Employers Beware: The Ninth Circuit Finds That Liability Waivers in Consumer Report Disclosures “Willfully” Violate the FCRA

On January 20, 2017, the Ninth Circuit Court of Appeals issued an opinion with far-reaching consequences for employers’ liability under the Fair Credit Reporting Act (15 U.S.C. § 1681b(b)(2)(A)), and which could impact insurance coverage for such liability. In Syed v. M-I, LLC, et al., 2017 WL 242559 (9th Cir. Jan. 20, 2017), the court held that a prospective employer willfully violates the Fair Credit Reporting Act (FCRA) when it procures a job applicant’s consumer report after including a liability waiver in the same document as the statutorily-mandated disclosure.

Plaintiff Syed applied for a job with M-I in 2011. As part of the application process, M-I provided Syed with a document labeled “Pre-employment Disclosure Release.” The Disclosure Release informed Syed that his credit history and other information could be collected and used as a basis for the employment decision, authorized M-I to procure Syed’s consumer report, and stipulated that by signing the document, Syed was waiving his rights to sue M-I for violation of the FCRA. Syed filed a class action lawsuit on behalf of himself and all others that had received the same disclosure document, arguing that M-I had violated the FCRA, which requires that the disclosures given to job applicants before obtaining their consumer reports consist “solely” of the disclosure. The United States District Court for the Eastern District of California dismissed the class action complaint, concluding that Syed had not sufficiently pled willful violation of the FCRA. Syed appealed.

In a matter of first impression, the Ninth Circuit reversed the district court’s dismissal, holding that M-I’s inclusion of a liability waiver in the same document as the disclosure willfully violated the FCRA as a matter of law. In reaching its holding, the court emphasized that the FCRA requires that the disclosures given to job applicants consist “solely” of the disclosure that the report may be obtained for employment purposes. Therefore, the court concluded that an employer’s inclusion of any terms in addition to that disclosure language, including a liability waiver, constitutes a “willful” violation of the statute. The court explained that “solely” unambiguously means “alone”, “singly”, “entirely”, or “exclusively” such that M-I’s inclusion of a liability waiver on the same document was a plain violation of the express terms of the statute. The court further elaborated that the inclusion of a waiver “does not comport with the FCRA’s basic purpose…[and] [t]o the contrary, it would frustrate Congress’s goal of guarding a job applicant’s right to control the dissemination of sensitive personal information.”

The Syed case could have a significant impact, opening the door to claims under the FCRA, because employers routinely utilize consumer reports as part of their job application process. Under the statute, Plaintiffs are limited to their actual damages unless they can prove that the employer “willfully fail[ed] to comply” with the statute. In such instances, plaintiffs can recover statutory damages ranging from $100 to $1,000, punitive damages, attorney’s fees, and costs of suit. In light of these exposures, employers often look to their liability policies to pick up the defense costs and indemnity exposure associated with these claims.

The Ninth Circuit’s holding that the employer willfully violated the FCRA is likely to create coverage defenses to these claims, as many states have public policy limitations prohibiting insurance coverage for an insured’s willful acts. In California, the limitation is further codified by statute in Insurance Code Section 533, which expressly provides that “[a]n insurer is not liable for a loss caused by the willful act of the insured.”  Thus, in situations like Syed, where employers have not followed the express requirement of the statute to have disclosures in a standalone document, they will now be facing increased exposure for claims arising under the FCRA without the assured safeguard of insurance coverage to help pick up the tab.

The Syed case is an important reminder for employers to take a fresh look at their application forms, and specifically, their consumer report disclosures under the FCRA to ensure they comport with the express requirements of the statute and, as appropriate, to seek the advice of counsel. Otherwise, employers may face much more than they bargained for with their liability waivers. Rather than escaping liability under the FCRA, they may face exposure for additional remedies resulting from the willful violation of the statute and risk the loss of insurance coverage as a consequence.

Investors Contend “Smoking Gun” Evidence is the Silver Bullet Against Financial Institution Defendants in Silver Rigging Case

The plaintiffs in a multidistrict silver rigging case pending in New York, In re: London Silver Fixing Ltd. Antitrust Litigation (S.D.N.Y., Case No.: 1:14-md-02573), have sought to amend their complaint based on newly acquired “smoking gun” evidence concerning an alleged conspiracy by certain financial institutions to rig the price of silver and silver related financial instruments. With this new “smoking gun” evidence, plaintiffs contend that they are now able to cure certain pleading deficiencies previously identified against UBS, one of the named bank defendants. Plaintiffs further contend that there is evidence of collusive price manipulation against the proposed new defendants: Barclays Bank PLC; Barclays Capital Inc.; Barclays Capital Services Ltd.; BNP Paribas Fortis S.A./N.V.; Standard Chartered Bank; Bank of America Corporation; Bank of America, N.A.; and Merrill Lynch, Pierce, Fenner & Smith Inc. The new evidence includes electronic chats from various traders, which purportedly demonstrate attempts to manipulate the silver market by coordinating trades in advance and “spoofing,” among other things.

