Delaware courts have become more accommodating to Caremark claims in recent years and this recent Sidley blog cautions that the claims, which are premised on a board’s failure to fulfill its oversight responsibilities, may become increasingly attractive to plaintiffs in situations involving data breaches. Here’s an excerpt:
To successfully allege a Caremark claim, a plaintiff must plead facts demonstrating that either “(a) the directors utterly failed to implement any reporting or information system or controls; or (b) having implemented such a system or controls, consciously failed to monitor or oversee its operations thus disabling themselves from being informed of risks or problems requiring their attention.” Put differently, the directors must have acted in bad faith in failing to oversee. Furthermore, this failure must be related to some aspect of the business that is “essential and mission critical.”
As our “data economy” has fed an increase in data security incidents, failures in data security have in turn created significant risks to corporations. These risks take many forms, including loss of access to business-critical data and IT infrastructure, successful consumer class action lawsuits, regulatory liability, or loss of commercial counterparties or liability to those counterparties. Not surprisingly, shareholder lawsuits have also followed, seeking to hold corporate boards responsible for lax oversight that results in harm to the corporation following a data security incident.
To date, Caremark claims based on data security incidents have mostly failed to gain traction; the vast majority have been dismissed at the motion to dismiss stage and a smaller portion have settled, as our colleagues noted in an article for Bloomberg Law back in 2017. Several recent cases have confirmed that Caremark claims remain difficult to bring (much less win), even when those claims are based on data security incidents. But these cases also reveal potential avenues that shareholder plaintiffs may pursue when bringing data security-related Caremark claims.
The blog highlights recent Caremark claims against SolarWinds & T-Mobile arising out of data breaches. The SolarWinds complaint focuses on Caremark’s first prong, and alleges that the SolarWinds board failed to implement necessary controls. In support of that allegation, the plaintiffs point to, among other things, the board’s failure to respond to an outside consultant’s warnings about data system vulnerabilities.
The T-Mobile case focuses on the second prong, and alleges that the company’s data security shortcomings involved violations of law – which in recent years have proven to be a fertile ground for Caremark claims. In particular, the complaint points to an FCC investigation and resulting fine to support allegations that the Board was “long aware of” yet “failed to heed . . . red flags” related to the company’s cybersecurity inadequacies.
The SEC recently scored a big win on the insider trading front, when a California federal court endorsed its novel “shadow trading” theory as the basis for a Rule 10b-5 enforcement proceeding. Here’s the intro to Cleary’s memo on the decision:
On January 14, 2022, the United States District Court for the Northern District of California issued a decision in SEC v. Matthew Panuwat validating the legal theory advanced by the Commission that trading in the securities of a competitor company could form the basis of an insider trading violation where the defendant learned that an acquisition of his employer was imminent.
In denying the defendant’s motion to dismiss the complaint, the court ruled that the SEC had sufficiently pled a claim, marking the first judicial decision concerning alleged insider trading in securities of a company based on material, nonpublic information (“MNPI”) about another company, a practice that has sometimes been referred to as “shadow trading.”
The court’s refusal to dismiss the SEC’s novel legal theory that trading on the basis of MNPI of one company to profit on a securities transaction involving a competitor constitutes actionable insider trading should be considered by companies and individuals as they assess trading decisions and policies.
The defendant allegedly traded stock of a direct and close competitor in a small market, and the memo points out that the straightforward facts of the case provided the SEC with an optimal setting for asserting its novel theory. This excerpt says that the SEC might find other cases provide tougher sledding:
Other shadow trading fact patterns will likely have to grapple with more complicated determinations, including how material information about one company is for the value of securities of other companies in larger markets or less direct competitors (e.g., an insider at a company trading in the securities of a supplier or customer of the company).
When last we dropped in on Nasdaq, it had amended its proposal to permit direct listings with a capital raise in order to tweak the price range limitations contained in the rule. That amendment came only weeks after the SEC had approved the original version of the rule. Now this Fenwick memo reports that Nasdaq recently filed another amendment to its proposal:
On January 6, 2022, Nasdaq filed an amended rule proposal with the U.S. Securities and Exchange Commission to address the SEC’s questions and concerns related to the prior proposal filed by Nasdaq on May 25, 2021, which sought increased pricing flexibility in a Direct Listing with a Capital Raise.
Among other things, the amended proposal includes additional requirements for pricing a Direct Listing with a Capital Raise at more than 20% above the price range, adds certain notification requirements and a price volatility constraint, eliminates market orders (other than by the company) from the opening of the offering, requires a company to specify the quantity of shares registered in the S-1 registration statement and aligns the 20% price range deviation calculation with the SEC’s rules.
