Technology Company Issues

The use of social media as a public company information channel encountered a roadblock on December 5, 2012 as Netflix, Inc. and its CEO, Reed Hastings, both received Wells notices from the SEC regarding a prior Facebook post that Mr. Hastings had made. A Wells notice is a notification from the SEC that it intends to recommend enforcement action against a company or individual. This notice also gives the affected parties an opportunity to explain why such an action is not appropriate. 

Mr. Hastings’ July 2012 Facebook post congratulated the company’s content licensing team for exceeding a milestone in monthly viewing hours. It also contained a positive prediction regarding future monthly viewing hours. Netflix did not issue a Form 8-K, a press release or any other disclosure at the time of this post. Mr. Hastings has made a habit of posting company information on his Facebook page. Here is the post that is the subject of the Wells notice:

 FD issue for Netflix

Netflix filed a Form 8-K regarding this matter on December 5, 2012. According to this 8-K, the Wells notices indicated that the SEC staff intended to recommend that the SEC institute a cease and desist proceeding and/or bring a civil injunctive action against Netflix and Mr. Hastings for violations of Regulation FD, Section 13(a) of the Securities Exchange Act of 1934 and Rules 13a-11 and 13a-15 under the 1934 Act. Mr. Hastings also provided a statement that was attached as an Exhibit to this Form 8-K. The statement clearly indicates his feeling that the SEC’s application of Regulation FD is incorrect here. 

Regulation FD prohibits selective disclosure of material information. This regulation was enacted to prevent public companies from selectively releasing material information to certain shareholders or other parties without broad distribution. For example, Regulation FD prevents a company from selectively providing information to certain friendly investment analysts or major shareholders before it is publicly. The policy behind this rule is that all investors should have equal access to material information. 

Regulation FD is conceptually a good rule, as it helps to level the playing field among investors and interested parties. The real problem in the social media context is that
Continue Reading Netflix CEO’s Facebook post leads to possible Regulation FD action by SEC – Time for some changes

How public companies should handle social mediaSocial media use has experienced a meteoric rise. According to Tweetsmarter (a social media blog), the top five social media sites (Facebook, Twitter, LinkedIn, Google+ and Pinterest) have 1.8 billion users. Many companies have also embraced social media use as a cheap and efficient channel for the dissemination of information. Good examples here include Best Buy’s Facebook page and Whole Foods’ Twitter account.

While social media is a very powerful force in marketing and branding, public companies face significant potential problems from its use.  A public company’s posting of information on a social media site is equivalent to any other written information that is disclosed by other means. If material nonpublic information is disclosed via a social media channel, the company will face the same securities law issues that it would face from any other disclosure made through other means. Accordingly, public companies must consider the possible impacts of social media use and take steps to control and mitigate the potential negative effects of social media use.

While there is no perfect solution to the potential problems that social media use creates for public companies, I have assembled the following list of guidelines and best practices for public companies in the social media area:


Continue Reading Careful with that tweet! Social media considerations for public companies

hacking a computerCybersecurity issues continue to be a hot topic for companies. As discussed in my prior blog posts, “Get ready for increased cybersecurity disclosure requirements” and “SEC pushes for disclosure of hacking incidents”, the SEC continues to focus on cybersecurity and data breach items and has now begun to encourage public companies to disclose them, even in the absence of applicable rules or regulations. The only official guidance from the SEC on cybersecurity disclosure continues to be the disclosure guidelines provided in October, 2011 in CF Disclosure Guidance:  Topic No. 2 – Cybersecurity (the “Release”). 

There has been some important movement on cybersecurity issues outside of the SEC. While this does not directly pertain to disclosure of these items, public companies should pay close attention to these developments since they may provide some valuable guidance in this area. These developments also confirm the importance of cybersecurity issues and support my position that the SEC will probably soon mandate additional disclosure requirements for cybersecurity items. 

On September 19, 2012 Senator John D. Rockefeller IV (D, West Va.) sent a letter to the CEOs of all Fortune 500 companies posing questions about these companies’ cybersecurity policies and related issues. His letter asked these companies to evaluate their roles and responsibilities in connection with cybersecurity legislation and reform and to work with the Federal government to successfully enact cybersecurity legislation. Responses to this letter are voluntary, but it is likely that most of these companies will respond in some fashion. The companies’ responses were requested by October 19, 2012. 

