The public and private focus on corporate governance continued apace in the first half of 2023. In recent months, there were notable developments in jurisprudence potentially impacting corporate diversity initiatives and in the regulation of crypto asset trading platforms. For example:
Additionally, Kramer Levin issued numerous alerts throughout the first half of 2023 on other developments in the corporate governance space, including the federal government’s commitment to addressing sanctions evasion, export control violations and similar economic crimes; the importance of developing and maintaining robust data protection plans and making timely disclosures relating to cybersecurity incidents; the need for corporate directors to take an active role in both implementing reasonable information and reporting systems and monitoring and responding to critical risks within their areas of responsibility; and the evolving landscape of environmental, social and governance (ESG) efforts. We briefly summarize these alerts below.
Supreme Court Unanimously Narrows Scope of Liability Under Section 11(a) of Securities Act of 1933
On June 1, in Slack Technologies, LLC v. Pirani, the Supreme Court unanimously held that even in a case involving direct listing of both registered and unregistered securities, to state a claim under Section 11(a) of the Securities Act of 1933, a plaintiff must allege that he or she purchased securities issued pursuant to and traceable to the allegedly misleading registration statement.
Section 11 of the act allows an individual to sue for a material misstatement or omission in a registration statement when the individual has acquired “such security.” The Court determined the statute’s language and grammar, read against the backdrop of the statute’s context of focusing on particular securities and limiting damages, indicated that Section 11(a) was intended to be construed narrowly and applies only to a security registered under a particular registration statement alleged to contain a materially misleading statement or omission.
The Court’s decision reinforces a long line of lower court decisions holding that Section 11(a) claims must arise out of securities purchases traceable to a specific, allegedly defective registration statement. The Court declined to allow plaintiffs in direct listings to circumvent this requirement and refused to create an exception that would have potentially broadened the scope of Section 11 liability significantly.
SEC Releases New C&DIs on Rule 10b5-1 Amendments
On May 25, in connection with its adoption of amendments to Rule 10b5-1 in December 2022, the SEC released three new compliance and disclosure interpretations (C&DIs). The new C&DIs clarify the timeline for companies to implement new annual and quarterly disclosure requirements and establish the length of a cooling-off period when individuals hold two Rule 10b5-1 plans. This guidance is applicable to both U.S. domestic companies and foreign private issuers.
Commerce Department to Penalize Failure to Voluntarily Self-Disclose Significant Export Violations
On April 18, in concert with the Department of Justice’s (DOJ) focus on voluntary self-disclosure of corporate misconduct, as well as DOJ’s commitment to addressing sanctions evasion, export control violations and similar economic crimes, the Department of Commerce announced clarifications to its policies on voluntary self‑disclosure of violations of the Export Administration Regulations (EAR) in a memorandum to all export enforcement employees. The EAR are designed to protect sensitive U.S. technologies and goods, in particular those that may have dual military and commercial application, from misuse by foreign adversaries.
The memorandum clarifies how the Office of Export Enforcement (OEE) will assess appropriate penalties “in situations where there is a deliberate non-disclosure of significant possible [EAR] violations.” Whereas the OEE has consistently considered the strength of an entity’s compliance regime, including preventive measures and the submission of the voluntary self-disclosure report, as a mitigating factor in assessing the applicable civil penalty, on a going-forward basis, OEE will similarly consider failure to self-disclose as an aggravating factor should a “significant possible violation [be] uncovered by a party’s export compliance program but no [voluntary self‑disclosure] [be] submitted.”
In addition, the policy encourages confidential reporting of potential violations by others. Should a tip result in an enforcement action, it may be rewarded as exceptional cooperation with OEE “if a future enforcement action, even for unrelated conduct, is ever brought against the disclosing party.” Beyond consideration as a mitigating factor for an entity’s own misconduct, there may also be monetary rewards available if such reporting discloses not just a potential export violation but also a potential sanctions violation, assuming the Treasury Department or DOJ takes any qualifying action based on the whistleblower report.
Compliance With Forthcoming Biometric Laws in New York City
On April 27, lawmakers on the New York City (NYC) Council introduced two bills that would amend NYC’s administrative code to more heavily regulate the collection and storage of biometric data by businesses and owners of residential buildings. Biometric data is defined broadly in these bills and includes scans of the face, iris or retina; fingerprints; voice recognition; and any similar characteristics that can be used to identify an individual.
One of NYC’s proposed bills would expand the scope of NYC’s existing local law to apply to all “places or providers of public accommodation” (i.e., restaurants, hotels, retail stores, museums, stadiums, etc.) and would preclude such establishments from using biometric recognition technology to verify or identify customers without first obtaining their written consent. Under the proposed new law, all places or providers of public accommodation must develop a written policy, available upon request, that includes guidance regarding the retention and destruction of such biometric data. Customers must be afforded the opportunity to request that their data be erased. Further, businesses will not be able to disclose, sell, trade or otherwise profit from the biometric data they have collected.
