United States: Securities And Corporate Governance Litigation Quarterly - November 2015
Decisions Of Interest For Corporate And Transactional Lawyers

Welcome to the fifth issue of Securities and Corporate Governance Litigation Quarterly, Seyfarth's quarterly publication of the Securities & Financial Litigation Group focusing on decisions or other items of interest for corporate and transactional lawyers. Each summary below is followed by key practice takeaways.

Delaware Chancery Court Rejects Majority Stockholder's Attempt To Remove And Replace Officers Through By-Laws Amendments

Gorman v. Salamone (here) involves a long-running dispute over the control of Westech Capital Corp. which arose because a voting agreement was arguably unclear as to whether certain directors were to be elected per capita among certain key shareholders or per share. The majority shareholder, John J. Gorman, IV, largely lost that battle in an earlier case that was decided by the Delaware Supreme Court in late 2014 (here) which left the CEO and Gorman's nemesis, Salamone, in place, together with the board seat to which Salome was entitled as CEO under the voting agreement.

Undeterred, Gorman purported to amend Westech's bylaws by written consent to allow the stockholders — Gorman with the majority of the shares — to remove and replace Westech's officers. The amended bylaw provided:

Gorman then attempted to remove Salamone pursuant to Gorman's new purported power and appoint himself as the new CEO. Salamone and other board members refused to recognize Gorman's actions and Gorman commenced a summary proceeding under Section 225 of the Delaware General Corporation Law ("DGCL") to determine whether Salamone had been properly removed. Gorman relied on both Section 142(b) of the DGCL which provides that "[o]fficers shall be chosen in such manner and shall hold their offices for such terms as are prescribed by the bylaws or determined by the board of directors or other governing body" and on Section 109(b) which generally gives the stockholders broad power to adopt and amend the bylaws "relating to the business of the corporation, the conduct of its affairs, and the rights or powers or the rights or powers of its stockholders, directors, officers or employees."

However, the Court found that the general powers given to stockholders were trumped by Section 141(a) which specifies that "[t]he business and affairs of every corporation . . . shall be managed by or under the direction of a board of directors, except as may be otherwise provided in this chapter or in its certification of incorporation." Section 141(a) has been interpreted as a prohibition on stockholders directly managing the business affairs of a corporation, and the issue in Gorman v. Salamone was whether the majority stockholder's removal and replacement of Salamone as CEO was tantamount to "managing" the corporation. The Chancery Court concluded it was because it mandated how the board of directors decided the substantive business decision of removing the corporation's CEO. The Court stated the test for whether a bylaw is proper as whether it defined the "process and procedures" by which a board decision is made or, instead, whether the bylaw mandates how the board should make specific business decisions, which the new bylaw certainly did.

Practice takeaways:

• Control fights in closely held corporations are sometimes the product of poor drafting of corporate governance documents. Often, however, the lack of clarity and ambiguities in those documents are the product of negotiated compromises and "kicking the can" on potential control issues rather than sloppiness. If the corporate documents governing control go too far, the court may resort to a highly technical reading of the statute to preserve the board's primacy to manage the business and affairs of the corporation, thus leading to unsatisfied expectations, hopeless deadlocks, and potentially lengthy and expensive litigation.
• Imprecise corporate governance documents and their unintended or intended consequences can seldom be revised after the fact if there are classes of directors elected to protect certain control groups; one or the other of the control groups will object and there is often no way for one group to break the deadlock. Gorman v. Salamone demonstrates one of number of ways that even a majority shareholder cannot break the deadlock.
• Bylaws are by their nature only "rules of the road" governing process and procedures. All too often stockholders attempt to pack precise corporate control provisions into bylaws and shareholder agreements, and in light of Gorman v. Salamone that approach may not hold up in a judicial challenge.
• Choice of entity is very important in relation to control and the extent to which stockholders can inject themselves into substantive business decisions. The DGCL already provides an avenue through which stockholders can restrict the discretion of directors and implement stockholder management by electing to treat the corporation as a statutory "close corporation." See DGCL Sections 341 et seq. (including Section 350 (restricting director discretion) and Section 351 (management by stockholders) if close corporation status is elected in the certificate of incorporation). Also, these formalities do not necessary apply to limited liability companies, where member and manager roles can be more freely defined by contract. As the Gorman court noted, "a Delaware corporation is a board-centric entity. Other governance structures can be imposed on other entities, if that is what the stakeholders desire."

