I. Overview
With stocks plummeting and employees forced to work in a new environment, company directors are faced with unprecedented challenges in light of the coronavirus.[1] Amid the many concerns, protecting corporate information has been a critical issue as many employees are forced to work remotely.[2] Since remote access increases the frequency of digital exchanges of sensitive information, directors must account for new technological risks that affect both shareholders and stakeholders.
Delaware’s General Corporation Law holds that the board of directors has a general duty to protect and promote the interests of the corporation and its shareholders. [3] Shareholders are owners in the company and want the business to profit.[4] Thus, directors are expected to manage the company to realize profits. [5] However, they do not owe fiduciary duties to the stakeholders.[6] Other than the investors, the primary stakeholders in a company are the employees, customers, and suppliers.[7] Nevertheless, as directors create new strategies for addressing the company’s operations during the pandemic, they may have to prioritize stakeholders. With employees handling sensitive information in remote environments, the risk of data breaches and insider trading increases.[8]
II. Theft
In a recession, directors may focus on managing long-term employee, customer, and supplier benefits rather than investor expectations.[9] Even 50 years ago, Stanford Research Institute defined “stakeholders” as “groups without whom the organization would cease to exist.”[10] Now with a global pandemic changing the way employees work, there are massive cyber problems that can impact both the corporation and its stakeholders.[11]
Both corporations and stakeholders face an increased risk of private data breaches. Large-scale data breaches have increased by 273% in the first quarter of 2020 compared to last year.[12] Many businesses took shortcuts with security in a rush to continue business as usual, while cybercriminals capitalized on the confusion and chaos.[13] According to Iomart, an information technology and cloud computing company, a data breach for a large company can result in a loss of ten million to 99 million records and can decrease company valuation by over seven percent.[14] Further, for small businesses, “a data breach can be catastrophic.”[15]
Every home device or wireless connection creates a possibility for a data breach.[16] Moreover, some employees may not consider the risks of hacking or phishing attacks.[17] Common problems that can arise include: misusing emails, storing business information on personal cloud accounts, misusing network connections to employer systems, misusing passwords, misusing screen-sharing on video conferences, and improper disposal of physical materials.[18] Thus, directors should establish clear corporate compliance programs focused on educating employees on adequate data training, including employment information security policies.[19] Companies should also educate their employees on insider trading, codes of conduct, and establishing a dynamic set of procedures so that complaints are comprehensively examined.[20]
Directors must consider the increased risk to sensitive information and data, given the new remote work environment.[21] Further, since data breaches can also affect stock performance in the long run, directors will be forced to develop robust solutions for the foreseeable future.[22] These solutions might primarily address the concerns of stakeholders.
III. Efficient Markets
Directors will have to improve methods of transparent, legal, and secure communication for markets to maintain efficiency. Semi-strong form efficiency theory holds that security prices reflect publicly-available market information.[23] Efficient markets garner shareholder confidence because the stock valuation is accurately reflected at all times.[24] Thus, companies need to try harder now more than ever to ensure quality internal and external communication.
