covered by the occurrence policy that was in force when the damage occurred.

Trigger. Cyber policies, whether claims made or occurrence, typically are triggered by an event that results in the loss of data during the policy period. The claims-made policies typically are more restrictive in terms of the events that can trigger coverage, and the timing of resulting claims in relation to the loss may limit or preclude available coverage. Thus, you may find the occurrence policies preferable, their higher premiums notwithstanding.

Defense obligations. In some cyber policies, the defense obligation can be triggered only by a “suit,” which requires a lawsuit or written demand against the insured. This definition may preclude defense of a claim that has yet to ripen into a lawsuit or written demand, where much of the defense costs on a particular matter may be spent. You should argue for less restrictive defense language so that there are no limitations as to coverage for governmental actions including investigations.

Choice of defense counsel. In some cyber policies, defense costs are covered only to the extent that the insured chooses from the insurer’s list of “panel” law firms. If the insured chooses a different firm, its defense costs probably will not be covered.

Given the substantial costs likely to be associated with a significant data breach—costs that could exceed the limits of the primary and applicable excess policies—you should have substantive input in the choice of counsel. Accordingly, you should argue for a policy with a balanced choice of counsel language, e.g., the insured and the insurer should mutually agree on defense counsel, and if they cannot agree, the insured will choose counsel for which the insurer shall pay up to a set hourly rate.

Retroactive coverage. Cyber policies often contain a “retroactive date,” before which losses arising from events will not be covered. Insurers often would like to fix the retroactive date at the initial date of coverage. This matters more in cyber than in most lines of insurance, because intrusions commonly go undetected for months: the breach you discover during the policy period may have begun well before it. Given that exposures unknown to you may have arisen some time ago, you should negotiate a retroactive date as far back as you can reasonably determine your exposures may have arisen.

Vendor liability. Acts and omissions of third parties may not be covered expressly, or may even be excluded, under some cyber policies. By way of example, if a company uses the services of a third-party vendor to maintain its confidential customer or employee information in the cloud, and the vendor experiences a data breach, your firm could be sued by its customers or employees. Whether you have coverage will depend on the policy language. Some cyber policies provide coverage for breaches of data maintained by third parties so long as there is a written agreement between the insured and the vendor to provide such services.

If you rely on a third party to maintain any of your confidential information, you should consider seeking a policy that expressly covers breaches of data maintained by the third party.

In the alternative, your contract with your cloud provider should include indemnification language backed up by a provision that the provider will maintain verifiable cyber-risk insurance. Self-insured retention language applicable to your coverage should be clear that any payments made by the third party indemnifying the company for loss sustained by the breach count toward satisfaction of the retention.

Loss of unencrypted data. Coverage for data lost from unencrypted devices is often excluded in cyber policies. If you must live with this limitation, ensure you have an enforceable firm policy that all personal information or sensitive firm information, in any format, is encrypted on individual devices, and keep records (for example, from your device-management tool) showing that each device was in fact encrypted, since you will have to prove encryption after a loss. Bear in mind that whole-disk encryption protects a device only when it is powered off or locked; a laptop lost while logged in, or with its passphrase on a note in the same bag, may still be treated as unencrypted. The better firm policy would prohibit personal information and sensitive firm information from personal devices, period.

Identity of covered entity. Many cyber policies define covered persons, for liability purposes, to include only natural persons. Your policy should accurately define the entity or entities who may be affected. This would also be the place to include any other entities who should be listed as additional insureds.

Policy territory outside the United States. Even if your firm does not operate outside the United States, your employees may lose their laptops, phones, and other portable devices containing confidential information, or have them stolen, while traveling abroad. Many cyber policies attempt to restrict the applicable coverage territory to the United States and its territories. You should ensure that your cyber policy provides coverage for losses or thefts of confidential information that occur outside the United States.

Breaches unrelated to electronic records. Some cyber liability policies restrict coverage to loss or theft of electronic data. Given that many breaches occur as a result of loss or theft of paper or other nonelectronic records, your policy should cover both electronic and other forms of records.

Location of security failure. Some cyber insurers attempt to limit coverage to physical theft of data from company premises. This limitation would deny coverage for claims arising from the theft of a laptop, phone, or thumb drive away from the office. Other policies limit coverage for data breaches resulting from password theft to situations where the theft occurs by nonelectronic means; since most credential theft today is electronic (phishing, keylogging malware, reuse of passwords exposed in someone else’s breach), such a limitation excludes the common case. You would be well advised not to permit these kinds of limitations, which could be costly in the long run.

