Corporate Noncompliance and Director Liability

Current literature is full of warnings about individual liability of directors when corporations violate governmental laws or regulations. I suggest that the practical risk for directors is minimal.

The United States Attorney General’s Office is out to emphasize that individuals can be criminally liable, not just corporations. Sharper focus results from a September 9th memorandum sent by Deputy Attorney General Sally Yates to all US attorneys, outlining key steps to “strengthen our pursuit of individual corporate wrongdoing.” Among other things, prosecutors will no longer soften corporate punishment unless disclosed information concerning the wrongdoing includes names of individuals involved. The corporate governance community is just waking up to the facial import of this memorandum.

It is easy to see how active management, failing to follow compliance programs or willfully violating them, can incur criminal prosecution. It is much harder to picture a director, serving only a director’s function, incurring individual liability. The role of the board is to establish a robust compliance program. There is a lot of guidance for how to do that: from counsel, from the government, and indeed from the National Association of Corporate Directors (which has robust materials in this regard). But once the directors adopt a compliance program, and then periodically ask for management to report on violations and efficacy, the directors step back and do not have an active role.

Commentators also now are making reference to the Delaware Chancery Court decision in the Caremark case, which broadly charges directors with a duty to attempt in good faith to assure corporate compliance, and suggests that “in theory at least, [failure could] render a director liable for losses caused by non-compliance with applicable legal standards.”

It is interesting to observe that numerous cases litigated in reliance on the Caremark decision have, to date, not resulted in a single determination of director liability even on a civil level. Further, since criminal prosecution requires intent, or such gross disregard and recklessness as to constitute intent, it is difficult to imagine that a director could be found guilty even under the expanded ambit of the Department of Justice pronouncements. Rather, I would anticipate greater liability on the part of management.

Nonetheless, it is conceivable that the Department of Justice or the SEC will pursue cases against directors in order to force greater attention and, the weight of Federal government prosecution being what it is, it may be that some director someday is going to have to take a plea. But under current law, notwithstanding the mild hysteria today prevalent, I think it most unlikely that individual directors can end up with enough culpability to be found criminally liable.

New Drugs? A Tortuous Path

A November 13 presentation at the Boston offices of Duane Morris, by Japanese pharma giant Takeda, addressed to a group of life science and healthcare investors, contained stark facts concerning the cost and difficulty of creating new, significant drugs outside the orphan drug niche.

The cost today to bring a new major drug to market averages about $2,800,000. In 1950 you could bring to market almost one hundred new major drugs for a billion dollars; today, not even one. The presenter suggested that we were experiencing Eroom’s law; in other words, Moore’s Law in reverse!

Takeda is looking for ideas leading to marketable pharmaceuticals. They may proceed either by funding academic research (with some technology rights to Takeda) or, alternately, investing through convertible promissory notes.

Takeda’s 2008 acquisition of Millennium Pharmaceuticals is not unusual, as big pharma is expanding through acquisition; it is common knowledge that internal development of blockbuster drugs has become too expensive and time-consuming to remain a major focus of these larger companies.

Strategy and Comp Alignment for Boards

What should compensation committees consider when determining executive compensation? The answer, according to an expert panel convened by the National Association of Corporate Directors in Boston on November 10th, seems to be: just about everything.

It is axiomatic that compensation must be aligned to advance corporate strategy. This means that compensation committees are getting more deeply involved in understanding corporate strategy, so that they may align executive compensation to advance strategic goals.

What about pressure from ISS and activist shareholders for current earnings? The answer is, you can’t run scared. You have to do the best you can, yet not end up with something that is outlandish. Further, you have to explain what you are doing, to your shareholders, so they are not confused.

What about metrics? Over 50% of public companies now look at TSR (“Total Shareholder Return”) as a factor in fixing long-term incentive compensation. This is backward-looking; there was discussion as to whether TSR is inappropriate, and how it might interact with, or conflict with, new SEC proposals for regulations linking pay to performance.

The panel also noted that companies like to relate their long-term compensation to their peer group, but with companies flopping over into different businesses, it is harder and harder to find real peers for purposes of compensation. Additionally, there is a conundrum in defining “long term” as opposed to “short term” goals; 70% of companies in one study indicated that their idea of “long term” involved only a three to five year time frame.

