The Demand Review Committee: How It Works, and How It Could Work Better

Stockholders must ordinarily make a demand on their board of directors before initiating litigation on the corporation’s behalf. But the litigation consequences of a stockholder demand—a binding concession of the board’s ability to impartially consider a demand—are so harsh in the ensuing litigation that stockholders rarely choose that path. The demand requirement is thus falling short of its promise as an internal dispute resolution mechanism. If, as we suggest, stockholders typically avoid making a demand and instead prefer to initiate litigation and raise demand futility arguments, no matter how weak, they deprive independent boards of the opportunity to consider the merits of potential litigation outside the courtroom. We propose a private-ordering solution, in which stockholders and boards can agree, if they choose, to reserve rights on demand futility arguments while a demand review process is undertaken. This would allow boards to engage with stockholders in the review process, and would replace some demand futility litigation with boardroom deliberation, thereby restoring the internal dispute resolution function to the demand requirement.

I. INTRODUCTION

Stockholder derivative litigation follows a familiar path. The plaintiff files a complaint, alleging that demand is futile. The defendants move to dismiss under Court of Chancery Rule 23.1,1 arguing that the plaintiff failed to make a demand on the board of directors to bring the suit on behalf of the corporation. The motion is usually coupled with a motion to dismiss under Rule 12(b)(6)2 for failure to state a claim. If the Court of Chancery grants the motion to dismiss on either ground, the matter ends. If the Court of Chancery denies the motion, then the parties litigate or propose a settlement of the case, unless and until the corporation forms a special litigation committee to regain control from the plaintiff.3

What happens, though, if instead of pleading demand futility, the plaintiff actually makes a litigation demand? This path appears to be traveled less frequently, and appears to be less well understood by practitioners and directors alike. Accordingly, this article highlights the review process undertaken by a committee that is formed to consider a demand. It also highlights the differences between demand review committee practice and special litigation committee practice. Finally, it proposes a modest adjustment to our law that would restore some of the functionality of the demand requirement, which has eroded over time.

II. BACKGROUND OF THE DEMAND REQUIREMENT

The board of directors has the statutory authority to manage “[t]he business and affairs” of a corporation,4 including its legal claims.5 As a corollary, the board also has the fiduciary responsibility to manage the corporation’s legal claims with care and loyalty to the corporation and its stockholders.6

The demand requirement balances the board’s statutory authority and its accountability to the corporation and its stockholders.7 It requires a stockholder who seeks to litigate derivatively on the corporation’s behalf to first demand that the board pursue the claim, unless she can plead particularized facts tending to show that demand would be futile. A derivative action is thus effectively two suits in one, with the question of demand futility at its fulcrum: “First, it is the equivalent of a suit by the shareholders to compel the corporation to sue. Second, it is a suit by the corporation, asserted by the shareholders on its behalf, against those liable to it.”8

Demand is futile if a majority of the board is interested in the underlying claim, lacks independence, or faces a substantial risk of personal liability, including because there is a reasonable doubt about whether the challenged transaction was a valid exercise of business judgment.9 For purposes of considering a litigation demand, a director is interested if she has a material interest in the subject matter of the demand that is not shared by the corporation or its stockholders.10 A director lacks independence if she is beholden to a person or entity that is interested in the subject matter of the demand.11 A director who faces a substantial risk of personal liability in the underlying claims is deemed interested in the outcome of the investigation.12

The demand requirement thus permits a corporation to dismiss a derivative action “if its board is comprised of directors who can impartially consider a demand.”13

III. THE DEMAND REVIEW COMMITTEE

If a stockholder plaintiff makes a litigation demand, the stockholder cedes control of the corporation’s claim to the board of directors.14 The board determines “the best method to inform itself of the facts relating to the alleged wrongdoing and ‘the considerations, both legal and financial, bearing on a response to the demand.’”15 In some circumstances, depending on the substance of the demand, the full board will act on the demand without the need for investigation. But if the demand warrants an investigation, the board often forms an ad hoc “demand review committee” to investigate the subject matter of the demand and make recommendations to the full board about how to respond.

A. COMMITTEE FORMATION, AUTHORIZATION, AND MEMBERSHIP

By making a demand on the board, the would-be stockholder plaintiff concedes that a majority of the board is capable of impartially considering the demand.16 Yet, the disinterestedness and independence of the members of the board remain critical concerns in committee formation, even after a demand has been made:

Simply because the composition of the board provides no basis ex ante for the stockholder to claim with particularity and consistently with Rule 11 that it is reasonable to doubt that a majority of the board is either interested or not independent, it does not necessarily follow ex post that the board in fact acted independently, disinterestedly or with due care in response to the demand. A board or a committee of the board may appear to be independent, but may not always act independently.17

And, although a stockholder plaintiff concedes the independence of a majority of the board by making a demand, the demand typically does not identify a subset of particular board members to whom the demand is directed.18 Consider, for example, a five-member board, two of whom are fiduciaries of the corporation’s controlling stockholder and the other three of whom are outside independent directors. A stockholder plaintiff might demand that the board investigate claims against the controlling stockholder, thus conceding that a majority of the board—three of five—is capable of impartially considering the demand. But if the board chooses to form a three-member committee and includes the two dual fiduciaries, it will not fare well.19 As a result, when considering whether to form a demand review committee, a board should identify a subset of directors whose independence, disinterestedness, and impartiality are as unassailable as possible given the underlying allegations and the composition of the board.20

In addition to vetting board members for their independence and disinterestedness, demand review committee members also must prepare, with the assistance of independent counsel and other advisors as necessary, to do the work required to investigate properly the matters at issue in a demand. This has a practical dimension, in that demand review committee investigations can take many months.21 But it also has a legal element; although the effort expended by the committee should be proportional to the issues at stake in the demand, the vigor with which a demand review committee investigates its subject matter from the outset helps to establish the committee’s independence-in-fact.22

So too does an appropriate committee charter. The charter of a board committee is an important document that delineates the committee’s objective and its authority.23 For a committee process to be successful, the committee’s charter must provide it contextually sufficient authority to fulfill its mandate; a committee that is not given sufficient authority may never overcome that obstacle.24

In its charter, a demand review committee should be given all of the power and resources it needs to conduct a proportionately thorough, independent investigation into the facts and circumstances giving rise to the demand.25 Because a stockholder who made a demand has already conceded that a majority of the full board can impartially consider the demand, the demand review committee need only make recommendations to the full board on how to respond to the demand.26 It need not be granted the full power and authority of the board to act on behalf of the corporation. Doing so may give rise to a “counter-concession” that the non-committee members of the board are incapable of faithfully considering the demand, even upon recommendation from the demand review committee.27

To avoid any implications or inferences that could be drawn by committee membership, the demand review committee charter should identify the members of the committee, the rationale for their inclusion, and the rationale for the exclusion of others.28 A demand review committee charter should also permit the committee to hire its own advisors, paid for by the company, and should grant the committee access to management and company resources as needed.29

B. COMMITTEE INVESTIGATION

Once a demand review committee investigation is successfully launched, with independent and disinterested committee members, independent advisors,30 and all of the resources it needs, it has wide latitude to chart its own course, and should follow wherever the facts lead. “In any investigation, the choice of people to interview or documents to review is one on which reasonable minds may differ. . . . Inevitably, there will be potential witnesses, documents and other leads that the investigator will decide not to pursue.”31 As with a merger,32 in the demand review context “there is obviously no prescribed procedure that a board must follow.”33

But if the committee, advised by its own counsel, makes its own decisions about the scope of its investigation, those decisions are given great weight so long as they are well documented and not grossly negligent. Courts have found investigations adequate when the committee chose to interview as few as two34 and as many as “more than 25”35 witnesses. And, courts have rejected arguments that an investigation was deficient for not interviewing certain witnesses, without particularized facts showing that those witnesses had unique knowledge that could have changed the outcome.36

Despite the leeway they are given, demand review committees should consider engaging with the demanding stockholder during the investigation to address in advance any perceived deficiencies.37 They should give serious consideration to interviewing witnesses specifically identified by the demanding stockholder as being witnesses who would corroborate the underlying claims.38 At a minimum, demand review committees should ensure they do not overlook any of the facts and circumstances specifically referenced in the demand.39

C. COMMITTEE RECOMMENDATIONS AND JUDICIAL REVIEW

Following its investigation, a demand review committee has broad discretion about how to develop and present its recommendation to the full board. The committee can, and should, think like a plaintiff and assess the expected value of the corporation’s litigation assets, taking into account the merits of any claims and defenses, damages, and the collectability of any judgment.

It may also make non-litigation recommendations, “including the advisability of implementing internal corrective action.”40 This remedial flexibility is part of the flexibility of the demand requirement and committee process. Even assuming that a stockholder plaintiff’s lawyer has the corporation’s best interests in mind, she has available only the blunt instrument of litigation. Directors may pursue less costly, more effective remedies, such as changing corporate policies and practices, making personnel decisions, and revising corporate documents.

The committee’s recommendation should be followed by the board, absent highly unusual circumstances. A board that does not follow the recommendation of a demand review committee acts at its own peril.41

Whatever its decision, the board should then communicate its decision to the stockholder plaintiff, along with the bases for its decision.42 If the plaintiff seeks books and records pursuant to section 220 of the Delaware General Corporation Law43 in support of a claim that the demand was wrongfully refused, the defendants should expect to produce (1) minutes of any meeting of the board or demand review committee where the demand was discussed; (2) reports and presentations by the demand review committee in support of its recommendation; and (3) other materials that formed the basis for the committee’s recommendation.44 As a result, the committee and its advisors should proceed with its investigation and recommendation on the assumption that at least those basic materials will be discoverable.

The plaintiff pleading wrongful refusal faces a high burden. To survive a motion to dismiss, a plaintiff must plead “particularized facts . . . supporting an inference that the committee, despite being comprised solely of independent directors, breached its duty of loyalty, or breached its duty of care, in the sense of having committed gross negligence.”45 In addition to disputing the substance of the committee’s investigative determinations regarding the merits, the plaintiff must also contend with the board’s business judgments about the cost and distraction of litigation and the effects litigation could have on the company’s business and operations.46

Not surprisingly, it appears that the plaintiffs in only two published Delaware decisions have survived motions to dismiss, and both involved egregious and unusual fact patterns.47 In Thorpe, a committee investigated the matters at issue in the demand and made recommendations to the board. But the board took no action in response to the demand and did not disclose the substance of the committee’s recommendations. The members of the committee promptly resigned.48 And in Seaford Funding Limited Partnership v. M&M Associates II, L.P., the interested general partner of a limited partnership took no action in response to a demand that it investigate claims relating to a debt owed to the partnership by another affiliate of the general partner.49

D. DEMAND REVIEW COMMITTEE PRACTICE COMPARED WITH SPECIAL LITIGATION COMMITTEE PRACTICE

As highlighted above, there are many surface-level similarities between the way that a demand review committee functions and that of a special litigation committee formed under Zapata50 and its progeny. There are important differences, however, between the structure and function of those two kinds of committees, most owing to their origin and the corporate power dynamics at stake.51

As its name implies, a demand review committee is formed in response to a stockholder demand. And, as discussed above, a stockholder who makes a demand has effectively conceded that demand is not excused.52 In the parlance of the dual-natured derivative suit, a stockholder who makes a demand has conceded phase one—the “suit by the shareholders to compel the corporation to sue.”53 The stockholder thus lacks the power to assert the corporation’s claim, and demands that the board do so instead.

A special litigation committee, by contrast, typically comes into existence only after a stockholder has established demand futility, whether by judicial decision or by the defendants’ concession. Accordingly, a special litigation committee operates to wrest control of the litigation away from a stockholder plaintiff who had assumed “the legal managerial power to maintain a derivative action to enforce the corporation’s claim.”54 The statutory power to do so is retained by the board under sections 141(a) and 141(c) of the Delaware General Corporation Law, notwithstanding that the board is “tainted by the self-interest of a majority of its members.”55 The power vests, however, only in a special litigation committee whose members are independent and disinterested, and which conducts a reasonable investigation in good faith.56

As a result, the independence and disinterestedness inquiries that are important for a demand review committee are vital to a special litigation committee. The independence and disinterestedness of the members of a special litigation committee are the committee’s font of corporate power. And because the board’s power is vested in the special litigation committee, its charter should reflect that power, and should authorize the committee to ultimately decide, on the corporation’s behalf, how to proceed with respect to the claims without interference from other board members. It should not merely make a recommendation.57

The skepticism about the potential structural bias in the special litigation committee context also recommends a higher standard of judicial review than the business judgment rule deference that is given to a demand review committee process and recommendation.58 The Zapata court was “mindful” that in the special litigation committee context, “directors are passing judgment on fellow directors in the same corporation,” which raises the potential for “perhaps subconscious abuse.”59 As a result, the court crafted a two-step standard of judicial review. A special litigation committee seeking to terminate derivative litigation must establish (1) the independence, good faith, and reasonableness of its investigation; and also (2) that the termination or course of action is in the corporation’s best interests, in the business judgment of the Court of Chancery.60 This standard is far more rigorous than the business judgment rule standard applicable to demand review committees. It has also been shown empirically to deter special litigation committees from being used as a tool for dismissing meritorious cases.61

IV. THE DEMAND REQUIREMENT’S INTERNAL DISPUTE RESOLUTION PROBLEM AND THE AIG SOLUTION

An aggrieved stockholder who believes that the corporation is sitting on a valuable claim faces a stark choice between making a demand and attempting to plead demand futility. In theory, the interests of a stockholder plaintiff and those of a disinterested, independent board majority should merge. Both should be seeking to maximize the same long-term interests of the corporation, with the directors best suited to deploy the corporation’s assets, including its legal claims, to achieve those goals. Accordingly, in the ideal world of stockholder litigation, a stockholder should be confident of a good outcome for the corporation when she entrusts independent directors with a valuable corporate asset by making a demand, even at the cost of conceding demand futility.

But in practice, much of stockholder litigation is lawyer-driven.62 And in many cases, from the perspective of a plaintiff’s lawyer seeking control of a lucrative fee opportunity, making a demand is less appealing than taking a shot at pleading demand futility. The aggregate result is that the demand requirement is underused and falls short of its promise as a tool for promoting internal dispute resolution.63

In Starr International Co. v. United States,64 a recent case that arose from the U.S. government bailout of AIG during the 2008 financial crisis, the AIG board crafted an innovative demand procedure that, if deployed in an appropriate case, could help fulfill the internal dispute resolution function of the demand requirement.65 The plaintiff, Starr International Company, asserted derivative claims on AIG’s behalf against the federal government, challenging transactions by which the government extended up to $85 billion of credit to AIG to stave off a liquidity crisis.66 Starr alleged in its complaint that demand on AIG’s board would be futile, but “Starr and AIG entered into an agreement in which Starr agreed to make a demand on the AIG Board with respect to all derivative claims.”67 Critically, notwithstanding the default rule that under Delaware law a stockholder who makes a demand concedes that demand is not excused as futile,68 the agreement permitted Starr to reserve the right, if its demand was refused, to “challeng[e] the Board’s decision to refuse the demand by filing amended complaints alleging that the demand was wrongfully refused and/or not required as a matter of law.”69

Under this agreement, Starr made its demand, and the parties presented the AIG board with three rounds of adversarial briefing and in-person presentations.70 The board asked pointed questions of counsel for the parties, consulted with its own counsel, and ultimately decided unanimously to reject the demand.71

As the agreement allowed, Starr amended its complaint to advance demand futility and wrongful refusal arguments.72 Citing Grimes and Spiegel, the Court of Federal Claims surprisingly rejected Starr’s demand futility argument, reasoning that Starr’s demand “conclusively waive[d] any right to assert demand futility.”73 The court further held that “Starr’s September 5, 2012 agreement with AIG, in which Starr purportedly reserved ‘the right to assert that demand was . . . excused,’ is insufficient to overcome binding black letter law.”74

As a matter of corporate power, the black-letter law cited in Starr that a stockholder concedes any arguments about demand futility by making a demand traces back through Grimes and Spiegel to the Delaware Supreme Court’s decision in Stotland v. GAF Corp.75 In Stotland, the plaintiffs tried and failed to establish demand futility, and their derivative action was dismissed.76 They appealed.77 With that appeal pending, one of the plaintiffs made a demand, and the board referred the demand to a demand review committee.78 Citing Zapata,79 the Stotland court reasoned “that once a demand has been made, absent a wrongful refusal, the stockholders’ ability to initiate a derivative suit is terminated.”80

But Zapata itself does not answer the timing question. It holds merely that “[a] demand, when required and refused (if not wrongful), terminates a stockholder’s legal ability to initiate a derivative action. But where demand is properly excused, the stockholder does possess the ability to initiate the action on his corporation’s behalf.”81 Zapata does not hold that a plaintiff, as in Starr, lacks corporate power to make a demand, provisionally, before it is determined whether demand was, in fact, required or not. Thus, it is questionable whether demand futility in this context should be deemed conclusive, rather than treated as a default rule in the absence of an agreement between the complaining stockholder and the corporation.

It is hard to see the case to be made against private ordering by sophisticated parties to permit a conditional demand. As the landscape currently exists in Delaware, a stockholder gets two bites at the apple if she litigates futility first, then makes a demand as a fallback. If the same stockholder makes a demand first, however, then the futility door is closed.82 This is backwards, if the demand requirement is expected to fulfill an out-of-court dispute resolution function.

In weak cases, defense lawyers would likely adopt the same posture they do in the current regime, which is to wait for a stockholder to act and respond accordingly, with either a Rule 23.1/12(b)(6) dismissal motion or a demand refusal. But in stronger cases, a stockholder could make a provisional demand and her attorneys could participate in the dispute resolution process. The parties could follow in the footsteps of the AIG board and make a faithful demand decision, informed by a deep, adversarial process involving a stockholder plaintiff’s counsel. This would allow the demand requirement to once again fulfill its oft-repeated promise of serving as an internal dispute resolution mechanism, and would lead to more informed demand decisions.

V. CONCLUSION

The demand requirement, and the demand review committee process that often follows a demand, are vital cogs in the corporate governance machinery. But they are underused, in part because of the harsh consequences of a stockholder making a demand. If the law allowed for a conditional demand, as we believe it should, the demand requirement could serve an internal dispute resolution function that is often discussed, but rarely put into practice.

In our view, Delaware law does and should allow for a conditional demand. But it does not do so expressly, and making that position more clear to stockholders and their counsel would be a welcome addition to our law. The change could be implemented on a legislative level, by amendment to the Delaware General Corporation Law. But the derivative suit mechanism and the demand requirements are judge-made creatures of equity,83 making a legislative pronouncement seem unnecessary and perhaps out of place. In our view, a judicial decision in an appropriate case by the Delaware Court of Chancery or Delaware Supreme Court could address the matter, but the wait for an appropriate case might be interminable, as a stockholder plaintiffs’ lawyer aware of the Starr decision might rightly be reluctant to follow a similar path. Perhaps the most appropriate solution, therefore, would be an addition to Court of Chancery Rule 23.1,84 which codifies and implements the demand requirement.

Regardless of the form, we believe that Delaware law currently supports the making of a provisional demand with agreement by the parties, and that stockholders, corporations, and their counsel would benefit if that were clearly expressed.