According to public reports, the “smoking gun” evidence came “[e]ight months after Deutsche Bank AG settled a lawsuit claiming it manipulated gold and silver prices.”[1] In plaintiffs’ memorandum in support of their motion to amend, they explain that the materials they received from Deutsche Bank as part of their proposed settlement provided them with evidence that “far surpasses” the conspiracy they previously alleged. Plaintiffs also maintain that the defendants will suffer no prejudice by the amendment because, even though the case is a few years old, the parties have not taken depositions or produced documents, other than the Deutsche Bank materials.

UBS, which was dismissed from the case in October 2016 but may be brought back in if the motion to amend is granted, challenged plaintiffs’ assertions that they have cured their pleading defects. In UBS’s response brief, the bank argues that, even if plaintiffs’ allegations were true, they do not show that UBS had “control” over the silver fixing at noon London time (which is when the price of silver was set), or that it had “advance knowledge” of the fix price. UBS further contends that plaintiffs fail to connect the new evidence to actually executed transactions. In addition, and contrary to the plaintiffs’ position, UBS argues the new allegations would change the plaintiffs’ theory and the scope of the current action, which would unfairly prejudice the bank. UBS further maintains that the proposed complaint would not withstand a motion to dismiss.

Plaintiffs seek until December 22, 2016 to file their reply brief. Thereafter, the Court will determine whether the new evidence truly is the “smoking gun” that plaintiffs contend it to be. In any event, there appears to be a trend developing in these large cases brought against several financial institutions. Specifically, it is now common to see one bank settle with plaintiffs before all others, presumably at a discount, with the promise to aid plaintiffs in prosecuting their claims against the remaining bank defendants. We have seen the same strategy at play in the class action litigation brought against various banks arising out of the LIBOR manipulation. If the strategy is successful, we can expect to see it implemented in future actions, as well.

[1] David Glovin and Edvard Pettersson, “Deutsche Bank Records Said to Show Silver Rigging at Other Banks” Bloomberg, available at: https://www.bloomberg.com/news/articles/2016-12-08/deutsche-bank-records-alleged-to-show-banks-rigged-silver-prices (Dec. 7, 2016).

Strike Three – You’re Out – Data Breach Shareholder Derivative Lawsuit Against Home Depot Dismissed

On November 30, 2016, Judge Thomas W. Thrash dismissed a shareholder derivative action brought against Home Depot as a result of the breach of its security systems and theft of its customers’ personal financial data (“the Breach”) in 2014. In Re The Home Depot, Inc. Shareholder Derivative Litigation, Civ. No. 1:15-CV-2999, 2016 WL 6995676 (N.D. Ga. 2016). In the derivative action, Plaintiffs asserted that Home Depot was harmed as a result of the company’s alleged delay in responding to significant security threats, and thus sought to recover under three primary claims against Home Depot’s current and former directors and officers (“Ds&Os”). These included the following alleged claims: (1) breach of the duty of loyalty by failing to institute internal controls sufficient to oversee the risks in the event of a breach, and for disbanding a Board of Directors committee that was responsible for overseeing those risks; (2) waste of corporate assets; and (3) violation of Section 14(a) of the Securities Exchange Act in connection with Home Depot’s 2014 and 2015 proxy filings. According to Judge Thrash, all of the claims against the Ds&Os “ultimately” related to what they “knew before the Breach and what they did about that knowledge.” Defendants filed a motion to dismiss, which Judge Thrash ultimately granted applying Delaware law. It was undisputed that no demand was made on the Home Depot Board of Directors. Thus, Plaintiffs had the burden of demonstrating that the demand requirement was excused because it would have been futile.

Judge Thrash analyzed each of the three claims against the Ds&Os. As for the primary claim that the Directors allegedly breached their duty of loyalty and that they failed to provide oversight, Plaintiffs were required to show that the Directors either “knew they were not discharging their fiduciary obligations or that the Directors demonstrated a conscious disregard for their responsibilities[.]” When combined with the general demand futility standard, Plaintiffs essentially needed to show that a majority of the Board faced substantial liability because it consciously failed to act in the face of a known duty to act. Judge Thrash stated that this is “an incredibly high hurdle for the Plaintiffs to overcome[.]”