The biggest takeaway is that, in conjunction with fixing a combination of short-term and long-term compensation, it is necessary both to start with the company’s strategic goals and then to make sure that the C-suite and the next important tier of management are compensated under the same philosophy, so that all of the management team is pulling in the same direction.

A second important takeaway: companies cannot be complacent by de-emphasizing long-term and even mid-term strategy, as even prosaic companies with established businesses, products and client bases are changing rapidly in the current environment. Strategic planning for the long term is essential for virtually every business, and boards ignore this reality at their peril. This creates tension between the investments necessary for long-term sustainability, on the one hand, and marketplace pressure for immediate yield on the other.

Finally, and not discussed: if boards and therefore compensation committees owe a duty to their shareholders (as opposed to the company as an entity), why do not boards start with a detailed analysis of the demographics of their shareholder base to see what their strategy ought to be? That is different from listening to shareholders who reach out to you, and different from recognizing that ETFs and index funds now control the majority of investment in American companies. This has to do with defining the first step: what in fact is the cohort in your particular company to which you owe your fiduciary duty? If a majority of your investors are, in a given case, short or mid-term, don’t you have an obligation to have a strategy, and a compensation plan, that focuses on immediate returns (as opposed to what otherwise might be defined as long-term strategy)?

True Crowdfunding at Last

On October 30, the SEC at long long last promulgated final rules for true crowdfunding, a mere three and a half years after receiving instructions from Congress to do just that.  Whether this Federal program will replace other crowdfunding solutions, some of which rely on the intra-State offering exemption and some of which require accredited investor status, remains to be seen.  The Federal program opens investments across state lines to all persons, not just accrediteds.

Today my assistant delivered the 686-page SEC release to my desk, so you will note that granular details are omitted in this post. Surely law firms, including mine, will rush to provide detailed legal alerts as to the restrictions, mechanisms and dollar limitations included in the rule and, in any event, that level of detail is inappropriate for a blog post. Over time I will try, rather, to suggest how this final rule does, and does not, fit into the capital formation matrix.

Note that the rule is effective 180 days from publication in the Federal Register, so you will not be seeing deals immediately (the funding portals part of the rule is effective January 29, 2016, to give the portals time to prepare for the deal onslaught).

Many companies and institutional investors bemoaned the current crowd-funding options as encouraging dumb money. Since the bar to invest under this definitive Federal scheme is much lower than required accredited investor status (indeed someone earning less than, or having a net worth less than, $100,000 is entitled to invest the greater of 5% of net worth or annual earnings or $2000, making an equity play akin to someone’s budget for lottery tickets), we will be seeing a lot of dumb money if this exemption gets heavy use.

And perhaps a lot of fraud upon the unsophisticated, the very fear that slowed the SEC adoption process as it struggled with the balance between the legislative mandate and the SEC role of public protector.  Democracy in the seed capital market could end up being pretty ugly….

The Future of Wearable Medical Devices

80% of mobile “wearable” medical devices today are focused on the treatment of chronic disease; some are good, some “garbage,” and in any event more than half of them will disappear in three years.

This was the view expressed by an expert panel convened in the Boston Office of Duane Morris on October 16; the panel included executives from Samsung, Vodafone, Brigham and Women’s Hospital and Zaffre (the venture capital arm of Blue Cross/Blue Shield of Massachusetts).

Wearables today focus on that which can be seen or measured; diabetes, blood pressure, hypertension, and of course the number of steps we take each day. These apps can integrate with application of medicine as needed.

However, the panel does not see this as the primary future of medical “wearables.” Rather, the focus should swing toward monitoring “wellness” by emphasizing

Company Resistance to Activist Shareholders

Company resistance to activist shareholders is most successful if management is transparent, is willing to listen to activist shareholders, is open to new ideas, has a pre-existing plan on how to deal with activist shareholders, and closely monitors transient shareholding so companies know in advance who may be ringing their door bell.

