The Role of the Investment Banker Compared to the Independent Valuation Analyst in M&A Transactions and Litigation

This article is the second part of a two-part series. In the prior article, I discussed flaws in the M&A deal process that have led to litigation. When a transaction is litigated, independent valuation analysts are hired to serve as expert witnesses and to provide an opinion of fair value.


Introduction

Fairness opinions for M&A transactions may be provided by either an investment banker or an independent valuation analyst. When M&A transactions are disputed, an independent valuation analyst (“valuation analyst”) hired by counsel to plaintiffs (or respondents, in the case of appraisal rights) may discover certain analysis performed by the investment banker that is unsupported.

This discussion focuses on the following topics:

  • Fairness opinions – differences between the role of the valuation analyst and the investment banker
  • M&A deal process – the role of the investment banker beyond the fairness opinion
  • Disputed transactions – the role of the valuation analyst as expert witness opining on fair value
  • Disputed transactions – examples of flaws in the investment banker’s analysis for the banker’s fairness opinion

Fairness Opinions for M&A Transactions

Valuation analysts may be retained to provide fairness opinions for private company M&A transactions. Many private companies conduct the transaction with in-house staff, or they may be owned by a private equity firm that has M&A expertise.

When a private company is experienced in negotiating M&A transactions, it may be capable of handling the deal process. In those circumstances, a fairness opinion may only be needed for a particular transaction.

Valuation analysts are not advocates for either the potential acquirer or the target company. Consequently, analysts do not accept contingency or performance-based fees as investment bankers do. Instead, fees are typically based on an agreed-upon budget or standard hourly rates. Such fees are usually significantly less than the contingency fees charged by an investment banker.

The valuation analyst’s fairness opinion typically consists of a written opinion, and may be accompanied by a financial analysis that includes a range of value. The business valuation approaches (i.e., income approach, market approach, and/or asset-based approach) applied by the analyst are often the same approaches applied by the investment banker.

Unlike the investment banker, the development and the reporting of the valuation analyst’s analysis and work product typically complies with promulgated professional standards. These promulgated standards may include the Statement on Standards for Valuation Services or the International Valuation Standards.

In some cases, publicly traded companies, or private companies that are targets of a public company acquisition, may retain an investment banker to provide M&A advisory services, as opposed to a valuation analyst. This is typically because of the need for additional services including management of the deal process, soliciting bids, and negotiating the terms of the transaction.

M&A Deal Process: The Role of the Investment Banker

The investment banker’s role in M&A transactions may vary based on several factors. The following discussion summarizes some of these factors.

  • Were the wheels already set in motion when the investment banker was hired, and was an acquirer nearly decided upon? If so, the investment banker’s role may be confined to managing the rest of the deal process and providing a fairness opinion. Sometimes, when the overture is from a strategic acquirer, the target company already knows the suitor company well. In this case, the investment banker will be used more as a reality check:
  1. to provide confirmatory analysis; and
  2. to evaluate the risk and reward of competing offers.
  • Was the target company desirous of being acquired, and had it already been approached by a suitor company? If the client intends to be sold and no suitors have been identified, or they have but discussions have not commenced, then the investment banker’s role will be far more extensive. Investment bankers will evaluate bids, which is referred to as buyer qualification, and may involve determining whether the bidders are:
  1. experienced in making acquisitions, which can affect the speed of the deal process;
  2. a good strategic fit, which may lead to a higher bid; and
  3. including contingencies.

    During the due diligence process, the target company’s investment banker can weed out bidders who may be “phishing,” where bidders have no intention of making the acquisition, but rather want access to competitive information via the bidding process. One procedure for rooting out this type of potential suitor is monitoring the data room for how long they spend on particular documents, such as the customer lists, and how little time they spend on other documents that a serious acquirer would ordinarily inspect at length.

  • Is the target company or the suitor company experienced with M&A? If management is inexperienced, the investment banker will need to spend much more time coaching management, being more involved with negotiations, and assisting with making financial projections.
  • Is there a need to accelerate the completion of the transaction? This factor can be a consideration when deciding whether to conduct an auction or a more targeted, high-level solicitation. The more entities poking around in the virtual data room, the longer it takes to complete a transaction.
  • Is the best strategic fit with one or two companies as suitors, or is a more competitive bidding process best? It is said that the auction process often produces the highest price. However, there are other important considerations, such as the length of the deal process, which may be longer for an auction. During that time, unforeseen economic events could lead to a lower stock price and a lower resulting takeout price.

Additionally, the more bidders that are involved, the higher the risk that the negotiations will be leaked to the public, leading to a higher stock price of the target (if publicly traded), and potentially spooking suitors. Another risk is that leaks can stoke fear in a company’s suppliers and customers that their treatment under the merged entity will not be the same.

A longer sales process can lead to employees resigning out of fear of losing their jobs. This could also kill a deal, because employees are part of the value of any company.

  • How much of the synergies are included in the acquisition price premium offered by the preferred bidder? The acquirer will usually pay a price premium that is less than projected synergies, which is a reasonable posture because otherwise there is no value to the deal for the acquirer.
  • Are private equity funds potential acquirers? Every private equity fund has a target internal rate of return (“IRR”). Knowing that IRR, the banker can model five to six years of cash flow projections (a typical investment holding period for a private equity company M&A transaction), make an assumption about an appropriate exit multiple, and backsolve for the acquisition price and implied pricing multiple that would allow the fund to achieve its targeted IRR. Such an analysis would help the target company:
  1. estimate the price that the private equity fund may be willing to pay; and
  2. compare that price to offers made by strategic buyers.
  • Are any of the final bidders insisting on a stock-for-stock transaction? If so, the investment banker will evaluate both the target company and the acquirer company. The range of value for each company will be used to determine the exchange ratio, or if an exchange ratio has already been agreed upon in principle, to determine if the exchange ratio is fair. Because the acquirer’s stock is the currency with which it will pay the merger consideration, the banker will assess whether the acquirer—and the resulting merged company—is a solid long-term investment.
  • How difficult will post-acquisition integration be? Achieving synergies depends on the success of post-merger integration. Investment bankers retained by the acquirer company rather than the target company may also assist with identifying pitfalls to post-acquisition integration. Information technology infrastructure is usually a big part of post-merger integration. The cultural fit is important—some companies have a “coat and tie” culture while others are more informal. Organizational charts are a consideration—the target company may have a simple structure where each employee reports to only one superior, unlike the acquirer. Ignoring the cultural fit can lead to employee defections after the merger.

Disputed Transactions: The Role of the Valuation Analyst

Investment bankers are not typically retained to prepare expert analyses and expert reports—or to provide expert testimony—in connection with litigated M&A transactions. However, the investment banker may be required to testify as a fact witness if the banker provided advisory work and/or a fairness opinion in the disputed M&A transaction. When a valuation analyst is retained as a testifying expert in a disputed M&A transaction, the work product typically consists of a written valuation expert report with exhibits. The valuation analyst’s expert report and exhibits may be more comprehensive than either the investment banker’s work presented in the proxy materials or the investment banker’s materials presented to the board of directors or the special committee.

Settlement discussions may occur in the litigation after the exchange of expert reports. If a settlement is not reached after the exchange of expert reports, each expert may be asked to analyze the work of the opposing expert—and to prepare a rebuttal report. Rebuttal reports respond to the analyses, inputs, and opinions of the expert hired by the opposing party. If a settlement still has not been reached, then deposition testimony, and potentially trial testimony, will follow.

There may be differences in the valuation inputs selected by valuation analysts serving as experts in litigation versus those selected by investment bankers retained for M&A. Among these differences is the valuation date. The valuation date applied by the valuation analyst may be the date the subject transaction closed. The valuation date applied by the investment bankers may be the date the transaction was approved by the board of directors. Due to the passage of time between the two valuation dates, there may be differences in the valuation variables applied by the investment banker versus the valuation variables applied by the valuation analyst. Some of these differences, like the present value discount rate and the debt-to-equity ratio, may be material.

Another difference is the quality of the analysis and the work product. The investment banker’s work product may be produced by bankers who do not have technical training in valuation practices and standards. This lack of valuation training may lead to unsupported judgments, for example, the selected cost of debt for the weighted average cost of capital calculation. The investment banker may ask one of the bank’s fixed-income traders or credit analysts what rate they would charge to the target company. In contrast, the valuation analyst may estimate a cost of debt based on an extensive analysis of market-based yields of guideline debt securities. The valuation analyst may also estimate a weighted average market-based yield if the target company has diverse business units with different credit profiles and different costs of capital.

Disputed Transactions: Examples of Potential Flaws in the Investment Banker’s Fairness Opinion Analysis

In many transactions, the investment banker’s presentation to the special committee or to the entire board of directors—often referred to as the “banker book”—is not required to be disclosed to investors. However, in a merger dispute, the discovery process often reveals both the final banker book and any prior drafts. Differences between drafts and the final analysis may be justified, but these differences may also raise questions.

