Capital raising through a public offering of securities is strictly regulated by the provisions of the federal Securities Act of 1933 (“Securities Act”) and the Exchange Act of 1934 (“Exchange Act”). The focus of the Securities Act is the disclosures and liabilities involved in the offer and sale of securities to the investment community, in both private and public offerings. Under Section 5 of the Securities Act, offers and sales of securities must be registered with the federal Securities and Exchange Commission (“SEC”) unless one of the exemptions from registration included in Sections 3 and 4 of the Securities Act is available. Disclosures in the registration statement are intended to include all of the material information regarding the issuer and the terms of the offering and the Securities Act contains provisions designed to insure that the information is disseminated to the investment community before the offering is completed. The SEC has no authority to rule upon the merits of an offering and lacks the resources necessary to conduct an independent review of all of the facts and statements contained in the registration statement. However, the SEC can prevent the securities from being distributed where such disclosure requirements are not fully met by preventing or suspending the effectiveness of the registration statement.
The basic purposes of the Exchange Act are to regulate securities exchanges and the securities market; to make available to persons who buy and sell securities information relating to the issuers of such securities; to prevent fraud in securities trading and manipulation of markets; and to control the amount of credit which may be used in the securities market. The provisions of the Exchange Act relate primarily to the activities of issuers and their affiliates after their securities have been distributed into the public market. The Exchange Act requires the registration of each class of an issuer’s publicly traded securities with the SEC, as well as the filing of periodic and other reports with the SEC and securities exchanges by those issuers and its officers, directors and controlling shareholders. The Exchange Act also regulates the solicitation of proxies with respect to registered issuers, as well as tender offers and other specified transactions. Finally, the Exchange Act establishes a number of rules relating to the creation and operation of the securities markets, including requirements applicable to broker-dealers, stock exchanges, clearing agencies and transfer agents.
This month’s update to Business Transactions Solution on WESTLAW includes new Business Counselor’s Training Materials for public offerings and public company status (see §288:162) that covers the applicable regulatory framework; considerations in selecting public financing; advantages and disadvantages of public company status; disclosure requirements; underwriting and distribution arrangements; exchange listings and secondary trading and public company status.
Developing a privacy and data security compliance program requires a substantial investment of professional and managerial time and financial resources to acquire, install and operate the necessary technological systems that serve as the foundation for collecting, using, transferring and discarding nonpublic personal information. It is common to refer to privacy and data security as a top-level corporate governance issue that involves the board of directors and senior management and as companies grow they are likely to recruit and appoint experienced professional to serve as chief privacy officers with their own dedicated personnel and budget to oversee the element of the compliance program. While there is no single template for the privacy and data security compliance program it is important to address the following:
- Defining and identifying nonpublic personal information handled by the company and documenting how the information flows into, within and outside the organizational structure of the company;
- Establishing managerial responsibility and control over the compliance program and allocating sufficient cash and other resources to the program;
- Establishing and enforcing all necessary policies and procedures with regard to privacy and data security;
- Establishing focused programs to deal with specific privacy-related risks such as online collection of information and collection and use of information during the course of customer relationships;
- Establishing programs for educating all company employees and business partners about privacy- and data security-related requirements, including continuing education of new developments and threats for executives and managers directly responsible for the compliance program;
- Understanding and monitoring all applicable privacy- and security-related laws and regulations including emerging trends that may change the regulatory landscape in the foreseeable future;
- Establishing and administering procedures for oversight of vendors with access to nonpublic personal information for which the company is ultimately responsible;
- Establishing procedures for data retention and destruction;
- Establishing and administering privacy incident response and breach notification procedures;
- Establishing and enforcing disciplinary policies with respect to failure of employees and business partners to comply with the privacy- and data security-related policies and procedures of the company;
- Communicating the company’s privacy- and data security-related practices to relevant stakeholders including employees, customers, business partners, financial markets and regulators; and
- Providing regular reports on the efficacy of the program to the board of directors and members of the senior management group.
Responsibility for administering the privacy program should be vested in a single person, generally referred to as the chief privacy officer, who will be given authority to establish privacy policies and procedures and oversee personnel in each department of the company who will be responsible for privacy-related issues in their functional area. The importance of have an executive-level position responsible for managing the risks and business impacts of privacy laws and policies is reinforced by the fact that most of the Fortune 100 companies now have a chief privacy officer or an equivalent position. The chief privacy officer, with the support of the chief executive officer and other members of the senior management group, should be prepared to implement privacy policies and practices for the entire company and coordinate the compliance activities of disparate departments such as marketing, communications, customer service, information technology, human resources and legal. The privacy officer and his/her staff should begin by making an assessment of the nonpublic personal information that the company collects and how it is used and otherwise handled by the company. Once policies and procedures are in place the privacy officer should conduct privacy impact assessments and audits of the handling of nonpublic personal information and should create training and educational programs for employees and company agents. Various resources are available for developing a privacy program including the materials that are readily available from privacy seal organizations and from privacy advocacy groups.
