Corp Fin has posted two new CF Disclosure Guidance Topics. Topic No. 7,  Confidential Treatment Applications Submitted Pursuant to Rules 406 and 24b-2, supersedes SLBs 1 and 1A and relates to the process for submission of requests for confidential treatment, not under the new streamlined approach adopted earlier this year (although the Topic does take up the new process for extensions), but rather under the old alternative approach that still lives but is now rarely used. Topic No. 8, which relates to Intellectual Property and Technology Risks Associated with International Business Operations, provides helpful guidance regarding disclosures that Corp Fin believes companies should consider with respect to intellectual property and technology risks that could arise in connection with international operations, especially in locations where protection of intellectual property may be a bit dicey.  The new topics make clear that they are just that—staff guidance—and have no legal force or effect nor do they alter or amend applicable law or create new or additional obligations. Nevertheless, the new guidance, especially Topic No. 8 regarding IP risk disclosure, provides useful checklists of issues to consider and is definitely worth a look.

Happy holidays everyone!

 

Confidential Treatment

You might recall that, under the SEC’s streamlined approach to confidential treatment under the 2019 amendments to Item 601(b) of Reg S-K, which became effective in April, companies are now able to redact information from material contracts without the need to submit in advance formal confidential treatment requests, so long as the redacted information (i) is not material and (ii) would be competitively harmful if publicly disclosed. Upon request by the staff, companies are required to provide, on a supplemental basis, an unredacted paper copy and supporting analyses regarding materiality and competitive harm. (See this PubCo post.) Because it is streamlined and much more convenient, this process is preferred by most.  But the new guidance topic isn’t about the new process—it’s about old process, which continues in place as an alternative. In addition, some filings, such as Schedules 13D or filings with exhibit requirements in Item 1016 of Reg M-A, are not eligible for the new approach and are still required to submit CTRs as the only method  available to secure confidential treatment. The guidance does address, however, the new process for extensions.

The guidance runs through the steps for submitting a CTR, making clear that, in assessing the request, the staff also considers the materiality of the omitted information and whether there are excessive omissions.

With regard to identification of the FOIA exemption on which the company is relying—typically the exemption for “commercial or financial information obtained from a person and privileged or confidential”—the guidance refers to the 2019 SCOTUS decision in Food Marketing Institute v. Argus Leader Media, which broadened the definition of “confidentiality” under FOIA Exemption 4, tossing out the “substantial com­petitive harm” test. As a result, it should be substantially easier for parties to claim “confidentiality” under FOIA when filing a CTR.  Interestingly, the new rules for confidentiality that streamlined the process and no longer require submission of a CTR do not directly advert to FOIA Exemption 4. Instead of referring to Exemption 4, ironically, the new rules expressly recite certain requirements for claims of confidentiality drawn from Exemption 4, including the competitive harm standard that was eliminated by SCOTUS in the decision.  (See this PubCo post.) Accordingly, although the case is clearly applicable to the old CTR approach, whether the decision will have any significant impact on the SEC’s new streamlined process for seeking confidentiality will  really depend on whether the SEC elects to take up the issue at some point. (See this PubCo post.)

The guidance also discusses the process for obtaining extensions after the time has expired. The guidance notes that filing the redacted exhibit on EDGAR following the streamlined new procedures will not work to provide confidential treatment for the previously filed information. Instead, companies can use the short-form application for extensions, which provides a streamlined process to file an application to extend the time. The short-form process is an alternative to the traditional method to request an extension of confidential treatment for previously granted requests, but it is not the exclusive method. The guidance states that the short-form application may be used only if the confidential material is the subject of an unexpired order granting confidential treatment. (See this PubCo post.) The guidance notes that, in light of “the Food Marketing Institute decision, applicants for confidential treatment extensions no longer need to satisfy the competitive harm standard that may have been applied to their original applications.”

Disclosure of Intellectual Property and Technology Risks

Topic No. 8 concerns disclosures that companies should consider with respect to intellectual property and technology risks potentially arising out of international operations, especially in jurisdictions where protection of corporate proprietary information and intangible assets, such as intellectual property, trademarks, trade secrets, know-how and customer information and records, may be a bit dicey.  These risks may be present in many circumstances, but are more acute for companies that “conduct business in certain foreign jurisdictions, house technology, data and intellectual property abroad, or license technology to joint ventures with foreign partners.”

The guidance highlights that the principles-based disclosure system under the federal securities laws requires timely and complete disclosure of material information, particularly material risks, whether or not there is a specific line-item requirement to disclose information. In addition, disclosure items such as MD&A, business, legal proceedings, disclosure controls and procedures, and/or financial statements may require disclosure regarding the actual theft or compromise of technology, data or intellectual property if material. 