In finding that Plaintiffs failed to overcome this hurdle, Judge Thrash rejected Plaintiffs’ arguments about the significance of disbanding the Infrastructure Committee charged with oversight of the risks Home Depot faced in the event of a data breach. Plaintiffs alleged that the Board failed to amend the Audit Committee’s charter to reflect the new responsibilities for data security that had been transferred from the Infrastructure Committee, as required by the Company’s Corporate Governance Guidelines. As a result, Plaintiffs alleged that the Board failed to designate anyone with the responsibility to oversee data security, thereby leaving the company without a reporting system. Judge Thrash concluded that “[t]his argument is much too formal.” Regardless of whether the Audit Committee had “technical authority,” both the Committee and the Board believed it did. Given the factual allegations that the Audit Committee received regular reports from management on the state of Home Depot’s data security, and the fact that the Board in turn received briefings from both management and the Audit Committee, the court concluded that “there can be no question that the Board was fulfilling its duty of loyalty to ensure that a reasonable system of reporting existed.”

The court also rejected Plaintiffs’ argument that the Board’s failure “to ensure that a plan was in place to ‘immediately’ remedy the deficiency in [Home Depot’s data security],” supported the breach of the duty of loyalty claim. Plaintiffs acknowledged in the complaint that the Board acted before the Breach occurred, that it had approved a plan that would have fixed many of Home Depot’s security weaknesses, and that it would be fully implemented by February 2015. Under Delaware law, the court held that directors violate their duty of loyalty only if “they knowingly and completely failed to undertake their responsibilities.” Judge Thrash concluded that “as long as the Outside Directors pursued any course of action that was reasonable, they would not have violated their duty of loyalty.”

In addition, Plaintiffs alleged that there was “a plan,” but that “it moved too slowly.” The court held that this was not the standard under which to evaluate demand futility on a duty of loyalty claim. The court noted that with the benefit of hindsight, “one can safely say that the implementation of the plan was probably too slow, and that the plan probably would not have fixed all of the problems Home Depot had with its security.” However, the court also found that “simply alleging that a board incorrectly exercised its business judgment and made a ‘wrong’ decision in response to red flags…is not enough to plead bad faith.”

Based on the foregoing analysis of the demand futility issue, the court had little difficulty discounting the claim of corporate waste. Plaintiffs alleged that the Board’s insufficient reaction to the threats posed by alleged deficiencies in compliance with contractual requirements for data security caused significant losses to the company, which constituted a waste of Home Depot’s assets. Here, the court concluded that the Plaintiffs’ claim was basically a challenge to the Directors’ exercise of their business judgment, and although with hindsight, it “was easy to see that the Board’s decision to upgrade Home Depot’s security at a leisurely pace was an unfortunate one,” the decision nevertheless fell squarely within the discretion of the Board and was protected under the business judgment rule.

Finally, Plaintiffs’ Section 14(a) claims, which were also subject to a demand requirement, alleged that Defendants omitted important information from their 2014 and 2015 Proxy Statements by not disclosing that Home Depot had known of specific threats to its data security, and that the Audit Committee’s charter was not amended to reflect that the responsibility for IT and data security had been transferred to it. The court rejected these arguments, noting that regardless of whether the charter was amended, “everyone believed and acted as if the Committee did have oversight over data security during the relative time period.” Further, the court found that Plaintiffs failed to specifically identify which statements in the Proxy Statements were false or misleading and also failed to plead with particularity how the omission caused the alleged loss. Thus, the court held that the claim did not demonstrate the necessary duty to disclose required under Section 14(a). Moreover, “because [Plaintiffs] had not demonstrated a substantial likelihood that the Defendants would have been liable for a Section 14(a) violation,” the court found that demand was neither futile for the Section 14(a) claims, nor excused.

This decision is in step with two other recent decisions dismissing shareholder derivative actions against companies arising out of high-profile data breaches. See Palkon v. Holmes, et al., 2014 WL 5341880 (D.N.J. Oct. 20, 2014) (court, applying Delaware law, dismissed a derivative action against Wyndham Hotels brought after that company suffered a large data breach, relying in part on the protections afforded the Ds&Os under the business judgment rule); Davis et al. v. Steinhafel et al., No. 14-cv-203 (D. Minn. July 7, 2016) (court dismissed derivative action against Target because a claim could not be stated in connection with a corporation’s special litigation committee’s decision not to pursue derivative claims against the company’s officers or directors, particularly where it demonstrated that the decision was based on a thorough and impartial investigation).

With the prevalence of security breaches taking place against various corporations, including large retailers, Home Depot is yet another reminder of the potential exposure presented by cyber-liability for the boardroom, including costly litigation even if the corporation prevails. Judge Thrash’s opinion provides guidance on how the business judgment rule can protect Ds&Os for their decision-making with respect to the demands of cybersecurity. Given the numerous references to the “benefits of hindsight,” however, corporate boards should be vigilant in assessing their cybersecurity plans. There may come a time when a court will not so readily apply the “business judgment rule” to a Board’s decision making process in addressing cybersecurity concerns.

