Liability When Stockholder’s Merger Consideration is Paid to Hackers

In Sorenson Impact Foundation v. Continental Stock Transfer & Trust Company (Apr. 1, 2022), computer hackers intercepted the email communications of a law firm (the “Law Firm”) involved with the $130 million merger pursuant to which Tassel Parent, Inc. (the “Buyer,” a subsidiary of private equity firm KKR) was acquiring Graduation Alliance, Inc. (the “Target”). The hackers posed online as two of the Target’s actual stockholders and succeeded in having the merger consideration paid to them instead of the stockholders. The hackers were never apprehended or identified. The actual stockholders—Sorenson Impact Foundation and James Lee Sorenson Family Foundation—brought suit in the Delaware Court of Chancery against Continental Stock Transfer & Trust Company (the “Paying Agent”), the Buyer, and the Target (which was the surviving corporation and which we refer to herein, in combination with the Buyer, as the “Company”). Vice Chancellor Glasscock (i) dismissed the claims against the Paying Agent on the basis of lack of personal jurisdiction; (ii) let stand the claims against the Company; and (iii) left open the issue whether the Law Firm (which had communicated directly with the hackers) was a necessary party to the action and must be joined as a defendant.

Background. The Sorenson entities properly submitted their letters of transmittal and stock certificates to the Paying Agent, requesting payment in their name to an account at Zions Bank in Utah. Computer hackers then intercepted the Sorenson entities’ email communications with the Law Firm. (Which entity was represented by the Law Firm was in dispute.) Assuming the identity of the Sorenson entities, the hackers then communicated via email with the unsuspecting Law Firm and requested that payment of the merger consideration be changed to an international account at a Hong Kong bank. A week later, they requested that the payment be made in the name of HongKong Wemakos Furniture Trading Co. The Law Firm communicated these instructions to the Paying Agent.

The Paying Agent Agreement, between the Buyer and the Paying Agent (the “PAA”), stated that the Buyer would provide the Paying Agent with a schedule listing the stockholders to be paid the merger consideration. The PAA also provided that the Paying Agent would examine submitted letters of transmittal to ascertain that they were properly completed; would consult with the Buyer with respect to any actions needed to correct any “irregularities” in the letters of transmittal; and could waive any such irregularities if approved in writing by designated officers of the Buyer. The form of letter of transmittal stated that a shareholder requesting payment in a name other than that on the stock certificate would have to provide a “medallion guarantee” of its signature by a qualified provider.

The Paying Agent informed the Law Firm that the purportedly updated letter of transmittal from the Sorenson entities required a medallion guarantee and none was provided. The Paying Agent allegedly discussed the issue with certain (unspecified) “defendants” and offered three options that it would find acceptable such that it would proceed with payment. The Buyer could (i) require that the medallion guarantee be submitted; (ii) waive the medallion guarantee requirement and provide the Paying Agent with a hold harmless agreement; or (iii) change the name on the payment schedule to match the HongKong Wemakos name. Allegedly, the defendants, rushing to resolve the issue before a deadline for closing, chose option (iii). The Buyer changed the Sorenson entities’ names on the payment schedule and the Paying Agent then made payment to the account the hackers had designated.

Discussion

The Paying Agent is not subject to Delaware jurisdiction. The court rejected the plaintiffs’ argument that the Delaware forum selection provisions in the Merger Agreement and the letter of transmittal were binding on the Paying Agent. First, the Paying Agent was a New York domiciliary. The PAA was governed by New York law and, although the form of letter of transmittal was an exhibit to the PAA and the Merger Agreement was an exhibit to the form of letter of transmittal, the PAA contained no “explicit manifestation of intent” to incorporate by reference the terms of the Merger Agreement or the letter of transmittal. Moreover, the Merger Agreement specifically provided that the Paying Agent was not a party to nor bound by the Merger Agreement; and the letter of transmittal did not constitute a contract that created enforceable duties (and, in any event, also did not contain an explicit manifestation of intent to incorporate by reference the Merger Agreement or the PAA). Second, the court held that the Paying Agent, merely by acting for the two Delaware corporations that were merging, did not have sufficient minimum contacts with Delaware for the state to assert jurisdiction under its long-arm statute. Finally, the court observed that, as the PAA was “a commonplace commercial contract,” with no Delaware-specific law at issue, Delaware had no special interest in adjudicating the dispute.

The Company, although it technically complied with the Merger Agreement requirement to pay the merger consideration to the Paying Agent, may be liable for not “ensuring” ultimate payment to the Sorenson entities. Under the Merger Agreement, the Buyer was required to pay “to the Paying Agent” the amount due to all stockholders who submitted letters of transmittal meeting the conditions relating thereto. The Sorenson entities had satisfied such conditions and submitted a letter of transmittal; and the Buyer had made such payment to the Paying Agent. However, the court found that it was “reasonably conceivable” (the standard applicable at the pleading stage) that the Merger Agreement, “[r]ead holistically,” could be interpreted to impose an obligation on the Buyer “to do more than make a payment to its agent, that is, to ensure payment to the ‘entitled’ stockholders….” Notwithstanding that the plaintiffs did not plead that the Buyer had breached the Merger Agreement (but, instead, had pleaded that the Buyer was vicariously liable for the Paying Agent’s breach of the PAA), the court found that the Complaint gave sufficient notice to the Buyer that it was being sued for failure to pay the merger consideration that was due to the plaintiffs, in violation of the Merger Agreement. The court therefore rejected dismissal, at the pleading stage, of a breach of contract claim against the Company.

