Month: January 2017

Data Breaches, Part 1 – How Prepared Is Your Company?

Computer hacking and data security became central issues in the 2016 presidential election as a result of several, high-profile data breaches. Although the public may have been surprised to learn how vulnerable electronic data actually is, corporate chief legal officers regularly toss and turn at night worrying about their organizations’ data security. According to the Association of Corporate Counsel’s 2016 Chief Legal Officer Survey, data security has ranked among the top three concerns of Chief Legal Officers for several years running.  The ACC survey found that twenty-two percent of CLO’s experienced a data breach within the last two years. Astonishingly, forty-nine percent of healthcare CLO’s experienced a data breach within the last two years, followed by forty-five percent of education industry CLO’s.

Data breaches can be extraordinarily expensive. Response costs can quickly mount into the millions of dollars. Resulting government investigations can lead to significant legal expenses, as well as potential fines. However, the damage will likely go well beyond the initial financial costs. A high-profile data breach can inflict significant damage on a company’s brand, impacting the bottom line far more than the initial legal and investigative costs. Such damage may take years to repair. Beyond the financial damage, a high-profile data breach can often wreck the careers of CEO’s, CLO’s and information technology professionals.

So, the question becomes, how well-prepared is your organization for a data breach? Advance preparation is crucial. Waiting until a data breach is discovered is a recipe for disaster.

Preparing for Data Breaches

To reduce exposure in the event of a data breach, your company must prepare for a breach in advance. This includes instituting security and prevention measures, as well as creating an incident response plan, in the event a breach occurs. In upcoming posts, I will offer help on both fronts. These posts will examine the following topics, all of which your organization must consider before a data breach occurs:

  1. Has your company taken “reasonable security measures” with respect to data security?
  2. Is your company collecting and keeping sensitive information unnecessarily?
  3. Are your vendors and service providers a weak link in your data security plan?
  4. Does your organization have an up-to-date incident response plan?
  5. Has your company purchased adequate insurance covering both the response costs and resulting liability?
  6. Have you prepared your board of directors for a data breach?

I hope these posts prove helpful and would love to hear how your company has prepared for, and responded to, a data breach.

Photo courtesy of Zakwitnij on Flickr.

Merger Transaction – When is a Release of Officers and Directors not a Release?

Imagine you are a corporate officer or director sued personally by shareholders for breach of fiduciary duty, following the announcement of a merger transaction. You sleep soundly, believing that the release in the merger agreement fully protects you. Not necessarily!

The Court of Chancery of Delaware recently ruled that such a release will not always protect corporate officers and directors from suit. In In re Riverstone National, Inc. Stockholder Litigation, shareholders alleged that the company’s officers and a majority of the directors breached their fiduciary duties by usurping a corporate opportunity.

According to the complaint, the company executed a merger agreement ten days after the shareholders notified the company of the breaches. The merger agreement included a release, in which the acquirer released these claims. The company did not receive any additional consideration for the release. Not surprisingly, the shareholders asserted that no other shareholders benefited from the release, other than the defendant officers and directors. On the same day that the merger agreement was executed, the shareholders filed suit. Three days later, the transaction closed.

Likely feeling confident that the release protected them and that these derivative claims were extinguished by the merger, the officers and directors filed a motion to dismiss. The court swiftly denied the motion to dismiss, ruling that the shareholders could continue with their lawsuit.

Here are a few takeaways from the decision:
  1. Following a merger, shareholders may bring a lawsuit against corporate officers and directors that is normally derivative in nature, even if the merger eliminated the ability of shareholders to bring a derivative action, if the shareholders plead particularized facts demonstrating a cause of action against the officers and directors.
  2. Officers and directors may lose the protections of the business judgment rule if they receive a material benefit not shared by other shareholders.
  3. If officers and directors have a material conflict, courts may evaluate the merger under the more onerous entire fairness doctrine. This means that the officers and directors must demonstrate that the merger was entirely fair to shareholders (a fair price from a fair process). Absent a material conflict, shareholders normally must rebut the business judgment rule and demonstrate a non-exculpated breach of duty.

