Tag Archives: class action

Fixing the Economics of Securities Defense

In my last D&O Discourse post, “The Future of Securities Class Action Litigation,” I discussed why changes to the securities litigation defense bar are inevitable: In a nutshell, the economic structures of the typical securities defense firms — mostly national law firms — result in defense costs that significantly exceed what is rational to spend in a typical securities class action. As I explained, the solution needs to come from outside the biglaw paradigm; when biglaw firms try to reduce the cost of one case without changing their fundamental billing and staffing structure, they end up cutting corners by foregoing important tasks or settling prematurely for an unnecessarily high amount. That is obviously unacceptable.

The solution thus requires us to approach securities class action defense in a new way, by creating a specialized bar of securities defense lawyers from two groups: lawyers from national firms who change their staffing structure and lower their billing rates and from experienced securities litigators from regional firms with economic structures that are naturally more rational.

See Also: Future of Securities Class Actions

But litigation venues are regional. We have state and federal courts organized by states and areas within states. Because lawyers need to go to the courthouse to file pleadings, attend court hearings and meet with clients in that location, the lawyer handling a case needs to live where the judge and clients live.

Right?

Not anymore.

Although the belief that a case needs a local lawyer persists, that is no longer how litigation works. We don’t file pleadings at the courthouse; we file them on the Internet from anywhere (even from an airplane). These days, in most cases, there are just a handful of in-person court hearings. And the reality is that most clients don’t want their lawyers hanging around in-person at their offices because email, phone calls and Skype suffice. Even document collection can be done mostly electronically and remotely. And with increasingly strict deposition limits and witnesses located around the country and the world, depositions don’t require much time in the forum city, either.

In a typical Reform Act case, where discovery is stayed through the motion-to-dismiss process, the amount of time a lawyer needs to spend in the forum city is especially modest. If a case is dismissed, the case activities in the forum city (in a typical case) amount only to (1) a short visit to the client’s offices to learn the facts necessary to assess the case and prepare the motion to dismiss and (2) the motion-to-dismiss argument, if there is one. Indeed, assuming a typical securities case requires 1,000 hours of lawyer time through an initial motion to dismiss, fewer than 50 of those hours — one-half of 1% — need to be spent in the forum city.  The other 99.5% can be spent anywhere.

Discovery doesn’t change these percentages much.  Assume it takes another 10,000 hours of attorney time to litigate a case through a summary judgment motion (so 11,000 total hours). Four lawyers/paralegals spending four weeks in the forum city for document collection and depositions (a generous allotment) yields only another 640 hours. So, in my hypothetical, only 0.63% of the defense of the case requires a lawyer to be in the forum city. The other 99.37% of the work can be done anywhere. Because a biglaw firm would litigate a securities class action with a larger team, the total number of hours in a typical biglaw case would be much higher (both the total defense hours and the total number of hours spent in the forum city), but the percentages would be similar.

And the cost of travel does not move the economic needle. Of course, if a firm is willing not to charge for travel time and travel costs to the forum city, there is no economic issue. My firm is willing to make this concession, and I would bet others are, as well. Even if a firm does charge for travel cost and travel time, the cost is minuscule in relationship to total defense costs. For example, my total travel costs (airfare and lodging) for a five-night trip to New York City are typically less than the cost of two biglaw partner hours.

Of course, there are some purposes for which local counsel is necessary, or at least ideal: someone who knows the local rules, is familiar with the local judges and is admitted in the forum state. But the need to use local counsel for a limited number of tasks doesn’t present any economic or strategic issue, either — if the lawyers’ roles are clearly defined. Depending on the circumstances, I like to work either with a local lawyer in a litigation boutique that was formed by former large-firm lawyers with strong local connections or with a lawyer from a strong regional firm. I just finished a case where the local firm was a boutique and a case where the local firm was another regional firm. In both cases, the local firms charged de minimis amounts. In some cases, the local firm can, and should, play a larger role, but whatever the type of firm and its role, the lead and local lawyers can develop the right staffing for the case and work together essentially as one firm — if they want to.

All of these considerations show securities litigation defense can and should be a nationwide practice. It is no longer local. We need to look no further than the other side of the “v” for a good example. Our adversaries in the plaintiffs’ bar have long litigated cases around the country, often teaming up with local lawyers from different firms. Like securities defense, plaintiffs’ securities work requires a full-time focus that has led to a relatively small number of qualified firms. The qualified firms litigate cases around the country, not just in their hometowns or where their firms have lawyers.

This all seems relatively simple, but it requires us all to abandon old assumptions about law practices that are no longer applicable and embrace a new mindset. Biglaw defense lawyers need to obtain more economic freedom within their firms to reduce their rates and staffing for typical securities cases, or they must face the reality that their firms perhaps are better-suited only for the largest cases. Regional firms must recruit more full-time securities litigation partners and be willing not to charge for travel time and costs. And companies and insurers must appreciate that securities litigation defense will improve — through better substantive and economic results in both individual cases and overall — if they recognize a good regional firm with dedicated securities litigators can defend a securities class action anywhere in the country and can usually do so more effectively and efficiently than a biglaw firm.

Future of Securities Class Actions

Securities litigation has a culture defined by multiple elements: the types of cases filed, the plaintiffs’ lawyers who file them, the defense counsel who defend them, the characteristics of the insurance that covers them, the way insurance representatives approach coverage, the government’s investigative policies – and, of course, the attitude of public companies and their directors and officers toward disclosure and governance.

This culture has been largely stable over the nearly 20 years I’ve defended securities litigation matters full time. The array of private securities litigation matters (in the way I define securities litigation) remains the same – in order of virulence: securities class actions, shareholder derivative litigation matters (derivative actions, board demands and books-and-records inspections) and shareholder challenges to mergers. The world of disclosure-related SEC enforcement and internal corporate investigations is basically unchanged, as well. And the art of managing a disclosure crisis, involving the convergence of shareholder litigation, SEC enforcement and an internal investigation involves the same basic skills and instincts.

But I’ve noted significant changes to other characteristics of securities-litigation culture recently, which portend a paradigm shift. Over the past few years, smaller plaintiffs’ firms have initiated more securities class actions on behalf of individual, retail investors, largely against smaller companies that have suffered what I call “lawsuit blueprint” problems such as auditor resignations and short-seller reports. This trend – which has now become ingrained into the securities-litigation culture – will significantly influence the way securities cases are defended and by whom, and change the way that D&O insurance coverage and claims need to be handled.

