INTRODUCTION

While employee benefits and executive compensation issues rarely drive a transaction, one issue that should be discussed at the beginning of every deal is whether there are any payments that could trigger taxation under Section 280G.[1]  Ignoring this Code section or waiting until a few days before closing to address potential Section 280G issues could result in a large tax bill for impacted individuals, as well as a loss of deduction for the corporations involved and angry clients and executives.

Section 280G and its counterpart, Section 4999, were enacted by Congress in 1984 to address Congressional concerns and the then-common belief that corporate executives were receiving financial windfalls in the deluge of mergers and acquisitions occurring in the ‘80s, which in turn was impacting shareholder value and potentially could have a cooling effect on M&A activity.  As with many provisions of the United States Tax Code, Section 280G and its counterpart Section 4999 attempt to curtail behavior by (i) imposing an excise tax on certain compensation received in connection with the change of control by the executives under Section 4999; and (ii) causing the corporation to lose its deduction under Section 280G for any compensation that subject to such taxation. While the concept of taxation and loss of deduction sounds simple, the application creates a web of complexity that requires someone familiar with these rules to navigate its application in corporation transactions.  This article endeavors to assist practitioners unfamiliar with this area in identifying issues in transactions by providing a brief overview of Section 280G and how it can be avoided or if avoidance is impossible, how to offset it or mitigate its impact.

OVERVIEW OF SECTION 280G

Practitioners often refer to the complications caused by Sections 280G and 4999 simply as “280G,” but as noted above, these are two distinct Code sections that work in tandem to penalize both the impacted individual and the corporation.  Section 4999 imposes a 20% excise tax on the disqualified individual (referred to as “disqualified individuals” and discussed more in depth below) payee of an “excess parachute payment.”  Section 280G disallows a deduction for the payor of such “excess parachute payment.”  The 20% excise tax under Section 4999 and the disallowance of deduction under Section 280G only apply if there is an “excess parachute payment,” and there can only be an “excess” if there is first a “parachute payment.” 

Determining whether a parachute payment exists depends upon calculation of the disqualified individual’s “base amount.”  In general terms, payments and other benefits provided as a result of a change of control will not be subject to these provisions if they do not equal or exceed three times the disqualified individual’s five-year average compensation (“base amount”) using compensation for the five most recent tax years ending before the change of control. See Treas. Reg. §1.280G-1, Q&A-34.  If the disqualified individual receives parachute payments in excess of three times the base amount, a 20% excise tax will apply to any amount paid that is in excess of one times the base amount, and the corporation will lose the corresponding deduction for the amount that is subject to the tax.  For example, if the disqualified individual’s five-year average compensation was $500,000, and she received a parachute payment of $2,000,000, the 20% excise tax (and corresponding corporate deduction) would apply to $1,500,000 of the excess parachute payment.

Generally, the disqualified individual’s Form W-2 – Box 1, or for independent contractors or outside directors, Form 1099 – Box 1, is used to determine the compensation for purposes of calculating the base amount.  However, if the disqualified individual has not performed services for the entire five-year period, his or her total employment period during such five-year period will be included with compensation for any partial year being annualized.  Treas. Reg. §1.280G-1, Q&A-35.  If the disqualified individual was hired in the year of the change of control (and had no other compensation from the corporation during the five prior taxable years), generally the individual’s base amount will be his or her annualized compensation that was includible in his or her gross income for the period prior to the change of control that was not contingent on the change of control.  Treas. Reg. §1.280G-1, Q&A-36.  Also, benefits provided to a disqualified individual which have not yet become taxable, such as unexercised stock options or deferred compensation, will have a direct impact on this calculation.  If a disqualified individual earns $500,000 a year, and exercised stock options in the year prior to the change of control resulting in additional compensation income of $1,000,000, that disqualified individual’s base amount will be increased by $200,000 (assuming he has worked for the corporation for at least five years).

Further, if the disqualified individual has changed positions during the five-year period, for instance from outside director to CEO, the base amount may be artificially low.  For example, assume an outside director has been receiving director fees of $50,000 per year for the past five years, and then is promoted to the position of CEO with compensation of $1,000,000 in January of 2020 and then a change of control occurs in July of 2020.  The base amount for this newly-appointed CEO will be three times the average base compensation he received as a director (3 x $50,000) and would not even consider his compensation as CEO.

It is also important to remember that Sections 280G and 4999 apply to both public and private corporations. The term “corporations” for purposes of these Code sections includes publicly-traded partnerships, Section 854(a) real estate investment trusts, mutual or cooperative corporations, foreign corporations and tax-exempt Section 502(a) corporations.  Generally, payments made by partnerships, limited liability companies taxed as partnerships, S corporations, and corporations that could elect to be S corporations (even if they have not done so) are not subject to Sections 280G and 4999.  Treas. Reg. §1.280G-1, Q&A-6.  However, if an entity is part of an affiliated group that includes a corporation, there may be issues under Sections 280G and 4999 even if the actual payor of the compensation is an entity not otherwise subject to these provisions.  Parties in transactions that include affiliated groups should make sure that counsel familiar with these sections advises on the transaction.

Practitioners also should tread carefully if non-U.S. entities are involved in the transaction.  There is no specific exemption from Section 280G for non-U.S. corporations.  It is possible for the sale of a foreign subsidiary of a U.S. corporation parent to trigger a change of control for Section 280G, or vice versa. 

Who Is a “Disqualified Individual”?

There is a common misconception that Section 280G only applies to “executives,” but in reality, Section 280G can potentially impact non-executive level employees, consultants, directors and shareholders.  A disqualified individual includes any individual (employee or independent contractor) who is an officer, shareholder, or highly-compensated individual with respect to the corporation.  Section 280G(c); Treas. Reg. § 1.280G-1, Q&A-15(a).  Additionally, directors are considered disqualified individuals if the director is also a shareholder, officer, or highly-compensated individual with respect to the corporation.  Treas. Reg. § 1.280G-1, Q&A-15(b).  While an individual may fall within more than one of these categories, all that is required is that the individual fall into one of these three categories within the 12-month period immediately prior to the change of control, and as a result, even former service providers could have concerns under these sections.  For example, an individual who terminated employment six-months prior to the change of control, and was a 1% shareholder, would be treated as a disqualified individual for purposes of the change of control.  Personal service corporations providing services to the corporation are also treated as “individuals” when determining who is a disqualified individual. Treas. Reg. §1.280G-1, Q&A-16. The fact that a consultant has used his or her own single-member limited liability company to provide services to the corporation does not avoid the tendons of Sections 280G and 4999.

Highly-compensated individuals are persons within the lesser of (i) the highest paid 250 employees; or (ii) the highest paid 1% of employees of the corporation. Treas. Reg. § 1.280G-1, Q&A-19.  A shareholder, for these purposes, is only considered a disqualified individual if the shareholder provides services to the corporation (either as an employee or independent contractor, including outside directors) and owns more than 1% of the fair market value of the outstanding shares of all classes of the corporation’s stock.  In determining stock ownership, the attribution rules of Section 318(a) apply.  Stock underlying a vested option is considered owned by the individual who owns the vested option (and stock underlying an unvested option is not considered owned by the holder of the unvested option).  If an unvested option to purchase a corporation’s stock automatically vests upon a change of control, the stock underlying such option is considered owned by the holder of the option for purposes of these rules.  Treas. Reg. § 1.280G-1, Q&A-17.

The determination of whether an individual is an officer is based on the facts and circumstances in each particular case (such as the source of the individual’s authority, the term for which the individual is elected or appointed, and the nature and extent of the individual’s duties).  Treas. Reg. §1.280G-1 Q&A-18(a).  Generally, the term “officer” means an administrative executive who is in regular and continued service.  Any individual who has the title of officer is presumed to be an officer unless the facts and circumstances demonstrate that the individual does not have the authority of an officer.  However, an individual who does not have the title of officer may nevertheless be considered an officer if the facts and circumstances demonstrate that the individual has the authority of an officer.  The term “officer” includes individuals who are officers with respect to other members of the acquired corporation’s controlled group.  Treas. Reg. §1.280G-1 Q&A-18(b).  Treasury Regulations limit the number of employees of the corporation and its controlled group that can be treated as disqualified individuals solely by reason of being an “officer” to the lesser of (i) 50 employees; or (ii) the greater of 3 employees or 10% of employees of the controlled group, rounded up to the nearest integer.  Treas. Reg. §1.280G-1 Q&A-18(c).

What Is a “Parachute Payment”?

Under Section 280G(b)(2), a parachute payment is any payment in the nature of compensation to (or for the benefit of) a “disqualified individual” if (i) the payment is contingent on a change of the ownership or effective control of the corporation or in the ownership of a substantial portion of the assets of the corporation; and (ii) the aggregate present value of the payments in the nature of compensation which are contingent on such change equals or exceeds three times the individual’s base amount.  Section 280(G)(2)(b).

Virtually all payments of cash or valuable property to an employee or independent contractor will be considered to be in the nature of compensation, including bonuses, severance pay, fringe benefits, pension benefits, and other deferred compensation.  Treas. Reg. § 1.280G-1, Q&A-11.  More difficult questions arise in the categorization of items such as stock options, restricted stock, and other benefits subject to vesting or forfeiture, particularly the determination of when a payment has been made and whether a payment is contingent upon a change of control.  Property transferred in connection with services is generally subject to taxation under Section 83, and becomes taxable when it is transferred if it is substantially vested and has an ascertainable value.  However, if the property is subject to forfeiture at the time of transfer or does not have a readily ascertainable value, taxation will occur at a later date.  If property previously transferred to a disqualified individual becomes vested as a result of the change of control, it will be included in the parachute payment computation unless exempt as reasonable compensation for services rendered before the date of the change of control.  Treas. Reg. § 1.280G‑1, Q&A-12.  This result applies even if the disqualified individual made a Section 83(b) election to tax the property as compensation income at the time it was actually transferred to him.  Treas. Reg. §1.280G-1, Q&A-34(d).

A special rule applies with respect to non-qualified stock options.  Under Q&A-13 of the regulations, an option is treated as a payment in the nature of compensation at the time the option vests (regarding of whether the option has a readily ascertainable fair market value as defined in Treas. Reg. § 1.83-7(b)).  Treas. Reg. §1.280G-1, Q&A-13.  If an option is fully vested and also has an ascertainable value prior to the change of control, it will not be considered in the calculation of the parachute payment; similarly, if the option would become substantially vested without regard to the change of control and its value is ascertainable, it would not be included in the calculation.  For parachute payment purposes, an option which vests upon a change of control is valued on the basis of all facts and circumstances, including the option spread at that time, the probability that the spread will increase or decrease, and the length of the option exercise period.  Valuation of such options may be challenging, especially when a disqualified individual’s employment agreement or severance agreement contains a golden parachute cap which is intended to limit the amount of “compensation” he receives as a result of a change of control.  (See the discussion below regarding cut-backs).

Practitioners should continue to ask the parties to the transaction whether there are any new payments being made to any service provider throughout the transaction until to the closing.  A client may advise at the beginning of a transaction that it has none of the payments that would be treated as parachute payments, but as the transaction progresses, decide to pay large change of control bonuses to employees.  Even a small bonus could create a Section 280G issue when added to already existing parachute payments. 

What Transactions Trigger Section 280G?

The term “change of control” can have many meanings, both under the law, and in written agreements between the parties.  In any corporate transaction, it is important to review all change of control definitions in the various agreements to determine whether the proposed transaction would actually constitute a change of control for purposes of the agreements.  In addition, it is important to determine whether the transaction would constitute a “change of control” for purposes of Section 280G (because in some cases, what is a change of control under a written agreement may not be a change of control under Section 280G and vice versa).

“Change of control” is not specifically defined in the statute, other than to provide that transactions that are a change in the “ownership or effective control of the corporation” or “in the ownership of a substantial portion of the assets of the corporation” would constitute a change of control.  See Section 280G(b)(2)(A)(i).  The Treasury Regulations, specifically, Q&A-27, do provide some guidance regarding what constitutes a change of control.  Generally, a change of control occurs under Section 280G on the date that any one person, or more than one person acting as a group, acquires ownership of stock of the corporation that, has more than 50% of the total fair market value or total voting power of the stock of such corporation, referred to as a change in the ownership of a corporation.  However, a change of control also is presumed to occur if there is a change in the effective control of the corporation, which means that there has been either (i) an acquisition of 20% or more of the total voting power of the corporation by any person or group; or (ii) the replacement of a majority of the board members of the corporation (other than the directors whose appointment is approved by a majority of the current board).  This presumption may be rebutted if the parties can establish that the acquisition of stock or replacement of a majority of the board did not result in a transfer of power to control (directly or indirectly) the management and policies of the corporation from any one person (or more than one person acting as a group) to another person (or group).  See Treas. Reg. §1.280G-1, Q&A-28.  Further, a change in the effective control does not occur if the changes do not occur within a 12-month period (for instance, a person could not purchase 10% of the stock in three separate years and trigger a change of control). 

Finally, a change of control occurs when there is a change in the ownership of a substantial portion of the corporation’s assets.  A “substantial portion” means assets having a total gross fair market value equal to or more than one-third of the total gross fair market value of all of the assets of the corporation immediately prior to the acquisition.  Treas. Reg. §1.280G-1, Q&A-29.  A transfer of assets will not be treated as a change of control for Section 280G purposes if the assets are transferred to (i) a current shareholder of the corporation in exchange for or with respect to its stock; (ii) an entity if 50% or more of the voting power is owned (directly or indirectly) by the impacted corporation; (iii) a person that owns 50% or more of the total voting power of all the outstanding stock of the impacted corporation; or (iv) any entity for which 50% or more of the total value or voting power is owned by any of the entities described in (i), (ii) or (iii).

When analyzing whether a change of control has occurred in a controlled group of corporations, it generally must be a change of control of the parent entity.  The sale of a subsidiary of the parent would not trigger a change of control unless the subsidiary’s assets equal more than one-third of the parent’s assets.  It is important to identify which entity is undergoing the change of control so that the proper analysis can be completed for Section 280G purposes.

What Is an “Excess Parachute Payment”?

Loss of deductibility and application of the excise tax only apply to the “excess parachute payment.”  Once it has been determined that there is a parachute payment (that the payments contingent on change of control exceed three times the base amount), the excess of such contingent payments over one times the base amount will be considered the “excess parachute payment” to which the excise tax and loss of deduction apply.  In other words, going one dollar over the three times base amount threshold results in the entire amount of the contingent payments, reduced only by one times the base amount, being subject to these tax provisions.

What Payments Are Contingent on a Change of Control?

As noted previously, the payments must not only be in the nature of compensation, but also must be contingent on the change of control.  Most executive employment agreements and compensation plans (i.e., severance agreements, bonus plans, nonqualified deferred compensation plans, stock option plans) contain change of control provisions that will most likely be triggered by a merger, asset sale or stock sale, resulting in bonus payments, higher severance payments and acceleration of equity in connection with the transaction.  These types of payments, that clearly are triggered on the change of control, are easy to identify, but rarely are the only payments that are treated as contingent on a change of control.

Whether a payment is contingent on a change of control is generally determined under a “but for” test.  To exclude the payment, it must be substantially certain, at the time of the change, that the payment would have been made whether or not the change occurred.  Acceleration of vesting or acceleration of the time for payment will cause the payment to be treated as contingent upon the change, at least to some extent.  Treas. Reg. §1.280G-1, Q&A-29.  The portion of the payment treated as contingent is the amount by which the payment exceeds the present value of the payment absent the acceleration.  Treas. Reg. §1.280G-1, Q&A-24.  However, if the payment of deferred compensation was not vested (for example, it would have been forfeited had the disqualified individual terminated employment prior to age 65), the entire amount of the payment will be included in the computation if the change results in substantial vesting.

If a payment is merely accelerated by a change of control, it will not be treated as contingent upon the change of control if the acceleration does not increase the present value of the payment.  These calculations are complicated if the payment that is accelerated would have been paid without regard to the change so long as the individual continued to perform services for a specified period of time.  In that event, the value of the acceleration will take into account not only the value provided to the disqualified individual by earlier payment, but also the value added by elimination of the risk of forfeiture for failure to continue to perform services.  If the disqualified individual and the employer are unable to establish a reasonably ascertainable value for both of these elements, then the entire amount of the accelerated payment will be included in the computation.  This typically occurs with respect to performance-based bonuses or awards that are accelerated and vested upon the change of control regardless of whether the performance criteria have been achieved, in which case the entire amount of the payment would be treated as the parachute payment.  

The present value of a payment which is to be made in the future is determined as of the date on which the change of control occurs, or on the date of payment if the payment is made before the change of control.  First, the payment is discounted at a rate equal to 120% of the applicable federal rate.  Treas. Reg. §1.280G-1, Q&A-32.  Secondly, if the payment is contingent on an uncertain future event or condition, then the likelihood of whether the payment will be made must be reasonably estimated.  If it is reasonably estimated that there is a 50% or greater probability that the payment will be made, then the full amount of the payment is considered for purposes of the 3-times the base amount test and the allocation of the base amount.  Treas. Reg. §1.280G-1, Q&A-33.  If it is reasonably estimated that there is a less than 50% probability that the payment will be made, the payment is not considered for either of these purposes.  If the likelihood estimate is later determined to be incorrect, the 3-times the base amount test must be reapplied (and the portion of the base amount allocated to previous payments must be reallocated (if necessary) to such payments) to reflect the actual timing and amount of the payment.

For example, if a disqualified individual will be entitled to payment of $1,000,000 in the event his employment is terminated within one year after a change of control, and the corporation reasonably estimates that there is a 50% probability the disqualified individual’s employment will be terminated within one year, then the entire payment would be considered.  If the timing of the payment can also be reasonably estimated, an additional discount may be applied.  The determination of the likelihood of an event occurring can be made as late as the date the corporation files its income tax return for the year in which the change of control occurs.  For example, if a change of control occurs on June 1 and the corporation files its income tax return in April of the following year, the corporation can look back and determine whether or not the event has occurred or has become likely to occur.

AVOIDING, OFFSETTING AND MITIGATING THE IMPACT OF SECTION 280G

Once the parties have identified that there are payments that may trigger taxation under Sections 280G and 4999, the next step is to outline those potential payments and determine whether there is any way to avoid, offset or mitigate the potential impact of these sections.  It is important to note that while legal counsel can certainly run some initial calculations, most often an accounting firm is charged with running the final calculations that will be relied upon for analyzing the Section 280G issues, withholding taxes, and filing returns.  