Potential Theft of Technology and Intellectual Property. A key risk identified in the guidance is the potential theft or compromise of technology, IP and data, including by state-affiliated actors, “through direct intrusion includ[ing] cyber intrusions into a company’s computer systems and physical theft through corporate espionage, including with the assistance of insiders,” as well as indirectly through reverse engineering by joint venture partners or others and infringement of patents or theft of know-how or trade secrets. In addition, the guidance observes that companies “may be required to compromise protections or yield rights to technology, data or intellectual property in order to conduct business in or access markets in a foreign jurisdiction, either through formal written agreements or due to legal or administrative requirements in the host nation,” which could impede the company’s current and future competitive position. The guidance provides the following examples:

  • “patent license agreements pursuant to which a foreign licensee retains rights to improvements on the relevant technology, including the ability to sever such improvements and receive a separate patent, and the right to continued use of technology or intellectual property after the patent or license term of use expires;
  • foreign ownership restrictions, such as joint venture requirements and foreign investment restrictions that potentially compromise control over a company’s technology and proprietary information;
  • the use of unusual or idiosyncratic terms favoring foreign persons, including those associated with a foreign government, in technology license agreements, such as access and license provisions, as direct or indirect conditions to conducting business in the foreign jurisdiction; and
  • regulatory requirements that restrict the ability of companies to conduct business, unless they agree to store data locally, use local services or technology in connection with their international operations, or comply with local licensing or administrative approvals that involve the sharing of intellectual property.”

 Assessing and Disclosing Risks.  The guidance encourages each company to assess these risks and consider their potential impact on its business, financial condition and results of operations, and reputation, stock price and long-term value. If the risks are material to investment and voting decisions, the guidance advises companies to “provide disclosure that allows investors to evaluate these risks through the eyes of management. Importantly, disclosure about these risks should be specifically tailored to a company’s unique facts and circumstances. In this same vein, where a company’s technology, data or intellectual property is being or previously was materially compromised, stolen or otherwise illicitly accessed, hypothetical disclosure of potential risks is not sufficient to satisfy a company’s reporting obligations.” [Emphasis added.]

SideBar

With regard to “hypothetical” risk disclosure, see the recent complaint filed by the SEC against pharma Mylan N.V.  Among other things, the SEC alleged that Mylan’s risk factor disclosure was misleading: it had framed a claim by the government that Mylan had misclassified its biggest product, the EpiPen, as a “generic,” overcharging Medicaid by hundreds of millions of dollars, as a hypothetical possibility, when, in fact, the claim had already been made.  More specifically, Mylan did not disclose the claim or the investigation in its risk factors, instead stating only that the government “may take a position contrary to a position we have taken,” and that the government may find its submissions to be incorrect.  However, the government had already taken a contrary position and asserted that the submissions were wrong. Framed as hypotheticals, the SEC charged, these risk factors were misleading. As a consequence of these and other failures, the SEC alleged, Mylan’s SEC filings were false and misleading in violation of the Securities Act and Exchange Act.  Mylan agreed to pay $30 million to settle the SEC’s charges. (See this PubCo post.)

The guidance offers the following questions for companies to consider when assessing their disclosure obligations:

  • “Is there a heightened risk to your technology or intellectual property because you have or expect to maintain significant assets or earn a material amount of revenue abroad?
  • Do you operate in an industry or foreign jurisdiction that has caused, or may cause, you to be particularly susceptible to the theft of technology or intellectual property or the forced transfer of technology? Do you believe that your products have been, or may be, subject to counterfeit and sale, including through e-commerce?
  • Have you directly or indirectly transferred or licensed technology or intellectual property to a foreign entity or government, such as through the creation of a joint venture with a foreign entity? Do you store technology or intellectual property locally in a foreign jurisdiction? Are you required to use equipment and services provided by a state actor, including equipment or services that could result in a reduction in protections?
  • Have you entered into a patent or technology license agreement with a foreign entity or government that provides such entity with rights to improvements on the underlying technology and/or rights to continued use of the technology following the licensing term, including in connection with a joint venture?
  • Are you subject to a requirement that foreign parties must be controlling shareholders or hold a majority of shares in a joint venture in which you are involved, or are you involved in a joint venture that is subject to foreign ownership restrictions or requirements that a foreign party retain certain ownership rights?
  • Have you provided access to your technology or intellectual property to a state actor or regulator in connection with foreign regulatory or licensing procedures, including but not limited to local licensing and administrative procedures?
  • Have you been required to yield rights to technology or intellectual property as a condition to conducting business in or accessing markets located in a foreign jurisdiction?Are you operating in foreign jurisdictions where the ability to enforce rights over intellectual property is limited as a statutory or practical matter?
  • Do you conduct business in a foreign jurisdiction or through a joint venture that may be subject to state secrecy or other laws, such as those limiting or prohibiting the export of data or financial documentation? Are you able to readily produce data or other information that is housed internationally in response to regulatory requirements or inquiries?
  • Have conditions in a foreign jurisdiction caused you to relocate or consider relocating your operations to a different host nation? Have you considered related material costs, such as costs to train new employees, establish new facilities and supply chains, and the impact of any related gaps or lags in production, manufacture and/or export of your products?
  • Do you have controls and procedures in place to adequately protect technology and intellectual property from potential compromise or theft? Do these policies and procedures enable you to identify risks and incidents, analyze the impact on your business, respond expediently, appropriately and effectively when incidents occur and repair any damage caused by such incidents? Are your controls and procedures designed to detect:
    • malfeasance by employees, contractors or other insiders who may have access to your technology and intellectual property;
    • industrial, corporate or other espionage events;
    • unauthorized intrusions into commercial computer networks; and
    • other forms of theft and cyber-theft of your technology and intellectual property?
  • What level of risk oversight and management does the board of directors and executive officers have with regard to the company’s data, technology and intellectual property and how these assets may be impacted by operations in foreign jurisdictions where they may be subject to additional risks? What knowledge do these individuals have about these risks and what role do they have in responding if and when an issue arises?”