From the Derivatives Practice Group: The SEC expanded the definitions of “Dealers” and “Government Securities Dealers” this week and Hong Kong weighed in on crypto and virtual asset regulation.

New Developments

  • SEC Adopts Rule to Expand Definitions of “Dealers” and “Government Securities Dealers.” On February 6, the SEC adopted a rule that requires market participants to register as “dealers” or “government securities dealers” for the first time and become members of a self-regulatory organization (SRO). The final rule, codified in Exchange Act Rules 3a5-4 and 3a44-2, purports to define the phrase “as a part of a regular business” in Sections 3(a)(5) and 3(a)(44) of the Securities Exchange Act of 1934 to identify certain activities that would cause persons engaging in such activities to be “dealers” or “government securities dealers” and be subject to the registration requirements of Sections 15 and 15C of the Act, respectively. Under the final rule, any person that engages in activities as described in the rule is a “dealer” or “government securities dealer” and, absent an exception or exemption, required to: register with the SEC under Section 15(a) or Section 15C, as applicable; become a member of an SRO; and be subject to applicable SRO and Treasury rules and requirements. Notably, the rule is non-exclusive, meaning that even if a firm does not meet any of the criteria in the rule, the SEC claims that the firm could still be a dealer anyway depending on the “facts and circumstances.” [NEW]
  • SEC and CFTC Adopt Amendments to Enhance Private Fund Reporting. On February 8, the SEC adopted amendments to Form PF, the confidential reporting form for certain SEC-registered investment advisers to private funds, including those that also are registered with the CFTC as commodity pool operators or commodity trading advisers. According to the SEC, the amendments, which the CFTC concurrently adopted, are designed to enhance the ability of the Financial Stability Oversight Council (FSOC) to monitor and assess systemic risk and to bolster the SEC’s oversight of private fund advisers and the agency’s investor protection efforts. The SEC and CFTC also agreed to a memorandum of understanding related to the sharing of Form PF data. The SEC stated that, among other things, the amendments to Form PF will enhance how large hedge fund advisers report investment exposures, borrowing and counterparty exposure, market factor effects, currency exposure, turnover, country and industry exposure, central clearing counterparty reporting, risk metrics, investment performance by strategy, portfolio liquidity, and financing and investor liquidity in an effort to provide better insight into the operations and strategies of these funds and their advisers and improve data quality and comparability. Further, the amendments will require additional basic information about advisers and the private funds they advise, including identifying information, assets under management, withdrawal and redemption rights, gross asset value and net asset value, inflows and outflows, base currency, borrowings and types of creditors, fair value hierarchy, beneficial ownership, and fund performance, which, according to the SEC, will provide greater insight into private funds’ operations and strategies, assist in identifying trends, including those that could create systemic risk, improve data quality and comparability, and reduce reporting errors. The amendments will also require more detailed information about the investment strategies, counterparty exposures, and trading and clearing mechanisms employed by hedge funds, while also removing duplicative questions. [NEW]
  • CFTC Global Markets Advisory Committee Advances Key Recommendations. On February 8, the CFTC’s Global Markets Advisory Committee (GMAC), sponsored by Commissioner Caroline D. Pham, formally advanced eight recommendations to the CFTC that are intended to enhance the resiliency and efficiency of global markets, including U.S. Treasury markets, repo and funding markets, and commodity markets. To date, this is the largest number of recommendations advanced by a CFTC Advisory Committee in a single meeting. The GMAC’s Global Market Structure Subcommittee prepared four recommendations: (1) appropriately calibrated block and cap sizes under CFTC Part 43 swap data reporting rules, intended to enhance market liquidity and financial stability; (2) addition of certain central counterparties (CCPs) as permitted counterparties under CFTC Rule 1.25(d), intended to promote the well-functioning of the repo market; (3) expansion of cross-margining between the CME Group and the Fixed Income Clearing Corporation, intended to support greater efficiency in the U.S. Treasury markets; and (4) best practices for exchange volatility control mechanisms, intended to address market stress and market dislocation during periods of high volatility. The GMAC’s Technical Issues Subcommittee prepared four additional recommendations, as follows: (5) adoption of lessons learned from a global default simulation across CCPs, intended to address systemic risk and promote financial stability; (6) harmonization of the treatment of money market funds as eligible collateral, intended to improve market liquidity; (7) improvement of trade reporting for market oversight, intended to ensure international standardization and global aggregation and analysis of data to address systemic risk; and (8) improvement of trade reporting for market oversight, intended to facilitate data sharing across jurisdictions for systemic risk analysis. [NEW]
  • CFTC Customer Advisory Alerts App and Social Media Users to Financial Romance Fraud. On February 7, the CFTC’s Office of Customer Education and Outreach (OCEO) issued a customer advisory alerting dating/messaging app and social media users to a scam asking for financial support or giving investment advice using the platforms. The Customer Advisory: Six Warning Signs of Online Financial Romance Frauds, reminds app and social media users to be wary of texts and messages from strangers that promote cryptocurrency investments. According to the OCEO, the text could actually be from international criminal organizations that trick victims into investing money in cryptocurrency or foreign currency scams only to defraud them. The OCEO stated that the scam can take advantage of even the savviest of investors because fraudsters develop relationships with their victims through weeks of seemingly authentic text messaging conversations, a practice known as “grooming.” The advisory points out several warning signs of a financial grooming fraud, which include fraudsters attempting to move conversations from a dating or social media platform to a private messaging app, as well as their claims of wealth from cryptocurrency or foreign currency trading due to insider information. The advisory also includes steps users can take to avoid financial grooming frauds. [NEW]
  • CFTC Extends Public Comment Period on Proposed Rule on Protection of Clearing Member Funds. On February 2, the CFTC extended the deadline for the public comment period on a proposed rule to address protecting clearing member funds held by derivatives clearing organizations. The deadline is being extended to March 18, 2024. The CFTC stated that it provided the extension in response to a request by a commenter. [NEW]
  • Commissioner Pham Announces Additional Executive Staff Appointments. CFTC Commissioner Caroline D. Pham announced new executive staff appointments in her Washington, D.C. office on February 1. Taylor Foy joins Commissioner Pham’s team as a Senior Advisor and Nicholas Elliot has joined as a Confidential Assistant and Policy Advisor. [NEW]
  • CFTC’s Energy and Environmental Markets Advisory Committee to Meet February 13. On January 30, 2024, CFTC Commissioner Summer K. Mersinger, sponsor of the Energy and Environmental Markets Advisory Committee (EEMAC) announced the EEMAC will hold a public meeting from 9:00 a.m. to 11:30 a.m. (MST) on Tuesday, February 13 at the Colorado School of Mines in Golden, Colorado. The CFTC stated that at this meeting, the EEMAC will explore the role of rare earth minerals in transitional energy and electrification, including the potential development of derivatives products to offer price discovery and hedging opportunities in these markets. Additionally, the meeting will include a presentation and discussion on the federal prudential financial regulators proposed rules implementing Basel III and the implications for and impact on the derivatives market. Finally, the two EEMAC subcommittees will offer an update on their continued work related to traditional energy infrastructure and metals markets.
  • CFTC Cautions the Public to Beware of Artificial Intelligence Scams. On January 25, the CFTC’s OCEO issued a customer advisory warning the public about Artificial Intelligence (AI) scams. Customer Advisory: AI Won’t Turn Trading Bots into Money Machines explains how the scams use the potential of AI technology to defraud investors with false claims that entice them to hand over their money or other assets to fraudsters who misappropriate the funds and deceive investors. The advisory warns investors that claims of high or guaranteed returns are red flags of fraud and that strangers promoting these claims online should be ignored. The CFTC stated that the advisory is intended to help investors identify and avoid potential scams and includes a reminder that AI technology cannot predict the future. It also lists four items investors may consider to avoid such scams: researching the background of a company or trader, researching the history of the trading website, getting a second opinion, and knowing the risks associated with the underlying assets.
  • CFTC Staff Releases Request for Comment on the Use of Artificial Intelligence in CFTC-Regulated Markets. On January 25, the CFTC’s Divisions of Market Oversight, Clearing and Risk, Market Participants, and Data and the Office of Technology Innovation issued a request for comment (RFC) in an effort to better inform them on the current and potential uses and risks of AI in the derivatives markets that the CFTC regulates. The RFC seeks comment on the definition of AI and its applications, including its use in trading, risk management, compliance, cybersecurity, recordkeeping, data processing and analytics, and customer interactions. The RFC also seeks comment on the risks of AI, including risks related to market manipulation and fraud, governance, explainability, data quality, concentration, bias, privacy and confidentiality and customer protection. The CFTC indicated that staff will consider the responses to the RFC in analyzing possible future actions by the CFTC, such as new or amended guidance, interpretations, policy statements, or regulations. Comments will be accepted until April 24, 2024.
  • CFTC Seeks Public Comment on Proposed Capital Comparability Determination for Swap Dealers Subject to Supervision by the UK Prudential Regulation Authority. On January 24, the CFTC solicited public comment on a substituted compliance application requesting that the CFTC determine that certain CFTC-registered nonbank swap dealers located in the United Kingdom may satisfy certain Commodity Exchange Act capital and financial reporting requirements by being subject to, and complying with, comparable capital and financial reporting requirements under UK laws and regulations. The Institute of International Bankers, the International Swaps and Derivatives Association, and the Securities Industry and Financial Markets Association submitted the application. In connection with the application, the CFTC also solicited public comment on a proposed comparability determination and related order providing for the conditional availability of substituted compliance to CFTC-registered nonbank swap dealers under the UK Prudential Regulation Authority’s prudential supervision. The comment period will be open until March 24, 2024.
  • BGC Group Announces Approval for FMX Futures Exchange. On January 22, BGC Group, Inc. (BGC) announced that its FMX Futures Exchange (FMX) received approval from the CFTC to operate an exchange for U.S. Treasury and SOFR futures. BGC will combine their Fenics UST cash Treasury platform and FMX to work across the CME’s U.S. interest rate complex. FMX is party to a clearing agreement with LCH SwapClear, a holder of interest rate collateral, which it indicated will allow for portfolio margining across rates of risk and provide for margin efficiencies and effective risk management.

New Developments Outside the U.S.

  • Hong Kong Government Launches Consultation on Regulating OTC Trading of Virtual Assets. On February 8, the Hong Kong government launched a public consultation on legislative proposals to introduce a licensing regime for providers of over-the-counter trading services of virtual assets (VAs). Under the proposed licensing regime, any person who conducts a business in providing spot trading services of VAs-for-money or money-for-VAs will be required to be licensed by the Commissioner of Customs and Excise, irrespective of whether the services are provided through a physical outlet and/or digital platforms. Licensees will be required to comply with AML/CFT requirements and other regulatory requirements. The public consultation period ends on April 12, 2024. [NEW]
  • HKMA Consults on Capital Treatment of Cryptoasset Exposures. On February 7, the Hong Kong Monetary Authority (HKMA) published a Consultation Paper on CP24.01 Cryptoasset Exposures setting out a proposal for implementing new regulations on the prudential treatment of cryptoasset exposures based on the Basel Committee on Banking Supervision’s Prudential treatment of cryptoasset exposures standard. According to the consultation paper, for the purpose of the prudential treatment of cryptoasset exposures, cryptoassets will be defined as private digital assets that depend on cryptography and distributed ledger technologies or similar technologies. The HKMA has scheduled a preliminary consultation on the proposed amendments to the rules in the second half of 2024 and aims to put new standards into effect no earlier than July 1, 2025. [NEW]
  • EU Co-Legislators Reach Provisional Agreement on EMIR 3. On February 6, the EU co-legislators reached a provisional political trilogue agreement on the European Market Infrastructure Regulation 3. On the issue of an active account requirement, while the agreement is based on the less punitive operational active account with representativeness approach proposed by the Council of the EU, the European Parliament has proposed that counterparties should clear at least five trades through an EU CCP in each of the most relevant subcategories. The original approach proposed by the council only required one trade per relevant subcategory. On the topic of supervision, the agreement includes a new role for the European Securities and Markets Authority (ESMA) as co-chair of CCP supervisory colleges alongside national competent authorities and a coordinating role in an emergency. [NEW]
  • ESA’s Joint Board of Appeal Confirms ESMA’s Decision to Withdraw the Recognition of Dubai Commodities Clearing Corporation. On February 6, the Joint Board of Appeal of the European Supervisory Authorities (the ESAs) unanimously decided to dismiss the appeal brought by Dubai Commodities Clearing Corporation (DCCC) against ESMA and to therefore confirm the ESMA decision to withdraw its recognition. The application was brought in relation to ESMA’s Decision, adopted under Article 25p of Regulation (EU) No 648/2012 (EMIR), to withdraw the recognition of DCCC as a Tier 1 third-country CCP. The decision is a consequence of the United Arab Emirates (UAE) being included by the European Commission on the list of high-risk third countries presenting strategic deficiencies in their national anti-money laundering and counter financing of terrorism (AML/CFT) regime, provided for in the Commission Delegated Regulation (EU) 2016/1675. The Joint Board of Appeal of the ESAs had decided to suspend the ESMA decision in October 2023 until the outcome of the appeal was concluded. With today’s publication, the suspension has expired and the ESMA decision has become fully operational. [NEW]
  • ESMA Publishes Guidelines on CCP Recovery and Resolution. On February 2, ESMA published two sets of guidelines relating to the EU CCP Recovery and Resolution Regulation. The first set of guidelines provides EU authorities with guidance on the provisions that should be included in cooperation arrangements with third-country authorities, on matters such as the exchange of information for the preparation and maintenance of resolution plans, and on the mechanisms for prompt informing to parties before any early intervention power or resolution action. The second set of guidelines provides EU authorities with guidance on practical arrangements for the establishment and functioning of the resolution college for EU CCPs, and to facilitate the effective operation of the college. [NEW]
  • ESAs Recommend Steps to Enhance the Monitoring of BigTechs’ Financial Services Activities. On February 1, the ESAs published a Report setting out the results of a stock take of BigTech direct financial services provision in the EU. The Report identifies the types of financial services currently carried out by BigTechs in the EU pursuant to EU licenses and highlights inherent opportunities, risks, regulatory and supervisory challenges. The stock take showed that BigTech subsidiary companies currently licensed to provide financial services pursuant to EU law mainly provide services in the payments, e-money and insurance sectors and, in limited cases, the banking sector. However, the ESAs have yet to observe their presence in the market for securities services. To further strengthen the cross-sectoral mapping of BigTechs’ presence and relevance to the EU’s financial sector, the ESAs propose to set-up a data mapping tool. The ESAs explained that this tool is intended to provide a framework that supervisors from the National Competent Authorities would be able to use to monitor on an ongoing and dynamic basis the BigTech companies’ direct and indirect relevance to the EU financial sector.
  • ESMA Publishes Risk Monitoring Report. On January 31, the ESMA published its first risk monitoring report of 2024, where it sets out the key risk drivers currently facing financial markets. Beyond the risk drivers, ESMA’s report provides an update on structural developments and the status of key sectors of financial markets, during the second half of 2023. The report considers structural developments in various areas, including market-based finance, sustainable finance, securities markets, and asset management.
  • ESMA Consults on Reverse Solicitation and Classification of Crypto Assets as Financial Instruments Under MiCA. On January 29, ESMA, published two Consultations Papers on guidelines under Markets in Crypto Assets Regulation (MiCA), one on reverse solicitation and one on the classification of crypto-assets as financial instruments. ESMA is seeking input on proposed guidance relating to the conditions of application of the reverse solicitation exemption and the supervision practices that National Competent Authorities may take to prevent its circumvention. ESMA is also seeking input on establishing clear conditions and criteria for the qualification of crypto-assets as financial instruments.

New Industry-Led Developments

  • ISDA Response on Anti-Greenwashing Rules. On January 26, ISDA submitted a response to the UK Financial Conduct Authority’s consultation on GC23/3: Guidance on the Anti-Greenwashing Rule. In the response, ISDA highlights that actual or perceived misrepresentation of sustainability features may have a detrimental impact on investor and consumer perceptions of sustainable finance products, and ISDA supports efforts to enhance trust in the market. ISDA considers that sustainability-linked derivatives, environmental, social and governance derivatives and voluntary carbon credits fall within the scope of the rule.
  • Joint Response to EC on BMR. On January 23, ISDA, the Global Financial Markets Association and the Futures Industry Association (FIA) submitted a joint response to the EC call for feedback on the review of the scope and regime for non-EU benchmarks. The response sets out the associations’ comments on the EC’s proposal, along with potential draft amendments and additional revisions that were considered to support the EC’s aims. In the response, the associations welcome the EC’s recognition of the problems caused by the current drafting of the Benchmark Regulation (BMR). The associations support the aim of establishing a third-country regime that is sustainable in the long term once the current transitional regime expires, and overall consider that the proposal will result in a more proportionate regime for users and administrators of benchmarks.
  • ISDA, FIA Respond to MAS Consultation on Amendments to the Capital Framework for Approved Exchanges and Clearing Houses. On January 22, ISDA and the FIA jointly responded to the consultation from the Monetary Authority of Singapore (MAS) on proposed amendments to the capital framework for approved exchanges and approved clearing houses. The scope of the response is limited to the capital framework for approved clearing houses. The associations stated that they welcomed the introduction of a separate liquidity requirement and proposed that MAS consider a more conservative minimum threshold of at least 12 months of operating expenses. They also agreed with the proposed amendments that capital components should only include equity instruments and exclude an approved clearing house’s skin-in-the-game. For total risk requirement, the response suggests the alignment of the operational risk component with the liquidity risk requirement and the inclusion of some clarifications on the investment risk and general counterparty risk components.

The following Gibson Dunn attorneys assisted in preparing this update: Jeffrey Steiner, Adam Lapidus, Marc Aaron Takagaki, Hayden McGovern, and Karin Thrasher.

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments. Please contact the Gibson Dunn lawyer with whom you usually work, any member of the firm’s Derivatives practice group, or the following practice leaders and authors:

Jeffrey L. Steiner, Washington, D.C. (202.887.3632, [email protected])

Michael D. Bopp, Washington, D.C. (202.955.8256, [email protected])

Michelle M. Kirschner, London (+44 (0)20 7071.4212, [email protected])

Darius Mehraban, New York (212.351.2428, [email protected])

Jason J. Cabral, New York (212.351.6267, [email protected])

Adam Lapidus – New York (+1 212.351.3869, [email protected])

Stephanie L. Brooker, Washington, D.C. (202.887.3502, [email protected])

Roscoe Jones Jr., Washington, D.C. (202.887.3530, [email protected])

William R. Hallatt, Hong Kong (+852 2214 3836, [email protected])

David P. Burns, Washington, D.C. (202.887.3786, [email protected])

Marc Aaron Takagaki, New York (212.351.4028, [email protected])

Hayden K. McGovern, Dallas (214.698.3142, [email protected])

Karin Thrasher, Washington, D.C. (202.887.3712, [email protected])

© 2024 Gibson, Dunn & Crutcher LLP.  All rights reserved.  For contact and other information, please visit us at www.gibsondunn.com.

Attorney Advertising: These materials were prepared for general informational purposes only based on information available at the time of publication and are not intended as, do not constitute, and should not be relied upon as, legal advice or a legal opinion on any specific facts or circumstances. Gibson Dunn (and its affiliates, attorneys, and employees) shall not have any liability in connection with any use of these materials.  The sharing of these materials does not establish an attorney-client relationship with the recipient and should not be relied upon as an alternative for advice from qualified counsel.  Please note that facts and circumstances may vary, and prior results do not guarantee a similar outcome.

A team of Gibson Dunn lawyers, working with The Promise of Justice Initiative (PJI) in New Orleans, has secured the release of pro bono client B.T., who in 1983 was convicted by an unconstitutional, non-unanimous jury in Louisiana. Over the dissenting votes of two jurors—who, like B.T., were Black—B.T. was found guilty of an alleged armed robbery. After his counsel failed to present any arguments on his behalf during sentencing, B.T. was sentenced to 99 years at hard labor without benefit of probation, parole, or suspension. B.T., then 19 years of age, received what was effectively a life sentence despite important mitigating facts: the alleged robbery was of $400, B.T. had never before been accused of a violent crime, he had lived a difficult childhood, no one was physically injured during the alleged robbery, and two jurors had reasonable doubt he was guilty at all. After spending the past 40 years incarcerated in Louisiana state prisons, including Angola, B.T. received an amended sentence reduced to time served. He was released as a free man on November 17, 2023.

Gibson Dunn has been working with PJI to help individuals like B.T. seek justice after being convicted by Jim Crow juries. The U.S. Supreme Court held non-unanimous juries to be unconstitutional in Ramos v. Louisiana in 2020, but the Court’s subsequent decision in Edwards v. Vannoy held that Ramos would not apply retroactively, leaving those already convicted and incarcerated prior to 2020 without hope of relief.

Despite these challenges, Gibson Dunn and PJI successfully negotiated with the Orleans Parish District Attorney’s Office to file an uncontested post-conviction relief application that provided B.T. with a new sentencing hearing under state law. The application for a hearing was granted, and during the hearing, the judge resentenced B.T. to 40 years, with full credit for time served.

B.T. was released into a three-year reentry program created by Criminal District Court Judges in Orleans Parish that will provide comprehensive resources and support as he adjusts to life outside of incarceration. B.T.—who is known by those around him for his selflessness, wisdom, and unwavering optimism—is excelling in the program.

The Gibson Dunn team includes associates Anna Aguillard, Alexandra Buettner, and Sam Whipple, with supervision by partner M. Kendall Day.

2023 was a transformative year for the legal, regulatory, and policy landscape around artificial intelligence (“AI”). Public debate as well as commercial and public sector deployment of AI capabilities hit a fever pitch, though many of the legal frameworks that hit major milestones in 2023 predate the generative AI phenomenon.

The European Union’s (“EU”) AI Act overcame near derailment by the emergence of foundation models (so-called “general purpose AI”) and now approaches the finish line, on track for 2024 to become the first comprehensive AI law on the books, directly regulating AI systems based on inherent risk, with sweeping consequences far beyond EU borders.

For now, the U.S. continues to rely on a largely sectoral, self-regulatory approach to AI.  While efforts to develop a federal framework fell short, the landscape remained dynamic: a sweeping White House executive order, private sector commitments around cutting-edge frontier models, regulatory guidance and emergent best practices grounded in the National Institute of Standards and Technology (“NIST”) AI Risk Management Framework 1.0, and statements by agencies including the Federal Trade Commission (“FTC”), Department of Justice (“DOJ”), Equal Employment Opportunity Commission (“EEOC”), Securities and Exchange Commission (“SEC”), and Consumer Financial Protection Bureau (“CFPB”), as well as ongoing efforts by the Senate to develop AI legislative frameworks.  At the federal and state level, legislative and regulatory focus sharpened on the allegedly improper use of protected data (for example, personal or copyrighted data) to develop models and improve products and services.

2024 promises more of the same.  In a year where half the world’s population is slated to cast a ballot in an election, and as AI increasingly establishes itself as a topic with certain but unclear geopolitical import, governments will continue to experiment in deploying different regulatory models to governed foundation models and other types of AI deployments in an effort to achieve political, societal, and geopolitical goals.  These developments will occur in parallel with emergent and evolving societal norms around the use and acceptance of AI, and broader understandings about potential risks.

This will take place across legal domains.  For example, competition authorities around the world have already signaled increasing scrutiny of the market impacts of leading companies in the AI space.  In the EU, the AI Act will require virtually all companies using AI in their products, services and supply chains on the EU market to assess their risk profile and potential liability under the new framework.  Similar comprehensive AI laws and governance tools continue to be proposed and debated elsewhere around the world.  In the U.S., the FTC, California’s Privacy Protection Agency (“CPPA”), and other federal and state regulators are poised to continue their efforts to establish themselves as key agencies in this fast-evolving space.  We also expect to see new AI-related state legislation and a regulatory enforcement focus on data governance and usage in high-risk spaces, such as employment, insurance, and healthcare, and a reimagined intellectual property legal landscape thanks to guidance from the U.S. Copyright Office and court rulings in pending high-profile federal lawsuits.

Our AI Review and Outlook – 2024 focuses on these legal and regulatory developments and also examines other notable policy updates in the U.S. and the EU, with an eye toward the key issues and developments to watch in 2024.  Key developments include:

  • Forward progress with the EU’s AI Act, which will broadly regulate AI systems based on inherent risk and impose specific requirements on foundation models.
  • The long-awaited release of the White House AI Executive Order, which imposes affirmative reporting requirements on foundation model developers and aims to create new AI standards and guidelines across federal agencies.
  • The FTC’s continued enforcement focus and resolution streamlining the agency’s ability to issue civil investigative demands (CIDs) in investigations relating to AI.
  • IP-related litigation and policy developments with respect to protections for AI-generated works and copyright infringement in connection with generative AI tools.
  • The array of regulatory and legislative developments centered around the intersection of AI and employment law.

TABLE OF CONTENTS

I. EU POLICY & REGULATORY DEVELOPMENTS

II. U.S. LEGISLATIVE, REGULATORY & POLICY DEVELOPMENTS

III. U.S. SECTOR-SPECIFIC DEVELOPMENTS
A. Intellectual Property
B. Privacy
C. Employment
D. Insurance

IV. SELECT ADDITIONAL INTERNATIONAL DEVELOPMENTS
_________________________

I. EU POLICY & REGULATORY DEVELOPMENTS

A. EU AI Act

In late 2023, the EU reached a long-awaited milestone in comprehensive AI regulation.  After almost 6 months of trilogue negotiations, the European Commission, the Council and the Parliament reached a political agreement on the provisional rules that will comprise the first global AI regulation – the EU AI Act – on December 8, 2023.[1]

The provisional agreement on the EU AI Act will:

  • Establish a broad and extraterritorial scope of application,
  • Prohibit certain uses of AI entirely, and
  • Define a broad range of other uses as “high-risk” and subject to stringent requirements.

A number of procedural steps remain before the AI Act can be finalized; however, the staggered (and relatively rapid) planned enforcement of certain provisions bears note.  Provisions related to prohibited AI systems are set to become enforceable six months after the Act is finalized; and provisions related to so-called General Purpose AI (“GPAI”) become enforceable 12 months after this date.  The rest of the AI Act is expected to become enforceable in 2026.

The “long arm” of the AI Act will impact a broad range of businesses—including, but not limited to, those that intend to provide or deploy AI systems within the EU.[2]  The distinct posture of the AI Act, based in part on fundamental and human rights jurisprudence, requires companies to think differently when preparing compliance strategies, including:

  • Proactive engagement with novel regulatory measures, such as a fundamental rights impact assessment for certain AI systems, and
  • Reimagining and documenting strategic decision-making related to internal governance and compliance in the face of unpredictable and uncertain go-forward risks.

A draft of the final text was released on January 21, 2024, but the provisional agreement must now be formally approved by the EU Member States and the European Parliament.  For more details into related developments, please see our previous alerts analyzing the European Commission’s 2021 proposal on the AI Act, the European Council’s common position in December 2022, the European Parliament’s negotiating position in June 2023), and the political agreement reached on December 8, 2023.

B. AI Liability Directive & Product Liability Directive

In September 2023, the AI Liability Directive (“AILD”) and the Product Liability Directive (“PLD”) were introduced as part of a comprehensive package to facilitate the responsible deployment of artificial intelligence in Europe.[3]

The AILD focuses on fault-based liability under national regimes for damages caused by specific AI systems, establishing standardized rules for information access and burden of proof.  Simultaneously, the PLD, updated in a political agreement in December 2023, broadens no-fault liability for defective products to encompass digital entities such as software, including those powered by AI.  The legislation, poised for formal approval, is set to govern products entering the market 24 months post-directive enforcement.  Notably, it introduces provisions for compensating a range of losses, including data corruption, and outlines conditions for presuming product defectiveness in specific scenarios.

C. EDPS Opinions on AILD and PLD

In October 2023, the European Data Protection Supervisor (“EDPS”) issued “Opinion 42/2023 on the Proposals for two Directives on AI liability rules.”[4]

Key points include the EDPS’ emphasis on extending liability rules to AI systems used by EU institutions, advocating for broad procedural safeguards, suggesting comprehensive and understandable disclosure of information, and recommending a reconsideration of additional measures for consumers to prove fault or causality.  The EDPS also proposed explicitly stating that the AILD does not prejudice Union data protection law and suggested shortening the review period for AILD to expedite assessing compensation effectiveness.

II. U.S. LEGISLATIVE, REGULATORY & POLICY DEVELOPMENTS

A. White House AI Executive Order

On November 1, 2023, the Biden Administration released its long-awaited Executive Order on AI (“EO”).[5]

The goals and overarching themes of the EO are to:

  • Ensure the safety and security of AI by developing standardized metrics to assess AI safety, evaluating the safety of new AI systems, and clearly identifying AI-generated content;
  • Promote the responsible innovation of new AI technologies by investing in AI-related training and R&D and managing forthcoming AI-related IP issues;
  • Ensure that American workers are not negatively affected by developments in AI;
  • Protect civil rights by preventing and mitigating the use of AI to discriminate;
  • Ensure that AI developments do not undermine existing laws and corporate obligations;
  • Protect privacy and civil liberties, such as ensuring that private data is retained and used with consent, and preventing AI technologies from chilling First Amendment rights;
  • Manage the risks arising from the federal government’s own use of AI, including by training relevant public servants in AI-related issues; and
  • Ensure that the federal government leads the way in the development and management of AI technologies.

Although the EO attempts to address a variety of pressing AI-related issues, it is largely focused on directing federal agencies to develop guidance on the use of AI; the creation of new standards, including for labeling AI-generated content and ensuring the safety and security of critical infrastructure; safety testing models; and detecting AI-generated content and authenticating AI-related content.  The EO’s focus on privacy includes developing guidelines for federal agencies to evaluate the effectiveness of privacy-preserving techniques.

Select notable requirements created by the EO include: (1) affirmative reporting requirements for AI companies developing or intending to develop foundation models; (2) the creation of new standards, including for labeling AI-generated content, and for ensuring the safety and security of critical infrastructure; and (3) the creation of a cybersecurity program that develops AI tools to find and fix vulnerabilities in critical software.

As relevant to the private sector, the EO contains three specific requirements.  First, it purports to require that developers of high-capability foundation models report and provide information to the federal government, as discussed below.  Second, it imposes separate reporting requirements for companies that acquire, possess, or develop “potential” large-scale computing clusters, including disclosing the existence and location of these clusters and their power.  Third, the EO requires the Secretary of Commerce to propose new regulations that require U.S. cloud service providers to notify the government if non-U.S. individuals or entities who use their services start training large AI models that could be used for malicious purposes.

1. Reporting Requirements for High Capability Foundation Models

Section 4.2(a) seeks to impose affirmative reporting requirements for companies that (1) develop or have the intent to develop “foundation models,” or (2) “acquire, develop or possess” large compute clusters.

The EO requires developers of large, high-capability foundation models to provide information to the federal government about (1) model safety and training, (2) steps taken to protect model weights, and, perhaps most concerning, (3) the results of all red-team safety testing.  This requirement is written to apply broadly to a range of foundation models that are considered “dual use.”  Importantly, this covers not only models that “exhibit a high level of performance at tasks that pose a serious risk to security, national economic security, national public health or safety,” or any combination of the above, but also models that “could be easily modified” to do so, even if they include technical safeguards that attempt to prevent users from using such “unsafe capabilities.”  Accordingly, a company that has the intent to develop a foundation model that could be modified (including by a third party) to exhibit such risks is subject to this registration requirement.

As such, companies appear required to assess model risk and report accordingly.  The EO does not clearly define who would determine that a foundation model presents such “serious risks” or how such a determination would be made.  It would require companies to make this determination on their own, and provide examples including models that: make weapons of mass destruction accessible; enable “powerful” cyber-offensive operations against a range of targets; or allow an AI model to evade human control or oversight (including through “deception”).

Simultaneously, Section 4.2(b) would appear to independently establish a temporary registration requirement for models trained on a certain quantity of computing power.  The Secretary of Commerce (in consultation with other executive agencies) is directed to establish “technical conditions” for models “that would be subject” to these reporting requirements.  The import of these “technical conditions” and their relationship to a determination of “serious risk” and attendant reporting obligations remains to be seen.

2. OMB Implementing Guidance

On November 1, 2023, the Office of Management and Budget (“OMB”) published a draft memorandum to assist in implementing the EO.[6]  The guidance in the memorandum is primarily focused on operationalizing standards for federal government actors, but holds predictive value for companies contracting with government agencies and may be instructive as to what future federal regulation may hold for the private sector.[7]

The key proposed policies would: institute government-wide “minimum practices” to be employed with regards to any “rights-impacting” or “safety-impacting” AI; require agency-specific AI strategies, which would include planning for data sharing, workforce training, and cybersecurity measures; and instruct agencies to designate a Chief AI Officer to oversee all AI use within each agency.[8] OMB is expected to publish the final guidance document in 2024.[9]

3. Next Steps

The U.S. Department of Commerce (“Commerce”), NIST, the Bureau of Industry and Security (“BIS”), the National Telecommunications and Information Administration (“NTIA”), and the U.S. Patent and Trademark Office (“USPTO”) will play a key role in implementing the EO.  Commerce has been given 90 days to establish the reporting requirements.[10]  On December 19, 2023, NIST released an RFI seeking public comment to support its response to the EO and develop guidelines for evaluation and red-teaming as well as consensus-based standards.[11]  Responses were due Friday, February 2, 2024, and NIST anticipates publishing draft guidelines for public comment in due course.

B. Voluntary Commitments for Frontier AI Models

On July 21, 2023, the White House announced that several major technology companies had made voluntary commitments to ensure the safe development of frontier AI systems.

Among the commitments are efforts to develop markings on AI-generated content that can allow users to understand that the content derives from an AI system, to internally and externally red-team generative AI systems’ safety, and to prioritize research on how AI models can protect privacy and safeguard against potential bias and discrimination.[12] In the following months, additional companies signed on to the White House’s voluntary commitments as well.[13]

C. NIST’s Focus on AI

On January 26, 2023, NIST released the first version of its Artificial Intelligence Risk Management Framework (“AI RMF”).[14]

The AI RMF is designed to assist organizations in mapping out and assessing AI risks and “trustworthiness” in the development and use of AI products, systems and services.  The AI RMF follows direction from Congress for NIST to develop the framework, and was produced in close collaboration with the private and public sectors.  It is intended to provide practical guideposts that are adaptable to the rapidly evolving AI landscape, and outlines core fundamental functions that organizations should consider when developing trustworthy AI systems, including governance, risk assessments, and risk management.  NIST also established the Trustworthy & Responsible AI Resource Center that will serve as a repository for current guidance on AI that can assist companies and organizations in institutionalizing the AI RMF.  For more details on NIST’s AI RMF, see our alert, NIST Releases First Version of AI Risk Management Framework.

On March 8, 2023, NIST released a draft report that defines certain key terminology and creates a taxonomy of attacks and mitigation techniques relating to adversarial machine learning (“ML”).[15]  The report aims to inform standards and future practice guides for assessing and managing the security of AI systems by establishing a common language for the rapidly developing adversarial ML landscape.  Specifically, the report outlined three categories of attacks: evasions (where adversary generates adversarial examples), data and model poisoning (where attacks occur during the training of a machine learning algorithm to introduce integrity violations), and data and model privacy (where attacks seek to reconstruct training data or infer datasets).  In June 2023, NIST also announced the creation of a Public Working Group on Generative AI, which is intended to build upon the AI RMF and address developments in the AI sector.[16]  On December 21, 2023, NIST issued a Request for Information (“RFI”), relating to its assignments under the White House’s AI Executive Order.[17]  The RFI spans a range of broad categories, including red-teaming exercises, benchmarking, and watermarking.

D. U.S. Congressional Actions

Members of the U.S. Congress demonstrated a keen interest in AI in 2023, including by holding AI-related hearings, meeting with key stakeholders, and introducing various bills to regulate AI.  However, these efforts were largely fragmented and the proposals are unlikely to result in passage and enactment.[18]

Throughout 2023, both the House and Senate held hearings on a range of topics relating to AI, including AI regulation, potential risks with IP and misinformation, and national security considerations.  In April of 2023, Senate Majority Leader Chuck Schumer (D-NY) spearheaded a bipartisan effort to develop a comprehensive AI policy framework that “outlines a new regulatory regime” and implements “robust” oversight efforts.  This theoretical framework focused on the following four proposed guardrails:  (i) identification of who trained the algorithm and who its intended audience is; (ii) disclosure of its data source; (iii) an explanation for how it arrives at its responses; and (iv) transparent and strong ethical boundaries.[19]  When Senator Schumer spoke at the Center for Strategic and International Studies in June 2023, he referred to the framework as the “SAFE Innovation Framework.”[20]

Although proposals made little progress, a few themes have emerged.

  • Requiring disclosure of or developing the means to label AI products as distinct from human-originated work. For example, Representative Ritchie Torres (D-NY) introduced the AI Disclosure Act of 2023, which would require any “output” created by generative AI to include a disclaimer stating that the output was generated by AI as follows: “DISCLAIMER: this output has been generated by artificial intelligence.”[21]  It would apply to videos, photos, text, audio, or “any other AI generated material.”  The bill does not offer any guidance regarding how to determine when an output counts as “AI-generated,” what types of models or tools are covered, or whether the bill is directed at any or all of the following: users, deployers, or developers of generative AI systems.
  • Regulating foundation models. On December 22, Representatives Anna Eshoo (D-CA) and Don Beyer (D-VA) introduced the AI Foundation Model Transparency Act, a bill aimed at empowering the FTC “to set standards for what information high-impact foundation models must provide to the FTC and what information they must make available to the public.”[22] Under the bill, the FTC would be directed to “promulgate regulations that establish standards specifying information to improve the transparency of foundation models by covered entities with respect to training data, model documentation, data collection in inference, and operations of foundation models.”  Failure to adhere to the regulations would constitute an unfair or deceptive act or practice under the FTC Act.

Additional proposals included bills intended to: restrict Section 230 immunity for civil claims premised on generative AI,[23][24] prohibit the distribution of materially deceptive AI-generated audio, images, or video relating to federal candidates in political ads,[25] and restrict the use of the “name[s], image[s] and likeness[es] (NIL)” of artists.[26]

Given the blistering pace of technological development and fast-moving regulatory landscape on the matter of AI, it remains to be seen whether Congress will be successful in passing comprehensive AI legislation in this legislative session.  As Justice Kagan noted recently during oral argument, “Congress can hardly see a week in the future with respect to this subject, let alone a year or a decade in the future.”[27]

E. Joint Agency Statement on Bias and Discrimination

On April 25, 2023, officials from the DOJ, FTC, CFPB, and EEOC issued a joint statement stating the agencies would “vigorously use [their] collective authorities to protect individuals’ rights regardless of whether legal violations occur through traditional means or advanced technologies.”[28]

While the joint statement is nonbinding, it highlights the following three areas of AI as potential sources of discrimination in automated systems that may result in enforcement from these agencies:

  • Data and Datasets. Where AI is applied to “unrepresentative or imbalanced datasets, datasets that incorporate historical bias, [] datasets that contain other types of errors,” and data correlated with “protected classes,” an AI tool’s use may lead to unfair or discriminatory outcomes.
  • Model Opacity and Access. Where automated systems are “black boxes” that lack transparency and are not understood or clear to even the developer of the tool itself (let alone the general public), the use of that system can make it more difficult to know if an automated system is fair.
  • Design and Use. Where AI tools are designed without context for the ultimate uses of the tool, the tool may rely on flawed assumptions about “users, relevant context, or the underlying practices or procedures” the tool seeks to augment or replace.

F. FTC Enforcement and Policy

In 2023, the FTC doubled down on its focus on AI through an array of blogs, policy statements, and enforcement actions, starting the year with the launch of its Office of Technology to bolster in-house technical expertise and capacity, signaling its commitment to enforcing consumer protection laws in the high-tech space.[29]

Underlining this ambition, on November 21, 2023, the FTC approved a significant resolution streamlining FTC Staff’s ability to issue civil investigative demands (CIDs) in investigations relating to AI.[30]  In announcing the resolution, the FTC defined AI broadly to include (but not be limited to) “machine-based systems that can, for a set of defined objectives, make predictions, recommendations, or decisions influencing real or virtual environments.”  The announcement further stated that generative AI “can be used to generate synthetic content including images, videos, audio, text, and other digital content that appear to be created by humans.”  The resolution will be in place for 10 years and will likely facilitate the FTC in launching AI-related investigations.

1. FTC’s Policy Statements, Blog Posts, and Guidance

In May 2023, the FTC issued a policy statement[31] and accompanying press release,[32] warning about misuses of biometric information and the potential harm to consumers.

The statement asserted that the FTC “is committed to combating unfair or deceptive acts related to the collection and use of consumers’ biometric information and the marketing and use of biometric information technologies.”  The FTC emphasized that it will scrutinize statements about the collection and use of biometric information and warned that companies should not make false statements about the extent of their collection or use of biometric information, underscoring that “[b]usinesses also must ensure that they are not telling half-truths—for example, a business should not make an affirmative statement about some purposes for which it will use biometric information but fail to disclose other material uses of the information.”  The statement recommends that companies continuously monitor compliance with Section 5 of the FTC Act and have a system for receiving and addressing consumer complaints and disputes related to biometric information.[33]

In late June 2023, the FTC published a blog post about generative AI and its impact on competition, expressing concern that a small number of companies could control the essential “building blocks” of generative AI—data, talent, and computational resources–and thus stifle competition.[34]

Specifically, the FTC took the view that the volume and quality of data needed to train a generative AI model may lock out new players in the market who do not have access to large quantities of end-user data.  Further, the FTC noted that the minimum resources needed to fully train a model can pose a prohibitive cost of entry, potentially leading to a market where entrants must use pre-trained models that are controlled by a small number of incumbents.  As a result, the FTC asserted that it will use its “full range of tools to identify and address unfair methods of competition.”[35]

On May 1, 2023, the FTC published a blog post focusing on the use of generative AI in advertising and the ways in which it could “steer people unfairly or deceptively into harmful decisions.”[36]

The FTC’s concern arises from so-called “unearned human trust,” which is the tendency to trust the output from machines (i.e., “automation bias”) and the ability of AI to mimic human interaction.  The blog post reiterated that, in the FTC’s view, advertisements should always be clearly labeled as such, and noted that outputs of any generative AI “influenced by a commercial relationship” should be disclosed.

2. FTC Issues Order Prohibiting Use of Facial Recognition System

On December 19, 2023, the FTC announced a complaint and proposed stipulated order (“Order”) against a retail company in connection with the company’s alleged unfair use of facial recognition technology.[37] 

Notably, the Order prohibits the company from using any facial recognition system for five years and requires that the company and its third-party vendors delete any images collected from facial recognition systems as well as any algorithms or products derived from such images and photos.

In his accompanying statement, Commissioner Bedoya noted that the settlement “offers a strong baseline for what an algorithmic fairness program should look like” beyond the use of facial recognition and offered two additional comments that suggest the FTC continues to be focused on enforcement in relation to AI tools used for automated decision-making in particular (emphases added):

  • “Beyond giving people notice, industry should carefully consider how and when people can be enrolled in an automated decision-making system, particularly when that system can substantially injure them.”
  • “… [N]o one should walk away from this settlement thinking that this Commission affirmatively supports the use of biometric surveillance in commercial settings […] there is a powerful policy argument that there are some decisions that should not be automated at all; many technologies should never be deployed in the first place.”[38]

G. SEC

Demonstrating a continued focus on the use of AI in the financial sector, the Securities and Exchange Commission (“SEC”) sent RFIs to several investment advisers relating to AI-related topics, including marketing documents, algorithmic models used to manage client portfolios, third-party providers, and compliance training.[39]

The use of AI technologies to optimize, forecast, or direct investment-related behaviors or outcomes has accelerated, which has, in turn, increased market access, efficiency, and returns for investors.  In a series of statements, SEC Chair Gary Gensler has warned about potential harms that could emerge from the financial industry’s growing adoption of AI, from inadvertent bias and conflicts of interest to a risk of financial instability.

In July 2023, the SEC proposed rules regarding the use of data analytics, including AI, which would require firms to neutralize any conflicts in which AI put the firm’s interests above a client’s.  The proposed rules would require a firm to evaluate and determine whether its use of certain technologies in investor interactions involves a conflict of interest that results in the firm’s interests being placed ahead of investors.[40]  Firms would then be required to neutralize the effect of any such conflicts and would be permitted to employ tools that they believe would address these risks specific to the technology they use.  Lastly, the rules would require a firm to maintain written policies and procedures designed to achieve compliance with the proposed rules and to make and keep related books and records.

H. CFPB

The CFPB significantly increased its focus on AI and automated decision-making tools in 2023, issuing public statements and new guidance as well as proposing new rules focused on creditors and lenders.

On June 1, 2023, the CFPB proposed a rule that would govern the use of so-called “automated valuation models” used by mortgage originators and secondary market issuers to determine the value of a home.[41]  The rule would require institutions to take certain steps to minimize inaccuracy and bias, including by “adopt[ing] and maintain[ing] policies, practices, procedures, and control systems to ensure that automated valuation models . . . adhere to quality and control standards.”[42]  These standards should ensure a high level of confidence in the valuation, protect against data manipulation, avoid conflicts of interest, require random testing of the models, and comply with applicable nondiscrimination law.  The CFPB also released an issue spotlight in June 2023, which focused on the potential risks associated with the use of chatbots by financial institutions, including diminished customer service, running afoul of federal consumer financial protection laws, and causing harm to consumers.[43]

In addition to the proposed rule, the CFPB also issued a Consumer Protection Circular in September 2023, titled “Adverse Action Notification Requirements and the Proper Use of the CFPB’s Sample Forms Provided in Regulation B,” which contained guidance aimed at ensuring transparency for consumers who receive an adverse decision on an application for credit.[44]  The guidance emphasizes that creditors must provide accurate and specific reasons for adverse decisions made by complex algorithms, a requirement that is not automatically satisfied by the use of a sample adverse action checklist.

I. HHS

On December 13, 2023, the U.S. Department for Health and Human Services (“HHS”) issued its first rule regarding the use of AI in healthcare.

Titled “Health Data, Technology, and Interoperability: Certification Program Updates, Algorithm Transparency, and Information Sharing” (“HTI-1”), and issued through the Office of the National Coordinator for Health Information Technology (“ONC”), the final version of the rule followed a comprehensive, months-long rulemaking process.[45]

HTI-1 revises the previous certification criterion to require that health IT offerings facilitate the use of predictive models and algorithms in healthcare decision-making, and inform users about the use of predictive models and algorithms.[46]  The rule broadly defines predictive models and algorithms in healthcare as “technology that supports decision-making based on algorithms or models that derive relationships from training data and then produce an output that results in prediction, classification, recommendation, evaluation, or analysis.”[47]  ONC specifically includes large language models and other models generally relying on training data in a list of exemplar technologies that would likely meet the Rule’s definition of predictive technology.[48]

To be certified, predictive intervention technologies must support a baseline set of “source attributes,” or categories of technical performance and quality information, including the intervention’s purpose, potential out-of-scope uses, development, external validation history, quantitative measures of performance, and any maintenance requirements.[49]  Developers seeking certification of predictive health IT products must also ensure the source attribute information their predictive technology draws on is complete and up-to-date, and adopt and maintain certain intervention risk management practices.[50]  Additionally, HTI-1 also identifies additional requirements for maintaining certification under the Program.[51]  HHS has signaled that additional regulations are on the horizon, including a forthcoming HTI-2.[52]

III. U.S. SECTOR-SPECIFIC DEVELOPMENTS

A. Intellectual Property

1. Copyright Office and Courts Limit Protection for AI-Generated Works

On March 16, 2023, the Copyright Office concluded that AI-generated material may be eligible copyrightable material to the extent that it is the result of the author’s “own mental conception, to which [the author] gave visible form.”[53]  This guideline followed a decision in February 2023, when the Copyright Office decided to grant copyright protection to only portions of a book, named Zarya of the Dawn, that was deemed the expressive material of the author, and not the associated images generated by an AI tool.[54]  Subsequently, on August 30, 2023, the Copyright Office published a Notice of Inquiry (“NOI”) seeking comment on the copyright law and policy issues implicated by AI systems, and generative AI in particular.[55] Specifically, the Copyright Office sought public comments on: (1) the use of copyrighted works to train AI models; (2) the copyrightability of material generated using AI systems; (3) potential liability for infringing works generated using AI systems; and (4) the treatment of generative AI outputs that imitate the identity or style of human artists.

On August 18, 2023, the District Court for the District of Columbia held that AI-generated output cannot be copyrighted because such work lacks human authorship.[56]  Plaintiff Stephen Thaler had attempted to register the output of his generative AI system with the Copyright Office, listing the system as the author and himself as the assignee.  The court affirmed the conclusion that the Copyright Act and the Constitution both provide for the granting of copyright to “authors,” who must be humans, and concluded that a work generated autonomously by a generative AI system is not eligible for copyright.

2. Courts Begin to Contend With Alleged Copyright Infringement by Generative AI

2023 saw a series of copyright infringement litigation filed across U.S. federal courts in connection with generative AI tools and platforms and the data used to develop them.  For example, a group of authors brought a putative class action suit alleging that a major technology company used copyrighted books to train its large language models.  On November 20, 2023, the Northern District of California dismissed the copyright infringement claim, reasoning that an allegation that the model was trained on copyrighted materials is insufficient to show that all the models’ outputs are themselves infringing.[57]  Similarly, a group of visual artists brought a putative class action suit alleging that developers of AI art tools used their copyright-protected works to train their models.  In October 2023, the Northern District of California dismissed all but one claim, relating to direct copyright infringement by one AI art tool developer.  The court held that plaintiff’s discovery of their copyrighted work on a search platform that shows users whether their works have been used for AI training was sufficient to state a claim for direct infringement.[58]  Meanwhile, a number of companies developing generative AI tools have announced the creation of copyright indemnity shields under which the companies will indemnify customers, subject to varying limitations, for certain copyright infringement liability stemming from their use of the companies’ generative AI systems.[59]

3. Copyright Management Information Claims

Many lawsuits against companies developing generative AI technologies assert claims under the Digital Millennium Copyright Act for the removal of copyright management information (“CMI”).  On May 11, the Northern District of California refused to dismiss CMI claims brought by plaintiffs against developers of a code-generating AI system.  Plaintiffs alleged that the companies had trained AI programs to “ignore or remove CMI.”[60]  The court held that plaintiffs had sufficiently alleged that the companies “intentionally designed the programs to remove CMI from any licensed code they reproduce as output.”[61]  By contrast, on October 30, 2023, the Northern District of California dismissed a CMI claim in a separate case because the complaint failed to identify the “particular types of their CMI from their works that they believe was removed or altered,” in connection with the use of their works in the defendant’s training set.[62]  In this putative class action, a group of visual artists brought a CMI claim that a generative AI company had scraped their works from public datasets, and had “stripped or altered” the CMI associated with such works.  We expect to see more development in the court’s rulings on CMI-related claims in 2024.

B. Privacy

Several U.S. states have passed new comprehensive privacy laws, some of which contain obligations directly implicating businesses’ use of AI and automated decision-making technologies (“ADMT”). 

On March 15, 2023, the Colorado Attorney General finalized the Colorado Privacy Act (“CPA”) regulations that included AI- and ADMT-specific requirements relating to notice, opt-outs, and data protection assessments.[63]  In late November 2023, the California Privacy Protection Agency (“CPPA”) released discussion draft regulations intended to facilitate CPPA board discussion on ADMT and risk assessments (the “Draft Regulations”).[64]  The Draft Regulations provide an expansive definition of ADMT[65] while also proposing ADMT-specific obligations relating to notice, opt-out rights, and risk assessments.  Specifically, under the Draft Regulations, consumers would have the right to opt-out of ADMT for decisions that produce “legal or similarly significant effects” on an individual as well as the right to access certain information about a businesses’ use of ADMT.  The draft would also require risk assessments for the use of ADMT, which would need to include a description of why the business seeks to use the ADMT, the “operational elements” of the processing, and the safeguards that the business will put in place to mitigate negative privacy impacts on consumers.[66]  The proposal carves out key areas of future discussion for the CPPA Board, including the profiling of children under 16 and the use of consumer information for model training.

These pre-rulemaking Draft Regulations were discussed during the December 8, 2023 CPPA board meeting.[67]  Several board members expressed concerns that the discussion draft regulations were overly broad and suggested narrowing the definition of profiling to target ADMT which is particularly concerning and intrusive to avoid regulating low-risk ADMT.  We expect that the Draft Regulations will be amended and that certain provisions may be informed by other emerging U.S. and global AI regulations, including the EU’s approach under the draft AI Act.

C. Employment

1. EEOC

Following the EEOC’s publication of a draft Strategic Enforcement Plan (“SEP”) for Fiscal Years 2023-2027 on January 10, 2023, it released the final SEP on September 21, 2023, which makes clear that the agency will remain focused on the use of AI in employment.

As employers are increasingly using technology in employment, the SEP makes clear that the EEOC intends to focus on employment decisions, practices, and policies in which employers leverage technology (broadly defined), including machine learning, AI, algorithmic decision-making, and other automated employment decision-making tools.  The EEOC will also place special emphasis on aiming to eliminate barriers arising from purportedly exclusionary job advertisements, restrictive or inaccessible application systems, and AI systems that intentionally exclude or adversely impact protected groups for recruitment or hiring.

This priority aligns with the EEOC’s ongoing attention to AI and automation in 2023, including issuing its second set of technical guidance on AI,[68] reaching a conciliation agreement requiring a job search website operator to re-write its algorithm following claims of national origin discrimination,[69] and finalizing a consent decree in a case alleging algorithmic age discrimination.[70]  Employers can expect more technology-related cases to be brought by the EEOC in addition to ongoing AI regulation at the state and local levels, including in New York and California, and an uptick in proposals from Congress, such as the Algorithmic Accountability Act of 2023.[71]

On May 18, 2023, the EEOC released new technical guidance on employers’ use of AI under Title VII of the Civil Rights Act of 1964.[72]

The guidance outlines key considerations that, in the EEOC’s view, help ensure that automated employment tools do not violate Title VII of the Civil Rights Act of 1964 (“Title VII”) when making employment decisions.

The guidance provides that the “four-fifths rule” merely acts as “a rule of thumb” when analyzing adverse impact with respect to algorithmic decision-making tools and is not necessarily sufficient to show that a tool is lawful under Title VII.  Further, the EEOC encourages employers to routinely conduct self-assessments of their AI tools to monitor for potentially disproportionate effects and states that an employer’s failure to take steps to adopt a less discriminatory algorithm that was considered during the development process may give rise to liability.

2. New York City Local Law 144

On July 5, 2023, New York City’s Department of Consumer and Worker Protection (the “DCWP”) began enforcing Local Law 144, the broadest law governing AI in employment in the US.

Under Local Law 144, an automated employment decision tool (“AEDT”), is defined as “any computational process, derived from machine learning, statistical modeling, data analytics, or artificial intelligence, that issues simplified output, including a score, classification, or recommendation, that is used to substantially assist or replace discretionary decision making for making employment decisions that impact natural persons.”[73]  Local Law 144 prohibits employers from utilizing an AEDT in hiring and promotion decisions unless it has been the subject of an annual bias audit by an “independent auditor” no more than one year prior to use.  The law also imposes certain posting and notice requirements to applicants and employees who are subject to the use of an AEDT.

For more detailed insights into Local Law 144, please see our prior coverage of the Final Rules, DCWP’s FAQs, and Local Law 144’s Scope.

D. Insurance

The Colorado Division of Insurance has implemented a final regulation, effective on November 14, 2023, that requires life insurers operating in Colorado to integrate AI governance and risk-management measures.[74]

These measures must be reasonably designed to prevent unfair discrimination in the utilization of AI models leveraging external consumer data and information sources, which are defined to include biometric data.  Under the regulations, insurers must remediate any instances of detected unfair discrimination.  The regulation requires insurers to conduct a comprehensive gap analysis and risk assessments and imposes specific documentation requirements, including maintaining an up-to-date inventory of AI models, documenting material changes, bias assessments, ongoing monitoring, vendor selection processes, and annual reviews.

IV. SELECT ADDITIONAL INTERNATIONAL DEVELOPMENTS

A. United Kingdom

In 2023, the UK Government demonstrated further support for its proposed “pro-innovation” and “context-specific” AI regulatory regime.

On March 29, 2023, the UK Government published the AI White Paper, which proposes sector-specific oversight of the development and use of AI alongside empowering existing regulators like the Information Commissioner’s Office (ICO), the Financial Conduct Authority (FCA), Competition and Markets Authority (CMA), and the Office of Communications (Ofcom), agencies that will be called upon to regulate the use of AI within the scope of their existing remits.[75]   In 2023, UK regulators published guidance regarding the use and regulation of AI, including:

  • ICO – Eight questions that developers and users need to ask about generative IA (April 3, 2023)[76]
  • FCA – Innovation, AI & the future of financial regulation, text taken from a speech by Jessica Rusu, FCA Chief Data, Information and Intelligence Officer, at the Innovate Finance Global Summit (April 17, 2023)[77]
  • CMA – Initial review of competition and consumer protection consideration in the development and use of AI foundation models (May 4, 2023)[78]
  • Ofcom- What generative AI means for the communications sector (June 8, 2023)[79]

On March 15, 2023, the UK Government responded to recommendations made in the Pro-innovation Regulation of Technologies Review prepared by Sir Patrick Vallance, the Government Chief Scientific Advisor, to clarify issues relating to IP and AI.  The UK Government accepted the recommendations and announced that a code of practice on copyright and AI would be developed with the UK Intellectual Property Office (“IPO”) with input from users and rights holders.[80]  However, in February 2024, the UK Government announced that it was abandoning plans to develop the code.[81]

On July 7, 2023, the Parliament’s Communications and Digital Committee launched an inquiry into large language models (LLMs) and sought public comment on its work in evaluating the work of the UK Government and regulators, examining how well this addresses current and future technological capabilities, and reviewing the implications of approaches taken elsewhere in the world.[82]

On November 1 and 2, 2023, the UK Government hosted the AI Safety Summit 2023 (the “AI Summit”), which brought together representatives from a broad range of countries, companies, and civil society groups.  The AI Summit was primarily built around round-table discussions on global safety and societal risks, as well as sessions focused on the steps that frontier AI developers, national policymakers, the international community, and the scientific community should take.  Countries attending the first day of the Summit, including the United States, China, Japan, the UK, members of the EU, Korea, Singapore, and Brazil, agreed to the Bletchley Declaration, which recognizes that AI presents the potential to enhance human wellbeing as well as risks, particularly arising from “highly capable general-purpose AI models, including foundation models.”[83]

At the Summit, UK Prime Minister Rishi Sunak announced the creation of a UK AI Safety Institute (the “Institute”), a new global hub based in the UK and tasked with testing the safety of emerging types of AI,[84] and Vice President Kamala Harris announced the creation of a US AI Safety Institute housed by NIST.[85]

B. Canada

As part of a bill introduced in June 2022, Canada has made progress with respect to its proposed Artificial Intelligence and Data Act (AIDA),[86] which is intended to promote responsible AI systems in the private sector through a risk-based approach.

Under the risk analysis, harm may be individual or collective, physical, psychological, or economic, and biased output can arise if an AI system causes disadvantage without justification on the basis of one or more of the grounds in the Canadian Human Rights Act.[87]  In March 2023, the AIDA companion document was issued,[88] which laid out a general approach for AIDA, identified a liability scheme, and provided “key factors” as guidance for companies to assess the high-impact risks of their AI system.  Relatedly, on September 27, 2023, Canada’s Minister of Innovation, Science and Industry announced a voluntary code of conduct for organizations engaged in the development and management of generative AI systems[89] to effectively serve as a bridge between the present and when the AIDA may come into force.[90]

At a local level, as of September 2023, Quebec’s “Act to modernize legislative provisions as regards the protection of personal information” requires that individuals whose personal information is processed exclusively by an automated decision-making system must be informed of such processing.[91]  The Act also guarantees the right to be informed of the personal information used to make an automated decision upon request and the right to have such personal information corrected.

*          *          *

[1] Council of the EU, Artificial intelligence act: Council and Parliament strike a deal on the first rules for AI in the world, press release of 9 December 2023, https://www.consilium.europa.eu/en/press/press-releases/2023/12/09/artificial-intelligence-act-council-and-parliament-strike-a-deal-on-the-first-worldwide-rules-for-ai/.

[2] The scope of some of the broadest jurisdictional hooks, including governing companies that are responsible for generating output from AI tools that have effect in the Union, remains to be seen.

[3]  EU updates product liability regime to include software, Artificial Intelligence, Euractiv (Dec. 14, 2023), https://www.euractiv.com/section/digital/news/eu-updates-product-liability-regime-to-include-software-artificial-intelligence/.

[4] EDPS issues opinions on AI liability proposals, International Association of Privacy Professionals (Oct. 13, 2023), https://iapp.org/news/a/edps-issues-opinions-on-ai-liability-proposals/.

[5] Exec. Order 14,110 on the Safe, Secure, and Trustworthy Development and Use of Artificial Intelligence, 88 Fed. Reg. 75,191 (Nov. 1, 2023).

[6] Request for Comments on Advancing Governance, Innovation, and Risk Management for Agency Use of Artificial Intelligence Draft Memorandum, 88 Fed. Reg. 75626 (Nov. 3, 2023); The White House, OMB, OMB Releases Implementation Guidance Following President Biden’s Executive Order on Artificial Intelligence (Nov. 1, 2023), https://www.whitehouse.gov/omb/briefing-room/2023/11/01/omb-releases-implementation-guidance-following-president-bidens-executive-order-on-artificial-intelligence/.

[7] See Mohan & Lamm, Practical Insights for Employers Using AI (Dec. 19, 2023), Gibson Dunn, https://www.gibsondunn.com/wp-content/uploads/2023/12/practical-insights-for-employers-using-ai.pdf.

[8] See Advancing Governance, Innovation, and Risk Management for Agency Use of Artificial Intelligence, Office of Mgmt. & Budget (2023), https://www.whitehouse.gov/wp-content/uploads/2023/11/AI-in-Government-Memo-draft-for-public-review.pdf.

[9] OMB is now reviewing the almost 200 comments it received on the guidance.  Comment files can be found on the federal regulations website, https://www.regulations.gov/docket/OMB-2023-0020/comments.

[10] Artificial Intelligence, U.S. Department of Commerce, https://www.commerce.gov/issues/artificial-intelligence#:~:text=On%20October%2030%2C%20President%20Joseph,supports%20workers%20and%20protects%20consumers.

[11] NIST Calls for Information to Support Safe, Secure and Trustworthy Development and Use of Artificial Intelligence, NIST (Dec. 19, 2023), https://www.nist.gov/news-events/news/2023/12/nist-calls-information-support-safe-secure-and-trustworthy-development-and.

[12] White House, Ensuring Safe, Secure, and Trustworthy AI (2023), https://www.whitehouse.gov/wp-content/uploads/2023/07/Ensuring-Safe-Secure-and-Trustworthy-AI.pdf.

[13] White House, “FACT SHEET: Biden-⁠Harris Administration Secures Voluntary Commitments from Eight Additional Artificial Intelligence Companies to Manage the Risks Posed by AI” (Sept. 12, 2023), https://www.whitehouse.gov/briefing-room/statements-releases/2023/09/12/fact-sheet-biden-harris-administration-secures-voluntary-commitments-from-eight-additional-artificial-intelligence-companies-to-manage-the-risks-posed-by-ai/.

[14] NIST Risk Management Framework, https://www.nist.gov/itl/ai-risk-management-framework.

[15] A. Oprea, Adversarial Machine Learning: A Taxonomy and Terminology of Attacks and Mitigations, NIST (Mar. 8, 2023), https://csrc.nist.gov/pubs/ai/100/2/e2023/ipd.

[16] NIST, Biden-Harris Administration Announces New NIST Public Working Group on AI, https://www.nist.gov/news-events/news/2023/06/biden-harris-administration-announces-new-nist-public-working-group-ai.

[17] NIST, Request for Information (RFI) Related to NIST’s Assignments Under Sections 4.1, 4.5 and 11 of the Executive Order Concerning Artificial Intelligence (Sections 4.1, 4.5, and 11), https://www.federalregister.gov/documents/2023/12/21/2023-28232/request-for-information-rfi-related-to-nists-assignments-under-sections-41-45-and-11-of-the#:~:text=SUMMARY%3A,issued%20on%20October%2030%2C%202023.

[18] In the first of a series of closed-door meetings with technology industry CEOs and other industry stakeholders, Senator Schumer stated that he does not “just want to put together legislation” because “[i]f you go too fast, you could ruin things.” Mohar Chaterjee & Brendan Bordelon, Senate Starts to Fracture over How to Govern AI, Politico (Sept. 13, 2023), https://www.politico.com/news/2023/09/13/schumer-senate-ai-policy-00115794.  Senator Todd Young (R-IN) indicated in August that it is unlikely that Congress will pass “sweeping” regulation of AI.  Steven Overly, Congress Unlikely to Pass Sweeping New AI laws, Key GOP Senator Says, Politico (Aug. 3, 2023), https://www.politico.com/news/2023/08/03/congress-ai-laws-todd-young-00109553.

[19] Schumer Launches Major Effort To Get Ahead Of Artificial Intelligence, Senate Democrats (Apr. 13, 2023), https://www.democrats.senate.gov/newsroom/press-releases/schumer-launches-major-effort-to-get-ahead-of-artificial-intelligence.

[20] Chuck Schumer, Majority Leader, U.S. Senate, Remarks of Sen. Chuck Schumer, Launches SAFE Innovation in the AI Age at CSIS, https://www.csis.org/analysis/sen-chuck-schumer-launches-safe-innovation-ai-age-csis.

[21] U.S. Rep. Ritchie Torres Introduces Federal Legislation Requiring Mandatory Disclaimer for Material Generated by Artificial Intelligence, congressional Office of Ritchie Torres (June 5, 2023), https://ritchietorres.house.gov/posts/u-s-rep-ritchie-torres-introduces-federal-legislation-requiring-mandatory-disclaimer-for-material-generated-by-artificial-intelligence.

[22] Eshoo, Beyer Introduce Landmark AI Regulation (Dec. 22, 2023), https://eshoo.house.gov/media/press-releases/eshoo-beyer-introduce-landmark-ai-regulation-bill; AI Foundation Model Transparency Act of 2023 (Dec. 21, 2023), https://beyer.house.gov/uploadedfiles/ai_foundation_model_transparency_act_text_118.pdf.

[23]

[24] Hawley, Blumenthal Introduce Bipartisan Legislation to Protect Consumers and Deny AI Companies Section 230 Immunity, U.S. Senate Office of Josh Hawley (June 14, 2023), https://www.hawley.senate.gov/hawley-blumenthal-introduce-bipartisan-legislation-protect-consumers-and-deny-ai-companies-section.

[25] Klobuchar, Hawley, Coons, Collins Introduce Bipartisan Legislation to Ban the Use of Materially Deceptive AI-Generated Content in Elections, U.S. Senate Office of Amy Klobuchar (Sept. 12, 2023), https://www.klobuchar.senate.gov/public/index.cfm/2023/9/klobuchar-hawley-coons-collins-introduce-bipartisan-legislation-to-ban-the-use-of-materially-deceptive-ai-generated-content-in-elections.

[26] Senators Coons, Blackburn, Klobuchar, Tillis Announce Draft of Bill to Protect Voice and Likeness of Actors, Singers, Performers, and Individuals from AI-generated Replicas, U.S. Senate Office of Chris Coons (Oct. 12, 2023), https://www.coons.senate.gov/news/press-releases/senators-coons-blackburn-klobuchar-tillis-announce-draft-of-bill-to-protect-voice-and-likeness-of-actors-singers-performers-and-individuals-from-ai-generated-replicas.

[27] Relentless Inc. v. Dep’t of Com., No. 21-1886 (oral argument Jan. 17, 2024).

[28] Dep’t of Justice, Fed. Trade Comm’n, Consumer Fin. Prot. Bureau, Equal Emp’t & Opportunity Comm’n, Joint Statement on Enforcement Efforts Against Discrimination and Bias in Automated Systems (Apr. 25, 2023), https://www.ftc.gov/system/files/ftc_gov/pdf/EEOC-CRT-FTC-CFPB-AI-Joint-Statement%28final%29.pdf.

[29] S. Nguyen, A Century of Technological Evolution at the Federal Trade Commission, FTC (Feb. 17, 2023), available at:https://www.ftc.gov/policy/advocacy-research/tech-at-ftc/2023/02/century-technological-evolution-federal-trade-commission.

[30] FTC, FTC Authorized Compulsory Process for AI-related Products and Services (Nov. 21, 2023), https://www.ftc.gov/news-events/news/press-releases/2023/11/ftc-authorizes-compulsory-process-ai-related-products-services.

[31] Fed. Trade Comm’n, “Policy Statement of the Federal Trade Commission on Biometric Information and Section 5 of the Federal Trade Commission Act,” (May 18, 2023) https://www.ftc.gov/system/files/ftc_gov/pdf/p225402biometricpolicystatement.pdf (FTC’s policy statement on biometric information).

[32] Press Release, Fed. Trade Comm’n, FTC Warns About Misuses of Biometric Information and Harm to Consumers Press (May 18, 2023), https://www.ftc.gov/news-events/news/press-releases/2023/05/ftc-warns-about-misuses-biometric-information-harm-consumers.

[33] Relatedly, on November 16, the FTC announced a “Voice Cloning Challenge” to promote the development of ideas to prevent, monitor, and evaluate malicious uses of voice cloning technology that could harm consumers.  FTC, The FTC Voice Cloning Challenge (Nov. 16, 2023), https://www.ftc.gov/news-events/contests/ftc-voice-cloning-challenge.

[34] Fed. Trade Comm’n, Generative AI Raises Competition Concerns (June 29, 2023), https://www.ftc.gov/policy/advocacy-research/tech-at-ftc/2023/06/generative-ai-raises-competition-concerns.

[35] Id.

[36] Fed. Trade Comm’n, The Luring Test: AI and the engineering of consumer trust (May 1, 2023), https://www.ftc.gov/business-guidance/blog/2023/05/luring-test-ai-engineering-consumer-trust.

[37] FTC, Rite Aid Banned from Using AI Facial Recognition After FTC Says Retailer Deployed Technology without Reasonable Safeguards (Dec. 19, 2023), https://www.ftc.gov/news-events/news/press-releases/2023/12/rite-aid-banned-using-ai-facial-recognition-after-ftc-says-retailer-deployed-technology-without.

[38] Statement of Commissioner Alvardo M. Bedoya On FTC v. Rite Aid Corporation & Rite Aid Headquarters Corporation, Commission File No. 202-3190 (Dec. 19, 2023), https://www.ftc.gov/system/files/ftc_gov/pdf/2023190_commissioner_bedoya_riteaid_statement.pdf.

[39] Richard Vanderford, SEC Probes Investment Advisers’ Use of AI, The Wall Street Journal (Dec. 10, 2023), https://www.wsj.com/articles/sec-probes-investment-advisers-use-of-ai-48485279.

[40] Press Release, SEC, SEC Proposes New Requirements to Address Risks to Investors from Conflicts of Interest Associated with the use of Predictive Data Analytics by Broken-Dealers and Investment Advisers (July 26, 2023), https://www.sec.gov/news/press-release/2023-140.

[41] Rohit Chopra, Algorithms, Artificial Intelligence, and Fairness in Home Appraisals, CFPB Blog (June 1, 2023), https://www.consumerfinance.gov/about-us/blog/algorithms-artificial-intelligence-fairness-in-home-appraisals/.

[42] Quality Control Standards for Automated Valuation Models, 88 Fed. Reg.40,670 (June 21, 2023).

[43] Press Release, Consumer Financial Protection Bureau, CFPB Issue Spotlight Analyzes “Artificial Intelligence” Chatbots in Banking (June 3, 2023), https://www.consumerfinance.gov/about-us/newsroom/cfpb-issue-spotlight-analyzes-artificial-intelligence-chatbots-in-banking.

[44] Press Release, Consumer Financial Protection Bureau, CFPB Issues Guidance on Credit Denials by Lenders Using Artificial Intelligence (Sept. 19, 2023), https://www.consumerfinance.gov/about-us/newsroom/cfpb-issues-guidance-on-credit-denials-by-lenders-using-artificial-intelligence/.

[45] In addition to collecting public comments, ONC convened a task force consisting of various stakeholder groups (including direct patient care providers, public health groups, patients, health IT developers, standards development organizations, and others) to evaluate the proposed rule and provide draft revisions based on input collected from a range of external subject matter experts.  See HTI-1 Proposed Rule Task Force 2023, Report to the Health Information Technology Advisory Committee (June 15, 2023), https://www.healthit.gov/sites/default/files/facas/2023-06-15_HTI-1-PR-TF-2023_Recommendations_Report.pdf.

[46] 45 C.F.R. § 170.315(b)(11) (2024).

[47] 45 C.F.R. § 170.102 (2024).

[48] Dep’t of Health and Human Services, Comments to Rule on HTI-1 (Jan. 2, 2024), at 177, https://www.federalregister.gov/d/2023-28857.

[49] 45 C.F.R. § 170.315(b)(11)(iv)(A) and (B) (2024).

[50] 45 C.F.R. § 170.315(b)(11)(vi) (2024).

[51] U.S. Dep’t of Health and Human Services, HTI-1 Overview Fact Sheet, https://www.healthit.gov/sites/default/files/page/2023-12/HTI-1_Gen-Overview_factsheet_508.pdf.

[52] U.S. Dep’t of Health and Human Services, HHS Finalizes Rule to Advance Health IT Interoperability and Algorithm Transparency (Dec. 13, 2023), https://www.hhs.gov/about/news/2023/12/13/hhs-finalizes-rule-to-advance-health-it-interoperability-and-algorithm-transparency.html.

[53] Copyright Registration Guidance: Works Containing Material Generated by Artificial Intelligence, 88 Fed. Reg. 16,190 (Mar. 16, 2023), https://www.federalregister.gov/documents/2023/03/16/2023-05321/copyright-registration-guidance-works-containing-material-generated-by-artificial-intelligence.

[54] Letter from U.S. Copyright Office re: Zarya of the Dawn (Feb. 21, 2023), https://copyright.gov/docs/zarya-of-the-dawn.pdf.

[55] Copyright Office, Artificial Intelligence and Copyright, Notice of Inquiry and Request for Comment, Fed. Reg. 88, 167 (Aug. 30, 2023), http://www.govinfo.gov/content/pkg/FR-2023-08-30/pdf/2023-18624.pdf.

[56] Thaler v. Perlmutter, No. 1:22-cv-1564, 2023 WL 5333236 (D.D.C. Aug. 18, 2023).

[57] Kadrey v. Meta Platforms, Inc., No. 3:23-cv-03417-VC, 2023 WL 8039640 (N.D. Cal. Nov. 20, 2023).

[58] Andersen v. Stability AI, No. 3:23-cv-00201-WHO, 2023 WL 7132064 (N.D. Cal. Oct. 30, 2023).

[59] Kyle Wiggers, Some Gen AI Vendors Say They’ll Defend Customers from IP Lawsuits. Others, Not So Much, TechCrunch+ (Oct. 26, 2023), https://techcrunch.com/2023/10/06/some-gen-ai-vendors-say-theyll-defend-customers-from-ip-lawsuits-others-not-so-much/?guccounter=1.

[60] Doe 1 v. Github, Inc., No. 22-cv-06823-JST, 2023 WL 3449131, at *11 (N.D. Cal. May 11, 2023).

[61] Id.

[62] Andersen v. Stability AI, No. 3:23-cv-00201-WHO, 2023 WL 7132064, at *11 (N.D. Cal. Oct. 30, 2023).

[63] Colo. Code Regs. § 904-3.

[64] California Privacy Protection Agency, Draft Automated Decisionmaking Technologies Regulations (“Draft ADMT Regulations”) (Nov. 27, 2023), https://cppa.ca.gov/meetings/materials/20231208_item2_draft.pdf; California Privacy Protection Agency, New Rules Subcommittee Revised Draft Risk Assessment Regulations  (“Draft Risk Assessment Regulations”) (Dec. 8, 2023), https://cppa.ca.gov/meetings/materials/20231208_item2_draft_redline.pdf.

[65] AMDT is defined as “any system, software, or process—including one derived from machine-learning, statistics, or other data-processing or artificial intelligence—that processes personal information and uses computation as whole or part of a system to make or execute a decision or facilitate human decisionmaking” and “includes profiling.”

[66] See Draft Risk Assessment Regulations, §7152.

[67] ADMT is defined as “any system, software, or process—including one derived from machine-learning, statistics, or other data-processing or artificial intelligence—that processes personal information and uses computation as whole or part of a system to make or execute a decision or facilitate human decisionmaking” and includes profiling. See Draft ADMT Regulations, § 7001.

[68] For more information, please see Gibson Dunn’s Client Alert, Keeping Up with the EEOC: AI Focus Heats Up with Title VII Guidance (May 23, 2023), https://www.gibsondunn.com/keeping-up-with-the-eeoc-focus-heats-up-with-title-vii-guidance/.

[69] For more information, please see Gibson Dunn’s Client Alert, Keeping Up with the EEOC: 5 Takeaways from its Algorithm Rewriting Settlement (Mar. 23, 2023), https://www.gibsondunn.com/keeping-up-with-the-eeoc-5-takeaways-from-its-algorithm-rewriting-settlement/.

[70] EEOC, iTutorGroup to Pay $365,000 to Settle EEOC Discriminatory Hiring Suit (Sept. 11, 2023), https://www.eeoc.gov/newsroom/itutorgroup-pay-365000-settle-eeoc-discriminatory-hiring-suit.

[71] Wyden, Booker and Clarke Introduce Bill to Regulate Use of Artificial Intelligence to Make Critical Decisions like Housing, Employment and Education (Sept. 21, 2023), https://www.wyden.senate.gov/news/press-releases/wyden-booker-and-clarke-introduce-bill-to-regulate-use-of-artificial-intelligence-to-make-critical-decisions-like-housing-employment-and-education.

[72] EEOC, EEOC Releases New Resource on Artificial Intelligence and Title VII (May 18, 2023), https://www.eeoc.gov/newsroom/eeoc-releases-new-resource-artificial-intelligence-and-title-vii.

[73] NYC, Int. 1894-2020, Local Law 144, https://legistar.council.nyc.gov/LegislationDetail.aspx?ID=4344524&GUID=B051915D-A9AC-451E-81F8-6596032FA3F9.

[74] Co. Div. Ins., Notice of Adoption – New Regulation 10-1-1 Governance and Risk Management Framework Requirements for Life Insurers’ Use of External Consumer Data and Information Sources, Algorithms, and Predictive Models (effective Nov. 14, 2023), https://doi.colorado.gov/announcements/notice-of-adoption-new-regulation-10-1-1-governance-and-risk-management-framework.

[75] AI regulation: A pro-innovation approach to AI regulation, UK government white paper (Mar. 29, 2023), https://www.gov.uk/government/publications/ai-regulation-a-pro-innovation-approach.

In contract, note the Artificial Intelligence (Regulation) Bill (Nov. 22, 2023), https://bills.parliament.uk/publications/53068/documents/4030. On November 22, 2023, the Artificial Intelligence (Regulation) Bill (“AI Bill”) was introduced to the UK Parliament’s House of Lords as a private members bill. The main purpose of the AI Bill is the creation of an ‘AI Authority’, which would have the function of (inter alia) ensuring that relevant regulators take account of AI and align their approaches, undertaking a gap analysis of regulatory responsibilities in respect of AI, and coordinating a review of legislation to assess its suitability to address the challenges and opportunities presented by AI.