There are three primary approaches to avoiding, mitigating or offsetting Section 280G liability: (i) if it is a non-public corporation, relying upon the shareholder vote exception; (ii) reducing the amounts payable to the disqualified individual to one dollar less than the amount that would trigger the excise tax (called a “cut-back”); or (iii) “grossing-up” the payments so that the disqualified individual receives the same amount after application of the excise tax under Section 4999 as he or she would have received had Section 4999 not applied.

Law firms often work closely with the accounting firms and clients to determine the best approach to avoid, mitigate, or offset Section 280G liability.  The law firms also will draft the documents outlined below (whether it be the documents for the shareholder vote, cut-back, or gross-up language for agreements with the disqualified individuals).  Both counsel for the buyer and the seller will review these documents, so practitioners should focus on getting documents drafted with enough time for both sides to review and provide comments.  This process is generally collegial when both law firms handle a high volume of deals but becomes more challenging when one side’s counsel is unfamiliar with Section 280G or does not have executive compensation counsel assisting with the transaction.

Private Companies with Shareholder Vote

As noted earlier, part of the reason Section 280G and 4999 were adopted was to protect shareholders from executives diverting value from shareholders and into their own pockets.  Since shareholder protection was one of the primary goals, if the shareholders do not have an issue with the payments, then there is no reason for the taxes to apply.  Congress included the shareholder vote exception in Section 280G for this exact reason.  Under this exception, payments with respect to a change in ownership of a private company are not treated as parachute payments if the payments are approved by 75% of the shareholders entitled to vote immediately before the change in ownership, after adequate disclosure to all shareholders entitled to vote. Section 280G(b)(5) and Treas. Reg. §1.280G-1, Q&A 6 and Q&A 7.  For these purposes, shareholder approval can be retroactively obtained.  In order to rely on this exception, neither the company undergoing the change of control nor any members of its controlled group can be publicly-traded.

The shareholder population means the shareholders of record, as determined no more than six months before the date of the change in ownership or control.  If a substantial portion of the assets of an “entity shareholder” (within the meaning of Treas. Reg. § 1.280G-1, Q&A-7(b)(3)) consists (directly or indirectly) of stock in the corporation undergoing the change in control (i.e., the total fair market value of the stock held by the “entity shareholder” in the corporation undergoing the change in control equals or exceeds one-third of the total gross fair market value of all of the assets of the “entity shareholder” without regard to any liabilities associated with such assets), approval of the payment by that “entity shareholder” must be made by a separate vote of the persons who hold, immediately before the change in control, more than 75% of the voting power of the “entity shareholder” (unless the entity shareholder owns, directly or indirectly, 1% or less of the total value of the corporation undergoing the change in control).  Shares owned (directly or constructively) by a person who is to receive a payment that would be a parachute payment if shareholder approval is not obtained are not eligible to vote (and are not counted as outstanding for purposes of the vote).  As a practical matter, practitioners may find it challenging to determine whether a shareholder constructively owns shares, making it crucial that parties start evaluating this issue as soon as the disqualified individuals are identified.

In order for the disclosure to the shareholders to be adequate, the “disclosure must be full and truthful disclosure of the material facts and such additional information as is necessary to make the disclosure not materially misleading at the time the disclosure is made.”  Treas. Reg. §1.280G-1, Q&A 7(c).  The description needs to include: (i) a description of the event triggering the payment(s); (ii) the total amount of the payment(s) that would be parachute payment(s) if the shareholder approval requirements are not satisfied; and (iii) a brief description of the payment(s) (e.g., accelerated vesting of options, bonus, or salary).  The disclosure should give information on the effect of approval or disapproval.  In addition, the disclosure must be delivered to all shareholders, not just the 75% needed to approve the payments. 

The shareholder vote must be meaningful, which means that the amounts being approved must be at risk.  Typically, if the disqualified individual has an existing contractual right to the payment being approved, the individual will be asked to sign a waiver agreement prior to the shareholder vote.  The waiver agreement will provide that if the shareholders do not approve the payments, then any payments in the nature of compensation being paid in connection with the change of control will be reduced to one dollar less than the amount that would otherwise trigger the excise tax.  Further, the shareholder vote must be independent of the shareholders vote on the underlying transaction.  It is not permissible to include as a closing condition to the transaction that the shareholders have approved the payments.  The only requirement that can be included in the purchase agreement is that the seller provide evidence that they conducted the shareholder vote in accordance with the requirements of Section 280G. 

If the seller is owned by a small number of shareholders or only a handful of shareholders own the required 75% of the vote needed and the shareholders are supportive of the executive team, obtaining the shareholder vote tends to be a rather routine part of the deal that merely requires deal counsel to get the proper disclosures, waivers and resolutions timely drafted and submitted to the shareholders.  However, if there are a large number of shareholders or the shareholders have an adversarial relationship with management, the shareholder approval approach may not work.  In such cases, the parties need to look at potentially cut-back the payments or grossing up the payments as discussed below.

Cut-backs, Gross-Ups and Best Net Clauses

For public corporations, or private corporations where the shareholder vote is not a viable alternative, the parties have two primary options to address Section 280G issues: (i) cut-back the payments so that Section 280G and the taxes under Section 4999 are not triggered; or (ii) gross-up the payments.  Before deciding on which approach to use, practitioners should first review the relevant agreements to determine whether Section 280G was addressed in the contract when signed.  Often employment agreements and severance agreements will include paragraphs that specifically address how the compensation will be treated under Section 280G in the event of a change of control.  If the parties want to take an approach that differs from the underlying agreements, the disqualified individual subject to the agreements will need to consent to the new approach.  The disqualified individual’s consent may not be easy to obtain if the disqualified individual will receive less compensation under the new approach. 

Cut-back. If the parties elect to use the cut-back approach, the disqualified individual’s parachute payments are reduced to an amount that is one dollar less than the amount that would trigger the 20% excise tax.  A disqualified individual without a gross-up agreement may prefer to have his or her payments capped if it appears likely that he or she will be close to the three times base amount threshold or just over that threshold.  For example, a disqualified individual with a base amount of $300,000 could receive contingent payments of up to $899,999 without being subject to the 20% excise tax.  However, if that disqualified individual receives contingent payments of $900,001, he or she would be subject to an excise tax of $120,000 ($600,001 times 20%).  By agreeing to give up $2, the disqualified individual saves $120,000.  However, if that same individual was entitled to contingent payments of $1,100,000, the excise tax would be $160,000 (an excess parachute payment of $800,000 multiplied by 20%), and the disqualified individual would receive $40,000 more by taking the payment rather than having it capped.  The corporation will generally prefer to cap the benefits, because going over the three times base amount threshold by $1 results in loss of the deduction for the entire amount of the excess parachute payment.  However, if capping or cutting back the compensation would result in payments being less than the disqualified individual would receive if the full amount was paid and the 20% tax was applied, he or she may not be willing to agree to a cut back. 

Gross-up. Even if the amount would not be less under the cut-back, the disqualified individual may feel like the corporation is breaking its promise to the individual of a certain amount of compensation in the transaction, and that the corporation should have warned the individual at the time the promise to pay the compensation was made that the amount might be substantially less because of Section 4999.  In such cases, the parties may consider adding a gross-up so that once the taxes under Section 4999 are deducted, the disqualified individual receives the same amount he would have received had the excise tax not applied.  If the disqualified individual is provided a full gross-up, the cost to the employer can be significant, because not only will the initial 20% excise tax be paid by the corporation (and non-deductible), but also all income tax and additional excise taxes applicable to the gross-up amount must also be paid.  Because of this increased cost to the employer, gross-up clauses have been attacked as excessive pay practices by Institutional Shareholder Services and other similar institutional shareholder watch-dog organizations.  If either corporation in the transaction is a publicly-held corporation that has a large percentage of shareholders following ISS or other such organizations, use of a gross up can result in significant shareholder backlash, and potentially a “no” vote recommendation on other matters. 

Best net. A third option, which is often used by publicly-held corporations, is to apply a “best net” approach to the payment.  Under the best net approach, the disqualified individual receives the greater of the (i) full amount of the payments, less the 20% excise tax; or (ii) one dollar less than the amount that would trigger the 20% excise tax.  This approach could still result in a loss of deduction for the corporation if the greater amount is the full amount of the payment less the excise tax, but many corporations still agree to this approach because it is better than a gross up and usually satisfies the disqualified individual once the individual understands the potential backlash causes by a gross up payment. 

It is not often easy to determine whether a disqualified individual will be close to his or her threshold amount, significantly under it, or significantly over it.  Questions may arise about inclusion of certain benefits and payments in the calculation of the base amount.  Moreover, as noted above, calculation of the present value of future contingent payments may be quite difficult and subject to adjustment based upon later events, and treatment of particular payments as contingent on a change of control may not be certain.  If this issue is addressed sufficiently far in advance of the effective date of the change of control, each disqualified individual can review his or her own situation and work with the buyer and seller on the best approach for all parties.

Reasonable Compensation

If it has already been determined that a disqualified individual has an excess parachute payment, the amount of that excess parachute payment may be reduced by the portion of the payment that the disqualified individual establishes by clear and convincing evidence is reasonable compensation for services prior to or after the change of control.  Treas. Reg. §1.280G-1, Q&A 3, 9, 24(a)(2) and 39. 

Only payments that can be established by “clear and convincing evidence” to be reasonable compensation for services rendered are not treated as parachute payments.  Section 280G(b)(5) and Treas. Reg. § 1.280G-1, Q&A-6 and Q&A-9.  The determination of whether a payment is “reasonable” is based on the facts and circumstances relating to each payment and each disqualified individual.  Treas. Reg. §1.280G-1 Q&A 40.  The regulations issued under Section 280G provide that the relevant factors to the determination of whether a payment is reasonable compensation include, but are not limited to, (i) the nature of the services rendered or to be rendered; (ii) the individual’s historic compensation for performing such services; and (iii) the compensation of individuals performing comparable services in situations where the compensation is not contingent on a change of control.  Treas. Reg. § 1.280G-1, Q&A-40(a). 

All payments in connection with a change of control are presumed unreasonable.  For purposes of determining whether a payment is contingent on a change of control, there is a presumption that any payment that is made within the period beginning one year before and ending one year after the date of the change in ownership or control is made in connection with the change of control.  Treas. Reg. §1.280G-1, Q&A-22(b)(3).  Conversely, there is a presumption that any payment made outside of this two-year time period is not made in connection with a change of control.   

There also is a distinction between the treatment of compensation for services rendered before the change of control and compensation for services rendered on or after the change of control.  Payments of compensation that were clearly earned before the change of control generally are considered reasonable compensation for personal services actually rendered before the change of control if the payments qualified as reasonable compensation under Section 162.  Treas. Reg. §1.280G-1, Q&A-43.  Examples of payments that are commonly treated as payments for services rendered include bonuses paid in the ordinary course in accordance with the corporation’s bonus plan in the year prior to the change of control, or pro rata bonuses paid to an employee prior to the change of control based on actual performance.  The Treasury Regulations also provide that a showing that payments are made under a nondiscriminatory employee plan or program generally is considered to be clear and convincing evidence that the payments are reasonable compensation.  Treas. Reg. § 1.280G-1, Q&A-26.  Examples of nondiscriminatory employee plans include group term life instance, cafeteria plans, and educational assistance plans. 

However, new programs or increases in base salary that occur within the one-year period prior to a change of control can be problematic.  The parties to the transaction should use care to support any large increase or adoption of new programs with market data and other objective evidence to show it is comparable to other peer group members when trying to argue it is reasonable compensation.

Payments for services rendered within the one-year period prior to the change of control are considered “parachute payments,” but are not considered “excess parachute payments” to the extent they are reasonable compensation.  Section 280G(b)(4)(B) and Tress. Reg. §1.280G-1, Q&A-3.  Thus, payments for services rendered in the one-year period before a change of control (i) are included for purposes of determining whether all payments received in connection with a change of control exceed the three times base amount threshold; but (ii) are exempt from the 20% excise tax; and (iii) may be deducted by the payor.  Again, the burden is on the corporation to establish by clear and convincing evidence that these payments are reasonable compensation for services rendered prior to the change of control.

If payments are received for services rendered on or after the change of control (e.g., continued salary, post-transaction consulting arrangements, bonuses for performance periods after the change of control) or pursuant to an agreement entered into after the change of control, they generally are not considered “parachute payments,” and thus are excluded from the determination of whether all payments in connection with a change of control exceed the three times base amount threshold.  Section 280G(b)(4)(A) and Treas. Reg. §1.280-1, Q&A-9 and Q&A-23.  One exception to this general rule is if the payments are made pursuant to an agreement that is executed after a change in ownership or control pursuant to a legally enforceable agreement that was entered into before the change, in which case, the agreement is considered to have been entered into before the change.  Treas. Reg. §1.280-1 Q&A 25.  For instance, if the purchase agreement requires the buyer to provide retention bonuses to the seller’s employees that it hires, and the buyer enters into those agreement post-closing, the agreement would be treated as entered into prior to the change of control.  In addition, if the disqualified individual post-closing gives up a right made under an agreement that was entered into prior to the change of control in exchange for benefits under a post-closing agreement, the new agreement will only be treated as a post-closing agreement to the extent the value exceeds the value of the payments under the pre-closing agreement.  Treas. Reg. §1.280-1 Q&A 25.

In the event the agreement entered into prior to the change of control includes severance payable after the change of control and a non-compete provision, the parties may be able to argue that some portion of the severance is reasonable compensation as a payment made in exchange for a covenant not to compete.  Under the Treasury Regulations, payments that can be established to be made in exchange for a covenant not to compete are reasonable compensation for services to be rendered on or after the change of control.  Treas. Reg. §1.280G-1, Q&A-40(b) and PLR 9314034 (1/8/1993).  However, this does not mean that the entire amount of the payment that is linked to the non-compete is automatically excluded.  The non-compete must be enforceable, which means it must be both enforceable in the jurisdiction where it applies, and the corporation must not have a history of waiving non-competes.  If the corporation never enforces non-competes, then the payments will not be deemed reasonable compensation.  Further, the parties must consider the amount of damage the disqualified individual may inflict on the business if he or she competes.  This value might be different for each disqualified individual, and likely has a higher value for someone in his or her 40s versus an 80-year-old disqualified individual who intends to retire after the transaction.  Typically, accounting firms value the non-compete and determine what, if any, value can be treated as reasonable compensation.  It is important to make sure both the seller and the buyer agree to the value.  If the buyer does not agree with the value and determines later when taking the deduction that the assigned value was too aggressive, it could result in an increase in the parachute payments and tax liability for the disqualified individuals after the transaction closes. 

Conclusion

Navigating the issues raised by Section 280G and 4999 can be complicated.  However, if issues are addressed early in the transaction, then all parties involved can better understand the impact of the excise taxes, or the actions the parties need to take in order to mitigate or offset the impact of these sections.  With time, and careful planning, the parties can avoid the pitfalls outlined above, and prevent these sections from unduly burdening a transaction.  

[1] All references to Section mean a section of the U.S. Internal Revenue Code of 1986, as amended.

The Risk Allocation Landscape

Historically, escrows have served as a classic deal protection mechanism in mergers and acquisitions (M&A) transactions. Recently, however, representations and warranties (R&W) insurance has emerged as an escrow alternative, offering seller-friendly terms and competitive premiums. Is there room for two products on the market? Is one better than the other? Bottom line, it all depends. In this article, we will explore some areas to consider when evaluating the optimal deal protection mechanism for your transaction.

ESCROWS: A primer

Holdback escrows are generally used by Buyers to segregate a portion of the purchase price for various reasons, with the most common reasons being to:

• Provide a means for the Buyer to claim back a portion of the purchase price for breaches of representations and warranties from the Seller.
• Secure post-close purchase price adjustments until finalization of such amounts.

Escrows can also be used for other M&A purposes:

• Good Faith Deposit: can demonstrate serious interest and/or comply with regulations (e.g., if government approval is needed); can also be used to hold potential termination fees.
• Closing Agent / Paying Agent: can centralize funding sources and enable funds to be on hand prior to close; can also facilitate exchange of company stock from Seller for payment of cash from Buyer.

R&W INSURANCE

While there are Seller and Buyer R&W policies, the latter is more common. Under a buy-side R&W policy, the Buyer in an M&A transaction recovers directly from an insurer for losses arising from certain breaches of the Seller’s representations and warranties in the purchase agreement. By shifting the risk of such losses from the Seller to an insurer, a policy can limit the Seller’s liability for certain representation breaches. The Buyer retains the risk of receiving payment from the insurer for any claims submitted.

Claim Event Comparison (Escrow agent not involved in claim resolution)

Vital Parameters to Consider

CLAIM COVERAGE

For both escrows and R&W policies, claim coverage is particularly important for a Buyer seeking to mitigate risk in its acquisition. In general, an escrow can provide a clear solution to resolve risks between the parties and may be customized to facilitate a comprehensive coverage model. Conversely, many R&W policies cover only specific, targeted areas.

Currently, in a typical R&W policy, known issues may be excluded, whether or not reported to the insurer or included in a due diligence memo. In addition, in many instances R&W policies will not cover breaches of covenants, forward-looking statements, or purchase price adjustments. Depending on the specific policy, common indemnity claim types such as tax, litigation / product liability, collectability of accounts receivable, pension underfunding issues and environmental liabilities may require separate policies or increased premiums.

CLAIM PAYOUTS

Traditionally, claim payouts are not influenced by the escrow agent, as it serves as a neutral third party, acting generally on joint instructions to release funds. Existing R&W insurance studies provide limited visibility on claim payouts and timing. This calls into question whether or not certain R&W providers will face increased pressure to pay on claims and potentially to increase premium fees to ensure claim payouts.

COST

R&W premiums vary based on the level of coverage but are generally a certain percentage of required coverage. On the other hand, escrow fees are nominal, and larger escrow deposits generally do not result in higher fees. Additionally, in the current low-interest-rate environment, the opportunity costs of having funds on deposit in escrow are relatively low. Escrow will likely continue to be a less expensive risk mitigation tool regardless of whether claims increase over time.

DUE DILIGENCE

When circumstances change, escrow does not require a separate due diligence work stream like R&W insurance does, and it will typically be quicker and simpler to execute a new escrow agreement vs. an R&W policy. As a result, escrow can provide much-needed flexibility when quick turnaround is needed or to resolve last-minute negotiation issues that come up between the Buyer and Seller.