Every Rose Has Its Thorn: No D&O Coverage For Bad Loans To Flower Company, Fifth Circuit Says

In a recent decision, the Fifth Circuit ruled in favor of Markel American Insurance Company in a D&O liability coverage dispute centering on the application of the policy’s “Creditor Exclusion.” The panel affirmed a lower court’s holding that the exclusion precluded coverage for claims brought by lenders of the insured. Markel Am. Ins. Co. v. Verbeek, 2016 WL 5400412 (5th Cir. 2016) (Tex.). In doing so, the panel rejected arguments by the insured, which relied on changes in the lender’s position during the underlying litigation.

The underlying case involved a claim brought by a bank syndicate comprised of Regions Bank, Comerica Bank, Solutions Capital I, LP and MCG Capital Corporation (collectively, “the banks”) which issued a credit facility loan agreement to the insured, Color Star Growers of Colorado, Inc. (“Color Star”), a flower distributor. Color Star soon went bankrupt and defaulted on its obligations under the credit facility loan. The banks filed suit against Color Star’s officers, Huibert and Engelbrecht Verbeek, in Texas state court alleging that the Verbeeks fraudulently induced the banks to issue the loans by misrepresenting the financial condition of their company. In particular, the banks claimed that the Verbeeks had overstated the value of their inventory by approximately $6.6 million. According to the banks, the Verbeeks were looking at their bottom line through rose-colored glasses.

The Verbeeks tendered the lawsuit to Markel and requested a defense under their D&O policy. Markel denied coverage for the suit, citing the policy’s “Creditor Exclusion.” That exclusion pertinently stated that the D&O policy did not cover “any Claim brought or maintained by or on behalf of . . . [a]ny creditor of [the insured company] in the creditor’s capacity as such[.]” Markel filed suit for declaratory relief in federal court on the same day that it denied coverage. The district court ultimately agreed with Markel that it did not owe coverage and granted declaratory judgment in Markel’s favor.

The Fifth Circuit affirmed the district court’s ruling in an unpublished per curiam opinion. On appeal, the Verbeeks advanced two main arguments for why the Creditor Exclusion should not apply to the lawsuit brought by the banks. First, they argued that the banks did not assert claims in their “capacity” as creditors because the banks did not seek to hold them contractually responsible for the loans. The Verbeeks also argued that the Chapter 9 liquidation plan “stripped” the banks of their rights as creditors of Color Star. However, the court rejected these arguments. The court held that although the Verbeeks were not being asked to repay the loan, the dispute still arose entirely from the loan to Color Star. The court also found it “immaterial” that the banks were no longer asserting rights as creditors following the liquidation because the plain language of the Creditor Exclusion relied on the banks’ status at the time the claim was asserted. As the panel explained:

The fact that the state court plaintiffs may no longer have creditor rights is immaterial: they had such rights when they ‘brought’ the underlying litigation. The Verbeeks’ argument – which relies on the state court plaintiffs’ current status as purported noncreditors – rewrites the Creditor Exclusion such that it applies only when a claim is both ‘brought and maintained by’ a creditor. But, the Creditor Exclusion is written in the disjunctive. As such, the fact that the state court plaintiffs were creditors when they brought the suit is sufficient to trigger the Creditor Exclusion. (emphasis in original).

Additionally, the Verbeeks argued that one of the banks was suing as an “investor,” rather than a creditor, based on its own allegations. Even though the bank did plead that its loan was an “investment,” the appellate court relied on other factual allegations which showed that the expected returns were limited to the principal and interest payments on the loan. Just as a flower has the same scent no matter what it is called, a loan by any other name is still a loan, according to the Court. In doing so, the Court observed that its holding was consistent with Texas law, which requires an insurer’s duty to defend to be determined solely from the pleadings, as such rule “requires a court to focus on the factual allegations showing the origin of the damages claimed,” rather than mere labels. In sum, the panel held that the claim had been brought by the banks in their capacity as creditors. Thus, the Creditor Exclusion precluded coverage.

Notably, this decision contrasts with other recent federal appellate decisions in other circuits, which have found coverage under D&O policies for an insured’s liability stemming from unrepaid loans. See St. Paul Mercury Ins. Co. v. FDIC, 2016 U.S. App. LEXIS 18811 (9th Cir. 2016); St. Paul Mercury Ins. Co. v. FDIC, 774 F.3d 702, 710-11 (11th Cir. 2014).

One takeaway here is that the Creditor Exclusion in D&O policies may apply in circumstances beyond the traditional scenario where a lender sues an insured for past-due payments after a default. Its application also depends on the particular wording of the exclusion, which can vary between policies. When presented with claims which arise out of credit agreements, insurers would be wise to carefully consider the specific language of the exclusion, as well as the jurisdiction in which the claim is pending.

Brexit means Brexit…Really?

