CLOSE X
RSS Feed LinkedIn Instagram Twitter Facebook
Search:
FMG Law Blog Line

Archive for May, 2018

Lessons Learned from the SEC’s Order in the Yahoo! Data Breach Enforcement Action

Posted on: May 22nd, 2018

By: Jennifer Lee

On April 24, 2018, the SEC issued an order in the enforcement action against Altaba Inc., formerly Yahoo! Inc., and imposed a $35 million fine relating to the 2014 data breach which affected more than 500 million Yahoo! user accounts.

SEC’s Findings

The SEC found that Yahoo! violated federal securities laws by failing to disclose the 2014 data breach for almost two years. The SEC focused on the fact that despite its knowledge of the data breach, Yahoo!’s annual and quarterly reports made no mention of the data breach as a risk factor. Instead, the reports represented that the company only faced the risk of potential future data breaches that may expose its users’ personally identifiable information which may lead to litigation, loss of revenue, and damage to its reputation.

In addition, Yahoo! management’s analysis of the company’s financial condition also omitted changes to revenue that were expected to result from the public disclosure of the 2014 data breach.

Lastly, the stock purchase agreement between Yahoo! and Verizon entered into on July 23, 2016 and filed with the SEC on July 25, 2016 was misleading because it contained affirmative representations denying the existence of any significant data breaches.

The data breach was not disclosed until September 2016 in a press release filed as an attachment to a Form 8-K. After the public announcement of the data breach, Yahoo!’s stock price decrease by 3%, resulting in a $1.3 billion drop in its market cap.

Lessons Learned

Disclosures regarding cybersecurity risk factors that discuss potential incidents are misleading if they do not discuss known incidents that have already occurred. The SEC found that the omission of the 2014 data breach in the risk factor disclosures were misleading because it suggested that a significant data breach had not yet occurred, which in turn implied that any negative effects that may result from future breaches are merely speculative.

Companies should perform regular assessments of cybersecurity threats and their likely impact on the business to determine whether such issues should be disclosed as a risk factor. Regulation S-K item 303 requires companies to include trends or uncertainties reasonably likely to have a material impact on their business. Item 503(c) requires companies to disclose the most significant risk factors that make the company speculative or risky. Because cybersecurity incidents have the potential to and often do, in fact, lead to a significant depreciation in a company’s stock price and market cap, failing to perform regular assessments of cybersecurity threats and their likely impact on the business will inevitably lead companies to run afoul of Regulation S-K.

Be mindful of other state, federal, and international regulations that govern disclosure of data breaches and other cybersecurity incidents. Currently, data breach notification obligations in the United States consist of a patchwork of individual state statutes. In addition, the EU’s General Data Protection Regulation, which takes effect on May 25, 2018, contains a whole new set of rules regarding the disclosure of data breaches and other cybersecurity incidents. Companies that operate on a national or international level must be aware of their disclosure obligations under these regulatory structures and how they may affect companies’ disclosure obligations under federal securities laws.

If you have any questions or would like more information, please contact Jennifer Lee at [email protected].

 

The Restatement of The Law of Liability Insurance Is Coming~ Ready Or Not!

Posted on: May 21st, 2018

By: Gretchen Carner

On May 22, 2018, at the annual meeting of the American Law Institute (ALI ) in Washington, D.C., its members are set to vote on final approval of the Restatement of the Law of Liability Insurance (RLLI). The American Law Institute’s RLLI aims, as former Director Lance Liebman said, to seek “the efficient and fair rules that should govern the insurer/insured relationship.” The RLLI has taken eight years to write and has been the subject of much lively debate.

Many of the issues discussed in the Restatement have been hotly contested by insurers.  The RLLI, for the most part, states the majority rule on the vast majority of issues covered. Sometimes, however, the Restatement sets forth what the ALI considers to be the “better rule,” which is a practical approach taking into consideration the law and incentives underlying insurance and claims-handling.