_____________

1. DEL. CT. CH. R. 23.1.

2. DEL. CT. CH. R. 12(b)(6).

3. See generally Zapata Corp. v. Maldonado, 430 A.2d 779 (Del. 1981).

4. DEL. CODE ANN. tit. 8, § 141(a) (2016).

5. E.g., Grimes v. Donald, 673 A.2d 1207, 1215 (Del. 1996) (“If a claim belongs to the corporation, it is the corporation, acting through its board of directors, which must make the decision whether or not to assert the claim.”); In re Ezcorp Inc. Consulting Agreement Derivative Litig., 130 A.3d 934, 943 (Del. Ch. 2016) (“But when a corporation suffers harm, the board of directors is the institutional actor legally empowered under Delaware law to determine what, if any, remedial action the corporation should take, including pursuing litigation against the individuals involved.”); McPadden v. Sidhu, 964 A.2d 1262, 1269 (Del. Ch. 2008) (“A derivative action ‘fetters managerial prerogative’ because it is the directors, not stockholders, who manage the business and affairs of a corporation, which includes determining whether to assert legal claims on behalf of the corporation.” (quoting Caruana v. Saligman, C.A. No. 11135, 1990 WL 212304, at *3 (Del. Ch. Dec. 21, 1990))).

6. Aronson v. Lewis, 473 A.2d 805, 811 (Del. 1984); see also Quadrant Structured Prods. Co. v. Vertin, 115 A.3d 535, 548 (Del. Ch. 2015).

7. Cochran v. Stifel Fin. Corp., C.A. No. 17350, 2000 WL 286722, at *10 n.41 (Del. Ch. Mar. 8, 2000) (“As a historical matter, . . . it appears that the derivative suit was a common law development designed to ensure basic fairness and that the demand requirement was judicially created to guarantee that the statutory power of directors to manage the legal affairs of the company was not disregarded except when necessary to serve the policy purpose justifying the recognition of the derivative suit in the first instance.”), aff’d in part & rev’d in part on other grounds, 809 A.2d 555 (Del. 2002).

8. Aronson, 473 A.2d at 811; see also Ezcorp, 130 A.3d at 943–44.

9. See generally Rales v. Blasband, 634 A.2d 927, 933–34 (Del. 1993) (where the board did not make a business decision that is the subject of the underlying litigation, the demand futility test requires the court “to examine whether the board that would be addressing the demand can impartially consider its merits without being influenced by improper considerations”); Aronson, 473 A.2d at 814 (“[I]n determining demand futility the Court of Chancery in the proper exercise of its discretion must decide whether, under the particularized facts alleged, a reasonable doubt is created that: (1) the directors are disinterested and independent and (2) the challenged transaction was otherwise the product of a valid exercise of business judgment.”).

10. Rales, 634 A.2d at 936.

11. Aronson, 473 A.2d at 815–16.

12. Rales, 634 A.2d at 936.

13. In re Oracle Corp. Derivative Litig., 824 A.2d 917, 939 (Del. Ch. 2003).

14. Spiegel v. Buntrock, 571 A.2d 767, 775 (Del. 1990).

15. Belendiuk v. Carrion, C.A. No. 9026-ML, 2014 WL 3589500, at *5 (Del. Ch. July 22, 2014) (quoting Rales, 634 A.2d at 935).

16. Scattered Corp. v. Chi. Stock Exch., Inc., 701 A.2d 70, 74 (Del. 1997) (“If the stockholders make a demand, as in this case, they are deemed to have waived any claim they might otherwise have had that the board cannot independently act on the demand.”); Grimes, 673 A.2d at 1215; Spiegel, 571 A.2d at 775 (“By making a demand, a stockholder tacitly acknowledges the absence of facts to support a finding of futility. Thus, when a demand is made, the question of whether demand was excused is moot.” (citations omitted)). This concession is limited to the issue of demand futility—phase one of the two-part derivative action. Grimes, 673 A.2d at 1218–19 (“If a demand is made, the stockholder has spent one—but only one—‘arrow’ in the ‘quiver.’ The spent ‘arrow’ is the right to claim that demand is excused.”); see also Scattered, 701 A.2d at 74–75 (“It is not correct that a demand concedes independence ‘conclusively’ and in futuro for all purposes relevant to the demand.”).

17. Grimes, 673 A.2d at 1219.

18. See Elena C. Norman & Richard J. Thomas, Special Demand Committees: Practical Insights for the General Counsel, 32 DEL. LAW. 14, 16 (2014).

19. Thorpe v. CERBCO, Inc., 611 A.2d 5, 10 n.5 (Del. Ch. 1991) (“[W]hile the board may have been able to act independently through a fully empowered special committee of independent directors (thus justifying a stockholder in making demand), the board in fact chose not to do so, thus justifying treating the board as not independent.”).

20. Although the legal standards for independence and disinterestedness are the same, the stakes are arguably higher in the context of a special litigation committee than for a demand review committee. See infra Part III.D; see also Beam v. Stewart, 845 A.2d 1040, 1055 (Del. 2004) (“Unlike the demand-excusal context, where the board is presumed to be independent, the SLC has the burden of establishing its own independence by a yardstick that must be ‘like Caesar’s wife’—‘above reproach.’” (quoting Lewis v. Fuqua, 502 A.2d 962, 967 (Del. Ch. 1985))).

21. See, e.g., Ironworkers Dist. Council of Phila. & Vicinity Ret. & Pension Plan v. Andreotti, C.A. No. 9714-VCG, 2015 WL 2270673, at *26 (Del. Ch. May 8, 2015) (“The Committee . . . over nine months vigorously investigated the circumstances alleged in the Stockholder Demands, including interviewing 23 witnesses, reviewing hundreds of documents, reviewing 25 days of deposition testimony and the entirety of the Monsanto Litigation transcript, and conducting additional research. At the end of this process, the Committee produced the 179–page Report, exclusive of exhibits . . . .”), aff’d, 132 A.3d 748 (Del. 2016).

22. See Grimes, 673 A.2d at 1219.

23. See generally GREGORY V. VARALLO ET AL., SPECIAL COMMITTEES: LAW AND PRACTICE 40–53 (2d ed. 2014).

24. See, e.g., Ams. Mining Corp. v. Theriault, 51 A.3d 1213, 1221–22 (Del. 2012) (“The resolution creating the Special Committee provided that the ‘duty and sole purpose’ of the Special Committee was ‘to evaluate the [Merger] in such manner as the Special Committee deems to be desirable and in the best interests of the stockholders of [Southern Peru],’ and authorized the Special Committee to retain legal and financial advisors at Southern Peru’s expense on such terms as the Special Committee deemed appropriate. The resolution did not give the Special Committee express power to negotiate, nor did it authorize the Special Committee to explore other strategic alternatives.”); see also In re CNX Gas Corp. S’holders Litig., 4 A.3d 397, 404 (Del. Ch. 2010) (“The scope of the authority that the CNX Gas board provided to the Special Committee was limited. The Special Committee was authorized only to review and evaluate the Tender Offer, to prepare a Schedule 14D-9, and to engage legal and financial advisors for those purposes. The resolution did not authorize the Special Committee to negotiate the terms of the Tender Offer or to consider alternatives.”).

25. For efficiency’s sake, the demand review committee charter should be broad enough to encompass future demands regarding the same subject matter. See Kops v. Hassell, C.A. No. 11982-VCG, 2016 WL 7011569, at *4–5 (Del. Ch. Nov. 30, 2016) (rejecting argument that demand review committee relied on previous demand investigation of similar subject matter); Andreotti, 2015 WL 2270673, at *2 (discussing committee’s investigation of demands made by “several stockholders”).

26. FLI Deep Marine LLC v. McKim, C.A. No. 4138-VCN, 2009 WL 1204363, at *2 (Del. Ch. Apr. 21, 2009) (“[I]n response to the Plaintiffs’ demand letter, the Board formed a special committee to investigate the allegations asserted in the demand letter and to make a recommendation to the Board . . . .”).

27. Cf. Sutherland v. Sutherland, C.A. No. 2399-VCN, 2010 WL 1838968, at *6 (Del. Ch. May 3, 2010) (concluding that by appointing a special litigation committee to investigate claims, defendants conceded that non-committee directors were interested or lacked independence).

28. See VARALLO ET AL., supra note 23, at 66–72.

29. Id.

30. To state what should be obvious, the committee’s counsel should not be the same firm who represented the would-be defendants in the underlying claims. See Taneja v. Familymeds Grp., Inc., C.A. No. HHD-CV-09-4045755-S, 2012 WL 3934279, at *5 (Conn. Super. Ct. Aug. 21, 2012).

31. Mount Moriah Cemetery ex rel. Dun & Bradstreet Corp. v. Moritz, C.A. No. 11431, 1991 WL 50149, at *4 (Del. Ch. Apr. 4, 1991), aff’d, 599 A.2d 413 (Del. 1991); see also Halpert Enters., Inc. v. Harrison, C.A. No. 07-1144, 2008 WL 4585466, at *2 (2d Cir. Oct. 15, 2008) (applying Delaware law) (“[T]here is no rule of general application that a board must interview every possible witness who may shed some light on the conduct forming the basis of the litigation.”).

32. Barkan v. Amsted Indus., Inc., 567 A.2d 1279, 1286 (Del. 1989) (“Nevertheless, there is no single blueprint that a board must follow to fulfill its duties. A stereotypical approach to the sale and acquisition of corporate control is not to be expected in the face of the evolving techniques and financing devices employed in today’s corporate environment.”).

33. Levine v. Smith, 591 A.2d 194, 214 (Del. 1991).

34. Gatz v. Ponsoldt, C.A. No. 174-N, 2004 WL 3029868, at *5 (Del. Ch. Nov. 5, 2004).

35. Scattered Corp. v. Chi. Stock Exch., Inc., C.A. No. 14010, 1996 WL 417507, at *5 (Del. Ch. July 12, 1996), aff’d, 701 A.2d 70 (Del. 1997).

36. Ironworkers Dist. Council of Phila. & Vicinity Ret. & Pension Plan v. Andreotti, C.A. No. 9714-VCG, 2015 WL 2270673, at *26 n.255 (Del. Ch. May 8, 2015).

37. See Mount Moriah Cemetery ex rel. Dun & Bradstreet Corp. v. Moritz, C.A. No. 11431, 1991 WL 50149, at *4 (Del. Ch. Apr. 4, 1991) (“During that time, plaintiff was asked to identify potential witnesses and there was a fairly regular exchange of correspondence as well as several meetings between counsel for plaintiff and counsel for the Special Committee.”), aff’d, 599 A.2d 413 (Del. 1991).

38. Scattered, 1996 WL 417507, at *5.

39. Espinoza ex rel. JPMorgan Chase & Co. v. Dimon, 124 A.3d 33, 37 (Del. 2015) (A committee recommendation could be set aside if a reviewing court found that the committee “ignored a material aspect of the demand letter,” depending on “the contextual importance of that issue in the overall scope of what the committee was charged with investigating.”).

40. Rales v. Blasband, 634 A.2d 927, 933–34, 935 (Del. 1993).

41. Thorpe v. CERBCO, Inc., 611 A.2d 5, 11 (Del. Ch. 1991) (“But in some cases . . . the reasonableness and good faith of the investigation relates to an entity (a special committee) that is not the decision maker. Thus, in such a case, its good faith and prudence may not alone justify deference to someone else’s decision.”).

42. City of Orlando Police Pension Fund v. Page, 970 F. Supp. 2d 1022, 1030–31 (N.D. Cal. 2013) (denying motion to dismiss in part because defendants refused to make review committee’s report public and relied exclusively on “conclusory” demand refusal letter).

43. DEL. CODE ANN. tit. 8, § 220 (2016).

44. La. Mun. Police Emps. Ret. Sys. v. Morgan Stanley & Co., C.A. No. 5682-VCL, 2011 WL 773316, at *8 (Del. Ch. Mar. 4, 2011).

45. Espinoza ex rel. JPMorgan Chase & Co. v. Dimon, 124 A.3d 33, 36 (Del. 2015); see also Grimes v. Donald, 673 A.2d 1207, 1219 (Del. 1996) (“If a demand is made and rejected, the board rejecting the demand is entitled to the presumption of the business judgment rule unless the stockholder can allege facts with particularity creating a reasonable doubt that the board is entitled to the benefit of the presumption.”).

46. Andersen v. Mattel, Inc., C.A. No. 11816-VCMR, 2017 WL 218913, at *7 (Del. Ch. Jan. 19, 2017).

47. Belendiuk v. Carrion, C.A. No. 9026-ML, 2014 WL 3589500, at *7 (Del. Ch. July 22, 2014) (discussing cases).

48. Thorpe v. CERBCO, Inc., 611 A.2d 5, 8 (Del. Ch. 1991).

49. 672 A.2d 66, 72 (Del. Ch. 1995).

50. Zapata Corp. v. Maldonado, 430 A.2d 779 (Del. 1981).

51. See Grimes v. Donald, 673 A.2d 1207, 1216 n.13 (Del. 1996) (“The use of a committee of the board formed to respond to a demand or to advise the board on its duty in responding to a demand is not the same as the [special litigation committee] process . . . . It is important that these discrete and quite different processes not be confused.”).

52. Scattered Corp. v. Chi. Stock Exch., Inc., 701 A.2d 70, 74 (Del. 1997) (“If the stockholders make a demand, as in this case, they are deemed to have waived any claim they might otherwise have had that the board cannot independently act on the demand.”); Grimes, 673 A.2d at 1218–19 (“If a demand is made, the stockholder has spent one—but only one—‘arrow’ in the ‘quiver.’ The spent ‘arrow’ is the right to claim that demand is excused.”); Spiegel v. Buntrock, 571 A.2d 767, 775 (Del. 1990) (“By making a demand, a stockholder tacitly acknowledges the absence of facts to support a finding of futility. Thus, when a demand is made, the question of whether demand was excused is moot.” (citations omitted)). This concession is limited to the issue of demand futility—phase one of the two-part derivative action.

53. Aronson v. Lewis, 473 A.2d 805, 811 (Del. 1984).

54. Levine v. Smith, C.A. No. 8833, 1987 WL 28885, at *2 (Del. Ch. Dec. 22, 1987).

55. Zapata, 430 A.2d at 786 (citing DEL. CODE ANN. tit. 8, § 141(a), (c)).

56. Id. at 788.

57. See VARALLO ET AL., supra note 23, at 70 (“We recommend that an SLC delegation include a specific statement that the determinations made by the SLC shall be final and binding upon the corporation and shall not be subject to review by the board. Such language is a clear statement of the exclusive authority of the committee with respect to the pending litigation.”).

58. See Zapata, 430 A.2d at 787–89.

59. Id. at 787.

60. Id. at 788–89.

61. See generally C.N.V. Krishnan et al., An Empirical Study of Special Litigation Committees: Evidence of Management Bias and the Effect of Legal Standards (Oct. 16, 2017), https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3053449.

62. Laborers’ Dist. Council Constr. Indus. Pension Fund v. Bensoussan, C.A. No. 11293-CB, 2016 WL 3407708, at *11 (Del. Ch. June 14, 2016) (“Each of these contentions is, unfortunately, reflective of undesirable practices that pervade representative litigation as lawyers for stockholders jockey for control of a case in an effort to secure a payday for themselves, assuming they ultimately can confer a benefit upon the stockholders or the corporation.”).

63. Grimes v. Donald, 673 A.2d 1207, 1216 (Del. 1996) (“The demand requirement serves a salutary purpose. First, by requiring exhaustion of intracorporate remedies, the demand requirement invokes a species of alternative dispute resolution procedure which might avoid litigation altogether.”); Aronson v. Lewis, 473 A.2d 805, 812 (Del. 1984) (“Thus, by promoting this form of alternate dispute resolution, rather than immediate recourse to litigation, the demand requirement is a recognition of the fundamental precept that directors manage the business and affairs of corporations.”).

64. 111 Fed. Cl. 459 (2013), vacated in part, 856 F.3d 953 (Fed. Cir. 2017).

65. See generally id.

66. Id. at 466.

67. Id.

68. Scattered Corp. v. Chi. Stock Exch., Inc., 701 A.2d 70, 74 (Del. 1997) (“If the stockholders make a demand, as in this case, they are deemed to have waived any claim they might otherwise have had that the board cannot independently act on the demand.”); Grimes, 673 A.2d at 1218–19 (“If a demand is made, the stockholder has spent one—but only one—‘arrow’ in the ‘quiver.’ The spent ‘arrow’ is the right to claim that demand is excused.”); Spiegel v. Buntrock, 571 A.2d 767, 775 (Del. 1990) (“By making a demand, a stockholder tacitly acknowledges the absence of facts to support a finding of futility. Thus, when a demand is made, the question of whether demand was excused is moot.” (citations omitted)). This concession is limited to the issue of demand futility—phase one of the two-part derivative action.

69. Starr, 111 Fed. Cl. at 467.

70. Id.

71. Id. at 468.

72. Id. at 469.

73. Id. at 471.

74. Id.

75. 469 A.2d 421 (Del. 1983).

76. Id. at 421.

77. Id. at 421–22.

78. Id. at 422.

79. 430 A.2d 779, 784–86 (Del. 1981).

80. Stotland, 469 A.2d at 422.

81. Zapata, 430 A.2d at 784.

82. Thorpe v. CERBCO, Inc., 611 A.2d 5, 11 (Del. Ch. 1991) (“Thus, the current rule may be thought to exact a heavy price from shareholders who elect to try (in a context when they will not have much information) to employ internal corporate mechanisms before filing a claim on behalf of the corporation.”).

83. Cochran v. Stifel Fin. Corp., C.A. No. 17350, 2000 WL 286722, at *10 n.41 (Del. Ch. Mar. 8, 2000), aff’d in part, rev’d in part, 809 A.2d 555 (Del. 2002) (“As a historical matter, . . . it appears that the derivative suit was a common law development designed to ensure basic fairness and that the demand requirement was judicially created to guarantee that the statutory power of directors to manage the legal affairs of the company was not disregarded except when necessary to serve the policy purpose justifying the recognition of the derivative suit in the first instance.”); see also Kamen v. Kemper Fin. Servs., Inc., 500 U.S. 90, 95 (1991) (“Devised as a suit in equity, the purpose of the derivative action was to place in the hands of the individual shareholder a means to protect the interests of the corporation from the misfeasance and malfeasance of ‘faithless directors and managers.’” (quoting Cohen v. Beneficial Indus. Loan Corp., 337 U.S. 541, 548 (1949))).

84. DEL. CT. CH. R. 23.1.

Emerging Legal Issues in Data Breach Class Actions

INTRODUCTION

Businesses face more than reputational risk when the personally identifiable information (“PII”) of their customers is stolen during a data breach. Many data breaches have spawned multi-plaintiff or class action lawsuits by customers whose PII was accessed by unauthorized third parties as a result of the breach. But, until recently, businesses faced modest litigation risk in these cases because most courts held that litigants lacked standing to sue in federal court, reasoning that plaintiffs had yet to suffer an injury absent allegations that the exposure of their PII resulted in identity theft or unauthorized and unreimbursed charges to their financial accounts. This survey discusses new developments in the law of standing in data breach cases, as well as decisions about the viability of legal claims. Currently, the law is sharply divided, and it is likely to remain so for the foreseeable future.