On 23 June 2016, 51.8% of voters in the UK voted in a referendum to leave the European Union. However, the process for formally leaving has been a journey into the unknown, leading to short term volatility in the financial markets and longer term uncertainty for businesses as they move into uncharted territory.

Whilst many businesses start to put in place contingency plans for the post-Brexit landscape, an unexpected procedural hurdle has been put up by a High Court ruling on 3 November 2016. Three senior Judges decided that the UK Government cannot invoke Article 50 of the Treaty of Lisbon (necessary to trigger the two-year period for the UK to leave the EU) without a vote in Parliament.

The legal challenge led by businesswoman Gina Miller was concerned with procedural steps, not politics, but has raised again the uncomfortable and divisive fact that the referendum vote is not ‘legally binding’ – a point accepted by all parties in the litigation. The UK Government’s appeal against the High Court decision is due to be heard by all eleven Justices of the Supreme Court in December 2016.

The question of whether the Government has the power to invoke Article 50 without having a vote in Parliament is without legal precedent. It is nonetheless difficult to imagine that the Supreme Court will overrule the High Court’s decision; it is more likely that the Supreme Court will uphold the High Court’s ruling and not bow to mounting pressure to side-step the fundamental constitutional principles of the sovereignty of Parliament.

The Government’s self-imposed timetable of March 2017 for the commencement of the formal two-year process is in jeopardy.

While the political and constitutional entanglements are played out in the judicial system and the media, the fact remains that for insurers based in the UK and in Europe the decision to leave the EU has significant commercial and regulatory consequences. Some London based insurers have opted to hedge their bets and set up operations in Ireland to allow Lloyds access to the European market. The current constitutional debate in the UK demonstrates a healthy democracy in action, but that comes with the side helping of prolonged uncertainty.

Ex-Rabobank Traders Robson and Thompson Receive Lighter Sentences for Libor Scheme

Two former Rabobank traders received minimal and no prison time earlier this month for their participation in a conspiracy to fix Libor, or the London interbank offered rate, to benefit traders’ positions at Rabobank.

On November 9, 2016, the former head of money market and derivatives trading for Rabobank in Northeast Asia, Paul Thompson, was sentenced to three months by U.S. District Judge Jed Rakoff, after pleading guilty to conspiring to commit wire fraud and bank fraud. Prosecutors said Thompson participated in a scheme with others to rig the U.S. dollar and yen Libor rates to benefit Rabobank’s trading positions. Thompson, a trader based in Hong Kong and Singapore, waived extradition and pled guilty in July after his arrest in Australia. While Judge Rakoff believed that prison time was warranted, he noted numerous mitigating factors entitling Thompson to a shorter term, including health issues suffered by Thompson himself and some of his family members. Judge Rakoff granted further leniency by allowing Thompson to return to Perth, Australia to spend Christmas with his family before beginning his sentence in February 2017. Thompson had sought community service or home detention in Australia.

On November 14, 2016, Judge Rakoff sentenced British trader Paul Robson to time served and two years of supervised release after Robson pled guilty in August 2013 to conspiring to rig Libor. In October 2015, Robson testified against co-conspirators Anthony Allen and Anthony Conti, stating that the two men were active participants in the scheme to tailor the global interest rate to benefit traders’ positions at Rabobank. Robson’s sentence represents a departure from the sentencing guidelines of 45 to 51 months. In handing down the sentence, Judge Rakoff emphasized the remorse and extensive cooperation from Robson, including his testimony against his former boss and other traders and his agreement to waive his extradition rights.

Libor supports the basis of many financial products around the world, including mortgage and credit card rates. U.S. and European authorities have spent years investigating whether banks tried to manipulate the Libor rate to benefit their own trading positions. The investigations have led to around $9 billion in regulatory settlements with financial institutions and charges against several individuals. A total of seven former Rabobank traders were charged by the United States Department of Justice after the bank reached a $1 billion deal in 2013 to resolve United States and European investigations. In March, co-conspirators Anthony Allen and Anthony Conti were sentenced by the United States District Court to two years and one year and one day in prison, respectively. Both individuals have appealed. Two other former Rabobank traders – Takayuki Yagami and Lee Stewart – have pled guilty and await sentencing. Former senior trader at Rabobank’s Tokyo desk, Tetsuya Motomura, remains a fugitive from the United States Government. The case is U.S. v. Robson et al., United States District Court, Southern District of New York, No. 1:14-cr-00272.

The SEC’s $200 Million Fraud Case Against Patriarch’s Tilton May Be Largest Case Ever Handled by an Administrative Law Judge

Lynn Tilton, the founder of private equity firm Patriarch Partners, LLC, and so-called “Diva of Distressed,” is embroiled in what is expected to be the largest and possibly the most contentious SEC in-house trial to date.

