Supreme Court today said, the process (of filing of an objection by those whose names are not in the list) should be fair. The standard operating procedure should be applied. #NRCAssam -ANI

Train Delays have become a Bane for the Indian #Railways under Modi Govt. Lok Sabha Reply by Minister @PiyushGoyal testifies it!pic.twitter.com/zzKJ0Pfg4j

Dutch Court Declares Largest-Ever European Investor Claims Settlement Binding

On July 13, 2018, the Amsterdam Court of Appeals finally approved the €1.3 billion ($1.5 billion) settlement of a series of shareholder claims against Fortis in the wake of the global financial crisis. The settlement, which had first been announced in March 2016 by Ageas, Fortis’s successor in interest, faced a number of judicial objections and concerns, resulting in changes to the settlement as originally proposed. According to a July 27, 2018 Law 360 article by Jonathan Richman of the Proskauer law firm and Ianika Tzankova of Tilburg University (here), the court’s recent approval “again shows” that the Dutch settlement procedure “remains a viable settlement vehicle for companies wishing to resolve transnational problems on a classwide, opt-out basis.” On the other hand, claimants’ attorneys have questioned whether the court’s rulings on class distribution and attorneys’ fees could discourage institutional investors from seeking to use the Dutch settlement procedures.

The Amsterdam court’s July 13, 2018 order (in Dutch) can be found here. An unofficial English translation of the court’s order can be found here. The parties’ Second Amended and Restated Settlement Agreement dated April 13, 2018, which the court approved in its July 13 order, can be found here.

Ageas’s July 13, 2018 press release announcing the court’s approval can be found here. A July 13, 2018 press release from the Grant & Eisenhofer law firm, which represented the foundation Stichting Investor Claims Against Fortis (SICAF) along with the Kessler, Topaz, Meltzer, & Check and DRRT law firms, can be found here. The Kessler Topaz law firm’s July 17, 2018 press release can be found here. The DRRT law firm’s July 17 press release can be found here.

Background Regarding Fortis

Prior to the financial crisis, Fortis was a global banking and financial services company based in Belgium. Fortis participated in a consortium of banks (including RBS and Banco Santander) in acquiring ABN AMRO, which was at the time the largest-ever bank acquisition. The transaction depleted Fortis’s balance sheet just as the financial crisis began to emerge.

On September 29, 2008, the governments of Netherlands, Belgium and Luxembourg agreed to bail out Fortis, but only if it were to sell its troubled stake in ABN AMRO. A September 30, 2008 Wall Street Journal article about the action of the three governments, and the role of the ABN AMRO transaction, can be found here.

On October 4, 2008, the Dutch government took over the company’s operations for 16.8 billion Euros ($23 billion). An October 6, 2008 Wall Street Journal article describing the government takeover, including the sale of Fortis banking and insurance assets to BNP Paribas, can be found here.

The U.S. Securities Class Action

As discussed here, on October 22, 2008, Fortis shareholders filed a securities class action lawsuit against Fortis, certain of its directors and officers, and its offering underwriters in the Southern District of New York, seeking damages based on alleged violations of the U.S. securities laws. In their amended complaint, the plaintiffs alleged that the defendants misrepresented the value of its collateralized debt obligations; the extent to which its assets were held as subprime-related mortgage backed securities; and the extent to which its ill-fated decision to acquire ABN-AMRO had compromised the company’s solvency.

In a February 2010 decision (discussed here), then-District Judge Denny Chin entered an order, applying the then-applicable jurisdictional standards under the Second Circuit’s opinion in the Morrison case, granting with prejudice the defendants’ motion to dismiss.

The Shareholder Foundation Actions

As discussed here, in a January 10, 2011 press release (here), two U.S. securities law firms announced that they had filed an action in Utrecht Civil Court on behalf of a specially formed foundation, Stichting Investor Claims Against Fortis. An English translation of the lawsuit can be found here. The action was filed against Ageas NV/BV, as Fortis is now known, certain of its directors and officers, and its offering underwriters.

A separate Dutch shareholder foundation, Stichting FortisEffect, also was organized on behalf of Fortis shareholders (as discussed here). In addition, the Dutch shareholder group VEB also organized an effort in the Netherlands on behalf of Fortis shareholders (refer here). Shareholder rights group Deminor separately filed an action against Fortis and its directors and officers in the Commercial Court in Belgium (as discussed here).