ARTICLE III STANDING FOR DATA BREACH CASES

BACKGROUND

The recent evolution in case law concerning the standing of plaintiffs in data breach litigation is the outgrowth of two U.S. Supreme Court decisions that established the framework for analyzing Article III’s “injury-in-fact” requirement. In Clapper v. Amnesty International USA,1 the Supreme Court held that the plaintiffs’ fear that their private communications might be intercepted by government surveillance programs was not an injury in fact because any “threatened injury must be certainly impending to constitute injury in fact,” and “allegations of possible future injury are not sufficient.”2 The plaintiffs’ injury was “too speculative” because its occurrence “relie[d] on a highly attenuated chain of possibilities” that “the Government [would] imminently target communications to which [they were] parties.”3 Nor were “measures that they have undertaken to avoid . . . surveillance” an injury; “otherwise, an enterprising plaintiff would be able to secure a lower standard for Article III standing simply by making an expenditure based on a nonparanoid fear.”4 Yet, the Clapper Court cautioned that its cases have “not uniformly require[d] plaintiffs to demonstrate that it is literally certain that the harms they identify will come about,” provided there is “a ‘substantial risk’ that the harm will occur, which may prompt plaintiffs to reasonably incur costs to mitigate or avoid that harm.”5

In Spokeo, Inc. v. Robins,6 the Court reiterated that the injury-in-fact requirement “does not mean [] that the risk of real harm cannot satisfy that requirement.”7 The Spokeo Court held that an alleged Fair Credit Reporting Act (“FCRA”) violation did not, ipso facto, confer standing because “a bare procedural violation, divorced from any concrete harm,” does not “satisfy the injury-in-fact requirement of Article III.”8 It explained that “[i]n determining whether an intangible harm constitutes injury in fact,” two considerations were important: “whether an alleged intangible harm has a close relationship to a harm that has traditionally been regarded as providing a basis for a lawsuit in English or American courts”; and “because Congress is well positioned to identify intangible harms that meet minimum Article III requirements, its judgment is also instructive and important.”9 The Spokeo Court remanded the case to the Ninth Circuit to determine “whether the particular procedural violations alleged in this case entail a degree of risk sufficient to meet the concreteness requirement.”10

RECENT DEVELOPMENTS

In most data breach cases, the alleged injury resulting from the unauthorized access of PII is the increased risk of identity theft and concomitant expenses associated with mitigating that risk. The courts have reached differing conclusions depending on whether actual identity theft has occurred and whether such an occurrence is found to be a prerequisite for standing.

In Lewert v. P.F. Chang’s China Bistro, Inc.,11 for example, the Seventh Circuit held that theft of debit and credit card information conferred standing to sue. One plaintiff incurred four fraudulent transactions on his debit card, and thereafter purchased credit monitoring services, and while the other plaintiff “did not spot any fraudulent charges on his card, nor did he cancel his card and suffer the associated inconvenience or costs,” he alleged that he “spent time and effort monitoring his card statements and his credit report.”12 The court held that the injuries alleged were sufficient. First, “the increased risk of fraudulent charges and identity theft” was “concrete enough to support a lawsuit” “because [plaintiffs’] data has already been stolen.”13 Second, the plaintiffs alleged “time and effort” resolving fraudulent charges and other “measures to mitigate [their] risk.”14 P.F. Chang’s argued that the data breach “posed a risk only of fraudulent charges to affected cards, not of identity theft,” but the court refused to dismiss the case for lack of standing based on “a factual assumption that has yet to be tested.”15

In contrast, a Colorado federal court dismissed a case for this very reason in Engl v. National Grocers by Vitamin Cottage, Inc.16 Because the “card issuer identified the fraudulent activity on his account and unilaterally exonerated [plaintiff] of responsibility for the fraudulent charges” and then “closed the account associated with the stolen card number,” the Engl court concluded that he “brought [his] exposure to any future harm from the [] data breach to an end.”17

In Welborn v. Internal Revenue Service,18 a District of Columbia district court held that the plaintiffs alleged an injury in fact arising from a data breach of an online tool used by the Internal Revenue Service (“IRS”) to provide prior-year tax returns to taxpayers because two plaintiffs “allege[d] that they have suffered actual identity theft when someone filed false tax returns (and claimed fraudulent refunds) in their names,” and the third plaintiff “has been the victim of at least two occasions of fraudulent activity in her financial accounts, one of which resulted in the removal of funds from a personal financial account, which occurred after the IRS data breach.”19 But the plaintiffs’ allegation “that they suffer an increased threat of future identity theft and fraud” was “entirely speculative and depends on the decisions and actions of one or more independent, and unidentified, actor(s),” and the risk of such harm occurring was not “imminent harm that is ‘certainly impending.’”20 Other injuries the court found too speculative were “general anxiety,” the “diminished value of their PII,” and “time and money spent monitoring and assessing the potential risk of future harm.”21

While each plaintiff in Welborn alleged an injury, the court observed that the second element of standing, causation, required plaintiffs to “put forward facts showing that their injuries can be traced to the specific data incident of which they complain and not to any previous theft or data loss incident.”22 One plaintiff did not allege that his injury was “fairly traceable” to the IRS’s conduct because he “simply allege[d] that the alleged financial fraud happened after the [] breach.”23 The court found that the other two plaintiffs alleged a sufficient causal connection to their injuries because they “alleged sufficient facts that, if proved, would tend to show that the information used in the fraudulent tax return was of the same type that was stolen.”24

The Third Circuit held in In re Horizon Services Inc. Data Breach Litigation25 that the plaintiffs, whose PII was contained on stolen laptops, sufficiently alleged an injury in fact even though “none of them had [ ] alleged that the information was actually used to their detriment.”26 The plaintiffs alleged injury based on both an “increased risk of harm from identity theft, identity fraud, and medical fraud” and “the violation of their statutory rights under FCRA.”27 Rather than decide whether the plaintiffs had alleged a non-speculative risk of future injury as required by Clapper, the court “conclude[d] that they have standing due to Horizon’s alleged violation of FCRA.”28 The Horizon Services court reasoned that, while the court’s “pronouncements in this area have not been entirely consistent,” “in some circumstances, [ ] the breach of a statute is enough to cause a cognizable injury—even without economic or other tangible harm.”29 It held that “[i]n light of the congressional decision to create a remedy for the unauthorized transfer of personal information, a violation of FCRA gives rise to an injury sufficient for Article III standing purposes. Even without evidence that the Plaintiffs’ information was in fact used improperly, the alleged disclosure of their personal information created a de facto injury.”30 While, under Spokeo, “there are some circumstances where the mere technical violation of a procedural requirement of a statute cannot, in and of itself, constitute an injury in fact,” the Third Circuit found that “[p]laintiffs here do not allege a mere technical or procedural violation of FCRA. They allege instead the unauthorized dissemination of their own private information—the very injury that FCRA is intended to prevent.”31

In Beck v. McDonald,32 the Fourth Circuit affirmed the dismissal of the Privacy Act and Administrative Procedure Act claims arising from the theft of laptops containing patient records from a Veterans Affairs hospital.33 The plaintiffs alleged two injuries: “(i) the increased risk of future identity theft, and (ii) the costs of protecting against the same.”34 The Beck court noted that its “sister circuits are divided on whether a plaintiff may establish an Article III injury-in-fact based on an increased risk of future identity theft,”35 but that where courts recognized such injuries, the plaintiffs’ allegations “sufficed to push the threatened injury of future identity theft beyond the speculative to the sufficiently imminent” because in those cases “the data thief intentionally targeted the personal information compromised in the data breaches.”36 The Beck plaintiffs, however, “have uncovered no evidence that the information contained on the stolen laptop has been accessed or misused or that they have suffered identity theft, nor, for that matter, that the thief stole the laptop with the intent to steal their private information.”37 The court also rejected the plaintiffs’ contention that there was a “substantial risk” of harm occurring, even accepting as true plaintiffs’ allegation that “33% of health-related data breaches result in identity theft.”38 Because the risk was speculative, the cost of protecting against future identity theft also did not confer standing as the harm resulting from such efforts was “self-imposed.”39 Notably, the Beck court distinguished Horizon Services, where the Third Circuit found standing even though there was no allegation that plaintiffs’ PII had been accessed, because their injury was “the very injury that FCRA is intended to prevent”;40 whereas in Beck, “[p]laintiffs do not allege that [defendant’s] violations of the Privacy Act alone constitute an Article III injury-in-fact.”41

In Galaria v. Nationwide Mutual Insurance Co.,42 the Sixth Circuit held that the plaintiffs had standing to sue even though none of them pled unauthorized charges or identity theft. The plaintiffs’ allegations amounted to a “substantial risk of harm” because, “[w]here a data breach targets personal information, a reasonable inference can be drawn that the hackers will use the victims’ data for [] fraudulent purposes.”43 This inference was confirmed by the defendant’s actions: “Nationwide seems to recognize the severity of the risk, given its offer to provide credit-monitoring and identity-theft protection for a full year.”44 The Galaria court’s finding that the plaintiffs faced “a substantial risk of harm” meant that they “expend[ed] time and money to monitor their credit, check their bank statements, and modify their financial accounts,” which constituted an injury because “it would be unreasonable to expect Plaintiffs to wait for actual misuse—a fraudulent charge on a credit card, for example—before taking steps to ensure their own personal and financial security, particularly when Nationwide recommended taking these steps.”45

The Galaria court also addressed whether the plaintiffs satisfied Article III’s causation requirement. The majority of the court held that the plaintiffs’ allegations met the “fairly traceable” requirement for standing because plaintiffs alleged that “the hackers were able to access Plaintiffs’ data only because Nationwide allegedly failed to secure the sensitive personal information entrusted to its custody.”46

In Whalen v. Michaels Stores, Inc.,47 the Second Circuit affirmed dismissal of claims for breach of implied contract and under the New York General Business Law based on a data breach at Michaels. The plaintiff alleged that at some point after the data breach, her credit card “was physically presented for payment” on two occasions by an unauthorized third party.48 Just like the plaintiff in Engl, however, the Whalen plaintiff did not allege that she incurred any fraudulent charges that she was liable to pay, because her credit card company removed the charges and deactivated her account.49 The Whalen court concluded that the plaintiff’s alleged injury failed the Clapper test because “she never was either asked to pay, nor did pay, any fraudulent charge.”50 Because her credit card was canceled “and no other personally identifying information—such as her birth date or Social Security number—is alleged to have been stolen,” the court reasoned that the plaintiff “does not allege how she can plausibly face a threat of future fraud.”51 It rejected the plaintiff’s mitigation allegations as conclusory because she “pleaded no specifics about any time or effort that she herself has spent monitoring her credit.”52

While the nature of the breach in Whalen distinguished the case from Galaria, where a broader array of PII was accessed, Whalen is more difficult to reconcile with the Seventh Circuit’s Lewert decision, where the only information obtained by hackers was the plaintiffs’ debit card numbers, and yet the court still held that plaintiffs faced a substantial risk of future injury.

VIABILITY OF DATA BREACH CLAIMS ON THE MERITS

Even if the plaintiffs survive standing challenges in data breach litigation, no federal statute provides a remedy to victims of a data breach, and plaintiffs have been mostly unsuccessful in mooring their claims to other federal statutes, such as the FCRA. Courts have been more receptive to claims under state statutes and the common law, although the outcomes at the pleadings stage vary widely. For instance, in In re Experian Data Breach Litigation,53 a California federal district court granted in part and denied in part Experian’s motion to dismiss claims arising from the theft of PII stored on Experian’s servers. The court dismissed the plaintiffs’ FCRA claims because Experian did not “furnish” a “consumer report” in violation of the FCRA.54 Plaintiffs’ New York, Illinois, Ohio, and California negligence claims survived, however, even as to the one plaintiff who was reimbursed for unauthorized credit card charges. The court held that “[e]ven if, as Defendants argue, a risk of future identity theft isn’t a properly pleaded damage, the complaint also alleges that Plaintiffs have suffered damages by taking measures to both ‘deter’ and ‘detect’ identity theft.”55 These damages included both unreimbursed credit monitoring expenses and hours spent “addressing issues arising from the Data Breach.”56 The court concluded that “[t]he time that Plaintiffs have allegedly spent addressing issues caused by the data breach” stated a claim for damages.57

Some claims against Experian under state consumer protection statutes also survived. The plaintiffs successfully alleged a violation of New York’s deceptive trade practices act on the basis that “Experian . . . misrepresented that it would comply with the requirements of relevant federal and state laws pertaining to the privacy and security of” the plaintiffs’ data.58 The court also held that the plaintiffs stated claims under the “unfair” or “unlawful” prongs of California’s Consumers Legal Remedies Act and Unfair Competition Law.59

In In re Premera Blue Cross Customers Data Security Breach Litigation,60 an Oregon district court held that plaintiffs whose PII was exposed by a data breach of Premera’s computer network could proceed to the merits on their fraud- and contract-based claims. The plaintiffs’ fraud claims under the common law and Oregon consumer protection statutes were based on statements in Premera’s policy booklets, a privacy notice provided to Premera’s members, and the company’s code of conduct posted on its website.61 The Premera court held that guarantees contained in these documents, such as “[w]e protect your privacy by making sure your information stays confidential,” and aspirational statements concerning “prevent[ing] unauthorized access” had “the capacity to deceive if, as Plaintiffs allege, Premera did not provide adequate data security.”62 Because “[a] reasonable person, reading these statements, would believe that Premera provides reasonable and adequate data security,” the court held that plaintiffs alleged an affirmative misrepresentation claim.63

While the Premera court held that the plaintiffs failed to allege any active misrepresentation, their amended pleadings adequately alleged fraud by omission because “Premera should have disclosed that it did not implement industry standard access controls, did not fix known vulnerabilities in its electronic security protocols, failed to protect against reasonably anticipated threats, and otherwise did not comport with its assurances regarding protecting information.”64

The Premera court also held that the plaintiffs’ express contract claims survived, except as to claims based on statements in Premera’s code of conduct, which “are not guarantees but are expressions of corporate optimism” rather than “enforceable promises.”65 The plaintiffs further alleged that these documents contained “implied terms requiring Premera to implement data security adequate to safeguard and protect the confidentiality of their [] [i]nformation.”66 The court held that such a claim was viable under Oregon law, but that Washington law required a finding of “legal necessity” before a term would be implied into a contract, and the court “decline[d] to imply a term into the parties’ contracts that would require adequate data security measures be taken.”67

Finally, as to plaintiffs who were not policyholders of Premera but “whose [PII] came into Premera’s possession without any relationship between the parties,” the court rejected the plaintiffs’ alternative argument, that Premera breached an “implied-in-fact contract[] for the provision of data security.”68 The complaint failed to “allege facts that plausibly suggest that Plaintiffs other than the Policyholder Plaintiffs gave information to Premera,” nor were there sufficient allegations of the elements of a contract with plaintiffs who were Premera policyholders.69 In an earlier opinion dismissing certain allegations, the court held that the plaintiffs adequately alleged unjust enrichment based on payments they made to Premera.70

In Fero v. Excellus Health Plan, Inc.,71 classes of California, Florida, Indiana, North Carolina, New Jersey, New York, and Pennsylvania customers, federal employee enrollees, and medical providers alleged ten causes of action, including common law negligence and contract claims, and violations of state privacy and consumer protection statutes, arising from a data breach that exposed their PII. The plaintiffs alleged that false tax returns were filed in their names, that they were the victims of identity theft, had fraudulent credit or debit card charges, that they spent money to remediate the breach, and that they spent time mitigating their losses or protecting against future identity theft and were at risk of identity theft in the future.72 The Fero court held that plaintiffs who “alleged increased risk of harm, unaccompanied by any concrete misuses of their stolen information,” lacked standing because “none allege any facts indicating that the hackers have misused their personal information since the data breach occurred, or that any other suspicious activity has occurred in the three years since.”73 Rather, “the alleged injuries rely on a chain of possibilities about the actions of independent actors.”74 The court also held that causes of action under state statutes did not confer standing because, under Spokeo, “Article III standing requires a concrete injury even in the context of a statutory violation.”75

The Fero court held that the plaintiffs whose PII had been misused both had standing and stated a claim under certain state common law causes of action and statutes. Plaintiffs’ contract-based claims were premised on Excellus’s privacy policy, which was incorporated by reference into their contracts.76 The court denied Excellus’s motion to dismiss those claims, noting that “the statements from the privacy policies identified by Plaintiffs plausibly could be read to reflect a definite promise by Excellus to maintain the security of the personal information that it collected and stored on its networks.”77 But the court dismissed the federal employee plaintiffs’ third-party beneficiary claim, noting that nothing in the contracts evidenced an intent to confer enforcement rights on the insured plaintiffs.78 The court also dismissed the plaintiffs’ negligent misrepresentation claims, both because the plaintiffs failed to allege reliance, since “Plaintiffs have failed to allege with any particularity that they actually read or saw the notices concerning privacy policies and practices,” and because no facts “suggest that Plaintiffs have a relationship with [Excellus] that is unique or differs from that of a reasonable consumer.”79

Many state statutory claims also survived in Fero. Under the New York prohibition of deceptive acts or practices, the court reasoned that “it is at least plausible that the [defendants’] representations in their privacy policies and on their websites concerning data security (catalogued above) would lead a reasonable consumer to believe that the [defendants] were providing more adequate data security than they purportedly were,” and that “the [defendants] failure to disclose the purportedly inadequate data security measures would mislead a reasonable consumer.”80 The court dismissed the plaintiffs’ California Customer Records Act claims because that law does not apply to a “health care service plan.”81 Finally, the New Jersey Insurance Information Practices Act and the North Carolina Consumer and Customer Information Privacy Act prohibit the “disclosure” of certain PII. But the court distinguished “disclosure” from “theft,” finding that “the structure of both [statutes] support[s] the conclusion that disclosure does not encompass a theft” and, therefore, dismissed these claims.82

In USAA Federal Savings Bank v. PLS Financial Services, Inc.,83 an Illinois district court dismissed state negligence and consumer fraud claims brought by USAA after millions of dollars in counterfeit checks were drawn on the bank’s accounts following a data breach at a check cashing and payday lending company. USAA claimed that PLS breached its duty to USAA “of safeguarding allegedly confidential financial information” of customers.84 The court explained, however, that because “Illinois does not recognize a common law duty to safeguard personal information, USAA cannot establish its claim for negligence against PLS.”85 The court also dismissed USAA’s claim under the Illinois Consumer Fraud Act, refusing to “infer from the allegations of the first amended complaint that the allegedly unfair conduct occurred in Illinois . . . where no allegations suggest that the breach occurred in Illinois or affected Illinois residents.”86

CONCLUSION

The law in data breach cases is unsettled, and over the next year, courts will be forced to grapple with two emerging questions. First, as data breaches become larger and more frequent,87 and plaintiffs’ PII is stolen through multiple, separate data breaches, it becomes less apparent how plaintiffs have suffered an injury, and whether that injury is fairly traceable to the actions of any specific defendant. Second, existing case law is largely based on the assumption that hackers steal PII for financial gain, even though hackers are increasingly motivated by non-commercial ends, such as activism, blackmail, or espionage.88 Courts may be forced to reevaluate their framework for analyzing standing where identity theft is not the plausible goal of the data breach.

