Board diversity, long a step-child of corporate governance, has assumed growing prominence. According to the EY Center for Board Matters’ 2018 Proxy Season Review of 60 institutional investors managing $32 trillion in assets, 82 percent of respondents indicated that board composition should be a top priority for 2018, with 67 percent noting that they seek diverse director characteristics and backgrounds.

The business case for corporate diversity in general is well documented. Cited most frequently is McKinsey’s study, Diversity Matters, which found a statistically significant correlation between diversity and financial performance. Specifically, companies in the top quartile for gender and racial/ethnic diversity were 15 percent and 35 percent, respectively, more likely to have financial returns above their national industry median. Although McKinsey’s study applied to corporate as opposed to board leadership, the findings are nevertheless incontrovertible. Diversity enhances the decision-making process and the financial bottom line.

With respect to board diversity, MSCI Inc’s 2016 Women on Board’s Report found that U.S. companies that began the five-year period from 2011–2016 with at least three women on its board (deemed the “tipping point” needed for female directors to exert influence on a board) experienced a 10-percent increase in ROE and a 37-percent gain in EPS. In contrast, those without female directors experienced a -1 and -8 percent decline respectively.

Over the past year, momentum in this space has gained traction as a result of three driving forces: (1) asset managers pushing for change, (2) institutional investors calling for accountability and transparency, particularly by pension funds, and (3) regulation mandates.

Asset Managers Take a Stand

Given diversity’s potential impact on financial performance, the issue of board diversity is now viewed through the lens of investment stewardship by asset managers. The asset management industry has recently become a catalyst for change when it comes to board composition, with Blackrock, Vanguard, and State Street leading the way for greater board gender diversity.

BlackRock, the world’s largest asset manager with $6.3 trillion of assets under management, has received the most prominent coverage, generated in large part by its Annual Letter to CEOs. With respect to boards, BlackRock’s CEO Larry Fink announced that Blackrock will continue to emphasize diverse boards, stating that they are “less likely to succumb to groupthink or miss threats to a company’s business model.” Consistent with the letter, BlackRock’s Proxy Guidelines for 2018 stipulate that it “expects to see at least two women directors on every board.”

Unlike BlackRock, Vanguard, with more than $5 billion in assets under management, did not assign a metric, but nevertheless advocated for gender board diversity, noting in its Open Letter to Directors of Public Companies Worldwide that its position on board diversity is “an economic imperative, not an ideological choice.”

Finally, as a result of State Street’s stewardship on board gender diversity, 152 companies added a woman director to their board, and 34 companies agreed to do so in the future. As encouraging as that may be, it regrettably leaves over 600 more companies remaining on State Street’s original list of publicly traded companies with all-male boards. Equally compelling, State Street voted against 511 companies that failed to address the gender diversity issue.

Pension Funds Call for Accountability and Transparency

The second emerging trend is the increasing role of pension funds in driving board diversity. For example, California’s Public Employees Retirement System (CALPERS) now requests that companies disclose their diversity policy. Similarly, the Massachusetts Pension Reserves Investment Management Board’s 2018 proxy guidelines recommend voting against or withholding votes for all board nominees if less than 30 percent of the board is diverse.

New York’s pension funds on the state as well as municipal level have been particularly aggressive in placing public companies on notice that they are not only holding them to a high level of scrutiny, but also holding them accountable for board diversification. In March, the New York State Common Retirement Fund, with $192 billion in assets held in trust and the third largest pension in the country, announced that it would vote against electing all of the directors standing for re-election at the more than 400 companies without women board members in which it holds shares. Moreover, for the more than 700 companies in which the fund holds shares where there is only one female director, the Fund announced that it would vote against the members of the governance committee standing for re-election. In making the announcement, New York State Comptroller Thomas DiNapoli said, “We’re putting all-male boardrooms on notice—diversify your boards to improve your performance.”

Similarly, last year the New York City Comptroller and New York City’s pension funds launched the Boardroom Accountability Project, Version 2.0. In launching the program, New York City Comptroller Scott M. Stringer said, “. . . we’re doubling down and demanding companies embrace accountability and transparency.” Designed to enhance public disclosure reporting, the Comptroller asked 151 companies to disclose the race, gender, and skills of their board members as well as their board refreshment process.

Mandate by Regulation

Further escalating the dialogue on board diversity is state legislation. Although there are a number of states that encourage or urge companies to enhance board diversity, including the Commonwealth of Pennsylvania through Senate Resolution 255 which seeks a gender minimum of 30 percent by 2020, California is the first state to contemplate mandating board diversity. In January 2018, Senate Bill 826 was introduced in California. If the bill is passed as currently drafted, by the end of 2019, all companies with principal executive offices in California must have a minimum of one female director on its board of directors. As a tiered system, by the end of 2021 the minimum would increase to two female directors if the company has a total of five authorized directors, or to three female directors if the company has six or more authorized directors. Under the bill, each director seat not held by a female during a portion of the year counts as a violation. The penalties, as currently structured, are pegged to the board’s compensation schedule with the fine for the first violation equivalent to the average cash compensation for the directors of the company and the second and subsequent violations equivalent to three times the average annual cash compensation for directors.

Notwithstanding these trends, however, the regulatory environment has the capacity to dictate the velocity of momentum in this area, as we have seen with the recent passage of legislation by the House Financial Services Committee. Under H.R. 5756, the voting thresholds for the resubmission of shareholder proposals were raised significantly. In order for a shareholder proposal to be resubmitted, at least six percent of shareholders must have voted in favor of the proposal the previous year, compared to three percent as currently required by the SEC. Similarly, the threshold is raised to 15 percent for the next resubmission and finally 30 percent for a subsequent resubmission, compared to six and 10 percent, respectively, under the current regulatory regime. By raising the thresholds for shareholder support, the potential impact of this legislation on investor activism and board diversity cannot be underestimated.

Supplementing these trends is the emergence of collective advocacy through organizations such as 2020 Women on Boards, 30% Club, Paradigm for Parity, Women in the Boardroom, and others, all of which aim to combat the gender imbalance in corporate and board leadership. They offer resources and guidelines for increasing the number of women on corporate boards over the next few years, which dovetail well with the above-described initiatives.

The dialogue on board diversity continues to be raised nationally and internationally and shows no signs of abatement. According to the Wall Street Journal, ISS Analytics recently released analysis indicate that in the first five months of 2018, women accounted for 248, or 31 percent, of new board directors at the 3,000 largest publicly traded companies—the highest percentage in 10 years. On the horizon, Glass Lewis, a leading proxy service provider, indicated in its 2018 Proxy Policy Guidelines that beginning in 2019 it will generally recommend voting against the nominating chair of boards without female directors as well as potentially other nominating committee members. Although previously shunned, board diversity can no longer be ignored. The failure to diversify boards is more than an issue of optics. Rather, it is a reflection of an organization’s corporate culture and to the extent that it has the potential to negatively impact shareholder value, it is a governance issue and, as Vanguard so aptly observed, an economic imperative.