[76] ICO, Generative AI: Eight questions that developers and users need to ask (Apr. 3, 2023), https://ico.org.uk/about-the-ico/media-centre/news-and-blogs/2023/04/generative-ai-eight-questions-that-developers-and-users-need-to-ask/

[77] FCA, Innovation, AI & the future of financial regulation (Apr. 17, 2023), https://www.fca.org.uk/news/speeches/innovation-ai-future-financial-regulation

[78] CMA, Initial review of competition and consumer protection considerations in the development and use of AI foundation models (4 May, 2023)

https://www.gov.uk/government/news/cma-launches-initial-review-of-artificial-intelligence-models

[79] Ofcom, What generative AI means for the communications sector (8 June 2023), https://www.ofcom.org.uk/news-centre/2023/what-generative-ai-means-for-communications-sector

[80] UK Government, Summary of the Government’s ongoing programme of work to develop a code of practice on copyright and AI (29 June 2023), https://www.gov.uk/guidance/the-governments-code-of-practice-on-copyright-and-ai.

[81] UK Shelves Proposed AI Copyright Code in Blow to Creative Industries, Fin. Times (Feb. 4, 2024), https://www.ft.com/content/a10866ec-130d-40a3-b62a-978f1202129e.

[82] UK Parliament, Call for Evidence (July 7, 2023), https://committees.parliament.uk/call-for-evidence/3183; Communications Committee launches inquiry into large language models – Committees – UK Parliament

[83] The Bletchley Declaration by Countries Attending the AI Safety Summit, 1-2 November 2023 Policy Paper (Nov. 11, 2023), https://www.gov.uk/government/publications/ai-safety-summit-2023-the-bletchley-declaration/the-bletchley-declaration-by-countries-attending-the-ai-safety-summit-1-2-november-2023.

[84] UK Government Press Release ‘Prime Minister launches new AI Safety Institute’ (Nov. 2, 2023) https://www.gov.uk/government/news/prime-minister-launches-new-ai-safety-institute.

[85] Remarks by Vice President Harris on the Future of Artificial Intelligence (Nov. 1, 2023), https://www.whitehouse.gov/briefing-room/speeches-remarks/2023/11/01/remarks-by-vice-president-harris-on-the-future-of-artificial-intelligence-london-united-kingdom/.

[86] Parliament of Canada, An Act to enact the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act and to make consequential and related amendments to other Acts (last accessed Jan. 5, 2024), https://www.parl.ca/legisinfo/en/bill/44-1/c-27. See also Department of Justice Canada, Bill C-27: An Act to enact the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act and to make consequential and related amendments to other Acts (Nov. 27, 2023), https://www.justice.gc.ca/eng/csj-sjc/pl/charter-charte/c27_1.html#:~:text=The%20Consumer%20Privacy%20Protection%20Act%20would%20repeal%20parts%20of%20the,for%20commercial%20activity%20in%20Canada.#:~:text=The%20Consumer%20Privacy%20Protection%20Act%20would%20repeal%20parts%20of%20the,for%20commercial%20activity%20in%20Canada.

[87] Canadian Human Rights Act (R.S.C., 1985 c. H-6), https://laws-lois.justice.gc.ca/eng/acts/h-6/page-1.html.

[88] Government of Canada, The Artificial Intelligence and Data Act (AIDA) – Companion document (Mar. 13, 2023), https://ised-isde.canada.ca/site/innovation-better-canada/en/artificial-intelligence-and-data-act-aida-companion-document#s4.

[89] News Release, Minister Champagne launches voluntary code of conduct relating to advanced generative AI systems, Government of Canada (Sept. 27, 2023), https://www.canada.ca/en/innovation-science-economic-development/news/2023/09/minister-champagne-launches-voluntary-code-of-conduct-relating-to-advanced-generative-ai-systems.htmlSee Voluntary Code of Conduct on the Responsible Development and Management of Advanced Generative AI Systems, Government of Canada (Sept. 2023), https://ised-isde.canada.ca/site/ised/en/voluntary-code-conduct-responsible-development-and-management-advanced-generative-ai-systems.

[90] The voluntary code provides for measures that developers and managers of advanced generative AI systems commit to implementing consistent with “six core principles” and seek commensurate outcomes, including accountability, safety, fairness and equity, transparency, human oversight and monitoring, and validity and robustness.  See Voluntary Code of Conduct on the Responsible Development and Management of Advanced Generative AI Systems, Government of Canada (Sept. 2023), https://ised-isde.canada.ca/site/ised/en/voluntary-code-conduct-responsible-development-and-management-advanced-generative-ai-systems.

[91] An Act to modernize legislative provisions as regards the protection of personal information, SQ 2021, c 25 (September 23, 2021), https://www.canlii.org/en/qc/laws/astat/sq-2021-c-25/latest/sq-2021-c-25.html.


The following Gibson Dunn lawyers assisted in preparing this update: Cassandra Gaedt-Sheckter, Vivek Mohan, Robert Spano, Eric Vandevelde, Frances Waldmann, Emily Lamm, Hugh Danilack, Justine Deitz, Leon Freyermuth, Kate Googins*, Christoph Jacob, Kunal Kanodia, Alice Knowles, Evan Kratzer, Ashley Marcus, Jay Minga, Peter Moon, Lucy Musson, Yannick Oberacker, John Ryan*, Hayley Smith, Julie Sweeney, Vivian Tran, Apratim Vidyarthi, and Samantha Yi*.

Gibson, Dunn & Crutcher’s lawyers are available to assist in addressing any questions you may have regarding these issues. Please contact the Gibson Dunn lawyer with whom you usually work, the authors, or the following leaders and members of the firm’s Artificial Intelligence practice group:

United States:
Cassandra L. Gaedt-Sheckter – Co-Chair, Palo Alto (+1 650.849.5203, [email protected])
Vivek Mohan – Co-Chair, Palo Alto (+1 650.849.5345, [email protected])
Eric D. Vandevelde – Co-Chair, Los Angeles (+1 213.229.7186, [email protected])
Ryan T. Bergsieker – Denver (+1 303.298.5774, [email protected])
S. Ashlie Beringer – Palo Alto (+1 650.849.5327, [email protected])
Gustav W. Eyler – Washington, D.C. (+1 202.955.8610, [email protected])
Lauren R. Goldman – New York (+1 212.351.2375, [email protected])
Natalie J. Hausknecht – Denver (+1 303.298.5783,[email protected])
Jane C. Horvath – Washington, D.C. (+1 202.955.8505, [email protected])
Martie Kutscher Clark – Palo Alto (+1 650.849.5348,[email protected])
Ari Lanin – Los Angeles (+1 310.552.8581, [email protected])
Carrie M. LeRoy – Palo Alto (+1 650.849.5337, cleroy@gibsondunn.
Rosemarie T. Ring – San Francisco (+1 415.393.8247, [email protected])
Ashley Rogers – Dallas (+1 214.698.3316, [email protected])
Alexander H. Southwell – New York (+1 212.351.3981, [email protected])
Sara K. Weed – Washington, D.C. (+1 202.955.8507, [email protected])
Debra Wong Yang – Los Angeles (+1 213.229.7472, [email protected])

Europe:
Robert Spano – Co-Chair, London/Paris (+44 20 7071 4000, [email protected])
Ahmed Baladi – Paris (+33 (0) 1 56 43 13 00, [email protected])
Nicholas Banasevic* – Managing Director, Brussels (+32 2 554 72 40, [email protected])
Patrick Doris – London (+44 20 7071 4276, [email protected])
Kai Gesing – Munich (+49 89 189 33-180, [email protected])
Joel Harrison – London (+44 20 7071 4289, [email protected])
Vera Lukic – Paris (+33 (0) 1 56 43 13 00, [email protected])
Lars Petersen – Frankfurt/Riyadh (+49 69 247 411 525, [email protected])

Asia:
Connell O’Neill – Hong Kong (+852 2214 3812, [email protected])
Jai S. Pathak – Singapore (+65 6507 3683, [email protected])

*Nicholas Banasevic, Managing Director in the firm’s Brussels office and an economist by background, is not admitted to practice law.

*Kate Googins, an associate in the Los Angeles office admitted to practice in Colorado, is practicing under supervision of members of the California Bar.

*Samantha Yi, an associate in the Washington, D.C. office admitted to practice in Maryland, is practicing under supervision of members of the District of Columbia Bar under D.C. App. R. 49.

*John Ryan, a recent law graduate in the Palo Alto office, is not admitted to practice law.

© 2024 Gibson, Dunn & Crutcher LLP.  All rights reserved.  For contact and other information, please visit us at www.gibsondunn.com.

Attorney Advertising: These materials were prepared for general informational purposes only based on information available at the time of publication and are not intended as, do not constitute, and should not be relied upon as, legal advice or a legal opinion on any specific facts or circumstances. Gibson Dunn (and its affiliates, attorneys, and employees) shall not have any liability in connection with any use of these materials.  The sharing of these materials does not establish an attorney-client relationship with the recipient and should not be relied upon as an alternative for advice from qualified counsel.  Please note that facts and circumstances may vary, and prior results do not guarantee a similar outcome

In the face of a rocky year for M&A transactions, 2023 presented new issues for dealmakers. Hear from seasoned practitioners on how deals are getting done and the issues being confronted. The discussion will cover various M&A-related topics, including the following:

  • Hot-button purchase agreement provisions;
  • Navigating the new landscape for non-compete covenants;
  • Capturing stock premium-based damages in busted deals;
  • Revised antitrust merger guidelines; and
  • M&A debt financing outlook for 2024 and its impact on deal-making.


PANELISTS:

Robert B. Little is a partner in Gibson, Dunn & Crutcher’s Dallas office, and he is a Global Co-Chair of the Mergers and Acquisitions Practice Group. Mr. Little has consistently been named among the nation’s top M&A lawyers every year since 2013 by Chambers USA. His practice focuses on corporate transactions, including mergers and acquisitions, securities offerings, joint ventures, investments in public and private entities, and commercial transactions. Mr. Little has represented clients in a variety of industries, including energy, retail, technology, infrastructure, transportation, manufacturing and financial services.

Krista Hanvey is co-chair of Gibson Dunn’s Employee Benefits and Executive Compensation practice group and co-partner in charge in the firm’s Dallas office. She counsels clients of all sizes across all industries, both public and private, using a multi-disciplinary approach to compensation and benefits matters that crosses tax, securities, labor, accounting and traditional employee benefits legal requirements. Ms. Hanvey has significant experience with all aspects of executive compensation, health and welfare benefit plan, and retirement plan compliance, planning, and transactional support. She also routinely advises clients with respect to general corporate and non-profit governance matters.

Evan M. D’Amico is a partner in the Washington, D.C. office of Gibson, Dunn & Crutcher, where his practice focuses primarily on mergers and acquisitions. Mr. D’Amico advises companies, private equity firms, boards of directors and special committees in connection with a wide variety of complex corporate matters, including mergers and acquisitions, asset sales, leveraged buyouts, spin-offs and joint ventures.

Kristen Limarzi represents clients in merger and non-merger investigations before the DOJ, the Federal Trade Commission, and foreign antitrust enforcers. Her experience in merger matters spans the gamut of sectors, including consumer products, healthcare, oil and gas, telecommunications, financial and other data services, transportation, and high tech products. Leveraging her prior experience as a top enforcement official in the U.S. Department of Justice’s Antitrust Division, Kristen brings a practical approach to helping clients navigate the increasingly complex antitrust enforcement environment.

Douglas S. Horowitz is a partner in the New York office of Gibson, Dunn & Crutcher. Doug is the head of Leveraged and Acquisition Finance, co-chair of Gibson Dunn’s Global Finance Practice Group, and an active member of the Capital Markets Practice Group and Securities Regulation and Corporate Governance Practice Group.


MCLE CREDIT INFORMATION

This program has been approved for credit in accordance with the requirements of the New York State Continuing Legal Education Board for a maximum of 1.0 credit hour, of which 1.0 credit hour may be applied toward the areas of professional practice requirement. This course is approved for transitional/non-transitional credit.

Attorneys seeking New York credit must obtain an Affirmation Form prior to watching the archived version of this webcast. Please contact [email protected] to request the MCLE form.

Gibson, Dunn & Crutcher LLP certifies that this activity has been approved for MCLE credit by the State Bar of California in the amount of 1.0 hour.

California attorneys may claim “self-study” credit for viewing the archived version of this webcast. No certificate of attendance is required for California “self-study” credit.

© 2024 Gibson, Dunn & Crutcher LLP.  All rights reserved.  For contact and other information, please visit us at www.gibsondunn.com.

Attorney Advertising: These materials were prepared for general informational purposes only based on information available at the time of publication and are not intended as, do not constitute, and should not be relied upon as, legal advice or a legal opinion on any specific facts or circumstances. Gibson Dunn (and its affiliates, attorneys, and employees) shall not have any liability in connection with any use of these materials.  The sharing of these materials does not establish an attorney-client relationship with the recipient and should not be relied upon as an alternative for advice from qualified counsel.  Please note that facts and circumstances may vary, and prior results do not guarantee a similar outcome

Please join us for a discussion about the latest developments and trends in U.S. and international anti-money laundering (AML) and sanctions laws, regulations, and enforcement. In particular, we will cover recent updates related to BSA/AML and sanctions rulemaking, legislation, and guidance. We will also have a detailed discussion of key areas of focus seen in recent enforcement actions, including digital assets, fintech partnerships and innovative technologies, customer risk ratings and diligence processes, financial transactions involving Russia, cybersecurity, and risk-based compliance measures. We will also discuss compliance expectations and best practices, and what to expect for BSA/AML and sanctions in 2024, including with respect to anticipated FinCEN rulemaking for investment advisers and real estate businesses.



PANELISTS:

F. Joseph Warin is chair of the 250-person Litigation Department of Gibson Dunn’s Washington, D.C. office, and he is co-chair of the firm’s global White Collar Defense and Investigations Practice Group. Mr. Warin’s practice includes representation of corporations in complex civil litigation, white collar crime, and regulatory and securities enforcement – including Foreign Corrupt Practices Act investigations, False Claims Act cases, special committee representations, compliance counseling and class action civil litigation. His clients include corporations, officers, directors and professionals in regulatory, investigative and trials involving federal regulatory inquiries, criminal investigations and cross-border inquiries by dozens of international enforcers. Mr. Warin is admitted to practice in the District of Columbia.

Stephanie L. Brooker is a partner in the Washington, D.C. office of Gibson, Dunn & Crutcher. She is co-chair of the firm’s Global White Collar Defense and Investigations, Financial Institutions, and Anti-Money Laundering Practice Groups. She is a former federal prosecutor and the former Director of the Enforcement Division at the U.S. Department of Treasury’s Financial Crimes Enforcement Network (FinCEN). As a prosecutor, Ms. Brooker investigated and prosecuted a broad range of white collar and other federal criminal matters, briefed and argued criminal appeals, and served as the Chief of the Asset Forfeiture and Money Laundering Section in the U.S. Attorney’s Office for the District of Columbia. Ms. Brooker’s practice focuses on internal investigations, regulatory enforcement defense, white-collar criminal defense, and compliance counseling. She handles a wide range of white collar matters, including representing financial institutions, multi- national companies, and individuals in connection with criminal, regulatory, and civil enforcement actions involving sanctions; anti-corruption; anti-money laundering (AML)/Bank Secrecy Act (BSA); digital assets and fintech; securities, tax, and wire fraud, foreign influence; sensitive employee issues; and other legal issues. She routinely handles complex cross-border investigations. Ms. Brooker’s practice also includes BSA/AML and FCPA compliance counseling and deal due diligence and significant criminal and civil asset forfeiture matters. She is admitted to practice in the District of Columbia.

M. Kendall Day is a nationally recognized white-collar partner in the Washington, D.C. office of Gibson, Dunn & Crutcher, where he is co-chair of Gibson Dunn’s Global Fintech and Digital Assets Practice Group, co-chair of the firm’s Financial Institutions Practice Group, co-leads the firm’s Anti-Money Laundering practice, and is a member of the White Collar Defense and Investigations and Crisis Management Practice Groups. Prior to joining Gibson Dunn, Mr. Day had a distinguished 15-year career as a white collar prosecutor with the Department of Justice (DOJ), rising to the highest career position in the DOJ’s Criminal Division as an Acting Deputy Assistant Attorney General. In various leadership positions, from 2013 until 2018, Mr. Day supervised investigations and prosecutions of many of the country’s most significant and high-profile cases involving allegations of corporate and financial misconduct. He also exercised nationwide supervisory authority over the DOJ’s money laundering program, particularly any BSA and money-laundering charges, deferred prosecution agreements and non-prosecution agreements involving financial institutions. Mr. Day is licensed to practice in the Commonwealth of Virginia and the District of Columbia.

Adam M. Smith is a partner in the Washington, D.C. office of Gibson, Dunn & Crutcher and serves as co-chair of the firm’s International Trade Practice Group. As one of the nation’s leading international lawyers, Mr. Smith focuses on international trade compliance and white collar investigations, including with respect to federal and state economic sanctions enforcement, CFIUS, the Foreign Corrupt Practices Act, embargoes, and export and import controls. Mr. Smith previously served in the Obama Administration as the Senior Advisor to the Director of the U.S. Treasury Department’s Office of Foreign Assets Control (OFAC) and as the Director for Multilateral Affairs on the National Security Council. He is admitted to practice in the District of Columbia and Maryland.

Ella Alves Capone is Of Counsel in the Washington, D.C. office of Gibson, Dunn & Crutcher. She is a member of the White Collar Defense and Investigations, Global Financial Regulatory, and Anti-Money Laundering Practice Groups. Ms. Capone’s practice focuses on advising multinational corporations and financial institutions on Bank Secrecy Act/anti-money laundering (BSA/AML), anti-corruption, sanctions, and payments regulatory and enforcement matters. She has particularly extensive experience advising major banks, casinos, social media and gaming platforms, marketplaces, fintechs, payment service providers, and cryptocurrency businesses on regulatory compliance. Ms. Capone is admitted to practice in the District of Columbia and New York, as well as before the United States District Courts for the Eastern and Southern Districts of New York.

Chris Jones is a senior associate in the Los Angeles office of Gibson, Dunn & Crutcher and a member of the White Collar Defense and Investigations and Anti-Money Laundering Practice Groups. Mr. Jones has experience representing clients in a wide range of anti-corruption, anti-money laundering, litigation, sanctions, securities, and tax matters. He has represented various corporations, including a number of financial technology and cryptocurrency companies, in investigations by the DOJ, SEC, FinCEN, and OFAC. Mr. Jones is admitted to practice in the District of Columbia, California and New York.


MCLE CREDIT INFORMATION

This program has been approved for credit in accordance with the requirements of the New York State Continuing Legal Education Board for a maximum of 1.0 credit hour, of which 2.0 credit hours may be applied toward the areas of professional practice requirement. This course is approved for transitional/non-transitional credit.

Gibson, Dunn & Crutcher LLP certifies that this activity has been approved for MCLE credit by the State Bar of California in the amount of 2.0 hours.

Gibson, Dunn & Crutcher LLP is authorized by the Solicitors Regulation Authority to provide in-house CPD training. This program is approved for CPD credit in the amount of 2.0 hours. Regulated by the Solicitors Regulation Authority (Number 324652).

Neither the Connecticut Judicial Branch nor the Commission on Minimum Continuing Legal Education approve or accredit CLE providers or activities. It is the opinion of this provider that this activity qualifies for up to 2 hours toward your annual CLE requirement in Connecticut, including 0 hour(s) of ethics/professionalism.

Application for approval is pending with the Colorado, Illinois, Texas, Virginia and Washington State Bars.

© 2024 Gibson, Dunn & Crutcher LLP.  All rights reserved.  For contact and other information, please visit us at www.gibsondunn.com.

Attorney Advertising: These materials were prepared for general informational purposes only based on information available at the time of publication and are not intended as, do not constitute, and should not be relied upon as, legal advice or a legal opinion on any specific facts or circumstances. Gibson Dunn (and its affiliates, attorneys, and employees) shall not have any liability in connection with any use of these materials.  The sharing of these materials does not establish an attorney-client relationship with the recipient and should not be relied upon as an alternative for advice from qualified counsel.  Please note that facts and circumstances may vary, and prior results do not guarantee a similar outcome

Washington, D.C. partner George Hazel and Houston partner Gregg Costa, both former judges, are joined by retired Judge Mark A. Drummond, a former trial lawyer who subsequently served as a judge for 20 years. Judge Drummond is now the program director for the National Institute for Trial Advocacy, where he trains lawyers on the most effective ways to present evidence to juries; he also serves as judicial director of the Civil Jury Project at the NYU School of Law.  The three former judges discuss the value of civil jury trials, and describe and debate several innovations that are being introduced to civil jury trials, such as jurors asking questions, lawyers providing daily summations, expert witnesses testifying back-to-back, jurors discussing evidence before deliberation, and judges limiting the length of trials.

Previous Episode | Next Episode


HOSTS:

Gregg Costa is co-chair of the firm’s Trials Practice Group.  Gregg offers clients a unique perspective as a former federal trial and appellate judge. His broad experience—having handled complex civil and criminal matters, at trial and on appeal, as advocate and judge—allows him to offer invaluable skills and strategic insights for both trials and investigations.

George Hazel is a partner in the Washington office of Gibson, Dunn & Crutcher and a member of the firm’s Litigation and White Collar Defense and Investigations Practice Groups.  A former federal trial judge and criminal prosecutor, Mr. Hazel brings a broad range of trial experience, having presided over approximately 50 jury trials in federal court and handled 20 jury trials and 30 bench trials as an attorney in federal and state court.  Since his return to private practice, Lawdragon  has named him one of the “500 Leading Global Litigators” of 2024.

As commercial transactions become more complex, arbitration agreements deserve attention and scrutiny by parties, because they can greatly influence how a dispute could unfold.

International transactions with Asian parties using arbitration as their preferred mode of dispute resolution continue to rise. In recent years, U.S. and European counterparties feature among the most frequent users of Singapore and Hong Kong as seats of arbitration.

Singapore and Hong Kong are regarded as two leading, pro-arbitration seats for international arbitration. As commercial transactions become more complex, parties have been seeking variations to the standard model arbitration clause to fit the specifics of their transactional requirements. No longer ‘midnight clauses’, arbitration agreements deserve attention and scrutiny by parties because they can greatly influence how a dispute could unfold.

This update considers the top 10 issues regarding arbitration clauses that we commonly advise on nowadays, and the extent to which the courts of Singapore or Hong Kong have dealt with them.

#

ISSUE

SUMMARY

EXPLANATION

1.

Are optional or asymmetrical clauses enforceable?

Yes

Both Singapore and Hong Kong have confirmed that optional arbitration clauses (giving parties the option, not obligation, to arbitrate their  disputes), and asymmetrical arbitration clauses (entitling only one party the right to refer the dispute to arbitration) are enforceable. A lack of mutuality in obligations per se does not render the clause unenforceable.

In an optional clause, it is advisable to stipulate whether the other party is bound by the other party’s choice (i.e., whether the first mover dictates the forum).

In an asymmetrical clause, it is advisable to stipulate a process (e.g., written notice of a dispute arising) that would trigger a longstop date by which the party holding the right to refer the dispute to arbitration has to exercise or forfeit it.

2.

Are pre-arbitration requirements (e.g., mediation or negotiations):

a. Enforceable?

b. A question of admissibility or jurisdiction?

Yes

Singapore and Hong Kong take different positions

Pre-arbitration requirements or arb-med-arb protocols or multi-tiered dispute resolution clauses are enforceable.

The stringency with which such clauses will be enforced depends on the language used. Where clear obligations are imposed and expressed as mandatory, the court will require full and not merely substantial compliance.

A party’s failure to adhere to conditions precedent to the arbitration is currently viewed as a matter going to admissibility under Hong Kong law such that it is only for the tribunal to decide if the preconditions are met, and if not, to decide whether to stay proceedings pending satisfaction of those conditions.

Singapore law is not settled on this but there is authority suggesting that the tribunal lacks jurisdiction to proceed if the preconditions are not met. A party that disagrees whether the preconditions are satisfied may challenge jurisdiction before the tribunal and ultimately in court.

3.

Can parties mix and match institutions and arbitral rules?

Possible; not advisable

Only Singapore law has confirmed that a clause mixing institutions (e.g., ICC rules administered by the SIAC) and their arbitral rules can be enforced.

However, this is not advisable and institutions like the ICC have now stipulated in their rules that only they can administer their own rules.

4

Are there presumptions relating to parties’ choice of the law governing the arbitration agreement?

 

Yes; recommend stating the law governing the arbitration agreement

The law governing the main contractual obligations of the parties is, in principle, distinct from the law governing the arbitration, which in turn need not follow the law of the seat (i.e., the procedural law).

Most contracts will at least stipulate the law governing the contract, and by the choice of the seat, they will have chosen the procedural law.

However, many contracts remain silent on the law governing the arbitration agreement itself (possibly on the assumption that the law governing the contract governs the arbitration agreement as well). This has spawned a series of cases. It is advisable to specifically stipulate the law that parties desire to govern the arbitration agreement (which affects validity and interpretation).

In the absence of an express choice, the court will examine whether there is an implied choice of law. There is a presumption that the law governing the main contract governs the arbitration agreement. That presumption can be displaced by (a) the terms of the arbitration agreement, or (b) whether the effectiveness and validity of the arbitration agreement would be impacted by applying the presumption.

In the absence of an express or implied choice, the system of law that has the closest and most real connection to the arbitration agreement will govern.

It should be noted that this test follows the English position, which is about to be changed by statutory reform such that the law of the arbitration agreement will be presumed to follow the law of the seat. It remains to be seen whether the Singapore or Hong Kong courts adopt the new English position.

5.

Can the allocation of costs and interest be dealt with by agreement, including the costs of third party funding?

 

Yes

The allocation of costs and interest is a matter for the tribunal and the courts would not generally interfere in their award.

The default rule in both jurisdictions is that costs follow the event. Parties may agree for each party to bear their own costs. Unlike in England, there is no statutory prohibition in Singapore and Hong Kong against allocating all the costs to one party regardless the outcome.

Tribunals tend to award pre-award interest on a compounded basis to compensate the claimant for being out of the money, and post-award interest based on the prevailing statutory rate. Parties may also wish to stipulate whether and at what rate interest should apply.

Third party funding is permitted in Singapore and Hong Kong for international arbitrations. There is no reason in principle why the costs of third party funding cannot be awarded to the successful claimant and tribunals have allowed this. To avoid any dispute, parties may stipulate the tribunal may award such costs.

6.

Can parties carve out issues for judicial determination?

By extension, may parties appeal questions of law?

 

Yes

No

The scope of the arbitration clause is a matter for agreement by parties, and it can be as wide or narrow as parties deem appropriate. This means it is possible to carve out certain issues for judicial determination. This could be useful to obtain a ruling on a certain definition or clause that parties might be using across multiple contracts, or a standard term.

However, neither Hong Kong nor Singapore permits appeals on issues of law if otherwise those questions are referable to arbitration.

It is unclear whether parties can agree to refer certain issues to an ‘appellate tribunal’, which some industry arbitration rules provide for. How such agreements square with the legislation in Singapore and Hong Kong remains untested.

7.

Can parties address multiparty or consolidation issues by agreement?

 

With great caution

Depending on the arbitral rules adopted, there may be default provisions as to the process to be undertaken in a multiparty or consolidated arbitration. The most important of which is that the original parties may not be able to appoint their own arbitrators.

It could be possible for parties to stipulate that the ‘anchor’ parties get their choice of arbitrator. But this could raise issues of due process and equality. This explains why most institutional rules provide (e.g.) that where a party is joined, the tribunal is then appointed only by the institution and not the parties, or that if there are multiple claimants or respondents, they have to agree on their arbitrator or the institution will appoint the arbitrators.

What can be useful is an express provision stipulating that parties agree that disputes arising out of a defined group of contracts are to be capable of consolidation and/or that parties to the defined group of contracts agree to be joined in any such proceedings.

8.

Can parties agree on expedition?

 

Yes

It is possible for parties to stipulate that their arbitration should be conducted in accordance with the expedited rules of the institution, or simply that the arbitration is conducted and completed within a defined period of time.

Conversely, parties may stipulate that their arbitration will not be expedited even if it may qualify for expedition under the relevant rules.

9.

Should parties pay attention to questions of arbitrability?

Yes; ensure the disputed subject-matter is arbitrable under laws of the arbitration agreement and the seat

 

Typically, the law governing the arbitration agreement determines whether the dispute is arbitrable. This could be a trap for the unwary, and makes the choice of the law governing the arbitration agreement important (see above).

The Singapore courts have recently ruled that at the pre-award stage, a dispute cannot be referred to arbitration if it is not arbitrable by both the law of the arbitration agreement and the law of the seat. Thus, while the choice of a ‘safe’ seat like Singapore or Hong Kong should avoid most arbitrability issues, advice should be taken in relation to whether the governing law of the contract would regard any potential dispute as not being arbitrable.

In the commercial context, the question of arbitrability often arises when the dispute involves the validity of intellectual property rights and minority oppression claims.

10.

Can parties choose their supervisory court?

Yes, in Singapore

 

In Singapore, the default supervisory court is the General Division of the High Court. However, parties may choose the Singapore International Commercial Court as their supervisory court. The advantages of doing so have been summarised in a previous update.

In Hong Kong-seated arbitrations, the Hong Kong courts (specifically the Court of First Instance) will be the court of supervisory jurisdiction.

Notwithstanding the permutations open to parties to create bespoke arbitration agreements, one must be careful not to add unnecessary complexity. While some variations can be useful (e.g., provisions on costs and interest), one counterpoint to balance is that the further an agreement deviates from the standard model clause, the more opportunities a recalcitrant respondent may have to raise arguments challenging jurisdiction or admissibility.


The following Gibson Dunn lawyers prepared this update: Paul Tan, Alex Wong, Jonathan Lai, and Viraen Vaswani.

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments. Please contact the Gibson Dunn lawyer with whom you usually work, the authors, or any of the following leaders or members of the firm’s International Arbitration practice group:

Cyrus Benson – London (+44 20 7071 4239, [email protected])
Brian W. Gilchrist OBE – Hong Kong (+852 2214 3820, [email protected])
Penny Madden KC – London (+44 20 7071 4226, [email protected])
Rahim Moloo – New York (+1 212.351.2413, [email protected])
Philip Rocher – London (+44 20 7071 4202, [email protected])
Paul Tan – Singapore (+65 6507 3677, [email protected])
Alex Wong – Hong Kong (+852 2214 3822, [email protected])

© 2024 Gibson, Dunn & Crutcher LLP.  All rights reserved.  For contact and other information, please visit us at www.gibsondunn.com.

Attorney Advertising: These materials were prepared for general informational purposes only based on information available at the time of publication and are not intended as, do not constitute, and should not be relied upon as, legal advice or a legal opinion on any specific facts or circumstances. Gibson Dunn (and its affiliates, attorneys, and employees) shall not have any liability in connection with any use of these materials.  The sharing of these materials does not establish an attorney-client relationship with the recipient and should not be relied upon as an alternative for advice from qualified counsel.  Please note that facts and circumstances may vary, and prior results do not guarantee a similar outcome

2023 was another extraordinarily active year in the world of trade controls, including sweeping new trade restrictions on Russia and China, aggressive enforcement of sanctions and export controls, and extensive collaboration among sister agencies and partner countries.

In 2023, the United States, the European Union, and the United Kingdom continued to push the limits of economic statecraft by imposing new trade restrictions on major economies such as Russia and China, and aggressively enforcing existing measures.  Throughout his tenure, President Biden has imposed sanctions at an unprecedented rate by adding nearly 5,500 names to restricted party lists maintained by the U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”)—a yearly average nearly double that of the Trump administration and triple the pace under President Obama.  Approximately one-third of all parties presently on U.S. sanctions lists were placed there by President Biden.  That sharp upswing continued in 2023 as the United States added a near-record number of individuals and entities to OFAC sanctions lists:

In addition to the sheer number of new sanctions designations, the past year was noteworthy for the scale and scope of enforcement actions targeting sanctions and export control violations.  OFAC and the U.S. Department of Commerce’s Bureau of Industry and Security (“BIS”) each issued record-breaking civil monetary penalties measured in the hundreds of millions of dollars and closely coordinated with the U.S. Department of Justice to mount criminal prosecutions—marking a historically aggressive approach to enforcing trade controls.

Indeed, a high degree of collaboration among sister agencies and partner countries was one of the signal developments of the past year as policymakers in Washington, London, and other allied capitals magnified the impact of sanctions, export controls, import restrictions, and foreign investment reviews by frequently issuing joint guidance and tightly aligning their controls to make trade restrictions more challenging for Moscow, Beijing, and other targets to evade.

As roughly half the world’s population prepares to head to the polls over the next twelve months—including in major elections in the United States, the European Union, and the United Kingdom—policymakers have little incentive to slow their use of economic coercive measures before facing their electorates.  Very few politicians would be criticized for demonstrating strength against adversaries and competitors via enhanced sanctions or export controls.  All the more so because tools like sanctions and export controls can be promulgated with little perceived risk and even more limited perceived cost to the governments imposing them.  As a consequence, the heavy use of trade controls as a primary instrument of foreign policy appears poised to continue its growth regardless who occupies the White House, Downing Street, or any of the other halls of power up for grabs in 2024.

I. Global Trade Controls on Russia

A. Blocking Sanctions
B. Services Prohibitions
C. Price Cap on Crude Oil and Petroleum Products
D. Export Controls
E. Countering Evasion
F. Secondary Sanctions
G. Import Prohibitions
H. Possible Further Trade Controls on Russia

II. U.S. Trade Controls on China

A. Export Controls
B. Uyghur Forced Labor Prevention Act
C. Industrial Policy
D. Investment Restrictions
E. Possible Further Trade Controls on China

III. U.S. Sanctions

A. Venezuela
B. Iran
C. Myanmar
D. Sudan
E. Counter-Terrorism
F. Other Major Sanctions Programs
G. Crypto/Virtual Currencies
H. OFAC Enforcement Trends and Compliance Lessons

IV. U.S. Export Controls

A. Multilateral Coordination
B. Commerce Department

V. Committee on Foreign Investment in the United States (CFIUS)

A. CFIUS Annual Report
B. Expanded Jurisdiction
C. State Law Investment Restrictions
D. Geographic Focus

VI. U.S. Outbound Investment Restrictions

A. Proposed Rulemaking
B. Public Comments and Unresolved Issues

VII. European Union

A. Trade Controls on China
B. Sanctions Developments
C. Export Controls Developments
D. Foreign Direct Investment Developments

VIII. United Kingdom

A. Trade Controls on China
B. Sanctions Developments
C. Export Controls Developments
D. Foreign Direct Investment Developments

I. Global Trade Controls on Russia

Following the Kremlin’s full-scale invasion of Ukraine in early 2022, a coalition of leading democracies—including the United States, the European Union, the United Kingdom, Canada, Australia, and Japan—unleashed a historic barrage of trade restrictions on Russia.  As the war in Ukraine stretched on into 2023, the United States and its allies shifted from rapidly introducing new and often novel trade controls to incrementally expanding existing measures such as blocking sanctions, services bans, export controls, and import bans.  To further pressure Moscow, the United States authorized secondary sanctions on foreign financial institutions that, knowingly or unknowingly, facilitate significant transactions involving Russia’s military-industrial base, and partnered with allied countries to crack down on sanctions and export control evasion.  Such seemingly disparate measures were each calculated to deny Russia the capital and materiel needed to wage war in Ukraine.  The European Union and the United Kingdom—each departing from their historic practice—increasingly imposed extraterritorial measures, including asset freezes on third-country entities that support Russia’s war in Ukraine or that facilitate the contravention of relevant prohibitions.

These restrictions have generally been effective at “pouring sand into the gears” of Russia’s war machine as the Kremlin has experienced shortages of key components such as semiconductors, employed elaborate transshipment schemes, and turned to suppliers of last resort like North Korea and Iran to restock its arsenal.  Such trade restrictions also appear to be exacting a toll on Russia’s broader economy as soaring defense spending has led to rising inflation, widening budget deficits, and forgone investment in priorities such as education and healthcare that threaten to sap Russia’s long-term growth prospects.  By imposing countermeasures that restrict companies’ ability to depart Russia, including an “exit tax” and outright asset seizures, Moscow risks further chilling foreign investment.  Meanwhile, the coalition continues to hold a handful of policy options in reserve.  Depending upon events on the ground and political dynamics at home, U.S. and allied officials could in coming months escalate economic pressure on Russia by designating additional sanctions and export control evaders, further restricting exports of sensitive components, or severing from the U.S. financial system one or more foreign banks for enabling Russia’s ongoing military campaign.  They could even go after various third rails in Russia—further restricting gas flows and potentially seizing Russian state assets (including central bank assets) held abroad.

A. Blocking Sanctions

Since February 2022, the United States, the European Union, and the United Kingdom, in an extraordinary burst of activity, have each added thousands of new Russia-related individuals and entities to their respective consolidated lists of sanctioned persons.  While the lists do not entirely overlap, which has increased the compliance burden on multinational firms, the level of coordination among the allies has magnified the impact of sanctions by making them more challenging to evade.  Underscoring the breadth of new sanctions designations, the United States on seven occasions this past year alone added 100 or more new Russia-related targets to OFAC’s Specially Designated Nationals and Blocked Persons (“SDN”) List—an astonishing pace considering that around 10,000 parties had been added to the SDN List over the preceding twenty years combined.  The European Union also designated more than 100 individuals and entities as part of its Russia sanctions program on three separate occasions, and the United Kingdom reached similar heights on two occasions, in 2023.  This pace of change, combined with the breadth and depth of such changes, has made it increasingly difficult for the private sector to keep up.

Blocking sanctions are arguably the most potent tool in a country’s sanctions arsenal, especially for countries such as the United States with an outsized role in the global financial system.  Upon becoming designated an SDN (or other type of blocked person), the targeted individual or entity’s property and interests in property that come within U.S. jurisdiction are blocked (i.e., frozen) and U.S. persons are, except as authorized by OFAC, generally prohibited from engaging in transactions involving the blocked person.  The same applies to persons designated by the European Union or the United Kingdom.  The SDN List, and its EU and UK equivalents, therefore function as the principal sanctions-related restricted party lists.  Moreover, the effects of blocking sanctions often reach beyond the parties identified by name on these lists.  By operation of OFAC’s Fifty Percent Rule (or, in the EU and the UK, the even broader ownership and control tests), restrictions generally also extend to entities owned 50 percent or more in the aggregate by one or more blocked persons (or, in the EU and the UK, entities that are majority-owned or controlled by blocked persons), whether or not the entity itself has been explicitly identified.

During 2023, the allies repeatedly used their targeting authorities to block Russian political and business elites, as well as substantial enterprises operating in sectors such as banking, energy, and technology seen as critical to financing and sustaining the Kremlin’s war effort.  Notable designations included:

Many of the parties described above were designated pursuant to Executive Order (“E.O.”) 14024, which authorizes blocking sanctions against persons determined to operate or have operated in certain sectors of the Russian Federation economy identified by the U.S. Secretary of the Treasury.

In addition to naming more than 1,000 new Russia-related individuals, entities, vessels, and aircraft to their respective sanctions lists, the United States and the European Union this past year continued to expand the potential bases upon which parties can become designated for engaging with Russia.  The European Union introduced a new criteria for designation whereby persons who benefit from the forced transfer of ownership or control over Russian subsidiaries of EU companies can become subject to asset freeze measures.  Meanwhile, building upon the ten sectors that had been identified in prior years, the Biden administration during 2023 authorized the imposition of blocking sanctions on parties that operate in Russia’s metals and mining, architecture, engineering, construction, manufacturing, and transportation sectors—which appear to have been selected for their potential to generate hard currency or to, directly or indirectly, contribute to Russia’s wartime production capabilities.  Crucially, OFAC has indicated that parties operating in those sectors are not automatically sanctioned, but rather risk becoming sanctioned if they are determined by the Secretary of the Treasury to have engaged in targeted activities.  That said, after initially treading lightly around Russian oil, gas, and metals producers to avoid roiling global markets, the Biden administration in recent months has shown a growing willingness to impose blocking sanctions on participants in Russia’s extractive industries, as well as on third-country sanctions and export control evaders.  These trends appear poised to continue during the year ahead.

B. Services Prohibitions

Since the opening months of the war in Ukraine, the United States, the European Union, and the United Kingdom have supplemented their use of blocking sanctions by banning the exportation to Russia of certain professional, technical, and financial services—especially including services used to bring Russian energy to market.

Executive Order 14071 prohibits the exportation from the United States, or by a U.S. person, of any category of services as may be determined by the Secretary of the Treasury, to any person located in the Russian Federation.  Acting pursuant to that broad and flexible legal authority, the United States during the first year of the war barred U.S. exports to Russia of ten categories of services that, if misused, could enable sanctions evasion, bolster the Russian military, and/or contribute to Russian energy revenues.  In May 2023, the United States expanded upon those earlier prohibitions by barring the exportation to Russia of architecture and engineering services in a seeming effort to prevent U.S. technical expertise from being used to enhance Russia’s energy and military infrastructure.

The European Union and the United Kingdom have similarly prohibited the provision of a range of professional services to entities in Russia, subject to limited exceptions.  During the past year, the European Union tweaked the range of available derogations and exceptions and expanded the scope of its professional services restrictions to include the provision of software for the management of enterprises and software for industrial design and manufacture.  The United Kingdom implemented a new, strictly framed ban on the provision of legal advisory services—which temporarily froze the ability of lawyers in the country to advise on a wide scope of even Russia-related issues.  Fortunately, this situation was eased by the issuance of a general license shortly thereafter.

Those incremental adjustments aside, over the past year the allies chiefly focused on implementing and enforcing a novel form of services ban designed to cap the price of seaborne Russian crude oil and petroleum products.

C. Price Cap on Crude Oil and Petroleum Products

Effective December 5, 2022, the United States, Canada, France, Germany, Italy, Japan, and the United Kingdom, alongside the European Union and Australia (collectively, the “Price Cap Coalition”), prohibited the provision of certain services that support the maritime transport of Russian-origin crude oil from Russia to third countries, or from a third country to other third countries, unless the oil has been purchased at or below a specified price.  A separate price cap with respect to Russian-origin petroleum products became effective on February 5, 2023.  The types of services that are potentially restricted varies modestly among the Price Cap Coalition countries, but generally includes activities such as brokering, financing, and insurance.  A detailed analysis of the price cap, and how it is being implemented by key members of the Price Cap Coalition, can be found in a previous client alert.

From a policy perspective, the price cap is intended to curtail Russia’s ability to generate revenue from the sale of its energy resources, while still maintaining a stable supply of these products on the global market.  The measure is also designed to avoid imposing a blanket ban on the provision of all services relating to the transport of Russian oil and petroleum products, which could have far-reaching and unintended consequences for global energy prices.  Accordingly, the price cap functions as an exception to an otherwise broad services ban.  Best-in-class maritime service providers, which are overwhelmingly based in Price Cap Coalition countries, are permitted to continue supporting the maritime transport of Russian-origin oil and petroleum products, but only if such oil or petroleum products are sold at or below a certain price.

After spending much of the prior year designing the price cap mechanism, the coalition during 2023 shifted to implementing and enforcing this new and untested policy instrument—and were quickly met with Russian efforts at circumvention.  For example, tankers carrying Russian crude oil sold above the price cap have reportedly used deceptive practices such as falsifying location data and transaction documents to continue availing themselves of coalition services.  Such activities prompted OFAC in April 2023 to publish an alert warning that shipments from Russia’s Pacific coast, including especially the port of Kozmino where a substantial oil pipeline terminates, may present elevated risks of price cap evasion.

As the year progressed, Russia-related parties heavily invested in building a so-called “shadow fleet” that, instead of illicitly using Price Cap Coalition service providers, seeks to avoid coalition services altogether.  Broadly speaking, the shadow fleet (also known as the “ghost fleet”) involves an alternative ecosystem of hundreds of aging and questionably seaworthy oil tankers, backed by sub-standard insurers, that operate outside the jurisdiction of Price Cap Coalition countries.  By virtue of their age, opaque ownership, and questionable financial backing, such oil tankers are at high risk of accidents and unlikely to bear the cost of damage to other vessels or the environment.  As a consequence, many ports refuse calls by these vessels.  Nevertheless, as these vessels offer oil above the price cap and below the market price, for some jurisdictions, the economics of this oil has proven too attractive to turn down.  As a result, the shadow fleet has contributed to Russian oil being sold at an increasingly narrow discount to global prices.  Over the long term, this could further undercut the price cap’s efficacy.  Coalition policymakers meanwhile cite the shadow fleet as evidence that the price cap is at least partially succeeding in diverting resources from the war in Ukraine.  In short, said one U.S. official, “buying tankers makes it harder for the Kremlin to buy tanks.”

Amid questions about the price cap’s continuing effectiveness, the coalition during the final months of the year pivoted to a second phase of implementation that has so far involved imposing blocking sanctions on a small, but growing, number of maritime industry participants and issuing updated guidance to compliance-minded companies.

Notably, OFAC in October, November, and December 2023, and continuing in January 2024, added a total of 39 shipping companies, vessels, and oil traders to the SDN List for their alleged involvement in using Price Cap Coalition service providers to transport Russian-origin crude oil priced above $60 per barrel after the price cap policy became effective.  Such limited designations appear to have been calibrated as a series of warning shots—reflecting the delicate balance that policymakers face in deterring market participants from facilitating the transport of high-priced Russian oil without clamping down so aggressively as to spook financial institutions, shippers, and oil traders away from lawful dealings in Russian oil, which could reduce supply and drive up global energy prices.  Moreover, policymakers are being careful to balance broader geopolitical interests to avoid seeing the rest of the BRICS, for example, more aggressively support Moscow’s revanchism.  Even so price cap-related designations appear highly likely during the months ahead.

Concurrent with the initial round of designations described above, the Price Cap Coalition in October 2023 published an advisory describing for maritime oil industry participants, including governmental and private sector actors, suggested best practices to minimize the risk of enabling a prohibited transaction involving Russian oil.  Although many of the advisory’s suggestions hew closely to the U.S. Government’s 2020 Global Maritime Sanctions Advisory, such as monitoring for signs that a vessel has improperly disabled its location-tracking Automatic Identification System and/or engaged in ship-to-ship transfers, the coalition also offers a number of price cap-specific recommendations.  Among other measures, industry participants are encouraged to require oil tankers to carry legitimate and properly capitalized insurance; be certified as seaworthy by a reputable classification society; and furnish itemized invoices that separately list all ancillary costs (e.g., shipping, insurance, freight) so that the price at which the underlying Russian oil was sold can be readily determined.

To steer clear of a potential enforcement action, service providers from Price Cap Coalition countries that deal in seaborne Russian crude oil or petroleum products need to be able to provide certain evidence that the price cap was not breached in respect of the shipment that they are servicing.  For example, the United States, the European Union, and the United Kingdom have each set forth a detailed recordkeeping and attestation process by which maritime transportation industry actors can benefit from a “safe harbor” from prosecution arising out of violations by third parties.  In December 2023, the Price Cap Coalition released more stringent guidance requiring service providers based in Price Cap Coalition countries to collect attestations with greater frequency and to gather more granular pricing information.  To benefit from the safe harbor, covered service providers now must receive attestations each time they lift or load Russian-origin oil or petroleum products, and must also retain, provide, or receive an itemized list of ancillary costs such as shipping, insurance, and freight, which additional information is designed to prevent transaction parties from obscuring the price at which Russian oil was sold.

In parallel, the European Union in December 2023 moved to bolster the price cap by requiring EU operators to obtain authorization from a national competent authority prior to selling or transferring ownership of an oil tanker to a Russian individual or entity, or for use in Russia.  EU operators must also notify a national competent authority of each sale or transfer of a tanker to parties based in third countries (i.e., other than the European Union or Russia).  These EU measures are calculated to stunt the growth of Russia’s shadow fleet.

D. Export Controls

During 2023, the United States, the European Union, and the United Kingdom continued to find ways to expand their already unprecedented range of export controls targeting Russia and Belarus.  Many of these changes either build upon novel controls introduced in 2022, or seek to align each jurisdiction’s existing controls with those implemented by allies and partners.

In conjunction with the first anniversary of Russia’s further invasion of Ukraine, the U.S. Department of Commerce’s Bureau of Industry and Security in February 2023 announced significant expansions of the Russian and Belarusian Industry Sector Sanctions, including the addition of over 500 items, identified by Harmonized Tariff Schedule (“HTS”) codes, to lists of commercial, industrial, and luxury items that now require an export license for Russia or Belarus.  The agency’s use of HTS codes—which are widely used around the globe for classifying goods—appears to have been driven by a policy interest in expanding the reach of U.S. export controls beyond the items identified on BIS’s Commerce Control List.  Rather, BIS is now increasingly relying on a common tool (the HTS codes) that will allow for greater coordination and interoperability with restrictions put in place by allied and partner countries, while also enabling BIS to control exports of commercial items that, under U.S. regulations, are designated EAR99.  After Iranian unmanned aerial vehicles (“UAVs”) appeared on the battlefield in Ukraine, in some cases with U.S.-branded parts and components, BIS also announced new controls on commercial items that are used in the production of UAVs when destined for Iran, Russia, Crimea, or Belarus.  Notably, the new UAV-related controls reach foreign-made products when such items rely upon certain U.S.-origin software or technology through the application of a new Iran-related Foreign Direct Product Rule.

From May 2023 to January 2024, BIS added over 1,300 items to the list of electronics, industrial items, manufacturing equipment, and materials that require an export license to Russia or Belarus.  As a result, under U.S. law, four entire chapters of the Harmonized Tariff Schedule are now subject to an export licensing requirement when goods identified in those chapters—including nuclear items (Chapter 84); electrical machinery and equipment (Chapter 85); aircraft, spacecraft, and parts thereof (Chapter 88); and optical, photographic, precision, medical, or surgical instruments (Chapter 90)—are destined for Russia or Belarus.  These and other updates brought U.S. controls on commercial items into closer harmony with controls imposed by the European Union and the United Kingdom, which have generally imposed controls based on their equivalents to the HTS codes used by the United States.  BIS also updated the list of jurisdictions that have implemented substantially similar export controls targeting Russia and Belarus to include Taiwan alongside 37 previously identified countries.  This list exempts these partner jurisdictions from U.S. controls on commercial items.

New measures implemented by the European Union and the United Kingdom track the trends discussed above.  For instance, the European Union’s twelfth Russia sanctions package imposed new export restrictions on dual-use items, advanced technology, and industrial goods worth €2.3 billion per year.  The European Union also expanded the scope of existing export restrictions to include a prohibition on the sale, license, or transfer of intellectual property rights and trade secrets relating to several categories of goods or technology, and bolstered transit restrictions—a novel kind of export control which the United States has yet to impose.  Over the course of 2023, the United Kingdom also broadened the range of goods subject to trade sanctions through various amendments to primary legislation.

In light of these expanded controls targeting Russia, divestiture transactions continue to raise thorny issues.  Companies headquartered virtually anywhere in the world that desire to divest their Russian operations must now consider whether such divestment would result in the transfer of U.S.-controlled items to end users in Russia.  Increasingly, such transfers trigger an export licensing requirement, including for dual-use and commercial items.  Accordingly, in furtherance of the U.S. Government’s policy of enabling companies to exit the Russian and Belarusian markets, BIS announced a case-by-case license review policy for license applications submitted by companies that are curtailing or closing all operations in Russia or Belarus and are headquartered outside of Country Groups D:1, D:5, E:1, or E:2 (i.e., certain jurisdictions that present heightened national security concerns, are subject to a United Nations (“UN”) or U.S. arms embargo, and/or are subject to a U.S. trade embargo).  The European Union has introduced similar new grounds on which national competent authorities may authorize the sale, supply, or transfer of listed goods and technology, along with associated intellectual property, in the context of transactions that are strictly necessary for divestment from Russia or the wind-down of business activities in Russia.  Parallel provisions have been implemented by the United Kingdom and fleshed out in published guidance.

In addition to these regulatory changes, BIS maintained a heavy focus on Russia-related enforcement.  As discussed in more detail below, in 2023 the agency’s Office of Export Enforcement had a banner year, including the launch of the Disruptive Technology Strike Force in partnership with the U.S. Department of Justice (“DOJ”) to bring criminal enforcement actions against individuals and entities that circumvent export controls on Russia, China, and Iran.  In some cases, criminal enforcement actions by DOJ were accompanied by the addition of Russia-related parties to the Entity List.  In 2023, BIS added well over 100 new entities to the Entity List under the destination of Russia alone, as well as many other entities located around the world, including in allied and partner countries, for allegedly supplying Russia’s defense sector with U.S.-origin goods, including semiconductors, electronics, and aviation equipment.

E. Countering Evasion

In addition to imposing new sanctions and export controls, the United States and its allies devoted considerable resources to shoring up existing trade restrictions on Russia by working to limit opportunities for evasion.  Such efforts involved a high degree of interagency and international coordination, including the provision of substantial external guidance designed to better equip the private sector to detect, prevent, and report on Russian attempts to circumvent U.S. and allied trade controls.  These multi-jurisdictional, joint guidance documents often emphasized practical sets of “red flags” to help identify evasion efforts and articulated heightened due diligence and compliance expectations by U.S. and allied regulators, especially when transactions involve certain high-priority items with potential military applications.  Taken together, these joint notices, which were once rare, suggest that coalition sanctions and export controls authorities remain hyper-vigilant for potential Russia-related trade controls violations, and Russian circumvention and evasion will likely remain a top global priority for enforcement actions going forward.

1. Interagency Collaboration

Within the United States, a constellation of federal agencies sought to undercut Russian sanctions and export control evasion by issuing a series of joint guidance documents.  Like the multi-jurisdictional notices discussed above, these multi-agency releases were also historically rare, often undercut by bureaucratic challenges which appear to have subsided.  In 2023, these joint agency advisories included:

  • BIS, OFAC, and DOJ (March 2023): Three U.S. Government agencies in March 2023 issued a joint compliance note detailing common ways in which malign actors have sought to circumvent U.S. sanctions and export controls, identifying key indicators a transaction party may be seeking to evade U.S. trade controls, and highlighting recent civil and criminal enforcement actions.
  • BIS and FinCEN (May 2023): Building on a first-of-its-kind joint alert published the prior year by BIS and the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (“FinCEN”), those same two agencies in May 2023 issued a supplemental export control evasion alert that established a new Suspicious Activity Report (“SAR”) key term for financial institutions to use when reporting possible attempts to evade U.S. export controls on Russia (“FIN-2022-RUSSIABIS”) and describes evasion typologies and “red flags.”  The introduction of a dedicated key term is designed to allow U.S. authorities to, within the enormous volume of SARs that FinCEN receives each year, quickly identify possible instances of Russia-related evasion.
  • BIS and FinCEN (November 2023): BIS and FinCEN in November 2023 issued a further joint notice that expands upon the two agencies’ Russia-related export control guidance to target export control evasion worldwide.  The November joint notice announced the creation of a second new Suspicious Activity Report key term (“FIN-2023-GLOBALEXPORT”) that financial institutions can use to report transactions that potentially involve evasion of U.S. export controls globally (excluding Russia which, as noted above, has its own unique key term), and provides an expansive list of “red flag” indicators of potential evasion.
  • BIS, OFAC, DOJ, State, and Homeland Security (December 2023): In the broadest yet example of multi-agency guidance, in December 2023 five U.S. Government agencies issued a public advisory concerning sanctions and export control evasion in the maritime transportation industry.  In that document, U.S. authorities indicate that maritime actors are expected to “know your cargo,” highlight tactics employed by bad actors to facilitate the illegal transfer of cargo, and note maritime industry-specific “red flags” such as ship-to-ship transfers and unusual shipping routes.

While the U.S. agencies described above have closely collaborated since the outbreak of the war in Ukraine, the volume of joint guidance and the extent of cooperation between sister agencies this past year were unprecedented and suggest that going forward the United States is likely to further break down silos between international trade disciplines in favor of a whole-of-government approach to countering sanctions and export control evasion.  Although enhanced enforcement will impose even greater risks on the private sector, the collaboration between agencies will hopefully portend a more unified approach which could make compliance more straightforward.

2. International Collaboration

Beyond collaborations within the U.S. Government, the United States and its allies and partners joined together over the past year to limit Russian sanctions and export control evasion.  Notable multilateral guidance focused on Russian circumvention included:

  • REPO Task Force (March 2023): Established within days of the Kremlin’s full-scale invasion of Ukraine, the Russian Elites, Proxies, and Oligarchs (“REPO”) Task Force is an information-sharing partnership of allied finance and justice ministries designed to promote joint action on sanctions, asset freezing, asset seizure, and criminal prosecution.  In March 2023, the REPO Task Force issued a global advisory that identifies Russian sanctions evasion typologies, including conducting dealings through family members and close associates, using real estate to conceal ill-gotten gains, and accessing the international financial system through enablers such as lawyers, accountants, and trust service providers.
  • Five Eyes (September 2023): The longstanding intelligence-sharing partnership known as the Five Eyes—comprising Australia, Canada, New Zealand, the United Kingdom, and the United States—in June 2023 committed to extend their cooperation to include coordinating on export control enforcement.  In September 2023, the Five Eyes followed through on that commitment by publishing joint guidance for industry and academia identifying certain high-priority items such as integrated circuits and other electronic components, organized by Harmonized System (“HS”) code, that present heightened risk of being diverted to Russia for use on the battlefield in Ukraine.
  • United States, European Union, United Kingdom, and Japan (May to October 2023): In parallel with efforts by the Five Eyes, the United States, the European Union, the United Kingdom, and Japan published and periodically updated a common list of high-priority items that, as of this writing, identifies by HS code 45 items deemed especially high risk for diversion due to their potential use in Russian weapons systems.  By widely disseminating a uniform list of items, coalition members sought to align controls across jurisdictions and concentrate finite compliance resources on a subset of items considered crucial to the Russian war effort.

3. Key Red Flags

The joint notices, alerts, and guidance described above each offer practical guidance to the private sector on detecting potential Russian evasion and circumvention, including identifying techniques commonly used to conceal the end user, final destination, or funding source for a transaction.  Although those documents are designed for different audiences and each contain a subtly different set of recommendations, several common “red flags” for Russian sanctions and export control evasion recur across nearly all the multiagency and multilateral guidance issued in 2023 and include:

  • Use of complex or opaque corporate structures to obscure ownership, source of funds, or countries involved;
  • Reluctance by parties to provide requested information, including the names of transaction counterparties, beneficial ownership details, or written end-user certifications; and
  • Transaction-level inconsistencies such as publicly available information regarding the counterparty (e.g., address, website, phone number, line of business) that appears at odds with an item’s purported use or destination. In part, this guidance seeks to address the ever-growing challenge of transshipment and diversion in which legal exports to a third country wind up being reexported to Russia or other jurisdictions of concern.

A further recurring theme of guidance issued over the past year is the importance of private sector cooperation to the success of U.S. and allied trade controls on Russia, and heightened expectations on the part of U.S. and allied regulators concerning private sector compliance.  Many of these notices reiterate the expectation that private actors adopt risk-based compliance measures, including management commitment, risk assessments, internal controls, testing and auditing, training, empowering staff to report potential violations, and seeking written compliance certifications for higher-risk exports.

F. Secondary Sanctions

As part of a broader effort to limit sanctions and export control evasion, the United States in an unprecedented escalation of pressure on Moscow authorized secondary sanctions on foreign financial institutions that, knowingly or unknowingly, facilitate significant transactions involving Russia’s military-industrial base.  These new restrictive measures are noteworthy not simply because they create new secondary sanctions risks for foreign banks and other financial institutions, but also because they expose these financial institutions to such risks based on the facilitation of trade in certain enumerated goods, and do so under a standard of strict liability (i.e., without requiring any culpable mental state such as knowledge).  In short, these restrictions do what many had long thought to be coming—place broader export control compliance obligations on financial institutions.

Under certain U.S. sanctions programs—namely, those targeting Iran, North Korea, Russia, Syria, and Hong Kong—persons outside of U.S. jurisdiction that engage in enumerated transactions with certain targeted persons or sectors, including transactions with no ostensible U.S. nexus, risk becoming subject to U.S. secondary sanctions.  Such measures target certain significant transactions involving, for example, Iranian port operators, shipping, and shipbuilding.  In practice, secondary sanctions are highly discretionary in nature and principally designed to prevent non-U.S. persons from engaging in certain specified transactions that are prohibited to U.S. persons.  If OFAC determines that a non-U.S. person has engaged in such transactions, the agency may impose punitive measures on the non-U.S. person which vary from the relatively innocuous (e.g., blocking use of the U.S. Export-Import Bank) to the severe (e.g., blocking use of the U.S. financial system or blocking all property interests).  Until December 2023, non-U.S. persons only potentially risked secondary sanctions exposure, under the small handful of sanctions programs that include such measures, for knowingly engaging in certain significant transactions.

As we discuss in a prior client alert, the Biden administration on December 22, 2023 issued Executive Order 14114 and related guidance authorizing OFAC to impose secondary sanctions on foreign financial institutions that are deemed to have:

  • Conducted or facilitated a significant transaction involving any person designated an SDN for operating in Russia’s technology, defense and related materiel, construction, aerospace, or manufacturing sectors, or any other sector that may subsequently be determined by the U.S. Secretary of the Treasury (such persons, “Covered Persons“); or
  • Conducted or facilitated a significant transaction, or provided any service, involving Russia’s military-industrial base, including the direct or indirect sale, supply, or transfer to Russia of specified items such as certain machine tools, semiconductor manufacturing equipment, electronic test equipment, propellants and their precursors, lubricants and lubricant additives, bearings, advanced optical systems, and navigation instruments (such items, “Covered Items“).

Upon a determination by the Secretary of the Treasury that a foreign financial institution has engaged in one or more of the sanctionable transactions described above, OFAC can (1) impose full blocking measures on the institution or (2) prohibit the opening of, or prohibit or impose strict conditions on the maintenance of, correspondent accounts or payable-through accounts in the United States.  Such measures are a potentially powerful deterrent to engaging in dealings involving Covered Persons or Covered Items as the potential consequence of such a transaction (i.e., imposition of blocking sanctions or loss of access to the U.S. financial system) is tantamount to a death sentence for a globally connected bank.

Critically, these new Russia-related secondary sanctions do not require that a foreign financial institution knowingly engage in such a transaction.  This departs from the language that OFAC has historically used when crafting thresholds needed for the imposition of secondary sanctions.  Provided that OFAC’s traditional multi-factor test for whether a transaction is “significant” is met, the prospect of strict liability secondary sanctions risk—which is entirely new in U.S. sanctions—will undoubtedly alter the diligence and risk calculus for financial institutions that may still be dealing in legally permitted Russia-related trade.

Compounding the potential compliance challenges for foreign financial institutions, E.O. 14114 appears to create an extraterritorial U.S. export control-like regime in the guise of secondary sanctions.  Financial institutions, including foreign financial institutions, are already subject to a certain degree of compliance obligations under U.S. export control laws when it comes to knowingly facilitating prohibited trade in items that are subject to U.S. export controls.  However, with the issuance of E.O. 14114, these entities now risk losing access to the U.S. financial system for even inadvertently engaging in a transaction involving Covered Items—regardless whether such items are subject to a U.S. export licensing requirement—destined for Russia.

E.O. 14114 will likely cause many foreign financial institutions to reexamine their risk appetite and related controls when it comes to trade-related activity involving Russia.  As a practical matter, many foreign banks, confronted with the prospect of U.S. secondary sanctions exposure and the considerable due diligence challenge of assessing whether a particular transaction might implicate Russia’s military-industrial base, may end up erring on the side of overcompliance by declining to engage in otherwise lawful dealings involving Russia.

G. Import Prohibitions

Consistent with a whole-of-government approach to limiting Russian revenue, the United States, the European Union, and the United Kingdom expanded prohibitions on the importation into their respective territories of certain Russian-origin goods—principally consisting of items closely associated with Russia or that otherwise have the potential to generate hard currency for the Kremlin.

During the initial year of the war in Ukraine, the Biden administration used this particular policy tool to bar imports into the United States of certain energy products of Russian Federation origin, namely crude oil, petroleum, petroleum fuels, oils, and products of their distillation, liquified natural gas, coal, and coal products; followed by fish, seafood, alcoholic beverages, non-industrial diamonds; and eventually gold.  As with other Russia-related sanctions authorities, the Secretary of the Treasury has broad discretion under Executive Order 14068 to, at some later date, extend the U.S. import ban to additional Russian-origin goods.

The United States initially excluded from its import bans Russian-origin goods that have been incorporated or substantially transformed (i.e., fundamentally changed in form, appearance, nature, or character) into another product in a third country.  However, in December 2023, in tandem with the new Russia-related secondary sanctions described above, President Biden amended Executive Order 14068 to authorize the Secretary of the Treasury to prohibit the importation into the United States of certain products that have been mined, extracted, produced, or manufactured wholly or in part in the Russian Federation, or harvested in waters under the jurisdiction of the Russian Federation or by Russia-flagged vessels, regardless whether such specified products have been incorporated or substantially transformed into other products outside of Russia.  Acting pursuant to this authority, OFAC issued a determination barring the importation into the United States of foreign-made goods that contain any amount of Russian-origin salmon, cod, pollock, or crab, and indicated that a similar prohibition on importing certain Russian diamonds processed in third countries is expected to follow soon.  Similarly, the European Union and the United Kingdom adopted an import ban on iron and steel products processed in a third country using Russian iron or steel products.  Such enhanced import prohibitions on a narrow subset of products (i.e., certain fish, certain diamonds, iron and steel products) will likely present considerable practical challenges—similar to the Uyghur Forced Labor Prevention Act with respect to goods linked to China’s Xinjiang Uyghur Autonomous Region—for importers who may now be required to demonstrate that their supply chains do not, directly or indirectly, trace back to Russia.

The European Union and the United Kingdom during 2023 also expanded the range of Russian goods subject to more traditional import prohibitions.  Notable additions include diamonds and various metals, delivering a further blow to the Kremlin’s ability to finance its war in Ukraine and other destabilizing activities globally.

H. Possible Further Trade Controls on Russia

Leading democracies in 2023 continued to expand the dizzying array of trade restrictions imposed on Russia.  While the coalition has not yet exhausted its policy toolkit, barring dramatic developments on the ground, the coming year appears likely to be defined by a further tightening of restrictions on Moscow.

Policymakers in Washington, London, and other allied capitals appear poised to continue aggressively blacklisting third-country sanctions and export controls evaders.  To stanch the flow of sensitive components to the Russian military, the coalition may further expand its common list of high-priority items to subject additional goods to heightened scrutiny.  The United States could also leverage its new Executive Order 14114 to secondarily sanction one or more foreign financial institutions—severing their access to mainstream finance—as a warning to other banks considering engaging with Russia’s military-industrial base.

More severe measures—such as blocking sanctions on the Government of the Russian Federation or conceivably a complete embargo on Russia like the U.S. measures that presently apply to Cuba, Iran, North Korea, Syria, and certain Russian-occupied regions of Ukraine—also remain available.  However, in light of wavering political support for Kiev in some allied capitals, a seeming stalemate on the battlefield, and the imperative of maintaining stable energy prices, such restrictions appear unlikely to be imposed in the near term absent a complete breakdown in relations with Moscow.

II. U.S. Trade Controls on China

Despite the continuing challenge posed by Russia, the year in trade was largely defined by the deepening economic, technological, and security rivalry between the United States and China.  Following a year marked by high tensions over Taiwan and a near-total breakdown in communications, relations between Washington and Beijing gradually stabilized in 2023, culminating in a long-awaited summit at which President Biden and China’s President Xi Jinping pledged to responsibly manage competition between the two superpowers.

That brief moment notwithstanding, U.S. officials from across the political spectrum continue to view China—with its rapidly advancing military and technological capabilities, state-led economy, and troubling human rights record—as the “pacing challenge” for U.S. national security.  To meet that perceived threat, the United States during 2023 again pushed the limits of economic statecraft by expanding export controls on semiconductors and supercomputers, vigorously enforcing import prohibitions on goods linked to forced labor, heavily subsidizing domestic manufacturing, scrutinizing inbound Chinese investments, and for the first time ever putting into place a system that will restrict outbound investments into certain sensitive technologies.  With U.S. elections in November 2024 and bipartisan consensus on the perceived strategic threat that China poses to the United States and its allies, the pace of new trade controls on China seems unlikely to slow any time soon.  One of the only questions is whether Congress or the Executive will take the lead.

A. Export Controls

Despite a mild thawing in U.S.-China relations following the November 2023 summit between Presidents Biden and Xi, controlling the manufacture and supply of certain advanced technologies remained a core feature of U.S. trade policy toward Beijing.  During 2023, the United States aggressively employed a range of export control measures to slow China’s technological development, including further restricting exports of certain advanced semiconductors and supercomputers, adding over 100 Chinese organizations to BIS’s Entity List, and using the threat of further additions to the Entity List to incentivize Chinese firms (and the Chinese government) to permit timely end-use checks on authorized exports.

1. Expanded Controls on Semiconductors and Supercomputers

On October 17, 2023, the U.S. Department of Commerce’s Bureau of Industry and Security announced two new interim final rules updating and expanding certain export controls targeting advanced computing integrated circuits (“Advanced ICs”), computer commodities that contain such Advanced ICs, and certain semiconductor manufacturing equipment (“SME”).  These two interim final rules build upon the groundbreaking and extensive unilateral controls implemented by the United States in October 2022.  Detailed descriptions of the original and expanded controls can be found in our client alerts published in October 2022, February 2023, and October 2023.

The October 2023 interim final rules are designed to strengthen, expand, and reinforce the original October 2022 rules, which curtailed China’s ability to purchase and manufacture Advanced ICs for use in advanced weapon systems and other military applications of artificial intelligence (“AI”), products that enable mass surveillance, and other technologies used in the abuse of human rights.  Broadly speaking, the new interim final rules impose controls on additional types of SME, refine the restrictions on U.S. persons to ensure U.S. companies cannot provide support to advanced SME in China, expand license requirements for the export of SME to apply to additional countries, adjust the licensing requirement criteria for Advanced ICs, and impose new measures to address risks of circumvention of the controls by expanding them to additional destinations.

Perhaps the most significant development in the new interim final rules is the expansion of certain controls to destinations beyond China (including the Hong Kong special administrative region) and the Macau special administrative region.  Namely, the interim final rule on advanced computing items and supercomputer and semiconductor end uses expands the previous controls to 21 other destinations for which the United States maintains an arms embargo (i.e., so-called Country Group D:5 countries) and revises a previously imposed foreign direct product rule targeting non-U.S.-origin products used in advanced computing and supercomputers to apply to these same Country Group D:5 destinations.  Similarly, the interim final rule on SME items expands the relevant controls to an additional 44 destinations (i.e., all destinations specified in Country Groups D:1, D:4, and D:5, excluding Cyprus and Israel).  The expanded destination scope of these rules is intended to account for the possibility that counterparties located in these jurisdictions might try to obtain these highly controlled items for end users in other destinations and to apply the prohibitions to the longer list of countries that the United Nations and the United States have identified as posing heightened risks.

Apart from expanding the territorial application of the previous rules, the two interim final rules similarly refine the item-specific Export Control Classification Numbers (“ECCNs”) subject to the heightened controls.  BIS abandoned the previous ECCN 3B090 introduced in the October 2022 version of the regulations and instead determined that identifying specific SME for control in ECCNs 3B001 and 3B002 represents a more manageable arrangement.  BIS also refined the Advanced ICs captured under existing controls by adding a new “performance density” parameter to prevent users from purchasing and combining a large number of smaller datacenter AI chips to equal the computing power of more powerful chips already restricted under the previous controls.  And BIS added new “.z” paragraphs to ECCNs 3A001, 4A003, 4A004, 4A005, 5A002, 5A004, 5A992, 5D002, and 5D992 to enable exporters to more easily identify products that incorporate Advanced ICs and items used for supercomputers and semiconductor manufacturing that meet or exceed the newly refined performance parameters.

Some of the most far-reaching restrictions contained in the October 2022 controls are the restrictions BIS placed on U.S. person support for the development and production of Advanced ICs and SME in specified jurisdictions, even when such activities did not involve items subject to the U.S. Export Administration Regulations (“EAR”).  In the interim final rules, BIS both clarified and expanded these prohibitions, while codifying some of the guidance previously provided in the agency’s October 2022 Frequently Asked Questions.  Specifically, BIS broadened these controls to extend to U.S. person support for development or production of Advanced ICs and SME at any facility of an entity headquartered in, or whose ultimate parent company is headquartered in, either Macau or a country subject to a U.S. arms embargo where the production of Advanced ICs occurs (i.e., Country Group D:5 countries).  At the same time, BIS clarified that its facility-focused support prohibition is intended to include facilities engaged in all phases of production, including where important late-stage product engineering or early-stage manufacturing steps, among others, may occur.  However, BIS narrowed its facility-based prohibition in one important respect, by limiting the scope of the restrictions to exclude “back-end” production steps such as assembly, testing, or packaging steps that do not alter the technology level of an Advanced IC.  Importantly, BIS also added an exclusion to the new restrictions for U.S. persons employed or working on behalf of a company headquartered in the United States or a closely allied country (i.e., destinations specified in Country Group A:5 or A:6) and not majority owned by an entity that is headquartered in Macau or a destination specified in Country Group D:5.

In conjunction with BIS’s expanded destination and item-based licensing requirements, BIS issued two new temporary general licenses, valid through the end of 2025, that authorize companies headquartered in the United States and closely allied countries to continue shipping less sensitive items to certain facilities in Country Group D:1, D:4, and D:5 locations.  These authorizations appear to be driven by a U.S. policy interest in enabling such companies to continue using facilities located in a restricted destination to perform more limited manufacturing tasks such as assembly, inspection, testing, quality assurance, and distribution in order to allow additional time for Advanced IC and SME producers located in the United States and closely allied countries to identify alternative supply chains outside of these more-restricted destinations.

BIS also created a new license exception—Notified Advanced Computing (“NAC”)—that authorizes exports of certain less-powerful Advanced ICs and associated items to Country Group D:1, D:4, and D:5 destinations.  For items ultimately intended for Macau or a destination specified in Country Group D:5, advanced notice and approval from BIS is required, a process that enables BIS to monitor and track which end users are seeking these Advanced ICs and for what purpose.  In particular, at least 25 days prior to any export or reexport to Macau or a destination specified in Country Group D:5, an application must be submitted via BIS’s Simplified Network Application Process Redesign (“SNAP-R”) system.  BIS will review any such applications and render a decision within the allotted 25 days as to whether the use of License Exception NAC is permitted.  The export must also be made pursuant to a written purchase order, unless the export is for commercial samples, and cannot involve any prohibited end users or end uses (including “military end users” or “military end uses,” as defined in the EAR).  Exporters are also required to report their use of License Exception NAC in their export clearance filings (i.e., electronic export information, or EEI, filings).

Although the two new interim final rules provide much-needed guidance, they also make it evident that BIS has high expectations for the private sector to be at the forefront of handling complex due diligence.  Given the need to review multiple information sources, even including a counterparty’s aspirational development or production of technology, this type of screening is especially difficult to automate, and companies with relevant products will need to expend more compliance resources to fully address BIS’s heightened diligence expectations.

In December 2023, BIS released limited guidance concerning the application of these new interim final rules, including the process for calculating “performance density” used to determine the threshold for Advanced ICs, the information needed for the use of License Exception NAC, the scope of the new temporary general licenses, and clarifications on the new exclusions from prohibited U.S. person activities.  However, based upon the number and variety of requests for public comment included in the two interim final rules, further refinements and possible future expansions of these controls appear likely.  BIS specifically requested public comments on a number of issues implicated by the interim final rules, including the impact of potential controls on datacenter infrastructure-as-a-service offerings for AI training and suggestions for further refining technical parameters to distinguish Advanced ICs and computers commonly used for small- or medium-scale training of AI foundational models from those used for large AI foundational models with different capabilities of concern.

Apart from the imposition of new unilateral controls, the Biden administration continues to engage in extensive diplomatic efforts to encourage closely allied countries to adopt similar controls on chip-making equipment.  In advance of any nascent multilateral regimes, the new export controls imposed by the United States reflect an effort to minimize some of the known collateral impacts that current unilateral controls could have on international trade flows, especially on the Advanced IC and SME supply chains of U.S. and allied country companies, and to encourage a collective “friend-shoring” of U.S. and allied country supply chains for critical technologies.  To what extent such efforts will hinder or help the development of additional multilateral controls remains to be seen, though recent actions by the Japanese and Dutch governments to implement limited though still meaningful controls on Advanced ICs and SME supply chains indicate some initial success in the United States’ efforts to expand the new controls across multiple jurisdictions.

2. China-Related Entity List and Military End-User List Designations and Removals

In addition to novel measures such as stringent controls on semiconductors and supercomputers, the Biden administration over the last several years has used traditional export controls such as the Entity List to target China-based organizations.  As noted in our 2022 Year-End Sanctions and Export Controls Update, the expanding size, scope, and profile of the Entity List now rivals OFAC’s SDN List as a tool of first resort when U.S. policymakers seek to exert strategic pressure, especially against significant economic actors in major economies.  2023 saw a solidification of this trend.  The United States made extensive use of the Entity List throughout the past year, designating over 150 Chinese entities—more than double the number of Chinese entities added to the same list in 2022.

Entities can be designated to the Entity List upon a determination by the interagency End-User Review Committee (“ERC”)—which is composed of representatives of the U.S. Departments of Commerce, State, Defense, Energy and, where appropriate, the Treasury—that the entities pose a significant risk of involvement in activities contrary to the national security or foreign policy interests of the United States.  Much like being added to the SDN List, the level of evidence needed to be included on the Entity List is minimal and far less than the “beyond a reasonable doubt” standard that U.S. courts use when assessing guilt or innocence.  Despite this, the impact of being included on the Entity List can be catastrophic.  Through Entity List designations, BIS prohibits the export of specified U.S.-origin items to designated entities without BIS licensing.  With respect to potential licensing for Entity List exports, BIS will typically announce either a policy of denial or ad hoc evaluation of license requests.  The practical impact of any Entity List designation varies in part on the scope of items BIS defines as subject to the new export licensing requirement, which could include all or only some items that are subject to the EAR.  Those exporting to parties on the Entity List are also precluded from making use of any BIS license exceptions.  However, because the Entity List prohibition applies only to exports of items that are “subject to the EAR,” even U.S. persons are still free to provide many kinds of services and to otherwise continue dealing with those designated in transactions that occur wholly outside of the United States and without items subject to the EAR.  (This is one of the key ways in which the Entity List differs from the SDN List.)

The ERC has over the past several years steadily expanded the bases upon which companies and other organizations may be designated to the Entity List.  In many cases over the past year, BIS turned to conventional reasons for designating Chinese entities such as their providing support for China’s military modernization efforts, attempting to divert or reexport goods to restricted parties, or enabling cybersecurity activities deemed threatening to U.S. national security.  Other designations, however, relied on more specific justifications, often in response to current events, such as the designation of six Chinese entities in February 2023 for supporting the People’s Liberation Army’s “aerospace programs including airships and balloons and related materials and components” following public outcry over Chinese high-altitude balloons flying over North American airspace.  More in line with designations from the past several years, the ERC in March 2023 added several entities to the Entity List for their alleged involvement in human rights violations such as high-tech surveillance of minority groups in China’s Xinjiang Uyghur Autonomous Region.  Other Chinese entities were designated in June 2023 for providing “cloud-based supercomputing capabilities” in support of hypersonics research conducted by China’s military, while an additional 13 entities were designated in October 2023 for their involvement with the development of Advanced ICs.

