As the Corona Virus continues to spread and cause some issues in the world’s supply chain as well as the major equity markets, corporate governance issues are now being thrust into the spotlight. After all, how does the Board of Directors react to a pandemic? What are the rights of shareholders? What corporate governance practices are necessary to help companies address major crisis? To address these issues, it helps to first consider what corporate governance really entails. Hence a little summary on Corporate Governance and what In-House Counsel should consider.
1. When in-house counsel is briefing the Board of Directors, the briefing should at least cover the following:

• The structure of the corporation
• Basic Organizational Documents
• The role of the shareholders
• The annual meeting of the shareholders
• Liability of shareholders, if any
• The role of the Board of Directors
• Board Meetings
• Board Committees

2. What are the basic organizational documents

• In the US, the organizational structure and roles and duties of the shareholders, directors and officers are determined by the laws of the state in which the corporation is formed and by the basic organizational documents for a corporation. In the US, many corporations are incorporated in the state of Delaware, known for its advanced laws relating to the establishment of corporations.
• One of the documents is the Articles of Incorporation (Charter). The charter sets out the fundamental characteristics of the corporation such as its name, nature of business and classes of stock.
• Another document is called the Bylaws. The bylaws determine the specific procedures for governing the corporation, including:
- Procedures for shareholder and board meetings
- The size of the board
- The officers that the corporation may elect or appoint

3. The Role of the Shareholders

• The shareholders elect the directors
• The shareholders approve certain matters including:
- Authorization of additional shares of stock
- Mergers and acquisitions involving the corporation
- Sale of the corporation’s businesses or substantially all of its assets.
- Dissolution of the corporation
- Change of the corporation’s name
- Amendment of the Bylaws
- Management and operation of the corporation’s business are not included within the legal scope of the shareholder activity
- An annual meeting of the shareholders is required at which the shareholders elect or re-elect the directors

4. Liabilities of Shareholders

• Under US laws, a corporation is a distinct entity, a separate form and independent of its shareholders. A parent company (as a shareholder) as a rule is not liable for the debts, judgements and other liabilities of its subsidiary.
• Shareholders in SU are not usually liable for the debts and liabilities of the company.
• However, the shareholder, may become liable for liabilities for the company if corporate formalities are not followed.
• It is therefore essential that formalities of the corporate existence separate from shareholders be adhered to.
• Processes need to be developed to prevent the -“Piercing of the Corporate Veil”.
• The theory of “piercing the corporate veil” is not a test but a judgment as to which circumstances warrant a departure from the general rule of limited liability.
• Sound corporate practices requires consideration of the various factors that are used in determining whether to pierce the corporate veil.
• Elements of “Piercing the Corporate Veil” include:
-control by the shareholder (often a parent company) to such a degree that the subsidiary has become its mere instrumentality
-fraud or wrong by the parent or shareholder through its subsidiary
-unjust loss or injury to a third party claimant (such as insolvency of the subsidiary)

5. The Role of the Board of Directors

• The board of directors is accountable to the shareholders
• The board must ensure that effective systems of control are in place for safeguarding the corporation’s assets
• The board of directors may legally act only as a body and function in accordance with the Bylaws
• Directors are not responsible for running the business on a day-to day basis
• If a director is an officer, he or she executes documents in the capacity of the office held
• States confer broad powers upon board members and imposes corresponding duties and obligations
• To protect the board’s managerial power, Courts employ the business judgment rule
• The business judgement rule protects directors from liability as long as the directors acted :
- On an informed basis
- In good faith
- In the honest belief that the action taken was in the best interests of the corporation

• The specific responsibilities of the Board includes:
- Strategy
- Planning
- Control
• Duties owed by the Board of Directors to the shareholders and corporation include:
- The duties of care, loyalty and disclosure
- The duty of care focuses on the processes and methods by which the Board reaches decisions
- Standard for a breach of the duty is gross negligence

• Informed judgement requires a director to be :
-Fully informed on matters before the board
-Fully informed of all material information available to the board
-Fully informed of the terms, conditions and consequences of the transaction
- Discussion by the board should be frank, deliberate and open

• The board must represent the interests of the company and shareholders and proceed with a critical eye
• The board must independently assess matters before the board
• Each board member must act in a deliberate and knowledgeable manner
• The duty of due care means each board member must act in good faith
• Decisions must be rational
• As a general matter, each board member owes undivided allegiance to the corporation

6. Board Meetings

• The board of directors should meet as often as necessary
• The bylaws set the minimum number of directors