Achieving adequate data security and privacy protections for customers, employees and other parties requires a strategy and like any other strategy it is important to identify relevant metrics that can be used to assess performance. Unfortunately, there is no single strategy that will be entirely successful in each instance and even companies that have thoughtfully developed and implemented data protection regimes can suffer security breaches. When creating a data protection program companies should be mindful of the stories they might need to tell if and when problems occur and this means being able to demonstrate that the program was based on recognized industry standards and applicable regulatory guidelines. In addition, companies should have a record of their consultation processes that includes the names and backgrounds of the technical and legal specialists that were involved. Companies should also be able to explain how their data security framework work and when and how decisions were made among various alternative solutions. For example, companies typically have a limited budget for their data security programs and the record should describe how and why dollars were invested in addressing particular risks. While all this information cannot eliminate potential liability for security breaches it can help mitigate potential penalties and punitive damage awards.
Chapter 230 of Business Transactions Solution (§§230:1 et seq.) on WESTLAW covers the development and administration of policies and procedures to comply with laws, regulations and industry standards relating to privacy, data security and overall collection and use of nonpublic personal information. The materials include a large library of illustrative policies and related practice tools such as checklists for developing a privacy and data security compliance program (BTS §230:130), negotiating information security issues in outsourcing contracts (BTS §230:131) and privacy and data security issues in acquisition transactions (BTS §230:132). The chapter also includes valuable communications vehicles for clients including client executive summaries regarding privacy and data security laws (BTS §230:133), security requirements for nonpublic personal information (BTS §230:134) and implementation and management of privacy programs (BTS §230:135).
While much of the capital raised by closely-held businesses from outside investors in the private placement market comes in the form of an equity investment, consideration should also be given to the use of debt securities. Debt securities without conversion rights can provide companies with an opportunity to secure additional capital for the business without diluting the ownership interests of the holders of equity securities. Convertible debt securities can be used to attract capital from those investors looking for more downside protection in the event the business is unable to meet its financial and business objectives. While debt securities have different rights, preferences, and privileges than equity securities, the process for completing a debt financing is very similar to the steps that need to be completed for an equity investment.
Larger companies, including many public companies, have taken to issuing debt securities to take advantage of favorable credit terms, including low interest rates, and to avoid the uncertainties of attempting to sell new securities in the equity markets. The debt securities issued by public companies are quite sophisticated and limited only by the imagination of a company’s financial officers and investment bankers. Traditionally, debt securities in privately-held businesses were issued only to friends and family of the founding group at the time the company was formed and to institutional investors as the company matured. Debt securities issued to friends and family usually were converted into common stock upon completion of the first round of outside funding from venture capitalists or other professional investors. Debt securities issued to the institutional investors were typically scheduled for conversion within 12–18 months in some form of liquidity event, such as an initial public offering or acquisition. However, debt investment financings have been much more common as companies struggled to stay afloat after their initial equity investment capital evaporated. For example, the so-called “bridge loan” is a transaction in which current investors provide the company with a limited amount of funds, in the form of a loan, to keep the company going until a new round of equity financing can be closed. Upon closing of the new equity financing, the bridge loan is either repaid or converted into the securities issued in the new financing. Investors participating in the bridge loan are rewarded for the increased risk through warrants and options, as well as preferred terms on conversion of the loan amounts in the equity financing.
Counsel for the issuer and counsel for the lender-investor in a debt financing transaction perform many of the same functions that must be completed in connection with an equity transaction; however, the nature of the instrument will dictate a slightly different emphasis, as well as the need for specialized experience that might not be part of the skills normally offered by counsel primarily engaged in equity offerings. For example, company counsel needs to be conversant with laws and procedures relating to secured transactions, as well the impact of the strict loan covenants and restrictions on the company’s business. Investors’ counsel needs to be able to advise the client regarding the rights of creditors under secured transactions and bankruptcy laws, particularly when the investors also hold company equity securities. In addition, the company will generally prepare, with the assistance of counsel and any finder/broker, offering documents that not only comply with applicable securities law requirements, but which also serve as a powerful marketing tool for the company in its search for investment capital. The offering documents in a debt financing should include a detailed description of the proposed terms of the debt securities; the projected cash flow over the term of the instrument; and a legal discussion touching on creditors’ rights and the covenants and restrictions that will be put in place to allow holders of the debt securities to monitor the use of their funds. To learn more about helping your clients with debt financings, see the new Business Counselor’s Training Materials on the subject (see §155:287) and the new slide deck presentation on debt financing (see §155:286), both available in Business Transactions Solution on WESTLAW.