On March 23, 2020 the SEC issued a statement recognizing that “corporate insiders are regularly learning new material non-public information that may hold an even greater value than under normal circumstances.”[25] The SEC further advised that given these unique circumstances, “a greater number of people may have access to material non-public information than in less challenging times,” and thus, will maintain a heightened alert for signs of insider trading.[26]
While directors do not have a fiduciary duty to third parties, they do have a duty to protect shareholders. [27] This duty includes protecting shareholders with public information from bad-faith actors that trade on insider information.[28] A company’s employees can legally purchase or sell the company’s stock so long as they disclose certain information.[29] However, insider trading becomes illegal when trades are made on material non-public information.[30] Further, the duties and obligations of a corporate insider “could attach to those outside the insiders’ realm in certain circumstances.”[31] Even before the coronavirus forced millions to work from home, the SEC had cases involving family members trading on material non-public information.[32] For example, the SEC charged a banking consultant with insider trading based on confidential information he learned by eavesdropping on his partner, who was working on an airline merger deal.[33] Since coronavirus has disrupted the securities market in unprecedented ways, the SEC noted that it was “committing substantial resources” to ensure that “Main Street investors are not victims of fraud or illegal practices in these unprecedented market and economic conditions.”[34] Although the SEC can meticulously scrutinize trades , directors need to proactively mitigate the risk that shareholders may engage in insider trading.[35]
However, directors must also remember not to make any material misstatements or omissions regarding the effect of the pandemic on the company.[36] For example, two securities fraud class actions were filed against Norwegian Cruise Lines for artificially inflating the price of the companies’ securities by issuing false statements about the company’s ability to withstand the coronavirus. The plaintiffs claimed that the company was “employing sales tactics of providing customers with unproven and/or blatantly false statements about COVID-19 to entice customers to purchase cruises.”[37] In March, a newspaper released leaked emails from an employee showing that a Norwegian Cruise Line manager directed its staff to lie to customers regarding the effects of the coronavirus.[38] The sales were at severe lows, and Norwegian’s stock fell by almost 30% at the beginning of March, causing severe losses to investors.[39] Plaintiffs asserted that Norwegian violated §10(b) of the Securities Exchange Act of 1934 by making untrue statements of material facts and defrauding anyone similarly situated in purchasing Norwegian securities.[40]
Ideally, companies should have a strong corporate culture. Since companies want to avoid being the subject of litigation, directors and senior executives should embrace ethics and honesty as core corporate values.[41] Employees should be trained on policies to prevent risky trading activity and there should be proactive investigations into any potentially illegal insider trades.[42] Companies should be continuously reminding employees to discuss non-public information only in private settings and to hide computer screens from non-employees.[43] Most importantly, companies should make timely and complete disclosures because trading on public information is legal.[44]
Additionally, the SEC encourages self-reporting, especially where discovery constitutes material information that requires public disclosure.[45] When conducting investigations, the board should expect that anyone will be investigated for misconduct. For example, a successful initiative by three self-reporting advisory firms “’led to the return of almost $140 million to harmed investors, stopped wrongful conduct, and highlighted the importance of an adviser’s obligations to provide full and fair disclosures to clients.’”[46] Companies might also be wary of the SEC whistleblower program under the Dodd-Frank Act; however, directors should recall that this program considers the company’s compliance procedures.[47]
IV. Conclusion
In these unprecedented times, companies are forced to rapidly evolve. To maintain a steady, secure grasp on the future of their financial holdings, directors must focus on both their external cyber security and their internal methods of information sharing. In a post pandemic world, the most dynamic and adaptable companies will be the most successful.
[1] See Bryan Borzykowski, How to protect your small business in the midst of the coronavirus outbreak, CNBC (Mar. 10, 2020, 8:01 AM), https://www.cnbc.com/2020/03/09/how-to-protect-your-business-in-the-midst-of-the-coronavirus-outbreak.html.
[2] See Steven A. Caloiaro & Caleb L. Green, Maintaining Trade Secrets Amid the COVID-19 Pandemic, Dickinson Wright (April 2020), https://www.dickinson-wright.com/news-alerts/maintaining-trade-secrets-amid-covid19-pandemic.
[3] See Del. Code Ann. tit. 8, § 141 (1953).
[4] See Adam Hayes, Shareholder, Investopedia (June 20, 2020), https://www.investopedia.com/terms/s/shareholder.asp.
[5] See Del. Code Ann. tit. 8, § 141 (1953).
[6] See id.
[7] James Chen, Stakeholder, Investopedia (Mar. 4, 2020), https://www.investopedia.com/terms/s/stakeholder.asp.
[8] See Darren Abernethy, Insider Trading in the Data Breach Context: Proactive Corporate Planning and Regulatory Enforcement, Greenberg Traurig (May 18, 2020), https://www.gtlaw-dataprivacydish.com/2020/05/insider-trading-in-the-data-breach-context-proactive-corporate-planning-and-regulatory-enforcement/.
[9] See Andrew Edgecliffe-Johnson, Coronavirus poses big test of capitalism’s stakeholder conversion, Fin. Times (Mar. 4, 2020), https://www.ft.com/content/6d75fd96-5d71-11ea-b0ab-339c2307bcd4.
[10] Id.
[11] Dan Lohrmann, How Is Covid-19 Creating Data Breaches?, Gov’t Tech. (Mar. 30, 2020), https://www.govtech.com/blogs/lohrmann-on-cybersecurity/how-is-covid-19-creating-data-breaches.html.