Choosing a Mechanism for Your Deal

Despite their recent emergence, most R&W policies only cover certain types of breaches for representations and warranties, though added coverage may be available, potentially for an additional cost. Claims may be paid but sometimes at the expense of increased legal fees and the extent of recovery. The ability to close within timeframes desired by Buyers can also be impacted. On the other hand, many transactions, even those with R&W policies, involve some form of escrow to help cover and protect the gaps left by R&W policies.

Escrow can offer flexibility, low cost and broad security, such as extending coverage through the “interim period” (time between signing and closing) via a good faith deposit.

Bottom Line

Each transaction and its requirements are unique, and understanding the needs of your transaction — including what it will cost, how long it will take, the extent of its coverage provided, the user experience and quality of digital offerings and certainty of enforceability — will drive towards a coverage model that makes the most sense for you.

*  Nicholas Scarabino and John Thomas contributed to this article.

Nicholas Scarabino, Managing Director, Wholesale Payments, Global Escrow Services Sales at J.P. Morgan.  Nick has been with J.P. Morgan for over 31 years in Sales and Marketing.

He is currently the Global Sales Manager for the Escrow Services department within the Corporate and Investment Bank’s Wholesale Payments division.  The 25+ member team focuses on building relationships and delivering innovative escrow, depositary and agency solutions to corporations, investment banks, law firms and other financial intermediaries. 

John Thomas, Executive Director, Wholesale Payments, Global Escrow Services Product Management.  John has been with J.P. Morgan for over 13 years in Product Management.

He is currently the North America Product Management lead for the Escrow Services department within the Corporate and Investment Bank’s Wholesale Payments division.  The Product Management team focuses on supporting, developing, and expanding escrow solutions and digital escrow applications for institutional clients and law firms.

On July 13, 2021, the U.S. Securities and Exchange Commission (“SEC”) announced charges against:

• Stable Road Acquisition Corp. (“SRAC”), a special purpose acquisition company (“SPAC”);
• SRAC’s proposed merger target, Momentus Inc. (“Momentus”);
• SRAC’s CEO and Momentus’s CEO; and
• the SPAC’s sponsor, SRC-NI Holdings, LLC (“Sponsor”),

in connection with misleading claims made by SRAC and Momentus about Momentus’s propulsion technology and national security concerns associated with Momentus’s CEO.

Momentus is an early-stage space transportation company that intends to provide satellite positioning services with in-space propulsion systems powered by proprietary microwave electrothermal thruster (“MET”) water plasma thrusters.  In October 2020, Momentus and SRAC entered into a merger agreement and SRAC executed subscription agreements in connection with a $175 million private investment in public equity (“PIPE”) that was set to close simultaneously with the merger.

In its Order Instituting Cease-And-Desist Proceedings (the “Order”),[i] the SEC states that Momentus and SRAC misled investors regarding:

1. the extent to which Momentus’s propulsion technology had been “successfully tested” in space; and
2. the extent to which national security concerns involving Momentus’s CEO hindered Momentus from obtaining necessary governmental licenses critical to its operations.

The SEC went on to state that as a result of its failure to conduct adequate due diligence, SRAC compounded these disclosure violations by repeating materially false and misleading statements in materials presented to investors. 

The SEC claims that these failures amounted to violations of Section 10(b), Rule 10b-5, Section 14(a) and Rule 14a-9 of the Securities Exchange Act of 1934 (the “Exchange Act”); and Section 17(a) of the Securities Act of 1933 (the “Securities Act”). 

Without admitting or denying the SEC’s findings, all parties, except for Momentus’s CEO, have agreed to settle these charges with the SEC, with the following penalties being imposed:

1. Momentus, SRAC, and SRAC’s CEO paid civil penalties of $7 million, $1 million, and $40,000, respectively;
2. all subscribers in the PIPE were given the opportunity to terminate their subscription agreements;
3. the Sponsor forfeited 250,000 founder shares in SRAC; and
4. Momentus has undertaken substantial enhancements to its disclosure controls, including the creation of an independent board committee and the retention of an internal compliance consultant for a period of two years.

The merger of SRAC and Momentus was consummated on August 12, 2021.  PIPE subscribers representing an aggregate of $118 million in the original PIPE investment elected to terminate their subscription agreements. While SRAC was able to obtain subscription agreements from new PIPE subscribers, the overall size of the PIPE was decreased from $175 million to $110 million.  In addition to the PIPE shares, SRAC agreed to issue each remaining PIPE subscriber warrants to purchase its common stock at a price of $11.50 per share in an amount equal the number of PIPE shares purchased by such subscriber (11,000,000 additional warrants in total). 

The SEC has separately filed litigation against the former CEO of Momentus.

Momentus’s and SRAC’s Statements

Propulsion Technology Failures

In both the investor presentation materials provided to potential PIPE investors and the registration statement on Form S-4 filed in connection with the stockholder vote to approve the merger, Momentus and SRAC repeatedly claimed that Momentus had “successfully tested” its “cornerstone” propulsion technology in space and that the test satellite was “still operational today.”  In fact, Momentus had conducted only one in-space test of a preliminary version of its technology in 2019, and that test had failed to meet even Momentus’s own internal definition of “mission success.”  Momentus had sought to achieve “100 individual burns of one minute or more.”  Out of 23 attempts, only three generated plasma, and none generated any measurable thrust.  None of the burns lasted a full minute.  Momentus was not able to attempt the remaining 77 burns because it lost contact with the satellite partway through the testing.  As of July 13, 2021, this test satellite remained in space but was not functional.  Even if Momentus had achieved its “mission success” criteria, the preliminary version of the technology was not powerful enough to be commercially viable.

By misleading investors about the results of the in-space test, the SEC found that the registration statement and other public filings falsely assured investors that Momentus was farther along toward commercial deployment of its technology than it actually was.

U.S. National Security Concerns

Momentus and SRAC also failed to disclose the extent to which the CEO’s involvement with Momentus was jeopardizing its chances for success.  Because Momentus’s former CEO is a foreign national, he required an export license in order to access parts of Momentus’s technology, and he was required to hold a valid visa in order to work in the United States.  Various U.S. governmental agencies had not only repeatedly denied the CEO such licenses, but also had revoked his work visa- in each case, because of “national security concerns.”  The CEO had also previously been required by the U.S. government to divest his holdings in another U.S.-based space technology business, again for “national security reasons.”  Importantly, these issues were affecting Momentus by slowing down its development process.  Following the announcement of the merger with SRAC, the U.S. Federal Aviation Administration (“FAA”) twice denied approval for scheduled launches of new satellites in 2021 because of the CEO’s holdings in Momentus.  These launches were critical for Momentus, as they were to be its first commercial flights.  The denials by the FAA caused Momentus to reforecast its expected launch dates from 2021 to 2022.

Most of the foregoing information was omitted from SRAC’s initial filings of its registration statement.  The initial filings failed to disclose that the CEO was considered a national security risk by various U.S. governmental agencies and, thus, was less likely to be granted asylum or an export license.  Instead, the disclosure stated that the CEO had not “yet” obtained an export license, even though at the same time it was becoming clear that his application would be denied.  Finally and importantly, the registration statement’s financial projections for Momentus did not take into account the delays it was experiencing as a result of the FAA’s denials.

SRAC’s Due Diligence Failings

While the SEC noted most of the omitted information was kept from SRAC by Momentus, the SEC found that SRAC “conducted inadequate due diligence” and adopted Momentus’s disclosures when the SPAC included these statements in its PIPE investor presentation and its initial drafts of the registration statement.  The SEC found that SRAC’s diligence efforts were undertaken in a “compressed timeframe and unreasonably failed both to probe the basis of Momentus’s claims that its technology had been ‘successfully tested’ in space and to follow up on red flags concerning national security and foreign ownership risks.”  As a result, SRAC’s marketing materials and its disclosures caused investors to be misled about material aspects of Momentus’s business.

Key Takeaways

• Filings made in the context of business combinations undertaken by SPACs face similar scrutiny from the SEC Staff as do the filings made in connection with traditional initial public offerings (“IPOs”) and should be prepared with the same level of rigor.  The notion, suggested by some in the popular press, that private companies combining with SPACs do not face the same liability as companies that undergo traditional IPOs, should not be relied upon.  As emphasized by the SEC Staff:

“[a]ny material misstatement in or omission from an effective Securities Act registration statement as part of a de-SPAC business combination is subject to Securities Act Section 11. Equally clear is that any material misstatement or omission in connection with a proxy solicitation is subject to liability under Exchange Act Section 14(a) and Rule 14a-9, under which courts and the Commission have generally applied a “negligence” standard.  Any material misstatement or omission in connection with a tender offer is subject to liability under Exchange Act Section 14(e) . . . .  Given this legal landscape, SPAC sponsors and targets should already be hearing from their legal, accounting, and financial advisors that a de-SPAC transaction gives no one a free pass for material misstatements or omissions . . . .”

• The SEC expects SPACs and their sponsors to conduct due diligence on the target in connection with an initial business combination.  In a traditional IPO, the due diligence undertaken by underwriters serves an important investor protection function, and the SEC Staff has publicly lamented the absence of this structural component in de-SPAC transactions.  Indeed, holding the SPAC accountable for its due diligence failures hearkens back to statements made by the Staff of the SEC’s Division of Corporation Finance asking whether the SEC should “reconsider the concept of ‘underwriter’ in [de-SPAC] transactional paths.”
• Related to the point above, the SEC also is focused on the misalignment of incentives arising from the SPAC structure.  SPAC sponsors stand to obtain substantial profit from the completion of a successful business combination, even if the resulting combined company fails to prosper following the business combination.  On the other hand, if a SPAC does not complete a business combination within a specified timeframe, SPAC sponsors stand to lose millions of dollars in invested capital.  These powerful financial incentives coupled with:

1. 1. the limited time period a SPAC has to complete an initial business combination; and
   2. the increasingly competitive market for targets

have caused the SEC to be concerned that sponsors will conduct cursory due diligence, overlook red flags uncovered during the diligence process, and fail to make the necessary disclosures to their stockholders, all in the interest of getting a favorable stockholder vote. 

• The SEC’s Order should also be viewed in the wider context of the SEC’s heightened scrutiny of SPACs in the first half of 2021, and statements made by SEC Staff, including the following:
  • The SEC’s Public Statement on Financial Reporting and Auditing Considerations of Companies Merging with SPACs (March 2021);[ii]
  • The SEC Staff’s Statement on Select Issues Pertaining to Special Purpose Acquisition Companies (March 2021);[iii]
  • The SEC Division of Corporation Finance’s Public Statement on SPACs, IPOs and Liability Risk under the Securities Laws (April 2021);[iv] and
  • The SEC Staff’s Statement on Accounting and Reporting Considerations for Warrants Issued by Special Purpose Acquisition Companies (April 2021).[v]

The SEC’s stated regulatory agenda includes addressing rules related to SPACs.[vi]  Although the agenda does not specify the aspects to be addressed, given statements by the SEC Staff, statements made by SEC Chair Gary Gensler, and areas addressed in proposed SPAC related legislation in Congress, the SEC is likely to address liability issues, whether relating to the use of projections and the availability of the safe harbor for forward-looking statements.  In the meantime, we expect additional guidance and additional actions related to SPACs from the SEC in the near future.

See the SEC’s announcement and related Order.

This article originally appeared as a Mayer Brown legal update. It has been edited and updated for Business Law Today.

[i] See the U.S. Securities and Exchange Commission’s Order Instituting Cease-And-Desist Proceedings, Pursuant to Section 8A of The Securities Act of 1933 and Section 21C of The Securities Exchange Act of 1934.

[ii] See the SEC Staff’s statement, Financial Reporting and Auditing Considerations of Companies Merging with SPACs.

[iii] See the SEC Staff’s statement, Staff Statement on Select Issues Pertaining to Special Purpose Acquisition Companies.

[iv] See the SEC Staff’s statement, SPACs, IPOs and Liability Risk under the Securities Laws.

[v] See the SEC Staff’s statement, Accounting and Reporting Considerations for Warrants Issued by Special Purpose Acquisition Companies (“SPACs”).

[vi] See the SEC Agency Rule List, Spring 2021.

This article is the second in a two-part series exploring the implications of President Biden’s executive order on cybersecurity. In the first installment, available here, William R. Denny discusses the role the executive order plays in the federal government’s commitment to modernize cybersecurity defenses.[1]

Recent cyber-attacks, such as the SolarWinds[2] and Kaseya[3] supply chain attacks, which affected thousands of entities, and the ransomware attack on Colonial Pipeline,[4] are stark reminders of the tremendous and growing cyber threat both to the public and private sectors.  The level of sophistication of these attacks make it ever more difficult for enforcement agencies to detect and prevent these incidents.  On May 12, 2021, just days after the attack on Colonial Pipeline, President Biden released a comprehensive executive order (EO)[5] intended to improve U.S. cybersecurity infrastructure and protect the federal government’s networks. While this is an ambitious step by the administration, there is still a need for public-private partnerships to reduce the risk of future attacks. The President noted in the EO that “[t]he private sector must adapt to the continuously changing threat environment, ensure its products are built and operate securely, and partner with the federal government to foster a more secure cyberspace.”

In our previous article, we discussed the elements of the new EO, highlighting remarks made by Dan Sutherland, Chief Counsel for the Cybersecurity & Infrastructure Security Agency (CISA), and Jen Daskal, Deputy General Counsel at the Department of Homeland Security (DHS). The speakers emphasized that ransomware was a massive national security problem requiring both a “whole of government” and a “whole of private sector” approach.  Ransomware often strikes the weakest links in information systems. While the government is investing in strengthening resiliency, the private sector must also play a role in helping to protect against cyberattacks.  This article focuses on the implications of the EO for the private sector.

While EOs do not have the effect of law, they serve as a roadmap for federal agencies to regulate themselves.  The President can require that certain terms be included in federal contracts and can use EOs to bolster this agenda.  For private sector businesses interested in competing for federal contracts, the President’s “procurement power” creates a powerful catalyst for change.  And because the federal government is such a significant purchaser of private IT services, new federal standards will have a powerful ripple effect on cybersecurity in the private sector.

The EO’s commitment to public/private partnerships is evident through the demands it places on private sector contracting partners.  The EO mandates the removal of barriers that prevent private businesses (who contract with the government) from sharing cybersecurity and breach information, and mandates contract provisions that require the reporting of such information.

For private sector businesses, the EO indicates the increased likelihood of new cyber-related legislation and heightened regulation of existing cybersecurity laws and policies.  While the EO broadly applies to the federal government, it provides several best practices that the private sector should consider emulating to enhance its own cybersecurity readiness.

1. Modernize Private Sector Cybersecurity

The EO directs agencies to prioritize the adoption and use of cloud technologies to store data.  Businesses should likewise invest in cloud technologies for data storage, as this could help ensure that businesses are consistently up to date with the latest security tools.  Businesses should, in the same vein, consider intermittently conducting a thorough procedure of identifying the types of data they store and assessing the sensitive nature of the data.  During this process, businesses should identify data that is no longer needed and dispose of it.  In the event of a cyberattack, businesses should be better able to tell which data may have been compromised.  

The EO also directs the creation of policies for logging data, including retention and management of the logs, to ensure centralized access to critical data for analysis in case of a cyberattack.  The EO provides a valuable outline of the types of security controls that should be considered.  These include endpoint protection, access controls, network security, email security, logging, monitoring and threat hunting.  The private sector can take a cue from the government and adopt some of these security controls.  Businesses should also get in the habit of training their employees on cybersecurity and the importance of protecting their data.

2. Enhance Software Supply Chain Security

The Fact Sheet following the EO states that the EO will:

improve the security of software by establishing baseline security standards for development of software sold to the government, including requiring developers to maintain greater visibility into their software and making security data publicly available.  It stands up a concurrent public-private process to develop new and innovative approaches secure software development and uses the power of Federal procurement to incentivize the market.  

The Biden Administration plans to utilize the purchasing power of the government to implement updated security measures from software vendors who contract with the government.  Businesses can follow suit and require security standards from third-party vendors with whom they transact business.  Businesses should consider conducting due diligence on third parties to ensure that they have the appropriate IT security measures in place to mitigate the risk of a cyber incident.  Businesses should inquire about the measures their third-party vendors have in place such as multifactor authentication and encryption.  Doing so enables businesses to identify possible risks and find remedies before their data is potentially compromised.  Businesses should also get into the habit of including contract provisions that obligate their third-party vendors to notify them of any unauthorized disclosures of their confidential information.  With this information, businesses could act quickly in the event of an attack and attempt to minimize harm from a breach.

3. Develop an Incident Response Plan

The EO instructs federal agencies to develop, within 120 days, a “playbook” to be utilized in the planning and conducting of cybersecurity vulnerability and incident response activities.  Private sector organizations should also develop their own incident response plans.  An incident response plan outlines a course of action in the event of a significant incident.  It assigns roles and creates an incident recovery team, comprised of key professionals within the organization as well as outside experts.  It also prepares employees for any possible attacks.  Having an incident response plan would enable businesses to respond more quickly and effectively to a cyberattack.  After a cyber incident, businesses should reflect on lessons learned, revisit their best practices and modify any elements of their incident response plan that need to be updated.

4. Establish a Cyber Safety Review Board

The EO directs the establishment of a Cyber Safety Review Board co-chaired by government and private sector leads that may convene following a significant cyber incident to analyze the attack and provide concrete recommendations for improving cybersecurity.  Similarly, the private sector should cooperate to establish a similar review board to conduct security threat assessments, identify potential vulnerabilities and make recommendations.  

5. Engage In-House Counsel or External Counsel

Because of the increasing sophistication of cyber risks, businesses should engage with general counsel to set governing principles that balance protecting data with ensuring that the businesses are complying with privacy and regulatory principles.  General counsel could also be instrumental in assisting their businesses to understand the cyber landscape and assisting management in making decisions about cybersecurity measures.  Business attorneys can assist organizations in drafting contracts that include the above-mentioned reporting requirements.  Businesses should take a holistic approach in addressing cybersecurity breaches in a way that addresses employee and client privacy and governance.

The federal government will continue to make cybersecurity a priority to protect the United States, its infrastructure, and its citizens.  For the private sector, the new EO provides a comprehensive guideline for strengthening their cybersecurity.  By modernizing cybersecurity measures, enhancing software supply chain security, developing an incident response plan, establishing a cyber safety review board and engaging in-house counsel, businesses will be better prepared to mitigate cybersecurity risks and respond effectively in the event of cyberattacks.

CISA recently launched a new webpage focused on ransomware, https://www.cisa.gov/stopransomware, that includes guidelines that would be extremely beneficial to businesses.  CISA itself is also strategically designed not just to work on cyber defense and resiliency, but also to improve public-private partnerships.  When there is an incident, quick action is needed, and CISA wants businesses and governmental agencies to know that it has resources to assist.