Notably, during 2023 no new Chinese entities were added to BIS’s non-exhaustive Military End-User (“MEU”) List, which was developed to help exporters determine which organizations in Belarus, Burma, Cambodia, China, Russia, or Venezuela are considered “military end users” for which an export license may be required.  However, one previously designated entity, China-based Zhejiang Perfect New Material Co., Ltd, was removed from the MEU List in September 2023 following a request for removal submitted to BIS—suggesting that, although the process can be long and cumbersome for the targeted entity, BIS is still actively considering petitions for removal, even when such entities are located in sensitive jurisdictions.

3. China-Related Unverified List Designations and Removals

As in previous years, BIS made use of the Unverified List throughout the year to incentivize named entities to comply with robust end-use checks.  A foreign person may be added to the Unverified List when BIS (or U.S. Government officials acting on BIS’s behalf) cannot verify that foreign person’s bona fides (i.e., legitimacy and reliability relating to the end use and end user of items subject to the EAR) in the context of a transaction involving items subject to the EAR.  This situation may occur when BIS cannot satisfactorily complete an end-use check, such as a pre-license check or a post-shipment verification, for reasons outside of the U.S. Government’s control.  Any exports, reexports, or in-country transfers to parties named on the Unverified List require the use of an Unverified List statement, and Unverified List parties are not eligible for license exceptions under the EAR that would otherwise be available to those parties but-for their designation to the list.

Notably, BIS in October 2022 implemented a new two-step process whereby companies that do not complete requested end-use checks within 60 days will be added to the Unverified List.  If companies are added to the Unverified List due to the host country’s interference, after a subsequent 60 days of the end-use check not being completed, such companies will be moved from the Unverified List to the more restrictive Entity List.  That process is designed to further incentivize targeted entities—and, at least in the case of China, their home governments—to permit BIS end-use checks to proceed in a timely manner as cooperative entities can be rewarded with removal from the Unverified List and uncooperative entities risk becoming subject to even more stringent controls.

This seemingly subtle policy change appeared to pay dividends during 2023 as a total of 32 entities from China were removed from the Unverified List in August and December 2023, and continuing in January 2024, after BIS was able to verify their bona fides through an end-use check—suggesting a willingness on the part of Chinese authorities to change their behavior to retain access to U.S.-origin items.

B. Uyghur Forced Labor Prevention Act

2023 marked the first full year of enforcement of the Uyghur Forced Labor Prevention Act (“UFLPA”).  As we describe in a prior client alert, that groundbreaking law, which took effect in June 2022, establishes a rebuttable presumption that all goods mined, produced, or manufactured even partially within China’s Xinjiang Uyghur Autonomous Region (“Xinjiang”), or by entities identified on the UFLPA Entity List, are the product of forced labor and are therefore barred from entry into the United States.  After a year of active enforcement by U.S. Customs and Border Protection (“CBP”), recent calls from Congress to further strengthen and expand enforcement signal a continued focus on the UFLPA in the year ahead.

Despite criticisms that progress has been too slow, in 2023 the U.S. Government made notable additions both to CBP’s list of high-risk commodities for priority UFLPA enforcement, as well as to the UFLPA Entity List maintained by the U.S. Department of Homeland Security (“DHS”).  CBP’s release of a document attached to UFLPA detention notices confirmed an expansion of scrutiny from products previously identified as high-risk (i.e., tomatoes, cotton, polysilicon, polyvinyl chloride, and aluminum) to now include batteries, tires, and steel products.  These newly added targets, which appear to have stemmed from private sector research published in late 2022 on possible links to Xinjiang in automotive supply chains, highlight continuing close coordination between DHS and the non-governmental and academic communities in identifying risks and specific parties of concern.  Throughout 2023, the interagency Forced Labor Enforcement Task Force, led by DHS, also added 10 entities (and some of their subsidiaries) to the UFLPA Entity List.  One of these entities, Ninestar Corporation, has since challenged its designation before the U.S. Court of International Trade, citing a lack of information provided by DHS regarding the reasons for its listing.  The outcome of that case could have broader implications for the type and extent of information that agencies are required to provide to individuals and entities that are added to U.S. Government restricted party lists.

Notably, CBP sought to increase transparency regarding UFLPA enforcement, and published additional guidance to importers concerning the law’s broad standards and high bar for challenging potential detentions at U.S. ports.  The launch of the UFLPA Statistics Dashboard on CBP’s website in March 2023 has provided key insights into the number, value, and type of shipments detained under the UFLPA to date.  As of November 2023, over 6,000 shipments had been detained under the UFLPA, valued at more than $2.2 billion.  Despite the UFLPA’s focus on and close association with China, the majority of goods detained to date have somewhat surprisingly originated from countries other than China, including Malaysia, Vietnam, and Thailand.  This serves as an important reminder both of transshipment risk given today’s global supply chains and the critical role of Chinese materials in supply chains of companies throughout the world and especially in Southeast Asia.

CBP statistics further reveal that slightly more than half of all shipments detained to date under the UFLPA have ultimately been released into the United States.  In light of the lack of reporting to Congress of any granted “exceptions” to the UFLPA’s rebuttable presumption, as required by the statute, these releases appear to all be the result of successful “applicability reviews.”  CBP published guidance in February 2023 on the applicability review process, in which importers submit evidence that a given shipment is outside of the scope of the UFLPA altogether, and thus the rebuttable presumption does not apply (i.e., the goods are not mined, produced, or manufactured wholly or in part in Xinjiang or by an entity on the UFLPA Entity List).  That guidance, which indicates importers must be able to submit evidence tracing their supply chains back to the raw materials, highlights the need for robust supply chain due diligence programs and the development of novel recordkeeping and contracting tools that enable buyers of goods to extend their supply chain tracing well beyond the first tier of suppliers.  Although the UFLPA has its roots in Great Depression-era legislation that first restricted the importation into the United States of goods linked to forced labor, the UFLPA remains a relatively new human rights policy tool that appears ripe for further guidance and vigorous enforcement during the year ahead.

C. Industrial Policy

In a sea change from longstanding U.S. aversion to state industrial policy, the United States continued to embrace a protectionist-leaning “modern industrial and innovation strategy” to counteract China’s influence on the world stage.  After the U.S. Congress adopted two massive legislative packages—the CHIPS and Science Act of 2022 (the “CHIPS Act”) and the Inflation Reduction Act of 2022 (the “IRA”)—that direct billions of dollars toward boosting domestic manufacturing, in 2023 the Biden administration began implementing these laws by issuing multiple sets of regulations defining which parties are (and are not) potentially eligible to receive U.S. subsidies, in each case with an eye toward preventing taxpayer dollars from flowing to China.

The CHIPS Act provides over $50 billion in incentives for semiconductor manufacturers to invest in production capacity in the United States.  Notably, those incentives can be clawed back if manufacturers violate so-called guardrails, mandated by Congress, barring certain investments in “countries of concern,” namely China, Russia, Iran, and North Korea.  In September 2023, the U.S. Department of Commerce issued a final rule implementing the CHIPS Act national security guardrails.  Among other things, the rule bars recipients of CHIPS Act funding, for 10 years from the date of award, from expanding production facilities in countries of concern by 10 percent or more for legacy chips, and by 5 percent or more for chips that are advanced or critical to U.S. national security.  The rule also defines the categories of joint research and technology licensing that are prohibited under the CHIPS Act to include most activities involving entities owned or controlled by a country of concern, as well as entities identified on BIS’s Entity List and OFAC’s Non-SDN Chinese Military-Industrial Complex Companies (“NS-CMIC”) List.  From a policy perspective, the CHIPS Act guardrails are designed to prevent taxpayer-funded incentives from accruing to the benefit of China’s semiconductor industry and, over time, shift the geography of semiconductor manufacturing activities away from China and toward the United States and other friendly jurisdictions.

In a parallel effort to relocate electric-vehicle (“EV”) supply chains from China to the United States, the Inflation Reduction Act includes billions of dollars in subsidies for EVs assembled in North America—a move that has rankled close U.S. allies in Europe who have criticized the measure as protectionist and discriminatory against European goods.  Among other limitations, the IRA stipulates that, to be eligible for an up to $7,500 tax credit, an EV must undergo final assembly in North America, a certain percentage of the critical minerals in the vehicle’s battery must be extracted or processed in the United States or in a country with which the United States has a free trade agreement, and the vehicle’s battery cannot contain any components manufactured in certain countries of concern such as China.  To assuage allied concerns regarding the IRA, the United States in March 2023 entered into a critical minerals agreement with Japan, and is presently negotiating similar agreements with the European Union and the United Kingdom, which could enable companies based in those jurisdictions to benefit from U.S. electric-vehicle subsidies.  Meanwhile, the U.S. Department of the Treasury in December 2023 issued a notice of proposed rulemaking further defining which EVs are potentially ineligible for U.S. subsidies by virtue of their ties to China.  These developments, taken together, suggest a willingness on the part of the Biden administration to implement and interpret the IRA in a manner that simultaneously advantages core U.S. allies and withholds benefits from Beijing.

D. Investment Restrictions

In conjunction with export controls, the Biden administration, acting through the Committee on Foreign Investment in the United States (“CFIUS” or the “Committee”), continued to closely scrutinize acquisitions of, and investments in, U.S. businesses by Chinese investors.  As discussed more fully in Section V.A, below, CFIUS appears to be especially focused on identifying non-notified transactions involving Chinese acquirors (i.e., transactions that have already been completed and which were not brought to CFIUS’s attention), including through use of the Committee’s increased monitoring and enforcement capabilities.

During calendar year 2022, the most recent period for which data is available, Chinese investors once again eschewed the CFIUS short-form declaration process, filing only 5 declarations and 36 notices.  Those figures are generally consistent with the period from 2020 to 2022.  This apparent preference of Chinese investors to forgo the short-form declaration in favor of the prima facie lengthier notice process may indicate a calculus that, amid U.S.-China geopolitical tensions, the likelihood of the Committee clearing a transaction involving a Chinese investor through the scaled-down declaration process is quite low.

In addition to the Committee’s purview over inbound investments, the Biden administration in August 2023 issued a long-awaited Executive Order and Advance Notice of Proposed Rulemaking (“ANPRM”) outlining proposed restrictions on outbound investment by U.S. persons in certain mainland China, Hong Kong, and Macau entities.  As discussed in Section VI, below, while there remains significant uncertainty surrounding the timing and contours of an eventual final rule, the Biden administration proposal in its current form would significantly restrict U.S. investments in certain sectors of China’s economy deemed critical to U.S. national security, including artificial intelligence, semiconductor manufacturing, and quantum information technologies.  Such restrictions are highly novel and a significant departure from historical practice.

E. Possible Further Trade Controls on China

The Executive branch was not alone in pushing for stringent new trade controls on China.  The U.S. Congress throughout 2023 continued to churn out legislation and policy proposals to govern the U.S.-China economic relationship—some of which enjoy strong bipartisan support.  At the start of the year, the U.S. House of Representatives created the Select Committee on the Strategic Competition Between the United States and the Chinese Communist Party (the “Select Committee”) to “investigate and submit policy recommendations on the status of the Chinese Communist Party’s economic, technological, and security progress and its competition with the United States.”  The Select Committee’s top Republican and Democratic members have tackled issues relating to China in a notably bipartisan manner compared to the rest of the House, including in December 2023 issuing a report with almost 150 policy recommendations to “fundamentally reset the United States’ economic and technological competition with the People’s Republic of China.”  The committee’s recommendations include, among others:

  • Preventing reliance on China for advanced technology and reducing China’s access to the U.S. market by authorizing the President to ban certain Chinese-produced technology products; banning Chinese-owned social media; and funding “rip-and-replace” efforts to remove products from Chinese-owned telecommunications vendors from U.S. networks;
  • Restricting U.S. outbound investment in more sectors than are presently covered by President Biden’s August 2023 Executive Order and limiting market access for companies from foreign adversary countries by requiring them to make human rights certifications;
  • Strengthening export controls by providing BIS increased resources and extending export licensing requirements to entities that are majority owned by one or more parties identified on BIS’s Entity List—similar to OFAC’s Fifty Percent Rule; and
  • Empowering CFIUS to review greenfield investments and joint ventures involving foreign adversary entities, streamlining the Committee’s review of transactions from allied countries, and allowing the Committee to re-open mitigated transactions.

Although it is challenging for a closely divided and highly partisan Congress to negotiate and pass legislation—and there is little time left before members’ attention turns to the November 2024 election—the Select Committee’s bipartisan imprimatur could give these recommendations traction in the Republican-led House, but probably not in the Democratically controlled Senate.  Even if not enacted this year, the Select Committee’s recommendations offer hints as to the future direction of U.S. policy toward Beijing, especially if the Senate flips to Republican control after the next election.  Accordingly, before further engaging with China, multinational enterprises may wish to consider the potential impact of these proposals on their business should Congress or the Executive branch decide to act on them in the coming months.

III. U.S. Sanctions

Although Russia and China dominated U.S. trade policy for much of the past year, OFAC remained extraordinarily active on other fronts—including modulating U.S. sanctions on Venezuela, Iran, Myanmar, and Sudan; leveraging U.S. counter-terrorism sanctions authorities in response to the Hamas attack on Israel in October and follow-on violence perpetrated by various Iranian proxies; heavily focusing on the virtual currency sector; and bringing record-setting enforcement actions.

A. Venezuela

Following the signing of an electoral roadmap between Venezuela’s opposition and the regime of President Nicolás Maduro, the Biden administration in October 2023 announced a significant relaxation of U.S. sanctions on Venezuela.  That easing of restrictions on Caracas, however, did not last long as the United States soon reversed course and partially revoked sanctions relief in January 2024 following democratic backsliding by Maduro.

As we describe in a prior client alert, the broad package of measures unveiled in October 2023—which eased restrictions on Venezuela’s oil and gas sector, gold sector, and secondary trading in certain Government of Venezuela securities—marked a seismic shift from the “maximum pressure” campaign that since 2019 has prohibited virtually all U.S. nexus dealings involving key sectors of Venezuela’s energy-driven economy.  From a policy perspective, such incremental, and in some cases time-limited, sanctions relief was calculated to incentivize the Maduro regime to take concrete steps toward the restoration of Venezuelan democracy with an eye toward holding a free and fair presidential election in late 2024.

Among the measures announced in October 2023, the most impactful was Venezuela General License 44 which authorizes U.S. persons, until April 18, 2024, to engage in all transactions related to oil or gas sector operations in Venezuela, including transactions involving state-owned oil giant Petróleos de Venezuela, S.A. (“PdVSA”), subject to certain conditions.  Crucially, that general license sets forth a non-exhaustive list of authorized activities that includes:  (1) the production, lifting, sale, and exportation of oil or gas from Venezuela, and the provision of related goods and services; (2) payment of invoices for goods or services related to oil or gas sector operations in Venezuela; (3) new investment in oil or gas sector operations in Venezuela; and (4) delivery of oil and gas from Venezuela to creditors of the Government of Venezuela, including creditors of PdVSA entities, for the purpose of debt repayment.

In addition to easing sanctions on Venezuelan oil and gas, the Biden administration further broadened the Maduro regime’s access to potential sources of hard currency by easing sanctions on Venezuela’s gold sector.  In particular, OFAC issued—and, again, later revoked—a general license authorizing most U.S. nexus transactions involving Venezuela’s state-owned gold mining company, CVG Compania General de Mineria de Venezuela CA (“Minerven”), and its majority-owned entities.  In a key development for investors and financial institutions, OFAC also amended a pair of general licenses to authorize U.S. persons to both sell and purchase certain specified Venezuelan sovereign bonds and specified PdVSA debt and equity, thereby permitting secondary trading in previously restricted Government of Venezuela securities.

The easing of U.S. sanctions on Venezuela was noteworthy both for its breadth and for the fact that much of the relief extended to Caracas rested on a promise by the Maduro regime to take further steps toward the restoration of Venezuelan democracy.  When the regime failed to uphold its end of the bargain, including by refusing to lift a ban on a leading presidential candidate holding public office, the U.S. Government quickly revoked the general license that had authorized dealings involving the gold mining company Minerven—and indicated that, absent a change in behavior by the Maduro regime, the more economically consequential general license authorizing U.S. nexus dealings involving the country’s oil or gas sector could soon meet a similar fate.  As of this writing, the U.S. sanctions relief extended to Venezuela just months ago appears highly tenuous and could be revoked in its entirety in coming months—potentially causing whiplash for investors that had begun to explore collecting on old debts, and launching new energy ventures, involving Venezuela.

B. Iran

Relations between the United States and Iran took a sharp downward turn during 2023.  After starting the year engaged in indirect talks over a possible return to the Joint Comprehensive Plan of Action (“JCPOA”)—the 2015 Iran nuclear agreement that the Trump administration renounced and exited in 2018—tensions between Washington and Tehran spiked following the October 2023 attack by the Iranian-supported Hamas terrorist group that claimed 1,200 civilian lives and spurred an Israeli ground invasion of the Gaza Strip.  As a Middle East-wide network of Iran-backed militias dubbed the “axis of resistance,” including Hamas, Hezbollah, and the Houthis, continued to mount attacks across the region—including at least one lethal assault on U.S. troops—debate quickly turned to whether the United States and Iran might come to blows.  As these developments unfolded, the Biden administration announced new sanctions designations targeting Iran’s UAV and ballistic missile program, petroleum and petrochemicals trade, hostage taking, and domestic repression; revoked Iranian access to funds that had been set aside for humanitarian trade; and prepared to levy further sanctions following a wave of deadly attacks by Iranian proxies.

Throughout 2023, OFAC continued to aggressively use its targeting authorities to add individuals and entities complicit in Iran’s destabilizing activities to the SDN List.  Frequent targets of Iran-related sanctions designations included parties allegedly involved in:

Although the United States continued to modestly increase sanctions pressure on Iran even as the two sides negotiated over the JCPOA, including completing a September 2023 prisoner swap, relations between Washington and Tehran deteriorated following Hamas’s attack on Israel.  The Biden administration quickly suspended a humanitarian trade channel that would have granted Iran limited access to $6 billion held in a restricted account in Qatar.  OFAC also stepped up the pace of new sanctions designations, with a particular emphasis on targeting individuals and entities associated with Iranbacked militant groups.  As the Biden administration began to militarily respond to the January 2024 attack by an Iran-aligned group that left three U.S. soldiers dead, and continued leading multinational efforts against the Houthis’ attacks on Red Sea shipping, the security situation in the Middle East remains highly fluid.  In coming weeks and months, the United States appears highly likely to further accelerate the pace of Iran-related designations and could, in an effort to constrict Tehran’s sources of funding and support, begin imposing secondary sanctions on non-U.S. parties that knowingly engage in significant transactions involving Iran.

C. Myanmar

Since seizing power in a February 2021 coup, the military junta in Myanmar (also called “Burma”) has wreaked havoc on the country’s civilian population through a brutal campaign of repression, including airstrikes.  As the humanitarian situation continued to deteriorate, the United States in 2023 moved to restrict the flow of materiel and funding to the Myanmar military (known as the “Tatmadaw”), including by targeting dealings involving jet fuel and imposing limited sanctions on Myanmar’s state-owned energy company.

Over the past several years, U.S. sanctions on Myanmar have increasingly focused on restricting transactions that could enable the Tatmadaw’s human rights abuses.  Continuing this trend, OFAC in March 2023 added to the SDN List numerous individuals and entities involved in the “importation, storage, and distribution of jet fuel to Burma’s military” and concurrently published guidance emphasizing that providing jet fuel to the Tatmadaw could be sanctionable under one or more of the provisions of Executive Order 14014.  These efforts culminated in August 2023 with OFAC’s issuance of a determination authorizing blocking sanctions on persons determined to operate in the jet fuel sector of the Burmese economy, coupled with the designation of two individuals and three entities for their alleged involvement in procuring and distributing jet fuel to Myanmar’s military regime.  OFAC also continued to target the junta itself by imposing blocking sanctions on Myanmar’s Ministry of Defense, as well as on various military and regime officials.

In addition to targeting jet fuel, OFAC sought to limit the junta’s key sources of revenue.  Consistent with sanctions in prior years targeting state-owned enterprises, a round of Burma sanctions in January 2023 included the designation of two state-owned mining companies.  In June 2023, OFAC designated two state-owned financial institutions, Myanma Foreign Trade Bank and Myanma Investment and Commercial Bank, to deprive the regime of access to foreign exchange.  In January 2024, in connection with the third anniversary of the military’s seizure of power, OFAC also added to the SDN List several individuals and entities that have financially enabled the regime, including by purchasing foreign currency on the junta’s behalf.

A recurring focus of speculation since the coup, however, has revolved around whether OFAC might target the state-owned energy company Myanma Oil and Gas Enterprise (“MOGE”), which represents the largest single source of revenue for the military regime and is a critical supplier of energy for Myanmar’s civilian sector as well as the economies of several states in Southeast Asia.  After designating two MOGE directors earlier in the year, OFAC broke new ground in October 2023 by promulgating Directive 1 under E.O. 14014, which prohibits U.S. persons from providing broadly defined “financial services” to or for the benefit of MOGE.  By imposing limited, sectoral sanctions—under which U.S. persons (and non-U.S. persons when engaging in a transaction with a U.S. touchpoint) are prohibited from engaging in only certain narrow types of activities with designated entities—rather than full blocking sanctions, OFAC appears to have been seeking to minimize collateral consequences for the people of Myanmar and its neighbors that would result from targeting an enterprise as large and interconnected as MOGE.  Myanmar now joins a very small group of OFAC sanctions programs—presently Russia, Venezuela, and China—that feature sectoral restrictions.  Following the model of those sanctions programs, it is conceivable that OFAC could in the future further restrict dealings involving Myanmar’s oil and gas sector, as the Trump administration did by escalating from sectoral to full blocking sanctions on Venezuela’s state-owned oil company.

D. Sudan

Since April 2023, two rival military factions in Sudan—the Sudan Armed Forces and the Rapid Support Forces—have waged a brutal civil war that has led to thousands of casualties and displaced millions of people both inside Sudan and outside the country.  Following the outbreak of fighting, President Biden in May 2023 issued Executive Order 14098, which authorizes OFAC to impose blocking sanctions on individuals and entities deemed responsible for undermining Sudan’s democratic transition or exacerbating the country’s instability.  OFAC to date has announced five rounds of sanctions designations pursuant to this new authority, targeting parties on both sides of the conflict, including high-ranking military and government officials for allegedly fueling the conflict in Sudan or perpetrating human rights abuses.

Crucially, despite the new Executive Order and recent additions to the SDN List, the United States has not re-imposed comprehensive sanctions on Sudan.  Those original measures were lifted in October 2017 in response to apparent moves toward democracy.  As such, the few U.S. sanctions on Sudan that remain in place principally restrict U.S. nexus dealings involving a small, but growing, number of Sudanese individuals and entities identified on the SDN List, plus such parties’ majority-owned entities.  That said, in light of the politically uncertain climate and potential for further sanctions designations, businesses considering engaging with Sudan may wish to proceed with caution if such activities will involve parties closely associated with Sudan’s military, intelligence, or security services.

E. Counter-Terrorism

Following the October 7, 2023 attack by Hamas terrorists on Israeli civilians, the United States has expansively used its counter-terrorism sanctions authorities to target Iran-backed militant groups.

The Biden administration has on multiple occasions imposed blocking sanctions on individuals and entities associated with Hamas.  Although dealings involving Hamas itself have long been restricted by virtue of that group’s designation as both a Foreign Terrorist Organization (“FTO”) and a Specially Designated Global Terrorist (“SDGT”), recent actions by OFAC—often in coordination with the United Kingdom and other allied states—have chiefly targeted the organization’s alleged financial facilitators.  To minimize the potential collateral consequences of such designations, including the possibility that global banks could de-risk from even lawful transactions involving the Gaza Strip, OFAC in November 2023 published guidance reiterating that numerous general licenses remain available to authorize legitimate humanitarian trade in support of the Palestinian people.

Elsewhere around the region, Ansarallah (commonly known as the “Houthis”)—the Iran-aligned rebel movement that exercises de facto control over northern Yemen—has conducted escalating drone and missile strikes targeting shipping in and around the Red Sea, ostensibly in response to Israel’s ground invasion of Gaza.  In addition to launching a series of coordinated airstrikes with British forces against Houthi targets in Yemen, the United States on January 17, 2024 re-named Ansarallah a Specially Designated Global Terrorist.  The designation, which appears calibrated to impose tangible consequences on an armed group disrupting global shipping without exacerbating the humanitarian situation inside Yemen, is unusual and noteworthy in several key respects:

  • The Houthis had recently been de-listed. Shortly after President Biden assumed office, the U.S. Department of State in February 2021 announced the lifting of the Houthis’ designation as both a Foreign Terrorist Organization and a Specially Designated Global Terrorist.  The Houthis were initially designated during the waning days of the Trump administration, triggering bipartisan concern about deepening the already significant practical challenges of delivering aid to the Yemeni people.
  • In re-designating the Houthis in January 2024, the Biden administration deliberately named the group an SDGT—which subjects the Houthis to full blocking sanctions—without also applying the Foreign Terrorist Organization label. An FTO designation carries far more onerous restrictions, including possible criminal liability for parties that provide “material support” to such a group, that could have deterred humanitarian organizations from providing aid to Yemen.
  • The Houthis’ designation came with a 30-day delay, with restrictions set to take effect on February 16, 2024. U.S. blocking sanctions typically take effect immediately to minimize the risk of asset flight.  The delayed effective date appears calculated to give the Houthis an opportunity and an incentive to halt their attacks on Red Sea shipping.
  • OFAC issued multiple general licenses and published guidance affirming that Yemen is not now, and will not on February 16, 2024 become, subject to comprehensive sanctions—an apparent effort to provide non-governmental organizations comfort to continue providing lawful humanitarian assistance to the Yemeni people.

Whether, and for how long, the Houthis remain a designated terrorist organization will depend on the rapidly shifting security situation in Yemen as the Biden administration has, for now, left the door open to lifting sanctions on the group in the event that their attacks cease.

F. Other Major Sanctions Programs

Although Cuba, North Korea, and Syria remain subject to comprehensive U.S. sanctions—as a result of which U.S. persons are, except as authorized by OFAC, generally prohibited from engaging in transactions with a nexus to those jurisdictions—each of those sanctions programs was comparatively quiet during 2023.  As of this writing, the Biden administration has not announced any new Cuba-related designations or regulatory changes in over a year.  The chief sanctions development out of Syria consisted of the issuance of a since-expired general license and related guidance designed to facilitate the flow of humanitarian aid to the Syrian people following a devastating series of earthquakes in February 2023.  OFAC also continued to, from time to time, designate additional parties for engaging in North Korea-related activities, including generating revenue for Pyongyang, supporting the Kim regime’s weapons programs, and facilitating arms transfers from North Korea to Russia.  However, any one of those three programs could quickly become more active during the coming year—including, for example, if North Korea were to conduct a nuclear test or continue to threaten an assault on South Korea.

G. Crypto/Virtual Currencies

In 2023, OFAC amplified its focus on illicit finance in the virtual currency sector through a mix of new designations to the SDN List and aggressive enforcement actions.  These actions, which build on or otherwise supplement prior designations, suggest OFAC’s continued willingness to target malicious cyber-actors, often in coordination with other U.S. Government agencies and increasingly agencies in allied jurisdictions.

In April 2023, OFAC designated Genesis Market, one of the largest illicit marketplaces for stolen credentials and sensitive data, including email addresses, usernames and passwords, and mobile device identifiers.  In parallel, the U.S. Department of Justice and counterparts abroad announced criminal enforcement actions against Genesis Market users and seized associated domain names to effectively shut down the marketplace.  While Genesis Market was operational, tens of millions of dollars’ worth of virtual currency was reportedly exchanged on the platform.  These U.S. Government actions echo the earlier designation and takedown of Hydra Market, which we describe in our 2022 Year-End Sanctions and Export Controls Update.

In August 2023, OFAC designated one of the co-founders of the virtual currency mixer Tornado Cash—a platform allegedly used by the Lazarus Group, a North Korea state-sponsored hacking group, to launder hundreds of millions of dollars of stolen virtual currency.  The designation was made pursuant to both cyber-related and North Korea-related sanctions authorities on the basis of providing “material support” to the already-sanctioned Tornado Cash and the Lazarus Group.  In coordination, DOJ unsealed an indictment against two Tornado Cash co-founders alleging conspiracy to commit sanctions and anti-money laundering violations.

The Biden administration followed up on those actions in November 2023 by designating Sinbad.io (“Sinbad”), another virtual currency mixer known to be a “key money-laundering tool” of the Lazarus Group used for laundering millions of dollars of ill-gotten virtual currency.  In particular, Sinbad was allegedly used to launder a significant portion of the $100 million in virtual currency stolen in June 2023 in a heist linked to the Lazarus Group.

These designations together suggest that OFAC continues to focus not just on financial criminals, but also the platforms, tools, software, and even algorithms used in those crimes and the creators of such technologies.  Although hacking threats are dispersed throughout the globe, the North Korea-based Lazarus Group has been a recurring feature of OFAC’s cyber-related designations.  It would not be unsurprising if, in coming months, OFAC were to announce additional sanctions designations aimed at further denying the Lazarus Group resources to carry out its malicious activities.

H. OFAC Enforcement Trends and Compliance Lessons

2023 was a historic year for OFAC enforcement as the agency, for the first time ever, imposed a combined $1.5 billion in civil monetary penalties.  Although the number of OFAC enforcement actions resulting in monetary penalties was unexceptional—17 cases is roughly in line with the agency’s long-term average—the size of those penalties was striking.  In just the past year, OFAC levied two of the six largest civil penalties in its history, including a $508 million settlement with a global tobacco company and a record-breaking $968 million settlement with a leading cryptocurrency exchange.

Within OFAC’s enforcement actions for 2023, a few notable trends stand out.  More than half of the agency’s published cases were brought against providers of financial services (6 of 17) or virtual currency services (4 of 17), both of which are likely to remain enforcement priorities during the year ahead.  Moreover, multiple cases—including the two largest penalties imposed by OFAC this past year—involved parallel resolutions with DOJ (and other agencies), suggesting an increased appetite on the part of the U.S. Government for civil and criminal enforcement of U.S. sanctions.

We highlight below the most noteworthy compliance lessons from OFAC’s 2023 enforcement actions, some of which are thematically consistent with prior years and others of which are relatively new.  Many of these takeaways were explicitly communicated by OFAC, which includes a “compliance considerations” section in the web notice for each of its enforcement actions:

  • Non-U.S. companies should ensure that their activities do not “cause” U.S. persons to violate U.S. sanctions restrictions: Per OFAC, non-U.S. companies are on notice of this obligation when they avail themselves of U.S. customers, goods, technology, or services.  Four non-U.S. companies were penalized this past year for “causing” violations, with most alleged to have utilized the U.S. financial system in transactions otherwise involving non-U.S. parties—a common fact pattern in recent years.  Despite criticisms of the arguably extraterritorial reach of actions like these, OFAC has not been shy about bringing them.
  • U.S. parent companies should take steps to ensure that their non-U.S. subsidiaries comply with applicable sanctions restrictions: OFAC has repeatedly recommended that multinational enterprises assess the sanctions risks of their foreign subsidiaries, particularly those operating in high-risk jurisdictions.  The agency has cautioned against pursuing new business overseas without setting up proper compliance controls such as policies for U.S. person directors, officers, and employees to recuse themselves from prohibited activities and whistleblower programs to identify prohibited conduct.
  • Restricted party screening protocols should utilize all available relevant information: In at least six enforcement actions in 2023, across economic sectors, OFAC highlighted the importance of reviewing counterparties’ identifying information both at the outset of the business relationship and on a recurring basis thereafter.  If available, location-related information and documentation—such as Internet Protocol (“IP”) addresses, top-level domains, passports, and customer-provided addresses—is key to effective restricted party screening.
  • Virtual currency companies should incorporate risk-based sanctions compliance at an early stage: OFAC has said that it expects compliance from “day one,” even where a company may still be establishing itself and developing its product offerings.  Moreover, companies are responsible for ensuring the sanctions compliance of the technologies, software, and platforms that they employ, even if those technologies are “autonomous.”  This has ramifications not only for virtual currency companies, but also startups working with artificial intelligence and other emerging technologies.  OFAC clearly showed in 2023 how active it can be in policing the sanctions compliance of virtual currency companies, and so it may surprise some observers that the agency has asked Congress to significantly expand and clarify its enforcement authority in the virtual currency space.
  • Companies should remain vigilant for efforts by persons in Russia and Russian-occupied regions of Ukraine to evade sanctions: Almost half of OFAC’s published cases in 2023 alleged violations of its Ukraine- and Russia-related sanctions (7 of 17)—a much higher percentage than in the years preceding Russia’s full-scale invasion of Ukraine.  As the war persists, we expect to see many more Russia-related enforcement actions.

In sum, OFAC has adopted an extraordinarily aggressive posture in a number of areas that could portend a return to the ninefigure penalties that defined sanctions enforcement for much of the last decade.

IV. U.S. Export Controls

As made evident through U.S. policy toward Russia and China, in 2023 export controls continued their rise as indispensable and central tools to further broader U.S. national security interests.  A key part of this strategy involved coordinating controls with close allies and partners.

A. Multilateral Coordination

1. Export Controls and Human Rights

In March 2023, the United States and partner countries released the Code of Conduct for the Export Controls and Human Rights Initiative, which was founded during the Summit for Democracy in 2021 to create a framework for coordinated export controls to advance human rights.  As we describe in an earlier client alert, the Code of Conduct calls for subscribing states to consider human rights as a crucial part of the effective application of export controls, consult with regulated parties, and cooperate with other subscribing states on this front.

Together with the announcement of the Code of Conduct, the U.S. Department of Commerce published a final rule explicitly confirming that human rights abuses worldwide can be a basis for adding parties to the Entity List.  Concurrently therewith, BIS added to the Entity List 11 entities based in Myanmar, China, Nicaragua, and Russia for their alleged involvement in human rights abuses such as suppressing peaceful protests with surveillance technology or conducting aerial attacks on civilians.

While the Export Controls and Human Rights Initiative was initially founded by the United States, Australia, Denmark, and Norway, 21 more countries joined to endorse the voluntary Code of Conduct upon its release—Albania, Bulgaria, Canada, Costa Rica, Croatia, Czechia, Ecuador, Estonia, Finland, France, Germany, Japan, Kosovo, Latvia, the Netherlands, New Zealand, North Macedonia, the Republic of Korea, Slovakia, Spain, and the United Kingdom.  Many of these countries were already closely coordinating regarding trade controls resulting from the war in Ukraine.

These 25 subscribing states gathered in Washington, D.C. again in September 2023 for the inaugural plenary hosted by the U.S. Department of State.  While highlighting the various trade controls tools that the United States is already employing to counter human rights violations and abuses, senior U.S. officials acknowledged that “the United States cannot confront the issue of dual-use tech being used to commit [human rights] abuses alone.”  With the collaborative momentum and experience gained from developing and implementing Russia-related sanctions and export controls, we are likely to see increasing global cooperation on human rights-related controls, including on surveillance technologies or other items used for arbitrary arrest, detention, and/or suppression of peaceful protests.

2. Allies, Partners, and Incentives

Cooperation on human rights is just one example of the growing importance of multilateralism as a core tenet of U.S. trade controls policy.  Another example can be found in the June 2023 formal agreement among the Five Eyes partners—Australia, Canada, New Zealand, the United Kingdom, and the United States—to coordinate on export control enforcement.

To further strengthen these global ties and partnerships, BIS on December 8, 2023, issued three separate rules amending the EAR to liberalize export licensing requirements to certain countries that are allies of the United States or members of multilateral export control regimes.

In the first final rule, BIS made two changes to eliminate licensing requirements for exports to certain friendly countries.  First, BIS removed Proliferation of Chemical and Biological Weapons (“CB”) controls on specified pathogens and toxins that are destined for the 43 Australia Group member countries—a forum that is potentially ripe for further export controls coordination as Russia is not a member.  Items affected by this change are now controlled under CB Column 2, which does not require a license for exports to Australia Group member countries, instead of CB Column 1.  Second, BIS removed Crime Control and Detection (“CC”) controls on certain items that are destined for Austria, Finland, Ireland, Liechtenstein, South Korea, Sweden, and Switzerland.  Items affected by this change are controlled under CC Column 1 and Column 3, which no longer result in license requirements for these seven allied countries.

In the second final rule, BIS expanded license exception eligibility for Missile Technology (“MT”) controlled items to resolve certain domestic inefficiencies and harmonize controls with other Missile Technology Control Regime member countries.  With this change, exporters may rely on license exceptions Temporary Imports, Exports, Reexports, and Transfers (“TMP”), Governments (“GOV”), and Technology and Software – Unrestricted (“TSU”) for MT-controlled items subject to the specific terms and conditions specified in the relevant regulations, and may rely on license exception Aircraft, Vessels, and Spacecraft (“AVS”) for additional ECCNs.

In a third proposed rule, BIS proposed changes to license exception Strategic Trade Authorization (“STA”) to encourage its use by allied and partner countries.  As part of the proposed rule, BIS raised several questions for public comment, including “[w]hat additional changes could be made to License Exception STA to further facilitate exports, reexports, and transfers (in-country) between and among destinations identified in both Country Group A:5 in supplement no. 1 to part 740 and supplement no. 3 to part 746.”  BIS received comments on the proposed rule through February 6, 2024, and will likely issue a final rule based on public feedback.

In all three rules, BIS emphasized the importance of multilateral and plurilateral export controls, which the agency described as “the most effective path toward accomplishing our national security and foreign policy objectives.”  These changes demonstrate continuing efforts by the U.S. Government at fostering global coalitions around export controls implementation and enforcement and creating incentives for more countries to join the alliance.

B. Commerce Department

1. Disruptive Technology Strike Force

Under the Biden administration, BIS has prioritized regulations that restrict the flow of advanced technology to U.S. adversaries.  In a continuation of this regulatory priority, the Department of Justice’s National Security Division and the Department of Commerce’s BIS in February 2023 launched the Disruptive Technology Strike Force to protect certain advanced U.S. technologies from being illegally acquired and used by nation-state adversaries such as Russia, China, and Iran.  The Disruptive Technology Strike Force includes experts throughout government—including the Federal Bureau of Investigation, Homeland Security Investigations, and more than a dozen U.S. Attorneys’ Offices.

According to U.S. Deputy Attorney General Lisa O. Monaco, the Strike Force’s mandate is to restrict adversaries’ abilities to acquire, use, and/or abuse innovative U.S. technology to “enhance their military capabilities, support mass surveillance programs that enable human rights abuses and all together undermine our values.”  The Strike Force specifically targets technology related to supercomputing and exascale computing, artificial intelligence, advanced manufacturing equipment and materials, quantum computing, and biosciences—which technologies can be used to improve calculations in weapons design and testing; improve the speed and accuracy of military or intelligence decision-making; and break or develop unbreakable encryption algorithms that protect sensitive communications and classified information.

Within its first year, the Strike Force’s efforts have already led to five indictments in connection with efforts to provide materials, trade secrets, and items for military capabilities in Russia, China, and Iran; three temporary denial orders (“TDOs”); and 42 new Entity Listings.

The establishment of the Disruptive Technology Strike Force suggests an ongoing commitment to maintaining the United States’ technological edge over its adversaries and reflects a bipartisan trend of aggressively utilizing export controls to pursue policy and national security goals.  The Strike Force’s ability to investigate violations and impose criminal and administrative penalties increases the potential risk of non-compliance.  As such, companies involved in the design, production, or export of “disruptive” technologies subject to U.S. jurisdiction should closely monitor their end users and end uses.

2. Updated Voluntary Self-Disclosure Policy

Throughout 2023 and early 2024, BIS continued to refine and calibrate its approach to voluntary self-disclosures of possible violations of the Export Administration Regulations.

BIS implemented a transformative policy shift in a June 2022 memorandum that introduced a 60-day “fast track” review for voluntary self-disclosures of minor or technical infractions, while reserving a more comprehensive review for significant possible violations of the EAR.  In April 2023, BIS further clarified its stance in a new agency memorandum (the “2023 EAR Enforcement Memo”) allowing parties to bundle multiple voluntary self-disclosures for minor or technical infractions into one overarching submission.  As discussed below, BIS subsequently clarified that bundled self-disclosures for minor or technical infractions may be submitted quarterly.

BIS also announced in the 2023 EAR Enforcement Memo that a failure to disclose significant violations will now be treated as an aggravating factor, thereby heightening the incentives for entities to voluntarily disclose and emphasizing the importance of an effective compliance program.  This is a significant departure from past practice.  Previously, BIS treated voluntary self-disclosures of possible violations as a mitigating factor in assessing penalties, but a failure to submit was treated in a neutral manner.  Under the new policy, when an export control violation reflects potential national security harms, it will be treated as an aggravating factor under the agency’s enforcement guidelines.  This is in part because BIS considers a failure to disclose as indicative of the inadequacy of a corporate compliance program, which is itself a factor under BIS’s settlement guidelines.  In another major departure, the 2023 EAR Enforcement Memo also incentivizes parties to disclose possible export control violations by other parties by clarifying that a track record of cooperation, including as part of a third-party disclosure, could be considered a mitigating factor should the disclosing party be investigated for a future, even unrelated, enforcement action.  Together, the clarified policy of the 2023 EAR Enforcement Memo is intended to encourage parties to voluntarily disclose possible violations.

Since implementing the above-described changes, BIS reports that it received 80 percent more voluntary self-disclosures containing potentially serious violations during fiscal year 2023 than in the prior fiscal year.  Moreover, the agency reports reduced processing time for minor or technical disclosures and 33 percent more tips from third parties.

In a separate memorandum released on January 16, 2024, BIS announced four new enhancements to the agency’s voluntary self-disclosure program intended to further streamline the preparation and review of voluntary self-disclosures.  First, as previewed above, the new enhancements clarified BIS’s allowance of bundled disclosures of minor or technical infractions to allow parties to submit this bundle quarterly.  Second, the agency decreased submitting parties’ diligence burden in two ways:  (1) BIS now requests that parties submit abbreviated narrative accounts of the violation in lieu of the more onerous supporting documentation listed in Section 764.5(c)(4) of the EAR, unless specifically requested by BIS’s Office of Export Enforcement (“OEE”); and (2) BIS no longer requires the five-year lookback period recommended in Section 764.5(c)(3) of the EAR.  Third, BIS strongly encourages submission of voluntary self-disclosures via email.  Last, BIS and OEE will expedite requests for corrective action that would otherwise be prohibited by Section 764.5(f) of the EAR, and specifically invites parties to request permission to engage in such corrective action even if they are not submitting a voluntary self-disclosure.  These enhancements are designed to help BIS and regulated parties prioritize their compliance resources on significant violations and to take quick corrective action where appropriate.

3. BIS Enforcement Trends

OFAC was not alone in bringing record-breaking enforcement actions during 2023.  BIS in April 2023 announced a $300 million civil penalty against two affiliates of a global technology company for allegedly selling hard disk drives to Huawei Technologies Co. Ltd. (“Huawei”) in violation of U.S. export controls.  This enforcement action is not only the largest standalone administrative penalty in the agency’s history, but also the first action targeting an alleged violation of the Huawei-specific Foreign Direct Product Rule—a notoriously complex regulatory provision that expands the scope of U.S. export controls to certain foreign-produced items that are derivative of specified U.S. software and technology.

Moreover, BIS enforcement activity was not limited to one major case.  The agency over the course of 2023 secured an all-time number of convictions, temporary denial orders, and post-conviction denial orders.  In a sign of the aggressiveness of BIS enforcement, the agency in early 2024, in an unprecedented move, announced a $15 million bounty on an Iranian national accused of violating U.S. export controls by procuring for Iran’s Islamic Revolutionary Guard Corps goods and technology used in attack UAVs that were subsequently sold to Russia.

In light of increasing U.S. export enforcement risks, even companies outside of the United States should carefully analyze the potential applicability of U.S. export controls with the broad jurisdictional reach of provisions like the Foreign Direct Product Rule in mind.

4. Extended Renewal Period of Temporary Denial Orders

When BIS determines that an individual or entity presents an imminent risk of violating the EAR or has been convicted of violating certain U.S. laws and regulations—including U.S. sanctions and export control laws and regulations—BIS may issue an order denying that person export privileges.  The effect of a denial order is that the targeted person is typically prohibited from participating in any way in any transaction involving items subject to the EAR, including both exporting from the United States and receiving or benefiting from any export, reexport, or transfer of any item subject to the EAR.

Depending upon the circumstances, BIS may issue one of two types of denial orders.  BIS may issue a temporary denial order, which historically has been renewable for multiple periods of up to 180 days, upon a determination that such an order is necessary to prevent an imminent violation of the EAR.  Alternatively, upon a determination that any person has been convicted of violating certain specified U.S. statutes or any regulations issued pursuant thereto (including the EAR or OFAC’s sanctions regulations), BIS may issue a denial order for a period of up to ten years from the date of conviction.  As noted above, a denial order—which results in the target being added to the Denied Persons List—is an especially powerful tool as it completely severs a non-U.S. person’s access to the U.S. supply chain.

In August 2023, BIS amended Section 766.24(d)(1) of the EAR, creating an additional ability to renew an existing temporary denial order for one year under certain conditions.  While maintaining BIS’s ability to renew an existing TDO for 180 days if “the denial order is necessary in the public interest to prevent an imminent violation,” the amendment adds the ability to specify an extended renewal period of one year upon a showing that the party subject to the TDO has engaged in a pattern of repeated, ongoing, and/or continuous apparent violations of the EAR, and that the extended renewal is appropriate to address such continued apparent violations.

In its final rule, BIS offered three examples of circumstances under which an extended renewal would be appropriate.  Namely, if the respondent has:

  • Acted in apparent blatant disregard of the EAR;
  • Attempted to circumvent or otherwise appeared to violate the restrictions of a TDO or the EAR; or
  • Otherwise acted in a manner demonstrating a pattern of apparent noncompliance with the requirements of the EAR.

BIS specifically identified repeat offenders of Russia-related controls as the type of cases in which extended renewals would serve as an enhanced deterrent to potential offenders and enhanced notice to companies and individuals wishing to do business with the subjects of the TDO.

5. Antiboycott Enforcement Policy

In our 2022 Year-End Sanctions and Export Controls Update, we highlighted BIS’s intensified enforcement approach toward U.S. antiboycott regulations, marked by significant adjustments to violation categories.  This past year, BIS continued to enhance its enforcement posture with respect to the antiboycott regulations, especially concerning the Arab League Boycott of Israel.  In 2023, BIS imposed over $425,000 in penalties on companies for alleged violations of the antiboycott regulations.

In an agency memorandum issued in July 2023, BIS announced that the agency has amended its Boycott Request Reporting Form to require the filer to specify the party who made the boycott-related request and published an Antiboycott Policy Statement on the Department of Commerce’s Office of Acquisition Management website for government contractors.  In light of the enhanced regulations and enforcement priorities, U.S. firms with potential foreign boycott exposure should consider implementing robust policies to ensure antiboycott compliance.

V. Committee on Foreign Investment in the United States (CFIUS)

In addition to sanctions and export controls, the Committee on Foreign Investment in the United States—the interagency committee tasked with reviewing the national security risks associated with foreign investments in U.S. companies—remained active during 2023 as the Committee reviewed a record number of filings and continued to closely scrutinize China-related deals.  Over the past year, CFIUS also expanded its jurisdiction to include additional military installations, competed with state-level restrictions on foreign investment, increased scrutiny of deals involving Japanese and Middle Eastern investors, and prepared to operate alongside a brand new outbound investment review mechanism unveiled by the United States.

A. CFIUS Annual Report

In July 2023, CFIUS published its annual report to Congress detailing the Committee’s activity during calendar year 2022 (the “CFIUS Annual Report”).  As noted in a prior client alert, our key takeaways from the CFIUS Annual Report include:

  • While the total number of filings before CFIUS largely stayed on pace with 2021, with the Committee reviewing a total of 440 filings (compared to 436 filings in 2021), the CFIUS Annual Report data may suggest a significant proportional increase in CFIUS filings in light of significantly slower mergers and acquisitions activity and decreased foreign direct investment in 2022;
  • Declaration filings jumped 30 percent from 2020 to 2021, but decreased by approximately 6 percent in 2022, possibly suggesting a growing hesitation in the market to use the Committee’s short-form declaration process;
  • More than 50 percent of all non-real estate notices reviewed by the Committee were transactions in the finance, information, and services sector, signaling that transactions wherein sensitive personal data is very likely to be at issue continue to account for a large portion of the Committee’s caseload (and will likely continue to do so going forward); and
  • A 67 percent increase from 2021 in instances where the Committee adopted mitigation measures and conditions to mitigate the national security risks associated with a transaction, combined with an uptick in withdrawn notices, may suggest that the Committee is taking a more aggressive stance on imposing conditions on its approvals.

B. Expanded Jurisdiction

In May 2023, the Committee published two new frequently asked questions (“FAQs”) that have had substantial impacts on parties notifying the Committee of a transaction.  The first FAQ clarified CFIUS’s interpretation of the “completion date” for a transaction, effectively negating the use of “springing rights” for mandatory filings.  The second FAQ confirms that CFIUS can request certain information from passive investors, including limited partners in an investment fund.

Under 31 C.F.R. § 800.206, the term “completion date,” with respect to a transaction, is the earliest date upon which any ownership interest, including a contingent equity interest, is conveyed, assigned, delivered, or otherwise transferred to a person, or a change in rights that could result in a covered control transaction or covered investment occurs.  In the first FAQ, the Committee explained that, in a transaction where the ownership interest is conveyed before the foreign person receives the corresponding rights, the “completion date” is the earliest date upon which the foreign person acquired any of the equity interest.  For example, if Company A acquired a 25 percent ownership interest in Company B on July 1, but its right to control Company B was deferred until after CFIUS reviews the transaction, the “completion date” for the transaction is July 1.  Using this example, the Committee indicated that if the transaction is subject to the mandatory declaration requirement pursuant to 31 C.F.R. § 800.401, the latest date that the parties can file the transaction with CFIUS is June 1.

In practice, the first FAQ means that parties can no longer use a springing rights strategy to delay the onset of a mandatory CFIUS filing because CFIUS no longer distinguishes between initial passive equity investments and future CFIUS triggering rights.  In other words, parties may not delay submitting a mandatory filing by deferring acquisition of control, governance, or information access rights, while otherwise closing the investment.  Parties have frequently utilized this strategy as a means to ensure the quick exchange of capital for equity interests that transfer upon execution of the transaction documents.  Now, this strategy is no longer workable, as parties must submit a mandatory filing no later than 30 days prior to the transfer of the initial passive equity interest, even if the parties have negotiated a different structure.

The practical effect of the second FAQ is that the Committee may request information on all foreign investors involved, directly or indirectly, in a transaction, including limited partners that have passively invested in an investment fund at any level, regardless of any confidentiality provisions or contract arrangements between the limited partners and the foreign investor.  Parties before the Committee have typically disclosed limited partners with five percent or more ownership and/or non-customary rights.  However, this FAQ may change that approach.  Going forward, on a case-by-case basis, we expect the Committee to consider the nationality, identity, and capabilities of limited partners.  In particular, the FAQ explains that CFIUS may request identifying information for indirect foreign person investors, their jurisdiction(s) of organization, and information with respect to any governance rights and other contractual rights that investors collectively or individually may have in an indirect or direct acquirer or the U.S. business to facilitate the Committee’s review regarding jurisdictional or national security risk-related considerations.

Proximity to sensitive U.S. military installations and properties is an important element of the Committee’s review over certain covered real estate transactions.  Specifically, the Committee has jurisdiction to review certain purchases or leases by, or concessions to, a foreign person of real estate in close proximity (the area that extends outward one mile from the boundary of the military installation or facility) to, or the extended range of (within a 100-mile radius), specific military installations and properties listed at Parts 1 and 2 of Appendix A to Part 802 of the Committee’s regulations (“Appendix A”).

In August 2023, the Committee released a final rule adding eight new military installations to Part 2 of Appendix A, which became effective September 22, 2023.  The eight additional military installations include:

  • Air Force Plant 42, located in Palmdale, California;
  • Dyess Air Force Base, located in Abilene, Texas;
  • Ellsworth Air Force Base, located in Box Elder, South Dakota;
  • Grand Forks Air Force Base, located in Grand Forks, North Dakota;
  • Iowa National Guard Joint Force Headquarters, located in Des Moines, Iowa;
  • Lackland Air Force Base, located in San Antonio, Texas;
  • Laughlin Air Force Base, located in Del Rio, Texas; and
  • Luke Air Force Base, located in Glendale, Arizona.

Importantly, many military installations have been renamed, and CFIUS’s Geographic Reference Tool is not always updated.  Thus, parties should carefully cross-reference the names of military installations when conducting any proximity analysis.

The new rule followed shortly after the Committee determined that it did not have jurisdiction over the proposed purchase by Fufeng Group Limited (“Fufeng”), a Chinese company, of a 370-acre site in North Dakota located approximately 12 miles from Grand Forks Air Force Base.  That proposed purchase faced significant political backlash and was ultimately terminated by local officials.  We expect CFIUS will continue to expand the list of sensitive facilities going forward, so transaction parties should closely watch for future additions to Appendix A.

C. State Law Investment Restrictions

Following the Fufeng controversy, U.S. states have quickly begun passing their own laws impacting real estate transactions within their borders.  For example, in May 2023, Florida passed a law barring foreign principals from “countries of concern” (including China, Russia, Iran, North Korea, Venezuela, and Syria) from acquiring an interest in agricultural property or property near sensitive military sites.  More than 20 states have adopted legislation restricting foreign ownership of U.S. land, and actions to amend or enact such legislation are pending in many other states.

As we discuss in a prior client alert, state laws vary in their approaches to address the potential national security and economic implications of foreign ownership of U.S. land.  Some states mandate disclosure of foreign ownership of U.S. land, while other states directly prohibit certain transactions and may require divestiture of foreign-owned land.  Additionally, laws differ as to who is subject to the restrictions, with some legislation seeking to regulate real property transactions with individuals and entities from a list of named countries, and other legislation seeking to govern purchases by all non-U.S. citizens.

The constitutionality of these laws remains uncertain.  A group of Chinese citizens and lawful residents of Florida and a Florida corporation challenged Florida’s new law under several federal statutes, including the Fair Housing Act.  The U.S. Department of Justice has filed a statement of interest in the case supporting the plaintiffs’ motion for a preliminary injunction and arguing that the Fair Housing Act preempts Florida’s law.

More than a dozen bills have been introduced in the U.S. Congress to address concerns about foreign acquisitions of U.S. real estate.  Some bills would expand federal reporting requirements in connection with foreign investments in agricultural land and increase penalties for nondisclosure.  Other bills would expand CFIUS jurisdiction to encompass more categories of land, such as certain foreign investments in agricultural land and in U.S. businesses engaged in agriculture or biotechnology related to agriculture.

The state measures described above add another complex layer to the various U.S. restrictions at the federal level targeting trade and financial flows with China (and, in some cases, several other challenging jurisdictions).  International investors and multinational businesses now must consider not only federal law when undertaking transactions in the United States, but must also factor in state-specific restrictions that may play an increasingly important role in managing their commercial engagements and exposure in the country.

D. Geographic Focus

In 2024, parties should expect the Committee to heavily scrutinize investments by foreign investors with ties to China.  This is perhaps not surprising amid increased geopolitical tensions between Washington and Beijing.

Notably, CFIUS has increased its scrutiny of transactions involving Middle Eastern investors, especially under circumstances in which such investors have close business ties to China.  Close examinations of Japanese investors’ relationships with Chinese shareholders have also contributed to lengthier investigation timelines.

Due to the Committee’s focus on third-party risk from China, parties should carefully consider the structure of investments.  For example, there is an exception to mandatory filing requirements for investment funds managed exclusively by general partners that are not foreign persons, so long as the foreign limited partners are sufficiently passive.  At bottom, companies with extensive links to China, including companies with a large Chinese customer base, should expect a thorough and rigorous review by the Committee.

VI. U.S. Outbound Investment Restrictions

While CFIUS review of inbound investments into the United States has been a feature of U.S. trade controls for decades, the Biden administration during 2023 laid the foundation for unprecedented outbound restrictions on how U.S. persons deploy capital abroad.  Momentum for such a regime appears to have been driven in part by concerns among U.S. officials at the prospect of U.S. investors financing or otherwise enabling efforts by strategic competitors such as China to develop critical technologies within their own borders.  Although the regulations are still under development as officials review public comments and debate how to tailor any such regime to avoid unduly restricting investments that present little risk to U.S. national security, developments over the past few months suggest that the United States could soon stand up an entirely new outbound investment review mechanism.

A. Proposed Rulemaking

On August 9, 2023, President Biden issued Executive Order 14105 authorizing restrictions on certain forms of outbound investment in semiconductors and microelectronics, quantum information technologies, and artificial intelligence systems.  While the Executive Order did not immediately impose new legal obligations on outbound investments, it was accompanied by an Advance Notice of Proposed Rulemaking issued by the U.S. Department of the Treasury, the agency tasked with primary implementation authority for the Executive Order.  The ANPRM provides further details about the contours of the planned requirements and restrictions.  In terms of timing, the ANPRM formally began the rulemaking process by seeking significant public input to assist Treasury in crafting the final text of the regulations.

The proposed new restrictions largely track reports that the Biden administration would focus on a narrow set of high-technology sectors, imposing an outright ban on a small set of transactions and requiring notification to the U.S. Government on a broader set of others.  Specifically, E.O. 14105 focuses on direct and indirect investments by “U.S. persons” in a “covered foreign person,” which those measures define to consist of Chinese, Hong Kong, and Macau entities engaged in the business of targeted “national security technologies and products,” which terms are still in the process of being defined.

Importantly, the proposed outbound investment regime is not a “catch and release” program, and in contrast to the mandatory filing requirements under CFIUS, the Treasury Department has clearly stated in the ANPRM that it is “not considering a case-by-case determination on an individual transaction basis as to whether the transaction is prohibited, must be notified, or is not subject to the program.”  It will not be a “reverse CFIUS.”  Rather, the onus will be on the parties to a given transaction to determine whether the prohibitions or notification requirements apply.

While unique, the proposed outbound rules draw on existing regulatory regimes such as export controls on software and technology, sanctions programs restricting transactions with specific parties or geographies, and inbound foreign direct investment controls under CFIUS.  A novel feature of the proposed outbound regime, however, is its specific targeting of U.S. capital and intangible benefits—identified in the ANPRM as “managerial assistance, access to investment and talent networks, market access, and enhanced access to additional financing”—that often accompany investments in high-technology sectors of the Chinese economy, and which are perceived as threats to U.S. national security.

While E.O. 14105 envisions both civil and criminal penalties for violations of the proposed regulations, the ANPRM focuses on civil penalties, as is standard, with potential criminal conduct being referred to the U.S. Department of Justice.  The ANPRM proposes imposing civil penalties up to the maximum allowed under the International Emergency Economic Powers Act, currently over $350,000 per violation.

B. Public Comments and Unresolved Issues

It will likely be some time before the final U.S. outbound investment rules take shape.  Although the ANPRM provides useful insight into the likely scope and scale of the final regulations, it also requested comments from the public on 83 specific questions—the answers to which remain unsettled.  Treasury’s public comment period for the ANPRM closed on September 28, 2023.

The comment period generated significant interest from industries that will be affected by the potential outbound investment regime, with input from major actors in the investment community; manufacturers; semiconductor, microelectronics, and quantum companies; financial institutions; and trade associations.  As we discuss in more detail in a separate client alert, commenters from across industries emphasized the need for more clarity, narrower coverage to prevent chilling investment and spillover into non-targeted industries, and wider exemptions.

Specifically, many commenters noted that the contemplated definitions are vague with respect to which U.S. actors or investors, foreign partners, and types of investments and transactions are subject to the restrictions.  Commenters also overwhelmingly requested clear steps and extensive guidance to make it easier for investors to comply, in addition to requests for other details on how compliance standards will be applied.  Finally, commenters sought to clarify the Treasury Department’s proposed covered transactions and expand exemptions to prevent overbroad coverage.  In particular, commenters sought to ensure that passive investments by both limited partners and non-limited partners, venture capital and private equity investments, and other transactions are not covered by the regulations.  Major financial institutions and investment commenters urged the Treasury Department to clarify that coverage does not indiscriminately restrict services provided by financial institutions to their customers with respect to covered transactions.

In addition to the public comments described above, the proposed outbound investment regime has drawn opposition from prominent members of Congress.  Critics of the proposal in its current form include the influential chairman of the House Financial Services Committee who, in a letter to Treasury Secretary Janet Yellen, questioned the Biden administration’s policy of decreasing U.S.-driven investment in China, arguing that public policy should instead be to increase private U.S. investment and control of Chinese entities.  The chairman further questioned whether the program should be administered by OFAC, rather than through the CFIUS regime.  These criticisms are significant because they may identify grounds for parties to challenge the final regulations and because they highlight a sharp disagreement in the top levels of government regarding the role of U.S. investment in China.

The Biden administration appears to have expended considerable effort engaging with U.S. allies concerning the scope of the proposed restrictions, with the result that new outbound investment regimes appear to be gaining traction in jurisdictions such as the European Union.  Ahead of the eventual publication of final regulations in the United States, the Biden administration is expected to continue engaging with Congressional leadership and global allies on these issues, as well as assessing the public comments it has received from business industry leaders and practitioners.  Although an exact timeline for publication of a final rule has not been set, it is possible that a new U.S. outbound investment regime could take effect in the coming year.

VII. European Union

A. Trade Controls on China

Departing from the trend in recent years of skirting around China policy, a March 2023 speech by European Commission President Ursula von der Leyen assertively set the tone for EU-China relations going forward.  Amid a ballooning EU-China trade deficit, von der Leyen called out China’s calculated attempt at subverting the international order through the deliberate creation of economic dependencies and the extortive use of economic leverage, as well as China’s positioning as a global peace-breaker—supporting Tehran and Moscow, ramping up its military posture, and spreading disinformation.  Von der Leyen further noted that China has clearly moved on from an era of “reform and opening” toward a new era of “security and control” no longer governed by the logic of free markets and open trade.  Despite these remarks, von der Leyen noted the interconnectedness between the European and Chinese economies and, in a nod to U.S. nomenclature on the subject, concluded that the European Union should focus on de-risking from China, rather than de-coupling.

Tangible action followed throughout the year.  In response to surging, government-assisted Chinese electric vehicles exports, the European Union launched an ex officio anti-subsidy investigation into the import of Chinese-manufactured EVs.  As the European Commission, the bloc’s executive branch, has already found evidence of support by state actors at preferential terms, the imposition of tariffs, along with corresponding Chinese retaliatory measures, appears to be a distinct possibility as a result of the investigation.  The European Union has historically been more comfortable deploying trade defense measures such as tariffs and anti-dumping or countervailing duties on China, as opposed to trade or financial sanctions measures.  However, while the European Union has yet to implement any particularly impactful sanctions measures as it continues to lack a China-related sanctions program, this year it reportedly considered blacklisting eight Chinese companies it had found to be assisting Russia’s military operations in Ukraine.  While the measures ultimately failed to rally the support of all EU Member States (which is required for such measures), the Commission’s bold move to put these listings on the European Council’s agenda is noteworthy.  Following these developments, European Council chief Charles Michel during a year-end visit presented China’s President Xi Jinping with a list of Chinese companies that may soon become subject to EU sanctions unless exports of dual-use items to Russia are addressed.  As global tensions rise, appetite for EU-wide sanctions measures targeting China-based bad actors is likely to increase.

In terms of legislative initiatives, the European Union in September 2023 implemented its own Chips Act, which is designed to leverage private-public partnerships in order to onshore semiconductor manufacturing.  In November 2023, the European Council and Parliament reached provisional agreement on the proposed Critical Raw Materials Act, which was first unveiled in March 2023 and aims to ensure that not more than 65 percent of EU consumption of identified strategic raw materials comes from a single third country.  The European Union also continued to develop EU-wide forced labor legislation.  As the post-UFLPA Chinese redirection of solar panels and related products into the European Union intensifies, Europe’s prospects for a UFLPA-like “rebuttable presumption” that goods are made with slave labor have improved.  In October 2023, the Internal Market and International Trade committees amended the Commission’s proposed draft of the EU Forced Labor Import Ban and tasked the Commission with creating a list of geographic areas and economic sectors at high risk of using forced labor, in relation to which the burden of proof would shift to companies—rather than enforcing authorities—to demonstrate that items have not been produced with forced labor.  Finally, the Anti-Coercion Instrument—a regulation enabling the Commission to take proportionate countermeasures to induce the cessation of economic coercion levied at the European Union or one of its Member States—entered into force in December 2023.  While none of these initiatives explicitly mentions China, all form part of Europe’s China strategy and indeed many were implemented in direct response to certain Chinese actions.

The most comprehensive expression of the Commission’s vision for a more resilient Europe came with the publication, together with the EU High Representative for Foreign Affairs and Security Policy, of a communication to the European Parliament, the European Council, and the Council on a new European Economic Security Strategy.  This communication laid the groundwork for a discussion among EU Member States and various EU institutions with a view to creating a common framework designed to minimize risks stemming from increased geopolitical tensions and accelerated technological shifts, while preserving maximum levels of economic openness.  While the communication—in keeping with European tradition—also does not mention China, it echoes von der Leyen’s speech earlier in the year and points to economic security risks related to the resilience of supply chains, physical and cyber security of critical infrastructure, technology security and technology leakage, and the weaponization of economic dependencies and economic coercion.  The strategy is multi-pronged and notably includes proposals to bolster the European Union’s foreign investment screening tools, enhance cooperation among Member States in relation to dual-use export controls—including in relation to research security with respect to the development of technologies with dual-use potentials—and examine whether to adopt outbound investment controls akin to the proposed regime announced by the United States.  As China-EU trade tensions are poised to continue into 2024, the European Union is likely to maintain an assertive economic security posture.  Further details on the European Economic Security Strategy are expected in early 2024.

B. Sanctions Developments

1. Institutional and Procedural Developments within the European Union

The European Union and its Member States continued to make unprecedented progress toward harmonizing European sanctions enforcement.  Such harmonization is long overdue and without it effective sanctions enforcement will continue to be lacking.  At present, not all EU Member States even criminalize the violation of EU sanctions and, even among those Member States that do, criminal laws on evidentiary requirements, burden of proof standards, and penalties vary substantially.  The inconsistent enforcement of restrictive measures not only undermines the effectiveness of EU sanctions, but also existing legal loopholes and lack of harmonization facilitates violations and encourages the practice of forum shopping.  To address these issues, European authorities took several notable steps in the direction of centralized sanctions enforcement.  Crucially, in December 2023, the European Parliament and the European Council reached a provisional political agreement on the Commission’s December 2022 proposal for a Directive aimed at harmonizing criminal offenses and penalties for the violation of EU restrictive measures.  Once adopted, the new rules will include a list of criminal offenses related to the violation and circumvention of EU sanctions such as failing to freeze assets, providing prohibited or restricted services, or providing false information to conceal funds that should be frozen.  The new rules will also establish common basic standards for penalties for both individuals and entities, including imprisonment for at least five years for certain offenses and enhanced rules on freezing of assets subject to EU sanctions.  To move the proposal forward, the European Parliament and the Council will now have to formally adopt the political agreement, after which the Directive will enter into force following its publication in the Official Journal of the European Union.

As proposals for the establishment of an EU-wide sanctions enforcement authority or for an enhanced role for the European Public Prosecutor’s Office have yet to gain enough momentum to translate into a Commission initiative, individual EU Member States are ramping up their domestic efforts.  In Germany, the Federal Government has approved a draft Financial Crime Prevention Act (Finanzkriminalitätsbekämpfungsgesetz) (“FKBG”), which, if adopted by the Bundestag and the Bundesrat, will set up a new Federal Office for Fighting Financial Crime (Bundesamt zur Bekämpfung von Finanzkriminalität) (“BBF”).  The BBF is expected to become the new agency hosting the Central Office for Sanctions Enforcement (Zentralstelle für Sanktionsdurchsetzung) (“ZfS”) as of June 2025 in order to achieve synergies between sanctions and anti-money laundering enforcement and to improve cooperation between investigative enforcement and criminal prosecution.  The ZfS has been particularly active since its creation in early 2023, with reports of more than 150 cases currently under investigation and spectacular raids in pursuit of cases.  Similarly, the Latvian State Revenue Service has started more than 250 criminal proceedings for violations of EU sanctions, and Dutch authorities have imposed fines for breaches of the EU Russia sanctions regime.  While the European Union has yet to establish centralized sanctions agencies akin to OFAC in the United States or the United Kingdom’s Office of Financial Sanctions Implementation (“OFSI”), Eurojust and Europol are not standing idle, having recently supported a coordinated action of the Dutch, German, Latvian, Lithuanian, and Canadian authorities against the alleged violation of sanctions on Russia.

2. Focus on Circumvention and Evasion

Having implemented a wide range of financial and trade sanctions against Russia over the last two years, the European Union is now struggling to secure Member States’ support for further substantive measures.  For instance, despite having significantly reduced its reliance on Russian energy imports, the European Union has not yet fully weaned itself off of Russian energy, which has frozen the bloc’s potential sanctions on liquified natural gas.  Facing these political and economic realities that are unlikely to resolve in the near term, European authorities are instead focusing on more attainable and politically neutral goals such as enhancing tools against sanctions circumvention and evasion.  With the introduction of new powers to combat sanctions circumvention as part of its eleventh Russia sanctions package, the European Union can now restrict the sale, supply, transfer, or export of specified sanctioned goods and technology to certain third countries considered to be at high risk of being used for circumvention.  While this power has not yet been used and European Commission representatives have made it clear that it is a measure of last resort (i.e., to be used only following engagement with the third countries in question), it marks a significant step in the direction of more aggressive European sanctions implementation.  Measures introduced to achieve similar objectives include, among others, the introduction of a provision compelling EU exporters to contractually prohibit the re-exportation to or for use in Russia of a number of goods and technologies, a full ban on trucks with Russian trailers and semi-trailers from transporting goods to the European Union, and the simplification of crucial annexes to EU trade sanctions regulations to reduce circumvention of sanctions by misclassification of goods.

Relatedly, the European Commission published extensive guidance on the topics of circumvention and evasion to help European economic operators identify, assess, and understand possible risks.  That guidance—a first on the topic—outlines due diligence best practices and includes an extensive list of circumvention red flags, which the Commission expects European economic operators to be aware of and incorporate into their risk assessments.  The Commission guidance has been followed by separate guidelines at the Member State level, with Germany’s Federal Ministry for Economic Affairs and Climate Action (Bundesministerium für Wirtschaft und Klimaschutz) (“BMWK”) issuing further guidance for companies to tackle circumvention and evasion of trade sanctions.  As discussed more fully above, the European Union together with its international partners published a List of Common High Priority Items intended to support compliance by exporters, and also targeted anti-circumvention actions by customs and enforcement agencies of partner countries to prevent their territories from being abused for circumvention of EU sanctions.

3. Iran Sanctions and Policy

The European Union has yet to develop a coherent and uniform stance in relation to Iran.  Historically, in addition to implementing UN sanctions, the European Union imposed a wide range of autonomous economic and financial sanctions on Iran.  The European Council recently decided to refrain from lifting these restrictive measures on Transition Day (i.e., October 18, 2023), as originally envisaged under the Joint Comprehensive Plan of Action.

The European Union has also reacted to Iran’s support for Russia’s invasion of Ukraine.  In July 2023, the Council established a new framework for restrictive measures in view of Iran’s provision of military support to Syria and Russia.  This new regime prohibits the export from the European Union to Iran of components used in the construction and production of unmanned aerial vehicles.  It also provides for travel restrictions and asset freeze measures that could be imposed against persons responsible for, supporting, or involved in Iran’s UAV program.  The Council made use of its designation powers to add several Iranian individuals and entities to its asset freeze target list for undermining or threatening the territorial integrity, sovereignty, and independence of Ukraine.

Despite these actions, discontent looms among European politicians and bureaucrats, some of whom view the European Union’s policy on Iran as weak.  Members of the European Parliament recently criticized EU High Representative Josep Borrell’s Iran policy, claiming it had failed and that it is purely symbolic.  Borrell, however, suggested that the political will among all 27 EU Member States to dramatically alter the European Union’s policy on Iran is currently lacking.  The debate is likely to continue in coming months, as the European Union is also weighing whether to punish Iran for its support of Hamas.  Germany, France, and Italy are reportedly in the process of introducing unilateral measures such as a ban on the export of components used in the production of missiles.  This situation will likely continue to evolve as tensions in the Middle East rise in the wake of attacks by various Iran-backed militias, including Hamas, Hezbollah, and the Houthis.

C. Export Controls Developments

The need for coordinated action at the Union level in the area of export controls has become pressing.  Authorities in EU Member States have already started taking matters into their own hands which could threaten to further splinter any pan-European approach.  For example, in 2023 the U.S. Government spearheaded a significant effort to persuade the Netherlands and Japan—two countries with advanced semiconductor manufacturing equipment capabilities—to establish controls similar to the U.S. restrictions described in Section II.A.1, above.  In June 2023, as part of this trilateral agreement, the Netherlands imposed export controls on advanced semiconductor production equipment bound for China.  Italy, too, used its so-called “golden power” to restrict the flow of information and know-how relating to proprietary technologies to China-based Sinochem, Pirelli’s largest shareholder and, to crack down on circumvention of EU trade sanctions on Russia, implemented national legislation imposing a prior authorization requirement for exports of certain dual-use goods for use in aviation to Armenia, Iran, Kazakhstan, and Kyrgyzstan.  Spain adopted a national control list imposing new export controls on quantum computing, additive manufacturing, and other emerging technologies for reasons of national security.  As the uncoordinated proliferation of national controls by EU Member States risks creating loopholes, jeopardizing the integrity of the single market, and weakening the bloc’s economic security, the European Commission is pressing for the centralized implementation of a wider set of export controls.

In light of the above and as a function of its de-risking strategy, 2023 saw the European Union take decisive steps toward bloc-wide export controls for a broad set of sensitive technologies.  The Commission issued a recommendation—as a part of the European Economic Security Strategy—to conduct a risk assessment exercise aimed at identifying vulnerabilities in connection with advanced semiconductors, artificial intelligence, and quantum and bio-technologies (i.e., technology areas considered highly likely to present the most sensitive and immediate risks to technology security and leakage).  Potential controls restricting the export of these four types of technologies may follow in early 2024.  The wider European Economic Security Strategy also promises to address gaps in the current dual-use regulation, with a view to introducing uniform controls on a wider range of items.  In the meantime, for the first time, the Commission compiled all unilaterally implemented lists.

D. Foreign Direct Investment Developments

With the publication of the European Economic Security Strategy, the Commission announced plans to revise the 2020 Foreign Direct Investment (“FDI”) Screening Regulation that sets minimum requirements for Member States’ FDI screening, including an expanded list of sectors and activities that will trigger a screening requirement and implementing measures to harmonize processes across Member States’ regimes.  Earlier in the year, the European Court of Auditors had published a special report that found “significant divergences” in Member States’ screening mechanisms.  22 of 27 Member States presently have screening mechanisms in place, and EU members have significantly increased their screening of foreign investments, formally screening more than half of all investment authorization requests.  Despite the recent heightened focus on FDI screening, the EU regime, which seeks to balance the free movement of capital against national security concerns, remains less aggressive than companion regimes in the United States and the United Kingdom.  EU Member States authorize the overwhelming majority of transactions without conditions and, in July 2023, the European Court of Justice conservatively interpreted the EU regime’s reach, holding that screening cannot be used as a protectionist tool, as foreign investments cannot be restricted on the basis of purely economic considerations.

However, there have been recent examples of certain EU Member States taking a harder line.  In October 2023, a U.S. company was forced to abandon its global takeover of a Canadian target after the French government vetoed the acquisition of two French subsidiaries under France’s FDI regime.  While the rationale for this decision is not public, it appears that Paris’s concerns stemmed from the transaction’s potential to cause the two subsidiaries—which supply parts for nuclear submarines and reactors—to become subject to U.S. export control rules, thereby threatening supply to the French market.  The parties have indicated that, although a package of remedies and undertakings was offered to French authorities, such measures were not sufficient to resolve the government’s concerns.

VIII. United Kingdom

A. Trade Controls on China

Although the United Kingdom continues to refine its approach to China’s increasingly assertive stance in global affairs, 2023 did not see any decisive turning points.  In March 2023, the UK Government released the much-anticipated “Integrated Review Refresh 2023: Responding to a More Contested and Volatile World” (the “2023 Review”), the United Kingdom’s expression of its national security and foreign policy.  While it had been expected that the United Kingdom would label China a “threat,” the words “epoch-defining challenge” were ultimately chosen to replace the optically weaker “systemic challenge” label chosen for the previous iteration of the review.  Beyond semantics, steering clear of describing China as a threat amply demonstrates the United Kingdom’s continued ambivalence toward Beijing, despite being under significant pressure from core allies to revise (and strengthen) its stance.  Nevertheless, the 2023 Review highlighted UK concerns with the Chinese Communist Party’s conduct, specifically calling out China’s strengthening of its relationship with Russia, its disregard for human rights and international commitments in Tibet, Xinjiang, and Hong Kong, the militarization of disputes in the South China Sea, China’s refusal to renounce the use of force in Taiwan, the country’s ruthless use of its economic power to coerce unaligned countries, and the sanctioning of British parliamentarians in an effort to undermine free speech critical of China.

While practical takeaways specifically relating to China mainly consisted of increased multilateral cooperation with core allies and enhanced investment in diplomatic efforts, the 2023 Review mentioned other tangible initiatives.  The UK Government expressed a commitment to bolster the United Kingdom’s economic security and pledged to publish a new strategy on supply chains and imports of technologies of strategic importance to the United Kingdom and its allies, as well as a refresh of the Critical Minerals Strategy and the creation of a new semiconductor strategy aimed at improving the resilience of semiconductor supply chains.  Similar initiatives are being pursued by the United Kingdom’s core allies, as described in Sections II and VII.A, above.

Despite the commitments made in the 2023 Review, the UK Parliament’s Intelligence and Security Committee in July 2023 published a detailed report calling out the lack of a clear, forward-looking China strategy and the failure to deploy a whole-of-government approach when countering threats posed by China.  The report highlighted the inadequacy of UK protections against Chinese interference and Beijing’s deliberate attempt at creating economic dependencies it could (and often has chosen to) weaponize.  In particular, the report exposes the multifaceted nature of the intelligence threat posed by China and calls out the economic dependency risks stemming from China’s deliberate use of investment activities as a platform, as evidenced by the political influence China gains from its very significant investment in the UK civil nuclear sector.  Furthermore, the report found that China has increased espionage efforts in the United Kingdom, “prolifically and aggressively” collecting human intelligence, gathering information through social media, and routinely targeting current and former civil servants.

The government’s response to the report was mostly defensive and stopped short of making any new commitments.  Rather, it focused on the protective (though not protectionist) measures implemented so far.  Among them, the National Security Act 2023 stands out.  In force since December 2023, the Act is the most significant overhaul of UK national security law in over a century and directly responds to threats of espionage, foreign interference in the political process, disinformation, and cyber-attacks.  Notably, the Act creates new criminal offenses of obtaining or disclosing protected information, obtaining and disclosing trade secrets, and assisting a foreign intelligence service, and also expands the scope of existing investigative powers.  The offense of obtaining or disclosing trade secrets is particularly novel as it criminalizes espionage in relation to information that has existing or potential commercial, economic, or industrial value, such as a new technology developed in the United Kingdom.  In a similar vein, the government also devised the new Foreign Influence Registration scheme, which will require registration of arrangements to carry out political influence activities in the United Kingdom at the direction of a foreign power.  This is similar to the United States’ Foreign Agents Registration Act (“FARA”).

