In February 2018, SCOTUS handed down its decision in Digital Realty v. Somers, holding that the Dodd-Frank whistleblower anti-retaliation protections apply only if the whistleblower blows the whistle all the way to the SEC; internal reporting to the company alone would not suffice. As Justice Gorsuch remarked during oral argument, the Justices were largely “stuck on the plain language” of the statute. However, by requiring SEC reporting as a predicate, it was widely thought that the decision might have a somewhat perverse impact: while the win by Digital would limit the liability of companies under Dodd-Frank for retaliation against whistleblowers who did not report to the SEC, the holding that whistleblowers were not protected unless they reported to the SEC could well discourage internal reporting by driving all securities-law whistleblowers directly to the SEC to ensure their protection from retaliation under the statute—which just might not be a consequence that many companies would favor. (See this PubCo post.)
The Department of Justice has just released its updated guidance for Evaluation of Corporate Compliance Programs. The DOJ Manual identifies factors that prosecutors take into account “in conducting an investigation of a corporation, determining whether to bring charges, and negotiating plea or other agreements.” Among these factors is the “adequacy and effectiveness of the corporation’s compliance program.” Although the guidance is designed to assist prosecutors in assessing and making informed decisions about the extent of “credit” to be attributed to a company in light of its corporate compliance program, the factors that prosecutors are advised to consider in evaluating these programs should not be lost on companies seeking to develop and implement their own compliance programs. Of course, the guidance is not intended to be formulaic and recognizes that the relevance and significance of the factors and questions identified will vary depending on a range of company attributes, including “each company’s risk profile and solutions to reduce its risks.”
SCOTUS finds primary securities fraud liability for disseminating statements made by others with intent to defraud
Last week, SCOTUS decided Lorenzo v. SEC, a case involving a claim that an investment banker was liable for securities fraud when, at the direction of his boss, he cut, pasted and disseminated to potential investors information that his boss had provided, even though the banker knew the information was false. In a 2011 case, Janus Capital Group, Inc. v. First Derivative Traders, SCOTUS had held that, an “investment adviser who had merely ‘participat[ed] in the drafting of a false statement’ ‘made’ by another could not be held liable in a private action under subsection (b) of Rule10b–5.” (Rule 10b–5(b) prohibits the “mak[ing]” of “any untrue statement of a material fact.”) In Lorenzo, the question before the Court was whether a person who did not “make” statements (that is, who did not have “ultimate authority” over the statements), but who knowingly disseminated false statements to potential investors with intent to defraud, could be found to have violated subsections (a) and (c) of Rule 10b–5. The answer, in an opinion written by Justice Breyer, was yes. Will this case embolden plaintiff’s counsel to push the envelope and assert claims against people who are only peripherally involved in the dissemination of allegedly false information? Time will tell what the ultimate impact of this case may be.
You might remember this no-action letter to Johnson & Johnson granting relief to the company if it relied on Rule 14a-8(i)(2) (violation of law) to exclude a shareholder proposal requesting adoption of mandatory shareholder arbitration bylaws. (See this PubCo post.) In that letter, the staff relied on an opinion from the Attorney General of the State of New Jersey, the state’s chief legal officer, which advised the SEC that the proposal was excludable under Rule 14a-8(i)(2) because “adoption of the proposed bylaw would cause Johnson & Johnson to violate applicable state law.” The issue was so fraught that SEC Chair Jay Clayton felt the need to issue a statement supporting the staff’s hands-off position: “The issue of mandatory arbitration provisions in the bylaws of U.S. publicly-listed companies has garnered a great deal of attention. As I have previously stated, the ability of domestic, publicly-listed companies to require shareholders to arbitrate claims against them arising under the federal securities laws is a complex matter that requires careful consideration,” consideration that would be more appropriate at the Commissioner level than at the staff level. However, mandatory arbitration was not an issue that he was anxious to have the SEC wade into at that time. To be sure, if the parties really wanted a binding answer on the merits, he suggested, they might be well advised to seek a judicial determination. And, you guessed it—Clayton’s words to the proponent’s ears—the proponent filed this complaint on March 21.
