Stop me if you have seen this before. You visit the website of a U.S. privately held manufacturer, and you click on the “About Us” page (if one exists) to find only generic information that could describe any manufacturing business in the United States. There often is no listing of who runs the business – let alone who owns it – and sometimes, there is no information as to how big the facility is or how many employees work there. Often, there is no information as to when the business was founded or its history. 

Contrast that with many international privately held businesses – including in Europe. The websites often have a listing of the executive team, ownership information, employee headcount, and most importantly the top line revenue of the business (and perhaps even its profitability). 

Why the difference? Why are international businesses more transparent? 

The answer to these questions is not readily obvious, but at least in part, the “secrecy” that U.S. businesses have as to ownership and/or revenue information is baked into U.S. corporate law. Up until the passage of the Corporate Transparency Act, lawyers would always talk about the fact that forming in Delaware (as an example) was straightforward and that much of the company’s underlying information would not need to be disclosed. Often, our international clients are surprised by this, as the disclosure rules outside the United States can be extreme, including the disclosure of passports as an example.

I have represented a lot of privately held manufacturers and I understand why certain companies do not want to disclose information. However, I would maintain that U.S. privately held businesses should consider more disclosure – not less – for a few reasons. First, in an era where manufacturers are desperate to find employees, transparency can only help. Knowing who owns the company, who runs it, how big it is, how many employees work there, and the history (i.e., stability) of the organization can be an effective recruiting tool. Second, this information can also help potential customers as they conduct diligence on whether to do business with you. There are other reasons as well.

At the very least, U.S. privately held manufacturers should think about whether maintaining secrecy of all information is actually helping them in any way or just serving as a barrier for growth.

True to its word, the SEC released its proposed rule, The Enhancement and Standardization of Climate-Related Disclosures for Investors, last week. The rule would require companies to disclose a wide variety of climate-related information, including information about climate-related risks that are reasonably likely to have material impacts on its business and/or its consolidated financial statements, and greenhouse gas (GHG) emissions metrics that could help investors assess those risks.

Much has been made of the proposed requirements for GHG emissions reporting—not just for Scope 1 and 2 emissions (emissions from company operations and from the generation of electricity purchased and consumed by the company)—but also for Scope 3 emissions, or emissions from upstream and downstream activities in a company’s value chain. In this post, we will focus on the Scope 3 emissions requirements in the proposed rule.

First, not all companies would be required to report Scope 3 emissions. The proposed rules would require disclosure of Scope 3 emissions only if:

  • The emissions are material, or if there is a substantial likelihood that a reasonable investor would consider them important when making an investment or voting decision; or
  • The company has set a GHG emissions reduction target or goal that includes its Scope 3 emissions.

In limiting the reporting requirement, the SEC sought “[t]o balance the importance of Scope 3 emissions with the potential relative difficulty in data collection and measurement . . . .”

The SEC declined to propose a quantitative metric for the determination of materiality of Scope 3 emissions (although the proposed rule notes that some companies rely on such a metric, and it also seeks additional comment on whether such a metric should be included). Instead, it proposed to use its commonly known materiality standard, explaining that a “one-size-fits-all” approach would not capture the variability of regulatory, policy, and market conditions across companies, nor would it adequately capture the transition risk that is tied to GHG emissions and the choices that a company can make about its value chain because of them.

For companies that have set a GHG emissions reduction target or goal, the proposed rule states that disclosure is needed to help investors understand the potential costs associated with meeting such a goal and track the company’s progress along the way.

So what are Scope 3 emissions? As explained above, Scope 3 emissions are those from upstream and downstream activities in a company’s value chain. Some examples of these upstream and downstream activities include:

  • Purchased goods and services;
  • Transportation and distribution of purchased goods, raw materials, and other inputs;
  • Waste generated in operations;
  • Business travel and commuting by employees;
  • Transportation and distribution of sold products, goods, or other outputs; and
  • End-of-life treatment of a company’s sold products.

