Category: Litigation

SEC brings enforcement action for failure to timely disclose cyber breach

In this recent Cooley Alert, SEC Issues New Guidance on Cybersecurity Disclosure and Policies, we wrote that the SEC had not yet brought a formal enforcement proceeding for failure to make timely disclosure regarding cybersecurity risks and/or cyber incidents and asked whether an enforcement action might just be on the horizon. In that regard, we noted that, in 2017, the co-director of the SEC’s Enforcement Division had warned that, although the SEC was “not looking to second-guess good faith disclosure decisions,” enforcement actions were certainly possible in the right circumstances. Indeed, the co-director had cautioned that no one should mistake the absence of enforcement actions for an unwillingness by the SEC to pursue companies with inadequate cybersecurity disclosures before and after breaches or other incidents. Apparently, SEC Enforcement has now identified circumstances it considers to be “right”: today, the SEC announced “that the entity formerly known as Yahoo! Inc. has agreed to pay a $35 million penalty to settle charges that it misled investors by failing to disclose one of the world’s largest data breaches in which hackers stole personal data relating to hundreds of millions of user accounts.”

SCOTUS upholds state court jurisdiction over class actions asserting only ’33 Act claims

Today, SCOTUS issued its opinion in Cyan Inc. v. Beaver County Employees Retirement Fund. The opinion by Justice Kagan for a unanimous Court answered two questions: Did the Securities Litigation Uniform Standards Act of 1998 eliminate state court jurisdiction over class actions alleging only ’33 Act violations, and, even if not, under SLUSA, can defendants remove these state court actions to federal court? SCOTUS said no in both cases: “SLUSA did nothing to strip state courts of their longstanding jurisdiction to adjudicate class actions alleging only 1933 Act violations. Neither did SLUSA authorize removing such suits from state to federal court.”

SEC Chair confirms mandatory shareholder arbitration provisions and dual-class share structures not near-term priorities

Last week, at a meeting of the SEC’s Investor Advisory Committee, SEC Chair Jay Clayton delivered an opening statement, part of which addressed two governance topics of recent debate. One of the topics—dual-class share structures—was on the Committee’s agenda, while the other—mandatory shareholder arbitration provisions—was not.  In both cases, Clayton’s mission was to explain “why they are not on my list of near-term priorities.”

Equilar reports on advances in board gender diversity

Happy International Women’s Day!  

According to the latest Equilar Gender Diversity Index (GDI), based on the current rate of growth, board gender parity for companies in the Russell 3000 is now expected to be achieved by 2048, an advance from the estimate published in the inaugural 2017 GDI, which did not project parity until 2055. At that point, women held only 15.1% of board seats for the Russell 3000, compared to 16.5% as of the end of 2017. Should we cheer?

New SEC guidance on cybersecurity disclosure

Yesterday, the SEC announced that it had adopted—without the scheduled open meeting, which was abruptly cancelled with only a cryptic statement—long-awaited new guidance on cybersecurity disclosure. The guidance addresses disclosure obligations under existing laws and regulations, cybersecurity policies and procedures, disclosure controls and procedures, insider trading prohibitions and Reg FD and selective disclosure prohibitions in the context of cybersecurity.  The new guidance builds on Corp Fin’s 2011 guidance on this topic (see this Cooley News Brief), adding in particular new discussions of policies and insider trading.   While the guidance was adopted unanimously, some of the Commissioners were not exactly enthused about it, viewing it as largely repetitive of the 2011 guidance—and hardly more compelling. Anticlimactic? See if you agree.

