Massachusetts Regulation of Cyber Security in all Businesses

There is a specific Massachusetts governmental regulation concerning protection of personal information of residents of the Commonwealth. This regulation protects individuals, corporations, partnerships and other entities. It imposes obligations on any company which retains “personal information,” which is defined as the resident’s name plus any one of: social security number; driver’s license number or State-issued identification number; financial account number, or credit or debit card number, with or without security or access code.

Any business that has personal information about a Massachusetts resident, by ownership or by license, must have a “comprehensive security program” that contains “administrative, technical, and physical safeguards that are appropriate” to the size and nature of one’s business and data. There is a long list of specifics which must be contained in the security program.

Additionally, the holder of personal information must have provisions protecting computers, including any wireless system, that conform to an additional long list of specific user controls, including authentication, selection of passwords, restricting and blocking unwanted access, encryption for information over public networks, up-to-date software, and training of employees.

It is axiomatic that cyber security is just not a “financial records” issue. Many companies possessing personal information are already closely monitored by reason of their business, for example health care and financial services. But even the simplest of businesses must comply with Massachusetts law.

One more thing: if your business possesses personal information that is going to the EU, there are particularly draconian regulations, with massive government fines, of which you should be aware.

Cyber Breach: Whom do you Call First?

Whom do you call first when you discover that your system has been breached? Luckily for lawyers, the right answer clearly seems to be “call your lawyer first.” This means before you call an outside company to remediate, or your public relations firm to guide you in appropriate disclosure. This is particularly true with respect to companies with in-house counsel.

Generally, communications between a company and its counsel are privileged and not discoverable. Sometimes, however, in-house counsel, simply by acting in the ordinary course, may waive that privilege where counsel is functioning more as a business executive than as an attorney. If you first contact outside counsel, and have outside counsel supervise the audit of the breach (hiring the third-party experts), and if your communications relative to fault are between the company and outside counsel, then the privilege which protects communications with your lawyer will be preserved; only facts you want disclosed will become public.


Director Fiduciary Duty: Massachusetts Changes

The common understanding is that boards of directors owe fiduciary duties to the shareholders. This is the “Delaware rule” and has been understood until now to apply also to Massachusetts corporations.

Not so fast.

Although the rule in Massachusetts remains that the board duty runs to the shareholders in closely held companies (where the Massachusetts approach has always been similar to imposing the kinds of high fiduciary standards expected from partners), a recent decision of the Massachusetts Supreme Judicial Court changes the rules for publicly held entities.

In the high-profile acquisition by Dell of Massachusetts-incorporated EMC, the transaction was structured by EMC’s holding company merging upstream into Dell, rather than having EMC sell each of the individual EMC operating companies separately. Shareholders sued the directors, claiming that the proper way to maximize shareholder value was to sell each individual unit and have a separate price for each.

The Supreme Judicial Court dismissed the case, establishing a new rule for public corporations in Massachusetts. Citing the Massachusetts Corporation Act, which makes it clear that directors must hold the reasonable belief that they act in “the best interests of the corporation,” and further citing the statute to the effect that in so acting directors may consider other constituencies including employees, creditors, customers and societal considerations, the Court broke with the Delaware rule as it relates to public companies.

This does not mean that disgruntled shareholders have no recourse against directors. They can always make demand on the board, asking the independent members of the board to find that the directors violated their duty to the corporation. But direct litigation by shareholders of public corporations (absent self-dealing) now will no longer be permitted in Massachusetts.

It should be noted that the SJC applied the literal language of the statute in articulating the obligation of corporate directors to public companies. But the statute itself makes no such distinction, and the SJC seemingly has retained its interpretation that the duty of directors in private Massachusetts companies runs directly to the shareholders notwithstanding the language in the statute.

I bet the legislature didn’t have this dichotomy in mind when they passed the statute!