The memo has additional details on the amended proposal, and notes that the comment period will run until February 2, 2022, and the SEC will make a final decision on the proposal by February 25, 2022.
Liz recently blogged on the topic of how “homeless” public companies – those that claim not to have a principal executive office in their SEC filings – may create regulatory puzzles. Keith Bishop recently blogged a couple of specific examples of those puzzles under California law:
The designation of a corporation’s principal executive offices, of course, is one factor in determining whether a publicly held corporation is subject to California’s board quota laws. Cal. Corp. Code §§ 301.3, 301.4, 2115.5 & 2115.6. In addition, a domestic or foreign corporation required to file an annual statement of information (Form SI-550) must disclose the address of its principal executive office (no “s”). Cal. Corp. Code §§ 1502(a)(5) & 2117(a)(3).
Those corporations that have decided that they have no principal executive office may want to revisit their bylaws. Some corporate bylaws impose advance notice requirements on shareholders wishing either to submit a proposal for a shareholder vote or to nominate candidate(s) for election to the board. Often these provisions require that the notice be received at the corporation’s principal executive offices within a specified timeframe before the meeting. This is problematical if the corporation is taking the position that no such office exists in its filings with the Securities and Exchange Commission.
I know all the cool kids only want to exist in cyberspace or the metaverse or whatever this week’s variation on cloud cuckoo land is, but I think it’s kind of preposterous that the SEC permits companies to get away with offering securities without providing a physical address, particularly since they almost certainly have one. In that regard, this Olshan blog notes that “securities law commentators have suggested that the term ‘principal executive offices’ would mean the place where the CEO and most other executive officers work most of the time.”
It’s no secret that rule amendments to enhance cybersecurity disclosure are on the SEC’s agenda, but in a speech yesterday at Northwestern Law School’s annual Securities Regulation Institute, SEC Chair Gary Gensler provided a little more color as to what public companies might expect to see in a rule proposal. Here’s an excerpt:
Disclosure regimes evolve over the decades. Cybersecurity is an emerging risk with which public issuers increasingly must contend. Thus, I’ve asked staff to make recommendations for the Commission’s consideration around companies’ cybersecurity practices and cyber risk disclosures. This may include their practices with respect to cybersecurity governance, strategy, and risk management.
A lot of issuers already provide cyber risk disclosure to investors. I think companies and investors alike would benefit if this information were presented in a consistent, comparable, and decision-useful manner.
In addition, I’ve asked staff to make recommendations around whether and how to update companies’ disclosures to investors when cyber events have occurred.
Make no mistake: Public companies already have certain obligations when it comes to cybersecurity disclosures. If customer data is stolen, if a company paid ransomware, that may be material to investors. As recent cases show, failure to make accurate disclosures of cybersecurity incidents and risks can result in enforcement actions.
Chair Gensler’s speech also addressed cybersecurity regulatory initiatives addressing broker-dealers, investment advisors, mutual funds and other participants in the financial sector – as well as service providers to those businesses.
The inaugural post on Goodwin’s new Public Company Advisory Blog shares some helpful tools on navigating the legal and practical aspects of the earnings release process. This 18-page Earnings Release Compliance Guide provides an overview of the legal issues that companies need to keep in mind when preparing their earnings releases, as well as guidance on dealing with potential problem areas. For example, this excerpt addresses the use of KPIs:
– Review key performance measures/indicators (KPIs) for consistency across quarters and other disclosure documents.
– KPIs are used by management to manage or evaluate the performance of the business. Certain KPIs may not meet the definition of a non-GAAP financial measure and thus may not be subject to Regulation G or Item 10(e) of Regulation S-K. Nevertheless, you need to consider what additional information may be necessary to provide adequate context for an investor to understand the KPI metric presented. In this regard, the SEC generally expects the following disclosures to accompany any KPI metric:
– a clear definition of the metric and how it is calculated,
– a statement indicating the reasons why the metric provides useful information to investors, and
– a statement indicating how management uses the metric in managing or monitoring the performance of the business
This publication is accompanied by a 6-page Earnings Release Compliance Checklist that provides a bullet-point summary of many of the topics covered in more depth in the Guide.
This Woodruff Sawyer blog lays out 20 questions that a prospective director should ask before agreeing to join a corporate board. Each question is accompanied by an explanation of why it’s important. Here’s an example:
What skill sets are represented on the board?
A diversity of skills and experience among board members is one of the best ways to ensure that the board can address unexpected issues. Does the board you are considering have this? If everyone on a board has a similar background—everyone has a technical or finance background, for instance—the board is less likely to be able to proactively identify new risks or recognize innovative solutions and strategies.