Changes in the Plaintiffs’ Bar

Discussion of the history of securities plaintiffs’ counsel usually focuses on the impact of the departures of former giants Bill Lerach and Mel Weiss. But although the two of them did indeed cut a wide swath, the plaintiffs’ bar survived their departures just fine. Lerach’s former firm is thriving, and there are strong leaders there and at other prominent plaintiffs’ firms.

The more fundamental shifts in the plaintiffs’ bar concern changes to filing trends. Securities class action filings are down significantly over the past several years, but, as I have written, I’m confident they will remain the mainstay of securities litigation and won’t be replaced by merger cases or derivative actions. There is a large group of plaintiffs’ lawyers who specialize in securities class actions, and there are plenty of stock drops that give them good opportunities to file cases. Securities class action filings tend to come in waves, both in the number of cases and type. Filings have been down over the last several years for multiple reasons, including the lack of plaintiff-firm resources to file new cases as they continue to litigate stubborn and labor-intensive credit-crisis cases, the rising stock market and the lack of significant financial restatements.

Although I don’t think the downturn in filings is, in and of itself, very meaningful, it has created the opportunity for smaller plaintiffs’ firms to file more securities class actions. The Reform Act’s lead plaintiff process gives plaintiffs’ firms incentives to recruit institutional investors to serve as plaintiffs. For the most part, institutional investors, whether smaller unions or large funds, have retained the more prominent plaintiffs’ firms, and smaller plaintiffs’ firms have been left with individual investor clients who usually can’t beat out institutions for the lead-plaintiff role. At the same time, securities class action economics tightened in all but the largest cases. Dismissal rates under the Reform Act are pretty high, and defeating a motion to dismiss often requires significant investigative costs and intensive legal work. And the median settlement amount of cases that survive dismissal motions is fairly low. These dynamics placed a premium on experience, efficiency and scale. Larger firms filed most of the cases, and smaller plaintiffs’ firms were unable to compete effectively for the lead plaintiff role or make much money on their litigation investments.

This started to change with the wave of cases against Chinese issuers in 2010. Smaller plaintiffs’ firms initiated most of them, as the larger firms were swamped with credit-crisis cases and likely were deterred by the relatively small damages, potentially high discovery costs and uncertain insurance and company financial resources. Moreover, these cases fit smaller firms’ capabilities well; nearly all of the cases had “lawsuit blueprints” such as auditor resignations or short-seller reports, thereby reducing the smaller firms’ investigative costs and increasing their likelihood of surviving a motion to dismiss. The dismissal rate has indeed been low, and limited insurance and company resources have prompted early settlements in amounts that, while on the low side, appear to have yielded good outcomes for the smaller plaintiffs’ firms.

The smaller plaintiffs’ firms thus built up a head of steam that has kept them going, even after the wave of China cases subsided. For the last year or two, following almost every “lawsuit blueprint” announcement, a smaller firm has launched an “investigation” of the company, and smaller firms have initiated an increasing number of cases. Like the China cases, these tend to be against smaller companies. Thus, smaller plaintiffs’ firms have discovered a class of cases – cases against smaller companies that have suffered well-publicized problems that reduce the plaintiffs’ firms’ investigative costs – for which they can win the lead plaintiff role and that they can prosecute at a sufficient profit margin.

To be sure, the larger firms still mostly can and will beat out the smaller firms for the cases they want. But it increasingly seems clear that the larger firms don’t want to take the lead in initiating many of the cases against smaller companies and are content to focus on larger cases on behalf of their institutional investor clients.

These dynamics are confirmed by recent securities litigation filing statistics. Cornerstone Research’s “Securities Class Action Filings: 2014 Year in Review” concludes that (1) aggregate market capitalization loss of sued companies was at its lowest level since 1997 and (2) the percentage of S&P 500 companies sued in securities class actions “was the lowest on record.” Cornerstone’s “Securities Class Action Filings: 2015 Midyear Assessment” reports that two key measures of the size of cases filed in the first half of 2015 were 43% and 65% lower than the 1997-2014 semiannual historical averages. NERA Economic Consulting’s “Recent Trends in Securities Class Action Litigation: 2014 Full-Year Review” reports that 2013 and 2014 “aggregate investor losses” were far lower than in any of the prior eight years. And PricewaterhouseCoopers’ “Coming into Focus: 2014 Securities Litigation Study” reflects that, in 2013 and 2014, two-thirds of securities class actions were against small-cap companies (market capitalization less than $2 billion) and that one-quarter were against micro-cap companies (market capitalization less than $300 million). These numbers confirm the trend toward filing smaller cases against smaller companies, so that now, most securities class actions are relatively small cases.

Consequences for Securities Litigation Defense

Securities litigation defense must adjust to this change. Smaller securities class actions are still important and labor-intensive matters – a “small” securities class action is still a big deal for a small company and the individuals accused of fraud, and the number of hours of legal work to defend a small case is still significant. This is especially so for the “lawsuit blueprint” cases, which typically involve a difficult set of facts.

Yet most securities defense practices are in firms with high billing rates and high associate-to-partner ratios, which make it uneconomical for them to defend smaller litigation matters. It obviously makes no sense for a firm to charge $6 million to defend a case that can settle for $6 million. It is even worse for that same firm to attempt to defend the case for $3 million instead of $6 million by cutting corners – whether by under-staffing, over-delegation to junior lawyers or avoiding important tasks. It is worse still for a firm to charge $2 million through the motion to dismiss briefing and then, if it loses, to settle for more than $6 million just because it can’t defend the case economically past that point. And it is a strategic and ethical minefield for a firm to charge $6 million and then settle for a larger amount than necessary so that the fees appear to be in line with the size of the case.

Nor is the answer to hire general commercial litigators at lower rates. Securities class actions are specialized matters that demand expertise, consisting not just of knowledge of the law but of relationships with plaintiffs’ counsel, defense counsel, economists, mediators and D&O brokers and insurers.

Rather, what is necessary is genuine reform of the economics of securities litigation defense through the creation of a class of experienced securities litigators who charge lower rates and exhibit tighter economic control. Undoubtedly, that will be difficult to achieve for most securities defense lawyers, who practice at firms with supercharged economics. The lawyers who wish to remain securities litigation specialists will thus face a choice:

  1. Accept that the volume of their case load will be reduced, as they forego smaller matters and focus on the largest matters (which Biglaw firms are uniquely situated to handle well, on the whole);
  2. Rein in the economics of their practices, by lowering billing rates of all lawyers on securities litigation matters, and by reducing staffing and associate-to-partner ratios; or
  3. Move their practices to smaller, regional defense firms that naturally have more reasonable economics.

