Transforming Business: Exploring Pathways for Women to Join and Impact Corporate Boards

Womble Bond Dickinson hosted a “Transforming Business: Exploring Pathways for Women to Join and Impact Corporate Boards” panel discussion at the Post Oak Hotel in Houston. WBD Chair & CEO Betty Temple joined 50/50 Women on Boards Houston Founder & Chair Susan Knight (moderator), TechnipFMC Executive VP, Chief Legal Officer & Secretary Victoria Lazar and Duy-Loan Le, a Board of Directors member for Wolfspeed, National Instruments, Ballard Power Systems and Atomera and a retired Senior Fellow at Texas Instruments. The panelists also offered insights into how women can make a lasting impact on corporate boards, and this article is based on that discussion.

The issue of women on corporate boards is a classic glass-half-full/glass-half-empty conundrum.

On one hand, the percentage of women on corporate boards reached an all-time high in 2021, and female board representation has grown substantially in the past decade alone. On the other hand, women still make up only 27 percent of Russell 3000 company boards of directors, according to a recent report by 50/50 Women on Boards. Only nine percent of those companies have gender-balanced boards.

Women Representation on Corporate Boards

Percentage of Female Directors on S&P 500 Boards

2021: 30 percent
2020: 28 percent
2011: 16 percent

Percentage of Boards with Two or More Women Directors

2021: 96 percent
2011: 58 percent

Source: 2021 U.S. Spencer Stuart Board Index

Le said, “In the field of technology, especially in the boardroom, often I’m the only woman.” This was particularly true when she joined her first public board 20 years ago, she said, and while Le sees more women in corporate leadership today, she still feels as if she is in a predominantly male world.

Getting appointed to a corporate board—or even a civic or non-profit board—isn’t easy, particularly for women. But the pathway to board membership is clearer than ever for women, thanks in large part to the work of women who have blazed that trail.

Self-Assessment Key to Finding the Right Board

To those outside the boardroom, a board of directors may seem like a closed, secret society. But the panelists said that joining a corporate board actually is much more akin to applying for a job, albeit a job that isn’t publicly advertised.

“The first step on a board journey is to show interest in leadership,” Lazar said.

“It is a journey – it’s not something you can do overnight,” Temple said. Looking back, she said she would have changed her initial approach to board service, even though she was actively counseling public company boards as an attorney at the time.

“I would try to build a resume for a board with the strengths I have to be a fiduciary to a company. They want you to be strategic—to think about the business and where it is going. So you need to be thoughtful about how you can help,” Temple said. For example, if candidates have proven experience in finance, legal, human resources, communications or policy matters, they should showcase those skills.

Temple said, “Boards are looking for specific skillsets so you can be an asset on day one. It’s difficult to be a director-in-training.”

But first, she recommends candidates do a self-assessment of their areas of strength and experience, so they can find corporate boards that are the best fit.

“The key is not to spread the net too wide but focus on where you can have a real impact,” Temple said.

Knight said that board opportunities can include non-profit, advisory, private equity and private company boards, too. “The common thread is that you have a fiduciary responsibility,” she said.

While board members come from a variety of professional backgrounds, many are attorneys or have legal experience.

“There is a large population of potentially qualified board members who are attorneys. It’s a good time to be an attorney looking to serve on a board,” Lazar said. However, she cautioned that companies neither want nor need a “Second General Counsel” on the board. Attorneys have the skills and background to guide companies strategically and help them spot potential problems before they arise. This background is particularly valuable during a corporate restructuring, Lazar said. But lawyers on the board shouldn’t try to micromanage or second-guess the company’s in-house legal team.

She also said attorneys need to bring more than legal experience to the board room. Other skills and experiences are invaluable to board service and should not be ignored.

Finally, Le said building strong relationships is critical to being considered for board service. Candidates who demonstrate a selfless desire to help others are best positioned to earn the type of trust necessary to be selected.

“In all of my experiences, boards came to me – not because I’m better than anyone else, but because they know me,” she said. “Reach out, spread your wings and help other people without expecting anything in return. That’s how people come to know you and want you to be part of their team.”

Finding the Board that Fits

Women absolutely need to assess their personal skills, strengths and experience when they decide to pursue board membership. They also need to pay close attention to the companies they wish to serve and the other board members they would be serving with. The panelists said the first opportunity for board service may not always be the right opportunity.

“I needed to meet the people I was going to be serving with in person. Do we share the same values? Can I collaborate with them? The chemistry was very important,” Le said.

Lazar said networking is a great way to build the types of relationships that lead to board service.

“There are hundreds of ways to meet people who are in position to recommend you for a board,” she said. These include professional organizations, community and civic groups, economic development organizations, bar associations (for attorneys) and more. Getting involved in such organizations can offer valuable leadership opportunities, as well as the chance to get to know corporate board members.

“Work your network and work your resume, so when you have the opportunity, you have demonstrated leadership. Be ready when they tap you on the shoulder,” Temple said.

What to Know about Board Service

Finding the right fit and getting on a corporate, civic or non-profit board is just the beginning. The panelists all have extensive experience with board service and shared some of their recommendations for finding success as a board member.

For example, Le said board members need to protect themselves from legal liability when they agree to become a board member.

“I’d never serve on a public board without directors and officers (D&O) insurance,” she said, noting that if board members exercise their best judgment and put the company’s interests first, they generally have nothing to worry about.

Temple also noted that board members need to be prepared to serve on committees. Public companies are required to have Audit, Compensation, and Corporate Governance/Nominating & Governance committees. Women who want to serve on boards should consider how their skillsets and experience can benefit those committees. For example, having a background in human resources or corporate compensation is great experience for serving on a compensation committee. Likewise, candidates with experience in ESG or diversity, equity and inclusion (DEI) may be a good fit for a corporate governance committee.

“Committees are a big part of board service, and it is a lot of work – and it’s not just the meetings. Before the meetings, we get hundreds of pages to review,” Le said. “The decisions you make are consequential. Your decisions impact individuals and their lives.”

Lazar also noted that private company boards can be far different from those at public companies. At public companies, the separation between the board of directors and corporate leadership is established by federal law. But at a privately held company, the barriers between board members and corporate leadership may be blurred. Board candidates at a private company need to investigate the boardroom dynamic up front before they agree to join.

Hiring a CEO

Hiring (and firing) a CEO is perhaps the most basic, fundamental role of a governing board. At the very least, it is one of the three core functions of the board, along with strategy and compliance.

Leadership transition can be smooth—such as when a well-liked CEO decides to retire, and the board has ample time to find a replacement and no shortage of good candidates.  But there are instances where the board and CEO part ways on contentious terms—Carly Fiorina’s 2005 ouster from Hewlett-Packard is one high-profile example of when a board and its corporate leader were completely unable to co-exist.

No matter the circumstances, board members must be prepared to deal with leadership transition at any time.

“When somebody says, ‘We need to make a move,’ you have to be ready to voice an opinion and be an active participant in the process. It’s one of the most important and difficult decisions a board can make,” Lazar said.

Le has been in the boardroom during those difficult meetings. She said she experienced a situation where the board had to replace the CEO, who also was the company’s founder and largest shareholder and who initially did not want to leave.

This situation required interpersonal skills, not cold business logic. The CEO/Founder had given so much to the company, and he needed an exit strategy that wouldn’t humiliate him. Le was able to navigate that difficult path during their long, emotional phone call.

“It can be intense. If that situation hadn’t been navigated properly, it would’ve blown up in our face,” she said. “Sometimes, leadership isn’t about expertise—it’s about dealing with people.”

Whether women are looking to serve or are already in the boardroom, the panelists encouraged them to believe in themselves.

“Why wouldn’t you be qualified? Everyone has to do it for the first time,” Lazar said. “Focus on what you have and what you bring.”

“If you’ve been appointed to a public company board, then you’re there – you’ve got it. Just be a great board member and keep doing the right things,” Temple said.