[12] Ellen Sheng, Cybercrime ramps up amid coronavirus chaos, costing companies billions, CNBC (July 29, 2020, 9:20 AM), https://www.cnbc.com/2020/07/29/cybercrime-ramps-up-amid-coronavirus-chaos-costing-companies-billions.html.
[13] Id.
[14] See id.
[15] Id.
[16] Angela P. Doughty & Erica B. E. Rogers, Working Remotely and Cyber Security During the COVID-19 Outbreak, The Nat’l. L. Rev. (Mar. 26, 2020), https://www.natlawreview.com/article/working-remotely-and-cyber-security-during-covid-19-outbreak.
[17] Id.
[18] Id.
[19] See id.
[20] See Mary Jo White, Chair, SEC, Address at the Stanford Univ. Rock Ctr. for Corp. Gov’nce: A Few Things Directors Should Know About the SEC (June 23, 2014), https://www.sec.gov/news/speech/2014-spch062314mjw#_ftnref2.
[21] See Caloiaro & Green, supra note 2.
[22] See Catalin Cimpanu, Data breaches affect stock performance in the long run, study finds, Zero Day (Sep. 14, 2018, 2:02 PM), https://www.zdnet.com/article/data-breaches-affect-stock-performance-in-the-long-run-study-finds/.
[23] James Chen, Semi-Strong Form Efficiency, Investopedia (Apr. 14, 2019), https://www.investopedia.com/terms/s/semistrongform.asp.
[24] See How Does an Efficient Market Affect Investors?, Investopedia (Sep. 28, 2019), https://www.investopedia.com/ask/answers/05/marketefficiency.asp.
[25] Stephanie Avakian & Steven Peikin, Co-Directors of the SEC’s Division of Enforcement, SEC, Regarding Market Integrity (Mar. 23, 2020), https://www.sec.gov/news/public-statement/statement-enforcement-co-directors-market-integrity.
[26] Id.
[27] See Del. Code Ann. tit. 8, § 141 (1953).
[28] See id.
[29] See SEC v. Tex. Gulf Sulphur Co., 446 F.2d 1301, 1308 (2d Cir. 1971).
[30] See id.
[31] Thomas C. Newkirk, Assoc. Dir., SEC, Insider Trading –
A U.S. Perspective (Sep. 19, 1998), https://www.sec.gov/news/speech/speecharchive/1998/spch221.htm.
[32] See, e.g., SEC Charges Husband of Investment Banker with Insider Trading, SEC (Dec. 17, 2018), https://www.sec.gov/litigation/litreleases/2018/lr24375.htm; Litigation Release No. 22958, SEC (Mar. 31, 2014), https://www.sec.gov/litigation/litreleases/2014/lr22958.htm.
[33] See SEC Charges Husband of Investment Banker with Insider Trading, supra note 32.
[34] Avakian & Peikin, supra note 25.
[35] See Deborah R. Meshulam et. al., Coronavirus: Warning from SEC on insider trading highlights importance of disclosure controls during the COVID-19 pandemic, DLA Piper (Mar. 31, 2020), https://www.dlapiper.com/en/us/insights/publications/2020/03/coronavirus-warning-from-sec-on-insider-trading-highlights-importance-of-disclosure-controls/.
[36] See Reid & Dubow, supra note 35.
[37] Douglas v. Norwegian Cruise Lines Holdings Ltd., Case No. 1:20-cv-21107 (S.D. Fla. Mar. 2, 2020).
[38] See id.
[39] See id.
[40] See id.
[41] See White, supra note 20.
[42] See Jennifer Freel & Lincoln Wesley, Regulators Watch For Insider Trading In Chaotic COVID-19 Market, JD Supra (Apr. 9, 2020), https://www.jdsupra.com/legalnews/regulators-watch-for-insider-trading-in-46782/.
[43] See Reid & Dubow, supra note 35.
[44] See Freel & Wesley, supra note 44.
[45] See White, supra note 20.
[46] SEC Orders Three Self-Reporting Advisory Firms to Reimburse Investors, SEC (Apr. 17, 2020), https://www.sec.gov/news/press-release/2020-90.
[47] See White, supra note 20.