I’ve taken the third path, and I hope that a number of other securities litigation defense lawyers will also make that shift toward regional defense firms. A regional practice can handle cases around the country, because litigation matters can be effectively and efficiently handled by a firm based outside of the forum city. And they can be handled especially efficiently by regional firms outside of larger cities, which can offer a better quality of life for their associates and a more reasonable economic model for their clients.

Consequences for D&O Insurance

D&O insurance needs to change, as well. For public companies, D&O insurance is indemnity insurance, and the insurer doesn’t have the duty or right to defend the litigation. The insured selects counsel, and the insurer has a right to consent to the insured’s selection, but such consent can’t be unreasonably withheld. D&O insurers are in a bad spot in a great many cases. Because most experienced securities defense lawyers are from expensive firms, most insureds select an expensive firm. But in many cases that spells a highly uneconomical or prejudicial result, through higher than necessary defense costs or an early settlement that doesn’t reflect the merits but that is necessary to avoid using most or all of the policy limits on defense costs.

Given the economics, it certainly seems reasonable for an insurer to at least require an insured to look at less expensive (but just as experienced) defense counsel before consenting to the choice of counsel – if not outright withholding consent to a choice that does not make economic sense for a particular case. If that isn’t practical from an insurance law or commercial standpoint, insurers may well need to look at enhancing their contractual right to refuse consent or even to offer a set of experienced but lower-cost securities defense practices in exchange for a lower premium. It is my strong belief that a great many public company CFOs would choose a lower D&O insurance premium over an unfettered right to choose their own defense lawyers.

Because I’m not a D&O insurance lawyer, I obviously can’t say what is right for D&O insurers from a commercial or legal perspective. But it seems obvious to me that the economics of securities litigation must change, both in terms of defense costs and defense-counsel selection, to avoid increasingly irrational economic results.

Future of Securities Class Actions

Securities litigation has a culture defined by multiple elements: the types of cases filed, the plaintiffs’ lawyers who file them, the defense counsel who defend them, the characteristics of the insurance that covers them, the way insurance representatives approach coverage, the government’s investigative policies – and, of course, the attitude of public companies and their directors and officers toward disclosure and governance.

This culture has been largely stable over the nearly 20 years I’ve defended securities litigation matters full-time. The array of private securities litigation matters (in the way I define securities litigation) remains the same – in order of virulence: securities class actions, shareholder derivative litigation matters (derivative actions, board demands and books-and-records inspections) and shareholder challenges to mergers. The world of disclosure-related SEC enforcement and internal corporate investigations is basically unchanged, as well. And the art of managing a disclosure crisis, involving the convergence of shareholder litigation, SEC enforcement and an internal investigation, involves the same basic skills and instincts.

But I’ve noted significant changes to other characteristics of securities-litigation culture recently, which portend a paradigm shift. Over the past few years, smaller plaintiffs’ firms have initiated more securities class actions on behalf of individual, retail investors, largely against smaller companies that have suffered what I call “lawsuit blueprint” problems such as auditor resignations and short-seller reports. This trend – which has now become ingrained into the securities-litigation culture – will significantly influence the way securities cases are defended and by whom, and change the way that D&O insurance coverage and claims need to be handled.

Changes in the Plaintiffs’ Bar

Discussion of the history of securities plaintiffs’ counsel usually focuses on the impact of the departures of giants Bill Lerach and Mel Weiss. But although the two of them did indeed cut a wide swath, the plaintiffs’ bar survived their departures just fine. Lerach’s former firm is thriving, and there are strong leaders there and at other prominent plaintiffs’ firms.

The more fundamental shifts in the plaintiffs’ bar concern changes to filing trends. Securities class action filings are down significantly over the past several years, but I’m confident they will remain the mainstay of securities litigation and won’t be replaced by merger cases or derivative actions. There is a large group of plaintiffs’ lawyers who specialize in securities class actions, and there are plenty of stock drops that give them good opportunities to file cases. Securities class action filings tend to come in waves, both in the number of cases and type. Filings have been down over the last several years for multiple reasons, including the lack of plaintiff-firm resources to file new cases as they continue to litigate stubborn and labor-intensive credit-crisis cases, the rising stock market and the lack of significant financial-statement restatements.

Although I don’t think the downturn in filings is, in and of itself, very meaningful, it has created the opportunity for smaller plaintiffs’ firms to file more securities class actions. The Reform Act gave plaintiffs’ firms incentives to recruit institutional investors to serve as plaintiffs. For the most part, institutional investors, whether smaller unions or large funds, have retained the more prominent plaintiffs’ firms, and smaller plaintiffs’ firms have been left with individual investor clients who usually can’t beat out institutions for the lead-plaintiff role. At the same time, securities class action economics tightened in all but the largest cases. Dismissal rates under the Reform Act are pretty high, and defeating a motion to dismiss often requires significant investigative costs and intensive legal work. And the median settlement amount of cases that survive dismissal motions is fairly low. These dynamics placed a premium on experience, efficiency and scale. Larger firms filed most of the cases, and smaller plaintiffs’ firms were unable to compete effectively for the lead plaintiff role, or make much money on their litigation investments.

This started to change with the wave of cases against Chinese issuers in 2010. Smaller plaintiffs’ firms initiated most of them, as the larger firms were swamped with credit-crisis cases and likely were deterred by the relatively small damages, potentially high discovery costs and uncertain insurance and company financial resources. Moreover, these cases fit smaller firms’ capabilities well; nearly all of the cases had “lawsuit blueprints” such as auditor resignations or short-seller reports, thereby reducing the smaller firms’ investigative costs and increasing their likelihood of surviving a motion to dismiss. The dismissal rate has indeed been low, and limited insurance and company resources have prompted early settlements in amounts that, while on the low side, appear to have yielded good outcomes for the smaller plaintiffs’ firms.

The smaller plaintiffs’ firms thus built up a head of steam that has kept them going, even after the wave of China cases subsided. For the last year or two, following almost every “lawsuit blueprint” announcement, a smaller firm has launched an “investigation” of the company, and these firms have initiated an increasing number of cases. Like the China cases, these cases tend to be against smaller companies. Thus, smaller plaintiffs’ firms have discovered a class of cases – cases against smaller companies that have suffered well-publicized problems that reduce the plaintiffs’ firms’ investigative costs – for which they can win the lead plaintiff role and can prosecute at a sufficient profit margin.