[1]           Maame Nyakoa Boateng, a third-year student at Penn State Dickinson Law, contributed to both articles.

[2]           See https://www.businessinsider.com/solarwinds-hack-explained-government-agencies-cyber-security-2020-12.

[3]           See https://www.bloomberg.com/news/articles/2021-07-10/kaseya-failed-to-address-security-before-hack-ex-employees-say.

[4]           See https://www.bloomberg.com/news/articles/2021-06-04/hackers-breached-colonial-pipeline-using-compromised-password.

[5]           Available at: https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/.

While politically and ideologically poles apart, U.S. House of Representatives members Liz Cheney and Adam Schiff, both members of the Select Committee investigating the attack on the Capitol on January 6^th, cited the rule of law as the fundamental basis for their concerns. Representative Cheney expressly said that “our most important obligation” is “to defend the rule of law.” She then rhetorically asked, “Will we adhere to the rule of law?” Representative Schiff stated, “Because if we’re no longer committed to a peaceful transfer of power after our elections if our side doesn’t win, then God help us.”

We read or hear virtually every day that the “rule of law” has once again been broken or threatened. There are many books documenting current and recent threats to democracy, widespread economic inequality, and overt discrimination against large segments of our society. Laurence H. Tribe, Harvard constitutional law professor emeritus, and two other law school professors, both former U.S. Attorneys, recently published an op-ed that concluded, “If Garland’s Justice Department is going to restore respect for the rule of law, no one, not even a former president, can be above it.”

What is the “rule of law”?  All lawyers, even business lawyers, are charged with responsibility for both adhering to it in our professional practice and preserving it for the benefit of humanity and the social, political and economic order of which we are so proud. But what is it? Where did it originate? Why are lawyers in particular supposed to protect it?

This famous and almost revered term of art describes a both realistic and aspirational concept of universally applicable normative behavior for humans in relation to themselves and others, including animals, plants and other elements of creation. These norms, when initially articulated and established,  are prospective, not retroactive; clearly expressed both orally and in writing with unambiguous and coherent terminology; and broadly and commonly accepted as reasonably and objectively interpreted and applied in the situations to which they are intended to apply. They are to be promulgated and enforced by persons and institutions of integrity with widely acknowledged authority to enact and enforce the norms and who themselves are expected and required to comply with them.

King John’s affixing his seal to the Magna Carta in June 1215 is frequently cited as the earliest official act of a divine right sovereign monarch recognizing that he was, after all, subject to restraints on his power. The text reads in significant part:

“No freeman shall be taken, imprisoned, disseised, outlawed, banished, or in any way destroyed, nor will We proceed against or prosecute him, except by the lawful judgement of his peers or by the law of the land. To no one will We sell, to none will We deny or delay, right or justice.”

These ancient words that King John negotiated with his powerful barons expressly forbid the exercise of arbitrary or unaccountable power – and thus the use of violence – coercively to achieve the King’s goals. They further put everyone on notice that the King would not corruptly use the power he retained. These principles plainly are thus embedded in the rule of law.

Our foundational law, the Constitution of the United States, is not the result of a monarch’s recognizing restraints on his powers but is a covenant of a community who, in 1787, stated in the Preamble:

“We the People of the United States, in Order to form a more perfect union, establish Justice, insure domestic Tranquility, provide for the common defence, promote the general Welfare, and secure the Blessings of Liberty to ourselves and our Posterity, do ordain and establish this Constitution for the United States of America.”

It is easy to see the basic principles reflected in the Magna Carta also reflected in the Preamble’s language. Establishing justice, ensuring domestic tranquility, providing for common defense and promoting the general welfare, while securing the blessings of liberty, are norms that are not only in the whole community’s interest, but they also allow individual members of the community to pursue happiness, one of the express goals of the Declaration of Independence. These principles are embedded in the rule of law as we commonly understand it today.

Two years ago, the American Bar Association Business Law Section Council established the Rule of Law Working Group, explicitly recognizing that business lawyers, as members of the Bar, have responsibility for not just honoring the rule of law but also for protecting and defending the Constitution, as we are sworn to do upon admission to the Bar. Why has this responsibility been assigned to lawyers? Are lawyers especially equipped to be the custodians of the rule of law?

Lawyers are educated, trained and professionally engaged unfailingly to comply with the Rules of Professional Conduct. These rules require us to be unflinchingly honest with clients, tribunals and each other as we engage on behalf of clients, and to be reasonable (i.e., to make fact-based arguments and proposals) when professionally engaged. We are also expected to assure, to the extent we can, that statutes and other normative rules are lawfully authorized and rationally interpreted and enforced, in order to promote the general welfare and secure the blessing of liberty, both currently and in the future, for the benefit and account of our clients and ultimately, also, the community at large.

These standards are explicitly set forth in the Preamble to the ABA Model Rules of Professional Conduct. “[1] A lawyer, as a member of the legal profession, is a representative of clients, an officer of the legal system and a public citizen having special responsibility for the quality of justice. … [6] … As a member of a learned profession, a lawyer should cultivate knowledge of the law beyond its use for clients, employ that knowledge in reform of the law and work to strengthen legal education. In addition, a lawyer should further the public’s understanding of and confidence in the rule of law and the justice system because legal institutions in a constitutional democracy depend on popular participation and support to maintain their authority.”  (Emphasis supplied.)

Of course, lawyers may reasonably be compensated for legal services rendered (Model Rule 1.5), but Model Rule 6.1, “Voluntary Pro Bono Publico Service,” states that “Every lawyer has a professional responsibility to provide legal services to those unable to pay.” Both of these rules and the principles embedded in them are conditions to our being licensed as lawyers. Thus, none of us can legitimately claim that our limited expertise or limited personal interest in knowing or caring about the rule of law, much less protecting and defending the Constitution, excuses us from respecting and indeed, honoring, these responsibilities, both in our professional practices and otherwise as “public citizens.”

What are the implications of this responsibility?

• What persons or institutions can or should determine normative behavior?
• What restraints, if any, are imposed on the deciders or enforcers of normative behavior for each of these categories?
• What gives the restraints, or lack thereof, authenticity or legitimacy?

How does the rule of law answer or provide guidance for the answers to each of these questions? This brief article is not the vehicle for definitively answering that question, but it is important – and for lawyers, necessary – to have a working knowledge of possible answers. Although the rule of law has applicability beyond the strictly legal realm (such as with respect to the philosophical concept of justice and also with respect to ethics and morality), lawyers over the ages have assumed the mantle of its custodian. It is submitted that our challenge and responsibility is to do our part in the circumstances we currently confront as practitioners and as citizens.

What can the buyer of an operating business recover as damages when the seller fails to indemnify the buyer for harm caused by the seller’s breach of a representation or warranty in the transaction contract? Modern case law and commentary describe mutually exclusive options: either dollar-for-dollar damages to recover out-of-pocket losses, or damages equal to the diminution in value of the business, which is often misleadingly described as damages “subject to a multiplier” or “at the multiple.”[1] The determinative question for deciding between these options, we are told, is whether the business has been permanently injured as a result of the issue giving rise to the breach. For example, if the breached representation concerns the status of a material customer relationship, some would suggest that the buyer must establish lost revenues from that customer “into perpetuity” to be entitled to diminution in value damages.[2] However, the notion that diminution in value damages are only appropriate if the business has suffered harm that will linger for eternity is a false construct, and a confusing way of expressing the simple concept that diminution in value damages are warranted only when the value of the business as acquired has actually been diminished by the seller’s breach. The confusion is compounded when the best way of calculating the diminution in the entity’s value involves using a multiple of earnings, and the valuation methodology is mischaracterized as producing a multiple of damages. Determining whether the value of a business has been diminished by a seller’s breach of representation or warranty (really, its breach of its obligation to indemnify for the loss caused by that breach) is hard enough, without muddying the waters with a misleading standard. This article will endeavor to dispel some myths haunting the measurement of damages in representation and warranties claims arising out of mergers and acquisitions.

Absent an express remedy in the contract, state common law is the starting point for determining damages for a breach of contract. While many states express the measure of damages arising from a breach of contract as “the amount of money that would put the non-breaching party in the same position that the party would have been in had the breach never occurred,”[3] that simple phrase leaves much open to interpretation and offers little real guidance in the M&A context. To place the buyer of an operating business into the position it should have held but for a breach of representation concerning the business, a court will typically award either the cost to “remedy the defect” caused by the breach (an out-of-pocket loss), or the diminution in the value of the business.[4] Ostensibly, the court selects an option which makes the buyer whole without an unwarranted windfall.

The easiest way to illustrate these damages options is through hypotheticals at the extremes. If the seller’s breach of warranty is an inflated representation of one, relatively minor, account receivable, the buyer could be placed in the position it would have been in but for the breach by awarding damages in the amount of the difference between the receivable as represented and in reality. This remedy makes the buyer whole, because the value of the entire business really has not been diminished by one inflated account receivable. At the other extreme, if the seller has fraudulently and grossly inflated its last twelve months’ earnings by using fictitious revenue from fictitious customers, then the value of the business as delivered to the buyer is materially different than the value as warranted. In that case, diminution in value damages are the only way to make the buyer whole.

But consider a more nuanced situation where the breach of representation or warranty concerns the status of a material customer relationship, and the relationship disappears upon the buyer’s purchase. Should the buyer be compensated for the lost profit from the relationship for some fixed period of time, maybe tied to the length of the business’ contract with the customer (if such a contract exists)? Or, should the buyer be compensated for the difference between the value of the business with an unimpaired customer relationship (as warranted) and the value without the relationship at all (as delivered)? There is scant case law from which to answer these questions, which only causes undue emphasis on the few cases that strive to do so.

Zayo Group, LLC v. Latisys Holdings, LLC, C.A. No. 12874-VCS, is one of the rare cases that does consider the type of damages to be awarded in a situation somewhat similar to the one described above, albeit only in dicta and limited to some very specific facts. Zayo involved the sale of an information technology infrastructure services business that primarily employed short-term contracts with its customers. The seller warranted that it had not received notice of the termination of, material modification of, or refusal to perform, its material contracts. The seller, however, did not warrant lack of notice of a customer’s intent not to renew a material contract. When several material contracts did not renew post-acquisition, the buyer brought suit. After trial, the court entered judgment for the seller, finding no breach of contract. Although the decision on liability was determinative of the case, the court considered the buyer’s claim for damages. A careful reading of the damages portion of the Zayo opinion reveals the court’s reliance on the seller’s expert as the source of what could be misunderstood as statements of the law of damages. For example, the court stated:

Benefit of the bargain—or expectancy—damages measure the difference between the as-represented value of a transaction (typically the purchase price) and the value the purchaser actually received. The actual value the purchaser received, in turn, must assume, and account for, a diminution of the company’s earnings into perpetuity. The “benefit of the bargain” methodology is appropriate for calculating damages only when the alleged breach of the representation or warranty has caused a permanent diminution in the value of the business (as a result of lost revenues into perpetuity) and the business has thereby been permanently impaired.[5]

As explained below, the italicized sentence, for which no legal authority is cited, is ripe for misinterpretation and serves as a poor teacher for any court seeking to determine whether out-of-pocket loss or diminution in value is the appropriate measure of damages.

Precise word choice matters, and this portion of the Zayo opinion uses temporal terms that cannot be read literally, leaving courts and practitioners alike to wonder how they should be applied. No buyer of a business could ever prove lost revenues from any customer into perpetuity. “Perpetuity” is defined as “eternity,” and “eternity” is defined as “infinite time.”[6] It is hard enough (impossible, actually) to prove that a customer would be a customer for eternity, but if the customer relationship has been lost, how does the business buyer prove that the customer would have been a customer for eternity after the customer is no longer a customer by its own volition?

Similarly, “permanent” is defined as “continuing or enduring without fundamental or marked change.”[7] While the loss of a material customer relationship could permanently diminish the value of a business, it is equally possible that such a loss could materially diminish the value of the business as sold (at the time of the acquisition), but over the course of time the business could recover.[8] Is the buyer only entitled to diminution in value damages in the former scenario, but not the latter? And, if the question turns on whether the value of the business will forever be diminished, or might at some point in the future recover, how could the parties and court even determine that within the timespan of a litigation commenced shortly after the sale?

The manner in which valuation professionals value businesses may be to blame for the misleading suggestion that lost revenue into perpetuity is a prerequisite for diminution in value damages. Valuation professionals typically value a business by making an informed estimate of the business’s future using its present and past performance as indicia of its prospects. Typically, the income stream used in the valuation of a business should be the expected income into “perpetuity,” but, that income into perpetuity is then discounted (through a discount rate or embedded within an earnings multiple) to capture the increasing and compounding risk that the income stream could stop after a given year and, therefore, not last into perpetuity. Effectively, depending on the discount rate, after about 15 to 20 years the expected discounted annual income could quickly approach $0. In other words, while “perpetuity” is the standard terminology used in valuing a business, it is a risk adjusted perpetuity, such that the valuation models typically reflect little incremental benefit from the income after 15 to 20 years in the future. The buyer of a business does not typically actually expect any business condition, let alone a revenue stream, to continue into perpetuity, further divorcing the aforementioned Zayo standard for the award of “expectancy damages” from the reality of what a business buyer expects from a transaction. This therefore begs the question of why, if the status of a material customer relationship is misrepresented and the objective value of the business as delivered is less than as warranted, a court would require a buyer to prove loss of perpetual income that no one contemplated simply to recover the difference in the value of the company as promised and as conveyed?

The use of the misnomer “damages subject to a multiplier” to explain diminution in value damages compounds the confusion caused by the misunderstanding of “perpetuity” for valuation purposes.[9] This phrase conflates the nature of the harm with the valuation methodology used to calculate the harm. A brief hypothetical illustrates the point: Assume a business is purchased for $100 million, and the purchase price was established under a market approach valuation using a 5x multiple against a trailing 12-month EBITDA of $20 million. The seller represents that it is unaware of any indication that its top ten customer relationships are in peril. That representation proves to be false; the seller was aware that a top, longstanding customer was planning to terminate its relationship, and the customer does so right after the sale. The customer was responsible for $2 million of EBITDA over the trailing 12 months. The buyer may argue that the appropriate calculation of damages is to use the market approach to determine the difference between the value of the business as warranted ($100 million) and as delivered. The buyer might then argue that the court should back out the lost customer’s contribution to the trailing 12-months EBITDA ($2 million) from the company’s total, and then reprice the business as it was originally priced, using a 5x multiple. This would result in an “as-delivered” value of $90 million (5 x $18 million). The difference between the business as warranted and as-delivered now is $10 million ($100 million – $90 million), thus the buyer’s diminution in value damages are $10 million.

Too often, however, the buyer’s damages in this scenario are described as “damages at the multiple” or as consequential damages, as if the buyer’s damages were actually $2 million, and are somehow being multiplied like a statutory enhanced damages award.[10] In fact, the buyer’s damages are $10 million, the difference between the price paid and the value of the company as delivered, and are only being calculated using a multiple in the market-based valuation methodology. Indeed, it is likely that the business without the customer relationship could be valued (and the same damages amount reached) using an income approach without a multiple but with a discount rate. Awarding any plaintiff or injured party a “multiple” of its actual damages sounds extreme, to be applied only in the most egregious of situations. But, in this hypothetical the buyer is not recovering a “multiple” of its damages, it is recovering the base value of its actual damages. Characterizing the amount as damages “at the multiple” or “subject to a multiplier” simply because a market approach is used to calculate the diminution in the company’s value will consciously or unconsciously bias courts against what is a just award.

A more honest – if not better – standard for determining when diminution in value damages are appropriate in mergers and acquisitions representations and warranties claims is akin to Justice Potter Stewart’s famous definition of pornography: “I know it when I see it.”[11] Notwithstanding its misleading use of “damages at the multiple” and “perpetuity” terminology, the AICPA Practice Aid that was heavily relied upon by the seller’s expert (and thus the court) in Zayo provides a simpler analysis: “Claims that result in dollar-for-dollar damage are typically those that have a one-time effect on the target and that do not impact the target financial condition in future periods (in other words, will not affect future cash flows).”[12] To determine whether a diminution in value has occurred, the AICPA Practice Aid advises that “[t]he primary question that should be asked and evaluated is, Has the buyer’s business been damaged into the future?”[13],[14] Damage that lasts into the future is more likely to be damage that affects the underlying value of the business at the time of the sale, but as suggested above, the future is not necessarily eternity.

Rather than trying to understand and adhere to misused concepts like “perpetuity,” “permanent,” or “at the multiple,” courts should employ a more holistic approach, focusing on the buyer’s actual expectations, the impact of the misrepresentation on the business after the transaction,[15] and a healthy dose of common sense. In Zayo, for example, a host of factors contributed to the court adopting the seller’s damages calculations, including that (i) no breach occurred (which explains why the damages portion of the opinion is dicta), (ii) the buyer’s expert had no valuation experience, and (iii) no buyer witness testified that the buyer would have paid less but for the alleged misrepresentation. However, the core of the court’s reasoning was that the underlying business “was a revolving door” of short-term contracts with short customer loyalty.[16] The loss of a few of these short-term customer relationships was to be expected and did not devalue the overall business in an amount greater than the lost contract renewal revenue (the out-of-pocket loss). Therefore, a “dollar-for-dollar” damages award would make the buyer whole, whereas a diminution in value recovery calculated using a multiple of EBITDA would result in a windfall to the buyer.

As the case law in this area develops, one would expect and hope to see more clarity around the standard for determining when diminution in value damages are appropriate. Diminution in value, after all, is the traditional remedy for a breach of warranty under the “benefit of the bargain” rule, i.e., the difference between the actual value of the property and the value which it would have had absent the breach.[17] As a result, one would expect diminution in value to be the default remedy for a contractual misrepresentation in the sale of a business, generally applicable absent a showing that it would result in a windfall. Eliminating the misconceptions that diminution in value damages require proof of lost revenue for eternity or that they equate to enhanced damages may hasten the arrival of such much-needed clarity.

[1] See, e.g., American Institute of Certified Public Accountants Forensic & Valuation Services Practice Aid for Mergers and Acquisition Disputes (“AICPA Practice Aid”), at 19 (“Depending on the nature of the alleged breach, claims for indemnification may result in dollar-for-dollar damages to recover out-of-pocket losses or damages subject to a multiplier in situations when a buyer can demonstrate that it overpaid for the target based on the alleged breach.”)