It is anticipated that courts considering coverage issues of first impression, or where the law is not clear, may now turn to the RLLI for guidance.  Because Restatements are developed by learned individuals in their area of expertise at the ALI, and are only approved after a long and painstaking process, it would be reasonable for a court to look at what the RLLI has to say about an unsettled issue. If the Final Draft of the Restatement is approved this month, some of the following hot topics should be high on an insurer’s radar.

Policy InterpretationSection 3 adopts a presumption in favor of the plain meaning rule for interpretation of “standard-form” policy terms, stating: “an insurance-policy term is interpreted according to its plain meaning, if any, unless extrinsic evidence shows that a reasonable person in the policyholder’s position would give the term a different meaning. That different meaning must be more reasonable than the plain meaning in light of the extrinsic evidence, and it must be a meaning to which the language of the term is reasonably susceptible.”

The “extrinsic evidence exception” in Section 3(2) is a modification of the majority rule that extrinsic evidence is only relevant after the term is found ambiguous (i.e., has another reasonable interpretation).  Under Section 3, consideration of extrinsic evidence is relevant to determine whether there is another more reasonable interpretation of the term.

Insurers’ Duty to DefendSection 13 defines the applicable duty to defend standard as the traditional “potential for coverage” standard included in the “four corner/eight corners” rule adopted in most jurisdictions. Once the duty to defend applies, “[t]he insurer must defend until its duty to defend is terminated under § 18 by declaratory judgment or otherwise,” unless facts as to which there is no genuine dispute establish that:

(a) The defendant in the action is not an insured under the insurance policy pursuant to which the duty to defend is asserted;

(b) The vehicle involved in the accident is not a covered vehicle under the automobile liability policy pursuant to which the duty to defend is asserted and the defendant is not otherwise entitled to a defense;

(c) The claim was reported late under a claims-made-and-reported policy such that the insurer’s performance is excluded under the rule stated in § 36(s); or

(d) There is no duty to defend because the insurance policy has been properly cancelled.

The comments to this Section explain that the reasons behind it are based on public-policy concerns with allowing insurers to consider “an all-the-facts-and-circumstances approach” that extends well beyond the exceptions stated in Section 13 or elimination of the common rule that the insurer must pursue a declaratory-judgment action before rejecting its duty to defend. The comments also warn insurers against trying to include a contractual provision terminating the duty to defend in situations other than those listed in this Section unless it also contains a mechanism protecting the insured’s right to a defense.

Insurer’s Right to RecoupmentSection 25 (2) provides that an insurer defending under a reservation of rights is not relieved of the duty to make reasonable settlement decisions.  If the insurer decides to settle uncovered claims to cap its potential liability down the road, it cannot recoup any portion of the settlement payment unless that is allowed under the terms of the insurance contract.  The comments under this Section make clear that the no-recoupment rule is a default rule, which means that a contrary term in the insurance contract would prevail.

It will be interesting to see how this Section is applied in California where recoupment of uncovered settlement payments is allowed if the insurer complies with the strict requirements set forth in Blue Ridge Ins. Co. v. Jacobsen (2001) 25 Cal.4th 489, 502, and not any specific policy language.  Blue Ridge satisfied the prerequisites for seeking reimbursement for noncovered claims included in a reasonable settlement payment by asserting: (1) a timely and express reservation of rights; (2) an express notification to the insureds of the insurer’s intent to accept a proposed settlement offer; and (3) an express offer to the insureds that they may assume their own defense when  the insurer and insureds disagree whether to accept the proposed settlement.

The take-away here is that when there is no in-state law on an issue, a court’s resort to the RLLI, in conjunction with other sources, seems likely.  On the other hand, when there is precedent available, it seems unlikely that a court would opt to adopt the RLLI rule if it conflicts with well settled law. Time will tell what the impact and role of the RLLI will be on the cases in jurisdictions where the law is sparse on the topic or ripe for change.

If you have any questions or would like more information, please contact Gretchen Carner at [email protected].