Crowd Funding: Problems, Problems…

Yesterday I blogged the start of the joint SEC/NYU “Dialogue” on federal crowd funding for the sale of securities. Late yesterday SEC Commissioner Stein released a public statement on matters addressed by that Dialogue, suggesting that not only is crowd funding still rare but also that it is suffering from a variety of weaknesses.

All transactions must be done through FINRA-regulated “funding portals” which must make sure that the company disclosures required by the SEC Rule are posted (investors cannot deal directly with issuers). No big surprise here: weakness in enforcing disclosure led to offers being withdrawn, and one portal was expelled. Is there a “race to the bottom” whereby portals are lax for the purpose of attracting business? Does this problem require even further regulation by the SEC?

About a quarter of the crowd funding was with SAFEs, an instrument that is a contract to sell securities at a discount once there is a priced subsequent round of investment.  The SEC asks if retail investors are sophisticated enough to understand that this is not equity, not debt, that a company may never have a subsequent priced round of investment and thus the investor has — zero?  This is a legitimate regulator’s concern, but that very same question fairly could be addressed to the entire idea that retail investors should be making these kinds of investments in the first place; this latter concern resulted in a multi-year delay in the SEC even permitting these transactions notwithstanding being specifically charged with doing so in the JOBS Act.

Finally, there is great geographic concentration among companies using the portals; 60% of all deals, and 90% of all closed funding, were in California, Texas and along the East Coast.  The SEC asks if they should undertake further outreach to educate entrepreneurs elsewhere. The question was emotionally presented: can the SEC make crowd funding “accessible to everyone from the businesswoman in Missouri to the immigrant in West Virginia”?   The thought was not expressed that perhaps that businesswoman and that immigrant were just too smart to engage in this process to begin with….

I close with an anomaly which, readers here know, is a class of logical disconnects which always intrigue me. Our economy and regulatory scheme seem to be fostering investment by retail investors in speculative new companies at the same time that retail investors have somewhat abandoned the public marketplaces, where information is far more robust and substantive protections for the investor are clearly in place. As a matter of policy, that may be exactly the wrong result…

Crowd Funding: SEC Trend?

The current Administration of course is suspicious of government regulation.  The Acting SEC Chair, Michael Piwowar, a conservative Republican who has been on the Commission for a long time, has suggested that the SEC may further deregulate crowd funding to facilitate access by small business to broader sources of capital.

In remarks this week to the SEC-NYU “Dialogue on Securities Market Regulation,” Piwowar speculated that companies benefited by crowd funding might not otherwise find financing, while the JOBS Act had authorized crowd funding to reflect bi-partisan Congressional support to empower entrepreneurs in this very fashion.

Crowd funding has been legal at the Federal level for less than a year, but it has been very sparingly used.  Only 163 deals have been offered over the mandatory “funding portals” and only 33 have completed their raises to the tune of only approximately $10 Million.  The Dialogue aims to evaluate experience to date; Piwowar is suggesting he may look for ways to juice up this approach.

It took about four years after the JOBS Act for the SEC to enact Rules permitting crowd funding, and the reason is that crowd funding solicits money from poor people for small projects about which precious little analytical information is available.  Securities professionals typically view these kinds of small retail investors as providing “dumb money” and not the kind of support emerging companies need.  Since most emerging companies seem to fail, inducing poorer investors to inject money into them may sound like democracy in action but may have negative unintended consequences.

The data to be generated may well be informative, but should be analyzed critically based on the facts, not in terms of advancing a philosophical agenda of deregulation. Is there a “wisdom of the crowd” in this arena? Those of us who work regularly with investors in early stage companies know that even well-conceived enterprises that have passed sophisticated diligence are prone to failure, which is why a smart portfolio consists of many “bets” in the hope that at least some of them produce profitable returns.



Start-up to Exit: Role of the Board

As a company progresses from early stage through growth to some sort of an exit (acquisition, IPO), the role of the Board must change so as to provide requisite skill sets to match the needs for these different company stages.