Overall, the United Kingdom continued to pursue an indirect approach to China policy, generally refraining from frontally addressing challenges.  That trend is likely to continue in 2024.  Examples of this quiet approach include the rejection of most license applications for companies seeking to export semiconductor technology to China, the continued use of anti-dumping measures on imports of raw materials from China, and the UK Government’s £1 billion investment in the semiconductor sector which is clearly designed to compete with Beijing.

B. Sanctions Developments

1. Ownership and Control Tests

The “ownership and control” tests employed in the UK financial sanctions context were the focus of significant attention by both practitioners and the judiciary in 2023.  The UK Court of Appeal’s obiter comments in the Boris Mints & Ors v. PJSC National Bank Trust & Anor case generated significant confusion regarding the breadth of the concept of “control,” particularly in relation to the potential influence exercised by public officials over Russian companies by virtue of their role.  The decision suggested a very broad interpretation of “control” that could theoretically have included almost all Russian government ministries, state-owned enterprises, and functions.  Immediately following publication of the Mints judgment, the Foreign, Commonwealth & Development Office (“FCDO”) issued a statement noting that the FCDO—in charge of UK sanctions policy and designations—will customarily designate a public body by name when it considers that a designated official has control over such body, and further noted that there is “no presumption on the part of the Government that a private entity based in or incorporated . . . in any jurisdiction in which a public official is designated is in itself sufficient evidence to demonstrate that the relevant official exercises control over that entity.”  OFSI also unequivocally departed from the Court of Appeal’s comments with its new guidance on public officials, published jointly with the FCDO.  Indeed, a subsequent High Court judgment (Litasco SA v. Der Mond Oil and Gas Africa) departed from the Court of Appeal’s obiter comments and noted that the UK control test is concerned with “an existing influence of a designated person over a relevant affair of the company . . . not a state of affairs which a designated person is in a position to bring about.”  Such interpretations by the FCDO and the High Court, which align with longstanding practice, provided a welcome dose of regulatory clarity for parties seeking to comply with UK sanctions.

2. Focus on Circumvention and Evasion

Alongside its core allies, the United Kingdom during 2023 identified countering circumvention and evasion as key priorities going forward.  In this regard, the most noteworthy development is the United Kingdom’s increasingly frequent designation of foreign, non-Russian companies that actively participate in sanctions evasion schemes, aid Russia’s war effort, and/or otherwise contribute to the destabilization of Ukraine.  Some examples include the imposition of UK sanctions on United Arab Emirates-based entities using opaque corporate structures and deceptive shipping practices to facilitate trade in Russian oil above the price cap; Iranian individuals and entities involved in providing UAVs for use by the Russian military; and prominent entities such as Sun Ship Management for supporting Russian efforts to circumvent or undermine the effects of UK and allied sanctions.  This trend toward designating third-country entities, which departs from the United Kingdom’s historic practice, seems certain to continue and intensify during the year ahead.

3. Cross-Agency Cooperation and Multilateralism

Again following the example of its U.S. partners, 2023 also witnessed an unprecedented level of cooperation among UK government agencies in relation to the effective implementation of UK sanctions.  Several departments of government are engaging in information sharing and have issued guidance and compliance notes, often jointly.  Examples of pluri-seal publications include several “Red Alerts” published by the UK National Crime Agency (“NCA”), each of which was prepared in cooperation with one or more UK government agencies.  For instance, a December 2023 Red Alert on Exporting High Risk Goods and a November 2023 Red Alert on Gold-Based Financial and Trade Sanctions Circumvention were issued by National Economic Crime Centre (i.e., a multi-agency unit in the NCA), OFSI, and the FCDO, working in conjunction with law enforcement and financial sector partners as part of the Joint Money Laundering Intelligence Taskforce.  Recent compound settlement notices published by HM Revenue & Customs (“HMRC”) in relation to breaches of UK trade sanctions on Russia have also underscored the extent of enforcement cooperation among HMRC, OFSI, the FCDO, and the NCA.

Similarly, the UK Financial Conduct Authority (“FCA”) is cooperating with OFSI in relation to compliance by regulated firms, with a particular focus on systems and controls designed to mitigate the risk of breaching sanctions and facilitating evasion.  Indeed, in 2023, the FCA invested significant resources to assess the sanctions compliance programs of more than 90 financial services firms and identified several areas for improvement.  The FCA now expects to be notified of any self-disclosures to OFSI, and may take independent action concerning sanctions issues when it deems necessary.

UK government agencies also extensively coordinated with their counterparts in closely allied jurisdictions.  Relations with OFAC remain particularly close following the 2022 launch of the OFSI-OFAC partnership (the first anniversary of which was celebrated with a joint publication reiterating the effectiveness of that collaboration), numerous joint designations (e.g., in relation to the Russia-based cybercrime gang Trickbot), publication of a joint fact sheet on Russia-related humanitarian authorizations, and frequent participation in joint engagements.  The United Kingdom also continues to make use of its wider network by engaging with Group of Seven (“G7”) allies to coordinate new sanctions on Russia, working with its Five Eyes partners to issue joint guidance identifying critical items used in Russian weapons systems, and signing a new accord with South Korea in relation to the joint enforcement of sanctions against North Korea.  The United Kingdom’s multilateral approach to sanctions implementation is expected to intensify further in 2024.

4. Enforcement Update

OFSI made use of its new enforcement disclosure power for the first time in August 2023.  Pursuant to Section 149(3) of the Policing and Crime Act 2017, OFSI is now authorized to publish details of financial sanctions breaches—including details on the identity of the person committing the breach—even under circumstances in which OFSI determines that the breaches are not serious enough to justify a civil monetary penalty.  OFSI’s first published disclosure underscores the importance of effective sanctions policies and procedures and adequate resourcing in the field of sanctions compliance, and importantly reiterates that approaching OFSI on a voluntary basis will be treated as a mitigating factor in determining what consequence, if any, to impose.

Similar concepts were threaded throughout OFSI’s guidance on enforcement and monetary penalties for breaches of financial sanctions, last updated in December 2023, which articulates the agency’s due diligence expectations.  While noting that there is no one-size-fits-all approach to sanctions compliance, OFSI indicated that it will consider the degree and quality of a company’s due diligence if the agency ever investigates a potential violation of financial sanctions.  OFSI expects to see evidence of a reasonable risk-based decision-making process, carried out in good faith.  The guidance also clarifies the range of options available to OFSI, depending upon the severity of the breach.  For instance, minor sanctions breaches are likely to be dealt with via a private warning letter, provided that there are no significant aggravating factors and the breach does not form part of a wider pattern.  Moderate breaches are likely to be dealt with via a public disclosure without monetary penalty, and serious breaches are likely to attract monetary penalties or, in the most egregious cases, will be referred to UK law enforcement agencies for criminal investigation and potential prosecution.  OFSI also reiterated that the standard of proof for civil investigations is the “balance of probabilities,” meaning that a breach is more likely than not to have occurred, rather than the “beyond reasonable doubt” standard that applies in the criminal context.  Finally, OFSI shed light on some non-determinative factors that the agency can consider as aggravating, including:  the circumvention of any prohibitions or the facilitation of the contravention of any prohibitions; a high financial value associated with a breach; the breach’s ability to harm the regime’s objectives; and a regulated person’s failure to meet regulatory standards.

5. Iran Sanctions and Policy Update

The United Kingdom’s stance toward Iran is being reshaped as geopolitical tensions rise and Iran continues to act as a global destabilizing force.  Indeed, the UK Government’s 2023 Review, discussed above, included a commitment to counter, in cooperation with allies, the threat to regional and international security posed by the Iranian regime.

Ahead of Joint Comprehensive Plan of Action Transition Day (i.e., October 18, 2023), the UK Government, together with the governments of France and Germany, issued a joint statement committing to maintaining nuclear proliferation-related measures on Iran, as well as arms and missile embargoes.  The statement explicitly called out Iran’s refusal to return to the JCPOA and Tehran’s continued expansion of its nuclear program and its stockpile of enriched uranium without any credible civilian justification.

On Transition Day, the UK Government followed up by translating former UN sanctions into UK law and, alongside 46 other countries that have endorsed the Proliferation Security Initiative, issued a joint statement affirming a commitment to implement effective measures to interdict the transfer to and from Iran of missile-related materials, including those related to UAVs; adopt streamlined procedures for the rapid exchange of relevant information concerning Iran’s proliferation activities; work to strengthen relevant national legal authorities to address Iranian missile- and UAV-related issues; and take specific actions in support of interdiction efforts related to Iran’s missile and UAV programs.

The United Kingdom in July 2023 announced a new Iran sanctions regime developed to respond to unprecedented threats from the Government of Iran and Iranian-backed armed groups, including efforts to undermine peace and security across the Middle East and plots to kill individuals on UK soil.  This new instrument, which took effect in December 2023, replaces the existing Iran Human Rights sanctions regulations, and enables the alignment of Iran-related sanctions regulations as far as possible.  Among several designations and restrictive measures imposed, the new regime notably includes export restrictions on drone components, as well as new powers to impose transport sanctions on ships involved in contravening existing sanctions or owned or controlled by sanctioned individuals.

These developments follow the previous broadening of sanctions on Iran in relation to human rights violations and the designation of Iranian companies under the Russia sanctions regime, and aim to bring most Iran-related restrictive measures under one heading.  As hostilities in the Middle East continue to escalate, the implementation of new UK restrictive measures targeting Iran in 2024 cannot be ruled out.

C. Export Controls Developments

1. Multilateral Cooperation

The United Kingdom has taken an increasingly multilateral approach to export controls in response to Russia’s full-scale invasion of Ukraine and growing geopolitical challenges.  In March 2023, the UK Government issued a joint statement with 10 other countries on the need for domestic and international controls of commercial spyware technology.  Noting the threat to civil liberties and national security that the misuse of such technologies poses, the United Kingdom pledged to work with other democracies to share information and to prevent the export of software, equipment, and technology to end users who are likely to use them for malicious cyber activity.  As discussed under Sections I.E and IV.A, above, the UK Government and its Five Eye partners also announced a joint effort in June 2023 to enforce export controls, and on multiple occasions this past year the United States, the European Union, the United Kingdom, and Japan issued and updated their common list of high-priority items deemed critical to Russia’s war effort—which items may present elevated risks of export control evasion and will likely be a top enforcement priority going forward.

2. Enforcement Update

As part of its efforts to combat circumvention and evasion, the United Kingdom in December 2023 announced that it is launching a new Office of Trade Sanctions Implementation (“OTSI”), which will allocate implementation and enforcement of UK trade sanctions to a dedicated agency.

OTSI will be responsible for civil enforcement of trade sanctions, including those against Russia which have become incredibly complex and warrant the assembly of a specialist team on the government’s side.  The agency will operate in parallel with OFSI, which will continue to exclusively deal with financial sanctions.  OTSI will issue guidance, act as a point of contact, investigate potential breaches, issue civil penalties, and refer cases to HMRC for criminal enforcement where needed.

OTSI is designed to fill a gap in UK sanctions implementation and enforcement.  In light of the growing overlap between sanctions and export controls brought about by the United Kingdom’s sweeping Russia-related trade restrictions, HMRC is pursuing civil enforcement of trade sanctions breaches.  However, HMRC is also tasked with export control enforcement, and its resources risk being strained in the long run.  Over the past year, however, this has not stopped HMRC from pursuing several civil and criminal enforcement actions.  For example, in August 2023, HMRC fined a UK company £1 million for trading unlicensed goods in violation of Russia sanctions—the largest penalty for violations of Russia sanctions to date.

UK enforcement actions were not, however, limited to violations of Russia sanctions.  HMRC announced a fine of nearly £1 million for the unlicensed export of dual-use goods in May 2023, as well as several smaller settlements throughout the year for the unlicensed export of dual-use and military goods.  In addition to imposing civil penalties, HMRC brought criminal enforcement actions against corporate entities.  In May 2023, the agency announced that a criminal investigation into the suspected deliberate evasion of UK export controls had led to a guilty plea for an unlicensed shipment of controlled chemicals, a dual-use good.

Despite having increased the issuance of substantial fines, HMRC continues to abide by its longstanding practice not to disclose details of persons found in violation of UK export controls and trade sanctions.

D. Foreign Direct Investment Developments

Following a sustained downward trend in inbound foreign direct investment flows, the United Kingdom adopted a more permissive approach to FDI screening in 2023.  The past year saw no orders blocking or unwinding transactions, and only six final orders imposing conditions on acquisitions.  While China was the clear focus of most prohibitions and conditional orders in 2022, only one of the six final orders announced in 2023 involved investors linked to China.  Instead, the United Kingdom in 2023 focused on issuing orders protecting military and defense assets such as transmission systems, satellite services, and naval propulsion systems regardless of the acquirer’s nationality.  Four of the six final orders involved acquirers from countries that have traditionally been friends or close allies of the United Kingdom, including the United States, Canada, and France, suggesting that the United Kingdom is prepared to exercise its FDI screening powers without regard to where the acquirer is based when it believes that UK national security is at stake.

As the third anniversary of the regime approaches, the UK Government called on stakeholders both inside and outside of the United Kingdom to complete an in-depth survey on UK FDI screening with an eye toward making the regime as business friendly as possible.

* * *

In short, 2023 was another extraordinarily active year in the world of trade controls.  Between Russia’s ongoing war in Ukraine, continuing frosty relations between Washington and Beijing, instability in the Middle East and parts of Africa and Latin America, and a rapidly approaching U.S. presidential election (as well as elections in dozens of countries around the world), we expect further seismic shifts to keep multinational enterprises occupied throughout the months ahead.


The following Gibson Dunn lawyers prepared this update: Scott Toussaint, Irene Polieri, Adam M. Smith, Stephenie Gosnell Handler, Christopher Timura, Michelle Kirschner, Benno Schwarz, Attila Borsos, Roscoe Jones, David Wolber, Amanda Neely, Dharak Bhavsar, Felicia Chen, Justin duRivage, Justin Fishman, Konstantinos Flogaitis*, Mason Gauch, Erika Suh Holmberg, Zach Kosbie, Hayley Lawrence, Allison Lewis, Nikita Malevanny, Jacob McGee, Chris Mullen, Sarah Pongrace, Nick Rawlinson, Anna Searcey, Samantha Sewall, Alana Sheppard*, Dominic Solari, Elsie Stone, Audi Syarief, Alana Tinkler, Lauren Trujillo, Gerti Wilson, Claire Yi, and Zach Young.

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these issues. For additional information about how we may assist you, please contact the Gibson Dunn lawyer with whom you usually work, the authors, or the following leaders and members of the firm’s International Trade practice group:

United States
Ronald Kirk – Co-Chair, Dallas (+1 214.698.3295, [email protected])
Adam M. Smith – Co-Chair, Washington, D.C. (+1 202.887.3547, [email protected])
Stephenie Gosnell Handler – Washington, D.C. (+1 202.955.8510, [email protected])
Christopher T. Timura – Washington, D.C. (+1 202.887.3690, [email protected])
David P. Burns – Washington, D.C. (+1 202.887.3786, [email protected])
Nicola T. Hanna – Los Angeles (+1 213.229.7269, [email protected])
Courtney M. Brown – Washington, D.C. (+1 202.955.8685, [email protected])
Chris R. Mullen – Washington, D.C. (+1 202.955.8250, [email protected])
Sarah L. Pongrace – New York (+1 212.351.3972, [email protected])
Anna Searcey – Washington, D.C. (+1 202.887.3655, [email protected])
Samantha Sewall – Washington, D.C. (+1 202.887.3509, [email protected])
Audi K. Syarief – Washington, D.C. (+1 202.955.8266, [email protected])
Scott R. Toussaint – Washington, D.C. (+1 202.887.3588, [email protected])
Claire Yi – New York (+1 212.351.2603, [email protected])
Shuo (Josh) Zhang – Washington, D.C. (+1 202.955.8270, [email protected])

Asia
Kelly Austin – Hong Kong/Denver (+1 303.298.5980, [email protected])
David A. Wolber – Hong Kong (+852 2214 3764, [email protected])
Fang Xue – Beijing (+86 10 6502 8687, [email protected])
Qi Yue – Beijing (+86 10 6502 8534, [email protected])
Dharak Bhavsar – Hong Kong (+852 2214 3755, [email protected])
Felicia Chen – Hong Kong (+852 2214 3728, [email protected])
Arnold Pun – Hong Kong (+852 2214 3838, [email protected])

Europe
Attila Borsos – Brussels (+32 2 554 72 10, [email protected])
Susy Bullock – London (+44 20 7071 4283, [email protected])
Patrick Doris – London (+44 207 071 4276, [email protected])
Sacha Harber-Kelly – London (+44 20 7071 4205, [email protected])
Michelle M. Kirschner – London (+44 20 7071 4212, [email protected])
Penny Madden KC – London (+44 20 7071 4226, [email protected])
Irene Polieri – London (+44 20 7071 4199, [email protected])
Benno Schwarz – Munich (+49 89 189 33 110, [email protected])
Nikita Malevanny – Munich (+49 89 189 33 160, [email protected])

*Konstantinos Flogaitis, a trainee solicitor in the London office, is not admitted to practice law.

*Alana Sheppard, an associate in the New York office, is practicing under supervision of members of the New York bar.

© 2024 Gibson, Dunn & Crutcher LLP.  All rights reserved.  For contact and other information, please visit us at www.gibsondunn.com.

Attorney Advertising: These materials were prepared for general informational purposes only based on information available at the time of publication and are not intended as, do not constitute, and should not be relied upon as, legal advice or a legal opinion on any specific facts or circumstances. Gibson Dunn (and its affiliates, attorneys, and employees) shall not have any liability in connection with any use of these materials.  The sharing of these materials does not establish an attorney-client relationship with the recipient and should not be relied upon as an alternative for advice from qualified counsel.  Please note that facts and circumstances may vary, and prior results do not guarantee a similar outcome.

This edition of Gibson Dunn’s Federal Circuit Update for January 2024 summarizes the current status of several petitions pending before the Supreme Court, and recent Federal Circuit decisions interpreting a forum selection clause in a settlement agreement, deciding the appropriate scope of an opposition to a motion to amend in an inter partes review proceeding, and reviewing the International Trade Commission’s determination of what satisfies the economic prong of the domestic industry requirement.

Federal Circuit News

Noteworthy Petitions for a Writ of Certiorari:

In January 2024, there were a few new potentially impactful petitions filed before the Supreme Court:

  • Vanda Pharmaceuticals Inc. v. Teva Pharmaceuticals USA, Inc. (US No. 23-768): The question presented is “Whether obviousness requires a showing of ‘predictable’ results, as this Court held in KSR, or a mere ‘reasonable expectation of success,’ as the Federal Circuit has held both before and after KSR?”  The respondents waived their right to file a response.
  • Ficep Corp. v. Peddinghaus Corp. (US No. 23-796): The questions presented are “1. Does a claim directed to patent-eligible subject matter (here, manufacturing) nevertheless become ineligible as ‘abstract’ if the process is improved using automation?  Should an ‘abstract-idea’ behind a claim to a patent-eligible process be identified and, if so, how and at what level of abstraction? 2. What is the appropriate standard for determining whether a claim is ‘inventive,’ conferring eligibility under Alice step 2, including whether objective evidence of inventiveness and technological improvement is relevant? 3. Is either what a claim is ‘directed to’ and whether that is abstract, or whether a claim is ‘inventive’ as articulated in Alice step 2, only for a judge to decide as a legal matter or does it include fact issues and, if the latter, are they for a jury?”  The response is due February 23, 2024.
  • Liquidia Technologies, Inc. v. United Therapeutics Corp. (US No. 23-804): The questions presented are “1.  Whether a party may be liable for induced patent infringement when the PTAB has already issued a final written decision determining that the same patent is invalid.    Whether a final written decision of the PTAB remains preclusive while it is pending on appeal.”  The respondent waived its right to file a response.  The petition will be considered during the Court’s February 16, 2024 conference.

As we summarized in our December 2023 update, there are a few petitions pending before the Supreme Court.  We provide an update below:

  • In VirnetX Inc. v. Mangrove Partners Master Fund, Ltd. (US No. 23-315), the respondents filed their opposition briefs on December 27, 2023, and the petitioners filed their reply on January 10, 2024. An amicus curiae brief has been filed by the Cato Institute.  The petition will be considered during the Court’s February 16, 2024 conference.
  • The Court denied the petition in Intel Corp. v. Vidal (US No. 23-135).

Upcoming Oral Argument Calendar

The list of upcoming arguments at the Federal Circuit is available on the court’s website.

Key Case Summaries (January 2024)

Dexcom, Inc. v. Abbott Diabetes Care, Inc., No. 23-1795 (Fed. Cir. Jan. 3, 2024):  In 2014, DexCom and Abbott entered into a settlement and license agreement that contained inter alia a forum selection clause identifying the District of Delaware as the exclusive jurisdiction, and a covenant not to challenge either party’s patents until March 31, 2021.  The covenant expressly included inter partes reviews (“IPRs”) in the definition of “challenge,” but provided a few exceptions when a party could file an IPR.  After the covenant period expired, DexCom sued Abbott for patent litigation, and Abbott filed IPRs on the asserted patents in response.  DexCom claimed breach of contract and moved for a preliminary injunction to enjoin the IPRs from proceeding, arguing that Abbott had violated the forum selection clause, which required disputes to be filed in Delaware.  The district court assumed that DexCom had shown a likelihood of success on the merits, but denied the injunction on the basis that DexCom had not demonstrated irreparable harm because it had participated in the IPR proceedings for six months before seeking injunctive relief.  The district court also decided that the balance of hardships and public interest weighed against injunctive relief.

The Federal Circuit (Stoll, J., joined by Dyk and Hughes, JJ.) affirmed.  The Court held that the district court erred by assuming a likelihood of success on the merits, but determined that the error was harmless because DexCom was unlikely to succeed on its breach of contract claim, and thus, the preliminary injunction would have been denied even under the correct rationale.  Specifically, the Court held that the parties’ agreement provided specific exceptions to the covenant not to challenge, including circumstances under which a party could file an IPR.  The Court therefore reasoned that the forum selection clause cannot “operate to prohibit the filing of IPRs after” the covenant period “if it allowed them during.”  The Court found nothing in the agreement that would indicate the forum selection clause had different interpretations during the covenant period versus after the covenant period.

Cywee Group Ltd. v. ZTE (USA), Inc., No. 21-1855 (Fed. Cir. Jan. 18, 2024):   ZTE filed an IPR challenging CyWee’s patent directed to a 3D pointing device, which was instituted by the Patent Trial and Appeal Board (“Board”).  LG Electronics Inc. (“LG”) later filed an IPR petition challenging the same patent and moved to join ZTE’s ongoing IPR, acknowledging that its own petition was untimely because it had been more than a year since CyWee sued LG.  While LG’s joinder motion was pending, CyWee moved to amend the claims.  ZTE opposed, and the Board issued preliminary guidance that the amended claims would not succeed.  The Board then granted LG’s joinder motion, but restricted LG to an “understudy” role, allowing LG only to “assume the primary role” in the limited circumstance “if ZTE ceases to participate in the IPR.”  In light of the Board’s preliminary guidance, CyWee filed a revised motion to amend.  ZTE decided not to oppose the revised motion to amend, so LG stepped in and moved for leave to oppose, which was ultimately granted by the Board.  LG argued that CyWee’s revised amended claims would have been obvious over three prior art references, including at least one reference that ZTE did not cite in its opposition to the original motion to amend.  The Board denied CyWee’s revised motion to amend on the basis that the revised amended claims would have been obvious.

The Federal Circuit (Prost, J., joined by Hughes and Stoll, JJ.) affirmed.  The Court found no error in the Board’s conclusion that the proceeding was no longer “meaningfully adversarial” when ZTE decided not to oppose the motion to amend, and thus, held that the Board did not err in allowing LG to step into the primary role to oppose the revised motion to amend.  CyWee also argued that LG should not have been allowed to introduce a new prior art reference in opposing the revised motion to amend.  The Court explained that while 35 U.S.C. § 315(c) “does not authorize the joined party to bring new issues” outside of the petition into the existing proceeding, the limitation “does not apply in the context of motions to amend where the patent owner has introduced new claims into the proceedings.”

Roku, Inc. v. International Trade Commission, No. 22-1386 (Fed. Cir. Jan. 19, 2024):  Universal Electronics, Inc. filed a complaint with the International Trade Commission against Roku for importing certain TV products that infringe Universal’s patent directed to a “universal control engine,” which translates between devices using different communication protocols (such as HDMI, Wi-Fi, or Bluetooth).  Universal relied on QuickSet, a technology it developed that is incorporated into multiple smart TVs and practices the teachings of Universal’s patent, to satisfy the economic prong of the domestic industry requirement.  The Commission found Universal had shown substantial investment in engineering and research and development related to the QuickSet platform satisfying the economic prong of the domestic industry requirement.

The Federal Circuit (Hughes, J., joined by Dyk and Stoll, JJ.) affirmed.  Roku argued that the Commission erred in determining Universal had satisfied the economic prong of the domestic industry requirement by focusing on Universal’s investments in the QuickSet technology installed on smart TVs, rather than the smart TVs themselves.  However, the Court held that the economic prong of the domestic industry requirement demands only “sufficiently substantial investment in the exploitation of the intellectual property,” and does not require expenditures on the whole products themselves.  Thus, the Court affirmed the Commission’s determination that Universal’s investments in QuickSet satisfied the economic prong of the domestic industry.


The following Gibson Dunn lawyers assisted in preparing this update: Blaine Evanson, Jaysen Chung, Audrey Yang, Al Suarez, Julia Tabat, and Vivian Lu

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding developments at the Federal Circuit. Please contact the Gibson Dunn lawyer with whom you usually work, any leader or member of the firm’s Appellate and Constitutional Law or Intellectual Property practice groups, or the following authors:

Blaine H. Evanson – Orange County (+1 949.451.3805, [email protected])
Audrey Yang – Dallas (+1 214.698.3215, [email protected])

Appellate and Constitutional Law:
Thomas H. Dupree Jr. – Washington, D.C. (+1 202.955.8547, [email protected])
Allyson N. Ho – Dallas (+1 214.698.3233, [email protected])
Julian W. Poon – Los Angeles (+ 213.229.7758, [email protected])

Intellectual Property:
Kate Dominguez – New York (+1 212.351.2338, [email protected])
Y. Ernest Hsin – San Francisco (+1 415.393.8224, [email protected])
Josh Krevitt – New York (+1 212.351.4000, [email protected])
Jane M. Love, Ph.D. – New York (+1 212.351.3922, [email protected])

© 2024 Gibson, Dunn & Crutcher LLP.  All rights reserved.  For contact and other information, please visit us at www.gibsondunn.com.

Attorney Advertising: These materials were prepared for general informational purposes only based on information available at the time of publication and are not intended as, do not constitute, and should not be relied upon as, legal advice or a legal opinion on any specific facts or circumstances. Gibson Dunn (and its affiliates, attorneys, and employees) shall not have any liability in connection with any use of these materials.  The sharing of these materials does not establish an attorney-client relationship with the recipient and should not be relied upon as an alternative for advice from qualified counsel.  Please note that facts and circumstances may vary, and prior results do not guarantee a similar outcome.

Aggressive enforcement reflected in continuing trend of escalating enforcement actions and monetary relief, as well as expanding reach of securities laws.

I.   Introduction:  Enforcement Results and Notable Developments

In our year-end 2022 and mid-year 2023 updates, we noted that the Commission’s Division of Enforcement has maintained its agenda of persistent enforcement activity including ongoing sweeps, expansive remedies (including increased penalties and high numbers of officer and director bars), and aggressive rulemaking.  These trends have continued through the end of 2023, marking a particularly active Commission under Chair Gary Gensler’s leadership.

A.   2023 Enforcement Results

The enforcement statistics for fiscal year 2023 reflect that the Commission filed a total of 501 stand-alone enforcement actions last year, an eight percent increase over fiscal year 2022, though short of the SEC’s five-year high mark in fiscal year 2019[1]:

The Commission obtained orders for $4.949 billion in financial remedies in fiscal year 2023, second only to the Commission’s record-breaking 2022.  In 2023, the SEC recovered over twice as much in disgorgement as compared to penalties, consistent with its general pattern.  These statistics were inverted in 2022, primarily due to the significant penalties (without disgorgement) that the Commission recovered in its industry-wide settlements with broker-dealers (and one affiliated investment adviser) relating to alleged recordkeeping violations in connection with employee use of off-channel platforms for business communications.

Notably, in 2023, the SEC also obtained 133 officer and director bars—the highest number obtained in a decade.[2]

The distribution of actions across subject matter was generally consistent with prior years, with the majority of cases involving public company financial reporting, broker-dealers and investment advisers, and securities offerings.[3]  The SEC brought 62 stand-alone actions against investment advisers (17% of actions in 2023) reflecting a sustained focus on investment adviser regulation and enforcement, albeit down from the prior year (26% of actions in 2022).[4]  The percentage of stand-alone enforcement actions relating to securities offerings reflected a substantial increase over the prior year (33% of actions in 2023, compared to 23% of actions in 2022) and there were modest increases year-over-year in the areas of issuer reporting (17% of actions in 2023, compared to 16% of actions in 2022) and broker-dealer enforcement (12% of actions in 2023, compared to 10% of actions in 2022).[5]  There was a decrease in the percentage of stand-alone actions relating to insider trading in 2023 (6% of actions in 2023, compared to 9% of actions in 2022) although it continues to remain a focus area for the SEC.[6]  See Sections II (Public Company Accounting, Financial Reporting, and Disclosure), III (Investment Advisers), IV (Broker-Dealers), V (Cryptocurrency and Other Digital Assets), and VI (Insider Trading), infra, for our discussions of significant actions in these areas in the second half of 2023.

B.   Continued Focus on Cryptocurrency Coming to an End?

The past year continued to be an active year for the Commission with respect to its enforcement efforts over crypto asset securities.  In the second half of 2023, the SEC brought two novel settled actions relating to the unregistered offerings of crypto asset securities in the form of NFTs.[7]  On the heels of its earlier actions against two prominent crypto platforms alleging that they failed to register as securities exchanges and broker-dealers,[8] the SEC filed an action against a third platform in November.[9]  It also filed complaints against various other crypto exchanges, all for allegedly not registering with the Commission.[10]

While the SEC has described its efforts as “addressing the alleged rampant noncompliance in the crypto asset intermediary space,”[11] the SEC has explicitly declined rulemaking in this area.  In his December 2023 statement denying a petition for rulemaking by one of the crypto platforms against which the Commission had filed a complaint, Chair Gensler reiterated the Commission’s intent to continue to rely on the investment contract test articulated in SEC v. Howey in 1946 as the basis for its crypto enforcement efforts.[12]  Chair Gensler’s statement also discussed the need for the Commission to “maintain discretion regarding rulemaking priorities” despite the unprecedented—with the exception of the Dodd-Frank era—scale and breadth of rulemaking during his tenure.[13]  In their dissent, Commissioners Peirce and Uyeda—who have previously criticized the Commission’s substantial rulemaking activity—noted the need to address “issues presented by new technologies and other innovations” by hearing from “a wide range of market participants and other interested parties.”[14]

It remains to be seen whether the Commission will prevail in its interpretation of the Howey test as applied to digital assets.  In October, the court in SEC v. Ripple Labs declined to allow the SEC to appeal the court’s July 2023 ruling (discussed in our mid-year alert as a “landmark legal victory for the cryptocurrency industry”),[15] and later that month, the SEC dropped its aiding and abetting claims against two Ripple executives.[16]  The Ripple case is scheduled to go to trial in April 2024, and motions to dismiss in other significant cases are currently pending.[17]  In the meantime, enforcement activity in this area—particularly against major market participants—may be slowing down as the industry awaits the outcome of the litigations.  See Section V, infra, for our discussion of significant crypto enforcement activity in the second half of 2023.

C.   What Is Not an Internal Controls Violation?

In early 2023, the SEC brought an enforcement action against a public company alleging that its failure to adequately analyze certain employment-related issues amounted to securities law violations.  Specifically, the SEC alleged that the company’s failure to “collect and analyze employee complaints of workplace misconduct” amounted to an internal controls violation, even though it found no misstatement relating to such complaints.[18]

In the second half of the year, the SEC brought an additional controls case against a public company relating to its stock buyback program.  The SEC specifically alleged that the company’s use of Rule 10b5-1 plans that included “accordion” provisions—which gave the company flexibility on when it could buy back stock—reflected that the company had “insufficient accounting controls”; for this controls violation, the company paid a sizeable $25 million penalty.[19]  In their dissent, Commissioners Peirce and Uyeda noted that “[w]e do not have the authority to tell companies how to run themselves, but we now routinely use Section 13(b)(2)(B) to do just that” and further noted that the company’s alleged failures had nothing to do with accounting controls as required by the statute.[20]  In 2020, the Commission brought a similar case (with a similar $20 million penalty) alleging violations of Section 13(b)(2)(B) of the Exchange Act in connection with a stock buyback—in that case, the allegation was that the company’s process to assess whether it was in possession of material non-public information at the time of the buyback was inadequate.[21]  And in that case, Commissioner Peirce also issued a strongly worded dissent noting simply that “the Order does not articulate any securities law violations.”[22]

Perhaps in response to the drumbeat of dissents by Republican-appointed commissioners in these internal controls matters, Chair Gensler recently defended the Commission’s focus on corporate governance in remarks before the American Bar Association, referring to the “critical role that corporate governance plays to protect investors and facilitate capital formation” and noting that while “Congress conceived the SEC primarily as a disclosure-based agency,” corporate governance principles have long appeared in the federal securities laws.[23]  Chair Gensler described the SEC’s recent rulemaking initiatives relating to corporate governance, which have focused on executive compensation clawbacks, limitations on stock buyback plans, transparency in proxy voting, and shortening the deadlines for beneficial ownership reporting, and concluded his remarks by noting that the SEC’s projects “follow Congress’s vision that a federal regulator, the SEC, play a role alongside state law in addressing corporate governance-related issues—to align incentives and build trust in the markets.”[24]

The recent cases and comments illustrate both the Commission’s continuing emphasis on scrutinizing stock buybacks, and more broadly, on using all available tools to bring general corporate governance issues within the purview of the securities laws.

D.   Recordkeeping and Whistleblower Protection

In keeping with the emphasis on “conduct that undermines oversight of the securities industry,”[25] fiscal year 2023 was a very significant year for the SEC’s continued industry-wide sweep relating to off-channel business communications and for its whistleblower program.

Recordkeeping

In August and September 2023, the SEC announced settled charges against 21 broker-dealers and investment advisers, resulting in combined penalties of $368 million for the alleged failure to maintain and preserve off-channel communications.[26]  The Fall 2023 settlements follow 19 earlier settlements, for a total of approximately $1.5 billion in penalties for alleged recordkeeping violations, and more are expected to come in 2024.  Each of the settlements involved admissions, improvements to policies and procedures, and most notably, undertakings to retain independent compliance consultants.  One of the firms in the September 2023 announcement self-reported to the SEC—the third firm so far to do so out of 40 firms that agreed to settle charges in the sweep.

In September, the SEC additionally announced settled orders against two credit rating agencies for failure to preserve electronic records.[27]  Both agencies allegedly failed to retain or preserve text messages and other electronic communications that employees used relating to how credit ratings were determined.  As with the broker-dealer and investment advisers, both agencies admitted to the SEC’s recordkeeping findings, and agreed to retain independent compliance consultants in addition to paying civil penalties for $4 million and $6 million.  In announcing the settlement, the Commission emphasized the “critical gatekeeping function” of ratings agencies.

Whistleblower Protection

As we reported in our mid-year alert, the Commission awarded a record-breaking $279 million to two whistleblowers in May 2023 in one case.  Overall, the Commission received over 18,000 whistleblower tips in 2023, reflecting a substantial 50% increase over the—at the time record-breaking—number of tips it received in 2022.[28]  Significant awards in the second half of the year included the following:

  • Awards totaling more than $104 million in August to seven whistleblowers, representing the fourth-largest payout in the SEC whistleblower program’s history.[29] The seven whistleblowers included two sets of joint claimants and three single claimants, all of whom provided information that prompted or significantly contributed to the SEC investigation and related actions by another agency.
  • An award of $18 million in August to a whistleblower who, after initially reporting conduct internally, provided information and subsequent cooperation that prompted an SEC investigation and respective enforcement action.[30]
  • An award of $28 million in December to seven whistleblowers, composed of a single claimant and two sets of joint claimants.[31] The single claimant and first set of joint claimants were credited with providing “significant and detailed information early in the investigation,” while the second set of joint claimants provided “new, but more limited, information later in the investigation.”

Additionally, enforcement activity and ongoing sweeps reflect the Commission’s aggressive position that agreements with employees and clients that contain confidentiality provisions, but do not provide exceptions for whistleblowing, are a violation of the Dodd-Frank whistleblower protection rule.  In January 2024, the SEC brought settled charges with a penalty of $18 million—a record penalty for a purported violation of the whistleblower protection rule—against a broker-dealer for entering into settlement agreements with clients that did not contain whistleblowing carveouts.[32]  Three months earlier, in September 2023, the SEC brought three settled actions for purported violations of the rule including: (1) an Order with a registered investment adviser for entering into employee confidentiality agreements that did not contain a whistleblowing carveout, and for entering into employee release agreements that required employees to affirm they had not filed complaints with a government agency;[33] and (2) an Order with a privately held energy and technology company for entering into employee separation agreements that required employees to waive rights to monetary whistleblower awards.[34]

In recent remarks before the New York City Bar Association’s Compliance Institute, Director of Enforcement Gurbir Grewal described these recent actions and noted that the message is that the Commission “take[s] compliance with [the Whistleblower Protection Rule] very seriously, and so should each of you who work in a compliance function or advise companies.”[35]  In discussing both the recent whistleblower and recordkeeping actions, Director Grewal further expanded that it is the Commission’s expectation that employees working in a compliance function (i) educate themselves and are aware of SEC Orders “and the violative language cited by the Commission”; (ii) engage with personnel in different business units “to learn about their activities, strategies, risks, financial incentives, counterparties, and sources of revenues and profits”; and (iii) execute and implement effective policies.[36]

E.   Senior Staffing Update

At the end of the year, the SEC named Dean C. Metry as the Commission’s Chief Administrative Law Judge, replacing James E. Grimes who had served in the position for two years.[37]  Metry has 22 years of experience as an Administrative Law Judge, most recently as the Associate Chief Judge of the Office of Medicare Hearings and Appeals for the U.S. Department of Health and Human Services, and before that as an Administrative Law Judge for the Department of Homeland Security and the Social Security Administration.  Metry also served four years in the Navy Judge Advocate General Corps as trial counsel and a summary courts martial officer.

In September, George Botic was appointed to a term as a Board Member of the Public Company Accounting Oversight Board (PCAOB), replacing outgoing Board member Duane DesParte.[38]  Botic most recently served as the Director of the PCAOB’s Division of Registration and Inspections, and has also held other roles at PCAOB including Director of the Office of International Affairs, special advisor to former Chair James R. Doty, and Deputy Director of the Registration and Inspections Division.

There were several changes at the senior staff level and in regional leadership, including within the Division of Examination, Media Relations and Speechwriting, and office and regional directors:

  • In July, Natasha Vij Greiner and Keith E. Cassidy were named interim Acting Co-Directors of the Division of Examinations while Division Director Richard Best took extended medical leave.[39] Greiner concurrently serves as a Deputy Director of the Division, the National Associate Director of the Investment Adviser/Investment Company (IA/IC) examination program, and the Associate Director of the Home Office IA/IC examination program.  Cassidy concurrently serves as a Deputy Director of the Division of Examinations at large and the National Associate Director of the Division’s Technology Controls Program.
  • In October, Stephanie Allen replaced Aisha Johnson as the SEC’s Director of Media Relations and Speechwriting.[40] In this capacity, she will lead media relations for the Office of Public Affairs and serve as the primary spokesperson for the SEC and Chair Gensler.  Allen previously served as the Executive Director of the Ludwig Institute for Shared Economic Prosperity and the Director of Strategic Communications and Marketing at Promontory Financial Group, an IBM Company.
  • In November, Kate E. Zoladz was named Regional Director of the Los Angeles Office after serving as the Acting Co-Director since June 2023 and as the Associate Regional Director for Enforcement since October 2019.[41]
  • In December, Daniel R. Gregus left his position as Director of the Chicago Regional Office after leading the Chicago office since 2021 and serving for longer than 30 years at the SEC.[42] For the time being, Vanessa Horton and Kathryn Pyszka will serve as Acting Co-Directors of the regional office.

II.   Public Company Accounting, Financial Reporting, and Disclosure

A.   Financial Reporting

In September, the SEC charged a ridesharing platform with violations of Section 13(a) of the Exchange Act and Rule 13a-1 for failing to disclose in its 10-K a related person transaction involving a large shareholder’s sale of approximately 2.6% of the company’s shares in the weeks prior to the company’s IPO.[43]  The Commission alleged that the shareholder declined to sign a lockup agreement and instead informed the company that it wanted to sell a substantial portion of its shares before the IPO.  This transaction required approval of the company’s board of directors, which initially declined the transaction based on concerns that the shareholder’s affiliation with one of the directors could result in material, nonpublic information being imputed to the shareholder.  The company later approved a transaction—set-up by an investment advisor for which the director served as an employee—in which the shareholder would ultimately sell its shares at a pre-IPO discount to an unaffiliated investor.  For his help with facilitating the sale, the director received millions of dollars of compensation from the investment advisor that arranged the deal.  The company settled the charges without admitting or denying the Commission’s findings, and agreeing to pay a civil monetary penalty of $10 million.

Also in September, the SEC charged a telecommunication and internet provider with failing to disclose material information about unsupported adjustments the company made in several filings.[44]  The Commission alleged that the company began to notice a discrepancy between two key operational systems that caused a mismatch between actual expenses based on invoices and calculations of what should be paid under existing contracts.  Despite the company’s knowledge of the issue, it allegedly failed to implement adequate policies and procedures to provide reasonable assurance that the cost of revenue reflected in the company’s financial statements was based on adequate support.  The Commission further alleged that the company made unsupported adjustments to its financial results that lowered its cost of revenue by more than $35 million, without disclosing material facts about the adjustments.  The Commission determined not to impose civil monetary penalties based on the company’s self-reporting and cooperation.

In the same month, the SEC also announced settled charges against a consumer products company and its former CEO for fraud and reporting violations.[45]  The Commission alleged that the company pulled sales forward into earlier quarters without adequate disclosure and engaged in accounting practices that were inconsistent with GAAP while overriding its internal accounting controls, giving the misleading appearance that the company had achieved sales growth in line with its targets.  Both the company and the CEO settled the charges without admitting or denying the SEC’s findings, agreeing to pay civil penalties of $12.5 million and $110,000, respectively.

Later in September, the SEC charged an owner and operator of distributed solar energy assets with violating antifraud, proxy, and reporting provisions of the federal securities laws.[46]  According to the Commission, the company’s revenue projections, featured in public filings ahead of a SPAC merger, were misleading because the sales pipeline consisted almost entirely of speculative sales opportunities, including sales to potential customers with whom the company had little or no contact, customers to whom the company could not legally sell its products, and stale sales opportunities.  The company agreed to pay a civil penalty of $11 million without admitting or denying the SEC’s findings.

At the end of September, the SEC filed a complaint against the former chief commercial officer (CCO) and former CFO of a telecommunications company for allegedly violating the antifraud provisions and other provisions of the federal securities laws.[47]  According to the Commission, the CCO, former CFO, and controller engaged in a fraudulent scheme by allegedly recognizing revenue from customers’ non-binding purchase orders, allowing the company to materially overstate its revenue.  The Commission seeks injunctive relief, disgorgement and prejudgment interest, civil penalties, and officer and director bars against the former CCO and former CFO.  The complaint also seeks to order the former CFO to reimburse the company for compensation pursuant to Section 304 of the Sarbanes-Oxley Act.  The controller settled the charges, agreeing to an officer and director bar, an accountant bar, and to be subject to future proceedings to determine any monetary relief.  In a parallel action, the U.S. Attorney’s Office for the Southern District of New York announced criminal charges against the CCO and former CFO.

In December, the SEC announced settled fraud charges against a publicly traded UAE-based energy company, the company’s former CEO, and its interim CEO, who previously served as chief strategy officer.[48]  The SEC order alleged that the NASDAQ-traded company, before and after it went public through a special-purpose acquisition transaction, from 2018 to early 2021, misstated between 30 and 80 percent of its revenues in SEC filings related to its offer and sale of up to $500 million of securities.  To this end, the company allegedly created false invoices that inflated its revenues from UAE-based oil facilities by over $70 million over three years.  The SEC also alleged that the former and interim CEOs knew, or were reckless in not knowing, of the conduct.  The company settled the charges, which alleged violations of the antifraud, proxy statement, reporting, and book-and-records provisions of the federal securities laws, and agreed not to issue the $500 million in securities and to pay a $5 million penalty without admitting or denying the SEC’s findings.  The company further announced a restatement of its audited 2018 to 2020 financial statements.  The former and interim CEOs also settled their respective charges without admitting or denying the SEC’s findings, and each agreed to a $100,000 civil penalty and a permanent officer and director bar.

Also in December, the SEC filed charges against three related companies and their CEO with engaging in a multi-year scheme causing the defendants to allegedly report materially false and misleading financial statements.[49] According to the complaint, the CEO allegedly booked billions of dollars’ worth of fictitious transactions, primarily through the Nigerian subsidiaries of his companies, and ultimately misrepresented to investors that the companies had hundreds of millions of dollars in cash balances, and used the inflated financial statements to facilitate the sale of two subsidiaries to U.S.-listed public companies at grossly inflated values.  The SEC further alleged that the CEO and defendant companies created fake bank statements, falsified general ledgers, and submitted forged and fabricated documents to their auditors to facilitate the scheme.  The complaint seeks permanent injunctions, disgorgement, civil penalties, an officer and director bar, and a clawback, pursuant to Section 304 of the Sarbanes-Oxley Act, of the CEO’s bonuses and profits obtained from the issuance of the defendant companies’ stock.

B.   Public Statements and Disclosures

In July, the SEC announced settled charges on a neither admit nor deny basis against a “smart” window manufacturer and its former CFO for allegedly failing to disclose $28 million in projected warranty-related liabilities to address a defect in the company’s product; the SEC filed a complaint against the company’s former CFO relating to the conduct.[50]  In a series of reports and statements filed with the Commission, the company included liabilities related to its costs to manufacture replacements for defective windows, but allegedly failed to include related shipping and installation costs in its accrued liabilities.  The Commission did not enforce a civil penalty against the company based in part on the company’s self-reporting, remedial measures, and cooperation; its complaint against the former CFO is pending, and seeks permanent injunctions, civil penalties, and an officer and director bar.

In September, the SEC filed settled charges against a manufacturer of hydrogen fuel cell electric vehicles, the company’s CEO, and the company’s managing director of its European subsidiary.[51]  The SEC’s order alleged that the company exaggerated the status of its dealings with potential customers and suppliers to create the appearance that vehicle sales were imminent.  The complaint further alleged that shortly before the company’s IPO via a SPAC, the company claimed to have sold its first hydrogen electric vehicle and posted a misleading video on social media that allegedly gave the misleading impression that the depicted vehicle ran on hydrogen.  The company and the officer defendants agreed to pay civil penalties of $25 million, $100,000 and $200,000, respectively, without admitting or denying the charges.

Also in September, the SEC charged six officers, directors, and major shareholders of public companies for failing to timely report information about their holdings and transactions in company stock, and against five publicly traded companies for contributing to, or failing to report, their insiders’ filing issues.[52]  The Commission used data analytics to identify the charged insiders as filing Form 4 and Schedules 13D and 13G reports late, with some filings delayed by years.  Without admitting or denying the findings, the six individuals and five public companies agreed to pay civil penalties.

In October, the SEC filed a complaint against a software company and its chief information security officer alleging fraud and internal control failures related to cybersecurity risks.[53]  The SEC alleged that the company—which was a victim of a two-year-long cyberattack and data breach—misled investors about the adequacy of its cybersecurity abilities, even though it was allegedly aware of related weaknesses and increasing risks of cyberattacks.  The SEC’s complaint seeks injunctive relief, disgorgement, and civil penalties, as well as an officer and director bar against the chief information security officer.  The complaint is notable in that it represents the first time the SEC has filed fraud charges against a chief information security officer, which is a position that does not have accounting or financial reporting responsibility.

In November, the SEC filed a complaint against former co-CEOs of a private technology services startup for violating the antifraud provisions of the federal securities laws by misleading investors about the company’s finances.[54]  The Commission alleged that the co-CEOs made material misrepresentations and falsified documents concerning the company’s cash position and historical financial performance while raising money from investors, including by creating and providing investors with falsified bank records and a fake audit report.  The co-CEOs agreed to the entry of a partial judgment imposing permanent and conduct-based injunctions and an officer and director bar, but reserving the issues of disgorgement, prejudgment interest, and a civil penalty for further determination by the court.  The U.S. Attorney’s Office for the Eastern District of California announced parallel criminal charges as well.

In December, the SEC filed a complaint charging the former CEO and co-founder of a medical device startup with defrauding investors of approximately $41 million and making false and misleading statements about one of the company’s key medical device products.[55]  The Commission alleged that the former CEO knew, or was reckless in not knowing, that one of the components of one of the company’s medical devices, which was implanted into patients’ bodies, was non-functional.  The SEC also alleged that the former CEO misrepresented to investors that the medical device had been approved by the FDA and that it was the only effective device of its kind on the market.  According to the complaint, the former CEO also made false and misleading statements to investors about the company’s historical revenues, revenue projections, and business model.  The complaint seeks permanent injunctions, disgorgement plus prejudgment interest, a civil penalty, and an officer and director bar.  The U.S. Attorney’s Office for the Southern District of New York filed criminal charges against the former CEO as well.

C.   Auditors and Accountants

In September, the SEC settled charges against a former accounting firm partner for improper professional conduct involving the firm’s quality control system for its assurance practice.[56]  Similar to the allegations underlying an earlier SEC settlement in June with the accounting firm,[57] the SEC alleged that the former partner failed to sufficiently address and remediate deficiencies in the firm’s quality control system, primarily in connection with the increase in audits of special purpose acquisition companies (SPACs) beginning in 2020, which had been identified by the firm and in inspections by the Public Company Accounting Oversight Board (PCAOB).  The former partner also allegedly failed to implement sufficient monitoring procedures to detect audit deficiencies.  Without admitting or denying the allegations, the former partner agreed to pay a civil penalty of $75,000, and to forgo holding a leadership position at a registered public accounting firm for a period of three years.

Also in September, the SEC filed an action charging an accounting firm and its professional services firm with violating the auditor independence laws and aiding and abetting their clients’ violations of the federal securities laws.[58]  The SEC’s complaint alleges that the firms improperly included indemnification provisions in engagement letters for more than 200 audits, reviews, and exams, including after the firm’s senior partners were allegedly notified that inclusion of indemnification provisions in engagement letters rendered the firm not independent.  The complaint seeks a permanent injunction, disgorgement, and a civil monetary penalty against the firms.

III.   Investment Advisers

A.   Misaligned Interests

In August, the SEC filed a settled action against a fund administrator for causing its client to violate provisions of the Advisers Act relating to a fraud against a private fund and its investors.[59]  The SEC alleged that the fund administrator, based on materially false and misleading statements from its client—an investment adviser charged separately with fraud by the SEC in 2022—sent investors account statements that materially overstated the value of their investments, which had suffered significant losses as a result of trading by the adviser.  The fund administrator agreed, without admitting or denying the SEC’s findings, to pay a penalty and disgorgement totaling more than $122,000.  The SEC considered remedial actions undertaken by the fund administrator in determining to accept its offer of settlement.  The matter is notable as a follow on investigation of a service provider to a registered investment adviser for causing the adviser’s previously settled violations.  The settlement is consistent with the SEC’s increased focus on the use of service providers by registered investment advisers, including its pending rule proposal “Outsourcing by Investment Advisers”.

In September, the SEC filed a settled action against an investment advisory firm and its owner for allegedly allocating profitable securities trades to favored accounts, including the firms’ own accounts, while allocating a disproportionate amount of unprofitable trades to disfavored clients.[60]  The SEC found that the firm and its owner received at least $2.7 million in profits from the alleged “cherry-picking” scheme and that the owner made false and misleading statements to clients and prospective clients about the firm’s trading practices.  Without admitting or denying the SEC’s findings, the firm and its owner agreed to pay more than $3 million in civil penalties and disgorgement.

Also in September, the SEC filed a settled action against an investment adviser for alleged breaches of fiduciary duty that it owed to private funds that it advised.[61]  The SEC alleged that the firm failed to consider whether a fee acceleration agreement—which enabled the investment adviser to receive accelerated monitoring fees from a portfolio company when the company was sold—was in its clients’ best interests.  The investment adviser further allegedly transferred expiring funds into a new private fund, thereby locking up investor money for 11 years without client permission, and loaned money to private funds managed by an affiliated adviser without the clients’ knowledge, and without considering the clients’ best interests.  Without admitting or denying the SEC’s findings, the investment adviser agreed to pay a civil penalty of $1.6 million.

In November, the SEC filed a complaint against an individual—serving as both the president and chief compliance officer of an investment adviser—for his involvement in an alleged multiyear fraud that concealed losses of over $350 million from investors.[62]  The SEC’s complaint alleges that the defendant misled investors through sham documents to believe that their investments were diversified, and then funneled their investments to a single sub-adviser that incurred heavy losses.  The complaint further alleges that the defendant separately caused hedge funds under his firm’s advisement to incur heavy losses resulting from highly illiquid investments.  The SEC’s complaint seeks a permanent injunction, disgorgement, civil penalties, and an officer and director bar.  The U.S. Attorney’s Office for the District of New Jersey announced parallel criminal charges.

Also in November, the SEC filed an action against a real estate investment company, its CEO, and several entities controlled by the CEO, for allegedly engaging in a scheme to misappropriate $35 million of investor funds.[63]  The SEC separately alleged that the CEO and an entity under his control attempted to manipulate, and profit from, a certain corporation’s stock by, after first buying 72,000 call options in the corporation for well under the stock price, falsely stating in a press release that they would purchase a majority stake in the corporation at a price per share well over the then-current trading price.  The SEC’s complaint seeks permanent injunctive relief, the appointment of a receiver, disgorgement, a civil penalty, and temporary restraining orders and asset freezes.

B.   Disclosure Issues

In August, the SEC announced settled charges against an investment adviser, its parent company, and their majority owner and founder, an individual, with breaching fiduciary duties by disadvantaging a client in order to obtain $20 million in rescue financing in 2019.[64]  That client, an exchange-traded fund (“ETF”) tracking an index of cannabis companies, had been funded by a broker-dealer since 2018.  The ETF’s founder and investment adviser were allegedly aware of funding options from other lenders that would been more beneficial to the ETF, but nonetheless failed to inform the ETF’s trustees about these options in order to keep the ETF’s business with its initial broker-dealer.  According to the SEC, the investment adviser had separate financing contracts with the broker-dealer and allegedly did not want to risk losing those contracts.  Without admitting or denying the SEC’s findings, the investment adviser and its parent company agreed to pay, jointly and severally, a penalty of $4 million, and the founder agreed to a $400,000 penalty, an associational bar under the Advisers Act, a prohibition under the Investment Company Act with the ability to reapply after three years, and to comply with certain undertakings.

In September, the SEC charged an alternative investment platform with failing to disclose critical information to investors in an asset-backed securities offering.[65]  The platform allegedly made multiple offerings, to a single foreign borrower, to finance loans for the deconstruction of ships, despite allegedly learning that the borrower’s collateral—certain ships—for earlier loans were either “broken up” or missing entirely.  The platform later determined that the borrower had stolen the deconstruction proceeds for several ships, leaving investors with millions of dollars in losses.  Without admitting or denying the SEC’s findings, the platform agreed to disgorgement and civil monetary penalties totaling approximately $1.9 million.

Later in September, the SEC filed a settled action against an investment adviser and its principal for disclosure and compliance violations with respect to conflicts of interest.[66]  According to the SEC, the investment adviser and its principal advised certain clients to invest in three companies in which the principal had decision-making authority and significant ownership interests.  The SEC further alleged that the investment adviser and its principal failed to disclose to clients that their investments would be temporarily used for purposes such as funding the adviser’s payroll and to repay loans owed to the principal or to other affiliated companies.  Without admitting or denying the SEC’s findings, the investment adviser and its principal agreed to pay, jointly and severally, a civil penalty of $250,000.  The SEC considered remedial actions undertaken by the adviser and its principal, including promptly repaying certain debts totaling $1.65 million, in determining to accept its offer of settlement.

Also in late September, the SEC filed settled charges against an investment adviser related to undisclosed conflicts of interest involving a cash sweep program—through which one of the adviser’s affiliated custodians transferred clients’ uninvested cash into interest-earning accounts—and receipt of revenue-sharing payments from third-party custodians.[67]  According to the SEC, from at least September 2016 to January 2021, the adviser did not inform clients that it helped set the fee that its affiliate custodian received for operating the cash sweep program, which reduced the amount of interest paid to those clients.  Additionally, from at least January 2016 through August 2019, the adviser allegedly received custodial support payments from some third-party custodians based on assets held in certain funds, but failed to disclose that there were more favorable options available for use by clients that would not have resulted in payments to the adviser.  Without admitting or denying the SEC’s findings, the adviser agreed to pay a civil penalty and disgorgement totaling over $18 million.

In October, the SEC filed settled charges against an investment adviser relating to its description of investments that composed a significant portion of a publicly traded fund it advised.[68]  The SEC’s order alleged that the adviser inaccurately described a company in which it made significant investments in multiple, publicly available reports filed with the SEC, and that the adviser allegedly stated that the company paid a higher interest rate than was actually the case.  Without admitting or denying the SEC’s findings, the adviser agreed to pay a $2.5 million penalty.  In determining to accept the adviser’s offer of settlement, the SEC considered cooperative and remedial actions undertaken by the adviser, including voluntarily covering losses associated with the investment and revising its disclosures promptly after discovering the errors and before the SEC began its investigation.

C.   Anti-Money Laundering and ESG

In September, the SEC filed two settled actions against an investment adviser for allegedly failing to develop an Anti-Money Laundering (“AML”) program for its mutual funds, and by making materially misleading misstatements about its Environmental, Social, and Governance (“ESG”) process.[69]  Regarding the alleged AML program deficiency, the SEC alleged that the investment adviser failed to establish and implement AML policies specific to its mutual funds’ business, to design reasonable transaction-monitoring policies to detect money laundering activities, and to conduct AML training specific to its mutual funds.  In the second action, the SEC alleged that the investment adviser failed to implement certain research requirements as part of its global ESG Integration Policy from August 2018 until late 2021, contrary to what it allegedly led investors to believe through certain public statements.  Without admitting or denying the SEC’s findings, the firm agreed to pay civil penalties totaling over $25 million to resolve the AML and ESG actions.  In determining to accept the investment adviser’s settlement offer, the SEC considered the adviser’s cooperation throughout the investigation, including its provision of detailed factual summaries and substantive presentations to the Commission.

D.   Miscellaneous Advisory Issues:  Fees, Custody Rule, and Marketing Rule

In August, the SEC filed a settled action against two investment advisers for allegedly overcharging investment advisory accounts more than $26.8 million in advisory fees from at least 2002 through December 2022.[70]  According to the SEC, the advisers failed to enter agreed-upon reduced advisory rates into their billing systems and failed to adopt and implement written compliance policies and procedures reasonably designed to prevent overbilling.  The advisers paid affected accountholders approximately $40 million, including interest, to reimburse them for the overcharged fees and agreed, without admitting or denying the SEC charges, to pay a $35 million civil penalty.

In September, the SEC filed settled actions against nine investment advisers for allegedly advertising hypothetical performance to the general public on their websites without timely adopting or implementing related policies and procedures designed to ensure that the advertised hypothetical performance was relevant to investors’ objectives and financial situations.[71]  The SEC additionally alleged that two of the advisers failed to maintain required copies of their advertisements.  Without admitting or denying the SEC’s findings, each of the charged firms agreed to pay civil penalties ranging from $50,000 to $175,000.

Also in September, the SEC filed settled actions against five investment advisers for allegedly failing to comply with requirements related to the safekeeping of client assets.[72]  The SEC charged three of the advisers with also failing to timely update SEC disclosures regarding audits of their private fund clients’ financial statements.  The SEC alleged that each of the advisers failed to have audits performed, deliver audited financials to investors in a timely manner, ensure a qualified custodian maintained client assets, promptly file amended Forms ADV to reflect they had received audited financial statements, and/or properly describe the status of its financial statement audits for multiple years when filing its Form ADV.  Without admitting or denying the findings, the advisers agreed to pay civil penalties ranging from $50,000 to $225,000.

IV.   Broker-Dealers

A.   Trading Issues

In July, the SEC filed an action against a U.S. Army financial counselor for defrauding, among others, the survivors and loved ones of U.S. military service members who died during active duty service.[73]  According to the SEC, the financial counselor directed the survivors and loved ones to transfer their benefits into brokerage accounts he managed outside of his official duties with the U.S. Army and, in connection with the brokerage accounts, incurred commissions and losses, both realized and unrealized, of more than $5 million from November 2017 through January 2023.  The SEC alleges that the financial counselor engaged in unauthorized trading and recommended excessive trades and higher risk strategies that did not match customers’ investment profiles.  The SEC’s complaint alleges violations of the anti-fraud provisions of the federal securities laws and Regulation Best Interest, and seeks permanent injunctions, disgorgement, and civil penalties.

B.   Recordkeeping and Filing Issues

In July, the SEC filed settled charges against a broker-dealer for allegedly failing to file Suspicious Activity reports (SARs) from 2009 to 2019.[74]  During the relevant period, with respect to suspicious activity where no suspect was identified, the broker-dealer allegedly only reported such activity for transactions of $25,000 or greater—which is the proper reporting threshold for national banks, but not for broker-dealers, which must report all suspicious activity at or above the $5,000 threshold regardless of whether a suspect has been identified—and as a result allegedly failed to file hundreds of required SARs.  Without admitting or denying the SEC’s findings, the firm agreed to pay a $6 million penalty.  The SEC considered the firm’s cooperation and immediate remedial actions, which included updates to policies, procedures, and automated surveillance systems, when agreeing to the settlement.

In addition to the swath of off-channel communications recordkeeping cases discussed in Section I, supra, in August, the SEC filed settled charges against a broker-dealer firm for allegedly violating recordkeeping requirements in connection with firm expenses related to its underwriting business.[75]  According to the SEC’s order, from at least 2009 to May 2019, the broker-dealer failed to review or verify the method it used to calculate and record indirect underwriting expenses associated with its work as an underwriter.  Without admitting or denying the SEC’s findings, the broker-dealer agreed to pay a civil penalty of $2.9 million.

Also in August, the SEC filed settled charges against a broker-dealer for allegedly failing to establish an anti-money laundering surveillance program with respect to certain transactions until September 2020, and as a result allegedly failing to file at least 461 SARs associated with microcap and penny stock security trades.[76]  Without admitting or denying the alleged facts, the broker-dealer agreed to pay a $1.5 million penalty.

Also in September, the SEC filed settled charges against a broker-dealer for alleged violations of Rule 200(g) of Regulation SHO.[77]  According to the SEC’s order, the broker-dealer, as a result of a coding error in the firm’s automatic trading system, incorrectly marked millions of orders for a period of five years, denoting that some short sales were long sales and vice versa, which resulted in the provision of inaccurate data to regulators.  Without admitting or denying the findings, the broker-dealer agreed to pay a $7 million penalty, remediate the coding error, and review the firm’s programming and coding logic involved in processing transactions.

C.   Information Barriers and MNPI

In September, the SEC filed a complaint against a broker-dealer for allegedly making false and misleading statements and omissions regarding information barriers that impacted the use of customer information.[78]  According to the complaint, the broker-dealer and its affiliates operated two distinct types of businesses, “customer-facing trade execution services” that generated materially non-public information (MNPI) regarding trade orders and executions, and “proprietary trading operations” intended to prevent the misuse of MNPI.  The SEC’s complaint alleges that although the broker-dealer purported to maintain information barriers, the firm allegedly failed to safeguard a database containing all post-trade information generated from customer orders, including customer-identifying information and other material non-public information, from around January 2018 to April 2019.  The SEC further alleges that the broker-dealer misled customers about the adequacy of the information barriers, and overstated the controls and processes it had in place to secure institutional customers’ post-execution trade data.  The SEC is seeking disgorgement and civil penalties.

V.   Cryptocurrency and Other Digital Assets

A.   Cryptocurrency Platforms and Networks

In August, the SEC announced a settled action against a crypto asset trading platform and its co-founder and former CEO based on allegations that they operated an unregistered national securities exchange, broker, and clearing agency.[79]  According to the SEC’s order, the company—which allegedly provided services to U.S. investors in connection with crypto assets that were offered and sold as securities—and its co-founder and former CEO directed issuers of crypto assets made available on the platform to delete problematic statements that might lead to scrutiny from regulators.  Without admitting or denying the SEC’s allegations, the defendants agreed to disgorgement and a civil penalty totaling approximately $24 million.  The platform’s foreign affiliate also agreed to settle charges that it failed to register as a national securities exchange.

In November, the SEC filed a complaint against a cryptocurrency trading platform—which had already agreed in February 2023 to pay $30 million in disgorgement and civil penalties to settle an SEC action involving an alleged failure to register a cryptocurrency asset—for operating as an unregistered securities exchange, broker, dealer, and clearing agency.[80]  According to the complaint, since at least September 2018, the cryptocurrency trading platform has made hundreds of millions of dollars by facilitating the buying and selling of cryptocurrency asset securities.  The complaint also alleges that the cryptocurrency trading platform’s business practices, internal controls, and recordkeeping practices, including the alleged comingling of customer money and cryptocurrency assets with its own, posed risks to customers and deprived investors of required protections.  The litigation is ongoing and the SEC seeks disgorgement and penalties.

In January 2024, the SEC moved to drop charges that it initially brought against a cryptocurrency company and individual defendants based on what the SEC alleged was a fraudulent scheme to sell cryptocurrency asset securities to U.S. investors.[81]  The SEC brought its initial charges against the defendants in 2023, and had also obtained a temporary asset freeze, restraining order, and other emergency relief against them.  However, several months later, the defendants moved for sanctions against the SEC, arguing that Commission counsel presented false and misleading evidence when pursuing its restraining order, which defendants further argued had severely disrupted their business.  The court issued the SEC a show cause order, but the SEC moved for dismissal, asking the court to decline sanctions and to do nothing more than dismiss the initial charges without prejudice.

B.   Non-Fungible Tokens (“NFTs”) and Other Products

In August, the SEC charged a media and entertainment company with conducting an unregistered offering of crypto asset securities in the form of purported non-fungible tokens (NFTs) from October to December 2021.[82]  According to the SEC’s order, the company encouraged investors to view the NFTs as an investment into the business, and emphasized that investors would profit and receive tremendous value if the business was successful.  The SEC’s order alleged that the NFTs were investment contracts and therefore allegedly qualified as securities that were not exempt from registration.  Without admitting or denying the SEC’s findings, the media and entertainment company agreed to pay disgorgement and a civil penalty totaling over $5.5 million.  The company further agreed to destroy all NFTs in its possession or control, publish notice of the order on its websites and social media channels, and eliminate any royalties it might receive from future secondary market transactions.  In determining to accept the company’s settlement offer, the Commission considered remedial actions through which the company repurchased approximately $7.7 million worth of NFTs from investors.

In September, the SEC settled charges against a fintech company that provides cryptocurrency asset-related financial products and services for failing to register the offers and sales of its retail cryptocurrency lending product.[83]  According to the SEC’s order, from March 2020 to March 2022, the company allowed U.S. investors to tender U.S. dollars in exchange for a promise to pay interest, and the company converted this cash into cryptocurrency assets, pooled the cryptocurrency assets, and controlled how the assets were used to generate income, which purportedly qualified as the offer and sale of securities that were not exempt from registration.  The SEC did not impose civil penalties due to the company’s cooperation and prompt remedial actions, including its voluntary decision to cease offering accounts to new investors and asking existing investors to withdraw funds shortly after the SEC announced charges against a similar cryptocurrency asset investment product.

Also in September, the SEC charged a company with conducting an unregistered offering of cryptocurrency asset securities in the form of purported NFTs.[84]  According to the order, the company offered and sold cryptocurrency asset securities to the public in an unregistered offering that was not exempt from registration, violating Sections 5(a) and 5(c) of the Securities Act.  Without admitting or denying the allegations, the company agreed to pay a civil penalty of $1 million as well as to publish notice of the settlement on its website and social media channels and destroy all NFTs in its possession.

VI.   Insider Trading

In July, the SEC filed a complaint charging a multi-billionaire investor with allegedly obtaining material nonpublic information regarding portfolio companies of a biotechnology investment fund where he was the principal investor, and then allegedly tipping that information to his then-girlfriend and two of his private pilots.[85]  The SEC also brought charges against the three individuals who allegedly traded on the information and reaped over $545,000 in combined profits.  The SEC alleges that the investor informed his girlfriend, along with the two pilots, about clinical trial results regarding a separate company, and that he provided this information to his two pilots “as a substitute for a formal retirement plan” and loaned them each $500,000 to execute the trades.  The three individuals soon thereafter allegedly traded on this material nonpublic information and allegedly profited more than $373,000 in total.  The SEC’s complaint remains pending in the Southern District of New York; the investor recently pled guilty to parallel criminal charges.[86]

In August, the SEC filed a second round of insider-trading charges against a former broker who had settled separate insider trading charges last year regarding a data-analytics company’s prospective acquisition.[87]  The latest indictment, filed in the Southern District of New York, alleged that the defendant used two Cayman Islands-based entities to purchase 23,000 shares of the data-analytics company’s stock prior to its acquisition announcement, which ultimately resulted in almost $400,000 in ill-gotten profits.  The former broker, without admitting or denying the allegations, agreed to pay an approximately $1.2 million civil penalty to settle the charges, and the two offshore entities, which were named as relief defendants, agreed to disgorgement.

In September, the SEC filed a complaint charging three siblings with illegal trading based on inside information about an equipment rental company’s offer to acquire a storage company.[88]  According to the SEC’s complaint filed in the Central District of California, one brother learned about the acquisition as an accounting manager for the storage company.  He then allegedly bought shares of the storage company and encouraged his brother and sister to do the same, and the three siblings realized combined profits of $650,000.  The brother who created the scheme, without admitting or denying the allegations, agreed to a to-be-determined civil penalty, disgorgement, and a five-year officer and director bar.  The U.S. Attorney’s Office for the Central District of California also announced securities fraud charges against that brother.  The remaining siblings consented to paying monetary fines and disgorgement totaling over $340,000, and the second brother agreed to a five-year officer and director bar.

Also in September, the SEC filed an action against a former analyst for a major investment firm and an international investment bank, as well as three others, charging insider trading.[89]  The SEC’s complaint alleges that the analyst used his work at the two financial institutions to learn about merger and acquisition transactions as well as strategic partnerships prior to their public announcements, and tipped material nonpublic information about at least six of these transactions to his childhood friend in exchange for a share of what ended up being $322,000 of illegal profits.  The analyst also allegedly tipped four of the transactions to one of his college friends, resulting in $113,000 in profits, and that friend then tipped information about at least two transactions to another college friend, resulting in $25,000 in profits.  The U.S. Attorney’s Office for the Southern District of New York announced parallel criminal charges. Both investigations are ongoing.

Looking ahead, enforcement of insider trading may increase in 2024 depending on how the Commission’s “shadow trading” theory—reflecting the use of inside information in one company to buy stocks in a different company with potential to be impacted by the information—fares at trial in the case of SEC v. Panuwat, Case Number 3:21-cv-06322, currently scheduled to begin in March 2024 in the U.S. District Court for the Northern District of California.

[1] SEC Press Release, SEC Announces Enforcement Results for Fiscal Year 2023 (Nov. 14, 2023), available at https://www.sec.gov/news/press-release/2023-234.

[2] Id.

[3] Id.

[4] Compare Addendum to SEC Press Release, SEC Announces Enforcement Results for Fiscal Year 2023 (Nov. 14, 2023), available at https://www.sec.gov/news/press-release/2023-234, with Addendum to SEC Press Release, SEC Announces Enforcement Results for Fiscal Year 2022 (Nov. 15, 2022), available at https://www.sec.gov/news/press-release/2022-206.

[5] Id.

[6] Id.

[7] SEC Press Release, SEC Charges LA-Based Media and Entertainment Co. Impact Theory for Unregistered Offering of NFTs (Aug. 28, 2003), available at https://www.sec.gov/news/press-release/2023-163; SEC Press Release, SEC Charges Creator of Stoner Cats Web Series for Unregistered Offering of NFTs (Sept. 13, 2023), available at https://www.sec.gov/news/press-release/2023-178.

[8] SEC Press Release, SEC Charges Coinbase for Operating as an Unregistered Securities Exchange, Broker, and Clearing Agency (June 6, 2023), available at https://www.sec.gov/news/press-release/2023-102; SEC Press Release, SEC Files 13 Charges Against Binance Entities and Founder Changpeng Zhao (June 5, 2023), available at https://www.sec.gov/news/press-release/2023-101.

[9] SEC Press Release, SEC Charges Kraken for Operating as an Unregistered Securities Exchange, Broker, Dealer, and Clearing Agency (Nov. 20, 2023), available at https://www.sec.gov/news/press-release/2023-237.

[10] See, e.g., SEC Press Release, SEC Charges Crypto Trading Platform Beaxy and its Executives for Operating an Unregistered Exchange, Broker, and Clearing Agency (Mar. 29, 2023), available at https://www.sec.gov/news/press-release/2023-64; SEC Press Release, SEC Charges Crypto Asset Trading Platform Bittrex and its Former CEO for Operating an Unregistered Exchange, Broker, and Clearing Agency (Apr. 17, 2023), available at https://www.sec.gov/news/press-release/2023-78;  SEC Press Release, SEC Charges Crypto Entrepreneur Justin Sun and His Companies for Fraud and Other Securities Law Violations (Mar. 22, 2023), available at https://www.sec.gov/news/press-release/2023-59.

[11] SEC Press Release, SEC Announces Enforcement Results for Fiscal Year 2023 (Nov. 14, 2023), available at https://www.sec.gov/news/press-release/2023-234.

[12] SEC Statement, Statement on the Denial of a Rulemaking Petition Submitted on behalf of Coinbase Global Inc. (Dec. 15, 2023), available at https://www.sec.gov/news/statement/gensler-coinbase-petition-121523; see also SEC v. W.J. Howey Co., 328 U.S. 293 (1946).

[13] SEC Statement, Statement on the Denial of a Rulemaking Petition Submitted on behalf of Coinbase Global Inc. (Dec. 15, 2023), available at https://www.sec.gov/news/statement/gensler-coinbase-petition-121523.

[14] SEC Statement, Statement Regarding Denial for Petition for Rulemaking (Dec. 15, 2023), available at https://www.sec.gov/news/statement/peirce-uyeda-petition-121523.

[15] Jonathan Stempel, US SEC Cannot Appeal Ripple Labs Decision, Judge Rules, Reuters (Oct. 4, 2023), https://www.reuters.com/legal/us-sec-cannot-appeal-ripple-labs-decision-judge-rules-2023-10-04/.

[16] Jody Godoy, US SEC Drops Claims Against Two Ripple Labs Executives, Reuters (Oct. 19, 2023), https://www.reuters.com/markets/us/sec-dropping-claims-against-ripple-executives-court-filing-2023-10-19/.

[17] Sec. and Exch. Comm’n. v. Ripple Labs Inc., No. 1:20-cv-10832 (S.D.N.Y.).

[18] SEC Press Release, Activision Blizzard to Pay $35 Million for Failing to Maintain Disclosure Controls Related to Complaints of Workplace Misconduct and Violating Whistleblower Protection Rule (Feb. 3, 2023), available at https://www.sec.gov/news/press-release/2023-22.

[19] SEC Press Release, Charter Communications to Pay $25 Million Penalty for Stock Buyback Controls Violations (Nov. 14, 2023), available at https://www.sec.gov/news/press-release/2023-235.

[20] SEC Statement, The SEC’s Swiss Army Statute:  Statement on Charter Communications, Inc. (Nov. 14, 2023), available at https://www.sec.gov/news/statement/peirce-uyeda-statement-charter-communications-111423#_ftn6.

[21] SEC Press Release, SEC Charges Andeavor for Inadequate Controls Around Authorization of Stock Buyback Plan (Oct. 15, 2020), available at https://www.sec.gov/news/press-release/2020-258.

[22] SEC Statement, The SEC Levels Up: Statement on In re Activision Blizzard (Feb. 3, 2023), available at https://www.sec.gov/news/statement/peirce-statement-activision-blizzard-020323.

[23] SEC Speech, “They Are Merely the Agents”:  Prepared Remarks before the American Bar Association (Dec. 7, 2023), available at https://www.sec.gov/news/speech/gensler-prepared-remarks-american-bar-association-231207.

[24] Id.

[25] SEC Press Release, SEC Announces Enforcement Results for Fiscal Year 2023 (Nov. 14, 2023), available at https://www.sec.gov/news/press-release/2023-234.

[26] SEC Press Release, SEC Charges 10 Firms with Widespread Recordkeeping Failures (Sept. 29, 2023), available at https://www.sec.gov/news/press-release/2023-212; SEC Press Release, SEC Charges 11 Wall Street Firms with Widespread Recordkeeping Failures (Aug. 8, 2023), available at https://www.sec.gov/news/press-release/2023-149.

[27] SEC Press Release, SEC Charges Two Credit Rating Agencies, DBRS and KBRA, with Longstanding Recordkeeping Failures (Sept. 29, 2023), available at https://www.sec.gov/news/press-release/2023-211.

[28] SEC Press Release, SEC Announces Enforcement Results for Fiscal Year 2023 (Nov. 14, 2023), available at https://www.sec.gov/news/press-release/2023-234.

[29] SEC Press Release, SEC Awards Whistleblower More Than $104 Million to Seven Whistleblowers (Aug. 4, 2023), available at https://www.sec.gov/news/press-release/2023-147.

[30] SEC Press Release, SEC Awards Whistleblower More Than $18 Million (Aug. 25, 2023), available at https://www.sec.gov/news/press-release/2023-161.

[31] SEC Press Release, SEC Awards More Than $28 Million to Seven Whistleblowers (Dec. 22, 2023), available at https://www.sec.gov/news/press-release/2023-257.

[32] SEC Press Release, J.P. Morgan to Pay $18 Million for Violating Whistleblower Protection Rule (Jan. 16, 2024), available at https://www.sec.gov/news/press-release/2024-7.

[33] SEC Press Release, SEC Charges D. E. Shaw with Violating Whistleblower Protection Rule (Sept. 29, 2023), available at https://www.sec.gov/news/press-release/2023-213.

[34] SEC Press Release, SEC Charges Privately Held Monolith Resources for Using Separation Agreements that Violated Whistleblower Protection Rules (Sept. 8, 2023), available at https://www.sec.gov/news/press-release/2023-172.

[35] SEC Speech, Remarks at New York City Bar Association Compliance Institute (Oct. 24, 2023), available at https://www.sec.gov/news/speech/grewal-remarks-nyc-bar-association-compliance-institute-102423.

[36] Id.

[37] SEC Press Release, Dean C. Metry Named Chief Administrative Law Judge at SEC (Dec. 22, 2023), available at https://www.sec.gov/news/press-release/2023-259.

[38] SEC Press Release, SEC Appoints George Botic to the Public Company Accounting Oversight Board (Sept. 27, 2023), available at https://www.sec.gov/news/press-release/2023-202.

[39] SEC Press Release, SEC Names Natasha Vij Greiner and Keith E. Cassidy Interim Acting Co-Directors of the Division of Examinations (July 25, 2023), available at https://www.sec.gov/news/press-release/2023-137.

