The Single Client Counsel In An Evolving Business Climate
The Legal Wilderness
Dedicated to Searching and Exploring our Legal Frontiers to Find, Categorize, and Tag the wild, Untamed and Predatory Applications of the Law
The Single Client Counsel In An Evolving Business Climate
Joseph F. Speelman
THE ROLE OF CORPORATE COUNSEL IN CORPORATE GOVERNANCE
“April is the cruelest month….”
The Waste Land by T. S. Eliot
It is April and at least two things should be on the mind of Corporate Counsel; 1.) Taxes, and 2.) Annual corporate governance processes and issues. If you are part of a publicly traded Company, your responsibilities as counsel will, in some fashion, be affected by preparations for and perhaps participation in an Annual Shareholder meeting. As well, counsel will participate in and deal with Board of Director meetings as part of corporate governance processes and the preparation for the Shareholder meetings.
Annual Shareholder meetings, especially for large companies, have had a past when they were “sleepy, quick, and quiet” affairs. A time when only a very few shareholders attended the meetings and nothing controversial or divisive was broached. Not so any longer. Challenging business environments, increasing regulatory oversight, strategic litigation, and shareholder activism, to name just a few issues, have placed significant focus on these meetings and on corporate governance and behavior generally.
This is nothing really new, except that there is a significant increase in the efforts, planning, and finance for activist groups involvement, government oversight, including recent legislation (Sarbanes Oxley, The Foreign Corrupt Practices Act, the Dodd-Frank Act, the GDPR, and others), and increased emphasis on oversight and attention to corporate governance practices and behavior brought on by the “mortgage backed securities crisis” in 2008; all of which has created a “Perfect Storm” relating to corporate governance processes and issues in the US and globally. One major focus of this “storm” is on Annual Shareholder Meetings, Board of Director meetings and the process for publically traded companies of all sizes and in all areas of the business economy. (10 Tips for Upcoming Annual Shareholder Meetings, Mayer Brown Legal Update, www.mayerbrown.com.). As well, the same set of issues bring increased focus on privately owned enterprises in the US and internationally. Add to the above a significant increase in internet based attention as well as activities surrounding business practices worldwide and you get a grand potential for constant, vexing, and potentially crippling actions to business processes and structure in large, medium, and small enterprises, either public or privately owned. (“Navigating the Current Landscape of Shareholder Activism”, ACC Newsstand, Lexology, April 10, 2018.). To make the “perfect storm” more perfect, the untimely rise of malicious cyber crime, events, and activities affecting worldwide economies with unanticipated disruptions and costs for all business commerce, and we, as corporate counsel, have a corporate governance “Fine Mess” on our hands. (“Cybersecurity Oversight”, ACC Newsstand, Lexology, March 22, 2018; “SEC Issues Guidance on Cyber Disclosure, Including Board’s Oversight Role”, ACC Newsstand, Lexology, March 1, 2018.).
Some Corporate Organizational Theory
Corporate governance is at the center of the storm. In house corporate counsel are at “ground zero” of the storm. The above issues create very real risks to an enterprise. These risks form a significant part of an overall risk identification and evaluation process for ALL risks a company faces. Corporate counsel must be at the center of these issues in order to evaluate the risks they present accurately. Whatever your professional focus in a company; litigation, commercial contracts, financing, acquisitions and mergers, you have a core function of identifying risks in each area and ensuring they are dealt with properly and timely. Your legal training, including ethical responsibilities, put you in a natural leadership role for risk identification and response. It is what attorneys do.
An organization’s governing process is only as effective as its corporate counsel and the risk management process they create, manage, maintain, and conduct. The corporate counsel's job is to identify risks, evaluate them, and communicate those results to other key members of the risk management process, and then ensure that enterprise leadership is made fully aware of the issues including your evaluations. Corporate counsel must ensure that the governance process of an enterprise is properly designed and functioning to encompass the critical process of evaluating risks, including compliance with laws and with the governance process, and that the process of communicating, timely, such evaluations is enhanced and functions properly. For individual corporate counsel, it requires that you understand the area of the company you are evaluating. Know what it does and why. Determine how it fits together with the entire enterprise business process.
In a large, publicly traded company, you will have many colleagues from various parts of the enterprise that work with you. In a small, private company, you may be working with and reporting to an officer, the President or perhaps even the owner of the company. The process is the same. In a large company you will meet key outside counsel that are experts in securities matters, litigation, corporate governance, and compliance. Learn from them and ensure that you are part of what they are doing. In a smaller enterprise, you may be responsible for all of those matters and, frequently, by yourself. Embrace your responsibilities… it will make you a much better attorney, and employee.