Since President Trump took office in January 2017, a number of mergers and acquisitions have been challenged, blocked, or abandoned on antitrust grounds in a diverse array of industries, including health insurance, television and media, petroleum storage, and daily fantasy sports, among others. Some of these were large multi-billion dollar transactions, while others were much smaller, under $100 million in size. These antitrust challenges have taken place against the backdrop of an increase in global M&A activity.

This article discusses notable recent developments in antitrust M&A review and practical takeaways for companies looking to do deals.

New Leadership at the Federal Antitrust Agencies

After a lengthy hiatus, there is new leadership in place at both federal antitrust agencies, the Antitrust Division of the U.S. Department of Justice (Antitrust Division or DOJ) and the Federal Trade Commission (FTC).

The Antitrust Division is headed by one Assistant Attorney General (AAG), nominated by the President and confirmed by the U.S. Senate. He or she is the ultimate decision-maker on all antitrust matters, including mergers, that come before the Antitrust Division. The FTC is headed by five Commissioners, also nominated by the President and confirmed by the Senate, who serve staggered 7-year terms, with one Commissioner acting as Chair.  No more than three Commissioners can be of the same political party. Enforcement actions of the FTC require a majority vote. 

While history suggests that a Republican-led Antitrust Division and FTC tend to be somewhat more restrained in antitrust merger enforcement than Democratic-led antitrust agencies, any such expectations (or hopes) that the business community may have had for the Trump Administration have not come to pass. Both the Antitrust Division and the FTC continue to be very active in investigating and challenging M&A transactions on competition grounds. This is not entirely surprising: an aggressive approach to antitrust merger enforcement, which has a primary goal of protecting consumers, is consistent with President Trump’s populist message. Also, the staff attorneys and economists at the agencies who handle the day-to-day investigative work are not political appointees and typically do not move with administrations, providing some degree of continuity.

The main takeaway is that companies doing deals should not expect a free pass from the antitrust agencies under the current administration. Transactions that raise competitive issues will still be carefully reviewed.  Companies and their advisors should continue to build this into their timelines and assessments of completion risk. 

In fact, antitrust authorities may be getting even tougher in some areas of merger enforcement, as discussed below.

Greater Antitrust Risk for Vertical Mergers?

A vertical merger is a combination of businesses operating within the same industry but at different levels of the supply chain, such as a manufacturer of widgets acquiring a distributor of widgets. Unlike a horizontal merger, which directly reduces competition by eliminating a competitor in a particular market, a vertical merger does not combine competitors and can generate valuable cost savings, so its likely impact on competition is more ambiguous and harder to predict. Nevertheless, vertical mergers have attracted greater antitrust scrutiny in recent years, including during the Obama Administration, e.g., Comcast/NBC Universal, Ticketmaster/Live Nation, Google/ITA Software, and General Electric/Avio.

A major change in antitrust policy under the Trump Administration has been a shift in the attitude of the antitrust agencies, especially the Antitrust Division, towards remedies for vertical transactions that raise competitive concerns. Previously, the long-standing policy of the Antitrust Division and the FTC was to resolve concerns in vertical deals with “behavioral” (aka conduct) remedies, which prescribe certain aspects of the merged firm’s post-consummation business conduct. Common behavioral remedies used in numerous vertical transactions included information firewalls, non-discrimination commitments, mandatory licensing, and anti-retaliation provisions. Such remedies were usually not viewed by transaction parties as particularly onerous, hence vertical mergers rarely failed due to antitrust concerns.

However, beginning with a speech on November 16, 2017, and on several occasions thereafter, Makan Delrahim, President Trump’s nominee to head the Antitrust Division who was confirmed last September, has expressed significant skepticism of behavioral remedies for vertical deals, since they often require government oversight for an extended period of time and are difficult to police. Instead, AAG Delrahim has stated a strong preference for structural relief, such as asset divestitures, which historically has been used mostly in horizontal mergers of competitors, and which is much “cleaner” and easier to enforce. 

This shift in approach stems, at least in part, from AAG Delrahim’s view that “antitrust is law enforcement, it’s not regulation,” a statement that has been echoed in recent months by other senior Antitrust Division officials and is consistent with the Trump Administration’s broader goal of reducing regulation. As Delrahim noted in his November 16 remarks: “[A]t times antitrust enforcers have experimented with allowing illegal mergers to proceed subject to certain behavioral commitments. That approach is fundamentally regulatory, imposing ongoing government oversight on what should preferably be a free market.” 

Structural remedies, by contrast, typically do not involve long-term government entanglement in the market at issue. Since Delrahim articulated the Antitrust Division’s current position regarding remedies for vertical mergers, certain FTC officials have made similar remarks, although it is still unclear if all or even a majority of the new Commissioners share Delrahim’s views on this issue.

This policy shift means that companies must now consider the risk of being forced to divest assets as a condition to obtaining antitrust approval for vertical mergers that raise competitive concerns.  Interestingly, the agencies’ resolve on this issue may be tested following DOJ’s recent unsuccessful challenge to AT&T Inc.’s acquisition of Time Warner Inc.

The AT&T/Time Warner Decision

On November 20, 2017, just four days after AAG Delrahim’s first public remarks about remedies in vertical mergers, DOJ sued to block AT&T’s $85 billion acquisition of Time Warner, easily the most high-profile merger challenge since Trump took office. Importantly, this was not a merger of competitors, rather it was a vertical merger of a content creator, Time Warner, which owns a collection of television and film content, and a content distributor, AT&T, which owns satellite pay-TV provider DirecTV. The lawsuit came as a surprise to many and fueled speculation that it was politically motivated, given President Trump’s prior public criticisms of the transaction and his well-known animosity towards CNN, which is owned by Time Warner.

DOJ’s main concern was that the combination would enable AT&T to use its ownership of Time Warner’s “must-have” popular content to increase its bargaining leverage and extract higher fees from traditional video programming distributors such as cable and satellite TV companies, which would be passed on to consumers through higher prices. DOJ also alleged that the proposed combination would slow innovation by giving the merged firm the incentive and ability to impede the growth of online video distribution services, and would allow the parties to restrict competitors’ use of Time Warner’s HBO network as a promotional tool. Reflecting its recent shift in policy towards remedies in vertical mergers, DOJ insisted on a structural remedy that would have required AT&T to divest its entire DirecTV business or Time Warner’s Turner Broadcasting business. AT&T refused, culminating in litigation. 

On June 12, 2018, after a six-week trial, U.S. District Court Judge Richard Leon ruled in favor of the companies. In his 172-page opinion, Judge Leon provided a very fact-specific analysis of how the government failed to meet its burden to show that the combination was likely to substantially lessen competition in violation of Section 7 of the Clayton Act. In so doing, he ruled that DOJ’s evidence fell far short of adequately supporting any of its theories of competitive harm. Judge Leon found that the government’s case depended on a flawed economic model that raised too many questions about the potential price increase to consumers, noting that it lacked “both reliability and factual credibility,” and accepting instead the defendants’ economist’s attacks on the model’s input data and assumptions. Neither was the court persuaded by internal company documents and regulatory filings submitted by DOJ as evidence, nor the testimony of competitor witnesses. Though he accepted DOJ’s contention that Time Warner’s content is valuable and does provide some bargaining leverage, Judge Leon explained that this is already true today, and the government had failed to show how the merger would materially alter the current landscape.