[40] SEC Press Release, SEC Names Stephanie Allen as Director of Media Relations and Speechwriting (Oct. 4, 2023), available at https://www.sec.gov/news/press-release/2023-218.

[41] SEC Press Release, SEC Names Kate E. Zoladz as Regional Director of Los Angeles Office, available at https://www.sec.gov/news/press-release/2023-241.

[42] SEC Press Release, Daniel R. Gregus, Director of the Chicago Regional Office, to Depart the SEC (Dec. 7, 2023), available at https://www.sec.gov/news/press-release/2023-246.

[43] SEC Press Release, SEC Charges Lyft with Failure to Disclose Board Member’s Financial Interest in Private Shareholder’s Pre-IPO Stock Transaction (Sept. 18, 2023), available at https://www.sec.gov/news/press-release/2023-182.

[44] SEC Press Release, SEC Charges GTT Communications for Disclosure Failures (Sept. 25, 2023), available at https://www.sec.gov/news/press-release/2023-195.

[45] SEC Press Release, SEC Charges Newell Brands and Former CEO for Misleading Investors About Sales Performance (Sept. 29, 2023), available at https://www.sec.gov/news/press-release/2023-210.

[46] SEC Press Release, SEC Charges Electric Vehicle Co. for Misleading Revenue Projections Ahead of SPAC Merger (Sept. 28, 2023), available at https://www.sec.gov/news/press-release/2023-208.

[47] SEC Press Release, SEC Charges Former Pareteum Executives with Accounting and Disclosure Fraud (Sept. 28, 2023), available at https://www.sec.gov/news/press-release/2023-205.

[48] SEC Press Release, SEC Charges UAE-Based Brooge Energy and Former Executives with Fraud (Dec. 22, 2023), available at https://www.sec.gov/news/press-release/2023-256.

[49] SEC Press Release, SEC Charges Tingo Mobile Founder, Three Companies with Massive Fraud and Obtains Emergency Relief (Dec. 19, 2023), available at https://www.sec.gov/news/press-release/2023-254.

[50] SEC Press Release, SEC Charges “Smart” Window Manufacturer, View Inc., with Failing to Disclose $28 Million Liability (July 3, 2023), available at https://www.sec.gov/news/press-release/2023-126.

[51] SEC Press Release, SEC Charges Hydrogen Vehicle Co. Hyzon Motors and Two Former Executives for Misleading Investors (Sept. 26, 2023), available at https://www.sec.gov/news/press-release/2023-200.

[52] SEC Press Release, SEC Charges Corporate Insiders for Failing to Timely Report Transactions and Holdings (Sept. 27, 2023), available at https://www.sec.gov/news/press-release/2023-201.

[53] SEC Press Release, SEC Charges SolarWinds and Chief Information Security Officer with Fraud, Internal Control Failures (Oct. 30, 2023), available at https://www.sec.gov/news/press-release/2023-227.

[54] SEC Press Release, SEC Charges Former Co-CEOs of Tech Start-Up Bitwise Industries for Falsifying Documents While Raising $70 Million From Investors (Nov. 9, 2023), available at https://www.sec.gov/news/press-release/2023-233.

[55] SEC Press Release, SEC Charges Former CEO of Medical Device Startup Stimwave with $41 Million Fraud (Dec. 19, 2023), available at https://www.sec.gov/news/press-release/2023-255.

[56] SEC Press Release, SEC Charges National Office Partner at Marcum for Causing Widespread Quality Control Deficiencies (Sept. 12, 2023), available at https://www.sec.gov/news/press-release/2023-174.

[57] SEC Press Release, SEC Charges Audit Firm Marcum LLP for Widespread Quality Control Deficiencies (June 21, 2023), available at https://www.sec.gov/news/press-release/2023-114.

[58] SEC Press Release, SEC Charges International Accounting Firm Prager Metis with Hundreds of Auditor Independence Violations (Sept. 29, 2023), available at https://www.sec.gov/news/press-release/2023-214.  

[59] SEC Press Release, Fund Administrator Charged For Missing Red Flags (Aug. 7, 2023), available at https://www.sec.gov/news/press-release/2023-148.

[60] SEC Press Release, SEC Charges Connecticut Advisory Firm GlennCap and its Owner with Cherry-Picking (Sept. 14, 2023), available at https://www.sec.gov/news/press-release/2023-180.

[61] SEC Press Release, SEC Charges Private Equity Fund Adviser American Infrastructure Funds for Breaching Its Duties (Sept. 22, 2023), available at https://www.sec.gov/news/press-release/2023-193.

[62] SEC Press Release, SEC Charges President/CCO of Prophecy Asset Management Advisory Firm with Multi-Year Fraud (Nov. 2, 2023), available at https://www.sec.gov/news/press-release/2023-231.

[63] SEC Press Release, SEC Charges Phoenix-Area Real Estate Fund Adviser Jonathan Larmore with $35 Million Fraud (Nov. 29, 2023), available at https://www.sec.gov/news/press-release/2023-242.

[64] SEC Press Release, SEC Charges New Jersey-Based ETF Manager for Fraudulent Conduct and Bars Founder (Aug. 1, 2023), available at https://www.sec.gov/news/press-release/2023-144.

[65] SEC Press Release, SEC Charges Alternative Investment Platform YieldStreet for Misleading Investors (Sept. 12, 2023), available at https://www.sec.gov/news/press-release/2023-175.

[66] SEC Press Release, SEC Charges Advisory Firm Bruderman Asset Management and its Principal for Failing to Disclose Misuse of Investment Funds (Sept. 26, 2023), available at https://www.sec.gov/news/press-release/2023-197.

[67] SEC Press Release, SEC Charges California Advisory Firm AssetMark for Failing to Disclose Multiple Financial Conflicts (Sept. 26, 2023), available at https://www.sec.gov/news/press-release/2023-199.

[68] SEC Press Release available at https://www.sec.gov/news/press-release/2023-226.

[69] SEC Press Release, Deutsche Bank Subsidiary DWS to Pay $25 Million for Anti-Money Laundering Violations and Misstatements Regarding ESG Investments (Sept. 25, 2023), available at https://www.sec.gov/news/press-release/2023-194.

[70] SEC Press Release, Wells Fargo Settles with SEC for Charging Excessive Advisory Fees (Aug. 25, 2023), available at https://www.sec.gov/news/press-release/2023-159.

[71] SEC Press Release, SEC Sweep into Marketing Rule Violations Results in Charges Against Nine Investment Advisers (Sept. 11, 2023), available at https://www.sec.gov/news/press-release/2023-173.

[72] SEC Press Release, SEC Charges Five Advisory Firms for Custody Rule Violations (Sept. 5, 2023), available at https://www.sec.gov/news/press-release/2023-168.

[73] SEC Press Release, SEC Charges Former Army Financial Counselor Who Defrauded Gold Star Family Members (July 7, 2023), available at https://www.sec.gov/news/press-release/2023-127.

[74] SEC Press Release, SEC Charges Merrill Lynch and Parent Company for Failing to File Suspicious Activity Reports (July 11, 2023), available at https://www.sec.gov/news/press-release/2023-128; Merrill Lynch, Exchange Act Release No. 97872, (July 11, 2023), https://www.sec.gov/files/litigation/admin/2023/34-97872.pdf.

[75] SEC Press Release, SEC Charges Citigroup Global Markets Inc. With Recordkeeping Failures concerning Underwriting Expenses, available at https://www.sec.gov/news/press-release/2023-165 (Aug. 29, 2023); Citigroup Global Markets Inc., Exchange Act Release No. 98238 (Aug. 29 2023),  https://www.sec.gov/files/litigation/admin/2023/34-98238.pdf.

[76] SEC Press Release, SEC Charges Archipelago Trading Services with Failing to File Suspicious Activity Reports  (Aug. 29, 2023), available at https://www.sec.gov/news/press-release/2023-164; Archipelago Trading Services, Inc., Exchange Act No. 98234 (Aug. 29, 2023), https://www.sec.gov/files/litigation/admin/2023/34-98234.pdf.

[77] SEC Press Release, SEC Charges Citadel Securities for Violating Order Marking Requirements of Short Sale Regulations (Sept. 22, 2023), available at https://www.sec.gov/news/press-release/2023-192; Citadel Securities LLC, Exchange Act Release No. 98482 (Sept. 22, 2023), https://www.sec.gov/files/litigation/admin/2023/34-98482.pdf.

[78] SEC Press Release, SEC Charges Virtu for False and Misleading Disclosures Relating to Information Barriers (Sept. 12, 2023), available at https://www.sec.gov/news/press-release/2023-176; Complaint, SEC v. Virtu, No. 1:23-cv-8072 (S.D.N.Y., Sept. 12, 2023), https://www.sec.gov/files/litigation/complaints/2023/comp-pr2023-176.pdf.

[79] SEC Press Release, Crypto Asset Trading Platform Bittrex and Former CEO to Settle SEC Charges for Operating an Unregistered Exchange, Broker, and Clearing Agency (Aug. 10, 2023), available at https://www.sec.gov/news/press-release/2023-150.

[80] SEC Press Release, Kraken to Discontinue Unregistered Offer and Sale of Crypto Asset Staking-As-A-Service Program and Pay $30 Million to Settle SEC Charges (Feb. 9, 2023), available at https://www.sec.gov/news/press-release/2023-25; SEC Press Release, SEC Charges Kraken for Operating as an Unregistered Securities Exchange, Broker, Dealer, and Clearing Agency (Nov. 20, 2023), available at https://www.sec.gov/news/press-release/2023-237.

[81] Casey Wagner, SEC moves to drop DEBT Box case, for now, after sanctions threats, Blockworks Inc. (Jan. 30, 2024), available at https://blockworks.co/news/sec-sanctions-debt-box; Motion to Dismiss, Sec. and Exch. Comm’n.  v. Digital Licensing Inc., (d/b/a “DEBT Box”), et al., Case No. 2:23-cv-00482-RJS (Jan. 31, 2024).

[82] SEC Press Release, SEC Charges LA-Based Media and Entertainment Co. Impact Theory for Unregistered Offering of NFTs (Aug. 28, 2023), available at https://www.sec.gov/news/press-release/2023-163.

[83] SEC Press Release, Linus Financial Agrees to Settle SEC Charges of Unregistered Offer and Sale of Securities (Sept. 7, 2023), available at https://www.sec.gov/news/press-release/2023-171.

[84] SEC Press Release, SEC Charges Creator of Stoner Cats Web Series for Unregistered Offering of NFTs (Sept. 13, 2023), available at https://www.sec.gov/news/press-release/2023-178.

[85] SEC Press Release, SEC Charges Investor Joseph C. Lewis and Associates with Insider Trading (July 26, 2023), available at https://www.sec.gov/news/press-release/2023-138.

[86]  Corinne Ramey, British Billionaire Joe Lewis Pleads Guilty to U.S. Insider Trading, Wall Street Journal (Jan. 24, 2024), https://www.wsj.com/finance/investing/british-billionaire-joe-lewis-pleads-guilty-to-insider-trading-9a8c6475.

[87] SEC Press Release, SEC Charges Florida Investment Adviser a Second Time for Insider Trading (Aug. 2, 2023), available at https://www.sec.gov/news/press-release/2023-145.

[88] SEC Press Release, SEC Charges Three Southern California Siblings with Insider Trading (Sept. 27, 2023), available at https://www.sec.gov/news/press-release/2023-203.

[89] SEC Press Release, SEC Charges Former Financial Industry Analyst and Three Others with Insider Trading (Sept. 28, 2023), available at https://www.sec.gov/news/press-release/2023-204.


The following Gibson Dunn lawyers assisted in preparing this update: Mark Schonfeld, David Woodcock, Tina Samanta, Lauren Jackson, Timothy Zimmerman, Michael Ulmer, Monica Woolley, Priya Datta, Ina Kosova, Nicholas Whetstone, Hayden McGovern, Ming Lee Newcomb, Lauren Hernandez*, and Jerelyn Luther*.

Gibson Dunn lawyers are available to assist in addressing any questions you may have about these developments. Please contact the Gibson Dunn lawyer with whom you usually work, any leader or member of the firm’s Securities Enforcement practice group, or the following authors:

Mark K. Schonfeld – Co-Chair, New York (+1 212.351.2433, [email protected])
David Woodcock – Co-Chair, Dallas (+1 214.698.3211, [email protected])
Tina Samanta – New York (+1 212.351.2469, [email protected])
Lauren Cook Jackson – Washington, D.C. (+1 202.955.8293, [email protected])
Timothy M. Zimmerman – Denver (+1 303.298.5721, [email protected])

*Lauren Hernandez and Jerelyn Luther are recent law graduates in the Denver and New York offices respectively and not admitted to practice law.

© 2024 Gibson, Dunn & Crutcher LLP.  All rights reserved.  For contact and other information, please visit us at www.gibsondunn.com.

Attorney Advertising: These materials were prepared for general informational purposes only based on information available at the time of publication and are not intended as, do not constitute, and should not be relied upon as, legal advice or a legal opinion on any specific facts or circumstances. Gibson Dunn (and its affiliates, attorneys, and employees) shall not have any liability in connection with any use of these materials.  The sharing of these materials does not establish an attorney-client relationship with the recipient and should not be relied upon as an alternative for advice from qualified counsel.  Please note that facts and circumstances may vary, and prior results do not guarantee a similar outcome.

Our 2023 Annual Report celebrates our successes throughout the year. We are proud to share a sampling of the fantastic results we achieved for our clients, an overview of awards and accolades we received, and a selection of our remarkable DEI and pro bono efforts. You can read the 2023 Annual Report here.

This is a landmark decision under Delaware law that raises important considerations for Boards and independent directors when deciding upon significant compensation awards.

In a 200-page decision following a five-day trial, Chancellor Kathaleen McCormick of the Delaware Court of Chancery ruled in favor of Tesla stockholders who had brought a derivative lawsuit challenging the multiyear compensation arrangement awarded to Tesla CEO Elon Musk.[1]  The plaintiff-stockholders alleged that Tesla’s directors breached their fiduciary duties by awarding Musk performance-based stock options in January 2018 with a potential $55.8 billion maximum value and a $2.6 billion grant date fair value (the “Grant”). The Court found that the defendants—Musk, Tesla, Inc. and six individual directors—failed to meet their burden to prove that the Grant was “entirely fair,” the standard under Delaware law that the Court applied in light of the Court’s determination that Musk held controlling stockholder status with respect to the Grant.  As a remedy, the Court ordered the complete rescission of the Grant, which had been approved by a majority vote of disinterested stockholders.[2]  The Court opened its opinion by asking:  “Was the richest person in the world overpaid?”  And the Court concluded that, yes, he was:  “In the final analysis, Musk launched a self-driving process, recalibrating the speed and direction along the way as he saw fit. The process arrived at an unfair price.”[3]

The Grant

On January 21, 2018, Tesla’s Board of Directors (the “Board”)[4] unanimously approved the Grant, which would vest based on Tesla’s achievement of certain market capitalization goals, as well as operational milestones related to revenue and adjusted EBITDA targets.  The Grant was “the largest potential compensation opportunity ever observed in public markets by multiple orders of magnitude—250 times larger than the contemporaneous median peer compensation plan and over 33 times larger than the plan’s closest comparison, which was Musk’s prior compensation plan.”[5]

The Board conditioned the Grant on approval by a majority vote of disinterested stockholders. A February 8, 2018 proxy statement (the “Proxy”) notified stockholders of a vote on the Grant, which was held on March 21, 2018.  Despite ISS and Glass Lewis recommending votes against approval of the Grant, stockholders (excluding Musk’s and his brother’s ownership) approved the Grant with 73% in favor.  The Grant began vesting in 2020; as of June 30, 2022, the Grant was nearly fully vested, with all market cap and adjusted EBITDA milestones achieved, and three revenue milestones achieved, with one more deemed probable of achievement.[6]

Court found stockholder vote approving the Grant was not fully informed

The Court determined that it was “undeniable that, with respect to the Grant, Musk controlled Tesla”[7] and, therefore, that the Board’s approval of the Grant was a conflicted-controller transaction.  As a result, the Board’s decision would be examined under an “entire fairness” standard―the Delaware courts’ “most onerous standard of review.”[8]  However, Delaware law allows defendants facing an entire fairness standard to shift the burden of proof to the plaintiff by showing that the transaction was approved by a fully informed vote of the majority of the minority stockholders.

The Court found that the stockholder vote approving Musk’s Grant was not fully informed for two reasons:

  • the Proxy inaccurately described key directors as independent, when several of them had extensive personal and professional relationships of long duration with Musk, including owing much of their personal wealth to Musk; and
  • the Proxy misleadingly omitted details about the process by which Musk’s Grant was approved, including material preliminary conversations between Musk and the Compensation Committee chairman, as well as Musk’s role in setting the terms of the Grant and the timing of the Committee’s work.

The Court concluded:  “Put simply, neither the Compensation Committee nor the Board acted in the best interests of the Company when negotiating Musk’s compensation plan. In fact, there is barely any evidence of negotiations at all. Rather than negotiate against Musk with the mindset of a third party, the Compensation Committee worked alongside him, almost as an advisory body.”[9]

The “extraordinary nature of the Grant”[10]

In addition to the process of approving the Grant, the Court considered its “price.”  “The Board never asked the $55.8 billion question:  Was the plan even necessary for Tesla to retain Musk and achieve its goals?”[11]  The Court concluded that it was not for three key reasons:

  • Musk already owned 21.9% of Tesla, which ownership stake gave him incentive to push Tesla to grow its market capitalization even without the additional compensation;
  • there was no risk that Musk would depart Tesla without receiving the Grant, nor did the Board condition the package on Musk devoting any set amount of time to Tesla; and
  • the Grant’s performance conditions were not, in fact, ambitious and difficult to achieve.[12]

It was also significant to the Court that the Grant process lacked a traditional benchmarking analysis.[13]  “The incredible size of the biggest compensation plan ever—an unfathomable sum—seems to have been calibrated to help Musk achieve what he believed would make “a good future for humanity” [related to Musk’s goal of colonizing Mars]. …. [T]hat had no relation to Tesla’s goals with the compensation plan.”[14]

Observations and Considerations for Boards and Independent Directors

Much of Chancellor McCormick’s decision may be unique to the “Superstar CEO”[15] status that Musk holds and the facts and circumstances at Tesla and its Board, as well as the Court’s determination (for the first time in the Chancery Court) that Musk was a controlling stockholder.  Nevertheless, the decision is a landmark one under Delaware law and raises important considerations for Boards and independent directors when deciding upon significant compensation awards.

  1. Document the Process. The Court was very focused on the rushed, casual decision-making of Tesla’s Compensation Committee.  In their testimony, several Board members said they couldn’t remember meetings where important elements of the Grant were discussed.  If considering a significant award, boards and compensation committees would be better served by undertaking a thorough analysis, including rigorous benchmarking, and documenting that process through e-mails, detailed meeting minutes, formalized presentations, and other written records.
  2. Awards Should Have Clear Rationales. Musk’s award had no mechanism for actually keeping his attention focused on Tesla, as opposed to his other business interests.  While the extent of Musk’s outside interests may be a distinguishing factor, compensation committees going forward should be mindful of the concerns the Court expressed around that issue and consider whether and how to ensure that significant awards to executives are clearly and closely aligned to the Company’s business objectives. Performance conditions for such awards will also be analyzed in retrospect so boards should be sure to pressure test the rigor of those goals and contemporaneously document why goals were determined to be challenging.
  3. Expect Extra Scrutiny of Independent Directors. The Court was particularly disturbed by the close personal and business relationships of Tesla’s Compensation Committee members with Musk, such that they viewed awarding the Grant as a collaborative process with Musk, rather than an arm’s length negotiation.  Expect, when considering significant compensation awards, that all elements of an independent director’s connections with the executive-grantee—including length of board service—to be closely examined for indicia of objectivity.

__________

[1] Richard J. Tornetta et al. v. Elon Musk et al., case number 2018-0408, in the Court of Chancery of the State of Delaware.

[2] The Court noted that Musk had not yet exercised any of the options underlying the Grant.  Opinion at 8.

[3] Opinion at 7.

[4] Tesla’s nine-person Board included Musk, his brother Kimbal Musk, Brad W. Buss, Robyn M. Denholm, Ira Ehrenpreis, Antonio J. Gracias, Steve Jurvetson, James Murdoch, and Linda Johnson Rice. Tesla’s Compensation Committee was comprised of Ehrenpreis (the committee chair), Buss, Denholm and Gracias.

[5] Opinion at 1.

[6] Opinion at 92.

[7] Opinion at 112.

[8] Opinion at 104.

[9] Opinion at 128.

[10] Opinion at 143.

[11] Opinion at 6.

[12] Opinion at 183.

[13] Opinion at 144.

[14] Opinion at 180.

[15] Opinion at 120.


The following Gibson Dunn lawyers prepared this alert: Sean Feller, Krista Hanvey, Ron Mueller, Christina Andersen, and Gina Hancock.

Gibson Dunn’s lawyers are available to assist with any questions you may have regarding these issues. To learn more about these issues, please contact the Gibson Dunn lawyer with whom you usually work in the firm’s Executive Compensation and Employee Benefits, Securities Regulation and Corporate Governance, or Securities Litigation practice groups, the authors, or any of the following practice leaders and members:

Executive Compensation and Employee Benefits:
Michael J. Collins – Washington, D.C. (202.887.3551, [email protected])
Stephen W. Fackler – Palo Alto/New York (+1 650.849.5385, [email protected])
Sean C. Feller – Los Angeles (+1 310.551.8746, [email protected])
Krista Hanvey – Dallas (+ 214.698.3425, [email protected])

Securities Regulation and Corporate Governance:
Aaron Briggs – San Francisco (+1 415.393.8297, [email protected])
Elizabeth Ising – Washington, D.C. (+1 202.955.8287, [email protected])
Julia Lapitskaya – New York (+1 212.351.2354, [email protected])
Ron Mueller – Washington, D.C. (+1 202.955.8671, [email protected])

Securities Litigation:
Colin B. Davis – Orange County (+1 949.451.3993, [email protected])
Brian M. Lutz – San Francisco (+1 415.393.8379, [email protected])
Jason J. Mendro – Washington, D.C. (+1 202.887.3726, [email protected])

© 2024 Gibson, Dunn & Crutcher LLP.  All rights reserved.  For contact and other information, please visit us at www.gibsondunn.com.

Attorney Advertising: These materials were prepared for general informational purposes only based on information available at the time of publication and are not intended as, do not constitute, and should not be relied upon as, legal advice or a legal opinion on any specific facts or circumstances. Gibson Dunn (and its affiliates, attorneys, and employees) shall not have any liability in connection with any use of these materials.  The sharing of these materials does not establish an attorney-client relationship with the recipient and should not be relied upon as an alternative for advice from qualified counsel.  Please note that facts and circumstances may vary, and prior results do not guarantee a similar outcome.

Gibson Dunn has formed a Workplace DEI Task Force, bringing to bear the Firm’s experience in employment, appellate and Constitutional law, DEI programs, securities and corporate governance, and government contracts to help our clients develop creative, practical, and lawful approaches to accomplish their DEI objectives following the Supreme Court’s decision in SFFA v. Harvard. Prior issues of our DEI Task Force Update can be found in our DEI Resource Center. Should you have questions about developments in this space or about your own DEI programs, please do not hesitate to reach out to any member of our DEI Task Force or the authors of this Update (listed below).

Fearless Fund Oral Argument:

On January 31, 2024, the Eleventh Circuit heard oral argument in American Alliance for Equal Rights’ (AAER) appeal of the district court’s denial of its motion for preliminary injunction in American Alliance for Equal Rights v. Fearless Fund Management, LLC, No. 23-13138 (11th Cir. 2023). On the panel were Judge Robin S. Rosenbaum, Judge Kevin C. Newsom, and Judge Robert J. Luck.

During the argument, AAER asserted that Fearless Fund’s charitable grant program—which provides $20,000 grants to Black female entrepreneurs—is a racially discriminatory contract subject to Section 1981. But Fearless Fund, represented by Gibson Dunn, asserted that the program is expressive speech protected by the First Amendment, such that the traditional Section 1981 analysis does not apply.

Judge Rosenbaum addressed the First Amendment issue, asking counsel for AAER, Gilbert Dickey of Consovoy McCarthy, “if . . . the entire point of the organization and the donation is to send the message that . . . Black businesswomen are worthy and have been overlooked and left out, then why isn’t that speech?” Mr. Dickey responded that the case law does not permit consideration of an organization’s “previously expressed views to decide whether the actual conduct is expressive.” Pressed further by Judge Newsom to explain the “hydraulic relationship between whether [the program] is subject to Section 1981 and the First Amendment interests at stake,” Mr. Dickey questioned whether a donation in any circumstance could be considered expressive. And in response to Judge Rosenbaum’s hypothetical contest awarded to whoever “does the most to further Black businesswomen,” Mr. Dickey argued that “implications of this case for the First Amendment are pretty minor” because nonprofits would be “free to discriminate based on the message an organization is sending but not on protected characteristics.”

Arguing on behalf of Fearless Fund, Jason Schwartz of Gibson Dunn emphasized that Fearless Fund’s grant program is “core expressive activity” in line with the “proud tradition in this country” of charitable giving by organizations dedicated to specific causes. He called AAER’s suit an “unprecedented effort to use Section 1981 to force a charity to reverse its message or shut down.” Mr. Schwartz argued this inappropriate application of the Reconstruction-era statute would force an untenable result: “give to everyone or no one.”

Mr. Schwartz distinguished “traditional commercial transactions—employment, housing,” from “charitable giving . . . recognized as protected by the First Amendment,” emphasizing that “Americans speak with their money; they magnify their message with their money.” To explore this line between regulatable conduct and First Amendment-protected speech, Judge Luck posed several hypotheticals, including whether, under Fearless Fund’s reasoning, a charity’s contract for the purchase of office supplies would warrant similar protection. When Judge Luck pressed on the claim that “just because it’s a charity it falls outside of 1981 . . . that can’t be right,” Mr. Schwartz agreed, but contended that, here, “the core expressive activity of the Fearless Foundation is to send this message, which, for what it’s worth, is the message of Section 1981.”

Judge Newsom also presented Mr. Schwartz with a hypothetical from AAER’s brief—a “white man only contest”—to which Mr. Schwartz responded, “First of all, no matter how repugnant I might find that, the First Amendment protects all speech,” explaining that a program set up the same way as the Fearless Fund program may be protected, depending on how it is structured.

Mylan Denerstein of Gibson Dunn, also on behalf of the Fearless Fund, argued that AAER had not met the high bar for organizational standing, noting that AAER’s position would require “the court [to] grant a preliminary injunction when we don’t even know who the businesses are.” She emphasized that AAER “fail[ed] to state that they’ve applied for grants or need money or mentorship” and “don’t show the viability of their business,” which further weighed against finding injury sufficient for standing.

The panel did not indicate when it expects to issue a ruling.

Media Coverage:

Key Developments:

On January 30, 2024, Utah Governor Spencer Cox signed House Bill 261 (“HB 261”) into law. HB 261 prohibits state education institutions and government entities from using DEI statements in hiring and providing trainings promoting differential treatment based on personal identity characteristics. HB 261 also mandates that state education institutions replace DEI offices with general access “student success and support” offices. The bill defines maintaining any of these policies or programs as a “prohibited discriminatory practice.” HB 261 progressed rapidly through the legislature, passing only ten days after its introduction. Alongside it, another anti-DEI bill in Utah, House Bill 111 (“HB 111”), has been voted out of committee to the full House. As introduced, HB 111 would prohibit private employers from requiring training in or compelling beliefs about various DEI-related concepts, although the bill was significantly weakened in committee. We are tracking the progress of this bill and will provide additional updates if it passes.

On January 26, 2024, Students for Fair Admissions (“SFFA”) asked the Supreme Court to grant an emergency injunction in its ongoing battle against West Point, bringing its campaign against race-conscious admissions back to the nation’s highest court. SFFA sued West Point on September 19, 2023, arguing that the military academy’s continued use of race-conscious admissions after SFFA v. Harvard is unconstitutional. After the district court denied its request for a preliminary injunction on January 3, 2024, SFFA filed an emergency appeal to the Second Circuit the next day. Instead of waiting for the Second Circuit to rule, SFFA filed an emergency application for an injunction with the Supreme Court, requesting that the court enjoin West Point from considering applicants’ race after the school’s application window closes on January 31. SFFA argued that West Point should be subject to the same constitutional analysis as other schools, despite language in SFFA v. Harvard suggesting military academies might receive more deference. SFFA claimed West Point applicants will suffer irreparable harm if the Supreme Court does not act before West Point’s application cycle closes on January 31. On January 30, 2024, West Point filed its opposition to SFFA’s requested injunction, arguing that there is no “emergency” supporting the injunction, since West Point has been considering applications since August 2023, will continue to do so through May 2024, and has already issued offers to hundreds of candidates. West Point also noted that SFFA failed to establish irreparable harm because SFFA’s members remain eligible to apply to West Point for at least three additional admissions cycles. West Point asserted that the military’s judgment merits “substantial deference” and that a diverse officer corps is “necessary for an effective fighting force.”

On January 25, 2024, AFL filed a formal judicial conduct complaint with Chief Judge Diane S. Sykes of the United States Court of Appeals for the Seventh Circuit. The complaint accuses three judges on the United States District Court for the Southern District of Illinois—Chief Judge Nancy J. Rosenstengel, Judge Staci M. Yandle, and Judge David W. Dugan—of race and sex discrimination in violation of the Rule for Judicial-Conduct and Judicial-Disability Proceedings 4(a), Judicial Code of Conduct Canon 2(A), and the Fifth Amendment of the United States Constitution. Specifically, the complaint highlights the judges’ policies allowing parties to move for oral argument with the promise that, if the motion is granted, a “newer, female, [or] minority attorney” will argue the motion. AFL’s complaint maintains that these policies intentionally discriminate on the basis of sex and race, amounting to “cognizable judicial misconduct” under the applicable judicial rules. Further, AFL argues that allowing these policies to stand undermines judicial integrity and public trust in the judicial system as it gives some parties additional advocacy opportunities for their clients solely on the basis of an advocate’s race or gender.

On January 17, 2024, AFL filed an administrative complaint with the Department of Labor’s Office of Federal Contract Compliance Programs (“OFCCP”), seeking investigations into three airlines—American Airlines, United Airlines, and Southwest Airlines—for alleged violations of federal contract law. AFL claimed that the airlines’ race-based and gender-based hiring targets constitute race- and sex-based discrimination in violation of Executive Order 11246, which requires government contracts to contain an Equal Opportunity Clause prohibiting discrimination, and authorizes the Secretary of Labor to sanction government contractors via contract cancellation, ineligibility, and other penalties. AFL’s American Airlines letter mentioned the airline’s stated commitment to DEI and programs available to Black professionals, while the Southwest letter cited the increase in the company’s diverse hires as evidence of unlawful consideration of race and gender in hiring. Finally, the United letter cited DEI targets in the airline’s 2022 Corporate Responsibility Report and DEI initiatives that favor women and minority-owned subcontractors. These letters follow the November 1, 2023 civil rights complaints AFL submitted to the EEOC regarding the same airlines.

On January 17, 2024, AFL sent a FOIA request to the Federal Bureau of Investigation (FBI). AFL requested all records of communications to and from the FBI’s Chief Diversity Officer, Scott McMillion, from April 2021 to April 2023. Citing McMillion’s comments that “diversity, equity, inclusion and accessibility is literally within [the FBI’s] DNA” and an FBI diversity report that showed the agency has increased employee racial, ethnic, and gender diversity, AFL speculated that the FBI’s hiring process violates Title VII and the Equal Protection Clause.

On January 11, 2024, AFL filed a letter with the EEOC calling for the Commission to conduct an investigation of Nike. AFL accused Nike of knowingly and intentionally using race, color, sex, and national origin as motivating factors in numerous employment decisions in violation of Title VII. AFL sent a similar letter to Nike’s board, highlighting the same alleged violations. In the letters, AFL pointed to language on Nike’s website expressing the company’s intent to set “clear and ambitious targets . . . to increase diverse representation at Nike.” AFL claimed that one way Nike realizes this target is through the creation of “Employee Networks,” which are limited to members of eight specific “favored categories.” These categories focus on race, sex, or gender. AFL maintained that Nike’s explicit focus on only those categories demonstrates the company’s discriminatory intent to deprive “whites, males, and heterosexuals” of the opportunity to gain “real benefits” from inclusion in these Employee Networks. Additionally, AFL cited Nike’s self-reported data as evidence of the company’s express intent to discriminate in favor of certain historically underrepresented demographics. For example, AFL cited Nike’s Fiscal Year 2022 report, which states that the company achieved 51% gender diversity and 38.8% racial diversity. AFL claimed that featuring these statistics demonstrates Nike’s efforts to discriminate against other demographics.

Media Coverage and Commentary:

Below is a selection of recent media coverage and commentary on these issues:

  • New York Times, “‘America Is Under Attack’: Inside the Anti-D.E.I. Crusade” (January 20): The Times’s Nicholas Confessore reports on thousands of documents newly obtained by the newspaper, providing new details about the recent wave of anti-DEI bills being considered—and in some instances, passed—in state legislatures. Despite polls showing that most Americans support the values underlying DEI, over 20 states considered or passed anti-DEI legislation in 2023. The Times secured documents including emails, grant proposals, and draft reports that the article claims show how conservative activists, centered at California’s Claremont Institute, “formed a loose network of think tanks, political groups and Republican operatives in at least a dozen states” in an effort to “eliminat[e] ‘social justice education’ from American schools.” According to Confessore, the internal documents reveal that (at least in some cases) racist, sexist, and homophobic beliefs were motivating factors. Confessore also suggested that the documents signal the importance of the anti-DEI movement as a Republican fundraising tool and talking point that is anticipated to become even more prominent as the 2024 election nears.
  • Forbes, “Diversity In Leadership Increases Chances Of Success By 39%” (January 21): Julie Kratz, founder of DEI training organizations Next Pivot Point and Little Allies, reports on new research by McKinsey & Company describing a growing business case for DEI. The research suggests that there is a “39% increased likelihood of outperformance” for companies in the top quartile of ethnic and gender leadership diversity as compared to those in the bottom quartile. Kratz notes that business justifications for diversity are not new, but several factors—including limited diversity in C-suites and lack of accountability—hinder progress. To overcome these challenges, Kratz recommends that companies set aside the “‘one and done’ approach” to DEI training and focus on “a model of continuous learning.”
  • Wall Street Journal, “DEI Is Worth Saving From Its Excesses” (January 22): Roland Fryer, Harvard economist and founder of venture capital firm Equal Opportunity Ventures, writes in an opinion piece that “[o]pponents and supporters of DEI have very different ideas about what it is.” Fryer recognizes the need for companies to evaluate their diversity initiatives and to identify and eliminate illegal practices, but also advocates for maintaining commitment to developing diverse talent. Fryer suggests that employers should focus on eliminating racial bias “not only because discrimination is wrong but because it is a market failure that prevents the right people from being placed in the right positions.” Companies should be aware of these biases, evident in disparate rates of hiring, promotion, and starting compensation. Fryer recommends use of machine learning to help avoid bias in personnel decisions.
  • Law360, “EEOC’s Lucas Calls Mark Cuban ‘Dead Wrong’ In DEI Push” (January 29): Law360’s Patrick Hoff reports on a public exchange on the social media platform X between billionaire businessman Mark Cuban and EEOC Commissioner Andrea Lucas. In recent weeks, Cuban has taken to X to defend the business case for DEI. But when he posted on January 28 that, in hiring, “race and gender can be part of the equation,” Commissioner Lucas replied, calling Cuban “dead wrong on black-letter Title VII law.” According to Hoff, in an email to Law360, Cuban clarified that X “is a place to argue” and that he follows the law “in every way.” Although a spokesperson for the EEOC told Law360 that Lucas’s social media posts are her own and not reflective of the agency’s opinions, Lucas told the news outlet that she views public education “in any media” as part of her role. Hoff notes that, in the wake of SFFA, Lucas has stood alone among the EEOC’s commissioners in publicly denouncing race-based corporate DEI policies.

Case Updates:

Below is a list of updates in new and pending cases:

1. Contracting claims under Section 1981, the U.S. Constitution, and other statutes:

  • Mid-America Milling Company v. U.S. Department of Transportation, No. 3:23-cv-00072-GFVT (E.D. Ky. 2023): Two plaintiff construction companies sued the Department of Transportation, asking the court to enjoin DOT’s Disadvantaged Business Enterprise (DBE) Program, an affirmative action program that awards contracts to minority-owned and women‑owned small businesses in DOT-funded construction projects with the statutory aim of granting 10% of certain DOT-funded contracts to these businesses nationally. Plaintiffs allege that the program constitutes unconstitutional race discrimination in violation of the Fifth Amendment.
    • Latest update: On January 16, 2024, DOT filed its motion to dismiss the complaint. DOT argued that the plaintiffs’ allegations that they lost contracts to DBE firms were conclusory and speculative because they failed to allege specific facts about the nature of the contracts, the type of industry, and whether or not those contracts were actually covered by the DBE program. DOT also argued that the plaintiffs failed to allege an injury sufficient for standing because, although they alleged they had bid for DBE contracts, they did not identify the contracts with enough specificity, as not all DOT contracts contain a DBE goal. Finally, DOT argued the plaintiffs failed to join as indispensable parties the state or local agencies who actually implement the DBE goals and channel DOT funds to contractors.
  • Landscape Consultants of Texas, Inc. v. City of Houston, No. 4:23-cv-3516–DH (S.D. Tx. 2023): Plaintiff landscaping companies owned by white individuals challenged Houston’s government contracting set-aside program for “minority business enterprises” that are owned by members of racial and ethnic minority groups. The companies claim the program violates the Fourteenth Amendment and Section 1981.
    • Latest update: On January 12, 2024, the district court denied both the City of Houston’s and Midtown Management District’s motions to dismiss, without issuing a written opinion
  • Do No Harm v. Pfizer, No. 1:22-cv-07908–JLR (S.D.N.Y. 2022), on appeal at No. 23-15 (2d Cir. 2023): On September 15, 2022, plaintiff association representing physicians, medical students, and policymakers sued Pfizer, alleging that the company’s Breakthrough Fellowship Program, which provided minority college seniors summer internships, two years of employment post-graduation, and a scholarship, violated Section 1981, Title VII, and New York law. The association alleges that the program illegally excludes white and Asian applicants. The association is represented by Consovoy McCarthy PLLC, the firm that also represents American Alliance for Equal Rights in multiple lawsuits. In December 2022, the court granted Pfizer’s motion to dismiss, finding that the plaintiff did not have associational standing because they did not identify at least one member by name, instead only submitting declarations from anonymous members. The association appealed to the Second Circuit, which heard oral argument on October 3, 2023.
    • Latest update: On December 21, 2023, Do No Harm filed a Rule 28(j) notice of supplemental authority to support its claim that it has standing despite its reliance on unnamed members. Pointing to a recent district court decision in SFFA v. U.S. Naval Academy that found standing on the basis of pseudonymous plaintiffs, the association argued that the district court misread Supreme Court precedent. On January 12, 2024, Pfizer responded with its own Rule 28(j) letter, contesting the plaintiff’s characterization of the Naval Academy decision and arguing that even if the use of pseudonymous members was sufficient to create standing, the pseudonymous members in the current case still lacked standing because they had declined to apply for Pfizer’s fellowship program after Pfizer changed the requirements—something Pfizer also argued served to moot the case.

2. Employment discrimination under Title VII and other statutory law:

  • Gerber v. Ohio Northern University, No. 2023-1107-CVH (Ohio. Ct. Common Pleas Hardin Cty. 2023): On June 30, 2023, a law professor sued his former employer, Ohio Northern University, for terminating his employment after an internal investigation determined that he bullied and harassed other faculty members. On January 23, 2024, the plaintiff, now represented by America First Legal, filed an amended complaint. The plaintiff claims that his firing was actually in retaliation for his vocal and public opposition to the university’s stated DEI principles and race-conscious hiring, which he believed were illegal. The plaintiff alleged that the investigation and his termination breached his employment contract, violated Ohio civil rights statutes, and constituted various torts, including defamation, false light, conversion, infliction of emotional distress, and wrongful termination in violation of public policy.
    • Latest update: The defendant has until February 20, 2024 to respond to the plaintiff’s second amended complaint.
  • De Piero v. Pennsylvania State University, No. 2:23-cv-02281-WB (E.D. Pa. 2023): A white male professor sued his employer, Penn State University, claiming that university-mandated DEI trainings, discussions with coworkers and supervisors about race and privilege in the classroom, and comments from coworkers about his “white privilege” constituted a hostile work environment that led him to quit his job. He claimed that after he reported that he felt harassed and published an opinion piece objecting to the impact of DEI concepts in the classroom, the university retaliated against him by investigating him for bullying and aggressive behavior towards his colleagues. The plaintiff alleged harassment, retaliation, and constructive discharge in violation of Title VI, Title VII, Section 1981, Section 1983, the First Amendment, and Pennsylvania civil rights laws.
    • Latest update: On January 11, 2024, the district court granted the defendant’s motion to dismiss in part, dismissing all of the plaintiff’s claims except for his hostile work environment claim. On that claim, the judge found that some of his allegations, including that he was required to attend trainings that “discussed racial issues in essentialist and deterministic terms” and “ascrib[ed] negative traits to white people . . . plausibly amount to ‘pervasive’ harassment.” The court made clear that “training on concepts such as ‘white privilege’ . . . can contribute positively . . . in an educational institution,” but that when those discussions occur “with a constant drumbeat of essentialist, deterministic, and negative language, they risk liability under federal law.”
  • Haltigan v. Drake, No. 5:23-cv-02437-EJD (N.D. Cal. 2023): A white male psychologist sued the University of California Santa Cruz, arguing that a requirement that prospective faculty candidates submit and be evaluated in part on the basis of statements explaining their views and understanding of DEI principles functioned as a loyalty oath that violated his First Amendment freedoms. The plaintiff claimed that because he is “committed to colorblindness and viewpoint diversity”––which he alleged was contrary to UC Santa Cruz’s position on DEI––he would be compelled to alter his political views to be a viable candidate for the position. The plaintiff sought a declaration that the University’s DEI statement requirement violated the First Amendment and a permanent injunction against the enforcement of the requirement.
    • Latest update: On January 12, 2024, the district court granted UC Santa Cruz’s motion to dismiss with leave to amend, finding that the plaintiff lacked standing because he had not actually applied for a professor position. The court rejected the plaintiff’s claim that he had “competitor standing” because he only expressed a general interest in the position, and did not allege that he had undertaken any preparations or concrete steps to apply. The court also rejected the argument that the plaintiff had First Amendment prudential standing, sometimes recognized in license application cases, because he was seeking a job, not a license or a permit. Finally, the court found that the plaintiff had not sufficiently alleged that it would have been futile to apply without a DEI statement because UC Santa Cruz might have accepted his application notwithstanding his lack of a statement.
  • Weitzman v. Fred Hutchinson Cancer Center, No. 2:24-cv-00071-TLF (W.D.WA. 2024): On January 16, 2024, a white Jewish female former employee of a medical center sued her former employer, alleging that she was terminated for expressing her discomfort with DEI-related content shared in the workplace by coworkers, objecting to DEI-related training, and expressing her political opposition to DEI-aligned ideologies. She also claimed that her employer failed to act when she was allegedly discriminated against because of her religion and race by other coworkers. The plaintiff alleged her employer’s conduct constituted racial discrimination, a hostile work environment, and retaliation in violation of the Washington Law against Discrimination (WLAD) and Section 1981; discrimination and retaliation on the basis of political ideology in violation of the Seattle Municipal Code; and intentional infliction of emotional distress and wrongful termination in violation of public policy under common law.
    • Latest update: The defendant has not yet responded to the complaint.

3. Challenges to agency rules, laws, and regulatory decisions:

  • Saadeh v. New Jersey State Bar Association, No. MID-L-006023-21 (N.J. Super. Ct. 2021), on appeal at A-2201-22 (N.J. Super. Ct. App. Div. 2023): On October 15, 2021, a Palestinian and Muslim attorney and bar member sued the New Jersey State Bar Association (NJSBA), alleging that the NJSBA’s practice of reserving certain trustee and committee positions for members of “underrepresented groups” including Black, Hispanic, Asian, women, and LGBTQ attorneys constituted racial discrimination in violation of New Jersey state civil rights laws.
    • Latest update: On November 9, 2022, the trial judge ruled that the NJSBA’s practice was racially discriminatory, and ordered it to end the practice and consider all attorneys in good standing eligible for the positions. The court found that the practice was an illegal quota rather than a valid affirmative action program. The court also held that the First Amendment did not protect the NJSBA’s practices. The NJSBA appealed, and on January 18, 2024, the Appellate Division of the New Jersey Superior Court heard oral argument. The NJSBA argued that the trial court applied the incorrect Supreme Court precedent and that under the correct framework, the NJSBA’s practice is a valid, tailored affirmative action plan that redresses the historical underrepresentation of non-white attorneys in the positions at issue. The plaintiff argued that the practice is not legal affirmative action because it does not address the root causes of racial imbalances and is not based on a detailed analysis of the NJSBA’s membership and demographic data.
  • Palsgaard v. Christian, et al., No. 1:23-cv-01228-SAB (E.D. Cal. 2023): In August 2023, California community college professors filed suit and moved for a preliminary injunction against the state’s new DEI-related evaluation competencies and corresponding language in their faculty contract, which they allege requires them to endorse the state’s views on DEI concepts. The plaintiffs challenge the DEI rules and contract language as compelled speech in violation of the First and Fourteenth Amendments. On December 15, 2023 the defendants filed their motions to dismiss.
    • Latest update: On January 19, 2024, the plaintiffs filed a joint opposition to the defendants’ motions to dismiss. Plaintiffs argued that they had standing to challenge the DEI rules and faculty contract and that they had not waived their First Amendment rights. Plaintiffs also argued that their constitutional claims should not be dismissed because the regulations compel them to espouse the state’s preferred message and that both the rules and faculty contract are overbroad and vague.
  • Earls v. North Carolina Judicial Standards Commission, No. 1:23-cv-00734-WO-JEP (M.D.N.C. 2023): On June 20, 2023, North Carolina Supreme Court Justice Anita Earls, the only non-white female justice on the court, made comments in an interview regarding the diversity of the appellate bench and of the attorneys who appear before the N.C. Supreme Court, and her opinion regarding implicit bias in the state judiciary and attempts to diversify the North Carolina courts. In response, on August 15, 2023, the North Carolina Judicial Standards Commission initiated an investigation into whether Justice Earls violated provisions of the judicial code requiring her to act in a manner that promotes “public confidence in the integrity” of the judicial system. On August 29, 2023, Justice Earls filed a lawsuit claiming that the Commission’s investigation was part of an ongoing effort to restrict and chill her free speech rights in violation of the First Amendment. She claimed that as a result of the investigation, she turned down opportunities to speak on matters related to diversity and equity, demonstrating the investigation’s chilling effect. On November 21, 2023, the district court denied Justice Earls’ request for a preliminary injunction on the grounds that the Commission’s actions likely met strict scrutiny because its investigation was justified by the compelling interest of safeguarding public confidence in the integrity and fairness of the judicial system, and the investigation process appeared narrowly tailored.
    • Latest update: On January 17, 2024, Justice Earls voluntarily dismissed her case after the Commission dismissed the investigation against her without recommending disciplinary action.

4. Educational Institutions and Admissions (Fifth Amendment, Fourteenth Amendment, Title VI, Title IX):

  • Students for Fair Admissions, Inc. v. University of Texas at Austin, 1:20-cv-00763-RP (W.D. Tex. 2020): On July 20, 2020, SFFA sued the University of Texas, alleging that UT Austin’s methods of considering race in undergraduate admissions violated the Equal Protection Clause of the Fourteenth Amendment, Section 1981, Title VII, the Texas Constitution, and Texas state law.
    • Latest update: On January 11, 2024, UT Austin replied to SFFA’s opposition to its motion to dismiss, renewing its argument that the case is moot because UT Austin has changed its admissions policies. It further argued that the case was not still live under the “voluntary cessation” doctrine because the policy change was compelled by the Supreme Court’s SFFA v. Harvard decision, and SFFA failed to show UT Austin’s change was not made in good faith. UT Austin also responded to SFFA’s summary judgment motion, asserting that SFFA’s evidence that UT still collects demographic information is not sufficient to show that it discriminates on the basis of race. Also on January 11, civil rights groups acting as intervenors on behalf of UT Austin opposed SFFA’s motion for summary judgment, arguing that SFFA is not entitled to summary judgment because it has not shown that UT’s facially neutral policy is being implemented in a discriminatory manner. They also replied to SFFA’s opposition to the motion to dismiss, arguing that SFFA lacks standing because none of its members have applied to UT Austin under the new policy, and that the case is moot because SFFA is challenging a policy that no longer exists.

The following Gibson Dunn attorneys assisted in preparing this client update: Jason Schwartz, Mylan Denerstein, Blaine Evanson, Molly Senger, Zakiyyah Salim-Williams, Matt Gregory, Zoë Klein, Mollie Reiss, Teddy Rube, Alana Bevan, Marquan Robertson, Janice Jiang, Elizabeth Penava, Skylar Drefcinski, and Mary Lindsay Krebs.


Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments. Please contact the Gibson Dunn lawyer with whom you usually work, any member of the firm’s Labor and Employment practice group, or the following practice leaders and authors:

Jason C. Schwartz – Partner & Co-Chair, Labor & Employment Group
Washington, D.C. (+1 202-955-8242, [email protected])

Katherine V.A. Smith – Partner & Co-Chair, Labor & Employment Group
Los Angeles (+1 213-229-7107, [email protected])

Mylan L. Denerstein – Partner & Co-Chair, Public Policy Group
New York (+1 212-351-3850, [email protected])

Zakiyyah T. Salim-Williams – Partner & Chief Diversity Officer
Washington, D.C. (+1 202-955-8503, [email protected])

Molly T. Senger – Partner, Labor & Employment Group
Washington, D.C. (+1 202-955-8571, [email protected])

Blaine H. Evanson – Partner, Appellate & Constitutional Law Group
Orange County (+1 949-451-3805, [email protected])

© 2024 Gibson, Dunn & Crutcher LLP.  All rights reserved.  For contact and other information, please visit us at www.gibsondunn.com.

Attorney Advertising: These materials were prepared for general informational purposes only based on information available at the time of publication and are not intended as, do not constitute, and should not be relied upon as, legal advice or a legal opinion on any specific facts or circumstances. Gibson Dunn (and its affiliates, attorneys, and employees) shall not have any liability in connection with any use of these materials.  The sharing of these materials does not establish an attorney-client relationship with the recipient and should not be relied upon as an alternative for advice from qualified counsel.  Please note that facts and circumstances may vary, and prior results do not guarantee a similar outcome.

This briefing examines in depth the circulars and consultation paper issued by the SFC and HKMA in December 2023.

Throughout the course of 2023, the Hong Kong Securities and Futures Commission (“SFC”) and the Hong Kong Monetary Authority (“HKMA”) showed clear indications of their increased openness to virtual assets (“VA”), including through the implementation of the SFC’s Hong Kong virtual asset trading platform (“VATP”) regime,[1] and the release of multiple circulars liberalising the regulatory approach to this area.[2] This trend continued through until the very end of 2023, with the SFC and HKMA being very active in this space in late December. In particular, the SFC on December 22, 2023 issued a circular significantly relaxing the approach to virtual asset exchange traded funds (“VA ETFS”) and other funds with exposure to VA, followed by a joint SFC-HKMA circular in relation to intermediaries’ virtual asset-related activities and an HKMA consultation paper setting out a proposed legislative regime for the issuance of stablecoins. This client briefing examines the two circulars and consultation paper in further depth.

I. SFC Circular on SFC-Authorised Funds With Exposure to Virtual Assets

On December 22, 2023, the SFC published a circular on SFC-authorised funds with exposure to virtual assets (“SFC Circular”), and sets out the requirements under which the SFC will consider authorising funds with exposure to VA of more than 10% of their net asset value (“NAV”) (“SFC-authorised VA Funds”).[3] The SFC Circular supersedes an earlier circular on VA futures ETFs issued on October 31, 2022 (“October 2022 Circular”).[4] The key practical effect of the replacement of the October 2022 Circular is to expand the scope of VA ETFs that may be authorised by the SFC, as the October 2022 Circular only provided for the authorisation of VA ETFs with Bitcoin futures and Ether futures traded on the Chicago Mercantile Exchange (“CME”) as the underlying assets. The SFC Circular removes this requirement.

However, all funds with either direct (i.e. as a result of purchasing of tokens directly by the fund) or indirect investment exposure to VA seeking SFC authorisation must comply with a range of requirements, as summarised in the table below.[5] Further, (i) funds having or intending to have VA exposure of more than 10% of NAV that wish to seek the SFC’s authorisation or (ii) existing SFC-authorised funds that plan to obtain VA exposure of more than 10% of their NAV should consult and seek prior approval from the SFC by contacting the relevant case officer of the Investment Products Division.

Area

Key changes from the October 2022 Circular and/or key requirements

Eligible underlying VA

  • SFC-authorised VA Funds should only invest (indirectly or directly) in VA tokens that are accessible to Hong Kong public for trading on SFC-licensed VATPs.

Investment strategy

  • As noted above, the SFC Circular has removed the requirement under the October 2022 Circular that VA ETFs must only have as their underlying Bitcoin futures and Ether futures traded on Chicago Mercantile Exchange. However, the SFC Circular does allow SFC-authorised VA Funds to only have exposure to VA futures traded on conventional regulated futures exchanges. Further, the management company of such funds must be able to demonstrate that: (i) the relevant VA futures have adequate liquidity and (ii) the roll costs of the relevant VA futures are manageable and how such roll costs will be managed.
  • Indirect exposures to eligible VA via other exchange-traded products are subject to applicable requirements in the UT Code and other requirements which may be imposed by the SFC.
  • SFC-authorised VA Funds must not have leveraged exposure to VA at the fund level.
  • SFC-authorised VA Funds that primarily adopt a futures-based investment strategy are expected to adopt an active investment strategy to allow flexibility in portfolio composition, rolling strategy and handling of any market disruption events.

Transactions and direct acquisitions of spot VA

  • Transactions and acquisitions of spot VA by SFC-authorised VA Funds should be conducted through SFC-licensed VATPs or authorised institutions (“AIs”) or their subsidiaries in accordance with any applicable HKMA requirements.
  • For in-cash subscriptions and redemptions, SFC-authorised spot VA ETFs should acquire and dispose of spot VA through SFC-licensed VATPs, either on or off platform.
  • For in-kind subscriptions, participating dealers (“PDs”) should transfer spot VA to SFC-authorised spot VA ETFs’ custody accounts with SFC-licensed VATPs or AIs (and vice versa where in-kind redemptions are concerned).
  • Both in-cash and in-kind subscription and redemption are permitted for SFC-authorised spot VA ETFs.
  • For ETFs that invest in spot VA, PDs should be SFC-licensed corporations or registered institutions.

Custody

  • The trustee/custodian of an SFC-authorised VA Fund should only delegate its VA custody function to an SFC-licensed VATP or an AI (or a subsidiary of a locally incorporated AI) which meets the expected standards for VA custody issued by the HKMA from time to time.
  • The trustee/custodian and any delegate responsible for taking custody of VA holdings of an SFC-authorised VA Fund should comply with additional requirements: (i) it should ensure segregation between the VA holdings and its own assets as well as the assets it holds for other clients; (ii) it should store most of the VA holdings in a cold wallet, and minimise the amount and duration of VA held in a hot wallet; (iii) it should ensure the seeds and private keys are securely stored in Hong Kong, tightly restricted to authorised personnel, and sufficiently resistant to speculation or collusion, and properly backed up to mitigate any single point of failure.

Management companies

  • Management companies of SFC-authorised VA Funds should have a good track record of regulatory compliance, and at least one competent staff member with relevant experience in the management of VA or related products.
  • The SFC’s Licensing Department may also impose additional terms and conditions on such management companies.

Valuation

  • When valuing spot VA, the management companies of SFC-authorised VA Funds should adopt an indexing approach based on VA trade volume across major VA trading platforms (i.e. a benchmark index published by a reputable provider that reflects a significant share of trading activities in the underlying spot VA).

Service providers

  • Management companies should confirm that all necessary service providers (such as fund administrators, participating dealers, market makers and index providers) are competent, available and ready to support the SFC-authorised VA Funds.

Disclosure and investor education

  • The offering documents (including the product key facts statements (“KFS”)) of SFC-authorised VA Funds should disclose the investment limits and key risks related to the funds’ VA exposures.
  • Product KFSs for SFC-authorised VA Funds should contain upfront disclosure of the investment objectives and the key risks associated with the underlying VA exposures, such as: (i) price risk, custody risk, cybersecurity risk and fork risk for investments in spot VA; and (ii) potentially large roll costs and operational risks for investments in VA futures.

Distribution

    • Please refer to Section II below.

II. SFC and HKMA Joint Circular on Intermediaries’ Virtual Asset-Related Activities

On December 22, 2023, the SFC and HKMA issued a joint circular on intermediaries’ virtual asset-related activities (“Joint Circular”) which provides updated guidance to intermediaries carrying on VA-related activities, in respect of (i) the distribution of investment products with exposure to VAs; (ii) the provision of VA dealing services; (iii) the provision of VA advisory services; and (iv) the management of portfolios investing into VAs.[6]  The Joint Circular supersedes an earlier joint circular published on October 20, 2023.[7]

The Joint Circular emphasises that VA-related products[8] will very likely be considered complex products and that intermediaries distributing VA-related products considered to be complex products will generally be required to comply with the SFC’s requirements on the sale of complex products (including most notably ensuring suitability of VA-related products, regardless of whether the intermediary has solicited or recommended that its clients invest in the product in question).

However, the SFC and HKMA have also imposed two additional investor protection measures on the distribution of VA-related products to address specific risks related to these products:

  1. Restrictions on sale: Subject to certain exceptions (as discussed further below), the SFC and HKMA have indicated that VA-related complex products should only be offered to professional investors (“PIs”); and
  2. VA knowledge test: Intermediaries must assess whether clients (other than institutional PIs and qualified corporate PIs) have knowledge of investing in virtual assets or VA-related products prior to effecting a transaction in VA-related products on their behalf. Where a client does not have the requisite knowledge, the intermediary may only proceed if it has provided sufficient training to the client on the nature and risks of VAs and the clients have sufficient net worth to bear potential losses from trading VA-related products.[9]

However, while the above investor protection measures appeared in the earlier joint circular dated October 20, 2023, the SFC and HKMA have in the Joint Circular stated that the selling restrictions above will not apply to SFC-authorised VA Funds (i.e. funds approved for public offering), subject to intermediaries complying with the following additional safeguards:

  • For SFC-authorised VA Funds listed and traded on the Hong Kong Stock Exchange (“SEHK”), client orders can be executed on exchange without the need to comply with the suitability requirement or minimum information and warning statements requirements,[10] providing there has been no solicitation or recommendation by the intermediary.
  • For SFC-authorised VA Funds that are not listed, or for listed funds where trading occurs off exchange, intermediaries will still have to comply with the abovementioned requirements, as well as undertaking the VA knowledge test set out above on the clients concerned.

Further, the SFC and HKMA have also reminded intermediaries that where these SFC-authorised VA funds are also VA derivative funds, intermediaries also  need to comply with the requirements for derivative products set out in the Joint Circular.

To assist intermediaries in determining whether an investment product with exposure to VA is complex and the corresponding selling requirements that may apply to the product, the Joint Circular also includes a flowchart which sets out the relevant factors and the corresponding selling requirements.[11]

III. Legislative Proposal on Issuance of Stablecoins

On December 27, 2023, the Financial Services and the Treasury Bureau (“FSTB”) and the HKMA jointly issued a public consultation paper regarding their proposed legislative regime for the regulation of stablecoins (“Legislative Proposal”).[12] This followed the HKMA’s January 2022 discussion paper inviting feedback on its proposed regulatory approach towards crypto-assets and stablecoins (“Discussion Paper”) (as covered in our previous client alert)[13] and its January 2023 consultation conclusions (“Consultation Conclusions”)[14] (as covered in a subsequent client alert).

The introduction of the Legislative Proposal is driven by the potential interconnectedness between the virtual assets (“VA”) market and the traditional financial system. Specifically, the FSTB and HKMA view stablecoins, especially fiat-referenced stablecoin (“FRS”) as a key monetary and financial stability risk area which could lead to a spill-over from the VA sector to the traditional financial system, and vice versa.

A. Legislative Scope and Approach

The FSTB and HKMA have proposed that, rather than amending existing legislation (including the Payment Systems and Stored Value Facilities Ordinance (“PSSVFO”)), their intention is to introduce a new piece of legislation which will address specific features of stablecoins and could more readily serve as the foundation for the extension of the regulatory regime to other forms of VAs down the track. The FSTB and HKMA have also proposed that the issuance of an FRS by an FRS licensee would be excluded from the scope of existing regulatory regimes, including those applicable to securities (e.g. collective investment schemes) and SVFs.

The FSTB and HKMA have proposed that initially, the licensing regime will apply only to issuers of fiat-referenced stablecoins (“FRS”) – that is, stablecoins which have as their specified asset one or more fiat currencies.[15] The FSTB and HKMA have noted that while a FRS which derives value from arbitrage or algorithm will be caught by the regulatory regime, it is highly unlikely (as explained further below) that such FRS will be able to meet the HKMA’s licensing requirements.

That said, the FSTB and HKMA have left the door open to extend the regulatory regime to other forms of VAs (presumably including other types of stablecoins) by describing the proposed FRS issuance regime as a “first step” in the regulation of virtual assets. Notably, the FSTSB and HKMA have proposed that the legislative regime should empower the “authorities” to modify the parameters of in-scope stablecoins and activities, but have not specified if this power would be reserved to the HKMA specifically or to the HKMA in consultation with the FSTB (for example). In exercising any such power to modify the regime, the “authorities” would be required to consider a number of factors (such as the risks posed to the monetary and financial stability of Hong Kong), and the materiality of the case (such as the market share and the value in circulation) before exercising this power.

B. Licensing Requirements for FRS Issuers

Under the Legislative Proposal, an FRS issuer will have to be licensed with the HKMA before it can:

Issue, or hold itself out as issuing, an FRS in Hong Kong;

  • Issue, or hold itself out as, issuing a stablecoin that purports to maintain a stable value with reference to the value of the Hong Kong dollar; or
  • Actively market its issuance of FRS to the Hong Kong public.

In order to be licensed, the FRS issuer must demonstrate that it could meet the following licensing requirements, as summarised below:

Licensing Requirements

Description

Management of reserves and stabilisation mechanism

Full backing

  • The value of the reserve assets backing an FRS must be at least equal to the par value of the FRS (at a minimum) at all times.
  • Issuers of FRS which derive value from arbitrage or algorithms will not be granted a license, given the inherent difficulties of maintaining a stabilisation mechanism in the absence of any backing assets.

Investment limitations

  • The reserve assets must be of high quality and high liquidity with minimal market, credit and concentration risk.
  • Reserve assets must be held in the referenced currency, although flexibility may  be allowed on a case-by-case basis subject to the HKMA’s approval.
  • The composition of the reserved assets should be determined with reference to the FRS’s liquidity requirements, including how liquidity requirements will be met through the management and investment of reserve assets.
  • The HKMA will need to be satisfied of the appropriateness of the types of assets held by the FRS issuer, and expects that each issuer will have a regularly reviewed investment policy regarding assets that are suitable for holding as reserve assets.

Segregation and safekeeping of reserve assets

  • FRS issuers will be expected have effective trust arrangements to ensure that reserve assets are appropriately segregated and available to satisfy FRS holders’ redemption, as well as their legal right and priority claim in the event of insolvency.
  • Reserve assets must be stored in segregated accounts with licensed banks or with other asset custodians (subject to the HKMA’s approval of the proposed arrangements).
  • FRS issuers must maintain effective internal controls to protect the reserve assets from operational risks, including risks of theft, fraud and misappropriation.

Risk management and controls

  • FRS issuers must put in place adequate policies, guidelines and controls for the proper management of all investment activities associated with the management of the reserve assets. This includes having comprehensive liquidity risk management practices which address the approach to large scale redemptions – i.e. run scenarios or other scenarios of liquidity stress. FRS issuers must also conduct periodic stress tests to monitor the adequacy and the liquidity of the reserve assets.

Disclosure and reporting

  • FRS issuers must regularly publish the total amount of FRS in circulation, the mark-to-market value of reserve assets and the composition of reserve assets.
  • FRS issuers will also be expected to (in consultation with the HKMA) engage a qualified and independent auditor to perform regular attestations in relation to their FRS, including the (i) composition and market value of the reserve assets; (ii) the par value of FRS in circulation; (iii) whether the reserve assets are adequate to fully back the value of FRS in circulation and are sufficient liquid (as of the last business day of the period covered by the attestation); and (iv) whether the conditions on the reserves management as imposed by the HKMA have all been fulfilled.
  • The Legislative Proposal recommends that the total amount of FRS in circulation and the value of reserve assets be disclosed at least daily, the composition of reserve assets be disclosed at least weekly, and attestation by the independent auditor be performed at least monthly.

Prohibition on paying interest

  • FRS issuers must not pay interest to FRS users.
  • Any income or loss from the reserve assets, including but not limited to interest payments, dividends or capital gains or losses are attributable to the FRS issuer.

Effective stabilisation

  • The FRS issuer is ultimately responsible for ensuring the effective functioning of the stabilisation mechanism of its FRS, notwithstanding any engagement of third parties to carry out the stabilisation activity.

Redemption requirements

  • The HKMA expects for FRS users to have the right to redeem their FRS at par value with the FRS issuer to have a claim on the reserve assets (or the issuer if the issuer is not able to meet redemption obligations).
  • An FRS issuer is expected to process redemption requests without undue costs and on a timely basis. The issuer must not impose unreasonable conditions on redemption, such as a very high minimum threshold amount.
  • In the event that fees for redemption are charged, such fees must be clearly communicated to FRS users and must be proportionate, at a level that do not deter redemption.
  • The FRS issuer must meet the redemption request at par value by paying in the fiat currency underlying the relevant FRS.
  • Where channels for FRS users to exchange their FRS into fiat currency become unavailable (e.g. due to disruption to infrastructure), the FRS issuer must nevertheless still be able to ensure direct redemption for all FRS users at part in a reasonably timely manner.
  • The FRS issuer is expected to draw up and maintain a contingency plan to enable orderly redemption of FRS by FRS users in the event that the FRS issuer is unable to meet redemption requests (including in the case of suspension or revocation of the issuer’s licence).

Restrictions on business activities[16]

  • The HKMA’s approval must be sought before an FRS issuer can commence any new lines of business. To this end, the FRS issuer must conduct a risk assessment and demonstrate to the HKMA that adequate resources are allocated to the issuance and maintenance of the FRS, that the new business will not introduce significant risks, and that proper risk controls are in place to ensure that the new line of business will not impair its functions as an FRS issuer.
  • However, provided that the FRS issuer have adequate systems for the segregation and safekeep of FRS and handling of deposit and withdrawal requests for FRS, the FRS issuer will be allowed to conduct activities ancillary or incidental to its issuance of FRS, such as providing wallet services for the FRS it issues.
  • The FRS issuer is prohibited from carrying on lending and financial intermediation or other regulated activities (e.g. regulated activities under the SFO).

Physical presence in Hong Kong[17]

  • The FRS issuer must be a company incorporated in Hong Kong with a registered office in Hong Kong.
  • Its key personnel and senior management must be based in Hong Kong, and must be empowered with effective management and control of FRS issuance and related activities.

Financial resources requirements[18]

  • The FRS issuer is expected to maintain a minimum paid-up share capital to be HKD 25,000,000 or 2% of the par value of FRS in circulation, whichever is higher.

Disclosure requirements

  • The FRS issuer is expected to disclose general information about the issuer itself, the rights and obligations of its FRS users, the FRS stabilisation mechanism, reserves management arrangements, the underlying technology and the risks through a published white paper.
  • The FRS issuer must also disclose their redemption policies, including the timeframe for the redemption process, the applicable fees and the right of FRS users to redemption.

Governance, knowledge and experience

  • Controllers, chief executives and directors of an FRS issuer must be fit and proper. Their appointment and any changes to the ownership and management of the FRS issuer are subject to HKMA approval.
  • The FRS issuer is expected to have an adequate system of control for the appointment of the senior management team and suitable staff under a robust corporate governance structure.

Risk management requirements

  • An FRS issuer is expected to implement appropriate risk management processes and measures, such as adequate security and internal controls, effective fraud monitoring and detection measures; technological risk management measures; and contingency arrangements to address operational disruptions.
  • The FRS issuer must also perform risk assessments on a sufficiently frequent basis and at a minimum, on an annual basis, to ensure adequacy of its internal controls.

Audit requirements

  • The FRS issuer are required to submit audited financial statements to the HKMA annually.
  • Where required by the HKMA, the FRS issuer must submit reports prepared by external independent auditors and assessors to validate the management and operational soundness of the FRS issuance, such as whether the FRS issuer has adequate systems of control for the management of reserve assets, cybersecurity and the integrity of smart contracts.

Anti-money laundering and counter-financing of terrorism requirements

  • The FRS issuer must ensure that the design and implementation of its issuance business has adequate and appropriate systems of control for preventing or combating possible money laundering and terrorism financing, and for ensuring compliance with the Anti-Money Laundering and Counter-Terrorist Financing Ordinance (“AMLO”) and any other related rules or regulations issued by the HKMA. This includes ensuring that the FRS issuer has adequate customer due diligence measures in relation to FRS issuance, redemption, transaction monitoring and travel rule requirements.

Notwithstanding the above, the HKMA will have the power to impose, amend and cancel ongoing licensing conditions on an FRS issuer, where necessary. These additional conditions can include requirements on reserve assets and restrictions on the types of services that could be undertaken by the FRS issuer.

Licenses granted under the FRS issuer licensing regime will be open-ended, i.e. licences will remain valid until or unless revoked by the HKMA or the FRS issuer ceases to operate. However, the issue of any new FRS (i.e. other than that which the FRS issuer received a licence to issue) will require the consent of the HKMA before it can issue any new FRS under its license. Further, all licensed FRS issuers must display their licence number on any advertising materials and consumer facing materials or software applications.

C. Custody and offering of FRS

With regard to offering of FRS, the FSTB and HKMA have indicated that they consider that FRS issued by unlicensed entities are unsuitable for use by the public. As a result, their intention is that only licensed FRS issuers, authorized institutions, licensed corporations and licensed VATPs can offer FRS in Hong Kong or actively market such offerings in Hong Kong. Meanwhile, authorized institutions, licensed corporations and licensed VATPs can offer FRS issued by unlicensed entities to professional investors only.

With regard to custody, we understand that the FSTB, HKMA and the SFC are continuing to examine the appropriate regulatory approach for such activities. Further regulatory guidance on this topic (including guidance from the HKMA on the provision of VA custodial services by authorised institutions) is expected in the short to medium term.

D. Supervisory Powers of the HKMA

Mirroring similar provisions under the Banking Ordinance, the Legislative Proposal confers supervisory powers on the HKMA to act in the event that a licensee (i) has become or is likely to become insolvent or unable to meet its obligations; (ii) is carrying on its business in a manner detrimental to the interests of its users or its creditors; or (iii) has contravened any of its licensing conditions or provisions of the proposed regulatory regime. In these circumstances, the HKMA will have the power to:

  • Require a licensee to implement any action relating to the licensee’s affairs, business or property that the HKMA considers as necessary, including restricting the licensee’s business of FRS issuance;
  • Direct a licensee to seek advice on the management of its affairs, business and property from an advisor appointed by the HKMA; and
  • Require a licensee’s affairs, business and property to be managed by a HKMA-appointed manager.

The HKMA’s consent will also be required for changes in ownership or management of FRS issuers, including with regard to any proposed amalgamation, sale or disposal of all or part of the business of an FRS issuer, change of control (including change of majority or minority shareholder controller, or indirect controller) and the appointment of chief executives and directors.

Additionally, the HKMA will also have the power to gather information, including request information or documents from licensees, or to conduct on-site examinations at the licensee’s premises. Where the HKMA has reasonable cause to suspect non-compliance, the HKMA will have the power to conduct investigations into the licensee and persons relevant to the suspected contravention. The HKMA will also have the power to give directions to bring an FRS issuer into compliance with its statutory obligation to ensure the protection of the FRS issuer. Finally, the HKMA will also have the power to make regulations to operationalise the FRS regulatory regime and issue guidelines regarding the way in which it expects to perform its functions with regards to this new regime.

E. Disciplinary Framework

The Legislative Proposal contemplates the creation of both a criminal and a civil framework. It will be a criminal offence to:

  • Issue an FRS in Hong Kong without a licence;
  • Advertise the issuance of FRS by an unlicensed issuer;
  • Fail to produce documents or information as required by the HKMA;
  • Provide false information to the HKMA; and
  • Contravene other conditions imposed by the HKMA in connection with the FRS licensing regime.

Separately, the HKMA will also have the power to impose civil and supervisory sanctions, including:

  • Issuing a caution, warning, reprimand or order to take specified action(s);
  • Issuing a temporary suspension, suspension or revocation of an FRS issuer’s license;
  • A pecuniary penalty not exceeding HK$10,000,000 or 3 times the amount of profit gained or loss avoided as a result of the contravention, whichever is higher; and
  • Any combination of the above.

As a check and balance, an appeal tribunal mechanism will be set up to address appeals against the HKMA’s disciplinary decisions. A person dissatisfied with the decision of the appeal tribunal will be able to appeal to the Court of Appeal against the determination on a point of law.

F. Transitional Arrangements

The FRS Issuer Licensing Regime is proposed to commence one month upon gazettal of the proposed new ordinance. However, the FSTB and HKMA have proposed a transitional arrangement to ensure the smooth transition into the new regime. Under this transitional regime, pre-existing FRS issuers conducting FRS issuance with a meaningful and substantial presence in Hong Kong prior to the commencement of the regime can continue to operate under a non-contravention period of six months, subject to submitting a licence application to the HKMA within the first three months of the commencement of the regime. This comparatively short transitional period (if not extended in the final version of the legislative regime) means that stablecoin issuers will need to take steps to quickly prepare licence applications (and establish a meaningful and substantial presence in Hong Kong if they do not already have one) following the gazettal of the new ordinance. Those pre-existing FRS issuers which fail to submit a licence application to the HKMA within the first three months will need to wind down its business by the end of the fourth month of the commencement of the regime.

__________

[1] See “Hong Kong SFC Consults On Licensing Regime For Virtual Asset Trading Platform Operators”, published by Gibson, Dunn & Crutcher (March 2, 2023), available at https://www.gibsondunn.com/hong-kong-sfc-consults-on-licensing-regime-for-virtual-asset-trading-platform-operators/; and “New Hong Kong Regulatory Requirements and Licensing Regime for Virtual Asset Trading Platforms Finalised as Legislation Takes Effect”, published by Gibson, Dunn & Crutcher (June 7, 2023), available at https://www.gibsondunn.com/new-hong-kong-regulatory-requirements-and-licensing-regime-for-virtual-asset-trading-platforms-finalised-as-legislation-takes-effect/.

[2] “Hong Kong’s SFC Updates Guidance on Tokenised Securities-Related Activities”, published by Gibson, Dunn & Crutcher (November 10, 2023), available at https://www.gibsondunn.com/hong-kong-sfc-updates-guidance-on-tokenised-securities-related-activities/.

[3] “Circular on SFC-Authorised Funds With Exposure to Virtual Assets”, published by the Securities and Futures Commission (December 22, 2023), available at https://apps.sfc.hk/edistributionWeb/gateway/EN/circular/products/product-authorization/doc?refNo=23EC65.

[4] “Circular on Virtual Asset Futures Exchange Traded Funds”, published by the Securities and Futures Commission (October 31, 2023), available at https://apps.sfc.hk/edistributionWeb/gateway/EN/circular/doc?refNo=22EC60.

[5] These requirements are in addition to meeting the applicable requirements in the Overarching Principles Section and the Code on Unit Trusts and Mutual Funds in the SFC Handbook for Unit Trusts and Mutual Funds, Investment-Linked Assurance Schemes and Unlisted Structured Investment Products.

[6] “Joint Circular on Intermediaries’ Virtual Asset-Related Activities”, jointly published by the Securities and Futures Commission and the Hong Kong Monetary Authority (December 22, 2023), available at https://apps.sfc.hk/edistributionWeb/gateway/EN/circular/doc?refNo=23EC67.

[7] “Joint Circular on Intermediaries’ Virtual Asset-Related Activities”, jointly published by the Securities and Futures Commission and the Hong Kong Monetary Authority (October 20, 2023), available here.

[8] “VA-related products” are defined as products which (a) have a principal investment objective or strategy to invest in virtual assets; (b) derive their value principally from the value and characteristics of virtual assets; or (c) track or replicate the investment results or returns which closely match or correspond to virtual assets.

[9] See Appendix 1 of the Joint Circular for the non-exhaustive criteria for assessing whether a client can be regarded as having knowledge of virtual assets.

[10] The minimum information and warning statements requirements require intermediaries to provide clear and easily comprehensible information and warning statements to clients in relation to VA-related products and information on the underlying VA investments; and provide to clients risk disclosure statements (which can be a one-off disclosure) specific to VAs.

[11] See Appendix 3 of the Joint Circular.

[12] “Legislative Proposal to Implement the Regulatory Regime for Stablecoin Issuers in Hong Kong Consultation Paper”, jointly published by the Financial Services and the Treasury Bureau and the Hong Kong Monetary Authority (December 27, 2023), available at https://www.hkma.gov.hk/media/eng/doc/key-information/press-release/2023/20231227e4a1.pdf.

[13] “Another Step Towards the Regulation of Cryptocurrency in Hong Kong: HKMA Releases Discussion Paper on Stablecoins”, published by Gibson, Dunn & Crutcher (September 19, 2022), available at https://www.gibsondunn.com/another-step-towards-the-regulation-of-cryptocurrency-in-hong-kong-hkma-releases-discussion-paper-on-stablecoins/.

[14] “Hong Kong Monetary Authority Introduces Plans To Regulate Stablecoins”, published by Gibson, Dunn & Crutcher (February 7, 2023), available at https://www.gibsondunn.com/hong-kong-monetary-authority-introduces-plans-to-regulate-stablecoins/.

[15] For completeness, the Legislative Proposal defines “stablecoin” to mean “a cryptographically secured digital representation of value that, among other things – (a) is expressed as a unit of account or a store of economic value; (b) is used, or is intended to be used, as a medium of exchange accepted by the public, for the purpose of payment for goods or services; discharge of a debt; and/or investment; (c) can be transferred, stored or traded electronically; (d) uses a distributed ledger or similar technology that is not controlled solely by the issuer; and (e) purports to maintain a stable value with reference to a specified asset, or a pool or basket of assets.” To avoid overlap with the SVF regulatory regime, the FSTB and HKMA have expressly carved out “deposits, including its tokenized or digitally represented form; certain securities or future contracts (mainly authorized collective investment schemes and authorized structured products); float stored in SVFs or SVF banks; and certain digital representations of fiat currencies issued by or on behalf of central banks; and certain digital representation of value that has a limited purpose” from the definition of “stablecoins”.

[16] This licensing requirement will not apply to FRS issuers which are authorized institutions, considering that these authorized institutions are already subject to relevant requirements under banking regulation.

[17] This licensing requirement will not apply to FRS issuers which are authorized institutions, considering that these authorized institutions are already subject to relevant requirements under banking regulation.

[18] This licensing requirement will not apply to FRS issuers which are authorized institutions, considering that these authorized institutions are already subject to relevant requirements under banking regulation.


The following Gibson Dunn lawyers prepared this client alert: William Hallatt, Emily Rumble, and Jane Lu.