[2] Zayo Group, LLC v. Latisys Holdings, LLC, C.A. No. 12874-VCS, 2018 WL 6177174, *16 (Del. Ch. Nov. 26, 2018).

[3] Cobalt Operating, LLC v. James Crystal Enterprises, LLC, Civ. A. 714-VCS, 2007 WL 2142926, *29 (Del. Ch. July 20, 2007) (citing Del. Limousine Serv., Inc. v. Royal Limousine Serv., Inc., 1991 WL 53449, *3 (Del. Super. 1991)). See also, Merrill Lynch & Co., Inc. v. Allegheny Energy, Inc., 500 F.3d 171, 185 (2d Cir. 2007) (“A party injured by breach of contract is entitled to be placed in the position it would have occupied had the contract been fulfilled according to its terms.”) (citation omitted).

[4] See Universal Enterprise Group, L.P. v. Duncan Petroleum Corp., C.A. No. 4948-VCL, 2013 WL 3353743, *19 (Del. Ch. July 1, 2013). There is certainly an argument that the correct measure of damages is always, or almost always, diminution in value: “[W]here the seller makes misrepresentations about the business he is selling, the natural and probable result is that the business is actually worth less than the buyer paid, and diminution of value damages therefore compensate the buyer for ‘the value of the promised performance.’” Powers v. Stanley Black & Decker, Inc., 137 F. Supp. 3d 358, 386 (S.D.N.Y. 2015) (quoting Schonfeld v. Hilliard, 218 F.3d 164, 176 (2d Cir. 2000)).

[5] Zayo, C.A. No. 12874-VCS at 16 (citations omitted; emphasis added).

[6] https://www.merriam-webster.com/dictionary/perpetuity; https://www.merriam-webster.com/dictionary/eternity.

[7] https://www.merriam-webster.com/dictionary/permanent.

[8] Damages are measured at the time of the breach. Comrie v. Enterasys Networks, Inc., 837 A.2d 1, 17 (Del. Ch. 2003); Sharma v. Skaarup Ship Mgmt. Corp., 916 F.2d 820, 825 (2d Cir. 1990). For a breach of representation or warranty arising from the sale of a business, that time is typically the date the transaction closes.

[9] See supra, n.1.

[10] See AICPA Practice Aid, at 57 (“Indemnity claim damages can be measured two ways: dollar for dollar over a finite period or into perpetuity or at the multiple ….”); Powers, 137 F. Supp. 3d at 385-86 (holding that diminution in value damages are direct, not consequential, damages).

[11] Jacobellis v. Ohio, 378 U.S. 184, 197 (1964) (Stewart, J., concurring).

[12] AICPA Practice Aid, at 57.

[13] Id. at 59.

[14] In the sale of an operating business, past harm can create damage into the future. The import of representations and warranties is to protect against the possibility that the earnings assumptions on which the buyer relies in purchasing the business are not sustainable on a going-forward basis. Cobalt Operating, at *27. Thus, past harm (e.g., inflated revenue figures, or concealment of material customer relationship problems) often affects future cash flows.

[15] A word of caution: As noted above, damages are measured as of the date of the breach, which is usually the date of the transaction. See supra, n.5. Courts have taken very divergent views on whether the company’s performance after the transaction is probative of its value as of the date of the transaction. See, e.g., Merrill Lynch & Co., 500 F.3d at 185 (“The district court’s inquiry into [the business’s] performance and market conditions in the months following the acquisition was improper because events subsequent to the breach, viewed in hindsight, may neither offset nor enhance [the buyer’s] general damages.”)

[16] Zayo, C.A. No. 12874-VCS at *16.

[17] See, e.g., Clearview Concrete Products Corp. v. S. Charles Gherardi, Inc., 88 A.D.2d 461, 453 N.Y.S.2d 750, 756 (Sup. Ct., App. Div. 2^nd Dept. 1982) (citations omitted).

The temptation for anyone – including lawyers – to take part in a whistleblower bonanza is all but irresistible. Moreover, federal whistleblower legislation and the federal agencies authorized to provide monetary whistleblower awards continue to proliferate, the latest being the Anti-Money Laundering Act of 2020 (the “AMLA”),[1] which was enacted in January 2021. The AMLA provisions were modeled on others enacted as recently as 2010, and whistleblower awards over the past decade have been nothing short of bountiful.

On May 19, 2021, for example, the Securities and Exchange Commission (the “SEC”) awarded $28 million to a whistleblower based on charges and a recovery not from the particulars reported by the whistleblower, but from an investigation in another geographic area altogether that arose as a result of the original tip. That is, the tip reporting wrongdoing in one geographic region did not itself lead to any recovery, but led to investigations by the SEC and another agency that ultimately resulted in charges and recovery in another geographic region not reported by the whistleblower.

In general, an agency authorized to provide whistleblower awards does so as a result of moneys collected in a judicial or administrative action (a “Covered Action”), provided the sum collected is at least $1 million. In aid of a Covered Action can be another judicial or administrative action brought by another entity[2] based upon the original information provided by the whistleblower (a “Related Action”). The Final Order in the aforementioned May 2021 award noted that, although “the Covered Action’s and the Related Action’s charges involved misconduct in geographical regions that were not the subject of the Claimant’s information” and there was “not a strong nexus between the Claimant’s information and the . . . charges,” an award would nonetheless be granted that “appropriately recognizes Claimant’s level of contribution to the Covered Action and Related Action.”

Another whistleblower award of similar magnitude was issued on April 20, 2020, when the SEC announced the payment of a bounty of more than $27 million to a whistleblower who alerted the agency to misconduct occurring, in part, overseas. But that award did not even make it onto the list of the top 10 awards ever paid by the SEC, which has now made over $900 million in whistleblower awards. As these awards may, by statute, only be from 10% to 30% of the amounts recovered, simple arithmetic tell us that, based on information from whistleblowers, the SEC has since collected anywhere from $3 to $9 billion for violations of the federal securities laws.[3]

These whistleblower awards are given pursuant to express authority contained in the Dodd-Frank Wall Street Reform & Consumer Protection Act of 2010 (“Dodd-Frank”).[4] The $28 million award in May 2021 is only the 10th largest the SEC has granted since inception of the program. The largest thus far was a whopping $114 million, issued on October 22, 2020, of which $52 million came from the SEC and the balance of $62 million from another agency, the identity of which is redacted in the Final Order.

“Where do I sign up?,” you may well ask. Receiving money of this magnitude is truly a life-changing event and creates a powerful incentive for anyone to provide information to the government that is likely to lead to large recoveries for fraud. This article therefore considers the propriety of a lawyer receiving a financial award for acting as a whistleblower[5] under recent federal programs authorizing rather munificent bounties. In the majority of cases, receipt by a lawyer of such an award would be not unjust enrichment, but rather unethical enrichment.

Whistleblowing by a lawyer all by itself – i.e., even without the added layer of financial incentive – is problematic in legal ethics, not only because it raises serious questions about disclosure of confidential client information but also because uncertainty surrounds a federal administrative agency’s assertion of authority to preempt state analogues of the Model Rules. The prospect of substantial financial gain[6] compounds the problem by creating incentives that, by their very nature, run counter to two fundamental and virtually peremptory norms of the legal profession: avoiding conflicts of interest under Model Rule 1.7 and either Model Rule 1.8 (for current clients) or Model Rule 1.9(c) (for former clients), as well as preserving the confidentiality of client information under Model Rule 1.6.

While reference is occasionally made by analogy in this article to judicial decisions addressing the question of lawyers receiving financial awards in qui tam actions[7] arising under the federal False Claims Act (“FCA”), this discussion will not address recovery by a lawyer as a “relator”[8] under the FCA or any of the many state analogues[9] of that statutory scheme.

Before proceeding, let’s briefly acknowledge the “elephant in the room”: A cynical lawyer might postulate, purely from a financial or retirement planning perspective, that the magnitude of whistleblower bounties makes the prospect of severe disciplinary action – even suspension or disbarment – an acceptable risk. The author will not comment on this risk-reward conjecture, other than to point out that the risk should not be underestimated, because the pot of gold at the end of the rainbow may not be found. The behavior that may give rise to discipline would always antedate any whistleblower award, neither the receipt nor the magnitude of which is a “sure thing” — dependent as they are upon:

1. a determination by one or more government agencies to investigate;
2. the outcome of the investigation;
3. a decision to prosecute an enforcement action on the basis of that investigation;
4. the success of that enforcement action; and
5. the ultimate monetary recovery by the government.

In the English version of an adage from the ancient world, “There’s many a slip ‘twixt the cup and the lip.”

BACKGROUND

The whistleblowing provisions in question have been created by two separate regimes. The older one, scarcely more than a decade old, was enacted in Dodd-Frank; the more recent – enacted in 2021, in fact – is the AMLA.

The Dodd-Frank Regime

There are two pertinent provisions of Dodd-Frank. Section 748 amended the Commodity Exchange Act of 1936 (the “CEA”)[10] by adding a new Section 23, entitled “Commodity Whistleblower Incentives and Protection.” That provision directs the Commodity Futures Trading Commission (the “CFTC”) to pay awards, subject to certain limitations and conditions, to whistleblowers who voluntarily provide it with “original” information about a violation of the CEA that leads to the successful enforcement of an action brought by the CFTC that results in monetary sanctions exceeding $1,000,000, or the successful enforcement of a related action.[11] The CFTC promulgated a final rule[12] and created a “Whistleblower Program” to implement this provision. Similarly, Section 922 of Dodd-Frank amended the Securities Exchange Act of 1934 (the “Exchange Act”)[13] by adding a new Section 21F, directing the SEC to do likewise, mutatis mutandis.[14] The SEC has established its own “Office of the Whistleblower” and promulgated a final rule (since amended) to implement the elements of its respective statutory authorizations.[15] If an eligible whistleblower’s information leads to recovery by either the CFTC or the SEC of $1 million or more, then the whistleblower may receive anywhere from 10% to 30% of the actual amount recovered in the action or related actions.[16]

AMLA

A 1984 statute authorized the Treasury to pay an award to whistleblowers for original information about violations of the anti-money laundering laws[17] if it led to a criminal fine, civil fine, or asset forfeiture of at least $50,000, and capped the award at the lesser of 25% of the net amount collected or $150,000.[18] Modeled largely on the Dodd-Frank approach, the AMLA significantly enlarges this authority by authorizing Treasury to pay whistleblower awards of up to 30% for information leading to enforcement actions that result in penalties, disgorgement, and interest of at least $1 million.[19] The whistleblower must provide original information relating to a violation of the BSA to (1) the whistleblower’s employer, (2) Treasury, or (3) the Department of Justice. Any whistleblower who makes an anonymous claim for an award must be represented by counsel and will have to disclose the whistleblower’s identity before receiving the bounty.

In view of the newness of these provisions and the absence (as of this writing) of any final regulations implementing this new authority, the discussion that follows will focus on the ethics implications of the substantially similar Dodd-Frank whistleblower provisions, with which there have been 10 years of experience.

The Details under Dodd-Frank

To be eligible for a financial award from either of the Commissions, a whistleblower must meet certain statutory criteria. First, the whistleblower’s information must have been voluntarily provided and must lead to successful enforcement of a Covered Action[20] or Related Action.[21] Second, what the whistleblower provides must be “original information,” which means that it is:

• derived from the whistleblower’s “independent knowledge or independent analysis,”[22]
• not otherwise known from a source other than the whistleblower, and
• not “exclusively derived from an allegation made in a judicial or administrative hearing or government report, hearing, audit, or investigation, or from the news media, unless the whistleblower is a source of the information.”[23]

Third, the whistleblower may not knowingly and willfully make any false, fictitious, or fraudulent statement or representation, or use any false writing or document knowing that it contains any false, fictitious, or fraudulent statement or entry.[24]

As noted above, an eligible whistleblower may receive anywhere from 10% to 30% of the actual amount recovered by either of the Commissions, provided that the amount recovered is at least $1 million. The minimum award payable under the Dodd-Frank regime is therefore $100,000 (which is 10% of $1 million), but there appears to be no upper limit, as recoveries by the Commissions (and therefore whistleblower awards) can easily be in the millions or tens of millions of dollars. [25]

The magnitude of any such potential award – truly a life-changing amount of money – creates an ethically precarious situation for a lawyer whistleblower. Awards of this dimension provide a temptation toward thinking with less than complete objectivity, a temptation to which any person, including a lawyer, could easily succumb.

The Commissions, to their credit, limit the ability of lawyers to be eligible whistleblowers:

• The CFTC’s approach is to exclude from the “independent knowledge” component information that is obtained (A) via a communication that was subject to the attorney-client privilege or (B) “[i]n connection with the legal representation of a client on whose behalf the whistleblower, or the whistleblower’s employer or firm, have been providing services, and the whistleblower seek[s] to use the information to make a whistleblower submission for the whistleblower’s own benefit,” unless, in either instance, the disclosure is otherwise permitted by the applicable federal or state attorney conduct rules.[26]
• The SEC’s approach is to acknowledge from the outset the “special duties” lawyers owe their clients and the importance of furthering consultation between issuers of securities and their counsel in promoting overall compliance with the federal securities laws.[27] Thus, the SEC’s Dodd-Frank regulations announce that a lawyer will not generally be credited with providing “original information” if that information was obtained (1) from confidential communications subject to the attorney-client privilege, (2) from the legal representation of a client, or (3) from association with a firm retained by an organization to conduct an inquiry into possible violations of law, unless, in the case of (1) and (2), disclosure is permitted by the standards of lawyers’ professional conduct issued by the SEC in 2003[28] pursuant to the Sarbanes-Oxley Act (“SOX”),[29] by applicable state attorney conduct rules, or “otherwise.”[30]

The SEC’s lawyer conduct rules allow disclosure of client confidences outside the issuer organization only after the lawyer has reported “up the ladder” within the issuer’s organizational structure information about a “material violation”[31] by the “issuer”[32] or an officer, director, employee, or agent of the issuer.[33] The Part 205 rules do not mandate “reporting out” to the SEC but permit it, without the issuer’s consent – to the extent the lawyer reasonably believes necessary – in certain situations.[34]

At the same time, however, by incorporating the SOX regulations into the Dodd-Frank whistleblower framework, the SEC introduced a “wild card” into the ethics calculus, namely the assertion by the SEC and one of its former General Counsel that its SOX regulations preempt[35] inconsistent state ethics rules, at least with respect to that subset of the bar over which the SEC has any colorable authority (i.e. attorneys “appearing and practicing”[36] before the SEC).[37]

ETHICAL IMPLICATIONS

The Dodd-Frank whistleblower provisions create a significant ethical dilemma for the legal profession, especially for lawyers who practice (whether as in-house counsel or outside counsel) in the securities regulatory and commodities regulatory spheres. The dilemma arises from the magnitude of the awards, as the question of whether lawyers may ethically “blow the whistle” on clients, not just in the financial regulatory arena but across the spectrum of law practice, has already been settled in the Model Rules.

Conflicts of Interest

Model Rule 1.7 – Current Client

The enormous incentive to blow the whistle represented by the award levels authorized under Dodd-Frank seems ineluctably to create an impermissible conflict of interest for a lawyer[38] under Model Rule 1.7. Model Rule 1.7(a) prohibits (subject to a four-part set of exceptions enumerated in paragraph (b) but not pertinent here[39]) a lawyer from representing a client in the face of a concurrent conflict of interest, which exists if, inter alia, “the representation . . . will be materially limited by . . . a personal interest of the lawyer.”[40]

During the SEC’s Dodd-Frank whistleblowing rulemaking, the ABA expressed concerns about the impact of potential financial awards on the attorney-client privilege:

The ABA is concerned that any provisions in the final rules that would entitle whistleblowers to collect substantial awards may create a strong incentive for a lawyer to compromise his or her ethical obligations and undermine the client confidence that the U.S. Supreme Court recognized in the Upjohn case as critical to assuring the continued effectiveness of the attorney-client privilege and the work product doctrine. A client’s awareness that its attorneys may use information provided confidentially to obtain large whistleblower awards could well prevent the free flow of information necessary to the client’s right to effective counsel.[41]

The Dodd-Frank whistleblowing scenario, and the sheer size of potential awards payable by the Commissions, assume Brobdingnagian proportions when compared with considerations identified in two ABA ethics opinions addressing potential financial interest conflicts.[42] It is difficult to conceive that either of those contexts (an amount advanced as bail for a client or a security interest to guarantee payment of legal fees) would represent monetary amounts even remotely comparable to the order of magnitude of Dodd-Frank whistleblower awards. Yet even far smaller sums than those have been deemed sufficient to trigger the personal interest conflict under Model Rule 1.7(a).[43]

Even more so here, the magnitude of the lawyer’s pecuniary interest in the potential award irrevocably undermines any ability on the lawyer’s part to be a neutral and objective provider of legal advice. It is difficult to imagine, under the standard embodied by Model Rule 1.7(a)(2), a limitation more “material,” a lawyer’s interest more “personal,” or a conflict more trenchant and unyielding.

The correctness of this conclusion can be seen by comparison to the Second Circuit’s decision in United States v. Schwarz,[44] in which a lawyer representing one of two police officers charged with assaulting a suspect in custody subsequently received a $10 million retainer to represent the Police Benevolent Association in a civil action brought by the victim of the alleged assault. In contrast to what is possible under the whistleblower scenario, the police officer client actually gave informed consent to the potential conflict.[45] Nevertheless, the court held that the conflict was not waivable, as the lawyer’s financial interests “so permeated the defense that no meaningful waiver could be obtained.”[46]

The same conclusion was reached in the Dodd-Frank context by the New York County Law Association’s Committee on Professional Ethics in a 2013 opinion.[47] Viewing the ethical issues surrounding whistleblowing by lawyers in the abstract, the opinion interpreted New York’s version of Model Rule 1.7 and found that such a financial incentive “might tend to cloud a lawyer’s professional judgment.”[48] The opinion continued, “the potential payment of an anticipated whistleblower bounty in excess of $100,000 presumptively gives rise to a conflict of interest between the lawyer’s personal interest and that of the client.”[49]

Model Rule 1.7(b) raises the possibility that a personal interest conflict can be waived and consented to by the client.[50] Even in the case of a waiver of conflict, however, there is, as the NYCLA concluded, a “‘significant risk’ that the lawyer’s professional judgment or representation will be adversely affected by the lawyer’s personal interest, [and] in some circumstances the whistleblower-bounty conflict may be unwaivable.”[51]

To sum up: In the vast majority of situations – in view of the secrecy that underlies the whistleblowing process, the adversarial nature of the conduct, and the magnitude of the awards –

• Dodd-Frank whistleblowing
• on a current client
• by a lawyer acting as a lawyer
• who is eligible to receive a monetary award from either of the Commissions

creates an impermissible and unconsentable conflict of interest proscribed by Model Rule 1.7(a).