Consider, too, the advantage of having at least one board member who has the skill set to be the director who will deal with difficult legal situations, such as an internal investigation or thorny litigation. A board that has no one capable of making independent legal judgments is a board that is at risk for blindly agreeing to do whatever outside counsel tells them to do.
I’ve previously blogged about some of the uncertainties involved in how to account for digital assets. In light of those uncertainties & Bitcoin’s volatility, it’s not surprising that companies with investments in Bitcoin or other digital assets might want to present non-GAAP financial data that backs out the impact of swings in the value of those assets on their financial results.
Yeah, well good luck with that, because the Corp Fin Staff apparently is having none of it. Here’s an excerpt from this Bloomberg Tax article detailing the back & forth between the Staff and MicroStrategy on that company’s unsuccessful efforts to back out Bitcoin from its non-GAAP income statement:
For the quarter ending Sept. 30, 2021, MicroStrategy reported a net loss of $36.1 million. Adding back in its share-based compensation expense and the impairment of its digital assets made the company’s unofficial, or non-GAAP, income flip to $18.6 million, its filing shows. MicroStrategy did not immediately respond to a request for comment.
The company told the SEC it used non-GAAP measures to give investors a fuller picture of its finances. If the company only showed declines in value, it would give “an incomplete assessment” of its Bitcoin holdings that would be “less meaningful to management or investors” in light of the company’s strategy to acquire and hold Bitcoin. “We further believe that the inclusion of bitcoin non-cash impairment losses may otherwise distract from our investors’ analysis of the operating results of our enterprise software analytics business,” the company wrote.
The SEC disagreed. In a letter dated Dec. 3, the market regulator told MicroStrategy it objected to the adjustment and told the company to remove it from future filings. In its Dec. 16 response, MicroStrategy said it would comply.
Speaking of Bitcoin, as a very bitter Cleveland Browns fan, I admit that this report brightened my day just a little.
On Friday, Corp Fin & IM announced that companies should no longer provide paper “courtesy copies” of filings unless the Staff requests them. This announcement is one of those things that really dates me – because I remember when what we called “courtesy packages” were absolutely de rigueur.
As I recall, there were always multiple courtesy packages for Securities Act filings – one for the legal reviewer, one for the accountant, and usually one for the branch chief – and they always included clean & marked copies of your filing, a copy of your comment response letter, and any new or revised exhibits.
Back in the paper filing days, you usually provided courtesy packages with each amendment to your registration statement in order to help expedite the review process. But in the days before Rule 430A*, they actually played a critical role in getting a registration statement declared effective before the market opened. That’s because you had to get the filing package into the reviewer’s hands as soon as possible after you dropped the filing package off at the SEC file desk so that they could see the pricing information, verify any changes made in response to last minute comments, and declare your registration statement effective.
Over time, as the SEC moved from paper to electronic filings, I’d still offer to Fed Ex courtesy packages to the reviewer. The usual response was along the lines of “We aren’t supposed to ask for courtesy copies, but that would be really helpful.” Now, the Staff says you shouldn’t provide courtesy copies unless they ask for them. . . Jeez, am I really getting sentimental about courtesy packages! It sure looks like it.
*Yes, there really was a time before Rule 430A when you had to drop pricing information into a pre-effective amendment that you hand delivered to the SEC first thing in the morning on the day you wanted to start trading your IPO. But that was almost 35 years ago, which is why this particular old man called out William Butler Yeats – not Cormac McCarthy & the Coen Brothers – in the title of this blog.
The January – February issue of the Deal Lawyers newsletter was just posted and sent to the printer. Articles include:
– Delaware Supreme Court Upholds Advance Waiver of Statutory Appraisal Rights
– SPACs and the Implications for D&O Insurance
– Purchase Price Adjustments in Technology Deals
Remember that, as a “thank you” to those that subscribe to both DealLawyers.com & our Deal Lawyers newsletter, we are making all issues of the Deal Lawyers print newsletter available online. There is a big blue tab called “Back Issues” near the top of DealLawyers.com – 4th from the end of the row of tabs. This tab leads to all of our issues, including the most recent one.
And a bonus is that even if only one person in your firm is a subscriber to the Deal Lawyers newsletter, anyone who has access to DealLawyers.com will be able to gain access to the newsletter. For example, if your firm has a firmwide license to DealLawyers.com – and only one person subscribes to the print newsletter – everybody in your firm will be able to access the online issues of the print newsletter. That is real value. Here are FAQs about the Deal Lawyers newsletter including how to access the issues online.