I have long believed and said that the typical professional liability and D&O liability insurance policy contractual exclusion written with the broad “based upon, arising out of” preamble sweeps too broadly and precludes coverage for the very kind of claims for which policyholders buy the insurance. The Seventh Circuit has now said what I have long been saying; the appellate court found that the contractual liability exclusion in an E&O insurance policy renders coverage under the policy “illusory” and therefore the policy must be reformed to match the policyholder’s “reasonable expectations.” I hope everyone involved in the professional liability and D&O liability insurance industry will take the time to familiarize themselves with this recent decision. I also hope this decision means the end of contractual liability exclusions using the broad “based upon, arising out of” preamble. The Seventh Circuit’s September 23, 2019 decision discussed below can be found here.

Background

DVO designs and builds anaerobic digesters that use microorganisms to break down biodegradable materials to create biogas. WTE entered a contract with DVO under which DVO was to design and build an anaerobic digester to be used to generate electricity from cow manure. WTE sued DVO for breach of contract, alleging that DVO failed to fulfill its design duties, responsibilities, and obligations, in that it allegedly did not properly design the various substantial operating systems within the anaerobic digester. DVO submitted the WTE lawsuit to its E&O insurer. The insurer initially defended the claim under a reservation of rights, but several months later advised DVO that it would no longer provide a defense. The WTE litigation ultimately went to trial, resulting in a judgment in favor of WTE. The insurer initiated an action seeking a judicial declaration that it does not have a duty to defend or indemnify DVO. The parties filed cross-motions for summary judgment.
The insurer argued that coverage for the underlying claim was precluded by the policy’s contractual liability exclusion. DVO argued, among other things, that the contractual liability exclusion rendered coverage under the policy illusory and that the policy should be reformed. The district court rejected the argument that coverage under the policy was illusory. The district court reasoned that though coverage for professional malpractice would always fall within the exclusion’s coverage preclusion, third parties (that is, non-clients) could still bring tort claims against DVO that would not be precluded by the exclusion. The policyholder appealed the court’s ruling. The policy’s contractual liability exclusion, which was added to the policy by endorsement, provides in pertinent part that “This Policy does not apply to … any ‘claim’ or ‘suit’ … Based upon or arising out of … breach of contract, whether express or oral, nor any ‘claim’ for breach of an implied in law or an implied in fact contracts [sic].”

The September 23, 2019 Opinion

In a September 23, 2019 opinion written by Judge Ilana Rovner for a unanimous three-judge panel, the Seventh Circuit reversed the district court’s ruling and remanded the case for further proceedings. In taking up the case, the appellate court noted that the parties agreed that the contract exclusion applies to preclude coverage; “the sole issue” in the case is whether the language in the breach of contract exclusion “renders the exclusion broader than the grant of coverage, and therefore renders the coverage illusory.” In analyzing this issue, the appellate court rejected the district court’s conclusion that coverage is not illusory because the policy, even with the exclusion, still provides coverage for third-party claims.
The problem with this conclusion is that “the language in the exclusion at issue here is extremely broad.” Wisconsin courts, the appellate court said, interpret exclusions with the “arising out of language” broadly. Indeed, the appellate court said, Wisconsin’s courts have interpreted this language broadly enough even to preclude coverage for third-party claims. Wisconsin’s courts have interpreted the “arising out of” phrase broadly enough “to reach any conduct that has at least some causal connection between the injury and the event not covered.” And here, the “event not covered” is “itself quite expansive” as it extends to all contracts “whether express or oral, and even including contracts in law and in fact.” In any event, the court said, “the overlap between claims of professional malpractice and breach of contract is complete, because the professional malpractice necessarily involves the contractual relationship.” The broad “arising out of language” would “exclude all claims of professional liability whether or not brought by third-parties.” Accordingly, the appellate court said, “we hold that the breach of contract exclusion in this case rendered the professional liability coverage in the E&O policy illusory.” When a policy’s “purported coverage” is “illusory,” the policy “may be reformed to meet an insured’s reasonable expectation of coverage.” The focus should be “not on hypothetical third-party actions, but on the reasonable expectation of coverage of the insured in securing the policy.” In that regard, the appellate court said, there is “no reason to believe” that in buying the E&O insurance DVO had “only a reasonable expectation that it was obtaining insurance only for claims of professional malpractice brought by third parties.” E&O insurance, the court said (quoting Wisconsin case authority) is “designed to insure members of a particular professional group from liability arising out of the special risk such as negligence, [etc.] inherent in the practice of the profession.” Accordingly, the contract “should be reformed so as to meet the reasonable expectation of DVO as to the E&O policy’s coverage for liability arising out of negligence, omissions, mistakes and errors inherent in the practice of the profession.” The appellate court remanded the case to the district court for further proceedings so as to “give effect” to DVO’s “reasonable expectation.”

Discussion

It really shouldn’t require the lofty efforts of an august appellate court to declare that the whole point of an E&O insurance policy is to provide coverage for professional malpractice claims and that coverage under a policy that has an exclusion that operates to preclude coverage for a professional malpractice claim of the very type for which the insured purchased the insurance renders the coverage “illusory.” Nevertheless, the appellate court has said it. And what the appellate court has said here could be said in all contexts and for all professional liability policies – including in particular D&O insurance policies – that have contractual liability exclusions with the broad “based upon, arising out of” preamble. These exclusions simply sweep too broadly, precluding coverage for the very types of claims for which the policyholders purchase the coverage. It is particularly important here to note that the appellate court’s conclusion that the exclusion rendered the coverage “illusory” was not based on the exclusion as it was applied – to the contrary, it was based on the exclusion as it was written. That is, the exclusion ON ITS FACE renders coverage illusory. Some background on this issue in the D&O context seems appropriate here. There was a time long ago when D&O insurance policies did not have contractual liability exclusions.
In those days, the insurers took the position (and may still take the position when working with policies that do not have contractual liability exclusions) that a liability insurance policy does not cover liabilities undertaken by contract. D&O policies, the insurers contend, only provide coverage for liabilities imposed “by law,” but not for liabilities that are voluntarily undertaken in a contract. In the mid 90’s, when D&O policies were rebuilt to include entity liability coverage in addition to the standard individual liability protection, contractual liability exclusions soon became a standard policy feature, in order to make it clear that the policy’s entity coverage did not extend to liabilities undertaken by contract. (The exclusions typically are found only in private company and non-profit organization D&O policies; because public company D&O insurance policies provide entity coverage only for securities claims, there is no need for a contractual liability exclusion because contractual liability claims simply do not fall within the policy’s entity coverage insuring agreement). The insurers’ original sin is that when they added the contractual liability exclusion they did not draft the exclusion simply to reflect existing law that liability policies do not provide coverage for claims for voluntarily undertaken liability. Instead, the insurers tried to extend the preclusive effect of existing law not only to claims “for” contractual liability, but drafted it overly broadly to reach also claims “based upon or arising out of” a contract. The effect of this broad wording is, as the appellate court said here, that the exclusion sweeps extremely broadly.
Indeed, as the appellate court concluded, the exclusion sweeps so broadly that it renders coverage “illusory.” And the reality is, as so many of us have seen time and time again over the years, that the insurers rely on the contractual liability exclusion to try to deny coverage even for the very kind of claims for which policyholders buy the coverage in the first place. The point of this digression, and really the point of the appellate court’s decision, is that the contract exclusion in professional liability insurance policies — including D&O liability insurance policies — should be written with a “for” preamble, rather than a “based upon or arising out of” preamble, in order to ensure that the exclusion does not sweep too broadly and does not render coverage under the policy “illusory.” I can anticipate the kinds of objections that insurer-side advocates will raise to this analysis. First, they will point out that the exclusion at issue in this case was written even more broadly than the standard contractual liability exclusion, precluding coverage as it does for breaches of contracts “whether express or oral” and whether “implied in law” or “implied in fact.” Yes, yes, this language is unusual and it is broad. But the appellate court did not base its decision on this unusual language; to the contrary, the appellate court’s conclusion that the exclusion is “extremely broad” was not based on the exclusion’s unusual language; rather, the conclusion was based on the exclusion’s all too common “based upon, arising out of” preamble language. Any attempt to try to evade the obvious implications of this decision by trying to rely on the unusual extraneous phrases in the exclusion would be a total red herring – not to mention a complete misreading of the court’s analysis.
I can also anticipate insurers trying to evade the clear impact of this decision by saying that, well, it was under Wisconsin law, and <<shrug>> what does Wisconsin have to do with anything in the real world? To which I say, be kind to Wisconsin, for better or worse, its citizens helped determine the outcome of the last Presidential election. In addition, although Wisconsin’s principles of insurance contract exclusion are perhaps of a greater clarity than the principles under some other jurisdictions’ laws, there is nothing so unusual about Wisconsin law that would render this decision relevant only to disputes to which Wisconsin’s law applies. Anyway, the fact is, the decision was rendered not by some court in the backwoods of Wisconsin. This was a decision by the Seventh Circuit, an important and respected court in the federal judiciary. So, my friends, here is where we are: It is time to put an end to the contractual liability exclusions with the “based upon, arising out of” language. There is no reason for exclusions with this language to be in a professional liability policy or in a D&O insurance policy except to give insurers a way to try to dodge coverage for claims that they ought to be covering – indeed, to deny coverage for claims that are the very kinds of claims for which their customers buy their insurance product. I hope policyholder-side advocates out there will join me in saying that from this point forward we will do everything we can to ensure that professional liability insurance coverage – including D&O liability insurance coverage – will not be written on policies with contractual liability exclusions with the broad “based upon, arising out of” wording. “Aux armes, citoyens/ Formez vos bataillons!” Are you with me, friends? Then, good, time to man the barricades. From now on, as much as possible, contractual liability exclusions only with the “for” wording.
“Marchons, marchons!” And once we fix the contractual liability exclusion, we can then move on to the professional services exclusion, which has exactly the same fundamental problem as the contractual liability exclusion. “Le jour de gloire est arrivé!”