Senator Rockefeller has long been a very strong proponent of cybersecurity legislation, and he is clearly frustrated with the lack of progress in this area. He was instrumental in the introduction of both the Cybersecurity Act of 2010 and the Cybersecurity Act of 2012, both of which failed to gain Senate approval. The proposed Cybersecurity Act of 2012 was defeated by a filibuster in August 2012, and in his letter Senator Rockefeller attributes this filibuster to opposition from business and trade groups, particularly the United States Chamber of Commerce. He has supported President Obama’s proposed use of an executive order to enact cybersecurity protection outside of the legislative process, and he references this in his letter. Based on the language of his letter, however,
Continue Reading Cybersecurity issues continue to draw attention

cybersecurity intrusionA number of well-known companies, including Zappos.com, Google, Quest Diagnostics, Eastman Chemcial and AIG, have recently experienced actual or potential intrusions into their computer systems and related confidential data. Some of these incidents have been active criminal attacks by sophisticated hackers, while others have resulted from situations such as lost or stolen laptops. The frequency and severity of hacking incidents have been steadily increasing.  In fact, virtually all companies today are subject to the risks of such incidents due to the widespread use of Internet and information technology. The advent of a substantial mobile workplace with workers accessing data remotely through smartphones, tablets, laptops and other devices has also multiplied companies’ risks in this area.  

As the risks have increased, the SEC has been recently increasing the pressure on public companies to disclose “hacking” and other cyberintrustion incidents in their regulatory filings. There are still no SEC rules governing such disclosure, but I believe that this has clearly become a high priority disclosure item. I also foresaw these increased cybersecurity disclosure requirements in my prior blog post (“Get Ready for Increased Cybersecurity Disclosure Requirements”). Public companies that experience a hacking or other cyberintrustion incident should carefully review the recent actions taken by the SEC and other public companies that have experienced these incidents.

The SEC took a major step in encouraging disclosure of hacking and other cybersecurity items with its issuance of “2011 CF Disclosure Guidance:  Topic No. 2 (Cybersecurity)” (the “Release”) in October 2011. This Release only provided general guidance on disclosure of cyberincidents. The SEC has not yet developed any rules or regulations on cybersecurity or hacking incident disclosure, although we believe that such rules and regulations will be enacted at some point soon. In any case, based on recent events it appears that the Commission is strongly encouraging such disclosure despite the lack of existing rules and, in some cases, engaging in de facto rulemaking.

Companies tend to resist disclosure of hacking incidents for several
Continue Reading SEC pushes for disclosure of hacking incidents

Following up on my post on the subject, I had the opportunity to speak with Colin O’Keefe of LXBN regarding the Facebook/Instagram deal.  In the brief interview, I explain how things have changed since Facebook’s IPO and what, if anything, that meant for the deal’s fairness review with the California Department of Corporations.

Following up on my post on the subject, I had the opportunity to speak with Colin O’Keefe of LXBN regarding the Facebook/Instagram deal.  In the brief interview, I explain how things have changed since Facebook’s IPO and what, if anything, that meant for the deal’s fairness review with the California Department of Corporations.

California Department of Corporations, One Sansome Street, San Francisco

We previously blogged about the potential liability for Facebook, Inc. directors if the company paid too much for the social media start-up company Instagram. Recall that in April, Facebook agreed to acquire Instagram for, at the time, approximately $1 billion with the consideration payable 30% in cash and 70% in Facebook common stock (now, due to the decrease in Facebook’s share price from the stipulated price of $30 per share, the deal is only worth about $650 million). A recent NY Times Deal Book article points out that if the deal fixed the total purchase price rather than the number of shares to be issued, Instagram would have gotten a much better deal due to the depressed Facebook share price. Given the declining share price of Facebook stock, is Facebook’s reduced consideration still fair to Instagram’s shareholders? This is exactly the question that will be determined by the California Department of Corporations which will be conducting a fairness review of the acquisition this Wednesday.

The purpose of this fairness hearing is to allow Facebook to take advantage of a lesser-known exemption from registration under the Securities Act of 1933 known as the “3(a)(10) exemption.” Because Facebook is issuing securities in connection with the Instagram acquisition, the 23 million shares to be issued are required to either be registered or they must be exempt from the registration requirements of the Securities Act. The 3(a)(10) exemption allows companies to issue securities in an exchange transaction without registration provided that either a court or designated state agency finds that the transaction is fair to the recipients of the new securities. This exemption was popular during the tech boom and has both advantages and disadvantages when compared with the most common exemption provided by Rule 506 of Regulation D promulgated under the Securities Act. 