The valuation inputs used by the investment banker in the fairness opinion analysis may be different from those of the valuation analyst if the transaction is disputed. The same is true for the valuation analysts hired by each opposing side. The following list presents some of the potential differences or, in some cases, flawed analyses:

  • Justification for the selected beta – If the target company was publicly traded, there may be a question as to why the investment banker selected a beta based on either comparable or guideline publicly traded companies—rather than the target company’s own beta. The time horizon for the selected beta (i.e., one-year, two-year, five-year) may also be a question. The usage of a Barra beta has in certain cases been rejected in judicial opinions.[2]
  • Capital structure – The capital structure used by the investment banker may be disputed. For example, the investment banker may select a capital structure based on an “optimized” capital structure, rather than the target’s actual capital structure, at the time the deal was approved. In contrast, the valuation analyst may base the analysis on the target company’s actual capital structure as of the unaffected date.
  • Long-term growth rate – Investment bankers and valuation analysts may disagree about the expected long-term growth rate. Whether the expected long-term growth rate should reflect only inflationary growth or include real growth may be debated.
  • Selection of comparable or guideline companies and transactions – The investment banker and the analyst may disagree on the companies that should be considered in a market approach analysis. In litigation, the court has the final say on which, if any, of the guideline companies are appropriate.

These are only some of the inputs that may be disputed. Others include the equity risk premium (historical v. supply-side), the cost of debt, adjustments—such as an underfunded pension plan and tax credits—and tax rate applied to financial projections.


[1] Verition Partners Master Fund Ltd. v. Aruba Networks, Inc., 210 A.3d 128 (Del. 2019).

[2] In an opinion by Judge Andre Bouchard of the Delaware Court of Chancery, he wrote that, “Barra calculates predicted, forward-looking betas using a proprietary model designed to measure a firm’s sensitivity to changes in the industry or the market….In Golden Telecom, this Court expressed similar concerns when it rejected the use of Barra beta because Barra did not publicly disclose the weight of each factor used in its proprietary model, did not explain the changes in different versions of the model, and because the expert who relied upon it did not fully understand all details of the model…. The Court emphasized that it was not rejecting the use of Barra beta in all cases, but noted that a record of how Barra beta works and why it is superior would be a necessary prerequisite to its adoption in other appraisal cases.” In re Appraisal of DFC Global Corp., Consolidated C.A. No. 10107-CB (Del. Ch. July 8, 2016): 20-23.

Getting Smarter about Data in Contracts for Physical Infrastructure

Each week we read reports of new deployments of smart devices and smart services. Gartner estimates that 25 billion connected things (IoT endpoints) will be in use by 2021, a 21 percent increase from 2019. Leading IoT endpoint sectors are utilities, physical security and government. Smart infrastructure and smart cities are finally living up to the hype.

Most new builds of physical infrastructure—roads, tunnels, airports, transport interchanges, bridges, buildings, utility networks—remain less smart. However, almost all new infrastructure is, or should be, informed by new sources and applications of data. Anonymized and aggregated mobile phone tracks are used to find correlations and patterns to model how unidentifiable individuals access airports or other hubs: from what locality, by what route, and by which mode of transport (private car, minivan, bus, train, etc.). Better data assists in minimizing deleterious environmental impacts, planning roads, and estimating likely traffic outcomes, all of which provides a better evidence base that can be used to reduce financing cost of new infrastructure builds. Data can assist humans to make smarter decisions about not-so-smart new physical infrastructure, as well as new smart buildings, cities, and utility networks.

In short, data and the use of new sources of data (including IoT services) can and should be an increasingly important factor in lowering the cost of, and maximizing value derived from, major infrastructure projects.

Analytics insights derived from data about engineering, construction, use, and maintenance of existing infrastructure can be leveraged into better processes and practices and lower costs in planning, executing, and operating new infrastructure.

Analytics insights as to patterns of use of new infrastructure, and as to changes in surrounding communities driven by new infrastructure, can dramatically improve assessment of outcomes of infrastructure builds, enabling innovative structures such as outcomes-based financing that uses quantitatively reliable and verified measurement of social outcomes.

However, standard contracts and contracting models in use today for commissioning and financing of new infrastructure, particularly by government authorities and utilities, have generally not kept pace with diversity in sources of data and new capabilities of data analytics to better inform such projects. As a result, too often government authorities and utilities are not achieving the best value for money in planning, building, and operation of newly commissioned infrastructure.

There are a number of reasons why this is the case:

  • The business lawyers most familiar with data contracts to date have been technology lawyers, not construction, finance, or infrastructure lawyers. Best practices in data contracting are now infiltrating other fields of business lawyering, but more slowly than would be ideal.
  • Data is itself not recognized as an asset class, so its importance can be overlooked.
  • Infrastructure sectors are only beginning to understand how to derive, capture, and fairly allocate value from data.
  • There remain misconceptions about data “ownership”. In particular, there is a common misconception that data can and should be dealt with in contractual provisions as a type of intellectual property, akin to treatment of engineering plans and design, and operations manuals and software. This analogy is often wrong in that the latter are usually protectable as copyright works and sometimes as patentable subject matter. Many data sources and data sets are not creations of original human endeavour and are therefore not protectable.
  • Insights from data analytics often are derived through a combination of data from multiple sources, or from different points within a multiparty data ecosystem, where the rights of aggregation, combination, and use to create outputs and insights are not properly captured and held by a single party, such as the commissioning party. Multiplicity of parties and of data custodians creates contracting challenges, particularly if data value is sought to be captured by commissioners of physical infrastructure as a trade secret (confidential information).
  • To the extent that the value of data in individual projects is assessed and brought into expense and revenue projections, data are often valued in relation to a specific project and not for their potential application to reduce the cost of building or operating a class of infrastructure assets more generally, or their potential use to increase utilization of an infrastructure asset and thus recover financing costs or amortize operating costs.

Misconceptions as to who “owns” data cause particular problems. Data, mathematical formulae, other algorithms, and algorithmic methods generally cannot be legally “owned” as ownership is legally determined in most jurisdictions. This is why talking about “licensing” data often does not make legal sense. As a result, it is sometimes said that “no one owns data.” That statement is technically true as a matter of property law in many jurisdictions. However, that statement is also quite misleading.

The key point is that legal ownership of data cannot be definitely assured through operation of intellectual property law or contractual provisions as commonly in use in infrastructure contracts today. Parties commissioning the physical infrastructure assets must be particularly cautious as to contracts they use to ensure that rights of and control of data use and reuse are properly captured and held by a single party, such as the commissioning party.

The problem partly arises as a result of fading of any distinction between “data” and (useful) “information.” We now are accustomed to using “data” as an omnibus term covering any and all of:

  • raw data (digital noise to humans) that may not be discoverable and interpretable by machines,
  • structured (transformed) data that is ready for machine interpretation, and
  • information (such as actionable insights) carrying human interpretable meaning, such as text, music, and images.

However, the distinction between data and information is critically important when considering intellectual property rights and other rights and legitimate expectations of parties “sharing” data in multiparty data ecosystems. As soon as we begin using the terms “data” and “information” interchangeably, we lose precision in analysis and in understanding about data value.

Notwithstanding these problems, it is possible to define certain ownership-like rights and obligations in relation to data.

The first option is to define ownership-like rights and obligations by contract, being rights and obligations that the contract counterparties agree will govern the relationship between them. The practical difficulty, however, is that contractual rights may only be enforced against a party to the contract in relation to:

  • acts or omissions of that party, and
  • acts and omissions of third parties for whom that party accepts contractual responsibility.

A second option is to use contractual provisions to leverage the diverse laws in many jurisdictions relating to confidential information or trade secrets. Trade secret protection is particularly important in relation to chemical, pharmaceutical, and nutraceutical data. The Coca-Cola recipe and Google search algorithms are famous trade secrets.

Section 1(4) of the Uniform Trade Secrets Act provides:

“Trade secret” means information, including a formula, pattern, compilation, program, device, method, technique, or process, that: (i) derives independent economic value, actual or potential, from not being generally known to, and not being readily ascertainable by proper means by, other persons who can obtain economic value from its disclosure or use, and (ii) is the subject of efforts that are reasonable under the circumstances to maintain its secrecy.

The World Trade Organization’s Agreement on Trade Related Aspects of Intellectual-Property Rights (TRIPS Agreement) provides that “Natural and legal persons shall have the possibility of preventing information lawfully within their control from being disclosed to, acquired by, or used by others without their consent in a manner contrary to honest commercial practices.” Broadly, nations that are signatories to the TRIPS Agreement must provide the right to control data that is (a) secret, (b) valuable, and (c) safeguarded.

The European Union’s to standardize the national laws in EU countries against the unlawful acquisition, disclosure, and use of trade secrets. EU Member States must implement the directive, which harmonizes the definition of trade secrets in accordance with existing internationally binding standards and defines the relevant forms of misappropriation. “Trade secret” is defined in Article 2 as information meeting each of the following:

(a) it is secret in the sense that it is not, as a body or in the precise configuration and assembly of its components, generally known among or readily accessible to persons within the circles that normally deal with the kind of information in question;

(b) it has commercial value because it is secret;

(c) it has been subject to reasonable steps under the circumstances, by the person lawfully in control of the information, to keep it secret.

“Trade secret holder” means “any natural or legal person lawfully controlling a trade secret”.

In Australia, trade secrets are generally regarded as a subset of protected confidential information. Protected confidential information requires four elements:

  • the information must have the necessary quality of confidence;
  • the information must have been imparted in circumstances identifying an obligation of confidence;
  • there must be an unauthorized use of that information to the detriment of the person who claims the confidence; and
  • the plaintiff must be able to identify with specificity, and not merely in global terms, that data/information which is said to be confidential.