By contrast, the opinion referenced multiple times the changing nature of the industry and the rise in competing internet-based video distribution services, including “virtual” programming distributors such as DISH’s Sling TV, Sony’s Playstation Vue, Google’s YouTube TV, and AT&T’s DirecTV Now, as well as subscription video on demand services such as Netflix, Hulu, and Amazon Prime. Judge Leon also noted a shift from reliance on television advertising to targeted digital advertising and seemed to accept defendants’ position that the combined company would be able to better compete against large technology companies with powerful digital advertising platforms such as Facebook and Google.

Two days after Judge Leon’s decision, AT&T and Time Warner closed their deal, with DOJ announcing that it would not to seek a stay of Judge Leon’s ruling. DOJ agreed to this only after receipt of a letter from AT&T outlining separations that the parties would put in place between Time Warner’s Turner Broadcasting unit and AT&T’s communications business until the earlier of February 2019 or the conclusion of any appeal. On July 12, DOJ announced that it would appeal the district court’s decision.

While the outcome at trial was a blow to the government, Judge Leon’s decision turned on specific facts and evidence and certainly should not be seen as removing all antitrust barriers to vertical mergers. However, it does highlight the difficulties with successfully challenging a vertical merger on competition grounds and will likely give transacting parties more confidence to pursue large vertical tie-ups. It is no coincidence that the day after the AT&T/Time Warner decision, Comcast Corp. made a $65 billion cash offer for 21st Century Fox’s entertainment assets.

Despite the widespread media attention lavished on the AT&T/Time Warner case, companies should also keep in mind that competitors wishing to merge in horizontal combinations will find little or no solace in Judge Leon’s decision. Both federal antitrust agencies have an excellent track record in recent years of successfully challenging problematic horizontal mergers.

More Post-Closing Merger Challenges

Since President Trump’s inauguration, there has been a flurry of antitrust challenges to consummated M&A deals, even more than the annual average under the Obama Administration. These challenges serve as a stark reminder that, first, antitrust enforcers have legal jurisdiction over all M&A transactions that affect U.S. commerce, irrespective of the size of the parties, the transaction, or the markets involved; and second, deals can be challenged anytime, even after closing.

Most of the recent post-closing challenges involved deals that were not reportable under the Hart-Scott-Rodino (HSR) Act, because they fell below the statutory size thresholds that trigger a mandatory HSR notification to the FTC and DOJ. For example, in December 2017 DOJ filed a complaint against TransDigm Group Inc.’s $90 million acquisition of two commercial airplane restraint system businesses from Takata Corporation, a non HSR-reportable deal that had closed in February 2017. DOJ found that the transaction had eliminated TransDigm’s closest (and in some cases, only) competitor in the markets for various types of restraint systems, which was likely to lead to higher prices and less innovation.  To avoid the expense and burden of continued investigation and litigation, TransDigm entered into a settlement with DOJ in which it agreed to divest the airplane restraint system assets it had acquired from Takata, effectively unwinding the acquisition. 

Also in December 2017, the FTC filed an administrative complaint seeking to unwind a merger consummated three months earlier between two manufacturers and suppliers of microprocessor prosthetic knees, Otto Bock HealthCare North America, Inc. and FIH Group Holdings, LLC (aka Freedom Innovations). According to the FTC’s complaint, the transaction eliminated direct and substantial competition between Otto Bock and its most significant and disruptive competitor, Freedom Innovations, further entrenching Otto Bock’s position as the dominant supplier of microprocessor prosthetic knees. After closing the acquisition in September 2017, Otto Bock had already begun to integrate the Freedom Innovations business, but in light of the FTC action and the possibility of a forced divestiture, it agreed to take steps to hold separate and preserve the acquired business until the case is resolved.

We have also seen a rare post-closing challenge to a deal that was HSR-reportable, involving Parker-Hannifin Corporation’s $4.3 billion acquisition of CLARCOR Inc., a manufacturer of filtration products. In an unusual twist, DOJ challenged this transaction in September 2017, nine months after it had allowed the HSR waiting period to expire.  Reportedly, after the transaction received HSR clearance, a third party notified DOJ of a small competitive overlap in aviation fuel filtration systems.  DOJ investigated and found that Parker-Hannifin and CLARCOR were the only two domestic manufacturers of such products.  DOJ filed a lawsuit to force Parker-Hannifin to divest the aviation fuel filtration assets it acquired from CLARCOR, which the company ultimately agreed to do. Notably, the divested business had annual revenues of around $60 million, which accounted for less than half of one percent of the merged companies’ combined annual revenues of over $13 billion, and yet DOJ still expended the time and resources to investigate and bring a challenge.

As these recent cases demonstrate, companies that assume a small deal is safe from antitrust scrutiny do so at their peril, especially if the merging businesses are close competitors in a market with few players. Non HSR-reportable acquisitions involve unique risks and strategic considerations, particularly for the buyer. In addition, the agencies will examine even relatively minor overlaps between large companies.

Uptick in State Antitrust M&A Enforcement

In addition to the federal antitrust agencies, state attorneys general can and do investigate M&A transactions on antitrust grounds, and they can go to court to challenge deals that could harm consumers in a particular state. There is a long history of cooperation between federal and state antitrust enforcers in merger investigations. Several recent merger challenges brought by the Antitrust Division or the FTC were joined by one or more state AGs, including large national mergers such as Anthem/Cigna (eleven states and the District of Columbia) and Aetna/Humana (eight states and the District of Columbia), as well as smaller local transactions such as Sanford Health/Mid-Dakota Clinic (North Dakota).

Before Trump took office, there was speculation that if the Antitrust Division and the FTC became lax and took their foot off the merger enforcement pedal, the states would engage to fill the void. Despite the fact that the federal agencies have remained active, there has nevertheless been a recent increase in state AG merger enforcement, with a number of states, especially those with Democratic attorneys general, seemingly more willing to take the lead on matters or even “go it alone.”

In July 2017, California Attorney General Xavier Becerra sued to block Valero Energy’s proposed acquisition from Plains All American Pipeline of two petroleum storage and distribution terminals in the San Francisco Bay area. Notably, the challenge came after the FTC had already reviewed and cleared the transaction. The companies subsequently abandoned the deal.  In August, Washington State Attorney General Bob Ferguson filed a suit seeking to unwind Franciscan Health System’s consummated 2016 acquisition of WestSound Orthopaedics. That case is currently in litigation. Other Democratic state AGs, such as New York, have publicly stated a willingness to pursue antitrust cases, including merger cases, independently of the federal agencies.

State antitrust involvement is most likely in transactions that impact local geographic markets (e.g., hospitals, funeral homes, waste services, gas stations, grocery stores, other brick & mortar retail), national mergers with the potential to affect a large number of the state’s consumers (e.g., health insurance), and those where the state or its subdivisions are significant purchasers of the merging parties’ products or services.