• A director cannot delegate his or her vote by proxy to another director
• Board meetings are governed by formalities
• Decisions are reflected in resolutions
• Minutes of board meetings:
- Should not recite details of the discussions during the meetings
- The minutes should be limited to recording the normal decisions of the board and key information essential to decisions.
- The board is permitted to adapt actions in writing without a meetings and without the requirement of notice using a “Unanimous Written Consent”

Recently, a number of airlines have announced plans to cancel flights to South Korea due to the corona virus outbreak. Korean companies such as Samsung and LG have had to shut down production lines in some of their Korean based plants as well, causing a cascading number of economic issues to impact Korea’s economy as well as the world’s supply chain. Much of the world’s high tech based supply chain is based in Northeast Asia ( China, South Korea, Japan, etc.) and the negative effects of the corona virus can be seen everywhere. As a major supplier of memory chips, cell phones, computers, consumer electronics and home appliances, any disruption in Korea’s economy spells trouble for the rest of the world.

Until recently, for companies doing business in South Korea, the most pressing geo-political risk was the threat of war. Seoul is not far from the DMZ and any altercation between North and South Korea would have an immediate impact upon Seoul and its surrounding cities. However, the impact of the current virus, drives home the fact that for companies doing business in South Korea, not only do they have to think of geo-political risk in terms of war, but as health emergencies and pandemics as well. Therefore, a company contemplating potential business projects in Korea must at least on a tactical level consider the implications of geopolitical risks as well as everyday market risks such as financial, legal and operational risks.

Considering recent geo-political events, many companies should review old risk management policies and procedures, in case updates are needed. Companies are only now beginning to realize they are not prepared to handle the escalating risks caused by the corona virus. Of course, what happens if there really is a true global pandemic? Many companies are not prepared for that. Some risk management processes that should be reviewed are not being considered as they are viewed as too expensive or impractical. Such is the case with political risk insurance.

Companies face many kinds of risks when engaged in offshore projects; of course geo- political risk is one of them. This comes about when a government changes its policy, ideology or even itself which creates instability, disorder, war, strikes, riots, etc. Or of course health risks that effect the region. What must be done to manage such risks? Political risk insurance comes to mind, but some forms of political risk insurance that are offered by capital –exporting nations ( such as OPIC, etc.) is subject to politically motivated conditions or motivations that may not take the needs of the investor into account. Case in point- OPIC can only operate in countries which have a bilateral investment treaty with the US. If you are a US investor trying to invest in a country which lacks a bilateral investment treaty with the US- you are out of luck when trying to obtain political risk insurance from OPIC. This is true of outer countries which supply similar political risk insurance through export development programs.

For more on political risk see my previous blog: “Managing Political Risk” at Seoullegalriskmgmt.com.

The recent outbreak of the Corona Virus is a perfect example of how risk, whether biological in nature, man-made, environmental or regulatory, can rapidly change a company’s business plan or effect the current global business outlook. As the virus continues to spread, business plans are being impacted, especially the business plans of companies in the travel, tourism and convention industries. This should give everyone pause and perhaps encourage everyone to reflect on the current risk management processes they have in place including employee safety related processes. Perhaps it is time to change the processes. Or at least re-examine them.

When talking to your staff or to other departments, how often have you heard the phrase “That the way we have always done things.” Just because corporate processes have been done one way doesn’t mean that the best way or even in todays’ fast changing world- the right way. Even after the financial meltdown of 2008 many companies continued to use the failed metrics that got them into trouble in the first place. Even the credit markets haven’t changed as much as you would think after 2008. Why?

I truly believe that once processes are created in a corporate or bureaucratic environment, it is as if the processes have been set in stone. They are very hard to change. Even if the world around the company has changed. It is human nature to accept what has been done in the past. Few people want to “rock the boat” even if the proverbial boat is actually sinking. Companies get into real trouble because of this. What happens if the company’s business model actually is out of date or its business plan is no longer viable? Just because it worked in the past doesn’t mean it will work in the future. Do the processes really mitigate risk or not?

I therefore caution everyone not to blindly accept the current risk management processes in place. Risk managers as well as in house counsel and other managers should be challenging risk management metrics on a regular basis. Counsel should be auditing departments on a regular basis. Does that compliance program really work? Does the safety program really work? Maybe the plans worked properly 5 years ago. But what about today?

Remember, if local or national laws have changed maybe the current processes are out of date. If the products that your company manufactures or the services it provides have changed maybe the internal processes surrounding the review of those products and services are out of date. What about the current social environment? What about the regulatory environment? When reviewing your current product liability review processes have you factored in the new risks created by the Internet of all Things? These risks are real. Are you ready for them?