The Dutch Collective Settlement Procedure

By way of background with respect to the Netherlands class settlement procedures, the Dutch procedures are derived from the Act on the Collective Settlement of Mass Claims, known in the Netherlands as the “WCAM.” The Act, which became effective in 2005, allows parties to a settlement agreement to request that a Dutch court declare the settlement agreement binding. The agreement must be concluded between, on the one hand, one or more potentially liable parties and, on the other hand, a foundation or association representing persons on whose behalf the settlement agreement was negotiated. If the Court does declare the settlement agreement binding, the agreement then binds everyone covered by its terms, unless an affected person decides to opt out in writing within a certain time period after the binding declaration. A summary of the Act, its procedures, its binding effect, and its use in connection with the settlement of international claims, can be found here.

The procedures described under the Act have been used in the past in connection with several high-profile collective investor actions. In the first and (until the Fortis settlement) highest-profile use of the Dutch procedures, on May 29, 2009, the Amsterdam Court of Appeals approved the $381 Royal Dutch Shell settlement (as discussed here). In addition, as described here, two groups acting on behalf of the non-U.S. investors in Converium Holding entered settlement agreements with Scor and Zurich. The total amount of the two settlements was $58.4 million. As discussed here, on January 12, 2012, the Amsterdam Court of Appeals held the Converium settlements to be binding, meaning that they are presumptively enforceable throughout the EU.

The Fortis Settlement and Subsequent Procedures

In a March 14, 2016 press release (here), Ageas announced the settlement of the Fortis shareholder claims pursuant to the Dutch collective settlement procedures, including settlement with the various Dutch shareholder foundations and encompassing the separate proceeding in Belgium. The parties submitted the agreement to the Amsterdam Court of Appeals in accordance with the WCAM procedures and jointly requested the Court to declare the settlement to be binding.

As it turned out, the effort to have the settlement declared binding hit a number of obstacles. One set of issues that arose with the court related to the differential, in the proposed settlement, between the recoveries to be allocated to active claimants and those to be allocated to nonactive claimants. As originally proposed, the active claimants were to receive a larger portion of the settlement than the nonactive claimants. In a June 2017 decision (here, in Dutch), the Amsterdam Court of Appeals rejected this proposed allocation, saying that while there could be differences in recoveries based on substantive differences in the various proposed class members’ claims, the differences in compensation could not depend solely on whether or not a claimant was active. The court also indicated that it would not object to incentive awards as long as the awards were related to the claimants’ reasonable costs and expenses. The court allowed the parties leave to file further submissions detailing the parties’ funding arrangements, fees, and costs. This further phase presented the parties with a number of challenges, as the various claimant groups were organized in differing structures, with different funding arrangements.

As a result of further negotiations following the Court’s June 2017 hearing, the parties amended their initial settlement agreement. Among other things, Ageas agreed to increase the settlement amount by an additional €100 million (to the final amount of €1.3 billion). The amended agreement provided that active and inactive claimants would receive the same amount, with active claimants to be entitled to receive an additional 25% to cover their costs and expenses. Class members will now be given notice of the settlement and an opportunity to opt out of the settlement if they wish to do so.

Concerns About the Final Settlement

The Court of Appeals’ most recent decision involved a number of key features, as is well detailed in the Law 360 article to which I linked above. The Court’s various findings with respect to the division of the settlement proceeds between the active and inactive claimants and with respect to the claimants’ fee recoveries have drawn particular attention.

In a very interesting July 16, 2018 post on her On the Case blog (here), Alison Frankel reviews the concerns that some of the plaintiffs’ lawyers involved with the settlement have raised about the court’s final ruling. Her article quotes attorneys from both the Grant & Eisenhofer firm and the Kessler Topaz firm as saying that the revised terms will “actually discourage institutional investors from using the Dutch system.” The Court’s insistence on equal treatment between active and inactive claimants, according to the commentators, effectively tells institutional investors not to bother with the expense of joining a stichting, because they won’t be rewarded for the effort with a premium recovery, so they might as well avoid the cost and let someone else pay.