As the recent cases in California and Washington demonstrate, companies increasingly must consider state reactions to proposed M&A deals and also need to recognize that state concerns do not always replicate federal views. State AGs tend to heavily scrutinize a transaction’s likely impact on local market conditions in their state and will sometimes challenge deals that are cleared by the FTC or DOJ, as in Valero/Plains. States may also influence the scope of remedies required for transaction approval: for example, an investigation by the New York AG’s office (in conjunction with the FTC and several other states) caused retail pharmacy chain Walgreens to restructure its 2017 purchase of almost two thousand Rite Aid stores to acquire 184 fewer Rite Aid stores in New York State than had been identified in its original acquisition proposal. Another important difference between federal and state M&A enforcement stems from the fact that the vast majority of state AGs are publicly elected rather than appointed, resulting in some states including non-antitrust-based concerns, such as job preservation, within the scope of merger investigations.

Conclusion

These recent developments highlight the importance of transacting parties performing antitrust due diligence early and irrespective of deal size. Often, parties will be able to rule out any serious antitrust issues with minimal time and expense. An upfront antitrust risk assessment can ensure companies go into a deal with their eyes wide open and can help avoid unpleasant surprises.

Facts of the LabMD Case

LabMD, Inc. was a cancer diagnostic testing facility that used medical specimen samples and patient information to provide diagnostic information to health care providers. The company was subject to the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and had a HIPAA compliance program in place that prohibited the downloading of peer-to-peer (P2P) file-sharing applications on company computers. LabMD v. FTC, Case No. 16-16270 (11^th Cir. June 6, 2018), at 2. Now defunct as an operating company, LabMD nonetheless exists as a company and continues to protect its information.

In violation of this prohibition, a company billing manager installed LimeWire on a company computer. This P2P software permits users to make computer documents accessible to the larger LimeWire community. The manager made a file containing the personal information of 9,300 consumers (the 1718 File) available to approximately two to five million LimeWire users. The 1718 File included names, dates of birth, Social Security numbers, laboratory diagnostic and testing codes, and for some patients health insurance information.

A data security firm, Triversa Holding Corporation (Triversa), downloaded the 1718 File and contacted LabMD to offer remediation services, which were refused. The LimeWire was deinstalled from the billing manager’s computer. Triversa sent the 1718 File to the FTC.

In its resulting complaint, the FTC alleged a variety of general security failures around LabMD’s policies and procedures that the FTC decided ultimately led to the posting of the 1718 File.

The Eleventh Circuit noted that there was no evidence that any of the 1718 File information was accessed by anyone other than Triversa or that it was otherwise improperly used.

FTC Consent Orders and Reasonable Information Security Programs

The FTC has filed enforcement actions against a variety of companies for security program failures, alleging that such failures constitute an “unfair act or practice” under Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a) (the FTC Act or Section 5(a)). The resulting consent orders generally require the defendant companies to implement and maintain information security policies and procedures designed to protect consumer information.

In this manner, the FTC has for years been building a “common law” body of orders intended to require companies to maintain reasonable information security programs. The FTC published in 2015 a guide for companies based on these consent orders, Start with Security, which it updated in 2017 with its “Stick with Security” blog series. These guides are crafted as “lessons-learned” guidance and focus on the following:

1. Security and privacy programs aligned with the following principles: purpose or minimization limitation on the collection of personal information; retention for only as long as necessary; appropriate employee training and education; and consumer choice.
2. Data access controls designed to restrict access to personal information and limit administrative access.
3. Operational access controls, such as passwords and authentication processes.
4. Protection of data in storage and in transit.
5. Network firewalls and monitoring.
6. Remote access controls.
7. Addressing security in the development of new products or services.
8. Vendor management of security risks posed by third-party service providers.
9. Ongoing monitoring and evaluation of security processes.
10. Physical security of storage media.

The enforcement actions tend to arise out of fairly egregious facts and are usually precipitated by a significant data breach. Accordingly, the specific “lessons learned” are often a list of “do-nots.” For example, a do-not of LabMD is “do not allow downloading of P2P (or noncompany) software on company systems.” The FTC has leveraged these specific do-nots into a larger concept of reasonable security. In LabMD, the FTC reasoned that a general laxity of information security policies and procedures led to the installation and failure to detect the presence of the P2P software on the billing manager’s computer.

In its press release regarding its 2017 Annual Privacy and Security Update (the Update), the FTC expressly stated that it “uses a variety of tools to protect consumers’ privacy and personal information including bringing enforcement actions to stop law violations and require companies to take affirmative steps to remediate the unlawful behavior.” The FTC regularly includes comprehensive information security program requirements in its consent orders, attributing identified security lapses or breaches as resulting from weak security generally.

The FTC consent order security programming requirements tend to be: (1) technology-neutral; (2) intended to be evaluated and updated on a regular basis; and (3) focused on the individual company’s risk-management efforts, taking into account the amount of practical risk, costs involved, industry standards, and sensitivity of information, among other factors.

Other Regulatory Approaches to “Reasonable Security”

The FTC’s concept of “reasonable security” is consistent with approaches taken by other laws and regulatory guidance regarding information security programs. The consensus seems to be that as technology and innovation is evolving faster than the law, the applicable laws should focus on security management standards and goals, rather than express prescriptive rules.

For example, the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity https://www.nist.gov/cyberframework/framework (RMF) offers a general set of standards, guidelines, and best practices to manage cybersecurity risk in critical infrastructure. The NIST RMF is neither prescriptive nor specific. Rather, it allows companies to evaluate their security programs in light of “their organizational requirements and objectives, risk appetite, and resources against” certain “core” cybersecurity principles.

Similarly, the Federal Financial Institutions Examination Council (FFIEC) Cyberscurity Assessment Tool (CAT) provides a “repeatable and measurable process for financial institutions to measure their cybersecurity preparedness over time.” Like the NIST RMF, the FFIEC CAT offers core principles and goals but relies on the company’s own risk-management assessment and strategies. The FFIEC CAT maturity domains include general statements like, “[d]edicated cybersecurity staff develops, or contributes to developing, integrated enterprise-level security and cyber defense strategies” or “[t]he institution benchmarks its cybersecurity staffing against peers to identify whether its recruitment, retention, and succession planning are commensurate.”

State statutory and regulatory requirements around security programs are also general. For example, the New York State Department of Financial Services Cybersecurity Requirements for Financial Services Companies (the NY Cyber Reg) requires such companies to develop cybersecurity programs based on a risk inventory and assessment process, with the goal of developing a policy that addresses all of the following:

1. information security
2. data governance and classification
3. asset inventory and device management
4. access controls and identity management
5. business continuity and disaster recovery planning and resources
6. systems operations and availability concerns
7. systems and network security
8. systems and network monitoring
9. systems and application development and quality assurance
10. physical security and environmental controls
11. customer data privacy
12. vendor and third-party service provider management
13. risk assessment
14. incident response

Like the NIST RMF and the FFIEC CAT, which address the use of multifactor authentication and penetration testing, as appropriate, the NY Cyber Reg does not require the use of specific technology.