“I remember the feeling the first time I walked into a board room. It was all white men, a generation older than me. But I thought, ‘I have an advantage.’ Because none of these men have lived the life I’ve lived. And what’s the worst that can happen – that they kick me off the board?” Le said. “From there, just do what Betty said and carry yourself with confidence. You are just as good as anyone in that room.”

For additional research and resources, go to the 50/50 Women on Boards website. 50/50 Women on Boards is dedicated to promoting gender balance and diversity on corporate boards.

Copyright © 2022 Womble Bond Dickinson (US) LLP All Rights Reserved.

SEC Commissioner Signals Need to Fulfill Mandate of Sarbanes-Oxley Act and Develop “Minimum Standards” for Lawyers Practicing Before the Commission

In remarks on March 5, 2022, on PLI’s Corporate Governance webcast, Commissioner Allison Herren Lee of the Securities and Exchange Commission stated that 20 years after its enactment, it is time to revisit the “unfulfilled mandate” of Section 307 of the Sarbanes-Oxley Act of 2002 and establish minimum standards for lawyers practicing before the Commission.1  Commissioner Lee, who announced that she will not seek a second term when her current one ends this month, took issue with what she called the “goal-directed reasoning” of some securities lawyers—that is, focusing primarily on the outcome sought by executives, rather than the impact on investors and the market as a whole.  Such lawyering, Commissioner Lee observed, has a host of negative consequences, including encouraging non-disclosure of material information, harming investors and market integrity, and stymying deterrence.  The solution, Commissioner Lee opined, is to fulfill the mandate of Section 307, which empowered the Commission to “issue rules, in the public interest and for the protection of investors, setting forth minimum standards of professional conduct for attorneys appearing and practicing before the Commission in any way in the representation of issuers.”2

Over the last 20 years, the Commission has declined to adopt enhanced rules of professional conduct for lawyers appearing before the Commission.  There are good reasons for the Commission’s inaction, including the attorney-client privilege, the goal of zealous advocacy, the fact-specific nature of materiality determinations, and the traditionally state-law basis for the regulation of attorney conduct.  Commissioner Lee, moreover, did not propose specific new rules and recognized that the task was difficult and should be informed by the views of the securities bar and other stakeholders.  Nor did she say that action by the Commission was imminent; it is unclear whether the Commission has authority to promulgate new rules under Section 307 given a 180-day sunset under the statute that occurred in 2003.  Indeed, neither Commissioner Lee nor any of the other SEC commissioners have issued statements on this topic since the PLI webcast.  SEC Enforcement Director Gurbir Grewal has, however, indicated an increased emphasis on gatekeeper accountability in order to restore public trust in the market.3  Nonetheless, given the Commission’s existing authority to impose discipline under its Rules of Practice, practitioners should be mindful of the potential for increased scrutiny moving forward.

Background

In the wake of corporate accounting scandals involving Enron, Worldcom, and other companies, Congress enacted the Sarbanes-Oxley Act in 2002 “[t]o safeguard investors in public companies and restore trust in the financial markets.”4  The Act was aimed at “combating fraud, improving the reliability of financial reporting, and restoring investor confidence,”5 including by empowering the SEC with increased regulatory authority and enforcement power.6  To that end, the Act includes provisions to fortify auditor independence, promote corporate responsibility, enhance financial disclosures, and enhance corporate fraud accountability.7

The Sarbanes-Oxley Act was passed just six months after the collapse of Enron in December 2001, and neither the House nor Senate bills originally contained professional responsibility language.8  Hours before the Senate passed its version of the Act, however, the Senate amended the bill to include language that would eventually become Section 307.9  Around the same time, 40 law professors sent a letter to the SEC requesting the inclusion of a professional conduct rule governing corporate lawyers practicing before the Commission.10  The letter picked up on a 1996 article by Professor Richard Painter, then of the University of Illinois College of Law, which recommended corporate fraud disclosure obligations for attorneys similar to those imposed on accountants by the Private Securities Litigation Reform Act of 1995.11  Senator John Edwards, one of the sponsors of the Senate floor amendment of the bill, emphasized the importance of including professional conduct rules for attorneys in such a significant piece of legislation, stating that “[o]ne of the problems we have seen occurring with this sort of crisis in corporate misconduct is that some lawyers have forgotten their responsibility” is to the companies and shareholders they represent, not corporate executives.12

In its final form, Section 307 imposed a professional responsibility requirement for attorneys that represent issuers appearing before the Commission.  Specifically, Section 307 directed the Commission, within 180 days of enactment of the law, to “issue rules, in the public interest and for the protection of investors, setting forth minimum standards of professional conduct for attorneys appearing and practicing before the Commission in any way in the representation of issuers,”13 and, at minimum, promulgate “a rule requiring an attorney to report evidence of a material violation of securities laws or breach of fiduciary duty or similar violation by the issuer or any agent thereof to appropriate officers within the issuer and, thereafter, to the highest authority within the issuer, if the initial report does not result in an appropriate response.”14

Since the enactment of Section 307, however, the Commission has promulgated only one rule pursuant to its authority, commonly known as the “up-the-ladder” rule.15  The up-the-ladder rule imposes a duty on attorneys representing an issuer before the Commission to report evidence of material violations of the securities laws.  When an attorney learns of evidence of a material violation, the attorney has a duty to report it to the issuer’s chief legal officer (“CLO”) and/or the CEO.16  If the attorney believes the CLO or CEO did not take appropriate action within a reasonable time to address the violation, the attorney has a duty to report the evidence to the audit committee, another committee of independent directors, or the full board of directors until the attorney receives “an appropriate response.”17  Alternatively, attorneys can satisfy their duty by reporting the violation to a qualified legal compliance committee.18  To date, the SEC has never brought a case alleging a violation of the up-the-ladder rule.

Commissioner Lee’s Remarks

In her remarks, Commissioner Lee stated that it is time to revisit the “unfulfilled mandate” of Section 307 and consider whether the Commission should adopt and enforce minimum standards for lawyers who practice before the Commission.  Commissioner Lee criticized “goal-directed reasoning” employed by sophisticated counsel in securities matters, and cited as an example Bandera Master Fund v. Boardwalk Pipeline,19 a recent decision in which the Delaware Court of Chancery rebuked the attorneys involved for their efforts to satisfy the aims of a general partner instead of their duty to the partnership-client as a whole.  The Court, specifically, stated that counsel “knowingly made unrealistic and counterfactual assumptions, knowingly relied on an artificial factual predicate, and consistently engaged in goal-directed reasoning to get to the result that [the general partner] wanted.”20  Bandera and cases like it, according to Commissioner Lee, are emblematic of a “race to the bottom” caused by pressure on securities lawyers to compete with each other for clients, while failing to give due consideration to the potential impact on investors, market integrity, and the public interest.

In Commissioner Lee’s view, “goal-directed” lawyering not only falls short of ethical standards but causes harm to the market and reduces deterrence.  Commissioner Lee expressed concern that, in an effort to give management the answer it wants, lawyers may downplay or obscure material information.21  Although recognizing that materiality determinations are fact-intensive, Commissioner Lee said that should not provide blanket cover for legal advice aimed at concealing material information from the public.  Non-disclosure has a host of negative consequences, including distorting market-moving information, interfering with price discovery, misallocating capital, impairing investor decision-making, and eroding confidence in the financial markets and regulatory system.  Further, such lawyering diminishes deterrence by creating a legal cover for inadequate disclosure, making it more difficult for regulators to hold responsible individuals accountable.  This type of legal counsel, in Commissioner Lee’s view, “is merely rent-seeking masquerading as legal advice, while providing a shield against liability.”