Of course, if data has become public, the data is no longer confidential and is no longer a trade secret, regardless of whether the data remains commercially valuable. However, a collation of data that comprises a database may retain the necessary character of confidence where only some data (colloquially, “slivers” of data) from the much larger collation is released into the public domain. Accordingly, a publicly accessible database may be protected if the access is controlled and limited such that the combined accesses do not have the character of making the database broadly available. Also, more extensive data sets or fields from collation of data may be permitted to circulate within a controlled and limited section of the public under legally binding conditions as to confidentiality, and retain the necessary character of commercial confidence.

Further, even where data in a database is not protectable as a trade secret or other intellectual property, the way in which elements of the database are labelled, structured, managed, correlated, or used often will be protectable as a trade secret or as other intellectual property.

Clauses in infrastructure project agreements as commonly negotiated today, including in financing agreements, usually address ownership and assignment of intellectual property rights and rights in and to confidential information. However, these clauses are often not apt to capture and allocate data as a class of asset. These clauses often do not require each party in a multiparty data ecosystem to take all commercially reasonable steps to ensure protection of data that the party handles as a trade secret. Often the contract drafting leaves ambiguity as to which entity handling data within a multiparty data ecosystem is the holder of such rights as may arise in and to confidential information (trade secrets) in that data.

These issues can be readily addressed in well thought-through infrastructure contracts. The first step is to recognize the diverse data sets associated with design, build, operation and maintenance of infrastructure assets. The second step is to assess the value of that data and determine its fair allocation. The third step is to work out which entity should control (“own”) that data, and what each other entity handling that data should be contractually required to do to ensure that the ultimate data controller (“owner”) can protect and thereby derive that value. The fourth step is to work out what practical controls, safeguards, oversight and verification mechanisms, and other good operational data governance should be contractually assured. Only when each of these four steps is completed are the lawyers ready to draft the infrastructure contract. The standard or project infrastructure contract may need significant tailoring to ensure that:

  • key rights of and to data are properly captured and held by a single party, such as the commissioning party,
  • the complexities that arise from data arising from multiple sources at different points within a multiparty shared data ecosystem are properly dealt with so it is clear who holds rights in and to confidential information and trade secrets, including in further transformed and derived information (such as insights).

The world has moved on since clauses in some infrastructure project agreements in common use today were developed. Common use contracts now must catch up. Many parties commissioning and financing infrastructure builds are inadvertently giving away data value that they should capture for themselves – or at least gain value by trading away.

Protecting Delaware Insureds: Recent Decisions Highlight Importance of State Law, D&O Policy Provisions Governing Coverage, Forum, and Applicable Law

In three recent opinions, the Delaware Superior Court upheld the rights of companies and their officers and directors under directors and officers (D&O) liability policies in insurance claims involving a variety of disputed issues of state law. The disputed issues—ranging from jurisdiction over insurers under Delaware’s long-arm statute to the timing of declaratory judgment actions and indemnification of legal fees—highlight favorable principles under Delaware law and underscore the importance of choice-of-law and forum selection provisions in insurance policies.

Insurer Must Reimburse Legal Fees Incurred by Company in Defending against Former Employee’s Counterclaims

In Legion Partners Asset Management, LLC v. Underwriters at Lloyd’s London, the Delaware Superior Court granted a policyholder’s motion for partial summary judgment, holding that Lloyd’s was required to reimburse the company under a D&O policy for legal fees relating to an employee’s counterclaim in a company-initiated arbitration proceeding.

A former employee of Legion Partners filed a lawsuit in California state court against Legion and two of its principal officers, alleging breach of fiduciary duty, wrongful termination, and violation of California’s whistleblower statute. That same day, Legion filed its own arbitration demand, asserting that the employee violated his employment agreement. After the state court lawsuit was stayed in favor of the arbitration, the former employee asserted counterclaims against Legion in the arbitration that largely repeated the allegations in his original lawsuit.

Legion sought coverage from its D&O insurer, Lloyd’s of London, for legal fees and expenses incurred in both the state court lawsuit and in the arbitration. Lloyd’s denied coverage except with respect to the fiduciary duty claims brought against the officers in the state court lawsuit. Legion filed suit against Lloyd’s and moved for summary judgment, arguing that Lloyd’s had wrongfully refused to reimburse the legal fees incurred by the company and the two officers in defending the arbitration counterclaims.

At the outset, the court recognized that even where the insurer had a “duty to advance” rather than a “duty to defend,” Delaware courts construe both duties “broadly in favor of the policyholder” and that the insurer’s duty to advance defense costs was triggered where a claim “could result in indemnity.” Moreover, under Delaware law, the court was not constrained by how the claims are “characterized or formally titled in the pleadings.” Rather, it considered both the facts alleged “and the reasonable inferences to be drawn” from those facts to determine whether the allegations as a whole “assert a risk within the policy’s coverage.”

Applying these principles, the court held that the allegations of the counterclaims asserted a risk within the policy’s coverage under two separate insuring agreements; therefore, Lloyd’s was required to reimburse all legal fees incurred in defending against the former employee’s counterclaims. The court first found that the D&O policy’s coverage for loss arising from claims against the company was triggered because the former employee alleged that Legion, acting through the two officers, breached fiduciary duties. In addition, looking beyond the employee’s “characterizations of his claims,” the court could “reasonably infer” that Legion, through its officers, also allegedly acted against its investors’ interests and violated federal laws by leaking nonpublic information.

The court also broadly construed the phrase “for a Wrongful Act,” recognizing that a claim “need only arise from Wrongful Acts” such that the claim need not “request certain relief that would impose legal liability on the Insureds for the Wrongful Act.” Noting that Lloyd’s “cannot avoid either the broad definition” of “Wrongful Acts” or the broad causation between wrongful acts and the claim, the court held that the alleged acts by the company, through its officers, triggered coverage under the policy.

Next, the court found that the arbitration counterclaims also triggered the policy’s insuring agreement for payment of loss that the company pays as indemnification to individual insureds. Because the counterclaim was a “Claim” and alleged that the two officers breached their fiduciary duties and violated federal law, the “allegations and the inferences to be drawn from them” constitute “Wrongful Acts” as defined in the policy.

For these reasons, the counterclaim was one for a “Wrongful Act” by insured persons, even though those persons were not named as defendants in the arbitration, meeting all requirements to trigger coverage.

Delaware Court Has Jurisdiction over Insurers Insuring Persons Located in Delaware Who Seek Coverage for Insured Risks in Delaware

The Delaware Superior Court in Energy Transfer Equity, L.P. v. Twin City Fire Insurance Co. issued two separate decisions, both in favor of the policyholder, in a suit filed by Energy Transfer, one of the largest midstream energy companies in the United States. Energy Transfer was sued in a class action lawsuit (the “Dieckman Action”) alleging breach of a partnership agreement of an affiliated entity, Regency.

The Dieckman Action sought $2 billion in damages and alleged that Energy Transfer’s acquisition by merger of Regency violated the Regency partnership agreement due to undisclosed conflicts of interest, inadequate negotiations, and other issues with the transaction. A trial in the Dieckman Action took place in December 2019, and the parties submitted their final post-trial briefings on September 15, 2020.

Energy Transfer notified its D&O insurers of the Dieckman Action and sought coverage under 17 different policies providing $170 million in coverage. The insurers agreed to pay defense costs, but disputed obligations to indemnify the insureds. Energy Transfer filed suit against the insurers, seeking a declaration that the insurers had a duty to indemnify the insureds and demanding damages for the insurers’ anticipatory breach of the D&O policies. Certain insurers filed two separate motions to dismiss—one on jurisdictional grounds and one on ripeness of the prospective duty to indemnify. The court denied both motions, each of which is discussed below.

The insurers’ jurisdictional motion to dismiss contended that the court lacked personal jurisdiction over them. The insurers also argued that Delaware’s long-arm statute did not apply and that exercising jurisdiction would violate the insurers’ due process rights. Energy Transfer responded that the court had personal jurisdiction over the insurers because the insured persons were located in Delaware and sought coverage for risks located in Delaware.

The court agreed with Energy Transfer and dismissed the motion. The court recognized that, even if it is “tempting” to argue lack of personal jurisdiction, the facts supported jurisdiction. First, the Delaware statute conferring personal jurisdiction over nonresidents in cases involving insurance contracts applied where: (i) the insurers issued insurance contracts to the insureds; (ii) the insureds are located in Delaware and are organized under the laws of Delaware; and (iii) the policies are D&O policies “insuring the actions of officers and directors of Delaware corporate entities.” The court held that the insurers were defendants who issued “contracts to insure” persons (i.e., the insured entities and their officers and directors) located in and to be performed in Delaware, which was sufficient to confer personal jurisdiction over Energy Transfer’s claims.

Second, the court determined that exercising personal jurisdiction over the insurers would not offend due process. Longstanding Delaware authority has held that nonresident insurers issuing policies for Delaware corporations “must have foreseen the possibility that [they] could be haled into court in this forum.” Citing this “guiding precedent,” the court found that the Energy Transfer insurers had sufficient minimum contacts with the forum by entering into D&O insurance contracts with Delaware corporations that provided coverage for their officers and directors.

Practically speaking, the court further noted that “rarely are officers and directors of a Delaware entity sued for a breach of fiduciary duty outside of Delaware.” The court reasoned that the duty to defend and indemnify “would likely be in Delaware,” as in the pending Dieckman Action, and that “any coverage dispute litigation would be in Delaware.” Therefore, the court saw “no reason” why the insurers should not be required to remain in Energy Transfer’s coverage action.