Most smaller companies tend to offer and sell securities on an exempt basis because of the substantial costs of conducting a registered offering. There are a laundry list of exemptions but only a few are of much practical use. Most exempt offerings are structured to take advantage
Continue Reading Is Facebook’s acquisition of Instagram fair to Instagram shareholders?

More interesting times have arrived for holders of Facebook stock. The stock, which has been brutally beaten down from its IPO price, faces new challenges as the “lockup” restrictions (which have been in place since the IPO) began to expire on August 16. This means that a significant number of Facebook shareholders are now able to sell their shares in the open market, and significant numbers of Facebook shares will be freed from these restrictions over the next few months. The sale of a substantial number of Facebook shares could obviously drive the stock price down even more. The big questions now:  Who will or won’t sell their stock as these restrictions lapse?

This situation is also a great lesson for entrepreneurs who are contemplating the possibility of taking their companies public. Most observers thought that Facebook’s IPO was a certain success, but so far it’s been a very tough road. One big concern here is that the problems that Facebook has faced with its transition to public company status will divert management’s attention from the company’s business tactics and strategy at a very critical time. 

Facebook went public at a price of $38 per share. Many observers felt that this price was too high, and the market apparently agreed. The stock has not been back to its IPO price since the first day of trading, and its closing price on August 17 was $19.05 per share (a 49.9% decline from the IPO price). The stock price went below $19.00, but has since rebounded to close at $19.44 today. In any case the company has lost almost half of its market value since the IPO. Even at this reduced price the stock is still trading at about 30 times projected next years’ earnings. It’s interesting to note that Google and Apple currently trade at 12 to 13 multiples, so Facebook’s stock is still very highly valued even after its decline.

Lockup restrictions on stock sales by insiders and other parties are normally demanded by underwriters as part of the IPO process. These restrictions help to reduce volatility in the market price of a newly public company’s stock, and they help to ensure that existing shareholders
Continue Reading Significant stock price questions loom as Facebook lockup restrictions begin to lapse

New mandated cybersecurity disclosure requirements appear to be imminent. Cybersecurity has become a critical issue for most companies, and almost all companies today face cybersecurity risks due to the substantial increases in the volume of data and information stored online, the rise of multiple platforms for accessing data and the sophistication of criminal hackers. Cyber incidents such as a data breach or an intrusion into a company’s systems can have very negative and expensive results. These risks are considerably higher for any company that stores personal information or that operates in a regulated industry such as financial services or health care. Despite this significant increase in cybersecurity risks and the liabilities associated with such cyber incidents, however, public companies to date have had very little guidance regarding their disclosure obligations in this area.

The primary guidance that the SEC has issued on cybersecurity disclosure to date has been the 2011 CF Disclosure Guidance:  Topic No. 2 (Cybersecurity) (the “Release”) issued by the SEC’s Division of Corporation Finance on October 13, 2011. This Release was helpful in that it gave some indication of the Division of Corporation Finance’s positions on cybersecurity issues and cyber incidents. The Release provided overall guidance, however, and did not provide detailed information or instructions on cyber disclosure. Additionally, the Release did not contain official SEC rules or regulations. Accordingly, companies could use the Release for broad principles but were still left to develop disclosure information about cybersecurity and other similar matters based on their own evaluations of what should be disclosed.

Under the Release, some of the items that public companies are advised to address include:

  1. review the adequacy of their disclosure regarding cybersecurity and cyber incidents on a regular basis;
  2. disclose the risks of cyber incidents in “Risk Factors” if these items are significant risk factors that would make an investment in the company speculative or risky;
  3. disclose known or threatened cyber incidents;
  4. address cybersecurity risks and cyber incidents in the Company’s Management’s Discussion and Analysis if the costs or other consequences associated with such incidents are reasonably likely to have a material effect on the Company’s results of operations, liquidity or financial condition or would cause reported financial information to not be indicative of future operating results or financial condition;
  5. disclose a cyber incident in “Description of Business” if the cyber incident materially affected the company’s products, services, relationships with customers or suppliers or competitive conditions;
    Continue Reading Get ready for increased cybersecurity disclosure requirements