Understand the business. Where it makes money, its cost structure, its strengths, advantages, and where it might be vulnerable. Most importantly, meet and get to know key people throughout the organization. Each has an important perspective on the enterprise. Learn it.
Enough Organizational Discussion: Things To Focus on Regarding Preparation for and conduct of a Shareholder Meeting.
Shareholder Meeting Planning.
- Security – Most of the company’s senior executives will likely attend. The Board Chair will be present along with CEO, CFO, Chief Legal Officer and others. Admission checks, even airline style security, may be called for depending upon who will attend and if indications of dissent or contentious issues are present. The security function must be incharge of running access and inspections. Do a “dry run” on the access process. Only shareholders should be admitted, generally, unless the facility allows for, and the company desires to have public attendance in separate areas. Security contingencies must be in place including back up plans with local or regional law enforcement. Security must be adequate to the perceived risk.
- Technology Issues – Dealing with presentation technologies and shareholder participation via electronic means, such as webcasts. Understand these systems and have proper personnel engaged to ensure these functions are working and secure.
- Q & A Sessions – Many questions may arise; cyber security issues, news items regarding the company, questions on stock performance, questions regarding environmental risks, issues relating to company policies on global warming and climate changeand many others. Anticipate such issues and the questions as well as answers, from a legal standpoint as well as company policy standpoint. Participate in the preparation of proposed answers, comments, and thoughts on such matters for the Chair or moderator, or other corporate official should such issues arise.
- Media – Traditional, Social, and Otherwise – You must anticipate that shareholder meetings and proceedings may be reported, perhaps even broadcast or disclosed in real time by media and others using various social and traditional media technologies. This must be made consistent with Annual Meeting rules and procedures to ensure the process is managed and company, as well as state and Federal regulations, and laws are complied with by all.
- Rules Governing the Meeting - The company by-laws should have an exacting and up to date set of rules for conducting an Annual Shareholders meeting. Corporate Counsel must know them and ensure they are understood and adhered to by company leaders at all times during the meeting. The Chair as well as all officers and presenters should “practice” these rules and be prepared for unforeseeable events or issues as best they can. That is a clear responsibility of in house corporate counsel. Prepare you clients.
- Media Representatives and guests – Media often seeks to attend shareholder meetings of a company. They may be excluded by appropriate rules. They can be allowed to attend as well. They should not be allowed to ask questions of the chair or interface with shareholders during the meeting. Media can be sequestered during the meeting and should always be accompanied by a company public relations representative.
- Voting Process – The process of tabulating votes at a shareholder meeting, reporting the results of votes, and counting proxies for votes all have processes that are thoroughly regulated for public companies by the Securities & Exchange Commission (SEC). Results generally must be filed within 4 business days of the meeting. Large public companies usually have this process integrated into the corporate processes. Corporate counsel should understand those rules and processes. Companies listed on various stock exchanges (example: NYSE) have to submit annual affirmations on corporate governance matters within 30 days of the meeting.
- Institutional Shareholders – These shareholders tend to be large investment funds, mutual funds, large investors and investors that tend to be interested in a longer term growth potential of a company and spend a lot of time looking at many stocks before choosing to invest. They like to be engaged in active, open-ended discussions with company leadership. They expect to have access to a company’s leadership at or around shareholder meetings either during or after the meeting. Such discussions should be arranged as part of the annual shareholder meeting but in separate or adjacent venues. Generally, institutional investors ask about strategic risks the company faces such as: large litigation, activist or general shareholder initiatives, competition, emerging issues such as cyber security risks, and major decisions the company might be facing. Corporate counsel must fully understand such issues and be involved in advising leadership on legal aspects, including risks, involved in such matters. CAVEAT: despite all the above, ensure your client knows that material, non- public information cannot be disclosed to such shareholders or others. Such information constitutes “insider information”. Be very careful here.
(“10 Tips for Upcoming Annual Shareholder Meetings”, Mayer Brown Legal Update, 28 March 2018, www.mayerbrown.com.).