Commissioner Lee stated that the existing framework governing professional conduct is not adequate to hold lawyers accountable for such “reckless” advice.  According to Commissioner Lee, state bars—the principal source for lawyer discipline nationwide—are not up to the task because they lack resources, expertise in securities matters, and the ability to impose adequate monetary sanctions.  Additionally, Commissioner Lee noted that state law standards focused mostly on the behavior of individual lawyers, assigning few responsibilities to the firm for quality assurance.  Indeed, state law standards are mostly drafted in a “one-size-fits-all fashion” according to Commissioner Lee, and do not take into account the different issues faced at large firms that represent public companies, which are quite different from a solo practitioner handling personal injury or estate law matters.  Likewise, although the SEC has the power under Rule 102(e) of its Rules of Practice to suspend or bar attorneys whose conduct falls below “generally recognized norms of professional conduct,” there has been little effort to define or enforce that standard.22  Nor has the SEC rigorously enforced standards of attorney conduct under the one rule it has issued under Section 307, the “up-the-ladder” rule.

Commissioner Lee stated that it was time for the Commission to fulfill its mandate under Section 307.  Although not proposing any specific rules, Commissioner Lee offered the following concepts as a starting point:

  • Greater detail on lawyers’ obligations to a corporate client, including how advice must reflect “the interests of the corporation and its shareholders rather than the executives who hire them”;
  • Requirements of “competence and expertise” (as an example, disclosure lawyers should not opine on materiality “without sufficient focus or understanding of the views of ‘reasonable’ investors”);
  • Continuing education for securities lawyers advising public companies (similar to requirements set by the Public Company Accounting Oversight Board for minimum hours of qualifying continuing professional education for audit firm personnel);
  • Oversight at the firm level (similar to quality-control measures implemented at audit firms);
  • Emphasis on the need for independence in rendering advice (similar to substantive and disclosure requirements implemented in Rule 2-01 of Regulation S-X for auditors);
  • Obligations to investigate red flags and ensure accurate predicates for legal opinions (similar to the obligations that an auditor must perform to certify to the accuracy of their client’s financial statements); and
  • Retention of contemporaneous records to support the reasonableness of legal advice.

Commissioner Lee noted that the content of any specific rules or standards will require “careful thought,” as well as assistance from the securities bar, experts on professional responsibility, and other interested parties and market participants.  She invited input from the legal community and other stakeholders and noted that she appreciated the complexity of the task and concerns of the American Bar Association and others regarding protection of the attorney-client privilege.  Indeed, outside auditors are generally regarded as “public watchdogs” and such communications between the corporation and an auditor are not entitled to the affirmative attorney-client privilege afforded to legal counsel.  Accordingly, regulating the legal profession using a similar framework to that applied to the accounting profession has sparked more controversy.  Nonetheless, in Commissioner Lee’s view, those concerns should be weighed against “the costs of there being few, if any, consequences for contrived or tortured advice.”

Implications

The Commission has declined to adopt enhanced rules of professional conduct for lawyers appearing before it in the 20 years since the enactment of the Sarbanes-Oxley Act.  Commissioner Lee’s call for minimum standards, however, potentially signals increased scrutiny by the SEC with respect to lawyers who “practice before the Commission.”  As Commissioner Lee noted, that means “counsel involved in the formulation and review of issuers’ public disclosure, including those who address the many legal questions that often arise in that context.”23  Nonetheless, Commissioner Lee cautioned that she did “not intend with these comments to address the conduct of attorneys serving as litigators or otherwise representing their client(s) in an advocacy role in an adversarial proceeding or other similar context, such as in an enforcement investigation.”24

Although Commissioner Lee framed her call for standards in terms of Section 307 of the Sarbanes-Oxley Act, it is not clear that the Commission will—or even can—promulgate any further rules under that authority.  Commissioner Lee did not state that she was speaking on behalf of the Commission or indicate that the Commission would be taking concrete, imminent steps to adopt such standards.  The Commission has not put its imprimatur on the remarks by incorporating them into a formal release or statement of policy.  Moreover, the text of Section 307 appears to foreclose the possibility of further rulemaking, as it provides that the Commission shall issue any such rules “[n]ot later than 180 days after the date of enactment of this act,” i.e., January 27, 2003.  Consistent with that constraint, the SEC proposed the up-the-ladder requirements on November 21, 2002, in Release No. 33-8150, and the rule became final on January 29, 2003.25  But the SEC has not issued any other rule under Section 307 to date.

Even if official action under Section 307 may not be forthcoming, Commissioner Lee’s call for action should not be discounted.  Setting aside the up-the-ladder requirements, the SEC has authority under Rule 102(e) of the SEC’s Rules of Practice to censure or bar a lawyer from appearing or practicing before the Commission if found, among other things, “[t]o be lacking in character or integrity or to have engaged in unethical or improper professional conduct.”26  Commissioner Lee cited prior SEC guidance to indicate that Rule 102(e) may apply to attorney conduct that falls below “generally recognized norms of professional conduct,”27 a standard that has been left undefined to date.28  In practice, the SEC “will hold attorneys who practice before it to the standards to which they are already subject, including state bar rules.”29  At a minimum, then, Commissioner Lee’s objective of greater accountability may be achieved through a more aggressive application of Rule 102(e), which, as she noted, has generally only been applied as a follow-on penalty for primary violations of the securities laws by lawyers.

Commissioner Lee’s term expires on June 5, and she has announced that she intends to step down from the Commission once a successor has been confirmed.30  Should the Commission nonetheless take up her call to action in the future, it will be no easy task to adopt clear standards that can be implemented in a predictable manner.  In particular, Commissioner Lee’s focus on the role of lawyers in advising issuers on determinations of materiality and disclosure does not lend itself well to oversight or enforcement.  The well-established standard for materiality—whether “there is a substantial likelihood that a reasonable shareholder would consider it important in deciding how to vote”—is far from clear-cut.31  The Supreme Court, moreover, long has recognized that materiality “depends on the facts and thus is to be determined on a case-by-case basis.”32  As such, and as evidenced by the sundry cases concerning disclosure issues reversed on appeal, disagreement between litigants—as well as jurists—on matters of materiality and disclosure is par for the course.  If that is so, how can a lawyer’s advice on such matters (which will inevitably turn on the facts and the lawyer’s judgment and experience) be subject to oversight in any objective sense?

Even if lawyers’ materiality advice could be evaluated under objective standards, there are other difficulties.  First and foremost is that oversight of legal advice implicates the attorney-client privilege and the underlying benefit of candid advice from securities disclosure and corporate counsel.  As the Supreme Court has observed, the attorney-client privilege “is founded upon the necessity, in the interest and administration of justice, of the aid of persons having knowledge of the law and skilled in its practice, which assistance can only be safely and readily availed of when free from the consequences or the apprehension of disclosure.”33  Aside from situations in which the client has voluntarily waived privilege (as sometimes occurs in SEC investigations) or where another exception to the privilege applies, it is unclear how the SEC could evaluate legal advice without invading privilege.  Such attempts could lead to an increase in corporate wrongdoing, as corporate executives could be more reluctant to seek expert legal advice.  In addition, it is unclear how regulators assessing materiality advice would—or could—balance an assessment of whether a lawyer has given the “correct” advice with a lawyer’s ethical obligations of zealous representation of the client.34  The divide between overreaching “goal-directed” reasoning and permissible zealous advocacy for the client is often murky, and reasonable minds can differ depending on the circumstances.

Moreover, it is already well-accepted that a corporate lawyer’s obligation is to the corporation as its client, not to any individual officer or director.35  That obligation carries with it ethical duties to “proceed as is reasonably necessary for the best interest” of the corporation, including when the lawyer is aware of violations of the law or other misconduct by senior management.36  In that sense, Commissioner Lee’s proposal could be viewed as a call for the SEC to take on enforcement of existing ethical rules, rather than for the development of novel “minimum standards.”

Ultimately, there are good reasons for the Commission’s reluctance to date to formally adopt minimum standards of professional conduct for lawyers appearing before it, including the attorney-client privilege, the goal of zealous advocacy, and the fact-specific nature of materiality inquiries.  The manipulation of facts and bad reasoning targeted by Commissioner Lee are not only the exception, and difficult if not impossible to eliminate completely, but are largely covered by existing rules and practices.  Nonetheless, Commissioner Lee’s call for lawyers to strive for higher legal and ethical standards in their counsel should be welcomed.  Sound legal advice is not only important for issuer clients, but also for the financial well-being of investors, the integrity of the markets, and public confidence in the regulatory system and capital markets.  Enhancements in ethical standards for the legal profession could also lead to reputational benefits and greater integrity in the profession.  It remains to be seen whether Commissioner Lee’s remarks will serve as an aspirational goal for securities lawyers, or translate into concrete action by the Commission.


