Another year, another spate of scandals about huge data breaches, sexual misconduct and gender inequities. Such events swept up companies such as Facebook, CBS and Marriott, and many of the companies faltered in the court of public opinion for how they handled the events.
Davis Graham & Stubbs made the looming legal risks and regulatory scrutiny that come with these types of scandals the focus of its yearly public company update Thursday at the Four Seasons in Denver.
Below are a few highlights for how companies can mitigate their legal risks in shifting regulatory environments.
The 5 ‘Ws’ (and ‘How’) of Internal Investigations
There seems to be a clear message for companies looking to mitigate regulators’ wrath for mishandling an internal investigation into misconduct: Regulators are more likely to look favorably at a company’s proactive efforts to look into what may have happened, and there are steps to combat the appearance that a company covered something up.
“I think a lot of times … the question comes up: Do we really have to do this? The likelihood of someone finding out is slim. It’s probably just a complainer who had a bad day at work,” said partner Jackie Roeder. “It’s better to know than not. … When you get to a situation where there is something wrong, you want to know before the government knows; you want to know before a public report is made.”
Davis Graham & Stubbs co-managing partner Chad Williams discussed the difference in guidance from the Department of Justice between companies cooperating in criminal investigations versus civil investigations. In November, Deputy Attorney General Rod Rosenstein clarified that companies have to fully cooperate with a criminal investigation, including identifying every person “substantially involved” or responsible for the conduct, in order to get credit for cooperating.
By contrast, companies have more leeway to receive credit for cooperating in civil investigations. Williams said this means companies have to make tough judgment calls about how forthcoming to be, based on factors such as how likely the government is to find out about the conduct at issue.
“Oftentimes it makes sense” to be immediately forthcoming “without relinquishing all of your defenses,” Williams said.
Data Security and Privacy
One panel focused on the wide array of bellwether developments in 2018 in the realm of data security and privacy, from the SEC’s increasing role as the main regulatory agency in data privacy for public companies to new breach notification laws taking effect. Last year saw several high-high-profile breaches affecting at least tens of millions of consumers and increased interest from legislators in the topic.
Davis Graham & Stubbs partner Trent Martinet said contract negotiations didn’t used to place a high focus on data security and privacy. But now, he said, he spends a lot of time negotiating cybersecurity provisions such as limitations on liability and cybersecurity insurance limits.
“These are very heavily negotiated conditions in agreements, whereas three to five years ago” they didn’t play as much of a role, Martinet said. Facebook’s data breach affecting 29 million consumers isn’t small, but it still is dwarfed by the largest breaches of 2018 against Indian company Aadhaar and hotel branch Marriott Starwood, which operates internationally. Those compromised the information of 1.1 billion and 500 million people.
Martinet discussed a 2018 study from the International Association of Privacy Professionals that examined public companies’ attitudes toward cybersecurity risks by looking at their 10-Ks. Almost 100 percent of the companies examined were concerned about cyberattacks. They pointed to reputation damage, financial losses and business disruption as the three biggest perceived consequences of breaches.
Diversity on Boards of Directors
During a segment on corporate governance, partner Elizabeth Vonne said California’s 2018 law requiring boards of directors of at least six members to have three women probably won’t hold up to constitutional legal challenges. The state passed the law to make a strong statement, and even if it ultimately is struck down, Vonne said it still spotlights strategies for companies to increase diversity on their boards. Tactics can include conscious efforts to consider women and minority candidates for each board opening and looking at their whole book of expertise instead of just focusing on candidates who have served on boards before. Vonne said she is not immune to biases in recommending job candidates, and keeping a list of people that includes diverse candidates can help combat that.
“Even if you ask me off the top of my head … the people who come immediately to my mind are a lot less diverse than if I consult my list,” she said. “So we’re all subject to these biases.”
She showed statistics comparing the numbers of women and minority board members between Colorado companies, S&P 500 companies and data from the New York Stock Exchange and NASDAQ.
S&P 500 boards comprise 24 percent women and 17 percent minorities. Among Colorado companies, which Vonne said she compared to data for attendees at DGS’s event for the past few years, women make up 12 percent of board members. Colorado ranks 20th among all 50 states in the percentage of women board members. While women have made headway increasing their numbers on boards, Vonne said the percentage of minority male members decreased rom 14 percent in 2017 to 10 percent in 2018.
— Julia Cardi