The most widely read magazine for Canadian lawyers
Issue link: https://digital.canadianlawyermag.com/i/354248
14 A u g u s t 2 0 1 4 w w w . C A N A D I A N L a w y e r m a g . c o m H arry Truman famously had a sign on his desk in the Oval Office that said: "The buck stops here!" Certainly this is not what Harry meant, but a buck is not worth now what it was during his presidency. Truman probably would not recognize how political responsibil- ity has evolved either. What has not changed, though, is the visceral appeal of that slogan, and how it speaks to a leader's assumption of responsibil- ity. Its simplicity, however, masks an important consideration: just because it is courageous, comforting, and evidence of strong leadership for an institution's ultimate directing mind(s) to assume responsibility, it does not always mean in all cases responsibility should rest there. (My children often point out to me when I identify issues like this I express them in a manner as confusing as the message in a fortune cookie, which I could accept until the characterization was recently refined to say this would only be the case if the fortune cookies were baked large enough to house the pompous verbosity of an old lawyer. Ouch.) What triggered this reflection on responsibility was the recent shareholder meeting of Target Corp. The story started at the end of last year, when hackers stole information associated with approxi- mately 40 million credit and debit card accounts of Target's customers during the holiday season. The theft had very sig- nificant consequences for Target and its shareholders, including the expenditure of many millions of dollars in investi- gations, training and security enhance- ments, the resignations of the company's chief executive and chief information officers, the initiation of multiple claims against the company, and a meaningful decline in the market price of the com- pany's shares. In the lead up to Target's 2014 annual meeting of shareholders, Institutional Shareholder Services Inc., a powerful proxy advisory firm, recommended Target's shareholders vote against the election of seven of its 10 director nomi- nees for "failing to provide sufficient risk oversight" in connection with the com- pany's cybersecurity breach. ISS asserted the seven directors, who were members of the Target board's audit and/or cor- porate responsibility committees, failed to properly monitor the risk of theft of customer information. I have written previously in this space about the role of proxy advisory firms, and so will not repeat myself. I will note, however, since that time the Canadian Securities Administrators have advised they will develop a poli- cy-based approach to the regulation of proxy advisory firms, in order to pro- mote transparency and understanding in proxy advisory services. What is notable in the case of Target is the assumption made in ISS' recommen- dation about the role and responsibilities of the board. In making its recommenda- tion, ISS highlighted the role of the audit and corporate responsibility committees in providing risk oversight and, in the context of Target's business, found these committees should have been more cog- nizant of the company's exposure to cyber attacks and better prepared. This raises the question of the scope of board responsibilities. If the board's oversight role is focused on risk identification and assessment, and ensuring the com- pany implements appropriate systems and personnel to detect and monitor risks, is it clear there were oversight fail- ures simply because there was a breach? Target noted in its proxy statement "the primary responsibility for the identifica- tion, assessment and management of the various risks that we face belongs with management," and Target's senior executives tendered their resignations. ISS also criticized Target for not having an independent chairperson of its board of directors and suggested this may have played a role in the board's failure to provide effective risk oversight. At a higher level, the real question is whether companies would be better off replacing boards entirely, or at least in part, in cases such as this. At the recent Target shareholder meeting, all of the board members (including the seven ISS had recommended against) were voted back into office by signifi- cant margins. This perhaps suggests the shareholders have spoken, at least in this circumstance, as to their view of the proper sphere and consequences of board responsibility. Ultimately, as with many legal issues, each circumstance is very fact-specific, and the answer that best serves the inter- ests of the company will depend on the forces at play. Target's sharehold- ers demonstrated their recognition that imposing ultimate responsibility on the board for every adverse occurrence may be unwarranted or worse. Those seek- ing clear direction on how this principle applies in all cases will be disappointed, sort of like receiving the apocryphal for- tune cookie message: "Your fortune is in another cookie." Neill May is a partner at Goodmans LLP in Toronto focusing on securities law, with an emphasis on M&A and corporate finance. E-mail him at nmay@ goodmans.ca. The opinions expressed in this article are those of the author alone. Banking on CorporatE by neill May You may be hungry again for responsibility in an hour O P I N I O N