1 Commissioner Allison Herren Lee, Send Lawyers, Guns and Money: (Over-) Zealous Representation by Corporate Lawyers, Remarks at PLI’s Corporate Governance – A Master Class 2022 (Mar. 4, 2022) [hereinafter “Commissioner Lee Remarks”].

2 See Sarbanes‑Oxley Act, § 307, 15 U.S.C. § 7245 (2002).

3 Gurbir Grewal, Director, Division of Enforcement, Remarks at SEC Speaks 2021 (Oct. 13, 2021).

4 Lawson v. FMR LLC, 571 U.S. 429, 432 (2014).

5 Stephen Wagner and Lee Dittmar, The Unexpected Benefits of Sarbanes-Oxley, Harvard Bus. Rev. (Apr. 2006).

6 See Sarbanes–Oxley Act, § 3, 15 U.S.C. § 7202 (2002).

7 See Sarbanes–Oxley Act, § 1, 15 U.S.C. § 7201 (2002).

8 Jennifer Wheeler, Securities Law: Section 307 of the Sarbanes-Oxley Act: Irreconcilable Conflict with the ABA’s Model Rules and the Oklahoma Rules of Professional Conduct?, 56 Okla. L. Rev. 461, 464 (2003).

9 Id.

10 Id. at 468-69.

11 See generally Richard W. Painter & Jennifer E. Duggan, Lawyer Disclosure of Corporate Fraud: Establishing a Firm Foundation, 50 SMU L. Rev. 225 (1996).

12 Wheeler, supra note 8, at 465 (quoting 148 Cong. Rec. S6551 (daily ed. July 10, 2002) (statement of Sen. Edwards)).

13 See Sarbanes‑Oxley Act, § 307, 15 U.S.C. § 7245 (2002).

14 Final Rule: Implementation of Standards of Professional Conduct for Attorneys, Securities Act Rel. No. 8185 (Sept. 26, 2003).

15 17 C.F.R. §§ 205.1-205.7.

16 17 C.F.R. § 205.3(b)(1).

17 17 C.F.R. §§ 205.3(b)(3), (b)(4).

18 17 C.F.R. § 205.3(c).

19 Bandera Master Fund LP v. Boardwalk Pipeline Partners, LP, No. CV 2018-0372-JTL, 2021 WL 5267734, at *1 (Del. Ch. Nov. 12, 2021). In Bandera, plaintiffs brought suit against a general partner for breach of a partnership agreement stemming from the general partner’s exercise of a call right without satisfying two requisite preconditions. The court held for the plaintiffs and found the general partner had engaged in willful misconduct. Id. at *51. Contributing to the misconduct was the general partner’s outside counsel, who drafted an opinion letter justifying the general partner’s exercise of the call right. Id. The court found that, throughout the drafting process, the outside counsel manipulated the facts in order to achieve the general partner’s desired conclusion. Id. at *18-*47.

20 Id. at *51.

21 Commissioner Lee specifically cited, among other matters, environmental, social, and governance (“ESG”) disclosures.  The Commission is currently considering additional climate change-related disclosures to Regulation S-K and Regulation S-X.  See Jason Halper et al., SEC Proposes Climate-Related Changes to Regulation S-K and Regulation S-X, Cadwalader, Wickersham & Taft LLP (Mar. 23, 2022); see also Paul Kiernan, SEC Proposes More Disclosure Requirements for ESG Funds, The Wall Street Journal (May 25, 2022, 6:26 pm ET).

22 Rule 102(e) states, in relevant part:

(1) Generally. The Commission may censure a person or deny, temporarily or permanently, the privilege of appearing or practicing before it in any way to any person who is found by the Commission after notice and opportunity for hearing in the matter:

(i) not to possess the requisite qualifications to represent others; or

(ii) to be lacking in character or integrity or to have engaged in unethical or improper professional conduct; or

(iii) to have willfully violated, or willfully aided and abetted the violation of any provision of the Federal securities laws or the rules and regulations thereunder.

17 C.F.R. § 201.102(e)(1).

23 Commissioner Lee Remarks, supra note 1.

24 Id.

25 Proposed Rule: Implementation of Standards of Professional Conduct for Attorneys, Securities Act Rel. No. 8150 (Nov. 21, 2002); Final Rule: Implementation of Standards of Professional Conduct for Attorneys, Securities Act Rel. No. 8185 (Sept. 26, 2003); see also 2 Legal Malpractice § 14:114 (2022 ed.).

26 17 C.F.R. § 201.102(e). The Rules of Practice generally “govern proceedings before the Commission under the statutes that it administers.” 17 C.F.R. § 201.100. The SEC has the authority to administer and enforce such rules pursuant to the Administrative Procedures Act, 5 U.S.C. § 551 et seq. See Comment to Rule 100, SEC Rules of Practice (July 2003).

27 In the Matter of William R. Carter Charles J. Johnson, 47 S.E.C. 471 (Feb. 28, 1981) (“elemental notions of fairness dictate that the Commission should not establish new rules of conduct and impose them retroactively upon professionals who acted at the time without reason to believe that their conduct was unethical or improper.  At the same time, however, we perceive no unfairness whatsoever in holding those professionals who practice before us to generally recognized norms of professional conduct, whether or not such norms had previously been explicitly adopted or endorsed by the Commission.  To do so upsets no justifiable expectations, since the professional is already subject to those norms.”).

28 In the past, the Commission has sought to discipline lawyers for violating securities laws with scienter, rendering misleading opinions used in disclosures and engaging in otherwise liable conduct, but not for giving negligent legal advice to issuers. See In the Matter of Scott G. Monson, Release No. 28323 (June 30, 2008) (collecting cases).

29 In the Matter of Steven Altman, Esq., Release No. 63306 (Nov. 10, 2010).

30 Statement of Planned Departure from the Commission (Mar. 15, 2022).

31 TSC Indus., Inc. v. Northway, Inc., 426 U.S. 438, 449 (1976).

32 Basic Inc. v. Levinson, 485 U.S. 224, 250 (1988).

33 Upjohn Co. v. United States, 449 U.S. 383, 389 (1981) (quoting Hunt v. Blackburn, 128 U.S. 464, 470 (1888)).

34 Rule 1.3: Diligence, American Bar Association (last visited Mar. 18, 2022) (“A lawyer shall act with reasonable diligence and promptness in representing a client.”); Rule 1.3 Diligence – Comment 1, American Bar Association (last visited Mar. 18, 2022) (“A lawyer must also act with commitment and dedication to the interests of the client and with zeal in advocacy upon the client’s behalf.”).

35 See, e.g., Upjohn, 449 U.S. at 389.

36 Rule 1.13: Organization As Client, American Bar Association, cmt. 2 (last visited April 19, 2022).

© Copyright 2022 Cadwalader, Wickersham & Taft LLP

How Changing Beneficial Ownership Reporting May Impact Activism

The SEC in February proposed amendments to Regulation 13D-G to modernize beneficial ownership reporting requirements. Adoption of the amendments as proposed will accelerate the timing – and expand the scope – of knowledge of certain activist activities. The deadline for comments on the proposed rules was April 11 and final rules are expected to be released later this year.

The current reporting timeline creates an asymmetry of information between beneficial owners on the one hand and other stockholders and issuers on the other. The SEC proposal is seeking to eliminate this asymmetry and address other concerns surrounding current beneficial ownership reporting. The accelerated beneficial ownership reporting deadlines will result in greater transparency in stock ownership, allowing market participants to receive material information in a timely manner and potentially alleviating the market manipulation and abusive tactics used by some investors.