Duty to Indemnify Claim Presents Justiciable Controversy under Delaware Law, Even Before the Award of Damages or Settlement in the Underlying Action

The second motion to dismiss ruling in the Energy Transfer coverage dispute concerned the justiciability of the insureds’ request for declaratory relief under the D&O policies regarding the insurers’ duty to indemnify. The insurers argued there was no “ripe controversy” for adjudication because, even though the Dieckman Action trial had concluded and the parties submitted post-trial briefings, the claim had not resulted in any award of damages or settlement invoking the duty to indemnify. Energy Transfer opposed the motion, arguing that the complaint “establishe[d] a sufficient basis to conclude that the relevant Policies are implicated” and met all requirements for declaratory relief under Delaware law.

The court declined to dismiss the action. Guided by Delaware Supreme Court precedent instructing courts to undertake “a common sense assessment” in balancing the interests of the party seeking relief against the need to postpone judicial review until the question presented arises in a more concrete and final form, the trial court found that Energy Transfer had met its burden to present a justiciable controversy.

The court found that a coverage determination was appropriate under the circumstances where the insureds were involved in active litigation, final briefing is complete after trial, and “a determination should be made soon” with respect to any ultimate liability in the Dieckman Action. Delaware law dictated that the court “take into consideration the legitimate interests of the Insureds in a prompt resolution, the hardship of delay, the prospective of future developments that might affect the determination made, and the need to conserve scarce resources.”

All factors weighed in favor of the insureds, the court concluded, where the Dieckman Action was close to a decision on liability, the insurers had denied coverage on a claim that may soon impose liability on insureds under the policies, and judicial economy would not be preserved by dismissing the action without prejudice, only to have it refiled when a final decision is reached. Moreover, because not all insurers moved to dismiss, the civil action would still proceed regardless of the court’s ruling on the pending motion. Thus, the controversy presented was “mature enough where judicial action is appropriate.”

Takeaways

The three Delaware decisions in Legion and Energy Transfer highlight several key principles.

The first is that Delaware courts continue to uphold numerous principles favoring policyholders which protect Delaware corporations and their officers and directors in the event of a disputed insurance claim.

Duty to Advance Defense Costs. Delaware courts evaluate an insurer’s “duty to advance” defense costs “broadly” under the more favorable “duty to defend” standard, where the insurer must reimburse defense costs under D&O policies when there is even the potential for coverage that “could” result in indemnity. See Hurley v. Columbia Cas. Co., 976 F. Supp. 268, 275 (D. Del. 1997) (“[T]here does not exist a significant difference between the duty to defend and the promise to advance defense costs, other than the difference between who will direct the defense.”). The rule in Delaware is consistent with other jurisdictions that have interpreted the duty to advance defense costs broadly in favor of the policyholders seeking protection under D&O policies. See, e.g., Acacia Research Corp. v. Nat’l Union Fire Ins. Co. of Pittsburgh, PA, No. SACV 05-501 PSG MLGX, 2008 WL 4179206, at *12 (C.D. Cal. Feb. 8, 2008) (“as with a duty to defend, [insurer’s] duty to advance defense costs arose on tender of a potentially covered claim”); Liberty Mut. Ins. Co. v. Pella Corp., 650 F.3d 1161, 1170 (8th Cir. 2011) (recognizing that “the duty to reimburse defense costs and the duty to defend are different but ‘similar in result’ and concluding that, even though this case does not involve a duty to defend, the parameters of that duty, under Iowa law [which is materially similar to Minnesota law on the duty to defend], nevertheless guide our analysis of [the insurer’s] duty to reimburse . . . defense costs”); Aspen Ins. UK, Ltd. v. Fiserv, Inc., No. 09-CV-02770-CMA-CBS, 2010 WL 5129529, at *3 (D. Colo. Dec. 9, 2010) (“[T]here are no material differences between a duty to defend and a duty to advance Defense Expenses.”); Julio & Sons Co. v. Travelers Cas. & Sur. Co. of Am., 591 F. Supp. 2d 651, 660 (S.D.N.Y. 2008) (same); Goldberg v. Nat’l Union Fire Ins. Co. of Pittsburgh, PA, 143 F. Supp. 3d 1283, 1293 (S.D. Fla. 2015) (“Generally, courts have ‘viewed an insurer’s duty to advance defense costs as an obligation congruent to the insurer’s duty to defend, concluding that the duty arises if the allegations in the complaint could, if proven, give rise to a duty to indemnify.’” (quoting Fed. Ins. Co. v. Sammons Fin. Grp., Inc., 595 F. Supp. 2d 962, 976–77 (S.D. Iowa 2009) and collecting cases)), aff’d, 861 F.3d 1335 (11th Cir. 2017).

Broad Definition of “Wrongful Acts.” Delaware courts have looked to the actual language of D&O policies, specifically the definition of “Wrongful Act,” which in many cases includes a broad range of conduct (e.g., “acts,” “omissions,” “misrepresentations,” “statements”) that extends well beyond traditional alleged “breach of fiduciary duty.” Despite the nomenclature in the defined term, many such definitions also do not even require the precise conduct by the insured officer or director to be “wrongful,” only that the claim alleges an “act” committed or attempted by an individual insured in his or her capacity as an officer, director, or other insured. Policyholders can leverage expansive definitions to bring numerous insureds into coverage under a D&O policy, even if the insured is only alleged to have incidental involvement in the circumstances giving rise to the claim.

Looking Beyond Labels to Find Coverage. In construing allegations broadly in favor of policyholders, Delaware courts, like the court in Legion, do not rely solely on the “characterizations” of causes of action or remedies by the underlying claimant. Instead, focusing on the actual policy language used, they determine whether the facts alleged against the insureds trigger D&O policy insuring agreements, many of which require only “Claims” that “arise from” wrongful acts. As a result, policyholders may find coverage exists even where officers and directors are not named as defendants, but are nevertheless involved in the alleged wrongful conduct.

Utilizing Declaratory Relief to Protect Insureds Facing Exposure. Delaware courts also permit policyholders to protect themselves proactively from imminent potential exposure by seeking declaratory relief, even where the adverse event has not yet occurred. Permitting “mature” D&O indemnification disputes to proceed allows officers and directors to seek protection from insurance without forcing them to wait until after an adverse judgment is entered.

Furthermore, Delaware corporations, and their officers and directors, should be able to take advantage of favorable jurisdictional law. As in Energy Transfer, insureds can rely on Delaware law to oppose jurisdictional challenges by insurers that attempt to move coverage actions to less favorable forums, which may apply different state law. Insurers issuing policies to Delaware entities and individuals to insure risks in Delaware or actions taken on behalf of Delaware corporations should foresee the possibility of being sued in Delaware.

To be sure, while the decisions above are favorable on several key coverage issues, not all Delaware insurance principles favor policyholders, as recent opinions by the Delaware Supreme Court overturning pro-policyholder rulings on several important D&O coverage issues have shown. See, e.g., In re Solera Ins. Coverage Appeals, No. 413, 2019, 2020 WL 6280593 (Del. Oct. 23, 2020) (reversing Superior Court ruling that Delaware statutory appraisal action was a “Securities Claim” under D&O policy); In re Verizon Ins. Coverage Appeals, 222 A.3d 566, 577 (Del. 2019) (reversing lower court ruling that bankruptcy trustee suit constituted “Securities Claim”). Thus, careful analysis of applicable state law based on the particular facts and policy language at issue is required.

Finally, policyholders should carefully review their D&O insurance policies, both when placing the policies and when they receive a claim, for any choice-of-law or forum selection provisions that may affect the ability of insureds to choose their preferred forum or otherwise take advantage of the favorable principles described above. Even where policies are silent on these issues, policyholders should carefully consider choice-of-law and forum selection early in any claim scenario to account for variances in state law, court disposition, and judicial tendencies that could have significant impact in the event of litigation or arbitration.

In Crisis, What Makes Lawyers Leaders?

Lawyers within corporations and other large organizations tend to play the role of safe harbor. When storms appear and circumstances become uncertain or stressful, sooner or later lawyers—in particular, the general counsel—find a way to calm things down.

Lawyers are also crisis managers. It is no surprise, then, that a lot of organizations are turning to lawyers to take on broader leadership and strategic roles. We are weathering a sustained crisis unlike any we have seen, and some issues can only be resolved after being considered through a legal lens.

Consider the healthcare industry. In the early days of the COVID-19 pandemic when states and municipalities began to issue workforce stay-at-home orders, it became clear that such orders could not meaningfully apply to hospital workers—how could an entire nursing staff, for example, work from home? It was lawyers who stepped in to help healthcare organizations communicate with lawmakers and navigate the uncertainty around regulatory demands. Across industries, lawyers have helped make sense of the business impact of the pandemic on day-to-day operations.

Another area where lawyers have stepped in to lend expertise is around matters related to social unrest and the push for greater diversity, equity and inclusion across society. Lawyers are skilled at working with seemingly opposing viewpoints to achieve consensus and progress. They know the legal framework within which change can happen. Thus, many organizations’ initiatives around diversity, equity and inclusion are being supported if not spearheaded by their legal counsel. 

The COVID-19 pandemic has shined a spotlight on lawyers as leaders. It has made organizations realize that greater responsibilities and authority should be placed on the shoulders of their top legal experts.

Born to Lead?