The Court’s decision also raises questions about the claimants’ eventual recovery of their fees for funders and lawyers; while the court did not eliminate the recovery of fees, the court made it clear that negotiated fees, even those to which a defendant has agreed, will be reviewed by the court and evaluated as part of the court’s overall reasonableness assessment. As a result of these concerns, the commentators suggested, fewer big money investors will sign up for stichtings, meaning that the representative group would be negotiating from a weaker position.

On the other hand, Frankel also quotes Jeroen van Kwawegen from the Bernstein Litowitz firm as saying that the Amsterdam Court in the Fortis settlement didn’t change the stichting lawyers’ ability to ask for fees based on the global recovery, just demanded that the fee arrangements be disclosed. He also disputed that institutional investors would actually be deterred from being actively involved in recovery efforts; he expects that institutional investors will join legitimate settlement stichtings to have a voice in the negotiations with defendants, not merely because of the prospect of fees based on the collective recovery.

Discussion

Regardless of these questions about the Court’s dispositions with respect to allocation of recoveries and fees, the Dutch WCAM procedures present an attractive alternative for parties seeking to achieve a transnational resolution of claims on a classwide opt-out basis. The U.S. is the only other jurisdiction whose procedures allow for resolution of class claims on an opt-out basis. However, because of the U.S. Supreme Court’s Morrison decision and its limitation on the extraterritorial reach of the U.S. securities laws, the U.S. procedures will not be a viable alternative in situations arising outside the U.S.

While there are procedures in other countries (for example, the U.K. and Germany) allowing for the resolution of claims on a group, mass, or class basis, these procedures operate on an opt-in basis. As the Law 360 article to which I linked above notes, “in many respects, the WCAM is still the only game in town for a defendant (or prospective defendant) that seeks total peace.”

These aspects of the Dutch procedures are already sufficiently attractive and well known that investor claimants seeking to pursue claims against a variety of companies from outside the Netherlands have formed shareholder foundations to try to use the Dutch procedures to achieve a global collective investor settlement. Among other companies whose shareholders have initiated efforts to pursue collective settlements under the Dutch WCAM procedures are VW (about which refer here); Tesco (refer here); and Petrobras (refer here). The Fortis settlement will undoubtedly encourage shareholder claimants seeking to pursue claims against other companies to try to use the Dutch procedures as well.

Indeed, these attributes of the Dutch system and its potential attractiveness to prospective claimants have raised concerns in some quarters about the possibility of “forum shopping” and, even more pejoratively, “collective redress tourism.” Whether the Dutch courts will indeed become a preferred forum for the resolution of transnational claims remains to be seen. However, the final resolution of the Fortis claims does suggest that the Dutch procedures represent a viable procedural vehicle for the resolution of claims on an opt-out basis.

Readers of this blog may be interested in a particular detail of the final Fortis settlement, having to do with the contribution toward the settlement of Fortis’s D&O insurers. At the time that Ageas announced the initial settlement back in March 2016, it also released an accompanying press release regarding the insurance arrangements. The accompanying press release states that Ageas had reached an agreement with the insurers that had issued D&O insurance policies to Fortis during the period 2007-2008, including two successive D&O insurance policies, as well as a separate public offering of securities insurance (“POSI”) policy issued to Fortis in connection with a 2007 public rights issue. The amount of the insurance settlement was stated in the March 2016 press release to be €290 million, which represented about 24 percent of the initial amount of the proposed settlement.

The press releases and other documentation surrounding the final settlement that was ultimately approved by the court do not provide any further detailed information about the original insurance settlement or the amount of the insurer’s contribution toward the final settlement amount. The Second Amended and Restated Settlement Agreement (here) does state in paragraph (G) of the Background section of the agreement (on page 6) that the Settlement Amount “will be funded by Ageas and by the proceeds from certain insurance policies for the benefit of its (former) directors and officers. The Settlement Amount less such insurance proceeds will be paid by Ageas in order to settle all claims and to be released of any potential liability.” The agreement does not specify the amount of the insurers’ contribution, or whether the original €290 million the insurers agreed to pay has been eroded in the interim by subsequent attorneys’ fees. In any event, it is clear that the settlement agreement will be funded in part by the payment of the proceeds of Fortis’s D&O insurance policies.