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments. If you wish to discuss any of the matters set out above, please contact any member of Gibson Dunn’s Global Financial Regulatory team, including the following members in Hong Kong and Singapore:

William R. Hallatt – Hong Kong (+852 2214 3836, [email protected])
Grace Chong – Singapore (+65 6507 3608, [email protected])
Emily Rumble – Hong Kong (+852 2214 3839, [email protected])
Arnold Pun – Hong Kong (+852 2214 3838, [email protected])
Becky Chung – Hong Kong (+852 2214 3837, [email protected])

© 2024 Gibson, Dunn & Crutcher LLP.  All rights reserved.  For contact and other information, please visit us at www.gibsondunn.com.

Attorney Advertising: These materials were prepared for general informational purposes only based on information available at the time of publication and are not intended as, do not constitute, and should not be relied upon as, legal advice or a legal opinion on any specific facts or circumstances. Gibson Dunn (and its affiliates, attorneys, and employees) shall not have any liability in connection with any use of these materials.  The sharing of these materials does not establish an attorney-client relationship with the recipient and should not be relied upon as an alternative for advice from qualified counsel.  Please note that facts and circumstances may vary, and prior results do not guarantee a similar outcome.

This update provides an overview of key class action-related developments during the fourth quarter of 2023 (October to December).  

Table of Contents

  • Part I reviews decisions from the Sixth and Tenth Circuits reaffirming the importance of courts conducting a “rigorous” analysis of each Rule 23 factor before certifying a class;
  • Part II provides an update on cases analyzing the need for plaintiffs to demonstrate a classwide method of proving injury to meet the predominance requirement of Rule 23(b)(3); and
  • Part III discuses a Ninth Circuit decision scrutinizing the adequacy of a lead plaintiff in a class settlement.

I.    Circuit Courts Continue to Emphasize the Importance of “Rigorously” Analyzing Each Rule 23 Class Certification Factor

In its landmark decision in Wal-Mart Stores, Inc. v. Dukes, 564 U.S. 338 (2011), the Supreme Court held (among other things) that before certifying a class, district courts must conduct a “rigorous analysis” of the Rule 23 factors.  Id. at 351.  This critical requirement remains alive and well, as we’ve covered in previous updates, including here and here.  And this past quarter, circuit courts have continued to emphasize that district courts cannot grant class certification with a rubber stamp.

In Brayman v. KeyPoint Government Solutions, Inc., 83 F.4th 823 (10th Cir. 2023), the Tenth Circuit vacated an order granting class certification because “[a] rigorous analysis requires more” than a one-paragraph discussion of predominance.  Id. at 838–39.  The district court had certified a class of employees who alleged their employer required them to work uncompensated overtime.  Although the Tenth Circuit declined to conduct the commonality or predominance analyses itself in the first instance, it provided suggestions about “some of the questions that the district court would need to consider when determining what issues in the class action were common issues, what issues were individual issues, and which predominate.”  Id. at 839–41.

As one example, the Tenth Circuit considered how the plaintiffs would prove that an employee worked uncompensated overtime.  The plaintiffs contended that each class member would testify about how many hours they worked per week, yet they failed to present any “expert testimony, statistical data, or representative evidence” showing how this was a common, rather than an individual, issue.  Id. at 839.  As another example, the Tenth Circuit noted that to succeed on their claims, the plaintiffs had to establish that their employer knew of this overtime work, but the plaintiffs’ “unelaborated” interrogatory answers and deposition testimony were not “sufficiently specific and representative to be ‘common’ evidence that would be admissible in each [putative class member]’s individual case” about the employer’s knowledge for that particular individual.  Id. at 840.

Similarly, in In re Ford Motor Co., 86 F.4th 723 (6th Cir. 2023), the Sixth Circuit concluded the district court did not conduct a rigorous analysis of commonality, cautioning that Rule 23 “requires a named plaintiff to offer ‘[s]ignificant’ evidentiary proof that he can meet all four of [its] criteria.”  Id. at 726 (emphasis added).  In re Ford involved allegations about alleged brake design defects in pickup trucks over a five-year period.  Id.  Although the district court certified Rule 23(c)(4) “issue” classes to resolve three primary issues related to the purported defects, it did so with “cursory treatment of commonality.”  Id.  In particular, the district court’s analysis did “not make clear that the three certified issues can each be answered ‘in one stroke.’”  Id. at 727 (quoting Dukes, 564 U.S. at 350).  For instance, one certified issue concerned whether the brakes in the pickup trucks were defective.  Although the plaintiffs alleged this was a common issue, the district court failed to “grapple” with the evidence that certain redesigns and manufacturing changes over the class period made a material difference to the alleged defect.  Id. at 728.  The Sixth Circuit reminded trial judges that they “must evaluate whether each of the four Rule 23(a) factors is actually satisfied, not merely that the factors are properly alleged.”  Id. at 729 (citations omitted) (emphases added).

II.    Circuit Courts Continue to Require Classwide Method of Proving Injury Before Certifying Rule 23(b) Classes

Two decisions from this quarter, Huber v. Simon’s Agency, Inc., 84 F.4th 132 (3d Cir. 2023), and Sampson v. United Services Automobile Ass’n, 83 F.4th 414 (5th Cir. 2023), reaffirmed the principle that plaintiffs must demonstrate a classwide method of proving injury to meet the predominance requirement of Rule 23(b)(3).

Huber concerned a putative class action against a medical debt collection agency that allegedly provided misleading and confusing notices to debtors.  See 84 F.4th at 141.  The named plaintiff claimed she incurred extensive financial costs as a result of the misleading information.  See id. at 143.  The district court certified a class of individuals who received the same information from the defendant.  Id. at 142.

On appeal, the Third Circuit held that under TransUnion LLC v. Ramirez, 594 U.S. 413 (2021), and circuit precedent, merely receiving a misleading notice, without allegations of financial loss, was insufficient to establish Article III standing.  Huber, 84 F.4th at 148–49.  While the Third Circuit ruled that the class action was justiciable because the named plaintiff herself had standing, it reasoned that unnamed class members would need to put forward specific information about their financial circumstances to meet the justiciability requirement.  Id. at 147–54.  The Third Circuit therefore vacated the certification order and remanded to the district court to assess “the implications of [the] individualized showings [the unnamed class members need to make] for the predominance requirement.”  Id. at 157.

In remanding, the Third Circuit offered guidance as to how the predominance inquiry should unfold:  if few class members are able to show that they suffered concrete financial injuries, then the class should not be considered sufficiently cohesive to warrant certification.  Id. at 157–58.  On the other hand, if many class members appear likely to have standing or “if there is a plausible straightforward method to sort them out at the back end of the case,” then the case may be able to proceed on behalf of the class.  Id.

In a similar case, Sampson v. United Services Automobile Ass’n, 83 F.4th 414 (5th Cir. 2023), the Fifth Circuit vacated a class certification order because the plaintiffs failed to identify a classwide way of establishing the defendant’s liability.  Sampson was a breach of contract action against an insurance company based on its use of a particular method of vehicle valuation.  See id. at 417.  The plaintiffs-insureds claimed that if the defendant had used a different valuation method, they would have gotten bigger payouts when they totaled their cars.  Id.

One of the questions on appeal was whether the plaintiffs could establish classwide injury—an essential element of the claims at issue—by relying on their preferred vehicle-valuation standard.  Id. at 421.  According to the plaintiffs, the choice of the appropriate vehicle-valuation standard was only a damages question, and district courts have wide discretion to choose among damages models at the class-certification stage.  Id.  The Fifth Circuit acknowledged that district courts generally do have such discretion, but the purported damages issue was actually entwined with the question of injury.  Id. at 421–22.  Because the selection of the appropriate vehicle-valuation standard was not just a choice between “imperfect damages models,” but rather went to the question of liability, the Fifth Circuit concluded that “a district court’s wide discretion to choose an imperfect estimative-damages model at the certification stage” had no application.  Id. at 422–23.

III.    The Ninth Circuit Vacates Approval of Class Settlement, Holding that Class Representative Who Was Subject to Arbitration Agreement Could Not Adequately Represent Class Members Who Were Not

As reported in several previous updates (including here and here), circuit courts have continued the trend of taking more active roles in scrutinizing class settlements.  This past quarter, the Ninth Circuit vacated the approval of a class settlement in a case against a dating app, holding that the lead plaintiff was not an adequate representative of the class due to her conflict of interest and failure to vigorously litigate on behalf of all 240,000 class members.  See Kim v. Allison, 87 F.4th 994 (9th Cir. 2023).

In Kim, the plaintiff alleged a dating app’s age-based pricing scheme violated California law.  Id. at 999.  The defendant successfully moved to compel arbitration as to the lead plaintiff because she had agreed to a version of the app’s terms of use that included an arbitration clause.  Id.  While the plaintiff was appealing the order compelling arbitration, she negotiated a class settlement.

In this second appeal from the settlement approval, objectors focused their arguments on the lead plaintiff’s lack of adequacy, arguing that “unlike the remainder of the class, [the plaintiff] was subject to a binding arbitration order” and the class definition did not account for that important difference.  87 F.4th at 999.  The Ninth Circuit agreed that the plaintiff was an inadequate representative and vacated the settlement.

With respect to the plaintiff’s conflict of interest, the Ninth Circuit emphasized that she was subject to an agreement to arbitrate, while potentially 7,000 other class members were not.  Id. at 1001.  The court reasoned that the plaintiff had a strong interest in settling her claims since she has “no chance of going to trial,” even “at the cost of a broad release of other claims that are not subject to arbitration.”  Id.  The conflict was “exacerbated” by other provisions in the version of the terms of use that she accepted, including a Texas choice-of-law provision and limitation on liability that did not bind other class members.  Id.  The court also faulted the plaintiff for making inadequate efforts to conduct discovery before reaching a settlement, and said her “approach to opposing [the defendant]’s motion to compel [arbitration was] not suggestive of vigor” because she “belatedly raised formation challenges” when opposing that motion and failed to make “obvious arguments until after they were forfeited.”  Id. at 1002–03.


The following Gibson Dunn lawyers contributed to this update: Swathi Sreerangarajan, Jenna Bernard, Maura Carey*, Wesley Sze, Lauren Blas, Bradley Hamburger, Kahn Scolnick, and Christopher Chorba.

Gibson Dunn attorneys are available to assist in addressing any questions you may have regarding these developments. Please contact the Gibson Dunn lawyer with whom you usually work in the firm’s Class Actions, Litigation, or Appellate and Constitutional Law practice groups, or any of the following lawyers:

Theodore J. Boutrous, Jr. – Los Angeles (+1 213.229.7000, [email protected])
Christopher Chorba – Co-Chair, Class Actions Practice Group – Los Angeles (+1 213.229.7396, [email protected])
Theane Evangelis – Co-Chair, Litigation Practice Group, Los Angeles (+1 213.229.7726, [email protected])
Lauren R. Goldman – New York (+1 212.351.2375, [email protected])
Kahn A. Scolnick – Co-Chair, Class Actions Practice Group – Los Angeles (+1 213.229.7656, [email protected])
Bradley J. Hamburger – Los Angeles (+1 213.229.7658, [email protected])
Michael Holecek – Los Angeles (+1 213.229.7018, [email protected])
Lauren M. Blas – Los Angeles (+1 213.229.7503, [email protected])

*Maura Carey is an associate practicing in the firm’s Palo Alto office who is not yet admitted to practice law.

© 2024 Gibson, Dunn & Crutcher LLP.  All rights reserved.  For contact and other information, please visit us at www.gibsondunn.com.

Attorney Advertising: These materials were prepared for general informational purposes only based on information available at the time of publication and are not intended as, do not constitute, and should not be relied upon as, legal advice or a legal opinion on any specific facts or circumstances. Gibson Dunn (and its affiliates, attorneys, and employees) shall not have any liability in connection with any use of these materials.  The sharing of these materials does not establish an attorney-client relationship with the recipient and should not be relied upon as an alternative for advice from qualified counsel.  Please note that facts and circumstances may vary, and prior results do not guarantee a similar outcome.

I. Introduction

In contrast to previous years, the 2023 privacy and cybersecurity landscape in the United States was not shaped by an overarching event like the COVID-19 pandemic or Russia’s invasion of Ukraine. 2023 was nonetheless another groundbreaking year for privacy and cybersecurity on the regulatory and enforcement fronts.

Congress’s failure to pass a comprehensive privacy bill left the White House and federal agencies—along with state legislators and agencies—to lead the charge in regulating privacy and cybersecurity in the United States. The White House doubled down on its push to implement a national strategy on cybersecurity, with important implications for federal, state, and private entities. Numerous federal agencies—including the FTC, SEC, CFPB, and HHS—promulgated privacy and data protection regulations and guidance on a range of issues, including cyber-incident disclosure, children’s online privacy, biometric and genetic data, artificial intelligence (“AI”), and algorithmic decision making. Many agencies also brought enforcement actions against companies and (increasingly) individuals for privacy, data security, and related violations.

States were similarly active in 2023, passing and enforcing a flurry of new comprehensive state privacy laws. State agencies like the New York Department of Financial Services took aggressive steps to tighten data protection regulations for entities under their umbrella. And, while this publication does not focus on AI (a topic which will be covered in detail by Gibson Dunn’s forthcoming Artificial Intelligence Legal Review), the rapid rise and proliferation of AI technology was a defining feature of the privacy and cybersecurity landscape in 2023. Litigation likewise remained active, with notable upticks in claims by private litigants and government entities related to data breaches, federal and state wiretapping laws, and state biometrics laws. We expect these trends to accelerate in 2024 and beyond, as the body of privacy and cybersecurity regulation matures and expands.

This Review contextualizes these and other 2023 developments by addressing: (1) the regulation of privacy and data security, other legislative developments, enforcement actions by federal and state authorities, and new regulatory guidance; (2) trends in civil litigation around data privacy and security in areas including data breach, digital, telecommunications, wiretapping, and biometric information privacy laws; and (3) trends related to data innovations and governmental data collection. Information on developments outside the United States—which are relevant to domestic and international companies alike—will be covered in detail by Gibson Dunn’s forthcoming International Cybersecurity and Data Privacy Outlook and Review.

Table of Contents

I. INTRODUCTION

II. REGULATION OF PRIVACY AND DATA SECURITY

A. Regulation of Privacy and Data Security

1. State Legislation and Related Regulations

a. Comprehensive State Privacy Laws

i. Applicability
ii. Exemptions
iii. Data Subject Rights
iv. Data Controller Obligations
v. Enforcement

b. Other State Privacy Laws

i. Washington’s My Health My Data Act
ii. Montana’s Genetic Information Privacy Act
iii. California’s Delete Act
iv. New York Department of Financial Services’ Amendments to Part 500 Cybersecurity Rules
v. New Child Social Media Laws

2. Federal Legislation

a. Comprehensive Federal Privacy Legislation
b. Other Introduced Legislation

B. Enforcement and Guidance

1. Federal Trade Commission

a. FTC Organization Updates
b. Algorithmic Bias and Artificial Intelligence
c. Commercial Surveillance and Data Security

i. FTC’s Approach to Data Security
ii. Rulemaking on Commercial Surveillance and Data Security

d. Notable FTC Enforcement Actions
e, Financial Privacy
f. Children’s and Teens’ Privacy
g. Biometric Information

2. Consumer Financial Protection Bureau

a. Personal Financial Data Rights Rulemaking
b. Increased Oversight of Non-bank Entities
c. Increased Scrutiny of Data Brokers
d. Artificial Intelligence and Algorithmic Bias

3. Securities and Exchange Commission

a. Regulation
b. Enforcement

4. Department of Health and Human Services and HIPAA

a. Rulemaking on HIPAA Compliance and Data Breaches
b. Telehealth and Data Security Guidance
c. Reproductive and Sexual Health Data
d. HHS Enforcement Actions

5. Other Federal Agencies

a. Department of Homeland Security
b. Department of Justice
c. Department of Commerce
d. Department of Energy
e. Department of Defense
f. Federal Communications Commission

6. State Agencies

a. California
b. Other State Agencies
c. Major Data Breach Settlements

III. CIVIL LITIGATION REGARDING PRIVACY AND DATA SECURITY

A. Data Breach Litigation

1. The Impact of TransUnion v. Ramirez on Standing in Data Breach Actions
2. Cybersecurity Related Securities Litigation

B. Wiretapping and Related Litigation Concerning Online “Tracking” Technologies
C. Anti-Hacking and Computer Intrusion Statutes

1. CFAA
2. CDAFA

D. Telephone Consumer Protection Act Litigation
E. State Law Litigation

1. California Consumer Privacy Act Litigation

a. Potential Anchoring Effect of CCPA Statutory Damages
b. Requirements for Adequately Stating a CCPA Claim
c. CCPA Violations Under the UCL
d. The CCPA’s 30-Day Notice Requirement
e. Guidance on Reasonable Security Measures in Connection with the CCPA

2. State Biometric Information Litigation

a. Illinois Biometric Information Privacy Act

i. Expansion of BIPA’s Scope
ii. New Recognized Limitations Under BIPA

b. Texas Biometric Privacy Law Litigation
c. New York Biometric Privacy Law Litigation

F. Other Noteworthy Litigation

IV. TRENDS RELATED TO DATA INNOVATIONS AND GOVERNMENTAL DATA COLLECTION

A. Data-Intensive Technologies—Privacy Implications and Trends
B. Emerging Privacy Enhancing Technologies (PETs)
C. Governmental Data Collection

V. CONCLUSION


II. Regulation of Privacy and Data Security

Since 2018, 14 states have enacted comprehensive data privacy legislation. Five of these are currently effective, and the remaining nine will go into effect between 2024 and 2026. A number of additional state legislatures considered comprehensive consumer privacy laws this past year but have yet to enact them. In addition, several states have passed narrower data privacy laws governing the use of specific categories of information, such as health and genetic information. These laws demonstrate the states’ efforts to ensure the protection of consumers’ data in the absence of a comprehensive federal data privacy law. We highlight several of these state privacy laws below and provide an overview of key similarities and differences.

 A. Regulation of Privacy and Data Security

 1. State Legislation and Related Regulations

 a. Comprehensive State Privacy Laws

California was the first state to adopt a comprehensive data privacy law with the enactment of the California Consumer Privacy Act (“CCPA”) in 2018. The California Privacy Rights Act (“CPRA”) amended the CCPA in 2020. Since then, 13 other states—Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Montana, New Jersey, Oregon, Tennessee, Texas, Utah, and Virginia—have followed California in enacting comprehensive privacy laws. As shown in the below list of comprehensive state privacy laws enacted to date, five went into effect in 2023, an additional four will go into effect in 2024, four in 2025, and one in 2026. Most of these generally align with the standard template created by the comprehensive state privacy laws in Virginia, Colorado, Connecticut, and Utah, with a few having unique features, which are highlighted below. Please see last year’s Review for a more detailed assessment of the comprehensive data privacy laws in California, Virginia, Colorado, Connecticut, and Utah, which have all now gone into effect.

Table 1: Comprehensive State Privacy Laws

Law Enacted Date Effective Date
California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA)[1] CCPA: June 28, 2018
CPRA: November 3, 2020
CCPA: January 1, 2020
CPRA: January 1, 2023
Virginia Consumer Data Protection Act (VCDPA)[2] March 2, 2021 January 1, 2023
Colorado Privacy Act (CPA)[3] July 7, 2021 July 1, 2023
Connecticut Data Privacy Act (CTDPA)[4] May 10, 2022 July 1, 2023
Utah Consumer Privacy Act (UCPA)[5] March 24, 2022 December 31, 2023
Florida Digital Bill of Rights (FDBR)[6] June 6, 2023 July 1, 2024
Texas Data Privacy and Security Act (TDPSA)[7] June 18, 2023 July 1, 2024
Oregon Consumer Privacy Act (OCPA)[8] July 18, 2023 July 1, 2024
Montana Consumer Data Privacy Act (MTCDPA)[9] May 19, 2023 October 1, 2024
Iowa Consumer Data Protection Act (ICDPA)[10] March 29, 2023 January 1, 2025
Delaware Personal Data Privacy Act (DPDPA)[11] September 11, 2023 January 1, 2025
New Jersey Data Privacy Act
(NJDPA)[12]
January 16, 2024 January 15, 2025
Tennessee Information Protection Act (TIPA)[13] May 11, 2023 July 1, 2025
Indiana Consumer Data Protection Act (INCDPA)[14] May 1, 2023 January 1, 2026

The tables below review core aspects of these laws, including applicability, exemptions, data subject rights, data controller obligations, and enforcement.

i. Applicability

Each comprehensive state privacy law applies to entities that conduct business in that state or provide products and services to residents of that state, and that meet certain applicability thresholds. As shown in Table 2 below, these thresholds typically relate to a company’s annual gross revenue and/or the number of individuals whose personal information the business processes or controls. California is unique in applying its comprehensive privacy law to companies that derive 50% or more of their revenue from selling California residents’ personal information, without pairing that requirement with a minimum number of consumers whose data is processed. Florida and Texas also have distinct requirements: Florida’s statutory thresholds are designed to limit the application of the law to large companies, and Texas’s law does not carry any fixed numerical thresholds with respect to gross revenue or number of consumers’ whose data is processed. Unless otherwise indicated, all thresholds listed below are disjunctive requirements.

Table 2: Applicability of Comprehensive State Privacy Laws

Law Annual Gross Revenue Annual Processing of Consumers’ Data Other Thresholds
CCPA/CPRA
(California)
$25 million or more. Buys, sells, or shares the personal information of 100,000 or more California residents, households, or devices. Derives 50% or more of their annual revenue from selling California residents’ personal information.
VCDPA
(Virginia)
N/A Controls or processes the personal data of at least 100,000 Virginia consumers. Controls or processes the personal data of at least 25,000 consumers and derives over 50% of gross revenue from the sale of personal data.
CPA
(Colorado)
N/A Processes the personal data of more than 100,000 Colorado individuals. Derives revenue or receives discounts on goods or services in exchange for the sale of personal data of 25,000 or more individuals.
CTDPA
(Connecticut)
N/A Controls or processes the personal data of at least 100,000 Connecticut consumers. Controls or processes the personal data of at least 25,000 consumers and derives over 25% of gross revenue from the sale of personal information.
UCPA
(Utah)
$25 million or more. Controls or processes the personal data of 100,000 or more Utah consumers. Controls or processes the personal data of 25,000 or more Utah consumers and derives 50% or more of gross annual revenue from sale of personal data.
FDBR
(Florida)
$1 billion or more. N/A (i) Derives 50% or more of its global annual revenues from targeted advertising or the sale of ads online; (ii) operates a consumer smart speaker and voice command service with an integrated virtual assistant through a cloud service and hands-free verbal activation; or (iii) operates an app store that offers at least 250,000 software applications for consumers to download.
TDPSA
(Texas)
N/A N/A (i) Conducts business in Texas or produces products/provides services consumed by residents of Texas; (ii) processes or engages in the sale of personal data; and (iii) does not qualify as a small business as defined by the United States Small Business Administration (with limited exceptions).
OCPA
(Oregon)
N/A Controls or processes the personal data of 100,000 or more Oregon consumers, other than for completing a payment transaction. Controls or processes the personal data of 25,000 or more Oregon consumers and derives 25% or more of gross revenue from sale of personal data.
MTCDPA
(Montana)
N/A Controls or processes the personal data of 50,000 or more Montana consumers, excluding for the purpose of completing payment transactions. Controls or processes the personal data of 25,000 or more Montana consumers and derives more than 25% of gross revenue from sale of personal data.
ICDPA
(Iowa)
N/A Controls or processes the personal data of 100,000 or more Iowa consumers. Controls or processes the personal data of 25,000 or more Iowa consumers and derives more than 50% of gross revenue from the sale of personal data.
DPDPA
(Delaware)
N/A Controls or processes the personal data of at least 35,000 Delaware residents, excluding for the purpose of completing payment transactions. Controls or processes the personal data of at least 10,000 Delaware residents and derives more than 20% of its gross revenue from the sale of personal data.
NJDPA
(New Jersey)
N/A Controls or processes the personal data of at least 100,000 New Jersey consumers. Controls or processes the data of at least 25,000 New Jersey consumers and derives revenue or receives a financial benefit from the sale of the data.
TIPA
(Tennessee)
$25 million or more. Controls or processes the personal data of 170,000 or more Tennessee consumers. Controls or processes the personal data of 25,000 or more Tennessee consumers and derives more than 50% of gross revenue from sale of personal information.
INCDPA
(Indiana)
N/A Controls or processes the personal data of 100,000 or more Indiana residents. Controls or processes the personal data of 25,000 or more Indiana consumers who are residents and derives more than 50% of gross revenue from the sale of personal data.

 ii. Exemptions

All comprehensive state privacy laws also have exemptions for certain entities and categories of data. For example, non-profit entities and entities subject to the GLBA are exempt under most comprehensive state privacy laws. HIPAA-regulated data (but not necessarily entities regulated by HIPAA generally), employee data, and business contact data are likewise typically exempt under all comprehensive state privacy laws, except for in California. California is the only state whose GLBA exemption applies only at the data level, but not the entity level. Other exemptions not included below might include entities or data regulated by other laws, such as the Fair Credit Reporting Act, Driver’s Privacy Protection Act, Children’s Online Privacy Protection Act, the Family Educational Rights and Privacy Act, the Farm Credit Act, and the Airline Deregulation Act. Table 3 below provides a non-exhaustive list of common exemptions.

Table 3: Exemptions in Comprehensive State Privacy Laws

Law Non-Profits (generally) Consumers Engaged in a Commercial or Employment Context (i.e., employees and business contacts) HIPAA Exemption (at the data level, entity level, or both) GLBA Exemption (at the data level, entity level, or both)
CCPA/CPRA
(California)
N N Data Data
VCDPA
(Virginia)
N Y Both Both
CPA
(Colorado)
Y Y Data Both
CTDPA
(Connecticut)
N Y Both Both
UCPA
(Utah)
N Y Both Both
FDBR
(Florida)
N Y Both Both
TDPSA
(Texas)
N Y Both Both
OCPA
(Oregon)
Y Y Data Data
MTCDPA
(Montana)
N Y Both Both
ICDPA
(Iowa)
N Y Both Both
DPDPA
(Delaware)
Y Y Data Both
NJDPA
(New Jersey)
N Y Data Both
TIPA
(Tennessee)
N Y Both Both
INCDPA
(Indiana)
N Y Both Both

iii. Data Subject Rights

All comprehensive state privacy laws that have been enacted or are in effect provide consumers with the right to access their data, data portability, opt-out of the sale of their data and use of certain data in connection with targeted advertising, and the right to not be discriminated against for exercising their rights. They also provide covered entities with the ability to verify or authenticate the identity of a consumer looking to exercise her rights. However, there are additional rights that are provided by some, but not all, comprehensive state privacy laws. These are outlined in Table 4 below.

Table 4: Data Subject Rights in Comprehensive State Privacy Laws

Law Correct Inaccurate Data Request a List of Third Parties with Whom Data Has Been Disclosed Opt-Out of the Use of Data for Certain Profiling Limit the Use and Disclosure of Sensitive Data Appeal the Denial of Data Subject Rights Requests Right to Appoint Authorized Agents to Submit Data Subject Rights Requests Have Opt-Out Signals Recognized Days to Respond to Requests
CCPA/CPRA
(California)
Y N Y Limit use N Y Y 15 business days for requests to opt-out and limit use; 45 calendar days for other requests
VCDPA
(Virginia)
Y N Y Opt-in Y N N 45 calendar days
CPA
(Colorado)
Y N Y Opt-in Y Y Y 45 calendar days
CTDPA
(Connecticut)
Y N Y Opt-in Y Y Y 45 calendar days
UCPA
(Utah)
N N N Opt-out N N N 45 calendar days
FDBR
(Florida)
Y N Y Opt-in Y N N 45 calendar days
TDPSA
(Texas)
Y N Y Opt-in Y Y Y 45 calendar days
OCPA
(Oregon)
Y Y Y Opt-in Y Y Y 45 calendar days
MTCDPA
(Montana)
Y N Y Opt-in Y N N 45 calendar days
ICDPA
(Iowa)
N N N Opt-out Y N N 90 calendar days
DPDPA
(Delaware)
Y N Y Opt-in Y Y Y 45 calendar days
NJDPA
(New Jersey)
Y N Y Opt-in[15] Y Y Y 45 calendar days
TIPA
(Tennessee)
Y N Y Opt-in Y N N 45 calendar days
INCDPA
(Indiana)
Y N Y Opt-in Y N N 45 calendar days

iv. Data Controller Obligations

All comprehensive state privacy laws impose certain obligations on data controllers (entities that determine the purposes and means of processing of personal data). These include: data minimization; purpose limitations; maintaining privacy policies; maintaining reasonable administrative, technical, and physical data security controls; and contractually obligating personal data processors or service providers to comply with the applicable law. Data minimization in particular may be a significant requirement, as it requires companies to only keep data as long as they have a business need and promptly delete it thereafter. Some of the privacy laws impose additional obligations, which are outlined in Table 5 below. Specifically, some laws require (a) data protection impact assessments, which are designed to identify and minimize data protection risks, (b) financial incentive notices, which disclose discounts or other incentives that are provided in exchange for providing personal information, and (c) specific contractual requirements that set forth how vendors that process data on a business’s behalf will act.

Table 5: Data Controller Obligations in Comprehensive State Privacy Laws

Law Data Protection Impact Assessment Financial Incentive Notice Third-Party/Contractor Contract Requirement
CCPA/CPRA
(California)
Y (not finalized) Y Y
VCDPA
(Virginia)
Y N N
CPA
(Colorado)
Y Y N
CTDPA
(Connecticut)
Y N N
UCPA
(Utah)
N N N
FDBR
(Florida)
Y N N
TDPSA
(Texas)
Y N N
OCPA
(Oregon)
Y N N
MTCDPA
(Montana)
Y N N
ICDPA
(Iowa)
N N N
DPDPA
(Delaware)
Y N N
NJDPA
(New Jersey)
Y N Y
TIPA
(Tennessee)
Y N N
INCDPA
(Indiana)
Y N N

v. Enforcement

Finally, there are differences between how each of these comprehensive state privacy laws are enforced and the penalties for noncompliance. As a general matter, comprehensive state privacy laws provide state attorneys general with sole enforcement authority. To date, the state laws have notably not provided for a private right of action. The only outlier is the CCPA/CPRA, which provides a limited private right of action for consumers affected by data breaches, under certain circumstances. Many states also provide for a right to cure, meaning that a plaintiff must provide a putative defendant with notice and an opportunity to cure the violation prior to bringing suit. The enforcement mechanisms provided for by each comprehensive state privacy law are outlined in Table 6 below.

Table 6: Enforcement of Comprehensive State Privacy Laws

Law Private Right of Action Enforcement Authority Right to Cure Financial Penalties
CCPA/CPRA
(California)
Y[16] California Attorney General and California Privacy Protection Agency N/A Up to $2,500 per violation or $7,500 per intentional violation or violation involving the personal information of minors.
VCDPA
(Virginia)
N Virginia Attorney General 30 days Up to $7,500 per violation.
CPA
(Colorado)
N Colorado Attorney General and local district attorneys 60 days (provision expires January 1, 2025) Up to $20,000 per violation, with a total maximum penalty of $500,000.
CTDPA
(Connecticut)
N Connecticut Attorney General 60 days (provision expires January 1, 2025) Up to $5,000 per violation.
UCPA
(Utah)
N Utah Attorney General and Utah Division of Consumer Protection 30 days Up to $7,500 per violation.
FDBR
(Florida)
N Florida Department of Legal Affairs 45 days (except for violations involving a known child) Up to $50,000 per violation, or triple that where the violation involves a FL consumer under 18 years old, failure to delete or correct applicable personal information, or the continuing to sell or share the personal information after a consumer opts out of such sale or sharing.
TDPSA
(Texas)
N Texas Attorney General 30 days Up to $7,500 per violation.
OCPA
(Oregon)
N Oregon Attorney General 30 days (provision expires January 1, 2026) Up to $7,500 per violation.
MTCDPA
(Montana)
N Montana Attorney General 60 days (provision expires April 1, 2026) Up to $7,500 per violation.
ICDPA
(Iowa)
N Iowa Attorney General 90 days Up to $7,500 per violation.
DPDPA
(Delaware)
N Delaware Department of Justice 60 days (provision expires January 1, 2026) Up to $10,000 per willful violation.
NJDPA
(New Jersey)
N New Jersey Attorney General 30 days (provision expires 18 months after enactment) Up to $10,000 for the first violation and $20,000 for subsequent violations.
TIPA
(Tennessee)
N Tennessee Attorney General 60 days Up to $7,500 per violation.
INCDPA
(Indiana)
N Indiana Attorney General 30 days Up to $7,500 per violation.

b. Other State Privacy Laws

In addition to the comprehensive state privacy laws discussed above, states have continued to legislate in narrower areas, particularly with relation to health or genetic information.

i. Washington’s My Health My Data Act

On April 27, 2023, Washington Governor Jay Inslee signed the “My Health My Data Act” (“MHMDA”) into law, modifying the legal landscape with respect to health-related data for certain Washington entities.[17] The MHMDA creates a privacy regime focused on personal health data.

Covered Entities. The MHMDA applies to “regulated entities” that process “consumer health data.” The law defines “regulated entity” as any “legal entity” that: (1) “[c]onducts business in Washington or produces or provides products or services that are targeted to consumers in Washington”; and (2) “determines the purpose and means of collecting, processing, sharing, or selling of consumer health data,” whether “alone or jointly with others.”[18] Practically, the law applies to any entity that does business in Washington and collects or processes consumer health data. Government agencies, tribal nations, and service providers that are contracted to process consumer health data on behalf of a government agency are exempt from this definition and not considered regulated entities.[19] “Small businesses” are not exempt from the MHMDA, but are given an extra three months to comply.[20]

Covered Data. The law defines “consumer health data” as “personal information that is linked or reasonably linkable to a consumer and that identifies the consumer’s past, present, or future physical or mental health status.”[21] Examples of this type of data include surgeries or other health-related procedures, reproductive or sexual health information, and genetic data.[22] The primary statutory carveout from the definition of “consumer health data” is information “used to engage in public or peer-reviewed scientific, historical, or statistical research.”[23] However, the research must be monitored by an independent oversight entity that implements safeguards to mitigate privacy risks, including the risk associated with the reidentification of consumer data.[24] The Washington Attorney General, who is charged with enforcing the MHMDA, has explained that purchases of “toiletry products (such as deodorant, mouthwash, and toilet paper)” do not qualify as “consumer health data,” even though they relate to “bodily functions,” whereas “an app that tracks someone’s digestion or perspiration is collecting consumer health data.”[25]

Key Requirements. The MHMDA prohibits regulated entities from collecting or sharing consumer health data without first satisfying certain notice and consent requirements, including: requiring regulated entities to maintain a “consumer health data privacy policy” linked to on their homepage that discloses:

  • the categories of consumer health data collected and the purpose for which the data is collected;
  • the categories of sources from which the consumer health data is collected;
  • the categories of consumer health data shared; and
  • a list of the categories of third parties and specific affiliates with whom the regulated entity shares the consumer health data.[26]

Regulated entities may only collect or share consumer health data if a consumer provides a prior “clear affirmative act” expressing consent, or if the collection is “necessary to provide a product or service that the consumer . . . has requested.”[27]

Consumer Rights. The MHMDA also provides consumers with a number of protections, including the right to: (1) confirm whether a regulated entity is collecting, sharing, or selling their consumer health data; (2) access that data; (3) withdraw consent for the collection and sharing of their consumer health data; and (4) delete their data.[28]

Enforcement. A violation of the MHMDA is considered a violation of the Washington Consumer Protection Act.[29] The Washington Attorney General may enforce the law.[30] Consumers may also pursue private actions for violations of the MHMDA.[31]

ii. Montana’s Genetic Information Privacy Act

On June 7, 2023, Montana Governor Greg Gianforte signed into law the “Montana Genetic Information Privacy Act” (“MTGIPA”). The MTGIPA applies to any entity that offers consumer genetic testing products or services directly to a consumer, or collects, uses, or analyzes genetic data.[32] “Genetic data” is defined as “any data, regardless of format, concerning a consumer’s genetic characteristics.”[33] The MTGIPA requires covered entities to provide a privacy policy and notice regarding their use of genetic data and to obtain a consumer’s “express consent” in order to collect, use, or disclose a consumer’s genetic data.[34] The MTGIPA also requires an entity to “develop, implement, and maintain a comprehensive security program to protect a consumer’s genetic data against unauthorized access, use, or disclosure.”[35] The Montana Attorney General has sole authority to enforce the MTGIPA.[36]

iii. California’s Delete Act

On October 10, 2023, California Governor Gavin Newson signed the “Delete Act” into law.[37] The law revises California’s data broker registration law and gives consumers the right to manage data held by data brokers free of charge by submitting a single deletion request to a centralized website.[38] After a deletion request is submitted, a data broker is required to delete data within 45 days, and continue deleting any personal information collected about that consumer at least every 45 days thereafter.[39] After a consumer has submitted a deletion request, data brokers are also prohibited from selling or sharing new personal information about the consumer in the future.[40] Consumers will have the option to “selectively exclude” data brokers when submitting a deletion request.[41] The law also requires data brokers to “undergo an audit by an independent third party to determine compliance” with the law.[42]

Under the law, a “data broker” is defined as “a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.”[43] But the law includes exemptions for entities covered by the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act, the Insurance Information and Privacy Protection Act, the Confidentiality of Medical Information Act, or HIPAA, and business associates of covered entities under the Confidentiality of Medical Information Act or HIPAA.[44]

iv. New York Department of Financial Services’ Amendments to Part 500 Cybersecurity Rules

On November 1, 2023, the New York State Department of Financial Services (“NYDFS”) issued its Second Amendment to 23 NYCRR Part 500 (“Part 500”), which establishes numerous cybersecurity requirements for regulated entities.[45] As discussed in more depth in our recent client alert, the amendments to Part 500 include: expanded responsibility for senior governing bodies, obligations to implement additional safeguards, new requirements for larger companies, new and increased obligations related to written policies and procedures, heightened requirements around audits and risk assessments, and additional reporting requirements for cybersecurity incidents. NYDFS is responsible for enforcing Part 500 and has brought several enforcement actions against various financial entities, including banks, money transfer service providers, and cryptocurrency service providers.[46]

v. New Child Social Media Laws

Several states passed laws restricting social media apps, but those laws have been challenged in the courts. For example, Utah’s Social Media Regulation Act[47] requires social media companies with at least 5,000,000 account holders worldwide to verify the age of adults seeking to maintain or open social media accounts; obtain parental consent for users under the age of 18 to open an account; imposes restrictions on children’s accounts; and prohibits collections of certain data and targeted advertising.[48] The law may be enforced by either the Division of Consumer Protection or through a private right of action.[49] Plaintiffs may obtain up to $2,500 in statutory damages per violation, in addition to attorney’s fees and costs.[50] The law has been challenged in two different suits that are ongoing.[51]

A similar law in Arkansas that would require parental permission for children to create certain social media accounts was blocked by a federal judge.[52] The judge concluded in granting the preliminary injunction that the law, as written, was unconstitutionally vague because it failed to adequately define “social media company,” and therefore which entities were subject to its requirements.[53] The judge also agreed that the law likely violates the First Amendment because the age verification process would chill speech by deterring adults from signing up for social media accounts and that the law is unnecessarily overbroad insofar as it attempts to protect minors from harmful or obscene content.[54] And a Montana federal judge blocked a law in that state that would prohibit mobile application stores from offering TikTok to Montana users.[55] The court, in granting the preliminary injunction, found that plaintiffs were likely to succeed on the merits of their arguments—namely, that an outright ban on a specific app likely violates the First Amendment, the Commerce Clause, and is preempted by federal national security law, among other reasons.[56]

2. Federal Legislation

a. Comprehensive Federal Privacy Legislation

Comprehensive federal privacy legislation remains a popular, yet unrealized, objective despite recent congressional efforts.

The American Data Privacy and Protection Act (“ADPPA”) introduced in 2022 was the most advanced attempt to-date at enacting a comprehensive federal privacy bill. However, the bill died when it failed to advance to the House or Senate floors before the last Congress adjourned in January 2023.[57] As proposed, the ADPPA bill required covered companies to engage in “data minimization” and adopt “privacy by design” principles.[58] The ADPPA also prohibited covered entities from designing and employing discriminatory algorithms, and required them to study the impacts of their algorithms.[59]

Government enforcement of the ADPPA would have been left largely to the FTC at the federal level, alongside state attorneys general and other key state officials.[60] But the ADPPA’s addition of a private right of action was a source for serious concern due to the burden and cost of class action lawsuits.[61] The bill also explicitly preempted most state privacy laws—a fact that some believe was largely responsible for the bill’s demise.[62]

Calls for comprehensive federal privacy legislation continued throughout 2023 despite the ADPPA’s failure. In the spring, Congress held hearings on the continuing need for such legislation.[63] President Biden echoed these calls in an executive order (which also enacted AI safety measures).[64] In his 2023 State of the Union address, the President likewise called for stronger online privacy protections for children.[65]

b. Other Introduced Legislation

Congress did not pass any privacy laws in 2023, although a significant number of consumer and individual privacy-related legislation was introduced.[66] This proposed privacy legislation covered a range of topics, including surveillance technologies, health privacy, privacy for children online, facial recognition, AI, and cybersecurity.

Many of the measures attracted significant bipartisan support, but lawmakers remained divided over the same two issues that sunk more comprehensive federal privacy legislation: (1) whether federal privacy laws should preempt state laws (a position attracting more Republican support) and (2) whether it should include a private right of action (which more Democrats favor). Nevertheless, in the absence of comprehensive federal privacy legislation, Congress may still be more likely to enact legislation on a narrower topic that draws more bipartisan support, such as children’s online safety, in the future.[67]

Lawmakers focused in particular on digital privacy and safety in 2023, especially for children on social media. They held widely publicized hearings on the topic, bringing in social media executives for questioning, with more hearings to come in 2024.[68] In July 2023, the U.S. Senate Commerce Committee advanced a pair of measures seeking to put more responsibility on social media platforms to ensure child safety online: the Kids Online Safety Act, which would require platforms to enact measures to prevent harms to minors and to restrict targeted advertising for children under 13;[69] and COPPA 2.0, which would upgrade and expand the original children’s online privacy law, including by adding protections for teens ages 13 to 16.[70]

Other privacy bills introduced in 2023 include: the Informing Consumers about Smart Devices Act (requiring manufacturers to disclose that a camera or microphone is part of a device before purchase),[71] the Stop Spying Bosses Act (requiring disclosure of or prohibiting surveillance, monitoring, and collection of worker data),[72] the UPHOLD Privacy Act (establishing protection for personally identifiable health and location data),[73] the DELETE Act (requiring the FTC to establish a system allowing individuals to request that data brokers delete their personal information),[74] the Data Care Act of 2023 (imposing duty of care, loyalty, and confidentiality on online service providers),[75] the Online Privacy Act of 2023 (establishing individual privacy rights and creating a private right of action and Digital Privacy Agency),[76] and others described in this Review.

Congress also considered cybersecurity-related legislation: the Federal Cybersecurity Vulnerability Reduction Act of 2023 (requiring certain government contractors to adopt vulnerability disclosure policies),[77] the Modernizing the Acquisition of Cybersecurity Experts Act of 2023 (generally barring agencies from setting minimum educational requirements for cybersecurity workers),[78] and the Federal Cybersecurity Workforce Expansion Act (providing training and apprenticeships for cybersecurity workers).[79]

B. Enforcement and Guidance

In 2023, government regulators remained active in enforcement and regulatory efforts related to data privacy, cybersecurity, and new technology. This section summarizes notable regulatory and enforcement efforts by the Federal Trade Commission (“FTC”), Consumer Financial Protection Bureau (“CFBP”), Securities and Exchange Commission (“SEC”), Department of Health and Human Services (“HHS”), and other federal and state agencies.

1. Federal Trade Commission

The FTC remained active in the regulation and enforcement of cybersecurity and data privacy in 2023—and continued to aggressively pursue new regulatory, enforcement, and litigation matters in other areas as well. Several actions, such as its rulemaking on junk fees, have had important impacts on online businesses. For example, the proposed junk fees rule was introduced in direct response to President Biden’s announced priorities for consumer protection’ and following his call for transparency in consumer pricing.[80] The FTC extended the comment period for the rule through February 7, 2024.[81] As currently drafted, the rule would ban “hidden fees”—or fees that are mandatory, even if provided by a different entity. It would also ban “misleading fees,” essentially requiring disclosure of the purpose and refundability of any fees charged.

The FTC also continued to prioritize algorithmic bias and AI, commercial surveillance, data security, and children’s privacy. Further, the FTC expanded its regulatory and enforcement scope related to biometric information. This section discusses the FTC’s notable actions on these topics in 2023.

a. FTC Organization Updates

In March 2023, Republican Commissioner Christine Wilson resigned abruptly from the FTC, publicly citing her disagreements with Chair Lina Khan’s vision and management of the FTC.[82] This created an additional vacancy on the five-member commission, following the departure of Commissioner Noah Phillips in October 2022.

In July 2023, President Joe Biden nominated two Republican replacements: Virginia Solicitor General Andrew Ferguson and Utah Solicitor General Melissa Holyoak.[83] Prior to his current appointment as Virginia Solicitor General, Ferguson served in numerous roles on the Hill, including as Chief Counsel to Senate Minority Leader Mitch McConnell, as Chief Counsel for Nominations and the Constitution to then-Judiciary Committee Chairman Lindsey Graham, and as Senior Special Counsel to then-Judiciary Committee Chairman Chuck Grassley. Holyoak previously served as President and General Counsel of a nonprofit public-interest law firm that advocates for free markets, free speech, and limited government. In their confirmation hearing, both Holyoak and Ferguson demonstrated interest in regulating big technology companies. Holyoak specifically called out the importance of protecting children online.[84]

Both nominations are currently held up in the Senate.[85] If confirmed, the new Commissioners will not change the Republican-Democrat balance of power at the FTC, which has been led by a Democratic majority since Commissioner Bedoya was confirmed in 2022.

b. Algorithmic Bias and Artificial Intelligence

The FTC continues to signal that AI and algorithms are an enforcement priority. In a mid-year public editorial, for instance, FTC Chair Lina Kahn warned of the risks AI poses, including producing discriminatory outcomes and potential privacy violations.[86]

As reflected in Chair Khan’s editorial, the FTC is particularly concerned about the effects algorithms may have on consumer privacy, including the use of consumer data to train large language models and inadvertent disclosure of personally identifiable information (“PII”) through chatbots. In a series of AI-focused blog posts published from February to August 2023, the FTC warned businesses that they should avoid using automated tools that result in biased or discriminatory impacts. One post further noted that businesses “can’t just blame a third-party developer of the technology” when reasonably foreseeable failures occur; instead, businesses should investigate and identify the foreseeable risks and impact of AI before using it in a consumer-facing setting.[87] In March 2023, the FTC also specifically called out AI technology that simulates human activity and can be used by third-party bad actors to, among other things, target communities of color with fraudulent schemes.”[88] It warned that businesses considering launching tools with such risks must employ deterrents that go beyond “bug corrections or optional features that third parties can undermine via modification or removal.”[89] Other use cases highlighted by the FTC as targets for enforcement include: technology that enables “deepfakes” and “voice cloning,”[90] customizing ads to specific people or groups in a manner that “trick[s] people into making harmful choices[,]”[91] and tools that purport to detect generative AI content.[92]

For a more detailed discussion of regulatory developments in AI, please see Gibson Dunn’s forthcoming Artificial Intelligence Legal Review.

c. Commercial Surveillance and Data Security

i. FTC’s Approach to Data Security

In a February 2023 blog post, the FTC’s Deputy Chief Technology Officer Alex Gaynor highlighted three best practices for effectively protecting user data drawn from recent FTC orders: (i) requiring multi-factor authentication (for consumers and employees); (ii) requiring a company’s systems connections to be encrypted and authenticated; and (iii) requiring data retention schedules to be published and followed.[93] Gaynor warns that these practices alone “are not the sum-total of everything the FTC expects from an effective security program.”[94] He nevertheless suggests a security program is highly likely to be effective if it incorporates these practices.[95]

ii. Rulemaking on Commercial Surveillance and Data Security

As described in Gibson Dunn’s prior alert, the FTC’s Advance Notice of Proposed Rulemaking on commercial surveillance and data security would overhaul the regulatory landscape for corporate internet use. FTC Consumer Protection Chief Samuel Levine noted in a speech in September 2023 that the FTC is currently reviewing over 11,000 comments received in response to the request for comment, which closed on November 21, 2022.[96] If adopted, the rule will have widespread impact, implicating every facet of the internet from advertising to algorithmic decision-making. The advanced notice for the proposed rule, for instance, seeks comment on issues as wide ranging as whether consumer consent is still an effective gatekeeper for corporate data practices, whether the FTC should forbid or limit the development, design, and use of certain automated decision-making systems, and whether the FTC should adopt workplace, teen, or industry-specific (e.g., health- or finance-related) rules around data collection and use. The FTC is expected to take final action on the proposed rule in 2024.[97]

d. Notable FTC Enforcement Actions

In 2023, the FTC maintained its aggressive stance on privacy enforcement, which has been a hallmark of Chair Khan’s tenure. In addition to enforcement actions that hold companies responsible for the activities discussed, there has also been a rise in actions brought against individuals. Below we discuss some of the FTC’s most notable enforcement actions in 2023.

Video Game and Software Developer. In March 2023, the FTC finalized an order in an action originally described in last year’s Review, which will require a large video game and software developer to pay $245 million to refund affected consumers and bans the company from charging consumers through the use of “dark patterns” or otherwise charging consumers without obtaining their affirmative consent.[98] The order also bars the company from blocking consumers’ access to their accounts if the consumer is disputing unauthorized charges.

Home Security Camera Company. The FTC brought an action under Section 5(a) of the FTC Act,[99] challenging a security camera company’s representations regarding security, and alleging that employees and contractors were able to access private videos.[100] A proposed settlement would require deletion of certain data and affected data products “such as data, models, and algorithms derived from videos it unlawfully reviewed,” establishment of a privacy and data security program, obtaining assessments by a third party, and cooperation with a third-party assessor.[101]

Tax Preparation Firms. The FTC issued Notices of Penalty Offenses to five tax preparation firms about the use of information collected for tax preparation services to solicit loan borrowers. A Notice of Penalty Offense is intended to put companies on notice of prior successful enforcement actions against other companies, but does not mean the FTC has found the recipients are violating the law.[102] However, the FTC’s Notice warned that the companies could face civil penalties of up to $50,120 per violation if they use or disclose consumer confidential data collected for tax preparation for other purportedly unrelated purposes, such as advertising, without express consumer consent.[103]

Voice Assistant. In May, DOJ brought an action on behalf of the FTC against a major technology company that includes, among its products, a voice assistant.[104] The FTC alleged that the company improperly prevented parents from deleting their children’s data and retained and risked exposure of sensitive data. The FTC’s settlement with the company, approved in July 2023, requires the company to overhaul its deletion practices, as well as implement stronger privacy safeguards to settle Children’s Online Privacy Protection Act Rule (“COPPA Rule”) claims and deception claims about its data deletion practices.[105]

Telehealth and Prescription Drug Provider. The FTC brought its first enforcement action under the Health Breach Notification Rule, which was originally adopted in 2009 and requires vendors of personal health records and related entities to notify consumers, the FTC, and, in some cases, the media, when such data is disclosed or acquired without consumers’ authorization.[106] The FTC alleged that the company failed to notify consumers, the FTC, and the media about its disclosure of individually identifiable health information to certain online services. This enforcement action followed a 2021 FTC policy statement that purported to require health apps and other online services to comply with the Health Breach Notification Rule.[107] The company agreed to pay a $1.5 million civil penalty and is barred from sharing user health data with third parties for advertising.[108] The FTC also proposed amendments to the Health Breach Notification Rule, with a public comment period that ended on August 8, 2023.[109]

Genetic Testing Firm. The FTC settled allegations against a genetic testing firm for allegedly leaving user data unprotected, misleading users about their ability to delete their data, and retroactively changing its privacy policy without proper notice to consumers. In addition to monetary penalties of $75,000, as part of the final order, the company is required to take remedial actions including instructing third-party contractors to destroy all DNA samples retained beyond a specified timeframe, notifying the FTC of any unauthorized disclosure of consumer personal health data, and implementing a comprehensive information security program.[110]

In-Store Surveillance and Facial Recognition. For the first time, the FTC alleged that the use of facial recognition technology may be an unfair practice or deceptive under Section 5 of the FTC Act.[111] The FTC alleged that a national pharmacy chain deployed AI-facial recognition technology to identify shoplifters and other problematic shoppers. The FTC’s complaint alleged that the company failed to take reasonable measures to prevent harm to consumers who were erroneously accused by employees of wrongdoing because the technology incorrectly flagged the consumers as matching the profile of a known shoplifter or troublemaker. The FTC banned the retailer’s use of facial recognition technology for five years. While the FTC also alleged the company violated the terms of a 2010 consent decree by failing to comply with its own information security program’s policies and contractual requirements for facial technology vendors, the FTC did not seek civil penalties, and imposed a no-money, no-fault order. The case helpfully articulates what the FTC deems as “best practices” for the use of facial recognition technologies, including the usage of cameras and smartphones by retailers to detect and stop shoplifting and to mitigate risks of misidentification.

e. Financial Privacy

The FTC approved further changes to its Standards for Safeguarding Customer Information Rule (“Safeguards Rule”) in 2023. The Safeguards Rule requires non-banking financial institutions, such as mortgage brokers, motor vehicle dealers, and payday lenders, to develop, implement, and maintain a comprehensive security program to keep their customers’ information safe. The rule was initially amended in October 2021 in response to “widespread data breaches and cyberattacks” by introducing more robust data security requirements for financial institutions to protect their customers’ data.[112] In 2023, the FTC further amended the rule to require financial institutions to report certain data breaches directly to the FTC.[113] Many provisions of the 2021 rule changes went into effect on January 10, 2022, but certain provisions of the Safeguards Rule did not take effect until June 9, 2023.[114] These sections require financial institutions to:

  • Designate a qualified individual to oversee their information security program;
  • Develop a written risk assessment;
  • Limit and monitor who can access sensitive customer information;
  • Encrypt all sensitive information;
  • Train security personnel;
  • Develop an incident response plan;
  • Periodically assess the security practices of service providers; and
  • Implement multifactor authentication or another method with equivalent protection for any individual accessing customer information.[115]

The FTC’s 2023 amendments include more specific criteria for what safeguards financial institutions must implement as part of their information security program, and requirements to explain their information-sharing practices and designate a single qualified individual to oversee their information security program and report periodically to an organization’s board of directors, or a senior officer in charge of information security.[116] These amendments will not take effect until mid-2024.

f. Children’s and Teens’ Privacy

On December 20, 2023, the FTC announced long-awaited proposed amendments to the Children’s Online Privacy Protection Rule (“COPPA Rule”).[117] If adopted, the proposed amendments would be the first changes to the COPPA Rule in a decade.[118] The amendments aim to modernize the COPPA framework and shift the burden for protecting children’s privacy and security from parents to service providers.[119] The proposed changes include:

  • Requiring separate opt-in for targeted advertising;
  • Prohibiting conditioning a child’s participation on collection of personal information;
  • Limiting the support for the internal operations exception, which allows operators to collect persistent identifiers without first obtaining verifiable parental consent as long as the operator does not collect any other personal information;
  • Imposing restrictions on educational technology companies, including prohibiting these companies’ use of students’ data for commercial purposes;
  • Increasing accountability for Safe Harbor programs, including by requiring each program to publicly disclose its membership list and report additional information to the Commission;
  • Strengthening data security requirements; and
  • Limiting data retention.[120]

The FTC also recently sought comments from the Entertainment Software Rating Board and others for a new mechanism for obtaining parental consent under the COPPA Rule: “Privacy-Protective Facial Age Estimation” technology, which analyzes the geometry of a user’s face to accurately confirm a user’s age.[121] The FTC’s request for comments focused on whether such age verification methods would satisfy the COPPA Rule’s requirements and whether it poses a privacy risk to children’s biometric and other personal information.[122]

In 2023, the FTC pursued enforcement action against major technology companies in relation to children’s and teen’s’ privacy. For example, the FTC alleged a technology company violated the COPPA Rule by collecting and illegally retaining personal information from children who signed up for a gaming service without parental consent.[123] The company agreed to pay $20 million and take steps to increase privacy protection for children users to settle the case.[124] The FTC has also proposed changes to its 2020 order with another technology company, alleging in part that the company has not fully complied with the order because it misled parents about their ability to control with whom their children communicated.[125] Among other things, the proposed changes would prohibit the company from monetizing data it collects from users under 18.[126]

g. Biometric Information

On May 18, 2022, the FTC signaled an increased focus on preventing the misuse of biometric information in a policy statement.[127] The policy statement is a first-of-its-kind comprehensive breakdown of the FTC’s view that the commercial use of biometric information poses certain privacy risks to consumers, and it builds on prior workshops and statements analyzing consumer protection issues related to specific technologies that can implicate biometric information.[128]

In the policy statement, the FTC broadly defines biometric information as data depicting or describing a person’s physical, biological, or behavioral traits, characteristics, or measurements, including facial features, iris or retina, fingerprints or handprints, voice, genetics, or characteristic movements or gestures.[129] The FTC warned that certain conduct relating to the use of biometric information and biometric information technologies constitutes an unfair or deceptive practice under Section 5 of the FTC Act, including:

  • Making false or unsubstantiated marketing claims regarding the validity, reliability, accuracy, performance, fairness, or efficacy of technologies relying on biometric information;
  • Making deceptive statements about the collection and use of biometric information;
  • Failing to protect consumers’ biometric information using reasonable data security practices;
  • Collecting biometric information that consumers meant to conceal or keep private (including by implementing “privacy-invasive default settings”);
  • Selling technologies that permit harmful or illegal conduct, such as covert tracking; and
  • Using or selling discriminatory technologies.[130]

To avoid liability under the FTC Act, the FTC recommends that businesses communicate the use and capabilities of biometric information technologies to consumers, ensure biometric information technologies operate fairly and accurately, and implement safeguards to prevent unauthorized access to biometric information. Relying on the policy statement for the first time, the FTC filed a complaint in December 2023 alleging that a drugstore chain surreptitiously used facial recognition technology to identify—sometimes falsely—shoplifters and other customers it deemed problematic, as described above.[131]

2. Consumer Financial Protection Bureau

Notwithstanding increasing congressional antagonism directed at the Consumer Financial Protection Bureau (“CFPB”), the CFPB did not decrease its attention on privacy issues in 2023. Last year, the CFPB issued a long-awaited proposed rule regarding consumer personal financial data rights and signaled an intent to increase its oversight of non-bank entities providing digital wallets and peer-to-peer apps, as well as data brokers that sell certain types of consumer data. The CFPB also parroted the FTC’s concerns with privacy risks associated with AI.

a. Personal Financial Data Rights Rulemaking

On October 19, 2023, the CFPB released a long-awaited Notice of Proposed Rulemaking on Personal Financial Data Rights.[132] If adopted, this rule would establish a regulatory framework where consumers have the power “to break up with banks that provide bad service and would forbid companies that receive data from misusing or wrongfully monetizing the sensitive personal financial data.”[133] The proposed rule would also require covered financial entities to share a consumer’s financial data with authorized third parties upon the consumer’s request.[134] The proposed rule is the first proposal to implement Section 1033 of the Dodd-Frank Wall Street Reform and Consumer Protection Act (“Dodd-Frank Act”), which authorizes the CFPB to prescribe rules under which consumers may access information about themselves from their financial service providers.[135]

Although Section 1033 applies to all consumer financial products or services covered under the Dodd-Frank Act,[136] the proposed rule would limit the scope of covered entities, or “data providers,” to Regulation Z card issuers, Regulation E financial institutions, and other payment facilitation providers, while generally exempting data providers that do not have a consumer interface.[137] Under the proposed rule, data providers must provide consumers and authorized third parties with “covered data,” such as transaction information, account balance, and upcoming bill information, “in an electronic form usable by consumers and authorized third parties,” as provided by Section 1033 of the Dodd-Frank Act.[138]

In addition to requiring third parties to obtain “express informed consent” from the consumer to become authorized to access covered data, the proposed rule would also prohibit such authorized third parties from collecting, using, or retaining the consumer’s relevant data beyond what is “reasonably necessary” to provide the requested product or service to a consumer.[139] The proposal does not define what is “reasonably necessary,” but instead enumerates activities that do not qualify: (i) targeted advertising; (ii) cross-selling of other products or services; or (iii) the sale of covered data.[140] The proposed rule also imposes data accuracy and data security obligations, among other obligations, on authorized third parties.[141]

The comment period for the proposed rule closed on December 29, 2023; CFPB Director Rohit Chopra said that the agency intends to finalize the rule by fall 2024.[142]

b. Increased Oversight of Non-bank Entities

On November 7, 2023, the CFPB issued a proposed rule that, if adopted, would establish supervisory power over big technology firms and other nonbank entities that offer services allowing consumers to digitally transfer money.[143] The proposed rule would apply to “larger participant” nonbank entities that handle more than five million payment transactions per year through digital wallets, peer-to-peer apps, payment apps, and other “covered payment functionalities.”[144] This oversight authority would allow the CFPB to conduct examinations to ensure that these nonbank entities are adhering to applicable laws governing funds transfer, privacy, and consumer protection.[145] The comment period for this proposed rule closed on January 8, 2024.[146]

c. Increased Scrutiny of Data Brokers

In March 2023, the CFPB launched an inquiry into data brokers to inform whether existing Fair Credit Reporting Act (“FCRA”) rules reflect the market realities of “[m]odern data surveillance practices [that] have allowed companies to hover over our digital lives and monetize our most sensitive data.”[147] The agency’s request for information defined “data brokers” broadly as “an umbrella term to describe firms that collect, aggregate, sell, resell, license, or otherwise share consumers’ personal information with other parties.”[148] That definition could sweep in companies, like credit unions and banks, that are not typically considered data brokers.

On August 15, 2023, Director Chopra also announced that the CFPB will be developing new rules that define a data broker that sells certain types of consumer data as a “consumer reporting agency” (“CRA”) under FCRA.[149] Defining data brokers as CRAs would impose new obligations on data brokers to comply with FCRA’s demanding standards for data accuracy and privacy, including consumer access and consent rights.[150] Director Chopra also announced a second proposal under consideration that will clarify the extent to which credit header data, such as name, date of birth, and social security number, constitute a consumer report, and thereby limit the ability of CRAs to impermissibly disclose identifying contact information.[151] The CFPB intends to propose these changes for public comment in 2024.[152]

d. Artificial Intelligence and Algorithmic Bias

In an April 25, 2023 joint statement with the DOJ, FTC, and Equal Employment Opportunity Commission, the CFPB reaffirmed its commitment to enforce consumer financial protection laws to prevent harmful uses of AI and algorithmic bias.[153] Since then, the CFPB has highlighted risks associated with AI in multiple contexts:

Chatbots. In June 2023, the CFPB released an issue spotlight on the risks associated with the use of chatbots by financial institutions, including consumer financial protection compliance risks and failures to protect consumer privacy and data, diminished trust and customer service, and harm to consumers resulting from inaccurate information.[154]

Home Appraisals. In June 2023, the CFPB also proposed a rule that would govern automated home valuations.[155] The rule would require institutions that employ automated valuation models to take certain steps to minimize inaccuracy and bias by adopting policies, practices, procedures, and control systems to ensure that models adhere to quality control standards designed to ensure a high level of confidence in the estimates produced.[156] Under the proposal, institutions would also be required to protect against the manipulation of data, seek to avoid conflicts of interest, require random sample testing and reviews, and comply with applicable nondiscrimination laws.[157] The public comment period ended on August 21, 2023.[158]

Credit Decisions. In September 2023, the CFPB issued a Consumer Protection Circular titled “Adverse Action Notification Requirements and the Proper Use of the CFPB’s Sample Forms Provided in Regulation B,” concerning lenders’ obligations when using AI to make consumer credit decisions.[159] The guidance emphasizes that creditors must provide accurate and specific reasons for adverse decisions made by complex algorithms, and this requirement is not automatically satisfied by use of a sample adverse action checklist.[160]

3. Securities and Exchange Commission

In 2023, the SEC continued to focus on transparency around cybersecurity risk management and incident disclosure, as made evident by the Commission’s rulemaking and enforcement activity. Most notably, the SEC finalized rules requiring public companies to report material cybersecurity incidents within four business days of determining materiality, as well as periodic disclosures relating to cybersecurity risk management, strategy, and governance. The SEC was also active on the enforcement front, pursuing actions against companies and individuals in connection with cyber incidents. In 2024, we expect to see heightened enforcement activity as the newly adopted cyber rules take effect and as the SEC takes final action on proposed rulemaking for registered entities, particularly those implicating personal information or sensitive data.

a. Regulation

March 2023 – SEC Proposes Rules to Amend Regulation S-P

On March 15, 2023, the SEC proposed rules that would amend Regulation S-P to update and close certain gaps in the requirements pertaining to the protection of customer information.[161] Most importantly, if adopted, the amendments would require broker-dealers, investment companies, registered investment advisers, and transfer agents (“Covered Institutions”) to adopt written policies and procedures for responding to unauthorized access to or use of customer information.[162] The amendments would also require Covered Institutions to notify individuals of unauthorized use of or access to their sensitive information “as soon as practicable,” but not later than 30 days, after discovery of a data breach.[163]

As explained in the adopting release, the rules would also amend other aspects of Regulation S-P, including:

  • Extending the protections of the safeguards and disposal rules to both nonpublic personal information that a Covered Institution collects about its own customers and to nonpublic personal information that a covered institution receives about customers of other financial institutions;
  • Extending the safeguards rule, as amended, to registered transfer agents, and expanding the disposal rule to include transfer agents registered with another appropriate regulatory agency; and
  • Conforming Regulation S-P’s existing provisions relating to the delivery of an annual privacy notice for consistency with a statutory exception created by Congress in 2015.[164]

The public comment period closed on June 5, 2023, but the SEC has not indicated whether and when it will take final action on the proposed amendments.

July 2023 – SEC Adopts New Cybersecurity Disclosure Rules for Public Companies

On July 26, 2023, as reported in Gibson Dunn’s client alert, the SEC adopted a final rule to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incidents by public companies that are subject to the reporting requirements of the SEC Act of 1934 (the “Exchange Act”).[165] The final rule requires: (i) Form 8-K disclosure of material cybersecurity incidents within four business days of the company’s determination that the cybersecurity incident is material; and (ii) annual disclosures in Form 10-K regarding the company’s cybersecurity risk management, strategy, and governance.[166] For foreign private issuers, the final rule amends Form 20-F to include requirements parallel to Item 106 regarding risk management, strategy, and governance.[167] In addition, the final rule adds “material cybersecurity incidents” to the items that may trigger a current report on Form 6-K.[168] Under the new rule, foreign private issuers will be required to furnish on Form 6-K information about material cybersecurity incidents that the issuers disclose or otherwise publicize in a foreign jurisdiction, to any stock exchange or to security holders.[169]

Compliance Dates

The Form 8-K disclosure requirement went into effect on December 18, 2023 for most registrants (smaller companies will have until June 5, 2024 to comply); all registrants will have to comply with the annual disclosure requirements beginning with their Form 10-K or 20-F filing for the fiscal year ending on or after December 15, 2023.[170]

Reporting Material Cybersecurity Incidents

Under the final rules, when a company experiences a material cybersecurity incident, it must disclose on Form 8-K, the material aspects of the nature, scope, and timing of the incident, and the material impact or “reasonably likely” material impact on the company, including on its financial condition and results of operations.[171] Importantly, this disclosure must be made within four business days of the company determining that it has experienced a material cyber incident, a determination which must be made “without unreasonable delay after discovery of the incident.”[172] In circumstances where a company has determined that a cybersecurity incident is material but does not have all of the information that is required to be disclosed when the Form 8-K filing is due, the company must later update the disclosure through a Form 8-K amendment.[173]

The final rule permits companies to delay reporting material cyber incidents up to an initial period of 30 days, if the U.S. Attorney General notifies the SEC in writing that immediate disclosure would pose a substantial risk to national security or public safety.[174] However, as confirmed by guidelines released by the Department of Justice,[175] the Attorney General will only permit delayed disclosures in very limited circumstances, so public companies should be prepared to disclose virtually all material cyber incidents within four days after determining materiality.[176] The DOJ guidelines also make clear that even where the Attorney General grants a delay, the delay may not delay filing the Form 8-K in its entirety, but may only pertain to some of the information that is required to be disclosed.[177]

Annual Reporting Requirements

The final rule also requires that public companies include on their Form 10-K filings certain disclosures regarding the company’s cybersecurity risk management, strategy and governance.[178] The final rule also includes parallel requirements for a foreign private issuer’s risk management, strategy, and governance disclosures on Form 20-F.[179]

Risk management strategy and governance disclosure. Companies are required to describe their processes for assessing, identifying, and managing material risks from cybersecurity threats in sufficient detail for a reasonable investor to understand those processes, including information regarding:

  • Whether and how any such processes have been integrated into the company’s overall risk management system or processes;
  • Whether the company engages assessors, consultants, auditors, or other third parties in connection with any such processes; and
  • Whether the company has processes to oversee and identify such risks from cybersecurity threats associated with its use of any third-party service provider.[180]

Public companies are also required to describe whether and how any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the company, including its business strategy, results of operations, or financial condition.[181] Notably, the final rule requires disclosure of “processes” (as opposed to “policies and procedures”) in order to avoid requiring disclosure of operational details that could be exploited by threat actors and make clear that companies without written policies and procedures need not disclose that fact.

Governance Disclosures. The final rule also requires public companies to describe on Form 10-K how the board of directors oversees the company’s cybersecurity risks. This includes identifying, if applicable, any board committee or subcommittee responsible for the oversight of cybersecurity risks and describing the processes by which the board or such committee is informed about such risks.[182] Additionally, companies must describe management’s role in assessing and managing the company’s material cybersecurity risks from cybersecurity.[183]

September 2023 – SEC Approves Revised Privacy Act Rule

On September 20, 2023, the SEC approved a final rule, adopting amendments to the SEC’s regulations under the Privacy Act of 1974, which governs the federal government’s handling of personal information.[184] The final rule updates and streamlines the SEC’s Privacy Act regulations, including the process for submitting and receiving responses to Privacy Act requests and administrative appeals and provides electronic methods to verify an individual’s identity.[185] Given the extensive nature of the amendments, the final rule replaces entirely the current version of the Privacy Act regulations which was last updated in 2011. The final rule went into effect on October 26, 2023.

Cyber Rules for Registered Investment Advisers, Registered Investment Companies, and Business Development Companies Expected in April 2024.

In February 2022, the SEC proposed cybersecurity rules for registered investment advisers, registered investment companies, and business development companies (the “RIA Rules”).[186] If adopted, the RIA Rules would require covered companies to, among other things, (i) adopt written cybersecurity policies and procedures to address cybersecurity risk, and (ii) report significant cybersecurity incidents, which are those that “significantly affect the critical operations” of a covered company or lead to “unauthorized access or use of information that results in substantial harm” to a covered company, or its clients, funds, or investors.[187] As noted on the SEC’s June 13, 2023 rulemaking agenda, the RIA Rules have entered the final rule stage[188] and are expected to be finalized in April 2024.[189]

Looking ahead, the SEC Division of Examinations announced its priorities for 2024, which stated that it plans to continue focusing on “registrant’s policies and procedures, internal controls, oversight of third-party vendors (where applicable), governance practices, and responses to cyber-related incidents.”[190] SEC Chair Gary Gensler emphasized that the “Division’s efforts, as laid out in the 2024 priorities, enhance trust in our ever-evolving markets.”[191] Information security and cybersecurity will remain a key area of regulation and enforcement for the SEC in 2024.

b. Enforcement

In addition to new rules, in 2023 the SEC continued to pursue enforcement actions at a historically high level against public companies, investment firms, law firms, and individuals.[192] The SEC obtained orders totaling nearly $5 billion in financial remedies in fiscal year 2023, the second-highest amount in SEC history following a record-setting nearly $6.5 billion in fiscal year 2022.[193] Notably, the SEC continued to focus on individuals, with about two-thirds of the SEC’s cases in fiscal year 2023 involving individuals.[194] The SEC also obtained orders that barred 133 individuals from serving as officers or directors for public companies, the highest such number in a decade.[195]

We expect these trends to continue in 2024, particularly as they relate to cybersecurity when the SEC’s newly adopted cyber rules take effect and additional cyber rules are finalized. Below is a summary of some of the most notable cyber-related enforcement actions brought by the SEC in 2023.

Broker-Dealer Username/Password Handling Litigation. In September, 2023, the SEC alleged that a broker-dealer and its parent company allegedly made materially false and misleading statements and omissions regarding information barriers intended to prevent the misuse of sensitive customer information.[196] The SEC alleged that the broker-dealer operated two businesses that were purportedly walled off from each other by data safeguards: a trade order execution service for institutional customers that typically operated on commission, and a proprietary trading business. However, during a 15-month period from 2018 to 2019, the broker-dealer allegedly failed to adequately safeguard a database of post-trade information regarding customer orders that included customer identifying information and further material nonpublic information.[197] The broker-dealer allegedly rendered the database accessible to virtually anyone at its affiliates by leaving the data accessible via “two sets of widely known and frequently shared generic usernames and passwords.”[198] The SEC asserts that this alleged failure to safeguard the information posed significant risk that proprietary traders could abuse it or distribute it outside the entity.[199] The litigation remains pending.

Settlement for Allegedly Misleading Statements Related to 2020 Ransomware Attack. In March 2023, the SEC imposed a $3 million civil penalty to settle allegations it brought against a public company for making allegedly misleading disclosures concerning a 2020 ransomware attack that had impacted over 13,000 customers.[200]

The SEC alleged that, on July 16, 2020, the company announced a ransomware attacker had not gained access to customer bank account information or Social Security Numbers.[201] Within days of the announcement, however, technology and customer relations personnel allegedly learned that the attacker had accessed and exfiltrated that sensitive information.[202] The employees nonetheless allegedly failed to communicate this information to senior management accountable for its public disclosure because, in the SEC’s view, the company failed to maintain adequate disclosure controls and procedures.[203] As a result, the company’s 10-Q report filed in August 2020 did not include this information about the cyberattack, which the SEC views as an omission of material information. In addition, the SEC alleged that the company’s description of the risk of disclosure of sensitive customer information as a hypothetical risk was misleading.[204]

SEC Alleges Fraud Against Public Company and its CISO. In October 2023, the SEC alleged that a network monitoring software company and its Chief Information Security Officer (“CISO”) engaged in fraud and internal controls violations.[205] The SEC alleges that the company and its CISO overstated its cybersecurity practices and understated or failed to disclose known cybersecurity risks.[206] The SEC’s complaint alleges that the company’s public statements conflicted with its internal assessments.[207] The complaint also alleges that the CISO was aware of the company’s cybersecurity risks, but failed to resolve the issues or sufficiently elevate them.[208] The SEC alleged that the cybersecurity shortfalls rendered the company unable to provide reasonable assurances that its most valuable assets were sufficiently protected.[209] The lapses in cybersecurity practices allegedly resulted in a two-year cyberattack campaign against the software company and some of its customers, including federal and state government agencies.[210] The cyberattack was first disclosed publicly in December 2020, though the SEC alleged that disclosure was incomplete.[211] According to the SEC, the company and CISO allegedly “paint[ed] a false picture of the company’s cyber controls environment.”[212] The SEC alleged that the company and CISO violated antifraud provisions of the securities laws, that the company violated reporting and internal controls provisions, and that the CISO aided and abetted the company’s violations.[213] The SEC seeks permanent injunctive relief, disgorgement with prejudgment interest, civil penalties, and an officer-and-director bar against the CISO.[214]

Going forward, we expect to see a significant uptick in enforcement activity, particularly around cybersecurity disclosures, given the adoption of the SEC’s cyber disclosure rules which went into effect in December 2023 and other proposed cyber rules pending finalization, as discussed above.