Second Circuit Creates Split Regarding Definition Of Whistleblower Under Dodd- Frank's Anti-Retaliation Provisions

On September 10, 2015, the Second Circuit, in Berman v. Neo@Ogilvy LLC (here), split with the Fifth Circuit regarding the reach of Dodd-Frank's whistleblower anti-retaliation provisions. The crux of the debate arises from the interplay between the statutory definition of "whistleblower" and the conduct protected in the Act's anti-retaliation provisions. Specifically, the Act clearly defines "whistleblower" as "any individual who provides . . . information relating to a violation of the securities law to the [SEC]." 15 U.S.C.§ 78u-6(a)(6). The anti-retaliation provisions of the law, however, prohibit retaliation against "whistleblowers" who participate in the following conduct: (i) who raise complaints relating to lawful acts done by a whistleblower in providing information to the SEC; (ii) who participate or assist in any investigation of the SEC based upon such information; and (iii) who make disclosures required or protected under the Sarbanes-Oxley Act and any other law, rule or regulation subject to the jurisdiction of the SEC. See 15 U.S.C. § 78u-6(h)(1)(A)(i)-(iii).

One interpretation of the statute — the one ultimately adopted by the Second Circuit — is that because subsection (iii) above does not expressly condition anti-retaliation protection on an employee having complained to the SEC, a complaint to the SEC is not required by the statute. Under this reading, the protections afforded to a "whistleblower" under subsection (iii) seemingly contradict the clear statutory definition of the term "whistleblower" in the earlier section of the statute, leading a number of district courts, and now the Second Circuit, to conclude that there is sufficient ambiguity in the statute to permit deference to the SEC's subsequent whistleblower regulations defining the term more broadly. Not surprisingly, the SEC's position is that an employee need not report to the SEC in order to benefit from the anti-retaliation provisions of Act. In fact, following oral argument in Berman, the SEC issued an interpretive rule designed to "clarify" that, for purposes of the employment retaliation protections provided by Dodd-Frank, an individual's status as a whistleblower does not depend on reporting information to the SEC. See Interpretation of the SEC's Whistleblower Rules Under Section 21F of the Securities Exchange Act of 1934, Exchange Act Release No. 34-75592 (Aug. 4, 2015).

Not all courts agree with this broad reading of the law. The Fifth Circuit in Asadi v. G.E. Energy (USA), L.L.C. and a number of district courts have held the statutory definition of "whistleblower" is abundantly clear, and notwithstanding the language in subsection (iii), the anti-retaliation provisions support the conclusion that to be a whistleblower, a person must first complain to the SEC. A majority of the panel in Berman disagreed, describing the central issue as whether the "arguable tension between the definitional subsection [] which defines 'whistleblower' to mean an individual who reports violations to the [SEC], and subdivision (iii) . . ., which, unlike subdivisions (i) and (ii), does not within its own terms limit its protection to those who report wrongdoing to the SEC" creates sufficient ambiguity as to require deference to the SEC's rule.

The majority began its analysis by highlighting the purported "tension" between the definition of whistleblower and the language of subsection (iii), observing that if subsection (iii) is meant to protect individuals who complain to the SEC, it will protect only those few individuals who make simultaneous complaints to their employer and to the SEC. The Court further observed that there are categories of potential whistleblowers who cannot report wrongdoing to the SEC until after they have first reported it to their employer (such as auditors and attorneys), and therefore, "apart from the rare example of simultaneous . . . reporting of wrongdoing . . . there would be virtually no situation where an SEC reporting requirement would leave subdivision (iii) with any scope." Consequently, the majority opined the central question is "whether Congress intended to add subdivision (iii) . . . only to achieve such a limited result." Ultimately, the Court determined that the statutory texts are unclear, and found no legislative history that "even hints at an answer." Accordingly, the Court found the "tension" created sufficient ambiguity to allow deference to the SEC's interpretation of the statute.

In its effort to rationalize the apparent unambiguous definition of "whistleblower" set out in the statute, the majority noted, "[w]e recognize that the terms of a definitional subsection are usually to be taken literally. . . and, pertinent to this case, usually applied to all subsections literally covered by the definition, but we have also recognized that 'mechanical use of a statutory definition' is not always warranted." That is, even though the statute provides a clear definition of a term that is later used in other sections of the statute, the majority still concluded that the statute was somehow ambiguous.