Current and Emerging Corporate Governance Issues
- Cyber Security Issues. On February 21, 2018, the SEC issued an Interpretive Guidance to help public companies in preparing disclosures about cyber security risks and incidents. The Commodities Futures Trading Commission (CFTC) issued a guidance to companies regarding duties of companies to adopt policies and procedures that address administrative, technical, and security protections against cyber attacks and to safe guard customer’s records and information. These guidelines make clear that policies for preventing attacks, protecting information, and disclosing such incidents must be put in place by all public companies and also enterprises that seek to issue public debt such as bonds. (ACC Newsstand, Lexology.com, March 1, 2018). Public companies as well as private organizations issuing public debt now have disclosure obligations on cyber issues, risk evaluations and risk factor disclosure, descriptions of the company’s business products, customer relationships, disclosure of material pending legal proceedings relating to cyber security issues. Additionally, Boards of Directors must establish adequate oversight of cyber security processes and any events that have occurred. The Board must direct this process.
Company Boards are tasked to assess their risk regarding cyber events. This must have corporate counsel leading such an assessment and reporting directly to the Board. Proper controls and procedures should enable companies to identify cyber security risks and management must evaluate the effectiveness of such procedures. This is all the direct work of corporate counsel! (“SEC Issues Guidance on Cyber Disclosure, Including the Board’s Oversight Role”, ACC Newsstand, Lexology, March 1, 2018.)
To comprehend the emphasis on cyber issues, one need only understand that the US Council of Economic Advisers (CEA) published a report on February 16, 2018 dealing with the impact of “malicious cyber activity” on the US economy. The report estimates that cyber activity cost the US economy between $57 billion and $109 billion in 2016 alone.(“Cost of Malicious Cyber Activity to the US Economy”, ACC Newsstand, Lexology, February 20, 2018). The true number, quite frankly, is much, much larger that the CEA estimate.
The cyber security risk is the largest, highest profile, and most dangerous issue facing every enterprise worldwide. Corporate counsel must be at the center of the risk assessments, policy drafting, oversight, and evaluation of that risk to their company.The SEC guidance made clear that directors and officer have a duty to oversee the cyber security event risk directly and to manage that risk. This clearly calls into issue the need to evaluate the cyber risk in order to establish adequate and relevant insurance and risk coverage for such events. The risk evaluation must be performed by corporate counsel, in conjunction with insurance and risk coverage management personnel in the company. Finally, corporate counsel must also raise the issue of the need for the company to address this issue directly in existing Director’ and officers’ Insurance coverage. This is a high profile risk issue for any company. It must be raised with corporate leadership directly and immediately! Such insurance coverage is either non-existent or inadequate, I assure you. (“Cybersecurity Oversight”, ACC Newsstand, Lexology, March 22, 2018;“D&O Insurance for Cyber Liabilities: Increased Cyber Exposure Should Cause Directors & Officers to Take Another Look at Their D&O Policies”, K&L Gates, Stay Informed, www.klgates.com.).
- Shareholder Activists Issues and Initiatives. Shareholder activist groups have begun to show more aggressive and sophisticated strategies regarding public companies. Transparency about political spending, environmental, climate change, board diversity, and leadership pay issues seem to be the most common matters raised by these groups. (“Voting with your pocket”, The Economist Magazine, April 14th, 2018; “Navigating the Current Landscape of Shareholder Activism”, ACC Newsstand, Lexology, April 10, 2018.).
- Climate issues. Shareholder activist groups have sponsored shareholder initiatives that are based upon notions that large publically traded energy companies and their leadership have failed to adequately respond to global climate issues and such initiatives are closely aligned with a series of law suits in California and New York City against such companies that assert such a failure of adequate response and seeking billions of dollars in alleged damages. (Voting with your pocket, The Economist Magazine, April 14th, 2018 ). Atleast one such company, ExxonMobil Corporation, faced a shareholder initiative seeking to force the company to create and produce annual reports of climate research and changes. This initiative passed and ExxonMobil recently published the first such report. That report, to no one’s surprise, was cited as “evidence” in each of the above referenced climate change law suits against the company. (“Voting with your pocket”, The Economist Magazine, April 14th, 2018 ; “ExxonMobil Releases Climate Change Report, Following Similar Reports by Chevron, Shell and Others”, ACC Newsstand, Lexology, April 10, 2018.).