DOJ and USCIS Join Forces Creating a Tougher Road for Employers

Posted on: May 18th, 2018

By: Layli Eskandari Deal

On May 11, 2018, U.S. Citizenship and Immigration Services (USCIS) and Department of Justice (DOJ) entered into a Memorandum of Understanding regarding information sharing and case referrals.  USCIS and DOJ state that this effort is meant to improve the way the agencies share information and collaborate on cases “to better detect and eliminate fraud, abuse and discrimination by employers bringing foreign workers to the United States.”  The Memo allows the agencies to share information and help “identify, investigate and prosecute employers who may be discriminating against U.S. workers and/or violating immigration laws.”

This Memo has been entered into by the agencies in the spirit of “Buy American and Hire American” Executive Order issued by President Trump.  This new collaboration most likely will lead to more audits, site inspections and requests for evidence and create a difficult path for foreign workers and their employers.

For additional information related to this topic and for advice regarding how to navigate U.S. immigration laws you may contact Layli Eskandari Deal of the law firm of Freeman Mathis & Gary, LLP at (770-551-2700) or [email protected].

9th Circuit Holds Inadmissible Evidence May Support Class Cert

Posted on: May 17th, 2018

By: Ted Peters

Courts around the country are split over whether admissible evidence is needed to support a class certification.  The Fifth Circuit requires it, and the Seventh and Third Circuits appear to be of the same opinion.  In contrast, the Eighth Circuit has indicated that inadmissible evidence can be considered.  On May 3, 2018, the Ninth Circuit join ranks with the Eighth Circuit when it issued an opinion indicating that certification of a class action can be supported by inadmissible evidence.

The case arises out of the district court’s decision to deny class certification to a group of nurses based, in part, on the finding that two of the named plaintiffs had not offered evidence that they were underpaid.  Their only evidence consisted of a paralegal’s analysis of time cards reflecting that hours were not properly calculated.  While perhaps not sufficiently trustworthy to be admitted at trial, the Ninth Circuit concluded that the district court prematurely rejected such evidence when ruling on whether the class could be certified.  The Court stated: “Notably, the evidence needed to prove a class’s case often lies in a defendant’s possession and may be obtained only through discovery.  Limiting class-certification-state proof to admissible evidence risks terminating actions before a putative class may gather crucial admissible evidence.”

The Court also concluded that, because there was no consideration as to whether the employer controlled the nurses after they clocked in, the district court misapplied the definition of “work” under California jurisprudence.  Lastly, the Court was critical of the finding that the law firm representing the putative class action was incapable of properly representing the class, focusing on “apparent errors by counsel with no mention of the evidence in the record demonstrating class counsel’s substantial and competent work on [the] case.”

If you have questions or would like more information, please contact Ted Peters at [email protected].

Winemakers Decan’t Warn a Consumer About Every Risk

Posted on: May 16th, 2018

A Pour Result for Plaintiffs’ Attorneys in California, but a Grape Win for Vintners

By: Robyn Flegal

In May 2018, the California Court of Appeals refused to revive a class action lawsuit claiming wines made by fifteen winemakers should contain an arsenic warning. The lawsuit was originally filed in 2015, alleging that these wines exposed consumers to arsenic in violation of California law. The panel of the California Court of Appeals held that the alcoholic beverage warning on these wines sufficiently notified customers about the potential risks associated with consuming the wine, despite the lack of a specific arsenic warning.

California’s Proposition 65—the safe drinking water and toxic enforcement act of 1986—protects the state’s drinking water sources from being contaminated with chemicals known to cause cancer, birth defects, or other reproductive harms. Prop 65 requires businesses to disclose exposures to such chemicals to Californians.

The appeals court held that the Office of Environmental Health Hazard Assessment requires companies to disclose one chemical for each health risk. Thus, because the alcoholic beverage warning alerted customers that wine could result in cancer and reproductive harm, the additional arsenic warning was unnecessary. The failure to provide a separate arsenic warning was therefore not a violation of the regulations.

Companies doing business in California should be aware of Proposition 65 and the labeling and disclosure requirements thereunder. For more information, please contact Robyn Flegal at [email protected] or any of FMG’s Commercial Litigation Professionals.