Scope 3 emissions data is difficult to gather and quantify, but the SEC is hoping that companies required to report will be able to influence the activities in their value chain and gather emissions data in the process:

“Although a registrant may not own or control the operational activities in its value chain that produce Scope 3 emissions, it nevertheless may influence those activities, for example, by working with its suppliers and downstream distributors to take steps to reduce those entities’ Scopes 1 and 2 emissions (and thus help reduce the registrant’s Scope 3 emissions) and any attendant risks. As such, a registrant may be able to mitigate the challenges of collecting the data required for Scope 3 disclosure.”

The proposed rule suggests that Scope 3 emissions data can be found in the following sources:

  • Emissions reported by parties in the registrant’s value chain, and whether such reports were verified by the registrant or a third party, or unverified;
  • Data concerning specific activities, as reported by parties in the registrant’s value chain; and
  • Data derived from economic studies, published databases, government statistics, industry associations, or other third-party sources outside of a registrant’s value chain, including industry averages of emissions, activities, or economic data.

Companies required to report Scope 3 emissions must do so individually (i.e., listing the emissions from each GHG), and also in the aggregate (carbon dioxide equivalent). They must also report GHG intensity, or the ratio of the impact of GHG emissions per unit of total revenue and per unit of production. The risks associated with climate change must also show up in a company’s financial statement metrics, with certain metrics (for Scope 3 emissions, think transition risk) required to be included in a note to a registrant’s audited financial statements. Lastly, if a company is required to report historic data on its income statement and cash flow statement, it should be prepared to do the same for emissions data (to the extent such emissions data is reasonably available).

The proposed rule would phase in the reporting of Scope 3 emissions, with the first reporting required for large accelerated filers in fiscal year 2024 (filed in 2025). Smaller reporting companies would be exempt from the Scope 3 emissions reporting requirements.

The SEC is seeking comment on the proposed rule. The comment period will remain open until at least May 20, 2022.

While we await the SEC’s proposed rules regarding mandatory climate change disclosures (signaled to be coming as soon as next Monday, March 21), the SEC has been digging into company filings to scrutinize how, if at all, its registrants are addressing climate change. As we previously reported, the SEC took a number of actions last year to suggest that there would be increased attention, and perhaps enforcement, related to the depth of a company’s climate change disclosures. True to its word, the past year has seen an increase in SEC comment letters focused on climate change and the scope of disclosures being made under existing regulations, as well as the SEC’s 12-year-old guidance on disclosures related to climate change.

In September of last year, the SEC released a sample comment letter to demonstrate the types of inquiries the SEC might make if it was not satisfied with a company’s climate change disclosures. The SEC has followed up by issuing comment letters to companies in line with the sample that was released. A selection of the types of inquiries seen in the comment letters is as follows:

  • We note that you provide more expansive disclosure in your corporate social responsibility (CSR) report than you provided in your SEC filings. Please advise us what consideration you gave to providing the same type of climate-related disclosure in your SEC filings as you provided in your CSR report.
  • In your CSR report, you state that you are committed to lowering the total amount of energy that you consume in your operations and reducing your greenhouse gas emissions. Please revise your disclosure to identify any material past and/or future capital expenditures for climate-related projects related to these initiatives. If material, please quantify these expenditures.
  • Disclose the material effects of transition risks related to climate change that may affect your business, financial condition, and results of operations, such as policy and regulatory changes that could impose operational and compliance burdens, market trends that may alter business opportunities, credit risks, or technological changes.
  • We note the disclosure in your annual report and proxy statement about enhancements you made during 2020 and 2021 to your environmental initiatives. Please quantify any material capital expenditures or compliance costs related to these initiatives.
  • To the extent material, discuss the indirect consequences of climate-related regulation or business trends, such as the following:
    • decreased demand for goods and services that produce significant greenhouse gas emissions or are related to carbon-based energy sources;
    • increased demand for goods and services that result in lower emissions than competing products;
    • increased competition to develop innovative new products and services that result in lower emissions; and
    • any anticipated reputational risks resulting from operations or products that produce material greenhouse gas emissions
  • If material, discuss the significant physical effects of climate change on your operations and results. This disclosure may include quantification of material weather-related damages to your property or operations and any weather-related impacts on the cost or availability of insurance.