The shortened filing deadlines should benefit a company’s overall shareholder engagement activities. The investor relations team at a company will have a more accurate and up-to-date picture of its institutional investor base throughout the year, which should result in more timely outreach to such shareholders.

INVESTOR ACCUMULATION OF SHARES BEFORE DISCLOSURE

Although issuers will likely view the proposed rules as beneficial, many commentators have predicted a negative impact on shareholder activism. Under the current reporting requirements, certain activist investors may benefit by having both additional time to accumulate shares before disclosing such activities and potentially more flexibility in strategizing with other investors.

Many commentators have argued that the proposed shorter timeline for beneficial ownership reporting will negatively impact an activist shareholder’s ability to accumulate shares of an issuer at a potentially lower price than if market participants had more timely knowledge of such activity and intent. In many cases a company’s stock price is impacted once an investor files a Schedule 13D with clear activist intent. This can even occur in some cases once a Schedule 13G is filed by a known activist investor without current activist intent.

If the shorter reporting deadlines reduce such investors’ profit, it is expected that an investor’s incentive to accumulate stock in order to initiate change at a company will also be reduced. Activists instead may be encouraged to engage more with management. In other words, the shorter reporting period may deter short-term activists and encourage more long-term focused activism.

TIMING OF ISSUER RESPONSE

The shorter reporting deadlines are also expected to result in management having earlier notice of any takeover attempt and to give a company the opportunity to react more quickly to any such attempt. There is potential for this to lead to increased use of low-threshold poison pills. But the SEC stated in the proposed rules release that it believes the risk of abundant reactionary low-threshold poison pills is overstated due to scrutiny of such poison pills from courts and academia, limitations imposed by state law and the unlikelihood that the beneficial ownership would trigger the low-threshold poison pills.

Companies that have low-threshold poison pills – such as one designed to protect a company’s net operating losses – may want to review them to confirm that the proposed rules would not be expected to have any impact. For example, such poison pills may link the definition of beneficial ownership to the SEC rules, including Schedule 13D and 13G filings.

‘GROUP’ REPORTING

Another proposed change expected to affect shareholder activism is the expanded definition of ‘group’ for the purposes of reporting under Schedule 13D. The current rules require an explicit agreement between two or more persons to establish a group for purposes of the beneficial ownership reporting thresholds.

Commentators believe that under the current rules, certain investors seeking change at a company may share the fact that they are accumulating shares of a company with other shareholders or activists, who can then act on this information before the general public is aware; in other words, before public disclosure in and market reaction to the Schedule 13D filing. This activity may result in near-term gains for the select few involved before uninformed shareholders can react.

Under the SEC’s proposed amended Rule 13d-5, persons who share information with another regarding an upcoming Schedule 13D filing are deemed to have formed a group within the meaning of Section 13(d)(3) regardless of whether an explicit agreement is in place, and such concerted action will trigger reporting requirements. This proposed change is expected to benefit companies and shareholders overall by preventing certain investors from acting in concert on information not known to a company and its other shareholders.

The full impact of the proposed rule changes on shareholder activism cannot be accurately predicted, but we believe that at a minimum, issuers will find it beneficial to have more regularly updated information on their institutional investor base for, among other things, their shareholder engagement efforts.

© 2022 Jones Walker LLP

Privacy Tip #328 – Ukraine Charity Scams

Unscrupulous criminals use crises to their advantage. Scammers are using the conflict in Ukraine to bilk money from people trying to help those impacted by the attacks. There are numerous accounts of scammers using old techniques to defraud people of funds and personal information.

We all want to help and what is unfolding in Ukraine is tragic. Fraudsters prey on our wishes to aid those in need and know that we are vulnerable to attack because of the emotional toll the war in Ukraine is taking on the world, but particularly the Ukrainians.

If you wish to support Ukraine, do so. But be wary of where you are sending your money. There are many wonderful and legitimate charities that are working hard to assist those in need. But there are others who are exploiting our desire to help others in order to steal from us. Be wary of unsolicited requests for donations through email or text. Research the charity to which you are sending your money and make sure you are on the charity’s official website. Be cautious about clicking on any links that are sent to you via text or email. If you are solicited by a well-known charity, take the time to donate directly through their official website and not through unsolicited emails.

The Ukrainians need all the resources and support they can get, so send your charitable donations to a charity that will actually get the funds to them.

According to CNBC, here is a list of top-rated charities for Ukrainian relief.

Copyright © 2022 Robinson & Cole LLP. All rights reserved.

 

Article By Linn F. Freedman of Robinson & Cole LLP


The Gensler SEC: What to Expect in 2022

Since Gary Gensler became chair of the U.S. Securities and Exchange Commission in April 2021, his agency has signaled an active agenda that many expect will be aggressively enforced. Cornerstone Research recently brought together distinguished experts with SEC experience to share what they expect the SEC will focus on in 2022. The expert forum, “The Gensler SEC: Policy, Progress, and Problems,” featured Joseph Grundfest, a former commissioner of the SEC and currently serving as the W. A. Franke Professor of Law and Business at Stanford Law School; and Mary Jo White, senior chair, litigation partner, and leader of Debevoise & Plimpton’s Strategic Crisis Response and Solutions Group who previously served as chair of the SEC and as U.S. Attorney for the Southern District of New York. Moderated by Jennifer Marietta-Westberg of Cornerstone Research, the forum was held before an audience of attorneys and economists and explored the major regulatory and enforcement themes expected to take center stage in the coming year.

ESG Disclosures and Materiality

In its Unified Regulatory Agenda first released in June of last year, the SEC indicated that it will propose disclosure requirements in the environmental, social, and governance (ESG) space, particularly on climate-related risks and human capital management. However, as documented by the numerous comments received as a result of the SEC’s March 15, 2021, request for input on climate change disclosures, there is substantial debate as to whether these disclosures must, or should, require disclosure only of material information. During the expert forum, Grundfest and White agreed that ESG disclosures should call for material information only. However, they have different predictions on whether ESG disclosures actually will be qualified by a materiality requirement.

White emphasized that materiality is a legal touchstone in securities laws. “If the SEC strays far from materiality, the risk is that a rule gets overturned,” she said. “Not every single rule needs to satisfy the materiality requirement, but it would be a mistake for the SEC not to explain what its basis for materiality is in this space.”

Grundfest added, “There is a spectrum of ESG issues, and while some are within the SEC’s traditional purview, others are new and further away from it. For example, to better ensure robust greenhouse emissions disclosure, the Environmental Protection Agency should be the one to require disclosure rules that would not be overturned.”

Gensler has indicated that investors want ESG disclosures in order to make investment and voting decisions. For instance, in his remarks before the Principles for Responsible Investment in July 2021, Gensler stated that “[i]nvestors are looking for consistent, comparable, and decision-useful disclosures so they can put their money in companies that fit their needs.” White predicts that some but not all ESG disclosure requirements in the proposed rules the SEC is working on will call for material information.

Grundfest, however, believes that the rules the SEC eventually adopts will require disclosure only of material information. “The SEC’s proposal on ESG disclosures will ask for everything, from the moon to the stars,” he said. “But public comments will sober the rules. The SEC staff will take into account the Supreme Court standard and the Chevron risk. It will settle on adopting materiality-based disclosure rules.”

There is also debate over the potential definition of materiality in the context of any proposed ESG disclosures. The panelists were asked whether the fact that large institutional investors assert various forms of ESG information are important to their investment decisions is a sufficient basis upon which to conclude that the information is material. Neither White nor Grundfest believes the Supreme Court as currently composed would accept this argument, but they differ on the reasons.

Grundfest believes the Supreme Court will stick with its approach of a hypothetical reasonable investor. “The fact that these institutional investors ask for this information doesn’t necessarily mean that it’s material,” he said. “If the SEC wants to have something done in this space, it has to work within the law.”

White said an important aspect of the rule will be the economic analysis, though she, too, does not think materiality can be “decided by an opinion poll among institutional investors.” For example, a shareholder proposal requesting certain information that has not received support does not necessarily make the information immaterial. “The Supreme Court will be tough on the survey approach,” she said.