To be sure, the larger firms still mostly will beat out the smaller firms for the cases they want. But it increasingly seems clear that the larger firms don’t want to take the lead in initiating many of the cases against smaller companies, and are content to focus on larger cases on behalf of their institutional investor clients.

These dynamics are confirmed by recent securities litigation filing statistics. Cornerstone Research’s “Securities Class Action Filings: 2014 Year in Review” concludes that (1) aggregate market capitalization loss of sued companies was at its lowest level since 1997, and (2) the percentage of S&P 500 companies sued in securities class actions “was the lowest on record.” Cornerstone’s “Securities Class Action Filings: 2015 Midyear Assessment” reports that two key measures of the size of cases filed in the first half of 2015 were 43% and 65% lower than the 1997-2014 semiannual historical averages. NERA Economic Consulting’s “Recent Trends in Securities Class Action Litigation: 2014 Full-Year Review” reports that 2013 and 2014 “aggregate investor losses” were far lower than in any of the prior eight years. And PricewaterhouseCoopers’ “Coming into Focus: 2014 Securities Litigation Study” reflects that in 2013 and 2014, two-thirds of securities class actions were against small-cap companies (market capitalization less than $2 billion), and one-quarter were against micro-cap companies (market capitalization less than $300 million). These numbers confirm the trend toward filing smaller cases against smaller companies, so that now most securities class actions are relatively small cases.

Consequences for Securities Litigation Defense

Securities litigation defense must adjust to this change. Smaller securities class actions are still important and labor-intensive matters – a “small” securities class action is still a big deal for a small company and the individuals accused of fraud, and the number of hours of legal work to defend a small case is still significant. This is especially so for the “lawsuit blueprint” cases, which typically involve a difficult set of facts.

Yet most securities defense practices are in firms with high billing rates and high associate-to-partner ratios, which make it uneconomical for them to defend smaller litigation matters. It obviously makes no sense for a firm to charge $6 million to defend a case that can settle for $6 million. It is even worse for that same firm to attempt to defend the case for $3 million instead of $6 million by cutting corners – whether by under-staffing, over-delegation to junior lawyers or avoiding important tasks. It is worse still for a firm to charge $2 million through the motion to dismiss briefing and then, if it loses, to settle for more than $6 million just because it can’t defend the case economically past that point. And it is a strategic and ethical minefield for a firm to charge $6 million and then settle for a larger amount than necessary so that the fees appear to be in line with the size of the case. .

Nor is the answer to hire general commercial litigators at lower rates. Securities class actions are specialized matters that demand expertise, consisting not just of knowledge of the law but of relationships with plaintiffs’ counsel, defense counsel, economists, mediators and D&O brokers and insurers.

Rather, what is necessary is genuine reform of the economics of securities litigation defense through the creation of a class of experienced securities litigators who charge lower rates and exhibit tighter economic control. Undoubtedly, that will be difficult to achieve for most securities defense lawyers, who practice at firms with supercharged economics. The lawyers who wish to remain securities litigation specialists will thus face a choice:

  1. Accept that the volume of their case load will be reduced, as they forego smaller matters and focus on the largest matters (which big law firms are uniquely situated to handle well, on the whole);
  2. Rein in the economics of their practices, by lowering billing rates of all lawyers on securities litigation matters and by reducing staffing and associate-to-partner ratios; or
  3. Move their practices to smaller, regional defense firms that naturally have more reasonable economics.

I’ve taken the third path, and I hope that a number of other securities litigation defense lawyers will also make that shift toward regional defense firms. A regional practice can handle cases around the country, because litigation matters can be effectively and efficiently handled by a firm based outside of the forum city. And they can be handled especially efficiently by regional firms outside of larger cities, which can offer a better quality of life for their associates and a more reasonable economic model for their clients.

Consequences for D&O Insurance

D&O insurance needs to change, as well. For public companies, D&O insurance is indemnity insurance, and the insurer doesn’t have the duty or right to defend the litigation. Thus, the insured selects counsel, and the insurer has a right to consent to the insured’s selection, but such consent can’t be unreasonably withheld. D&O insurers are in a bad spot in a great many cases. Because most experienced securities defense lawyers are from expensive firms, most insureds select an expensive firm. But in many cases, that spells a highly uneconomical or prejudicial result, through higher than necessary defense costs or an early settlement that doesn’t reflect the merits, but that is necessary to avoid using most or all of the policy limits on defense costs.

Given the economics, it certainly seems reasonable for an insurer to at least require an insured to look at less expensive (but just as experienced) defense counsel before consenting to the choice of counsel – if not outright withholding consent to a choice that does not make economic sense for a particular case. If that isn’t practical from an insurance law or commercial standpoint, insurers may well need to look at enhancing their contractual right to refuse consent, or even to offer a set of experienced but lower-cost securities defense practices in exchange for a lower premium. It is my strong belief that a great many public company CFOs would choose a lower D&O insurance premium over an unfettered right to choose their own defense lawyers.

Because I’m not a D&O insurance lawyer, I obviously can’t say what is right for D&O insurers from a commercial or legal perspective. But it seems obvious to me that the economics of securities litigation must change, both in terms of defense costs and defense-counsel selection, to avoid increasingly irrational economic results.

5 Steps for Covering Data Breaches

Target’s $19 million settlement with MasterCard[1] underscores very significant sources of potential exposure that often follow a data breach that involves payment cards. Retailers and other organizations that accept those cards are likely to face—in addition to a slew of claims from consumers and investors— claims from financial institutions that seek to recover losses associated with issuing replacement credit and debit cards, among other losses. The financial institution card issuers typically allege, among other things, negligence, breach of data-protection statutes and non-compliance with Payment Card Industry Data Security Standards (PCI DSS). Likewise, as Target’s recent settlement illustrates, organizations can expect to face claims from the payment brands, such as MasterCard, VISA and Discover, seeking substantial fines, penalties and assessments for purported PCI DSS non-compliance.