The post 7th Circ.: Contract Exclusion Renders Coverage “Illusory” appeared first on The D&O Diary.
The National Advertising Division Annual Conference kicked off with Andrew Smith, the Director of the FTC’s Bureau of Consumer Protection, as the keynote speaker. Near the close of his remarks, Director Smith announced that the FTC will hold a workshop on the Children’s Online Privacy Protection Act (“COPPA”). For a refresher, COPPA is designed to protect the privacy of children by establishing certain requirements for websites that market to children. The FTC operates under the assumption that if children are the target demographic for a website, the website must assume that the person accessing the website is a child, and proper consent must be obtained. This assumption exists even if the website did not start with children as the target audience. To illustrate this point, Director Smith discussed TikTok, a social media app that allows users to create and share short-form videos, which purchased Musical.ly, an app that allowed its users to post videos of themselves lip synching to songs. Musical.ly originally marketed to adults. However, as the website grew in popularity, it became clear that children used the website and that Musical.ly knew that children used the website. On February 27, 2019, the FTC brought a Complaint against Musical.ly alleging that Musical.ly collected information about children, but did not obtain the required parental consent to collect that information. In fact, child predators began using the website to obtain the location of children, though luckily, no child was hurt. As a result, TikTok agreed to pay $5.7 million to settle the FTC allegations. Director Smith also used YouTube as an example of a website that tracked data for behavioral advertising in violation of COPPA. YouTube drops cookies on a user’s computer to track online browsing so that it can serve ads based on a user’s interests—a high performing method of advertising compared to traditional contextual advertising. 
YouTube started this practice generally, but as specific channels were established for children, including the creation of YouTube Kids, YouTube did not obtain the parental consent required under COPPA to continue this practice. Director Smith made clear that it is not the FTC’s intention to discourage the YouTubers of the world from targeting kids for content. Nor does the FTC want to discourage the collection of information or hinder the ability to engage with interest-based advertising—a move that would have an extreme negative effect on content creators. But media that focuses on children has to play by different rules. Because of the importance of protecting children, the FTC is conducting a workshop on COPPA to address how consent should be obtained in these types of situations. Director Smith also noted that the workshop will discuss compliance as it relates to image data, voice data, and education technology. The workshop will be on October 7, 2019, in Washington, D.C. There are many industries that should take note and consider participating in this workshop. One such industry is the gaming/esports industry. Because games, tournaments, and general content are (in large part) targeted to those that are protected by COPPA, compliance issues abound in the industry. The FTC continues to demonstrate its interest in COPPA compliance, making clear that parental consent is key.
via Tumblr A Morning Cup of COPPA From the NAD Annual Conference

Readers know that it doesn’t take much to get me up on my hobby horse about insurers trying to deny coverage based on the late provision of notice. In general, I am against a mere procedural fault causing a complete coverage forfeiture. Every now and then though there is a case where the policyholder’s lack of diligence makes the case against the insurer’s coverage defense very tough. A recent decision out of the District of Minnesota provides an example where the extent and nature of the policyholder’s delay in providing notice of claim made the argument in favor of coverage very difficult. But while the insurer’s denial of coverage based on policyholder’s late provision of notice arguably was justifiable in the case, the circumstances involved still present some important lessons both about notice of claim and about the policyholder’s obligations under the policy. District of Minnesota Judge Susan Richard Nelson’s August 26, 2019 opinion in the case can be found here. A September 18, 2019 post on the Wiley Rein law firm’s Executive Summary Blog about the case can be found here.

Background

Assessment Systems is a consulting services and testing software company. Assessment Systems entered into a contract to provide services to Crane, a company that certifies crane operators. During the course of the contract, Crane contended that the software Assessment Systems provided failed to function under the terms of the parties’ agreement, and refused payment. In June 2017, Assessment Systems sued Crane alleging breach of contract and seeking damages for non-payment. On April 21, 2017, Crane answered and filed a counterclaim against Assessment Systems asserting breach of contract and breach of warranty. The initial discovery deadline was December 15, 2017, but it was extended to April 23, 2018.
Assessment Systems provided notice of the counterclaim to its Business Owners’ policy insurer on April 19, 2018 – as the Court later observed, the notice was provided “approximately one year after the Counterclaim was filed, and only four days prior to the close of discovery.” Prior to providing notice, Assessment Systems did not obtain any discovery supporting or refuting any of Crane’s asserted damages relating to Crane’s counterclaim and did not depose any witnesses, including Crane’s expert witness. The reason Assessment Systems did not provide notice of the counterclaim earlier is that its Director of Human Services – the employee responsible for managing insurance coverage issues for the company – was terminated in December 2017 and had never informed Assessment Systems of the need to make a claim to the insurer. As the Court later noted, “No explanation is offered by Assessment Systems for why notice was not provided to Citizens during [the] eight months” prior to the HR director’s termination. After the HR director’s departure, another employee took responsibility for the insurance matters, and ultimately discovered the insurance policy from which Assessment Systems sought coverage, and then caused Assessment Systems to provide notice to the insurer. On May 21, 2018, the insurer appointed counsel to represent Assessment Systems with respect to the counterclaim. Assessment Systems, with the assistance of counsel appointed by the insurer, moved for partial summary judgment with respect to a contractual limitation on Crane’s claimed damages. The court granted the motion, but preserved for trial questions of damages stemming from amounts Crane had paid under the contract. Trial in the case is currently set for September 30, 2019. The insurer filed a federal court action seeking a judicial declaration that it has no duty to defend or indemnify Assessment Systems in the underlying lawsuit. The insurer filed a motion for summary judgment.
The claims-made insurance policy that the insurer issued to Assessment Systems provided, among other things, that “If a ‘claim’ is made against ‘you,’ you must see to it that we receive written notice of the ‘claim’ as soon as practicable.”

The August 26, 2019 Opinion

In an August 26, 2019 opinion, District of Minnesota Judge Susan Richard Nelson, applying Minnesota law, granted the insurer’s summary judgment motion. Judge Nelson first determined that although the policy did not specifically say so, timely notice is required as a condition precedent to coverage under the insurer’s policy. The “plain and natural language” of the policy’s insuring agreement specifies that the policy’s coverage applies “only if” the policyholder provides notice of claim to the policy. Judge Nelson also noted as a general matter that claims-made policies require notice before insurance coverage attaches. Judge Nelson then concluded that the notice requirement of the policy is “material” to the insurance agreement and therefore cannot be excused. She said that “considering the integral nature of notice to the insurer in claims-made insurance policies, and because the Policy at issue here is a claims-made policy, the Court holds as matter of law that the notice requirement in the Policy is ‘material’ – indeed a ‘basic’ or foundational – term of the insurance agreement.” As a material condition precedent to coverage, the notice requirement “must be literally met or exactly fulfilled” or no liability can arise on the promise qualified by the condition. Judge Nelson then concluded that “the undisputed facts demonstrate that notice was not given as soon as practicable.” The neglect of the company’s terminated HR director “is not a valid reason to delay notice,” particularly given the eight-month delay after the counterclaim was served and the HR director was terminated.
The negligence of an employee, Judge Nelson said, “does not excuse a company’s failure to comply with a contract.” Holding otherwise, Judge Nelson said, “would permit employers to dodge insurance contract requirements where their employees are less than vigilant on insurance matters, which in turn may prejudice the insurer because the lapse of time can deprive the insurer of the opportunity for prompt investigation and impede defense against fraudulent claims.” Finally, Judge Nelson noted that although a showing of prejudice is not required under Minnesota law for an insurer to assert late notice as a defense to coverage, “even if a showing of actual prejudice were required, there is not genuine dispute of material fact that [the insurer] suffered actual prejudice as a result of Assessment Systems’ untimely notice.” During the period of the delayed notice, Assessment Systems conducted no discovery of Crane’s counterclaims and took no depositions, including no deposition of Crane’s expert. The notice was provided to the insurer just four days before the discovery deadline, and while some of Crane’s damages claims were defeated by Assessment Systems’ partial summary judgment motion, Assessment Systems is unable to conduct any discovery of Crane’s remaining damages claims.