The second proposed bill would amend the Tenant Data Privacy Act to make it illegal for an owner of a “multiple dwelling” (i.e., residential buildings that are occupied, or will be occupied, by three or more families living independently of one another) to install, activate or employ any biometric recognition technology that identifies tenants or their guests without first obtaining their written consent or their consent through a mobile application. Landlords should be aware that installation of Ring, Google Home or similar devices that incorporate facial recognition technology would be implicated by this proposed law. Landlords should also ensure that their policies and practices regarding the use and collection of biometric data comply with the NYC Human Rights Law, which prohibits landlords from discriminating against individuals based on certain protected characteristics, such as race, gender, disability and marital status.
Update: As of the publication of this Midyear Review, the bills have not been passed by the city council. However, as biometric technology continues to advance and concerns regarding its use continue to grow, we can expect to see more regulations aimed at increasing transparency and accountability. Businesses should be cognizant of these laws in order to avoid potential liability and financial penalties.
On March 30, federal regulators announced that Wells Fargo Bank had entered into settlements in which it agreed to pay $97.8 million in fines for enabling sanctions violations between 2010 and 2015. In two separate enforcement decisions, the Department of the Treasury’s Office of Foreign Assets Control and the Federal Reserve’s Board of Governors found that Wells Fargo provided a financial software platform called Eximbills to an unnamed European bank (Bank A), which then used the software to process 124 transactions, totaling over $530 million, in violation of U.S. sanctions for Iran, Sudan and Syria. Regulators concluded that Wells Fargo reasonably should have known that Bank A was using the Eximbills software in this manner and that its failures to promptly identify the apparent violations were attributable to shortcomings in its risk-assessment and oversight mechanisms.
In recent years, DOJ officials have repeatedly emphasized a focus on sanctions enforcement, describing sanctions as “the new FCPA [(Foreign Corrupt Practices Act)].” These penalties underscore that federal regulators are vigorously pursuing potential sanctions violations — even when such violations are admittedly inadvertent and indirect.
Given this focus, companies need to invest in reviewing and, when necessary, strengthening their sanctions procedures. Here, Wells Fargo inherited these issues as part of its Wachovia acquisition. Corporate lawyers have long conducted diligence in merger transactions on corruption risks arising under the FCPA and similar international statutes. The government’s focus on sanctions enforcement highlights the need to approach sanctions risks and diligence with the same heightened scrutiny if bidders and issuers are not already doing so.
SEC Proposes Data Breach Notification and Incident Response Requirements
On March 15, the SEC proposed three rule changes that demonstrate its continued focus on cybersecurity. These rule changes supplement prior amendments by the SEC aimed at protecting customer information.
One of these proposals, and the only one to be unanimously approved (the Proposal), would amend Regulation S-P to require covered institutions to directly notify individuals of certain data breaches and implement written policies to minimize the resulting damage. The others include a requirement for written incident response plans that focus on protecting individuals’ personal information and an expansion of the scope of Regulation S-P to apply the safeguards rule to all transfer agents registered with the SEC and those registered with another regulatory agency as defined by the Exchange Act. Further recordkeeping and retention requirements were also included.
In light of these proposals, covered institutions should ensure they have robust data protection plans in place to comply with existing requirements under Regulation S-P. Covered institutions should also consider how to implement the written policies set forth in the Proposal.
SEC Issues $3 Million Penalty Against Blackbaud for Misleading Cybersecurity Incident Disclosures
On March 9, software company Blackbaud agreed to pay $3 million to the SEC as a result of alleged misleading disclosures arising out of a 2020 data breach that involved customer bank account information and Social Security numbers.
On May 14, 2020, Blackbaud detected that it had suffered a data breach that resulted in the unauthorized access of over 13,000 customers’ information. Approximately two months later, on July 16, 2020, Blackbaud notified customers individually and via its website, stating that no bank account information or Social Security numbers had been accessed. However, Blackbaud personnel learned soon afterward that bank account information and Social Security numbers had been accessed in an unencrypted form.
Following this incident, on Aug. 4, 2020, Blackbaud filed a Form 10-Q that did not disclose the unauthorized access of bank account information and Social Security numbers. Blackbaud eventually disclosed that access on Sept. 29, 2020. As a result, the SEC found that Blackbaud had violated, among other provisions, the non-scienter anti-fraud sections of the Securities Act as well as SEC rules governing disclosure controls and procedures.
The order against Blackbaud highlights an issuer’s responsibility to make timely disclosures relating to cybersecurity incidents. The SEC’s increasing focus on cybersecurity enforcement and disclosure controls relating to cybersecurity incidents is reflected in the fact that the fine against Blackbaud exceeds fines the SEC has levied in the past for similar violations.
Cybersecurity in the Boardroom: ‘Caremark’ Liability for Boards’ Failure to Oversee Cybersecurity
Caremark claims are typically derivative claims asserted by shareholders alleging that the board breached its duty of loyalty by failing to oversee key operations. To be viable, such claims must adequately allege that the board failed to impose systems for reporting risks or failed to act in the face of red flags disclosed to it. Although the Delaware Court of Chancery has recently dismissed Caremark claims against directors for alleged failures to oversee cybersecurity risks due to a lack of bad faith, recently enacted data privacy laws impose positive law requirements that could have the effect of increasing directors’ exposure to the threat of Caremark litigation.