These potential sources of liability can eclipse others. While consumer lawsuits often get dismissed for lack of Article III standing,[2] for example, or may settle for relatively modest amounts,[3] the Target financial institution litigation survived a motion to dismiss[4] and involved a relatively high settlement amount as compared with the consumer litigation settlement. So did TJZ’s prior $24 million settlement with card issuers.[5] The current settlement involves only MasterCard,[6] moreover, and the Target financial institution litigation will proceed with any issuer of MasterCard-branded cards that declines to partake of the $19 million settlement offer. The amended class action in the Target cases alleges that the financial institutions’ losses “could eventually exceed $18 billion.”[7]

Organizations should be aware that these significant potential sources of data breach and payment brand liability may be covered by insurance, including commercial general liability insurance (CGL), which most companies have in place, and specialty cybersecurity/data privacy insurance.

Here are five steps for securing coverage for data breach and PCI DSS-related liability:

Step 1:            Look to CGL Coverage

                        Coverage A: “Property Damage” Coverage

Payment card issuers typically seek damages because of the necessity to replace cards and, often, also specifically allege damages because of the loss of use of those payment cards, including lost interest, transaction fees and the like. By way of illustration, the amended class action complaint in the Target litigation alleges:

The financial institutions that issued the debit and credit cards involved in Target’s data breach have suffered substantial losses as a result of Target’s failure to adequately protect its sensitive payment data. This includes sums associated with notifying customers of the data breach, reissuing debit and credit cards, reimbursing customers for fraudulent transactions, monitoring customer accounts to prevent fraudulent charges, addressing customer confusion and complaints, changing or canceling accounts and facing the decrease or suspension of their customers’ use of affected cards during the busiest shopping season of the year.[8]

The litigation further alleges that “plaintiffs and the FI [financial institution] class also lost interest and transaction fees (including interchange fees) as a result of decreased, or ceased, card usage in the wake of the Target data breach.”[9]

These allegations fall squarely within the standard-form definition of covered “property” damage under CGL Coverage A. Under Coverage A, the insurer commits to “pay those sums that the insured becomes legally obligated to pay as damages because of … ‘property damage’… caused by an ‘occurrence’”[10] that “occurs during the policy period.”[11] The insurer also has “the right and duty to defend the insured against any … civil proceeding in which damages because of … ‘property damage’ … are alleged.”[12]

Importantly, the key term “property damage” is defined to include not just “physical injury to tangible property” but also “loss of use of tangible property that is not physically injured.” The key definition in the current standard-form CGL insurance policy states as follows:

  1. “Property damage” means:
  2. Physical injury to tangible property, including all resulting loss of use of that property. All such loss of use shall be deemed to occur at the time of the physical injury that caused it; or
  3. Loss of use of tangible property that is not physically injured. All such loss of use shall be deemed to occur at the time of the “occurrence” that caused it.

For the purposes of this insurance, electronic data is not tangible property.

In this definition, “electronic data” means information, facts or programs stored as or on, created or used on or transmitted to or from computer software, including systems and applications software, hard or floppy disks, CD-ROMs, tapes, drives, cells, data processing devices or any other media that are used with electronically controlled equipment.[13]

Although the current definition states that “electronic data is not tangible property,” to the extent this standard-form language may be present in the specific policy at issue (coverage terms should not be assumed; rather the specific policy language at issue should always be carefully reviewed),[14] the limitation is largely, perhaps entirely, irrelevant in this context because card issuer complaints, like the amended class action complaint in the Target litigation, typically allege damages because of the need to replace physical, tangible payment cards.[15] The complaints further often expressly allege that the issuers have suffered damages because of a decrease or cessation in the card usage.

These types of allegations are squarely within the “property damage” coverage offered by CGL Coverage A, and courts have properly upheld coverage in privacy-related cases where allegations of loss of use of property are present.[16]

            Coverage B: “Personal and Advertising Injury” Coverage

There is significant potential coverage for data breach-related liability, including card issuer litigation, under CGL Coverage B. Under Coverage B, the insurer commits to “pay those sums that the insured becomes legally obligated to pay as damages because of ‘personal and advertising injury,’”[17] which is “caused by an offense arising out of [the insured’s] business … during the policy period.”[18] Similar to Coverage A, the policy further states that the insurer “will have the right and duty to defend the insured against any … civil proceeding in which damages because of … ‘personal and advertising injury’ to which this insurance applies are alleged.”[19]

The key term “personal and advertising injury” is defined to include a list of specifically enumerated offenses, which include “oral or written publication, in any manner, of material that violates a person’s right of privacy.”[20]

Considering this key language, courts have upheld coverage under CGL Coverage B for claims arising out of data breaches and for a wide variety of other claims alleging violations of privacy rights.[21] It warrants mention that, although the trial court in the Sony PlayStation data breach litigation recently ruled against coverage, the trial court’s decision — which turned on the court’s finding that, essentially, Coverage B is triggered only by purposeful actions by the insured (Sony) and not by the actions of the third parties who hacked into its network — that decision is currently on appeal to the New York Appellate Division and may soon be reversed. Nowhere in the insuring agreement or its key definition does the CGL policy require any action by the insured. As the coverage’s name “Commercial General Liability” indicates, the coverage does not require intentional action by the insured, as argued by the insurers in the Sony case, but rather is triggered by the insured’s liability, i.e., the insurer commits to pay sums that the insured “becomes legally obligated to pay” that “arise out of” the covered “offenses.” The broad insuring language, moreover, extends to the insured’s liability for publication “in any manner,” i.e., via a hacking attack or otherwise. The cases cited by the insurer in the Sony case are factually inapposite and interpret entirely different policy language. Indeed, Sony’s insurer, Zurich, itself acknowledged in 2009 that CGL policies may provide coverage for data breaches via hacking, which by definition involves third-party actions.[22]

Organizations also should be aware that the Insurance Services Office (ISO), the insurance industry organization responsible for drafting standard-form CGL language, recently promulgated a series of data breach exclusionary endorsements.[23] ISO acknowledged that there currently is data breach coverage for hacking activities under CGL policies. In particular, ISO stated that the new exclusions may be a “reduction in personal and advertising injury coverage”—the implication being that there is coverage in the absence of the new exclusions.

At the time the ISO CGL and CLU policies were developed, certain hacking activities or data breaches were not prevalent and, therefore, coverages related to the access to or disclosure of personal or confidential information and associated with such events were not necessarily contemplated under the policy. As the exposures to data breaches increased over time, stand-alone policies started to become available in the marketplace to provide certain coverage with respect to data breach and access to or disclosure of confidential or personal information.