Discussion

It is always going to be a tough fight for a policyholder if its best argument against its insurer’s late notice defense is that the notice was untimely due to the neglect of an incompetent employee who ultimately was fired. However, I will say that almost every late notice dispute involves some element of oversight or omission. The fact is that in my experience, late notice happens. It happens for lots of reasons or for no reason at all. The question that the late provision of notice always presents, regardless of its cause, is whether the fact that notice was not timely provided should operate as a complete forfeiture of coverage.
In this case, Judge Nelson in effect anticipated my usual fallback argument about late notice, which is that the insurer ought not to be able to rely on the late notice to defeat coverage unless the untimeliness of the notice prejudiced the insurer’s interests. Here, though the insurer was not required under Minnesota law to establish that it was prejudiced by the late notice, Judge Nelson said that even if prejudice were required, the record shows that the late provision of notice did prejudice the insurer. (Indeed, it could be said that not only was Assessment Systems not diligent in protecting its interests under the policy, but diligence was similarly lacking in the way the company defended itself against Crane’s counterclaim.) The best that can be said about this case is that it demonstrates a point that I often make when discussing notice issues, which is the importance for policyholders to be diligent in protecting their interests under the insurance policies. While there are many arguments I am prepared to make to try to counteract insurers’ attempts to avoid coverage, the most effective way for policyholders to preserve coverage is to avoid giving the insurer grounds on which to rely in trying to deny coverage. Well-advised policyholders will take appropriate steps to protect their interests, including taking all steps to fulfill the policyholder’s obligations under the policy. (In one of the units in my series on the Nuts and Bolts D&O insurance, I discuss the policyholder’s various policy obligations at greater length.) There are some other lessons here. First, the function of administering a company’s insurance program is a very important responsibility. It should be undertaken by someone with a certain amount of sophistication and experience – and competence.
With all due respect to persons who serve in the role of HR director, the HR department is not necessarily the first place that comes to mind when you are thinking about where within a company to place the insurance management function. The key is that the insurance administration function is an important one; it should be treated as an important function and the responsibility for the function should be assigned in recognition of the function’s importance. Second, as I think this case shows, it may not always be obvious when a claim has arisen. The underlying dispute here began as an attempt by Assessment Systems to collect unpaid amounts due from Crane under the service contract. The lawsuit only became a matter of relevance to the insurance policy when Crane filed the counterclaim. As often happens when litigation unfolds, it may not have occurred to anyone at Assessment Systems that what had started out as essentially a collection lawsuit had become a matter for which its insurance policy might provide coverage. The failure to recognize that a given matter is or has become something to which the insurance might be relevant happens fairly often. One of the reasons for this failure to recognize a claim is that the policy’s definition of Claim is so broad these days, encompassing a wide variety of legal matters. Another reason for the failure to recognize a claim is, as was the case here, that various legal matters may not start out as claims but become claims later on. This failure to recognize a claim problem is a tough one. More than once in my career I have been in routine renewal conversations with clients and in the course of discussion it will just come out that there is some pending matter that is or could be a claim under the policy. (Many practitioners will no doubt themselves be familiar with these “Oh, by the way…” kinds of conversations.)
As advisors, the best we can try to do to help our clients avoid getting in this kind of situation is to remind them frequently of the breadth of the policy’s definition of the term claim and of the importance of providing the insurer with timely notice. All of that said, and as I noted above, I am still prepared to argue as much as possible and in many situations that the late provision of notice should not effect a complete forfeiture of coverage. The fact is that when humans are involved, things like the late provision of notice are going to happen. The policy should be administered in a way that makes allowances for the fact that humans are involved.

The post Late Notice of Claim Precludes Coverage appeared first on The D&O Diary.

Alzheimer’s and Cancer? FTC Announcement Shows That FDA Is Not the Only Agency That Is “Serious”