The last note I want to make about this settlement is the one on which most people would focus, which is the settlement’s sheer size. This settlement is the largest shareholder collective action settlement ever in Europe, or indeed anywhere outside the U.S. A settlement of this value in the U.S. would be among the ten largest ever among U.S. securities class action lawsuit settlements. The arrival of collective shareholder settlements of this size outside the U.S. is unprecedented, and underscores the extent to which things have changed, a point reinforced by the massive £1 billion settlement in the U.K. of the collective RBS investor claims. The possibility of collective investor claims of this magnitude outside the U.S. represents a significant magnification of the potential liability exposures of companies and their directors, as well as of their insurers.

The post Dutch Court Declares Largest-Ever European Investor Claims Settlement Binding appeared first on The D&O Diary.

After grounding TRAI chief, French ethical hacker challenges PM Modi to share Aadhaar details online http://www.newindianexpress.com/nation/2018/jul/29/after-grounding-trai-chief-french-ethical-hacker-challenges-pm-modi-to-share-aadhaar-details-online-1850277.html …

Massive Facebook Stock Drop Draws GDPR-Related Securities Suit

It was perhaps inevitable after Facebook’s disappointing quarterly earnings announcement last week triggered what reportedly is the largest single-day share price drop ever that securities class action lawsuits against the company would follow. And indeed on Friday at least two securities class action lawsuits were filed against the company. While the lawsuit filings may have been predictable, at least one of the lawsuits contains an interesting and unexpected variant on the standard pattern: one of the two lawsuits contains allegations that the company made misrepresentations about its readiness for the May 2018 effective date of the General Data Protection Regulation (GDPR) and about the impact of GDPR compliance on the company’s business and operations. As discussed below, these allegations reflect the growing liability exposures arising from mounting privacy-related concerns and regulation.

Background

In its quarterly earnings conference call after the close of business on July 25, 2018, Facebook reported slower-than-expected revenue growth for the period—though coming in at more than 40%—and said it expected quarterly revenue growth to decline over the rest of the year. The company also reported lower user growth in Canada and the U.S., and a decline in the daily user base in Europe. Facebook executives attributed the decline in Europe to the GDPR privacy regulations that went into effect during the second quarter. The company’s CFO also said that the company’s operating margins are likely to fall in coming reporting periods due to unfavorable currency conditions and owing to the company’s need for additional investments in security and safety. The CFO also reported on users’ increasing use of Facebook features with “lower rates of monetization.” During the next trading day, the value of the company’s shares declined 19%, representing a drop in market capitalization of nearly $120 billion.

The Lawsuits

On Friday, a Facebook shareholder filed a putative securities class action lawsuit in the Southern District of New York against the company, its CEO, Mark Zuckerberg, and its CFO, David Wehner. The complaint purports to be filed on behalf of investors who purchased Facebook shares between April 25, 2018 and July 25, 2018. The complaint (a copy of which can be found here) alleges that the defendants failed to disclose that “(i) the number of daily and monthly active Facebook users was declining; (ii) due to unfavorable currency conditions and plans to promote and grow features of Facebook’s social media platform with historically lower levels of monetization, such as Stories, Facebook anticipated its revenue growth to slow and its operating margins to fall; and (iii) as a result Facebook’s public statements were materially false and misleading at all relevant times.”

A separate putative securities class action lawsuit filed in the Southern District of New York against Facebook and certain of its executives represents a different approach to the company’s disclosures. The separate lawsuit, filed by Facebook shareholder Fern Helms, on behalf of a purported class of Facebook investors who purchased Facebook securities between October 1, 2017 and July 26, 2018, focuses on the company’s disclosures about its GDPR readiness and related privacy issues. In her complaint (a copy of which can be found here), Helms names as defendants the company, Zuckerberg, Wehner, and Facebook COO Sheryl Sandberg.

Helms alleges that during the class period the defendants made misleading statements about or failed to disclose that

(i) the implementation of the General Data Protection Regulation (“GDPR”), which was adopted by the European Union on or around April 14, 2016, would have a foreseeable and materially negative impact on use of [Facebook’s] Platform, revenue growth, and profitability because the informed consent required by the GDPR resulted in many users rejecting Facebook’s privacy policies and/or procedures and exposed a significant number of fake accounts on the platform; (ii) by May 25, 2018, Facebook’s Platform use and revenue growth had already begun to decline as a result of Facebook’s efforts to comply with the GDPR; (iii) the decline in Facebook’s Platform use and the increase in costs as a result of complying with the GDPR had a materially adverse effect on Facebook’s financial health, including its revenue and projected growth; and (iv) as a result Facebook’s public statements were false and misleading at all relevant times.