Even before the COVID-19 pandemic, of course, lawyers were being tapped to lead an increasing number and variety of organizations. Take colleges and universities, for example. The number of lawyers in the role of president in higher education has more than doubled in each of the past three decades according to Patricia Salkin, provost of the graduate and professional divisions of Touro College in New York and a lawyer herself. Today’s colleges are big businesses, and the task of leading them has become much more complex, she notes. She adds that stakeholders in academia—as with most industries—are increasingly litigious in regard to issues concerning the First Amendment, privacy and intellectual property, Title IX and more. It makes sense, then, that lawyers are coming to the fore in academia.

What traits do lawyers have that help them lead well amid great uncertainty? For one thing, during these polarized times, lawyers (as if dealing with opposing counsel) have a knack for navigating situations with widely divergent opinions. They are pragmatic, logical thinkers who can view complicated matters from different angles and find resolutions. This is what has always made them good politicians.

In addition, lawyers—the good ones, at least—tend to have deep empathy and emotional intelligence. In an era that cherishes data and bean-counting to a fault, the human component needed to overcome challenges can be lost. Rather than being data-driven, lawyers bring a more philosophical, holistic approach to leadership.

Not all lawyers were born to lead, of course. Individuals who are fiercely independent thinkers, as lawyers often are, can find it challenging to manage teams and develop staff. Those who join the executive ranks often lack fundamental business and managerial skills that top executives need, such as budgeting, financial management and organizational behavior—the type of skills taught in business school.

An Emerging Trend

Researcher M. Todd Henderson at the University of Chicago Law School asked whether lawyers make better CEOs than MBAs. In his research, he found that firms run by lawyer CEOs experienced much less corporate litigation than their MBA counterparts, the thinking being that CEOs with legal expertise tend to know how to manage litigation risk and thus pursue more risk-averse strategies. Henderson states, therefore, that CEOs with legal backgrounds often create higher firm value.

This may be just another reason that lawyers are increasingly found in high-profile leadership roles above and beyond the legal department. As an executive recruiter, I expect this trend to continue. There are so many critical leadership roles today that require both legal acumen and the innate ability to lead that many lawyers have.

No More Excuses! Build a Contact List to Fuel Your Career

No more excuses! Do you feel you’re too old, too young, too new, too introverted to connect successfully with people who can help your career? Nonsense. Everyone needs to build a contact database. Anyone can build one.

Most jobs are found through informal networks of connections, the “six degrees of separation” that link disparate people through a chain of friends of friends. Those connections should live in a contact database. That database is ground zero for your networking strategy. Because of the symbiotic relationship between who you know and what you do, it is imperative that you pay attention to your contact list. Let’s begin.

Who Is in Your Network?

Your network should include people from:

  • Your past—people you used to know
  • Your present—people currently part of your world
  • Your future—people you would like to know

Contacts come not only from these three points in time, but also, as diagram 1 shows, from three overlapping activity spheres: the personal, aspirational, and occupational.

Aspirational and occupational spheres are the most relevant for careers. These contacts are your links to other career paths, geographic moves, and the next steps in your current chosen field.

  • Many people equate their contacts with the personal sphere. These people are your best friends, family, and other close contacts who provide backup and support. They also usually support your thinking rather than add new ideas, and so are less useful than the other spheres for the purpose of career changes.
  • Your occupational sphere includes people from current and past work lives, people in complementary professions, vendors who sell to you, your clients, and your friends. Their careers and contacts lead to information and introductions.
  • Aspirational ties typically represent your weakest links. This is your dream builder, the knowledge enhancer network. You find these links everywhere—at events, on social media, in reading material. They include experts in your own field, areas you want to learn more about, or fields you might consider.

People in your aspirational network can help you develop the skills and knowledge you need to succeed. They may be successful business executives or innovators. Some will teach you new hobbies or life skills. Others will be thought leaders, visionaries, and coaches. Each of them exposes you to new ideas and ways of acting that prepare you to move forward.

Weak Links

Of course, contacts should include best friends: strong ties you go to for comfort, support, and confirmation. “But if your network only includes people like you, you probably will have less access to new ideas and opportunities. . . . People who network strategically make use of both their strong and weak ties; the former for support, the latter to bring in new information.”[1]

Weak ties connect you with acquaintances or friends of friends. They are people on your holiday card list, people whose business card you kept just in case, friends of your friends: “someone you know cursorily or historically or maybe even through a network of friends. Someone you used to work with, someone whose kid was on your kid’s soccer team 10 years ago, a former neighbor, an acquaintance in a professional group. And strangely, it’s someone who can make a difference.”[2]

“When you look at charts showing network relationships you can see the importance of weak ties in creating linkages between pods of personal, strong networks.”[3] Weak ties bring new insights into your network.

How Do I Build My List?

Theoretically, the size of any network is infinite. If you ask any networking contact to introduce you to any close contact and if you assume that every person has at least fifty close contacts, the numbers are overwhelming.

You can make adding contacts more realistic, manageable, and effective by tying them to your career goals.

  • Where are you now in your career?
  • Where do you want to be in five years? Ten years?
  • What do you need to know and learn to get there?
  • Who do you need to know to find out the answers to these questions?

Answers to these four questions will create your path to contact list amplification. Remember: You are not necessarily looking for a greater number of strong relationships. Your focus, rather, is on expanding medium and weak links to people with new ideas and areas of influence who can introduce you to their network.

Begin by going through old business cards, address books, college directories, office personnel lists, colleagues on nonprofit boards, friends from community activities, and so on. Add speakers from saved conference agendas. Add authors you hold in high regard. Add professors, consultants, mentors, inspirational leaders. Add them all to your contacts database.

From this expanded contacts list select twenty-five names that seem most relevant to your goals. Turn to online sources to update what you know about them.

  • Research online to see where they have been and where they are now.
  • Check their profiles on LinkedIn and their workplace websites.
  • Find the contacts whose career trajectory or current workplaces interest you.

Turn Paper Connections into Live Relationships

Create networking strategies to forge connections. Think of career networking as forming relationships with people and organizations to help you understand your career choices. Remember: These are relationships built on reciprocity. As you learn about others, you will look for ways to help them reach their goals, and they will do the same for you.

Are you thinking it will be awkward to suddenly burst upon someone you haven’t seen or heard from in years? It could be; but it’s more likely that if you frame it correctly, they will be pleased to reconnect and will be flattered that you want their advice. To begin, connect first by email to set a time to talk, make them a LinkedIn connection, and send an in-mail request for an information interview, or just pick up the phone and call.

Begin Conversations with the Truth

  • With a friend from “past lives”: “I know it’s been ages since we talked. I am calling now to see how you are doing and ask you for career advice.” [Talk about how they are doing now.] “I want to move from _______ to your practice area. I hope you can help me understand what I need to do to prepare for this kind of work and what is the best way to find such a job. Could we schedule a 15-minute conversation?”
  • With an acquaintance: “I don’t know if you remember me. We met _______. I was impressed with your career trajectory. Now I am looking to do the same kind of thing. I wondered if we could schedule a 15-minute call?”

Remember, please, to keep them in the loop. Thank them for having agreed to the call, and, if you act on their advice, let them know what happened.

Keep Your List Fresh

List-building is an iterative process. As your career ideas change, so too should people on the list. Make it a habit, after every networking activity, to add new names or add new information to names already on the list. For example:

  • At your monthly networking group meeting, you heard that Charlie was changing firms. After the meeting, update your database and call him to congratulate him and find out more about the move. Record your action and what you learned in your database.
  • After an event, add the names of the handful of people with whom you had meaningful conversations, making sure to add the specifics of where you met them, why they were there, and conversation highlights.
  • Every six months, go through your list to winnow outdated contacts and identify gaps you need to fill to keep the list in line with your current goals.

Keep building and expanding the interest areas of your contacts and you will have a ready resource for wherever your career takes you.


[1] Carol Schiro Greenwald, Chapter 3, Strategic Networking for Introverts, Extroverts and Everyone in Between (ABA, LPD, 2019), p. 34.

[2] Marc Miller, “To Get a Job, Use Your Weak Ties,” August 17, 2016, forbes.com/sites/nextavenue/2016/08/17/to-get-a-job-use-your-weak-ties/#2619254a6b87.

[3] Greenwald, Strategic Networking for Introverts, Extroverts and Everyone in Between, p. 34.

Keys to Remaining Legally Compliant When Reopening the Office

It seems each day another company is extending their work from home time. Massive enterprises like Google, Amazon Corporate, and Indeed have already postponed a return to the office until 2021, whereas others like Facebook, Twitter, Slack, and Zillow have made remote work permanent.

However, many businesses still face the decision of whether to return to the office, balancing the benefits of returning against the risk of exposure. As general counsel, you are tasked with not only helping your company find this balance, but also ensuring the company is legally compliant. Legal obligations will vary based on where your business is located and in what industry. Although it can be helpful to look at what other companies across the country are doing, keep in mind they may have different regulations to follow. 

Reopening must begin with a plan. You must decide ahead of time how you are going to keep workers safe, how you will monitor the health of employees, what you will do in case of a positive case, and what options you will offer employees. Let’s walk through the key considerations to evaluate ahead of reopening. 