9/23/2019

Last week, the Federal Trade Commission issued a press release announcing that it had issued warning letters to three unnamed sellers of cannabidiol (CBD) products who marketed everything from gummies to creams with bold claims that the products could treat a wide variety of the most serious diseases known to man. This follows an earlier wave of letters that it issued jointly with the U.S. Food and Drug Administration (FDA) last March, which warned other CBD marketers of misbranding and introducing an unapproved new drug without prior approval, and of making unsupported claims about their CBD products’ ability to treat and cure serious diseases such as cancer and Alzheimer’s, among other medical conditions. In the latest press release, the FTC reaffirms its interest in monitoring health-related advertising claims in the budding CBD industry.
The FTC did not disclose the recipients of the warning letters, but the Commission quoted several problematic claims made by the undisclosed CBD companies. Examples of claims that the FTC appears focused on include 1) assertions that CBD products have been “clinically proven” to treat cancer, Alzheimer’s disease, or other serious medical diseases; 2) claims that CBD products are effective in relieving various types of pain; and 3) references to the amount of research companies have acquired to support these claims. In the letters, the FTC asked that the companies review all of their claims that a CBD product can prevent, treat, or cure diseases or other medical conditions to ensure that those claims were supported by “competent and reliable scientific evidence.” The FTC demanded that the companies “notify the FTC within 15 days of the specific actions they have taken to address the agency’s concerns.” This is the FTC’s second appearance in the CBD space, and its first solo act. Though the industry may primarily focus on FDA and Drug Enforcement Agency (DEA) regulation, the warning letters are a reminder that the quickly growing CBD industry is getting more attention from an alternative threat—the FTC. Going forward, it appears that the FTC will continue to pay closer attention to whether claims that CBD products can treat various diseases, or are otherwise “clinically proven,” are backed by competent and reliable scientific evidence. If not, CBD companies can potentially face more serious legal action related to false advertising, such as FTC enforcement actions, state attorneys general action, and consumer class actions. Because of these risks, CBD companies should have a formal compliance plan in place to ensure their marketing plans comply with federal guidelines, which include guidelines for compiling and maintaining claim substantiation. 
These recent letters serve as a cautionary reminder to companies operating in the CBD space to verify the accuracy of their advertisements and other marketing material. Failure to do so could result in further FTC action for monetary and injunctive relief, as well as FDA actions to remove products from the market—and both outcomes could be real buzz kills.
After the U.S. Supreme Court’s March 2018 decision in the Cyan case that state courts retain concurrent jurisdiction for ’33 Act liability actions, one idea that circulated was that companies could avoid securities class action lawsuits in state court by adopting a charter provision designating a federal forum for these kinds of suits. Unfortunately, in December 2018, Delaware Chancery Court Vice Chancellor Travis Laster held in Sciabacucchi v. Salzburg that under Delaware law federal forum provisions are invalid and ineffective, as discussed here. The Sciabacucchi decision, which is now on appeal, is the subject of a comprehensive critique in a recent article by Stanford Law Professor Joseph Grundfest, entitled “The Limits of Delaware Corporate Law: Internal Affairs, Federal Forum Provisions, and Sciabacucchi” (here). Professor Grundfest argues that Sciabacucchi was wrongly decided and that under a “straightforward” application of applicable Delaware statutory law, federal forum provisions are valid and permitted. It is important to note at the outset, as Professor Grundfest acknowledges in footnote one in his paper, that Grundfest himself developed the concept of the federal forum provision and drafted the federal forum provision language that was in dispute in the Sciabacucchi case. Indeed, in the parties’ pleadings in Sciabacucchi, the use of federal forum provisions was referred to as the “Grundfest solution,” and so Grundfest’s interest in these issues is, as he acknowledges in the footnote, “paternal.” Background on State Class Action Securities Litigation Professor Grundfest opens the substantive portion of his paper with a review of the problems that state court securities actions create. 
First, as his paper statistically demonstrates, state court securities class action litigation, which actually began to accumulate even before Cyan, has grown significantly since the case was decided, to the point that now 76 percent of Section 11 cases are brought either in state court alone or in parallel state and federal actions. Plaintiffs, Professor Grundfest notes, have significant incentives to “migrate” their cases to state court, as state court pleading standards are more plaintiff-friendly; as state courts do not uniformly apply the discovery stay in federal court; and as there is no process in state court for consolidating duplicate proceedings. Plaintiffs’ attraction to state court arguably is statistically justified, as between 2011 and 2018, the dismissal rate for state court Section 11 actions was only 19 percent, while the dismissal rate in federal court was 45 percent. Increased likelihood of surviving dismissal and increased uncertainty has meant that state court securities suits settle at higher values than do comparable federal court actions. Among other things as a result of these considerations, the cost of D&O insurance for IPO companies has risen materially in the wake of Cyan, as Professor Grundfest’s paper details statistically. Readers of this blog will find the paper’s discussion of the D&O insurance issues particularly interesting. Background on Litigation Management Bylaws The idea for companies to adopt bylaw provisions specifying a federal forum arose out of the larger discussion in recent years for companies to manage their litigation risks by adopting litigation management bylaws. In 2013, then-Chancellor Leo Strine Jr. 
held (as discussed here) in the Chevron case that corporations can adopt bylaws designating a preferred forum for litigation “relating to the internal affairs of the corporation.” A 2014 Delaware Supreme Court decision in the ATP Tour case (discussed here) also upheld the validity of a bylaw provision shifting fees to an unsuccessful litigant in a shareholder claim. However, in 2015, the Delaware legislature enacted a provision barring fee-shifting bylaws, while codifying the right of Delaware corporations to designate Delaware as the preferred forum for shareholder disputes. The Sciabacucchi Case With the idea circulating that companies should adopt federal forum provisions, a number of IPO companies adopted bylaws designating a federal forum “for the resolution of any complaint asserting a cause of action under the Securities Act of 1933.” Among the IPO companies adopting these kinds of provisions were Blue Apron, Stitch Fix and Roku. Matthew Sciabacucchi bought shares in all three companies. He then filed an action in Delaware Chancery Court seeking a judicial declaration that the companies’ federal forum provisions are invalid. In December 2018, Vice-Chancellor Laster granted Sciabacucchi’s motion for summary judgment, holding under Delaware law the provisions are invalid and unenforceable. 
In reaching this ruling, Vice-Chancellor Laster said that while Delaware law permits companies to adopt a forum selection clause for “internal affairs” claims, owing to what Laster describes as “first principles” Delaware law “does not authorize a Delaware corporation to regulate external relationships.” A ’33 Act liability action, Vice-Chancellor Laster said, “is external to the corporation,” as “Federal law creates the claim, defines the elements of the claim, and specifies who can be a plaintiff or a defendant.” While Delaware law has certain authority on internal matters related to the company’s organization, that authority “does not extend to its creation’s external relationships.” The state’s authority, Laster said, does not extend, for example, to tort claims asserted against the company. A state’s corporate charter “cannot bind a plaintiff to a particular forum when the claim does not involve rights or relationships that were established under Delaware law.” Since that is what the federal forum provisions do, they are therefore “ineffective and invalid.” Professor Grundfest’s Critique Professor Grundfest’s paper presents a multi-part attack on Vice-Chancellor Laster’s ruling in Sciabacucchi. As an initial matter, Grundfest challenges Laster’s reliance on sweeping “first principles” to invalidate the federal forum provision. Under these “first principles,” Laster said, when “the claim exists outside the corporate contract, it is beyond the power of corporate law to regulate.” The implications of this suggestion, Grundfest says, “reach far beyond the four corners of Federal Forum Provisions and articulate a novel principle that would constrain all of the past and future Delaware corporate law.” The further problem with the “first principles” analysis is the suggestion that without these constraints, Delaware might interpret its own laws to allow regulation, say, of tort or contract claims. 
The “easy answer to these concerns is that none of them could arise in the context of federal forum provisions, and other forum provisions are not at issue.” Delaware, Grundfest says, “can address those concerns if and when those provisions arise in a real case or controversy.” The Sciabacucchi decision, Grundfest contends, is “highly contestable.” Among other things, Grundfest argues that the decision is against controlling U.S. and Supreme Court precedent. Laster concluded that the federal forum provision is “contrary to the federal regime,” while disregarding the U.S. Supreme Court’s 1989 decision in Rodriguez de Quijas v. Shearson/American Express, Inc., which, Grundfest asserts, “conclusively establishes that plaintiffs have no immutable right to litigate Securities Claims in state court and enforces a contract of adhesion prohibiting state court litigation of Securities Act claims.” Yet, Grundfest notes, Sciabacucchi nowhere mentions the Rodriguez claim. Moreover, Grundfest notes, by invalidating a federal practice governing a federal claim that is consistent with federal law, Sciabacucchi “imposes a restraint on federal practice that appears nowhere in federal law,” and “creates an unprecedented intrusion by Delaware law into the federal space.” A further “problem” with Sciabacucchi is that it assumes that Securities Act plaintiffs are never existing stockholders to whom fiduciary duties are owed – a proposition, Grundfest notes, for which the Sciabacucchi opinion offers no factual support. In fact, Professor Grundfest notes, numerous SEC filings show that existing holders purchase additional shares in both IPOs and follow-on offerings, and these purchasers are owed fiduciary duties in connection with the statements made in the registration statements. Sciabacucchi’s “internal affairs” analysis is also “problematic” as it “diverges from precedent” to “invent a materially narrow definition” of the term “internal affairs.” Both U.S. 
Supreme Court and Delaware’s definition of internal affairs are broader and more encompassing, yet Sciabacucchi “offers no rationale for its divergence from controlling precedent.” The decision’s application of its “divergent definition” of “internal affairs” is “additionally problematic” in its conclusion that Securities Act claims are “always external.” However, Delaware precedent establishes that an act can simultaneously be an internal violation of Delaware law and violate a federal law. Indeed, Grundfest argues, the “due diligence” defense to Section 11 claims necessarily entails a close inquiry into the actions and awareness of board members, all matters that are “entirely internal.” The court’s decision is also “problematic” from a policy perspective. If the board processes that caused the filing of a defective registration statement are external, then “a host of boardroom functions” previously considered internal become “amenable to regulation by sister states.” This “trajectory” is “inimical to Delaware’s interest in regulating the internal functioning of Delaware-chartered entities.” Moreover, Sciabacucchi’s “first principles” analysis, and its implied constraints on legislative action “veers Delaware’s judiciary into the Legislature’s lane, as well as into the federal lane.” All of these problems, Grundfest suggests, can be avoided by a “straightforward” interpretation and application of Delaware’s statutory law. A textualist reading of the statutes avoids “all of the concerns that inspire the invention of a divergent ‘internal affairs’ definition.” Sections 102(b)(1), 115, and 202 of the DGCL “unambiguously support the validity of Federal Forum Provisions and nothing in Sciabacucchi suggests Federal Forum Provisions are inconsistent with the plain text.” The statutory text also answers the concern about the possibility of charter provisions seeking to address, for example, tort or contract law. 
Sections 102 and 115 both refer to provisions relating to directors, officers, and shareholders “in their capacities as such,” which would take out the concern about charter provisions spilling into a host of other matters. Discussion Grundfest’s paper is massive and detailed. It is always a challenge attempting to summarize anything as vast and sweeping as this paper and it is a particular challenge to do so within the constraints of the blogging format. I hope my summary here does justice to Grundfest’s extensive effort. While Grundfest’s arguments are numerous and extensive, several basic things stand out. The first is that he thinks that Vice-Chancellor Laster really got it wrong in Sciabacucchi. In Grundfest’s view, the decision disregards important federal and Delaware precedent and relies on assumptions of fact that are “demonstrably incorrect.” The other thing that is clear is that Grundfest continues to believe that federal forum provisions are a good idea and are permissible under Delaware statutory law. I should note here that in the interests of brevity, I telescoped Grundfest’s affirmative case that the text of the relevant Delaware statutes supports companies’ adoption of federal forum provisions. It is in the nature of his paper that his critique of Sciabacucchi predominates the presentation. There is no mystery about the timing of Professor Grundfest’s paper. As I noted at the outset, Sciabacucchi is on appeal to the Delaware Supreme Court, and the parties have just entered the briefing phase of the appeal. Having originated and propagated the idea of federal forum provisions, Grundfest clearly has an interest in seeing his intellectual creation survive legal scrutiny. His paper clearly bespeaks the fervor of his commitment to his project. The paper is a legal missile aimed at the Delaware Supreme Court. It will of course be very interesting to see how the appeal turns out. 
The larger problem for everyone is that the possibility of state court securities litigation has created a huge mess, adding complexity, confusion, and cost for companies and for their D&O insurers. We can also certainly hope that the Delaware Supreme Court concludes that federal forum provisions are permissible. However, unless and until that happens, the problems arising from the possibility of state court securities litigation will continue, causing all of the problems and concerns that Grundfest’s paper notes. For that reason, I continue to believe that the best approach would be for Congress to act and address this situation. SLUSA was clearly intended to force all securities litigation into federal court. However, Congress made a hash of things when it modified the jurisdictional provisions of the ’33 Act, and that is how the U.S. Supreme Court wound up concluding in Cyan, notwithstanding SLUSA, that state courts retain concurrent jurisdiction for Section 11 claims. While federal forum provisions are a good idea, the best thing would be for Congress to go back and clean things up. One final note. Grundfest’s paper is massive and could even be daunting for some. Just in case readers of this blog don’t manage to make their way through the text to see it, the insurance practitioners who read this blog will be particularly interested in the statistical analysis in Section II of Grundfest’s paper. The paper not only sets out interesting statistical information about state court securities litigation filings and resolutions, but it also lays out interesting and detailed information about how Cyan has affected the D&O insurance market for IPO companies. I am sure that many readers will find it well worth their time to work their way through both the litigation statistics and the insurance pricing information. Special thanks to the several readers who sent me a link to Professor Grundfest’s paper.