Digital Assets and Crypto Exchanges

In several statements and testimonies, Gensler has declared the need for robust enforcement and better investor protection in the markets for digital currencies. He has publicly called the cryptocurrency space “a Wild West.” In addition to bringing enforcement actions against token issuers and other market participants on the theory that the tokens constitute securities, the SEC under his leadership has brought enforcement actions against at least one unregistered digital asset exchange on the theory that the exchange traded securities and should therefore register as a securities exchange.

“The crypto space is the SEC’s most problematic area,” Grundfest said. “Franz Kafka’s most famous novel is The Trial. It’s about a person arrested and prosecuted for a crime that is never explained based on evidence that he never sees. Some recent SEC enforcement proceedings make me wonder whether Kafka is actually still alive and well, and working deep in the bowels of the SEC’s Enforcement Division.” In support of this literary reference, Professor Grundfest  noted that, in bringing enforcement actions against crypto exchanges alleging that they traded tokens that were unregistered securities, the SEC never specified which tokens traded on these exchanges were securities. “This is almost beyond regulation by enforcement. It’s regulation by FUD—fear, uncertainty, and doubt,” Grundfest said.

White predicted that, of the 311 active crypto exchanges listed by CoinMarketCap as of December 1, 2021, the SEC will bring cases against at least four in the coming year.

Gensler has publicly argued for bringing the cryptocurrency-related industry under his agency’s oversight. “We need additional congressional authorities to prevent transactions, products, and platforms from falling between regulatory cracks,” he said in August at the Aspen Security Forum. But neither White nor Grundfest believes the current Congress will enact legislation giving the SEC authority to regulate crypto transactions that do not meet the definition of an investment contract under the Howey test.

In November 2021, a federal jury in Audet v. Fraser at the District Court of Connecticut decided that certain cryptocurrency products that investors purchased were not securities under Howey. Neither Grundfest nor White believes this finding will cause the SEC to become more cautious about asserting that some forms of crypto are securities.

“One jury verdict is hardly a precedent,” White said. “The facts of the case didn’t have many of the nuances under Howey that other cases have. It will not deter the SEC.”

The panelists agreed that SEC enforcement activity will be aggressive in the crypto space. A report by Cornerstone Research, titled SEC Cryptocurrency Enforcement: 2021 Update, found that, under the new administration, the SEC has continued its role as one of the main regulators in the cryptocurrency space. In 2021, the SEC brought 20 enforcement actions against digital asset market participants, including first-of-their-kind actions against a crypto lending platform, an unregistered digital asset exchange, and a decentralized finance (DeFi) lender.

Proxy Voting

With the 2022 proxy season on the horizon, people will be watching the SEC closely, as Gensler’s Commission recently adopted new rules for universal proxy cards, and it has revisited amendments adopted under the former chair of the SEC, Jay Clayton.

Last November, the SEC adopted universal proxy rules that now allow shareholders to vote for their preferred mix of board candidates in contested elections, similar to voting in person.  These rules would put investors voting in person and by proxy on equal footing. “Universal proxy was proposed at the time when I was the chair of the SEC, and the logic for the rule is overpowering,” White said. “In adoption, some commissioners had reservations on the thresholds of voting power a dissident would be required to solicit, but voted in favor anyway based on its logic. It was a 4 to 1 vote.”

Grundfest and White expect the number of proxy contests that proceed to a vote will go up as a result. From 2019 to 2020, the incidence of proxy contests increased from 6 to 13. Looking ahead to the coming year, Grundfest predicts the rule change will increase the incidence of proxy contests by somewhere between 50% and 100%. White predicts a more modest increase of about 50%.

Regarding rules on proxy voting advice, the SEC issued Staff Legal Bulletin No. 14L (CF) last November to address Rule 14a-8(i)(7), which permits exclusion of a shareholder proposal that “deals with a matter relating to the company’s ordinary business operations.”

The bulletin puts forth a new Staff position that now denies no-action relief to registrants seeking to exclude shareholder proposals that transcend the company’s day-to-day business matters. “This exception is essential for preserving shareholders’ right to bring important issues before other shareholders by means of the company’s proxy statement, while also recognizing the board’s authority over most day-to-day business matters,” the bulletin said.

Both White and Grundfest believe a modest number of issuers will go to court in the 2022 proxy season seeking to exclude Rule 14a-8 shareholder proposals as “transcending” day-to-day operations. “I think companies will challenge shareholder proposals in court but not a lot,” White said. “It depends on the shareholder proposal.”

Grundfest believes any such cases would be driven as much by CEOs as by any other factor. “Companies may challenge a shareholder proposal in court if they have a CEO who is offended by a certain proposal or for First Amendment reasons,” he said. Grundfest cited a hypothetical example of a software company in Texas with a shareholder proposal on gun rights or abortion rights, which have nothing to do with the cybersecurity software the company produces. “It would be hard to force a company to put forth a politically charged proposal that is not related to that company’s business,” he said. “If it’s a First Amendment right, the company will go to court.”

Copyright ©2022 Cornerstone Research

Securities Litigation: An Emerging Strategy to Hold Companies Accountable for Privacy Protections

A California federal judge rejected Zoom Video Communications, Inc.’s motion to dismiss securities fraud claims against it, and its CEO and CFO, for misrepresenting Zoom’s privacy protections. Although there have been a number of cases challenging inadequate privacy protections on consumer protection grounds in recent years, this decision shifts the spotlight to an additional front on which the battles for privacy protection may be fought:  the securities-litigation realm.

At issue were statements made by Zoom relating to the company’s privacy and encryption methods, including Zoom’s 2019 Registration Statement and Prospectus, which told investors the company offered “robust security capabilities, including end-to-end encryption.” Importantly, the prospectus was signed by Zoom’s CEO, Eric Yuan. The plaintiffs, a group of Zoom shareholders, brought suit arguing that end-to-end encryption means that only meeting participants and no other person, not even the platform provider, would be able to access the content. The complaint alleged that contrary to this statement, Zoom maintained access to the cryptographic keys that could allow it to access the unencrypted video and audio content of Zoom meetings.

The plaintiffs’ allegations are based on media reports of security issues relating to Zoom conferences early in the COVID-19 pandemic, as well as an April 2020 Zoom blog post in which Yuan stated that Zoom had “fallen short of the community’s – and our own – privacy and security expectations.” In his post, Yuan linked to another Zoom executive’s post, which apologized for “incorrectly suggesting” that Zoom meetings used end-to-end encryption.

In their motion to dismiss, the defendants did not dispute that the company said it used end-to-end encryption.  Instead, they challenged plaintiffs’ falsity, scienter, and loss causation allegations – and all three attempts were rejected by the court.

First, as to falsity, the court did not buy the defendants’ argument that “end-to-end encryption” could have different meanings because a Zoom executive expressly acknowledged that the company had “incorrectly suggest[ed] that Zoom meetings were capable of using end-to-end encryption.” Thus, the court found that the complaint did, in fact, plead the existence of materially false and misleading statements. The court also rejected the defendants’ argument that Yuan’s understanding of the term “end-to-end encryption” changed in a relevant way from the time he made the challenged representation to his later statements that Zoom’s usage was inconsistent with “the commonly accepted definition.” The court looked to Yuan’s advanced degree in engineering, his status as a “founding engineer” at WebEx, and the fact that he had personally “led the effort to engineer Zoom Meetings’ platform and is named on several patents that specifically concern encryption techniques.”

Lastly, the court rebuffed the defendants’ attempt at undermining loss causation, finding that the plaintiffs had pled facts to plausibly suggest a causal connection between the defendants’ allegedly fraudulent conduct and the plaintiffs’ economic loss. In particular, the court referenced the decline in Zoom’s stock price shortly after defendants’ fraud was revealed to the market via media reports and Yuan’s blog post.