The increase in comment letters is one of the many ways we expect to see the SEC continue its focus on climate change, and may just be the tip of the iceberg with the potential for mandatory climate change disclosure rules on the horizon.

This post was authored by Linn Foster Freedman and is also being shared on our Data Privacy + Cybersecurity Insider blog. If you’re interested in getting updates on developments affecting data privacy and security, we invite you to subscribe to the blog.

Since the Colonial Pipeline and JBS meat manufacturing security incidents, attention is finally being paid to the cybersecurity vulnerabilities of critical infrastructure in the U.S. and, in particular, the potential effect on day-to-day life and national security if large and significant manufacturers’ production is disrupted. In the wake of these recent incidents in the manufacturing sector, Unit 42 of Palo Alto Networks has published research that may be considered a warning to the manufacturing sector and is worth notice. The warning is about the activities of Prometheus, “a new player in the ransomware world that uses similar malware and tactics to ransomware veteran Thanos.”

According to the Executive Summary, Unit 42 “has spent the past four months following the activities of Prometheus” which “leverages double-extortion tactics and hosts a leak site, where it names new victims and posts stolen data available for purchase.” Prometheus claims to be part of REvil, but Unit 42 says it has “seen no indication that these two ransomware groups are related in any way.” Unit 42 further states that Prometheus claims to have victimized 30 organizations in different industries, in more than a dozen countries, including the U.S.

Prometheus came on the scene in February 2021 as a new variant of the strain Thanos. Unit 42 is unable to provide information on how the Prometheus ransomware is being delivered, but surmises that it is through typical means, such as “buying access to certain networks, brute-forcing credentials or spear phishing for initial access.” The ransomware first kills backups and security processes and then enables the encryption process. It then “drops two ransom notes” that contain the same information: that the network has been hacked and important files encrypted, along with instructions on how to recover them. If the ransom demand is not met, the data will be published on a shaming site, and the group publishes the “leak status” of each victim. According to Unit 42, “[M]anufacturing was the most impacted industry among the victim organizations we observed, closely followed by the transportation and logistics industry.”

What we have seen in the past is that when ransomware groups are successful in one industry, they use the information learned from initial attacks to target other companies in that sector. They leverage the knowledge from one attack in future attacks, assuming that since the first one was successful, subsequent attacks will be successful as well. Since industry-specific networks are similar, it is seamless to attack one victim, learn from it, then leverage that knowledge to attack similarly situated victims.

With threat attackers’ focus on the manufacturing sector right now, we anticipate seeing more attacks against manufacturers from groups such as Prometheus.

This post was authored by Linn Foster Freedman and is also being shared on our Data Privacy + Cybersecurity Insider blog. If you’re interested in getting updates on developments affecting data privacy and security, we invite you to subscribe to the blog.

Manufacturers of products often are not prepared for, or aware of, the fact that cybersecurity incidents can disrupt production and distribution of product. A recent filing by Molson-Coors Beverage Company illustrates that manufacturers face cybersecurity risks similar to those of other industries.

On March 11, 2020, Molson-Coors filed a Form 8-K with the Securities and Exchange Commission stating that:

Molson Coors Beverage Company (the “Company”) announced that it experienced a systems outage that was caused by a cybersecurity incident. The Company has engaged leading forensic information technology firms and legal counsel to assist the Company’s investigation into the incident and the Company is working around the clock to get its systems back up as quickly as possible.

Although the Company is actively managing this cybersecurity incident, it has caused and may continue to cause a delay or disruption to parts of the Company’s business, including its brewery operations, production, and shipments. In addition to the other information set forth in this report, one should carefully consider the discussion on the risks and uncertainties that cybersecurity incidents and operational disruptions to key facilities may have on the Company, its business and financial results contained in Part I, “Item 1A. Risk Factors” in its 2020 Annual Report on Form 10-K, filed with the SEC on February 11, 2021.