Exclusions for generalized acts or omissions. Some cyber insurers will attempt to exclude coverage for losses arising from: (1) shortcomings in security of which the insured was aware prior to the inception of coverage; (2) the insured’s failure to take reasonable steps to design, maintain, and upgrade its security; and (3) certain failures of security software. If your firm performs a thorough cyber-risk assessment and acts on its remediation recommendations, you will be in a position to show the insurer that these exclusions are unwarranted in your case and to negotiate them out.

Exclusions for acts of terrorism or war. Many cyber policies include this common exclusion, which would seem to apply to an attack by a foreign nation. Attribution of a cyber attack to a nation-state is often contested, and insurers have invoked war exclusions against ordinary commercial victims of state-linked malware, so do not assume the exclusion is irrelevant to your business. If you cannot get the insurer to remove it, consider purchasing alternative coverage that addresses your concerns.

Conclusion

You absolutely can achieve your goal of obtaining cyber-risk coverage for your full range of cyber exposures, but only if you have a thorough assessment of your IT and non-IT risks in hand, retain a broker knowledgeable in cyber-risk insurance coverage, and come to the bargaining table fully prepared with the essential facts as outlined above.


Please feel free to contact the author:
Edward (“Ned”) M. Dunham, Jr.
Spector Gadon Rosen Vinci P.C.
1635 Market Street, 7th floor
Philadelphia, PA  19103
[email protected]
(215) 241-8802

Fintech Oversight—Collaboration Is Needed Now More Than Ever

For over a decade, financial firms have been collaborating with financial technology (fintech) companies on an array of products and services. The explosive growth of these collaborations has resulted in massive investments. As of Q3’19, these collaborations raised $24.6B. The growing use of fintech may be attributable to: (1) ongoing innovation, (2) more options and benefits for consumers, and (3) enhanced operational capabilities and efficiencies for financial institutions. Financial firms can use fintechs in place of outdated legacy models to deliver financial services to consumers. Tech-savvy consumers have access to services (often on their smartphones) that enable them to conduct trades, pay bills, and manage their funds. Start-up fintechs can leverage the name, resources, and access to well-established financial firms to deliver their technology products and services to a growing consumer pool.

Although these collaborations appear to be a win-win situation for all parties, growing risks have prompted greater regulatory focus, not to mention the need for better-defined compliance frameworks to manage risks.

Limited Oversight

For years, there was little to no oversight of fintech collaborations. The evolving and innovative nature of fintechs created the perfect environment for unknown or undetected compliance risks. Financial regulators were unfamiliar with these products and, as a result, unsure about how to regulate them. Requirements were murky at best, leaving the financial industry vulnerable to fraud, money laundering, terrorist financing, cybercrime, and other illegal activity.

More Focus, More Regulation

The “limited oversight” approach proved to be unsustainable as the growth and complexity of fintech partnerships triggered unique legal, regulatory, reputational, and other risks. In response, financial services regulators are stepping up their efforts to ensure better and more specific oversight of fintechs.

In the United States, regulators are incorporating fintechs into enforcement and rulemaking actions involving: (1) consumer protection laws; (2) licensing requirements; (3) anti-money laundering and know-your-customer rules and regulations; (4) privacy and data security regulations; (5) cybersecurity regulations; and (6) special considerations involving Blockchain and cryptocurrency.

As this is happening, regulators are trying to strike the right balance between promoting innovation and regulating these efforts properly. At the federal level, the Consumer Financial Protection Bureau (CFPB) has launched its Innovation Office that houses various resources, including a Compliance Assistance Sandbox, to help companies test innovative products and services for a limited period while sharing data with the CFPB. The CFPB has also launched the American Consumer Financial Innovation Network (ACFIN), a partnership with multiple state regulators to serve as a network that will help enhance coordination among federal and state regulators to facilitate financial innovation.

States are also getting into the act. Arizona’s fintech sandbox was the first state sandbox allowing participants to test their products for a limited time under regulatory supervision. Other states, such as Wyoming, Utah, and Nevada, are following Arizona’s lead with similar models.

