It appears that hackers don’t take the summer off. From the U.S. Office of Personnel Management to online dating site Ashley Madison, cybercriminals have been proving that they will go after just about any sort of target that holds people’s personal data.
At the same time, regulators have been trying to fight back—particularly in the European Union, where new rules on data protection are emerging that may be finalized as early as the end of this year. Although these regulations are European, many U.S. companies that do business in the EU and work with customers and employees there will still have to worry about complying.
Given the one-two punch of increasing cyberattacks and impending regulatory changes, now might be a good time for companies to take a hard look at the way they process and protect their data. “Most companies nowadays are going above and beyond anything that’s out there right now and looking forward to the future,” Kristoph Gustovich, director of hosting and security at Mitratech, told CorpCounsel.com. “They’re always looking to meet what’s going to be the next stage of regulations.”
One major action that companies should be taking in anticipation of regulatory changes from Europe, according to the white paper, is ensuring that they’ve taken account of how the new rules will redefine their roles in data protection activities. Many companies that managed to avoid a certain amount of responsibility for their customer data by being labeled “data processors” will carry the same responsibility as “data controllers” under the new regulations. This leveling means that some companies will have to toughen their security stance when it comes to handling customers’ personal data.
It’s not just the roles of some companies that are changing, however. Roles of individuals within the companies also have to evolve to meet heightened legal and security needs. The new EU regulations, for example, may require companies with a certain number of employees and a certain amount of data to appoint a data protection officer from either inside or outside the company. This person will be responsible for making sure the company complies with privacy requirements.
General counsel are also seeing their roles evolve as breach risks rise and regulatory risks grow. “The laws are always going to change, and unless you have a general counsel involved to understand that, to present that to the technologist in a way that they can understand, there’s no way the technologist will be able to understand all the nuance,” said Gustovich. He also warned of putting cybersecurity responsibilities in silos—whether they are IT’s or legal’s. In his experience, he noted, that approach is doomed to fail.
One of the most important jobs in-house counsel have for cybersecurity is ensuring that the company’s contracts are compliant with data security laws. The white paper identifies use of contract language as an area where companies covered by new European regulations will probably have to make substantial changes.
The new rules will likely require that companies tell users and customers, in the company’s contracts, what data of theirs the firm will collect and how it will use the information. Then, they must get the users to “opt in.” In contrast, a good number of U.S. companies enroll customers in data collection by default and require them to explicitly “opt out.”
Another contractual issue the white paper addresses is the need for very specific language in user contracts. It explains that blanket contract terms will no longer cut it, in terms of compliance with emerging data security laws. And if a company intends to conduct data mining, this has to be made contractually clear to customers and users.
For companies, it’s essential to stay ahead of the curve on the increasingly difficult security environment and on the new European regulations, which may very well set the pace for other future data privacy rules in the U.S. and abroad, said Gustovich. He pointed out that when budgets and contracts need to be adjusted, companies shouldn’t wait to get started—even if the EU gives the two-year lead time between finalization and implementation that it has indicated it will give. Adjusting to serious regulatory changes takes time and planning. “It will come up much faster than people expect,” Gustovich warned.
Jason Atchley : Compensation : 5 Lessons for a Compensation Department of None
Over the last few years, we have seen a rise in attention to the all too common “HR Department of One.” These jacks-and-jills-of-all-trades (and masters of many) must be the policy maker, recruiter, trainer, confidant and much more for many companies. Often, on this very site, we talk about “compensation departments and compensation professionals” as if every company has one or both. But what if, as is often the case, a company has NO compensation professional on staff? Or what if the company has a great compensation analyst with little or no training in executive compensation, sales compensation or some other important specialty?
Many successful companies operate with a compensation department of none. What do the people know at these companies that allow them to continue to move forward without internal compensation expertise?
They try to keep things simple. These companies seldom use a wide range of compensation elements. The elements they use usually refrain from a lot of bells and whistles. This allows them to manage the programs effectively, even when the programs may not fully support their needs. They know that a limited program that works is better than an amazing program that doesn’t.
They stick to a schedule. They have limited periods to think about and act on compensation issues. They intensely work on pay during these periods and put little focus on it during the rest of the year.
They delegate. They tend to ask (and trust) more of finance, managers and the employees themselves. There isn’t a lot of time for handholding. People from multiple areas of the company often perform analysis, communication and management of programs as a series of small projects.
They focus on the big things. Another compensation plan or a small tweak to an incentive program may make things better or more interesting, but getting salaries and bonuses right is the priority. Since compensation and HR are part of the same job at most of these companies, the approach is more holistic than at many larger companies.
They know when to ask for help. They have less of their ego involved in the pay programs. This means they reach out to colleagues and consultants earlier and more often. They are comfortable leaning on others’ expertise (and are usually willing to share their own in return.)
What should they know?
Survey data is useful, but it is not compensation consulting or compensation planning. Compensation departments of none may only have access to a single data source. Often that source is an aggregated or “scraped” data set. This data does not have the nuance and detail available from more comprehensive data sources. This may be fine for a while, but it can result in long-term pay policies that cannot be supported when better data or analysis expertise does become available.
Variable pay programs are harder than they seem. The ongoing management and communication required for these programs is often not feasible for a department of none. Poorly designed, managed or understood plans can result in actions, decisions or payouts that can irreparably damage a company.
Without a compensation philosophy and strategy, things will get very messy (but it may take a few years.) Operating without a set of rules is operating without a safety net. Even a simple list of two or three objectives is enough to help ensure consistency.
Payroll isn’t really the same thing as compensation. Payroll is a result of compensation. Many people confuse the two. Compensation is about everything that happens before someone gets paid. Payroll is about everything that happens because someone gets paid. It is absolutely essential both are done correctly, but each can exist and be performed to perfection even if the other is in disarray.
Pay usually eats up more company revenue than any other piece of your budget. Even small improvements can have a huge impact. That’s right: companies with no internal compensation expertise often have the greatest need for expertise. Compensation can consume more than seventy cents of every dollar your company brings in. This leaves thirty cents for every other department and activity at your company. If you can increase compensation effectiveness even by 5%, it can be a game changer for the success of your company. In the midst of budget discussions, you are the most important person in the room. Respect that incredible responsibility.
It would be great if every company could have a team of compensation experts in the office, but that simply isn’t possible for many companies. The lack of internal compensation expertise does not need to result in a lack of compensation excellence. Are you, or have you been, in this situation? Is there anything you can share to help others succeed?
Few things in life are as private as our romantic entanglements. So with hackers announcing they’ve made off with as many as 37 million records from the parent company of extramarital dating site AshleyMadison.com, you can be sure there are plenty of people sweating over the potential fallout.
The group, which calls itself “The Impact Team,” released a statement on July 20 saying that it has gained access to the databases of Canada-based Avid Life Media, which runs Ashley Madison and other dating sites. The hackers said that if ALM does not comply with its demand to shut down services, it will release private information on its clientele. In addition to the notification, the group has also released a small portion of the data stolen as a demonstration of its intent.
In an interview with cybersecurity blogger Brian Krebs, Avid Life Media CEO Noel Biderman said that the company is investigating the breach, which he called “criminal” in nature. “We’re on the doorstep of [confirming] who we believe is the culprit, and unfortunately that may have triggered this mass publication,” Biderman said. “I’ve got their profile right in front of me, all their work credentials. It was definitely a person here that was not an employee but certainly had touched our technical services.”
Avid Life Media’s services differ from traditional dating sites in that they target subsets of dating culture. Ashley Madison bills itself as a dating site for married people, using the tagline “Life is Short. Have an Affair,” to illustrate that point. The site EstablishedMen.com offers affluent males dating connections to younger women, but hackers charge that it is also used to facilitate prostitution and human trafficking.
Avid Life Media offers a “full delete” option designed to help users cover their tracks, a service they charge $19.99 for. However, the hacking group said that the service did little to protect information collected from users.
Impact Team wrote in the statement: “Full Delete netted Avid Life Media $1.7 [million] in revenue in 2014. It’s also a complete lie. Users almost always pay with credit card; their purchase details are not removed as promised, and include real name and address, which is of course the most important information the users want removed.”
While Avid Life Media has not announced how it intends to respond to the demand, it is unlikely that it will shutter site operations. If the hackers succeed in leaking Avid Life Media user information, legal action stemming from the breach is inevitable. That’s likely to include not only the standard class action brought on behalf of the breach victims, but probably an uptick in divorce filings as well.
Jason Atchley : Data Analytics : Applying Analytics to Sales Incentive Plan Design
The cost of not evaluating your sales incentive plan can be steep
By Chad Albrecht, ZS 1/7/2015
Sales compensation analytics in the U.S. have been woefully lacking, even though companies allocate more of their budget to sales compensation than to advertising. Yet while every dollar of advertising is thoroughly scrutinized to maximize the return on investment (ROI) of the marketing budget, the assessment of sales compensation spending is far less rigorous.
That’s unfortunate, because the cost of not evaluating and analyzing the sales incentive plan can be steep, given that an effective plan design can have a double-digit impact on sales as compared to a mediocre or poorly designed plan. Moreover, using analytics appropriately is the best way to objectively assess the effectiveness of your plan design.
Below are examples of sales compensation analytics that can help shed light on incentive plan effectiveness.
Payout Ranges. One of the most effective uses of sales compensation analytics is assessing the plan’s ability to pay for performance. The idea is simple: pay high performers more and low performers less. But this turns into a question of how much more or less. What degree of differentiation will send the appropriate message to both high and low performers and help the company maintain financial responsibility?
One simple way to assess the pay-for-performance relationship is to evaluate the incentive payments for the 10th and 90th pay percentiles and compare them to the target incentive amount.
For the 10th percentile performer, there is typically a payout range from 10 percent to 30 percent of the target incentive. Anything below this range means there may be too many people earning little to no incentive, risking turnover and a disengaged salesforce. Anything above that range may mean that bottom performers are being overpaid.
For the 90th percentile performer, there is typically a payout range from 200 percent to 300 percent of the target incentive. Anything below this means you may not be rewarding your top performers generously enough, potentially causing them to look elsewhere for a job. Anything above this range may indicate poor quota setting and/or windfalls.
Percentage of Revenue Generated. Another useful analytic to implement—in cases where a particular product or product group is of strategic importance to the organization—is to divide the percentage of incentive paid by the percentage of revenue generated. A ratio more than 1.2 is appropriate for an emphasized product, while a ratio less than 0.8 is appropriate for a less important product.
Take, for example, a company that sells both license and software-as-a-service (SAAS) software. The company was particularly interested in driving SAAS business in 2014, and the goal for SAAS revenue amounted to roughly 20 percent of the total while license revenue encompassed the remaining 80 percent.
To ensure focus on SAAS products, the company put 40 percent of the incentive weight on the SAAS sales and 60 percent of the incentive weight on license sales. The resulting metrics showed the relative importance of SAAS sales to the organization:
License “Relative Importance” = 60 percent of incentive / 80 percent of sales = 0.75 (signifying low emphasis).
SAAS “Relative Importance” = 40 percent of incentive / 20 percent of sales = 2.0 (signifying high emphasis).
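As an added illustration, and not code from the article or from ZS, the following Python script runs the two analytics described above over constructed data. It computes the 10th- and 90th-percentile incentive payouts as a fraction of the target incentive and flags each against the article’s typical zones (10 to 30 percent and 200 to 300 percent of target), and it computes the incentive-weight-to-revenue-share ratio for each product line against the article’s 1.2 and 0.8 thresholds. The eleven payout figures, the $10,000 target incentive and the product names are assumptions made for the example; the SAAS/license weights and revenue shares are the article’s own numbers.

```python
"""Sales incentive plan analytics from the article: payout-range check at the
10th and 90th percentiles, and the "relative importance" ratio per product.
Added illustration; the sample payouts and target are constructed."""
from typing import Dict, List, Tuple

# Typical zones from the article, as a fraction of the target incentive.
PAYOUT_ZONES: Dict[int, Tuple[float, float]] = {
    10: (0.10, 0.30),   # 10th-percentile performer should earn 10-30% of target
    90: (2.00, 3.00),   # 90th-percentile performer should earn 200-300% of target
}

# Relative-importance thresholds from the article.
EMPHASIZED_ABOVE = 1.2
DEEMPHASIZED_BELOW = 0.8


def percentile(values: List[float], p: float) -> float:
    """Linearly interpolated p-th percentile (0 <= p <= 100) of a sample."""
    if not values:
        raise ValueError("empty sample")
    ordered = sorted(values)
    if len(ordered) == 1:
        return ordered[0]
    rank = p * (len(ordered) - 1) / 100
    lo = int(rank)
    hi = min(lo + 1, len(ordered) - 1)
    return ordered[lo] + (ordered[hi] - ordered[lo]) * (rank - lo)


def payout_range_check(payouts: List[float], target_incentive: float) -> Dict[int, Tuple[float, str]]:
    """For each zone percentile, return (payout / target, verdict)."""
    if target_incentive <= 0:
        raise ValueError("target incentive must be positive")
    result: Dict[int, Tuple[float, str]] = {}
    for pct, (low, high) in PAYOUT_ZONES.items():
        ratio = percentile(payouts, pct) / target_incentive
        if ratio < low:
            verdict = "below zone"   # too many earning little; turnover risk
        elif ratio > high:
            verdict = "above zone"   # overpaid bottom, or windfalls/poor quotas at top
        else:
            verdict = "in zone"
        result[pct] = (round(ratio, 3), verdict)
    return result


def relative_importance(incentive_weight: Dict[str, float], revenue_share: Dict[str, float]) -> Dict[str, Tuple[float, str]]:
    """Incentive weight divided by revenue share, labelled per the article."""
    out: Dict[str, Tuple[float, str]] = {}
    for product, weight in incentive_weight.items():
        share = revenue_share[product]
        if share <= 0:
            raise ValueError(f"revenue share for {product} must be positive")
        ratio = weight / share
        if ratio > EMPHASIZED_ABOVE:
            label = "high emphasis"
        elif ratio < DEEMPHASIZED_BELOW:
            label = "low emphasis"
        else:
            label = "neutral"
        out[product] = (round(ratio, 2), label)
    return out


# Constructed sample: incentive payouts (in dollars) for eleven reps.
SAMPLE_PAYOUTS: List[float] = [12000, 500, 35000, 8000, 2500, 40000, 6000, 15000, 10000, 18000, 4000]
SAMPLE_TARGET = 10000.0

# The article's SAAS/license example: 40/60 incentive weight, 20/80 revenue.
ARTICLE_WEIGHTS = {"license": 0.60, "saas": 0.40}
ARTICLE_REVENUE = {"license": 0.80, "saas": 0.20}

if __name__ == "__main__":
    for pct, (ratio, verdict) in payout_range_check(SAMPLE_PAYOUTS, SAMPLE_TARGET).items():
        print(f"P{pct} payout = {ratio:.0%} of target: {verdict}")
    for product, (ratio, label) in relative_importance(ARTICLE_WEIGHTS, ARTICLE_REVENUE).items():
        print(f"{product}: relative importance {ratio} ({label})")
```

On the constructed sample the 10th percentile lands at 25 percent of target (in zone) while the 90th percentile lands at 350 percent (above zone), which is the pattern the article attributes to windfalls or poor quota setting; the product ratios reproduce the article’s 0.75 and 2.0.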
Assessing ‘Fairness.’ “Fairness” is another important incentive concept for which analytics is critical. A plan is considered “fair” when no territory characteristic other than the effort and ability of the salesperson affects territory performance, and therefore incentive pay.
The importance of fairness to salespeople cannot be overstated. In practical terms, designing for fairness requires the company to address two challenges: 1) know which territory characteristics to test for bias, and 2) if bias is observed, understand how to adjust the plan or quotas to eliminate or reduce it. Field sales managers can provide input about what fairness tests to run, increasing the odds of diagnosing fairness issues before faith in the plan is diminished.
To determine perceptions of unfairness in the plan, one good question to ask field salespeople and their manager is, “If you could have any territory in the country, which would you choose and why?” These answers will begin to reveal field perceptions of territory unfairness and provide the basis for further analytic evaluation.
Monitoring Performance with Critical Metrics
There is no one-size-fits-all approach for sales compensation analytics. However, ZS has found in our experience across various industries that a best practice for companies is to define target “zones” for many key metrics. Some typical target zones are shown in the table below.
Typical Target Zones for Key Incentive Compensation Plan Metrics
• SPIFFs = sales performance incentive funds, used to provide an immediate bonus for a sale.
• IC = incentive compensation.
Sales analytics are a key element of a successful sales compensation program. In addition to providing efficient, timely and accurate payout calculations, use of analytics presents companies with a big opportunity to enhance sales compensation plan diagnosis and design.
Chad Albrecht is a principal with ZS in Chicago, where he leads the firm’s business-to-business sales compensation practice. He is a Certified Sales Compensation Professional (CSCP) with more than 15 years of experience implementing motivational incentive plans in the software, business services, medical devices, telecom, distribution and manufacturing industries. He is a co-author of The Power of Sales Analytics (ZS, 2014).
Jason Atchley : Compensation Data : Is Your Company Lying About Pay?
David Larcker and Anastasia Zakolyukina did some research in 2012 for the Rock Center for Corporate Governance at Stanford University. Luckily, it recently made its way back into circulation. The paper, “Detecting Deceptive Discussions in Conference Calls”, attempts to predict the level of deception or truthfulness of CEO communications to shareholders. They found “that the answers of deceptive executives have more references to general knowledge, fewer non-extreme positive emotions, and fewer references to shareholder value. In addition, deceptive CEOs use significantly more extreme positive emotion and fewer anxiety words.”
1) Less truthful CEOs tend to speak in generalities, rather than getting into details. Example: “Everybody knows”, instead of “I know.”
2) Less truthful CEOs tend to use hyperbolic terminology when discussing positives. Example: Using the word “great” instead of “good.”
3) Less truthful CEOs tend to reference the company or group rather than themselves. Example: “We” instead of “I.”
While the research paper indicated there was still more work to be done in this area, it found that it could predict deception with far more accuracy than random selection. In short, it seems as if an astute listener can determine deception with enough confidence to know when a deeper dive is recommended. The results are not perfect, but they are convincing.
These conclusions led me to reevaluate the communications of companies with compensation programs that have failed in the past. Perhaps, it was an equity compensation plan that failed to motivate individuals or drive company success. Maybe, it was a sales compensation program that did not impact revenue or profits. Or, it was a company with a compensation philosophy that claimed to focus on attracting, retaining and motivating world-class talent, while actually delivering none of these. Without writing a 70-page research paper, I have found enough anecdotal evidence to make me think twice. Is it possible that HR and compensation professionals use similar language and techniques when being disingenuous about pay programs? Is it possible that you are guilty of this without even realizing it?
Ask yourself if there has been a difference between how you discuss the plans you like versus those you wish the company would “fix.” Look at your past management presentations. Was your lack of confidence in market data or the recommendations you provided reflected by some of the issues listed above?
The truth is simple. Your employees and executives are both fairly good at seeing through pretext. Unlike many shareholders, your employees are not hoping that you will confirm everything is OK. They are looking for you to provide real information about an incredibly important and complex topic. Can you find examples of these indicators in your programs? Have you seen them in prior positions? If you can detect your own deceiving communications, my guess is that your employees can detect them too.
Jason Atchley : Software Updates: More Dangerous Than Hackers?
When the news hit last week that United Airlines flights were grounded, the New York Stock Exchange was down and the Wall Street Journal’s website was malfunctioning, a confused panic ensued. Was this a coordinated cyberattack or just malfunctioning tech? “No matter how hack-like the situation seemed, all three companies and law enforcement have been adamant that bad actors were not behind the failures,” says Slate’s Lily Hay Newman. “And that’s just scary.” Indeed, the story that emerged said router issues, software updates and heavy Web traffic were allegedly behind the mass failures.
“There doesn’t have to be a bad actor on the other end for something to be a cybersecurity problem,” says Newman, citing expert Dave Chronister. He says that although everyone is worried about malicious attacks, there is a greater chance that routine incidents like those that happened to UA, NYSE and WSJ will take down companies than cybercriminals.
Compounding the problem is the fact that as companies evolve in the digital age, their networks “go from complicated to almost absurdly heterogeneous,” says Newman. It’s even worse when systems need to be operational 24 hours a day, such as those at airlines. This means there is never a time when the network can go offline and be reorganized or strengthened. “The systems we interact with all the time, whether it’s an airline ticketing interface or a stock exchange, have evolved in such a piecemeal way, and with so little reprieve, that they inevitably have problems,” says Newman.
Today’s general counsel shoulder a great deal of responsibility for the legal well-being of some of the world’s largest and most complex corporations. And if current trends hold, they will continue to become even bigger players in corporate strategy and risk management in the years to come.
It’s a select group, especially those who make it into the elite ranks of our survey of the best-compensated GCs. And since compensation components vary so much from year to year, a compensation king (or queen, perhaps one of these years) may not reign for very long.
And so it is with Brackett Denniston III, general counsel of General Electric Company and reigning compensation king two years running. Who’s the usurper? Alan Braverman, The Walt Disney Co.’s general counsel, who brought home a whopping $6,699,231 in total cash compensation, according to the 2015 General Counsel Compensation survey, which was conducted by Corporate Counsel affiliate ALM Legal Intelligence and based on publicly available information found in 2014 proxy filings. [For a more complete explanation of our methodology, please see “Adding Up the Sums.”]
Representing Mickey and friends is a pretty good gig. Braverman made a base salary of $1,374,231, plus a performance-based bonus of $5,325,000. That wasn’t all. We rank top-earning GCs by their cash compensation, but Braverman’s pay packet, like that of most others, included nearly $2 million in stock awards and more than $1 million in stock options as well.
No one on the list had as outstanding a year as Braverman. But overall, GC pay packets got fatter as the lean years of the financial crisis fade even further into the rearview mirror and the nation’s general counsel continue to gain increased responsibility and organizational clout. “As far as compensation goes, the numbers are very good,” says John Gilmore, managing partner at executive recruiting firm BarkerGilmore, based in Fairport, New York. He explains that this is at least in part due to the fact that GCs are under pressure to do more for companies than they have in the past. “They are bringing a lot of legal work that used to be on the outside inside the department,” he notes. “They have a lot more on their plate now than they ever have had.” Luckily, with great power, it seems, comes bigger paychecks.
Compensation structures for any high-level executive can get complicated, but a good place to start is with cold hard cash. In this year’s survey—we feature the best-paid 100 here, not the entire universe of chief legal officers—average total cash compensation (the metric we use to rank our top 100 general counsel) increased by 6.2 percent, to $2,095,191, a growth rate only slightly below the previous year’s 6.4 percent.
This measured but positive pace of growth is a big improvement from recession years such as 2009, when take-home cash pay actually dropped by 11.1 percent. Solid if not overwhelming gains in compensation in 2014 helped produce some strong numbers atop the charts. Behind Braverman in the rankings came Denniston with $6,096,00 total cash take-home, and Paul Cappuccio of Time Warner Inc., with $5,864,715.
These numbers are impressive, but without breaking them down, it’s hard to get the full picture. The first element of total cash compensation is base salary, which averaged $706,453 for the GCs in the top 100 this year, a jump of only 0.8 percent from the 2013 numbers. With some exceptions, like 21st Century Fox Inc.’s Gerson Zweifach, who raked in the best base salary in the rankings at $3 million, this was not the area where GC pay flourished most.
Gains were stronger in another part of the pay package: bonuses plus nonequity compensation, which trended upward by an average of 9.2 percent in 2014. This category includes discretionary bonuses paid by the board, in addition to cash pay based on performance, which has become increasingly popular since the signing of the Dodd-Frank Wall Street Reform and Consumer Protection Act in 2010. Dodd-Frank raised the bar for executive compensation disclosures, and gave shareholders the ability to weigh in on this type of compensation through “say on pay” votes. The impacts of the law, combined with growing public concern around executive pay post-financial crisis, have prompted companies to prove to shareholders that general counsel are earning their keep, and performance-based pay—which can be doled out in either cash bonuses or equity—is one way to do this.
So how is general counsel performance measured? Let us count the ways. If that sounds vague, that’s because it often is. We asked compensation experts to pin it down, and we got fuzzy answers—though most stressed that it’s a reflection of the tough jobs top company lawyers have these days. “It’s often not as specific as something like a litigation outcome, unless it’s make-or-break for the company,” offers Todd Sirras, managing director of Los Angeles-based executive compensation consulting firm Semler Brossy. “It’s more on corporate goals or objectives, and in many of the larger companies’ performance measures are shareholder returns.”
Speaking of shares, though cash pay for GCs in our survey was nothing to sneeze at, the truth is, equity is still what makes executives the big bucks. And in a trend reminiscent of the dot-com boom years, pay packages are now emphasizing this type of compensation more. “It’s a multiyear trend that’s going on, it’s a pattern that in recent history happens in periods of stable or rising equity markets,” says Sirras. “It’s fully in line with what we would expect to see.”
With the overall financial outlook rosier, at least when it comes to corporate earnings, general counsel seem to be more than happy to get paid in stock. But that, of course, could change with even a whiff of a bear market. “If the equity market continues to be strong, then I think you’ll see more increase in equity,” Sirras explains. “If the equity market weakens significantly, I think you’ll see cash become more valued; it becomes more effective as a tool to create more incentives for people.”
For now at least, stocks look like a sure bet. We found that the average stock awards received by GCs in 2014 increased by an eye-popping 49.4 percent. Some of that progress can be attributed to an outlier—David Drummond, general counsel of Google Inc., who received $40 million in stock awards this past year. However, even excluding Drummond, the rise in awards is still an impressive 21.9 percent on average.
We should keep in mind that there are shares and there are shares—they come in two basic forms, restricted grants and stock option awards. Restricted shares, which came into vogue when tech share prices tanked, are seen as solid, as general counsel don’t have to wait a year or five or 10 before the equity vests and they can sell their shares. The case is different with stock options, which by vesting over time means higher risks due to strike prices and the vagaries of the market, but they bear the promise of higher rewards. Over the last few years, options have not performed well in the survey, likely because postrecession, the risk appetite of GCs has been lower.
Suddenly, though, in 2014 all of that seems to have changed. Options made a big comeback with general counsel, with the average option award growing by 11.8 percent over the previous year. And some GCs really benefited from the action, such as this year’s option king, Burke Norton, chief legal officer of Salesforce.com Inc., who snagged $3,245,944 in option awards this past year. Bob Graff, a partner and recruiter in the in-house practice group at Major, Lindsey & Africa, a legal search consultancy based in Hanover, Maryland, says that options may very well be more in vogue this year, particularly for younger (and perhaps less risk-averse) general counsel. “Options went out of style for a while, but generally what we see is if a company gives you actual shares or restricted units, they’re going to give a lot fewer units,” he explains. “So it really limits your upside.”
Though the average option award went up in the past year, the numbers around value of stock after it actually vests told a bit of a different story. The average value realized on vesting dropped 6.8 percent in 2014 from the previous year. As for the value of shares actually exercised, that dropped as well, by 20.2 percent. This means that perhaps GCs are not getting the full bang for their option buck.
The type of business a general counsel advises can also have a large influence on the number of zeros in their paycheck. The Bravermans and Dennistons of the world rode to the top in part because their industries have a record of paying GCs handsomely. Of the top 10 best-compensated general counsel on our list this year, five are the top lawyers at entertainment companies, and three are financial sector GCs. The total cash pay in these two industries also topped the charts again this year, while railroads, a perennial low scorer, and retail, which has historically been closer to the middle of the pack, rounded out the bottom of the list.
Big payouts in financial services and entertainment align well with the difficult and novel issues that GCs in these industries face. “Especially in entertainment, there’s a lot of IP protection required, and on the financial side there is a lot of regulation,” says Sirras. “The general counsel at these larger companies has to be able to balance all of that and protect the consumers’ and shareholders’ interests and manage what are often far-flung and diverse and global regimes from the regulatory perspective, as well as all kinds of IP protection regimes that are different in different countries and media.”
Beyond the industry breakdown, we also took a look at how female general counsel fared in our rankings. The list features many prominent women this year, with Maryanne Lavan of Lockheed Martin Corp. (No. 11) nearly breaking into the top 10. It seems that gender equality in the GC’s office is getting slightly better over time, although women in the top 100 still made less total cash on average than men—$1,955,175 to their male counterparts’ $2,123,869.
Diversity in the general counsel’s chair is clearly a work in progress, according to Nancy Jessen, managing director at Huron Legal, a branch of Chicago-based Huron Consulting Group Inc., but many companies are getting increasingly proactive about it. “What they are doing is making sure they are giving a very fair shot to women and minority candidates,” she says, explaining that when looking for new top legal talent, many are making sure to include qualified females and minorities in their search and in the interview processes, while also ensuring that the actual search committees have diverse representation.
In order to get a more diverse set of GCs at the top of the survey, of course, the ranks have to open up as older general counsel retire or switch jobs and newer ones step in to fill the gap. And this may indeed be happening. “We haven’t seen a slowdown at all,” says John Gilmore. “We have seen an escalating number of general counsel openings, and what we’re attributing it to is because the economy is in good shape, many of the general counsel who have been around for a long time are in a good financial situation. They’re in a place where they can financially move on to bigger and better things.”
A healthier economy may indeed be feeding more general counsel turnover. With this increased movement, explains Jessen, comes the opportunity for companies to redefine responsibilities for the new legal chiefs. “Often when there is turnover and a company is bringing in a new general counsel, they have much higher expectations for that role when someone is coming in,” she says, adding that changed standards will then often benefit the newcomers by leading to superior pay plans.
The cycle of a better economy, to more movement in the job market, to better pay appears to be a virtuous (and profitable) one for general counsel. But will it continue? We’ll have to wait until next year’s survey to find out.
Originally appeared in print as “He Can Afford This.”
Potential liability for data breaches has emerged as a major concern for businesses in the past few years as massive cyber-attacks are increasing, with companies that use or store private customer data electronically or use social media as part of their marketing strategy being the prime targets. These data breaches have contributed to an increase in director and officer (D&O) litigation in connection with cyberincidents, and will continue to do so, with plaintiffs seeking to capitalize on D&O policies that do not contain cyber or data breach exclusions.
The market for D&O cyber coverage is evolving in response to these issues. However, existing policies and those covering prior policy periods do not reflect current market trends. Many D&O policies connected to the current influx of D&O litigation lack cyberliability exclusions. Thus, although both businesses and insurance companies are responding to changes in cyber liability exposure and litigation, plaintiffs continue to capitalize on the possibility of payouts for cyberliability under D&O policies.
The Increasing Threat of Cyberintrusions and Data Breach Exposure
Various agencies, departments and organizations continue to take serious steps toward electronic data protection in recognition of emerging and evolving cyberthreats. For instance, on Feb. 3, 2015, the Financial Industry Regulatory Authority (FINRA) released its Report on Cybersecurity Practices, focusing on cybersecurity issues within the financial services industry. See, News Release. Among its findings, FINRA notes that the frequency and sophistication of cyber-attacks continues to increase. See, FINRA Report. With respect to broker-dealers, FINRA advises that the industry as a whole “must make responding to these threats a high priority.” Id. FINRA reports that a variety of factors are driving exposure to cybersecurity threats, including advances in technology, changes in business models, and changes in how businesses and their customers use technology to create vulnerabilities in information technology systems. The tools used to access private information are increasingly sophisticated, and insiders may also pose a substantial threat.
The Securities and Exchange Commission’s (SEC) Office of Compliance Inspections and Examinations (OCIE) also released a cybersecurity examination sweep summary in February 2015, which examined 57 broker-dealers and 49 registered investment advisers concerning how they address the legal, regulatory and compliance issues associated with cybersecurity. See, OCIE Cybersecurity Summary. Notably, the OCIE Summary indicates that most of the examined firms reported that they had been the subject of a cyber-related incident. A majority also stated that they experienced cyber-attacks directly or through one or more of their vendors. Most of the cyberincidents were related to malware and fraudulent e-mails.
On Feb. 13, 2015, the White House convened a summit on cybersecurity and data protection. President Obama noted that more than 100 million Americans had personal data compromised in recent data breaches, underscoring the importance of addressing the unique and often widespread risks associated with cyberintrusions.
Cybersecurity Litigation and the Undefined Standard of Care
Due to the increasing occurrence of data breaches, cyber litigation, including related D&O lawsuits, is on the rise. The FTC, for example, has initiated cybersecurity lawsuits and investigations. See, e.g., FTC v. Wyndham Worldwide Corp., No. 13-1887 (ES), 2014 WL 2812049 (D.N.J. June 23, 2014) (FTC alleges Wyndham entities violated FTC act by failing to maintain reasonable and appropriate data security for consumers’ sensitive personal information); FTC v. Wyndham Worldwide Corp. (Wyndham II), 10 F. Supp. 3d 601 (D.N.J. 2014). The district court’s denial of Wyndham’s motion to dismiss the complaint in Wyndham II is presently before the Third Circuit Court of Appeals on interlocutory review, where the court will consider the FTC’s authority to address cybersecurity issues under Section 5 of the Federal Trade Commission Act, as well as Wyndham’s alleged cybersecurity lapses.
The FTC’s brief cites the reasonableness standard articulated by the New Jersey district court, stating that reasonableness is the “touchstone” of the analysis. Brief for the Fed. Trade Comn’n (Nov. 5, 2014). However, what constitutes “reasonableness” remains largely undefined by courts.
The FCC is also doubling down on cybersecurity. On Oct. 24, 2014, the FCC levied its first fine under the Communications Act of 1934, and ruled against two companies for failing to adequately protect consumer information. See, In the Matter of TerraCom, Inc. and YourTel America, Inc., FCC 14-173, Notice of Apparent Liability for Forfeiture (Oct. 24, 2014). The FCC imposed a fine of $10 million on the companies for failure to employ reasonable data security practices, misrepresenting to customers that appropriate technologies were used to protect their personal information, failing to properly protect customer information, and failing to fully inform customers that their personal information had been compromised by third-party access. Id.
The FCC noted that “consumers applying for telecommunications services have a reasonable expectation that the carrier will protect confidentiality” of personal information they provide in connection with a transaction. Id. at 8. It found that the companies’ data security practices were “unjust and unreasonable” because they “failed to employ even the most basic and readily available technologies and security features” for protecting consumer information. Id. at 12.
Although case law and enforcement actions have yielded factual scenarios from which companies may discern particular practices that may not be appropriate, a uniform or better-defined standard of care has yet to emerge.
The Related Increase in D&O Litigation
Along with the proliferation of cyber litigation, related D&O lawsuits continue to present themselves in connection with data breaches. These lawsuits may seek to capitalize on D&O policies that lack specific cybersecurity exclusions. It remains unclear whether and to what extent traditional D&O policies would cover such claims. Standard D&O policies simply may not contemplate the new financial risks brought about by cyberliability and therefore may not adequately cover such claims. See, e.g., “Willis Warns Directors D&O Policies May Not Cover Some Cyber Risks,” Insurance Journal (Aug. 6, 2012) (citing Willis Group Holdings Executive Risks Boardroom Guide). However, the steady increase in D&O lawsuits indicates that D&O plaintiffs may hope or expect to resolve those questions in favor of coverage under more traditional policies still in force. Because such policies are unlikely to contain cybersecurity exclusions, they may cover losses resulting from data breach-related derivative litigation.
The Wyndham case is one example of derivative litigation that arose in connection with a cyberattack. In Palkon v. Holmes, No. 2:14-CV-01234 (SRC), 2014 WL 5341880 (D.N.J. Oct. 20, 2014), shareholders filed a derivative lawsuit against directors and officers of Wyndham Worldwide Corp. (Wyndham). The New Jersey federal district court dismissed the D&O case with prejudice on grounds that the plaintiff shareholder failed to show that the Wyndham board’s demand refusal was made in bad faith or was based on an unreasonable investigation. Under the strong presumption afforded by the business judgment rule, the court found that Wyndham’s board “had a firm grasp of Plaintiff’s demand when it determined that pursuing it was not in the corporation’s best interest.” Palkon, 2014 WL 5341880 at 6. The court noted that the company had implemented cybersecurity measures before the first breach, and those measures were followed. This finding prevented the plaintiff from showing gross negligence.
A pair of derivative suits filed Jan. 21 and Jan. 29, 2014, over Target’s data breach also remain pending in the federal district court for the District of Minnesota. The first complaint alleged breach of fiduciary duty and waste of corporate assets. See, Kulla v. Steinhafel, Case No. 0:14-cv-00203 (D. Minn. Jan. 21, 2014). The second complaint alleged breach of fiduciary duty, gross mismanagement, waste of corporate assets and abuse of control. See, Collier v. Steinhafel, Case No. 0:14-cv-00266 (D. Minn. Jan. 29, 2014). Both complaints alleged failure to take adequate steps to prevent a security breach, and that defendants “aggravated the damage to customers by failing to provide prompt and adequate notice to customers and by releasing numerous statements meant to create a false sense of security to affected customers.”
Thus, D&O lawsuits have been cropping up in connection with major cyber litigation, and the frequency and severity of these lawsuits can be expected to grow. See, e.g., D&O Claims & Trends Q2 2013, Advisen Insurance Intelligence (July 2013) (expectations are that the frequency and severity of D&O suits will grow due to increased regulatory scrutiny); see also, “Cyber Liability — the Changing D&O Risks,” WGA insureblog (Oct. 10, 2014) (“The rise of cyberliability is threatening to cause one of the D&O insurance industry’s periodic spasms.”).
Mitigating Exposure to D&O Litigation
Existing case law does not clearly explain what constitutes “reasonable” precautions taken by a business. In Wyndham, the court offers some suggestions that guide compliance, noting that the FTC’s public complaints and consent agreements, as well as its public statements and business guidance brochure, see, FTC, “Protecting Personal Information: A Guide for Business” (November 2011), indicate reasonable measures to be taken with respect to cybersecurity. It further suggests that industry practices may guide the reasonableness inquiry. See, Wyndham, 10 F. Supp. 3d at 620. Various other regulatory agencies and organizations also offer guidance on protecting private information, including the SEC, FINRA, the National Association of Chief Information Officers (NASCIO), the U.S. Department of Homeland Security (DHS), and the Department of Justice (DOJ). See, “Mitigating the Threat of Cybersecurity Litigation in an Ambiguous Regulatory Environment,” 57 No. 2 DRI For Def. 48 (Feb. 2015).
Development of industry standards would address some of these concerns. The February 2015 FINRA Report notes that an effective practice for firms would be to evaluate industry frameworks and standards as reference points for developing their approach to cybersecurity.
The FINRA Report suggests a number of frameworks and standards that businesses may draw upon as a starting point, including the National Institute of Standards and Technology (NIST) Framework for Improving Critical Infrastructure Cybersecurity Version 1.0 created pursuant to Executive Order 13549 of Aug. 18, 2010, among others. See, NIST Framework (Feb. 12, 2014). The NIST Framework specifically calls for businesses and organizations to establish a roadmap for reducing cybersecurity risk that considers legal and regulatory requirements, industry standards and best practices, and reflects risk management priorities. The related NIST Roadmap for Improving Critical Infrastructure Cybersecurity echoes that “industry groups, associations, and non-profits can be key vehicles for strengthening awareness of the Framework.”
Another important step in mitigating cyberliability, and in particular, D&O liability, is to ensure adequate cyberinsurance coverage. Insurers are well aware of the increasing risk of cyberliability for businesses. See, e.g., Increased D&O Diligence Required, The Hartford; “Cyber D&O Claims May Be On the Rise,” Zurich Insider (Jan. 2015). Some have suggested that, rather than excluding cyber events, D&O insurers may ask more questions of boards to determine their role and duties with respect to cyberrisk management. See, “Why Cyber Risk as a Boardroom Issue Can’t be Ignored,” WS&Co. However, it is becoming increasingly difficult for businesses and insurers to keep up with the many facets of cyberliability exposure. See, supra, “Cyber Liability — the Changing D&O Risks” (Oct. 10, 2014).
Cybersecurity risks are largely unknown and in constant flux. In addition to negotiating D&O policies that do not specifically exclude cyberliability, it is equally important to obtain an adequate scope of coverage. Coverage should address a broad range of cyberrisks, such as third-party or vendor exposures, regulatory liability, cybercrime, and other foreseeable costs to the business resulting from a cyber incident. To the extent possible, policies should also include language broad enough to cover some risk of exposure to undefined cyberthreats. It is imperative that businesses and their advisers stay on top of evolving cyberrisks to ensure that adequate coverage remains in place.
James D. Gassenheimer is a partner and Lara O’Donnell is an associate on Berger Singerman’s dispute resolution team in Miami.
Federal judges and judiciary employees were among the millions of federal employees whose personal information was compromised in a data breach.
Judges and judicial branch officials told the NLJ this week that they and many of their colleagues received alerts in recent weeks that their information was potentially stolen in a breach of 4.2 million federal employees’ personnel records announced last month by the Office of Personnel Management (OPM).
The federal judiciary has been in crisis mode, according to David Sellers, a spokesman for the Administrative Office of the U.S. Courts. Officials are meeting weekly at a minimum, the judiciary set up an internal website for employees with relevant information, and the Administrative Office has sent out seven branchwide memos with updates to date, according to Sellers.
“Anything that compromises personal information and consequently threatens safety and security is a great concern,” Sellers said. “We treated this at the [Administrative Office] the same way we would treat a disaster, like if a hurricane hit a court.”
On Thursday, OPM announced a second data breach affecting 21.5 million people, including 19.7 million individuals who applied for background investigations through the agency. An estimated 3.6 million federal employees affected by the personnel records breach announced in June were also affected by the background investigations records breach, according to OPM. It was not immediately clear if judges and other judiciary employees fell into that group.
Judicial security, including financial security, is a sensitive issue for courts, which routinely contend with threats against judges. Congress over the years adopted special protections to keep judges’ personal information out of the public realm, such as permitting judges to redact certain information about their finances in public financial disclosure reports.
Karen Milton, circuit executive for the U.S. Court of Appeals for the Second Circuit, said judges had been urged to alert the U.S. Marshals Service, which oversees judicial security, if their information was compromised in the OPM data breaches. A spokeswoman for the Marshals Service referred questions about its response to the data breaches to OPM.
“Of our judges who I know who have been notified, they are concerned about this,” Milton said. She added that some employees, including herself, did not receive an initial notice from OPM and only learned that they may have been affected by the breach after calling the company chosen by OPM to provide identity-theft and credit-monitoring services.
A spokeswoman for the U.S. Supreme Court declined to say whether any of the justices received a letter from OPM.
Chief Judge Laurie Smith Camp of the U.S. District Court for Nebraska said she received a letter from OPM that her information was compromised. She said she was at meetings this week with court personnel, and “all the hands went up when I asked how many had received letters” from OPM.
The Administrative Office of the U.S. Courts is concerned about the services offered by OPM to employees affected by the personnel records breach, according to a memo that Administrative Office Director James Duff sent to judges and judiciary officials on July 7.
“The credit-monitoring services are available for only 18 months and none of the services cover family members,” Duff wrote. “Both the scope and duration of the services concern us, as well as many of our judges and employees.”
A spokesman for OPM said the agency was reviewing the judiciary’s feedback.
If judges or judiciary employees fall into the group of individuals whose information was compromised in the background investigations breach, they’ll be eligible for more robust credit monitoring and identity-theft protection. Those services will be offered for at least three years, according to OPM.
OPM said it will notify individuals affected by the background investigations breach in the coming weeks.
Chief Judge Richard Roberts of the U.S. District Court for the District of Columbia said judges and employees in his courthouse received letters from OPM that their information may have been compromised in the personnel records breach. He declined to say if he received such a letter, citing security concerns.
The scope of the breach was “very unsettling,” Roberts said. As for whether OPM had done enough to protect federal employees whose information may have been stolen, he said it was too early to tell.
Duff has said that strengthening the judiciary’s cybersecurity protections is a priority for the Administrative Office. One downside to the judiciary giving circuits control over local affairs was that cybersecurity efforts were decentralized, Duff said, speaking in late June at a meeting of D.C. judges and court officials. The judiciary was looking into more uniform defense systems, he said, but added that it would also take a “culture change” among the judges and employees to be aware of how they protect their information online.
Judges historically have had a reputation for being tech-unsavvy. Roberts acknowledged that many judges may spend too little time thinking about their vulnerability online. “It’s a new issue for us,” he said.
Chief Judge Fred Biery of the U.S. District Court for the Western District of Texas said he doesn’t own a personal computer, and only uses his work computer when necessary. He received a letter from OPM about the data breach and signed up for the credit monitoring and identity-theft services. He said his presence on the web was limited, however.
“I use voice recognition software: It’s my voice and my clerks recognize it,” Biery said. “I can’t get hacked on a personal computer if I don’t have one.”
The Obama administration said today that hackers stole Social Security Numbers from more than 21 million people and took other sensitive information when government computer systems were compromised.
On July 9, OPM announced that more than 19 million people who had applied for background investigations were affected. Government officials also said that nearly 2 million people who weren’t applicants, but rather spouses or other family members, were affected as well.
The inter-agency forensic investigation, which commenced last month, identified two separate but related cybersecurity incidents on its systems. The first incident, announced in June by the OPM—the agency that oversees staffing and security clearance for federal agencies—revealed that hackers gained access to OPM databases in December 2014 and may have compromised the personally identifiable information of as many as 4 million individuals.
“OPM discovered an incident affecting background investigation records of current, former, and prospective federal employees and contractors,” according to the July 9 OPM announcement. “Following the conclusion of the forensics investigation, OPM has determined that the types of information in these records include identification details such as Social Security Numbers (SSNs); residency and educational history; employment history; information about immediate family and other personal and business acquaintances; health, criminal and financial history; and other details.”
The team concluded “with high confidence” that sensitive information, including the SSNs of 21.5 million individuals, was stolen from the background investigation databases. That figure includes 19.7 million individuals who applied for a background investigation, and 1.8 million non-applicants, predominantly spouses or co-habitants of applicants.
According to OPM, some records also include findings from interviews conducted by background investigators, and approximately 1.1 million include fingerprints. Those affected include anyone who underwent a background investigation through OPM in 2000 or later.
“It is highly likely that the individual is impacted by this cyberbreach. If an individual underwent a background investigation prior to 2000, that individual still may be impacted, but it is less likely,” OPM officials said.
This data breach began in May 2014, according to OPM Director Katherine Archuleta’s recent testimony before Congress. It was not discovered until May 2015. Government officials said there is no information that points to any misuse of the stolen data.
“There is no information at this time to suggest any misuse or further dissemination of the information that was stolen from OPM’s systems,” according to the OPM announcement.
For the 21.5 million background investigation applicants, spouses or co-habitants with SSNs and other sensitive information that was stolen from OPM databases, OPM and the Department of Defense (DOD) will work with a private-sector firm specializing in credit and identity theft monitoring to provide credit-monitoring services. In addition, OPM launched a new, online incident resource center today.
Earlier this week, Homeland Security Secretary Jeh Charles Johnson said in a speech that he believed all civilian federal agencies will be using EINSTEIN 3A (E3A)—a cybersecurity platform—by the end of this year.
“To be frank, our federal cybersecurity is not where it needs to be,” Johnson said in the speech. “But we have taken, and are taking, accelerated and aggressive action to get there.”