In his opinion, Vice Chancellor Glasscock offered some consolation to corporate officers and directors. He noted that a court must be wary of conclusory allegations that a merger extinguished a potential derivative suit. Absent particularized facts pled in the complaint. “much ground for strike suits and other mischief would be possible.”

Let’s hope for a lot less of that mischief!

Corporate Insurance Policy Does Not Cover SEC Investigation Before Wells Notice or Target Letter Sent

We buy insurance hoping to never need it. Nonetheless, we pay the premiums so that we can sleep better in the event that we have a problem someday. But, in the early stages of a government investigation, your insurance policy may not provide the coverage that you hoped for.

A Colorado federal court recently ruled that a D&O insurance policy did not provide coverage for an SEC investigation because the SEC had not yet issued a Wells Notice or otherwise alleged a violation of securities laws. In MusclePharm Corporation v. Liberty Insurance Underwriters, Inc., the SEC’s Division of Enforcement sent a letter to the company advising that it was conducting an investigation into its operations. The letter also requested voluntary production of certain documents. Less than two months later, the SEC issued an “Order Directing Private Investigation and Designating Officers to Take Testimony.” The order said that the SEC had “information that tends to show” “possible violations” of federal securities laws by MusclePharm and/or its officers and directors.

The Insurance Policy

The company had previously purchased a D&O insurance policy that provided coverage for “Securities Action Liabilities.” The insurance company refused to cover MusclePharm’s claim for legal fees and expenses incurred during the investigation. It denied coverage because the SEC had not yet issued a Wells Notice or target letter. Absent such notice or letter, the insurance company asserted that the SEC had not alleged wrongdoing to trigger coverage. (A Wells Notice is a notification that the SEC is close to recommending that the Commission commence action against the recipient. A target letter is a notification from a prosecutor that the recipient is the target of a federal criminal investigation.).

The policy’s coverage section provided that it covered losses resulting from a “Securities Action” for a “Wrongful Act” that occurred during the policy period. “Wrongful Act” was defined to mean:

any actual or alleged error, misstatement, misleading statement, act, omission, neglect, or breach of duty, actually or alleged committed or attempted by the Insured Persons in their capacities as such or in an Outside Position, or, with respect to Insuring Agreement 1.3, by the Insured Organization[.]

The Court’s Ruling

The court held that the insurance policy did not cover the investigation. In reaching this decision, the court found that the SEC had not alleged conduct in any of its communications that met the definition of “Wrongful Act” in the policy. To meet that definition, the “alleged error or omission must involve a positive assertion that the implicated error or omission is believed to have actually occurred, even if still subject to proof,” according to the court.

None of the SEC’s communications had ever asserted that an error or omission had actually occurred. To the contrary, the SEC’s Order repeatedly said that the SEC had not determined if any of the acts described in the Order had actually occurred. The court held that the policy did not cover the investigation until the SEC alleged a past “Wrongful Act.” The court did not consider the SEC’s comment that “[I]nformation that tends to show” “possible violations” existed sufficient to trigger coverage.

How to Protect Your Company Before a Government Investigation

Although this case does not establish any startling, new legal principal, it illustrates how vulnerable companies and their officers and directors may be during the early stages of a government investigation if the company has not purchased “pre-claim inquiry” coverage for the officers and directors and coverage for investigative costs for the company. Kevin M. LaCroix, an insurance executive with RT ProExec, notes in his blog that such coverage is now available, either as a stand-alone policy or as an accessory to the primary D&O policy.

Government investigations are exorbitantly expensive. They often require separate counsel for the company and each officer and director, all paid for by the company. Additional coverage for investigative costs may be considered expensive by some. However, the additional premium likely pales in comparison to the $3 million in legal fees and expenses paid by MusclePharm during the SEC investigation. This case demonstrates that absent adequate coverage, a government investigation may be a devastating hit to your bottom line.

MusclePharm has appealed the decision, so stay tuned. This may not be the last word on this case.

Photo courtesy of Photos of Money on Flickr.