4. Department of Health and Human Services and HIPAA

On February 27, 2023, the Department of Health and Human Services (“HHS”) announced three new divisions within the Office of Civil Rights (“OCR”): an Enforcement Division, a Policy Division, and a Strategic Planning Division.[215] OCR enforces HIPAA and the Health Information Technology for Economic and Clinical Health Act of 2009, among additional privacy-related and other statutes.[216] OCR explained that its caseload has increased 69 percent from 2017 and 2022.[217] OCR thus created the new divisions to “improve[] OCR’s ability to effectively respond to complaints, put[ting] OCR in line with its peers’ structure and mov[ing] OCR into the future.”[218] The addition of three new divisions in OCR signals and underscores the heightened importance of data privacy and security within HHS.

a. Rulemaking on HIPAA Compliance and Data Breaches

On December 13, 2023, HHS finalized a rule implementing the 21st Century Cures Act that enhances the Office of the National Coordinator for Health Information Technology Certification Program, aimed at advancing interoperability, transparency, and the access, exchange, and use of electronic health information.[219] The final rule is designed to increase algorithm transparency and information sharing for healthcare providers.[220] The provisions of the rule are based on the principles of “fairness, appropriateness, validity, effectiveness and safety,” and include certification criteria for “decision support interventions,” “patient demographics and observations,” “electronic case reporting,” and the “exchange and use” of electronic health information.[221] The final rule goes into effect on February 8, 2024.[222]

b. Telehealth and Data Security Guidance

HHS released a fact sheet in early 2023 identifying what will change as a result of the expiration of the federal Public Health Emergency for COVID-19 on May 11, 2023.[223] HHS stated that the “vast majority” of current Medicare telehealth flexibilities (such as waivers of geographic and originating site restrictions and the allowance of audio-only telehealth services) will remain in place through December 2024.[224] The agency also made some Medicare changes permanent so that they will stay in place now that the public health emergency has ended. These include allowing Federally Qualified Health Centers and Rural Health Centers to “serve as a distant site provider for behavioral/mental telehealth services,” allowing Medicare patients to “receive telehealth services for behavioral/mental health care in their home,” and allowing “behavioral/mental telehealth services” to “be delivered using audio-only communication platforms.”[225]

On July 20, 2023, the FTC and HHS issued a joint letter to 130 hospital systems and telehealth providers, warning them to “exercise extreme caution” with respect to certain online technologies that are incorporated in their websites and apps given the potential privacy risks these technologies may pose to patient data.[226] The letter also reminded healthcare providers about their obligations under HIPAA and the FTC’s Health Breach Notification Rule.[227] Relatedly, on September 15, 2023, the FTC and HHS issued an updated publication addressing businesses’ potential questions related to collecting, using, and sharing consumer health information, and provided links to more detailed guidance.[228]

c. Reproductive and Sexual Health Data

On June 24, 2023, HHS Secretary Xavier Becerra released a statement[229] on the one-year anniversary of Dobbs v. Jackson Women’s Health Org., which reversed Roe v. Wade and ended federal protection for abortion access.[230] The statement highlights HHS’s efforts to protect and expand access to reproductive care, and outlines three “priority areas”:

  1. “Reaffirming the Department’s commitment to protecting the right to abortion care in emergency settings under the Emergency Medical Treatment and Labor Act (EMTALA)”;
  2. “Clarifying protections for birth control coverage under the Affordable Care Act”; and
  3. “Protecting medical privacy – including empowering patients to protect their medical information on smart phones, apps, and other platforms.”[231]

On April 12, 2023, HHS proposed measures to strengthen patient-provider confidentiality related to reproductive health care through a Notice of Proposed Rulemaking for the Privacy Rule.[232] The proposed rule would prohibit the use or disclosure of protected health information (“PHI”) to identify, investigate, sue, or prosecute “patients, providers, and others involved in the provision of legal reproductive health care, including abortion.”[233] The public comment period closed on June 16, 2023; and the proposed rule is expected to be finalized in March 2024.[234]

d. HHS Enforcement Actions

OCR continued to enforce the HIPAA Privacy Rule throughout 2023, which has been a continued focus of the agency in recent years. For example, OCR settled claims against a New York-based non-profit academic medical center for alleged violations in 2020 of the HIPAA Privacy Rule.[235] A national newspaper published an article about the medical center’s COVID-19 emergency response, “which included photographs and information about the facility’s patients” exposing patient information, including COVID-19 diagnoses, medical statuses and prognoses, vital signs, and treatment plans.[236] OCR alleged that the facility disclosed three patients’ protected health information to the press “without first obtaining written authorization from the patients.”[237] The settlement required the facility to pay $80,000 and agree to implement a corrective action plan “to develop written policies and procedures that [complied] with the HIPAA Privacy Rule.”[238]

HHS also focused its enforcement efforts around the HIPAA Right of Access Initiative, which was launched in 2019 and requires covered entities to provide individuals with “timely access to their health information for a reasonable cost” under the HIPAA Privacy Rule.[239] As of December 15, 2023, OCR had brought 46 cases pursuant to the HIPAA Right of Access Initiative.[240] These actions were largely brought against covered entities for failing to provide individuals with copies of protected health information within the required timeframe and/or in accordance with permitted fees.[241]

Data breaches have been another recent priority. In February 2023, a nonprofit health system in Arizona agreed to pay $1.25 million to resolve alleged HIPAA Security Rule violations arising from a 2016 data breach, which disclosed the protected health information of 2.81 million individuals.[242] In addition to the monetary penalty, the hospital system agreed to implement a corrective action plan, and two years of OCR monitoring, to address alleged deficiencies relating to the protection of electronic PHI, including pertaining to risk assessment, vulnerability management, monitoring, authentication and protection of data transit.[243]

In December 2023, OCR also entered into a settlement with a Louisiana-based medical group for $480,000, stemming from a phishing attack that exposed the personal information of over 34,000 individuals.[244] OCR alleged that the group failed to conduct a risk analysis of potential vulnerabilities, as required under HIPAA.[245] As with Banner Health, Lafourche agreed to implement a corrective action plan that OCR will monitor for two years [246]

5. Other Federal Agencies

a. Department of Homeland Security

In 2023, the Department of Homeland Security (“DHS”) continued to pursue various cybersecurity initiatives aimed at securing critical infrastructure and helping organizations respond to the rapidly evolving cyber threat landscape. The year marked an increased focus on cyber incident information sharing and reporting through public-private and cross-border partnerships. On March 2, 2023, DHS Secretary Alejandro N. Mayorkas released a statement about working to implement President Biden’s National Cybersecurity Strategy and emphasized the role of public-private sector collaboration and work with DHS’s Cyber Safety Review Board and Cybersecurity and Infrastructure Security Agency (“CISA”).[247] As required by the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”), DHS and the Cyber Incident Reporting Council issued recommendations to Congress for streamlining the reporting of cyber incidents by establishing standard definitions, timelines, and triggers for reporting; creating a model incident reporting form for federal agencies; and creating a central reporting web portal.[248] These recommendations will inform CISA’s ongoing rulemaking process, as it works towards publishing a Notice of Proposed Rulemaking related to CIRCIA’s reporting requirements by March 2024.[249] Secretary Mayorkas also hosted cyber leaders from 21 nations at the Western Hemisphere Cyber Conference to discuss bilateral and multilateral initiatives to respond to, and facilitate increased information sharing about, cybersecurity challenges, including around critical infrastructure and cyber-enabled crimes and ransomware.[250]

DHS also released multiple reports and advisories outlining recommendations to mitigate risks posed by threat actor groups and vulnerabilities affecting critical infrastructure, including malware attacks by the ransomware group CL0P against users of certain file-transfer software;[251] targeting of industry-standard security tools by threat actor group Lapsus$;[252] and a ransomware variant used to exploit a vulnerability that threatened critical infrastructure.[253]

DHS also increased its State and Local Cybersecurity Grant Program funding from $185 million in FY22 to $374.9 million in FY23, signaling the growing importance of protecting communities from cyber threats.[254]

b. Department of Justice

In 2023, DOJ continued to focus on and expand its capacity to address cyber threats, especially those related to national security. In a series of press releases, DOJ touted certain accomplishments in its ongoing fight against organized cybercrime. For example, it publicized actions it had taken against several ransomware groups, including the Hive and Blackcat, as well as the malware code Qakbot. DOJ also announced significant developments regarding its approach to the issue of algorithmic bias, including an innovative resolution reached with a large social media company and the filing of a statement of interest in a case alleging racial discrimination against rental applicants.

As part of its continued and expanding efforts to counter cyber-related national security threats arising from nation-state actors, DOJ created the National Security Cyber Section (“NatSec Cyber”) within the National Security Division (“NSD”).[255] DOJ noted that NatSec Cyber “will allow NSD to increase the scale and speed of disruption campaigns and prosecutions of nation-state threat actors, state-sponsored cybercriminals, associated money launderers, and other cyber-enabled threats to national security.”[256]

DOJ continued its aggressive, multifaceted efforts to disrupt domestic and international organized cybercrime via collaboration between the FBI and foreign law enforcement organizations. For example, in January 2023, DOJ announced that its months-long campaign against a ransomware-as-a-service network called the “Hive” culminated in the seizure of thousands of decryption keys that were then distributed to victims of the Hive’s activities, as well as the shutting down of servers and websites used by the Hive to coordinate attacks.[257] The Hive’s ransomware campaign impacted more than 1,500 victims, “including hospitals, school districts, financial firms, and critical infrastructure,” across more than 80 countries, and sought to extort hundreds of millions of dollars in ransomware payments.[258] In May 2023, DOJ publicized an operation code-named “MEDUSA,” which involved the deployment of an FBI-developed tool named “PERSEUS” to disrupt the ability of the highly sophisticated cyber espionage malware named “Snake” to compromise infected computers.[259] Snake, whose development the U.S. government attributes to a unit in the Federal Security Service of the Russian Federation, has been used and adapted for the last nearly 20 years to steal and covertly transfer sensitive information from computer networks in over 50 countries, often in service of Russian interests.[260] In August 2023, DOJ announced another multinational effort to degrade and avert attacks from Qakbot, a malware code used by cybercriminals to create malicious botnets and perpetrate “ransomware, financial fraud, and other cyber-enabled criminal activity.”[261] Finally, in December 2023, DOJ announced that the FBI had successfully built a decryption tool that allowed victims of the ransomware-as-a-service group Blackcat (also known as ALPHV or Noberus) to regain control of their systems.[262] This was in addition to taking control of websites associated with the group, which had previously carried out attacks targeting “government facilities, emergency services, defense industrial base companies, critical manufacturing, and healthcare and public health facilities—as well as other corporations, government entities, and schools,” costing victims hundreds of millions of dollars in ransom payments, incident response costs, and losses from data damage and theft.[263]

DOJ also waded into issues around algorithmic bias. In January 2023, for example, DOJ announced a resolution reached with a large social media company to address alleged algorithmic bias on its platforms.[264] This development came as part of a settlement stemming from a June 2022 lawsuit filed in the U.S. District Court for the Southern District of New York that asserted the company engaged in discriminatory delivery of housing advertisements based on algorithms partially relying on protected characteristics in violation of the Fair Housing Act (“FHA”).[265] The settlement agreement required the company to create a system (dubbed the Variance Reduction System) to promote the “equitable distribution of ads” across its platforms, subject to certain compliance metrics, oversight by the court, and ongoing monitoring by a third-party reviewer through June 27, 2026.[266] A DOJ official praised the agreement and the company for setting “a new standard for addressing discrimination through machine learning” and called for others to follow the company’s lead.

DOJ also filed a Statement of Interest in an FHA case pending in a Massachusetts federal district court brought by two Black rental applicants alleging unlawful algorithmic tenant screening practices.[267] Plaintiffs alleged that the screening system discriminated “against Black and Hispanic rental applicants in violation of the FHA.”[268] According to DOJ, the Statement confirms its “commitment to ensuring that the Fair Housing Act is appropriately applied in cases involving algorithms and tenant screening software.”[269]

c. Department of Commerce

On March 7, 2023, a bipartisan group of senators proposed the Restricting the Emergence of Security Threats that Risk Information and Communications Technology (“RESTRICT”) Act, which would give the Commerce Secretary the power to ban foreign‐owned technologies if they are found to pose national security threats.[270] The bill, which received support from the Department of Commerce,[271] was referred to the Committee on Commerce, Science, and Transportation, and is currently awaiting further action.[272]

On June 14, 2023, Senator Wyden introduced the Protecting Americans’ Data From Foreign Surveillance Act of 2023, which would update the Protecting Americans’ Data From Foreign Surveillance Act of 2022 that was introduced in June 2023 but not passed.[273] This bill would bar exports of sensitive data to high‐risk countries, as determined by the Department of Commerce.[274] The Department of Commerce would also be tasked with defining sensitive data, though the bill broadly covers data, including browsing history and location data.[275] However, the new export rules would not apply to data encrypted with technology approved by the National Institute of Standards and Technology (“NIST”).[276] The bill was referred to the Committee on Banking, Housing, and Urban Affairs, and currently awaits further progress.[277]

d. Department of Energy

Through the Infrastructure Investment and Jobs Act, the Department of Energy (“DOE”) has provided significant funding to a series of new cybersecurity programs.[278] On September 12, 2023, the DOE announced $39 million of funding for nine new “National Laboratory” projects to strengthen the cybersecurity of distributed energy resources (“DER”).[279] The funding is intended to “support targeted research, development, and demonstration related to different elements of the DER landscape.”[280]

Despite investing in improved cybersecurity for DER, the DOE itself continues to attract scrutiny of its cybersecurity practices, especially from the DOE’s Office of Inspector General (“OIG”). Ongoing concerns regarding the department’s cybersecurity capabilities stem in part from three apparent cyberattacks against DOE national laboratories in late 2022, which were serious enough to prompt House lawmakers to seek details concerning them in early 2023.[281] In November 2023, the OIG released a report discussing “management challenges” at the DOE, including numerous cybersecurity-related deficiencies.[282] In discussing these deficiencies, the report noted structural and resource-based challenges to an effective organization-wide cybersecurity program, some of which stemmed from inconsistent and outdated practices by DOE contractors.[283] Thus, contractors/vendors doing business with the DOE should expect a greater emphasis on and scrutiny of their cybersecurity practices going forward.

e. Department of Defense

In December 2023, the Department of Defense (“DoD”) released a proposal designed to implement its Cybersecurity Maturity Model Certification (“CMMC”) program, broadly aimed at increasing the security of controlled, unclassified information across the defense industry.[284] The CMMC will set three “levels” of cybersecurity requirements based on the nature of information held by contractors, while ultimately creating a baseline level of cybersecurity for almost all DoD contract solicitations.[285] The program will be implemented in phases over several years, giving companies time to study and understand its requirements and prepare staff to comply with them.[286]

f. Federal Communications Commission

The Federal Communications Commission (“FCC”) was particularly focused on the Telephone Consumer Protection Act (“TCPA”) and cybersecurity issues in 2023. In June 2023, the FCC unveiled a new Privacy and Data Protection Task Force that will “coordinate across the agency on the rulemaking, enforcement, and public awareness needs in the privacy and data protection sectors.”[287] The task force will address issues such as data breaches of telecommunication providers linked to cyber intrusions and supply chain vulnerabilities.[288]

TCPA Rulemaking. In January 2023, the FCC announced that new rules promulgated under Section 8 of the Telephone Robocall Abuse Criminal Enforcement and Deterrence (“TRACED”) Act[289] would go into effect on July 20, 2023.[290] Among other things, the FCC’s new rules provide additional clarity on exemptions from the TCPA, including establishing limits on the number of exempt calls that can be made to a residence during a 30-day period (for non-commercial, non-advertising, or nonprofit purposes); requiring callers to obtain consent before exceeding the numerical limits on exempt calls; and mandating ways that consumers can opt out of exempted calls to residential lines.[291]

In the last quarter of 2023, the FCC took additional regulatory steps to curb robocalls. On October 23, 2023, FCC Chairwoman Jessica Rosenworcel announced the FCC was opening an inquiry into the impact of artificial intelligence technology on robocalls, particularly for more vulnerable consumers such as seniors and those on fixed incomes.[292] Following that announcement, the FCC sought public input to better understand the impact of emerging AI technologies on unwanted telephone calls and text messages.[293] It seems likely that the FCC will continue to assess AI’s impact in this area.

On December 18, 2023, the FCC also approved new TCPA rules that require lead generators, comparison shopping websites, and similar companies to obtain a consumer’s prior express written consent to receive automated calls from each marketing partner.[294] The rule is intended to end companies’ prior practice of relying on a single consent to receive automated calls from multiple marketing partners. The new rule has closed this loophole, and requires one-to-one consent for each marketing partner.[295] There will be an implementation period of at least 12 months to allow companies to make necessary changes to ensure consent complies with the new rules.[296]

Cyber Trust Mark. In July 2023, the FCC, in coordination with the White House, announced a proposal to create a “U.S. Cyber Trust Mark” label for devices that meet certain cybersecurity and privacy criteria set by the National Institute of Standards and Technology, with voluntary commitments to the standard to be made by manufacturers and retailers.[297] Examples of contemplated features offered by labeled devices include “unique and strong default passwords, data protection, software updates, and incident detection capabilities.”[298] In August 2023, the FCC released a Notice of Proposed Rulemaking regarding the proposal to collect public input, noting that if it votes to establish the program, it could be “up and running” by late 2024.[299]

VoIP and TRS Rules. In December 2023, the FCC approved modifications to data breach notification rules for providers of telecommunications, interconnected Voice over Internet Protocol (“VoIP”), and telecommunications relay services (“TRS”).[300] The modifications expand reportable personally identifiable information and the definition of a “breach,” and require carriers or TRS providers to notify the FCC of breaches, in addition to other existing reporting requirements.[301]

Enforcement. The FCC also levied fines against companies for lax data security standards. In July 2023, the FCC sought a combined $20 million fine against two mobile carriers for alleged violations of FCC rules, which mandate that customer identity be properly authenticated before online access to Customer Proprietary Network Information (“CPNI”) is granted to them.[302] The FCC’s investigation concluded that the companies used “readily available” information to provide online access to CPNI and fell below other compulsory data security standards in violation of multiple parts of the FCC’s rules, thereby placing sensitive customer personal data at risk.[303]

6. State Agencies

Throughout 2023, state privacy enforcers, particularly in California, wielded their authority to attempt to expand the ambit of existing privacy laws.

a. California

California Privacy Protection Agency

On the rulemaking front, the California Privacy Protection Agency (“CPPA”) released draft rules for automated decision-making technology (“ADMT”) on November 27, 2023.[304] The draft focuses on two areas: notice requirements on the use of ADMT and enforcement of two new consumer rights: the right to opt-out of ADMT processing and the right to access information about a business’s use of ADMT.

The draft rules require businesses to provide a “Pre-use Notice” which would allow consumers to exercise these two rights. The notice must inform consumers of the business’s use of ADMT and permit them to opt-out of ADMT processing. It also requires businesses to describe the purpose behind the use of ADMT in specific terms. Consumers may opt-out of ADMT for decisions that produce “legal or similarly significant effects” (1) as an employee, student, job applicant or independent contractor or (2) in publicly accessible places (e.g., via surveillance or facial recognition). Formal rulemaking is expected to begin in early 2024.

The CPPA has also begun to spin up its enforcement division, which began inquiring into manufacturers of connected vehicles, meaning vehicles embedded with features like location sharing, web-based entertainment, smartphone integration, and cameras, in an effort to better understand whether companies in this space are complying with applicable rules.[305]

California Attorney General

The California Attorney General (“CA AG”) has announced several privacy-related enforcement “sweeps” in 2023 in a variety of industries. In early 2023, the CA AG sent out letters to an unspecified number of mobile apps in the retail, travel, and food service industries that purportedly failed to comply with the CCPA, specifically by failing to honor consumer requests to opt out of the sale of their personal data or providing mechanisms for opting out of sale of the personal data.[306] In July 2023, the CA AG announced a separate sweep of large employers’ compliance with CCPA as it related to employee and job applicant information.[307] Businesses are required to provide a way for consumers, workers, and job applicants to be able to access, delete, and opt-out of the sale of their personal information. Despite these regular sweeps, however, the CA AG has not announced any enforcement actions or settlements related to the CCPA.

Although there have not been any CCPA settlements disclosed in 2023, the CA AG did announce a $93 million settlement with a large technology company related to allegations that its location-privacy practices violated California’s Unfair Competition Law, a follow-on to a multistate settlement announced in 2022.[308] The complaint alleged that the company deceived people into consenting to the perpetual collection and use of their location data by asking users if they wanted to “enhance” their “experience.” The complaint also alleged that, even if users turned off their location history, their precise location data was nevertheless collected if other settings remained enabled. Finally, the CA AG alleged that the company continued to use real-time location information to show users ads, even if they turned off ad personalization. Under the terms of the settlement, the company will have to provide a pop-up notification to users who have certain location-tracking toggles enabled, provide additional disclosures to users (including in the account-creation flow) and obtain express affirmative consent prior to sharing precise location information with advertisers, among other requirements. The company will also have to submit an annual compliance report and independent assessor reports.

b. Other State Agencies

New York

In January 2023, the New York Attorney General (“NY AG”) sent a letter to a large live-entertainment company about its use of facial recognition technology that allegedly was preventing entry into its venue by attorneys whose firms are engaged in litigation against the company.[309] The NY AG’s letter requests the company provide justifications for its policy, identify efforts to comply with applicable laws, and ensure that its use of this technology will not lead to discrimination.

In November 2023, the New York State Department of Financial Services announced that a title insurer will pay $1 million for allegedly violating state cybersecurity regulations.[310] The insurer allegedly failed to ensure “full and complete implementation” of its cybersecurity policies and procedures prior to a May 2019 data breach that exposed its customers’ nonpublic information.[311]

Washington

The Washington Attorney General (“WA AG”) announced a $39.9 million settlement with a large technology company related to the WA AG’s lawsuit over its location-tracking practices.[312] The WA AG, like the CA AG, filed a separate lawsuit from the multistate effort that had been settled in November 2022. Similar to the California suit, the WA AG alleged that the company collects location data even when consumers had disabled their location history and that it tracked devices even when location access was turned off. In addition to the monetary penalty, the company agreed to disclose additional information to users where they enabled location-related account setting, ensured that users see information about location tracking and gave users detailed information about types of location data that the company collects and how it will be used.

c. Major Data Breach Settlements

While 2023 did not see as many high-profile data breach settlements as in recent years, with the number of data breach-related case filings reaching new records, major settlements are likely on the horizon.

Many of the notable 2023 settlements were reached with state attorneys general. A software provider in the healthcare and education space agreed to a $49.5 million settlement with numerous state attorneys general (led by Indiana and Vermont) to resolve claims stemming from a ransomware attack that impacted the company and nearly 13,000 customers in 2020.[313] In another notable data breach settlement, the attorneys general of New York, Connecticut, Florida, Indiana, New Jersey, and Vermont entered into a $6.5 million settlement with a major financial services provider arising from two instances in which customer data inadvertently left the company’s custody.[314] And a vision insurance company entered a $2.5 million settlement with the attorneys general of New Jersey, Oregon, Florida, and Pennsylvania stemming from a breach which impacted the health care information of 2.1 million individuals.[315]

Class actions have also resulted in significant settlements. A law firm recently announced that it reached a tentative class settlement with plaintiffs whose personal information was allegedly compromised in a data breach.[316] Once finalized, this settlement will resolve four consolidated lawsuits stemming from the firm’s alleged three-month delay in notifying affected individuals of the breach. And in July 2023, the Southern District of Florida approved a $3 million settlement in a class action suit against a health care network and its parent company arising from a 2021 data breach in which over three million individuals were affected.[317]

III. Civil Litigation Regarding Privacy and Data Security

A. Data Breach Litigation

Cybercrimes targeting consumer data have been increasingly pervasive and this trend continued in 2023. The Identity Theft Resource Center, which compiles statistical information on data breaches, reported 2,116 data breaches in the first nine months of 2023.[318] This number surpasses the 2021 record of 1,862 data breaches and represents a nearly 64% increase of the number of data breaches reported over the same nine-month period in 2022.[319] These trends suggest companies will continue to face more widespread and sophisticated attacks by cybercriminals and the risk of litigation remains elevated for companies dealing with the aftermath of a cyberattack.

One of the largest and most significant data breach litigations in history was filed this year. After the developer of a popular file transfer service announced that its service had been exploited by a Russian cybergang in a data breach that exposed the personally identifiable information of more than 55 million people, more than 200 cases were filed.[320] These actions were centralized in an MDL that is now pending in the District of Massachusetts.[321] At the time of publication, the MDL remains in its early stages, but we expect this case will be one that practitioners will watch closely.

This section summarizes key developments in data breach litigation last year.

1. The Impact of TransUnion v. Ramirez on Standing in Data Breach Actions

Many data breach cases are litigated in federal court, given large numbers of potentially affected individuals and jurisdictional provisions of the Class Action Fairness Act. Plaintiffs pursuing claims in federal court must satisfy the standing requirements of Article III of the U.S. Constitution, and data breach actions raise significant questions about whether plaintiffs can satisfy this requirement. In 2021, the U.S. Supreme Court decided TransUnion v. Ramirez, a landmark decision that increased the burden on plaintiffs to demonstrate standing in actions for money damages brought in federal court.[322] The Court held that the mere risk of future harm is insufficient to satisfy the concrete injury that Article III requires, especially where the plaintiff is unaware of the risk of future harm.[323] This holding is especially significant in data breach cases where a plaintiff’s data has been breached but not yet misused.

Although TransUnion went a long way towards clarifying how risks of future harm should be analyzed under Article III, appellate courts have continued to grapple with the bounds of the Court’s holding and divergent approaches to the issue of standing persisted in 2023.

Some courts have interpreted TransUnion narrowly and concluded that notwithstanding its holding, plaintiffs can establish standing even if their data has not yet been misused. For example, in Webb v. Injured Workers Pharmacy, LLC, the First Circuit held that a “material risk of future harm can satisfy the concrete-harm requirement” for standing, reasoning that data compromised in targeted attacks (as opposed to inadvertent disclosures) is more likely to be misused, especially when the data is sensitive and other personal information in the exposed data has already been misused.[324] Moreover, to satisfy TransUnion’s requirement of “alleg[ing] a separate, concrete present harm” to have standing to seek damages, the court held that the plaintiffs’ “time spent responding to a data breach can constitute a concrete injury sufficient to confer standing, at least when that time would otherwise have been put to profitable use.”[325] Similarly, the Second Circuit held that a plaintiff suffered “concrete harms as a result of the risk of future harm occasioned by the exposure” of her personal information, in particular because she incurred expenses attempting to mitigate the consequences of the breach.[326] Moreover, the plaintiff’s name and Social Security number were compromised in the targeted attack, and the court reasoned that the exposure of this type of sensitive data led to concrete present harms due to the increased risk that her identity would be stolen in the future.[327]

Other courts have interpreted TransUnion to mandate a stricter approach to standing. For example, in Holmes v. Elephant Insurance Co., a trial court dismissed for lack of standing claims alleging that the plaintiffs’ personal information was compromised in a 2022 data breach.[328] Despite a potential heightened risk of future identity theft, the court found that this risk alone did not constitute an injury in fact unless it was “certainly impending.”[329] Even though two of the three named plaintiffs had alleged their driver’s license information had appeared on the dark web, the court reasoned that unless combined with additional personal information, a driver’s license number could not be used to create a full identity profile, and therefore only constituted a threat of future identity theft.[330] The court also found there was insufficient support for the contention that the risk of identity theft was “certainly impending” without assuming that the plaintiffs were specifically targeted in the breach, that the perpetrator was actively compiling full profiles of plaintiffs, and that the perpetrator would “imminently and successfully attempt to use th[e] information [at issue] to steal the plaintiffs’ identities.”[331] In reaching this conclusion, the court also diverged from the approach taken by the First Circuit in Webb, finding that absent an imminent threat of identity theft, the cost of mitigative measures, such as time spent monitoring financial information, does not constitute an injury sufficient to support standing.[332]

A California district court in Burns v. Mammoth Media, Inc., appeared to agree with this approach, suggesting that “an increased risk of identity theft may constitute a credible threat of real and immediate harm sufficient to constitute an injury in fact for standing purposes.”[333] However, the court ultimately denied standing and dismissed the claims because there were insufficient allegations to establish an increased threat of identity theft based on the type of data compromised. In particular, the plaintiff alleged only that his name, email address, gender, profile creation date, user name, user ID, password, and access token were exposed, but he failed to explain how the specific data compromised was sufficiently sensitive to create a risk of identity theft.[334]

Questions about standing are also significant to class certification, as putative classes that contain large numbers of uninjured class members are frequently not viable.[335] One case from 2023 illustrating this issue is Attias v. CareFirst, Inc., where the District Court for the District of Columbia denied class certification because “the proposed classes . . . would appear to sweep in significant numbers of people who have suffered no injury in fact in light of TransUnion.”[336] Even though the named plaintiffs had adequately demonstrated standing “because they ha[d] spent at least some amount of time or money protecting against the risk of future identity theft,” there was a “serious predominance problem” because not all the putative class members had done the same, thereby necessitating “individualized proof of injury.”[337] These “logistical hurdles of identifying class members who were injured or determining what kinds of mitigation measures might qualify an individual for class membership” meant the court “[could not] conclude that the common issues predominate over individualized inquiries.”[338]

2. Cybersecurity-Related Securities Litigation

In the aftermath of a cybersecurity incident, companies and their officers also frequently face shareholders suits. Although the pace of data breach-related securities case filings has slowed,[339] the past year still saw a fair share of new litigation. For instance, in March 2023, shareholders filed a securities class action under Sections 10(b) and 20(a) of the Securities Exchange Act of 1934 against a television service provider, alleging that the company overstated its operational efficiency in public statements and SEC filings and maintained deficient cybersecurity infrastructure, leaving the company unable to secure customer data and leaving it vulnerable to cyberattacks and service issues.[340] In another action filed in 2023, shareholders alleged that a financial services technology company violated Sections 12(a)(2) and 15 of the Securities Act of 1933 in connection with the compromise of customer data.[341] The plaintiffs alleged that the company failed to accurately describe its data security capabilities, among other things, in its securities filings. This case remains in the early stages.

Defendants have had success in getting shareholder data-breach claims dismissed on the pleadings, including for failure to plead falsity or scienter with the requisite particularity.[342] For example, the Northern District of California dismissed a shareholder suit related to a January 2022 data security incident.[343] The plaintiffs in that case sued under Section 10(b) and 20(a) of the Securities Exchange Act of 1934, alleging that the company and certain officers made false and misleading statements in the company’s disclosures about its data security practices.[344] The court dismissed these allegations, finding that the plaintiffs failed to allege either falsity or scienter based on the defendants’ general statements about the company’s commitment to data security.[345]

B. Wiretapping and Related Litigation Concerning Online “Tracking” Technologies

Last year’s Review noted a deluge of lawsuits brought under federal and state wiretapping statutes. This trend continued in 2023, with recent lawsuits alleging that various businesses invade consumers’ privacy rights and violate federal and state wiretapping statutes by allegedly failing to obtain sufficient and valid consent when using various online “tracking” technologies, such as session replay, pixels, and chat software. Plaintiffs in these cases generally allege that their interactions with businesses’ websites or apps are “communications” between them and the business, which are being “recorded” and “intercepted” by the business through a third-party pixel, software development kit, chat, or session-replay service provider.[346]

Many of these cases focus on claims for violations of wiretapping statutes. Wiretapping statutes were initially intended to prevent surreptitious recording of, or eavesdropping on, phone calls without the consent of the parties involved, but they have evolved to cover other forms of electronic and digital communications. The federal Wiretap Act of 1968, as amended by the Electronic Communications Privacy Act of 1986,[347] is a “one-party” consent statute that allows communications to be intercepted (with certain exceptions) so long as “one of the parties to the communication has given prior consent[.]”[348] Almost all 50 states also have some form of wiretapping statute; most of them are also one-party consent statutes, but a significant minority require “two-party” (or “all-party”) consent.[349] Many recent lawsuits have brought claims under both the federal Wiretap Act and various state statutes, with litigation heavy in all-party consent states like California (where statutory damages can run as high as $5,000 per violation), Pennsylvania, and Florida.[350]

In addition to alleged violations of wiretapping statutes, lawsuits concerning online tracking technologies frequently raise a host of interrelated legal issues.

For example, a plaintiff in a Northern District of California case alleged that a pixel tool was embedded in a university-owned hospital website where the plaintiff entered private medical information concerning her cardiovascular health.[351] Because this information was allegedly redirected to a third-party company, the plaintiff claimed that the defendant violated the California Invasion of Privacy Act (“CIPA”), three separate sections of the Confidentiality of Medical Information Act (“CMIA”), and the California Constitution. The plaintiff also alleged common law causes of action including breach of contract, unjust enrichment, and the right to privacy. The court allowed the common law privacy and two CMIA claims to move forward and dismissed the remaining claims, largely on the basis that the university is an immune public entity. Similarly, in Jackson v. Fandom Inc.,[352] another Northern District of California judge denied the defendant’s motion to dismiss a proposed class action alleging that the defendant, a hosting service for user-generated wikis, violated the federal Video Privacy Protection Act (“VPPA”) by sharing users’ personally identifiable information (“PII”) through pixels. Specifically, the judge found that associating viewing history with the plaintiff’s unique user ID may have constituted unlawful disclosure of PII.[353]

In yet another notable decision, a federal judge dismissed claims against a technology company alleging it had shared information about the plaintiffs’ online activity with a third party via a pixel without the plaintiffs’ consent.[354] The plaintiffs claimed that the company’s terms of use did not inform users that the platform was sharing information with the third party and that its failure to disclose this information was fraud by omission in violation of both California’s Unfair Competition Law (“UCL”) and its Consumer Legal Remedies Act (“CLRA”). They also asserted claims under VPPA and for unjust enrichment. In granting the company’s motion to dismiss these claims, the court reasoned that Rule 9(b)’s heightened pleading standard applied because the alleged fraud stemmed from alleged misrepresentations in the company’s terms of use.[355] The court therefore granted the company’s motion to dismiss the CLRA and UCL claims. In November 2023, the company moved for summary judgment on that claim, which remains pending.

These cases are representative of many others, and we expect plaintiffs to leverage their mixed outcomes to continue to bring and attempt to extract settlements in similar matters.

C. Anti-Hacking and Computer Intrusion Statutes

The federal Computer Fraud and Abuse Act (“CFAA”) generally makes it unlawful to “intentionally access a computer without authorization” or to “exceed[] authorized access.”[356] In recent years, several high-profile court decisions, including the U.S. Supreme Court’s 2021 decision in Van Buren v. United States, have limited the CFAA’s scope.[357] In 2022, these decisions also prompted the Department of Justice to narrow its CFAA enforcement policies,[358] as described in last year’s Review.

1. CFAA

In 2023, courts around the country have continued to grapple with the CFAA’s outer bounds. Summarized below are three cases of particular interest, including a case from the Second Circuit analyzing venue considerations in CFAA actions and a pair of district court cases reaching somewhat different conclusions on whether software constitutes a “computer” under the statute.

Venue in CFAA Criminal Cases. In July 2023, the Second Circuit upheld a criminal CFAA conviction against a venue challenge.[359] The case involved a defendant, a disgruntled former employee, who deleted information from her company’s online database, which was hosted on servers outside of New York.[360] Her deletion of the database prevented some employees in New York from accessing it.[361] A criminal action was brought against the defendant in the Southern District of New York and the defendant argued venue was improper because the data she deleted resided on servers in Virginia and California, and therefore she could not have damaged a computer in New York.[362] The Second Circuit rejected this claim, holding that even though the data was stored on cloud servers elsewhere, the defendant had still “damaged” a computer in New York, because she had “impair[ed] . . . the integrity or availability of data, a program, a system, or information” on a computer there.[363] The Supreme Court denied certiorari.[364] The case is notable not just because of its expansive view of venue in CFAA criminal cases, but also because it raises new questions about the scope of covered harm to “protected computers” in CFAA criminal and civil cases alike—an especially important issue given the interconnectedness of computer networks.

Cloud Computing Systems As Covered “Computers.” In July 2023, an Illinois federal district court held that a “cloud-based system of data storage” constitutes a “computer” under the civil enforcement sections of the CFAA.[365] The defendants in this case allegedly accessed a former employer’s Microsoft Office 365 cloud services after their employer terminated them—by logging in with old and phony credentials.[366] The defendants moved to dismiss the employer’s CFAA claim, arguing a cloud service is not a protected “computer” under the CFAA.[367] The court disagreed.[368] The court reasoned that the CFAA broadly defines a “computer” as “an electronic, magnetic, optical, electrochemical, or other high speed data processing device performing logical, arithmetic, or storage functions, and includes any data storage facility or communications facility directly related to or operating in conjunction with such device.”[369] Because a cloud system involves storing data on remote servers, and “[s]ervers fit within the plain language” of a computer under the Act, the plaintiff had sufficiently alleged that the defendants improperly accessed a “computer” under the CFAA.[370] The court also rejected the premise that CFAA liability could attach only if the plaintiff, rather than Microsoft, actually owned the remote servers that supported the cloud service.[371]

Software Not a Covered “Computer.” By contrast, in April 2023, a New Jersey federal district court held that “software” does not constitute a protected computer under the CFAA.[372] In this case, the plaintiff claimed that he was hired to install certain software he created on a bank’s computers, but a dispute arose over whether the bank had paid for a license to use the software.[373] The plaintiff sued, claiming, among other things, that by using the software without permission and by locking him out of his bank computer (which allegedly contained the software), the bank violated the CFAA.[374] The court summarily disagreed, noting that the plaintiff had presented “no authority indicating that software is a ‘computer’ within the meaning of the CFAA,” and dismissed the claim.[375]

Generative AI and the CFAA. Another notable development from this past year was the bevy of lawsuits filed against generative AI companies, challenging the companies’ alleged practice of scraping or otherwise obtaining data to train their AI models. Some of these lawsuits claim that these practices—which involve allegedly harvesting publicly accessible data from the Internet or obtaining user data through the use of “plug-ins” installed on third-party websites—violate the CFAA for exceeding authorized access to plaintiffs’ computers.[376] These cases are still at their early stages and will likely need to grapple with the Ninth Circuit’s 2022 decision in hiQ Labs, Inc. v. LinkedIn,[377] which held that the CFAA’s concept of “without authorization” may not apply “when a computer network generally permits public access to its data”—although the Ninth Circuit noted there may be other common law and statutory claims available for those who believe they have been the victims of data scraping.[378]

2. CDAFA

The Comprehensive Data Access and Fraud Act (“CDAFA”) is California’s sister statute to the CFAA, and it creates a private right of action against any person who “[k]nowingly accesses and without permission takes, copies, or makes use of any data from a computer, computer system, or computer network, or takes or copies any supporting documentation, whether existing or residing internal or external to a computer, computer system, or computer network.”[379] “Access” means to “cause output from” the “logical, arithmetical, or memory function resources of a computer.”[380]

In 2023, several district courts considered the interaction between the CDAFA and the recent wave of litigation related to website tracking technologies, including web pixels. Below are two such cases of interest.

Private Browsing Modes and Online Advertising Technologies. In August 2023, a California district court denied a motion for summary judgment on a CDAFA claim. Plaintiffs alleged that a prominent internet company improperly tracked user activity when users were using “private browsing modes.”[381] Plaintiffs claimed that, when third parties embedded certain advertising technologies into their websites, those technologies sent data about the users’ online activities to the company, even if the users were using a private browsing mode.[382] The company sought summary judgment on plaintiffs’ CDAFA claim, arguing that the company could not have “accessed” plaintiffs’ computers under the CDAFA because “website developers,” not the defendant, embed the code that directs users’ browsers to send requests to the company’s servers.”[383] The court rejected this argument, holding that the fact that “website developers chose to embed [the company’s] services onto their websites at most creates a triable issue as to whether developers and not the company . . . ‘cause output from’ plaintiffs’ computers” under the CDAFA.[384] The company separately argued that plaintiffs had suffered no “damage or loss” under the CDAFA, but the court rejected this argument, too, holding that “plaintiffs [had] proffer[ed] evidence that there is a market” for their browsing history data.[385] On December 26, 2023, the parties announced that they had reached a preliminary settlement agreement.[386]

“Technical Barriers” for First-Party Websites. In October 2023, a California district court dismissed with prejudice a CDAFA claim premised on the theory that a chatbox on a developer’s website transmitted certain user information to third parties.[387] The developer argued that it did not act “without permission” under the CDAFA because it did not overcome any “technical or code-based barriers” to insert the third-party code into its own website and allegedly transmit user information.[388] The district court agreed, holding that there are “no technical barriers blocking Defendant from using its own Website” in the manner alleged.[389] The district court also dismissed the claim on the basis that plaintiff had failed to allege any damage or loss under the CDAFA.[390]

D. Telephone Consumer Protection Act Litigation

Originally enacted in 1991, the Telephone Consumer Protection Act (“TCPA”) regulates certain forms of telemarketing and the use of automatic telephone dialing systems (“ATDS”).[391] Historically, much of TCPA litigation centered on issues concerning the technical definition of an ATDS, but that issue was largely clarified through the Supreme Court’s 2021 opinion in Facebook Inc. v. Duguid, which favored a narrower definition that limited it to devices that store or produce telephone numbers by using a random or sequential number generator. [392] Nonetheless, the TCPA continues to be an area of significant regulatory and litigation activity. 2023 was defined by increased regulation and enforcement by the FCC, as well as ongoing federal litigation addressing the scope of the TCPA.

TCPA cases continue to make their way up to the federal appellate courts, which frequently present the issue of whether receipt of a single unsolicited call is sufficient to confer Article III standing. Some circuits have answered in the affirmative. For example, the Sixth Circuit held that a consumer who had received a ringless voicemail had standing to sue under the TCPA.[393] The plaintiff argued, successfully, that the receipt of the unsolicited ringless voicemail was comparable to the common law tort of intrusion upon seclusion.[394] Similarly, in Drazen v. Pinto, an en banc panel of the Eleventh Circuit held that individuals who received even a single unwanted telemarketing text message had standing to sue under the TCPA, overruling the court’s prior decision that held the opposite.[395]

In another notable decision, Hall v. Smosh Dot Com, Inc., the Ninth Circuit held that a phone line subscriber has standing to sue for TCPA violations, even if the subscriber is not the recipient of the call.[396] Even though the plaintiff’s son in that case had received the unwanted text messages, the Ninth Circuit stated that the TCPA does not require that “the owner of a cell phone must also be the phone’s primary or customary user to be injured by unsolicited phone calls or text messages sent to its number.”[397]

Not all courts have read the TCPA so expansively, and appellate courts continue to find communications not covered by the language of the TCPA. For example, in January 2023, the Third Circuit held that faxes sent by a drug testing laboratory, promoting a free educational seminar about opioid use and medication monitoring, did not qualify as “unsolicited advertisements” under the TCPA.[398] In another notable case, the Ninth Circuit held that text messages did not violate the TCPA’s prohibition on “prerecorded voices,” because text messages are not “voice” messages.[399]

In the face of newly implemented rules, shifting case law, and new communications technology, we expect the TCPA to continue to be an area to watch.

E. State Law Litigation

1. California Consumer Privacy Act Litigation

While the regulatory atmosphere around the CCPA evolved in 2023, the litigation landscape remained fairly constant. Consumers, individually or as a class, continued to litigate under the CCPA, making claims for both pecuniary and statutory damages.

a. Potential Anchoring Effect of CCPA Statutory Damages

As discussed in last year’s Review, the CCPA’s provisions for statutory damages have continued to frame settlement negotiations. The CCPA provides that consumers exercising their private right of action for a data breach may recover the greater of statutory damages between $100 and $750 per consumer, per incident, or actual damages.[400] The cases summarized below provide color on how these statutory damages have impacted settlement terms in the CCPA context.

Automobile Manufacturers and Marketing Vendor. In this case, previously discussed in last year’s Review, residents of California and Florida filed class actions alleging that auto manufacturers and a marketing vendor failed to adequately secure customers’ personal information, allowing hackers to steal information such as driver’s license numbers, Social Security numbers, financial account numbers and more.[401] The plaintiffs asserted causes of action for negligence, breach of implied contract, violation of the CCPA, violation of California’s Unfair Competition Law, and breach of contract. The parties agreed to a settlement which was granted final approval on May 31, 2023.[402] The terms of the settlement reflect the potential effects of the CCPA, as California residents whose sensitive personal information was affected received $350, while the non-California residents whose sensitive personal information was exposed would receive only $80 (about 77% less than their California peers).[403]

Ticket Retailer. Consumers who bought tickets from a ticket retailer brought suit after a data breach was disclosed. Plaintiffs alleged that “skimmers” placed on the defendant’s checkout webpage stole their personal sensitive data.[404] Plaintiffs asserted a variety of claims, including negligence, breach of contract, violation of California’s Unfair Competition Law, and violation of the CPPA.[405] The parties reached a $3 million settlement, which was granted final approval on October 30, 2023. The settlement fund provides California sub-class members with an additional $100 “California Statutory Award benefit.”[406]

b. Requirements for Adequately Stating a CCPA Claim

Courts continued to give shape to the requirements to plead a CCPA claim. The decisions below address the facts and allegations required to bring a CCPA action under its limited private right of action, which applies only to data breaches.

Software Company Automatic Renewal Case. The Ninth Circuit recently affirmed the dismissal of a case alleging violations of the CCPA. The plaintiff alleged his data was shared with a credit card processor without his authorization due to the automatic renewal of his subscription. The trial court dismissed his claim because the plaintiff had agreed to the defendant’s End-User License Agreement, which stated his subscription would renew every 12 months unless terminated.[407] The trial court found the disclosure of his personal information was not “without authorization” and was not caused by a failure to implement reasonable security procedures and practices.[408] The Ninth Circuit affirmed.[409]

Online Banking. Plaintiff alleged that the defendant bank violated the CCPA when an unknown individual accessed his bank account, changed his contact information, and obtained new account cards to make purchases. The bank, on a motion to dismiss, argued that the plaintiff had not alleged that a data breach occurred. The court disagreed, finding that plaintiff’s allegations that his account was accessed and personal information obtained because of the failure to implement reasonable security procedures were sufficient to state a claim under the CCPA.[410]

c. CCPA Violations Under the UCL

Violations of the CCPA cannot serve as the predicate for a cause of action under a separate statute including California’s Unfair Competition Law (“UCL”).[411] While there has been no change regarding the inability to use a CCPA violation as the predicate “unlawful” claim under the UCL, one court has found the CCPA may create a property interest upon which a UCL claim may be brought. That decision is summarized below.

Search Engine Company. Originally filed in June 2020, this class action alleges that a large technology company unlawfully collected data from users while using the company’s browser in incognito or private mode.[412] The plaintiffs brought claims, including under the federal Wiretap Act, the California Invasion of Privacy Act (CIPA), and California’s UCL.[413] On summary judgment, the defendant argued that plaintiffs had no economic injury as required for a UCL claim, as they had not lost money or property as a result of the data collection.[414] Plaintiffs argued that their private data has monetary value and they have a property interest in that data “because the [CCPA] affords them the right to exclude Google from selling their data to third parties.”[415] The court agreed with plaintiffs, holding that “plaintiffs have identified an unopposed property interest for at least a portion of the class period under the California Consumer Privacy Act.”[416] The court further found that money damages are not an adequate remedy alone, and that injunctive relief is necessary to address the ongoing data collection.[417]

d. The CCPA’s 30-Day Notice Requirement

The CCPA requires that a “consumer provide[] a business 30 days’ written notice identifying the specific provisions of [the CCPA] the consumer alleges have been or are being violated.”[418] The written notice initiates a 30-day period during which the business may cure any violation. While this cure provision was eliminated by the CPRA, cases addressing the notice-and-cure provisions have continued to move through the courts. Last year’s Review discussed a case dismissing a suit with prejudice where plaintiffs did not comply with the 30-day notice period.[419] The cases below have departed from that decision, illustrating the boundaries of the cure provision as a safeguard.

Consumer Debt Collector. Plaintiffs alleged that their personal information was stolen in a data breach because the information was unencrypted and improperly safeguarded.[420] Plaintiffs brought claims under the CCPA for actual and statutory damages, even though they provided no pre-suit notice for the defendant to cure as required under the CCPA.[421] The court noted that no pre-suit notice is required to the extent plaintiffs sought pecuniary damages, but dismissed the statutory damages claims without prejudice.[422] In dismissing the claim for statutory damages without prejudice, the court expressly declined to follow Griffey, which we discussed in last year’s Review. The Griffey court had dismissed a CCPA claim with prejudice, reasoning that the purpose of the pre-suit notice is to allow the defendant time to cure the violation out of court.[423] Allowing a plaintiff to file a complaint, then send a notice, and then file an amended complaint defeats this remedial purpose of the statutory notice-and-cure provision. The Western District of Washington expressly rejected Griffey’s rationale, concluding that dismissal without prejudice “accords with the remedial nature of the CCPA’s notice provision.”[424]

Money Services Business. After a data breach, plaintiffs brought suit claiming negligence, breach of implied contract, and violation of the CCPA due to the disclosure of their names, Social Security numbers, and driver’s license numbers.[425] Defendant moved to dismiss the CCPA claim, arguing it was barred due to the notice-and-cure provision. Defendant “claimed to have enhanced its security measures” after receiving notice of the alleged violation, and thus “cured all alleged violations within the requisite time period.”[426] The court found this straightforward assertion insufficient because “the implementation and maintenance of reasonable security procedures and practices . . . following a breach does not constitute a cure with respect to that breach.”[427] The court pointed out that the defendant had not provided any additional detail on the nature of its cure, concluding that this was insufficient at the motion-to-dismiss stage.[428]

e. Guidance on Reasonable Security Measures in Connection with the CCPA

In addition to the cases highlighted by last year’s Review,[429] courts have continued to weigh in on what qualifies as reasonable data security measures under the CCPA.

Moving Company. Plaintiffs brought suit after their personal information was stolen by hackers in a cyberattack. Plaintiffs asserted violations of the CCPA for failure to take reasonable precautions to protect their personal information.[430] The court declined to dismiss the CCPA claim, and identified a number of measures the defendants could have taken prior to the breach. Plaintiffs specifically alleged that the defendant’s security measures were inadequate because they failed to implement “adequate filtering software,” “adequate[] training,” “multi-factor authentication,” encryption, and destruction when the personal information was no longer in use.[431] The court also pointed to plaintiff’s complaint, which “identif[ied] fourteen cybersecurity best practices that defendant should have followed but allegedly did not.”[432]

Large National Bank. Plaintiffs brought numerous claims arising out of prepaid benefits payment cards issued by the bank.[433] Plaintiffs alleged that these cards were targeted by bad actors, and the information was easily accessible since the cards had magnetic strips instead of chips. Plaintiffs claimed that erroneous charges and unauthorized transactions resulted in the loss of their funds and alleged violations of the CCPA due to the debit cards’ lack of chip technology, asserting that use of chip technology is a necessary reasonable security measure to protect their personal information. The court agreed, finding that the allegations stated a claim under the CCPA.[434] The court also found that plaintiffs’ allegation that the bank failed to subject its agents to background checks was adequate to state a claim based on failure to implement and maintain reasonable security measures and practices.[435]

2. State Biometric Information Litigation

a. Illinois Biometric Information Privacy Act

2023 was another active year for Illinois’s biometrics law, with courts continuing to expand the scope of the Biometric Information Privacy Act (“BIPA”), but also recognizing new limitations. Perhaps unsurprisingly, Illinois also continued as the leading state with respect to biometrics-related litigation.

i. Expansion of BIPA’s Scope

BIPA’s Statute of Limitations Under Section 15. The Supreme Court of Illinois found that claims brought under Section 15 of BIPA (which relates to retention, collection, disclosure, storage, and use of biometric information) have a five-year statute of limitations, reversing an appellate court’s ruling that placed a one-year limit on such claims.[436] Under Illinois law, “actions . . . to recover damages for an injury done to property, real or personal . . . and all civil actions not otherwise provided for, shall be commenced within 5 years next after the cause of action accrued.”[437] Part of the court’s justification for finding that the default Illinois statute of limitations five-year catchall applied was because a shorter limit would “thwart [the] legislative intent” of BIPA to provide redress for persons aggrieved and “shorten the amount of time a private entity would be held liable for noncompliance with the Act.”[438] Additionally, upon a certified question from the Seventh Circuit, the Supreme Court of Illinois ruled in a 4-3 decision that BIPA claims “accrue under the Act each time a private entity scans or transmits an individual’s biometric identifier or information in violation of section 15(b) or 15(d).”[439] The court dismissed ongoing policy-based concerns about massive damages by reiterating that the court “has repeatedly recognized the potential for significant damages awards under the Act” and that such high damages operate as an incentive for private entities to conform to state law.[440] While noting trial courts presiding over a class action “possess the discretion to fashion” a fair yet less-deleterious award, the court concluded that the legislature was the best vehicle to address policy concerns and the plain language of the statute authorized accrual of claims.[441]

BIPA Claims Survive Death. Also in 2023, a federal court in Illinois, hearing a class action case where the named plaintiff passed away, held that BIPA created a personal property interest and claims survive the plaintiff’s death.[442]

ii. New Recognized Limitations Under BIPA

Even so, courts recognized limitations to claims brought under BIPA in 2023.

“Active Steps” In Furtherance of Collecting Biometric Data. For example, an Illinois federal judge dismissed two claims in a proposed class action where an employer used third-party timekeeping software that registered and scanned employee fingerprints which were then stored on a vendor’s cloud storage service.[443] The judge held that the cloud storage vendor did not take an “active step” in furtherance of collecting biometric information merely by contracting with the third party to provide access to the vendor’s cloud storage system, but instead was “merely a vendor to the third party that provided the biometric timekeeping technology and services to [the employer].”[444]

Exceptions to Collections of Biometric Data: In some cases, courts found that certain exceptions privileged the collection of biometric data—for example, one trial court held that the “general health care exemption” to BIPA covered a virtual try-on tool for sunglasses, finding sunglasses to be a Class I medical device under the FDA.[445] Another court denied the plaintiff’s motion to strike the defendant’s affirmative defense that “the biometric identifiers it collects fall within [the general health care] exception because they are collected along with medical information provided by a donor,” such as fingerprints taken prior to donating plasma used to identify the patient during each donation.[446] The court noted that BIPA does not define the term “patient” nor does it define the term “health care” and found that the defendant’s arguments as to why the exception applied were sufficient to survive a motion to strike.[447]

b. Texas Biometric Privacy Law Litigation

As discussed in last year’s Review, in February 2022, Texas Attorney General Ken Paxton brought the first enforcement action under the Texas Capture and Use of Biometric Identifier Act (“CUBI”) more than two decades after its passage in 2001.[448] AG Paxton asserted a CUBI claim against a large social media company alleging that the company’s collection of “facial geometries” in connection with its facial recognition and tagging feature that it deprecated in November 2021 violated CUBI, in addition to bringing claims under Texas’ Deceptive Trade Practices Act.[449] The parties continued to conduct discovery in the case throughout 2023.

In late October 2022, Texas filed a similar action against another large technology company for alleged violations of CUBI.[450] The case is still in the early stages of discovery. These two cases remain the only actions brought under CUBI. Given the preliminary enforcement efforts by the state of Texas, companies can continue to expect heightened state-level scrutiny and enforcement in the biometrics arena in 2024.

c. New York Biometric Privacy Law Litigation

2023 also saw challenges under the N.Y.C. Biometric Privacy Law. On May 19, 2023, two plaintiffs filed a class action against a large live-entertainment company for its alleged use of facial recognition software to keep banned individuals out of its venues.[451] The plaintiffs allege that the company collects biometric information from every person who enters its venues, and then compares that information to an internal database of banned individuals.[452] The complaint further alleges that the company shares this biometric information with at least one third-party vendor, and that the company ultimately benefits in the form of reduced litigation costs.[453]

The plaintiffs allege that this undisclosed collection, use, and disclosure of customers’ biometric data violates the 2021 New York City Biometric Identifier Information Law and the right to privacy guaranteed by Article 5 of the New York Civil Rights Law.[454] Plaintiffs also pleaded an unjust enrichment claim, maintaining that the company wrongfully obtained benefits from the proposed plaintiff class in the form of valuable data.[455]

On January 9, 2024, a federal magistrate judge released a report recommending dismissal of the civil rights and unjust enrichment claims.[456] On the civil rights law claim, the court found that the limitations period of one year had already run for one plaintiff.[457] For the other plaintiff, the court found that the defendant’s alleged collection and use of biometric information to remove banned individuals could not plausibly be understood “as seeking to draw trade at its venues”—a necessary element of a claim under the civil rights statute.[458] The magistrate also recommended dismissing the unjust enrichment claim on the ground that “New York courts have long recognized the Civil Rights Law as ‘preempting all common law claims based on unauthorized use of name, image, or personality, including unjust enrichment claims.’”[459] Thus, under New York law, there can be no unjust enrichment claim arising from use of one’s personal image.[460] The magistrate recommended allowing the New York City Biometric Identifier Law claim to proceed, finding that the defendant’s alleged conduct is consistent with the text and legislative history of the statute.[461]

F. Other Noteworthy Litigation

Supreme Court Declines to Address Scope of Section 230. In last year’s Review, we noted that the U.S. Supreme Court granted certiorari in two cases that could affect the scope of Section 230 of the Communications Decency Act of 1996, which protects “interactive computer services” from liability for user-published content. In each case, Twitter, Inc. v. Taamneh[462] and Gonzalez v. Google LLC,[463] plaintiffs alleged that social media companies were liable under the Anti-Terrorism Act (ATA) for aiding and abetting acts of terrorism that resulted in the deaths of plaintiffs’ family members. According to the plaintiffs, ISIS allegedly used the defendants’ websites to fundraise and recruit new members, with little interference by content moderators—and sometimes even active promotion by the defendants’ algorithms. Both cases came from the Ninth Circuit Court of Appeals, which had allowed the Taamneh case to proceed[464] but held that Section 230 barred most of the claims in Gonzalez.[465]

The U.S. Supreme Court unanimously reversed the Ninth Circuit’s decision in Taamneh, holding that the plaintiffs had not stated a claim under the ATA because they failed to show “any concrete nexus between defendants’ services” and the attack.[466] On the same day, the Court declined to address the Ninth Circuit’s holding regarding Section 230 in Gonzalez, instead remanding the case for reconsideration in light of Taamneh.[467] Thus the Court effectively sidestepped the question of whether Section 230 bars platform liability for algorithmic amplification of user-published content by resolving one case on ATA grounds alone and remanding the other.

Large Technology Companies Continue to Face VPPA-Related Litigation. Several lawsuits were filed in 2023 concerning companies’ collection and management of users’ video-related information. For example, with respect to a lawsuit relating to one major technology company’s management of user video history information, a federal district court dismissed with prejudice a claim that the company’s alleged retention of the plaintiff’s video rental history violated the New York Video Consumer Privacy Act and the Minnesota Video Privacy Law.[468] The court observed that, like the VPPA, these state analogue statutes were meant to prevent unauthorized disclosure of video-related data rather than mere retention of it.[469]

In another video-related case,[470] a federal court held that the plaintiff had adequately pleaded a VPPA violation by alleging that a company disclosed information about the plaintiff’s online activity to his school district, which was using the company’s platform for digital learning during the COVID-19 pandemic.[471] The company moved to dismiss this claim on two grounds: First, it argued that the plaintiff was not a “subscriber” within the meaning of the VPPA, since his account with the defendant was a byproduct of his relationship with the school district.[472] Second, the company argued that any disclosure of PII was permitted by the VPPA because it was done “in the regular course of business” with the school district.[473] The court rejected both arguments, finding that the plaintiff, who held an account directly with the defendant, was plausibly a subscriber.[474] The court also said it was not appropriate to decide the second issue at the motion to dismiss stage, as the company’s contract with the district was not part of the court’s record.[475]

Employers May Be Potentially Liable for Failing to Secure Employees’ Personally Identifiable Information. 2023 also saw new lawsuits focusing on employee data privacy and seeking to hold employers liable for failing to secure employees’ PII or failing to implement appropriate safeguards. For example, the United States Court of Appeals for the Eleventh Circuit ruled that a plaintiff had plausibly alleged a negligence claim against a former employer that failed to protect PII in the employer’s possession.[476] The complaint alleges that as a condition of employment, the plaintiff and members of the proposed class were required to give the defendant certain PII like their names and Social Security numbers.[477] However, the employer did not maintain adequate security measures to protect that information, and the PII was subsequently leaked in a ransomware attack on the employer’s system.[478]

The court held that such an attack was reasonably foreseeable for a large employer like the defendant; that the plaintiff adequately pleaded that the former employer owed him a duty of care; and that failure to comply with standard data security practices was plausibly a breach of that duty.[479] Thus, the court allowed the plaintiff’s negligence claim to move forward.

Likewise, a major car manufacturer was sued for allegedly failing to protect the personal information of 75,000 current and former employees that was exposed in a data breach carried out by former employees of the company.[480] The complaint alleges that the company failed to implement or follow reasonable data security procedures as required by law, and failed to protect the sensitive information of class members from unauthorized action.[481] The case is in its early stages, and there has not yet been any dispositive-motion practice.

IV. Trends Related to Data Innovations and Governmental Data Collection

A. Data-Intensive Technologies—Privacy Implications and Trends

With the continued proliferation of data-intensive technologies, big data processing and its privacy implications continued to be an area of great focus in 2023. In addition to innovations and issues pertaining to AI, which are covered in detail in Gibson Dunn’s forthcoming Artificial Intelligence Legal Review, there was a renewed focus on smart cities, edge computing and privacy-enhancing technologies (PETs).

Smart Cities. The trend over the past decade of cities getting “smarter” continued at a rapid clip in 2023. A “smart city” leverages technology, data-driven decision-making, and digitally connected infrastructure to optimize the quality of municipal services, promote safe and sustainable communities, and achieve operational efficiencies.[482] Most of the technologies that smart cities are currently using do not collect or process personal data. For example, smart street-lighting technologies allow cities to turn on, turn off, and dim street lights based on the time of day and weather events and smart water management technologies allow cities to detect chemicals in drinking water and wastewater systems.[483] However, given that smart city technology applications are fueled by and necessitate large scale collection and processing of data as well as government partnership with the private sector, privacy advocates and policy makers are increasingly concerned about the privacy implications of such technology. These concerns largely relate to:

  • Data security: Smart cities can be vulnerable to cyberattacks because they rely on internet of things (“IoT”) devices, which are common and often insecure targets.[484] Furthermore, local governments often lack the resources to obtain secure technologies, update them, and employ cybersecurity experts.[485] In fact, a recent survey found that nearly one-third of local governments would be unable to detect whether their systems had been hacked.[486]
  • Commercial use of data: Smart city data may be used commercially if a city partners with a private company to pay for technologies and in exchange gives the company access to data the city collects.[487] A privacy concern arises if the city shares sensitive data with private partners.
  • Government surveillance: Some privacy advocates are concerned that governments will use smart city technologies to surveil individuals by obtaining data the government could not otherwise compel access to or by pulling data from different sources to build behavior profiles on individual residents.[488] Critics assert that cities are already theoretically able to aggregate enough data from smart city technologies to build detailed behavior profiles on their residents.[489] Ultimately, these debates may be settled by courts, which will decide if these data collection practices violate U.S. privacy laws or the Fourth Amendment.[490]

Although there has not been any legislation seeking to specifically regulate smart city technologies, many of the existing or pending privacy regulations are potentially applicable. However, as smart city technologies, particularly those implicating personal information or sensitive data, continue to grow in number and capability, we expect to see more specific legislation targeting such technology and use cases.

Edge Computing. The enormous volume of data being generated and processed by data-intensive technologies—e.g., IoT devices—has strained traditional computing models. This has led organizations to increasingly embrace “edge computing”—an emerging decentralized computing paradigm where data is processed closer to where it is generated, thus allowing processing of greater data volumes at greater speed.[491] Experts predict that spending on edge technology will continue to soar.[492] Due to deployment of strong internet infrastructures and a growing awareness of the importance of IoT across industries, the edge computing market is estimated to grow at a compound annual growth rate of 21.6% to hit an estimated $132.11 million in 2028.[493] The number of endpoint devices in use is also expected to skyrocket, with estimates of up to 55.7 billion total IoT devices deployed worldwide in the next few years.[494] Telecommunication companies are expected to play a large role in the growth of edge computing, as their widespread infrastructure and expansive reach position them well, literally (based on their close physical proximity to potential customers) and figuratively, to tap the edge computing market.[495]

Although the rise of edge computing is largely a function of the benefits to data processing speed and volume, edge computing has important data privacy and security benefits. For example, edge computing can mitigate some of the privacy risks innate to centralized storage and processing,[496] by diffusing data and thus reducing the scope and impact of a data breach. Edge computing may also reduce the incentives for malicious actors, as an edge device with one or a few users’ data is a less desirable target than a cloud database with millions of users’ data.[497] However, by the same token, storing and processing data on devices outside of a centralized corporate network potentially makes the data less secure, given that personal edge devices are often less secure than corporate devices.[498]

Some commentators have also suggested that edge computing may be an effective compliance tool, particularly with respect to cross-border data transfer laws. For example, one commentator believes that corporations will be able to use edge computing to manage personal data in adherence with local privacy laws by “placing certain locali[z]ed proxy policies that will not allow certain types of data to leave that legal jurisdiction.”[499] Traces of this can be found in the EU’s federated cloud infrastructure model, GAIA-X, which aims to let national governments apply local laws to cloud-hosted data.[500]

Given the rapid proliferation of data-intensive technologies, we expect organizations to continue to focus on alternative computing paradigms like edge computing, which will bring new benefits and challenges for data privacy and security.

B. Emerging Privacy Enhancing Technologies (PETs)

In March 2023, the White House Office of Science and Technology Policy (“OSTP”) published its “National Strategy to Advance Privacy-Preserving Data Sharing and Analytics.” In sum, the report and strategy calls for development and implementation of PETs in order to mitigate the privacy risks inherent in, and thus unlock the innovative and economic benefits of, large-scale data processing.[501] Examples of PETs include:

  • Homomorphic encryption: Homomorphic encryption is a differential privacy technique (adding noise to the data to prevent an adversary from determining whether any individual’s data was or was not included in the original dataset)[502] that allows computing over encrypted data to produce results in an encrypted form.[503] In other words, the data retains its relevant statistical characteristics for analysis, while hiding the data itself.[504] Then, only authorized users can extract the result from its encrypted format or see the original data.[505] However, homomorphic encryption is currently somewhat limited by higher computational costs and time.[506]
  • Secure multi-party computation: Secure multi-party computation allows several parties to simultaneously perform agreed-upon computations over their data, while permitting each individual entity to learn only the final output.[507] Accordingly, distributed datasets can be computed over without revealing the source data.[508] However, the requirement of joint collaboration can lead to higher communication and computational costs, making it difficult to scale.[509]
  • Federated learning: Federated learning allows multiple entities to collaborate and build machine-learning algorithms to process data on edge devices, such as smartphones.[510] Accordingly, the underlying data is not aggregated. Instead, the locally trained models are aggregated in the cloud.[511] In this way, participants do not have to share their raw data, providing inherent privacy protection. However, federated learning has recently been shown to be vulnerable to model inversion attacks.[512] Research into closing these vulnerabilities and creating privacy-preserving federated learning is ongoing.[513]
  • Zero-knowledge proof: Zero-knowledge proof allows one party, the “prover,” to offer proof to another party, the “verifier,” that a statement is true without revealing any sensitive information.[514] Some digital assets use this technique to prove statements about transactions without revealing additional metadata,[515] and neural networks are using zero-knowledge proof schemes to show that prediction tasks are being carried out, without disclosing any information about the model itself.[516] However, zero-knowledge proof currently has some cost and scalability limitations.[517]

According to the OSTP report, the impetus for a national strategy on PETs is the White House’s belief that large-scale data processing is crucial for innovation and the economy. However, given the complex domestic and international regulatory landscape, the White House recognizes that inherent in such processing are significant privacy risks for data subjects and organization data subjects and organizations.[518] Accordingly, the strategy calls for the adoption of PETs, which can mitigate the privacy risks of large-scale data processing and thus unlock the benefits of data processing to fuel innovation and the economy.

The OSTP report enumerates 16 recommendations across five strategic priorities to advance the development and use of PETs.[519] Importantly, the report specifically calls for the use of secure multi-party computation and zero-knowledge proofs, as well as increased public and private sector partnership and U.S. partnerships/collaboration with foreign governments.

In the absence of a comprehensive federal privacy law and/or regulations specifically focused on privacy-preserving technologies, the OSTP’s strategy signifies what may be the beginning of a burgeoning national standard for the development and use of PETs.

C. Governmental Data Collection

EU-US Data Privacy Framework. In July 2023, the European Commission adopted its adequacy decision for the EU-U.S. Data Privacy Framework, concluding that U.S. protection of cross-border data transfers is comparable to the protection offered by the EU.[520] Speaking during a press conference announcing adoption of the U.S. adequacy decision, EU justice commissioner Didier Reynders said, “[w]ith the adoption of the adequacy decision, personal data can now flow freely and safely from the European Economic Area to the United States without any further conditions or authorizations.”[521]

The decision resolved the legal uncertainty surrounding exports of EU users’ personal data by U.S. companies that had existed since the Court of Justice of the European Union invalidated the EU-U.S. Privacy Shield in 2020.[522] However, legal challenges are expected, with critics claiming that the Data Privacy Framework merely “paper[s] over the same fundamental legal conflict between EU privacy rights and U.S. surveillance powers.”[523] Nonetheless, Reynders emphasized that the “new framework is substantially different than the EU-U.S. Privacy Shield as a result of the Executive Order issued by President Biden [in 2022]” and highlighted the reworked redress mechanism that will boast “an independent and impartial tribunal that is empowered to investigate complaints lodged by Europeans and to issue binding remedial decisions.”[524] Finally, Reynders cautioned U.S. technology giants that “[i]t will be for the companies to show that they’re in full compliance with the GDPR [General Data Protection Regulation].”[525]

On July 17, 2023, the Department of Commerce launched the new Data Privacy Framework program website, dataprivacyframework.gov.[526] The website allows U.S. companies to self-certify their participation in and commitment to the EU-U.S. Data Privacy Framework (“DPF”), and, optionally, the UK Extension or Swiss-U.S. DPF Principles, in order to participate in cross-border transfers of personal data.

Government Surveillance Reform Act (GSRA). In November 2023, a bipartisan group of senators introduced the Government Surveillance Reform Act (“GSRA”), which would reform the Foreign Intelligence Act (“FISA”) and amend the Electronic Communications Privacy Act (“ECPA”). Importantly, the GSRA proposes significant restrictions on government surveillance and access to data—including, among other things, (i) protecting Americans from warrantless backdoor searches, (ii) requiring warrants for Americans’ location data, web browsing and search records, and vehicle data, (iii) restricting government collection of Americans’ information as part of large datasets and prohibiting the government from purchasing Americans’ data from data brokers, and (iv) prohibiting the collection of Americans’ domestic communications.[527]

FISA, Section 702 was set to expire at the end of 2023,[528] but Congress approved a short-term extension in December 2023.[529] Under Section 702, the government could collect communications by non-Americans located abroad, without a warrant.[530] However, the private phone calls, emails, and text messages of U.S. persons were captured by the blanket surveillance techniques deployed under Section 702.[531]

In response, several lawmakers vowed not to reauthorize Section 702 without “significant reforms.”[532] The GSRA would ban officials from conducting searches for Americans’ communications unless they first obtain a warrant in a criminal investigation or a FISA Title I order in a foreign intelligence investigation.[533] The new warrant requirement would provide for narrow exceptions in cases of: (1) consent, (2) exigent circumstances, or (3) a government attempt to identify targets of cyberattacks by searching for malicious code embedded in Americans’ communications.[534]

The GSRA would also significantly overhaul the ECPA—which addresses wiretapping, access to stored electronic communications, and other information-collection devices.[535] These changes would alter the rights and obligations of entities already covered by the ECPA and expand the reach of the ECPA to entities not currently subject to it.[536] The GSRA would:

  • Expand the scope of companies subject to the ECPA to include any online service provider.[537] The GSRA would add a new category of service providers—broadly defined as “any information service, system, or access software provider that provides or enables computer access by multiple users to a computer server”[538]—to the Stored Communications Act’s (“SCA”) provision governing compelled disclosures to governmental entities.[539]
  • Effectively codify the Sixth Circuit’s decision in Warshak v. United States, 631 F.3d 266 (6th Cir. 2010), which held that law enforcement must obtain a warrant to compel the disclosure of the contents of user communications.[540] Further, the GSRA would effectively codify Carpenter v. United States, 138 S. Ct. 2206 (2018), by requiring law enforcement to obtain a warrant to compel the disclosure of location information, web browsing records, online search queries, and covered vehicle data.[541]
  • Prohibit the government from purchasing the personal data of U.S. persons (U.S. citizens and lawful permanent residents) or people reasonably believed to be located inside the United States.[542]
  • Exempt congressional subpoenas from the ECPA, allowing political officials to subpoena the communications and personal data of U.S. persons without any statutory protection.[543]

Dueling Surveillance Bills in the U.S. House of Representatives. In December 2023, the House postponed a planned vote on two competing surveillance bills under a procedural rule called “Queen of the Hill,” whereby the bill with the most votes is sent to the Senate.[544] The House Intelligence Committee advanced the first bill, the FISA Reform and Reauthorization Act of 2023, which faced backlash from privacy rights groups.[545] More than 50 organizations signed a letter demanding the bill’s rejection.[546] By contrast, the second bill, proposed by the House Judiciary Committee, entitled The Protect Liberty and End Warrantless Surveillance Act, received support from privacy advocates.[547] Both bills are still pending in the House.

V. Conclusion

In 2023, the privacy and cybersecurity landscape in the U.S. was defined by an expansion of regulatory and enforcement activity led by federal and state agencies, as well as civil litigation brought by private plaintiffs. This was driven in large part by the rapid development and advances in data-intensive technologies like AI and IoT; the unrelenting cyber threat posed by malicious actors; and related litigation arising from these trends. We expect these trends to continue in 2024 as existing technologies and use cases take hold and new ones emerge. In the absence of comprehensive federal legislation (which is unlikely in an election year), we expect federal and state agencies to continue to lead the charge on the regulatory front and aggressively pursue enforcement actions against companies and individuals. We will continue to track and analyze these developments in the year ahead.

__________

[1] Cal. Civ. Code § 1798.100 et seq.

[2] Va. Code Ann. §§ 59.1-575 to 59.1-585.

[3] Colo. Rev. Stat. Ann. § 6-1-1308.

[4] Conn. Gen. Stat. Ann. § 42-520.

[5] Utah Code §§ 13-61-101 to 13-61-404.

[6] S.B. 262, 125 Reg. Sess. (Fla. 2023) (to be codified in Fla. Stat. § 501.701-22).

[7] H.B. 4, 88 Reg. Sess. (Tex. 2023) (to be codified in Tex. Bus. & Com. Code §§ 541.001 to 541.205).

[8] S.B. 618, 82 Leg. Assemb., Reg. Sess. (Or. 2023) (to be codified in Or. Laws Ch. 369).

[9] S.B. 384, 68 Reg. Sess. (Mont. 2023) (to be codified in Mont. Code § 30-14-2801 to 30-14-2817).

[10] S.F. 262, 89th Gen. Assemb., Reg. Sess. (Iowa 2023) (to be codified in Iowa Code § 715D.1 to 715D.9).

[11] H.B. 154, 152 Gen. Assemb., Reg. Sess. (Del. 2023) (to be codified in 6 Del. Code § 12D).

[12] S.B. 332, 220 Leg. Assemb., Reg. Sess. (N.J. 2023).

[13] H.B. 1181; S.B. 73, 112 Gen. Assemb., Reg. Sess. (Tenn. 2023) (to be codified in Tenn. Code §§ 47-18-3301 to 47-18-3315).

[14] S.B. 5, 123 Gen. Assemb., Reg. Sess. (Ind. 2023) (to be codified in Ind. Code §§ 24-15-1-1 to 24-15-11-2).

[15] Notably, under the NJDPA, “financial information” is included as a form of sensitive data, which is defined as including “a consumer’s account number, account log-in, financial account, or credit or debit number, in combination in combination with any required security code, access code, or password that would permit access to a consumer’s financial account.”

[16] Under Civil Code section 1798.150, the damages available for a private right of action to pursue statutory damages between $100 and $750 per consumer per incident or actual damages, whichever is greater, as well as injunctive or declaratory relief, and “any other relief the court deems proper.” A number of limitations also exist. For example, under Section 1798.150(b), a consumer must give a business an opportunity to “cure” the alleged violation by sending written notice prior to filing suit. If cured within 30 days and the consumer receives “an express written statement” indicating that the violations have been cured and shall not recur, a claim for statutory damages cannot be pursued.

[17] Protecting Washingtonians’ Personal Health Data and Privacy, Wash. Att’y Gen., https://www.atg.wa.gov/protecting-washingtonians-personal-health-data-and-privacy.

[18] Wash. Rev. Code § 19.373.010(23).

[19] Id. § 19.373.010(23).

[20] Id. §§ 19.373.010(28), 19.373.030(2).

[21] Id. § 19.373.010(8)(a).

[22] Id. § 19.373.010(8)(b).

[23] Id. § 19.373.010(8)(c).

[24] Id.

[25] Protecting Washingtonians’ Personal Health Data and Privacy, Wash. Att’y Gen., https://www.atg.wa.gov/protecting-washingtonians-personal-health-data-and-privacy.

[26] Wash. Rev. Code §§ 19.373.020; 19.373.030.

[27] Id. §§ 19.373.010(6)(a); 19.373.030.

[28] Id. § 19.373.040(a)–(c).

[29] Id. § 19.373.090.

[30] Id. § 19.255.040.

[31] Id.

[32] Mont. Code § 30-23-102(4).

[33] Id. § 30-23-102(6).

[34] Id. § 30-23-104(1)–(2).

[35] Id. § 330-23-104(5).

[36] Id. § 30-23-106.

[37] Press Release, Senator Josh Becker, Governor Newsom Signs First in the Nation Bill to Protect Consumers’ Data from Unknown Third Parties (Oct. 10, 2023), https://sd13.senate.ca.gov/news/press-release/october-10-2023/governor-newsom-signs-first-in-the-nation-bill-to-protect.

[38] Cal. Civ. Code §§ 1798.99.84; 1798.99.86(a)–(b).

[39] Id. § 1798.99.86(c)–(d).

[40] Id. § 1798.99.86(d)(2).

[41] Id. § 1798.99.86(a)(3).

[42] Id. § 1798.99.86(e)(1).

[43] Id. § 1798.99.80(c).

[44] Id. § 1798.99.80(c)(1)(4).

[45] N.Y. Dep’t of Fin. Servs., Cybersecurity Resource Center, https://www.dfs.ny.gov/industry_guidance/cybersecurity.

[46] N.Y. Dep’t of Fin. Servs., Enforcement and Discipline, https://dfs.ny.gov/industry_guidance/enforcement_actions.

[47] Press Release, Utah Governor Spencer J. Cox, Gov. Cox Signs Bills Focused on Social Media and Youth Mental Health in Utah (Mar. 23, 2023), https://governor.utah.gov/2023/03/23/gov-cox-signs-bills-focused-on-social-media-in-utah/.

[48] Utah Code § 13-63-101, et seq.

[49] Id. §§ 13-63-201–301.

[50] Id. § 13-63-301.

[51] NetChoice, LLC v. Reyes, No. 2:23-cv-00911 (D. Utah); Zoulek v. Hass, No. 2:24-cv-00031 (D. Utah).

[52] NetChoice, LLC v. Griffin, No. 5:23-CV-05105, 2023 WL 5660155, at *7 (W.D. Ark. Aug. 31, 2023).

[53] Id. at *13.

[54] Id. at *17, 40–41.

[55] Alario v. Knudsen, No. CV 23-56-M-DWM, 2023 WL 8270811 (D. Mont. Nov. 30, 2023).

[56] Id. at *4.

[57] American Data Privacy and Protection Act (“ADPPA”), H.R. 8152, 117th Cong. (2022).

[58] Id. §§ 101(a)–(b), 103(a).

[59] Id. § 207(a)(1).

[60] Id. §§ 207(b), 401, 402(a).

[61] Id. § 403(a).

[62] Id. § 404(b)(1).

[63] See Innovation, Data, and Commerce Subcommittee Hearing: “Addressing America’s Data Privacy Shortfalls: How a National Standard Fills Gaps to Protect Americans’ Personal Information,” U.S. House Energy & Commerce Comm. (Apr. 27, 2023), https://energycommerce.house.gov/events/innovation-data-and-commerce-subcommittee-hearing-addressing-america-s-data-privacy-shortfalls-how-a-national-standard-fills-gaps-to-protect-americans-personal-information; Innovation, Data, and Commerce Subcommittee Hearing: “Promoting U.S. Innovation and Individual Liberty through a National Standard for Data Privacy,” U.S. House Energy & Commerce Comm. (Mar. 1, 2023), https://energycommerce.house.gov/events/innovation-data-and-commerce-subcommittee-hearing-promoting-u-s-innovation-and-individual-liberty-through-a-national-standard-for-data-privacy.

[64] Exec. Order No. 14,110, 88 Fed. Reg. 75191 (Oct. 30, 2023); see also Press Release, White House, FACT SHEET: President Biden Issues Executive Order on Safe, Secure, and Trustworthy Artificial Intelligence (Oct. 30, 2023), https://www.whitehouse.gov/briefing-room/statements-releases/2023/10/30/fact-sheet-president-biden-issues-executive-order-on-safe-secure-and-trustworthy-artificial-intelligence.

[65] Remarks of President Joe Biden – State of the Union Address as Prepared for Delivery, White House (Feb. 7, 2023), https://www.whitehouse.gov/briefing-room/speeches-remarks/2023/02/07/remarks-of-president-joe-biden-state-of-the-union-address-as-prepared-for-delivery.

[66] See Eric McDaniel, Congress Passed So Few Laws This Year That We Explained Them All in 1,000 Words, NPR (Dec. 22, 2023), https://www.npr.org/2023/12/22/1220111009/congress-passed-so-few-laws-this-year-that-we-explained-them-all-in-1-000-words; Müge Fazlioglu, US Federal Privacy Legislation Tracker: Introduced in the 118th Congress (2023-2024), IAPP (last updated Sept. 2023), https://iapp.org/media/pdf/resource_center/us_federal_privacy_legislation_tracker.pdf.

[67] Müge Fazlioglu, U.S. Privacy Legislation in 2023: Something Old, Something New?, IAPP (July 26, 2023), https://iapp.org/news/a/u-s-federal-privacy-legislation-in-2023-something-old-something-new.

[68] Press Release, U.S. Senate Judiciary Comm., Durbin, Graham Announce January 2024 Hearing with Five Big Tech CEOs on their Failure to Protect Children Online (Nov. 29, 2023), https://www.judiciary.senate.gov/press/releases/durbin-graham-announce-january-2024-hearing-with-five-big-tech-ceos-on-their-failure-to-protect-children-online; Full Committee Hearing: “TikTok: How Congress Can Safeguard American Data Privacy and Protect Children from Online Harms,” U.S. House Energy & Commerce Comm. (Mar. 23, 2023), https://energycommerce.house.gov/events/full-committee-hearing-tik-tok-how-congress-can-safeguard-american-data-privacy-and-protect-children-from-online-harms.