This author does not go so far as to suggest that there can never be circumstances in which a Dodd-Frank whistleblower award could ethically be sought by a lawyer who is acting as a lawyer. For example, it is conceivable that an individual lawyer might have so much personal or family wealth that even the magnitude of a Dodd-Frank whistleblower award would have no effect on that lawyer’s objectivity. Such circumstances, it is fair to assume, will be extremely rare, however, and so for the vast majority of lawyers, seeking such an award for information provided to one or both of the Commissions may constitute profoundly unethical conduct. Other possible exceptions might arise as contemplated by the Commissions’ regulations if, for example, outside counsel is participating in an internal corporate investigation into wrongdoing and has a reasonable basis for believing that disclosure of the information to either of the Commissions is necessary to prevent conduct that is likely to cause substantial injury to the financial interest or property of the entity or investors or that will impede an investigation of the wrongdoing.[52] An exception may also exist where at least 120 days have elapsed since the lawyer whistleblower provided the information to the relevant entity’s audit committee, chief legal officer, chief compliance officer (or their equivalents), or the whistleblower’s supervisor.[53]

Model Rule 1.8 – Current Client

In addition to Model Rule 1.7, a conflict of interest governed by Model Rule 1.8(a) arises where a lawyer knowingly acquires a pecuniary interest adverse to a client. Model Rule 1.8 is commonly understood to apply to business transactions with a client, but the “pecuniary interest” language is not limited to that context. The Rule proscribes entering into “a business transaction with a client or knowingly enter[ing] into an ownership, possessory, security or pecuniary interest adverse to a client.” (Emphasis added). The use of the disjunctive contemplates an ownership-based conflict for these categories of interests even in the absence of a business transaction with a client.

The “pecuniary interest” conflict exists unless all three conditions in Model Rule 1.8(a)(1)-(3) are satisfied. As these include full written disclosure, written advice that the client take legal advice from an independent source, and the client’s informed consent, the conditions simply cannot be met in the Dodd-Frank whistleblowing context.

Therefore, merely by arranging to be eligible for a substantial monetary award in the amount of 10% to 30% of any amount in excess of $1 million recovered from the client by either of the Commissions based on lawyer-supplied “original information,” the lawyer acquires the proscribed adverse pecuniary interest in violation of Model Rule 1.8(a).

In addition, Model Rule 1.8(b) prohibits a lawyer from using “information relating to representation of a client to the disadvantage of the client unless the client gives informed consent, except as permitted or required by these Rules.” Paramount among the “permitted or required” instances that might arise in the Dodd-Frank whistleblower context are the provisions of Model Rule 1.6(b)(2)-(3), which authorize, respectively, disclosure to prevent a client’s concurrent crime of fraud and disclosure to prevent, mitigate, or rectify a client’s prior crime or fraud, which, in each instance, is reasonably certain to result (or, in the case of prior client misconduct, has already resulted) “in substantial injury to the financial interests or property of another and in furtherance of which the client has used the lawyer’s services.” The extent of the disclosure must be what the lawyer “reasonably believes necessary” to accomplish these aims.

Assuming that a client engaged in wrongdoing of this magnitude is unlikely to give informed consent, a lawyer’s blowing the whistle to either of the Commissions is prohibited by Model Rule 1.8(b) as using confidential information relating to the representation to the disadvantage of the client, unless all three of the following conditions are met:

• the lawyer’s services were used in furtherance of a crime or fraud;
• which is reasonably certain to cause, or has already caused, substantial injury to the financial interests or property of one or more third parties; and
• the extent of the disclosure is reasonably believed by the lawyer to be necessary to prevent, mitigate, or rectify the client’s crime or fraud.

Model Rule 1.9 – Former Client

Model Rule 1.9(c)(1) prohibits the use of information relating to the representation of a former client to the disadvantage of the former client except as the Rules permit or require. The analysis is thus essentially the same[54] as what was just discussed under Rule 1.8(b). In applying New York’s version of Model Rule 1.9, NYCLA Op. 746 reached the same conclusion.

Common Law Fiduciary Duty

In addition to violations of the conflicts of interest provisions under the Model Rules, whistleblowing under the Dodd-Frank regime would violate a lawyer’s fiduciary duty at common law that would be breached were a lawyer to appropriate and disclose information of a current or former client for the lawyer’s own profit.[55] In the Restatement’s formulation, a lawyer is prohibited, except with the client’s consent, from using “confidential information of a client for the lawyer’s pecuniary gain other than in the practice of law [and] must account for any profits made by the use of such information.”[56] This strict duty, which applies even when the disclosure is permissible under the Model Rules and even when the client is not harmed by the disclosure, is an outgrowth of the common law of agency:[57]

The strict confidentiality duty of the Subsection is warranted for prophylactic purposes. A lawyer who acquires confidential client information as a result of a representation should not be tempted by expectation of profit to risk a possibly incorrect assessment of future harm to a client. There is no important societal interest in permitting lawyers to make unconsented use or revelation of confidential client information for self-enrichment in personal transactions.[58]

The prospect of having to account to the client and make restitution of the lawyer’s profit from whistleblowing would remove any temptation to violate the rules of professional conduct and risk disbarment in anticipation of living on easy street because of the magnitude of the anticipated bounty. Yet this prospect is illusory because of the mandated secrecy, noted above, surrounding Dodd-Frank whistleblower activities. The client will never know whether the “covered judicial or administrative action” was based on information provided by a whistleblower or, if so, who that whistleblower was. This practical difficulty underscores the need for the rules of professional conduct to act as a deterrent.

Confidentiality

In General

Model Rule 1.6 requires lawyers to refrain from disclosing confidential client information or using it adversely against the client, unless the client consents or an exception applies. The duty of confidentiality sweeps broadly. In particular, “confidential” information includes much more than information protected by the attorney-client privilege or work product doctrine. Under Model Rule 1.6 (as well as under many state incarnations), “confidential” information includes “all information relating to the representation, whatever its source.”[59]

The confidentiality rationale rests on the vital importance society places upon the “full, free and frank” exchange between lawyer and client, shielded from the intrusive eyes and ears of others, including the government. Without assurances of confidentiality, critical discussions between lawyer and client would necessarily be limited in a manner that would negatively affect the former’s ability to serve the latter. The benefits of confidentiality have long been recognized. As Chief Justice Lemuel Shaw of the Massachusetts Supreme Judicial Court said almost 200 years ago:

This principle we take to be this; that so numerous and complex are the laws by which the rights and duties of citizens are governed, so important is it that they should be permitted to avail themselves of the superior skill and learning of [attorneys] both in ascertaining their rights in the country, and maintaining them most safely in court … that the law has considered it the wisest policy to encourage and sanction this confidence, by requiring that on such facts the mouth of the attorney should be forever sealed.[60]

Consistent with this policy, lawyers must be able to gather all the necessary information and be free to explore with the client the client’s options. If a client perceives a “threat that these confidential communications will be shared with those whose interests may be adverse to the client, the chilling effect on the lawyer-client relationship becomes plain.”[61]

“A fundamental principle in the client-lawyer relationship is that, in the absence of the client’s informed consent, the lawyer must not reveal information relating to the representation.”[62] Disclosure of confidential information of any client is authorized under Model Rule 1.6 “to the extent the lawyer reasonably believes necessary”[63] either “to prevent the client from committing a crime or fraud that is reasonably certain to result in substantial injury to the financial interests or property of another”[64] or “to prevent, mitigate, or rectify substantial injury to the property of another,”[65] in each case where the client has used the lawyer’s services in furtherance of the crime or fraud. Those disclosure exceptions are simply not available where the lawyer’s services have not been so used.

Furthermore, with respect to an organizational client, the prescribed approach is set out in Model Rule 1.13, which requires a lawyer who knows of corporate misconduct to report such misconduct up-the-line (to the board of directors if necessary) unless the lawyer believes it is “not necessary in the best interest of the organization” to do so. Disclosure outside the organization without its consent is limited to situations where the highest authority in the organization has failed to address the legal violation the lawyer has reported and the lawyer “reasonably believes that the violation is reasonably certain to result in substantial injury to the organization” – and even then only “to the extent necessary to prevent substantial injury to the organization.”[66] In the case of an attorney who has been engaged to investigate matters within the corporation or to defend the organization or its constituents, however, reporting any discovered misconduct outside the organization is forbidden.[67]

Although the existence of conflicts of interest is enough of an ethical proscription against lawyers collecting bounties for Dodd-Frank whistleblowing, NYCLA Op. 746 devoted the majority of its analysis to confidentiality under applicable New York rules of professional responsibility. Because of the complexity of the regulatory framework established by the SEC in particular, which resurrects judicially unresolved questions of preemption first aired in the SOX era, some additional points are noteworthy.

Effect of the Dodd-Frank Regulatory Framework

The Commissions, in their respective regulations, limit the ability of lawyers to be eligible whistleblowers. The lodestar is the source of the information being conveyed by the whistleblower. As noted above, only “original” information qualifies. Information obtained by those occupying positions with fiduciary or quasi-fiduciary obligations (which would include in-house counsel and outside counsel)[68] is generally not considered “original,” but there are some exceptions as described below. Furthermore, the original information must be “voluntarily” provided. That means it must be provided prior to any request to the whistleblower (or anyone representing the whistleblower) from the Commissions, any other federal or state authority (e.g., DOJ or a State Attorney General), Congress, or any SRO about a matter to which the information in the whistleblower’s submission is relevant.[69]

The CFTC’s approach is to exclude from the “independent knowledge” component[70] any information that is:

1. obtained via a communication that was subject to the attorney-client privilege, or
2. in connection with the legal representation of a client on whose behalf the whistleblower (or the whistleblower’s employer or firm) have been providing services, and that the whistleblower seeks to use to make a submission for the whistleblower’s own benefit, unless, in either instance, the disclosure is otherwise permitted by the applicable federal or state attorney conduct rules.[71]

The SEC’s approach is to acknowledge from the outset the “special duties” lawyers owe their clients and the importance of furthering consultation between issuers of securities and their counsel in promoting overall compliance with the federal securities laws.[72] Thus, the SEC’s Dodd-Frank regulations announce that a lawyer will not generally be credited with providing “original information” if that information was obtained (1) from confidential communications subject to the attorney-client privilege, (2) from the legal representation of a client, or (3) from association with a firm retained by an organization to conduct an inquiry into possible violations of law, unless, in the case of (1) and (2), disclosure is permitted by the standards of lawyers’ professional conduct issued by the SEC in its 2003 Part 205 rules,[73] by applicable state attorney conduct rules, or “otherwise.”[74]

By incorporating the Part 205 rules into the Dodd-Frank whistleblower framework, however, the SEC introduced some complexities into the ethics calculus. These complexities include not only exceptions to the requirement of confidentiality that are not found in the Model Rules, but also the (as yet untested) assertion by the SEC that its regulations preempt state avatars of the Model Rules in certain circumstances.

Dodd-Frank whistleblowing, by its nature, entails “reporting out” – specifically to the government. Yet the SOX regulations invoked by the SEC do not contemplate “reporting out” except in exceptional circumstances. To begin with, those regulations do not apply to all lawyers but only to a subset: those “appearing and practicing” before the SEC. Secondly, the default requirement for such attorneys under the Part 205 regulatory regime is emphatically not blowing the whistle to the SEC; rather, those regulations require reporting “evidence of a material violation”[75] of the securities laws by the issuer (or any of its officers, directors, employees or agents) to the CEO or, perhaps more likely, the Chief Legal Officer,[76] and thereafter if no satisfactory action is taken, “up the ladder” within the corporate organization, all the way to the board of directors if necessary. [77] This procedure is, in essence, consistent with Model Rule 1.13(b), though the latter requires not merely credible evidence of a reasonably likely violation but actual knowledge[78] of an existing or impending violation.

Incorporating the Part 205 rules into the Dodd-Frank whistleblower framework also inserts into the analysis a potential “wild card,” namely the assertion, made both by the SEC and by one of its former General Counsel,[79] that the SOX regulations[80] preempt inconsistent state ethics rules,[81] at least with respect to that subset of the bar over which the SEC has any colorable authority (to wit: attorneys “appearing and practicing” before the SEC). If the SEC’s whistleblower regulations preempt inconsistent state ethics rules, that could theoretically preclude state disciplinary action and the salutary effect on attorney conduct of the threat of such disciplinary action for flagrant violations of confidentiality, privilege, and conflict of interest rules.

The preemption debate began shortly after promulgation of the final Part 205 rules, with both the Washington State Bar[82] and the California Bar[83] taking the position that the SEC lacked preemption authority.[84] In the intervening years, no court has yet had occasion to rule on the SOX/state ethics rules preemption question.[85]

Logically, however, it would seem that whatever legal or policy arguments might support preemption in the SOX/Part 205 context are simply absent in the Dodd-Frank whistleblower context. For one thing, there was not – and cannot have been – any preemptive intent regarding regulation of the Bar on the part of Congress when enacting Dodd-Frank, since the two whistleblower provisions predominantly apply to individuals who are not lawyers. More tellingly, in enacting Dodd-Frank Congress was very attentive to preemption issues and specifically legislated on that topic in other areas,[86] but Section 922 (the SEC whistleblower provision) is silent on preemption.[87] For another, the secrecy requirements of Dodd-Frank whistleblowing are, in the case of a lawyer-whistleblower, incompatible not only with the default confidentiality principles of the Model Rules and the attorney-client privilege but also the SEC’s own Part 205 rules, which require internal, up-the-ladder reporting and contemplates “reporting out” only when that default procedure does not function as intended.

Accordingly, confidentiality principles are another reason to be chary of whistleblowing by lawyers. Such whistleblowing constitutes disclosure of client information in violation of the default confidentiality provisions of the Model Rules and may only be done ethically where those Rules (or their state avatars) expressly so permit or require.[88]

CONCLUSION

Seeking a monetary award from the SEC or the CFTC for whistleblowing on a client almost certainly creates a personal interest conflict, within the meaning of Model Rule 1.7(a)(2). Disclosing the client’s information to a federal agency, other than as specifically authorized under the Model Rules, violates the confidentiality requirements of Model Rule 1.6. A lawyer, acting as a lawyer, who pursues such an award does so at extreme peril of disciplinary action and should, at a minimum, consult the ethics rules and authorities in each jurisdiction in which he or she is admitted.

[1] This constitutes Titles 60-63 of the massive (nearly 1500 pages) William M. (Mac) Thornberry National Defense Act of 2021, Pub. L. No.: 116-283, §§ 6001 et seq. Another, related piece of the puzzle is Title 64, the Corporate Transparency Act ( the “CTA”), establishing disclosure requirements for beneficial owners of certain business enterprises. The Business Law Section has already done two “In the Know” webinars on the CTA, one addressing the substance and the other addressing some of the ethical implications.

[2] Possible other entities include: the Department of Justice; an appropriate department or agency of the Federal Government, acting within the scope of its jurisdiction; a self-regulatory organization; a state attorney general in connection with a criminal investigation; an appropriate state regulatory agency or department. Other possibilities are, in the case of commodities-related whistleblowers, a foreign futures authority; and in the case of securities-related whistleblowers, the Public Company Accounting Oversight Board, a foreign securities authority, and a foreign law enforcement authority. See 7 U.S.C. § 26(h)(2)(C)(I)-(VI); 15 U.S.C. § 78u-6(h)(2)(D) (I)-(VIII).

[3] Actually, the recovery amount may be somewhat higher, since the statute does not authorize whistleblower awards for collection of monetary sanctions of $1 million or less. See 15 U.S.C. § 78u-6(a)(1) (definition of “covered judicial or administrative action”).

[4] Pub. L. No. 111-203, 124 Stat. 1326 (2010).

[5] The term “whistleblower” is susceptible of many different definitions in different contexts. See Julian W. Kleinbrodt, Pro-Whistleblower Reform in the Post-Garcetti Era, 112 Mich. L. Rev. 111, 113 (2013) (observing that “[t]here is no single definition of a whistleblower, and it takes on different contours in different contexts”). Although the term is neither defined nor used in the ABA Model Rules of Professional Conduct (2018) [hereinafter the “Model Rules”], references in this article to a lawyer as “whistleblower” should be understood to mean a lawyer who reports a client’s wrongdoing to a governmental or law enforcement agency. Cf. Black’s Law Dictionary (9th ed. 2009) (defining a whistleblower as “[a]n employee who reports employer wrongdoing to a governmental or law-enforcement agency”).

[6] As discussed below, the minimum award payable is $100,000 and could fairly easily reach millions of dollars.

[7] The descriptor qui tam is short for the Latin phrase “qui tam pro domino rege quam pro se ipso in hac parte sequitur,” which refers to one who brings an action on behalf of the king as well as himself. This regime, despite certain similarities, is conceptually different from the Dodd-Frank regulatory whistleblower landscape considered in this article.

[8] A “relator” is an individual who brings suit under the FCA in the name of the government, which has sixty days to intervene in the action. If the government declines to intervene, the relator may proceed alone. 31 U.S.C. § 3730(b). If the action is successful, the relator stands to receive an award of 15-25% of the proceeds (whether a verdict or settlement) if the government has intervened and litigated the matter and between 25-30% if the government has not intervened. 31 U.S.C. § 3730(d). State false claims acts operate in similar fashion.

[9] E.g., the N.Y. False Claims Act, N.Y. State Fin. Law §§ 187 et seq.

[10] 7 U.S.C. §§ 1 et seq.

[11] Dodd-Frank § 748, 124 Stat. 1739 (creating CEA § 23, 7 U.S.C. § 26).

[12] CFTC, Final Rules for Implementing the Whistleblower Provisions of Section 23 of the Commodity Exchange Act, 76 Fed. Reg. 53,172 (Aug. 25, 2011) (codified at 17 C.F.R. §§ 165.1 et seq.).

[13] 15 U.S.C. §§ 78a et seq.

[14] Dodd-Frank § 922 (creating Section 21F of the Exchange Act, 15 U.S.C. § 78u-6).

[15] See SEC, Securities Whistleblower Incentives and Protections, 76 Fed. Reg. 34,300 (June 13, 2011) (codified at 17 C.F.R. §§ 240.21F-1 et seq.) [hereinafter “SEC Dodd-Frank Release”].

[16] 7 U.S.C. § 26(b)(1) (CFTC); 15 U.S.C. §78u-6(b)(1) (SEC). The CFTC and the SEC shall jointly be referred to hereinafter as the “Commissions.”