The trial, which commenced on October 24, 2016 and is expected to last approximately three weeks, is taking place before Administrative Law Judge Carol Fox Foelak as part of the SEC’s in-house enforcement process. Since the 2010 Dodd-Frank Wall Street Reform Act gave the SEC increased powers to handle cases against a wider universe of defendants in its in-house proceedings, the agency has opted to bring cases before in-house judges, rather than taking them to federal court, with the view that doing so is faster and more efficient. However, it has come with significant pushback from Tilton, who attempted to force the case into federal court and out of the in-house SEC proceedings by filing two federal lawsuits. Nevertheless, Tilton’s efforts proved to be unsuccessful, as the Second Circuit Court of Appeals confirmed the U.S. District Court’s decision not to exercise jurisdiction over Tilton’s challenge to the SEC. Instead, Tilton will have to wait until after the administrative proceedings to litigate the constitutional issues she has raised against the SEC proceedings.

The SEC first brought suit against Tilton and Patriarch Partners in March 2015 alleging fraud in connection with three distressed investment vehicles run by Patriarch Partners known as the Zohar funds. According to the SEC, Tilton defrauded investors by using her own “subjective, personal belief” about whether the company would be able to repay the loans or whether the companies were actually in default on interest payments. Instead of categorizing companies that missed interest payments as being in default, Tilton is alleged to have improperly characterized them as current – all so that she could allegedly collect $200 million in management fees, which otherwise would have gone to investors. In the suit, which follows a five-year investigation, the SEC seeks disgorgement of up to $200 million, making it possibly the largest case ever heard by an SEC administrative judge, and seeks to have Tilton and Patriarch Partners banned from the securities industry. Tilton denies wrongdoing, and her attorneys are vigorously arguing that she and Patriarch Partners have been unfairly targeted by the SEC. While the in-house trial is expected to last through early November, given the contentious nature of the proceedings, it is unlikely that the conclusion of the administrative proceedings will mark the end of the battle.

Tilton also faces an ongoing battle on another front – this one, over insurance coverage. After exhausting the $20 million limit of its executive liability primary policy, Patriarch Partners filed suit against Axis Insurance Co. (Axis) demanding coverage under a $5 million excess policy. However, according to Axis, Tilton’s actions conflict with policy language excluding coverage for “pending and prior” legal disputes because, at the time she applied for the additional $5 million in excess coverage in August 2011, she knew her funds were under investigation by the SEC. In fact, Axis argues that Tilton was on notice of the investigation in 2009, years before the 2012 subpoena that purportedly triggered coverage. While Patriarch Partners has taken the position in its coverage dispute that there was no allegation of a wrongful act when coverage was procured, Axis recently filed its answer to the amended complaint, as well as a counterclaim, seeking a declaration that it owes no coverage based on a prior knowledge defense, which Axis believes is supported by the discovery conducted to date. The parties have not yet set a briefing schedule in connection with motions for summary judgment.

Given the SEC’s increased scrutiny on the practices of private equity firms, this case may be part of a broader trend by the SEC to hold private equity firms, and the individuals that run them, accountable for their alleged wrongdoing. As a result, should the outcome of the Tilton case provide a further “green light” to the SEC, the agency may be emboldened to bring more cases against private equity firms in the future.

Crime Policy Does Not Cover Loss of Company Funds Resulting From Social Engineering Scheme

In a long-awaited decision (at least by the parties and fidelity law practitioners), the Fifth Circuit Court of Appeals has held that a “Computer Fraud” Insuring Agreement in a Crime Insurance Policy does not cover the insured’s loss after its employees were tricked into wiring approximately $7 million to a fraudulent bank account set up by criminals posing as one of the insured’s trusted vendors. Apache Corp. v. Great American Insurance Co., No. 15-20499, 2016 WL 6090901 (5th Cir. Oct. 18, 2016).

This case arises from a 2013 social engineering scheme [1] whereby several criminals, suspected to be based in Latvia, posed as representatives of Petrofac, a vendor of Apache, the insured oil-production company. After Apache corresponded with the fraudsters by phone and over email, the imposters convinced Apache to direct payments to a “new” bank account for Petrofac. In brief, the scheme unfolded as follows:

  • An Apache employee received a telephone call from a person identifying herself as a representative of Petrofac, Apache’s vendor. The caller instructed Apache to change the bank account information for its payments to Petrofac.  The Apache employee responded that such a change could not be accomplished without a formal request on the vendor’s letterhead.
  • A week later, Apache’s accounts payable department received an email from a “petrofacltd.com” address [2] in which the sender advised that the purported “new” bank account was effective and payments going forward should be made to the new account. The sender attached a letter to the email with both the old and “new” bank account information. This letter was on Petrofac letterhead and contained a signature by a purported Petrofac employee.
  • In response to the email with attached letter, an Apache employee called the number listed on the letter. An individual posing as a Petrofac employee purportedly confirmed the request to change the banking information.
  • An Apache employee then entered an internal “change request” with the new Petrofac bank account information. A separate Apache manager then approved the request and thereafter payments began flowing to the new bank account, which was really a fraudulent account set up by the imposters.