This was the primary take-away from the National Association of Corporate Directors-New England’s February 14 Boston Breakfast Meeting, which offered a panel of entrepreneurs who are leading growth companies (all of which had an IPO).

A typical trajectory for company expansion was identified:

First, a formative stage where the Board must lead the development of the technology and the proving of the business model.

Second, various stages of financing through growth mode and thereafter often an expansion through M&A.

Third, many companies themselves go public or are acquired.

Management must guide the evolution of the Board, identifying the particular needs at each stage, and easing people off and on the Board as appropriate.

Many emerging companies combine the chairmanship with the CEO role, which is not thought to be best practice. Indeed, in Europe, this is viewed as an inherent conflict of interest. Panelists noted that a strong, independent lead director is a counterbalance to the tensions created by the same person serving at the top of the company and of its supervising Board.

Aside from orchestrating the composition of the Board, CEOs must make sure that everyone is reasonably aligned; this means management and the Board but it also means dealing with the investors. There are particular tensions where early investors are looking for an exit while later investors tend to have a longer-term strategy. Does this mean the Board must always be thinking about exit, or sale? One panelist replied in the affirmative; you must look at the one, three and five year projections for your business, in terms of growth and business cycles; a sale, if not an overwhelming imperative, is always an option to be kept in mind.

A question from the floor asked whether Boards need to include someone adept at cyber security issues. While the panelists believed this was a growing trend and that cyber security was very important, growing companies have so many Board needs to fill and so few slots that, at least at an early stage, including someone with cyber capabilities is not the general practice. It was suggested that the company can have a series of advisory boards, one of which typically may be involved in the company’s science or business, but one could also be directed toward IT and cyber security issues.

Finally, what about founders? They generally were described as short on patience, and not wanting to stick around awaiting a liquidity event. There is sometimes tension as founders, moved aside into advisory or technical roles, may undermine the growth-oriented and exit-oriented management teams. How do you move a recalcitrant founder aside?

The consensus: very carefully.

Executive Comp and the new Administration

In the current state of lack of clarity as to where proposed deregulation by the new US administration may lead us, certain significant current aspects of executive compensation practices typical of larger enterprises may be subject to radical change.  Such changes can cause massive revisions to what are currently the standard models used in such circumstances.

These are complex areas but executives (and boards) should be alert to the following:

One million dollar rule: Public corporations cannot deduct CEO/highest paid employee pay if it exceeds $1M unless that pay is keyed to specific performance metrics.  If the corporate rate drops to 15% as proposed, there is less incentive for the company to limit fixed compensation.  Also, non-qualified stock options and performance based stock, exempt from the $1M rule, will become less attractive.

Incentive stock options: ISOs have fallen in favor as they deny a corporate deduction and the AMT reduces the tax advantages to employees.  The administration wants to repeal the AMT, which may help rejuvenate ISOs.

Deferred comp: Nothing is so confusing in the executive comp area as rules relating to deferred compensation under Section 409A (to defer tax on income until actually paid, close adherence to the controls in this Section must be observed).  Although Pearl Meyer (well-regarded executive comp consulting firm) states that the new administration has yet to address 409A, they also note that recent legislation has been proposed to alter or even reverse the practice under 409A, thereby upsetting many years of meticulous deferral planning.

SEC disclosure rules: No doubt these are under administration attack, but some are so entrenched in business practice that repeal today will not much matter. I have posted re the pay ratio rule that is under clear siege even before its effective date, but existing rules requiring advisory say-on-pay stockholder votes and committee independence have lives of their own. Say-on-pay may have the unintended company benefit of being the canary in the coal mine: better to learn of shareholder unrest, in this day and age, by means of a non-binding straw poll than to learn of it from a proxy fight or activist attack.