For instance, five comprehensive state privacy laws take effect in 2023, all of which place affirmative cybersecurity and data handling requirements on companies that process personal data. Similarly, new regulations proposed by both the SEC and the New York Department of Financial Services also mandate board oversight to ensure a company meets heightened cybersecurity requirements.
Ultimately, the Chancery Court has left the door open to Caremark claims if a plaintiff can plead specific facts that the board acted in bad faith by failing to oversee cybersecurity risks. Thus, in light of new privacy laws and rules and expanding exposure under existing laws, boards will need to implement reasonable systems to oversee those risks and then document their compliance to be consistent with Caremark.
In their speeches in early March to the American Bar Association’s (ABA) 38th National Institute on White Collar Crime, Deputy Attorney General Lisa O. Monaco and Assistant Attorney General Kenneth A. Polite Jr. highlighted the DOJ’s recent policy changes and expanded initiatives in corporate criminal enforcement. Their remarks served to emphasize the importance of affirmative corporate compliance and DOJ’s commitment to individual accountability.
Among the initiatives discussed were Deputy AG Monaco’s directive that each DOJ component develop its own self-disclosure policy to encourage corporate cooperation in criminal enforcement, a pilot program incentivizing companies to make their own efforts to reach individual actors beyond DOJ’s prosecutorial efforts, and revisions to the Evaluation of Corporate Compliance Programs. Additionally, further resource commitments within the National Security Division and a revised policy on the selection of monitors in the Criminal Division were addressed.
DOJ’s initiatives are geared toward promoting robust corporate compliance alongside transparent incentives. In return for developing mechanisms to assist DOJ in prosecuting wrongdoing, DOJ is offering corporate entities and their shareholders the opportunity to recoup losses and avoid stiffer penalties. The success of these programs remains to be seen.
Delaware Court of Chancery Determines That the Duty of Oversight Applies to Corporate Officers
While Delaware courts have long held that corporate directors are charged with a fiduciary duty of “oversight,” on Jan. 26, the Delaware Court of Chancery held for the first time that the duty of oversight also extends to corporate officers as to “matters within their areas of responsibility.”
In McDonald’s Corp. Stockholder Litig., the court reasoned that officers are charged with running the day-to-day operations of the business and thus are “optimally positioned to identify red flags and either address them or report upward.” Additionally, the court noted that the Delaware Supreme Court has generally held that “the fiduciary duties of officers are the same as those of directors” — and those duties logically would include oversight duties. Finally, analogizing officers and directors to agents and principals, the court found guidance in the law of agency, which imposes on agents the obligation to use reasonable efforts to provide their principals with all material information relating to the tasks entrusted to the agent.
Although decisions by the Delaware Court of Chancery do not carry the same weight as those from the Delaware Supreme Court, this decision is likely to be cited widely until the Delaware Supreme Court addresses the issue directly. As a result, corporate officers should take an active role in both implementing reasonable information and reporting systems and monitoring and responding to critical risks within their areas of responsibility.
On Jan. 26, a 25‑state coalition sued the Department of Labor (DOL) in Texas over its finalized regulations titled “Prudence and Loyalty in Selecting Plan Investments and Exercising Shareholder Rights” (the 2022 Rule). A second case was filed on Feb. 21 in the Eastern District of Wisconsin by two plan participants, assisted by the Wisconsin Institute for Law & Liberty.
The 2022 Rule provides greater flexibility to retirement-plan fiduciaries to consider ESG factors when selecting investment courses of action and exercising shareholder rights such as proxy voting. It replaces a 2020 DOL regulation that emphasized that plan fiduciaries must focus on “economic considerations that have a material effect on the risk and return of an investment.”
The 2022 Rule and related litigation have received significant attention. Shortly after the first case was filed, a resolution seeking to nullify the 2022 Rule under the Congressional Review Act was introduced into Congress.
Update: Though President Biden vetoed the legislation on March 20, the support for the resolution by all the Republicans in the House and Senate, as well as one House Democrat and two Senate Democrats, is an indication of the level of controversy surrounding the 2022 Rule and ESG factors in investing at large.
Issuers Have Until Dec. 1 To Comply With New SEC Incentive-Based Compensation Clawback Rule
Late last year, the SEC adopted a final rule addressing the obligations of listed issuers to recover incentive-based compensation paid to executive officers prior to an accounting restatement. The final rule requires many issuers to (i) adopt more stringent written clawback policies than those currently in place and (ii) provide more extensive disclosures of these policies. The final rule implemented these new requirements by directing national securities exchanges to establish listing standards addressing the recovery of overpayments of incentive-based compensation.
Update: On June 9, the SEC approved the New York Stock Exchange’s and Nasdaq’s proposed clawback listing standards. Issuers will have until Dec. 1 to adopt compliant policies.
* * *
Kramer Levin will continue to monitor and publish alerts and articles on these trends and other corporate governance developments in the months ahead.