Growing regulatory focus at both the federal and state levels is creating the potential for a patchwork of state and federal requirements. This potential outcome is further complicated by global regulation, because fintech arrangements often give access to a global consumer base. With that access comes the application of complex and often restrictive laws, such as the European Union’s General Data Protection Regulation (GDPR). Additionally, various countries around the world are assessing their current requirements to ensure they adequately manage the risks posed by fintechs. The Global Financial Innovation Network (GFIN) has emerged as an international effort at collaboration among regulators, including numerous U.S. federal and state agencies such as the CFPB and the New York Department of Financial Services.

Embrace Compliance

So, what should fintech collaborations do? They should have a practical and documented plan to establish and maintain a strong compliance program that manages risks and prepares for expanded regulatory scrutiny. Begin with the following preliminary steps: (1) know the current regulatory environment and applicable requirements at the state, federal, and international levels; (2) document current controls (no one needs to begin with a blank slate); and (3) identify risks (by priority) for engaging in these collaborations.

The next step should be to launch efforts to establish and maintain effective compliance controls. A sample framework for a fintech compliance program can include: (1) a dedicated compliance program administrator; (2) risk assessments to identify and address risks; (3) policies and procedures; (4) oversight measures to periodically assess the effectiveness of program controls; (5) maintenance of program controls through ongoing monitoring of regulatory and internal developments; (6) third-party management; (7) delivery of training; (8) recordkeeping requirements; (9) an escalation process for reporting violations; and (10) periodic reporting on the program. Feel free to make adjustments based on your needs and requirements, but do not procrastinate critical measures, and plan for what cannot be done immediately.

Make sure to factor in special considerations for a fintech compliance program, such as: (1) controls around how personal information is collected, managed, stored, and otherwise handled; (2) AML/CFT and KYC controls to help flag, address, and manage money laundering and suspicious activities as well as maintain customer due diligence protocols; and (3) information security controls to prevent, detect, and respond to breaches of company and customer information so that any response is timely and effective.

Some final considerations revolve around who must be involved. It is critical to engage legal, compliance, and risk personnel early and throughout the planning and implementation of fintech collaborations and compliance programs. Separately, regular presentations should be made to educate and inform boards and management on the fintech compliance program, as well as existing and emerging fintech-related issues and challenges. Management and the governing authority of the company must be knowledgeable about risks to make well-informed decisions.

Conclusion

Fintechs are no longer mere market disrupters; they are here to stay as integral players in the financial services sector. However, their success cannot be sustained without the responsible delivery of products and services, which is why fintech compliance must be an integral part of any collaboration. Effective compliance requires, at a minimum, knowledge of fintech regulatory requirements and issues. It also requires a documented and effective compliance program to help identify, manage, and possibly prevent regulatory, reputational, and unforeseen risks. Anything less could have an immediate or long-term impact on the fintech’s credibility, bottom line, and ultimately its business viability.

FTC and CFPB Host Workshop on Accuracy in Consumer Reporting

On December 10, 2019, the Federal Trade Commission (FTC) and Consumer Financial Protection Bureau (CFPB) held a joint workshop on accuracy in consumer reporting. The workshop included remarks from FTC Commissioner Noah Joshua Phillips, CFPB Assistant Director for Supervision Policy Peggy Twohig, CFPB Deputy Director Brian Johnson, and FTC Deputy Director for the Bureau of Economics Andrew Stivers. The workshop included four panels:

  • Panel 1: Furnisher Practices and Compliance with Accuracy Requirements
  • Panel 2: Current Accuracy Topics for Traditional Credit Reporting
  • Panel 3: Accuracy Considerations for Background Screening
  • Panel 4: Navigating the Dispute Process

Panelists included a range of stakeholders in the consumer reporting ecosystem, including representatives from consumer reporting agencies (CRAs), trade associations, furnishers, and consumer advocacy organizations.