_____________

* Joseph F. Yenouskas is a partner and Levi W. Swank is an associate in the Washington, D.C. office of Goodwin Procter LLP. The statements and views expressed in this survey are solely those of the authors, not those of their firm or its clients; accordingly, none of the views or statements should be attributed to their firm or any of its clients, or construed as a comment on non-public aspects of cases that are discussed herein.

1. 568 U.S. 398 (2013).

2. Id. at 409 (quotation marks and alterations omitted).

3. Id. at 401, 411.

4. Id. at 415–16.

5. Id. at 414 n.5.

6. 136 S. Ct. 1540 (2016).

7. Id. at 1543.

8. Id. at 1549; see also Anna-Katrina S. Christakis, Jeffrey D. Pilgrim & Jennifer L. Majewski, Post-Spokeo: The Impact of Article III Standing on Consumer Finance Litigation, 73 BUS. LAW. 565 (2018) (in this Annual Survey); Matthew O. Stromquist, Anna-Katrina S. Christakis & Jeffrey D. Pilgrim, The High Court Speaks on Standing, Mootness, Arbitration, and Representative Evidence, 72 BUS. LAW. 567, 567–69 (2017) (in the 2017 Annual Survey).

9. Spokeo, 136 S. Ct. at 1549.

10. Id. at 1550. On remand, the Ninth Circuit found that the “alleged injuries were sufficiently concrete for the purposes of Article III.” Robins v. Spokeo, Inc., 867 F.3d 1108, 1118 (9th Cir. 2017). A cert petition is pending in the Supreme Court. Petition for a Writ of Certiorari, Spokeo, Inc. v. Robins, No. 17-806 (U.S. Dec. 6, 2017).

11. 819 F.3d 963 (7th Cir. 2016).

12. Id. at 965.

13. Id. at 967.

14. Id.

15. Id. While plaintiffs also alleged that the “cost of their meals” was an injury because “they would not have dined at P.F. Chang’s had they known of its poor data security,” and that “they have a property right to their personally identifiable data,” the court was skeptical that “any of these would be sufficient injury for Article III standing.” Id. at 968.

16. No. 15-cv-02129-MSK-NYW, 2016 WL 8578252 (D. Colo. Sept. 21, 2016).

17. Id. at *6.

18. 218 F. Supp. 3d 64 (D.D.C. 2016), app. dismissed, No. 16-5365, 2017 WL 2373044 (D.C. Cir. Apr. 18, 2017).

19. Id. at 76–77.

20. Id.

21. Id. at 78.

22. Id. at 79.

23. Id.

24. Id. As to these two plaintiffs, the court nonetheless dismissed their claims on the grounds of statutory standing, preemption, and failure to state a claim. Id. at 85.

25. 846 F.3d 625, 629 (3d Cir. 2017).

26. Id. at 629.

27. Id. at 634.

28. Id. at 635.

29. Id.

30. Id. at 629.

31. Id. at 638, 640.

32. 848 F.3d 262 (4th Cir. 2017).

33. Id. at 266–67.

34. Id. at 273.

35. Id.

36. Id. at 274.

37. Id.

38. Id. at 275–76.

39. Id. at 276–77.

40. In re Horizon Healthcare Servs. Inc. Data Breach Litig., 846 F.3d 625, 640–41 (3d Cir. 2017).

41. 848 F.3d at 271 n.4.

42. 663 F. App’x 384 (6th Cir. 2016).

43. Id. at 388.

44. Id. The court explained that “[a]lthough Nationwide offered to provide some of these services for a limited time, Plaintiffs allege that the risk is continuing, and that they have also incurred costs to obtain protections—namely, credit freezes—that Nationwide recommended but did not cover.” Id. at 388–89.

45. Id. at 388.

46. Id. at 390 (citing Parsons v. U.S. Dep’t of Justice, 801 F.3d 701, 714 (6th Cir. 2015)).

47. 689 F. App’x 89 (2d Cir. 2017).

48. Id. at 90.

49. Id.

50. Id. at 90–91 (citing Galaria, 663 F. App’x at 386).

51. Id.

52. Id.

53. No. SACV 15-1592 AG, 2016 WL 7973595 (C.D. Cal. Dec. 29, 2016).

54. Id. at *1 (citing 15 U.S.C. § 1681b). While the term “furnish” is not defined in the statute, the court noted that “courts generally use the term to describe the active transmission of information to a third-party rather than a failure to safeguard the data.” Id. (internal quotation marks omitted).

55. Id. at *3.

56. Id. at *3, *5.

57. Id. at *5. The court declined to dismiss negligence per se claims based on the Gramm-Leach-Bliley Act and the Interagency Guidelines Establishing Information Security Standards, except as to California plaintiffs because “there is no negligence per se claim in California.” Id. at *8.

58. Id. at *5 (citing N.Y. GEN. BUS. LAW § 349).

59. Id. at *9.

60. No. 3:15-md-2633-SI, 2017 WL 539578 (D. Or. Feb. 9, 2017).

61. Id. at *3.

62. Id. at *6.

63. Id. at *6–7. The court dismissed the fraud-based claims as to one specific policy because that policy only “contains a promise to have a company confidentiality policy and to have employees sign that policy.” Id. at *6.

64. Id. at *8.

65. Id. at *13.

66. Id.

67. Id. at *14.

68. Id. at *16.

69. Id.

70. In re Premera Blue Cross Customer Data Sec. Breach Litig., 198 F. Supp. 3d 1183, 1201 (D. Or. 2016).

71. 236 F. Supp. 3d 735 (W.D.N.Y. 2017).

72. Id. at 744.

73. Id. at 753.

74. Id. The court also held that “mitigation efforts following a data breach do not confer standing where the alleged harm is not imminent.” Id. at 754. Nor was it sufficient to allege that plaintiffs overpaid for their health insurance in light of Excellus’s allegedly lax data security. Id. And, as every other court to consider the question has held, the court rejected the argument that “the diminution in value of personal information can support standing.” Id. at 755.

75. Id.

76. Id. at 759–60.

77. Id. at 761. The court dismissed plaintiffs’ implied covenant claim “as duplicative of their breach of contract claim because both claims arise from the same facts and seek the same damages for each alleged breach,” id. at 763, but permitted plaintiffs’ unjust enrichment claim to proceed because there was a dispute as to whether “the parties have an enforceable contract with definite and material terms regarding the provision of data security,” which would bar such a remedy. Id. at 770.

78. Id. at 763–64, 769–70.

79. Id. at 773.

80. Id. at 776 (citing N.Y. GEN. BUS. LAW § 349).

81. Id. at 782.

82. Id. at 784; see also Hapka v. Carecentrix, Inc., No. 16-2372, 2016 WL 7336407, at *5 (D. Kan. Dec. 19, 2016) (plaintiffs adequately pleaded a negligence claim despite failing to identify a statutory duty because “[g]iven plaintiff’s allegations that the harm was foreseeable, defendant had the duty to exercise reasonable care to prevent that harm”).

83. No. 16-cv-7911, 2017 WL 2345537 (N.D. Ill. May 30, 2017).

84. Id. at *2.

85. Id. at *3.

86. Id. at *4.

87. See, e.g., AnnaMaria Andriotis & Ezequial Minaya, Equifax Reports Data Breach Possibly Affecting 143 Million U.S. Consumers, WALL ST. J. (Sept. 8, 2017), https://www.wsj.com/articles/equifax-reports-data-breach-possibly-impacting-143-million-u-s-consumers-1504819765.

88. See, e.g., Michael S. Schmidt & Steven Lee Myers, Panama Law Firm’s Leaked Files Detail Offshore Accounts Tied to World Leaders, N.Y. TIMES (Apr. 3, 2016) (data breach of Panamanian law firm Mossack Fonseca), https://www.nytimes.com/2016/04/04/us/politics/leaked-documents-offshore-accounts-putin.html; Byron Tau & Damian Paletta, DNC Says Computers Breached by Russian Government-Linked Hackers, WALL ST. J. (June 14, 2016), https://www.wsj.com/articles/democratic-national-committee-computers-breached-by-hackers-linked-to-russian-government-1465920304 (data breach of Democratic National Committee’s computer systems).

The Antitrust Boundaries of Nonsolicitation Agreements

For well over a century, the Sherman Antitrust Act has prohibited agreements to allocate productive resources or inputs. An agreement with a competitor to allocate the supply of steel, for instance, would be per se unlawful. So, too, are agreements to allocate customers or territories. Yet agreements between competitors or potential competitors not to “poach” one another’s employees—a potentially scarce resource, particularly for high-level talent in a tight labor market—are surprisingly common.

Since the high-profile case against major Silicon Valley companies—Apple, Google, Intel, and others—condemning such agreements, lawyers have become increasingly aware of the issues surrounding competitor agreements regarding the allocation of labor. See United States v. Adobe Sys., Inc., No. 1:10-cv-01629-RBW (D.D.C. Mar. 18, 2011); In re High-Tech Emp. Antitrust Litig., No. 5:11-cv-02509-LHK (N.D. Cal. Sept. 2, 2015). The Department of Justice and the Federal Trade Commission issued guidance in October 2016 on such agreements, noting that the antitrust laws apply to “competition among firms to hire employees.” Since then, they have pursued actions against companies that have agreed to allocate labor resources, as evidenced by the recent settlement with Knorr-Bremse AG and Westinghouse Air Brake Technologies Corporation, following an agreement not to solicit, recruit, hire, or otherwise compete with one another for employees. The Department of Justice has even recently announced that “naked” agreements not to compete for talent may be pursued criminally. In addition, private suits have been filed, with one alleging recently that McDonald’s franchisees have agreed to limit competition for employees. See Leinani Deslandes v. McDonald’s USA, LLC et al., No. 1:17-cv-04857 (E.D. Ill June 2018).

Yet little has been written about the boundaries of agreements between competitors or potential competitors when it comes to such talent. Some agreements, of course, are clearly “naked,” per se unlawful agreements. Those are agreements that are not reasonably necessary to support a separate, legitimate business transaction or collaboration, and they would eliminate competition in the same way as agreements to fix prices or to allocate customers. For those agreements that might be something other than a naked agreement to eliminate competition, however, it is not always easy to ascertain the line between that which is permissible and impermissible under the “rule of reason,” a construct in antitrust law where a fact finder would weigh any competitive harm against potential legitimate justifications.

This piece examines the implications under U.S. antitrust laws of transactional agreements that commonly include nonsolicitation provisions.

Merger and Acquisition Transactions

Mergers and other acquisition transactions commonly include nonsolicitation covenants that prohibit the seller’s solicitation of employees of the divested business for some period after the transaction closes. Variants of these types of provisions may include exceptions for solicitations made generally in advertising job openings so long as they do not target the restricted employees specifically, or for hiring an otherwise restricted employee that makes unsolicited first contact with the seller seeking employment. The restrictions may also be broader in their scope, extending to employees of the buyer or its affiliates.

Also ancillary to the “due diligence” process leading up to mergers and acquisitions, parties commonly enter into agreements restricting the use and disclosure of confidential information shared by the parties in connection with those transactions. Those confidentiality agreements typically prohibit the receiving party’s use of confidential information for any purpose other than the narrowly defined purpose of the transaction. Although the restriction on use might generally prevent the receiving party from using confidential information (such as salary data) to its advantage in soliciting the disclosing party’s employees, confidentiality agreements frequently include express employee nonsolicitation provisions that go beyond restrictions on use of confidential information in their scope and specificity.

If these types of nonsolicitation agreements are entered into in connection with a potential merger or acquisition and are reasonably ancillary to the transaction (as opposed to a mere cloak to engage in the allocation of labor inputs or the fixing of employee salaries), they should not qualify as “naked” per se illegal restraints on competition.

Real-world concerns in fact often motivate these restrictions. For instance, a company that opens its plant and access to employees to a competitor evaluating an acquisition might be concerned that the competitor will simply take note of its key employees and, rather than continuing with the acquisition, decide to poach the talent. This is particularly the case with key employees in which the company might have years of training and investment, and where the assets of the company are largely found in human talent and know-how.

The Department of Justice implicitly recognized this in the final judgment of the Adobe Systems Inc. case where it agreed that a no “direct solicitation” agreement is not prohibited if it is “reasonably necessary for mergers or acquisitions, consummated or unconsummated, investments, or divestitures, including due diligence related thereto.” See United States v. Adobe Sys., Inc., No. 1:10-cv-01629-RBW (D.D.C. Mar. 18, 2011), ECF No. 17.

This leaves the question of what is “reasonably necessary” for a transaction and, if such agreements are “reasonably necessary,” whether the agreements would survive scrutiny after determining potential competitive consequences.

For purposes of considering the legitimacy of nonsolicitation agreements in these types of transactions, it is helpful to divide this category into two subcategories of merger or acquisition transactions: those involving a “financial buyer,” such as a private equity sponsor or other acquisition fund, and those involving a “strategic buyer,” such as a competitor of the target company. In the context of a financial buyer, the transaction does not diminish competition for employees in the applicable market—the owner of one employer is merely replaced with the financial buyer, who is unlikely to become an independent competitor for the labor inputs otherwise. Competition for employees, therefore, is unlikely to be diminished in this kind of arrangement. To the extent that the antitrust laws are concerned with competitive effects in a relevant market (here, the market for employees or talent), or foreclosure of inputs to actual or otherwise potential competitors, these types of agreements should not be problematic.

In the strategic buyer context, by contrast, competition for employees may be diminished as two previous employers in the market consolidate into one, which consequently has greater market power. In this context, as in any rule of reason inquiry, lawyers should inquire into the potential effects of any nonsolicitation agreements. This involves examining how consolidated the market might become after the transaction (i.e., how many options the employees might have elsewhere); how broad the nonsolicitation agreements are; and how many employees might be bound by them (i.e., do they apply only to executives or all employees?). The inquiry revolves around foreclosure of potential competition for employees and the tying up of potentially scarce labor inputs. The inquiry is context specific, and the answer to whether such agreements might pose problems in any circumstance depends on balancing the degree of impact on the labor market against the necessity of such agreements to consummate a potentially beneficial transaction for consumers more broadly.

Whether nonsolicitation provisions accompanying merger or acquisition transactions in the due diligence context are reasonably necessary to encourage what might otherwise be a beneficial transaction depends largely on the purpose motivating the nonsolicitation clauses, as well as the foreclosing effects of such agreements.

Employment Agreements and Other Commercial Transactions

Employment agreements often contain restrictive covenants made by the employee, commonly including nonsolicitation clauses. Those nonsolicitation covenants are designed to prevent the employee, who is frequently in a position of leadership over the company’s other employees, from using that relationship as an advantage in poaching other employees. These covenants typically apply during the employee’s employment and for a specified period (often a year or more) after that employment ends. Outside of the context of a customary employment agreement, nonsolicitation covenants are also commonly found in form confidentiality, intellectual property assignment, incentive equity, and similar uniform agreements that even nonexecutive employees are expected to sign as a condition of their employment or incentive equity participation.

Employee nonsolicitation agreements may also appear in supply agreements, distribution agreements, joint development agreements, executive search arrangements, and other service relationships with independent contractors, among others. The common thread in these types of relationships is the familiarity that the parties develop with each other’s employees, whether through information sharing, direct interaction, or otherwise, and each party seeks to prevent that familiarity from enhancing the other’s efforts to hire away that party’s employees. For example, a company may enter into an agreement with a marketing firm to promote the company’s products. The service agreement may contain a covenant of the company not to solicit the marketing firm’s employees to prevent the company from bringing the services in-house with the use of the marketing firm’s former employees. These agreements often apply both during the term of the relationship and for a specified period after the relationship ends.

To the extent that these agreements are widespread, attaching to employees throughout the company, one should determine their breadth, ensuring that they are narrowly tailored to address procompetitive, legitimate concerns and that they do not unreasonably hinder competition or potential competition for employees in a particular industry or market. Imagine, for instance, a situation where a company employs half of all relevant skilled employees in a geographic or product area, and where that company has included form nonsolicitation covenants in every employment or equity grant agreement. If an employee were to leave, either to start a competing venture on his or her own, or to work for an established competitor, that employee’s new venture (especially if the employee starts the venture) might have significantly diminished opportunities to recruit talent and therefore to compete. This would be an example of a situation in which the breadth and prevalence of such agreements might foreclose competition, outweighing any potential justifications.

Nonsolicitation agreements are common across industries through a variety of transactions and otherwise. Although nothing in the law of agreements in restraint of trade has changed, recent events—as well as agency guidance—have highlighted the potential perils of these agreements. As with any agreement between competitors or potential competitors, companies competing (or potentially competing) for labor inputs must take care to ensure that they only enter into agreements that are narrowly tailored to meet a legitimate, procompetitive, business purpose. This requires an analysis of the potentially foreclosing effect of such agreements on employee movement, the breadth and prevalence of such agreements, and whether the agreements are no more restrictive than necessary to meet their legitimate objectives.

SCOTUS Issues Landmark Decision on Cell Phone Location Information with Major Implications for Fourth Amendment Privacy

On Friday, June 22, 2018, the Supreme Court issued its much-anticipated opinion in Carpenter v. United States, 585 U.S. __ (2018), and declared a Fourth Amendment privacy right for cell phone location data. Seeing how “seismic shifts” in technology have altered our conceptions of privacy, the court revised its long-held “reasonable expectation of privacy” test and ruled that police obtaining cell site location information (CSLI) records from a person’s cell phone service provider constitutes a Fourth Amendment “search” requiring a warrant.

The case involved a string of nine robberies in Michigan and Ohio. One man arrested early on for several of these robberies confessed to the crime spree and identified a number of accomplices, giving the police their cell phone numbers. The police then obtained court orders under section 2703(d) of the Stored Communications Act (SCA) to require their cell phone service providers to share historical CSLI records for these cell phones from the four-month period of the robberies. (Section 2703(d) enables the government to seek a court order requiring disclosure of certain “noncontent” business records from an electronic communications service provider upon presenting “specific and articulable facts showing that there are reasonable grounds to believe that . . . the records or other information sought[] are relevant and material to an ongoing criminal investigation.” 18 U.S.C. § 2703(d).) In general, cell phone service providers maintain a vast network of towers with sensors mounted on top (usually three sensors forming a triangle) that send and receive radio signals to and from people’s cell phones when they make or receive calls, text messages, or otherwise transmit data over the cellular network. The providers maintain a record of which tower and sensor—or “cell site”—was used whenever a cell phone makes or receives a call or text message. By analyzing such business records, the police can infer the approximate location of the cell phone at the time of the call or text message. In the Carpenter case, the historical CSLI records obtained by the police indicated that Carpenter’s cell phone was near four of the charged robberies when they were committed. He was convicted of multiple robbery charges following a trial and then appealed.