A panel of experienced directors advised an audience at the October 20 meeting of the National Association of Corporate Directors-New England Chapter that activist shareholders seek contact with directors as well as stockholders. There was a division of opinion as to the role of directors in interfacing with activists. Some believed that bringing “relevant directors” into contact with activists, or indeed with long-term investors, could be valuable in giving a “sense of how the board supports or challenges company corporate strategy.” Others expressed concern that not all directors were “suitable” to interface with shareholders, citing fears of selective disclosure and violation of SEC Regulation FD.

The one institutional investor on the panel set forth the standards that that institutional investor used to evaluate companies, noting that they had their own specific criteria and did not follow recommendations of proxy advisors such as ISS: Does your board have sufficient subject matter expertise in your space, have you avoided anti-takeover provisions, is its compensation tied to performance over at least a three- to five-year period such that management has “skin in the game,” and earnings performance over “at least” a five-year period? Since institutional investors will likely own your company for the long haul, and since most activist investors will not, this institutional investor is particularly selective in determining whether to support, or not support, the activists.

Most startling takeaway: None of the panelists, when asked about “diversity” on the board of directors, seemed particularly interested in gender or other diversity, emphasizing in all instances the need for robust specific subject matter experience: financial expertise, domain expertise, experience with the government in those industries involved in defense. Skill sets, not gender or other diversity issues, were universally emphasized.

Officer, Director Liability for Lay-Offs?

A United States Bankruptcy Court has just decided a case indicating the possibility of individual director and officer liability where a bankrupt company had failed to provide advance notice of an intention to reduce staff. The case arose under the so-called WARN Act, a Federal statute applicable to businesses with one hundred or more employees, and under similar state law. These laws require that employees receive prior notice (federally, sixty days) of plant closings or mass layoffs.  Failure to comply results in liability for back pay, interest, penalties and attorney’s fees.

The theory of the case is that officers and directors, in failing to give statutory notice, incur liabilities on behalf of the company itself. Creating such a liability constitutes breach of fiduciary duty to the company, which a bankruptcy trustee can pursue against the officers and directors.  As a planning matter, a company with tight cash flow, particularly forecasting that cash will run out, should count back from that date of expected insolvency to calculate when the requisite statutory notice of layoffs must be given.

Theoretically, even absent a bankruptcy, minority shareholders might ultimately be allowed to assert a derivative claim, against officers and directors who have failed to give appropriate notice and thus incurred unnecessary company liability.  Note: as of today, I am aware of no case so holding.

Who’s Got the (Shareholder) Action?

Those acquainted with the musical show “Guys and Dolls” know that the key question on the lips of every wise-guy with a pair of shaved dice in his pocket is, “who’s got the action?”  Which leads us to a comment on those modern-day craps shooters, the activist shareholders.  But the activist shareholder landscape is changing….

First, activist funds have gotten far more interested in small-cap companies.  The problem there, for the companies, is that these are most unlikely to have a plan in place to deal with the activists; at least, so claims the National Association of Corporate Directors.  (Still, big fish attract big anglers:  Nelson Peltz’s Trian Fund just bought $2.5B of GE stock, though their exact agenda remains unclear.)

Another change is that we have come a long way from the corporate raiders of a generation ago (think Gordon Gekko). Activists dig deeper, generally are more measured in tone, and try to improve performance by getting board seats and getting ideas adopted.

Bill McNabb of Vanguard (they run at last count $3.3B of other people’s investment funds) says he is approached continually by activists, seeking an ally. They respond only to those whom they evaluate as having better track records. But Vanguard itself has a history of modest activism, per McNabb; in 2014 his Funds sent 923 letters to companies commenting on Vanguard perceptions, 358 of which suggested “governance structure changes.”

Governance advice from Vanguard: your board should have a shareholder relations committee to provide direct access to market perceptions; IR should support, not get in the way.  McNabb thinks that they have valuable data for the board.  Not clear why that data could not be conveyed to management as in the past, however, unless management itself is perceived as the problem….

Most counsel and governance experts like to concentrate communications with shareholders in very few hands to make sure the company’s message is consistently and accurately portrayed and to avoid violation of regulation FD (leakage of confidential information).  But the ground-rules are changing here, as shareholders seek more direct methods of peaceful input.



FDA on Future of Med Device Cyber Security

In my immediately prior post discussing a presentation by Suzanne Schwartz of FDA relative to cyber security in medical devices, I noted that the FDA had proposed regulatory actions during the next twelve months.