In her closing remarks, Maneesha Mithal, associate director in the FTC’s Division of Privacy & Identity Protection, discussed three key takeaways and themes from the workshop:

  • Alternative Data. Mithal noted that the issue of alternative data came up on almost every panel, and that there appeared to be a consensus that using some types of alternative data may benefit consumers and the industry. Mithal noted that a number of panelists expressed caution about using “fringe data,” including social media data. In a panel discussion, Michael Turner, founder and president of the Policy and Economic Research Council (PERC), drew a distinction between “proven payment data,” including payments for utilities, media, and rent, and unproven “fringe data” or “unstructured data,” including information from social media. Turner, along with a number of other panelists, believed that reporting proven payment data would be beneficial for consumers. Francis Creighton, president and CEO of the Consumer Data Industry Association (CDIA), noted that consumers are currently experiencing the “downside” impacts of the reporting of negative information about the nonpayment or late payment of obligations for utilities, media, and rental housing, but are not receiving the “upside” benefits of reporting on the positive payment histories on those recurring obligations. Consumer advocates, such as Ed Mierzwinski of the U.S. Public Interest Research Group (PIRG), expressed skepticism regarding the use of certain alternative data, such as utility payment data, and the ability of the industry to ensure the accuracy of such data.
  • Role of Technology. Mithal also noted that there was some consensus that technology, including artificial intelligence (AI) and pattern recognition, may improve the quality and accuracy of consumer report information. Mithal stated that there appeared to be less consensus regarding the use of technology in data matching, with some panelists expressing the view that manual review is still necessary to ensure maximum possible accuracy. Mithal also noted that some panelists expressed the view that the CFPB should exercise its supervisory authority to examine CRAs and furnishers’ use of technology in consumer reporting.

    In general, industry panelists spoke favorably about the prospects for AI and other technologies. For example, Eric Ellman, senior vice president of public policy and legal affairs at CDIA, discussed the use of technology in dispute intake, including filtering credit repair disputes from legitimate consumer disputes. Chi Chi Wu of the National Consumer Law Center expressed skepticism about relying on AI and other technologies for data matching and dispute investigations.

  • Accuracy. Mithal concluded by discussing the accuracy of consumer reporting more generally, and stated that some panelists believe that regulators should issue specific guidance in this area. Mithal also noted that panelists discussed both the importance of data accuracy with respect to consumer reports and furnished data, including ways in which CRAs may oversee furnishers.

    In general, industry panelists pointed to substantial improvements made in recent years with regard to the accuracy of consumer reports, with repeated emphasis on improvements brought about by the National Consumer Assistance Plan (NCAP), an outgrowth of a multistate attorney general settlement with the three nationwide CRAs in May 2015. Turner discussed improvements between the early and more recent studies of data accuracy. Consumer advocates stressed continuing problems with data accuracy, including the reappearance of derogatory information on consumer reports.

Additional themes from the panels include:

  • Market Interest in Ensuring Accuracy. Many industry panelists emphasized that CRAs and furnishers benefit from an accurate and reliable consumer reporting system. These panelists explained that it is not beneficial to the market for CRAs or furnishers to provide inaccurate information, which could lead to financial institutions making incorrect credit or employment decisions. Creighton pointed to the financial crisis as an example of the risks associated with providing credit to consumers who cannot afford it. Mierzwinski disputed these accounts, pointing to certain studies that found high rates of inaccuracies on consumer reports and claiming that CRAs should invest more in technology. Representatives from the nationwide credit bureaus disagreed and described significant investments in technology to improve data accuracy and monitor furnishers.
  • Encouraging Smaller Furnishers to Furnish. Elisabeth Johnson-Crawford, the chief technical officer at Credit Builders Alliance (CBA), explained that CBA’s members would like to furnish information about their clients, who are typically low-income individuals seeking to build good credit. Johnson-Crawford described the standard Metro-2 format used for reporting information to the three nationwide CRAs as complex and a potential barrier for smaller companies to furnish information. Johnson-Crawford also discussed her members’ reliance on software vendors for furnishing data, and stated that regulators should provide additional incentives for these software vendors to ensure the accuracy and integrity of credit reporting data. Johnson-Crawford emphasized that in light of the regulatory environment, smaller furnishers are hesitating to furnish data to CRAs unless they are sure they can do it correctly.
  • Credit Repair Companies. There was a general consensus among panelists that the rise of credit repair companies is a negative factor in the credit reporting ecosystem. According to panelists, some credit repair companies are charging consumers high fees in exchange for submitting a large volume of disputes to CRAs for the purpose of removing accurate but negative information from consumer reports. Some panelists called for regulatory intervention to address this issue.
  • Supervisory Highlights. Several panelists referenced the Supervisory Highlights Consumer Reporting Special Edition that the CFPB released on December 10, 2019, which includes key findings from the bureau’s supervisory work with CRAs and furnishers. Some panelists praised the publication as a way for furnishers and CRAs to benchmark their own policies and procedures with respect to credit reporting, and to learn lessons from the mistakes of others. Wu cited the report’s findings that some CRAs are still relying on furnishers for reinvestigations without conducting an independent review. However, the CFPB found that examiners “have also observed significant improvements in [FCRA and Regulation V protections], including continued investment in FCRA-related CMS.”