Writing for the court, Chief Justice Roberts reasoned that CSLI records do not “fit neatly under existing precedents” and instead lie at the “intersection of two lines of cases” about the scope of a person’s reasonable expectation of privacy protected by the Fourth Amendment. Id. at *7. On one hand, there is the third-party doctrine established by Smith v. Maryland, 442 U.S. 735 (1979) (no reasonable expectation of privacy in records of dialed telephone numbers held by a telephone company) and United States v. Miller, 425 U.S. 435 (1976) (no reasonable expectation of privacy in financial records held by a bank). Under that doctrine, “‘a person has no legitimate expectation of privacy in information he voluntarily turns over to third parties,’” id. at *9 (quoting Smith, 442 U.S. at 743–44), and “[t]hat remains true ‘even if the information is revealed on the assumption that it will be used only for a limited purpose,’” id. (quoting Miller, 425 U.S. at 443).

On the other hand, there are the court’s cases about police use of “sophisticated technology” to track the location and movements of a vehicle, including United States v. Knotts, 460 U.S. 276 (1983) (use of a beeper hidden inside a barrel of chemicals sold to the suspect to help police conduct aerial surveillance of his vehicle) and United States v. Jones, 565 U.S. 400 (2012) (covert installation of a GPS tracking device on a suspect’s vehicle that enabled police to remotely monitor its movements for 28 days). These decisions address what Chief Justice Roberts called “a person’s expectation of privacy in his physical location and movements.” Carpenter at *7. Although finding no Fourth Amendment violation in Knotts because generally a vehicle’s public movements implicate no privacy interest, the court specifically reserved the question of whether “different constitutional principles may be applicable” if “twenty-four hour surveillance of any citizen of this country [were] possible.” Knotts, 460 U.S. at 283–84. More recently, although the Fourth Amendment violation found by the Jones decision was premised on the act of trespass when police installed the GPS tracking device, five concurring Justices agreed that “‘longer term GPS monitoring in investigations of most offenses impinges on expectations of privacy’—regardless whether those movements were disclosed to the public at large.” Carpenter at *8 (quoting Jones, 565 U.S. at 430 (Alito, J., concurring); Jones, 565 U.S. at 415 (Sotomayor, J., concurring)).

In the face of these two competing lines of cases, the court elected to continue down the path indicated by the Jones concurring opinions, declaring, “[w]hether the Government employs its own surveillance technology as in Jones or leverages the technology of a wireless carrier, we hold that an individual maintains a legitimate expectation of privacy in the record of his physical movements as captured through CSLI.” Carpenter at *11. The court noted that after the Jones decision, five Justices had “already recognized that individuals have a reasonable expectation of privacy in the whole of their physical movements.” Id. at *12. In the Carpenter decision, the court simply adopted their reasoning about long-term GPS monitoring—namely, that such precise and lengthy location monitoring contravenes society’s expectations about the degree of physical surveillance to be expected from law enforcement, and that such comprehensive location records can uncover a person’s most private affairs. “As with GPS information,” the court explained, “the time-stamped [CSLI] data provides an intimate window into a person’s life, revealing not only his particular movements, but through them his ‘familial, political, professional, religious, and sexual associations.’” Id. at *12 (quoting Jones, 565 U.S. at 415 (Sotomayor, J., concurring)).

Finally, Carpenter distinguished the third-party doctrine from Smith and Miller by emphasizing “the deeply revealing nature of CSLI, its depth, breadth, and comprehensive reach, and the inescapable and automatic nature of its collection.” Id. at *22. On this last point, the court reasoned that CSLI records “[are] not truly ‘shared’ as one normally understands the term” because they are generated “by dint of [the cell phone’s] operation, without any affirmative act on the part of the user beyond powering up,” and now “cell phones and the services they provide are ‘such a pervasive and insistent part of daily life’ that carrying one is indispensable to participation in modern society.” Id. at *17 (quoting Riley v. California, 134 S. Ct. 2473, 2484 (2014)). The court added: “After all, when Smith was decided in 1979, few could have imagined a society in which a phone goes wherever its owner goes, conveying to the wireless carrier not just dialed digits, but a detailed and comprehensive record of the person’s movements.” Id. at *11.

Chief Justice Roberts’s majority opinion claims that “[o]ur decision today is a narrow one” relating only to historical CSLI records. Id. at *17. However, the implications of this decision are manifold and far-reaching. Whereas previously this line of cases consisted of Knotts dicta and Jones concurring opinions, now the court has firmly declared that “individuals have a reasonable expectation of privacy in the whole of their physical movements” that will be protected from police intrusion by the Fourth Amendment. Id. at *12. In addition, whereas the Jones concurrence focused on “longer term GPS monitoring,” the Carpenter decision provided no clear guidance on the duration of the time period of cell phone location data that is protected by this Fourth Amendment right. What is more, the court applied its ruling to historical CSLI records that had been originally collected and maintained by a private company for its own commercial purposes. Before now, private surveillance or data collection (even unlawful wiretapping) that had not been conducted at the government’s behest was considered to be beyond the scope of the Fourth Amendment, which applies only to government searches and seizures. See United States v. Jacobsen, 466 U.S. 109, 113–14 (1984). Thus, Carpenter disrupted more than just the third-party doctrine of Smith and Miller.

Ultimately, Carpenter may have even greater implications for Fourth Amendment jurisprudence. In the seminal decision of Katz v. United States, 389 U.S. 347 (1967), the court overruled earlier case law that limited Fourth Amendment protection to police trespassing upon one’s property, and declared that the Fourth Amendment also protects a person’s reasonable expectation of privacy. In what became settled law, this “expectation of privacy” test required “that a person has exhibited an actual (subjective) expectation of privacy . . . that society is prepared to recognize as ‘reasonable.’” Id. at 361 (Harlan, J., concurring). At a basic level, this involved “draw[ing] a line between what a person keeps to himself and what he shares with others.” Carpenter at *9. Although the Carpenter court invoked the Katz test as always, its decision actually moved away from this classic analysis and embarked upon a different approach to the scope of the Fourth Amendment. Under Carpenter, the test is not “reasonable expectation of privacy” as such, but instead “reasonable expectation of privacy from the Government.” The touchstone is not protecting “what [one] seeks to preserve as private,” Katz, 389 U.S. at 351, but instead “‘plac[ing] obstacles in the way of a too permeating police surveillance.’” Carpenter at *6 (quoting United States v. Di Re, 332 U.S. 581, 595 (1948)). (Notably, Congress had already drawn a similar line in the SCA, 18 U.S.C. §§ 2701 et seq., which was part of the Electronic Communications Privacy Act of 1986 responding to the Smith decision. Section 2702(c)(6) expressly authorizes cell phone and other electronic communication service providers to disclose non-content business records such as CSLI “to any person other than a governmental entity,” who alone must obtain court authorization under Section 2703. 18 U.S.C. § 2702(c)(6). Curiously, when examining the expected privacy of CSLI records, the Carpenter Court did not address Section 2702(c)(6).)

Another key feature of Carpenter is how the court grapples with the technological and social changes of modern society. As observed in Justice Kennedy’s dissenting opinion, “[cell phone service] providers contract with their customers to collect and keep these [CSLI] records because they are valuable to the providers . . . [who] aggregate the records and sell them to third parties along with other information gleaned from cell phone usage.” Id. at *5 (Kennedy, J., dissenting). Likewise, customers routinely agree to share with private companies their GPS location data, web browsing habits, social networking communications, and all manner of sensitive personal data when using online services and connected devices. In such a world where personal information has become a proliferating commodity that is widely shared and utilized in the digital economy, the classic “reasonable expectation of privacy” test requiring actual privacy would, in the end, chip away at the Fourth Amendment as a bulwark against unfettered police surveillance. In this context, the Carpenter decision makes sense and may represent the future of the Fourth Amendment.

 

How Can I Be a Party to a Contract and Yet Lack Standing to Sue Another Party for Breach?

The distinction between direct and derivative claims follows necessarily from the concept of a legal person being separate and distinct from its owners, raises and resolves a question of standing, has serious practical consequences in litigation, and is central to the governance of any business entity. In a closely held business, the distinction usually protects the deal the owners have made for themselves. On some occasions, however, the distinction helps shelter a miscreant majority owner who has managed to harm a fellow owner indirectly.

This column will briefly describe the three approaches to the direct-derivative distinction found in the case law, explain why the “direct harm” approach is logically and doctrinally correct, and outline the distinction’s practical consequences. With that information as background, the column will address the issue reflected in the column’s caption—that is, how can a party to a contract lack standing to sue another party for breach?

Courts have considered three different approaches to the direct-derivative distinction: (i) direct harm, (ii) special injury, and (iii) to whom the duty is owed. The last-named approach, which by far has the fewest judicial adherents, makes the distinction by looking at the duty alleged to have been breached and asks, “to whom is that duty owed?” The approach makes no sense either practically or conceptually. As a practical matter, courts frequently refer (imprecisely) to a duty owed to both the entity (e.g., an LLC) and its owners (e.g., members). As to concept, standing is everywhere else an issue of injury rather than duty.

The second-listed approach deems any claim derivative unless the owner asserting the claim can prove a type of injury different than the type of injury suffered by other owners. It is true that an injury suffered by an entity indirectly causes the same type of injury to all the entity’s owners. However, the converse is not necessarily true—that is, suppose this statement is true: if P then Q. The converse, if Q then P, might happen to be true but is not necessarily so. (Logic geeks will recognize “the fallacy of affirming the consequent.”)

Think, for example, of the famous Revlon duty to use appropriate efforts to maximize shareholder benefits when a publicly traded corporation is destined to be sold. Revlon, Inc. v. MacAndrews & Forbes Holdings, Inc., 506 A.2d 173 (Del. 1986). The special injury rule would deem a shareholder’s Revlon claim to be derivative, which makes no sense.

The direct injury approach is both simple and conceptually sound. Has an owner been harmed directly or merely as a result of an injury suffered by the entity? As ULLCA (2013) § 801(b) provides, a claim is derivative unless the member asserting the claim can “plead and prove an actual or threatened injury that is not solely the result of an injury suffered or threatened to be suffered by the limited liability company.” See also Tooley v. Donaldson, Lufkin & Jenrette, Inc., 845 A.2d 1031 (Del. 2004) (abandoning the special-injury approach in favor of the direct-harm analysis).

Whether a claim is direct or derivative has substantial, often dispositive, consequences. First, in almost all jurisdictions, a derivative plaintiff must either: (i) before bringing suit, address the entity’s top-level managers (e.g., a corporate board, the managers of a manager-managed limited liability company) and demand that they address the alleged problem, or (ii) plead (typically with particularity) that demand would be futile. In some jurisdictions, a plaintiff who makes a demand creates almost insurmountable obstacles to bringing a derivative claim if (typically when) the managers reject the demand.

Second, even when demand is excused as futile, a derivative claim may be subject to a “special litigation committee” (SLC) appointed by the top-level managers with the power to investigate and decide whether the entity’s best interests will be served by the claim going forward under the control of the derivative plaintiff, being dismissed, or continuing under the control of the SLC. As a matter of fact, almost all SLCs decide in favor of dismissal (sometimes conditioned on changes in the entity’s policies or practices) and so recommend to the court. If the would-be derivative plaintiff contests the SLC’s recommendations, in most instances the court will adopt the recommendation. No such ADR technique exists for direct claims.

Third, with a direct claim, any recovery comes directly to the plaintiff-owner(s). With a derivative claim, the recovery goes to the entity, with no guarantee that the entity will distribute any of the recovery to the entity’s owners. Wilderman v. Wilderman, 315 A.2d 610, 612 (Del. Ch. 1974), is a classic example. The case involved a corporation in which, as the result of a divorce court’s error in judgment, an ex-husband was the majority shareholder and the ex-wife was the minority shareholder. The ex-wife believed the corporation was paying excess compensation to the ex-husband. She sued derivatively to recover the excessive compensation and directly to have the corporation distribute any recovery to the shareholders. The ex-wife won on the derivative claim but lost on the direct. The court was unwilling to interfere with the discretion of the board of directors regarding dividends, even though the board consisted solely of the ex-husband and one of his hunting buddies.

Against this backdrop, we come now to this question: how can a person (e.g., a member of a limited liability company) be a party to a contract (e.g., the company’s operating agreement) and yet lack standing to sue another party (e.g., a fellow member) for breach of the agreement? Such is the situation. As the Delaware Supreme Court has opined (for example), Delaware law:

does not support the proposition that any claim sounding in contract is direct by default, irrespective of [the direct harm analysis]. Nor does [Delaware law hold that a person’s] status as a limited partner and party to the LPA [limited partnership agreement] enable him to litigate directly every claim arising from the LPA. Such a rule would essentially abrogate [the direct harm analysis] with respect to alternative entities merely because they are creatures of contract.

El Paso Pipeline GP Co., L.L.C. v. Brinckerhoff, 152 A.3d 1248, 1259–60 (Del. 2016) (footnotes omitted).

Similarly, the official comment to ULLCA § 801(b) states that, “[a]lthough in ordinary contractual situations it is axiomatic that each party to a contract has standing to sue for breach of that contract,” the situation is different with an operating agreement:

A member does not have a direct claim against a manager or another member merely because the manager or other member has breached the operating agreement. . . . To have standing in his, her, or its own right, a member plaintiff must be able to show a harm that occurs independently of the harm caused or threatened to be caused to the limited liability company.

The comment provides several examples, of which the following is a composite:

The manager of a manager-managed LLC engages in grossly negligent conduct, in violation of ULLCA § 409(c) (duty of care) and in breach of an express provision of the operating agreement. As a result, the LLC’s net assets shrink by fifty percent. In turn, and as an indirect result, the value of the membership interest of Member A (who perforce is a party to the operating agreement) shrinks by $3,000,000. Member A has no standing to bring a direct claim—neither on the statute nor on the agreement. Member A’s damages are merely derivative of the damage first suffered by the LLC.

Thus, to paraphrase James Carville’s famous statement about the economy being a key political issue, it’s all about standing.

Our next column will discuss another remedy-related question: What is a charging order and why should a business lawyer care?

Working Capital Adjustments: Mitigation of Post-Closing Disputes through Customization

Private target M&A agreements often provide for one or more post-closing purchase-price adjustment mechanisms, which may have a material effect on the value of the transaction to a buyer and seller. Indeed, 86 percent of the sampled transactions used in the ABA’s own Private Target Deal Points Study (transactions from 2016 and H1 2017) incorporate post-closing purchase-price adjustments. The most common purchase-price adjustment mechanism is to adjust the purchase price for the target company’s working capital at closing, which we address in this article.

Stepping back to establish a basis for more in-depth discussion, a company’s working capital consists of its current assets, such as accounts receivable and inventory, minus its current liabilities, such as accounts payable. The composition and the amount of working capital is subject to near-continuous change during the course of a company’s operating cycle, and its measurement generally involves many accounting methodology determinations, estimations, and judgments.

In a nutshell, working capital adjustment mechanisms in an M&A transaction work as follows. After the transaction closes, the parties painstakingly determine the amount of working capital, however defined by the parties, that was transferred with the business at the closing. That final working capital amount is then compared to the target working capital agreed to be delivered by the seller to the buyer with the target company. The contractual amount of target working capital is customarily based on the target company’s (normalized) historical working capital needs or reflective of anticipated future needs, but is ultimately a negotiated amount and can be determined however the parties mutually agree for the transaction at hand. Ultimately, the purchase price is adjusted upward or downward to reflect the surplus or shortage of actual working capital at closing relative to the target working capital, and a corresponding true-up payment is made between the parties (net of any preliminary working capital adjustments made at closing).

Defining Working Capital; Establishing the Target Working Capital

Not surprisingly, working capital provisions are often heavily negotiated, beginning with the contractual definition of working capital, closely followed by the determination of the amount of target working capital. Possibly the most significant negotiation point between a buyer and seller is the methodology that is to be used by the parties to measure the amount of working capital at the closing. The parties commonly agree to rely on (i) generally accepted accounting principles (GAAP), (ii) the target company’s historical accounting practices, or (iii) a combination of the foregoing.

When negotiating the measurement of working capital, sellers favor the target company’s historical accounting practices, and buyers prefer to prioritize GAAP. The parties’ respective preferences correspond with their disparate desires to avoid unfavorable post-closing surprises. A seller wants to ensure that the comparison between target working capital and closing working capital is made on an “apples-to-apples” basis in reliance on the target company’s historical accounting practices. A buyer, on the other hand, wants to be able to rely on GAAP to safeguard against non-GAAP errors in the target company’s historical accounting practices, which could otherwise result in overstated working capital. Compare the following examples:

  • Example of Seller Preferred Language: “Closing working capital shall be determined in accordance with the target company’s historical accounting practices, including any exclusions or deviations from GAAP incorporated therein, ….”
  • Example of Buyer Preferred Language: “Closing working capital shall be determined in accordance with GAAP applied on a basis consistent with the target company’s historical accounting practices. If there is a conflict between GAAP and the target company’s historical accounting practices, GAAP shall prevail….”

In the remainder of this article, we discuss a more customized mechanism for selected working capital accounts in order to minimize undesirable adjustment surprises and post-closing disputes. We specifically highlight revenue recognition issues and the allowance for doubtful accounts, which are commonly disputed and may be ripe for customized solutions. For both items, we provide more seller-friendly and more buyer-friendly approaches, each of which potentially adds to comparability and mitigates uncertainty that can be associated with ambiguous documentation of accounting practices and the existence of multiple GAAP-compliant accounting outcomes. Notably, these discussed approaches in some circumstances may be analogously customized to apply to other potentially problematic elements of working capital. Of course, in discussing a more customized mechanism for selected working capital accounts, we assume that the parties are willing—and the deal circumstances reasonably permit the opportunity—to consider and negotiate the working capital adjustment mechanism on a more granular, tailored basis.

Repeated Errors—Revenue Recognition

Although revenue is reflected on a company’s income statement, the application of accrual accounting and the associated matching of sales to the appropriate accounting period is realized by using balance sheet accounts. For example, a cash receipt for services that have not yet been performed can be booked as a deferred revenue liability on the balance sheet until the service is performed. The balance sheet then also appropriately reflects the company’s obligation to perform the service.

As a result, perhaps counterintuitively, flaws in revenue recognition accounting (i.e., errors in determining what revenue should be included on the current period income statement as opposed to being deferred to a later period) can result in balance sheet errors. These errors may in turn impact the amount of working capital at the closing. In practice, a company may have relied on its original revenue recognition approach through years of growth, overhauls of its products and services mix, and other changes in facts and circumstances, such as technical developments. Combined with complex and changing GAAP guidance, revenue recognition mistakes can result, and the impact of correcting revenue recognition errors may be significant.

A seller’s and buyer’s respective views of revenue recognition flaws, of course, diverge. A buyer desires to avoid owing post-closing performance obligations that it perceives as uncompensated due to past errors in revenue recognition. Accordingly, buyers generally prefer contractually mandated GAAP compliance for purposes of revenue recognition accounting when determining closing working capital. A seller, however, perceives a significant risk of a distinction without a difference that drives a wedge between the target working capital and the closing working capital in the event of GAAP-driven adjustments, i.e., from a seller’s perspective, two wrongs can make a right. Although that seller’s perspective may be directionally true in certain instances, the net effect is uncertain at best, and absent specific circumstances, two wrongs are unlikely to cancel each other.