The more comprehensive Massachusetts cybersecurity regulation, Standards for the Protection of Personal Information of Residents of the Commonwealth (the MA Cyber Reg), requires companies to maintain cybersecurity programs that, at a minimum and to the extent technically feasible, should have the following elements:

1. Secure user authentication protocols including:
   (a) control of user IDs and other identifiers;
   (b) a reasonably secure method of assigning and selecting passwords, or use of unique identifier technologies, such as biometrics or token devices;
   (c) control of data security passwords to ensure that such passwords are kept in a location and/or format that does not compromise the security of the data they protect;
   (d) restricting access to active users and active user accounts only; and
   (e) blocking access to user identification after multiple unsuccessful attempts to gain access or the limitation placed on access for the particular system;
2. Secure access control measures that:
   (a) restrict access to records and files containing personal information to those who need such information to perform their job duties; and
   (b) assign unique identifications plus passwords, which are not vendor-supplied default passwords, to each person with computer access, that are reasonably designed to maintain the integrity of the security of the access controls;
3. Encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information to be transmitted wirelessly;
4. Reasonable monitoring of systems for unauthorized use of or access to personal information;
5. Encryption of all personal information stored on laptops or other portable devices;
6. For files containing personal information on a system that is connected to the Internet, there must be reasonably up-to-date firewall protection and operating system security patches, reasonably designed to maintain the integrity of the personal information.
7. Reasonably up-to-date versions of system security agent software that must include malware protection and reasonably up-to-date patches and virus definitions, or a version of such software that can still be supported with up-to-date patches and virus definitions, and is set to receive the most current security updates on a regular basis.
8. Education and training of employees on the proper use of the computer security system and the importance of personal information security.

The MA Cyber Reg is technology-neutral, industry standards- and risk-based, and tied to a “reasonableness” concept.

Other state laws are even more broad. The recently enacted Alabama State Data Breach Notification Act (the AL Act) requires companies to maintain “reasonable security measures” to protect personal information. “Reasonable” means “practicable” in relation to a cost-benefit analysis, the type and volume of information involved, and the size of the entity, and with emphasis to be placed on “data security failures that are multiple or systemic” and taking into account consideration of all of the following measures:

1. designation of one or more managers of the security program;
2. risk inventory—both internal and external;
3. vendor management with contractual security obligations;
4. continuous monitoring and evaluation of threats and measures; and
5. board or management oversight.

LabMD Consent Order

The FTC’s consent order in this case, FTC Consent Order In the Matter of LabMD, Inc., Docket No. 9357, at 2–3, imposed security requirements that were commensurate with those imposed by previous consent orders, which required LabMD to:

establish and implement, and thereafter maintain, a comprehensive information security program that is reasonably designed to protect the security, confidentiality, and integrity of personal information collected from or about consumers by respondent or by any corporation, subsidiary, division, website, or other device or affiliate owned or controlled by respondent. Such program, the content and implementation of which must be fully documented in writing, shall contain administrative, technical, and physical safeguards appropriate to respondent’s size and complexity, the nature and scope of respondent’s activities, and the sensitivity of the personal information collected from or about consumers, including:

1. the designation of an employee or employees to coordinate and be accountable for the information security program;
2. the identification of material internal and external risks to the security, confidentiality, and integrity of personal information that could result in the unauthorized disclosure, misuse, loss, alteration, destruction, or other compromise of such information, and assessment of the sufficiency of any safeguards in place to control these risks. At a minimum, this risk assessment should include consideration of risks in each area of relevant operation, including, but not limited to: (1) employee training and management; (2) information systems, including network and software design, information processing, storage, transmission, and disposal; and (3) prevention, detection, and response to attacks, intrusions, or other systems failures;
3. the design and implementation of reasonable safeguards to control the risks identified through risk assessment, and regular testing or monitoring of the effectiveness of the safeguards’ key controls, systems, and procedures;
4. the development and use of reasonable steps to select and retain service providers capable of appropriately safeguarding personal information they receive from respondent, and requiring service providers by contract to implement and maintain appropriate safeguards; and
5. the evaluation and adjustment of respondent’s information security program in light of the results of the testing and monitoring required by [the order], any material changes to respondent’s operations or business arrangements, or any other circumstances that respondent knows or has reason to know may have a material impact on the effectiveness of its information security program.

Eleventh Circuit Holding and Reasoning in LabMD

The Eleventh Circuit held that the LabMD consent order was void for lack of specificity:

In the case at hand, the cease and desist order contains no prohibitions. It does not instruct LabMD to stop committing a specific act or practice. Rather, it commands LabMD to overhaul and replace its data security program to meet an indeterminable standard of reasonableness. This command is unenforceable.

The Eleventh Circuit acknowledged that due to limitations on legislating “an extensive list of unfair acts or practices,” Congress authorized the FTC “to establish unfair acts or practices through case-by-case litigation.” Notably, the court did not squarely address the issue of whether the FTC has data security enforcement authority under section 5(a).

The court focused on the FTC’s own two-prong test to determine whether an act or practice is “unfair” under section 5(a):

1. whether there is a “consumer injury,” which is substantial, not outweighed by a countervailing benefit to the consumer, and not reasonably avoidable by the consumer; and
2. whether the act “offended public policy as established by statute, the common law, or otherwise.”

The court found that “the [FTC’s] complaint alleges no specific unfair acts or practices” by LabMD other than the installation of P2P software on a single LabMD computer. The FTC complaint did not state that the installation of the P2P software violated a specific company policy. The court assumes that LabMD had a policy against the download. The court’s focus appears to be on this single violation, which, according to the court’s reasoning below, would justify an express prohibition in the consent order against policies or procedures permitting such an installation. The court did not discuss the FTC’s more holistic approach in the context of whether the company could have exercised better practices generally in implementing controls to actually prevent the employee from downloading external programs on a company computer, and whether such failure would warrant the imposition of more comprehensive security requirements, as was done in the order.

The opinion, however, assumed arguendo “that LabMD’s negligent failure to design and maintain a reasonable data security program invaded consumers’ right of privacy and thus constituted an unfair act or practice” under section 5(a).

The Eleventh Circuit recognized that although “[n]othing in the FTC Act addresses what content must go into a cease and desist order,” the FTC’s own procedural rule requires that “a complaint must contain a “clear and concise factual statement sufficient to inform each respondent with reasonable definiteness of the type of acts or practices alleged to be in violation of the law.” The court concluded that (1) the complaint must state violations with “reasonable definiteness,” and (2) the remedy (in this case, the requirements of the consent order) “must comport with this requirement of reasonable definiteness.” Accordingly, the opinion states that “the order’s prohibitions must be stated with clarity and precision.”

The opinion further explains how enforcement of FTC consent orders occur procedurally, either with enforcement by the administrative law judge (ALJ) or the district court. These authorities are charged with enforcement of injunctions of specific prohibited conduct enumerated in the consent order. The court concludes that the effect of indefinite requirements would lead to micromanagement in the form of constant interpretation and modification of the order by the ALJ or court.