[17] E.g., Currency and Foreign Transactions Reporting Act of 1970, Pub. L. No. 91-508, 84 Stat. 1114 (1970) (codified as amended in scattered sections of 12, 18, and 31 U.S.C. and commonly known as the “Bank Secrecy Act”) [hereinafter referred to as the “BSA”].

[18] 31 U.S.C. § 5323(a)-(b).

[19] Pub. L. No. 116-283, § 6314.

[20] 7 U.S.C. § 26(b)(1) (CFTC); 15 U.S.C. § 78u-6(b)(1) (SEC). As noted earlier, the term “covered judicial or administrative action” means any judicial or administrative action brought by the CFTC or the SEC, as the case may be, that results in monetary sanctions exceeding $1million. 7 U.S.C. § 26(a)(1) (CFTC); 15 U.S.C. § 78u-6(a)(1) (SEC).

[21] A “related action” is defined as a judicial or administrative action brought by a statutorily designated entity that is based upon the original information provided by a whistleblower that led to the successful enforcement by either of the Commissions of a “covered judicial or administrative action.” 7 U.S.C. § 26(a)(5) (CFTC); 15 U.S.C. § 78u-6(a)(5) (SEC). Statutorily designated entities include, inter alia, (1) the Department of Justice; (2) an appropriate Federal regulatory authority (e.g., one of the bank regulatory agencies); (3) a self-regulatory organization; (4) a State attorney general in connection with any criminal investigation; (5) an appropriate State regulatory authority; and (6) a foreign law enforcement or regulatory authority. See 7 U.S.C. § 26(h)(2)(C)(i) (CFTC); 15 U.S.C. §78u-6(h)(2)(D)(i) (SEC).

[22] These concepts are not defined in Dodd-Frank but are defined by the Commissions in their separate regulations. The term “independent knowledge” means factual information in the whistleblower’s possession that is not derived from publicly available sources. The term “independent analysis” means the whistleblower’s examination and evaluation (whether performed alone or with others) of information (including publicly available information), which then reveals information that is not generally known or available to the public. See generally 17 C.F.R. § 165.2(g)-(h) (CFTC), 17 C.F.R. § 240.21F-4(b)(2)-(4). (SEC).

[23] 7 U.S.C. § 26(a)(4) (CFTC); 15 U.S.C. §78u-6(a)(3) (SEC).

[24] 7 U.S.C. § 26(m) (CFTC); 15 U.S.C. § 78u-6(i) (SEC). Such false or fraudulent statements or conduct are independently criminalized under 18 U.S.C. § 1001 and, in the case of a whistleblower who is a lawyer, would subject the lawyer to discipline under Model Rule 8.4(b) and (c).

[25] In addition to the awards described at the beginning of this article see, e.g., CFTC, Press Release, CFTC Announces Whistleblower Award of More Than $10 Million (April 4, 2016), available at http://www.cftc.gov/PressRoom/PressReleases/pr7351-16. The SEC typically redacts its whistleblower grant orders, but a law firm that represents whistleblowers revealed on its website an award of $22.5 million dated June 30, 2016. See The Employment Law Group, Rewards Tracker, available at http://sec-whistleblowers.com/rewards-tracker/.

[26] 17 C.F.R. § 165.2(g)(2)-(3).

[27] See generally SEC Dodd-Frank Release, 76 Fed. Reg. at 34,314.

[28] SEC, Implementation of Standards of Professional Conduct for Attorneys, Securities Act Release No. 33-8185, 68 Fed. Reg. 6296 (Feb. 6, 2003) (currently codified at 17 C.F.R. § 205.3(d)(2)). These regulations (known colloquially as the “Part 205 rules”) apply only to lawyers “appearing and practicing” before the SEC in the context of providing legal services to an “issuer” of securities. “Issuer” in this context is broadly defined to include certain affiliates for which the lawyer has provided services on behalf of, or at the behest of or for the benefit of, the issuer, regardless of whether the lawyer is employed or retained by the issuer. Id. § 205.2(h). Likewise, “appearing and practicing” is broadly defined and includes, inter alia, merely advising on U.S. securities laws or regulations in connection with a document that the lawyer has notice will be filed or submitted (or incorporated into a document to be filed or submitted) to the SEC. Id. § 205.2(a).

[29] Public Company Accounting Reform and Investor Protection Act of 2002, Pub. L. No. 107-204, 116 Stat. 745 (2002) (which became colloquially known, after its Senate and House sponsors, Paul Sarbanes and Michael Oxley, as the Sarbanes-Oxley Act).

[30] 17 C.F.R. § 240.21F-4(b)(4)(i), (ii), (iii)(C). Note that the SEC has not (to date) explained what facts or circumstances might give rise to the “otherwise” exclusion.

[31] Referring to both federal and state laws and obligations, this term is defined for purposes of the Part 205 rules as “a material violation of an applicable United States federal or state securities law, a material breach of fiduciary duty arising under United States federal or state law, or a similar material violation of any United States federal or state law.” 17 C.F.R. § 205.3(i).

[32] See supra note 28 (describing broad definition of “issuer” for this purpose).

[33] See generally 17 C.F.R. § 205.3(b).

[34] The circumstances include: (i) To prevent the issuer from committing a material violation that is likely to cause substantial injury to the financial interest or property of the issuer or investors; (ii) To prevent the issuer, in the course of an SEC investigation or administrative proceeding, from committing perjury, proscribed in 18 U.S.C. § 1621; suborning perjury, proscribed in 18 U.S.C. § 1622; or committing any act proscribed in 18 U.S.C. § 1001 that is likely to perpetrate a fraud upon the SEC; or (iii) To rectify the consequences of a material violation by the issuer that caused, or may cause, substantial injury to the financial interest or property of the issuer or investors in the furtherance of which the attorney’s services were used. 17 C.F.R. § 205.3(d)(2)(i)-(iii).

Differences between the SEC’s rule and Model Rule 1.13 are discussed later in the article.

[35] No preemption issue exists with respect to the CFTC, which has no SOX responsibilities and has not incorporated by reference any other regulations purporting to govern attorney conduct.

[36] See supra note 28.

[37] The validity of this assertion is open to question (see infra notes 79-85 and accompanying text), and there has even been a lack of consensus on the issue among former SEC General Counsels.

[38] This article focuses only on situations in which a lawyer is acting as a lawyer and is representing a client involved in the conduct giving rise to the possibility of whistleblowing. Thus, in the case of a business entity, this discussion does not address the conduct of a whistleblower who has a law degree and may well be licensed to practice law in one or more jurisdictions but who is acting as a director, officer, employee, or agent without any attorney-client relationship with the organization.

[39] The client’s informed consent is a basic component of the exceptions in paragraph (b). Whistleblowing under the Dodd-Frank framework, by its nature, precludes seeking the client’s consent. In order not to impair the efficacy of any agency investigation, Dodd-Frank whistleblowing is confidential, and in fact the Commissions are generally required to keep the information confidential. See 7 U.S.C. § 26(h)(2)(A) (CFTC); 15 U.S.C. § 78u-6(h)(2)(A) (SEC). Moreover, the adversary nature of a lawyer blowing the whistle on a client would seem to render the conflict non-consentable per se.

[40] Model Rule 1.7(a)(2).

[41] Letter from Stephen N. Zack, President, Am. Bar Ass’n, to Hon. Mary L. Schapiro, Chair, Securities and Exchange Commission, at 3 (May 11, 2011).

[42] See, e.g., ABA Formal Ethics Op. 432 (2004) (advancing bail on behalf of accused client may pose a conflict if amount of bail is “material” to the lawyer); ABA Formal Ethics Op. 427 (2002) (discussing the propriety of a lawyer taking a security interest in property of the client to guarantee payment of legal fees).

[43] Cf. United States v. Quest Diagnostics Inc., 734 F.3d 154 (2d Cir. 2013) (lawyer violated applicable New York professional conduct rules by filing qui tam action against former employer with respect to matters substantially related to prior representation of employer).

[44] 283 F.3d 76 (2d Cir. 2002).

[45] The court explained the potential conflict as the disincentive, created by the lawyer’s simultaneous representation of the PBA, to seek to obtain acquittal for the police officer client by endeavoring to place the blame entirely on the other police officer. Id. at 94-95.

[46] Id. at 96 (quoting United States v. Fulton, 5 F.3d 605, 613 (2d Cir. 1993)).

[47] N.Y. Cnty. Lawyers’ Ass’n., Comm. on Professional Ethics, Ethical Conflicts Caused by Lawyers as Whistleblowers under the Dodd-Frank Wall Street Reform Act of 2011, Formal Op. 746 (Oct. 7, 2013) [hereinafter referred to as “NYCLA Op. 746”].

[48] Id. at 10-11.

[49] Id. at 11.

[50] A recent ethics opinion of the New York State Bar Association concluded that neither a lawyer nor his firm may represent a client in litigation funded by a litigation financing company in which the lawyer is an equity holder. Among several ethical concerns, the opinion identified New York’s version of Rule 1.7(a)(2). The opinion found that the lawyer’s personal and financial interest in the financing company could create a significant risk that the lawyer’s professional judgment could be adversely affected by the lawyer’s own interests. “For instance, the Company may have an interest in expediting (or prolonging) the litigation to enhance the value of the Company’s investment but which may not equate with the client’s interests in going to trial (or reaching an early settlement). A continuing duty exists to protect the client from this risk.” N.Y. State Bar Ass’n Comm. on Prof’l Ethics, Op. 1145 ¶ 12 (March 7, 2018). The opinion noted, however, that this conflict could “be adequately disclosed and waived under Rule 1.7(b) if the other requirements of Rule 1.7(b) are fulfilled.” Id.

[51] NYCLA Op. 746, at 11-12 (citing Schwarz).

[52] See 17 C.F.R. § 165.2(g)(7)(i)-(ii) (CFTC), 17 C.F.R. § 240.21F-4(b)(4)(v)(A)-(B) (SEC).

[53] See 17 C.F.R. § 165.2(g)(7)(iii) (CFTC), 240.21F-4(b)(4)(v)(C) (SEC).

[54] Actually, the coverage of Model Rule 1.9 is a little broader. Whereas Rule 1.8(b) only covers a client represented by the lawyer, Rule 1.9(c)(1) applies to a client formerly represented by either the lawyer or by his or her present or former law firm.

[55] See Fremont Reorganizing Corp. v. Faigin, 198 Cal. App. 4th 1153 (2011) (former in-house counsel who told insurance authorities about former employer’s allegedly illegal conduct could be liable for breach of fiduciary duty and duty of confidentiality).

[56] Restatement (Third) of the Law Governing Lawyers § 60(2).

[57] Id. cmt. j.

[58] Id.

[59] Model Rule 1.6 cmt. [3].

[60] Hatton v. Robinson, 31 Mass. (14 Pick.) 416, 422 (1833).

[61] ABA Formal Op. 368 (1992).

[62] Model Rule 1.6 cmt. [2].

[63] Model Rule 1.6(b).

[64] Model Rule 1.6(b)(2).

[65] Model Rule 1.6(b)(3).

[66] Model Rule 1.13(c). In contrast to Model Rule 1.6(b)(3), Model Rule 1.13 does not, by its terms, authorize disclosure to prevent, mitigate, or rectify substantial injury to the property of another.

[67] Model Rule 1.13(d).

[68] See, e.g., 17 C.F.R. § 240.21F-4(b)(4).

[69] See 17 C.F.R. § 165.2(o) (CFTC); 17 C.F.R. § 240.21F-4(a) (SEC).

[70] See supra note 22 and accompanying text.

[71] 17 C.F.R. § 165.2(g)(2)-(3).

[72] See generally SEC Dodd-Frank Release, 76 Fed. Reg. at 34,314.

[73] SEC, Implementation of Standards of Professional Conduct for Attorneys, Securities Act Release No. 33-8185, 68 Fed. Reg. 6296 (Feb. 6, 2003) (currently codified at 17 C.F.R. § 205.3(d)(2)).

[74] 17 C.F.R. § 240.21F-4(b)(4)(i), (ii), (iii)(C). Note that the SEC has not (to date) explained what facts or circumstances might give rise to the “otherwise” exclusion.

[75] See id. § 205.2(e) (defining “evidence of a material violation”). This definition of “evidence of a material violation” is a notorious double-negative standard: “credible evidence, based upon which it would be unreasonable, under the circumstances, for a prudent and competent attorney not to conclude that it is reasonably likely that a material violation has occurred, is ongoing, or is about to occur.” Cf. Keith R. Fisher, The Higher Calling: Regulation of Lawyers Post-Enron, 37 U. Mich. J. L. Reform 1017, 1104 (2004) (suggesting that this standard comes “perilously close to ‘knew or should have known’ standard of proof – in other words, scienter”). As noted above, the term “material violation” is itself defined as a “material violation of an applicable United States federal or state securities law, a material breach of fiduciary duty arising under United States federal or state law, or a similar material violation of any United States federal or state law.” 17 C.F.R. § 205.2(i).

[76] Id. § 205.3(b)(1), (c)(1). The duplication in two separate paragraphs refers to two situations: one for issuers that have not established a Qualified Legal Compliance Committee and the other for issuers that have. If the reporting attorney is a subordinate attorney, however, he may content himself with reporting to his supervisor and need take no further action. Id. § 205.5(c). This is actually somewhat less onerous than a subordinate lawyer’s obligations under Model Rule 5.2(b), compliance with which requires that the supervisory lawyer’s resolution of an “arguable” question of professional duty be “reasonable” and that the subordinate act in accordance with that resolution.

[77] Id. § 205.3(b)(3).

[78] Cf. Model Rule 1.0(f) (defining knowledge-related terms).

[79] See Letter from Giovanni P. Prezioso, General Counsel, SEC, to J. Richard Manning, President, Wash. State Bar Ass’n (July 3, 2003).

[80] No preemption issue exists with respect to the CFTC, which has no SOX responsibilities or other regulations purporting to govern attorney conduct.

[81] See 17 C.F.R. § 205.1 (“These standards supplement applicable standards of any jurisdiction where an attorney is admitted or practices and are not intended to limit the ability of any jurisdiction to impose additional obligations on an attorney not inconsistent with the application of this part. Where the standards of a state or other United States jurisdiction where an attorney is admitted or practices conflict with this part, this part shall govern”).

[82] See Ethics 2003 Committee of Wash. State Bar Ass’n. Internal Formal Ethics Opinion 2003, available at http://www.wsba.org/lawyers/groups/ethics2003/formalopinion.doc (opining that lawyers admitted in the State of Washington may not ethically reveal client confidences and secrets unless authorized to do so under Washington’s rules of professional conduct, regardless of the permissive disclosure provisions of the Part 205 Rules).

[83] See, e.g., State Bar of California, Ethics Alert, The New SEC Attorney Conduct Rules v. California’s Duty of Confidentiality (Spring 2004); Corporations Comm. of the Business Law Section of the California State Bar, Conflicting Currents: The Obligation to Maintain Inviolate Client Confidences and the New SEC Attorney Conduct Rules, 32 Pepp. L. Rev. 89 (2004) (arguing that the SEC’s preemption assertion exceeds its authority).

[84] But cf. Roger Cramton, George Cohen & Susan Koniak, Legal and Ethical Duties of Lawyers After Sarbanes-Oxley, 49 Vill. L. Rev. 725 (2004) (supporting an argument for implied preemption).

[85] Also worth noting, even en passant, are (1) that in SOX Congress did not expressly grant the SEC preemptive authority over state regulation of lawyers, and (2) that similar attempts by another federal administrative agency to invoke regulatory authority over lawyers in other regulatory contexts – the privacy provisions of the Gramm-Leach-Bliley Act of 1999 and the Fair and Accurate Credit Transactions Act of 2003 – were resoundingly rejected when challenged by the bar. See New York State Bar Ass’n v. FTC, 276 F. Supp.2d 110 (D.D.C. 2003) (holding that the FTC exceeded its authority in extending the statutory term of art “financial institution” to lawyers), aff’d sub nom. American Bar Ass’n v. FTC, 430 F.3d 457 (D.C. Cir. 2005); American Bar Ass’n v. FTC, 671 F. Supp.2d 64 (D.D.C. 2009) (holding that nothing in the FACT Act contained an “unmistakably clear” grant of authority that would permit FTC intervention into regulating the practice of law), vacated as moot, 636 F.3d 641 (D.C. Cir. 2011) (concluding that intervening legislation clarifying that lawyers were not subject to the FTC rule had mooted the controversy).

[86] E.g., Dodd-Frank § 767 (preempting State gaming and bucket-shop laws), § 1041(a) (preempting state consumer protection laws to the extent, and only to the extent, they are inconsistent with federal consumer protection laws under Dodd-Frank Title X), and § 1044 (prescribing state law preemption standards for national banks and their subsidiaries).

[87] Likewise Dodd-Frank § 748, amending the CEA, evinces no preemptive intent.

[88] Examples include Model Rules 4.1 and 1.6(b)(2)-(3), and 1.13(c).

On June 28, 2021, while both congressional bodies continue to introduce and consider numerous legislative proposals to “reform” and amend the existing legal analytical framework, the U.S. District Court for the District of Columbia dismissed two high-profile antitrust cases simultaneously brought by the Federal Trade Commission (FTC) and 46 states. Both cases alleged that Facebook illegally maintained a monopoly in the social networking space through its acquisition of nascent competitors, including WhatsApp and Instagram, as well as by placing restrictions on developers that access Facebook’s networks.

The key difference between the decisions is that the court granted the FTC leave to amend its complaint to better address Facebook’s alleged monopolization. Therefore, while the states’ case is finished (unless they file an appeal), the FTC retains a number of options, including trying to bolster its monopolization claim or pursuing the case through the FTC’s administrative proceedings.

Members of both political parties and from both congressional chambers condemned the decisions:

The FTC should pursue this case, but we shouldn’t count on regulators and the courts alone to save us. Keeping our markets competitive, open and fair? It will require the Congress to act.

— Amy Klobuchar (@amyklobuchar) June 29, 2021[1]

Facebook is clearly a monopoly. The district court ruling shows the need for Congress to reform the antitrust laws. Our bipartisan bills give additional resources to law enforcement agencies and brings greater scrutiny to mergers. We have to act now.