A possible customized solution would be to provide for true parallel adjustments between the target working capital and closing working capital if revenue recognition errors are discovered. For example, a business that sells annual service contracts may have recognized quarterly revenue in violation of GAAP by accruing revenue for each contract entered into during a quarter from the start of that quarter, effectively recognizing revenue early across its service contracts. As a result of this error, the target company may understate the deferred revenue as of the closing date. Utilizing a parallel adjustment methodology after the transaction closes, the deferred revenue liability included in closing working capital and also included in the target working capital would be recalculated by prorating revenues from service contracts in accordance with GAAP. This approach would prevent both the “apples-to-oranges” comparison dreaded by sellers and the existence of an understated deferred revenue obligation in violation of GAAP, to a buyer’s dismay. Importantly, the parallel adjustment could still result in a purchase price adjustment as a result of changes in the ordinary course of business.

Customized contractual language to implement an agreed upon parallel adjustment approach for revenue recognition can vary, either being more seller or buyer friendly:

  • Example—Seller Friendly: “If the target company’s revenue recognition accounting principles are not in accordance with GAAP, those accounting principles shall be modified to comply with GAAP for purposes of calculating both the closing working capital and also the target working capital in a manner that results in the smallest absolute difference between the outcomes of two calculations: (i) the so-adjusted closing working capital minus the so-adjusted target working capital and (ii) the unadjusted closing working capital minus the unadjusted target working capital.”
  • Example—Buyer Friendly: “If the application of the company’s revenue recognition accounting principles as of the closing date would result in the recognition of revenue prior to the closing for which not all of the GAAP recognition criteria were met at that time, the buyer may adjust those accounting principles to be in compliance with GAAP and may determine the closing working capital using the adjusted accounting principles; provided, however, that if the buyer elects to make such adjustments to the accounting principles for purposes of determining the closing working capital, it shall also adjust the target working capital calculation using the same adjusted accounting principles to the extent necessary to bring revenue recognition into compliance with GAAP as of the date on which target working capital is determined.”

Both illustrative provisions implement a parallel adjustment methodology, but with potentially significant differences in outcome. The seller-friendly approach minimizes the impact of any GAAP required adjustments to the purchase price adjustment, and the GAAP adjustment could even be in seller’s favor. The buyer-friendly approach is permissive in the discretion of the buyer and allows the buyer to select the GAAP compliant approach to be used in the event of accounting errors (from among the acceptable GAAP compliant accounting treatments, which may vary significantly in outcome), meaning that the seller is highly unlikely to benefit from past revenue recognition errors.

Of course, when implementing parallel adjustments for one or more components of working capital, counsel should carefully consider whether parallel adjustment is practicable for the account at issue. The implementation of a parallel adjustment mechanism assumes that an underlying, granular calculation of the target working capital exists. That may not be the case if it is a negotiated amount or is based on, for example, averages. In addition, a parallel adjustment mechanism is not particularly suitable for accounts that are estimates as of the balance sheet date based on the facts and circumstances at the time, such as the allowance for doubtful accounts, which we discuss next.

Estimations and Judgments—Accounts Receivable and the Allowance for Doubtful Accounts

Companies that sell products or services on credit record an allowance for doubtful accounts for the potentially uncollectable portion of their outstanding accounts receivable as of a balance sheet date. Deriving the appropriate amount for the allowance for doubtful accounts in accordance with GAAP requires estimations and judgments as to collectability. Reasonable minds may differ, and post-closing a buyer’s and seller’s respective estimations and judgments may well diverge, easily escalating into formal disputes.

Buyers don’t want to pay dollar-for-dollar for uncollectable accounts receivable balances. Accordingly, a buyer will likely be reluctant to rely solely on the target company’s historical accounting practices because (i) a seller is incentivized to be unrealistic about the collectability of its accounts receivable in general (resulting in a lower allowance for doubtful accounts and a higher working capital balance in favor of the seller), and (ii) a seller is incentivized to use less stringent credit standards during the period prior to the closing date (also resulting in a higher working capital balance). Further, a target company’s historical estimation and judgment practices may be vague and poorly documented. Accordingly, buyers prefer to rely on the GAAP safeguard for accounts receivable and the corresponding allowance for doubtful accounts.

All else being equal, however, a seller will be concerned that its estimations and judgments may be supplanted after the fact by a buyer’s estimations and judgments based on the buyer’s perceived GAAP noncompliance of the target company’s preclosing accounting practices. Even if facts and circumstances have changed as of the closing date in a manner that requires a change in accounting relative to the target company’s historical estimations, a seller will not want open-ended exposure to a buyer’s potentially very conservative allowance estimate (GAAP allows a range of possible outcomes). A seller will be concerned about comparing apples to oranges at its expense.

A possible customized solution is to retreat from the judgments and estimations involved when applying either GAAP or the target company’s historical accounting practices in favor of a contractually agreed-upon mechanical calculation. For example, the parties may include a provision (and example calculation) that mandates the quantification of the allowance for doubtful accounts based on increasing percentages across accounts receivable aging brackets.

  • Example: “The allowance for doubtful accounts shall be calculated as the sum of (i) 25 percent multiplied by the part of the gross accounts receivable balance that is older than 30 days but not older than 60 days, (ii) 50 percent multiplied by the part of the gross accounts receivable balance that is older than 60 days but not older than 90 days, (iii) 75 percent multiplied by the part of the gross accounts receivable balance that is older than 90 days but not older than 120 days, and (iv) 100 percent multiplied by the part of the gross accounts receivable balance that is older than 120 days.”

Of course, a broad range of potential customizations and negotiation points exists when electing this solution. For example, the parties likely will negotiate the allowance percentages for each aging bracket as well as the aging brackets themselves. The parties may also want to customize the provision by including, for example, a cap on the allowance for doubtful accounts and by specifying how write-offs factor into the calculation.

An analogous approach—utilizing an agreed-upon mechanical calculation—may also be negotiated for other accounts that exhibit similar point-in-time estimation issues, such as the inventory allowance. The inventory allowance is used to record the estimated portion of the cost of inventory that exceeds the net realizable value or market value of the inventory reflected on the balance sheet of the target company.

A myriad of other solutions occurs in practice. For example, the allowance for doubtful accounts amount may be frozen (without increase or decrease, or one direction only) for purposes of calculating closing working capital at the amount included in the latest balance sheet that is included in the target company’s financial statement representations and warranties, except for adjustments for actual collections and write-offs following the date of the latest balance sheet. This approach provides rough justice to both a buyer and a seller by not accounting for the passage of time and changes in collectability of accounts receivable from the date of the latest balance sheet to the closing date, but is easily applied and assumes that the allowance for doubtful accounts and accounts receivable remain relatively stable over time. Assuming that post-closing events are an acceptable basis for consideration, the parties also may agree that, utilizing actual post-closing experience, the buyer would receive a repayment from the seller for any accounts receivable that remain outstanding after, for example, the 120th day following the closing date (assuming that the parties can agree on the collection efforts required by the buyer during the post-closing period), and the seller then may be entitled to seek to collect such stale accounts receivable for the seller’s benefit (assuming that the buyer does not mind the seller pursuing collection from the buyer’s continuing customers).

Notably, questions regarding the impact of post-closing events on the determination of the closing working capital—as provided for explicitly in the example in the preceding paragraph—exist more broadly for accounting estimates that are not replaced by another arrangement. This issue of determining the extent to which post-closing events may be considered when performing accounting estimates is an issue with which the parties commonly grapple. For example, should post-closing, actual collection information impact the allowance for doubtful accounts as of the closing date in the absence of a specific provision? If so, through which date should those collections be considered?

GAAP includes guidance on the consideration of subsequent events for purposes of preparing financial statements and distinguishes between types of events. That guidance, however, is tied to the date the financial statements are available to be issued (for non-SEC filers). Assuming the parties are willing to rely on GAAP for purposes of its subsequent event guidance, they could contractually agree to an equivalent date to mitigate post-closing disagreements.

Additional Mitigation Options and Overriding Provisions

In addition to the above approaches, there are a variety of other options to deal with potentially problematic working capital accounts. The parties may afford special treatment to specific items, either excluding particularly problematic items from the transaction economics altogether or excluding items from working capital and relying on other provisions, such as representations and warranties and indemnification rights for breaches thereof, or covenants among the parties (e.g., the tax and indemnification provisions addressing the allocation of pre- and post-closing taxes between the buyer and the seller, rather than addressing taxes in part via the working capital adjustment).

In doing so, the parties should of course be mindful of contractual gaps and overlap, differences between provisions, and potential unintended consequences, avoiding the over- or under-inclusion of the effects of working capital accounts in the determination of the purchase price and components thereof, and in the determination of indemnified losses. Importantly, any departures from the overall working capital adjustment mechanism for specific working capital accounts also should be considered when negotiating the target working capital.

In addition to addressing specific accounts, the parties may also use overriding provisions to mitigate potential working capital issues, including the following:

  • The parties may define global working capital terms such as GAAP, which is not static and may change between the date on which target working capital is determined and the closing date, to be as of a specific date so that the same GAAP applies to the determination of target working capital and closing working capital.
  • The parties may establish a post-closing true-up process in the purchase agreement that can be objectively applied and that cannot be unduly sabotaged or delayed by one of the parties through, for example, one party’s refusal to agree to and retain a neutral accountant or meet a specified milestone date (e.g., the date on which a buyer is required to deliver its post-closing working capital analysis). This issue could arise if the purchase agreement simply leaves it to the parties to mutually agree (without an objective process for doing so) to a neutral accountant if and when actually needed during the post-closing working capital true-up process, often at a time when the relationship has soured. In addition, in respect of the failure of a party to meet an agreed milestone, this issue could arise if the parties remain silent as to the effect of such a breach of contract (which is commonly the case for a buyer’s failure to timely transmit its proposed final closing working capital statement following the closing), the amount of contractual damages potentially being difficult to determine, and the cost of enforcement being potentially prohibitive.
  • The parties may agree to a contractual cap on the post-closing adjustment or utilize a working capital range to only adjust the purchase price for working capital if closing working capital exceeds or falls below target working capital by a specified percentage.

We have highlighted some commonly encountered, often complex problems with working capital true-ups and possible strategies that parties to a purchase agreement may consider to mitigate potential post-closing working capital disputes. In evaluating the options that may be implemented, if any, the parties should of course consider the facts and circumstances of the transaction at issue. In some instances, the working capital and related exposure can be a large component of purchase price, and the additional effort and expense associated with negotiating and incorporating customized solutions in the purchase agreement via the coordinated efforts of the parties and their respective accountants and legal counsel may well be worth it.


The views expressed herein are the authors’ own and are not attributable to their firms, those firms’ members/partners, or their clients. We utilize sample agreement language in this article to highlight some of the issues. Such agreement language is, of course, necessarily abbreviated, incomplete, lacking in defined terms, and for illustrative purposes only.

Corporate Board Diversity: Gaining Traction Through Investor Stewardship

Board diversity, long a stepchild of corporate governance, has assumed growing prominence. According to the EY Center for Board Matters’ 2018 Proxy Season Review of 60 institutional investors managing $32 trillion in assets, 82 percent of respondents indicated that board composition should be a top priority for 2018, with 67 percent noting that they seek diverse director characteristics and backgrounds.

The business case for corporate diversity in general is well documented. Cited most frequently is McKinsey’s study, Diversity Matters, which found a statistically significant correlation between diversity and financial performance. Specifically, companies in the top quartile for gender and racial/ethnic diversity were 15 percent and 35 percent, respectively, more likely to have financial returns above their national industry median. Although McKinsey’s study applied to corporate as opposed to board leadership, the findings are nevertheless incontrovertible. Diversity enhances the decision-making process and the financial bottom line.

With respect to board diversity, MSCI Inc.’s 2016 Women on Board’s Report found that U.S. companies that began the five-year period from 2011–2016 with at least three women on their boards (deemed the “tipping point” needed for female directors to exert influence on a board) experienced a 10-percent increase in ROE and a 37-percent gain in EPS. In contrast, those without female directors experienced a -1 and -8 percent decline, respectively.

Over the past year, momentum in this space has gained traction as a result of three driving forces: (1) asset managers pushing for change, (2) institutional investors calling for accountability and transparency, particularly by pension funds, and (3) regulation mandates.

Asset Managers Take a Stand

Given diversity’s potential impact on financial performance, the issue of board diversity is now viewed through the lens of investment stewardship by asset managers. The asset management industry has recently become a catalyst for change when it comes to board composition, with BlackRock, Vanguard, and State Street leading the way for greater board gender diversity.

BlackRock, the world’s largest asset manager with $6.3 trillion of assets under management, has received the most prominent coverage, generated in large part by its Annual Letter to CEOs. With respect to boards, BlackRock’s CEO Larry Fink announced that BlackRock will continue to emphasize diverse boards, stating that they are “less likely to succumb to groupthink or miss threats to a company’s business model.” Consistent with the letter, BlackRock’s Proxy Guidelines for 2018 stipulate that it “expects to see at least two women directors on every board.”

Unlike BlackRock, Vanguard, with more than $5 billion in assets under management, did not assign a metric, but nevertheless advocated for gender board diversity, noting in its Open Letter to Directors of Public Companies Worldwide that its position on board diversity is “an economic imperative, not an ideological choice.”

Finally, as a result of State Street’s stewardship on board gender diversity, 152 companies added a woman director to their board, and 34 companies agreed to do so in the future. As encouraging as that may be, it regrettably leaves over 600 more companies remaining on State Street’s original list of publicly traded companies with all-male boards. Equally compelling, State Street voted against 511 companies that failed to address the gender diversity issue.

Pension Funds Call for Accountability and Transparency

The second emerging trend is the increasing role of pension funds in driving board diversity. For example, California’s Public Employees Retirement System (CALPERS) now requests that companies disclose their diversity policy. Similarly, the Massachusetts Pension Reserves Investment Management Board’s 2018 proxy guidelines recommend voting against or withholding votes for all board nominees if less than 30 percent of the board is diverse.

New York’s pension funds on the state as well as municipal level have been particularly aggressive in placing public companies on notice that they are not only holding them to a high level of scrutiny, but also holding them accountable for board diversification. In March, the New York State Common Retirement Fund, with $192 billion in assets held in trust and the third largest pension in the country, announced that it would vote against electing all of the directors standing for re-election at the more than 400 companies without women board members in which it holds shares. Moreover, for the more than 700 companies in which the fund holds shares where there is only one female director, the Fund announced that it would vote against the members of the governance committee standing for re-election. In making the announcement, New York State Comptroller Thomas DiNapoli said, “We’re putting all-male boardrooms on notice—diversify your boards to improve your performance.”

Similarly, last year the New York City Comptroller and New York City’s pension funds launched the Boardroom Accountability Project, Version 2.0. In launching the program, New York City Comptroller Scott M. Stringer said, “. . . we’re doubling down and demanding companies embrace accountability and transparency.” Designed to enhance public disclosure reporting, the Comptroller asked 151 companies to disclose the race, gender, and skills of their board members as well as their board refreshment process.

Mandate by Regulation

Further escalating the dialogue on board diversity is state legislation. Although there are a number of states that encourage or urge companies to enhance board diversity, including the Commonwealth of Pennsylvania through Senate Resolution 255, which seeks a gender minimum of 30 percent by 2020, California is the first state to contemplate mandating board diversity. In January 2018, Senate Bill 826 was introduced in California. If the bill is passed as currently drafted, by the end of 2019, all companies with principal executive offices in California must have a minimum of one female director on their boards of directors. As a tiered system, by the end of 2021 the minimum would increase to two female directors if the company has a total of five authorized directors, or to three female directors if the company has six or more authorized directors. Under the bill, each director seat not held by a female during a portion of the year counts as a violation. The penalties, as currently structured, are pegged to the board’s compensation schedule, with the fine for the first violation equivalent to the average cash compensation for the directors of the company and the second and subsequent violations equivalent to three times the average annual cash compensation for directors.

Notwithstanding these trends, however, the regulatory environment has the capacity to dictate the velocity of momentum in this area, as we have seen with the recent passage of legislation by the House Financial Services Committee. Under H.R. 5756, the voting thresholds for the resubmission of shareholder proposals were raised significantly. In order for a shareholder proposal to be resubmitted, at least six percent of shareholders must have voted in favor of the proposal the previous year, compared to three percent as currently required by the SEC. Similarly, the threshold is raised to 15 percent for the next resubmission and finally 30 percent for a subsequent resubmission, compared to six and 10 percent, respectively, under the current regulatory regime. Because it raises the thresholds for shareholder support, the potential impact of this legislation on investor activism and board diversity should not be underestimated.

Supplementing these trends is the emergence of collective advocacy through organizations such as 2020 Women on Boards, 30% Club, Paradigm for Parity, Women in the Boardroom, and others, all of which aim to combat the gender imbalance in corporate and board leadership. They offer resources and guidelines for increasing the number of women on corporate boards over the next few years, which dovetail well with the above-described initiatives.

The dialogue on board diversity continues to be raised nationally and internationally and shows no signs of abatement. According to the Wall Street Journal, a recently released ISS Analytics analysis indicates that in the first five months of 2018, women accounted for 248, or 31 percent, of new board directors at the 3,000 largest publicly traded companies—the highest percentage in 10 years. On the horizon, Glass Lewis, a leading proxy service provider, indicated in its 2018 Proxy Policy Guidelines that beginning in 2019 it will generally recommend voting against the nominating chair of boards without female directors as well as potentially other nominating committee members. Although previously shunned, board diversity can no longer be ignored. The failure to diversify boards is more than an issue of optics. Rather, it is a reflection of an organization’s corporate culture and, to the extent that it has the potential to negatively impact shareholder value, it is a governance issue and, as Vanguard so aptly observed, an economic imperative.

The Trump Effect on Antitrust M&A Enforcement

Since President Trump took office in January 2017, a number of mergers and acquisitions have been challenged, blocked, or abandoned on antitrust grounds in a diverse array of industries, including health insurance, television and media, petroleum storage, and daily fantasy sports, among others. Some of these were large multi-billion dollar transactions, while others were much smaller, under $100 million in size. These antitrust challenges have taken place against the backdrop of an increase in global M&A activity.

This article discusses notable recent developments in antitrust M&A review and practical takeaways for companies looking to do deals.

New Leadership at the Federal Antitrust Agencies

After a lengthy hiatus, there is new leadership in place at both federal antitrust agencies, the Antitrust Division of the U.S. Department of Justice (Antitrust Division or DOJ) and the Federal Trade Commission (FTC).

The Antitrust Division is headed by one Assistant Attorney General (AAG), nominated by the President and confirmed by the U.S. Senate. He or she is the ultimate decision-maker on all antitrust matters, including mergers, that come before the Antitrust Division. The FTC is headed by five Commissioners, also nominated by the President and confirmed by the Senate, who serve staggered 7-year terms, with one Commissioner acting as Chair.  No more than three Commissioners can be of the same political party. Enforcement actions of the FTC require a majority vote. 