It is a fundamental truth that all things change. Some change faster than others. Regardless, don’t rely on your old or standard risk management processes to continue to provide the same level of comfort they did in the past. Continue to review and to modify them if necessary.

Like some of its neighbors in Asia, South Korea has taken data protection very seriously and has implemented a general data protection law- the Personal Information Protection Act or “PIPA”. It first amended the PIPA in 2016 by adding additional regulations and requirements. Unlike some of its neighbors however, South Korea has also enacted other laws over the last 2 years that place strict requirements on data privacy in other sectors such as IT Networks, credit card information, cloud computing and online advertising. Recently, additional major amendments to PIPA were passed by the National Assembly of Korea because of Big Data /AI /IoT concerns.

The amendments to the PIPA that have been adopted include: (i) clarification of the definition of “personal information,” (ii) the introduction of pseudonymized information and the permitted use of pseudonymized information for research and statistical purposes without the data subject’s consent, (iii) the introduction of compatibility, (iv) the transfer of the Network Act’s personal information-related provisions to the PIPA and (v) elevation of the Personal Information Protection Commission’s (“PIPC’s”) status to a central administrative agency responsible for the enforcement of the PIPA. A short summary follows:

1. Key Provisions of the Amended PIPA

(1) Clarification of the definition of “personal information”

As is the case under the current PIPA, the definition of “personal information” under the amended PIPA continues to include “information that can be easily combined with any other information to identify a specific individual.” The amended PIPA provides clearer direction on what this means, by stipulating the criteria for determining whether certain information can be “easily combined with any other information to identify a specific individual.

(2) Introduction of “pseudonymized information”

The amended PIPA introduces the concept of “pseudonymized information,” which means “information which, through the process of pseudonymization, may no longer be used to identify a specific individual without using or combining additional information to restore the information to its original state.”
The amendment stipulates the principles governing the pseudonymization methods in the PIPA itself, rather than delegating the authority to the President to determine such methods in the Presidential Decree. Therefore, data handlers are advised to continue monitoring the position of the pertinent regulators, including any guidelines to be issued by them, and see how the principles stipulated in the amended PIPA are applied in practice going forward.

(3) Use of personal information within the scope reasonably related to the original purpose of the collection

The amended PIPA allows data handlers to use or provide personal information within the scope reasonably related to the original purpose of the collection without the consent of the data subject. The amended PIPA has relaxed the existing consent-oriented regulations which have been subject to continued criticism for being excessively formalistic and stringent, and adopted the purpose limitation principle of the GDPR, which allows the use of personal information for purposes that are not incompatible with the purpose of initial collection.

(4) Exclusion of anonymized information from the application of the PIPA.

The amended PIPA explicitly provides that any information which cannot be used to identify a specific individual even if the information is combined with any other information, after reasonably considering factors such as time, cost, technology (“Anonymized Information”), is not subject to the provisions of the PIPA.

(5) Transfer of the Network Act’s personal information-related provisions to the PIPA.

The amended PIPA includes a new chapter on the “Special Provisions for the Processing of Personal Information by Information and Communications Service Providers and Recipients of Personal Information (collectively, the “ICSPs”)” (“Special Provisions”), which basically consists of the Network Act’s provisions relating to personal information protection that are not in harmony with those set forth in the PIPA.
.
(6) Consent no longer required for an ICSP’s outsourcing of data processing to a third party.

Under Article 25 of the current Network Act, an ICSP who wishes to outsource the processing of personal information to a third party (“Outsourcing”) is obligated, in principle, to obtain the data subject’s (i.e., user’s) consent. However, this provision was not transferred to the amended PIPA as part of the Special Provisions, and thus the PIPA’s provisions on Outsourcing will now apply to an ICSP who wishes to engage in Outsourcing. Under the current PIPA, the data subject’s consent is not required for Outsourcing.

The new amendments to PIPA are meaningful in that they help provide clearer guidance to data handlers on what constitutes the lawful processing of personal information as well as setting forth standards for the secure processing of personal information. It is expected that the amended PIPA is expected to go into effect 6 months from its promulgation date, and the amendment of the PIPA’s implementing regulations shall take place in the upcoming months.

Management of litigation, like management of most business processes, begins with a business plan and a budget. In this case, prior to trial, when a company seeks an appropriate law firm to represent it, it needs an acceptable litigation plan and budget. Law firms many times will try to push back on the request of a budget, claiming legal costs are hard to predict. This, of course, is not the case. Experienced lawyers, whether in the United States, Europe, or Asia, are very familiar with the legal costs in their own geographic region as well as costs and expenses associated with the particular issue, such as patent litigation or class actions. Certain costs may be hard to quantify, such as defense litigation costs (which may depend on how aggressive a plaintiff is in trial), but for the most part, law firms can provide a litigation plan and budget using approximate or ballpark figures.