To the extent that any access or disclosure of confidential or personal information results in an oral or written publication that violates a person’s right of privacy, this revision may be considered a reduction in personal and advertising injury coverage.[24]

Other than the trial court’s decision in the Sony case, no decision has held that an insured must itself publish information to obtain CGL Coverage B coverage, and a number of decisions have appropriately upheld coverage for liability that the insured has resulting from third-party publications.[25]

The bottom line: There may be very significant coverage under CGL policies, including for data breaches that result in the disclosure of personally identifiable information and other claims alleging violation of a right to privacy, including claims brought by card issuers.

Step 2:           Look to “Cyber” Coverage

Organizations are increasingly purchasing so-called “cyber” insurance, and a major component of the coverage offered under most “cyber” insurance policies is coverage for the spectrum of issues that an organization typically confronts in the wake of a data breach incident. This usually includes, not only defense and indemnity coverage in connection with consumer litigation and regulatory investigation, but also defense and indemnity coverage in connection with card issuer litigation. By way of example, one specimen policy insuring agreement states that the insurer will “pay … all loss” that the “insured is legally obligated to pay resulting from a claim alleging a security failure or a privacy event.” The key term “privacy event” includes “any failure to protect confidential information,” a term that is broadly defined to include “information from which an individual may be uniquely and reliably identified or contacted, including, without limitation, an individual’s name, address, telephone number, Social Security number, account relationships, account numbers, account balances, account histories and passwords.” “Loss” includes “compensatory damages, judgments, settlements, pre-judgment and post-judgment interest and defense costs.” Litigation brought by card issuers is squarely within the coverage afforded by the insuring agreement and its key definitions.

Importantly, a number of “cyber” insurance policies also expressly cover PCI DSS-related liability. By way of example, the specimen policy quoted above expressly defines covered “loss” to include “amounts payable in connection with a PCI-DSS Assessment,” which is defined as follows:

“PCI-DSS assessment” means any written demand received by an insured from a payment card association (e.g., MasterCard, Visa, American Express) or bank processing payment card transactions (i.e., an “acquiring bank”) for a monetary assessment (including a contractual fine or penalty) in connection with an insured’s non-compliance with PCI Data Security Standards that resulted in a security failure or privacy event.

This can be a very important coverage, given that, as the recent Target settlement illustrates, organizations face substantial liability arising out of the card brand and association claims for fines, penalties and assessments for purported non-compliance with PCI DSS. The payment card brands routinely claim that an organization was not PCI DSS-compliant and that the PCI forensic investigator assigned to investigate compliance routinely determines that the organization was not compliant at the time of a breach. As the payment industry has stated, “no compromised entity has yet been found to be in compliance with PCI DSS at the time of a breach.”[26]

The bottom line: “Cyber” insurance policies may provide broad, solid coverage for the costs and expenses that organizations may incur in connection with card-issuer litigation and payment brand claims alleging PCI non-compliance.

Step 3:            Look to Other Potential Coverage

It is important not to overlook other types of insurance policies that may respond to cover various types of exposure flowing from a breach. For example, there may be coverage under directors’ and officers’ (D&O) policies, professional liability or errors and omissions (E&O) policies and commercial crime policies. After a data breach, companies are advised to provide prompt notice under all potentially implicated policies, excepting in particular circumstances that may justify refraining to do so, and to carefully evaluate all potentially applicable coverages.

Step 4:            Don’t Take “No” For an Answer

Unfortunately, even where there is a legitimate claim for coverage under the policy language and applicable law, an insurer may deny a claim. Indeed, insurers can be expected to argue, as Sony’s insurers argued, that data breaches are not covered under CGL insurance policies. Nevertheless, insureds that refuse to take “no” for an answer may be able to secure valuable coverage.

If, for example, an insurer reflexively raises the “electronic data” exclusion in response to a claim under CGL Coverage A, which purports to exclude, under the standard form, “[d]amages arising out of the loss of, loss of use of, damage to, corruption of, inability to access or inability to manipulate electronic data,”[27] insureds are encouraged to point out that the damages alleged by card issuers for replacing physical cards and for lost interest and transaction fees, etc., resulting from loss of use of those cards, are clearly outside the purview of the exclusion. Likewise, if an insurer raises the standard “Recording And Distribution Of Material Or Information In Violation Of Law” exclusion, insureds are encouraged to point out that the exclusion has been narrowly interpreted, does not address common-law claims and has been held inapplicable where the law at issue fashions relief for common law rights.[28]

Importantly, exclusions and other limitations to coverage are construed narrowly against the insurer and in favor of coverage under well-established rules of insurance policy interpretation,[29] and the burden is on the insurer to demonstrate an exclusion’s applicability.[30]

Step 5:            Maximize Cover Across the Entire Insurance Portfolio

Various types of insurance policies may be triggered by a data breach, and the various triggered policies may carry different insurance limits, deductibles, retentions and other self-insurance features, together with various different and potentially conflicting provisions addressing, for example, other insurance, erosion of self-insurance and stacking of limits. For this reason, in addition to considering the scope of substantive coverage under an insured’s different policies, it is important to carefully consider the best strategy for pursing coverage in a manner that will maximize the potentially available coverage across the insured’s entire insurance portfolio. By way of example, if there is potentially overlapping CGL and “cyber” insurance coverage, remember that defense costs often do not erode CGL policy limits, and structure the coverage strategy accordingly.

When facing a data breach, companies should carefully consider the insurance coverage that may be available. Insurance is a valuable asset. Before a breach, companies should take the opportunity to carefully evaluate and address their risk profile, potential exposure, risk tolerance, sufficiency of their existing insurance coverage and the role of specialized cyber coverage. In considering that coverage, please note that there are many specialty “cyber” products on the market. Although many, if not most, of these policies purport to cover many of the same basic risks, including data breaches and other types of “cyber” and data privacy-related risk, the policies vary dramatically. It is important to carefully review policies for appropriate coverage prior to purchase and, in the event of a claim, to carefully review the scope of all potentially available coverage.

This article was first published in Law360.

 

[1] Target Strikes $19M Deal With MasterCard Over Data Breach, Law360 (April 15, 2015). The settlement is contingent upon at least 90% of the eligible MasterCard issuers accepting their alternative recovery offers by May 20.

[2] See, e.g., No Data Misuse? No Standing For Data Breach Plaintiffs, Law360 (April 24, 2014).

[3] Target Will Pay Consumers $10M To End Data Breach MDL, Law360, New York (March 19, 2015).