SCOTUS says whistleblowers must whistle all the way to the SEC

Today, SCOTUS handed down its decision in Digital Realty v. Somers, a case addressing the split in the circuits regarding the application of the Dodd-Frank whistleblower anti-retaliation protections: do the protections apply regardless of whether the whistleblower blows the whistle all the way to the SEC or just reports internally to the company? You might recall that during the oral argument, the Justices seemed to signal that the plain language of the statute was clear and controlling, thus suggesting that they were likely to decide for Digital, interpreting the definition of “whistleblower” in the Dodd-Frank anti-retaliation provision narrowly to require SEC reporting as a predicate.  There were no surprises. As Justice Gorsuch remarked during oral argument, the Justices were largely “stuck on the plain language.”  The result may have an ironic impact:  while the win by Digital will limit the liability of companies under Dodd-Frank for retaliation against whistleblowers who do not report to the SEC, the holding that whistleblowers are not protected unless they report to the SEC may well drive all securities-law whistleblowers to the SEC to ensure their protection from retaliation under the statute—which just might not be a consequence that many companies would favor.

Mandatory shareholder arbitration provisions for IPOs? SEC Chair says “not on my list”

Depending on your point of view, you may have experienced either heart palpitations or increased serotonin levels when you heard, back in July 2017, that SEC Commissioner Michael Piwowar had, in a speech before the Heritage Foundation, advised that the SEC was open to the idea of allowing companies contemplating IPOs to include mandatory shareholder arbitration provisions in corporate charters. As reported, Piwowar “encouraged” companies undertaking IPOs to “come to us to ask for relief to put in mandatory arbitration into their charters.”   (See this PubCo post.) As discussed in this PubCo post, at the same time, in Senate testimony, SEC Chair Jay Clayton, asked by Senator Sherrod Brown about  Piwowar’s comments, responded that, while he recognized the importance of the ability of shareholders to go to court, he would not “prejudge” the issue. According to some commentators at the time, to the extent that these views appeared to indicate a significant shift in SEC policy on mandatory arbitration, they could portend “the beginning of the end of securities fraud class actions.” Then, in January of this year, the rumors about mandatory arbitration resurfaced in a Bloomberg article, which cited “three people familiar with the matter” for the proposition that the SEC is “laying the groundwork” for this “possible policy shift.” But in recent Senate testimony, Clayton reportedly put the kibosh on these signals.

In light of the recent fraud charges against audit firm partners and the PCAOB, what questions should audit committees ask their outside auditors?

Recent civil and criminal fraud charges against partners at KPMG and staffers at the PCAOB, arising out of “their participation in a scheme to misappropriate and use confidential information relating to the PCAOB’s planned inspections of KPMG,” have led some managements and audit committee members to consider whether there is more they should be doing to ensure that their outside audit firms are not plagued by similar concerns. This article from Compliance Week sifts through a speech by Helen Munter, PCAOB director of inspections and registration, to assemble a series of questions that, in light of these recent charges, may be appropriate for audit committee members to pose to their outside audit firms.

SEC files charges against former PCAOB staff and former KPMG partners—collateral impact?

Yesterday, the SEC filed charges against six CPAs, including former staffers at the PCAOB and former partners of KPMG, arising out of “their participation in a scheme to misappropriate and use confidential information relating to the PCAOB’s planned inspections of KPMG.”  All have now been separated from KPMG or the PCAOB, and the U.S. Attorney’s Office for the SDNY has filed criminal charges.  Here is the press release, which advises that the “SEC stands ready to work with issuers to ensure that collateral effects, if any, to issuers and, in particular, their shareholders are minimized.” 

SCOTUS hears oral argument in Somers v. Digital Realty Trust: Dodd-Frank whistleblower statute “says what it says”

Yesterday, in addition to hearing oral argument regarding state court jurisdiction over ’33 Act class actions (see this PubCo post), SCOTUS also heard oral argument in a second case, Somers v. Digital Realty Trust.  This case addressed the split in the circuits regarding the application of the Dodd-Frank whistleblower anti-retaliation protections: do the protections apply regardless of whether the whistleblower blows the whistle all the way to the SEC or just reports internally to the company?   Here is a link to the transcript of the oral argument for Digital Realty, which is discussed below.