The opinion holds that the order is void for lack of enforceability in that the order contained no express prohibited acts or practices: “it commands LabMD to overhaul and replace its data security program to meet an indeterminable standard of reasonableness.”

Implications for FTC Cybersecurity Enforcement

The FTC’s consent order in this case included comprehensive but general information security program requirements, which is consistent with its approach in many previous cybersecurity consent orders. The intent of the FTC appears to have been to craft an evolving concept of “reasonable security” and to require companies to monitor and develop their security programs over time. The Eleventh Circuit, however, rejected this approach as lacking in specificity. The implications for the enforceability of existing FTC consent orders is significant. If courts follow the LabMD holding, a domino effect voiding a long line of consent orders may well follow. Moreover, going forward, the FTC must consider including very specific security requirements and prohibitions in its consent orders.

At a recent conference, an FTC attorney advisor, speaking in her “personal capacity” and not on behalf of the agency, indicated in an off-the-cuff remark that they were “considering [their] options” in light of the opinion. Hot Topics in Advertising Law 2018, “FTC Year in Review” Practising Law Institute webinar (Christine DeLorme, 6/26/18).

The Eleventh Circuit emphasized that:

1. the posting of the 1718 File was in direct violation of a specific LabMD policy against downloading P2P software on company systems; and
2. the FTC did not demonstrate that any alleged general laxity in security programming resulted in this specific company policy violation.

Does this mean that if the FTC concludes that a company’s failure to implement adequate cybersecurity programs caused a specific unfair act or practice, the FTC must:

1. limit the remedy in the consent order to the specific act or practice; and/or
2. expressly demonstrate that the specific violation was caused by a broader, but still definite, series of security lapses?

The FTC cybersecurity consent orders generally require a long-term information security program (20 years is typical) that encompasses all of the company’s activities related to consumer information. Does the LabMD decision mean that the order must focus on the specific violation as of a definite point in time?

Consider a company that does not honor consumer choices regarding information offered through its website. For example, the company may not give the opportunity to consent to or opt out of sharing of personal information with unrelated third parties for marketing purposes, or may offer that choice but not honor it. Must the consent order be limited to requiring that consumer choices regarding such sharing of personal information collected via the website for marketing purposes be offered and honored? In that event, would other types of sharing not violate the order, even if consumer choices are offered but not honored? Alternatively, would the same company be liable if it later offered a mobile application and failed to offer or honor the same consumer choices via the app? Would the FTC have to micromanage the company’s information security program through a series of enforcement actions over time?

Conversely, should the FTC focus its efforts on promulgating regulations to require companies to implement reasonable security programs, as has been done with the other laws and regulatory guidance discussed above?

The potential importance of this opinion cannot be overstated, both with respect to its impact on existing FTC consent orders and the FTC’s ability to continue developing a concept of “reasonable security” while prosecuting unfair privacy and security practices on an action-by-action basis.

In principle, every case should be decided according to the facts and the law, no matter who is making the decision or in which forum. In practice, the forum making the decision can make a huge difference. In particular, the differences between litigation in court and arbitration before a private panel can be dispositive because of the differences in procedures, the nature of the forum, opportunities to seek fees and costs, and the opportunities for review after the proceeding is over. Those differences may also be critical regarding certain preliminary aspects of the dispute, such as requests for injunctive relief. Each stage of the process presents different kinds of strategic decisions.

The first question a litigator should ask herself when a dispute arises is where the dispute should be heard. Is there an arbitration clause that might be applicable? If there is, does it in fact apply? To a large extent, whether the clause applies will depend on the language of the clause and how it relates to the facts, although the Eleventh Circuit has cautioned that “‘[t]he case law yields no clear answer’ to the question of how broadly to construe an arbitration clause.” Hemispherx Biopharma, Inc. v. Johannesburg Consol. Invs., 553 F.3d 1351, 1366 (11th Cir. 2008) (quoting Telecom Italia, SpA v. Wholesale Telecom Corp., 248 F.3d 1109, 1114 (11th Cir. 2001)). For example, a clause that required arbitration of disputes that “arise out of or relate to” an agreement settling a dispute did not require arbitration of later conduct similar to what caused the settled dispute because that is a new dispute. Zetor N. Am., Inc. v. Rozeboom, 861 F.3d 807, 810 (8th Cir. 2017). A clause calling for arbitration of “[a]ny dispute arising from the [fundraising] Activity” covered by the contract did require arbitration of a minimum wage claim by a fundraiser. Leonard v. Delaware N. Am. Cos. Sports Serv., Inc., 861 F.3d 727, 729 (8th Cir. 2017). “‘[A]rising under’ language is narrower in scope than language, such as “relating to,” under which a claim may be arbitrable if it has a “significant relationship” to the contract, regardless of whether it arises under the contract itself.” Evans v. Building Materials Corp. of Am., 858 F.3d 1377, 1381 (Fed. Cir. 2017). An arbitration clause covering disputes that “arise out of or in any way relate to” the services provided covers antitrust claims by customers. In re Cox Enters., Inc. Set-top Television Box Antitrust Litig., 835 F.3d 1195, 1202 (10th Cir. 2016).

If the clause arguably does not apply, the attorney should ask herself whether it is worth trying to litigate the case in court. The other side may commence motion practice under section 3 of the Federal Arbitration Act to stay the action and have the dispute referred to arbitration. Even if that motion does not succeed, the exercise may take several months. Is the delay worth it? More to the point, what are the chances the case can stay in the court system? There is a strong policy in pretty much every court system in favor of arbitrating disputes. That means a party resisting arbitration needs a very strong argument as to why an arbitration clause does not apply. See, for example, Chassen v. Fidelity Nat’l Fin., Inc., 836 F.3d 291, 304 (3d Cir. 2016) (“[I]f the language of the contract is ambiguous, the presumption of arbitrability applies because we must resolve any doubts concerning the scope of arbitrable issues in favor of arbitration.” (internal quotations and alterations omitted)).

If there is no arbitration clause, should the parties consider whether to enter into a post-dispute arbitration submission agreement? Certain kinds of disputes might be well-suited for such a submission. For example, if the parties prefer not to have their dispute become a matter of public record, they might prefer to construct an appropriate arbitration procedure and panel for their dispute in order to avoid public scrutiny and press coverage. Alternatively, the nature of the dispute may require that it be heard in a court that is utterly unfamiliar with the type of case at issue; if the parties want a decision maker who has at least some clue about how to think about their dispute, they can agree to have their dispute arbitrated by a credentialed person.

There are limited opportunities to choose your judge if your case is in court. Most courts assign cases out of a wheel or similar random assignment system. It is easier to avoid a disfavored judge (by discontinuing under Rule 41(a)(1) and refiling) than to steer a case to a favored one. Arbitration affords greater opportunities for choosing the decision maker. The American Arbitration Association typically provides lists of proposed arbitrators and invites the parties to strike disfavored names. The arbitration agreement might provide procedures for selecting the arbitrator, set forth minimum qualifications, or name a specific person. In all events, the litigant should think hard about the characteristics of the person she wants deciding the case and plan the strikes and nominations with those goals in mind. One common procedure calls for each side to name one arbitrator and then the two named arbitrators pick the third. For this type procedure it is necessary to consider how persuasive your named arbitrator can be in order to keep the selection of the third arbitrator within acceptable bounds.