In two recent decisions, federal district courts have dismissed at least some of the claims brought by federal and state authorities, finding the complaints insufficiently specific in alleging that a defendant’s conduct met the relevant statutory requirements and/or insufficiently clear regarding their allegations as a whole. These rulings may provide a useful roadmap for future challenges to complaints brought by federal and state regulatory agencies and/or attorneys general. Federal Trade Commission and People of the State of New York, by James, v. Quincy We’ve blogged previously about the FTC and State of New York’s challenge to the advertising for cognitive supplement Prevagen. If your memory is good, you will recall that Judge Stanton dismissed the case, but the Second Circuit reversed on the issue of whether the studies Prevagen mentions in its ads support the claims in its ads. In addition to the product manufacturer and marketer, Quincy Bioscience, LLC, Prevagen, Inc., and Quincy Bioscience Manufacturing, LLC, the government also named as defendants Quincy’s co-founders and two largest shareholders, Mark Underwood and Michael Beaman. After the remand, on July 24, 2019, the United States District Court for the Southern District of New York granted the defendants’ motion to dismiss the claims against Beaman, while denying the defendants’ motion to dismiss the claims against Underwood and rejecting their other arguments for dismissal. 
In so ruling, the court applied the normal standard for individual liability under the FTC Act: “An individual may be held liable … for a corporation’s deceptive acts or practices if, with knowledge of the deceptive nature of the scheme, he either participate[s] directly in the practices or acts or ha[s] authority to control them.” The knowledge requirement may be met by showing that the individual has “actual knowledge of material misrepresentations, reckless indifference to the truth or falsity of such misrepresentations, or an awareness of a high probability of fraud along with an intentional avoidance of the truth.” Similarly, the New York statutes invoked in the complaint, New York Executive Law § 63(12) and New York General Business Law §§ 349-50, provide that corporate officers and directors “may be held liable for fraud if they participate in it or have actual knowledge of it.” The court found that the complaint adequately alleged that Underwood had the authority to control the corporate defendants’ advertising practices and that he “participated directly in the alleged false advertising of Prevagen.” Beyond his overall positions of leadership—as Quincy’s largest shareholder, a co-founder and the president of Quincy and two of the three subsidiaries, and a director of all three subsidiaries—the complaint alleged that Underwood “made final decisions on advertising claims, wrote advertising materials, and appeared in Prevagen advertisements.” Furthermore, the court cited the allegations that Underwood “directed the research, translated scientific data into marketing language, and wrote a user guide explaining the science behind Prevagen” as sufficient to “support an inference that he knew what the research and studies concluded and thus had knowledge of the deceptive nature of the advertisements.” By contrast, the court concluded that the complaint’s allegations against Beaman fell short of the mark. 
The court noted that Beaman’s comparable leadership positions—as Quincy’s second largest shareholder, a co-founder, former president, and current CEO of Quincy and two of the three subsidiaries, and chair of the board of directors of all three subsidiaries—gave him, as well as Underwood, “the authority to control the corporate defendants’ advertising practices.” Nevertheless, the court found that the complaint’s allegations regarding Beaman’s conduct—namely, that he “has given media interviews, signed research agreements, pre-approved research proposals, and reviewed Defendants’ advertising”—were “insufficient to show that he knew the results of the research or participated in the false advertising.” Thus, the court dismissed the claims against Beaman, with leave to amend. What the FTC can add and whether it does so remain to be seen. Consumer Financial Protection Bureau v. Ocwen Financial Corporation, et al. A lack of sufficient specificity and clarity similarly led to dismissal of claims brought by the CFPB against Ocwen Financial Corporation (“OFC”) and two subsidiaries. The CFPB alleged that the mortgage servicing practices of OFC and the two subsidiaries—Ocwen Mortgage Servicing, Inc. (“OMS”) and Ocwen Loan Servicing, LLC (“OLS”)—violated provisions of the Consumer Financial Protection Act (“CFPA”), Fair Debt Collections Practices Act (“FDCPA”), Real Estate Settlement Procedures Act (“RESPA”), Truth in Lending Act (“TILA”), and Homeowners Protection Act of 1998 (“HPA”), and related federal regulations. Defendants moved to dismiss the complaint on a variety of grounds. In a September 5, 2019 ruling, the United States District Court for the Southern District of Florida agreed with the defendants that the CFPB’s claims under the FDCPA must be dismissed because the complaint failed to allege facts plausibly showing that each of the defendants acted as a “debt collector” as defined by the FDCPA. 
Specifically, while “[t]he Complaint plausibly alleges that Defendants collect or attempt to collect [their] own debts … [it] fails to plead factual allegations from which the Court can plausibly infer that Defendants regularly collect or attempt to collect on debts owed or due another at the time of collection.” The court granted the CFPB leave to re-plead its FDCPA claims in an amended complaint. The defendants also launched a more sweeping attack against the CFPB’s complaint, arguing that “all Counts should be dismissed because the Complaint is an impermissible ‘shotgun’ pleading and it fails to distinguish among the Defendants.” The court agreed with the defendants that the complaint “constitute[d] improper shotgun pleading … requiring dismissal of the CFPB’s complaint without prejudice.” As the court observed, the term “shotgun pleading” can encompass a variety of improper pleadings, including complaints that “contain multiple counts where each count adopts the allegations of all preceding counts,” as well as complaints with counts that contain “conclusory, vague, and immaterial facts not obviously connected to any particular cause of action.” The court found that the complaint in Ocwen Financial Corp. was an improper shotgun pleading because it “is ninety-two pages long and incorporates all 220 paragraphs of allegations into each of the fourteen counts, regardless of whether the factual allegations pertain to the cause of action.” At the same time, the court rejected the defendants’ argument that the CFPB’s complaint relied on improper group pleading and failed to specify what each defendant had allegedly done for each cause of action. The court found that the complaint plausibly alleged common enterprise liability—under which it is not necessary to allege that each defendant committed a particular wrongful act. Takeaways In both cases, the government has been given the opportunity to replead. 
Thus, whether these victories are long-lasting or short-lived remains to be seen. The cases do, however, provide useful guidance on what the government needs to plead to succeed.
Quick answer: It depends on what the lease says. Last week featured a tug-of-war between a producer and the community in which it operates; this week in HJSA No. 3 LP v. Sundown Energy LP it’s the producer and the lessor. HJSA owns the mineral estate under 30,540 acres in Ward County, Texas. Sundown is the lessee. After six years the lease could be maintained only as to individual tracts from which there was production in paying quantities and as to other tracts only if Sundown was engaged in a “continuous drilling program”. Dueling lease provisions (emphasis mine) Paragraph 7B says: The first such continuous development well shall be spudded in on or before the sixth anniversary of the Effective Date, with no more than 120 days to elapse between completion or abandonment of operations on one well and the commencement of drilling operations on the next ensuing well. Paragraph 18 is a 90-day temporary cessation clause that defines drilling operations as: “ … actual operations … (spud-in with equipment capable of drilling to Lessee’s objective depth); reworking operations, including fracturing and acidizing; and reconditioning, … “. After Sundown drilled 14 development wells, HJSA claimed that the lease had terminated as to certain portions of the property because Sundown had on five separate occasions over 14 years allowed more than 120 days to elapse between completion or abandonment of operations on one well and commencement of drilling operations on the next well, thereby failing to maintain the lease as to areas not HBP. During those alleged lapses no new wells had been spudded, but reworking and reconditioning operations on existing wells had taken place. Litigation followed. In resolving the dispute the court relied on several rules of construction:
Was Paragraph 7b a special limitation? Sundown argued forfeiture and denied that 7B was a special limitation. The “for so long” language of the habendum clause fixed a natural limit to the lease and created a special limitation because it did not cut short the natural limit of the lease. That would be a forfeiture. Score a point for HJSA. What was a “continuous drilling operation” under paragraph 7b? Now, to summarize several pages of contract construction but keep us out of the weeds: 7B defined a continuous drilling program as requiring the spudding of a new well. 18 defined operations more broadly to include reworking and reconditioning, but in a different context. The court considered how the industry uses “spud-in”, went to the dictionary to define “such” and “ensuing”, and concluded that the paragraph 18 definition of an “operation” could not be grafted on to the paragraph 7b definition. A specific provision controls over the general. Paragraph 7B is a specific provision and the obligations of that paragraph required Sundown to engage in a continuous drilling program by spudding in a new well. The duties in that paragraph are more specific than those in paragraph 18. Paragraph 18 was not rendered meaningless because it contemplated the situation in which production ceases on an existing well and allows for reworking, etc. It had a purpose, just not the one suggested by Sundown. In the end, Sundown was required to spud a well to comply with Paragraph 7. Musical interlude You can enjoy your songwriters and your cover artists. We don’t make you choose. 
As discussed in the following guest post from John Reed Stark, a recent development in the class action litigation arising out of the massive Marriott International data breach could have significant ramifications for other claimants asserting class action claims — including securities class action claims — based on data breaches or other cybersecurity incidents. Stark is President of John Reed Stark Consulting and former Chief of the SEC’s Office of Internet Enforcement. A version of this article originally appeared on Securities Docket. I would like to thank John for allowing me to publish his guest post on this site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is John’s article. ******************************* The cybersecurity class action bar might be celebrating the holidays a bit early this year. The enthusiasm stems from a recent (but barely noticed) judicial letter from Judge Paul W. Grimm, of the United States Federal District Court for the District of Maryland, who oversees class action litigation arising out of last year’s data breach of Marriott’s Starwood guest reservation database. In his letter, which is essentially a judicial decree, Judge Grimm ordered Marriott to make public a crucial third-party report that will reveal key details about the data breach. Known formally as a “Payment Card Industry Forensic Investigative Report,” or “PFI Report,” the report in question can be one of the most evidentiarily powerful documents for data breaches involving credit card information. With respect to Marriott-breach related pending multidistrict class actions filed by consumers, financial institutions and governments, the Marriott PFI Report has previously either been severely redacted or sealed off to the public entirely. 
But now, per Judge Grimm, the First Amendment mandates the Marriott PFI Report’s public release (perhaps lightly redacted). On the surface, Judge Grimm’s order might look like part of one of the many inconsequential discovery-related squabbles that typically occur during class actions and other litigation. But Judge Grimm’s decision could have significant ramifications for plaintiffs filing securities-related and other class actions following data breaches at retail companies. This article drills down into Judge Grimm’s ruling, and:
Retailers and PCI-DSS Compliance Payment Card Industry Data Security Standards (PCI-DSS) is a set of requirements created to help protect the security of electronic payment card transactions that include personal identifying information (PII) of cardholders, and operates as an industry standard for security for organizations utilizing credit card information. PCI-DSS applies to all organizations that hold, process or pass credit card holder information and imposes requirements upon those entities for security management, policies, procedures, network architecture, software design and other critical measures that help to protect customer credit and debit card account data. The Payment Card Industry Security Standards Council (PCI SSC), an international organization founded by American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc. in 2006, develops and manages certain credit card industry standards, including the PCI-DSS. In addition to promulgating PCI-DSS, the PCI SSC has developed a set of industry rules governing responses to payment card data breaches. These rules, known collectively as the Payment Card Industry Forensic Investigator (PFI) program, were intended to replace the programs established by the individual card brands. In theory, PCI-DSS is good for retailers, establishing a minimum data security standard that all retailers must meet, discouraging competitors from cutting corners and allowing for some uniformity and stability. PCI-DSS not only protects the card brands but it also ensures that consumers feel safe when using credit and debit cards. However, adhering to PCI-DSS can become costly and onerous, especially for retail chains, and can subject retailers to the cybersecurity whims of the card brands, who enjoy a very strong bargaining position. 
PCI-DSS and Data Breaches When a cyber-attack targets electronically transmitted, collected or stored payment card information, whether the retailer has met PCI-DSS compliance quickly becomes an intense area of inquiry. For instance, the card brands may levy significant fines and penalties on retailers that are not in compliance with PCI-DSS. Such penalties and fines, imposed separately by each card association, can include:
The PFI Report Once a data security incident occurs, in order to determine whether the retailer must incur any of the above penalties or pay for any system modifications required to achieve PCI-DSS compliance, the retailer is contractually obligated to hire a specially certified PCI-approved forensic investigative firm (also known as a “PFI”) from a small and exclusive list of card brand approved vendors (currently comprised of 22 companies). The PFI team then performs a specified list of investigative work including writing a final report about the data security incident – the PFI Report — that is issued to both the retailer and the various credit card companies. The PFI Report then becomes the basis used by the card brand companies to calculate potential fines that will be levied against the acquiring banks. These fees are then passed along to the victim company in the form of indemnification. More Art Than Science Sometimes PFI Reports are the most thorough, comprehensive and authoritative analysis of a cyber-attack upon a retailer. But sometimes, albeit unintentionally, the PFI Report can be prejudiced, jaundiced, biased or otherwise flawed. The findings and conclusions of PFI Reports typically derive from painstaking efforts of digital forensics and malware reverse engineering, which can consist of conjecture, hypothesizing, speculation, supposition and simple old-fashioned guesswork. In fact, both skill sets are more art than science, which can render PFI Reports overly subjective, skewed or even mistaken. Here’s why: First off, while some data security incidents may provide key evidence early-on, most never do, or even worse, provide a series of false positives and other initial stumbling blocks. After a cyber-attack, there is rarely, if ever, a CSI-like evidentiary trail. 
Indeed, digital forensic evidence of a data security incident is rarely in plain view; it can rest among disparate logs (if they even exist), volatile memory captures, server images, system registry entries, spoofed IP addresses, snarled network traffic, haphazard and uncorrelated timestamps, Internet addresses, computer tags, malicious file names, system registry data, user account names, network protocols and a range of other suspicious activity. Evidence can also become difficult to nail down — logs are destroyed or overwritten in the course of business; archives become corrupted; hardware is repurposed; and the list goes on. Second, when a digital forensics investigator analyzes the virtual remnants, artifacts and fragments left within the attack vector of a company’s devices or systems such as “deleted recoverable files” residing in the more garbled sectors of a hard drive such as “unallocated and slack space” or the boot sector, facts and conclusions can be subject to interpretation and guided by the assumptions and experience of that investigator. Consider for example the intricacies and complexities of malware-reverse engineering. “Malware” is oft defined as software designed to interfere with a computer’s normal functioning, such as viruses (which can wreak havoc on a system by deleting files or directory information); spyware (which can secretly gather data from a user’s system); worms (which can replicate themselves and spread to other computers); or Trojan horses (which upon execution, can cause loss or theft of data and system harm). The definition of malware, however, is actually broader and a bit of a misnomer, and actually means any program or file used by attackers to infiltrate a computer system. Like the screwdriver that becomes harmful when a burglar uses it to gain unlawful entry into a company’s headquarters, legitimate software can actually be malware. 
Thus, malware reverse engineering, a crucial aspect of incident response, is also often the most challenging. Finally, there also exists a massive cybersecurity labor shortage, with over three million cyber-related jobs remaining unfilled — which means there are quite a few inexperienced amateurs masquerading as incident response professionals, whose findings can be dubious. This dearth of bona-fide data breach response experts should come as no surprise. The data breach response industry remains in its infancy – there are few academic degrees available in the realm of incident response and barely any incident response courses in college and graduate school curriculums. Many incident responders come from government, such as the Air Force’s Office of Special Investigations; the U.S. Computer Emergency Readiness Team (CERT) of the Department of Homeland Security; or the various cyber squads of the Federal Bureau of Investigation. Other incident response experts are simply self-taught from experience or from piecing together varying expertise of digital forensics, network engineering and security science. The bottom line is that no matter where a data breach response worker starts out, it can take as much as a decade of apprentice work before becoming a bona-fide data breach response expert. PFI Conflicts of Interest Though the attacked retailer engages the PFI and is responsible for all fees and expenses associated with the PFI’s investigation, the PFI conducts the investigation on behalf of the third-party card brands and with their direct involvement. Thus, even the most trustworthy, conscientious and objective PFI team can have an inherent conflict of interest and be biased. For instance, under PFI rules, each of the payment card brands is responsible for “Defining requirements regarding the use of PFIs and the disclosure, investigation and resolution of security issues” of the security incident. 
This supervisory role affords the card brands wide latitude in directing and controlling key aspects of the data breach response process. In fact, PFI rules actually attempt to minimize involvement of the victim company in the response, stating outright that the company is not to control or direct the investigation. To ensure compromised entities fully understand this limitation, the PFI rules specifically require that the retailer acknowledge and agree in its contract with the PFI “that the investigation is being carried out as part of the PFI Program, that all PFI Report information shall be shared with affected Participating Payment Brands throughout the investigation and that the investigation is not to be directed or controlled in any way by the Compromised Entity.” To make matters even worse, if a retailer disagrees with any of the findings of the PFI, the retailer has limited, if any, recourse to dispute the PFI Report prior to the unfavorable facts being turned over to third parties. PFI rules require the contract to specify that the PFI has the authority to deliver all final and draft reports and PFI work papers to the card brands at the same time as the reports are sent to the victim retailer. Retailers can comment on draft and final PFI reports but do not have “approval authority,” and any facts regarding the investigation with which the retailer fundamentally disagrees might not be part of the documentation that the PFI or the card brands provide to third parties. Meanwhile, in stark contrast, the credit card brands enjoy unique input and control with respect to the documentation of a security incident, including approval rights over all PFI reports and the ability to reject any report that does not conform to all applicable requirements, such as templates and use of proper scoping methodology. 
Dueling, Parallel Digital Forensic Investigations Given the potential for bias, conflicts of interest and subjectivity (or even mistakes), retailers rarely stand by quietly and simply accept the PFI’s findings on the data breach. Instead, when hiring a PFI after a cyber-attack, most retailers engage a second “company-directed” forensic examiner for the investigation, one that is completely independent of the card brand approved PFI list. This second, company-directed forensic examiner typically reports to, and is formally engaged by, the retailer’s outside counsel or internal general counsel. There can be tremendous advantages for a victim-retailer to engage their own forensic firm, in addition to the card brands’ PFI team. First, absolute technical accuracy and completeness of the report is of paramount importance given that this report may become the foundation for regulatory inquiry and litigation, and a victim company may need to challenge a PFI’s draft report’s findings. Second, the involvement and direction of counsel in the context of the investigation will presumably apply to the work product produced by the digital forensic investigators, rendering their findings, conclusions and other communications protected by attorney-client confidentiality. The involvement of counsel also establishes a single point of coordination and a designated information collection point, enhancing visibility into the facts, improving the ability to pursue appropriate leads and, most importantly, ensuring the accuracy and completeness of information before it is communicated to external audiences. Think of it this way: After experiencing a fire in a home, a homeowner may have concerns about the qualifications or credibility of the insurance adjuster or may believe the insurance adjuster’s report is biased or specious. So the homeowner hires their own expert to challenge the report of the insurance adjuster in order to receive a better insurance payout. 
The same principle holds true for PCI incident response. However, there are also some disadvantages to this “dueling investigation” approach. Given the sanctity of the attorney-client privilege and work product doctrines, the retailer’s forensic firm and the PFI firm can rarely collaborate, or even be in the same room together, lest the retailer risk waiving attorney-client privilege. The retailer may even go so far as to arrange for the PFI firm and the retailer’s firm to deploy different endpoint detection applications – thus paying for two almost identical software licenses. Thus, the retailer pays twice for a cyber-attack investigation and twice for each team’s expensive toolsets – which can add up to millions (or even tens of millions) of dollars. That’s like paying for an Uber car and a Lyft car to take one person home from a night out – it’s a bit maddening. Welcome to the upside-down world of data breaches: where actual perpetrators are rarely caught; where actual damages to specific customers are rarely identified; and where the retailer victimized by a cyber-attack must not only pay the invoices of the PFI team (who reports solely to the card brands) but must also pay the invoices of the second external forensic expert (who reports solely to the retailer). The Marriott Breach, the Resulting Class Actions and the Marriott PFI Report Marriott International, Inc. (Marriott) is a multinational company that manages and franchises a broad portfolio of hotels and related lodging facilities around the world. On November 30, 2018, Marriott announced a data security incident involving unauthorized access to the Starwood guest reservation database containing information relating to as many as 500 million guests. Since then, Marriott claims that attackers who breached its Starwood Hotels unit’s guest reservation system stole personal data from up to 383 million guests — including more than five million unencrypted passport numbers. 
Marriott also now asserts that attackers had unauthorized access to its Starwood network of reservations at W Hotels, Sheraton Hotels & Resorts and other properties dating back to 2014, prompting questions about Marriott’s cybersecurity governance and infrastructure as well as suspicion that Marriott negligently missed the breach during its due diligence process before acquiring Starwood in 2016 for $13.6 billion. The class action frenzy since these events has been nothing short of astounding. A total of 176 plaintiffs from all 50 U.S. states have filed suit against Marriott relating to the Marriott breach. Meanwhile, consumers, financial institutions and governments in various states, such as California, Illinois, New York and Massachusetts have filed dozens more class actions, including a securities class action. Given the vast scope and number of class actions relating to the Marriott data breach, the plaintiffs agreed to centralize the litigation at a hearing with the Judicial Panel on Multidistrict Litigation. The Judicial Panel: 1) determines whether civil actions pending in different federal districts involve one or more common questions of fact such that the actions should be transferred to one federal district for coordinated or consolidated pretrial proceedings; and 2) selects the judge or judges and court assigned to conduct such proceedings. The Judicial Panel agreed that consolidating the class action lawsuits into multi-district litigation (MDL) was the best option, also noting that Marriott was headquartered in Maryland and most witnesses would be found in the area and ordering the MDL to reside before Judge Paul Grimm in the Federal District Court of Maryland. 
The Panel noted in its order: “[W]e find that centralization…of all actions in the District of Maryland will serve the convenience of the parties and witnesses and promote the just and efficient conduct of this litigation … The factual overlap among these actions is substantial, as they all arise from the same data breach, and they all allege that Marriott failed to put in to place reasonable data protections. Many also allege that Marriott did not timely notify the public of the data breach.” The Marriott Securities Class Actions The securities class action lawsuit(s) against Marriott and certain of its senior executives assert claims under Sections 10(b) and 20(a) of the Securities Exchange Act of 1934, and SEC Rule 10b-5 promulgated thereunder, on behalf of all persons or entities who purchased or otherwise acquired Marriott common stock between November 9, 2016 through November 29, 2018. In the first securities class action lawsuit involving Marriott, filed on December 1, 2018, less than one full day (!) after Marriott announced the data security incident, the complaint refers to statements in the company’s SEC filings about the importance of information technology security, alleging that certain statements in Marriott’s SEC filings were false and misleading because: “(1) Marriott’s and Starwood’s systems storing their customers’ personal data were not secure; (2) there had been unauthorized access on Starwood’s network since 2014; (3) consequently the personal data of approximately 500 million Starwood guests and sensitive personal information of approximately 327 million of those guests may have been exposed to unauthorized parties; and (4) as a result Marriott’s public statements were materially false and/or misleading at all relevant times.” Since its initial filing, the plaintiffs have amended their securities class action complaint, and added new and more complete allegations, with the most recent version found here. 
Unlike more traditional securities class action lawsuits, the Marriott securities class action lawsuit does not involve allegations of financial or accounting misrepresentations. Instead, it involves allegations that Marriott suffered a significant reverse in its operations, alleging that the company failed to inform investors that the data security incident might occur and that if it did occur it would have a negative impact on the company. A Brief Aside about the Disclosure of Cyber-Attacks by Public Companies In particular, public company disclosures relating to cyber-attacks can provide ideal fodder for class action plaintiffs looking for negligent representations, insufficient assertions or misleading statements. There is confusion about not just when a public company should disclose a data security incident, but also what precisely the public company should say about the incident. For example, per the U.S. Securities and Exchange Commission’s (SEC) February 26, 2018 interpretive guidance relating to disclosures about cybersecurity risks and incidents, when a company has learned of a cybersecurity incident or cyber-risk that is material to its investors, companies are expected to make appropriate disclosures, including filings on Form 8-K or Form 6-K as appropriate. Additionally, when a company experiences a data security incident, the 2018 SEC Guidance emphasizes the need to “refresh” previous disclosures during the process of investigating a cybersecurity incident or past events. However, on the one hand, with respect to the actual content of a company’s data security incident’s disclosure, the 2018 SEC Guidance allows for a lack of specifics so as not to compromise a company’s security, stating: “This guidance is not intended to suggest that a company should make detailed disclosures that could compromise its cybersecurity efforts – for example, by providing a “roadmap” for those who seek to penetrate a company’s security protections. 