[4] See, e.g., Target Loses Bid to KO Banks’ Data Breach Litigation, Law360 (April 15, 2015).

[5] TJX Reaches $24M Deal With MasterCard Issuers, Law360 (April 2, 2008).

[6] The company is reported to be in similar negotiations with Visa.

[7] In re: Target Corporation Customer Data Security Breach Litigation, MDL No. 14-2522 (PAM/JJK) (D. Minn), at ¶ 87 (filed August 1, 2014).

[8] Id., ¶ 2 (emphasis added).

[9] Id., ¶ 86 (emphasis added).

[10] ISO Form CG 00 01 04 13 (2012), Section I, Coverage A, §1.a., §1.b.(1).

[11] Id., Section I, Coverage A, §1.b.(2).

[12] Id., Section I, Coverage A, §1.a.; Section V, §18.

[13] ISO Form CG 00 01 04 13 (2012), Section V, §17 (emphasis added).

[14] In the absence of such language, a number of courts have held that damaged or corrupted software or data is “tangible property” that can suffer “physical injury.” See, e.g., Retail Sys., Inc. v. CNA Ins. Co., 469 N.W.2d 735 (Minn. Ct. App. 1991); Centennial Ins. Co. v. Applied Health Care Sys., Inc., 710 F.2d 1288 (7th Cir. 1983) (California law); Computer Corner, Inc. v. Fireman’s Fund Ins. Co., No. CV97-10380 (2d Dist. Ct. N.M. May 24, 2000).

[15] See also Eyeblaster, Inc. v. Federal Ins. Co., 613 F.3d 797 (8th Cir. 2010).

[16] See, e.g., District of Illinois in Travelers Prop. Cas. Co. of America v DISH Network, LLC, 2014 WL 1217668 (C.D, Ill. Mar. 24, 2014); Columbia Cas. Co. v. HIAR Holding, L.L.C., 411 S.W.3d 258 (Mo. 2013).

[17] ISO Form CG 00 01 04 13 (2012), Section I, Coverage B, §1.a.

[18] Id., Section I, Coverage B, §1.b..

[19] Id.. Section I, Coverage B, §1.a.; Section V, §18.

[20] Id.. Section V, §14.e.

[21] See, e.g., Hartford Cas. Ins. Co. v. Corcino & Assocs,. 2013 WL 5687527 (C.D. Cal. Oct. 7, 2013).

[22] Zurich, Data security: A growing liability threat (2009), available at http://www.zurichna.com/NR/rdonlyres/23D619DB-AC59-42FF-9589-C0D6B160BE11/0/DOCold2DataSecurity082609.pdf (emphasis added).

[23] These new exclusions became effective in most states last May 2014. One of the exclusionary endorsements, titled “Exclusion – Access Or Disclosure Of Confidential Or Personal Information,” adds the following exclusion to the standard form policy:

This insurance does not apply to:

Access Or Disclosure Of Confidential Or Personal Information

“Personal and advertising injury” arising out of any access to or disclosure of any person’s or organization’s confidential or personal information, including patents, trade secrets, processing methods, customer lists, financial information, credit card information, health information or any other type of non public information.

CG 21 08 05 14 (2013). See also Coming To A CGL Policy Near You: Data Breach Exclusions, Law360 (April 23, 2014).

[24] ISO Commercial Lines Forms Filing CL-2013-0DBFR, at pp. 3, 7-8 (emphasis added).

[25] See, e.g., Hartford Cas. Ins. Co. v. Corcino & Assocs,. 2013 WL 5687527 (C.D. Cal. Oct. 7, 2013).

[26] Visa: Post-breach criticism of PCI standard misplaced (March 20, 2009), available at http://www.computerworld.com.au/article/296278/visa_post-breach_criticism_pci_standard_misplaced/

[27] CG 00 01 04 13 (2012), Section I, Coverage A, §2.p.

[28] See, e.g., Hartford Cas. Ins. Co. v. Corcino & Assocs,. 2013 WL 5687527 (C.D. Cal. Oct. 7, 2013). For example, in the Corcino case, the court upheld coverage for statutory damages arising out hospital data breach that compromised the confidential medical records of nearly 20,000 patients, notwithstanding an express exclusion for “personal and advertising Injury …. [a]rising out of the violation of a person’s right to privacy created by any state or federal act.” Corcino and numerous other decisions underscore that, notwithstanding a growing prevalence of exclusions purporting to limit coverage for data breach and other privacy related claims, there may yet be valuable privacy and data breach coverage under “traditional” or “legacy” policies that should not be overlooked.

[29] See, e.g., 2 Couch on Insurance § 22:31 (“the rule is that, such terms are strictly construed against the insurer where they are of uncertain import or reasonably susceptible of a double construction, or negate coverage provided elsewhere in the policy”).

[30] See, e.g., 17A Couch on Insurance § 254:12 (“The insurer bears the burden of proving the applicability of policy exclusions and limitations or other types of affirmative defenses”).

When Not to Use Regular Counsel

When selecting counsel to defend them against a securities class action, companies usually face the question of whether they want to hire attorneys from their regular outside corporate firm. Sometimes, companies will retain their regular outside firm as a matter of course, without even going through an audition process to interview other potential defense firms.

While such an arrangement is frequent, it can be inappropriate.  Ethical and practical conflicts lurk beneath the surface that can make it unwise for a company to hire its regular outside firm for securities class action defense — and these conflicts need to be examined more closely by companies, their insurance carriers and the counsel seeking to represent them.

It is a dilemma that all securities counsel faces at one time or another — when should they turn down representation of a firm client in a securities lawsuit? Over the years, I have struggled with that question, and my analysis has evolved and grown sharper.  The north star of the analysis is a basic principle: Attorneys should not represent a client when they have a conflict that could compromise the client’s defense.

In the context of securities litigation defense, a conflict can arise when it is in the client’s interest to rely on the defense firm’s corporate work as a defense against allegations of falsity or scienter (intent or knowledge of wrongdoing), or to establish a due-diligence defense. For the client, it is a question that boils down to whether the same firm that provided disclosure or stock-trading advice can make an objective decision about whether to disclose that advice to assert these defenses.