That said, the court dismissed the plaintiffs’ remaining claims, as they related to data privacy statements made by Zoom or, in general, by the “defendants,” unlike the specific encryption-related statement made by Yuan. The court found that the corporate-made statements did not rise to the level of an “exceptional case where a company’s public statements were so important and so dramatically false that they would create a strong inference that at least some corporate officials knew of the falsity upon publication.” Because those statements were not coupled with sufficient allegations of individual scienter, the court granted the defendants’ motion to dismiss those statements from the complaint.

© 2022 Proskauer Rose LLP.

SEC Report Details Record-Shattering Year for Whistleblower Program

On November 15, the U.S. Securities and Exchange Commission (SEC) Whistleblower Program released its Annual Report to Congress for the 2021 fiscal year. The report details a record-shattering fiscal year for the agency’s highly successful whistleblower program. During the 2021 fiscal year, the SEC Whistleblower Program received a record 12,200 whistleblower tips and issued a record $564 million in whistleblower awards to a record 108 individuals. Over the course of the year, the whistleblower program issued more awards than in all previous years combined.

“The SEC’s Dodd-Frank Act whistleblower program has revolutionized the detection and enforcement of securities law violations,” said whistleblower attorney Stephen M. Kohn. “Congress needs to pay attention to this highly effective anti-corruption program and enact similar laws to fight money laundering committed by the Big Banks, antitrust violations committed by Big Tech, and the widespread consumer frauds often impacting low income and middle class families who are taken advantage of by illegal lending practices, redlining, and credit card frauds.”

“The report documents that whistleblowing works, and works remarkably well, both in the United States and worldwide,” continued Kohn. “The successful efforts of the SEC to use whistleblower-information to police Wall Street frauds is a milestone in the fight against corruption. Every American benefits from this program.”

In the report, Acting Chief of the Office of the Whistleblower Emily Pasquinelli states “[t]he success of the Commission’s whistleblower program in landmark FY 2021 demonstrates that it is a vital component of the Commission’s enforcement efforts. We hope the awards made this year continue to encourage whistleblowers to report specific, timely, and credible information to the Commission, which will enhance the agency’s ability to detect wrongdoing and protect investors and the marketplace.”

Read the SEC Whistleblower Program’s full report.

Geoff Schweller also contributed to this article.

Copyright Kohn, Kohn & Colapinto, LLP 2021. All Rights Reserved.


Trifecta of New Privacy Laws Protect Personal Data

Following California’s lead, two states recently enacted new privacy laws designed to protect consumers’ rights over their personal data. The Colorado Privacy Act and the Virginia Consumer Data Protection Act mimic California privacy laws and the EU General Data Protection Regulation (GDPR) by imposing stringent requirements on companies that collect or process personal data of state residents. Failure to comply may subject companies to enforcement actions and stiff fines and penalties by regulators.

Virginia Consumer Data Protection Act

On March 2, 2021, Virginia’s legislature passed the Consumer Data Protection Act (CDPA, the Act), which goes into effect on January 1, 2023.

Organizations Subject to the CDPA

The Act generally applies to entities that conduct business in the state of Virginia or that produce products or services targeted to residents of the state and meet one or both of the following criteria: (1) control or process personal data of 100,000 Virginia consumers annually, (2) control or process personal data of at least 25,000 consumers (statute silent as to whether this is an annual requirement) and derive more than 50 percent of gross revenue from the sale of personal data. The processing of personal data includes the collection, use, storage, disclosure, analysis, deletion or modification of personal data.

Notably, certain organizations are exempt from compliance with the CDPA, including government agencies, financial institutions subject to the Gramm-Leach-Bliley Act (GLBA), entities subject to the Health Insurance Portability and Accountability Act (HIPAA), nonprofit organizations and institutions of higher education.

Broad Definition of Personal Data

The CDPA broadly defines personal data to include any information that is linked to an identifiable individual, but does not include de-identified or publicly available information. The Act distinguishes personal sensitive data, which includes specific categories of data such as race, ethnicity, religion, mental or physical health diagnosis, sexual orientation, citizenship or immigration status, genetic or biometric data, children’s data and geolocation data.

Consumers’ Data Protection Rights

The new Virginia privacy law recognizes certain data protection rights over consumers’ personal information, including the right to access their data, correct inaccuracies in their data, request deletion of their data, receive a copy of their data, and opt out of the processing of their personal data for purposes of targeted advertising, the sale of their data or profiling.

If a consumer exercises any of these rights under the CDPA, a company must respond within 45 days – subject to a one-time 45-day extension. If the company declines to take action in response to the consumer’s request, the company must notify the consumer within 45 days of receipt of the request. Any information provided in response to a consumer’s request shall be provided by the company free of charge, up to twice annually per consumer. The company must establish a procedure for a consumer to appeal the company’s refusal to take action on the consumer’s request. The company is required to provide the consumer with written notice of the decision on appeal within 60 days of receipt of an appeal.

Responsibilities of Data Controllers

The CDPA imposes several requirements on companies/data controllers, including limiting the collection of personal data, safeguarding personal data by implementing reasonable data security practices and obtaining a consumer’s consent prior to processing any sensitive data.

Moreover, data controllers should have a Privacy Notice that clearly explains the categories of personal data collected and processed; the purpose for processing personal data; how consumers can exercise their rights over their personal data; any categories of personal data shared with third parties; the categories of third parties with which personal data is shared; and consumers’ right to opt out of the processing of their personal data.

Importantly, all data controllers are required to conduct and document a data protection assessment (DPA). The DPA should identify and weigh the benefits and risks of processing consumers’ personal data and the safeguards that can reduce such risks. The Virginia Attorney General (VA AG) may require a controller to produce a copy of its DPA upon request.

Furthermore, data controllers must enter into a binding written contract with any third parties that process personal data (data processors) at the direction of the controller. This contract should address the following issues: instructions for processing personal data; nature and purpose of processing; type of data subject to processing; duration of processing; duty of confidentiality with respect to the data; and deletion or return of data to the data controller. In addition, the contract should include a provision that enables the data controller or a third party to conduct an assessment of the data processor’s policies and procedures for compliance with the protection of personal data.

Regulatory Enforcement

The VA AG has the exclusive authority to enforce the CDPA. Prior to initiating an enforcement action, the VA AG is required to provide the company/data controller with written notice identifying violations of the Act. If the company cures the violations within 30 days and provides the VA AG with express notice of the same, then no action will be taken against the company. The law permits the VA AG to impose statutory civil penalties of up to $7,500 for each violation of the Act. Moreover, the VA AG also may seek recovery of its attorneys’ fees and costs incurred in investigating and enforcing the resolution of violations of the Act.

Colorado Privacy Act

On July 7, 2021, Colorado passed the Colorado Privacy Act (CPA), which takes effect on July 1, 2023. In many respects, the CPA mirrors Virginia’s new privacy law.

Organizations Subject to the Law

The CPA applies to companies/data controllers that:

  • Conduct business in the state of Colorado or
  • Produce or deliver commercial products or services that are targeted to residents of Colorado and
  • Satisfy one or both of the following criteria:
    • Control or process personal data of 100,000 or more Colorado consumers annually
    • Derive revenue from the sale of personal data and process or control personal data of 25,000 or more Colorado consumers (statute silent as to whether this is an annual requirement).

Notably, the CPA does not apply to personal data that is protected under certain other laws, including GLBA, HIPAA, the Fair Credit Reporting Act, the Driver’s Privacy Protection Act, Children’s Online Privacy Protection Act (COPPA), Family Educational Rights and Privacy Act (FERPA), customer data maintained by a public utility, employment records or data maintained by an institution of higher education. 

Broad Definition of Personal Data

The CPA broadly defines personal data as information that can be linked to an identifiable individual, but does not include de-identified or publicly available information. The law also distinguishes personal sensitive data that may include race, ethnicity, religion, mental or physical health condition or diagnosis, sexual orientation or citizenship. 

Consumers’ Data Protection Rights

The law sets forth consumers’ data protection rights, including the right to access their personal data; the right to correct inaccuracies in their data; the right to request deletion of their data; the right to obtain a copy of their data; and the right to opt out of the processing of their personal data for the purposes of targeted advertising, the sale of their data or profiling.