Check Local, State, and Federal Regulations

Where your business is located will influence what policies you put in place, given that they must align with government regulations. There will be certain protocols to follow related to the maximum capacity allowed in the office, mask wearing, and how to report cases. There are various resources you can look to for learning the guidelines:

Review Insurance Policies 

Many insurance companies have begun issuing regulations and requirements for businesses, such as the consent required from employees or customers. You likely already reviewed your insurance coverage to check whether you were covered for event cancellation or business interruption, but don’t forget to recheck prior to opening. Another consideration is workers’ compensation. If an employee were to contract the virus after returning to the office, he or she might seek coverage. Read up on the details of your policy to ensure you know what is and is not covered.

Create a COVID Waiver 

One of the best ways companies can manage risk and return to work is through a basic waiver for employees to review. It should outline what you are doing to keep workers safe, obtain consent by asking employees to acknowledge and agree they are aware COVID exists, and confirm, should they show up to work sick, that they could get others sick. It’s crucial that employees are allowed to review the waiver and make a decision for themselves on whether they return to work. A waiver will not be as effective if there are no options available, and forcing employees to return to work and sign an agreement will put you at risk of future class-action lawsuits. 

Think Through Additional Agreements

Beyond a COVID waiver, reopening will require several types of agreements and policies. Some of the most pertinent assessments, waivers, and consents include: daily health certifications, distancing policies, mobile symptom screening, and contact-tracing consents. Create a general policy with information such as hygiene best practices, modified work schedules, what should be done if an employee experiences symptoms, and how to handle exposure to the virus. If you plan to test employees, an informed consent is critical. States have various requirements for what the consent should include, but most incorporate these elements:

  • a description of the test
  • a statement of the test’s purpose
  • clarification on whether the test was ordered by a physician or is self-directed by the individual
  • information on the reliability of test results 
  • identification of the person(s) with whom the test results may be shared and why
  • a general description of the disease or condition that is being tested

Provide New Ways to Sign Agreements 

Part of reopening is determining how to account for social distancing across your business. Many processes cannot be done the same way they were previously. A perfect example is signing contracts. In order to properly social distance, pen and paper are no longer an option. Consider the HR contracts to put in place and ask yourself: 

  • Do you have a way to hire employees remotely? 
  • Is there a self-service option for sales teams to issue agreements with new customers? 
  • What about the return-to-work waivers? 
  • Do you have a scalable way to capture consent? 

You obviously want to get all employees to participate. With daily certifications and symptom screening, you must make the process as easy and seamless as possible for employees. This means eliminating the friction of pen and paper or even PDFs and eSignatures. Employees have enough to worry about when returning to work, so you don’t want to add to that by requiring them to find a document to download, sign, and upload each day. Consider setting up your agreements as a one-click contract, where employees can take one simple action to execute the agreement. 

Store Record of Acceptance 

Not only must you have agreements in place and new methods of capturing acceptance, but you also must ensure you are keeping records. Insurance might require information on consent waivers issued to employees. If an employee seeks workers’ comp from contracting the virus at work, they must prove the infection occurred at work. Records of symptom screening and waiver acceptance will play a big role in that. Not to mention, with the potential of lawsuits from employees or customers, you want to ensure you are able to produce records at any moment.

The number-one priority is to reopen safely. Don’t feel rushed to reopen. Take time now to plan for how your business can open in a legally compliant and safe manner.

Leveraging Trusted Methods to Mitigate FCPA Risk during COVID-19

Prior to the COVID-19 pandemic, investigators relied on a proven playbook for addressing potential bribery and corruption: due diligence into relevant personnel or vendors, in-person interviews, and surveillance operations. Meanwhile, audit teams reviewed archived records, historical issues, and wider market practices to discern common techniques, missteps, or potential problem areas. This process is more complex during the pandemic. Triggers for an FCPA investigation and the possible steps to address violations have shifted, obfuscating the future of these investigations and enforcement. The following discusses practical strategies for navigating this altered landscape.

Changes in the Field

An understanding of your FCPA risk profile—your vulnerabilities, compliance history, and partners—means reduced risk and increased post-incident control. Before the pandemic, risk profiles were likely more easily assessed, with security measures set up based on known patterns of industry or geographic risks. This profoundly changed because of the pandemic. Now, a more active approach is necessary. To anticipate issues, you must devote proper attention and analysis to the aspects of your business most disrupted by the pandemic—even those aspects not historically associated with FCPA risk.

Consider supply chains: As international providers are forced to adapt at every level—from product sourcing to tax approvals, customs brokerage, or transport management—there is immense pressure to maintain the consistency that their clients expect. A dramatic rise in the use of facilitation payments is sure to follow. Already a pronounced risk, these payments are often used to streamline the supply process. Businesses returning during the pandemic may scramble to recoup the months of losses accrued during quarantines. This combined with rising unemployment and income concerns creates additional stress for employees to meet deadlines and achieve results. This also creates a heightened risk of potentially improper payments and damage to the company. As businesses continue to respond to the pandemic, additional vulnerabilities may develop that further underscore every company’s need to examine the more stressed aspects of its operations.

Changes to Your Approach

Organizations must adapt their approach to meet the new challenges of corruption during the pandemic. The reality is that some historically successful methods, particularly in-person interviews, are not currently viable. As measures against physical contact preclude in-person solutions, investigators and auditors must rely on remote or digital methodologies to address potential corruption. Now is the time to use proven methods to address current challenges: self-assessments. In our experience, self-assessments and compliance program audits are powerful and proactive tools to combat corruption risk and mitigate current exposure. These tools allow an organization to have visibility through remote review of books and records and any programmatic weaknesses.

Self-Assessments. Self-assessment forms should be sent to all parties, whether internal or at a vendor, who interface with government officials or operate in historically vulnerable regions or industries. During the assessment, the responding parties answer multiple questions designed to identify risk and provide data to evidence compliance with corporate policies, procedures, and initiatives. Compliance is then rated on a one-to-five scale, ultimately allowing the organization to make an informed decision on next steps, which could potentially include a deeper investigation. Self-assessments also help to scale audits by identifying practical risks and to limit the need for in-person procedures.

Compliance Audits. Anti-corruption program compliance audits are also critical to helping companies uncover and remediate nascent issues before those issues rise to the level of criminal activity, civil liability, or regulatory action. As part of these audits, financial information is reviewed to ensure that expenditures for government-related services are appropriate and accurately recorded in the company’s books and records. Analytics often will reveal discrepancies between expense reimbursement requests and invoices, requiring a more detailed review. Armed with this information, a company can make an informed decision about policy and procedure changes, remedial action for any employees involved, and the need for further employee training. An informed decision can also be made about whether the company self-reports to regulators.

Changes to Your Culture

Although training, self-assessments, and compliance audits are critical, proactive approaches to mitigating corruption risk, it is also essential that your overall compliance program be nimble enough to react swiftly once an issue is suspected or identified. Review your FCPA training and guidelines to ensure both employees and business partners are made aware of the communication channels available to them for reporting suspected or witnessed wrongdoing. This should include contact information for compliance officers as well as an anonymous and confidential reporting option. Efforts should include ensuring that all reports are reviewed by a trained, objective, and independent team that is well-versed in how to respond to corruption-related allegations, evaluate the issues, and determine whether an internal investigation should be initiated. 

Conclusion

Ultimately, the COVID-19 pandemic heightens the risk of corruption and bribery exposure even in traditionally compliant departments as employees and third parties face pressure to reverse the negative effects of the recent economic downturn. Investigators and auditors, meanwhile, can depend on trusted existing strategies to create sensible, scalable, and remote solutions.

Driving to One-Click: The New Point of Sale

Although the financing of consumer goods and services is not a new concept, there has been a recent, rapid evolution in the methods, means, and speed of providing point-of-sale financing to consumers. The history of consumer credit traces back to retailers permitting consumers to pay for goods and services over time. Financing of goods and services was later outsourced to banks and finance companies who took on the risk, and reward, of financing on the retailer’s behalf. As time went on, the correlation between the creditor and the retailer became closer, at times becoming difficult to differentiate between the retailer and the creditor through the sales and financing process. Despite this point-of-sale financing evolution, roughly the same disclosure regime remains in place from 40 years ago.

Existing model disclosures are built for a physical world, but exponentially more transactions are taking place electronically, with this number drastically increasing due to the recent pandemic. The devices consummating these transactions are getting smaller and more mobile. Many model forms are built for 8½ × 14 paper, yet the size of Apple’s latest iPhone is 5.78 inches by 2.82 inches. Few creditors are deviating from model forms given the regulatory safe harbors afforded. Unfortunately, this practice does not always provide for the best consumer experience. Although retailers continue to provide products and services to consumers through consumer-preferred mediums—now, primarily mobile devices—partnering creditors are unable to adapt their financing disclosure regime to meet the customer sales experience that consumers have come to expect on these retailers’ platforms.

Several options are available to creditors to reconsider their disclosures framework. First, although creditors take comfort in model forms, using model forms is not the sole method to comply with the letter and spirit of the law. Creditors may consider creating alternative disclosures that comply with the technical requirements of the disclosure mandates in a mobile-device-friendly manner. Second, creditors may engage with retailers to determine customer pain points and evaluate whether to update model forms. In addition, the Consumer Financial Protection Bureau (CFPB) has provided avenues to test new disclosures, including the trial disclosure sandbox, where creditors can improve existing disclosures and test new forms with the CFPB. Additionally, creditors may engage with the CFPB’s Office of Innovation to request a no-action letter for a CFPB-approved disclosure or process.