Discussion

These latest lawsuits are of course not the first suits to hit Facebook as a result of its privacy-related issues. Earlier this year, following disclosures that Facebook had given data analytics firm Cambridge Analytica access to user data, the company was hit with a number of lawsuits, including lawsuits filed by investors who alleged that the company had misrepresented its policies with respect to the use and sale of its user data. I raised at that time the question of whether privacy-related issues might possibly represent the next big D&O liability exposure.

In raising this question about the possibility of privacy issues becoming an important part of the D&O liability landscape, one thing I specifically mentioned was the recent effective date of the GDPR. GDPR, I noted, not only raised the possibility of companies getting hit with regulatory enforcement actions, but also raised the possibility of investors and others seeking to hold companies liable for failing to fulfill privacy requirements and subjecting the company to liabilities and penalties.

The second of these two latest lawsuits filed against Facebook represents a specific example of the way in which the new GDPR regulations can give rise to D&O litigation. In her complaint, Facebook shareholder Fern Helms alleges that Facebook failed to disclose that the implementation of the GDPR would have a foreseeable negative impact on the company’s financial performance, that the GDPR requirements taking effect was having a negative impact on the company’s user data, and that the costs of complying with the GDPR would adversely affect the company’s financial health.

Facebook may be a particularly high-profile example, but it is far from the only company that is struggling or going to struggle in its compliance with GDPR and experience negative impacts on its financial results as a result of GDPR compliance. Not every company that struggles to comply with GDPR is going to get hit with a D&O lawsuit. But as companies across the marketplace release financial reports showing the extent to which the GDPR implementation has affected their financial results, there may well be other investors who feel they have been misled about the companies’ state of GDPR readiness or about the impacts the companies expected from GDPR implementation.

The particularly interesting thing to me about the GDPR-related sequence of events at Facebook and the resulting securities litigation is that the sequence did not involve any regulatory action. In trying to anticipate how the implementation of the GDPR might lead to D&O claims, I had focused on the possibility of investor claims following in the wake of regulatory action. Those types of follow-on claims might well still arise. However, the Facebook sequence and resulting securities lawsuits are interesting because the problems arose without the involvement of any regulators, based solely upon the negative impact on the company’s reported financial results arising from costs associated with GDPR-related compliance. Again, Facebook is not the only company that is struggling with these issues, and is surely not the only company that will report that it has been negatively impacted by GDPR compliance-related costs and requirements, and Facebook may not be the only company hit with a GDPR compliance-related securities lawsuit.

A further recent development even further underscores the possibility of these kinds of privacy-related issues leading to D&O lawsuits. As I noted at the time, at the end of June California adopted its own privacy-related legislation. The California Consumer Privacy Act of 2018 imposes on businesses significant privacy obligations, creates a number of privacy rights, and provides for enforcement both through private right of action and regulatory enforcement. The California legislation presents many of the same challenges and potential litigation risks that I raised above with respect to the GDPR. The Act’s passage arguably represents a significant step toward making privacy issues a prominent part of the liability landscape in the months and years ahead.

In making these privacy-related conjectures, I want to be sure to emphasize a particular analytic distinction. As has been well documented on this blog, there have been data breach-related D&O lawsuits for some time. While the track record on the data breach-related D&O lawsuits is at best mixed, they represent a distinct phenomenon from the privacy-related issues on which I am focusing in this blog post. The two sets of Facebook securities lawsuits filed this year help make this point. Neither the earlier Cambridge Analytica lawsuit nor the more recent quarterly earnings disappointment lawsuits involved a data breach. Rather, the lawsuits related to privacy concerns and to governmental regulations focused on privacy concerns. While both the data breach and privacy issues involve user data, they relate to very different operational concerns and will affect companies in very different ways.

The issues surrounding privacy have to do with the way businesses collect and use consumer data, not just whether or not the businesses keep the data secure. These issues surrounding the use of consumer data are likely to be of continuing and increasing importance, both because of the increasing numbers of businesses collecting and using consumer data and because of the increasing regulatory focus on these processes, as for example in the GDPR and the new California legislation.