A company/data controller must respond to a consumer’s request within 45 days – subject to a single 45-day extension as reasonably required. The company must notify the consumer within 45 days if the company declines to take action in response to a consumer’s request. Information provided in response to a consumer request shall be provided by the company free of charge, once annually per consumer. The company must establish a procedure for a consumer to appeal the company’s refusal to take action on a consumer’s request. The company shall provide the consumer a written decision on an appeal within 45 days of receipt of the appeal. The company may extend the appeal response deadline by 60 additional days where reasonably necessary.

Responsibilities of Data Controllers

The CPA imposes a number of stringent requirements on companies, including limiting the collection of personal data to what is reasonably necessary; taking reasonable measures to secure personal data from unauthorized acquisition during both storage and use; and obtaining a consumer’s consent prior to processing any sensitive data.

The data controller should have a clear and conspicuous Privacy Notice that sets forth the categories of personal data processed by the company, the purpose for processing personal data and the means by which consumers can withdraw their consent to processing of their data. The Privacy Notice should identify the categories of personal data collected or processed, categories of personal data shared with third parties and the categories of third parties with which personal data is shared. The Privacy Notice also must disclose whether the company sells personal data or processes personal data for targeted advertising, and the means by which consumers can opt out of the sale or processing of their data. 

A data controller shall not process any personal data that represents a heightened risk of harm to a consumer without conducting a data protection assessment (DPA). The DPA must identify and weigh the benefits from the processing of personal data that may flow to the controller, the consumer and the public against the potential risks to the rights of the consumer. These risks may be mitigated by safeguards adopted by the company. The company may be required to produce its DPA to the Colorado Attorney General (CO AG) upon request.

A company/data controller must enter into a binding contract with any third parties (data processors) that process personal data at the direction of the data controller. This contract should address the following issues: data processing procedures, instructions for processing personal data, nature and purpose of processing, type of data subject to processing, duration of processing, and deletion or return of data by the data processor. The contract also should include a provision that allows the controller to perform audits and inspections of the processor at least once annually and at the processor’s expense. The audit should examine the processor’s policies and procedures regarding the protection of personal data. If an audit is performed by a third party, the processor shall provide a copy of the audit report to the controller upon request. 

Regulatory Enforcement

The CO AG has the exclusive authority to enforce the CPA by bringing an enforcement action on behalf of Colorado consumers. A violation of the CPA is considered to be a deceptive trade practice. Prior to initiating an enforcement action, the CO AG must issue a notice of violation to the company and provide an opportunity to cure the violation. If the company fails to cure the violation within 60 days of receipt of notice of the violation, the CO AG may commence an enforcement action. Civil penalties may be imposed for violations of the Act.

Conclusion

Companies that collect or process consumer data are well advised to heed these new privacy laws imposed by Virginia and Colorado, since more states are sure to adopt similar laws. Failure to adhere to these new stringent legal requirements summarized in the table below may subject companies to regulatory enforcement actions, in addition to fines and penalties.

| Requirements | Virginia | Colorado |
| --- | --- | --- |
| Consumer Data Protection Rights | | |
| Right to access personal data | X | X |
| Right to correct personal data | X | X |
| Right to delete personal data | X | X |
| Right to receive a copy of personal data | X | X |
| Right to opt out of processing personal data | X | X |
| Duty to Respond to Consumer Requests | | |
| Within 45 days (subject to one-time extension) | X | X |
| Notice of refusal to take action | X | X |
| Provide information free of charge | X | X |
| Appeal process | X | X |
| Privacy Notice | | |
| Categories of personal data collected or processed | X | X |
| Purpose for processing data | X | X |
| How consumers can exercise their rights | X | X |
| Categories of personal data shared with third parties | X | X |
| Categories of third parties with which personal data is shared | X | X |
| How consumers can opt out of the sale or processing of their personal data | X | X |
| Data Protection Assessment (DPA) | | |
| Documented DPA weighing the benefits and risks of processing consumers’ personal data, and the safeguards that can reduce such risks | X | X |
| Binding Contract Between Data Controller and Third-Party Data Processor | | |
| Instructions for processing personal data | X | X |
| Nature and purpose of the processing | X | X |
| Type of data subject to processing | X | X |
| Duration of processing | X | X |
| Duty of confidentiality | X | X |
| Deletion or return of data | X | X |
| Audits of data processor’s policies and procedures to safeguard data and comply with privacy laws | X | X |
| Enforcement | | |
| Enforcement by Attorney General | X | X |
| Fines and penalties | X | X |

© 2021 Wilson Elser



Proposed House Bill Would Set National Data Security Standards for Financial Services Industry

A new bill introduced by House Financial Services subcommittee Chairman Rep. Blaine Luetkemeyer would significantly change data security and breach notification standards for the financial services and insurance industries. Most notably, the proposed legislation would create a national standard for data security and breach notification and preempt all current state law on the matter.

Breach Notification Standard

The Gramm-Leach-Bliley Act (GLBA) currently requires covered entities to establish appropriate safeguards to ensure the security and confidentiality of customer records and information and to protect those records against unauthorized access or use. The proposed House bill would amend and expand GLBA to mandate notification to customers “in the event of unauthorized access that is reasonably likely to result in identity theft, fraud, or economic loss.”

To codify breach notification at the national level, the proposed legislation requires all GLBA covered entities to adopt and implement the breach notification standards promulgated by the Comptroller of the Currency, the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, and the Office of Thrift Supervision in their Interagency Guidance on Response Programs for Unauthorized Access to Customer Information and Customer Notice. This guidance details the requirements for notification to individuals in the event of unauthorized access to sensitive information that has resulted in or is reasonably likely to result in misuse of that information, including timing and content of the notification.

While the Interagency Guidance was drafted specifically for the banking sector, the proposed legislation also covers insurance providers, investment companies, securities brokers and dealers, and all businesses “significantly engaged” in providing financial products or services.

If enacted, this legislation will preempt all laws, rules, and regulations in the financial services and insurance industries with respect to data security and breach notification.

Cohesiveness in the Insurance Industry

The proposed legislation provides uniform reporting obligations for covered entities – a benefit particularly for insurance companies that currently must navigate a maze of sometimes conflicting state law breach notification standards. Under the proposed legislation, an assuming insurer need only notify the state insurance authority in the state in which it is domiciled. The proposed legislation also requires the insurance industry to adopt new codified standards for data security.

To ensure consistency throughout the insurance industry, the proposed legislation also prohibits states from imposing any data security requirement in addition to or different from the standards of GLBA or the Interagency Guidance.

If enacted, this proposed legislation will substantially change the data security and breach notification landscape for the financial services and insurance industries. Entities within these industries should keep a careful eye on this legislation and proactively consider how these proposed revisions may impact their current policies and procedures.

 

Copyright © by Ballard Spahr LLP

Exclusive Study Analyzes 2014 IPOs – Initial Public Offerings

Proskauer Rose LLP, Law Firm

Proskauer’s Global Capital Markets Group has just released its second annual IPO Study, the group’s analysis of U.S.-listed initial public offerings in 2014 and identification of year-over-year comparisons and trends. As with last year’s first edition, it yields a number of noteworthy observations and insights.

The study examines data from 119 U.S.-listed 2014 IPOs with a minimum deal size of $50 million, and also includes separate industry sections on health care; technology, media and telecommunications; energy & power; financial services; industrials; and consumer/retail. This edition expands on last year’s to include an appendix focusing on foreign private issuers, as 2014 experienced a meaningful return of IPO issuers from Europe and Asia. It also makes year-over-year comparisons of extensive data about deal structures and terms, SEC comments and timing, financial profiles, accounting disclosures, corporate governance and deal expenses.

Underlying the study is the proprietary IPO database that we created for the first edition and have subsequently expanded and enhanced, a valuable resource for sponsors and companies considering an IPO as well as for IPO market participants and their advisors.

Download Proskauer’s 2015 IPO Study