— Rep. Ken Buck (@RepKenBuck) June 29, 2021[2]

Discussion of the Decisions

The FTC and 46 states separately sued Facebook in December 2020, alleging that Facebook violated Section 2 of the Sherman Act[3] through its alleged “buy or bury” strategy of acquiring Instagram (2012) and WhatsApp (2014) and by adopting policies that prevented app developers that Facebook viewed as potential competitive threats from accessing Facebook’s platform interfaces (API Policies). The states also sought relief under Section 7 of the Clayton Act[4], which prevents acquisitions that tend to substantially lessen competition.

District Court Judge James Boasberg dismissed each case on different grounds.

The FTC Case. Judge Boasberg dismissed the FTC’s monopolization claim for a failure to plausibly allege facts that Facebook has monopoly power.[5] The FTC defined the relevant product market served by Facebook as one for “Personal Social Networking Services,” which the FTC described as “online services that enable and are used by people to maintain personal relationships and share experiences with friends, family, and other personal connections in a shared social space.”[6] The FTC alleged that Facebook held a market share “in excess of 60%,” and there were no substitutes for Facebook. The decision criticized the FTC for failing to offer any measure or metrics for this analysis and failing to name even a single Facebook competitor. The court therefore observed that “[i]t is almost as if the [FTC] expects the Court to simply nod to the conventional wisdom that Facebook is a monopolist. After all, no one who hears the title of the 2010 film ‘The Social Network’ wonders which company it is about.”[7]

The court also expressed concern with the FTC’s claims regarding Facebook’s API Policies, cautioning the FTC that generally antitrust law does not impose a duty to deal on monopolists.[8] Although the court made plain that the FTC “to be sure, has alleged several specific refusals to deal that in fact may meet [antitrust law’s] requirements” for pleading a claim, the court explained that injunctive relief is not available under Section 13(b) of the FTC Act[9] because the FTC does not allege ongoing or imminent anticompetitive conduct.[10]

The States’ Case. The states similarly premised their claims on Facebook’s alleged monopoly, but Judge Boasberg found additional grounds for dismissal with prejudice under the doctrine of laches, which does not apply to the U.S. government. More specifically, the court found that laches precluded the states’ claims because it viewed the Clayton Act’s four-year statute of limitations as “the starting presumption” for when an aggrieved plaintiff may file a complaint.[11] The court then pointed to the states having waited six and eight years, respectively, to claim that the WhatsApp and Instagram acquisitions violated antitrust laws and found “no case … in which a plaintiff other than the United States (against which laches does not apply), whether a state or a private party, was awarded equitable relief after such long post-acquisition delays in filing suit.”[12]

The court explained that laches was particularly appropriate because (1) the Instagram and WhatsApp acquisitions were widely publicized at the time; (2) it was well-understood at the time that Facebook was “the dominant player” in online social networking; (3) the FTC’s extra scrutiny of the Instagram transaction was publicized; (4) analysts had expressly commented that Facebook was acquiring WhatsApp to “eliminate[e] a potential competitor poised to mount a major challenge to Facebook’s monopoly;” and (5) significant prejudice to Facebook was apparent, given that the states sought a divestiture of longtime core Facebook assets.[13]

The attorneys general are appealing the decision.

Two Key Takeaways

1. Laches Applies to Everyone Besides the US Government

   The court found that the United States — not the states — is the proper enforcer of the federal antitrust laws, as Congress, when passing the Clayton Act, had not articulated a special role for the states in enforcing those laws, making them akin to private plaintiffs against which equitable defenses applied.[14] Indeed, even prior to the Facebook decision, the states had tacitly admitted this, as the National Association of Attorney Generals recently urged Congress to expand the states’ role as antitrust enforcers.[15] By contrast, at no point did the court question the ability of the FTC to complain about Facebook’s acquisitions of competitors that occurred well before the Clayton Act’s four-year statute of limitations. Timing may eventually impact the FTC if it repleads its refusal to deal claim or asserts other claims based on non-acquisition conduct that is not more recent or ongoing in nature.

2. The FTC’s Next Move May Implicate Chair Khan’s New Playbook

   The court criticized the FTC for making a conclusory claim of Facebook’s 60% “market share,” but also noted that it “believes that the agency may be able to ‘cure [the] deficiencies’ by repleading.” To strengthen its market power allegations, the FTC would likely need to include additional information regarding the basis of its market share calculation, allegations regarding whether Facebook’s market share remained constant or how it otherwise shifted since 2011 (the period that the FTC itself references), the identity of at least some of the other firms that account for the remaining 30-40% of the market, and proof that people value Facebook more than its social media substitutes and connect the popularity of Facebook’s social media services to the advertising dollars that popularity helps generate.

   The decision may also lead the FTC to pivot under new Chair Lina Khan. Although the FTC filed the case in federal court and has advised the court that it would file an amended complaint, it also could have chosen to bring an action through its in-house administrative process, where FTC commissioners themselves would review an order from the FTC’s administrative law judge and render a decision that can be appealed to federal courts. Such a strategic decision could dovetail with the FTC’s withdrawal of its 2015 guidance on standalone use of Section 5 of the FTC Act, which prohibits “unfair methods of competition” — a broader standard than antitrust claims under Sections 1 and 2 of the Sherman Act and Section 7 of the Clayton Act.

[1] See https://t.co/P4fUeYeDMM.

[2] See https://t.co/5aO4RfuZGi.

[3] 15 U.S.C. §§ 1-7.

[4] 15 U.S.C. §§ 12-27.

[5] FTC Op. at 30-31.

[6] Id. at 21-22.

[7] Id. at 31.

[8] Id. at 39-41. Specifically, the court noted that “to be actionable, such a scheme must involve specific instances in which that policy was enforced (i) against a rival with which the monopolist had a previous course of dealing; (ii) while the monopolist kept dealing with others in the market; (iii) at a short-term profit loss, with no conceivable rationale other than driving a competitor out of business in the long run.”

[9] 15 U.S.C. § 45.

[10] FTC Op. at 42-44.

[11] States Op. at 41.

[12] Id. at 44.

[13] Id. at 44-45.

[14] Id. at 48-49.

[15] See www.stateagreport.com/news/full-slate-of-state-attorneys-general-urges-congress-to-strengthen-state-antitrust-enforcement-abilities/#page=1.

In the wake of the Colonial Pipeline hack, President Biden released a long-anticipated Executive Order (EO) intended to strengthen U.S. cybersecurity infrastructure. [1] [2]  The EO highlights the government’s interest in public-private partnerships in the realm of cybersecurity by triggering a rulemaking process that will impose cybersecurity standards on private companies that contract with the federal government in the areas of information technology (IT) and operational technology (OT).  The EO is only one of many steps the new administration is taking to improve cybersecurity.  In line with the government’s vision, the Department of Energy also released a 100-day cybersecurity pilot program,[3] and the Federal Energy Regulatory Commission took steps to establish incentive-based programs for cybersecurity investments.[4]

Dan Sutherland, Chief Counsel for the Cybersecurity & Infrastructure Security Agency (CISA), and Jen Daskal, Deputy General Counsel at the Department of Homeland Security (DHS), spoke at an Infragard webinar on May 19, 2021 about the new Executive Order (EO).[5] 

Before delving into the EO, the speakers gave a brief introduction to the roles of DHS and CISA.  DHS takes a “whole of government” approach to cybersecurity, and deals with cybersecurity issues through the United States Secret Service and Immigration and Customs Enforcement (ICE), which focuses on prosecuting cyber-enabled crime.  It also works through the Transportation Security Administration (TSA) and Coast Guard, which focus on cybersecurity in surface transportation. CISA, on the other hand, is an independent federal agency under DHS oversight.  It focuses specifically on the United States’ cybersecurity and communications infrastructure.  Acting more as a risk advisor and research arm, rather than enforcer, CISA aims to keep the nation’s critical infrastructure secure, robust, and capable of defending itself against cyber-attacks.

Both speakers briefly discussed three pieces of legislation that give CISA more authority to perform their work:

1. The National Defense Authorization Act (NDAA), which is a product of the Cyberspace Solarium Commission, provides 11 substantive new authorities for CISA, including: the ability to issue administrative subpoenas, the authority to do more to protect federal networks, and the wherewithal to provide capabilities and tools to other federal agencies without reimbursement. However, CISA’s subpoena authority is very limited.  It mainly involves the power to collect public-facing IP information from internet service providers (ISPs) when the information is not otherwise available.  Under this authority, ISPs must provide identifying information attached to IP addresses.  CISA, of course, claims to have no interest in overstepping privacy rights or civil liberties. 
2. The DotGov Online Trust in Government Act (DotGov Act) was established through the Consolidated Appropriations Act. The DotGov Act gives CISA the authority to issue “.gov” addresses that provide more security.  These are provided to federal agencies at no cost.
3. The last legislation the speakers highlighted was the American Rescue Plan Act of 2021, which gave CISA $650 Million to improve federal network security. CISA will operate a pilot cloud environment featuring heightened security systems.  This could signal a significant new path for CISA to provide services to agencies rather than merely issuing policies and directives. 

Executive Order on Improving the Nation’s Cybersecurity

The Executive Order has been a priority for the Secretary of the DHS, Alejandro Mayorkas.  When he outlined his vision for DHS’s cybersecurity efforts on March 31, 2021, Secretary Mayorkas said, “[m]ake no mistake: a free and secure cyberspace is possible.  We will champion this with words and action.”[6] 

The speakers highlighted the importance of the role the EO plays in the federal government’s commitment to modernize cybersecurity defenses and protect the federal government’s infrastructure.  While executive orders cannot direct the private sector or create new authorities that do not already exist, they can leverage the power of the White House to signal priorities and support the use of existing authorities to implement key priorities. All the EO provisions outlined by the speakers build on the maturation of the cybersecurity mission and are intended to address recent cybersecurity incidents.  

The EO has several innovative aspects. It leverages the procurement power of the federal government to impose reporting requirements and standards for service providers with which the federal government contracts.  This has the potential to have a ripple effect for the private sector; to set standards of care and best practices beyond the provision of services to the federal government. 

The EO also focuses on improving information sharing about potential incidents in the inter-agency process and through procurement power.  It eliminates roadblocks for private entities to share information with government and assists the government in preventing incidents from occurring in the first place.  The federal government observed that IT and OT service providers who contract with the government are hesitant and sometimes unable to share information with CISA and the FBI.  They often claim that their contracts prevent the sharing of information to any agency outside of their contracting partners.  The EO requires CISA to develop standard contractual clauses to be implemented through the federal acquisition regulation process.  IT and OT service providers will thereby be required to collect, preserve, and share data and to collaborate during investigations.  The EO goes beyond information sharing and provides standard formats to assist with investigation and remediation.  Section 2(g)(I) of the EO outlines the types of reporting that should be included in the contracts. 

Additionally, the EO creates a new Cybersecurity Safety Review Board, which will analyze broader, nationally significant cyber incidents affecting federal civilian information systems or non-federal systems, and make concrete recommendations for improving cybersecurity.  CISA is actively working to develop this Board.

The EO provides authorities to conduct threat-hunting authorities, ensuring that there is government-wide buy-in on CISA’s ability to use these authorities effectively.  It also includes desired improvements in cloud security and in the development of software used in the supply chain.

Recent cyber security incidents have revealed a lack of visibility into the cloud environment.  To address this, the EO requires CISA to develop a set of security principles that govern the cloud environment for federal agencies. The EO also requires the Secretary of Commerce, in coordination with National Institute of Standards and Technology (NIST), to publish minimum elements of the bill of materials and a definition of “critical software.”  The Secretary of Commerce is also responsible for recommending minimum standards for testing of third-party software source code by the third-party licensors. 

In addition, CISA can help federal agencies by providing a federal incident-response playbook and improving methods for detecting vulnerabilities.  Because currently CISA sees internet traffic only at the perimeter but not at the object (computer) level, the EO requires organizations to give CISA access to monitor object-level data and provide endpoint detection capabilities, allowing CISA a greater ability to look for malicious code and vulnerabilities.

When asked whether the EO sufficiently protects critical infrastructure, Dan Sutherland stated that CISA was taking substantial new steps to address recent issues.  Regarding possible metrics of success, he said that these metrics may include measurements of efforts and results and, since the EO has many short, aggressive deadlines, people should expect to see results such as patching happening quickly.

The final point the speakers addressed was on inter-agency sharing of information.  Under the Federal Information System Moderation Act (FSMA), every agency is responsible for its own security, while CISA provides only guidance and policies.  After the data breach at the federal Office of Personnel Management,[7] there was more cooperation and collaboration in the federal civilian executive branch.  The EO is further prompting federal agencies to work collaboratively.  In that regard, the EO calls for procedures for the Secretary of DHS and the Department of Defense to share all directives applying to their respective information networks. To take this a step further, the speakers recommended the cultivation of greater information sharing between the federal system and the private industry.

Our next article will focus on steps the private sector should be taking in light of new standards under the EO.

Read the second article in this two-part series, published in September 2021: https://businesslawtoday.org/2021/09/private-sector-actions-in-light-of-the-cybersecurity-executive-order/

[1]           Maame Nyakoa Boateng, a third-year student at Penn State Dickinson Law, contributed to this article.

[2]           Available at: https://www.whitehouse.gov/briefing-room/presidential-actions/2021/05/12/executive-order-on-improving-the-nations-cybersecurity/.

[3]           Department of Energy, “Biden Administration Takes Bold Action to Protect Electricity Operations from Increasing Cyber Threats,” April 20, 2021, https://www.energy.gov/articles/biden-administration-takes-bold-action-protect-electricity-operations-increasing-cyber-0 (last checked July 16, 2021). 

[4]           Cybersecurity Incentives, Federal Energy Regulatory Commission, Department of Energy, Notice of Proposed Rulemaking, https://www.federalregister.gov/documents/2021/02/05/2021-01986/cybersecurity-incentives (last checked July 16, 2021).

[5]           For those who missed the webinar, it can be viewed at https://www.americanbar.org/groups/cybersecurity/. 

[6]           Secretary Mayorkas Outlines His Vision for Cybersecurity Resilience, March 31, 2021, https://www.dhs.gov/news/2021/03/31/secretary-mayorkas-outlines-his-vision-cybersecurity-resilience (last checked July 16, 2021).

[7]           See https://www.opm.gov/cybersecurity/cybersecurity-incidents/.

On July 7, 2021, Colorado Governor Jared Polis signed into law the Colorado Privacy Act (CPA). By enacting the CPA, Colorado becomes the third state in the nation to implement a generally applicable consumer data privacy law, after California with the California Consumer Privacy Act (CCPA) and Virginia with the Virginia Consumer Data Protection Act (VCDPA). While the CPA is similar to the CCPA and VCDPA in many respects, it has a different scope and different obligations than those two laws. Accordingly, impacted businesses must conduct a separate scope analysis, and, if subject to the CPA, they will need to set up different business rules to comply with the law.

The CPA applies to person(s) that conduct business in Colorado or that produce products or services that are intentionally targeted to Colorado residents and that either (1) control or process personal data of at least 100,000 Colorado residents during a calendar year, or (2) derive revenue or receive a discount on the price of goods or services from the sale of personal data and process or control the personal data of at least 25,000 Colorado residents. The CPA applies to information that is linked or reasonably linkable to an identified or identifiable person acting in an individual or household context. The law also provides special protections for sensitive data, which includes personal data revealing racial or ethnic origin, religious beliefs, mental or physical health condition or diagnosis, sex life or orientation, citizenship or citizenship status, and personal data from a known child.

However, the CPA does not apply to, among other things:

• financial institutions or data subject to the federal Gramm-Leach-Bliley Act;
• certain activities regulated by the Fair Credit Reporting Act;
• information on persons acting in a commercial or employment context;
• deidentified data or, in some contexts, pseudonymous data; or
• publicly available information.

Consumer Rights

The CPA provides consumers with a number of rights related to their personal data, several of which are similar to rights available under the CCPA and VCDPA. Under the CPA, consumers have the right to:

• confirm whether or not a controller (the person that determines the purpose and means of processing personal data) is processing personal data;
• access their personal data;
• correct inaccuracies in their personal data, taking into account the nature of the personal data and the purposes for processing the personal data;
• delete personal data concerning them;
• obtain a portable copy of personal data that they access from the controller;
• opt out of the processing of personal data for (1) targeted advertising, (2) the sale of personal data, or (3) profiling in furtherance of decisions that produce legal or similarly significant effects concerning the consumer; and
• appeal a refusal to take action on a request to exercise a right under the CPA.

The CPA also requires controllers to adopt and offer, by July 1, 2024, a universal opt-out mechanism to allow consumers to opt out of the sale of personal data and opt out of the processing of personal data for purposes of targeted advertising under technical specifications to be established by the Colorado attorney general.

Controller Obligations

The CPA imposes different obligations depending on whether the business is a controller or a processor (the entity processing personal data on behalf of the controller). Therefore, a business will need to analyze whether it is acting as a controller or a processor when engaging in any personal data processing.

Under the CPA, controllers must, among other things:

• provide a Privacy Notice containing specific disclosures, including the categories of personal data collected, processed, and shared, the purposes for which personal data are collected and processed, the categories of third parties with whom the controller shares personal data, and, if selling personal data or processing personal data for targeted advertising, a clear and conspicuous disclosure of the sale or processing and how a consumer can opt out;
• limit processing personal data to what is adequate, relevant, necessary, reasonable, and proportionate in relation to the specified purposes for which such personal data is processed;
• not process personal data for purposes that are not reasonably necessary or compatible with specified purposes, unless the controller obtains consumer consent;
• take reasonable measures to secure personal data during both storage and use from unauthorized acquisition;
• not process personal data in violation of discrimination laws; and
• not process sensitive data without consent.

The CPA also requires controllers to conduct and document data protection assessments when conducting data processing that presents a heightened risk of harm to a consumer. Processing that presents a heightened risk of harm to a consumer includes engaging in the following activities:

• the processing of personal data for purposes of targeted advertising;
• the sale of personal data;
• the processing of personal data for purposes of profiling, where such profiling presents a reasonably foreseeable risk of certain types of harm to consumers; and
• the processing of sensitive data.

Processor Obligations

A processor must follow a controller’s instructions and must assist the controller in:

• responding to consumer rights;
• meeting data security and breach notification obligations; and
• providing information to enable the controller to conduct and document data protection assessments.

There are also requirements for contracts between controllers and processors as well as requirements for engaging subcontractors.

Enforcement

The Colorado attorney general and district attorneys have exclusive authority to enforce the CPA. The attorney general and DAs may seek civil penalties of up to $20,000 for each violation of the CPA, in addition to injunctive relief. The CPA provides for a 60-day right to cure.

The CPA does not provide for a private right of action.

Effective Date

The CPA will become effective on July 1, 2023.