SEC enforcement action for materially misleading projections in the face of red flags and other actions
In case anyone needed a reminder from the SEC, this case against Sonus Networks, its CFO and VP of Sales may well serve as one: per the SEC’s Associate Director of Enforcement, a company needs to have a “reasonable basis” if it makes public projections or estimates about future financial results: “The investing community expects that when companies choose to provide public financial projections, there is a reasonable basis underpinning those projections….When a company ignores red flags or takes steps to make public financial projections inaccurate we will take appropriate action.”
This SEC Order, In the Matter of The Dow Chemical Company, is a great refresher—at Dow’s expense, unfortunately for Dow—on the analysis required to determine whether or not certain expenses and benefits are perquisites or personal benefits that must be disclosed in the Summary Comp Table in the proxy statement. As you probably know, the analysis for determining whether an item is a disclosable “perk” can be very tricky to apply, especially when it involves the use of corporate jets by executives and their friends and families. The SEC claims that Dow applied the wrong standard altogether in its analysis, failing to disclose over a five-year period $3M in CEO perks and understating the CEO’s disclosed perks by an average of 59%. Dow settled the charges for a fine of $1.75M and also undertook to engage an independent consultant that would perform a review of Dow’s policies, procedures and controls and conduct training related to the determination of perks.
Yesterday, the SEC voted (by a vote of three to two) to propose amendments to the rules related to its whistleblower program. According to Chair Clayton, the program has been a resounding success in providing incentives to individuals to blow the whistle on wrongdoing. The press release reports that “[o]riginal information provided by whistleblowers has led to enforcement actions in which the Commission has ordered over $1.4 billion in financial remedies, including more than $740 million in disgorgement of ill-gotten gains and interest, the majority of which has been, or is scheduled to be, returned to harmed investors.” The proposal is intended to improve the program by increasing efficiencies and providing more tools and more flexibility to the SEC, enabling the SEC to adjust, within certain limitations, the amounts payable as awards under the program. The amendments also modify the requirements for anti-retaliation protection to conform to SCOTUS’s recent decision in Digital Realty v. Somers (see this PubCo post).
In this recent Cooley Alert, SEC Issues New Guidance on Cybersecurity Disclosure and Policies, we wrote that the SEC had not yet brought a formal enforcement proceeding for failure to make timely disclosure regarding cybersecurity risks and/or cyber incidents and asked whether an enforcement action might just be on the horizon? In that regard, we noted that, in 2017, the co-director of the SEC’s Enforcement Division had warned that, although the SEC was “not looking to second-guess good faith disclosure decisions,” enforcement actions were certainly possible in the right circumstances. Indeed, the co-director had cautioned that no one should mistake the absence of enforcement actions for an unwillingness by the SEC to pursue companies with inadequate cybersecurity disclosures before and after breaches or other incidents. Apparently, SEC Enforcement has now identified circumstances it considers to be “right”: today, the SEC announced “that the entity formerly known as Yahoo! Inc. has agreed to pay a $35 million penalty to settle charges that it misled investors by failing to disclose one of the world’s largest data breaches in which hackers stole personal data relating to hundreds of millions of user accounts.”
Today, SCOTUS issued its opinion in Cyan Inc. v. Beaver County Employees Retirement Fund. The opinion by Justice Kagan for a unanimous Court answered two questions: Did the Securities Litigation Uniform Standards Act of 1998 eliminate state court jurisdiction over class actions alleging only ’33 Act violations, and, even if not, under SLUSA, can defendants remove these state court actions to federal court? SCOTUS said no in both cases: “SLUSA did nothing to strip state courts of their longstanding jurisdiction to adjudicate class actions alleging only 1933 Act violations. Neither did SLUSA authorize removing such suits from state to federal court.”