Hopefully by the end of calendar 2015, but not later than early 2016, FDA intends to formally articulate a policy concerning “post-market expectations.” One of the major issues in cyber security is that there is a large installed base of devices already in the marketplace, so that work done on new devices will not cure the existing marketplace risk. Guidance for what is expected from device manufacturers should be forthcoming.

The FDA also hopes to adopt the NIST framework relating to cyber security, making it understandable and applicable to medical devices. (For those not deep in the alphabet game, “NIST” is the National Institute of Standards and Technology.)

FDA proposes to provide a vulnerabilities scoring system for medical devices, with sensitivity to the context in which end-users come in contact with such devices.

Schwartz also discussed, albeit in general terms, premarket guidance. They want to see products where security is “baked in,” not “bolted on.” They want to see that you have applied a process for software validation. For new devices, in connection with FDA submissions they expect to see risk analysis, provision for response and ongoing monitoring, and a patch program. They are also interested in getting a sense for what they call “cyber hygiene,” which is a combination of good design, control of access to the software and a provision for routine “servicing” of the software.

With respect to medical devices already in the marketplace, “FDA generally will not need to review or approve medical device software changes made solely to strengthen cyber security.” This approach seems to be an effort to facilitate speed in fixing cyber problems identified in the marketplace.

Aside from FDA identification of resistance within the device industry to collaboratively addressing cyber issues, the various speakers in the aggregate made a compelling case for robustly addressing the issues presented. By the end of the decade, it is estimated that there will be twenty-six billion devices connected to the internet, and while most will not be medical devices, many of them will be. One speaker estimated that as much as forty-five percent of all of last year’s data breaches or hacks were in the medical field (hospitals, insurers, devices and the like). Theoretically, aside from fraud risk, hacking into medical devices could erase records, overload systems so as to create a DoS (denial of service) shutdown, expose patients with online implants (such as pacemakers) to extortion threats, and even (in one reported case) permit a patient to hack into his medical drip to increase the flow of narcotic painkillers.

And with the explosion of “wearable” devices, including Fitbits, the opportunities for device hacking will do nothing but proliferate in the future.

FDA on Cyber and Med Devices–Part One

The biggest problem in combating medical device cyber-attacks is not technological; it is the secretive reaction of med device companies when confronted with evidence that their devices can be hacked, leading to a refusal to disclose any information about the hacking incidents.

At the Thursday, October 1st conference organized by MassMEDIC (the Massachusetts organization of medical device companies), Suzanne Schwartz of the FDA politely threw down the gauntlet. Schwartz is the Director of Emerging Preparedness of the Center for Devices and Radiological Health at FDA; she expounded at great length on the FDA’s perceptions and expectations with respect to cyber security matters.

Schwartz called upon the industry to act collaboratively to identify cyber risks. She asked: aside from a shared desire to protect and heal the public, what is going to motivate competitors to disclose cyber risk information? Do we need a total disaster? Should the FDA impose a penalty (she asked with apparent innocence)? Or, will the industry not adopt a more collaborative approach?

She reviewed a series of executive orders from the President and applicable guidance issued by the FDA, and made reference to last October’s FDA public workshop on cyber security of medical devices (presented in conjunction with the Department of Homeland Security and the Department of Health).

Another problem is the sometimes confrontational nature of dialogue between hackers and companies. She called for civility on both sides. “Security researchers are not the enemy here.”

Two established medical device companies of some size and stature, Boston Scientific and Philips Healthcare, presented in a separate panel with respect to their practices. It is not surprising that each described robust attention to cyber security during the entire device design process and a willingness to share disclosure with others in the industry (while protecting trade secrets from competitors); each described a corporate program which no doubt the FDA (whose key representative was also listening to the presentation) will find most comforting. It was almost as if a different industry were being described by these presenters compared to FDA’s scenario, which is not to suggest that their companies do not follow the robust procedures they mentioned. It is also perhaps not surprising that the companies which were willing to disclose their procedures are those with the best procedures; it is not likely that a company with poor ratchet on cyber hacking of medical devices would step forward and present in this particular setting.

A subsequent post will outline proposed FDA actions during the next twelve calendar months, and provide premarket guidance on FDA review of devices and related software.