Quarterly Securities Enforcement Briefing
- SEC Clarifies Duties of Board of Directors Regarding Cybersecurity and Data Breaches
- SEC Imposes First-Ever Sanctions for Retaliation Against a Whistleblower
- 2nd Circuit Vacates Rakoff Decision Regarding Liability Admissions; Clarifies Standard of Review for SEC Consent Decrees
- Supreme Court Limits Securities Class Actions, But Not Fatally
SEC Clarifies Duties of Board of Directors Regarding Cybersecurity and Data Breaches
By Candice M. Tewell
On June 10, 2014, Securities and Exchange Commissioner Luis Aguilar spoke at a “Cyber Risk and the Boardroom” conference at the New York Stock Exchange. Commissioner Aguilar indicated that public companies need to increase their monitoring of cybersecurity risks, and that the SEC will be reviewing companies’ cybersecurity measures and disclosures to ensure that investors are made aware of relevant risks and cybersecurity incidents.
Since the financial crisis began in 2008, the SEC and corporate commentators have placed an increasing focus on directors’ oversight of corporate risk management. Commissioner Aguilar has now clarified that this focus on risk management should include oversight of a corporation’s data/cybersecurity issues. He also recommended that company boards look to the National Institute of Standards and Technology’s (“NIST”) February 2014 Framework for Improving Critical Infrastructure Cybersecurity. In this Framework, NIST attempts to set out guidelines to allow companies to improve their data and cybersecurity.
Companies are already feeling the pressure to make cybersecurity a priority. Data breaches and other cyber-crimes cost American companies over $10 million in 2013. The impact of cyber-attacks can extend far beyond the direct costs associated with recovery of the affected systems, including damage to consumers and significant reputational harm. In addition, the FTC has begun more than 50 data-security enforcement actions in recent years and data breaches have translated into civil lawsuits.
Civil suits include federal securities actions, consumer class actions, and derivative suits against corporate directors and officers, alleging that failures of oversight and inadequate cybersecurity systems led to the breaches. In recent years, high-profile cases involving privacy and data security have been filed against Target, TJ Maxx, Heartland Payment Systems, and Google. Most of these cases either settled or have not progressed significantly beyond the pleading stage, and the lack of litigated cases has left companies with very little case law to guide their attempts to build adequate cybersecurity frameworks. But waiting to learn lessons from cases such as the recent derivative and consumer class action litigation against Target may expose companies to liability if they become the victim of a cyber-incident.
There are several proactive steps companies can take to protect themselves from both cyber-attacks and related liability:
- Develop an enterprise-wide governance structure for addressing cybersecurity;
- Identify sensitive data and assess its vulnerability;
- Develop effective information security policies and procedures, including employee training and management of both employees and vendors;
- Assess technical and physical data protections on a regular basis;
- Prepare a cyber-incident response plan for a potential breach, including protocols for managing investor relations, press releases, communications with regulators and law enforcement, and public disclosures following a cyber-incident;
- Practice the cyber incident response plan regularly; and
- Review existing insurance coverage and consider investing in specialty insurance to mitigate cyber-related risks and costs.
Further, in light of Commissioner Aguilar’s comments emphasizing the duty of a public company’s board of directors to oversee the company’s cybersecurity, directors should consider educating themselves about cybersecurity and making it part of the board’s regular duties. Some steps the board can take to lessen risk include:
- Assigning cybersecurity risk assessment to a particular board committee;
- Reviewing the annual budget for privacy and IT security programs;
- Assigning roles and responsibility for privacy and security to executives/staff;
- Receiving regular reports on past breaches and current and future risks;
- Participating in training or consulting an outside expert on cybersecurity to ensure that relevant directors have the required technical understanding to evaluate current and future risks; and
- Ensuring the company maintains and practices its cyber incident response plan.
The stakes of cyber-attacks are high. Companies should work proactively to protect themselves both from a possible attack and from the litigation likely to follow one.
SEC Imposes First-Ever Sanctions for Retaliation Against a Whistleblower
By Jeffrey B. Coopersmith
In previous posts, we reported on the SEC’s whistleblower program implemented as part of the Dodd-Frank Act. On June 16, 2014, the SEC took its program a step further and issued its first order alleging violations of the anti-retaliation provisions of the Act, Section 21F(h) of the Securities Exchange Act, 15 U.S.C. 78u-6(h), and SEC Rule 21F-2(b), 17 C.F.R. 240.21F-2(b).
