Securities Mosaic® Blogwatch
October 22, 2018
Bridging the Week: October 15 - 19 and October 22, 2018 (Bitcoin Fraud; Smart Contracts; Actual Delivery; Reg AT)
by Gary DeWaal
The Commodity Futures Trading Commission obtained orders from a federal court in New York concluding its first-filed enforcement action against persons for bitcoin fraud. However, the outcome of an unrelated action having nothing to do with cryptocurrencies and pending in a federal court of appeals in California may have greater implications for the CFTC’s cryptocurrency enforcement efforts going forward. Separately, CFTC Chairman J. Christopher Giancarlo announced before an industry gathering last week that Reg AT – a 2015 Commission proposal to augment regulations regarding algorithmic trading purportedly to mitigate risks – was officially dead. Likely, no algorithmic traders mourned. As a result, the following matters are covered in this week’s edition of Bridging the Week:

    CFTC Concludes First Bitcoin Anti-Fraud Enforcement Action With Assessment of Over $2.5 Million in Fines and Restitution (includes Legal Weeds);
    Reg AT Dead Proclaims CFTC Chairman (includes My View); and more.


    CFTC Concludes First Bitcoin Anti-Fraud Enforcement Action With Assessment of Over $2.5 Million in Fines and Restitution: The Commodity Futures Trading Commission’s first enforcement action alleging fraud in connection with the offer and sale of a cryptocurrency was resolved last week through orders of a federal court in New York against Gelfman Blueprint, Inc. and Nicholas Gelfman, its chief executive officer and head trader.

In September 2017, the CFTC filed charges against Gelfman Blueprint and Mr. Gelfman for conducting an alleged Ponzi scheme involving bitcoin. This enforcement action represented the first time the CFTC used its authority granted under the Dodd-Frank Wall Street Reform and Consumer Protection Act to prosecute an alleged manipulative or deceptive device or contrivance in connection with a cryptocurrency in interstate commerce. (Click here to access CEA Section 6(c)(1), 7 U.S.C. § 9(1).) No derivative based on a cryptocurrency was alleged to have been involved.

The Commission claimed that from January 2014 through January 2016, the defendants solicited approximately US $600,000 from at least 80 customers to trade bitcoin in a pooled fund using a proprietary algorithm called “Jigsaw.” However, charged the CFTC, the defendants misappropriated most of this money for their own use and rarely traded for customers. The defendants also misled investors and potential investors through false and misleading statements.

Mr. Gelfman personally consented to an order of permanent injunction and imposition of a fine, restitution and a trading ban to resolve the CFTC’s enforcement action. The court approved an equivalent default order against Gelfman Blueprint. Under the terms of their orders, Gelfman Blueprint and Mr. Gelfman are required to pay fines and restitution of more than US $2.5 million, combined. Previously, Mr. Gelfman pleaded guilty to one count of petit larceny in connection with a New York criminal prosecution deriving from the same underlying facts as the CFTC's enforcement action.

(Click here for background regarding the CFTC’s enforcement action in the article “CFTC Files Charges Alleging Bitcoin Ponzi Scheme Not Involving Derivatives” in the September 24, 2017 edition of Bridging the Week.)

Although the CFTC's enforcement action against Gelfman Blueprint and Mr. Gelfman was the Commission's first enforcement action alleging fraud in connection with the offer and sale of cryptocurrencies, it has since filed further enforcement actions on a similar theme, obtaining a permanent injunction and sanctions in one case – against Cabbagetech Corp. and Patrick McDonnell – and defeating a motion to dismiss in another – against My Big Coin Pay, Inc., Randall Crater and certain relief defendants. (Click here for background regarding the Cabbagetech enforcement action in the article, "Federal Court Enters Final Judgment Against Alleged Virtual Currency Fraudster; Confirms CFTC Authority to Bring Enforcement Action" in the August 26, 2018 edition of Bridging the Week and here for a discussion concerning My Big Coin Pay in the article "Second Federal Court Rules That Cryptocurrencies Are Commodities and CFTC Has Anti-Fraud Jurisdiction Over Alleged Wrongdoing" in the September 30, 2018 edition of Bridging the Week.)

Among other developments involving crypto-assets this past week:

    CFTC Commissioner Warns Just Because It’s Decentralized Doesn’t Mean It’s Not Regulated: In a speech delivered in Dubai, CFTC Commissioner Brian Quintenz warned that products and transactions within the Commission’s jurisdiction are subject to the CFTC’s regulation even if they are executed on a blockchain utilizing smart contracts. If there are violations of laws or regulations, it may be challenging to identify who is responsible, he said, but someone is. Mr. Quintenz suggested that code developers could be likely targets for unlawful uses of a smart contract if they could reasonably foresee at the time they created the relevant code that it would likely be used by US persons in a prohibited fashion. The CFTC commissioner noted that “[s]mart contract applications on blockchain networks hold great promise. … At the same time they also raise novel issues of accountability that users and policy makers alike must consider.” Smart contracts are self-executing agreements functioning on a blockchain with all terms between a buyer and seller embedded into lines of computer code.

Earlier this year, Jitesh Thakkar was named in both a CFTC civil enforcement action and a Department of Justice criminal prosecution in connection with his development of software that purportedly was used by Navinder Sarao in connection with Mr. Sarao’s alleged spoofing activities. (Click here for background in the article “CFTC Names Four Banking Organization Companies, a Trading Software Design Company and Six Individuals in Spoofing-Related Cases; the Same Six Individuals Criminally Charged Plus Two More” in the February 4, 2018 edition of Bridging the Week.)

    Retail Metals Broker Says Lower Court Was Right on Interpretation of Actual Delivery and Limitation on CFTC Anti-Fraud Authority: Monex Credit Company and related companies and persons told a federal appeals court in California that a federal district court got it right when it ruled against the CFTC in May 2018 regarding what constitutes actual delivery of metals under applicable law and the scope of the Commission’s enforcement authority involving commodities, as opposed to derivatives based on commodities. Monex made its declaration in papers filed with the court of appeals in opposition to the CFTC’s effort to reverse the district court’s decision.

Previously, the district court held that actual delivery of precious metals in financed transactions to retail persons falls outside the CFTC’s jurisdiction when ownership of real metals is legally transferred to such persons within 28 days – the so-called “Actual Delivery Exception”– even if the seller retains control over the commodities because of the financing beyond 28 days.

The district court also ruled that the CFTC cannot use the Dodd-Frank prohibition against persons engaging in any manipulative or deceptive device or contrivance in connection with the sale of any commodity to prosecute acts of purported fraud except in instances of fraud-based market manipulation. (Click here for details regarding the district court’s decision in the article “California Federal Court Dismissal of CFTC Monex Enforcement Action Upsets Stable Legal Theories” in the May 6, 2018 edition of Bridging the Week.)

Defendants in two recent CFTC enforcement actions charging fraud in connection with cryptocurrency activities – Patrick McDonnell and My Big Coin Pay – unsuccessfully tried to convince two different federal courts to follow the Monex district court’s reasoning to escape the CFTC’s jurisdiction.

    LabCFTC Meet SEC FinHub; SEC FinHub Meet LabCFTC: The Securities and Exchange Commission announced the launch of its Strategic Hub for Innovation and Financial Technology (FinHub) to serve as a resource for public engagement on fintech-related issues, including blockchain technologies and crypto-assets. Like the Commodity Futures Trading Commission’s LabCFTC, FinHub will sponsor fintech-themed events and publications (including a fintech forum on distributed ledger technology and digital assets scheduled for 2019) as well as provide a formal means for interaction with SEC staff.
    FATF Recommends Jurisdictions Apply AML Regulations to All Cryptocurrency Service Providers: The Financial Action Task Force recommended that all jurisdictions “urgently” take steps to prevent the misuse of cryptocurrencies, including subjecting all cryptocurrency service providers to existing anti-money laundering and combatting the financing of terrorism regulations. According to FATF, such service providers should be required to conduct customer due diligence, including ongoing monitoring, recordkeeping and suspicious activity reporting. FATF is an intergovernmental body established in 1989 by member jurisdictions to set standards and help implement legal and operational measures to combat money laundering, terrorist financing, and other related threats to the soundness of the international financial system. (Click here for background on FATF.)

Legal Weeds: A decision by the California federal appeals court in favor of Monex upholding the lower court’s decision would have a chilling effect on the CFTC’s enforcement efforts against persons selling virtual currencies who do so on leverage or who engage in alleged fraudulent practices. This is because such a ruling would raise questions regarding the CFTC’s authority to bring such actions in the first place.

In 2016, the CFTC settled an enforcement action against BFXNA Inc. d/b/a Bitfinex, claiming that the firm operated a platform that enabled retail persons to buy and sell virtual currencies and to finance their transactions. However, because Bitfinex purportedly retained control over such transactions after the financing – much like the CFTC alleged against Monex – the CFTC alleged that actual delivery did not occur. As a result, the transactions were akin to futures contracts, and Bitfinex should have been registered as an FCM in order to engage in such activities, said the CFTC. (Click here for further details regarding this CFTC action in the article “Bitcoin Exchange Sanctioned by CFTC for Not Being Registered” in the June 5, 2016 edition of Bridging the Week.)

Moreover, late last year, the CFTC proposed guidance that, for sales of virtual currency to retail persons, the Commission would consider “actual delivery” to have occurred only when such persons could take “possession and control” of all purchased cryptocurrency, use it freely no later than 28 days from the date of an initial transaction and do so unencumbered. This would require that neither the offeror nor the seller, nor any person acting in concert with them, retain any interest in or control over the virtual currency after 28 days from the date of the transaction. This would presumably preclude a seller from retaining control over the cryptocurrency by having authority over a wallet containing such commodity even when the seller financed the purchase. (Click here for details regarding this proposal in the article “CFTC Proposes Interpretation to Make Clear: Retail Client Virtual Currency Transaction Financing No Actual Delivery by 28 Days No Registration = Trouble” in the December 17, 2017 edition of Bridging the Week.)

If the federal appeals court hearing the CFTC’s Monex action upheld the district court’s decision, the ruling could serve as compelling precedent for persons to challenge the CFTC’s jurisdiction over financed virtual currency transactions (as well as other financed commodity transactions) to retail persons where sellers retain control to protect their loans.

Additionally, the CFTC has liberally applied the Dodd-Frank provision that prohibits the use or employment of any manipulative device, scheme or artifice to defraud, as well as the parallel CFTC rule. (Click here to access CFTC Rule 180.1.) This is because the CFTC has regarded the provision of law “as a broad, catch-all provision reaching fraud in all its forms – that is, intentional or reckless conduct that deceives or defrauds market participants.”

Relying on these provisions, the CFTC has brought a wide range of enforcement actions, including the JP Morgan “London Whale” case, and cases based on allegations of illegal off-exchange metals transactions, claims of more traditional manipulation of wheat, allegations of spoofing, claims of insider trading, and more recently, other allegations of cryptocurrency fraud. (Click here for a general background in the article “CFTC Brings First Insider Trading-Type Enforcement Action Based on New Anti-Manipulation Authority” in the December 6, 2015 edition of Bridging the Week.)

An adverse ruling for the CFTC in the court of appeals hearing Monex could force the CFTC to more narrowly focus its enforcement activities under the Dodd-Frank provision, restricting the Commission to bring lawsuits only where it can allege that a purported fraud affected the market or constituted fraud-based market manipulation.

    Reg AT Dead Proclaims CFTC Chairman: At a speech at FIA Expo last week, J. Christopher Giancarlo, chairman of the Commodity Futures Trading Commission, said that he would not advance Regulation Automated Trading for consideration by the Commission in its current form. Although Mr. Giancarlo acknowledged he shared concerns about “the inevitability of some future market disruption exacerbated by automated trading algorithms,” he said there was nothing in Reg AT that would “prevent such an event.” Moreover, he claimed that adoption of Reg AT would give “a false sense of security that the CFTC had regulatorily foreclosed such market disruption, which is impossible.”

The CFTC initially proposed Reg AT in November 2015. The provisions, if adopted, would have imposed extensive new requirements on certain existing CFTC registrants that used automated trading systems, required the first-time registration as a floor trader of many persons who used algorithmic trading systems to electronically and directly route orders to designated contract markets, and allowed for the inspection without subpoena by the CFTC and Department of Justice of proprietary algorithmic trading systems’ source code. The CFTC proposed an amended version of Reg AT in November 2016. (Click here for background on both the initially proposed and revised versions of Reg AT in the article “Proposed Regulation AT Amended by CFTC; Attempts to Reduce Universe of Most Affected to No More Than 120 Persons” in the November 6, 2016 edition of Bridging the Week.)

Reaction to the CFTC’s proposed initial and amended rules to address algorithmic trading was mostly unfavorable. (Click here for a summary of reactions to the CFTC’s amended version of Reg AT in the article “Supplemental CFTC Regulation AT Proposal Generally Criticized as Too Prescriptive” in the May 7, 2017 edition of Bridging the Week.)

Mr. Giancarlo indicated that he would be “quite open” to consider whether any elements of proposed Reg AT might serve as a basis for another more effective rule that addressed risks of automated trading.

My View: Reg AT was a no-go from the start.

At the time it proposed Reg AT, the CFTC acknowledged the multitude of existing best industry practices and many rules and requirements of designated contract markets and the National Futures Association already in place to mitigate the risks of algorithmic trading. Notwithstanding, the Commission recommended piling on additional layers of highly detailed requirements that would have added, at most, marginal benefits, while imposing substantial additional costs.

Moreover, in an effort to enhance compliance with what are now best practices, the CFTC potentially would have caused some trading firms to consider not implementing new and innovative risk control procedures and even rolling back already relied-on best practices. This is because the CFTC initially proposed to elevate to a regulatory incident the failure of an AT Person to comply with its own compliance procedures, in addition to relevant law and rules. This would have discouraged algorithmic trading firms from implementing as a formal requirement any best practice above a CFTC minimum requirement, when its reward for being innovative and top in class could be a potential regulatory violation and sanction.

Most egregious, the requirement that AT Persons make available their source code to CFTC and US Department of Justice staff for inspection — not solely pursuant, as now, to subpoena or other lawful process of law — was a substantial if not unconstitutional overreach, opening AT Persons to potential compromises of their proprietary innovations.

The better way to achieve many of the good objectives of Reg AT has always been to build upon approaches already implemented by DCMs and the NFA, let alone by the proprietary trading industry itself, and to encourage the development and implementation of further best practices rather than construct a new regulatory infrastructure.

Mr. Giancarlo objected to Reg AT when it was proposed, and fortunately has formally killed the proposal entirely now.

More Briefly:

    Multiple Nonmembers Held Liable for Disruptive Trading by NYMEX and COMEX and for Not Participating in Disciplinary Process: Business conduct committees of the Commodity Exchange, Inc. and the New York Mercantile Exchange penalized numerous nonmembers for engaging in disruptive trading practices as well as not participating in exchange disciplinary actions. Li Mian Feng, Jang Woo Suk and Sung Yong Kim were each sanctioned for purported spoofing, after not answering charges brought against them. Mr. Feng was fined US $80,000 by COMEX and NYMEX BCCs, Mr. Kim, US $70,000 by COMEX and NYMEX BCCs, and Mr. Suk, US $60,000 by a COMEX BCC. Separately, Xiang Lin was fined US $60,000 by COMEX for placing copper futures orders with the intent to cancel them before execution as well as not participating in an exchange investigation. Each of these individuals was also subject to a temporary or permanent trading ban from all CME Group exchanges. Finally, Jae Myun Ko was also subjected to a permanent trading ban from all CME Group exchanges by COMEX and NYMEX BCCs solely for not participating in the exchanges’ investigatory process.
    CBOE Exchanges Fine Member for Not Stopping Excessive Order Messaging Activity: Group One Trading, L.P., a member of the Cboe BZX and EDGX exchanges, was fined US $62,500 by the exchanges for not having risk management controls and supervisory procedures for market access reasonably designed to prevent numerous instances of potentially excessive options quote messaging activity from February 1, 2016, through August 31, 2017. Cboe claimed that, for the relevant time period, it identified more than 13,500 instances of excessive options quote messaging that was caused by a system bug that caused individual traders’ option quoting on particular exchanges to be affected by other internal traders’ quoting of the same option on the same exchange as opposed to external market conditions. Cboe said the firm’s automated pre-order entry controls did not detect this internal looping problem because they were not designed to detect aggregate quote messaging by all firm traders for an option in one venue or across multiple venues; they were designed solely to detect problematic messaging by individual traders. The exchanges claimed that Group One’s actions violated the Securities and Exchange Commission’s Regulation Market Access. Reg MAR – adopted by the Securities and Exchange Commission in 2010 – generally requires a broker or dealer with access to trading securities directly on an exchange or alternative trading system to have procedures and controls reasonably designed to limit their financial exposure as a result of such access and ensure compliance with all applicable regulatory requirements. (Click here to access Reg MAR, SEC Rule 15c3-5. Click here for helpful answers to frequently asked questions related to Reg MAR provided by the SEC’s Division of Trading and Markets.)
    SEC Rules Against Two Exchanges Raising Market Data Fees: The Securities and Exchange Commission set aside depth-of-book market data feed fee increases by NYSE Arca, Inc. and Nasdaq Stock Market LLC because the exchanges did not establish that the increases were fair and reasonable and not unreasonably discriminatory. The SEC’s decision was in response to a challenge in 2010 by the Securities Industry and Financial Markets Association that the fee increases violated applicable law (click here to access Securities Exchange Act Section 11A(c)(1)(C) and (D), 15 U.S.C. § 78k-1(c)(1)(C) and (D)). NYSE Arca and Nasdaq had argued that two competitive forces – competition for order flow and the availability of alternative solutions – precluded them from imposing unfair and unreasonable pricing. However, the SEC claimed that the exchanges did not provide sufficient facts or legal arguments to support their claims. This is the first time the Commission has rejected a fee hike for market data products. Simultaneously with its determination, the SEC remanded 400 other challenges to exchanges’ market data and market access fees that also had been submitted to it back to the relevant exchanges for further consideration in light of the SEC’s order.
    Global Banking Supervisors Seek Views on Modifying Capital Treatment of Customer Collateral for Centrally Cleared Derivatives: The Bank for International Settlements’ Basel Committee on Banking Supervision agreed to consider amending its leverage ratio requirements for banks clearing derivatives for customers by potentially authorizing margin posted by customers to be counted as an offset against banks’ potential future exposure for client-cleared derivatives. (The leverage ratio requires banks to hold a minimum amount of common stock and certain disclosed reserves – so-called “Tier 1” capital – as a percentage of their total exposure.) Comments will be accepted by the Basel Committee through January 16, 2019. Earlier this year, the Bank of England published a study showing that the imposition of leverage ratio requirements on banks for clearing customer derivatives – even when fully margined – has resulted in banks reducing their willingness to handle customer business. (Click here for details in the article “Bank of England Study Says Banks Subject to Leverage Ratio Clear Fewer Client Transactions” in the June 24, 2018 edition of Bridging the Week.)
    Public Companies Warned by SEC of Consequences If Cyber-Attacks Are Determined Attributable to Lax Internal Controls: The Securities and Exchange Commission determined not to bring enforcement actions against nine public issuers of securities that each lost more than US $1 million because of cyber-attacks; two issuers lost more than US $30 million each, and in total, all the issuers lost nearly US $100 million. In all cases, wire payments were made in response to email requests sent from faked domains impersonating legitimate company executives or foreign vendors. Although each of the issuers had procedures requiring certain levels of authorization for payment requests, after the cyber-attack incidents they enhanced these procedures as well as the processes related to changes in vendor information and account reconciliations. The SEC said that these attacks suggest the need for public issuers to assess their internal accounting controls in light of emerging risks, “including risks arising from cyber-related frauds.” The SEC made its non-enforcement determination in a Report of Investigation issued under applicable law (click here to access Section 21(a) of the Securities Exchange Act of 1934, 15 U.S.C. § 78u(a)(1)).
    SEC-CFTC Harmonization Briefing Hosted by Two CFTC Commissioners Not Violative of Sunshine Act Rules, Says CFTC Inspector General: The Commodity Futures Trading Commission’s Inspector General issued a report concluding that a February 2018 meeting hosted by two commissioners to hear presentations by CFTC and Securities and Exchange Commission staff on harmonization efforts did not violate legal requirements that mandate that meetings involving at least the number of commissioners required to take an action on behalf of the agency be open to the public. (Click here to access the relevant provision of the Sunshine Act, 5 U.S.C. § 552b.) The Inspector General concluded that, although it would have been better to have had all CFTC commissioners present at the meeting (at the time there were three), applicable law was not violated because no deliberations were intended at the meeting given the nature of the issues briefed. Moreover, following the meeting, no CFTC final rules were implemented related to the meeting. The Inspector General reviewed this matter because of a complaint by an unnamed private citizen and from the organization Public Citizen.
    FinCEN Employee Arrested and Criminally Charged for Leaking Confidential SARs to Reporter; Two Former Bank Employees Convicted for LIBOR Manipulation: Natalie Mayflower Sours Edwards, a senior employee with the Financial Crimes Enforcement Network of the US Department of Treasury, was arrested and criminally charged in a federal court in New York for providing to a news reporter copies of confidential suspicious activity reports related to Paul Manafort, Richard Gates, the Russian Embassy, Maria Butina and Prevezon Alexander, as well as related internal FinCEN emails. According to the criminal complaint, Ms. Edwards made copies of SARs and other documents on an external flash drive provided to her by FinCEN, and then took photos of SARs which she forwarded by text message to the reporter. Ms. Edwards is charged with engaging in her prohibited conduct from October 2017 through October 2018. When questioned by law enforcement agents, she initially denied having any contact with the news media. If convicted of the charged crimes, Ms. Edwards could be sentenced to up to five years in prison. Unrelatedly, Mathew Connolly, a former Deutsche Bank supervisor, and Gavin Black, a former DB derivatives trader, were convicted by a jury in a federal court in New York of conspiracy and wire fraud for their role in a purported scheme to manipulate the London Interbank Offered Rate (LIBOR).
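The Group One matter above turns on a control-design point worth seeing in code: a per-trader message-rate check cannot catch a feedback loop in which several of a firm's own traders react to each other's quotes on the same option at the same venue, because no single trader ever crosses his own ceiling. The following is an added example written for this page, not Cboe's or Group One's code; the message sample, the option symbol, the thresholds and the one-second window are all constructed assumptions. It runs the same message log through a per-trader control, an aggregate per-option-per-venue control and a cross-venue control, and only the aggregate controls fire.

```python
"""Per-trader vs. aggregate quote-messaging controls (constructed example).

Shows why a control keyed only on the individual trader misses an internal
loop in which several traders quote the same option on the same venue.
"""
from collections import defaultdict

# Constructed sample of quote messages: (timestamp_ms, trader, option_symbol, venue).
# Four traders quote the same option on BZX at 25 msg/s each (100 msg/s combined);
# one unrelated trader quotes a different option on EDGX at 10 msg/s.
SAMPLE_QUOTES = [(i * 10, f"trader{i % 4}", "XYZ 181116C100", "BZX") for i in range(400)]
SAMPLE_QUOTES += [(i * 100, "trader9", "ABC 181116P50", "EDGX") for i in range(10)]

WINDOW_MS = 1000        # one-second buckets (assumed)
PER_TRADER_LIMIT = 50   # messages per trader per option per venue per second (assumed)
AGGREGATE_LIMIT = 50    # messages per option per venue per second, all traders (assumed)


def _peak_counts(quotes, key_fn, window_ms):
    """Count messages per (key, time bucket); return the peak bucket count per key."""
    counts = defaultdict(int)
    for ts, trader, option, venue in quotes:
        counts[(key_fn(trader, option, venue), ts // window_ms)] += 1
    peak = defaultdict(int)
    for (key, _bucket), n in counts.items():
        peak[key] = max(peak[key], n)
    return dict(peak)


def per_trader_breaches(quotes, limit=PER_TRADER_LIMIT, window_ms=WINDOW_MS):
    """The control the firm had: one trader's own rate on one option at one venue."""
    peaks = _peak_counts(quotes, lambda t, o, v: (t, o, v), window_ms)
    return {k: n for k, n in peaks.items() if n > limit}


def aggregate_breaches(quotes, limit=AGGREGATE_LIMIT, window_ms=WINDOW_MS):
    """The missing control: all traders' combined rate on one option at one venue."""
    peaks = _peak_counts(quotes, lambda t, o, v: (o, v), window_ms)
    return {k: n for k, n in peaks.items() if n > limit}


def firm_wide_breaches(quotes, limit, window_ms=WINDOW_MS):
    """Cross-venue variant: combined rate on one option across every venue."""
    peaks = _peak_counts(quotes, lambda t, o, v: o, window_ms)
    return {k: n for k, n in peaks.items() if n > limit}


if __name__ == "__main__":
    print("per-trader breaches:", per_trader_breaches(SAMPLE_QUOTES))
    print("aggregate breaches: ", aggregate_breaches(SAMPLE_QUOTES))
    print("firm-wide breaches: ", firm_wide_breaches(SAMPLE_QUOTES, AGGREGATE_LIMIT))
```

With the sample above the per-trader check returns nothing, while the aggregate check reports 100 messages in a second for the XYZ option on BZX. The design point is that the aggregation key, not the threshold, decides what a control can see: a pre-trade control that wants to catch the internal looping described in the Cboe action has to bucket on (option, venue) and on option alone in addition to (trader, option, venue).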
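The SEC report summarized above describes wire payments released on the strength of emails from faked domains impersonating executives and vendors. One technical control a practitioner would want alongside the authorization and vendor-change procedures the issuers later tightened is a sender-domain check on any payment instruction. The block below is an added example written for this page, not code from the SEC report or any of the issuers; the trusted domains, sample From headers, homoglyph table and edit-distance threshold are all constructed assumptions. It flags a sender as trusted only on an exact (or subdomain) match to the allow-list, as a lookalike when the domain collapses to a trusted one after homoglyph normalization, sits within a small edit distance of one, or embeds a trusted label inside a longer attacker-controlled name, and as unknown otherwise.

```python
"""Lookalike sender-domain check for payment instructions (constructed example)."""
from email.utils import parseaddr

# Constructed allow-list: domains from which payment instructions are legitimate.
TRUSTED_DOMAINS = {"example-corp.com", "acme-supplier.co.uk"}

# Characters commonly swapped for visually similar ones; collapsed on both sides
# before comparison so "examp1e-corp.com" folds onto "example-corp.com".
_HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})


def normalize(domain):
    """Lower-case, strip a trailing dot and fold homoglyphs and digraph tricks."""
    d = domain.lower().strip().rstrip(".").translate(_HOMOGLYPHS)
    return d.replace("rn", "m").replace("vv", "w").replace("cl", "d")


def levenshtein(a, b):
    """Plain edit distance; small enough inputs that O(len(a)*len(b)) is fine."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def sender_domain(from_header):
    """Use the address part of the header, never the display name."""
    _name, addr = parseaddr(from_header)
    return addr.rpartition("@")[2].lower()


def classify_sender(from_header, trusted=TRUSTED_DOMAINS, max_distance=2):
    """Return ('trusted', domain), ('lookalike', trusted_domain_it_mimics)
    or ('unknown', domain)."""
    dom = sender_domain(from_header)
    if not dom:
        return ("unknown", "")
    if dom in trusted or any(dom.endswith("." + t) for t in trusted):
        return ("trusted", dom)
    ndom = normalize(dom)
    labels = ndom.split(".")
    for t in trusted:
        nt = normalize(t)
        # 1. homoglyph-folded match; 2. near miss (example-corp.co vs .com)
        if ndom == nt or levenshtein(ndom, nt) <= max_distance:
            return ("lookalike", t)
        # 3. trusted label buried in a longer attacker-controlled domain
        if nt.split(".")[0] in labels:
            return ("lookalike", t)
    return ("unknown", dom)


if __name__ == "__main__":
    for hdr in ('CFO <cfo@example-corp.com>', 'CFO <cfo@examp1e-corp.com>',
                'AP <ap@acme-supplier.co.uk.invoices-secure.net>',
                'x@example-corp.co', 'someone@gmail.com'):
        print(f"{hdr!r:55} -> {classify_sender(hdr)}")
```

Two caveats a practitioner would add: an edit-distance threshold of 2 is far too loose for short trusted domains (it would pair "abc.co" with many legitimate names), so tune it per domain length or only apply it above a minimum length; and a sender check only complements, never replaces, the out-of-band callback on changed payment instructions that the issuers in the SEC report adopted after the fact, since a compromised legitimate mailbox passes every domain test.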
October 22, 2018
Arnold & Porter Compares New California Privacy Law With the EU’s Privacy Regime
by Nancy L. Perkins, Anthony Raglani, Ronald D. Lee, Zoe V. Walkinshaw, Anthony Samson and Angel Tang Nakamura

On September 23, 2018, the governor of California signed into law an amended version of the California Consumer Privacy Act of 2018 (CCPA),[1] which was originally enacted in late June 2018. The amendments are a partial response to extensive criticism of the legislation as overbroad, ambiguous, and excessively burdensome for organizations doing business in California. Throughout the summer, a coalition of businesses and industry associations (including the California Retailers Association, the Consumer Technology Association, the Internet Association and others), engaged in a concerted effort to persuade the California Legislature to clarify certain definitions in the law, limit its scope to prevent unintended consequences and delay its enforcement date to give regulated businesses the requisite time to establish systems and policies for compliance.[2] The Legislature’s response addresses a few, but by no means all, of the industry’s concerns. It delays enforcement of most of the law’s provisions until July 1, 2020 or six months after the California attorney general publishes final implementing regulations,[3] whichever is earlier, and it clarifies certain exemptions from the law’s reach, but it leaves intact a host of complex requirements. Any entity subject to the CCPA that interacts with individual consumers faces a considerable task in readying for compliance during the approximately 18-month period before the CCPA is enforced.

The CCPA is being heralded by many as a “first in the nation” privacy regime. Because it defines the “personal information” subject to its protection extremely broadly, and because it grants consumers extensive rights to control that information, it has been referred to as a US state’s importation of the European Union (EU) General Data Protection Regulation 2016/679 (GDPR) that became enforceable on May 25, 2018. Many organizations that spent months or even years preparing to comply with the GDPR are considering whether those efforts will be sufficient to ensure compliance—or at least to bring them close to compliance—with the CCPA as well. But despite core similarities between the GDPR and the CCPA, having prepared for compliance with the former will not relieve a business of additional work to achieve compliance with the latter. Although GDPR compliance may help with some aspects of CCPA compliance, an assessment of the CCPA’s requirements needs to be undertaken as a separate exercise and will require adopting new operational and policy measures.

Key Differences Between the CCPA and the GDPR

As a threshold matter, there are certain core differences between the CCPA and the GDPR in terms of the scope of regulated persons, information and activities. For example:

Covered Entities. The GDPR has broad application to any person or entity, regardless of location or nationality, that acts as a “controller” (i.e., a natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data) or a “processor” (i.e., a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller) of personal data of individuals that is collected in connection with a presence in the EU. The CCPA is not so broad; it regulates a “business,” defined as a for-profit legal entity that does business in the state of California and which:

(1) Has annual gross revenues in excess of $25 million,

(2) Alone or in combination buys, receives, sells or shares for commercial purposes the personal information of 50,000 or more consumers, households or devices on an annual basis, or

(3) Derives 50 percent or more of its annual revenues from selling consumers’ personal information.

It is these businesses that the CCPA requires to provide consumers with a variety of rights with respect to the protection and control of their personal information.

This difference in covered entities reflects the fundamental underpinnings of the two laws: The GDPR is grounded on the principle that, in the EU, privacy is a human right. Although the California Constitution similarly refers to the right to privacy as among the “inalienable” rights of all individuals, the CCPA itself does not seek to protect that right outside the commercial arena. It is “consumers” whose personal data is protected under the CCPA, and it is businesses, not other persons, upon which California has imposed the CCPA’s requirements.

Personal Information. The GDPR protects “personal data” which is “any information relating to an identified or identifiable natural person (or a “data subject”).” The CCPA similarly protects “personal information,” but the definition of that term is designed to cover not only information identifiable to an individual consumer, but also to consumers that purchase or use products or services jointly: “‘Personal information’ means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.”

Importantly, however, as clarified by the recent amendments to the CCPA, certain information that is subject to protection under other US privacy regimes is exempt from the CCPA. For example, nonpublic personal financial information that is collected, processed, sold, or disclosed pursuant to the Gramm-Leach-Bliley Act and its implementing rules or the California Financial Information Privacy Act is also generally exempt from the CCPA (although a breach in the security of this information would be actionable in a private party suit brought under the CCPA). In addition, medical information governed by the California Confidentiality of Medical Information Act and “protected health information” collected or created by “covered entities” or “business associates” as those terms are defined under the Health Insurance Portability and Accountability Act (HIPAA) and its implementing rules are not subject to the CCPA. Information is exempt if it is collected as part of a clinical trial subject to protection under (i) the so-called “Common Rule” protecting human research subjects; (ii) the parallel rules of the Food and Drug Administration, or (iii) good clinical practice guidelines issued by the International Council for Harmonization in research. This latter exemption, vigorously advocated for by the pharmaceutical and medical device industries, is critical to prevent risks to the integrity of clinical trials that would exist if consumers who are research subjects could request access to or deletion of their personal data collected in the course of a clinical trial in which blinded studies and consistent data retention are essential to accurate analysis and reliable results.

There is ambiguity—or perhaps a serious deficiency—in the exemption for research subject information, however, in that much research involving human subjects takes place outside of actual “clinical trials”—for example, through surveys, interviews and other channels. The specific reference to data collected in a “clinical trial”—as opposed to in human-subject research more generally—may not encompass information collected for purposes of, for example, pharmacoeconomic or outcomes research, or for purposes such as identifying clinical trial participants. The medical research community may wish to seek further clarifying amendments to foreclose the possibility of an adverse impact on such nonclinical research.

Core Consumer Rights. Most of the basic privacy rights protected by the CCPA and GDPR are similar. The CCPA declares the California Legislature’s intent to ensure five core consumer rights of California residents with respect to personal information about them:

The right to know what personal information is collected;

The right to know whether that personal information is sold or disclosed, and to whom;[4]

The right to “say no” to the sale of that personal information;

The right to access that personal information; and

The right to equal service and price, regardless of exercising their privacy rights.

The GDPR similarly grants individuals the right to notice of what types of personal information about them will be collected and disclosed, as well as the right to access the collected information. But unlike the CCPA, the GDPR does not focus specifically on the sale of personal data—the GDPR regulates “processing” generally, which encompasses collection, disclosure, sale, and the many other forms of activity that may occur with respect to personal data. And the GDPR does not require special notice of an individual’s right to block the sale of personal information, whereas the CCPA requires each regulated business to post a clear and conspicuous notice on the homepage of its website of a consumer’s right to prevent such sale, which must be an active link for consumers to click stating: “Do Not Sell My Personal Information.” (For children, the CCPA requires additional protection: children under the age of 16 must affirmatively opt-in before businesses can sell their personal data, and parents of children under the age of 13 must opt-in on the child’s behalf.)

Deletion of Personal Information. Another area in which the GDPR and CCPA are similar, but different enough to suggest distinct practices and policies, concerns the right of individuals to have their personal information deleted upon request. Under the GDPR, such a request must be honored in any of six circumstances, including when the personal information is no longer necessary in relation to the purposes for which it was processed or the individual has withdrawn their consent to processing and there is no other legal ground for processing. The CCPA, while establishing a general right to deletion, narrows the right substantially by permitting a business to decline an individual’s request for deletion of certain personal information under nine specific conditions, including if the business needs to keep that information to “enable solely internal uses that are reasonably aligned with the expectations of the individual based on the individual’s relationship with the business” or to “[o]therwise use the consumer’s personal information, internally, in a lawful manner that is compatible with the context in which the consumer provided the information.”

Third-Party Processing Contracts. Another noticeable difference between the CCPA and the GDPR is that the GDPR requires any “controller” that shares personal information with a third-party “processor” to enter into a contract with the processor that places specific data protection obligations on the processor. Although other privacy laws in the United States, including the HIPAA privacy regulations and the Gramm-Leach-Bliley Act rules, impose such contractual obligations on “covered entities” and financial institutions, respectively, the CCPA does not require the businesses it regulates to similarly bind third-party processors to data protection obligations.

A more detailed summary of the similarities and differences between the CCPA and the GDPR is set forth in chart form below. As the summary indicates, while the CCPA and GDPR both are expansive pieces of legislation that similarly extend certain privacy rights to individuals in relation to their personal information, each law has subtleties in its definitions, mandates and exceptions that critically impact its application and interpretations. Businesses seeking to comply with both laws should view compliance with the CCPA as a separate phase of their data privacy program, albeit a phase that is following closely on the heels of, or is in conjunction with, their GDPR compliance. The specific details of both laws should be fully assessed so that business practices and policies can be implemented and adjusted accordingly.

Summary Comparison of Key Provisions of the CCPA and the GDPR

Covered Entities

CCPA: A “business” is defined as any for-profit legal entity that does business in the state of California and collects and controls consumers’ personal information and satisfies one or more of the following thresholds: (1) annual gross revenues in excess of $25 million, (2) alone or in combination buys, receives, sells or shares for commercial purposes the personal information of 50,000 or more consumers, households or devices on an annual basis, and (3) derives 50 percent or more of its annual revenues from selling consumers’ personal information. A “business” also includes any entity that controls or is controlled by a business that satisfies these criteria.

GDPR: Applies to processing of personal data by:

1. A “controller,” i.e., a natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; or

2. A “processor,” i.e., a natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller.

Practical Implications: The CCPA is not intended to apply to smaller companies, but apart from the $25 million revenue threshold, the remaining prongs of the definition are somewhat unclear, for example, due to the breadth of certain underlying terms, such as “sell,” and the inclusion of terms such as “households” and “devices,” each of which could plausibly be located outside of California.

Scope

CCPA: Can apply to businesses located outside of California if personal information of California consumers is collected.

GDPR: Can apply to processing of personal data relating to EU or non-EU data subjects in the context of the activities of an establishment of a controller or a processor in the EU, regardless of whether the processing takes place in the EU or not.

Can apply to processing of personal data of EU data subjects by controllers or processors located outside of the EU if the processing activities are related to the offering of goods/services to, or monitoring the behavior of, individuals residing in the EU.

Practical Implications: The protections of the CCPA are anchored to California residents. Accordingly, any business that “does business” in California, regardless of its physical location, may become a covered entity due to its interaction with California residents.

Protected Individuals

CCPA: “Consumers” are protected and are defined as any natural person who is a California resident. By contrast, “persons” such as other individuals not meeting the definition of consumer, sole proprietorships, partnerships, LLCs, corporations, and a variety of other legal entities are not protected.

GDPR: Any “data subject,” which is defined as “an identified or identifiable natural person.” An “identifiable natural person” is defined as “one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

Practical Implications: The CCPA’s definition of “consumer” could be read to apply to individuals involved with commercial transactions or functions, including employees of businesses involved in such activities. This would appear to extend the reach of the CCPA beyond its intended scope and could create unintended consequences for businesses engaged in routine commercial functions with no personal, family or household purpose.

Protected Information

CCPA: “Personal information” is information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household. It includes, but is not limited to, the following: (1) identifiers such as a real name, alias, postal address, unique personal identifier, online identifier, Internet Protocol address, email address, account name, Social Security number, driver’s license number, passport number, or other similar identifiers; (2) categories of information described under Cal. Civ. Code § 1798.80; (3) characteristics of protected classifications under California or federal law; (4) commercial information; (5) biometric information; (6) internet or electronic network activity information; (7) geolocation data; (8) audio, electronic, visual, thermal, olfactory or similar information; (9) professional or employment information; (10) education information; and (11) inferences drawn from any of the above information to create a consumer profile. “Personal information” does not include any publicly available information.[5]

GDPR: “Personal data” or “any information relating to an identified or identifiable natural person (or “data subject”).”

Practical Implications: The CCPA’s definition of “personal information” is exceptionally broad. In effect, the CCPA protects any identifying information about a consumer or which could reasonably be linked to a consumer, as well as any identifying information that relates to a household. The term “household” is not defined, but could plausibly include residences outside of the state of California owned or rented by or otherwise housing California residents, as well as any connected devices within those households that contain personal information about California residents. Without clarification, the inclusion of the term “household” could be used to further broaden the already-considerable amount and types of information protected by the CCPA.

Definition of “Processing”

CCPA: Any operation or set of operations that are performed on personal data or on sets of personal data, whether or not by automated means.

GDPR: Any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

Definition of “Sell”

CCPA: Selling, renting, releasing, disclosing, disseminating, making available, transferring, or otherwise communicating orally, in writing, or by electronic or other means, a consumer’s personal information by the business to another business or a third party for monetary or other valuable consideration.

GDPR: Not a separate concept; would be included in the definition of “processing.”

Practical Implications: The CCPA’s definition of “sell,” like many other key terms, is very broad and includes acts such as “disclosing” personal information in exchange for “other valuable” (i.e., potentially nonmonetary) consideration. Accordingly, a business’ disclosure or transfer of personal information to a third party in connection with a broader transaction or services agreement may be sufficient to constitute a sale.

Definition of “Collect”

CCPA: Buying, renting, gathering, obtaining, receiving, or accessing any personal information pertaining to a consumer by any means. The definition includes receiving information from the consumer, either actively or passively, or by observing the consumer’s behavior.

GDPR: Not a separate concept; included in the definition of “processing.”

Practical Implications: The CCPA’s definition of “collect” is both broad and ambiguous. The term would capture a business’ passive receipt of personal information, regardless of the factual context or means of delivery and receipt. Many significant business functions, such as marketing, service provider management and acquisitions, will almost certainly involve the “collection” of personal information as it is currently defined.

Information Requirements

CCPA: Upon receipt of a consumer’s request for any disclosure of the categories and specific pieces of personal information that a business has collected about that consumer, the business must deliver such information to the consumer free of charge within 45 days of receipt of a verifiable request. The time period for disclosure may be extended once by an additional 45 days upon the provision of notice to the consumer. The delivery of information can be made by mail or electronically; however, electronic disclosures must be provided in portable format to the extent feasible.

Businesses that collect a consumer’s personal information are required, either at or before the point of collection, to inform consumers as to the categories of personal information to be collected and the purposes for which the categories of personal information shall be used. Businesses are not permitted to collect additional categories of personal information, or use collected information for additional purposes, without providing notice to the consumer.

GDPR: A list of information needs to be provided to data subjects (1) at the time their personal data is obtained if their personal data was collected directly from them, or (2) within certain timeframes afterwards if their personal data was not collected directly from them. In the second case, certain limited exemptions to the information requirement apply, such as that its provision would be impossible or involve a disproportionate effort.

The list of information to be provided includes the identity and contact details of the controller, the contact details of the data protection officer, the purposes for processing and legal basis/es for processing, the recipients of the personal data, the personal data retention period, the data subjects’ rights, and appropriate safeguards used to transfer the personal data out of the EU.

Practical Implications: The CCPA’s requirement that businesses provide consumers with “specific pieces” of information is not defined or explained. Even absent any ambiguity, from an operational perspective, many businesses will be challenged to design and implement systems and controls capable of delivering the “specific pieces” of information intended to be covered by the law. In addition, this provision will require businesses to transmit sensitive information, thereby exposing the information, perhaps unnecessarily, to security risks. Any increased exposure to a potential security breach is, for a variety of reasons, problematic for businesses. Here it is worth noting, as discussed further below, that the CCPA’s private right of action provision can be triggered by a security breach involving a consumer’s personal information.

Consent Requirements

CCPA: In order to comply with consumer opt-out provisions, businesses must make available two or more designated methods for submitting requests for disclosure of information including, at minimum, a toll-free telephone number and a public website. Businesses’ websites must provide a clear and conspicuous link titled “Do Not Sell My Personal Information” that enables consumers to opt out of the sale of their personal information.

In addition, businesses must provide a description of consumers’ right to opt out of the sale of their personal information, along with the above-described website link, in their website privacy policies or in any California-specific description of consumers’ privacy rights. Businesses must also disclose in a form that is reasonably accessible to consumers and in accordance with a specified process that consumers have a right to request that their personal information be deleted.

GDPR: Consent is one legitimate ground for processing personal data and several others apply. If a controller or processor wants to rely on consent, and not another ground, it needs to be aware that the threshold for valid consent is high. Opt-out consent is not valid. Consent is defined as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”

Consent requirements are without prejudice to the requirements under the EU Privacy and Electronic Communications Directive 2002/58/EC (currently being updated) to obtain consent to send certain forms of electronic marketing to individuals.

Practical Implications: The CCPA’s opt-out provision is inflexible in that it requires a consumer to either opt out of all sales of his/her personal information, or permit such sales in their entirety.

Consumers may determine that they benefit from certain types of sales or transfers of their personal information, but they will not be able to permit certain sales while prohibiting others. Moreover, given the breadth of the CCPA’s definition of “sell,” a consumer’s opting out of the sale of his/her personal information may have consequences that are unknown to the consumer, such as limiting the business’ ability to transfer the information between business units or to service providers, which could in turn limit the utility of the services received by the consumer.

Data Retention Requirements

CCPA: Businesses are not required to retain any personal information collected for a single, one-time transaction if the information is not sold or retained by the business. Businesses that sell personal information must be prepared to provide disclosures to consumers regarding the collection and use of their personal information covering the preceding 12-month period from the date of receipt of the request.

GDPR: Personal data must be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed, with certain limited exceptions.

Information about the period for which personal data will be stored, or if that is not possible, the criteria used to determine that period, needs to be included as part of the information requirements (see the “Information Requirements” section above).

Practical Implications: Although the CCPA does not prescribe minimum record-retention periods for consumers’ personal information, in effect, the CCPA will require businesses to retain information in order to preserve the ability to disclose such information to consumers if requested. In certain instances, businesses may be required to retain information for much longer than would be necessary in the ordinary course of business.

Rights Granted to Protected Individuals

CCPA: Establishes four core individual rights:

(1) The right to request that a business deletes personal information that it has collected about a consumer.

(2) The right to request and receive information about, and specific pieces of, personal information that has been collected or sold or disclosed to third parties by a business.

(3) The right to opt out of the sale of a consumer’s personal information.

(4) The right to not be discriminated against due to the exercise of any right established by the CCPA.

GDPR: As the CCPA does, the GDPR establishes the rights in points (1) and (2) of the CCPA column, though the exemptions to these rights differ between the CCPA and GDPR.

The GDPR does not establish the rights in points (3) and (4) of the CCPA column.

The GDPR additionally establishes the rights for data subjects who may, with regard to their personal data (under certain circumstances):

· request it to be rectified;

· have its processing restricted;

· have it provided to them and transferred to another organization;

· object to its processing;

· withdraw their consent to its processing;

· complain to a regulator about its processing; and

· not be subject to a decision based solely on certain forms of automatic processing, including profiling.

Practical Implications: Several of the practical implications of the consumer rights established by the CCPA are discussed elsewhere in this chart; however, with respect to the deletion of personal information, the CCPA overlooks several practical issues presented by this requirement. For example, in many instances, particularly in sectors that involve significant amounts of data processing, consumers’ information may be organized and maintained in ways that will make it challenging for a business to retrieve and delete the information of a single consumer upon request. In addition, the CCPA does not account for varying uses of personal information and the related impact of the deletion of such information. A consumer could, for example, request the deletion of personal information that is relevant to a workplace investigation involving that consumer or which is critical to the due diligence of a pending commercial transaction—in both instances undermining a use of the information that was likely unintended.

Also of note, the recent amendments to the CCPA include a provision limiting the rights of consumers and the obligations of businesses to the extent that they infringe on any noncommercial activity of a covered entity. This provision was likely added in an effort to limit the potential for free speech challenges to the law under either the US or California Constitutions.

Opt-Out Provisions

CCPA: A business that sells consumers’ personal information must disclose this fact to consumers, who have the right to opt out of the sale of their personal information. For consumers under the age of 16, the parents of the consumer have the right to opt in to any sale of the consumer’s personal information.

GDPR: A directly comparable obligation does not exist; however, data subjects can try to enforce their rights (as described in the row above) with regard to any selling of their personal data.

Practical Implications: With respect to the CCPA’s opt-out provisions, see the above discussion regarding the mechanics and utility of the provision.

Remedies

CCPA: The CCPA establishes a private right of action for any consumer whose nonencrypted or nonredacted personal information was subject to an unauthorized access and exfiltration, theft or disclosure as a result of a business’ failure to implement and maintain reasonable security procedures. Statutory damages are limited to not less than $100 and not more than $750 per consumer per incident, as well as injunctive and declaratory relief and any other relief deemed proper by the court.

The CCPA also provides for administrative enforcement, including by authorizing the attorney general to bring actions for civil penalties against any business that fails to cure an alleged violation of the law within 30 days of being notified of such violation. Civil penalties of $2,500 per violation or $7,500 per intentional violation may be imposed by the attorney general. The attorney general is not authorized to bring an enforcement action until the earlier of six months after the date of publication of final regulations issued as required by the CCPA or July 1, 2020.

GDPR: Data subjects have the following rights:

(1) Right to a judicial remedy against a legally binding decision of a regulator.

(2) Right to a judicial remedy against a controller or processor.

(3) Right to compensation from a controller or processor.

Regulators can also impose fines on controllers or processors of up to the higher of €20 million or four percent of total worldwide annual turnover of the preceding financial year for the most serious breaches of the GDPR.

Practical Implications: The CCPA’s private right of action provision applies if a consumer’s “nonencrypted or nonredacted” personal information was the subject of a security breach or other form of unauthorized access. The use of “or” rather than “and” is likely a drafting error; however, at present the language has the effect of broadening the scope of the provision. Irrespective of whether this language of the law is clarified, in light of the breadth of the CCPA’s key operative terms and provisions, the private right of action authority is likely to lead to a significant amount of class action litigation in connection with security breaches involving protected personal information.


[1] 2017 California Assembly Bill No. 375, California 2017-2018 Regular Session (amending Part 4 of Division 3 of the California Civil Code), amended by 2017 California Senate Bill No. 1121.

[2] See Coalition Letter.

[3] The CCPA directs the attorney general to adopt a number of regulations to further implement and clarify the scope and requirements of the law prior to its effective date. This may include the expansion or modification of the definition of protected “personal information,” the adoption of additional exceptions as may be required for businesses to comply with state or federal law, and the implementation of rules and procedures governing the mechanics of the CCPA’s opt-out and consumer-notice requirements. The attorney general is also granted the discretion to adopt additional regulations that are deemed to be necessary to the law’s implementation.

[4] The CCPA requires a business that collects a consumer’s information to disclose to that consumer the categories and specific pieces of personal information that the business has collected, sold to a third party or disclosed for a business purpose, as well as the categories of third parties with whom the business has sold or disclosed personal information, among other items. Businesses must also disclose the categories of the sources from which personal information has been collected and identify the business or commercial purpose(s) underlying the collection of consumers’ information. The CCPA establishes specific requirements for the form and timing of delivery of information requested by a consumer.

[5] The definition provided in this chart has been abbreviated to include only its essential elements. The statutory definition contains additional guidance regarding certain categories of “personal information,” and certain terms included within the definition are defined separately under the statute.

This post comes to us from Arnold & Porter Kaye Scholer LLP. It is based on the firm’s memorandum, “California’s New Privacy Statute: Is It a US GDPR?,” dated October 3, 2018, and available here.

October 22, 2018
Going Concern Opinions, Institutional Ownership, and CEO Compensation
by Ning Ren and Yun Zhu

Auditors issue going concern opinions when they have substantial doubts about a client’s ability to continue as a going concern for one year beyond the financial statement date. Abundant anecdotal evidence shows that companies that received these opinions went through restructurings, with managers and employees losing their jobs or seeing their pay cut. For example, after Ernst & Young sent Texas utility Dynegy Holdings, Inc. a going concern opinion in 2011, a majority of the company’s directors said they wouldn’t consider being re-elected, and the CEO and CFO said they might leave the company. After Clearwire Corp. received a going concern opinion in 2010, it sold a large amount of debt, and Craig McCaw resigned as chairman. And after receiving such an opinion in 2012, Sharp announced that it would cut 5,000 jobs after having already cut salaries, sold assets, and scaled back investments.

While these detrimental effects are well documented, little is known about what actions boards of directors take to strengthen monitoring of managers (agents) and restore investor confidence after receipt of a going concern opinion.

In our recent study “Going-Concern Opinions and Corporate Governance,” we empirically examine how going concern opinions affect various aspects of corporate governance, including corporate control, executive compensation, and turnover among executives and auditors.

Though the issuance of going concern opinions decreases firm value and conveys a negative signal to the stock market, its impact on corporate control is not straightforward. On one hand, since the incentives provided by equity-based compensation are needed most when firms are in a crisis, it’s reasonable to expect that financial distress would cause executive and non-executive directors to own more stock. On the other hand, institutional investors or blockholders of stock might be more likely to increase their ownership stakes in distress situations. The overall effect should be that ownership concentration increases because widely-dispersed equity exaggerates the free-rider problem.

Financially distressed companies are usually subject to strategic or political constraints on how much CEOs can be compensated. Directors, being afraid of losing their own jobs or being sued, are likely to reduce executive compensation to avoid any appearance of self-dealing. What’s more, top executives feel hesitant to negotiate higher compensation because it is costly for them to leave the firm, especially when they are responsible for the financial problems. In addition, the issuance of going concern opinions and the associated financial distress impose financial and personal costs on managers (for example, reduction in compensation and decision-making authority and loss of reputation and prestige). Hence, managers might resign. In addition, the negative stock performance following the announcement of a going concern opinion motivates boards of directors to terminate top managers. And not surprisingly, companies in financial distress are more likely to change auditors due to disputes over audit opinions, accounting methods, or disclosure policies.

Empirically, we utilize the issuance of Auditing Standard No. 5 (AS5) as the exogenous shock to draw causality from going concern opinions to changes in corporate governance. The AS5 aims to increase auditors’ ability to issue going concern opinions but has no impact on corporate governance. From a sample of going concern opinions issued from 1995 to 2012, we find strong evidence that subsequent to the issuance of going concern opinions, institutional investors and other large stockholders tend to reduce their stakes. Furthermore, the issuance of going concern opinions also motivates companies to decrease executive compensation and terminate top managers and auditors.

With these findings, we demonstrate the importance of auditors in corporate governance. While companies pay their external auditors and have the power to fire them, regulators and external stakeholders push for auditor independence. Our study supports the latter position and shows how enhancing the power of auditors can improve company performance.

This post comes to us from professors Ning Ren at Long Island University and Yun Zhu at St. John’s University. It is based on their recent paper, “Going-Concern Opinions, Institutional Ownership and CEO Compensation,” available here.

October 22, 2018
A Watershed Development for “Material Adverse Effect” Clauses
by Andrew Herman, Barbara Becker, Daniel Alterbaum, Jeffrey Chapman, Mark Director, Stephen Glover, Gibson Dunn

On October 1, 2018, in Akorn, Inc. v. Fresenius Kabi AG, [1] the Delaware Court of Chancery determined conclusively for the first time that a buyer had validly terminated a merger agreement due to the occurrence of a “material adverse effect” (MAE). Though the decision represents a seminal development in M&A litigation generally, Vice Chancellor Laster grounded his decision in a framework that comports largely with the ordinary practice of practitioners. In addition, the Court went to extraordinary lengths to explicate the history between the parties before concluding that the buyer had validly terminated the merger agreement, and so sets the goalposts for a similar determination in the future to require a correspondingly egregious set of facts. As such, the ripple effects of Fresenius in future M&A negotiations may not be as acute as suggested in the media. [2]


Factual Overview

On April 24, 2017, Fresenius Kabi AG, a pharmaceutical company headquartered in Germany, agreed to acquire Akorn, Inc., a specialty generic pharmaceutical manufacturer based in Illinois. In the merger agreement, Akorn provided typical representations and warranties about its business, including its compliance with applicable regulatory requirements. In addition, Fresenius’s obligation to close was conditioned on Akorn’s representations being true and correct both at signing and at closing, except where the failure to be true and correct would not reasonably be expected to have an MAE. In concluding that an MAE had occurred, the Court focused on several factual patterns:

  • Long-Term Business Downturn. Shortly after Akorn’s stockholders approved the merger (three months after the execution of the merger agreement), Akorn announced year-over-year declines in quarterly revenues, operating income and earnings per share of 29%, 84% and 96%, respectively. Akorn attributed the declines to the unexpected entrance of new competitors, the loss of a key customer contract and the attrition of its market share in certain products. Akorn revised its forecast downward for the following quarter, but fell short of that goal as well and announced year-over-year declines in quarterly revenues, operating income and earnings per share of 29%, 89% and 105%, respectively. Akorn ascribed the results to unanticipated supply interruptions, added competition and unanticipated price erosion; it also adjusted downward its long-term forecast to reflect dampened expectations for the commercialization of its pipeline products. The following quarter, Akorn reported year-over-year declines in quarterly revenues, operating income and earnings per share of 34%, 292% and 300%, respectively. Ultimately, over the course of the year following the signing of the merger agreement, Akorn’s EBITDA declined by 86%.
  • Whistleblower Letters. In late 2017 and early 2018, Fresenius received anonymous letters from whistleblowers alleging flaws in Akorn’s product development and quality control processes. In response, relying upon a covenant in the merger agreement affording the buyer reasonable access to the seller’s business between signing and closing, Fresenius conducted a meticulous investigation of the Akorn business using experienced outside legal and technical advisors. The investigation revealed grievous flaws in Akorn’s quality control function, including falsification of laboratory data submitted to the FDA, that cast doubt on the accuracy of Akorn’s compliance with laws representations. Akorn, on the other hand, determined not to conduct its own similarly wide-ranging investigation (in contravention of standard practice for an FDA-regulated company) for fear of uncovering facts that could jeopardize the deal. During a subsequent meeting with the FDA, Akorn omitted numerous deficiencies identified in the company’s quality control group and presented a “one-sided, overly sunny depiction.”
  • Operational Changes. Akorn did not operate its business in the ordinary course after signing (despite a covenant requiring that it do so) and fundamentally changed its quality control and information technology (IT) functions without the consent of Fresenius. Akorn management replaced regular internal audits with “verification” audits that only addressed prior audit findings rather than identifying new problems. Management froze investments in IT projects, which reduced oversight over data integrity issues, and halted efforts to investigate and remediate quality control issues and data integrity violations out of concern that such investigations and remediation would upend the transaction. Following signing, NSF International, an independent, accredited standards development and certification group focused on health and safety issues, also identified numerous deficiencies in Akorn’s manufacturing facilities.

Conclusions and Key Takeaways

The Court determined, among other things, that the sudden and sustained drop in Akorn's business performance constituted a "general MAE" (that is, the company itself had suffered an MAE), that Akorn's representations with respect to regulatory compliance were not true and correct, and that the deviation between the as-represented condition and its actual condition would reasonably be expected to result in an MAE. In addition, the Court found that the operational changes implemented by Akorn breached its covenant to operate in the ordinary course of business.

Several aspects of the Court’s analysis have implications for deal professionals:

  • Highly Egregious Facts. Although the conclusion that an MAE occurred is judicially unprecedented in Delaware, it is not surprising given the facts. The Court determined that Akorn had undergone sustained and substantial declines in financial performance, credited testimony suggesting widespread regulatory noncompliance and malfeasance in the Akorn organization and suggested that decisions made by Akorn regarding health and safety were re-prioritized in light of the transaction (and in breach of a highly negotiated interim operating covenant). In In re: IBP, Inc. Shareholders Litigation, then-Vice Chancellor Strine described himself as “confessedly torn” over a case that involved a 64% year-over-year drop-off in quarterly earnings amid allegations of improper accounting practices, but determined that no MAE had occurred because the decline in earnings was temporary. In Hexion Specialty Chemicals, Inc. v. Huntsman Corp., Vice Chancellor Lamb emphasized that it was “not a coincidence” that “Delaware courts have never found a material adverse effect to have occurred in the context of a merger agreement” and concluded the same, given that the anticipated decline in the target’s EBITDA would only be 7%. No such hesitation can be found in the Fresenius opinion. [3]
  • MAE as Risk Allocation Tool. The Court framed MAE clauses as a form of risk allocation that places "industry risk" on the buyer and "company-specific" risk on the seller. Explained in a more nuanced manner, the Court categorized "business risk," which arises from the "ordinary operations of the party's business" and which includes those risks over which "the party itself usually has significant control," as being retained by the seller. By contrast, the Court observed that the buyer ordinarily assumes three other types of risk, namely (i) systematic risks, which are "beyond the control of all parties," (ii) indicator risks, which are markers of a potential MAE, such as a drop in stock price or a credit rating downgrade, but are not underlying causes of any MAE themselves, and (iii) agreement risks, which include endogenous risks relating to the cost of closing a deal, such as employee flight. This framework comports with the foundation upon which MAE clauses are ordinarily negotiated and underscores the importance of sellers negotiating for industry-specific carve-outs from MAE clauses, such as carve-outs addressing adverse decisions by governmental agencies in heavily regulated industries.
  • High Bar to Establishing an MAE. The Court emphasized the heavy burden faced by a buyer in establishing an MAE. Relying upon the opinions that emerged from the economic downturns in 2001 and 2008, [4] the Court reaffirmed that “short-term hiccups in earnings” do not suffice; rather, the adverse change must be “consequential to the company’s long-term earnings power over a commercially reasonable period, which one would expect to be measured in years rather than months.” The Court underscored several relevant facts in this case, including (i) the magnitude and length of the downturn, (ii) the suddenness with which the EBITDA decline manifested (following five consecutive years of growth) and (iii) the presence of factors suggesting “durational significance,” including the entrance of new and unforeseen competitors and the permanent loss of key customers. [5]
  • Evaluation of Targets on a Standalone Basis. Akorn advanced the novel argument that an MAE could not have occurred because the purchaser would have generated synergies through the combination and would have generated profits from the merger. The Court rejected this argument categorically, finding that the MAE clause was focused solely on the results of operations and financial condition of the target and its subsidiaries, taken as a whole (rather than the surviving corporation or the combined company), and carved out any effects arising from the “negotiation, execution, announcement or performance” of the merger agreement or the merger itself, including “the generation of synergies.” Given the Court’s general aversion to considering synergies as relevant to determining an MAE, buyers should consider negotiating to include express references to synergies in defining the concept of an MAE in their merger agreements.
  • Disproportionate Effect. Fresenius offers a useful gloss on the importance to buyers of including "disproportionate effects" qualifications in MAE carve-outs regarding industry-wide events. Akorn argued that it faced "industry headwinds" that caused its decline in performance, such as heightened competition and pricing pressure as well as regulatory actions that increased costs. However, the Court rejected this view because many of the causes of Akorn's poor performance were actually specific to Akorn, such as new market entrants in Akorn's top three products and Akorn's loss of a specific key contract. As such, these "industry effects" affected Akorn disproportionately and, from a risk-allocation perspective, were allocated to Akorn. To substantiate this conclusion, the Court relied upon evidence that Akorn's EBITDA decline vastly exceeded that of its peers.
  • The Bring-Down Standard. A buyer claiming that a representation given by the target at closing fails to satisfy the MAE standard must demonstrate such failure qualitatively and quantitatively. The Court focused on a number of qualitative harms wrought by the events giving rise to Akorn’s failure to bring down its compliance with laws representation at closing, including reputational harm, loss of trust with principal regulators and public questioning of the safety and efficacy of Akorn’s products. With respect to quantitative measures of harm, Fresenius and Akorn presented widely ranging estimates of the cost of remedying the underlying quality control challenges at Akorn. Using the midpoint of those estimates, the Court estimated the financial impact to be approximately 21% of Akorn’s market capitalization. However, despite citing several proxies for financial performance suggesting that this magnitude constituted an MAE, the Court clearly weighted its analysis towards qualitative factors, noting that “no one should fixate on a particular percentage as establishing a bright-line test” and that “no one should think that a General MAE is always evaluated using profitability metrics and an MAE tied to a representation is always tied to the entity’s valuation.” Indeed, the Court observed that these proxies “do not foreclose the possibility that a buyer could show that percentage changes of a lesser magnitude constituted an MAE. Nor does it exclude the possibility that a buyer might fail to prove that percentage changes of a greater magnitude constituted an MAE.”

Fresenius offers a useful framework for understanding how courts analyze MAE clauses. While this understanding largely comports with the approach taken by deal professionals, the case nevertheless offers a reminder that an MAE, while still quite unlikely, can occur. Deal professionals would be well-advised to be thoughtful about how the concept should be defined and used in an agreement.



[1] Akorn, Inc. v. Fresenius Kabi AG, C.A. No. 2018-0300-JTL (Del. Ch. Oct. 1, 2018).

[2] See, e.g., Jef Feeley, Chris Dolmetsch & Joshua Fineman, Akorn Plunges After Judge Backs Fresenius Exit from Deal, Bloomberg (Oct. 1, 2018) ("'The ruling is a watershed moment in Delaware law, and will be a seminal case for those seeking to get out of M&A agreements,' Holly Froum, an analyst with Bloomberg Intelligence, said in an emailed statement."); Tom Hals, Delaware Judge Says Fresenius Can Walk Away from $4.8 Billion Akorn Deal, Reuters (Oct. 1, 2018) ("'This is a landmark case,' said Larry Hamermesh, a professor at Delaware Law School in Wilmington, Delaware.").

[3] The egregiousness of the facts in this case is further underscored by the fact that the Court determined that the buyer had breached its own covenant to use its reasonable best efforts to secure antitrust clearance, but that this breach was "temporary" and "not material."

[4] See, e.g., Hexion Specialty Chems. Inc. v. Huntsman Corp., 965 A.2d 715 (Del. Ch. 2008); In re: IBP, Inc. S'holders Litig., 789 A.2d 14 (Del. Ch. 2001).

[5] This view appears to comport with the analysis highlighted by the Court from In re: IBP, Inc. Shareholders Litigation, in which the court determined that an MAE had not transpired in part because the target's "problems were due in large measure to a severe winter, which adversely affected livestock supplies and vitality." In re: IBP, 789 A.2d at 22. In this case, the decline of Akorn was not the product of systemic risks or cyclical declines, but rather a company-specific effect.

October 22, 2018
Lazard’s Review of Shareholder Activism—2018 3Q YTD
by Jim Rossman, Lazard

Key Observations on the Activist Environment through 3Q 2018

Record Level of Companies Targeted

  • Activists targeted 174 companies in the first three quarters of 2018, surpassing 169 companies targeted in all of 2017
  • 26% more campaigns initiated YTD over 2017 YTD, representing capital deployment of $53.8bn, in-line with 2017 YTD levels
    • Nonetheless, 3Q witnessed a decline in new campaign activity and capital deployment relative to the record-setting 1Q and 2Q 2018
  • A record 130 activists were responsible for YTD campaigns, exceeding the level for all of 2017
  • Elliott accounted for ~10% of all activity, with 19 campaigns launched YTD


Board Seats Won on Track to Surpass 2016 Record

  • The 130 Board seats won in 2018 YTD represent a ~57% increase over 2017 YTD and a ~30% increase over the number won in all of 2017
    • Starboard, Elliott, and Icahn alone accounted for ~48% of all Board seats won
    • Board seats mostly granted via settlement, with only ~15% resulting from proxy fights
    • Only 25% of Board seats won YTD were filled by activist fund employees, the lowest level on record

Board Change and M&A are the Most Common Objectives

  • Board change and M&A initiatives were each requested in one third of all new campaigns YTD

Targets Becoming Increasingly Global

  • 42% of campaigns YTD targeted non-US companies, including 21% launched at European companies, 10% at Asian companies, 6% at Canadian companies, and 3% at Latin American companies
  • European activity is modestly down, with 40 campaigns YTD as compared to 42 in 2017 YTD
    • 38% decline in year-over-year capital deployed in Europe stems from lack of multiple $1bn stakes that characterized 2017 YTD

Increasing Engagement from Traditional Active Managers

  • Traditional long-only investors continue to refine their engagement strategies
    • A growing list of institutional managers have become increasingly vocal in advocating for strategic change themselves or encouraging management to engage with activists that are agitating for change

The complete publication, including Appendix, is available here.

October 22, 2018
Coming Soon(ish): SEC’s “Semi-Annual Reporting” Proposal
by Broc Romanek

Back in August, President Trump asked the SEC to study the possibility of moving from quarterly to semi-annual reporting for public companies. We then blogged the reaction to this concept from a number of quarters. And a few weeks ago, SEC Chair Clayton indicated that the push for semi-annual reporting wouldn’t go too far.

Apparently, Chair Clayton's comments may have been misinterpreted because the latest "Reg Flex Agenda" – posted last week – indicates that a proposal for semi-annual reporting is forthcoming (or at least, it's in the "prerule" stage – as compared to the "proposed rule" stage). And since the Chair has indicated that his Reg Flex Agendas don't need to be taken with a grain of salt, we really might expect to see a proposal from the SEC in the 'shorter rather than longer' term (meaning over the next year IMHO). In fact, an SEC spokesperson noted in this Reuters article that Chair Clayton was expecting to consider this type of rulemaking even before the President tweeted about it (hat tip to Cydney's blog)!

Other forthcoming proposals include:

Overhaul of Reg S-K
Narrowing ‘Accelerated Filer’ Definition
Amendments to Rule 3-05 of Reg S-X
Resource Extraction Payment Disclosures
Extending Jobs Act’s ‘Testing the Waters’ to Non-EGCs
Expanding Availability of Reg A

And these open rulemakings remain on the ‘long-term’ burner: clawbacks; pay-for-performance; conflict minerals; universal proxy; board diversity disclosures; proxy plumbing – and a proposal based on the recent Rule 701/Form S-8 concept release…

Some Pay Ratio Stats (Military Below 5:1)

During the keynote of our recent “Proxy Disclosure/Executive Compensation Conference,” Steven Clifford noted that the pay ratio in the US military is less than 5:1. And this Labrador blog covers our conference including these pay ratio stats:

– Average ratio for S&P 500 companies was 160:1
– For the Fortune 1000, it was 158:1
– For the Russell 3000, it was 71:1
– Median employee pay was $69,000 for the S&P 500 versus $108,000 for the tech industry
– Highest ratios were in retail, consumer discretionary and consumer staples and materials
– Lowest ratios were in financials, healthcare and utilities
– 19% of the Russell 3000 provided some sort of supplemental pay disclosure such as adjusted workforce, full-time only employees used to find median or adjusted CEO pay due to one-time awards
– Some companies noted a low pay ratio this year due to caveats to prepare for higher ratios in the future

“101 Pro Tips – Career Advice for the Ages” Paperback!

I just ordered a bunch more of our latest paperback – "101 Pro Tips – Career Advice for the Ages" – from the printers because they flew off our shelves. Here's the "Table of Contents." It's free for members (but it does cost $20 in shipping & handling).

This book is designed for fairly young lawyers – both in law firms and in companies. It's written in an "easy to read" style, complete with some stories & anecdotes to make it interesting. A fairly unique offering in our field – and I'm pretty happy about how it came out. Members can request it now.

Broc Romanek

October 22, 2018
Cybersecurity Disclosure Benchmarking
by Charles Seets, Les Brorsen, Steve Klemash, EY

Boards, executives, investors, regulators and other governance stakeholders have expressed growing interest in understanding how companies guard against, plan for and respond to cybersecurity incidents.

As cybersecurity threats evolve and risks become more complex and widespread, focus on corporate disclosures in public filings on the subject likely will intensify.

Cybercrime is an increasing threat, with unique challenges resulting from the complexity of an interconnected business ecosystem and the rapid evolution of technology. While the U.S. Securities and Exchange Commission (SEC) has required registrants to disclose information about business risks and material developments in their annual reports for decades, companies face particular challenges in publicly reporting cybersecurity threats. This is due in part to the need to disclose material information while keeping potentially sensitive information out of the hands of attackers.


To help inform stakeholders, we conducted an analysis of cybersecurity-related disclosures of Fortune 100 companies. These companies often are leaders as governance disclosure practices continue to evolve. The review was based on two prominent investor-facing public filings: proxy statements and Form 10-K filings.

Our observations revealed that the depth and nature of cybersecurity-related disclosures vary widely, suggesting there is opportunity for enhancement in how cybersecurity risks, cybersecurity risk management frameworks and board oversight are communicated. This report seeks to provide companies and other stakeholders with insights on this quickly evolving area of disclosure.

Our perspective

Cybersecurity-related risks are complex, which can make it challenging to provide meaningful information to investors and other stakeholders without disclosing facts that could harm company efforts to protect data security.

In the wake of several major cybersecurity incidents, companies, investors and policymakers have been re-examining what and when information is communicated by companies and opportunities for enhanced disclosure.

There are many forces driving the increased focus on corporate disclosures around cybersecurity-related risks and incidents, several of which are outlined in this report. Our aim is to enhance consideration and discussions around cybersecurity-related disclosures by offering insights on current disclosures, along with perspectives on the topic from regulators, investors and boards of directors.

Current regulatory landscape

2018 cybersecurity guidance from the SEC

The SEC issued guidance on 21 February 2018 “… to assist public companies in preparing disclosures about cybersecurity risks and incidents.” In framing the matter and the SEC’s motivation in issuing it, the guidance states that “Cybersecurity risks pose grave threats to investors, our capital markets, and our country. Whether it is the companies in which investors invest, their accounts with financial services firms, the markets through which they trade, or the infrastructure they count on daily, the investing public and the US economy depend on the security and reliability of information and communications technology, systems, and networks.”

The new guidance reinforces and builds on the SEC's 2011 cybersecurity staff guidance, which clarified companies' obligations to disclose cybersecurity risks, material breaches and the potential impact of the breaches on business, finances and operations. The 2018 guidance adds two new topics: (i) the importance of public companies having strong disclosure controls and procedures to enable timely and accurate disclosures of cybersecurity risks and incidents, and (ii) insider trading prohibitions as they relate to cybersecurity incidents.

SEC Chairman Jay Clayton expressed his views on the guidance in a press statement stating it “… will promote clearer and more robust disclosure by companies about cybersecurity risks and incidents, resulting in more complete information being available to investors.” He encouraged “… public companies to examine their controls and procedures, with not only their securities law disclosure obligations in mind, but also reputational considerations around sales of securities by executives.”

SEC officials have stated that the Division of Corporation Finance will monitor cybersecurity disclosures as part of its selective filing reviews, and encouraged stakeholders to provide feedback on the guidance. It should be noted that the timing of the 2018 SEC guidance—issued shortly before annual reports for 2017 were due to be filed and at the start of the 2018 proxy season—means that companies may not have had full opportunity to consider and implement it.

Investors view cyber as integral to risk oversight

Investors view cybersecurity risk management as a critical component of the board’s risk oversight responsibilities.

That is what many leading institutional investors have shared with EY during our annual investor outreach program, which most recently included conversations with more than 60 institutional investors representing US$32 trillion in assets under management.

In light of the importance of cybersecurity, some investors seek additional and enhanced disclosure from companies and engagement with boards on cybersecurity planning, risks and incidents. Investors generally want to understand how boards are actively overseeing cybersecurity risks and strategy.

Through engagement, some investors also seek to learn whether the board is receiving regular reports from management and input from third-party independent experts as appropriate.

The Council of Institutional Investors (CII) published a list of questions for investors to pose to boards in an effort to understand how they are prioritizing cybersecurity. The publication recommends that companies proactively communicate how they address cybersecurity matters as a way to enhance investor confidence and suggests that directors need to “understand management’s cybersecurity strategy; learn where cybersecurity weaknesses lie; and support informed, reasonable investment in the protection of critical data and assets.”

“Users should expect companies of various sizes, industries and cyber risk profiles to bring different strategies, in varied stages of implementation, in response to this massive and growing challenge,” according to the CII. The questions posed by the CII were as follows:

  1. How are the company’s cyber risks communicated to the board, by whom, and with what frequency?
  2. Has the board evaluated and approved the company’s cybersecurity strategy?
  3. How does the board ensure that the company is organized appropriately to address cybersecurity risks? Does management have the skill sets it needs?
  4. How does the board evaluate the effectiveness of the company’s cybersecurity efforts?
  5. When did the board last discuss whether the company’s disclosure of cyber risk and cyber incidents is consistent with SEC guidance?

Boards of directors

Boards also are increasing engagement on the subject. Consider that the recent SEC guidance states

“… we believe disclosures regarding a company’s cybersecurity risk management program and how the board of directors engages with management on cybersecurity issues allow investors to assess how a board of directors is discharging its risk oversight responsibility in this increasingly important area.”

The National Association of Corporate Directors issued a Cybersecurity Handbook in 2017 that outlined five principles for board cybersecurity oversight. “Along with the rapidly expanding ‘digitization’ of corporate assets, there has been a corresponding digitization of corporate risk. Accordingly, policymakers, regulators, shareholders and the public are more attuned to corporate cyber risk than ever before,” states the handbook.

According to the NACD, the five principles boards should consider as they seek to enhance their oversight of cybersecurity risks are:

Principle 1: Directors need to understand and approach cybersecurity as an enterprise-wide risk management issue, not just an IT issue.

Principle 2: Directors should understand the legal implications of cyber risks as they relate to their company’s specific circumstances.

Principle 3: Boards should have adequate access to cybersecurity expertise, and discussions about cyber-risk management should be given regular and adequate time on board meeting agendas.

According to the handbook, when needed, directors should look to outside experts to help them evaluate the assertions made by management and security leadership. Boards should schedule “deep-dive briefings” for independent third-party experts to help validate the extent to which the cybersecurity program is meeting objectives.

Principle 4: Directors should set the expectation that management will establish an enterprise-wide cyber-risk management framework with adequate staffing and budget. The handbook also recommended regular reviews of the effectiveness of the organization’s cyber-risk management.

Principle 5: Board-management discussions about cyber risk should include identification of which risks to avoid, which to accept, and which to mitigate or transfer through insurance, as well as specific plans associated with each approach.

US policy environment

While it is difficult to legislate or dictate prescriptive policy to address cybersecurity risks, the issue is being contemplated by a host of regulators and government agencies in the US and around the world. US regulators across sectors from the Federal Trade Commission to the Department of Commerce are stepping up activity in this area.

Congress is also increasing its oversight and engagement on cybersecurity disclosure and risk management. Recent high-profile hearings on Capitol Hill highlighted broad bipartisan concerns over how companies manage, plan for and disclose cybersecurity attacks. Members also have heard testimony on legislative proposals such as the Cybersecurity Disclosure Act of 2017.

The bill, introduced by Senator Jack Reed (D-RI) and supported by Senator Susan Collins (R-ME), would direct the SEC to issue final rules requiring a registered public company to disclose in its annual report or annual proxy statement whether any member of its board has expertise or experience in cybersecurity.

While political headwinds and institutional challenges make passage of cybersecurity legislation unlikely in the near term, interest from Congress and other policymakers in Washington continues to increase.

What we found

We conducted an analysis of cybersecurity-related disclosures in the proxy statements and annual reports on Form 10-K of Fortune 100 companies for which documents were available as of 1 September 2018. The analysis was based on voluntary cybersecurity-related disclosures on the following topics:

  • Board oversight including risk oversight approach, board-level committee oversight, director qualifications, management reporting structure and management reporting frequency
  • Statements on cybersecurity risk and strategy, including disclosure of related strategy-focused language, shareholder engagement and risk factors
  • Risk management, including cybersecurity risk management efforts or program, education and training, engagement with outside security experts and use of an external advisor

The depth, level of detail and company-specific nature of the disclosures vary widely.

In considering these findings, note that the analysis represents disclosures at a single point in time (i.e., the date of filing) and may not reflect ongoing changes in company practices. Additionally, companies may not have had full opportunity to consider and implement the recent SEC guidance given the timing of its release.

In light of these considerations, the analysis offers an informative assessment of the current state of cybersecurity-related disclosures, which can help inform emerging best practices and further dialogue on how companies can be more effective in communicating about these issues to investors and other stakeholders.

Board oversight

Most companies disclosed that cybersecurity is among the risks overseen by the board and whether any committees are charged with oversight responsibilities regarding cybersecurity.

How management reports to the board on this topic is an emerging area for disclosure, with fewer than half of companies disclosing this information and a smaller subset offering detail on the frequency of that reporting and what it includes.

Director qualification observations

Forty-one percent of companies include cybersecurity experience as among the key director qualifications highlighted or considered by the board. The disclosure does not always indicate which directors (if any) have this expertise, and there are variations in what is considered cybersecurity expertise.

Note: Percentages are based on total disclosures for companies in 2018. Data are based on the 79 companies on the 2018 Fortune 100 list that filed Form 10-K filings and proxy statements through September 1, 2018.

* Some companies disclose that cybersecurity is overseen by the full board and not any specific committee. Others may designate oversight to more than one board-level committee.

Strategy-focused statement

A handful of companies highlighted in their proxy that cybersecurity is a current or emerging strategic focus, or stated that data privacy is central to the company’s purpose and core values.

Shareholder engagement

Some companies that disclosed engagement with investors also disclosed the topics discussed during engagement. For topics beyond executive compensation, that disclosure is often high level (e.g., sustainability, risk oversight, strategy). As a result, the data here may understate the actual amount of engagement discussion involving cybersecurity.

Risk factor disclosure

All companies disclosed cybersecurity as a risk factor and provided general statements, which may or may not be company specific in nature. For example, most companies disclosed that regardless of company efforts, there still may be a breach and that in such an event, company operations may suffer.

Cybersecurity risk mitigation efforts

These disclosures cited company efforts on cybersecurity risk monitoring, training, planning and prevention, but the depth of disclosures varied widely, with few companies providing details on these efforts.


Questions for the board to consider

  • Has the board formally assigned responsibility on cybersecurity matters—at the board and management levels?
  • Does the board have access to the needed expertise on cybersecurity? And is the board getting regular updates and reports concerning cybersecurity risk strategy and event preparedness?
  • Does the board have regular briefings on the evolving cybersecurity threat environment and how the cybersecurity risk management program is adapting? How is the board actively overseeing the company’s investments in new cybersecurity technologies and solutions?
  • Does the board know how management has performed in recent tabletop exercises simulating cybersecurity incidents—and has the board participated in any such exercises?
  • Is the board hearing directly from and having a dialogue with third-party experts whose views are independent of management?
  • How will the SEC guidance and investor interest impact 2019 disclosures?



This post aims to enhance consideration and discussions around cybersecurity-related disclosures by offering insights on current disclosures, along with perspectives on the topic from investors, regulators and boards of directors.

Cybersecurity risk management and incidents and related disclosures are a critical issue for investors, companies and other key stakeholders. We expect the interest and focus on enhanced communication will continue to grow as the challenges continue to evolve. Recent SEC guidance on the issue is just the latest indication that regulators and stakeholders want to better understand a company’s efforts around cybersecurity planning, incident response and notification procedures. As with many other emerging issues, public disclosures present an opportunity for a company to demonstrate leadership on this vital matter.

By sharing information on the state of current disclosure efforts, stakeholders can gain an understanding of where opportunities for enhancement exist, and how to drive and establish leading practices.

October 22, 2018
Reforming Director’s Long-Term Duties in the EU
by Claire Jeffwitz, Filip Gregor, Frank Bold

The European Commission has taken up the debate on the obligations of company directors and will be analysing whether they should be clarified at an EU level. This commitment is included in its Action Plan on Sustainable Finance [1], aimed at transforming Europe’s economy and financial system into a sustainable one. The Commission seeks to attenuate short-term pressure from capital markets on corporations, pressure that forces directors to disregard opportunities and risks stemming from long-term sustainability considerations.

Although it is universally agreed that directors’ obligation is to act in the interests of the company, there is a lack of clarity over what these “interests” are in practice and to whom they are owed. In this context, Frank Bold has published the paper entitled Redefining directors’ duties in the EU to promote long-termism and sustainability, which outlines recommendations to clarify directors’ duties, integrate sustainability into these duties and legally recognise corporate governance arrangements that protect a company’s social mission.


The proposals included in this paper are supported by examples and analyses from EU Member States and other jurisdictions, and the questions that might need to be considered in order to apply these to an EU-wide context. The paper specifically considers recent legislative developments in France with the presentation of the “Loi Pacte” which includes recommendations to reform the French Civil Code.

The directors of a company are those responsible for implementing the company’s strategy, overseeing its operations, and accounting for its performance. The way that such duties are defined determines how the directors are accountable and who they are accountable to. The purpose of this paper is to explore ways to clarify and, where appropriate, enhance director duties and corporate governance by explicitly incorporating sustainability factors into those obligations and focusing directors’ attentions on the long-term.

The paper first considers the duty of directors to act in the interests of the company and explores, more particularly, to whom these duties are owed, who benefits from them and what the interests of the company are. It also includes an analysis of other duties that could be adopted to effectively promote the success of the company in the long term, whilst minimising social and environmental impacts. Lastly, the paper outlines further reforms in company law that could be introduced in relation to the social purpose of the company in order to promote long-term sustainability and facilitate the efforts of sustainable investors.

Key conclusions:

  • It should be clarified by means of legislation or guidance that directors’ duties are owed to the company, as a legal entity, which has the exclusive right to enforce them. In all European jurisdictions, directors’ duties are owed to the company, rather than to its shareholders or any other third parties. [2] Guidance should make clear that the company’s activities impact a wide range of stakeholders (including shareholders) and societal interests (such as the environment) that need to be considered by directors from the perspective of the company’s interests and purpose.
  • It should also be clarified that the primary interest of the company is to survive in the long-term, in order to achieve the purpose for which it was incorporated, taking into consideration the economic, social and environmental issues to which its activities give rise. Directors should give parity to all material stakeholders and issues that are important for the long term health of the company and its specific purpose and should not prioritize shareholder value over such considerations. Attempts to broaden the interests of the company to take account of interests beyond those of the shareholders have generally failed to provide sufficient clarity. Efforts to describe the drivers of long-term corporate success are more likely to be fruitful.
  • It is recommended that the law more explicitly require directors to identify and mitigate all of the economic, social and environmental factors that materially affect the long-term prospects of a company and the attainment of its specific social objectives. [3] In practice, this analysis is often limited to short-term financial risks. This analysis and mitigation should be published in a suitable integrated reporting format. The legislation (and/or the legislative guidance) should specify salient material risks for key industries to ensure that an appropriate baseline has been established. Directors should be required, under the legislation, to identify additional material risks to the company, taking into account the specific nature of the company.
  • There should be a new duty for directors to act within the planetary boundaries and social foundations, supported by a requirement to carry out ongoing human rights and environmental due diligence in relation to a company’s operations (including its supply chains) and to develop a strategy to mitigate any such impacts. [4] This is complementary to the above recommendation, which does not require directors to consider the impacts of the company on external resources if these impacts do not directly affect the longevity of the company or its unique social objectives. Legislation or guidance should define planetary boundaries and social foundations [5] to the maximum extent possible, as well as the appropriate due diligence requirements, but directors should be legally obligated to more specifically develop this in the context of the company’s specific business model.
  • We also recommend that a duty of the company (rather than the directors) be introduced, which requires the company to identify, prevent and mitigate human rights violations and significant environmental harm. There are many adverse environmental or social impacts that do not in themselves cause a company measurable financial damage. We recommend that as part of a larger company law reform project, a duty should be imposed on companies to identify, prevent, and mitigate human rights violations and significant environmental harm caused (or contributed to by other companies that it can control such as subsidiaries and business partners). This duty is to be owed by the company to the public, and particularly those who suffer such harm.
  • Companies can adopt a social purpose that either expressly takes precedence over their commercial purpose, or is to be balanced with that commercial purpose by the directors at their discretion. Given that companies in the majority of European jurisdictions are already free to do this, such new legislation may cause confusion, with companies potentially assuming that an explicit social purpose is exceptional, and that most commercial companies would not consider this. Therefore, we recommend that the European Commission instead affirms that there is nothing in company law that prevents companies from adopting a social purpose that takes precedence over, or is balanced with, a company’s commercial purpose.
  • We recommend to embed in law a social purpose “status” for mission-led companies that declare a social purpose in their articles of association, irrespective of their legal form and size, provided that they meet certain corporate governance criteria which will ensure their accountability for actively seeking to achieve such purpose. This would ensure that any expression of a company’s specific social purpose has legal force in order to guarantee to investors, consumers, employees or other stakeholders that the governance of that company is substantially oriented towards their social purpose, rather than only paying lip service to it.

There is currently significant public and political drive to increase companies’ long-term success and sustainability. However, this is threatened by an entrenched perspective of directors’ duties that confuses short-term shareholder value with the interests of the company, and ignores the impacts that the company may have on any other stakeholders. This paper provides an overview of this conflict and considers how directors’ duties could be clarified at an EU level to contribute to the objectives of the Action Plan to help to transform Europe’s economy into a sustainable system, to manage financial risks stemming from environmental and social issues, and to foster transparency and long-termism in financial and economic activities.

The complete paper is available for download here.



[1] European Commission’s action plan on financing sustainable growth (March 2018).

[2] Gerner-Beuerle, C., Paech, P. and Schuster, E.P. (2013). Study on Directors’ Duties and Liabilities, p. 63. Prepared for the European Commission DG Markt.

[3] Eccles, R. and Youmans, T. (2015). Materiality in Corporate Governance: The Statement of Significant Audiences and Materiality (Working Paper 16-023). Harvard Business School.

[4] Sjåfjell, B., Johnston, A., Anker-Sørensen, L. and Millon, D. (2015). Shareholder primacy: the main barrier to sustainable companies. In B. Sjåfjell and B. Richardson (Eds.), Company Law and Sustainability (p. 147). Cambridge, England: Cambridge University Press.

[5] Raworth, K. (2017). Doughnut Economics. London: Random House Business; and the Sustainable Development Goals.

October 22, 2018
California Law Requires Female Presence in Boardrooms
by Courtney Ann Matsuishi & Carlos M. Bermudez

On September 30, Governor Jerry Brown (D) signed a new California law requiring female presence on boards of public companies headquartered in California. 

Under SB-826, all public companies listed on a major U.S. stock exchange and headquartered in California must have one woman on their board by the end of 2019 and, by the end of 2021, two women if the board has five directors, and three women if the board has six or more directors. Companies will be deemed to be in compliance with the law if female directors hold the requisite number of board seats during any portion of the calendar year. Companies that fail to comply could be fined: $100,000 for the first violation and $300,000 for each subsequent violation.

One of the significant aspects of the law is that it applies to all public companies whose principal executive office (as listed on the company’s Securities and Exchange Commission (SEC) form 10-K) is in California, regardless of where the company is organized. The result is that the law has a greater impact because it reaches more companies than if the law applied only to companies organized in California. The law will also impact private companies based in California that are planning to go public (including many tech companies) as they will need to reorganize their board structures prior to an initial public offering (IPO) if their boards do not satisfy the quota.   

The law was born out of recognition that women are significantly under-represented in boardrooms, especially in California. In 2017, out of 445 public companies headquartered in California in the Russell 3000 Index, women held only 15.5% of the board seats and 26% of the companies did not have any women on their boards, according to the Board Governance Research LLC’s “Women on Boards of Public Companies Headquartered in California 2017 Report”. Studies indicate that it will take up to 50 years to achieve gender parity in the boardroom, and the legislation aims to accelerate the achievement of this goal. The new California law is the first of its kind in the United States, but follows the lead of many European countries (including France, Germany, Italy and Norway) that have successfully enacted similar requirements.

Opponents argue that the law only addresses one aspect of diversity and is overregulation by the state. They assert that the market is already addressing the issue with investors demanding greater diversity (and specifically, more women) on boards. State Street and BlackRock have threatened to withhold votes if boards do not meet their diversity requirements. There is a real possibility that the law could be successfully challenged as unconstitutional and violative of equal protection rights as the result of the law is that male board members could be displaced by women. Although a number of business organizations in California opposed the law, no lawsuits challenging the law have been filed yet.

California public companies that do not currently meet the requirements need not fret. Companies with all-male boards have more than a year to comply and only need to fill one board seat with a woman by the end of 2019. In addition, companies do not have to replace the men currently on the board – they can satisfy the requirements by increasing the total number of board seats and filling the new seats with women.

Blog posts are subject to copyrights held by the authors and are republished here with permission. Views expressed are those of the authors alone. Infringement Notification.