The FTC and CFPB accepted comments on a wide range of topics affecting the accuracy of consumer reports until January 10, 2020. The FTC and CFPB did not discuss how they might use the workshop discussion and comments received.

The Small Business Reorganization Act: Big Changes for Small Businesses

Legal commentators have long lamented that chapter 11’s high costs and complexities make it too difficult for small businesses to successfully reorganize.[i] In response to these concerns, Congress recently passed amendments to the Bankruptcy Code known as the Small Business Reorganization Act (SBRA). On August 23, 2019, SBRA was signed into law.[ii]

Before SBRA, struggling businesses considering bankruptcy had two options: chapter 7 or chapter 11. Upon the filing of a chapter 7 case, a bankruptcy estate is created that is comprised of the debtor’s nonexempt property. A trustee is appointed to liquidate the assets of the bankruptcy estate and distribute the proceeds to the debtor’s creditors. Chapter 7 is not an option for a business hoping to survive bankruptcy and retain control of its operations.

In contrast, a chapter 11 debtor retains control over its operations and restructures its debts through a court-approved plan. Although the chapter 11 debtor retains control, the debtor is subject to increased oversight from the bankruptcy court and the U.S. trustee. The chapter 11 debtor’s plan to repay its debts must meet stringent requirements and be confirmed (i.e., approved) by the bankruptcy court before the debtor can exit bankruptcy. While in bankruptcy, the debtor is required to obtain the court’s approval of all nonordinary course-of-business transactions and must comply with the U.S. trustee’s monthly reporting requirements. As a result, a small business may not be able to afford the costs of a chapter 11.

The SBRA endeavors to strike a balance between chapter 7 and chapter 11. Under the SBRA, certain debtors can retain control over their business operations while reorganizing.[iii] However, they will no longer be subject to the more costly requirements of chapter 11.[iv] Unlike a traditional chapter 11 case, a trustee will be appointed in each small-business debtor case. The SBRA’s sponsors explain that the trustee will “perform duties similar to those performed by a . . . Chapter 13 trustee and help ensure the reorganization stays on track.”[v]

In addition, the SBRA provides that a committee of creditors will not be appointed unless ordered by the bankruptcy court for cause.[vi] This should decrease the costs of a chapter 11. When a creditor committee is formed in a chapter 11 case, the committee can hire its own professionals. However, the debtor is required to pay for the fees and costs of the committee’s professionals. Generally, the SBRA will now allow the small business debtor to avoid this additional expenditure.

Many of the SBRA’s amendments will streamline the plan confirmation process and potentially reduce plan confirmation costs. In a chapter 11 case, the debtor must file a disclosure statement with the bankruptcy court. The disclosure statement is a detailed document intended to inform creditors of key provisions in the debtor’s plan. It must be approved by the bankruptcy court before creditors can vote to accept the debtor’s plan. Under the SBRA, a debtor will generally not be required to prepare a disclosure statement.[vii] In a chapter 11 case, the debtor’s exclusive right to file a plan is limited. Once this exclusivity period expires, creditors are free to file their own competing plans. The SBRA permits only the debtor to file a plan of reorganization.[viii] The SBRA’s elimination of a disclosure statement and potential competing plans will prevent contested hearings that prolong the reorganization process and increase costs for debtors.

The SBRA also relaxes the requirements to confirm a plan. First, the owners of small-business debtors can retain their ownership interest provided the plan does not “discriminate unfairly” and is “fair and equitable.”[ix] It is also easier for the small-business debtor to confirm a plan over creditors’ objections. Essentially, a plan will be confirmed so long as it provides that all projected disposable income for three to five years will be used to make plan payments.[x] In addition, the required plan contents under the SBRA are less stringent than those for chapter 11 plans.[xi]

Ultimately, by lowering costs and simplifying the plan confirmation process, the SBRA aims to provide another option for small businesses wishing to reorganize.