It is probably worth noting here that while Facebook did experience a massive stock price drop, that does not necessarily mean that the new lawsuits are meritorious. Among other things, these new complaints undoubtedly will face motions to dismiss based on the respective complaints’ alleged failure to meet the PSLRA’s heightened pleading requirements with respect to scienter. Neither complaint alleges that the defendants engaged in insider trading during the class period or otherwise benefited financially. The complaints allege only that the defendants knew or should have known that the supposed misrepresentations were false. It remains to be seen whether and to what extent these new lawsuits will be successful.

The post Massive Facebook Stock Drop Draws GDPR-Related Securities Suit appeared first on The D&O Diary.

The Good, Bad and Ugly on India’s Template for How Your Data Will be Protected https://thewire.in/tech/india-template-data-protection-draft-bill …

Srikrishna Panel proposals: Privacy breaches to attract monetary penalties https://www.business-standard.com/article/economy-policy/srikrishna-panel-proposals-privacy-breaches-to-attract-monetary-penalties-118072800026_1.html …

Guest Post: The Speed of Breaches and Other Bad News in Cybersecurity Incident Response

For any organization experiencing a data breach, the organization’s response to the incident remains one of the most important and yet one of the most challenging next steps. In the following guest post, Paul Ferrillo, a partner in the New York office of the Greenberg Traurig law firm, examines the ways that an organization can respond well to a cyber incident. I would like to thank Paul for his willingness to allow me to publish his article as a guest post on my site. I welcome guest post submissions from responsible authors on topics of interest to this blog’s readers. Please contact me directly if you would like to submit a guest post. Here is Paul’s article.

*************************

Years ago, when describing a “bad news” event, it was common to describe the situation to your colleague as “right hand column, above the fold,” meaning that in tomorrow’s newspaper (like the paper edition of the New York Times), the article would be in the far right-hand column, on the top half of the fold (ok, Millennials, we get it, you have never seen a “paper” New York Times). That meant the article was likely important, and that you should read it first and fast.

Today, there is no such luxury of having until the next day to respond to a bad news event. Today you are lucky if you have an hour to respond to a high-activity blogger before he or she levels you or your company with an upper cut posting you were not expecting, like “You’ve been hacked, and we know you know you’ve been hacked but haven’t said anything.” Or worse, that post is coupled with an impromptu iPhone video describing the problem. One recent commentator described a similar situation:

For [this company], it was video footage of a bloodied passenger …, being dragged off the plane by airport security guards. Once that clip hit social media, it went viral. Worse, it took [the company] two days to respond with a meaningful statement and apology. This lag made the airline look uncaring and incompetent. [i]

Yesterday, newspapers were in print.  The past was sort of like this:

The “gold standard” for pre-Internet crisis communications was Johnson & Johnson’s handling of the Chicago Tylenol killings of 1982. Someone had laced the pills with cyanide, then put the packaged product back on retail shelves. After seven people were killed, the company had vendors pull all Tylenol off retail shelves, and quickly invented tamper-proof packaging to relaunch the product. Johnson & Johnson responded fast—and honestly — taking ownership of the problem and solving it quickly. Failure would have resulted in the loss of the Tylenol brand.[ii]

But Tylenol happened before the Internet, before Google and the hundred thousand other blogs that post on corporate crises daily.  Today our news comes at us like water from a fire hose that could knock down the strongest among us.  The bloggers are relentless.  The regulators can be even more relentless.

Recently many very large companies (facing crises on the global scale of the Tylenol problem) have had their own cybersecurity crises, and it is pretty easy to tell those that handled the crisis well from those that suffered the $15 million stock drop because senior management did not fully “appreciate” the big breach.

How do you handle a cybersecurity breach well?  You avoid the things that the companies that did not handle their crises so well got wrong.  Though we can’t counsel you on every iteration of every breach and every problem, here are the five most important things a company should do exceptionally well in today’s era of blogs and iPhones:

1. Don’t wait to react – it won’t get better for you:  If the breach is suspected to be bad enough (which probably only you will know), you don’t have a day to react.  You don’t have an hour to react.  It’s time to fire up the computer or iPhone and start working fast on a response, even if the message is only “we just found out about this; we don’t know much yet, but our teams of responders and experts are working closely to get to the bottom of the situation.  As soon as we know, you will know.”  Or something like this.  Keep that first statement to what you actually know: an early figure for records affected or a guessed root cause that later proves wrong is harder to walk back than an honest “we are still investigating.”  The worst response is the “sounds of silence.”