The above sets out the fact that shareholder activists are often coordinating their efforts and tactics with other groups that have planned companion litigation against particular targets of such shareholder initiatives and utilize the initiatives as “evidence” in subsequent litigation. The activists are skilled in the use of social media to manipulate public opinion and shareholder opinion on such subjects, thus creating a very real risk area that corporate counsel must identify, evaluate and report to the leadership of their clients, including the Boards of directors of such companies.(“Navigating the Current Landscape of Shareholder Activism”, ACC Newsstand, Lexology, April 10, 2018;”Is Sustainability and Climate Reporting Material?”, ACC Newsstand, Lexology, April 9, 2018.).
- Information Security and Data Privacy. The privacy of information and data held by companies that relates to customers or private parties and the protection of such information by such companies has become a significant and growing issue for all enterprises worldwide; including US based companies. The protection of data and privacy of information in the possessions of companies is becoming a significant corporate governance issue in the US for three reasons: 1.) The increase in cyber events that demonstrate exceedingly poor protection and handling of such data as it is stolen by cyber criminals; 2.) Some very high profile US data collecting Silicon Valley corporations and US medical enterprises have misused, failed to protect, or even profited from not protecting customers’ private information in their possession; and 3.) Neither the US Government nor business enterprises have a general, nationwide, and uniform set of laws concerning or requiring the protection of such information by companies that collect and hold it. ( “GDPR’s New Requirements: What Investment Managers, Funds, Banks, and Broker-Dealers Need to Know”, ACC Newsstand, Lexology, April 17, 2018.).
As March came to an end, Facebook faces some 16 separate, very large lawsuits relating to the revelations regarding Cambridge Analytica’s access to the personal data of millions of Facebook users…for free and without permission from or warnings to any Facebook customers. (“Facebook Privacy Litigation: U.S. Style Data Regulaltion”, ACC Newsstand, Lexology, April 5, 2018.). Judging by the CEO of Facebook’s almost “childish” approach before Congress of offering only an apology and a weak offer to do better, it is likely the number of lawsuits against Facebook will grow enormously.
Follow the Facebook debacle with the hacking of and theft of data from Equifax, a giant US enterprise that collects huge amounts of sensitive credit information on millions of Americans, including the theft of such credit information such as bank accounts, social security numbers. Add the timid U.S government response to such actions and it all seems to establish that US laws are weak on this issue and companies must do much better at protecting customers’ data and private information in their possession. The combined public and shareholder reaction to these events is outrage, pure and simple outrage. (“Reforming the U.S. Approach to Data Protection and Privacy”, Council on Foreign Relations; www.cfr.org, January 30, 2018.).
Compare the U.S. “approach”, which I will call “regulation by private litigation” to the European Union (EU) approach. The EU has adopted the General Data Protection Regulation (GDPR), which becomes effective on May 25, 2018. It is a comprehensive, aggressive, and punitive regulation that requires all companies, enterprises of any sort that collect or store data to protect that data from theft or release at the risk of very punitive action by the EU for any failure to abide by those protection requirements. (“GDPR’s New Requirements: What Investment Managers, Funds, Banks, and Broker-Dealers Need to Know”, ACC Newsstand, Lexology, April 17, 2018.). Most importantly to corporate counsel for US enterprises, this regulation is Extra-Territorial and requires any enterprise of any sort, located anywhere that is doing business in any European country to comply fully with all provisions of the regulation. It has the same reach as the US Foreign Corrupt Practices Act….global.
How does the foregoing affect corporate counsel for U.S. companies, small, medium, or large; public or private? You, as in house corporate counsel, must begin the process immediately of evaluating the potentially monumental risks to your company/client associated with the collection and storage of data and personal information of customers, clients or others. U.S. corporate governance policies and procedures must be effective to avoid or deter cyber attacks on your client, protect data in your client’s possession, and you must also prepare you client for compliance with foreign regulations, especially the GDPR. Plan for stricter U.S. data protection laws or regulations. Anticipate shareholder activist efforts to impose such stricter standards on your client through its governance process. Finally, anticipate and communicate to your client the likelihood of strategic, all encompassing litigation seeking compensation from companies for not being properly prepared to deal with protecting data and personal information in their possession. Whether your company is or is not so prepared. Remember, this is America: people and companies often get sued for merely existing and attempting to make money.
As an attorney, corporate counsel must initiate and participate in improving your client on this general issue but you must also prepare for overreaching, intellectually dishonest, and brutal litigation. That, unfortunately, is to be a fact in the changing business climate of the present. Make a difference, conduct yourself with zealous protection of your client and maintain your ethical decorum….it is what good attorneys do.
You must be a leader in your company because of your skills and legal training. Seek out that responsibility.
Be careful out there.