As financing continues to integrate further with point-of-sale transactions, it remains pivotal that consumers are aware of when they are interacting with a bank (with consumer credit disclosures being the epitome of a consumer recognizing bank interaction) and when consumers are interacting with the retailer. This distinction is critical for several reasons, including true lender and privacy purposes. Regulatory developments and cases evaluating this issue have been rapidly increasing, likely due to more point-of-sale financing agreements and the interconnectedness of retailers and financers. The Office of the Comptroller of the Currency is attempting to address bank-partnership uncertainty through proposed regulation, while states continue to evaluate true lender concerns impacting their respective residents. In addition, privacy concerns for both the retailer and the creditor include ownership of information collected and usage rights with respect to that information, including the sharing and usage of information by third parties. An understanding of these increasingly complex data flows is important to evaluate issues under federal law, including the Fair Credit Reporting Act, as well as under state law, including the newly revised California Online Privacy Protection Act.

Finally, drawing clear lines delineating the retailer’s and the creditor’s responsibility is important for regulator interactions. Defining responsibilities clearly assists regulator inquiries and examinations as well as ultimate responsibility (which many times rests with the regulated entity) if there is a problem with the program. Regulators will be evaluating both the form and the substance of point-of-sale financing programs, and parties are well served to have clearly delineated ownership lines.

Point-of-sale financing continues to evolve faster than the times and legislation itself. For long-term success in this renewed growth opportunity, retailers and finance partners must look to both ancient and novel regulations while remaining closely connected to shifting consumer needs and behaviors.

The Different Flavors of RegTech and SupTech: How Companies and Regulatory Agencies Are Leveraging Technology to Improve Regulatory Compliance and Supervision

When the calendar turned to 2020, my first thought was about how futuristic the year sounded and what kind of interesting things it had in store. At that time, no one could possibly have imagined that some of those interesting things would be face masks, working from home, and wearing the same loungewear so often that you begin to lose any concept of time. Still, the COVID-19 pandemic has hammered home the point even further that technology touches nearly every facet of our everyday lives. Consider something as benign as a lamp: you can purchase it on Amazon, turn it on or off using Google, and pay for the electricity that powers it via app. Given this and the current state of the world we live in, it should come as no surprise that modern technology has even impacted financial services industries and the regulatory environments in which they operate. Through RegTech and SupTech, both industry and regulatory agencies are finding ways to modernize compliance and create a more efficient and increasingly digital regulatory landscape.

What Are RegTech and SupTech?

“RegTech” refers to technology that has been developed for industry to address regulatory challenges. Those challenges might include meeting compliance requirements, assessing risk management, and reporting data. “SupTech,” on the other hand, describes the use of technology by supervisory and regulatory agencies to improve efficiency in their duties overseeing industry. SupTech includes streamlining administrative and operational procedures, as well as utilizing automation in the supervision process. Ultimately, the combination of RegTech and SupTech ideally will lead to a more robust compliance environment through proactive monitoring by supervisory agencies, enhanced reporting from industry, and better overall oversight. An added benefit of this efficiency is lower costs for industry in complying with regulations and better allocation of resources by supervisory authorities. A true win-win.

Developments in RegTech

RegTech is a booming industry, expected to be worth over $55 billion by 2025. With such growth comes some inevitable questions. How do regulators view RegTech? Do RegTech programs have the blessing of the agencies with which they are trying to comply? Regulators at both the state and federal level recognize the impacts RegTech has on industry and are actively trying to keep up with the innovation they are seeing.

In July 2019, New York Department of Financial Services (NYDFS) Superintendent Linda Lacewell announced the establishment of the NYDFS Research and Innovation Division. The Division’s intent is to ensure that NYDFS keeps pace with innovation in all sectors of the financial services industry. NYDFS further showed its dedication to fostering and tracking innovation by joining the Global Financial Innovation Network (GFIN) in October. GFIN seeks to support financial innovation by providing more efficient ways for firms to interact with regulators to develop new products that will benefit consumers.

In an August 2019 speech, Federal Deposit Insurance Corporation (FDIC) Chairman Jelena McWilliams emphasized the growing role of RegTech, noting that the FDIC will need to step in if regulators do not agree on joint guidance regarding bank use of artificial intelligence. Banks could potentially use AI to comply with laws and regulations concerning anti-money-laundering controls and other vital compliance programs. Small banks, as McWilliams noted, are more likely to turn to technology for competitive advantages and must be sure that their attempts at innovation will not be stifled by regulatory uncertainty.

Developments in SupTech

Despite the heightened emphasis on tracking industry innovation, regulatory agencies aren’t merely sitting back and watching industry utilize technology. In fact, groups of agencies have banded together to explore SupTech initiatives that allow them to better leverage technology in supervising and communicating with industry.

Back in 2017, the Conference of State Bank Supervisors (CSBS) launched Vision 2020, an effort to modernize state regulation of nonbank financial companies. Vision 2020 focused on six major initiatives: (1) creating the Fintech Industry Advisory Panel, which allows industry to provide input on state regulation; (2) redesigning the Nationwide Multistate Licensing System & Registry (NMLS) with a more automated and data-driven approach; (3) harmonizing multistate supervision through uniformity in examinations and consistent best practices; (4) assisting state banking departments in recognizing weaknesses in order to perform at a higher standard; (5) enabling banks to service nonbanks by addressing the risks involved and demonstrating how to comply with state and federal laws; and (6) improving third-party supervision through support for federal legislation to amend the Bank Services Company Act to allow state and federal regulators to better coordinate supervision.

In January 2020, CSBS released its Vision 2020 Accountability Report. Prepared by the Fintech Industry Advisory Panel, the report outlines progress made on the group’s initiatives to streamline state licensing and supervision of fintech companies. The report focuses on the increased use of technology for licensing and exams. Notably, CSBS has: (1) expanded the use of NMLS across all license types for nonbank financial services, (2) developed state licensing guidelines that are consistent across multiple states, and (3) launched a new state examination system. The report also noted a more consistent and streamlined approach nationwide to the licensing and regulation of money service businesses.

As part of the Vision 2020 initiative, CSBS announced in February 2020 the nationwide roll out of the State Examination System (SES). SES is designed to allow state agencies to securely perform examinations, investigations, consumer complaint processing, and enforcement actions. The customer complaint management system—released just this past September—allows state financial regulators to input, manage, and address customer complaints electronically. Summaries of all complaints entered will be available to any state regulator using SES, allowing state regulators to identify trends and potential bad actors. Although SES is clearly a SupTech solution, it also has some RegTech elements. The goal of SES is to bring every interaction a company has with state regulators onto a single platform. Giving companies a one-stop-shop digital platform for all regulator interactions would create massive time and cost efficiencies.

Feels a little like the future, doesn’t it?

When Should Law Firms Notify Clients About Data Breaches?

Much has been written in recent years about lawyers’ duties to preserve the confidentiality of client information under the rules of professional conduct and to take reasonable precautions to strengthen cybersecurity in order to avoid data breaches. Executing those duties has become more difficult amid an increase in the frequency and sophistication of state-sponsored and criminal cyberattacks directed at law firms and their clients. Further complicating matters for lawyers is knowing when disclosure to clients of a law firm data breach is required by the rules of professional conduct even though the threat of exfiltration or loss of client confidential data is in doubt. Below we examine opinions of the American Bar Association that offer some guidance on when client notification of a data breach is appropriate to ensure protection of client confidentiality and minimize exposure to legal malpractice liability. In addition, we will discuss the requirements of bar associations in various states and analyze law firms’ exposure to potential professional liability.

Several large international law firms have recently been hacked by foreign nationals seeking information in furtherance of an insider trading ring. A prominent Chicago law firm was sued in a class action alleging that it failed to maintain adequate safeguards to protect client confidential information. A New York entertainment law firm was subject to a ransomware attack in which the attackers claimed to have stolen privileged data about many of the firm’s high-profile clients. Panamanian law firm Mossack Fonseca was infamously hacked; the leaked documents published on the internet included the names of a number of the firm’s high-profile government clients, their shell corporations, and financial transactions, raising the specter of an alleged illegal money laundering scheme. The massive data breach and attendant unwelcome publicity coined the phrase “the Panama Papers” and inspired the Netflix movie The Laundromat, in which Meryl Streep portrayed a widow who was bilked by a client of the firm.

Against this backdrop, the organized bar has implemented guidelines, including published ethics opinions on cybersecurity, and reasonable measures to prevent data breaches—and ensuing professional liability. However, what should lawyers do when the unthinkable occurs, and their firm is the victim of a data breach or ransomware attack? What obligations do lawyers have to notify their clients that their confidential data has been or may have been compromised or accessed by a hacker?

ABA Ethics Opinion 483

In 2018, the American Bar Association Standing Committee on Ethics and Professional Responsibility issued Formal Opinion 483, which provides guidance on law firms’ duties to notify clients of data breaches under the ABA Model Rules of Professional Conduct. The committee wrote that, “an obligation exists for a lawyer to communicate with current clients about a data breach.” However, not all cyber episodes require client notification. Rather, Formal Opinion 483 defines a data breach as a cyber episode in which “material client confidential information is misappropriated, destroyed or otherwise compromised, or where a lawyer’s ability to perform the legal services for which the lawyer is hired is significantly impaired by the episode.”

Formal Opinion 483 further notes:

[N]o notification is required if the lawyer’s office file server was subject to a ransomware attack but no information relating to the representation of a client was inaccessible for any material amount of time, or was not accessed by or disclosed to unauthorized persons. Conversely, disclosure will be required if material client information was actually or reasonably suspected to have been accessed, disclosed or lost in a breach.