The scheme unraveled when the “real” Petrofac contacted Apache regarding several delinquent invoices. Upon investigation, Apache realized that it had been duped. Fortunately, Apache was able to recover a substantial portion of the funds, leaving its total loss at only $2.4 million, of which Apache claimed a loss of approximately $1.4 million (after application of the deductible) under the “Computer Fraud” provision of its crime policy.

The Computer Fraud Insuring Agreement

Apache’s crime policy contained, in part, the following “Computer Fraud” Insuring Agreement:

We will pay for loss of, and loss from damage to, money, securities and other property resulting directly from the use of any computer to fraudulently cause a transfer of that property from inside the premises or banking premises: (a) to a person (other than a messenger) outside those premises; or (b) to a place outside those premises.

After analyzing Apache’s loss, Great American denied coverage, in part, because the loss “did not result directly from the use of a computer nor did the use of a computer cause the transfer of funds.” Essentially, the insurer examined the fraud and found that the email did not, by itself, cause the funds transfer, and that coverage under the Computer Fraud agreement was limited to hacking and unauthorized computer use. Apache disagreed and sued the insurer, claiming that the Computer Fraud agreement said nothing about “hacking” and that the denial was improper because the email from the fraudsters constituted computer fraud which directly caused the fraudulent transfer of funds.

The District Court Decision

In August 2015, the U.S. District Court for the Southern District of Texas handed down a decision granting Apache’s motion for summary judgment, noting that “the intervening steps of the [post-email] confirmation phone call and supervisory approval do not rise to the level of negating the email as being a substantial factor” in bringing about the loss, thus presenting a factual scenario sufficient to allow coverage under the “directly resulting from” language in the Computer Fraud Insuring Agreement.  According to the district court, “despite the human involvement that followed the fraud, the loss still resulted directly from computer fraud, i.e., the email directing Apache to disburse payments to a fraudulent account.”

The Fifth Circuit Reverses and Gets it Right

On October 18, 2016, the Fifth Circuit vacated the district court decision and entered judgment in favor of Great American, noting that “there is cross-jurisdictional uniformity in declining to extend coverage when the fraudulent transfer was the result of other events and not directly by the computer use.”  After surveying a spate of recent case law involving similar disputes, the court found that the now vacated district court decision was the “only presented decision interpreting the computer-fraud policy language to cover a loss when the computer use at issue was limited to email correspondence.”  The Court found that the email Apache highlighted in order to assert coverage under the Computer Fraud agreement was undoubtedly “part of the scheme,” but merely incidental to the occurrence of “the authorized transfer of money.”

Note that the email, by itself, caused no transfer of money; rather, it was just one step in a multi-step process that ended in Apache failing to detect the imposters and making large payments to a fraudulent bank account.  To interpret the computer fraud provision as reaching any fraudulent scheme involving an email communication would, as stated by the court, “convert the computer-fraud provision to one for general fraud,” a risk the insurer clearly did not contemplate. Essentially, the Court read the “resulting directly from” language in the Computer Fraud agreement to require the identified “use of a computer” to cause the fraudulent transfer itself (i.e., a true hacking incident), not merely set in motion, or be part of, a chain of events whereby an insured fails to investigate the accuracy of fraudulent information provided to it.

Takeaways

Social engineering schemes similar to that described above are on the rise because of the ease with which fraudsters can obtain information about a target online. By using a combination of telephonic and online communication, fraudsters can target even large companies with sophisticated schemes of fraud. In response to these threats, certain carriers have introduced specialized extensions of coverage or separate products aimed at covering “social engineering” risks. Nonetheless, certain coverage directed at true “hacking” threats, as was the intent of Great American’s insuring clause here, will likely be subject to challenges from insureds lacking appropriate “social engineering” coverage. The Fifth Circuit’s Apache decision provides helpful authority to define the limits of standard computer fraud wording as it appears in crime policies and shows that the use of a computer somewhere in the chain of a multistep fraudulent scheme is insufficient to trigger coverage.

__________________________

1 “Social Engineering” is often defined differently based on who is using the phrase (e.g., insurers, brokers, IT professionals).  In general, social engineering may be understood to be “the use of deception to manipulate individuals into divulging confidential or personal information that may be used for fraudulent purposes, or to induce an individual to take an action in which they otherwise would not engage.”  See “Social Engineering” (in the context of information security) Oxford Dictionaries.

