Missouri recently enacted a law which made it the 45th state to adopt data breach notification regulations. The law goes into effect August 28, 2009. Similar to other states’ laws, Missouri’s law applies to any persons and companies who have personal information of a Missouri resident, regardless of size, nature of business or other factors.
What Type of Information is Covered? Missouri’s law defines “personal information” expansively to include:
- social security numbers;
- driver’s license numbers or similar unique identification numbers created by a government body;
- financial account numbers (with a required security code, access code or password which would permit access to the account);
- credit card or debit card numbers (with a required security code, access code or password which would permit access to the account);
- unique electronic identifiers or routing codes (with a required security code, access code or password which would permit access to the account);
- medical information; and
- health insurance information.
What You Must Do After a Breach. If a breach occurs, you must provide notice to the Missouri resident that a breach has occurred without any unreasonable delay. That notice must include, at minimum:
- a description of the incident in general terms;
- the type of information that was obtained in the breach;
- a contact number for the person or company for further assistance; and
- contact information for consumer reporting agencies.
At a conference on July 28, 2009, Neil Barofsky, the Special Inspector General for TARP, outlined the types of fraud that his office was investigating. He indicated that review of the Capital Purchase Program is his primary objective at this time, and that the office is investigating allegations of securities fraud, accounting fraud, falsified financial statements, criminal misrepresentations, and fraudulent practices involving mortgage modifications. Barofsky noted that his office is currently conducting “10 or 11” audits involving government spending that could lead to criminal fraud charges.
The focus appears to be on “application-stage” fraud, involving actions taken by entities when they were applying for Capital Purchase Program funds. Barofsky noted that “these are banks that are cooking their books, whether it’s false valuation of assets, whether it’s round-trip transactions — really whatever we’ve seen recently in large accounting fraud, we’re investigating, looking at institutions that did that in order to get TARP funds.”
On July 10, 2009, the Securities and Exchange Commission (the “SEC” or the “Commission”) published the proposed new rules to enhance compensation and corporate governance disclosure in Items 401, 402 and 407 of Regulation S-K, which we reported earlier in our July 2, 2009 bulletin (available here),
For more information, please read the client alert published by Bryan Cave LLP’s Corporate Finance and Securities Client Service Group on July 17, 2009.
Yesterday the SEC approved an NYSE proposal that will eliminate broker discretionary voting in director elections. Additionally, the SEC is proposing rule changes that would eliminate (1) certain proxy statement disclosures relating to executive compensation and corporate governance and changes to certain proxy solicitation rules and (2) require recipients of Troubled Asset Relief Program (“TARP”) funds to implement “say-on-pay” practices through the proxy solicitation process.
For more information, please read the client alert published by Bryan Cave LLP’s Corporate Finance and Securities Client Service Group on July 2, 2009.
Ricci v. DeStefano Supreme Court Finds that City Discriminated Against White Employees
On June 29, 2009, the United States Supreme Court rendered its much-anticipated decision in the case of Ricci v. DeStefano, 2009 WL 1835138 (2009), and declared that the City of New Haven, Connecticut had engaged in unlawful disparate treatment discrimination when it refused to implement the results of a promotional exam that revealed a substantial disparate impact on African-American employees. Specifically, the Court held that an employer may not use statistical disparity as the sole basis for changing an employment practice unless there is strong evidence indicating that continuing the practice would violate the disparate impact provisions of Title VII. Ricci is a significant development in the area of discrimination law, and will require employers to consider carefully a wide range of employment practices and decisions.
For more information, please read the client alert published by Bryan Cave LLP’s Labor and Employment Client Service Group on July 15, 2009.
On July 20, 2009, the Office of the Special Inspector General for the Troubled Asset Relief Program (SIGTARP) published the results of the SIGTARP Survey of Initial TARP Capital Purchase Program Recipients. Despite the report’s flaws, some of which are discussed below, the results should be read by all TARP recipients. The report does a good job summarizing how banks use capital (see in particular Appendix B) and exploring the myriad of ways in which TARP funds have been used.
Report Conclusions
Titled “SIGTARP Survey Demonstrates that Banks Can Provide Meaningful Information on Their Use of TARP Funds,” the report recommends that Treasury require TARP Capital recipients to submit periodic reports to Treasury on the uses of TARP funds, including what actions they were able to take that they would not have taken otherwise.
The actual results of the survey, however, would seem equally to support a conclusion that, because TARP funds are capital, the specific uses of TARP funds cannot be specifically identified. Instead, the TARP Capital Purchase Program has provided additional capital to banks to allow them to continue to engage in all of the activities in which they engage in, including lending.
Disclosure of Individual Responses
The SIGTARP report aggregates the responses of the 360 bank recipients of TARP funds through January 31, 2009. (SIGTARP has not given any indication that it intends to survey subsequent recipients of TARP funds.) Although individual responses are not included in this report, SIGTARP indicates that it intends to post all responses, redacted as necessary, on its website within 30 days.
On June 23, 2009 and June 30, 2009, the Treasury announced the completion of the thirty-second and thirty-third rounds, respectively, of TARP Capital infusions. In these two rounds, which closed on June 19 and June 26, the Treasury purchased a total of approximately $3.7 billion in securities from 26 financial institutions. The Treasury has now invested in 650 institutions, totaling approximately $203.2 billion.
In these two rounds, Hartford Financial Services Group, Inc., Hartford, Connecticut, received the largest infusion, $3.4 billion. Gold Canyon Bank, Gold Canyon, Arizona, received the smallest infusion, $1.6 million.