We do not expect companies to publicly disclose specific, technical information about their cybersecurity systems, the related networks and devices, or potential system vulnerabilities in such detail as would make such systems, networks, and devices more susceptible to a cybersecurity incident.” But on the other hand, the 2018 SEC Guidance cautions companies not to use any sort of generic “boilerplate” type of language in their disclosures, stating somewhat opaquely: “We expect companies to provide disclosure that is tailored to their particular cybersecurity risks and incidents. As the Commission has previously stated, we ‘emphasize a company-by-company approach [to disclosure] that allows relevant and material information to be disseminated to investors without boilerplate language or static requirements while preserving completeness and comparability of information across companies.’ Companies should avoid generic cybersecurity-related disclosure and provide specific information that is useful to investors.” Given the SEC’s schizophrenic approach to disclosing cybersecurity-related events, rather than serving as safe harbor for public companies, the SEC’s 2018 Guidance ironically has become a beacon for class action plaintiffs. PSLRA Discovery Stay and the Marriott Securities and Derivatives Tracks Congress enacted The Private Securities Litigation Reform Act of 1995 (PSLRA) to address perceived abuses in securities fraud class actions. 
Among those concerns was that the high “cost of discovery often forces innocent parties to settle frivolous securities actions.” In addition, Congress sought to prevent private securities plaintiffs from using frivolous lawsuits as a vehicle “to conduct discovery in the hopes of finding a sustainable claim not alleged in the complaint.” In furtherance of those goals, the PSLRA provides that “all discovery and other proceedings shall be stayed during the pendency of any motion to dismiss, unless the court finds, upon the motion of any party, that particularized discovery is necessary to preserve evidence or to prevent undue prejudice to that party.” In the Marriott MDL, there are five case “tracks” (Government, Financial Institution, Consumer, Securities and Derivative). In accordance with the PSLRA, Judge Grimm ordered that all discovery for both the Securities and Derivative Tracks be stayed, until the resolution of Marriott’s pending motion to dismiss. Judge Grimm also provisionally granted a motion to seal Marriott’s motion to dismiss the Government Track action, which included a copy of the Marriott PFI Report as an exhibit. Currently, redacted versions of these pleadings appear on the docket, although the Marriott PFI Report remains sealed in full. Class Action Motions Concerning the Marriott PFI To keep costs down, Judge Grimm has implemented a case management system in the Marriott MDL that replaces traditionally captioned orders and motions, and which includes a July 16, 2019 order that any party seeking to file a motion shall first submit a letter, no longer than three pages, stating the facts and bases supporting such relief. This way, the Judge might just rule on the three-page letter and avoid the costs of lengthy memoranda, motions, affidavits, etc. 
Once a letter is filed, Judge Grimm determines whether to schedule an expedited telephone conference to discuss the requested motion and whether the issues may be resolved or otherwise addressed without the need for formal briefing. This expedited motions procedure apparently meant that Gibson Dunn, the law firm representing Marriott in the class actions, had limited time and space to argue against the release of the Marriott PFI Report (e.g. no room for expert affidavits, documentation of particularities, witness declarations and the many other details and minutiae typically presented in an important litigation motion). Based on the currently 438 entries in the Marriott MDL docket, the two primary letters seeking the unsealing of the Marriott PFI Report appear to be the following pleadings:
In opposition to the Silverman Letter and the Labaton Sucharow Letter, Marriott submitted the following pleadings:
The Silverman Letter specifically seeks production of the Marriott PFI Report before the deadline for amending its complaint, stating: “Our position on these matters is consistent with this Court’s emphasis on efficiency and avoidance of unnecessary litigation effort. Requiring production of the PFI Report and other investigative reports related to the Data Breach prior to the deadline for amending complaints will promote efficiency by ensuring that the allegations conform to the available facts, thus eliminating unnecessary discovery and motion practice over allegations based on “information and belief” that may be inconsistent with facts already developed in the PFI and other investigations … Early production of the PFI Report, other investigative reports, and all materials provided to government regulators investigating the Data Breach at issue by Marriott will greatly facilitate all parties’ ability to frame the issues in the case for the Court.” The Labaton Sucharow Letter notes that Marriott had already attached a copy of the PFI Report in their July 15, 2019 motion to dismiss in the Government Track, but had placed the Marriott PFI Report under seal and also argued that the First Amendment mandates that Judge Grimm unseal the Marriott PFI Report. “It is settled law that the First Amendment and common law protect the public’s access to judicial records … Merely attempting to avoid embarrassment, legal liability, or a harm to future business prospects are insufficient reasons under either standard to justify keeping information in judicial records from the public. The party seeking the sealing must overcome the interest of the general public, which includes the financial markets as Marriott is a publicly traded company … As an initial matter, these materials are clearly a matter of public interest to investors, consumers, and the American public. 
… Defendants have articulated why they want the materials kept under seal – (1) danger from potential hacking of their systems, (2) competitive harm, and (3) that it would undermine current investigations … None of these reasons satisfy the high burden Defendants must meet to rebut the presumption of access and maintain these judicial records under seal.” The Gibson Dunn Letter reiterates the arguments of Marriott’s July 16 Motion to place the Marriott PFI Report under seal and adds an additional argument relating to the PSLRA discovery stay, stating: “Plaintiffs’ motion is an attempted end-run around the PSLRA’s discovery stay. The PSLRA, which governs the Securities and Derivative Tracks, imposes an automatic stay on all discovery pending resolution of motions to dismiss. Plaintiffs now seek to expose confidential discovery materials in public court filings, so that they can access discovery that federal law bars them from obtaining at this juncture. [In addition], 1) Sealing the information protects it from criminals that could use it to perpetrate “future cyberattacks.” Disclosure of the sealed information could, for instance, help hackers hone their strategies … 2) The compelling governmental interest in shielding ongoing investigations requires keeping certain information sealed; … and 3) Marriott’s concern about offering “competitors insight into certain aspects of Marriott’s internal business practices” Judge Grimm’s Decision In an August 30, 2019 “Letter Order,” Judge Grimm sided with the plaintiffs, and ordered the unsealing of the Marriott PFI Report, while assigning a magistrate judge to determine if it should contain any “narrowly tailored” redactions (e.g. 
if Marriott can show with definitive particularity that publication of any portions/sentences of the Marriott PFI Report would “threaten existing operational database systems.”) With respect to Marriott’s PSLRA arguments, because the unsealing of the Marriott PFI Report was of no monetary cost to the Marriott defendants, Judge Grimm noted that the spirit of PSLRA remained intact and respected. Moreover, because Marriott had attached the Marriott PFI Report to their earlier pleading, Marriott had rendered the Marriott PFI Report a “pleading” and not “discovery material” which did not run “afoul with the PSLRA discovery stay.” With respect to Marriott’s other arguments, Judge Grimm found that “there is a First Amendment right to access portions of the PFI report and pleadings that cannot be shown to constitute a particularly identified, non-speculative harm.” Judge Grimm writes: “Defendants argue (without explaining how) that the information could help hackers attack systems Defendants currently use by studying “network infrastructure for handling cardholder data, systems and strategies for securing such information and thwarting attacks, encryption and decryption processes and protocols, and activity logging.” … This justification for continuing to seal the entirety of the report is both speculative and generalized. Under this reasoning, none the details of how the Starwood database was compromised could ever be revealed, which would prevent the public from understanding how the data breach occurred in the first place, and it would prevent other entities from learning how to better protect their networks from similar attack. This is hardly in the public interest … Second, Defendants’ assertion that unsealing the pleadings and PFI report would interfere with ongoing investigations is equally conclusory and speculative. 
While Defendants do claim that ongoing investigations would be jeopardized, it is unclear which investigations would be compromised, or how, and therefore this argument fails … Lastly, Defendants offer no particularized support for the proposition that sealing the entire PFI report and portions of the Pleadings is necessary to prevent disclosure of commercially sensitive data and internal business practices.” Judge Grimm then ordered the parties to confer expeditiously with U.S. Magistrate Judge Facciola to determine what portions of the Marriott PFI Report, if any, should be redacted, noting that he “will not wait indefinitely to implement this order [and] should the parties disagree, Judge Facciola shall make a report and recommendations to me for my ultimate determination.” Judge Grimm Hands Over the Brass Ring It should come as no surprise that the plaintiffs in the Marriott securities class action lawsuits asked Judge Grimm to unseal the Marriott PFI Report. For a class action plaintiff, the PFI Report is the brass ring of documentary evidence, containing detailed, well-documented and potentially inculpatory opinions and findings relating to the Marriott data breach. Conducted without any direction, interference or influence from Marriott, and presented without any of Marriott’s objections, disagreements, opposition, etc., the Marriott PFI Report also provides a timely, unique and wholly unfettered analysis of the data breach. Moreover, obtaining a PFI Report early on in a class action can save a plaintiff millions of dollars in discovery-related expenses while also delivering a mammoth strategical advantage. But herein lies the rub. While the credit card brands may have the very best of intentions, as set forth above, the reality is that the PFI Report is not necessarily the most reliable or even accurate set of findings. In summary:
Going Forward Retailers who experience data security incidents must already deal with a class action blitzkrieg, and Judge Grimm’s recent love letter to the class action bar only adds fuel to that firestorm. On the one hand, Marriott arguably put the Marriott PFI Report in “play” by attaching it to their motion to dismiss, thereby providing Judge Grimm with a convenient rationale to rule that its release did not violate the PSLRA discovery stay. Perhaps in future securities class actions, if a defendant does not file the PFI Report as part of any pleading, the PSLRA’s statutorily required discovery stay will prohibit any plaintiff from seeing the PFI Report before an opportunity for a dispositive motion, like a motion to dismiss. But on the other hand, for securities class actions and all other class actions, Judge Grimm’s letter validates a class action plaintiff’s “First Amendment” right to see the PFI Report, which may prompt other judges to grant class action plaintiffs immediate access to it. Such prompt and early access could curtail defendants’ hopes of winning early pre-trial dispositive motions, while potentially arming class action plaintiffs with an evidentiarily powerful litigation weapon. Clearly, retailers should take heed of Judge Grimm’s Letter Order and try to prepare for its consequences. One preemptive option for retailers is to conduct “table-top” exercises of a data security incident at their company, and engage a “mock PFI Team,” comprised of former PFI investigators, to create a “mock PFI Report.” Reviewing a mock PFI Report could then provide a retailer with a better understanding of what to expect from a PFI Team and enable the retailer to develop the kind of corporate governance and technological infrastructure that would typically result in a more favorable PFI Report. 
The mock PFI investigation would also provide unique training for IT personnel and others who will have to work with PFI Teams, preparing a company’s employees for what is typically an extremely awkward experience, replete with hazards and pitfalls. Think of it this way: When opening a new restaurant what better way to obtain an “A” health department rating than to hire a former health department inspector to conduct a mock inspection. The same goes for PCI-DSS compliance. Table-top exercises also enable organizations to analyze potential emergency situations in an informal environment and are designed to foster constructive discussions among participants as they examine existing operational plans and determine where they can make improvements. Indeed, table-top exercises are a natural fit for information security because they provide a forum for planning, preparation and coordination of resources during any kind of attack. Retailers should also spend more time on the due diligence of selecting a PFI from the 22 digital forensic companies currently on the PCI SSC List. Retailers should study carefully the credentials and track record of PFI team members, ensuring that their selected PFI team is experienced, fair, objective, meticulous and open to discussions and disagreement. Not to be too cynical but it would also probably help if the law firm managing a retailer’s data breach response has prior experience with the PFI team and that the PFI team is concerned about their reputation with the law firm (i.e. that the PFI team relies on the law firm for other business). When there exist competing, outside economic interests at issue, it is only human nature for the PFI team to put their best and most fair foot forward during the course of their engagement. 
Given that trying to avert a cyber-attack is like trying to prevent a kindergartener from catching a cold during the school year, retailers should anticipate a securities class action lawsuit filing within 24 hours of the announcement of their next (inevitable) data security incident — and they should take steps now to help facilitate an exculpatory PFI Report. Otherwise, a class action liability skirmish may be over before the retailer has even had a chance to enter the battlefield. __________________ John Reed Stark is president of John Reed Stark Consulting LLC, a data breach response and digital compliance firm. Formerly, Mr. Stark served for almost 20 years in the Enforcement Division of the U.S. Securities and Exchange Commission, the last 11 of which as Chief of its Office of Internet Enforcement. He currently teaches a cyber-law course as a Senior Lecturing Fellow at Duke Law School. Mr. Stark also worked for 15 years as an Adjunct Professor of Law at the Georgetown University Law Center, where he taught several courses on the juxtaposition of law, technology and crime, and for five years as managing director of global data breach response firm, Stroz Friedberg, including three years heading its Washington, D.C. office. Mr. Stark is the author of “The Cybersecurity Due Diligence Handbook.”
The post Guest Post: Some Good News for the Cybersecurity Class Action Bar appeared first on The D&O Diary.