2 Petrofac’s real email domain name is “petrofac.com.” A recent FBI memo describes the threat of so-called “business email compromise” schemes (a type of social engineering scheme). See “Scenario 1,” in which the FBI notes: “A business, which often has a long standing relationship with a supplier, is requested to wire funds for invoice payment to an alternate, fraudulent account. The request may be made via telephone, facsimile, or e-mail. If an e-mail is received, the subject will spoof the e-mail request so it appears very similar to a legitimate account and would take very close scrutiny to determine it was fraudulent. Likewise, if a facsimile or telephone call is received, it will closely mimic a legitimate request.”

3 The Surety & Fidelity Association of America, a national trade organization consisting of fidelity and surety insurance companies, submitted an amicus brief to the Fifth Circuit urging that the district court’s decision be reversed: “To hold that ‘Computer Fraud’ means any fraud that uses a computer even in some minor way … essentially turns ‘Computer Fraud’ coverage into ‘All fraud’ coverage.  It would be impossible to underwrite potential risks for ‘All Fraud’ coverage and … the premiums for such a policy would be prohibitive.”

 

The “Shutout” of M&A Strike Suits and Disclosure Settlements

The scenario is a familiar one. Public companies announce a proposed merger and move forward to solicit shareholder approval. Shareholder class actions challenging the merger soon follow. They often allege that the board of directors breached their fiduciary duties by failing to disclose sufficient information or by disseminating false or misleading disclosures about the proposed transaction. Within weeks, the parties reach a proposed settlement requiring the company to make pre-closing supplemental disclosures and pay a six-figure fee award in exchange for a broad release of claims. These “strike” suits, as they are sometimes called, are largely driven by the attorneys’ fees awarded to class counsel and provide little, if any, benefit to shareholders. The resulting settlements – known as “disclosure” or “disclosure-only” settlements because the additional disclosures are the primary or sole consideration to shareholders for the agreement – were routinely approved by courts until recently.

In January, the Delaware Chancery Court issued a landmark decision calling the future viability of these settlements into doubt, at least in Delaware. In In re Trulia, Inc. Stockholder Litigation, 129 A.3d 884 (Del. Ch. 2016), the court did more than reject the parties’ proposed disclosure settlement. It reexamined the court’s historical practice of approving these settlements, and announced increased judicial scrutiny of the reasonableness of the “give” of the shareholders in providing a release of claims and their “get” in the form of supplemental disclosures. Id. at 898, 907. The court also warned that disclosure settlements “are likely to be met with continued disfavor in the future unless the supplemental disclosures address a plainly material misrepresentation or omission, and the subject matter of the proposed release is narrowly circumscribed” to capture only the disclosure and fiduciary duty claims relating to the sale process. Id. By employing this standard, the court sought to ensure that the additional disclosures provide adequate value to the shareholders.

In August, the Seventh Circuit endorsed Trulia. In its decision in In re: Walgreen Co. Stockholder Litigation, 2016 WL 4207962 at *4 (7th Cir. Aug. 10, 2016), the court adopted the Trulia standard in rejecting the disclosure settlement proposed in a class action challenging the Walgreens/Alliance Boots reorganization. The court expressed skepticism about strike suits and disclosure settlements, noting that these types of class actions are no better than a “racket” yielding fees for class counsel and nothing of value for the shareholders. Id. at *3. However, the Seventh Circuit went further than the Trulia court in applying the standard of disfavoring such settlements unless the additional disclosures address a plainly material misrepresentation or omission. Id. at *4-5. It made clear that the supplemental disclosures must not only “address” the alleged misrepresentations or omissions, “they must correct them.” Id. at *5.

Courts in other jurisdictions may soon follow Trulia and Walgreen in applying a “plainly material” standard to proposed disclosure settlements. Regardless, Trulia appears to be discouraging pre-merger deal challenges in Delaware, as the number of these suits filed there since January has declined dramatically as compared to prior years. This trend is expected to continue, along with the recent shut-out of the fee-driven disclosure settlements these suits often generate.

Royal Bank of Scotland to Pay $1.1 Billion for Role in 2008 Financial Crisis

The Royal Bank of Scotland (RBS) has agreed to pay the National Credit Union Administration (NCUA) $1.1 billion to settle claims over the sale of allegedly “toxic” mortgage-backed securities to corporate credit unions that later failed, the administration announced last Tuesday. The settlement will resolve claims against RBS in federal actions in California and Kansas the NCUA board brought against multiple financial institutions in its role as liquidating agent for Western Corporate Federal Credit Union and U.S. Central Federal Credit Union.

According to NCUA, banks duped credit unions into purchasing the securities by downplaying investment risks and making misrepresentations in offering documents.

RBS does not admit any fault under the terms of the settlement agreement, NCUA said.

Last week’s settlement brings NCUA’s total recovery to $4.3 billion to date. Net proceeds will be used to pay claims against five failed corporate credit unions, NCUA said.