Of note during the last two weeks of June, 2009, eleven institutions re-paid approximately $68.3 billion. The largest re-payments came from JPMorgan & Chase ($25 billion), The Goldman Sachs Group, Inc. ($10 billion), and Morgan Stanley ($10 billion). As of June 30, 2009, the total amount re-paid under the TARP Capital Purchase Program is approximately $70.1 billion, and Treasury’s outstanding investment equals approximately $133.1 billion.
Also of note, the Treasury provided the warrant disposition information for a number of institutions that had previously re-paid the Treasury (please click here for our discussion of the disposition process). The Treasury disposed of the additional investment of thirteen institutions (10 public (via warrants) and 3 private (via preferred stock)). The proceeds from these dispositions totaled approximately $19.4 million.
On July 1, 2009, the SEC proposed a rule to implement the “Say-on-Pay” provisions contained in the TARP executive compensation restrictions.
The proposal would add a new Exchange Act Rule 14a-20, which would require TARP recipient to provide a separate shareholder vote to approve the compensation of their executives, as disclosed under Item 402 of Regulation S-K, in their proxy solicitations for an annual meeting at which directors are to be elected. In addition, a TARP recipient would be required to explain the general effect of the vote, such as whether the vote is non-binding.
The SEC is not dictating the specific language, form of resolution, or proxy disclosure that a TARP recipient must use to provide shareholders with a “Say-on-Pay.” However, footnote 14 to the Proposing Release contains an important caveat:
“However, as stated in Section 111(e)(1) of the EESA, the vote must be to approve “the compensation of executives, as disclosed pursuant to the compensation disclosure rules of the Commission (which disclosure shall include the compensation discussion and analysis, the compensation tables, and any related material).” We believe that a vote to approve a proposal on a different subject matter, such as a vote to approve only compensation policies and procedures, would not satisfy the requirements of Section 111(e)(1) of the EESA or proposed Rule 14a-20.”
The proposed rule also (i) continues to require that TARP recipients submit a preliminary proxy statement for potential SEC review; and (ii) confirms that TARP recipients that qualify as smaller reporting companies under the SEC disclosure framework may rely on the smaller reporting company disclosure requirements, and are therefore not required to provide a Compensation Discussion & Analysis.
As we’ve previously discussed, the FDIC has revised the brokered deposit/interest rate restrictions to create a presumption in favor of a “national deposit interest rate” starting January 1, 2009. Less than well-capitalized institutions will be then barred from paying in excess of 75 basis above the national rate, unless the institution is successful in convincing the FDIC that the institution’s local deposit rate market is above the national rate.
We have had several conversations with FDIC staff over the last few weeks regarding the FDIC’s intentions with respect to the new national deposit rate structure and how FDIC in Atlanta would approach it, given that the apparent average rate in Atlanta is already higher than 75 basis points more than the national rate. FDIC staff stated that this was a very difficult and very sensitive issue, and that the local office of FDIC anticipated that most banks would, and would be permitted to, use a local rate basis. That was the good news.
The bad news is that the burden of proof is going to become very high for any bank attempting to demonstrate the local rates. The FDIC has subscribed to a service called “RateWatch” that they were going to use, he believed, as a reference point. The FDIC will analyze carefully the definition of the local market and the computation of the average from that market. We understand that the analysis will have to be done on a branch by branch basis within the chosen market area (using newspaper quotes is apparently not enough).
Banks seeking to support a higher local rate would need to define its “local market” — i.e., counties in which the bank has branches, or perhaps another standard that the bank can support — and then calculate the local rate paid by each bank and branch in its local market. For this purpose, each branch is given the same weight as a single-office bank; for example, if Bank of America has 5 branches in your market, the rate paid by each of those branches is counted individually and weighted equally. This will likely cause the large national retail banks to have a significant and disproportionate influence on local rates, especially if they are not competing for the same local deposits sought by community banks.
Although some questioned if the day would arrive, the Red Flag Rules issued by the FTC, the federal bank regulatory agencies and the National Credit Union Administration go into effect August 1, 2009. The Rules are drafted broadly and will apply to many different companies, including “financial institutions and creditors with covered accounts.” Essentially, if you offer any form of loan or maintain any form of money account, you will have to comply the Red Flag Rules.
Preparing for August 1
The biggest step you should take is to prepare a Red Flag Plan. Although the Rules stress that each program should be tailored to the individual entity, some central elements should be present:
- IDENTIFICATION – Make sure your plan identifies what constitutes a “red flag” (i.e. what could reasonably indicate identify theft).
- DETECTION – Make sure you have a written procedure for how you will detect, understand and process any red flags.
- RESPONSE – Make sure you adequately define how you will respond, making sure that you include enough flexibility to respond adequately to different levels of threat.
- MAINTENANCE – Make sure you have a set process for reviewing, updating and revising your Red Flag Plan.
- OVERSIGHT – Make sure the plan is properly approved by the Board of Directors, Managers or similar management positions, and include explicit designations of power as to who in management (either the Board or a senior officer) will oversee the Plan and its execution.
The Interim Final Rules regarding Executive Compensation for TARP recipients provide a number of corporate governance standards for Compensation Committees. While these standards currently only apply to financial institutions that have outstanding TARP investments, many of the standards are likely to be considered best practices for the compensation committees of all companies.
TARP recipients generally are required to have a compensation committee consisting solely of independent directors (with independence determined by reference to the federal securities laws). (Private TARP recipients who received a TARP investment of less than $25 million are not required to have a compensation committee, in which case the full Board of Directors is required to take the actions detailed below).