One of the most significant corporate litigation phenomena over recent years has been the rise of merger objection litigation, as a result of which nearly every public company merger transaction has drawn at least one lawsuit. According to the latest study of merger litigation from Cornerstone Research, this phenomenon continued in 2018, with the same percentage of merger transactions as in 2017 attracting at least one lawsuit – in 2018, as in 2017, 82% of public company merger transactions valued over $100 million drew at least one lawsuit. The Cornerstone Research report, entitled “Shareholder Litigation Involving Acquisitions of Public Companies: Review of 2018 M&A Litigation,” can be found here. Cornerstone Research’s September 17, 2019 press release about the report can be found here. The Cornerstone Research report draws on the firm’s merger transaction database, which contains 1,928 deals announced between November 19, 2006, and December 31, 2018. Percentage of Deals Drawing a Lawsuit: According to the report, there were a total of 142 public company merger deals announced in 2018 that were challenged by lawsuits, compared with 115 in 2017. However, in both 2017 and 2018, the deals that drew lawsuits represented 82% of all deals announced during the year. The percentage of deals hit with lawsuits had declined slightly during 2016 (the year in which the Delaware Chancery Court issued its Trulia decision, in which the court evinced its distaste for the type of disclosure-only settlement that typically resolved the merger objection lawsuits then), to around 71% of deals announced during the year. 
However, in 2017 and 2018, the percentage of deals challenged in lawsuits bounced back somewhat, although not all the way to the 2009-2015 annual average of 90% of deals.
Number of Lawsuits Per Deal: The average number of lawsuits filed per deal rose slightly to 3.1 in 2018, compared to 2.9 lawsuits per deal in both 2016 and 2017. The number of lawsuits per deal in 2018 remained below the 2009-2015 average number of lawsuits per deal of 4.7. Several of the deals announced in 2018 drew notably more lawsuit filings; for example, both the Finisar Corp. and Pandora Media transactions drew nine lawsuits.
Percentage of Lawsuits Voluntarily Dismissed: One significant change in 2017 and 2018 compared to prior years was the increasing number of merger objection suits resolved through voluntary dismissal. Thus, while the annual average percentage of merger objection suits voluntarily dismissed was only 17% during the period 2006 through 2015, the percentage rose to 72% in 2017 and stayed at roughly the same level (70%) in 2018. This increase in the number of voluntary dismissals is a result of the plaintiffs’ changing approach to resolving this litigation, in which the defendant voluntarily agrees to make changes to the deal-related proxy statement and agrees to pay the plaintiffs’ counsel a “mootness fee” in exchange for the plaintiffs’ counsel’s agreement to dismiss the lawsuit.
Shift of Suit Filings from State Court to Federal Court: The Delaware Chancery Court’s 2016 decision in the Trulia case has significantly affected the plaintiffs’ counsel’s choice of the forum in which to file the merger objection lawsuits. Thus, during the period 2009 through 2015 (that is, the period before Trulia), the average annual percentage of all deals that were challenged in federal court was 26 percent. However, in 2017, the number of deals challenged in federal court rose to 96 percent.
In 2018, the number of deals challenged in federal court declined slightly compared to 2017, to 91 percent.
State Court Filings: In addition, in 2018, 34 percent of deals were challenged in state court, which represents a rebound from the 2017 percentage of 18 percent. The number of deals challenged in state court in 2018 also increased, with 49 deals challenged in state court, compared to only 21 in 2017.
Number of Jurisdictions in Which a Deal is Challenged: In 2018, only 45 percent of litigated deals faced challenges in only one jurisdiction, which represents the first time since 2013 that less than half of challenged deals faced litigation in only one jurisdiction. In 2018, 43 percent of deals were challenged in two jurisdictions, compared to 26 percent in 2017. In 2018, 12 percent of deals were challenged in three or more jurisdictions, compared to only four percent in 2017.
The post Percentage of 2018 Deals Drawing Merger Objection Suits Held Steady appeared first on The D&O Diary.
Last week, companies engaged in debt collection were not-so-gently reminded that making calls using an automated dialer to any number other than the one provided by the consumer is incredibly risky—and in Rash Curtis & Associates’ case, a $267 million risk. Calls made to phone numbers with the consumer’s prior express consent are not prohibited by the TCPA. The FCC and courts have long considered phone numbers provided by consumers in a transaction (such as opening a credit card account) as “in bounds,” reasoning that consumers implicitly give consent to be reached on those telephone numbers in connection with the transaction or account.
However, this does not extend to phone numbers obtained through other means, including “skip tracing,” commonly used by third-party collectors and debt buyers who often touch the accounts many months or even years after the original transaction. Following a May jury verdict in favor of the plaintiffs in a class action brought against a debt collection firm, a judge last week entered a judgment against the firm for $267 million ($500 per illegal call made). I’ll leave it to my colleagues Dan Blynn and Stephen Freeland to opine on the TCPA and class action implications here, but as someone who advises debt collectors on regulatory issues, this case is a stark reminder that trying to get a hold of hard-to-reach consumers continues to be fraught with risk because of the multi-layered regulatory and statutory schemes governing debt collection. It also is a cautionary tale of how the use of technology to optimize collections must be carefully analyzed for first, second, and third order effects. And while the CFPB’s upcoming rulemaking, which is seven years in the making, should modernize the Fair Debt Collection Practices Act and provide some clarity on consumer contact, it will not supersede conflicting state laws and certainly will not address the 800-pound gorilla in the room, the TCPA. For that, we continue to look to the FCC with our fingers crossed.