While history suggests that a Republican-led Antitrust Division and FTC tend to be somewhat more restrained in antitrust merger enforcement than Democratic-led antitrust agencies, any such expectations (or hopes) that the business community may have had for the Trump Administration have not come to pass. Both the Antitrust Division and the FTC continue to be very active in investigating and challenging M&A transactions on competition grounds. This is not entirely surprising: an aggressive approach to antitrust merger enforcement, which has a primary goal of protecting consumers, is consistent with President Trump’s populist message. Also, the staff attorneys and economists at the agencies who handle the day-to-day investigative work are not political appointees and typically do not move with administrations, providing some degree of continuity.

The main takeaway is that companies doing deals should not expect a free pass from the antitrust agencies under the current administration. Transactions that raise competitive issues will still be carefully reviewed.  Companies and their advisors should continue to build this into their timelines and assessments of completion risk. 

In fact, antitrust authorities may be getting even tougher in some areas of merger enforcement, as discussed below.

Greater Antitrust Risk for Vertical Mergers?

A vertical merger is a combination of businesses operating within the same industry but at different levels of the supply chain, such as a manufacturer of widgets acquiring a distributor of widgets. Unlike a horizontal merger, which directly reduces competition by eliminating a competitor in a particular market, a vertical merger does not combine competitors and can generate valuable cost savings, so its likely impact on competition is more ambiguous and harder to predict. Nevertheless, vertical mergers have attracted greater antitrust scrutiny in recent years, including during the Obama Administration, e.g., Comcast/NBC Universal, Ticketmaster/Live Nation, Google/ITA Software, and General Electric/Avio.

A major change in antitrust policy under the Trump Administration has been a shift in the attitude of the antitrust agencies, especially the Antitrust Division, towards remedies for vertical transactions that raise competitive concerns. Previously, the long-standing policy of the Antitrust Division and the FTC was to resolve concerns in vertical deals with “behavioral” (aka conduct) remedies, which prescribe certain aspects of the merged firm’s post-consummation business conduct. Common behavioral remedies used in numerous vertical transactions included information firewalls, non-discrimination commitments, mandatory licensing, and anti-retaliation provisions. Such remedies were usually not viewed by transaction parties as particularly onerous, hence vertical mergers rarely failed due to antitrust concerns.

However, beginning with a speech on November 16, 2017, and on several occasions thereafter, Makan Delrahim, President Trump’s nominee to head the Antitrust Division who was confirmed last September, has expressed significant skepticism of behavioral remedies for vertical deals, since they often require government oversight for an extended period of time and are difficult to police. Instead, AAG Delrahim has stated a strong preference for structural relief, such as asset divestitures, which historically has been used mostly in horizontal mergers of competitors, and which is much “cleaner” and easier to enforce. 

This shift in approach stems, at least in part, from AAG Delrahim’s view that “antitrust is law enforcement, it’s not regulation,” a statement that has been echoed in recent months by other senior Antitrust Division officials and is consistent with the Trump Administration’s broader goal of reducing regulation. As Delrahim noted in his November 16 remarks: “[A]t times antitrust enforcers have experimented with allowing illegal mergers to proceed subject to certain behavioral commitments. That approach is fundamentally regulatory, imposing ongoing government oversight on what should preferably be a free market.” 

Structural remedies, by contrast, typically do not involve long-term government entanglement in the market at issue. Since Delrahim articulated the Antitrust Division’s current position regarding remedies for vertical mergers, certain FTC officials have made similar remarks, although it is still unclear if all or even a majority of the new Commissioners share Delrahim’s views on this issue.

This policy shift means that companies must now consider the risk of being forced to divest assets as a condition to obtaining antitrust approval for vertical mergers that raise competitive concerns.  Interestingly, the agencies’ resolve on this issue may be tested following DOJ’s recent unsuccessful challenge to AT&T Inc.’s acquisition of Time Warner Inc.

The AT&T/Time Warner Decision

On November 20, 2017, just four days after AAG Delrahim’s first public remarks about remedies in vertical mergers, DOJ sued to block AT&T’s $85 billion acquisition of Time Warner, easily the most high-profile merger challenge since Trump took office. Importantly, this was not a merger of competitors; rather, it was a vertical merger of a content creator, Time Warner, which owns a collection of television and film content, and a content distributor, AT&T, which owns satellite pay-TV provider DirecTV. The lawsuit came as a surprise to many and fueled speculation that it was politically motivated, given President Trump’s prior public criticisms of the transaction and his well-known animosity towards CNN, which is owned by Time Warner.

DOJ’s main concern was that the combination would enable AT&T to use its ownership of Time Warner’s “must-have” popular content to increase its bargaining leverage and extract higher fees from traditional video programming distributors such as cable and satellite TV companies, which would be passed on to consumers through higher prices. DOJ also alleged that the proposed combination would slow innovation by giving the merged firm the incentive and ability to impede the growth of online video distribution services, and would allow the parties to restrict competitors’ use of Time Warner’s HBO network as a promotional tool. Reflecting its recent shift in policy towards remedies in vertical mergers, DOJ insisted on a structural remedy that would have required AT&T to divest its entire DirecTV business or Time Warner’s Turner Broadcasting business. AT&T refused, culminating in litigation. 

On June 12, 2018, after a six-week trial, U.S. District Court Judge Richard Leon ruled in favor of the companies. In his 172-page opinion, Judge Leon provided a very fact-specific analysis of how the government failed to meet its burden to show that the combination was likely to substantially lessen competition in violation of Section 7 of the Clayton Act. In so doing, he ruled that DOJ’s evidence fell far short of adequately supporting any of its theories of competitive harm. Judge Leon found that the government’s case depended on a flawed economic model that raised too many questions about the potential price increase to consumers, noting that it lacked “both reliability and factual credibility,” and accepting instead the defendants’ economist’s attacks on the model’s input data and assumptions. Neither was the court persuaded by internal company documents and regulatory filings submitted by DOJ as evidence, nor the testimony of competitor witnesses. Though he accepted DOJ’s contention that Time Warner’s content is valuable and does provide some bargaining leverage, Judge Leon explained that this is already true today, and the government had failed to show how the merger would materially alter the current landscape.

By contrast, the opinion referenced multiple times the changing nature of the industry and the rise in competing internet-based video distribution services, including “virtual” programming distributors such as DISH’s Sling TV, Sony’s Playstation Vue, Google’s YouTube TV, and AT&T’s DirecTV Now, as well as subscription video on demand services such as Netflix, Hulu, and Amazon Prime. Judge Leon also noted a shift from reliance on television advertising to targeted digital advertising and seemed to accept defendants’ position that the combined company would be able to better compete against large technology companies with powerful digital advertising platforms such as Facebook and Google.

Two days after Judge Leon’s decision, AT&T and Time Warner closed their deal, with DOJ announcing that it would not seek a stay of Judge Leon’s ruling. DOJ agreed to this only after receipt of a letter from AT&T outlining separations that the parties would put in place between Time Warner’s Turner Broadcasting unit and AT&T’s communications business until the earlier of February 2019 or the conclusion of any appeal. On July 12, DOJ announced that it would appeal the district court’s decision.

While the outcome at trial was a blow to the government, Judge Leon’s decision turned on specific facts and evidence and certainly should not be seen as removing all antitrust barriers to vertical mergers. However, it does highlight the difficulties with successfully challenging a vertical merger on competition grounds and will likely give transacting parties more confidence to pursue large vertical tie-ups. It is no coincidence that the day after the AT&T/Time Warner decision, Comcast Corp. made a $65 billion cash offer for 21st Century Fox’s entertainment assets.

Despite the widespread media attention lavished on the AT&T/Time Warner case, companies should also keep in mind that competitors wishing to merge in horizontal combinations will find little or no solace in Judge Leon’s decision. Both federal antitrust agencies have an excellent track record in recent years of successfully challenging problematic horizontal mergers.

More Post-Closing Merger Challenges

Since President Trump’s inauguration, there has been a flurry of antitrust challenges to consummated M&A deals, even more than the annual average under the Obama Administration. These challenges serve as a stark reminder that, first, antitrust enforcers have legal jurisdiction over all M&A transactions that affect U.S. commerce, irrespective of the size of the parties, the transaction, or the markets involved; and second, deals can be challenged anytime, even after closing.

Most of the recent post-closing challenges involved deals that were not reportable under the Hart-Scott-Rodino (HSR) Act, because they fell below the statutory size thresholds that trigger a mandatory HSR notification to the FTC and DOJ. For example, in December 2017 DOJ filed a complaint against TransDigm Group Inc.’s $90 million acquisition of two commercial airplane restraint system businesses from Takata Corporation, a non HSR-reportable deal that had closed in February 2017. DOJ found that the transaction had eliminated TransDigm’s closest (and in some cases, only) competitor in the markets for various types of restraint systems, which was likely to lead to higher prices and less innovation.  To avoid the expense and burden of continued investigation and litigation, TransDigm entered into a settlement with DOJ in which it agreed to divest the airplane restraint system assets it had acquired from Takata, effectively unwinding the acquisition. 

Also in December 2017, the FTC filed an administrative complaint seeking to unwind a merger consummated three months earlier between two manufacturers and suppliers of microprocessor prosthetic knees, Otto Bock HealthCare North America, Inc. and FIH Group Holdings, LLC (aka Freedom Innovations). According to the FTC’s complaint, the transaction eliminated direct and substantial competition between Otto Bock and its most significant and disruptive competitor, Freedom Innovations, further entrenching Otto Bock’s position as the dominant supplier of microprocessor prosthetic knees. After closing the acquisition in September 2017, Otto Bock had already begun to integrate the Freedom Innovations business, but in light of the FTC action and the possibility of a forced divestiture, it agreed to take steps to hold separate and preserve the acquired business until the case is resolved.

We have also seen a rare post-closing challenge to a deal that was HSR-reportable, involving Parker-Hannifin Corporation’s $4.3 billion acquisition of CLARCOR Inc., a manufacturer of filtration products. In an unusual twist, DOJ challenged this transaction in September 2017, nine months after it had allowed the HSR waiting period to expire.  Reportedly, after the transaction received HSR clearance, a third party notified DOJ of a small competitive overlap in aviation fuel filtration systems.  DOJ investigated and found that Parker-Hannifin and CLARCOR were the only two domestic manufacturers of such products.  DOJ filed a lawsuit to force Parker-Hannifin to divest the aviation fuel filtration assets it acquired from CLARCOR, which the company ultimately agreed to do. Notably, the divested business had annual revenues of around $60 million, which accounted for less than half of one percent of the merged companies’ combined annual revenues of over $13 billion, and yet DOJ still expended the time and resources to investigate and bring a challenge.

As these recent cases demonstrate, companies that assume a small deal is safe from antitrust scrutiny do so at their peril, especially if the merging businesses are close competitors in a market with few players. Non HSR-reportable acquisitions involve unique risks and strategic considerations, particularly for the buyer. In addition, the agencies will examine even relatively minor overlaps between large companies.

Uptick in State Antitrust M&A Enforcement

In addition to the federal antitrust agencies, state attorneys general can and do investigate M&A transactions on antitrust grounds, and they can go to court to challenge deals that could harm consumers in a particular state. There is a long history of cooperation between federal and state antitrust enforcers in merger investigations. Several recent merger challenges brought by the Antitrust Division or the FTC were joined by one or more state AGs, including large national mergers such as Anthem/Cigna (eleven states and the District of Columbia) and Aetna/Humana (eight states and the District of Columbia), as well as smaller local transactions such as Sanford Health/Mid-Dakota Clinic (North Dakota).

Before Trump took office, there was speculation that if the Antitrust Division and the FTC became lax and took their foot off the merger enforcement pedal, the states would engage to fill the void. Despite the fact that the federal agencies have remained active, there has nevertheless been a recent increase in state AG merger enforcement, with a number of states, especially those with Democratic attorneys general, seemingly more willing to take the lead on matters or even “go it alone.”

In July 2017, California Attorney General Xavier Becerra sued to block Valero Energy’s proposed acquisition from Plains All American Pipeline of two petroleum storage and distribution terminals in the San Francisco Bay area. Notably, the challenge came after the FTC had already reviewed and cleared the transaction. The companies subsequently abandoned the deal.  In August, Washington State Attorney General Bob Ferguson filed a suit seeking to unwind Franciscan Health System’s consummated 2016 acquisition of WestSound Orthopaedics. That case is currently in litigation. Other Democratic state AGs, such as New York, have publicly stated a willingness to pursue antitrust cases, including merger cases, independently of the federal agencies.

State antitrust involvement is most likely in transactions that impact local geographic markets (e.g., hospitals, funeral homes, waste services, gas stations, grocery stores, other brick & mortar retail), national mergers with the potential to affect a large number of the state’s consumers (e.g., health insurance), and those where the state or its subdivisions are significant purchasers of the merging parties’ products or services.

As the recent cases in California and Washington demonstrate, companies increasingly must consider state reactions to proposed M&A deals and also need to recognize that state concerns do not always replicate federal views. State AGs tend to heavily scrutinize a transaction’s likely impact on local market conditions in their state and will sometimes challenge deals that are cleared by the FTC or DOJ, as in Valero/Plains. States may also influence the scope of remedies required for transaction approval: for example, an investigation by the New York AG’s office (in conjunction with the FTC and several other states) caused retail pharmacy chain Walgreens to restructure its 2017 purchase of almost two thousand Rite Aid stores to acquire 184 fewer Rite Aid stores in New York State than had been identified in its original acquisition proposal. Another important difference between federal and state M&A enforcement stems from the fact that the vast majority of state AGs are publicly elected rather than appointed, resulting in some states including non-antitrust-based concerns, such as job preservation, within the scope of merger investigations.

Conclusion

These recent developments highlight the importance of transacting parties performing antitrust due diligence early and irrespective of deal size. Often, parties will be able to rule out any serious antitrust issues with minimal time and expense. An upfront antitrust risk assessment can ensure companies go into a deal with their eyes wide open and can help avoid unpleasant surprises.

The LabMD Case and the Evolving Concept of “Reasonable Security”

Facts of the LabMD Case

LabMD, Inc. was a cancer diagnostic testing facility that used medical specimen samples and patient information to provide diagnostic information to health care providers. The company was subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and had a HIPAA compliance program in place that prohibited the downloading of peer-to-peer (P2P) file-sharing applications on company computers. LabMD v. FTC, Case No. 16-16270 (11th Cir. June 6, 2018), at 2. Now defunct as an operating company, LabMD nonetheless exists as a company and continues to protect its information.

In violation of this prohibition, a company billing manager installed LimeWire on a company computer. This P2P software permits users to make computer documents accessible to the larger LimeWire community. The manager made a file containing the personal information of 9,300 consumers (the 1718 File) available to approximately two to five million LimeWire users. The 1718 File included names, dates of birth, Social Security numbers, laboratory diagnostic and testing codes, and, for some patients, health insurance information.

A data security firm, Triversa Holding Corporation (Triversa), downloaded the 1718 File and contacted LabMD to offer remediation services, which were refused. LimeWire was uninstalled from the billing manager’s computer. Triversa sent the 1718 File to the FTC.

In its resulting complaint, the FTC alleged a variety of general security failures around LabMD’s policies and procedures that the FTC decided ultimately led to the posting of the 1718 File.

The Eleventh Circuit noted that there was no evidence that any of the 1718 File information was accessed by anyone other than Triversa or that it was otherwise improperly used.

FTC Consent Orders and Reasonable Information Security Programs

The FTC has filed enforcement actions against a variety of companies for security program failures, alleging that such failures constitute an “unfair act or practice” under Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a) (the FTC Act or Section 5(a)). The resulting consent orders generally require the defendant companies to implement and maintain information security policies and procedures designed to protect consumer information.

In this manner, the FTC has for years been building a “common law” body of orders intended to require companies to maintain reasonable information security programs. The FTC published in 2015 a guide for companies based on these consent orders, Start with Security, which it updated in 2017 with its “Stick with Security” blog series. These guides are crafted as “lessons-learned” guidance and focus on the following:

  1. Security and privacy programs aligned with the following principles: purpose limitation or minimization in the collection of personal information; retention for only as long as necessary; appropriate employee training and education; and consumer choice.
  2. Data access controls designed to restrict access to personal information and limit administrative access.
  3. Operational access controls, such as passwords and authentication processes.
  4. Protection of data in storage and in transit.
  5. Network firewalls and monitoring.
  6. Remote access controls.
  7. Addressing security in the development of new products or services.
  8. Vendor management of security risks posed by third-party service providers.
  9. Ongoing monitoring and evaluation of security processes.
  10. Physical security of storage media.

The enforcement actions tend to arise out of fairly egregious facts and are usually precipitated by a significant data breach. Accordingly, the specific “lessons learned” are often a list of “do-nots.” For example, a do-not of LabMD is “do not allow downloading of P2P (or noncompany) software on company systems.” The FTC has leveraged these specific do-nots into a larger concept of reasonable security. In LabMD, the FTC reasoned that a general laxity of information security policies and procedures led to the installation of the P2P software on the billing manager’s computer and to the failure to detect its presence.

In its press release regarding its 2017 Annual Privacy and Security Update (the Update), the FTC expressly stated that it “uses a variety of tools to protect consumers’ privacy and personal information including bringing enforcement actions to stop law violations and require companies to take affirmative steps to remediate the unlawful behavior.” The FTC regularly includes comprehensive information security program requirements in its consent orders, attributing identified security lapses or breaches to weak security generally.

The FTC consent order security programming requirements tend to be: (1) technology-neutral; (2) intended to be evaluated and updated on a regular basis; and (3) focused on the individual company’s risk-management efforts, taking into account the amount of practical risk, costs involved, industry standards, and sensitivity of information, among other factors.

Other Regulatory Approaches to “Reasonable Security”

The FTC’s concept of “reasonable security” is consistent with approaches taken by other laws and regulatory guidance regarding information security programs. The consensus seems to be that as technology and innovation are evolving faster than the law, the applicable laws should focus on security management standards and goals, rather than express prescriptive rules.

For example, the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity (RMF), https://www.nist.gov/cyberframework/framework, offers a general set of standards, guidelines, and best practices to manage cybersecurity risk in critical infrastructure. The NIST RMF is neither prescriptive nor specific. Rather, it allows companies to evaluate their security programs in light of “their organizational requirements and objectives, risk appetite, and resources against” certain “core” cybersecurity principles.

Similarly, the Federal Financial Institutions Examination Council (FFIEC) Cybersecurity Assessment Tool (CAT) provides a “repeatable and measurable process for financial institutions to measure their cybersecurity preparedness over time.” Like the NIST RMF, the FFIEC CAT offers core principles and goals but relies on the company’s own risk-management assessment and strategies. The FFIEC CAT maturity domains include general statements like, “[d]edicated cybersecurity staff develops, or contributes to developing, integrated enterprise-level security and cyber defense strategies” or “[t]he institution benchmarks its cybersecurity staffing against peers to identify whether its recruitment, retention, and succession planning are commensurate.”