SEC: Reconsider (Kill?) Pay Ratio Rule

Just over the internet, via SEC Release: Conservative SEC member Piwowar, acting chair, has solicited input on compliance problems being faced by reporting companies in meeting the disclosure requirement, starting with respect to this year, of the ratio between CEO pay and median pay of all company employees. A Congressional mandate designed to shame CEOs into moderating the rise in their average pay, and a stupid idea from the onset, the pay ratio rule was delayed by years within the Commission even when the liberal Democratic majority was in charge.  Interestingly, Piwowar as acting chair is adopting the “bleed them til they die” approach, not waiting around for Congress to outright kill this disclosure requirement (as I am sure they will).  He went out fishing, whoops I mean asking, for companies to send to the SEC enough industry-driven excuses to support what is no doubt his goal: to defer effective date, and let companies stop spending time and money in gathering data, until Congress itself kills this foolishness.  You cannot “disclose” CEOs into pay submission, and Congress should have been ashamed of itself to even try.  There may be a lot good in Dodd Frank that gets shot down, but the pay ratio rule deserves its own quick death.

Directors vs Trump?

Directors must increase shareholder value.  That is the law in almost all instances; the variables are timing and selection of method.  Activist shareholders are likely to be the major watchdog over adherence to this obligation.

Trump pushes for domestic siting of facilities and, presumably, sourcing of components.  US labor and other costs are high.  Products will cost more to produce.  Such products may be at competitive disadvantage.  Trump cannot directly force the company to select US vs foreign growth.

What do directors do?  What policy postures should a board discuss with, or insist upon for, the CEO?  Trump’s unorthodox, direct approach already has impacted some corporate actions, and drawn philosophical criticism from many, including on the editorial page of the Wall Street Journal.

Boards, as the strategic leaders of a company, need to engage these issues now.  What guidance can they find?  Aside from knowing their industry and company, and aside from prodding management to engage these issues (though hard to believe management is not self-motivated), what outside resources are available to define the methodology of board actions? How does the board approach its minutes in this circumstance?  The answers to these latter questions will evolve promptly in the marketplace; even now, one day after inauguration, the National Association of Corporate Directors has proposed some guidelines for Board process.

Healthcare: Trends amid Chaos

It is common knowledge that in the delivery of healthcare most professionals believe that the trend will be away from “fee for service” and towards “fee for performance,” which means that providers will be paid to treat an entire population as opposed to being reimbursed for given visits or procedures. In practical terms, how will this trend play out?

James Agnew, Vice President of Corporate Development and Acquisitions for Tufts Health Plan and Tufts Health Ventures, an HMO unaffiliated with Tufts University but with an investment arm deploying capital into the marketplace, discussed some aspects of this trend at the Thursday morning breakfast meeting of the Boston Chapter, Association for Corporate Growth. Some high points are set forth below.

Big hospitals, providing healthcare in acute circumstances, are extremely expensive. One of the trends must be to bring healthcare out of the hospitals, to the extent possible, and provide healthcare through health systems, mobile medicine, in-home monitoring and similar solutions.

One overall consideration is how to deliver healthcare in the current regulatory environment. Cooperation between providers and payors (such as Tufts) will be essential. Tufts is active in all three healthcare delivery markets: commercial coverage, Medicare and Medicaid.

Electronic medical records are part of the solution, but the data are extremely difficult to collect. Partners is paying about $1 billion to install the EPIC software, after having spent hundreds of millions of dollars on a prior failed attempt. Agnew believes that ultimately electronic data will be aggregated and the companies which do the aggregation will be much like utilities; a provider or an insurer in search of data will buy the data from a central source the same way one buys electricity.

Tufts seeks investments or acquisitions in hospitals, regional health plans and companies that provide coordination of medical services. They are also interested in companies that foster “consumer engagement,” as healthcare moves more to the home and away from the hospital. They have an interest in wearables and telemedicine, but are slow to embrace direct investments in medical devices. They avoid the complexities of the pharma space.

The landscape is chaotic for healthcare today. The myriad directions in which Tufts is looking to expand and invest echo the complications of this environment.