Manufacturing businesses may wish to consider prioritizing cybersecurity readiness in their processes, including backup plans, contingent operations plans, and disaster recovery plans.

This week, we are pleased to have a guest post from John L. Cordani, Jr.  John is a member of Robinson+Cole’s Manufacturing Industry Team and regularly counsels clients on intellectual property issues involving patent procurement, licensing, and litigation.

For the past several years, the patent offices in the United States and Mexico have operated under a type of patent examination fast-tracking and work-sharing agreement known as a Patent Prosecution Highway (PPH). This agreement between the United States Patent and Trademark Office (USPTO) and the Mexican Institute of Industrial Property (IMPI) was set to expire in June of this year, and the status of the program going forward was uncertain.

But on January 28, the Offices announced a new agreement that promises to improve upon the PPH system by creating an even “more streamlined approach” to obtaining a Mexican patent once a corresponding U.S. patent is granted than that presently offered under the PPH. Read the full article on IPWatchdog.com

This week we are pleased to have a guest post from Edward Heath and Kevin Daly.  Attorneys Heath and Daly are members of Robinson & Cole’s Manufacturing Industry Group and regularly counsel clients on anti-corruption compliance.

A Brief Overview of the FCPA

The Foreign Corrupt Practices Act (FCPA) is a federal statute that prohibits United States companies and individuals from bribing foreign government officials in order to gain or retain business.  It is a major civil and criminal enforcement priority for the federal government.  Each year, the aggregate amount of penalties paid under the FCPA totals hundreds of millions of dollars.

Although it is well known that the FCPA applies to U.S. companies and U.S. individuals (e.g., U.S. citizens and residents) there is a common misconception that its reach ends at our borders.  However, there are some circumstances where the FCPA can reach individuals outside of the U.S.  Foreign persons who act as the agents, employees, officers, directors or shareholders of U.S. companies can be held liable under the FCPA.  Foreign persons who commit an FCPA violation while in the U.S. are also covered.

Recent Court Decision Addresses Geographic Reach 

The United States Court of Appeals for the Second Circuit recently issued a decision affirming this point.  United States v. Hoskins arose out of an alleged bribery scheme involving Alstom, S.A. (“Alstom”), a global company based in France that operates in the power and transportation industries.  Specifically, the government claims that Alstom and several of its subsidiaries (including UK-based and U.S.-based subsidiaries) bribed Indonesian government officials in order to obtain a $118 million power contract from the Indonesian government.  The government contends that Mr. Hoskins, while working in France for Alstom’s U.K. subsidiary, was one of the people responsible for approving and authorizing the alleged bribes.  Although parts of the alleged scheme occurred within the U.S. (e.g., payments were made from U.S. bank accounts), and some co-conspirators were based in the U.S., Mr. Hoskins never traveled to the U.S., never was employed by Alstom’s U.S. subsidiary, and is not a U.S. citizen or resident.

The government charged Mr. Hoskins with violating the FCPA, alleging that he conspired and aided and abetted in FCPA violations committed by others.  The Second Circuit, however, rejected the government’s theories.  The court held that Congress set the limits on the geographic reach of the FCPA in the statute, and that the scope cannot be expanded  through accomplice or conspiracy liability theories to reach persons, like Mr. Hoskins, who are beyond the geographic reach of the statute.

Nonetheless, the court held that he can be tried on the theory that he acted as an agent for Alstom’s U.S. subsidiary.  Agents of U.S. companies are explicitly covered by the FCPA, regardless of whether they are U.S. citizens or residents.  To convict on such a theory, the government would be required to prove that Hoskins was an agent of Alstom’s U.S. subsidiary.

While Hoskins is only binding within the Second Circuit (Connecticut, New York, and Vermont), and the government is evaluating further appellate options, it poses an obstacle to government efforts to expand FCPA liability beyond the specific categories of foreign persons enumerated in the statute.

 

Inogen, which manufactures portable oxygen devices, has alerted the Securities and Exchange Commission in a recent filing that it is notifying 30,000 individuals that their personal information was compromised when a hacker gained access to one of its employees’ email accounts through a phishing scheme.