The court dismissed the claims against the Company for vicarious liability of the Paying Agent’s alleged contractual breaches; but let stand the claims against the Company for unjust enrichment. With respect to the claim for vicarious liability, the court stated that, under Delaware law, while a principal (the Company) may be liable for torts committed by an agent (the Paying Agent) when the agent’s tortious conduct was undertaken pursuant to the agency relationship, a party cannot be vicariously liable for its agent’s non-tortious conduct (such as breach of contract). The court noted that while the plaintiffs had pleaded a tort claim (negligence) against the Paying Agent, they had failed to plead a vicarious liability claim against the Company associated with the tort (and instead had pleaded only breach of contract). With respect to the claim for unjust enrichment, the court, without discussion, wrote that it was difficult to see how the Company “can have liability apart from breach of contract.” However, the court, stating that it was “mindful of the alternative nature of the claims,” and that it was “bow[ing] under the weight of precedent,” declined to dismiss the claim “at this time” and left it for “consideration on a record.”

The court left open the issue whether the Law Firm was a necessary party to the action. The Company argued that the Law Firm, which was not named as a defendant, was a necessary party to the suit. The court requested supplemental briefing on the issue before ruling on it.

Practice Points

• M&A participants should carefully plan to avoid, and to appropriately respond to, possible hacking—and should consider specifically addressing the potential liability issues in the event that hacking (or other improper diversion of merger consideration) occurs. M&A transactions present significant opportunities for cyber criminals. While previous hacking attempts usually have involved stealing information for purposes of engaging in insider trading, Sorenson highlights the risk of hackers successfully intercepting email chains, assuming the identities of actual shareholders, and re-directing payment of the merger consideration to themselves. A buyer, seller, target and paying agent, as well as legal counsel, should seek to ensure that appropriate systems are in place to prevent hacking. Even with careful planning and processes, however, hacking may be successful. Thus, M&A parties should consider specifically addressing in their agreements who would (and who would not) be liable if any of them was hacked. The court, citing the plot of The Maltese Falcon, framed the issue as follows:

Two parties contract for the sale of a chattel: say, a statuette of a falcon covered in black enamel. The payment is to be in cash. Neither wishes to make the transfer in person. Accordingly, they agree that the buyer will hire an agent who is to deliver the bird. Once delivery is made, the agent is to receive cash from the buyer, which he is then to pay over to the seller. The first part of the transaction is completed without incident. The buyer immediately resells the dingus to new buyers, who then take it on a ship and out of the jurisdiction. The agent then departs with the cash. As he is approaching the buyer’s home to complete the payment, a gunsel accosts him, and robs him of the cabbage. This mugger, despite the best efforts of the police, is never apprehended or even identified. Who in this scenario must bear the loss?

• A buyer, the target, and the paying agent (as well as legal counsel) all should pay attention to red flags with respect to letters of transmittal and seek to ensure an appropriate resolution of any irregularities. Red flags might include, for example, last minute changes to a letter of transmittal or payment instructions; a name change in the payment instructions without the required guarantee of signature; or a failure to meet other specified requirements (especially if relating to a large payment amount and, perhaps, if payment is to be redirected from a U.S. bank to a foreign bank for a U.S. shareholder). In Sorenson, arguably the red flags would have warranted that the Paying Agent make a call to (rather than communicate only by email with) the purported stockholders regarding the irregularities in their letter of transmittal. Further, the Paying Agent should have followed the instructions in the PAA to obtain the written consent of the designated officers of the Buyer. Moreover, arguably, the Paying Agent should not have offered, and the Buyer should not have chosen, the option of simply changing the stockholder’s name on the payment schedule. While that option resolved the issue for the Paying Agent on a technical basis, it offered no substantive substitute protection for the missing medallion guarantee.
• Sorenson also serves as a reminder that, under Delaware law: (i) If parties intend that an agreement incorporates by reference another agreement, they must include in the agreement an “explicit manifestation of intent” therefor. (ii) If parties intend that the terms in a letter of transmittal (or other ancillary documents) will be binding on any party, they must state as much in a binding agreement (such as the merger agreement or paying agent agreement, depending on which parties are to be bound), as a letter of transmittal generally is not a contract that creates enforceable duties. (iii) A buyer may wish to consider providing in the paying agent agreement that the paying agent will be bound by the forum selection and/or submission to jurisdiction provisions in the merger agreement. (iv) Target stockholders should keep in mind that a buyer can have vicarious liability (as a principal) for misconduct by the paying agent only if the paying agent’s conduct was tortious (e.g., negligence). Buyer liability for the paying agent’s breach of the paying agent agreement may arise only based on an aiding and abetting claim.