Choosing your decision maker should be part of your decision about what your overall approach to the dispute should be. In court the tools are well known: motions to dismiss to narrow the issues, discovery to learn the facts and lock the other side into their story, and motion for summary judgment to win the case or get as much of it decided in your favor as possible ahead of trial. Which tools you use and how, and which grounds you will raise at which stage of the proceeding, will vary from case to case, of course.

Arbitration presents a different set of challenges because you have fewer tools readily available. In most arbitrations, motions to dismiss are not contemplated. Discovery is more limited—typically there are no interrogatories or depositions. Specific types of arbitration might vary, such as FINRA arbitrations, and parties can always agree to additional procedures, but it is never advisable to rely on the other side’s agreeing to your preferred procedure.

In at least some federal courts, there is no third-party discovery in arbitration: third-party evidence either is before the arbitrators or not at all. See, for example, Life Receivables Tr. v. Syndicate 102 at Lloyd’s of London, 549 F.3d 210 (2d Cir. 2008); Hay Group, Inc. f. E.B.S. Acquisition Corp., 360 F.3d 404 (3d Cir. 2004). The Sixth and Eighth Circuits disagree. See In re Sec. Life Ins. Co. of Am., 228 F.3d 865, 870–71 (8th Cir. 2000); American. Fed’n. of Television and Radio Artists, AFL–CIO v. WJBK–TV (New World Commc’ns of Detroit, Inc.), 164 F.3d 1004, 1009 (6th Cir. 1999). This doesn’t necessarily mean the third party has to show up and testify; the arbitrator may and often will facilitate third-party discovery by directing that documents be produced before him or her at an interim hearing called for the sole purpose of having the third party produce documents. Often the adversary will see which way the wind is blowing and consent to having the production done without the arbitrator present. But a good litigator must bear in mind the relative ease of access to third-party proof.

The likelihood in arbitration is that you are going to trial. That means arbitration may provide you with tools that may not be available in court. Bear in mind the grounds on which arbitration awards can be vacated. They are set forth in section 10(a) of the Federal Arbitration Act:

1. where the award was procured by corruption, fraud, or undue means;
2. where there was evident partiality or corruption in the arbitrators, or either of them;
3. where the arbitrators were guilty of misconduct in refusing to postpone the hearing, upon sufficient cause shown, or in refusing to hear evidence pertinent and material to the controversy; or of any other misbehavior by which the rights of any party have been prejudiced; or
4. where the arbitrators exceeded their powers, or so imperfectly executed them that a mutual, final, and definite award upon the subject matter submitted was not made.

Although these grounds are narrow, they are real, and arbitrators don’t like being overturned any more than judges do. So they are likely to run the hearing in a way that will keep them far away from any of these. The ones that give parties the most scope for affecting the proceeding are subsection 3 and 4.

Defendants in particular can—and often do—use the prospect of a post-award vacatur proceeding under subsection 3 as a tool to obtain adjournments and to keep the record open for all kinds of evidence that in court might be viewed as cumulative or of limited probative force or questionable admissibility. Of course, it is possible to overdo it, and a good arbitrator will see through the more egregious misuses of this strategy.

Similarly, the parties may wrangle over the scope of the arbitrator’s power and how it is exercised because subsection 4 permits challenges on those grounds. These arguments will turn on the language of the contract that empowered the arbitrators in the first place (which may or may not be idiosyncratic, unclear, or debatable). In court, though, such issues typically are pitched in terms of jurisdiction, finality, or scope of discretion, and there is usually a wealth of case law to inform the parties’ arguments.

Courts, especially federal courts, have much more rigid guidelines for the procedures to be followed, well-defined evidentiary rules, and, in the main, a case-management ethic that expects judges to keep cases moving along smartly. Although the number of tools is greater (motions, discovery), the opportunities for delay in each part of the proceeding are far fewer. Unlike arbitrators, whose decisions are highly insulated from substantive review, judges can be reversed on appeal. Although appellate courts reverse trial courts in only a small percentage of cases, see, e.g., Just the Facts, (Dec. 20, 2016) (fewer than 9% of federal appeals resulted in reversals in 2015); National Center for State Courts, Caseload Highlights (March 2007) (of appeals prosecuted to decision, 70% were affirmed), the prospect of a reversal on appeal can occasionally be a useful tool for a litigant.

The bottom line: no matter which forum you are in, each stage of the proceeding requires that you keep in mind the rules of the forum so that you can construct your strategy to fit the forum and maximize your client’s chances.

Stuart Riback gratefully acknowledges the assistance and input of Judge Gail Andler (ret.), Peter Valori and Mian Wang.

Two recent decisions from the Delaware Court of Chancery offer new insight into the court’s application of an important exception to the attorney-client privilege in breach of fiduciary duty actions. The Garner exception to the attorney-client privilege, first articulated by the Fifth Circuit Court of Appeals in Garner v. Wolfinbarger, 430 F.2d 1093 (5th Cir. 1970), cert. denied, 401 U.S. 974 (1971), requires fiduciaries defending claims for breaches of fiduciary duty to produce otherwise privileged documents upon a showing of good cause by the party asserting the claims. The Supreme Court of Delaware has emphasized that the exception is “narrow, exacting, and intended to be very difficult to satisfy.” Wal-Mart Stores, Inc. v. Indiana Elec. Workers Pension Trust Fund IBEW, 95 A.3d 1264, 1278 (Del. 2014). Consistent with this view, in Buttonwood Tree Value Partners, L.P. v. R.L. Polk & Co., Inc., 2018 WL 346036 (Del. Ch. Jan. 10, 2018) and Morris v. Spectra Energy Partners (DE) GP, LP, 2018 WL 2095241 (Del. Ch. May 7, 2018), the Court of Chancery found the Garner exception inapplicable while providing new guidance on its limits.

Buttonwood Tree Value Partners, L.P. v. R.L. Polk & Co., Inc.

In this case, former minority stockholders of R.L. Polk & Co., Inc. (Polk) asserted direct breach of fiduciary duty claims against the Polk family, which collectively held approximately 90 percent of Polk common stock, and against directors affiliated with the Polk family. Plaintiffs alleged that these defendants breached their duties of loyalty and care in connection with a self-tender transaction orchestrated by the Polk family. According to plaintiffs, the transaction enriched the Polk family, who afterwards received dividends amounting to one-third of the self-tender price and sold the company for three times the self-tender valuation.