The company, not its lawyers, makes disclosures. But lawyers play a prominent role in many disclosures, by drafting or editing them, by giving advice to the company about their adequacy and by weighing in on decisions not to disclose certain information. This is more true of some disclosures than others — public offering materials, for example, are likely to be largely drafted by the attorneys, who will weigh in on every important disclosure decision. Lawyers also advise on matters that bear on scienter — primarily the presence or absence of material nonpublic information in connection with establishment of 10b5-1 plans and periodic stock sales, and on stock offerings. Even if lawyers have not technically provided legal advice or representation on these matters, directors and officers often rely on their regular counsel to object to potential misrepresentations or ill-advised stock sales about which they had notice.

I am not suggesting that it is never appropriate for a company to hire its regular outside firm to defend a securities class action — in some cases, the firm may not have had any involvement in the disclosures or decisions that are being challenged, or that are likely to be challenged as the case proceeds. For example, if the stock price drop that triggered the litigation was caused by a restatement, the litigation likely will not implicate the lawyers’ disclosure advice, because the case will be about the company’s financial statements, on which the lawyers didn’t work.The above considerations yield two guiding principles:

  • If the securities class action challenges a disclosure on which a firm has provided disclosure advice, as to what was disclosed or what was not disclosed, the firm generally should not defend the litigation.
  • If the securities class action relies on stock sales as evidence of scienter, a firm that advised on the stock sales – or 10b5-1 plans under which the stock sales were made – generally should not defend the litigation.

In addressing this issue, some law firms tend to emphasize only the lawyer-as-witness problem, which in many states can be avoided by having another firm examine the defense firm’s lawyers. But the problem can be more significant than this.

Let’s analyze the situation with a simple hypothetical. A securities class action against Acme Corporation challenges a statement in Acme’s 10-K. Acme’s regular outside corporate counsel provided advice to the company about the challenged disclosure, including advice that certain omitted information that allegedly made it misleading did not need to be disclosed. As evidence of scienter, the lawsuit cites Acme’s officers’ sales of company stock pursuant to 10b5-1 plans established during the alleged class period. Corporate counsel advised that the officers had no material nonpublic information when they established the plans.

Acme and the individual defendants will have an interest in defending themselves by asserting that they relied on the law firm’s advice, both as to the disclosure decision and the stock sales. At first blush, it may seem that the positions of Acme and its law firm are the same — both want to defend the correctness of the disclosures and stock-sale decisions. But their interests are not the same. Even if their lawyers’ advice was wrong, the defendants may be able to avoid liability, as long as their reliance upon it was reasonable and genuine.

On the other hand, Acme’s lawyers have an interest in preventing the disclosure of incorrect legal advice, which could not only prove embarrassing but also expose them to liability. And even if their advice was defensible, lawyers do not like to have their legal work, including their internal law firm communications, produced in discovery — and potentially dissected by competing firms. And, like everyone, lawyers have a natural aversion to testifying, or to making themselves the focus of litigation.

This all means that defense firms that also serve as corporate counsel have enormous incentives to avoid having their clients introduce evidence about their legal work, even if that evidence is plainly in the clients’ interest. These defense firms are motivated, consciously or not, to steer the clients away from a defense based on reliance on legal advice — something that may be easy to do without many questions being asked, because of the general bias against revealing privileged information. This may not result in substantial prejudice if there are good defenses otherwise, but no doubt there is prejudice in many cases, which is largely (if not entirely)  invisible to the client — through, for example, higher settlement amounts than would otherwise be necessary, or pressure to settle a case that might otherwise be a good trial candidate.

So why do companies hire their corporate counsel so often? I’d say there are three reasons.

First, it’s fair to say that outside counsel law firms don’t routinely go through this kind of analysis with their clients, before asking that they be hired to defend a securities class action. Few companies have been through securities class actions, so they need to be guided through this analysis in a candid fashion. At most, regular outside counsel discusses the lawyer-as-witness problem, and correctly notes that it’s common for regular outside counsel to defend securities claims.

Second, companies often regard securities class actions as frivolous and don’t take the counsel-selection process as seriously as they should. Most companies think their case will be dismissed, so there won’t ever be any conflict issues, and it is safe to just hand the lawsuit off to their regular firm.

Third, firms tell companies that if a case does not get dismissed, it will settle — so, again, conflict issues will never arise.

Because the conflicts that arise from these situations are largely invisible to the clients and the carriers, and any visible effects — such as potentially higher settlements — cannot be measured, there is no outcry against the practice. But the fact that the harm is difficult to detect or measure doesn’t mean it doesn’t exist, or that it is not potentially significant in some cases.

All of the above problems are exacerbated when a company hires its regular outside firm without even interviewing other firms. In failing to interview other firms, companies fail to get an outside reality check regarding conflict issues, miss out on the free legal advice they will receive from the firms they interview and give up the leverage they have during the selection process to get economic concessions from the firm that they ultimately hire. In addition, without an audition process, companies have no way to compare the securities litigators from its regular outside firm with other securities litigators, and sometimes unknowingly engage less effective and efficient lawyers than they would if they simply took a half a day to interview a handful of firms.

There is a simple, common-sense remedy: The company should conduct an interview process during which it can ask other firms about the regular outside firm’s conflict (taking into account those firms’ interest in being hired) — a process that, as noted above, has advantages for the company anyway. Alternatively, the company can engage securities litigation defense counsel who isn’t under consideration for the defense role to advise on the issue. Under either procedure, the company should also seek advice from its insurers and broker, who have a unique and helpful perspective as “repeat players” in securities litigation, having typically been involved in a very large number of securities litigation matters.

Whoever does this analysis needs to think past the initial complaint to the claims that are likely to be asserted by the lead plaintiff in a consolidated complaint. For example, if a class-period 10-K contains disclosures that are causally related to the reason the stock dropped, the analysis should consider the 10-K even if it isn’t mentioned in the initial complaint, because the lead plaintiff is likely to challenge it. Or if there are class-period stock sales, the analysis should take them into account, even if the initial complaint doesn’t mention them.

If regular outside counsel were to advise their corporate clients to obtain counsel-selection advice through an audition process or an independent firm, as well as from their insurers and broker, they would do great service to their clients, in ensuring that the clients received the maximum amount of protection possible from their appropriate reliance on the advice of counsel to navigate the difficult waters of disclosures and stock sales. Significant potential harm, albeit largely invisible and unmeasurable, can be avoided by simply insisting upon an impartial counsel-selection process that allows the client to evaluate the full spectrum of potential conflicts.

Even if the company and its directors and officers end up selecting the company’s regular outside counsel, the benefits of the selection process will most certainly serve the company well throughout the litigation.