In his dissent, Judge Jacobs harshly criticizes the majority for re-writing the statute, misreading its clear terms ("a bad misreading, tantamount to a misquotation") and for placing the Second Circuit on the "wrong side" of a circuit split. Relying heavily on Asadi, Judge Jacobs observed that "[p]ersons who report certain violations of the securities laws are protected from retaliation under (at least) two federal statutes. [SOX] protects employees who blow a whistle to management or to regulatory agencies; Dodd-Frank protects "whistleblowers," defined as persons who report violations "to the [SEC]." He then criticized the majority for "assum[ing] its own conclusion," ignoring the distinction between SOX and Dodd-Frank, and for "look[ing] here, there and everywhere — except to the statutory text" for the meaning of the term "whistleblower." Judge Jacobs next attacked the majority's conclusion that subsection (iii) would have a limited effect, and more so, for its holding that when a plain reading of a statute gives it an "extremely limited" effect, the statutory provision is therefore "impaired or ambiguous."

Practice Takeaway:

• With a clear circuit split, as well as strong dissent in its own Circuit, this issue seems destined for resolution by the Supreme Court. Indeed, the Second Circuit agreed on October 14, 2015 to put its mandate on hold while Neo@Ogilvy seeks Supreme Court review. Until the Supreme Court resolves the circuit split, the broader restriction on retaliation under the Second Circuit's construction should guide employers' reaction to "whistleblowers" whether or not they report to the SEC.

Recent SEC Enforcement Action Highlights Cybersecurity Risks

On September 22, 2015, the Securities and Exchange Commission ("SEC") announced (here) that R. T. Jones Capital Equities Management, an investment adviser, agreed to settle charges that it failed to establish required cybersecurity policies and procedures before its web server was attacked by a hacker (traced to China). The breach resulted in the compromise of personally identifiable information ("PII") of 100,000 persons, including thousands of the firm's clients.

The adviser was alleged to have violated the "safeguards rule" (here) which requires investment advisers to adopt written policies and procedures designed to protect customer information. Here, the adviser stored sensitive PII on a server hosted by a third party and the adviser failed to conduct periodic risk assessments, implement a firewall, encrypt PII stored on the server, and maintain a response plan in case of cyberattacks.

After the attack, the adviser notified each individual whose PII was compromised and offered free identity theft monitoring. Although the adviser received no reports of a client suffering financial harm from the breach, the SEC faulted the adviser for failing to adopt written policies and to have clear procedures in place before a breach occurs as required by the safeguards rule. The Co-Chief of the SEC's Enforcement Division stated "[I]t is important to enforce the safeguards rule even in cases like this when there is no apparent financial harm to clients."

The SEC's focus on cybersecurity is reflected in the results of a Cybersecurity Examination Sweep Survey (here) by its Office of Compliance Inspections and Examinations ("OCIE"). This survey was designed to inform the SEC's Staff about the level of preparedness of the broker-dealers and investment advisers that were examined. Among other things, the OCIE survey showed that:

• A significant majority of the broker-dealers and advisers have adopted written information security policies and conduct periodic risk assessments to identify cybersecurity vulnerabilities.
• Most of the examined firms have been the subject of a cyber-related incident, and about a quarter had sustained losses caused by employees not following authentication procedures for fraudulent emails seeking to transfer funds.
• The firms' cybersecurity risk policies for their vendors varied in implementation. While most incorporate some form of requirements in their vendor contracts, a much smaller number provide training for vendors and business partners authorized to access their networks.
• Just over a majority of broker-dealers, and only a small number of advisers, have insurance for cybersecurity incidents.

Practice takeaways:

We anticipate that the SEC's interest in the management of cybersecurity risk will increase among firms in the business of holding and managing clients' information, such as broker-dealers and investment advisers, and will also spread laterally to other entities whose activities are covered by SEC regulation:

• Cybersecurity threats — whether from nation-state actors, criminal organizations or competitive businesses — are not likely to abate in the future. In order to maintain competitive advantage as a good business partner as well as to avoid or mitigate potential liability, it will become increasingly important for companies to demonstrate that they have sound and constantly updated policies in place. As the R. T. Jones enforcement action demonstrates, having and following a reasonable cybersecurity policy can be as important as the consequences of an actual data breach.
• The data elicited from the OCIE survey indicates that, for the industry segment covered, practices are moving toward a number of common elements. This reflects an emerging "standard of care" that will inform regulatory expectations and trends in private litigation for information security breaches.
• Cybersecurity policies should cover security practices, asset management and data flow. They should be designed to identify the business' systems and needs, develop and implement safeguards, detect security threats and events, respond to events with an action plan, and restore normal operations after an incident.
• The standard of care will constantly evolve as the threats become more sophisticated. In the future, cybersecurity is likely to become predictive based on hacker behavior, rather than reactive by adjusting to past threats.
• Covered firms should explore insurance options for covering cybersecurity risks.
• While the OCIE survey was confined to covered broker-dealers, the SEC appears to be directing increased attention to public companies in certain industries that have been targeted by hackers seeking material non-public information on which to trade. While regulatory action specifically directed to cybersecurity risks for public companies in general does not appear imminent, any cybersecurity vulnerabilities that a public company generating material non-public news has may expose it to investigations for insider trading. If those vulnerabilities compromise the company's financial reporting functions, there may also be exposure to claims of inadequate financial controls, deficient disclosure in management's discussion and analysis, and scrutiny of the adequacy of financial reserves for contingencies.

Delaware Chancery Court Issues A Reminder of The Limitations That May Exist In Your Director and Officer Indemnification

The Delaware Chancery Court's recent decision in Charney v. American Apparel, Inc., (here) highlights some potential pitfalls that may exist in many standard Delaware indemnification and advancement provisions for directors and officers. In American Apparel, the company's founder and former CEO and Chairman, Dov Charney, sued to recover advancement of legal expenses he was incurring in another litigation filed by the company. In that other case, the company was suing Charney for breach of a Standstill Agreement the parties had entered into the previous year while Charney was still at the company. The court held that Charney was not entitled to advancement under the company's charter and his indemnification agreement because the suit over the Standstill Agreement was not "related to the fact" that Charney was a director or officer.

In June 2014, Charney was suspended as CEO by the board of directors, pending an investigation into alleged misconduct by Charney. In July 2014, Charney and the company entered into the Standstill Agreement, under which Charney was prohibited from taking certain actions, including seeking removal of members of the board and making disparaging comments about the company to third parties. The Standstill Agreement also governed the terms by which Charney might return to the company, depending on the outcome of the investigation. In December 2014, following the investigation, Charney was terminated for cause based on his misconduct prior to June 2014.

Following his termination, Charney allegedly engaged in a variety of hostile actions that the company believed violated the Standstill Agreement. On May 15, 2015, the company filed its lawsuit over these alleged violations, claiming that Charney was attempting a potential takeover, had expressed anti-board sentiments at employee meetings, made negative statements to third parties, and submitted a declaration in opposition to the board in an unrelated legal proceeding. Charney made a prompt demand on the company for advancement of his legal fees incurred in the Standstill Agreement case under his indemnification agreement and company's by-laws. The Company rejected Charney's demand on May 26, 2015.

Charney filed his suit for advancement of fees on June 4, 2015. Charney argued that the company's advancement obligations are defined by and flow from its indemnification obligations such that he is entitled to advancement expenses incurred in the Standstill Proceeding under Delaware law. The court disagreed and held that while rights to advancement and indemnification are related, they are "discrete and independent." As such, Delaware courts have refused to recognize claims for advancement absent specific language that permits it under the applicable circumstances. Similarly, the court rejected Charney's argument that he was entitled to advancement under the company's charter. The court held that under the charter, only current officers and directors of the company are entitled to advancement. Finally, the court rejected Charney's argument that his fees were incurred "as a result of" his position as a director and/or officer of the company. The court held that while Charney's position exacerbated the magnitude of his actions, there was no causal connection and all of his actions could have been undertaken whether or not he served as a director or officer. Moreover, each of the alleged actions the company was challenging occurred after he had been terminated an officer or director.

Practice Takeaways

• Review the language of the company's indemnification obligations under the by-laws, charter or in separate agreements with its officers and directors. While most standard indemnification provisions cover both former and current officers and directors, the advancement obligations may not apply to former officers and directors.
• Pay particular attention to the triggering language of the indemnification obligations. If it is limited to claims brought "by reason of the fact" that one is an officer or director (the language used in section 145 of the Delaware Gen Corp. law), there may be no coverage for contract disputes, like the one here in American Apparel, which may arise out of one's role as a director but may not "arise by reason of the fact" of that role.
• Recognize that generally there will not be indemnification or advancement coverage for claims that do not have a causal connection to the claimant's actions or inactions as an officer or director, or which do not relate to his or her exercise of judgment, discretion, or decision-making authority on behalf of the corporation.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.