The federal Defend Trade Secrets Act of 2016 (“DTSA”), which came into effect on May 11, 2016 as Public Law No. 114-153, amended the federal criminal code to create a private civil cause of action for trade secret misappropriation. Specifically, a trade secret owner may file a civil action in a U.S. district court seeking relief for trade secret misappropriation related to a product or service in interstate or foreign commerce (18 U.S.C.A. § 1836(b)(1)). The DTSA established remedies including injunctive relief, compensatory damages, and attorney’s fees, and set a three-year statute of limitation from the date of discovery of the misappropriation (18 U.S.C.A. § 1836(b)(3)). The DTSA does not preempt state law, which means that trade secret owners may continue to pursue remedies in state courts while taking advantage of the provisions in the DTSA.
Under the DTSA (18 U.S.C.A. § 1836(b)(2)), a trade secret owner may apply for and a court may grant, in extraordinary circumstances, an ex parte seizure order (i.e.,, seizure without prior notice to the person against whom seizure is ordered), such as an employee whom an employer suspects may be prepared to leave the U.S. with the employer’s valuable trade secrets) to prevent dissemination of a trade secret if the court makes specific findings, including that: (1) a temporary restraining order or another form of equitable relief is inadequate, (2) an immediate and irreparable injury will occur if seizure is not ordered, and (3) the person against whom seizure would be ordered has actual possession of the trade secret and any property to be seized. A court must take custody of and secure seized materials and hold a seizure hearing within seven days. An interested party may file a motion to encrypt seized material. It should be noted, however, that the DTSA allows individuals or companies who believe they have been subjected to wrongful or excessive seizure to pursue a cause of action for damages including lost profits, costs of materials, loss of goodwill and punitive damages if the seizure was sought in bad faith.
The DTSA amended certain definitions in 18 U.S.C.A. § 1839 and added the following definitions of “misappropriation” and “improper means”:
“(5) the term ‘misappropriation’ means—
“(A) acquisition of a trade secret of another by a person who knows or has reason to know that the trade secret was acquired by improper means; or
“(B) disclosure or use of a trade secret of another without express or implied consent by a person who—
“(i) used improper means to acquire knowledge of the trade secret;
“(ii) at the time of disclosure or use, knew or had reason to know that the knowledge of the trade secret was—
“(I) derived from or through a person who had used improper means to acquire the trade secret;
“(II) acquired under circumstances giving rise to a duty to maintain the secrecy of the trade secret or limit the use of the trade secret; or
“(III) derived from or through a person who owed a duty to the person seeking relief to maintain the secrecy of the trade secret or limit the use of the trade secret; or
“(iii) before a material change of the position of the person, knew or had reason to know that—
“(I) the trade secret was a trade secret; and
“(II) knowledge of the trade secret had been acquired by accident or mistake;
“(6) the term ‘improper means’—
“(A) includes theft, bribery, misrepresentation, breach or inducement of a breach of a duty to maintain secrecy, or espionage through electronic or other means; and
“(B) does not include reverse engineering, independent derivation, or any other lawful means of acquisition”
The DTSA provides immunity from civil and criminal liability for an individual who discloses a trade secret: (1) to a government official or attorney in confidence to report or investigate a violation of law, or (2) in a legal complaint or filing under seal. See 18 U.S.C.A. § 1833(b). It is important for employers to be aware that they are required to provide notice of the DTSA immunity in any contract or agreement with an employee that governs the use of a trade secret or other confidential information, which notice requirement may be satisfied by providing a cross-reference to a policy document provided to the employee that sets forth the employer’s reporting policy for a suspected violation of law. Failure to comply with the notice requirement will prevent employers from be awarding certain exemplary damages or attorney fees under 18 U.S.C.A. § 1836(b)(3). The notice requirements apply to contracts and agreements entered into or updated after the effective date of the DTSA (May 11, 2016). It is recommended that notice language track the statute, such as the following:
“Notwithstanding the foregoing nondisclosure obligations, 18 USC § 1833(b)(1) added by the U.S. Defend Trade Secrets Act of 2016 (“DTSA”) provides that an individual shall not be held criminally or civilly liable under any federal or state trade secret law for the disclosure of a trade secret that is made: (1) in confidence to a federal, state, or local government official, either directly or indirectly, or to an attorney, and solely for the purpose of reporting or investigating a suspected violation of law; or (2) in a complaint or other document filed in a lawsuit or other proceeding, if such filing is made under seal. In addition, the DTSA provides that an individual who files a lawsuit for retaliation by an employer for reporting a suspected violation of law may disclose the trade secret to the attorney of the individual and use the trade secret information in the court proceeding, if the individual (1) files any document containing the trade secret under seal; and (2) does not disclose the trade secret, except pursuant to court order.”
For examples of how the notice should be placed into a full agreement, see the chapter on Employee Confidentiality and Innovations Assignment Agreements (§§167:1 et seq.) in Business Transaction Solutions on Westlaw.