The 2016 Manufacturing Report by Sikich finds that there has been a progressive growth in cyber-attacks in the manufacturing sector. This is consistent with the most recent IBM X-Force Research 2016 Cyber Security Intelligence Index, which notes that the manufacturing industry represents the second most attacked industry, just behind health care.

Manufacturing companies often don’t believe that they are targets since they do not hold vast amounts of consumer data. Therefore, they do not concentrate on cybersecurity and remain vulnerable. These two reports show that the risk of a cyber-attack is high and real to the manufacturing sector.

According to the Sikich report, the risks to the manufacturing sector include:

  • Operational downtime
  • Physical damage
  • Product manipulation
  • Theft of intellectual property and sensitive data

These reports are a dose of reality to the manufacturing sector that it is under attack, and the threats and risks of cyber intrusions are real and are not dissipating. Addressing these risks and the potentially devastating consequences is critical for any company in the manufacturing sector.

This post was authored by Linn Foster Freedman and is also being shared on our Data Privacy + Security Insider blog. If you’re interested in getting updates on developments affecting data privacy and security, we invite you to subscribe to the blog.

Last month, we posted about the United States Senate’s passage of the Defend Trade Secrets Act of 2016.  Breaking news:  It passed.  Thanks to members of our Labor & Employment (Ian Clarke-Fisher) and Intellectual Property Litigation groups (Jim Nault) for this guest post.

On May 11, 2016, President Barack Obama signed the Defend Trade Secrets Act of 2016 (the “DTSA”), providing a federal civil cause of action for the misappropriation of trade secrets under the Economic Espionage Act.  Both the Senate and House of Representatives passed the DTSA with near unanimous support in April.  A link to the DTSA can be found here.

Moving forward, the DTSA appears to provide manufacturers with a new avenue to address a wide range of trade secret issues.  In addition, in light of the notice requirement contained in the DTSA, employers should review their confidentiality agreements, provisions, and policies to determine how best to navigate the new law.

For companies with trade secrets “related to a product or service used in, or intended for use in, interstate or foreign commerce,” the DTSA provides the following important provisions, among others:

  • Federal Civil Action.  The DTSA creates a federal civil cause of action, giving original jurisdiction to United States District Courts.  This will allow companies to decide whether to bring claims in federal or state courts, and may have the net effect of moving most trade secret litigation to federal courts.  Such a move will invariably include federal supplemental jurisdiction for claims for breach of contract, related common law claims, and state statutory claims.  Importantly, similar to federal employment laws, the DTSA does not supersede state trade secret laws.

  • Seizure of Property.  The DTSA includes a provision that permits the Court to issue an order, upon ex parte application in “extraordinary circumstances,” seizing property to protect against improper dissemination of trade secrets.  Interestingly, the DTSA permits such an order only if the moving party has not publicized the requested seizure.  If granted, the Court is required to schedule a seizure hearing and the moving party will be required to provide security in an amount to be determined by the Court for the payment of any possible damages suffered as the result of a wrongful or excessive seizure.

  • Damages and Attorney’s Fees.  In addition to the seizure of property and injunctive relief, the DTSA permits the recovery of damages for actual losses and unjust enrichment, and allows for exemplary (double) damages for trade secrets that are “willfully or maliciously misappropriated.”  The DTSA also provides for the recovery of reasonable attorney’s fees in limited instances, including if the Court determines that the claims of misappropriation were brought in bad faith.

  • Whistleblower Protections and Notice Requirement.  The DTSA further includes civil and criminal immunity under federal and state trade secret laws for any disclosures made to a governmental agency for the purpose of reporting or investigating a legal violation or filed in a lawsuit, if such filing is made under seal.  Furthermore, and having likely broader application, the DTSA requires that an employer provide notice of these protections in any employment agreement governing confidential information or provide a cross-referenced policy document setting forth the employer’s reporting policy.  Failure to comply with the notice requirement prohibits the recovery of exemplary damages and attorney’s fees under the DTSA.