Effective management of litigation and therefore outside legal spend will depend on a well-prepared litigation plan and budget. This, in turn, depends on the proper identification of potential litigation issues and a plan for potentially adversarial proceedings. Questions that should be asked when discussing the plan and budget with outside counsel include:

Is this matter an actual or potentially adversarial proceeding?
Will this matter result in potential commercial litigation?
Will this matter result in potential regulatory litigation?
Will this matter lead to governmental litigation?

Kinds of Actions

An accurate litigation plan and budget will depend on the nature of the proceeding or legal matter at hand. Such matters can be classified as follows:

Commercial litigation
• Antitrust and trade disputes
• Bankruptcy and creditor actions
• Class actions (product liability, etc.)
• Labor and employment

Regulatory proceedings
• Governmental inquiry/informal visit
• Investigations
• Subpoenas
• Government enforcement proceedings
• Administrative tribunals
• Internal corporate investigations

Certain costs will be associated with the nature of the dispute. For instance, commercial litigation costs will be dictated by the cost of discovery, including: depositions, interrogatories, production of documents and things, and physical examinations, etc. Costs involved with regulatory proceedings will involve governmental investigations and internal corporate investigations and perhaps parallel proceedings, criminal as well as civil litigation.

Litigation Management Tools

Litigation management depends upon the in-house legal team or risk manager actively assessing and managing litigation by using an effective litigation management process. The litigation management process should utilize management processes as well as LRM tools.

For a corporation to effectively manage litigation, management needs to understand its role as litigation manager. If it hands over the entire litigation management process to the outside firm representing it, the costs will, of course, substantially increase! The law firm must be managed! The risk manager, corporate manager, or in-house lawyer (General Counsel, etc.) must understand his or her role as a litigation manager. That includes use of management functions and LRM tools.

Management functions
• Effective coordination of legal defense efforts to avoid duplication of costs
• Coordination of use of witness and discovery
• Serve as the central site for all facts, positions, and decisions in legal issues
• Development and implementation of a defense plan
• Internal assessment of facts
• Point of contact for regulators

LRM tools
• Litigation budget
• Coordination of documents
• Use of employee interviews
• Insurance
• Use of defense plan
• Early case assessment
• Alternative fees
• Outside billing guidelines

Only through the regular use of legal risk management tools can a company or organization effectively control its outside legal spend, especially when dealing with litigation.

Like directors in the US and elsewhere, directors in Korean companies have fiduciary related duties to protect and safe-guard the Company and the Company’s assets. Such duties are set forth in the Korean Commercial Code and include:

• Duty of Care as a prudent manager
• Duty of Confidentiality
• Fiduciary Duty-the Duty of Loyalty

In Korea, if a director violates the duty of care as a good manager (including the duty to faithfully perform in the Company’s best interest) he or she may be held liable to the company or even to third parties and could be required to pay damages. Under Article 382-3 of the Korean Commercial Code a director’s duty of care and good faith encompasses a number of duties including the:

• Duty to review the company’s activities
• Duty to review corporate information and documents
• Duty to protect a company’s assets
• Duty to supervise and oversee employees
• Duty to review all major filings with regulatory agencies

A director may even be subject to criminally liability as well as civil liability upon the negligent failure of fulfilling the obligation of care. Directors who violate the provisions of the Korean Commercial Code or the Company’s articles of incorporation may be held jointly and severally liable to the Company. This is true especially when the director’s actions are intentional, or are committed with gross negligence. Such liability may be found when the director fails to fulfill the duty of care and loyalty by:

• The intentional neglect or negligence in performing duties
• The failure to manage affairs as “an ordinary prudent person”
• Endangering company assets through gross negligence
• Engaging in a business that conflicts or competes with the Company
• Using a business opportunity that could benefit the Company for one’s own personal account or the account of a third party

Looking at the civil and common law aspects of the duty of care (Korean courts are trending towards the business judgment rule of the US) the following is true of directors in Korea today:

1. Directors must use reasonable care in protecting the Company’s assets
2. Directors must use reasonable care in providing a safe work place and work environment
3. Directors must use reasonable care when overseeing the Company’s activities

Remember, though serving as a director on the Board of a Korean company may sound exciting it comes with risk. There are restrictions as to what a director can or cannot do and if a director violates his or her fiduciary duty or duty of care, he or she is subject to legal action and even criminal liability.

linkedin facebook pinterest youtube rss twitter instagram facebook-blank rss-blank linkedin-blank pinterest youtube twitter instagram