2. Not all crises are the same – so plan:  Sometimes a crisis comes out of the blue, like the Mirai botnet’s DDoS attack on the DNS provider Dyn, which knocked major websites offline across the East Coast of the US on a Friday morning in October 2016.  These lightning bolts must be dealt with as lightning bolts.  Deal with it.  Other crises, though completely unwanted, may be more predictable, like a ransomware attack.  If you face one of these, get out your backup tapes (after confirming the backups themselves are intact and were not reachable by the attacker); notify whom you need to; and get back up and running.  Then figure out what happened so it does not happen again.  Finally, some crises have twists and turns: you know you were breached, but find out the next day that you were “first” breached three months ago and no one remedied the problem, leaving your attackers to do more damage rather than less.  This sort of crisis will take teams of lawyers, crisis communicators and technicians to solve.  This sort of crisis does happen.  So, plan for it.

3. Not all crisis communicators are the same – plan:  Back to Tylenol versus today.  Does your crisis communicator or PR firm have digital media experience?  Do they cover the major blogs 24/7?  Can they monitor your social media outlets like Twitter and Instagram 24/7, looking for troublesome messages, highly critical bloggers or even worse (like plaintiffs’ lawyers)?  Not all crisis communicators and PR firms do digital media well.  If you are a major corporation (and/or are publicly traded on a national exchange), you would be well served to get a digital media and social media expert on your crisis team.  You need to control the message and the response.  Ceding this role to the bloggers is a bad idea.

4. Practice your business continuity and crisis communications plans at least twice a year – use different scenarios, and keep it real:  This one is self-evident.  The worst crisis management plan is one that is left in your desk all year.  Everyone must know the plays in the playbook, from the board to the IT department to the PR department.  Everyone must know their role.  Speed matters.  See point 1.

5. Who’s in charge? What’s the message? Plan:  Maybe our two most important points. Not only must there be a crisis and social media plan of action, it is important to identify the point person. Who is in charge?  Who is the focal point?  Is it the CEO?  Is it the lead director?  Very hard for us to say, but we do know enough to say, “don’t pick the wrong person.”  Experience matters. Sensitivity matters. Demeanor matters. A good rule to go by is “ask around the C-suite and board room.” Who is admired?  Who is despised?  Your social media people may have a good perspective here, as they are presumably watching your sites anyway.  Also, pick more than one potential spokesperson.  Why?  Person 1 may be directly involved in the problem, so person 2 might have to step in.

Finally, what’s the message?  Again, hard for us to say.  Something bad happened.  Maybe a nation-state attack?  Maybe something worse, like a malicious insider.  Maybe significant IP was lost.  And maybe something criminal happened, which might call for the involvement of DHS or the FBI.  All these factors might influence the message.  But we can say with confidence:  stick to the basics; plan for different scenarios; and remember, you don’t have one day to respond.  It might be the dreaded hour problem.  So plan ahead.

________________________

[i] https://www.dmnews.com/channel-marketing/social/article/13035003/bad-news-can-move-at-the-speed-of-light

[ii] Id.

The post Guest Post: The Speed of Breaches and Other Bad News in Cybersecurity Incident Response appeared first on The D&O Diary.

Recent NAD Decision Largely Rejects Puffery Defenses and Consumer Testimonials that Disparage Competition

It seems like we (and the NAD) can’t get enough of “best.” In a recent case, the National Advertising Division (NAD) ruled that the advertiser, Mahindra USA, Inc., could not claim its products were superior without reasonable evidence.

Deere & Company, Inc. challenged Mahindra’s tractor advertisements as unsubstantiated superiority claims. Mahindra’s ads included “Best” claims such as: best-selling, best value, best warranty, best performance, “toughest tractors,” and superior engine oil. Additionally, Mahindra advertised consumer testimonials that expressed disappointment in the quality of John Deere tractors compared to Mahindra tractors.