Invoking the Garner exception, plaintiffs moved to compel the production of privileged documents withheld by defendants that related to the sale of the company, the self-tender, and various restructuring options under consideration at the time of the self-tender. The court explained that in evaluating whether a stockholder has established sufficient “good cause” to warrant application of the Garner exception, Delaware courts focus on three of the factors identified by the Fifth Circuit in Garner: “(1) the colorability of the claim; (2) the extent to which the communication is identified versus the extent to which the shareholders are blindly fishing; and (3) the apparent necessity or desirability of shareholders having the information and availability of it from other sources.” In its view, the first and second of these factors act as “gatekeepers” that “strain out frivolous attempts to vitiate the privilege.” The third factor, applicable only when the first two are satisfied, reflects “a balancing test to see whether the interest in discovery, or that of maintaining the privilege, is paramount.” The court noted that Garner “balances the [attorney-client] privilege’s purpose of encouraging open communication between counsel and client against the right of a stockholder to understand what advice was given to fiduciaries who are charged with breaching their duties.” (Quotations and citations omitted.)

The court found that the first factor weighed in favor of disclosure of the privileged documents at issue because the court previously held that the complaint stated claims against the Polk family and its affiliated directors for breaches of fiduciary duty, and therefore the claims were colorable. The court found that the second factor also weighed in favor of disclosure because the documents at issue, although “relatively large” in number (1,200), were tailored to plaintiffs’ allegations, and there was no indication that production of the documents would be overly burdensome.

Having found that plaintiffs “cleared the initial hurdle” imposed by the first two factors, the court turned to the third factor and found that it weighed against disclosure because the plaintiffs had not demonstrated that the information sought was unavailable from other nonprivileged sources. In so finding, the court noted that plaintiffs had yet to depose any witnesses, and there was no reason to believe that depositions would fail to reveal information about the sale of the company, the self-tender, and the restructuring options considered at the time of the self-tender. The court rejected plaintiffs’ argument that the documents at issue were necessary to prepare for the forthcoming depositions or to test the witnesses’ credibility. The court reasoned that such concerns are always present, and if the court were to adopt them as a basis to apply the Garner exception, the scope of the exception “would expand significantly, an outcome contrary to our Supreme Court’s admonition that the exception is ‘narrow, exacting, and intended to be very difficult to satisfy.’” (quoting Wal-Mart, 95 A.3d at 1278). The court emphasized that a stockholder invoking Garner must establish that they “have exhausted every available method of obtaining the information they seek.” Given that plaintiffs did not do so, the court concluded that the balancing test under the third factor “tip[ped] against disclosure of the privileged documents,” and held that the Garner exception did not apply.

Having held that plaintiffs failed to demonstrate that their motion to compel should be granted, the court found it unnecessary to decide whether Garner could apply to the direct, as opposed to derivative, claims in issue. Defendants argued that Garner applies only to derivative claims “where [the] defendant corporate actors assert the privilege on behalf of the very entity that the plaintiffs purport to represent derivatively, in which case the assertion of the privilege on behalf of the corporation and its principals may be inimical to the corporate interest.” Without deciding the issue, the court noted that the Garner exception logically applied in the context of direct claims for breach of fiduciary duty, “but that the nature of the action must be accounted for in the balance of interests that Garner requires.”

Morris v. Spectra Energy Partners (DE) GP, LP

The discovery dispute at issue in this decision arose in the context of a challenge to a transfer of certain assets of Spectra Energy Partners, LP (Spectra LP) to a principal of Spectra LP’s general partner, Spectra Energy Partners (DE) GP, LP (Spectra GP). Spectra LP’s limited partnership agreement (the LPA) eliminated common-law fiduciary duties, but required Spectra GP to act in good faith with respect to such transfers. The plaintiff, a common unitholder of Spectra LP, claimed that Spectra GP breached its duty to act in good faith by knowingly approving a transfer of assets for approximately $500 million less than the assets were purportedly worth.

The plaintiff moved to compel the production of two documents in unredacted form under the Garner exception. In a matter of first impression, the court considered whether the Garner exception applies in circumstances where a limited partnership has eliminated common-law fiduciary duties. Relying on precedent holding that the Garner exception is limited to circumstances where there is a fiduciary relationship between the party challenging the privilege and the party asserting it, the court concluded that the Garner exception does not apply when fiduciary duties are expressly disclaimed.

In so finding, the court emphasized the policy underlying the Garner exception, which rests on the “mutuality of interest” between a stockholder and a fiduciary when the fiduciary seeks legal advice in connection with actions taken or contemplated in his role as a fiduciary. In such circumstances, the court reasoned, the stockholder is “the ultimate beneficiary of legal advice sought by fiduciaries qua fiduciaries,” making it appropriate for the stockholder to view the communications reflecting the advice in certain circumstances. The court recognized that the Garner exception has been applied in situations far removed from stockholder derivative suits (i.e., actions by trust beneficiaries against the trust and trustee, and actions by creditors against a bankruptcy creditor’s committee), but a fiduciary relationship existed in these cases, establishing the requisite mutuality of interest between the parties.

Given that there was no fiduciary relationship between the plaintiff and Spectra GP under the express terms of the LPA, the court concluded that the mutuality of interest underpinning the Garner exception did not exist, and the Garner exception therefore did not apply.

Key Takeaways

Although application of the Garner exception is necessarily a fact-specific inquiry, these recent decisions offer certain key insights for litigants prosecuting or defending breach of fiduciary duty claims in the Delaware Court of Chancery:

• Fiduciary relationship required, and contractual duties are not enough. The court’s decision in Morris makes clear that the Garner exception is unavailable where common-law fiduciary duties are disclaimed by contract and therefore no fiduciary relationship exists. The LPA in Morris replaced common-law fiduciary duties with contractual duties, and although not expressly addressed, the court’s decision appears to render Garner inapplicable to actions involving breaches of contractual duties. Therefore, even if a plaintiff asserting breaches of contractual duties could otherwise satisfy the high burden required for Garner’s application, it is unavailable in that setting.
• Garner likely applies to direct fiduciary breach claims, but the burden of establishing good cause may be higher in that context. Although the court in Buttonwood did not decide the issue, it surmised in dicta that the Garner exception would apply to direct fiduciary duty claims as well as derivative claims. In Garner, where the claims were both direct and derivative, the Fifth Circuit noted that its decision was not dependent on whether the derivative claim was “in the case or out.” Garner, 430 F.2d at 1097 n.11. In Buttonwood, however, the court cautioned that the nature of the claim should be considered when balancing the interests inherent in the attorney-client privilege against the interests of a stockholder seeking to review privileged communications. This suggests that stockholders invoking the Garner exception in the context of direct fiduciary duty claims may face a higher burden of establishing the requisite “good cause” necessary to invoke the exception.
• Garner does not apply if information sought is potentially available through depositions. When evaluating “the apparent necessity or desirability of shareholders having the information and availability of it from other sources,” the court will not likely find sufficient good cause to invoke Garner if the moving stockholder can obtain the information sought through depositions. Similarly, the potential usefulness of otherwise privileged documents to deposition preparation is not enough under Garner. Rather, a stockholder must exhaust other available options, consistent with the Delaware Supreme Court’s expectation that the Garner exception should “be very difficult to satisfy.”