[i] See H.R. Rep. No. 116-171, at 3 (2019); American Bar Association Business Law Section, 2019 Spring Meeting Materials and Audio, Too Broke to Go Bankrupt? The Impact of New US Trustee Fees on Midcap Bankruptcy Debtors (Mar. 29, 2019).

[ii] The SBRA will go into effect 180 days after the date of enactment. See H.R. 3311, § 5.

[iii] 11 U.S.C. § 1182 defines a “debtor” as a small-business debtor. Under 11 U.S.C. § 101(51D)(A), “small-business debtor” is defined as a “person engaged in commercial or business activities (including any affiliate of such person that is also a debtor under this title and excluding a person whose primary activity is the business of owning or operating real properties or activities incidental thereto) that has aggregate noncontingent liquidated secured and unsecured debts as of the date of the filing of the petition or the date of the order for relief in an amount not more than $2,725,625. . . .”

[iv] 11 U.S.C. § 1184.

[v] See Senator Chuck Grassley et al., The Small Business Reorganization Act (Apr. 9, 2019).

[vi] 11 U.S.C. § 1181(b).

[vii] A small-business debtor will not be required to file a disclosure statement unless ordered to do so by a bankruptcy court for cause. See 11 U.S.C. § 1181(b).

[viii] 11 U.S.C. § 1189. The SBRA’s deadline for a small-business debtor to file a plan is 90 days from the order for relief with such deadline to be extendable by the court if the extension is “attributable to circumstances for which the debtor should not justly be held accountable.” 11 U.S.C. § 1189(d).

[ix] 11 U.S.C. § 1191(b).

[x] See 11 U.S.C. § 1191(c). Disposable income is defined to mean income that is received by the debtor and that is not reasonably necessary to be expended—

                (1) for—(A) the maintenance or support of the debtor or a dependent of the debtor; or (B)  a domestic support obligation that first becomes payable after the date of the filing of the petition; or

                (2) for the payment of expenditures necessary for the continuation, preservation, or operation of the business of the debtor. 11 U.S.C. § 1191(d).

[xi] Compare 11 U.S.C. § 1190 with 11 U.S.C. § 1123.

Mitigating Your Business Risk: Board Responsibilities in Cybersecurity

High-profile cyber breaches have affected millions of customers and employees, resulting in unprecedented losses to businesses through direct costs in responding to the breaches, regulatory penalties, lawsuits brought by customers and business partners, business disruption, reputational damage, and loss of shareholder value. Officers and directors are increasingly facing the possibility of personal liability for these losses.

1. A Director’s Fiduciary Duties

In the past, directors were generally free from personal liability for cybersecurity breaches because directors’ cybersecurity duties were unclear. Personal fiduciary liability claims against Wyndham, Target, and Home Depot directors were all dismissed because the directors’ cybersecurity monitoring duties were not clear enough to be “known duties” that would give rise to personal liability. Courts also concluded that claims that directors should have known of threats or had access to information about threats did not create liability for fiduciaries.

However, current trends suggest that directors might be more likely to face personal liability for cybersecurity breaches in the future as directors’ cybersecurity responsibilities become clearer. Just this year, a judge in Georgia declined to dismiss a claim against a director of Equifax, Inc. who had personal knowledge of cybersecurity vulnerabilities, yet misrepresented the strength of the organization’s technology. Also this year, a judge in California approved the first settlement against directors and officers of Yahoo! Inc. relating to a data breach. The complexity and frequency of cybersecurity breaches, the severe consequences of a breach to corporations, and the growth of the cybersecurity industry all appear to clarify directors’ cybersecurity duties.

When directors fail to institute or monitor cybersecurity measures, or when they consciously disregard red flags that they have a known duty to address, shareholders may bring claims to hold directors personally liable. A recent decision by the Delaware Supreme Court in June of 2019, Marchand v. Barnhill, 212 A.3d 805 (Del. 2019), illustrates the importance of boards exercising reasonable oversight.