State statutory and regulatory requirements around security programs are also general. For example, the New York State Department of Financial Services Cybersecurity Requirements for Financial Services Companies (the NY Cyber Reg) requires such companies to develop cybersecurity programs based on a risk inventory and assessment process, with the goal of developing a policy that addresses all of the following:

  1. information security
  2. data governance and classification
  3. asset inventory and device management
  4. access controls and identity management
  5. business continuity and disaster recovery planning and resources
  6. systems operations and availability concerns
  7. systems and network security
  8. systems and network monitoring
  9. systems and application development and quality assurance
  10. physical security and environmental controls
  11. customer data privacy
  12. vendor and third-party service provider management
  13. risk assessment
  14. incident response

Like the NIST RMF and the FFIEC CAT, which address the use of multifactor authentication and penetration testing, as appropriate, the NY Cyber Reg does not require the use of specific technology.

The more comprehensive Massachusetts cybersecurity regulation, Standards for the Protection of Personal Information of Residents of the Commonwealth (the MA Cyber Reg), requires companies to maintain cybersecurity programs that, at a minimum and to the extent technically feasible, should have the following elements:

  1. Secure user authentication protocols including:
    (a) control of user IDs and other identifiers;
    (b) a reasonably secure method of assigning and selecting passwords, or use of unique identifier technologies, such as biometrics or token devices;
    (c) control of data security passwords to ensure that such passwords are kept in a location and/or format that does not compromise the security of the data they protect;
    (d) restricting access to active users and active user accounts only; and
    (e) blocking access to user identification after multiple unsuccessful attempts to gain access or the limitation placed on access for the particular system;
  2. Secure access control measures that:
    (a) restrict access to records and files containing personal information to those who need such information to perform their job duties; and
    (b) assign unique identifications plus passwords, which are not vendor-supplied default passwords, to each person with computer access, that are reasonably designed to maintain the integrity of the security of the access controls;
  3. Encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information to be transmitted wirelessly;
  4. Reasonable monitoring of systems for unauthorized use of or access to personal information;
  5. Encryption of all personal information stored on laptops or other portable devices;
  6. For files containing personal information on a system that is connected to the Internet, there must be reasonably up-to-date firewall protection and operating system security patches, reasonably designed to maintain the integrity of the personal information.
  7. Reasonably up-to-date versions of system security agent software that must include malware protection and reasonably up-to-date patches and virus definitions, or a version of such software that can still be supported with up-to-date patches and virus definitions, and is set to receive the most current security updates on a regular basis.
  8. Education and training of employees on the proper use of the computer security system and the importance of personal information security.

The MA Cyber Reg is technology-neutral, industry standards- and risk-based, and tied to a “reasonableness” concept.

Other state laws are even more broad. The recently enacted Alabama State Data Breach Notification Act (the AL Act) requires companies to maintain “reasonable security measures” to protect personal information. “Reasonable” means “practicable” in relation to a cost-benefit analysis, the type and volume of information involved, and the size of the entity, with emphasis to be placed on “data security failures that are multiple or systemic” and taking into consideration all of the following measures:

  1. designation of one or more managers of the security program;
  2. risk inventory—both internal and external;
  3. vendor management with contractual security obligations;
  4. continuous monitoring and evaluation of threats and measures; and
  5. board or management oversight.

LabMD Consent Order

The FTC’s consent order in this case, FTC Consent Order In the Matter of LabMD, Inc., Docket No. 9357, at 2–3, imposed security requirements that were commensurate with those imposed by previous consent orders, which required LabMD to:

establish and implement, and thereafter maintain, a comprehensive information security program that is reasonably designed to protect the security, confidentiality, and integrity of personal information collected from or about consumers by respondent or by any corporation, subsidiary, division, website, or other device or affiliate owned or controlled by respondent. Such program, the content and implementation of which must be fully documented in writing, shall contain administrative, technical, and physical safeguards appropriate to respondent’s size and complexity, the nature and scope of respondent’s activities, and the sensitivity of the personal information collected from or about consumers, including:

  1. the designation of an employee or employees to coordinate and be accountable for the information security program;
  2. the identification of material internal and external risks to the security, confidentiality, and integrity of personal information that could result in the unauthorized disclosure, misuse, loss, alteration, destruction, or other compromise of such information, and assessment of the sufficiency of any safeguards in place to control these risks. At a minimum, this risk assessment should include consideration of risks in each area of relevant operation, including, but not limited to: (1) employee training and management; (2) information systems, including network and software design, information processing, storage, transmission, and disposal; and (3) prevention, detection, and response to attacks, intrusions, or other systems failures;
  3. the design and implementation of reasonable safeguards to control the risks identified through risk assessment, and regular testing or monitoring of the effectiveness of the safeguards’ key controls, systems, and procedures;
  4. the development and use of reasonable steps to select and retain service providers capable of appropriately safeguarding personal information they receive from respondent, and requiring service providers by contract to implement and maintain appropriate safeguards; and
  5. the evaluation and adjustment of respondent’s information security program in light of the results of the testing and monitoring required by [the order], any material changes to respondent’s operations or business arrangements, or any other circumstances that respondent knows or has reason to know may have a material impact on the effectiveness of its information security program.

Eleventh Circuit Holding and Reasoning in LabMD

The Eleventh Circuit held that the LabMD consent order was void for lack of specificity:

In the case at hand, the cease and desist order contains no prohibitions. It does not instruct LabMD to stop committing a specific act or practice. Rather, it commands LabMD to overhaul and replace its data security program to meet an indeterminable standard of reasonableness. This command is unenforceable.

The Eleventh Circuit acknowledged that due to limitations on legislating “an extensive list of unfair acts or practices,” Congress authorized the FTC “to establish unfair acts or practices through case-by-case litigation.” Notably, the court did not squarely address the issue of whether the FTC has data security enforcement authority under section 5(a).

The court focused on the FTC’s own two-prong test to determine whether an act or practice is “unfair” under section 5(a):

  1. whether there is a “consumer injury,” which is substantial, not outweighed by a countervailing benefit to the consumer, and not reasonably avoidable by the consumer; and
  2. whether the act “offended public policy as established by statute, the common law, or otherwise.”

The court found that “the [FTC’s] complaint alleges no specific unfair acts or practices” by LabMD other than the installation of P2P software on a single LabMD computer. The FTC complaint did not state that the installation of the P2P software violated a specific company policy. The court assumes that LabMD had a policy against the download. The court’s focus appears to be on this single violation, which, according to the court’s reasoning below, would justify an express prohibition in the consent order against policies or procedures permitting such an installation. The court did not discuss the FTC’s more holistic approach in the context of whether the company could have exercised better practices generally in implementing controls to actually prevent the employee from downloading external programs on a company computer, and whether such failure would warrant the imposition of more comprehensive security requirements, as was done in the order.

The opinion, however, assumed arguendo “that LabMD’s negligent failure to design and maintain a reasonable data security program invaded consumers’ right of privacy and thus constituted an unfair act or practice” under section 5(a).

The Eleventh Circuit recognized that although “[n]othing in the FTC Act addresses what content must go into a cease and desist order,” the FTC’s own procedural rule requires that a complaint must contain a “clear and concise factual statement sufficient to inform each respondent with reasonable definiteness of the type of acts or practices alleged to be in violation of the law.” The court concluded that (1) the complaint must state violations with “reasonable definiteness,” and (2) the remedy (in this case, the requirements of the consent order) “must comport with this requirement of reasonable definiteness.” Accordingly, the opinion states that “the order’s prohibitions must be stated with clarity and precision.”

The opinion further explains how enforcement of FTC consent orders occurs procedurally, either with enforcement by the administrative law judge (ALJ) or the district court. These authorities are charged with enforcement of injunctions of specific prohibited conduct enumerated in the consent order. The court concludes that the effect of indefinite requirements would lead to micromanagement in the form of constant interpretation and modification of the order by the ALJ or court.

The opinion holds that the order is void for lack of enforceability in that the order contained no express prohibited acts or practices: “it commands LabMD to overhaul and replace its data security program to meet an indeterminable standard of reasonableness.”

Implications for FTC Cybersecurity Enforcement

The FTC’s consent order in this case included comprehensive but general information security program requirements, which is consistent with its approach in many previous cybersecurity consent orders. The intent of the FTC appears to have been to craft an evolving concept of “reasonable security” and to require companies to monitor and develop their security programs over time. The Eleventh Circuit, however, rejected this approach as lacking in specificity. The implications for the enforceability of existing FTC consent orders are significant. If courts follow the LabMD holding, a domino effect voiding a long line of consent orders may well follow. Moreover, going forward, the FTC must consider including very specific security requirements and prohibitions in its consent orders.

At a recent conference, an FTC attorney advisor, speaking in her “personal capacity” and not on behalf of the agency, indicated in an off-the-cuff remark that they were “considering [their] options” in light of the opinion. Hot Topics in Advertising Law 2018, “FTC Year in Review” Practising Law Institute webinar (Christine DeLorme, 6/26/18).

The Eleventh Circuit emphasized that:

  1. the posting of the 1718 File was in direct violation of a specific LabMD policy against downloading P2P software on company systems; and
  2. the FTC did not demonstrate that any alleged general laxity in security programming resulted in this specific company policy violation.

Does this mean that if the FTC concludes that a company’s failure to implement adequate cybersecurity programs caused a specific unfair act or practice, the FTC must:

  1. limit the remedy in the consent order to the specific act or practice; and/or
  2. expressly demonstrate that the specific violation was caused by a broader, but still definite, series of security lapses?

The FTC cybersecurity consent orders generally require a long-term information security program (20 years is typical) that encompasses all of the company’s activities related to consumer information. Does the LabMD decision mean that the order must focus on the specific violation as of a definite point in time?

Consider a company that does not honor consumer choices regarding information offered through its website. For example, the company may not give the opportunity to consent to or opt out of sharing of personal information with unrelated third parties for marketing purposes, or may offer that choice but not honor it. Must the consent order be limited to requiring that consumer choices regarding such sharing of personal information collected via the website for marketing purposes be offered and honored? In that event, would other types of sharing not violate the order, even if consumer choices are offered but not honored? Alternatively, would the same company be liable if it later offered a mobile application and failed to offer or honor the same consumer choices via the app? Would the FTC have to micromanage the company’s information security program through a series of enforcement actions over time?

Conversely, should the FTC focus its efforts on promulgating regulations to require companies to implement reasonable security programs, as has been done with the other laws and regulatory guidance discussed above?

The potential importance of this opinion cannot be overstated, both with respect to its impact on existing FTC consent orders and the FTC’s ability to continue developing a concept of “reasonable security” while prosecuting unfair privacy and security practices on an action-by-action basis.

Strategizing a Case in Litigation Versus Arbitration

In principle, every case should be decided according to the facts and the law, no matter who is making the decision or in which forum. In practice, the forum making the decision can make a huge difference. In particular, the differences between litigation in court and arbitration before a private panel can be dispositive because of the differences in procedures, the nature of the forum, opportunities to seek fees and costs, and the opportunities for review after the proceeding is over. Those differences may also be critical regarding certain preliminary aspects of the dispute, such as requests for injunctive relief. Each stage of the process presents different kinds of strategic decisions.

The first question a litigator should ask herself when a dispute arises is where the dispute should be heard. Is there an arbitration clause that might be applicable? If there is, does it in fact apply? To a large extent, whether the clause applies will depend on the language of the clause and how it relates to the facts, although the Eleventh Circuit has cautioned that “‘[t]he case law yields no clear answer’ to the question of how broadly to construe an arbitration clause.” Hemispherx Biopharma, Inc. v. Johannesburg Consol. Invs., 553 F.3d 1351, 1366 (11th Cir. 2008) (quoting Telecom Italia, SpA v. Wholesale Telecom Corp., 248 F.3d 1109, 1114 (11th Cir. 2001)). For example, a clause that required arbitration of disputes that “arise out of or relate to” an agreement settling a dispute did not require arbitration of later conduct similar to what caused the settled dispute because that is a new dispute. Zetor N. Am., Inc. v. Rozeboom, 861 F.3d 807, 810 (8th Cir. 2017). A clause calling for arbitration of “[a]ny dispute arising from the [fundraising] Activity” covered by the contract did require arbitration of a minimum wage claim by a fundraiser. Leonard v. Delaware N. Am. Cos. Sports Serv., Inc., 861 F.3d 727, 729 (8th Cir. 2017). “‘[A]rising under’ language is narrower in scope than language, such as ‘relating to,’ under which a claim may be arbitrable if it has a ‘significant relationship’ to the contract, regardless of whether it arises under the contract itself.” Evans v. Building Materials Corp. of Am., 858 F.3d 1377, 1381 (Fed. Cir. 2017). An arbitration clause covering disputes that “arise out of or in any way relate to” the services provided covers antitrust claims by customers. In re Cox Enters., Inc. Set-top Television Box Antitrust Litig., 835 F.3d 1195, 1202 (10th Cir. 2016).

If the clause arguably does not apply, the attorney should ask herself whether it is worth trying to litigate the case in court. The other side may commence motion practice under section 3 of the Federal Arbitration Act to stay the action and have the dispute referred to arbitration. Even if that motion does not succeed, the exercise may take several months. Is the delay worth it? More to the point, what are the chances the case can stay in the court system? There is a strong policy in pretty much every court system in favor of arbitrating disputes. That means a party resisting arbitration needs a very strong argument as to why an arbitration clause does not apply. See, for example, Chassen v. Fidelity Nat’l Fin., Inc., 836 F.3d 291, 304 (3d Cir. 2016) (“[I]f the language of the contract is ambiguous, the presumption of arbitrability applies because we must resolve any doubts concerning the scope of arbitrable issues in favor of arbitration.” (internal quotations and alterations omitted)).

If there is no arbitration clause, should the parties consider whether to enter into a post-dispute arbitration submission agreement? Certain kinds of disputes might be well-suited for such a submission. For example, if the parties prefer not to have their dispute become a matter of public record, they might prefer to construct an appropriate arbitration procedure and panel for their dispute in order to avoid public scrutiny and press coverage. Alternatively, the nature of the dispute may require that it be heard in a court that is utterly unfamiliar with the type of case at issue; if the parties want a decision maker who has at least some clue about how to think about their dispute, they can agree to have their dispute arbitrated by a credentialed person.

There are limited opportunities to choose your judge if your case is in court. Most courts assign cases out of a wheel or similar random assignment system. It is easier to avoid a disfavored judge (by discontinuing under Rule 41(a)(1) and refiling) than to steer a case to a favored one. Arbitration affords greater opportunities for choosing the decision maker. The American Arbitration Association typically provides lists of proposed arbitrators and invites the parties to strike disfavored names. The arbitration agreement might provide procedures for selecting the arbitrator, set forth minimum qualifications, or name a specific person. In all events, the litigant should think hard about the characteristics of the person she wants deciding the case and plan the strikes and nominations with those goals in mind. One common procedure calls for each side to name one arbitrator and then the two named arbitrators pick the third. For this type of procedure it is necessary to consider how persuasive your named arbitrator can be in order to keep the selection of the third arbitrator within acceptable bounds.

Choosing your decision maker should be part of your decision about what your overall approach to the dispute should be. In court the tools are well known: motions to dismiss to narrow the issues, discovery to learn the facts and lock the other side into their story, and motion for summary judgment to win the case or get as much of it decided in your favor as possible ahead of trial. Which tools you use and how, and which grounds you will raise at which stage of the proceeding, will vary from case to case, of course.

Arbitration presents a different set of challenges because you have fewer tools readily available. In most arbitrations, motions to dismiss are not contemplated. Discovery is more limited—typically there are no interrogatories or depositions. Specific types of arbitration might vary, such as FINRA arbitrations, and parties can always agree to additional procedures, but it is never advisable to rely on the other side’s agreeing to your preferred procedure.

In at least some federal courts, there is no third-party discovery in arbitration: third-party evidence either is before the arbitrators or not at all. See, for example, Life Receivables Tr. v. Syndicate 102 at Lloyd’s of London, 549 F.3d 210 (2d Cir. 2008); Hay Group, Inc. v. E.B.S. Acquisition Corp., 360 F.3d 404 (3d Cir. 2004). The Sixth and Eighth Circuits disagree. See In re Sec. Life Ins. Co. of Am., 228 F.3d 865, 870–71 (8th Cir. 2000); American Fed’n of Television and Radio Artists, AFL–CIO v. WJBK–TV (New World Commc’ns of Detroit, Inc.), 164 F.3d 1004, 1009 (6th Cir. 1999). This doesn’t necessarily mean the third party has to show up and testify; the arbitrator may and often will facilitate third-party discovery by directing that documents be produced before him or her at an interim hearing called for the sole purpose of having the third party produce documents. Often the adversary will see which way the wind is blowing and consent to having the production done without the arbitrator present. But a good litigator must bear in mind the relative ease of access to third-party proof.

The likelihood in arbitration is that you are going to trial. That means arbitration may provide you with tools that may not be available in court. Bear in mind the grounds on which arbitration awards can be vacated. They are set forth in section 10(a) of the Federal Arbitration Act:

  1. where the award was procured by corruption, fraud, or undue means;
  2. where there was evident partiality or corruption in the arbitrators, or either of them;
  3. where the arbitrators were guilty of misconduct in refusing to postpone the hearing, upon sufficient cause shown, or in refusing to hear evidence pertinent and material to the controversy; or of any other misbehavior by which the rights of any party have been prejudiced; or
  4. where the arbitrators exceeded their powers, or so imperfectly executed them that a mutual, final, and definite award upon the subject matter submitted was not made.

Although these grounds are narrow, they are real, and arbitrators don’t like being overturned any more than judges do. So they are likely to run the hearing in a way that will keep them far away from any of these. The ones that give parties the most scope for affecting the proceeding are subsections 3 and 4.

Defendants in particular can—and often do—use the prospect of a post-award vacatur proceeding under subsection 3 as a tool to obtain adjournments and to keep the record open for all kinds of evidence that in court might be viewed as cumulative or of limited probative force or questionable admissibility. Of course, it is possible to overdo it, and a good arbitrator will see through the more egregious misuses of this strategy.

Similarly, the parties may wrangle over the scope of the arbitrator’s power and how it is exercised because subsection 4 permits challenges on those grounds. These arguments will turn on the language of the contract that empowered the arbitrators in the first place (which may or may not be idiosyncratic, unclear, or debatable). In court, though, such issues typically are pitched in terms of jurisdiction, finality, or scope of discretion, and there is usually a wealth of case law to inform the parties’ arguments.

Courts, especially federal courts, have much more rigid guidelines for the procedures to be followed, well-defined evidentiary rules, and, in the main, a case-management ethic that expects judges to keep cases moving along smartly. Although the number of tools is greater (motions, discovery), the opportunities for delay in each part of the proceeding are far fewer. Unlike arbitrators, whose decisions are highly insulated from substantive review, judges can be reversed on appeal. Although appellate courts reverse trial courts in only a small percentage of cases, see, e.g., Just the Facts, (Dec. 20, 2016) (fewer than 9% of federal appeals resulted in reversals in 2015); National Center for State Courts, Caseload Highlights (March 2007) (of appeals prosecuted to decision, 70% were affirmed), the prospect of a reversal on appeal can occasionally be a useful tool for a litigant.

The bottom line: no matter which forum you are in, each stage of the proceeding requires that you keep in mind the rules of the forum so that you can construct your strategy to fit the forum and maximize your client’s chances.


Stuart Riback gratefully acknowledges the assistance and input of Judge Gail Andler (ret.), Peter Valori and Mian Wang.