Of course, context is king and “Best” advertisements can either be substantive claims, or considered mere “puffery.” (See here for a discussion on NAD and “best” claims). For some of the challenges in this case, Mahindra conceded its ads were substantive claims and argued that they were factually supported. For instance, Mahindra argued its best-selling claims were based on unbiased data. NAD agreed that a reasonable basis existed for the claims (although additional disclosures were necessary). For the majority of the challenged advertisements, however, Mahindra argued its statements were puffery. NAD rejected this defense in all but one instance and recommended discontinuation of the ads.

So when is a commercial message puffery? The inquiry revolves around the measurability of the advertisements. NAD explained, “[i]f the superlative is used in a way that suggests it is measurably better than its competitor, it is not puffery but a claim requiring substantiation.” Puffery can be found when “vague and fanciful” superlatives are used, rather than references to specific attributes suggesting product superiority in a recognizable way. Of course, determining if ads qualify as puffery is a murky endeavor. Thus, NAD considers both the words and contexts of the claims.

NAD determined Mahindra’s “Best Warranty” advertisements were substantive claims, not puffery, because warranties can be “objectively measured based on superiority in the warranty attributes valued by consumers.” In another ad, Mahindra’s website headline stated, “The Best vs. The Rest,” followed by the text: “[s]ee why our performance is superior. Take a look at how Mahindra stacks up against the competition…” Clicking through the webpage led to additional content on Mahindra’s product attributes such as lift capacity and fuel efficiency. NAD determined that this was also not puffery, because it invited consumers to compare Mahindra’s tractors to its competitors’ tractors “with measurable attributes in mind.” Even the engine oil ad claiming “Superior Protection With Our Branded Oil” was considered a claim requiring substantiation because “one reasonable takeaway is that ‘superior’ is being used in the comparative sense.”

The only successful puffery defense involved the taglines: “Toughest Tractors on Earth” and “Toughest Utility Vehicles on Earth.” NAD reasoned that, in the context of tractors, toughness is not quantifiable because it cannot be tied to a measurable attribute. However, NAD noted that toughness can be measurable in other contexts such as claiming superiority in glue adhesiveness, citing a 2006 decision in which “The Toughest Glue on Planet Earth” was a substantive claim.

While that may have been the best part of the decision, NAD also went on to address a challenge to the use of consumer testimonials. For consumer testimonials, the general rule is that advertisers may not make claims through testimonials that cannot be substantiated if made directly by the advertiser. However, some testimonial statements are considered expressions of opinions, rather than substantive claims. This is what Mahindra tried to argue here.

Testimonials are considered individual expressions of opinions that do not need substantiation when they lack a broader message about product superiority compared to similar products in the market. For instance, NAD approved the testimonial of one consumer’s general experience, “[Mahindra] dealer answered all my questions and helped me find the machine that really fits our needs and our lifestyle.” Other testimonials, although comparative in nature, were still acceptable as sufficiently vague expressions of personal satisfaction. For instance, permissible testimonials included “Mahindra gave me more for my money,” and “I chose Mahindra because it’s the best tractor in its class period.”

However, NAD recommended that several of Mahindra’s testimonials be discontinued as unsubstantiated claims, including every testimonial that mentioned John Deere directly: (1) “I’ve had a 45-horse John Deere and there is no comparison. The Mahindra has the torque you need to lift the loader;” (2) “[w]e bought a John Deere mower four years ago and it’s falling apart, but Mahindra has stayed a workhorse;” and (3) “John Deere acted like they were doing me a favor.” An advertiser may lawfully disparage a competitor, but only if the claims are “truthful, not misleading and narrowly drawn.” Here, NAD determined that Mahindra failed to provide evidence of superior lift performance, durability, and customer relations necessary to justify these claims.

The Mahindra decision is an important reminder that companies should be cautious in claiming superiority in measurable product characteristics without providing supporting evidence. To create advertisements that qualify as puffery, an advertiser should stick to three rules of thumb: (1) use hyperbolic language, (2) do not mention competitors, and (3) avoid highlighting specific elements of a product. To publish testimonials as mere opinions, advertisers should again refrain from naming competitors and specific product attributes, and choose statements that focus on the consumer’s positive experience.


SC raps Centre on access for disabled https://www.thehindu.com/news/national/sc-raps-centre-on-access-for-disabled/article24515102.ece?homepage=true