Thus, it would appear that Formal Opinion 483 is arguably inconsistent, leading to the question: Is mere access sufficient to trigger a duty to provide notification, or must there be a reasonable suspicion of tampering with or misappropriation of the data? Some guidance is given by state ethics opinions, which, like the ABA, suggest that lawyers have a duty to investigate and disclose the existence of a data breach to clients whose material confidential information is known to have been accessed or exfiltrated by an unauthorized intruder. As will be seen, the law firm’s duty to provide client notice may exist even in situations in which the data penetration did not result in exfiltration of or damage to the client’s data.

Other Ethics Opinions

Earlier ABA Ethics Opinion 95-398 (1995) addressed a law firm’s obligation to notify a client when a third-party document storage vendor sustains an intrusion that exposes client confidential information, concluding that a lawyer may be obligated to notify the underlying client of an unauthorized intrusion which “could reasonably be viewed as a significant factor in the representation, for example where it is likely to affect the position of the client or the outcome of the client’s legal matter. . . .”

The New York State Bar Association Committee on Professional Ethics has similarly concluded that a lawyer must notify affected clients of information lost through an online cloud data storage provider. N.Y. State Bar Ass’n Eth. Op. 842 (2010). According to the NYSBA, “If the lawyer learns of any breach of confidentiality by the online storage provider, then the lawyer must investigate whether there has been any breach of his or her own clients’ confidential information, notify any affected clients, and discontinue use of the service unless the lawyer receives assurances that any security issues have been sufficiently remediated.”

The Maine Bar Association Professional Ethics Committee addressed client notification in its Ethics Opinion 220, which determined that client disclosure was fact-specific in the event of a law firm data breach but could be triggered by mere exposure rather than actual pilfering or manipulation of client data. According to the Maine Bar:

Notification requirements under the Maine Rules of Professional Conduct arise when confidences or secrets are exposed or the breach significantly impairs or impacts the representation of a client. A cyberattack or data breach alone may give rise to a duty to notify clients, depending on the circumstances. . . . Once the scope of an attack or breach is understood, the lawyer must promptly and accurately make an appropriate disclosure to the client.

(Citations omitted.) Thus, under the Maine Rules of Professional Conduct, mere exposure of client confidential information may be sufficient to trigger a disclosure obligation.

The Michigan State Bar has recently concluded that a law firm material data breach triggers an obligation to give notice to its clients. According to the Michigan Bar Ethics Opinion RI 381:

A lawyer has a duty to inform a client of a material data breach in a timely manner. . . . A data breach is “material” if it involves the unauthorized access, destruction, corruption, or ransoming of client ESI protected by [Michigan Rule of Professional Conduct] 1.6 or other applicable law, or materially impairs the lawyer’s ability to perform the legal services for which the lawyer has been hired. The duty to inform includes the extent of the breach and the efforts made and to be made by the lawyer to limit the breach.

Thus, at least under the guidance furnished by the Michigan Bar Association, if the lawyer can determine which clients’ data have been compromised, then assuming that the pilfered or exposed data are material, those clients should be notified. The law firm should also promptly investigate and remediate the breach.

Professional Liability Concerns

In addition to compliance with the rules of professional conduct, there are also professional liability issues inasmuch as a disgruntled client could bring a claim that its confidential information was insufficiently safeguarded, or that it was not timely notified of the breach. In such cases, adverse publicity could be generated by the mere filing of a public complaint.

For example, in March 2020, a lawsuit was filed by Hiscox Insurance against law firm Warden Grier for breach of contract, breach of fiduciary duty, and malpractice. Hiscox accuses the law firm of failing to notify it of a major data breach in 2016, in the course of which client confidential information was penetrated by an intruder, posted on the dark web, and held for ransom, which the firm paid. Hiscox Ins. Co. Inc. & Hiscox Syndicates Ltd. v. Warden Grier, LLP (2020). According to the complaint, the law firm learned of the data breach in December 2016, but did not notify clients for over 16 months that their personal identifying information (PII) had been accessed by the “Dark Overlord” intruder and posted to the dark web. Julia Weng, Hiscox Hack Suit Advances as Warden Grier Loses Dismissal Bid, Data Breaches.net, July 25, 2020. In July 2020, a federal district court denied Warden Grier’s motion to dismiss Hiscox’s complaint, ruling that the complaint provides a cause of action for breach of contract and breach of implied contract, reasoning that the carrier’s litigation management guidelines constituted a binding contract that required the law firm to take specified precautions to protect the security of clients’ PII. Hiscox Ins. Co. Inc. & Hiscox Syndicates Ltd. v. Warden Grier, LLP, Case No. 4:20-cv-00237-NKL (W.D. Mo. Jul. 23, 2020). The law firm did not move to dismiss the negligence cause of action, which remains intact.

In 2016, a former client of Chicago law firm Johnson & Bell filed a class action alleging that the firm engaged in malpractice by its failure to maintain adequate standards of cybersecurity. The class action alleged that the firm, which portrays itself as an expert in advising clients about cybersecurity, was itself negligent in protecting its own clients’ data security by failing to properly encrypt an online attorney time-tracking system and by the use of a virtual private network. The purported class representatives alleged that they were damaged by the risk that their confidential information might be compromised at some point in the future. After denial of the law firm’s motion to dismiss, the court directed the parties to participate in confidential arbitration.

Regulatory Issues

In addition to professional liability concerns, law firms should be mindful of statutory obligations imposed on all businesses. For example, Massachusetts enacted a pioneering data-protection law in 2010 known as Standards for the Protection of Personal Information of Residents of the Commonwealth, which requires companies doing business in Massachusetts to encrypt personal data and to retain and store digital and physical records and implement network security controls to protect sensitive consumer information. The Massachusetts law broadly applies to: “Every person that owns or licenses personal information about a resident of the Commonwealth,” and requires such persons to develop “a comprehensive information security program that is written in one or more readily accessible parts.” It also contains safeguards to protect and encrypt confidential consumer information.

Lawyers who represent insurance companies in particular should take note of cybersecurity regulations promulgated in 2017 by the New York Department of Financial Services (DFS), which regulates the insurance industry. These new cybersecurity rules, which apply to all entities under DFS jurisdiction, including insurance companies, insurance agents, and banks, require encryption of all nonpublic information held or transmitted by the covered entity, and require each regulated company to appoint a chief information security officer, who must report directly to the board of directors and issue an annual report setting forth an assessment of the company’s cybersecurity compliance and any identifiable risks for potential breaches.

Of particular interest to law firms that represent financial institutions or are retained by insurance companies is section 500.11 of the new DFS regulations, which requires each covered entity to “implement written policies and procedures designed to ensure the security of information systems and non-public information that are accessible to, or held by third-parties doing business with the covered entity.” Thus, insurance companies that provide access to PII to third-party vendors must certify not only that their own information systems are adequate, but also that the information security systems of vendors, presumably including law firms with whom they do business, are also secure and protected. In other words, law firms who do business with regulated financial service companies are expected to comply with the cybersecurity standards of their represented clients.

Conclusion

As explained above, the rules of professional conduct require a fact-based inquiry and disclosure to those clients whose material data is known or reasonably suspected to have been accessed by an intruder. A law firm’s duty to notify clients about a data breach depends on the severity of the breach, the level of knowledge the lawyer has about the breach, and the materiality of the improperly accessed data. The consensus of the organized bar, as exemplified in the ethics opinions discussed above, recommends client notification of a data breach affecting clients’ confidential data that are material and reasonably suspected to have been accessed, disclosed, or lost.

The materiality of the data and their importance to the client are fact-specific. For example, if the intruder accessed the first draft of a brief filed 18 months ago in a closed case, ABA Ethics Opinion 483 probably would not require notice. On the other hand, a nonpublic client’s private financial statement, current merger plans, misconduct by the client’s CFO, or a nonpublic sexual harassment complaint would probably be the sort of information that a corporate client would reasonably consider material and expect to be notified about in the event of a breach. However, lawyers should ensure that they comply with clients’ litigation management guidelines, which may require notifications in situations broader than those required in bar association ethics opinions.

Law firms should proactively prepare for a future cyber intrusion and mitigate their risk by preparing a breach notification plan. In the event of a breach, law firms can avoid or mitigate professional malpractice claims by notifying their cyber insurance carriers, undertaking a prompt and thorough investigation, and employing third-party breach mitigation experts. Prompt and diligent disclosure to clients of the breach may also help mitigate the risk and severity of litigation.


Jennifer Goldsmith is vice president, professional liability claims, at Ironshore Insurance, an attorney at law, and a graduate of The George Washington University Law School. David Standish is a graduate of New York Law School, an attorney admitted in New York, and an assistant vice president and cyber/tech claims manager at Ironshore Insurance. Barry Temkin is a partner at Mound Cotton Wollan & Greengrass in New York, an adjunct professor at Fordham University School of Law, and immediate past chair of the New York County Lawyers’ Association Committee on Professional Ethics. The views expressed in this article are the authors’ alone and do not reflect the views of Ironshore Insurance, Fordham University, or the New York County Lawyers’ Association.

The foregoing information is for informational purposes only. It is not a substitute for legal advice from a licensed attorney, nor does it create an attorney-client relationship. The authors disclaim all liability arising out of this resource.