Marchand involved an ice cream manufacturer, Blue Bell Creameries, which operated numerous manufacturing plants in the United States. In 2015, Blue Bell suffered a listeria outbreak in several of its manufacturing plants that spread and caused the deaths of three people. The company was forced to recall its products, shut down production at several of its plants, and lay off a large part of its workforce. Blue Bell had a history of food safety violations, but there was little evidence that the board was addressing those concerns. Shareholders sued the officers and directors, alleging that they breached their fiduciary duties of loyalty by failing to make good-faith efforts to ensure that the company’s regulatory compliance programs were adequate. According to the complaint, the board had no committee overseeing food safety, no board-level process to address food-safety issues, and no process to be advised of food-safety reports or developments. Although the Delaware Court of Chancery dismissed the case against the directors, the Delaware Supreme Court reinstated the case, ruling that the complaint adequately alleged that the directors violated their duty of loyalty by consciously failing to attempt to assure that reasonable information and reporting systems existed and by failing to conduct reasonable investigations.

On October 1, the Delaware Court of Chancery denied a motion to dismiss a Caremark claim in In re Clovis Oncology, Inc. Derivative Litigation, C.A. No. 2017-0222 (Oct. 1, 2019). Clovis is the first decision to allow a Caremark claim to proceed beyond the pleadings since the Delaware Supreme Court’s decision in Marchand. The Clovis decision highlights (1) the importance of board-level efforts to oversee compliance with governing law and regulatory mandates, particularly in situations where compliance issues are critical to a “monoline” company, and (2) how stockholders are using books and records demands under 8 Del. C. § 220 to pursue fiduciary claims focused on those same compliance issues.

The principles of Marchand apply directly to cybersecurity risk. If a company suffers significant losses due to a data breach, and it is revealed that the directors failed to design board-level systems to oversee and monitor organizational risk, or consistently failed to monitor those systems for red flags or cyber threats or to conduct reasonable investigations, they could face personal liability. In June of 2014, then-SEC Commissioner Luis Aguilar counseled boards of directors that they are “already responsible for overseeing the management of all types of risks . . . and there can be little doubt that cyber risk also must be considered as part of the board’s overall risk oversight.”

2. Practical Guidance for Directors and Officers

The following are practical steps that directors and officers should take to minimize cybersecurity risks to their organizations as well as their own risk of personal liability.

  • Understand the laws, regulations, and guidance relating to data security and privacy that are applicable to your organization by consulting with the appropriate experts. Be aware of which regulatory bodies have authority over the organization.
  • Ensure that your organization has conducted a cyber-risk assessment and understand your vulnerabilities. Be aware of what type of data your organization collects or maintains and how the data flows through the organization.
  • For public companies, ensure that there are effective controls and procedures to address cybersecurity risks and incidents in required public filings and disclosures.
  • Ensure that your organization has a written information security program and data privacy and security policies that are tailored to your risk profile. Ensure that employees receive regular and frequent security and privacy training, that policies are regularly updated, and that policies are properly implemented and enforced.
  • Implement cybersecurity reporting systems and controls and monitor these systems to remain abreast of potential risks, red flags, and cybersecurity threats.
  • Ask cybersecurity personnel about the security practices and policies of the organization and about any changes or red flags related to cybersecurity. Consider deficiencies revealed in audits and adopt a security plan that is tailored to the organization’s specific risk profile.
  • Be aware of which members or committees of the board have cybersecurity responsibilities. Ensure that at least one director is sufficiently technically educated to lead board discussions and questions on information security.
  • Include cybersecurity as a regular topic at board meetings and ensure that, in both appearance and substance, the board is focused on the organization’s security.
  • Establish a culture of security by consistently updating and enforcing physical and technological security policies. A “tone at the top” is critical to achieving a culture of security.
  • Oversee the prudent selection and monitoring of vendors and service providers to ensure that the organization’s information remains free of unnecessary risk and that contracts with vendors contain appropriate security and privacy obligations, remedies for breach, and audit rights.
  • Be familiar with insurance policies that cover cyber risk and data breach response. Ask about their policy limits and exclusions, and whether they cover both first- and third-party data losses.

3. Conclusion

Directors and officers have a duty to oversee an organization’s management of its cybersecurity risks. Instituting, updating, and monitoring system controls is key to avoiding personal fiduciary liability, and directors should give special attention to any red or yellow flags. As cybersecurity threats continue to proliferate, directors’ good-faith efforts to fulfill their oversight duties will not only protect them from potential personal liability but will also protect the organization, its customers, employees, and shareholders.