The SEC’s administrative order alleges that a hedge fund called Paradigm Capital Management and its majority owner violated the anti-retaliation provisions by punishing the fund’s head trader for making a whistleblower submission to the SEC. Paradigm and its majority owner consented to the order, without admitting or denying the allegations. The whistleblower submission alleged that the fund had engaged in certain conflicted trades that were violations of the Investment Advisers Act. When the whistleblower notified the fund’s management that he had reported the alleged violations to the SEC, the fund, advised by counsel, took several steps including, among other things: (1) removing the whistleblower from the trading desk and suspending the whistleblower’s trading and supervisory responsibilities; (2) moving the whistleblower’s work station to an offsite location; (3) directing the whistleblower to prepare a report about potential misconduct at the fund, but providing him with access to 1,900 pages of paper files while denying access to reports from the fund’s computerized trading and account systems; (4) disciplining the whistleblower for emailing confidential material from his personal email address a month after granting him permission to use his personal email address for fund business; and (5) taking other actions viewed by the SEC as designed to marginalize the whistleblower. The whistleblower ended up resigning.
The SEC’s administrative order against Paradigm and its majority owner imposed monetary sanctions consisting of $1.7 million in disgorgement for the trading violations, prejudgment interest of $181,771, and a civil penalty of $300,000. The order does not specify what portion of the civil penalty applies to the alleged retaliation against the whistleblower as opposed to the trading violations, and in a press conference the SEC’s enforcement director declined to say. Nevertheless, the SEC’s action may signal increased scrutiny of employment actions taken against employees who become whistleblowers.
2nd Circuit Vacates Rakoff Decision Regarding Liability Admissions; Clarifies Standard of Review for SEC Consent Decrees
In a much-anticipated decision on June 4, 2014, the 2nd Circuit vacated U.S. District Judge Rakoff’s controversial rejection of a consent decree approving a $285 million settlement between the SEC and Citigroup, in which the bank neither admitted nor denied wrongdoing. In 2011, Judge Rakoff had blocked the proposed consent decree, ruling that the SEC policy of allowing parties to settle enforcement actions without admitting or denying liability undermined the court’s ability to assess whether the settlement was fair.
In a ruling viewed as a rebuke to Judge Rakoff, the 2nd Circuit emphasized that the SEC, not the courts, has the authority to decide the terms of a settlement agreement. Noting that the SEC’s resources are limited and that consent decrees are a legitimate means of enforcement, the 2nd Circuit observed: “Trials are primarily about truth. Consent decrees are primarily about pragmatism.” The 2nd Circuit explained that there was “no basis in the law” for district courts to require admissions in proposed SEC settlements.
The 2nd Circuit clarified that the proper standard is whether an SEC settlement is “fair and reasonable” and outlined the relevant considerations:
- the basic legality of the decree;
- whether the terms of the decree, including its enforcement mechanism, are clear;
- whether the consent decree reflects a resolution of the actual claims in the complaint;
- whether the consent decree is tainted by improper collusion or corruption between the SEC and the defendant; and
- whether the public interest would be disserved by entry of the decree (where the decree includes an injunction).
Absent substantial grounds for finding that the consent decree does not satisfy these considerations, the district court is required to enter the order.
The ruling marks a victory for the SEC and confirms that the agency has broad discretion to negotiate the terms of its settlements. In a statement, the SEC’s Division of Enforcement said it was "pleased" with the decision, stating: "While the SEC has and will continue to seek admissions in appropriate cases, settlements without admissions also enable regulatory agencies to serve the public interest by returning money to harmed investors more quickly, without the uncertainty and delay from litigation and without the need to expend additional agency resources."
As we previously reported, after Judge Rakoff’s decision the SEC moved quickly to announce a new policy of requiring admissions of liability in certain (likely high-profile) cases. Now that the 2nd Circuit has vacated the decision that triggered that policy, the SEC may apply it even more sparingly than it has so far. At the very least, the SEC will no longer be able to insist on admissions on the ground that, without one, a district court might refuse to approve the settlement.
Supreme Court Limits Securities Class Actions, But Not Fatally
By Conner G. Peretti
In its much-anticipated decision in Halliburton Co. v. Erica P. John Fund, Inc., the U.S. Supreme Court declined to overturn the landmark Basic v. Levinson decision, but ruled that defendants in securities law class actions may rebut the fraud-on-the-market presumption of reliance before the class certification stage by showing a lack of price impact. This seemingly small turn in the law may have significant practical effects on companies facing securities fraud class actions.
As we discussed in previous posts, Basic created the fraud-on-the-market theory, which underlies most securities class actions. The theory provides a presumption that investors relied on all public information released by a defendant as embodied in the price of its publicly traded stock. Before Halliburton, defendants could not introduce evidence to directly rebut this presumption before class certification (e.g., evidence that the alleged misrepresentation had no price impact or that the market did not efficiently absorb the information into the stock price).
In Halliburton, the Justices vacated and remanded the 5th Circuit’s decision, holding that defendants should be able to rebut the fraud-on-the-market theory presumption before class certification by showing evidence that an alleged misrepresentation did not, in fact, affect the stock’s price. The Supreme Court did not, however, issue the blockbuster ruling some observers were anticipating—eliminating the fraud-on-the-market theory altogether as a basis for securities class actions. Such a ruling would have had the likely impact of ending securities class actions as we currently know them. Note that enforcement actions brought by the SEC and DOJ are not reliant on the fraud-on-the-market doctrine and the decision therefore has no impact on them.