[69] Kids Online Safety Act, S. 1409, 118th Cong. (2023).

[70] Children and Teens’ Online Privacy Protection Act, S. 1418, 118th Cong. (2023).

[71] Informing Consumers about Smart Devices Act, S. 90, 118th Cong. (2023).

[72] Stop Spying Bosses Act, S. 262, 118th Cong. (2023).

[73] UPHOLD Privacy Act of 2023, S. 631, 118th Cong. (2023).

[74] DELETE Act, H.R. 4311, 118th Cong. (2023).

[75] Data Care Act of 2023, S. 744, 118th Cong. (2023).

[76] Online Privacy Act of 2023, H.R. 2701, 118th Cong. (2023).

[77] Federal Cybersecurity Vulnerability Reduction Act of 2023, H.R. 5255, 118th Cong. (2023).

[78] Modernizing the Acquisition of Cybersecurity Experts Act of 2023, H.R. 4502, 118th Cong. (2023).

[79] Federal Cybersecurity Workforce Expansion Act, S. 2256, 118th Cong. (2023).

[80] See Press Release, White House, President Biden Recognizes Actions by Private Sector Ticketing and Travel Companies to Eliminate Hidden Junk Fees and Provide Millions of Customers with Transparent Pricing (June 15, 2023), https://www.whitehouse.gov/briefing-room/statements-releases/2023/06/15/president-biden-recognizes-actions-by-private-sector-ticketing-and-travel-companies-to-eliminate-hidden-junk-fees-and-provide-millions-of-customers-with-transparent-pricing/. See also Press Release, White House, FACT SHEET: Executive Order on Promoting Competition in the American Economy (July 9, 2021), https://www.whitehouse.gov/briefing-room/statements-releases/2021/07/09/fact-sheet-executive-order-on-promoting-competition-in-the-american-economy/.

[81] Trade Regulation Rule on Unfair or Deceptive Fees, 88 Fed. Reg. 77420 (Nov. 9, 2023), https://www.federalregister.gov/documents/2023/11/09/2023-24234/trade-regulation-rule-on-unfair-or-deceptive-fees; Trade Regulation Rule on Unfair or Deceptive Fees, 89 Fed. Reg. 38 (Jan. 2, 2024).

[82] Christine Wilson, Letter to President Joseph R. Biden (Mar. 2, 2023), https://www.ftc.gov/system/files/ftc_gov/pdf/p180200wilsonresignationletter.pdf.

[83] See Press Release, White House, President Biden Announces Nominees to Bipartisan Boards and Commissions (July 3, 2023), https://www.whitehouse.gov/briefing-room/statements-releases/2023/07/03/president-biden-announces-nominees-to-bipartisan-boards-and-commissions.

[84] Melissa Holyoak, Statement Before the U.S. Senate Committee on Commerce, Science, and Transportation (Sep. 20, 2023), https://www.commerce.senate.gov/services/files/51CBECA7-1810-4CCD-8046-0AE99CA34CC4.

[85] Hawley Holds Nominees, Calls for Further Evaluation of McConnell Nominees, Senate Office of Josh Hawley (Dec. 20, 2023), https://www.hawley.senate.gov/hawley-holds-nominees-calls-further-evaluation-mcconnell-nominees.

[86] Lina Khan, Lina Khan: We Must Regulate A.I. Here’s How, New York Times (May 3, 2023), https://www.nytimes.com/2023/05/03/opinion/ai-lina-khan-ftc-technology.html.

[87] Michael Atleson, Keep Your AI Claims in Check, Federal Trade Commission (Feb. 27, 2023), https://www.ftc.gov/business-guidance/blog/2023/02/keep-your-ai-claims-check.

[88] Michael Atleson, Chatbots, Deepfakes, and Voice Clones: AI Deception for Sale, Federal Trade Commission (Mar. 20, 2023), https://www.ftc.gov/business-guidance/blog/2023/03/chatbots-deepfakes-voice-clones-ai-deception-sale.

[89] Id.

[90] Id.

[91] Michael Atleson, The Luring Test: AI and the Engineering of Consumer Trust, Federal Trade Commission (May 1, 2023), https://www.ftc.gov/business-guidance/blog/2023/05/luring-test-ai-engineering-consumer-trust.

[92] Michael Atleson, Watching the Detectives: Suspicious Marketing Claims for Tools that Spot AI-Generated Content, Federal Trade Commission (May 1, 2023), https://www.ftc.gov/business-guidance/blog/2023/07/watching-detectives-suspicious-marketing-claims-tools-spot-ai-generated-content.

[93] Alex Gaynor, Security Principles: Addressing Underlying Causes of Risk in Complex Systems, Federal Trade Commission (February 1, 2023), https://www.ftc.gov/policy/advocacy-research/tech-at-ftc/2023/02/security-principles-addressing-underlying-causes-risk-complex-systems.

[94] Id.

[95] Id.

[96] Samuel Levine, Chief, Federal Trade Commission, Remarks of Chief Samual Levine at the Consumer Data Industry Association Law and Industry Conference (September 21, 2023), https://www.ftc.gov/system/files/ftc_gov/pdf/cdia-sam-levine-9-21-2023.pdf.

[97] Mike Swift, US FTC still pondering ‘commercial surveillance’ rulemaking, Slaughter tells tech industry, MLex (Jan. 10, 2024), https://content.mlex.com/#/content/1535579.

[98] Press Release, Federal Trade Commission, FTC Finalizes Order Requiring Fortnite maker Epic Games to Pay $245 Million for Tricking Users into Making Unwanted Charges (Mar. 14, 2023), https://www.ftc.gov/news-events/news/press-releases/2023/03/ftc-finalizes-order-requiring-fortnite-maker-epic-games-pay-245-million-tricking-users-making.

[99] 15 U.S.C. § 45(a).

[100] Complaint, FTC v. Ring LLC, Case No. 1:23-cv-1549 (May 31, 2023).

[101] Proposed Stipulated Order, FTC v. Ring LLC, Case No. 1:23-cv-1549 (May 31, 2023); Press Release, Federal Trade Commission, FTC Says Ring Employees Illegally Surveilled Customers, Failed to Stop Hackers from Taking Control of Users’ Cameras (May 31, 2023), https://www.ftc.gov/news-events/news/press-releases/2023/05/ftc-says-ring-employees-illegally-surveilled-customers-failed-stop-hackers-taking-control-users.

[102] Notices of Penalty Offenses, Federal Trade Commission, https://www.ftc.gov/enforcement/penalty-offenses.

[103] Press Release, Federal Trade Commission, FTC Warns Tax Preparation Companies About Misuse of Consumer Data (Sep. 18, 2023), https://www.ftc.gov/news-events/news/press-releases/2023/09/ftc-warns-tax-preparation-companies-about-misuse-consumer-data.

[104] Complaint, U.S. v. Amazon.com, Inc., and Amazon.com Services LLC, Case No. 2:23-cv-00811 (May 31, 2023).

[105] Amazon Alexa, Federal Trade Commission (July 21, 2023), https://www.ftc.gov/legal-library/browse/cases-proceedings/amazon-alexa.

[106] Press Release, Federal Trade Commission, FTC Enforcement Action to Bar GoodRx from Sharing Consumers’ Sensitive Health Info for Advertising (Feb. 1, 2023), https://www.ftc.gov/news-events/news/press-releases/2023/02/ftc-enforcement-action-bar-goodrx-sharing-consumers-sensitive-health-info-advertising.

[107] Press Release, Federal Trade Commission, FTC Warns Health Apps and Connected Device Companies to Comply With Health Breach Notification Rule (Sep. 21, 2023), https://www.ftc.gov/news-events/news/press-releases/2021/09/ftc-warns-health-apps-connected-device-companies-comply-health-breach-notification-rule.

[108] Press Release, Federal Trade Commission, FTC Enforcement Action to Bar GoodRx from Sharing Consumers’ Sensitive Health Info for Advertising (Feb. 1, 2023), https://www.ftc.gov/news-events/news/press-releases/2023/02/ftc-enforcement-action-bar-goodrx-sharing-consumers-sensitive-health-info-advertising.

[109] Health Breach Notification Rule, 88 Fed. Reg. 37819, 37839 (June 9, 2023), https://www.federalregister.gov/documents/2023/06/09/2023-12148/health-breach-notification-rule; see also Press Release, Federal Trade Commission, FTC Proposes Amendments to Strengthen and Modernize the Health Breach Notification Rule (May 18, 2023), https://www.ftc.gov/news-events/news/press-releases/2023/05/ftc-proposes-amendments-strengthen-modernize-health-breach-notification-rule.

[110] Press Release, Federal Trade Commission, FTC Finalizes Order with 1Health.io Over Charges it Failed to Protect Privacy and Security of DNA Data and Unfairly Changed its Privacy Policy (Sep. 7, 2023), https://www.ftc.gov/news-events/news/press-releases/2023/09/ftc-finalizes-order-1healthio-over-charges-it-failed-protect-privacy-security-dna-data-unfairly.

[111] FTC v. Rite Aid Corp., No. 2:23-cv-05023 (E.D. Pa. Dec. 19, 2023).

[112] Press Release, Federal Trade Commission, FTC Strengthens Security Safeguards for Consumer Financial Information Following Widespread Data Breaches (Oct. 27, 2021), https://www.ftc.gov/news-events/news/press-releases/2021/10/ftc-strengthens-security-safeguards-consumer-financial-information-following-widespread-data.

[113] Press Release, Federal Trade Commission, FTC Amends Safeguards Rule to Require Non-Banking Financial Institutions to Report Data Security Breaches (October 27, 2023), https://www.ftc.gov/news-events/news/press-releases/2023/10/ftc-amends-safeguards-rule-require-non-banking-financial-institutions-report-data-security-breaches.

[114] Press Release, Federal Trade Commission, Compliance deadline for certain revised FTC Safeguards Rule provisions extended to June 2023 (November 15, 2022), https://www.ftc.gov/business-guidance/blog/2022/11/compliance-deadline-certain-revised-ftc-safeguards-rule-provisions-extended-june-2023.

[115] Id.

[116] Press Release, Federal Trade Commission, FTC Strengthens Security Safeguards for Consumer Financial Information Following Widespread Data Breaches (Oct. 27, 2021), https://www.ftc.gov/news-events/news/press-releases/2021/10/ftc-strengthens-security-safeguards-consumer-financial-information-following-widespread-data.

[117] Press Release, Federal Trade Commission, FTC Proposes Strengthening Children’s Privacy Rule to Further Limit Comanies’ Ability to Monetize Children’s Data (December 20, 2023), https://www.ftc.gov/news-events/news/press-releases/2023/12/ftc-proposes-strengthening-childrens-privacy-rule-further-limit-companies-ability-monetize-childrens.

[118] Id.

[119] Id.

[120] Id.; Children’s Online Privacy Protection Rule, 89 Fed. Reg. 2034 (Jan. 11, 2024). https://www.federalregister.gov/documents/2024/01/11/2023-28569/childrens-online-privacy-protection-rule.

[121] Press Release, Federal Trade Commission, FTC Seeks Comment on New Parental Consent Mechanism Under COPPA (July 19, 2023), https://www.ftc.gov/news-events/news/press-releases/2023/07/ftc-seeks-comment-new-parental-consent-mechanism-under-coppa.

[122] Id.

[123] Press Release, Federal Trade Commission, FTC Will Require Microsoft to Pay $20 million over Charges it Illegally Collected Personal Information from Children without Their Parents’ Consent (June 5, 2023), https://www.ftc.gov/news-events/news/press-releases/2023/06/ftc-will-require-microsoft-pay-20-million-over-charges-it-illegally-collected-personal-information.

[124] Id.

[125] Press Release, Federal Trade Commission, FTC Proposes Blanket Prohibition Preventing Facebook from Monetizing Youth Data (May 3, 2023) https://www.ftc.gov/news-events/news/press-releases/2023/05/ftc-proposes-blanket-prohibition-preventing-facebook-monetizing-youth-data.

[126] Id.

[127] Policy Statement of the Federal Trade Commission on Biometric Information and Section 5 of the Federal Trade Commission Act, Federal Trade Commission (May 18, 2023), https://www.ftc.gov/system/files/ftc_gov/pdf/p225402biometricpolicystatement.pdf.

[128] Press Release, Federal Trade Commission, FTC to Host Identity Authentication Workshop (Feb. 21, 2007) https://www.ftc.gov/news-events/news/press-releases/2007/02/ftc-host-identity-authentication-w; You Don’t Say: An FTC Workshop on Voice Cloning Technologies, Federal Trade Commission (Jan. 28, 2020), https://www.ftc.gov/newsevents/events/2020/01/you-dont-say-ftc-workshop-voice-cloning-technologies; Face Facts: A Forum on Facial Recognition Technology, Federal Trade Commission (Dec. 8, 2011), https://www.ftc.gov/newsevents/events/2011/12/face-facts-forum-facial-recognition-technology; Facing Facts: Best Practices for Common Uses of Facial Recognition Technology, Federal Trade Commission (Oct. 2012), https://www.ftc.gov/reports/facing-facts-best-practices-common-uses-facial-recognition-technologies.

[129] Policy Statement of the Federal Trade Commission on Biometric Information and Section 5 of the Federal Trade Commission Act, Federal Trade Commission (May 18, 2023), https://www.ftc.gov/system/files/ftc_gov/pdf/p225402biometricpolicystatement.pdf.

[130] Id.

[131] Press Release, Federal Trade Commission, Rite Aid Banned From Using AI Facial Recognition After FTC Says Retailer Deployed Technology without Reasonable Safeguards (Dec. 19, 2023), https://www.ftc.gov/news-events/news/press-releases/2023/12/rite-aid-banned-using-ai-facial-recognition-after-ftc-says-retailer-deployed-technology-without.

[132] Press Release, Consumer Financial Protection Bureau, CFPB Proposes Rule to Jumpstart Competition and Accelerate Shift to Open Banking (Oct. 19, 2023), https://www.consumerfinance.gov/about-us/newsroom/cfpb-proposes-rule-to-jumpstart-competition-and-accelerate-shift-to-open-banking/.

[133] Id.

[134] See id.; Required Rulemaking on Personal Financial Data Rights, 88 Fed. Reg. 74796, 74809 (Oct. 31, 2023) (to be codified at 12 C.F.R. pts. 1001, 1033), https://www.federalregister.gov/documents/2023/10/31/2023-23576/required-rulemaking-on-personal-financial-data-rights.

[135] Required Rulemaking on Personal Financial Data Rights, 88 Fed. Reg. 74796, 74796 (Oct. 31, 2023) (to be codified at 12 C.F.R. pts. 1001, 1033), https://www.federalregister.gov/documents/2023/10/31/2023-23576/required-rulemaking-on-personal-financial-data-rights.

[136] 12 U.S.C. § 5533(a).

[137] Required Rulemaking on Personal Financial Data Rights, 88 Fed. Reg. 74796, 74803 (Oct. 31, 2023) (to be codified at 12 C.F.R. pts. 1001, 1033), https://www.federalregister.gov/documents/2023/10/31/2023-23576/required-rulemaking-on-personal-financial-data-rights.

[138] Id. at 74809.

[139] Id. at 74832.

[140] Id. at 74833.

[141] Id. at 74874.

[142] Id.; Press Release, Consumer Financial Protection Bureau, Prepared Remarks of CFPB Director Rohit Chopra on the Proposed Personal Financial Data Rights Rule (Oct. 19, 2023), https://www.consumerfinance.gov/about-us/newsroom/prepared-remarks-of-cfpb-director-rohit-chopra-on-the-proposed-personal-financial-data-rights-rule/.

[143] Press Release, Consumer Financial Protection Bureau, CFPB Proposes New Federal Oversight of Big Tech Companies and Other Providers of Digital Wallets and Payment Apps (Nov. 7, 2023), https://www.consumerfinance.gov/about-us/newsroom/cfpb-proposes-new-federal-oversight-of-big-tech-companies-and-other-providers-of-digital-wallets-and-payment-apps/.

[144] Defining Larger Participants of a Market for General-Use Digital Consumer Payment Applications, 88 Fed. Reg. 80197, 80199, 80204 (Nov. 17, 2023) (to be codified at 12 C.F.R. pt. 1090), https://www.federalregister.gov/documents/2023/11/17/2023-24978/defining-larger-participants-of-a-market-for-general-use-digital-consumer-payment-applications.

[145] Press Release, Consumer Financial Protection Bureau, CFPB Proposes New Federal Oversight of Big Tech Companies and Other Providers of Digital Wallets and Payment Apps (Nov. 7, 2023), https://www.consumerfinance.gov/about-us/newsroom/cfpb-proposes-new-federal-oversight-of-big-tech-companies-and-other-providers-of-digital-wallets-and-payment-apps/.

[146] Id.

[147] Press Release, Consumer Financial Protection Bureau, CFPB Launches Inquiry Into the Business Practices of Data Brokers (Mar. 15, 2023), https://www.consumerfinance.gov/about-us/newsroom/cfpb-launches-inquiry-into-the-business-practices-of-data-brokers/.

[148] Request for Information Regarding Data Brokers and Other Business Practices Involving the Collection and Sale of Consumer Information, 88 Fed. Reg. 16951, 16952 (Mar. 21, 2023), https://www.federalregister.gov/documents/2023/03/21/2023-05670/request-for-information-regarding-data-brokers-and-other-business-practices-involving-the-collection.

[149] Press Release, Consumer Financial Protection Bureau, Remarks of CFPB Director Rohit Chopra at White House Roundtable on Protecting Americans from Harmful Data Broker Practices (Aug. 15, 2023), https://www.consumerfinance.gov/about-us/newsroom/remarks-of-cfpb-director-rohit-chopra-at-white-house-roundtable-on-protecting-americans-from-harmful-data-broker-practices/.

[150] Id.; see also 15 U.S.C. § 1681b.

[151] Id.

[152] Id.

[153] Press Release, Consumer Financial Protection Bureau, CFPB and Federal Partners Confirm Automated Systems and Advanced Technology Not an Excuse for Lawbreaking Behavior (Apr. 25, 2023), https://www.consumerfinance.gov/about-us/newsroom/cfpb-federal-partners-confirm-automated-systems-advanced-technology-not-an-excuse-for-lawbreaking-behavior/.

[154] Press Release, Consumer Financial Protection Bureau, CFPB Issue Spotlight Analyzes “Artificial Intelligence” Chatbots in Banking (June 3, 2023), https://www.consumerfinance.gov/about-us/newsroom/cfpb-issue-spotlight-analyzes-artificial-intelligence-chatbots-in-banking.

[155] Rohit Chopra, Algorithms, Artificial Intelligence, and Fairness in Home Appraisals, CFPB Blog (June 1, 2023), https://www.consumerfinance.gov/about-us/blog/algorithms-artificial-intelligence-fairness-in-home-appraisals/.

[156] Quality Control Standards for Automated Valuation Models, 88 Fed. Reg. 40638, 40638 (June 21, 2023), https://www.federalregister.gov/documents/2023/06/21/2023-12187/quality-control-standards-for-automated-valuation-models.

[157] Rohit Chopra, Algorithms, Artificial Intelligence, and Fairness in Home Appraisals, CFPB Blog (June 1, 2023), https://www.consumerfinance.gov/about-us/blog/algorithms-artificial-intelligence-fairness-in-home-appraisals/.

[158] Quality Control Standards for Automated Valuation Models, 88 Fed. Reg. 40638, 40638 (June 21, 2023), https://www.federalregister.gov/documents/2023/06/21/2023-12187/quality-control-standards-for-automated-valuation-models.

[159] Press Release, Consumer Financial Protection Bureau, CFPB Issues Guidance on Credit Denials by Lenders Using Artificial Intelligence (Sept. 19, 2023), https://www.consumerfinance.gov/about-us/newsroom/cfpb-issues-guidance-on-credit-denials-by-lenders-using-artificial-intelligence/.

[160] Id.

[161] Press Release, SEC, SEC Proposes Changes to Reg S-P to Enhance Protection of Customer Information (Mar. 15, 2023), https://www.sec.gov/news/press-release/2023-51.

[162] Id.

[163] Id.

[164] Id.

[165] A Small Entity Compliance Guide, SEC, Cybersecurity Risk Management Strategy, Governance, and Incident Disclosure (Nov. 14, 2023), https://www.sec.gov/corpfin/secg-cybersecurity#_ftn1.

[166] Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, Exchange Act Release, 88 Fed. Reg. 51896, 51899.

[167] Id.

[168] Id.

[169] Id.

[170] Id. at 51924.

[171] Id. at 51898–51899.

[172] Id. at 51945.

[173] Id. at 51909–51910.

[174] The rule also includes another exemption that only applies to companies subject to the Federal Communications (“FCC”) notification rule for breaches of customer proprietary network information (“CPNI”). A more detailed description of this exception is outlined in Gibson Dunn’s July 31, 2023 update.

[175] Id.

[176] DOJ, Department of Justice Material Cybersecurity Incident Delay Determinations (Dec. 12, 2023), https://www.justice.gov/media/1328226/dl?inline.

[177] Id.

[178] Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, Exchange Act Release, 88 Fed. Reg. 51896, 51899.

[179] Id.

[180] Id. at 51913.

[181] Id.

[182] Id.

[183] Id. at 51914.

[184] The Commission’s Privacy Act Regulations, 88 Fed. Reg. 65807, 65808.

[185] Id. at 65808–09.

[186] Press Release, SEC, SEC Proposes Cybersecurity Risk Management Rules and Amendments for Registered Investment Advisers and Funds (Feb. 9, 2022), https://www.sec.gov/news/press-release/2022-20.

[187] Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies, and Business Development Companies, 87 Fed. Reg. 13524 (published Mar. 9, 2022) (to be codified at 17 C.F.R. pts. 230, 232, 239, 270, 274, 275, 279), https://www.federalregister.gov/documents/2022/03/09/2022-03145/cybersecurity-risk-management-for-investment-advisers-registered-investment-companies-and-business.

[188] SEC, Agency Rule List – Fall 2023, https://www.reginfo.gov/public/do/eAgendaMain?operation=OPERATION_GET_AGENCY_RULE_LIST&currentPub=true&agencyCode=&showStage=active&agencyCd=3235&csrf_token=28A8C6498A23E2932F2D7BB0618F4AA9746D20D66D0E1500674B7BEBFD26693EFE119AEDE913D6851EE65F43B418CC81FFA8.

[189] SEC, View Rule (last visited, Jan. 26, 2023), https://www.reginfo.gov/public/do/eAgendaViewRule?pubId=202310&RIN=3235-AN15.

[190] SEC, 2024 Examination Priorities (Oct. 16, 2023), https://www.sec.gov/files/2024-exam-priorities.pdf.

[191] Press Release, SEC, SEC Division of Examinations Announces 2024 Priorities, https://www.sec.gov/news/press-release/2023-222/.

[192] SEC, SEC Enforcement Results for FY23 (last modified, Jan. 22, 2024), https://www.sec.gov/newsroom/enforcement-results-fy23.

[193] SEC, SEC Enforcement Results for FY23 (last modified, Jan. 22, 2024), https://www.sec.gov/newsroom/enforcement-results-fy23.

[194] Id.

[195] Id.

[196] Press Release, SEC, SEC Charges Virtu for False and Misleading Disclosures Relating to Information Barriers (September 12, 2023), https://www.sec.gov/news/press-release/2023-176.

[197] Id.

[198] Id.

[199] Id.

[200] Press Release, SEC, SEC Charges Software Company Blackbaud Inc. for Misleading Disclosures About Ransomware Attack That Impacted Charitable Donors (March 9, 2023), https://www.sec.gov/news/press-release/2023-48.

[201] Id.

[202] Id.

[203] Id.

[204] Id.

[205] Press Release, SEC, SEC Charges SolarWinds and Chief Information Security Officer with Fraud, Internal Control Failures (Oct. 30, 2023), https://www.sec.gov/news/press-release/2023-227; see also Complaint ¶ 1, SEC v. SolarWinds Corp., No. 1:23-9518 (S.D.N.Y. Oct. 30, 2023), ECF No. 1.

[206] Press Release, SEC, SEC Charges SolarWinds and Chief Information Security Officer with Fraud, Internal Control Failures (Oct. 30, 2023), https://www.sec.gov/news/press-release/2023-227.

[207] Id.

[208] Id.

[209] Id.

[210] Id.

[211] Id.

[212] Id.

[213] Id.

[214] Id.

[215] Press Release, Department of Health and Human Services, HHS Announces New Divisions Within the Office for Civil Rights to Better Address Growing Need of Enforcement in Recent Years (Feb. 27, 2023), https://www.hhs.gov/about/news/2023/02/27/hhs-announces-new-divisions-within-office-civil-rights-better-address-growing-need-enforcement-recent-years.html.

[216] Id.

[217] Id.

[218] Id.

[219] Press Release, Department of Health and Human Services, HHS Finalizes Rule to Advance Health IT Interoperability and Algorithm Transparency (Dec. 13, 2023), https://www.hhs.gov/about/news/2023/12/13/hhs-finalizes-rule-to-advance-health-it-interoperability-and-algorithm-transparency.html; see also Press Release, Department of Health and Human Services, HHS Proposes New Rule to Further Implement the 21st Century Cures Act (Apr. 11, 2023), https://www.hhs.gov/about/news/2023/04/11/hhs-propose-new-rule-to-further-implement-the-21st-century-cures-act.html.

[220] Id.

[221] Office of the National Coordinator for Health Information Technology, Department of Health and Human Services, Health Data, Technology, and Interoperability: Certification Program Updates, Algorithm Transparency, and Information Sharing, 45 C.F.R. § 170, https://www.federalregister.gov/documents/2024/01/09/2023-28857/health-data-technology-and-interoperability-certification-program-updates-algorithm-transparency-and.

[222] Id.; see also Department of Health and Human Services, Telehealth policy updates (Nov. 9, 2023), https://telehealth.hhs.gov/providers/telehealth-policy/telehealth-policy-updates.

[223] Press Release, Department of Health and Human Services, Fact Sheet: End of the COVID-19 Public Health Emergency (May 9, 2023), https://www.hhs.gov/about/news/2023/05/09/fact-sheet-end-of-the-covid-19-public-health-emergency.html.

[224] Id.

[225] Department of Health and Human Services, Telehealth Policy Changes After the COVID-19 Public Health Emergency (Dec. 19, 2023), https://telehealth.hhs.gov/providers/telehealth-policy/policy-changes-after-the-covid-19-public-health-emergency.

[226] Press Release, Department of Health and Human Services, HHS Office for Civil Rights and the Federal Trade Commission Warn Hospital Systems and Telehealth Providers about Privacy and Security Risks from Online Tracking Technologies (July 20, 2023), https://www.hhs.gov/about/news/2023/07/20/hhs-office-civil-rights-federal-trade-commission-warn-hospital-systems-telehealth-providers-privacy-security-risks-online-tracking-technologies.html.

[227] Id.

[228] FTC, Updated FTC-HHS publication outlines privacy and security laws and rules that impact consumer health data (Sept. 15, 2023), https://www.ftc.gov/business-guidance/blog/2023/09/updated-ftc-hhs-publication-outlines-privacy-security-laws-rules-impact-consumer-health-data.

[229] Press Release, Department of Health and Human Services, Statement from Secretary Becerra on the One Year Anniversary of the Dobbs v. Jackson Women’s Health Organization Decision (June 24, 2023), https://www.hhs.gov/about/news/2023/06/24/statement-secretary-becerra-one-year-anniversary-dobbs-v-jackson-womens-health-organization-decision.html.

[230] See Dobbs v. Jackson Women’s Health Org., 597 U.S. 215 (2022).

[231] Press Release, Department of Health and Human Services, Statement from Secretary Becerra on the One Year Anniversary of the Dobbs v. Jackson Women’s Health Organization Decision (June 24, 2023), https://www.hhs.gov/about/news/2023/06/24/statement-secretary-becerra-one-year-anniversary-dobbs-v-jackson-womens-health-organization-decision.html.

[232] Press Release, Department of Health and Human Services, HHS Proposes Measures to Bolster Patient-Provider Confidentiality Around Reproductive Health Care (Apr. 12, 2023), https://www.hhs.gov/about/news/2023/04/12/hhs-proposes-measures-bolster-patient-provider-confidentiality-around-reproductive-health-care.html.

[233] Id.; see also Regulatory Initiatives, Department of Health and Human Services, HIPAA Privacy Rule and Reproductive Health Care (Apr. 14, 2023), https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/index.html.

[234] HIPAA Privacy Rule To Support Reproductive Health Care Privacy, 88 Fed. Reg. 23506 (proposed Apr. 17, 2023) (to be codified at 45 C.F.R. pts. 160, 164); HHS/OCR, View Rule (last visited Jan. 26, 2024), https://www.reginfo.gov/public/do/eAgendaViewRule?pubId=202310&RIN=0945-AA20.

[235] Press Release, Department of Health and Human Services, HHS’ Office for Civil Rights Settles HIPAA Investigation of St. Joseph’s Medical Center for Disclosure of Patients’ Protected Health Information to a News Reporter (Nov. 20, 2023), https://www.hhs.gov/about/news/2023/11/20/hhs-office-civil-rights-settles-hipaa-investigation-st-josephs-medical-center-disclosure-patients-protected-health-information-news-reporter.html; Department of Health and Human Services, St. Joseph’s Medical Center Resolution Agreement and Corrective Action Plan (Aug. 22, 2023), https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/sjmc-ra-cap/index.html.

[236] Id.

[237] Id.

[238] Id.

[239] Press Release, Department of Health and Human Services, HHS’ Office for Civil Rights Settles Multiple HIPAA Complaints With Optum Medical Care Over Patient Access to Records (Dec. 15, 2023), https://www.hhs.gov/about/news/2023/12/15/hhs-office-for-civil-rights-settles-multiple-hipaa-complaints-with-optum-medical-care-over-patient-access-to-records.html.

[240] Id.

[241] See id.

[242] Press Release, Department of Health and Human Services, HHS Office for Civil Rights Settles HIPAA Investigation with Arizona Hospital System Following Cybersecurity Hacking (Feb. 2, 2023), https://www.hhs.gov/about/news/2023/02/02/hhs-office-for-civil-rights-settles-hipaa-investigation-with-arizona-hospital-system.html.

[243] Id.

[244] Press Release, Department of Health and Human Services, HHS’ Office for Civil Rights Settles First Ever Phishing Cyber-Attack Investigation (Dec. 7, 2023), https://www.hhs.gov/about/news/2023/12/07/hhs-office-for-civil-rights-settles-first-ever-phishing-cyber-attack-investigation.html.

[245] Id.

[246] Id.

[247] Press Release, Department of Homeland Security, Statement from Secretary Mayorkas on President Biden’s National Cybersecurity Strategy (Mar. 2, 2023), https://www.dhs.gov/news/2023/03/02/statement-secretary-mayorkas-president-bidens-national-cybersecurity-strategy.

[248] Press Release, Department of Homeland Security, DHS Issues Recommendations to Harmonize Cyber Incident Reporting for Critical Infrastructure Entities (Sept. 19, 2023), https://www.dhs.gov/news/2023/09/19/dhs-issues-recommendations-harmonize-cyber-incident-reporting-critical.

[249] Brandon Wales, CIRCIA at One Year: A Look Behind the Scenes, Cybersecurity & Infrastructure Security Agency (Mar. 24, 2023), https://www.cisa.gov/news-events/news/circia-one-year-look-behind-scenes; see also Gibson Dunn’s client alert on the Cyber Incident Reporting for Critical Infrastructure Act, https://www.gibsondunn.com/president-biden-signs-into-law-the-cyber-incident-reporting-for-critical-infrastructure-act-expanding-cyber-reporting-obligations-for-a-wide-range-of-public-and-private-entities/.

[250] Press Release, Department of Homeland Security, Joint Statement from 21 Countries and the Organization of American States Following the Department of Homeland Security Western Hemisphere Cyber Conference (Sept. 28, 2023), https://www.dhs.gov/news/2023/09/28/joint-statement-21-countries-and-organization-american-states-following-department.

[251] Press Release, Cybersecurity and Infrastructure Security Agency, CISA and FBI Release Advisory on CL0P Ransomware Gang Exploiting MOVEit Vulnerability (June 7, 2023), https://www.cisa.gov/news-events/news/cisa-and-fbi-release-advisory-cl0p-ransomware-gang-exploiting-moveit-vulnerability.

[252] Press Release, Department of Homeland Security, Cyber Safety Review Board Releases Report on Activities of Global Extortion-Focused Hacker Group Lapsus$ (Aug. 10, 2023), https://www.dhs.gov/news/2023/08/10/cyber-safety-review-board-releases-report-activities-global-extortion-focused; Press Release, Department of Homeland Security, Department of Homeland Security’s Cyber Safety Review Board to Conduct Review on Cloud Security (Aug. 11, 2023), https://www.dhs.gov/news/2023/08/11/department-homeland-securitys-cyber-safety-review-board-conduct-review-cloud.

[253] Cybersecurity Advisory, Cybersecurity and Infrastructure Security Agency, #StopRansomware: LockBit 3.0 Ransomware Affiliates Exploit CVE 2023-4966 Citrix Bleed Vulnerability (Nov. 21, 2023), https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-325a.

[254] Press Release, Department of Homeland Security, DHS Announces Additional $374.9 Million in Funding to Boost State, Local Cybersecurity (Aug. 7, 2023), https://www.dhs.gov/news/2023/08/07/dhs-announces-additional-3749-million-funding-boost-state-local-cybersecurity.

[255] Press Release, Department of Justice, Justice Department Announces New National Security Cyber Section Within the National Security Division (June 20, 2023), https://www.justice.gov/opa/pr/justice-department-announces-new-national-security-cyber-section-within-national-security.

[256] Id.

[257] Press Release, Department of Justice, U.S. Department of Justice Disrupts Hive Ransomware Variant (Jan. 26, 2023), https://www.justice.gov/opa/pr/us-department-justice-disrupts-hive-ransomware-variant.

[258] Id.

[259] Press Release, Department of Justice, Justice Department Announces Court-Authorized Disruption of Snake Malware Network Controlled by Russia’s Federal Security Service (May 9, 2023), https://www.justice.gov/opa/pr/justice-department-announces-court-authorized-disruption-snake-malware-network-controlled.

[260] Id.

[261] Press Release, Department of Justice, Qakbot Malware Disrupted in International Cyber Takedown (Aug. 29, 2023), https://www.justice.gov/usao-cdca/pr/qakbot-malware-disrupted-international-cyber-takedown.

[262] Press Release, Department of Justice, Justice Department Disrupts Prolific ALPHV/Blackcat Ransomware Variant (Dec. 19, 2023), https://www.justice.gov/opa/pr/justice-department-disrupts-prolific-alphvblackcat-ransomware-variant.

[263] Id.

[264] Press Release, Department of Justice, Justice Department and Meta Platforms Inc. Reach Key Agreement as They Implement Groundbreaking Resolution to Address Discriminatory Delivery of Housing Advertisements (Jan. 9, 2023), https://www.justice.gov/opa/pr/justice-department-and-meta-platforms-inc-reach-key-agreement-they-implement-groundbreaking.

[265] Id.

[266] Id.; Roy L. Austin, Jr., An Update on Our Ads Fairness Efforts, Meta (Jan. 9, 2023), https://about.fb.com/news/2023/01/an-update-on-our-ads-fairness-efforts/.

[267] Press Release, Department of Justice, Justice Department Files Statement of Interest in Fair Housing Act Case Alleging Unlawful Algorithm-Based Tenant Screening Practices (Jan. 9, 2023), https://www.justice.gov/opa/pr/justice-department-files-statement-interest-fair-housing-act-case-alleging-unlawful-algorithm.

[268] Id.

[269] Id.

[270] RESTRICT Act, S. 686, 118th Cong. (2023), https://www.congress.gov/bill/118th-congress/senate-bill/686/text.

[271] Statements and Releases, White House, Statement from National Security Advisor Jake Sullivan on the Introduction of the RESTRICT Act (Mar. 7, 2023), https://www.whitehouse.gov/briefing-room/statements-releases/2023/03/07/statement-from-national-security-advisor-jake-sullivan-on-the-introduction-of-the-restrict-act/; Press Release, Department of Commerce, Statement from U.S. Secretary of Commerce Gina Raimondo on the Introduction of the RESTRICT Act (Mar. 7, 2023), https://www.commerce.gov/news/press-releases/2023/03/statement-us-secretary-commerce-gina-raimondo-introduction-restrict-act.

[272] RESTRICT Act, S. 686, 118th Cong. (2023), https://www.congress.gov/bill/118th-congress/senate-bill/686/text.

[273] Protecting Americans’ Data From Foreign Surveillance Act of 2023, S. 1974, 118th Cong. (2023), https://www.congress.gov/bill/118th-congress/senate-bill/1974/text.

[274] Id.

[275] Id.

[276] Id.

[277] Id.

[278] Press Release, Office of Cybersecurity, Energy Security, and Emergency Response, DOE Announces $39 Million in Research Funding to Enhance Cybersecurity of Clean Distributed Energy Resources (Sept. 12, 2023), https://www.energy.gov/ceser/articles/doe-announces-39-million-research-funding-enhance-cybersecurity-clean-distributed.

[279] Id.

[280] Id.

[281] Alexandra Kelley, Cyberattacks on Energy’s National Labs Draw Lawmaker Scrutiny, Nextgov/FCW (Feb. 2, 2023), https://www.nextgov.com/cybersecurity/2023/02/cyberattacks-energys-national-labs-draw-lawmaker-scrutiny/382503/.

[282] Special Report, Department of Energy, Management Challenges at the Department of Energy — Fiscal Year 2024 (Nov. 17, 2023), https://www.energy.gov/sites/default/files/2023-11/DOE-OIG-24-05.pdf.

[283] Id.

[284] Daniel Wilson, Defense Dept. Proposes Long-Awaited Cybersecurity Rule, Law360 (Dec. 22, 2023), https://www.law360.com/cybersecurity-privacy/articles/1780256/defense-dept-proposes-long-awaited-cybersecurity-rule.

[285] Id.

[286] Id.

[287] Press Release, Federal Communications Commission, Chairwoman Rosenworcel Launches Privacy and Data Protection Task Force (June 14, 2023), https://www.fcc.gov/document/chairwoman-rosenworcel-launches-privacy-and-data-protection-task-force.

[288] Id.

[289] Pallone-Thune Telephone Robocall Abuse Criminal Enforcement and Deterrence Act, Pub. L. No. 116-105, 133 Stat. 3274 (2019); Federal Communications Commission, TRACED Act Implementation (May 1, 2023), https://www.fcc.gov/TRACEDAct.

[290] Limits on Exempted Calls Under the Telephone Consumer Protection Act of 1991, 88 Fed. Reg. 3668 (Jan. 20, 2023) (to be codified at 47 C.F.R. pt. 64).

[291] Id.

[292] Press Release, Federal Communications Commission, Rosenworcel Launches Effort on AI’s Impact on Robocalls and Robotexts (Oct. 23, 2023), https://docs.fcc.gov/public/attachments/DOC-397925A1.pdf.

[293] Federal Communications Commission, FCC Launches Inquiry into AI’s Impact on Robocalls and Robotexts (Nov. 17, 2023), https://www.fcc.gov/consumer-governmental-affairs/fcc-launches-inquiry-ais-impact-robocalls-and-robotexts.

[294] Federal Communications Commission, Second Report and Order, Second Further Notice of Proposed Rulemaking in CG Docket Nos. 02-278 and 21-402, and Waiver Order in CG Docket No. 17-59 (Dec. 18, 2023), https://docs.fcc.gov/public/attachments/FCC-23-107A1.pdf.

[295] Id. at 13–15.

[296] Id. at 20 n.113.

[297] Press Release, White House, Biden-⁠Harris Administration Announces Cybersecurity Labeling Program for Smart Devices to Protect American Consumers (July 18, 2023), https://www.whitehouse.gov/briefing-room/statements-releases/2023/07/18/biden-harris-administration-announces-cybersecurity-labeling-program-for-smart-devices-to-protect-american-consumers/.

[298] Id.

[299] Press Release, Federal Communications Commission, FCC Fact Sheet on Proposed Voluntary Cybersecurity Labeling Program for Internet-Enabled Devices (Aug. 10, 2023), https://docs.fcc.gov/public/attachments/DOC-395909A1.pdf.

[300] Press Release, Federal Communications Commission, FCC Adopts Updated Data Breach Notification Rules To Protect Consumers (Dec. 13, 2023), https://docs.fcc.gov/public/attachments/DOC-399090A1.pdf.

[301] Id.

[302] Press Release, Federal Communications Commission, FCC Proposes $20M Fine for Apparently Failing to Protect Consumer Data (July 28, 2023), https://docs.fcc.gov/public/attachments/DOC-395581A1.pdf.

[303] Id.

[304] A New Landmark for Consumer Control Over Their Personal Information: CPPA Proposes Regulatory Framework for Automated Decisionmaking Technology, Cal. Privacy Protection Agency (Nov. 27, 2023), https://cppa.ca.gov/announcements/2023/20231127.html; see also Draft Automated Decisionmaking Technology Regulations, Cal. Privacy Protection Agency (Dec. 8, 2023), https://cppa.ca.gov/meetings/materials/20231208_item2_draft.pdf.

[305] CPPA to Review Privacy Practices of Connected Vehicles and Related Technologies, Cal. Privacy Protection Agency (July 31, 2023), https://cppa.ca.gov/announcements/2023/20230731.html.

[306] Ahead of Privacy Day, Attorney General Bonta Focuses on Mobile Applications’ Compliance with the California Consumer Privacy Act, Cal. Att’y Gen. (Jan. 27, 2023), https://oag.ca.gov/news/press-releases/ahead-data-privacy-day-attorney-general-bonta-focuses-mobile-applications%E2%80%99.

[307] Attorney General Bonta Seeks Information from California Employers on Compliance with California Consumer Privacy Act, Cal. Att’y Gen. (July 14, 2023), https://oag.ca.gov/news/press-releases/attorney-general-bonta-seeks-information-california-employers-compliance.

[308] Complaint, People v. Google, Case No. 23CV422424 (Santa Clara Cnty. Super. Ct., Sept. 14, 2023), https://oag.ca.gov/system/files/attachments/press-docs/Filed%20stamped%20Google%20Complaint.pdf.

[309] Attorney General James Seeks information from Madison Square garden Regarding Use of Facial Recognition Technology to Deny Entry to Venues, N.Y. Att’y Gen. (Jan. 25, 2023), https://ag.ny.gov/press-release/2023/attorney-general-james-seeks-information-madison-square-garden-regarding-use.

[310] DFS Announces $1 million Cybersecurity Settlement with First American Title Insurance Company, N.Y. Dept. of Fin. Servs. (Nov. 28, 2023), https://www.dfs.ny.gov/reports_and_publications/press_releases/pr202311281

[311]Id.

[312] AG Ferguson’s lawsuit forces Google to pay nearly $40M over deceptive location tracking, Wash. Att’y Gen. (May 18, 2023) https://www.atg.wa.gov/news/news-releases/ag-ferguson-s-lawsuit-forces-google-pay-nearly-40m-over-deceptive-location.

[313] Press Release, Office of the Indiana Attorney General, Attorney General Todd Rokita Secures $49.5 Million Multistate Settlement with Blackbaud for Data Breach (Oct. 5, 2023), https://events.in.gov/event/attorney_general_todd_rokita_secures_495_million_multistate_settlement_with_blackbaud_for_data_breach.

[314] Press Release, New York State Office of the Attorney General, Attorney General James and Multistate Coalition Secure $6.5 Million from Morgan Stanley for Failing to Protect Customer Data (Nov. 16, 2023), https://ag.ny.gov/press-release/2023/attorney-general-james-and-multistate-coalition-secure-65-million-morgan-stanley.

[315] Press Release, New Jersey Office of the Attorney General, AG Platkin Co-Leads $2.5-Million Multistate Settlement with EyeMed Over Data Breach that Compromised the Personal Information of Millions of Patients (May 16, 2023), https://www.njoag.gov/ag-platkin-co-leads-2-5-million-multistate-settlement-with-eyemed-over-data-breach-that-compromised-the-personal-information-of-millions-of-patients/.

[316] See Notice of Settlement and Joint Stipulation and [Proposed] Order to Stay Litigation Activities Pending Filing of Mot. for Prelim. Approval, In re Orrick, Herrington & Sutcliffe, LLP Data Breach Litig., No. 3:23-cv-04089 (N.D. Cal. Dec. 21, 2023), ECF No. 50.

[317] See Order Granting Final Approval of Class Action Settlement and Pls.’ Mot. for Att’ys’ Fees and Costs, Desue v. 20/20 Eye Care Network Inc., No. 21-61275 (S.D. Fla. July 8, 2023), ECF No. 100.

[318] Identity Theft Resource Center, Q3 2023 Data Breach Analysis, https://www.idtheftcenter.org/wp-content/uploads/2023/10/20231011_Q3-2023-Data-Breach-Analysis.pdf.

[319] Identity Theft Resource Center, Q3 2022 Data Breach Analysis, https://www.idtheftcenter.org/wp-content/uploads/2022/10/20221005_One-Pager_Q3-2022-Data-Breach-Analysis.pdf.

[320] See Transfer Order, In re MOVEit Customer Data Sec. Breach Litig., MDL No. 3083 (J.P.M.L. Oct. 4, 2023); Judicial Panel on Multidistrict Litigation, MDL Statistics Report – Distribution of Pending MDL Dockets by Actions Pending (Jan. 2, 2014), https://www.jpml.uscourts.gov/sites/jpml/files/Pending_MDL_Dockets_By_Actions_Pending-January-2-2024.pdf.

[321] See In re MOVEit Customer Data Sec. Breach Litig., No. 23-3083 (D. Mass.).

[322] TransUnion LLC v. Ramirez, 594 U.S. 413 (2021) (holding that plaintiffs who had not suffered concrete harm due to data breach, and instead claimed they are at heightened risk of future harm, lack standing to sue under Article III).

[323] Id. at 437.

[324] 72 F.4th 365, 375 (1st Cir. 2023) (holding that plaintiff adequately alleged standing based on the filing of a fraudulent tax return that likely resulted from information compromised in the data breach).

[325] Id. at 377.

[326] Bohnak v. Marsh & McLennan Cos., Inc., 79 F.4th 276, 286 (2d Cir. 2023) (cleaned up).

[327] Id. at 287.

[328] 2023 WL 4183380, at *4 (E.D. Va. June 26, 2023).

[329] Id.

[330] Id.

[331] Id.

[332] Id. at *5.

[333] 2023 WL 5608389, at *2 (C.D. Cal. Aug. 29, 2023) (acknowledging that while an increased risk of identity theft stemming from a data breach can constitute a threat of imminent harm sufficient for standing purposes, on the facts of the case, the username and password stolen in the breach were not linked to the plaintiff’s financial accounts, and thus did not give rise to the threat of identity theft).

[334] Id.

[335] See TransUnion, 594 U.S. at 431 (“Every class member must have Article III standing in order to recover individual damages. Article III does not give federal courts the power to order relief to any uninjured plaintiff, class action or not.”).

[336] 344 F.R.D. 38, 52 (D.D.C. 2023).

[337] Id. at 53.

[338] Id. at 55.

[339] See Cornerstone Research, Securities Class Action Trend Cases, https://www.cornerstone.com/insights/research/securities-class-action-trend-cases/.

[340] Complaint ¶ 3, Jaramillo v. Dish Networks Corp., No. 23-734 (D. Colo. Mar. 23, 2023), ECF No. 1.

[341] Complaint ¶ 4, Official Intel. Pty. Ltd., v. Block, Inc., No. 23-2789 (S.D.N.Y. April 3, 2023), ECF No. 1.

[342] 15 U.S.C. § 78u-4(b)(2).

[343] In re Okta, Inc. Securities Litig., 2023 WL 2749193, at *20 (N.D. Cal. Mar. 31, 2023).

[344] Id. at *15.

[345] Id.

[346] See, e.g., Javier v. Assurance IQ, LLC, 2022 WL 1744107 (9th Cir. May 31, 2022); Popa v. Harriet Carter Gifts, Inc., 45 F.4th 687 (3d Cir. 2022).

[347] 18 U.S.C. § 2510 et seq.

[348] Id. § 2511(2)(d).

[349] See Recording Law, All Party (Two Party) Consent States – List and Details, https://recordinglaw.com/party-two-party-consent-states/ (last visited Jan. 26, 2024) (identifying 13 two-party or all-party consent states).

[350] See, e.g., Cal. Penal Code §§ 631, 632 (wiretapping and eavesdropping statutes); id. § 637.2(a) (authorizing a private right of action and statutory damages).

[351] Doe v. Regents of Univ. of California, No. 23-CV-00598-WHO, 2023 WL 3316766 (N.D. Cal. May 8, 2023).

[352] Jackson v. Fandom, Inc., No. 22-CV-04423-JST, 2023 WL 4670285 (N.D. Cal. July 20, 2023).

[353] Id. at *4–5.

[354] Stark v. Patreon, Inc., 656 F. Supp. 3d 1018 (N.D. Cal. 2023).

[355] Id. at 1039–40.

[356] 18 U.S.C. § 1030(a).

[357] Van Buren v. United States, 141 S. Ct. 1648, 1654–55 (2021).

[358] Press Release, Department of Justice, Department of Justice Announces New Policy for Charging Cases under the Computer Fraud and Abuse Act (May 19, 2022), https://www.justice.gov/opa/press-release/file/1507126/download.

[359] United States v. Calonge, 74 F.4th 31, 36 (2d Cir. 2023), cert. denied, 2023 WL 7475309 (U.S. Nov. 13, 2023).

[360] Id. at 33–34.

[361] Id. at 33.

[362] Id. at 33–34.

[363] Id. at 35–36 (citing 18 U.S.C. § 1030(e)(8)).

[364] Calonge v. United States, 2023 WL 7475309 (U.S. Nov. 13, 2023).

[365] ACW Flex Pack LLC v. Wrobel, 2023 WL 4762596, at *6–7 (N.D. Ill. July 26, 2023).

[366] Id. at *3, *6.

[367] Id. at *5.

[368] Id. at *6.

[369] Id. (quoting 18 U.S.C. § 1030(e)(1)) (emphasis removed).

[370] Id. at *6–8.

[371] Id. at *7.

[372] iPurusa, LLC v. Bank of New York Mellon Corp., 2023 WL 3072686, at *7 (D.N.J. Apr. 25, 2023).

[373] Id. at *6.

[374] Id. at *7.

[375] Id.

[376] See, e.g., T. et al v. OpenAI LP et al., Case No. 23-cv-04557, Dkt. 1 ¶¶ 317–326 (N.D. Cal.); P.M. et al v. OpenAI LP et al., Case No. 23-cv-03199-TLT, Dkt. 1 ¶¶ 422–431 (N.D. Cal.); see id. Dkt. 38 (notice of voluntary dismissal).

[377] hiQ Labs, Inc. v. LinkedIn Corp., 31 F.4th 1180 (9th Cir. 2022).

[378] Id. at 1201.

[379] Cal. Penal Code §§ 502(c)(2) & (e)(1).

[380] Id. § 502(b)(1).

[381] Brown v. Google LLC, 2023 WL 5029899, at *1 (N.D. Cal. Aug. 7, 2023).

[382] Id. at *2.

[383] Id. at *18.

[384] Id. at *19 (citing Cal. Penal Code § 502(c)(2)).

[385] Id.

[386] Brown et al. v. Google LLC, Case No. 4:20-cv-03664, Dkt. 1089 (N.D. Cal.).

[387] Nora Gutierrez v. Converse Inc., 2023 WL 8939221, at *1, *5 (C.D. Cal. Oct. 27, 2023).

[388] Id. at *4 (quoting In re iPhone Application Litig., 2011 WL 4403963, at * 12 (N.D. Cal. Sept. 20, 2011)).

[389] Id.

[390] Id. at *5.

[391] 47 U.S.C. § 227.

[392] Facebook, Inc. v. Duguid, 592 U.S. 395 (2021).

[393] Dickson v. Direct Energy, LP, 69 F.4th 338, 348–49 (6th Cir. 2023).

[394] Id. at 345–48.

[395] Drazen v. Pinto, 74 F.4th 1336, 1345–46 (11th Cir. 2023) (reversing Salcedo v. Hanna, 936 F.3d 1162, 1172 (11th Cir. 2019)).

[396] Hall v. Smosh Dot Com, Inc., 72 F.4th 983, 990–91 (9th Cir. 2023).

[397] Id. at 990.

[398] Mauthe v. Millennium Health LLC, 58 F.4th 93, 97 (3d Cir. 2023). The TCPA defines an “unsolicited advertisement” as “any material advertising the commercial availability or quality of any property, goods, or services which is transmitted to any person without that person’s prior express invitation or permission, in writing or otherwise.” 47 U.S.C. § 227(a)(5).

[399] Trim v. Reward Zone USA LLC, 76 F.4th 1157, 1164 (9th Cir. 2023).

[400] Cal. Civ. Code § 1798.150 (West 2023).

[401] California Consumer Privacy Act (CCPA) Litigation, U.S. Cybersecurity and Data Privacy Outlook and Review – 2023 (Jan. 30, 2023), https://www.gibsondunn.com/us-cybersecurity-and-data-privacy-outlook-and-review-2023/.

[402] Order Granting Final Approval of Class Action Settlement, Service v. Volkswagen Grp. of Am., Inc., No. C22-01841 (Cal. Super. Ct. Contra Costa Cnty. May. 31, 2023), https://odyportal.cc-courts.org/Portal/DocumentViewer/DownloadDocumentFile/Download?d=10C938A76250CE4331774E2C729A0D43&c=EC610BADE930EF833C9117C84F5729FC&l=4C398088907DD05C6D76EE93BC04CDF4&cn=F44FB09A29DC4E11FE28DCC41D39CD99&fileName=C22-01841%20-%20Order%20Filed%20Re%20Granting%20Final%20Approval&docTypeId=3&isVersionId=False.

[403] Id. at 4.

[404] Carter v. Vivendi Ticketing US LLC, No. SACV2201981(DFMx), 2023 WL 8153712 (C.D. Cal. Oct. 30, 2023).

[405] Id.

[406] Id. at *2.

[407] Gershfeld v. Teamviewer US, Inc., No. SACV2100058(ADSx), 2021 WL 3046775 (C.D. Cal. June 24, 2021).

[408] Id. at 2.

[409] Gershfeld v. TeamViewer US, Inc., No. 21-55753, 2023 WL 334015 (9th Cir. Jan. 20, 2023) (mem.).

[410] Alexander v. Wells Fargo Bank, N.A., No. 23-CV-617-DMS-BLM, 2023 WL 5109532 (S.D. Cal. Aug. 9, 2023).

[411] California Consumer Privacy Act (CCPA) Litigation, U.S. Cybersecurity and Data Privacy Outlook and Review – 2023 (Jan. 30, 2023), https://www.gibsondunn.com/us-cybersecurity-and-data-privacy-outlook-and-review-2023/.

[412] Brown v. Google LLC, No. 4:20-CV-3664, 2023 WL 5029899 (N.D. Cal. Aug. 7, 2023).

[413] Id.

[414] Id. at *21.

[415] Id.

[416] Id. at *21.

[417] Id.

[418] Cal. Civ. Code § 1798.150(b).

[419] California Consumer Privacy Act (CCPA) Litigation, U.S. Cybersecurity and Data Privacy Outlook and Review – 2023 (Jan. 30, 2023), https://www.gibsondunn.com/us-cybersecurity-and-data-privacy-outlook-and-review-2023/.

[420] Guy v. Convergent Outsourcing, Inc., No. C22-1558, 2023 WL 4637318 (W.D. Wash. July 20, 2023).

[421] Cal. Civ. Code § 1798.150(b).

[422] Guy, 2023 WL 4637318.

[423] Griffey v. Magellan Health Inc., No. CV-20-01282-PHX, 2022 WL 1811165, at *6 (D. Ariz. June 2, 2022).

[424] Guy, 2023 WL 4637318, at *9.

[425] Florence v. Order Express, Inc., No. 22 C 7210, 2023 WL 3602248 (N.D. Ill. May 23, 2023).

[426] Id. at *7 (internal quotations omitted).

[427] Cal. Civ. Code § 1798.150(b).

[428] Florence, 2023 WL 3602248, at *7.

[429] California Consumer Privacy Act (CCPA) Litigation, U.S. Cybersecurity and Data Privacy Outlook and Review – 2023 (Jan. 30, 2023), https://www.gibsondunn.com/us-cybersecurity-and-data-privacy-outlook-and-review-2023/.

[430] Durgan v. U-Haul Int’l Inc., No. CV-22-01565-PHX, 2023 WL 7114622 (D. Ariz. Oct. 27, 2023).

[431] Id. at *7.

[432] Id. at *6.

[433] In re Bank of Am. California Unemployment Benefits Litig., No. 21-MD-2992-LAB-MSB, 2023 WL 3668535 (S.D. Cal. May 25, 2023).

[434] Id. at *13–15.

[435] Id. at *15.

[436] Tims v. Black Horse Carriers, Inc., 216 N.E.3d 845 (Ill. 2023).

[437] 735 Ill. Comp. Stat. Ann. 5/13-205 (2022).

[438] Tims, 216 N.E.3d at 854.

[439] Cothron v. White Castle Sys., Inc., 216 N.E.3d 918, 920 (Ill. 2023).

[440] Id. at 928.

[441] Id. at 929.

[442] Minor v. Oldcastle Servs. Inc., No. 21‐CV‐503‐SMY (S.D. Ill. Mar. 22, 2023).

[443] Jones v. Microsoft Corp., No. 1:22‐cv‐03437 (N.D. Ill. Jan. 9, 2023).

[444] Id. at 7–8.

[445] Warmack‐Stillwell v. Christian Dior, Inc., No. 22‐C‐4633 (N.D. Ill. Feb. 10, 2023).

[446] Crumpton v. Octapharma Plasma, Inc., 513 F. Supp. 3d 1006, 1015–17 (N.D. Ill. 2021).

[447] Id.

[448] Tex. Bus. & Com. Code § 503.001.

[449] Tex. v. Meta Platforms, Inc., Cause No. 22-0121 (Tex. Dist. Ct. Feb. 8, 2023).

[450] Press Release, Attorney General of Texas, Paxton Sues Google for its Unauthorized Capture and Use of Biometric Data and Violation of Texans’ Privacy (Oct. 20, 2022), https://texasattorneygeneral.gov/news/releases/paxton-sues-google-its-unauthorized-capture-and-use-biometric-data-and-violation-texans-privacy.

[451] Gross v. Madison Square Garden Ent. Corp., No. 1:23-cv-03380 (S.D.N.Y. filed Apr. 21, 2023).

[452] Second Amended Complaint at 2–3, Gross v. Madison Square Garden Ent. Corp., No. 1:23-cv-03380 (S.D.N.Y. June 9, 2023).

[453] Id.

[454] Id. at 23–24.

[455] Id. at 25.

[456] Report & Recommendation, Gross v. Madison Square Garden Ent. Corp., No. 23-cv-3380 (S.D.N.Y. Jan. 9, 2024).

[457] Id. at 14.

[458] Id. at 18.

[459] Id. at 20 (quoting Zoll v. Ruder Finn, Inc., No. 01-cv-139 (CSH), 2004 WL 42260, at *4 (S.D.N.Y. Jan. 7, 2004)).

[460] Id. at 21.

[461] Id. at 8–13.

[462] 598 U.S. 471 (2023).

[463] 598 U.S. 617 (2023).

[464] Taamneh, 598 U.S. at 482.

[465] Gonzalez, 598 U.S. at 621.

[466] Taamneh, 598 U.S. at 501–02.

[467] Gonzalez, 598 U.S. at 622.

[468] Minahan v. Google LLC, No. 22-cv-5652, 2023 WL 3605329, at *1 (N.D. Cal. May 1, 2023), appeal filed, No. 23-15775 (9th Cir. May 22, 2023).

[469] Id. at *2.

[470] M.K. v. Google LLC, No. 21-cv-08465, 2023 WL 4937287 (N. D. Cal. filed Oct. 29, 2021).

[471] Id. at *10.

[472] Id. at *3.

[473] Id.

[474] Id. at *5.

[475] Id. at *6–7.

[476] Ramirez v. The Paradies Shops, LLC, 69 F.4th 1213, 1221 (11th Cir. 2023).

[477] Id. at 1216.

[478] Id.

[479] Id. at 1220–21.

[480] Class Action Complaint at 2–3, Pai v. Tesla, Inc., Case 4:23-cv-04550 (N.D. Cal. filed Sept. 5, 2023).

[481] Id.

[482] The Digital Revolution Engineering Smart City Infrastructure, Utilities One (Oct. 27, 2023), https://utilitiesone.com/the-digital-revolution-engineering-smart-city-infrastructure.

[483] Ashley Johnson, Balancing Privacy and Innovation in Smart Cities and Communities, Info. Tech. & Innovation Found. (Mar. 6, 2023), https://itif.org/publications/2023/03/06/balancing-privacy-and-innovation-in-smart-cities-and-communities/.

[484] Id.

[485] Diana Baker Freeman, Why Local Governments Are a Target for Cyber Attacks and Steps to Prevent It, Governing (May 6, 2022), https://www.governing.com/sponsored/why-local-governments-are-a-target-for-cyber-attacks-and-steps-to-prevent-it.

[486] Richard Forno, Local Governments Are Attractive Targets for Hackers and Are Ill-Prepared, Ctr. for Internet & Soc’y (Mar. 28, 2022), https://cyberlaw.stanford.edu/blog/2022/03/local-governments-are-attractive-targets-hackers-and-are-ill-prepared.

[487] Ashley Johnson, Balancing Privacy and Innovation in Smart Cities and Communities, Info. Tech. & Innovation Found. (Mar. 6, 2023), https://itif.org/publications/2023/03/06/balancing-privacy-and-innovation-in-smart-cities-and-communities/.

[488] Id.

[489] Maya Shwayder, The Future of Smart Cities May Mean the Death of Privacy, Digit. Trends (Apr. 22, 2020), https://www.digitaltrends.com/news/smart-cities-privacy-security/.

[490] Ashley Johnson, Balancing Privacy and Innovation in Smart Cities and Communities, Info. Tech. & Innovation Found. (Mar. 6, 2023), https://itif.org/publications/2023/03/06/balancing-privacy-and-innovation-in-smart-cities-and-communities/.

[491] What is Edge Computing?, IBM (last visited Jan. 18, 2024), https://www.ibm.com/topics/edge-computing.

[492] Mary K. Pratt, 7 Edge Computing Trends to Watch in 2023 and Beyond, TechTarget (Dec. 8, 2022), https://www.techtarget.com/searchcio/tip/Top-edge-computing-trends-to-watch-in-2020.

[493] Id.

[494] Id.

[495] Id.

[496] Pete Swabey, Why Edge Computing is a Double-Edged Sword for Privacy, Tech Monitor (Mar. 31, 2023), https://techmonitor.ai/focus/privacy-on-the-edge-why-edge-computing-is-a-double-edged-sword-for-privacy.

[497] Id.

[498] Id.

[499] Id.

[500] Matthew Gooding, Can GAIA-X Solve Europe’s Data Sovereignty Problem?, Tech Monitor (Apr. 8, 2021), https://techmonitor.ai/technology/cloud/what-is-gaia-x-eu-data-sovereignty.

[501] Executive Office of the President, Office of Science and Technology Policy, National Strategy To Advance Privacy-Preserving Data Sharing and Analytics (Mar. 2023), https://www.whitehouse.gov/wp-content/uploads/2023/03/National-Strategy-to-Advance-Privacy-Preserving-Data-Sharing-and-Analytics.pdf.

[502] OECD, Emerging Privacy-Enhancing Technologies, Current Regulatory and Policy Approaches, OECD Digital Economy Papers, No. 351, 2 (Mar. 2023), https://www.oecd-ilibrary.org/deliver/bf121be4-en.pdf?itemId=/content/paper/bf121be4-en&mimeType=pdf.

[503]Executive Office of the President, Office of Science and Technology Policy, National Strategy To Advance Privacy-Preserving Data Sharing and Analytics (Mar. 2023), https://www.whitehouse.gov/wp-content/uploads/2023/03/National-Strategy-to-Advance-Privacy-Preserving-Data-Sharing-and-Analytics.pdf.

[504] Id.

[505] Id.

[506] Id.

[507] Id.

[508] Id.

[509] Id.

[510] Id.

[511] Pete Swabey, Why Edge Computing is a Double-Edged Sword for Privacy, Tech Monitor (Mar. 31, 2023), https://techmonitor.ai/focus/privacy-on-the-edge-why-edge-computing-is-a-double-edged-sword-for-privacy.

[512] Executive Office of the President, Office of Science and Technology Policy, National Strategy To Advance Privacy-Preserving Data Sharing and Analytics (Mar. 2023), https://www.whitehouse.gov/wp-content/uploads/2023/03/National-Strategy-to-Advance-Privacy-Preserving-Data-Sharing-and-Analytics.pdf.

[513] Id.

[514] Shafi Goldwasser et al., The Knowledge Complexity of Interactive Proof Systems, 18 SIAM J. Computing 186 (1989).

[515] Eli Ben-Sasson et al., Zerocash: Decentralized Anonymous Payments from Bitcoin, Zerocash, (May 18, 2014), http://zerocash-project.org/media/pdf/zerocash-extended-20140518.pdf.

[516] Tianyi Liu et al., zkCNN: Zero Knowledge Proofs for Convolutional Neural Network Predictions and Accuracy, Comput. & Commc’ns Sec. (2021), https://doi.org/10.1145/3460120.3485379.

[517] Executive Office of the President, Office of Science and Technology Policy, National Strategy To Advance Privacy-Preserving Data Sharing and Analytics (Mar. 2023), https://www.whitehouse.gov/wp-content/uploads/2023/03/National-Strategy-to-Advance-Privacy-Preserving-Data-Sharing-and-Analytics.pdf.

[518] Id.

[519] Id.

[520] Jennifer Bryant, European Commission Adopts EU-US Adequacy Decision, Int’l Ass’n Priv. Pros. (July 10, 2023), https://iapp.org/news/a/european-commission-adopts-eu-u-s-adequacy-decision/.

[521] Id.

[522] Natasha Lomas, Europe’s Top Court Strikes Down Flagship EU-US Data Transfer Mechanism, TechCrunch (July 16, 2020), https://techcrunch.com/2020/07/16/europes-top-court-strikes-down-flagship-eu-us-data-transfer-mechanism/.

[523] Natasha Lomas, Europe Adopts US Data Adequacy Decision, TechCrunch (July 10, 2023), https://techcrunch.com/2023/07/10/eu-us-data-privacy-framework-adoption/.

[524] Id.

[525] Id.

[526] Press Release, Department of Commerce, Data Privacy Framework Program Launches New Website Enabling U.S. Companies to Participate in Cross-Border Data Transfers (July 17, 2023), https://www.commerce.gov/news/press-releases/2023/07/data-privacy-framework-program-launches-new-website-enabling-us.

[527] Press Release, Senator Ron Wyden, Wyden, Lee, Davidson and Lofgren Introduce Bipartisan Legislation to Reauthorize and Reform Key Surveillance Law, Secure Protections for Americans’ Rights (Nov. 7, 2023), https://www.wyden.senate.gov/news/press-releases/wyden-lee-davidson-and-lofgren-introduce-bipartisan-legislation-to-reauthorize-and-reform-key-surveillance-law-secure-protections-for-americans-rights.

[528] Noah Chauvin & Elizabeth Goitein, Reform Bill Would Protect Americans from Warrantless Surveillance, Brennan Ctr. for Just. (Nov. 7, 2023), https://www.brennancenter.org/our-work/analysis-opinion/reform-bill-would-protect-americans-warrantless-surveillance.

[529] On December 22, 2023, President Biden signed the National Defense Authorization Act, which included a Congressional measure extending Section 702 until mid-April 2024. Rebecca Beitsch, Congress Approves Short-Term Extension of Warrantless Surveillance Powers, The Hill (Dec. 12, 2023), https://thehill.com/policy/national-security/4360341-fisa-congress-approves-short-term-extension-warrantless-surveillance-powers; see also Press Release, White House, Joseph R. Biden, Statement from President Biden on H.R. 2670, National Defense Authorization Act for Fiscal Year 2024 (Dec. 22, 2023), https://www.whitehouse.gov/briefing-room/statements-releases/2023/12/22/statement-from-president-joe-biden-on-h-r-2670-national-defense-authorization-act-for-fiscal-year-2024/.

[530] Noah Chauvin & Elizabeth Goitein, Reform Bill Would Protect Americans from Warrantless Surveillance, Brennan Ctr. for Just., (Nov. 7, 2023), https://www.brennancenter.org/our-work/analysis-opinion/reform-bill-would-protect-americans-warrantless-surveillance.

[531] Id.

[532] Id.

[533] Id.

[534] Id.

[535] Electronic Communications Privacy Act (ECPA), Elec. Priv. Info. Ctr. (last visited Jan. 19, 2024), https://epic.org/ecpa/; see also Press Release, Senator Ron Wyden, Wyden, Lee, Davidson and Lofgren Introduce Bipartisan Legislation to Reauthorize and Reform Key Surveillance Law, Secure Protections for Americans’ Rights (Nov. 7, 2023), https://www.wyden.senate.gov/news/press-releases/wyden-lee-davidson-and-lofgren-introduce-bipartisan-legislation-to-reauthorize-and-reform-key-surveillance-law-secure-protections-for-americans-rights.

[536] Government Surveillance Reform Act of 2023, S. 3234, 118th Cong. (2023).

[537] Id. § 504.

[538] Id.; 47 U.S.C. § 230(f) (2000).

[539] Government Surveillance Reform Act of 2023, S. 3234, 118th Cong. § 504 (2023).

[540] Id. § 501–11.

[541] Id.

[542] Id. § 508.

[543] Id. § 503.

[544] India McKinney, The House Intelligence Committee’s Surveillance ‘Reform’ Bill is a Farce, Elec. Frontier Found. (Dec. 8, 2023), https://www.eff.org/deeplinks/2023/12/section-702-needs-reform-and-oversight-not-expansion-congress-should-oppose-hpsci; see also Jules Roscoe, Congress Pulls Bill That Would Massively Expand Surveillance After ‘Dramatic Showdown’, Vice (Dec. 12, 2023), https://www.vice.com/en/article/y3wkdg/fisa-surveillance-bill-congress-pulled.

[545] Jules Roscoe, Congress Pulls Bill That Would Massively Expand Surveillance After ‘Dramatic Showdown’, Vice (Dec. 12, 2023), https://www.vice.com/en/article/y3wkdg/fisa-surveillance-bill-congress-pulled.

[546] Id.

[547] Press Release, ACLU, Ahead of House Vote, ACLU Sounds Alarm on Bill Greatly Expanding the Government’s Mass Warrantless Surveillance Authority (Dec. 11, 2023), https://www.aclu.org/press-releases/ahead-of-house-vote-aclu-sounds-alarm-on-bill-greatly-expanding-the-governments-mass-warrantless-surveillance-authority.


The following Gibson Dunn lawyers assisted in preparing this alert: Alexander Southwell, Cassandra Gaedt-Sheckter, Natalie Hausknecht, Martie Kutscher Clark, Timothy Loose, Abbey Barrera, Jacob Arber, Tony Bedel, Matt Buongiorno, Eric Hornbeck, Jay Mitchell*, Wesley Sze, Terry Wong, Najatt Ajarar, Michael Brandon, Tawkir Chowdhury, Lanie Corrigan, Justine Deitz, Skylar Drefcinski, Sasha Dudding, Kunal Kanodia, Erin Kim, Brendan Krimsky, Ruby Lang, Emma Li, Ignacio Martinez Castellanos, Jay Minga, Peter Moon, Narayan Narasimhan*, Mason Pazhwak, Matthew Reagan, John Ryan, Christopher Scott*, Becca Smith, Snezhana Stadnik Tapia, Graham Miller Stinnett, Cydney Swain, Julie Sweeney, Trenton Van Oss, Hayato Watanabe, Diego Wright, and Samantha Yi*.

Gibson Dunn lawyers are available to assist in addressing any questions you may have about these developments. Please contact the Gibson Dunn lawyer with whom you usually work, the authors, or any leader or member of the firm’s Privacy, Cybersecurity & Data Innovation practice group:

United States:
S. Ashlie Beringer – Co-Chair, Palo Alto (+1 650.849.5327, [email protected])
Jane C. Horvath – Co-Chair, Washington, D.C. (+1 202.955.8505, [email protected])
Ryan T. Bergsieker – Denver (+1 303.298.5774, [email protected])
Gustav W. Eyler – Washington, D.C. (+1 202.955.8610, [email protected])
Cassandra L. Gaedt-Sheckter – Palo Alto (+1 650.849.5203, [email protected])
Svetlana S. Gans – Washington, D.C. (+1 202.955.8657, [email protected])
Lauren R. Goldman – New York (+1 212.351.2375, [email protected])
Stephenie Gosnell Handler – Washington, D.C. (+1 202.955.8510, [email protected])
Natalie J. Hausknecht – Denver (+1 303.298.5783, [email protected])
Martie Kutscher Clark – Palo Alto (+1 650.849.5348, [email protected])
Kristin A. Linsley – San Francisco (+1 415.393.8395, [email protected])
Timothy W. Loose – Los Angeles (+1 213.229.7746, [email protected])
Vivek Mohan – Palo Alto (+1 650.849.5345, [email protected])
Rosemarie T. Ring – San Francisco (+1 415.393.8247, [email protected])
Ashley Rogers – Dallas (+1 214.698.3316, [email protected])
Alexander H. Southwell – New York (+1 212.351.3981, [email protected])
Eric D. Vandevelde – Los Angeles (+1 213.229.7186, [email protected])
Benjamin B. Wagner – Palo Alto (+1 650.849.5395, [email protected])
Debra Wong Yang – Los Angeles (+1 213.229.7472, [email protected])

Europe:
Ahmed Baladi – Co-Chair, Paris (+33 (0) 1 56 43 13 00, [email protected])
Nicholas Banasevic* – Managing Director, Brussels (+32 2 554 72 40, [email protected])
Kai Gesing – Munich (+49 89 189 33-180, [email protected])
Joel Harrison – London (+44 20 7071 4289, [email protected])
Vera Lukic – Paris (+33 (0) 1 56 43 13 00, [email protected])
Lars Petersen – Frankfurt/Riyadh (+49 69 247 411 525, [email protected])
Robert Spano – London/Paris (+44 20 7071 4000, [email protected])

Asia:
Connell O’Neill – Hong Kong (+852 2214 3812, [email protected])
Jai S. Pathak – Singapore (+65 6507 3683, [email protected])

*Nicholas Banasevic, Managing Director in the firm’s Brussels office and an economist by background, is not admitted to practice law.

*Jay Mitchell and Samantha Yi are associates in the Washington, D.C. office. Jay is admitted in California and Illinois, and Samantha is admitted in Maryland; both are practicing under supervision of members of the District of Columbia Bar under D.C. App. R. 49.

*Narayan Narasimhan and Christopher Scott, recent law graduates in the New York office, are not admitted to practice law.

© 2024 Gibson, Dunn & Crutcher LLP.  All rights reserved.  For contact and other information, please visit us at www.gibsondunn.com.

Attorney Advertising: These materials were prepared for general informational purposes only based on information available at the time of publication and are not intended as, do not constitute, and should not be relied upon as, legal advice or a legal opinion on any specific facts or circumstances. Gibson Dunn (and its affiliates, attorneys, and employees) shall not have any liability in connection with any use of these materials.  The sharing of these materials does not establish an attorney-client relationship with the recipient and should not be relied upon as an alternative for advice from qualified counsel.  Please note that facts and circumstances may vary, and prior results do not guarantee a similar outcome.

From the Derivatives Practice Group: The CFTC cancelled its open meeting this week, but is seeking public comment on a number of issues.

New Developments

  • CFTC Cautions the Public to Beware of Artificial Intelligence Scams. On January 25, the CFTC’s Office of Customer Education and Outreach issued a customer advisory warning the public about Artificial Intelligence (AI) scams. Customer Advisory: AI Won’t Turn Trading Bots into Money Machines explains how the scams use the potential of AI technology to defraud investors with false claims that entice them to hand over their money or other assets to fraudsters who misappropriate the funds and deceive investors. The advisory warns investors that claims of high or guaranteed returns are red flags of fraud and that strangers promoting these claims online should be ignored. The CFTC stated that the advisory is intended to help investors identify and avoid potential scams and includes a reminder that AI technology cannot predict the future. It also lists four items investors may consider to avoid such scams: researching the background of a company or trader, researching the history of the trading website, getting a second opinion, and knowing the risks associated with the underlying assets. [NEW]
  • CFTC Staff Releases Request for Comment on the Use of Artificial Intelligence in CFTC-Regulated Markets. On January 25, the CFTC’s Divisions of Market Oversight, Clearing and Risk, Market Participants, and Data and the Office of Technology Innovation issued a request for comment (RFC) in an effort to better inform them on the current and potential uses and risks of AI in the derivatives markets that the CFTC regulates. The RFC seeks comment on the definition of AI and its applications, including its use in trading, risk management, compliance, cybersecurity, recordkeeping, data processing and analytics, and customer interactions. The RFC also seeks comment on the risks of AI, including risks related to market manipulation and fraud, governance, explainability, data quality, concentration, bias, privacy and confidentiality and customer protection. The CFTC indicated that staff will consider the responses to the RFC in analyzing possible future actions by the CFTC, such as new or amended guidance, interpretations, policy statements, or regulations. Comments will be accepted until April 24, 2024. [NEW]
  • CFTC Seeks Public Comment on Proposed Capital Comparability Determination for Swap Dealers Subject to Supervision by the UK Prudential Regulation Authority. On January 24, the CFTC solicited public comment on a substituted compliance application requesting that the CFTC determine that certain CFTC-registered nonbank swap dealers located in the United Kingdom may satisfy certain Commodity Exchange Act capital and financial reporting requirements by being subject to, and complying with, comparable capital and financial reporting requirements under UK laws and regulations. The Institute of International Bankers, the International Swaps and Derivatives Association, and the Securities Industry and Financial Markets Association submitted the application. In connection with the application, the CFTC also solicited public comment on a proposed comparability determination and related order providing for the conditional availability of substituted compliance to CFTC-registered nonbank swap dealers under the UK Prudential Regulation Authority’s prudential supervision. The comment period will be open until March 24, 2024. [NEW]
  • BGC Group Announces Approval for FMX Futures Exchange. On January 22, BGC Group, Inc. (BGC) announced that its FMX Futures Exchange (FMX) received approval from the CFTC to operate an exchange for U.S. Treasury and SOFR futures. BGC will combine their Fenics UST cash Treasury platform and FMX to work across the CME’s U.S. interest rate complex. FMX is party to a clearing agreement with LCH SwapClear, a holder of interest rate collateral, which it indicated will allow for portfolio margining across rates of risk and provide for margin efficiencies and effective risk management. [NEW]
  • CFTC Cancels Open Meeting. On January 20, the CFTC cancelled its open meeting scheduled for January 22. According to the CFTC, Tthe following matters will be resolved through the CFTC’s seriatim process:
    • Notice of Proposed Order and Request for Comment on an Application for a Capital Comparability Determination Submitted on behalf of Nonbank Swap Dealers subject to Capital and Financial Reporting Requirements of the United Kingdom and Regulated by the United Kingdom Prudential Regulation Authority,
    • Proposed Rule: Requirements for Designated Contract Markets and Swap Execution Facilities Regarding Governance and the Mitigation of Conflicts of Interest Impacting Market Regulation Functions. [NEW]
  • CFTC Designates IMX Health, LLC as a Contract Market. On January 18, the CFTC announced it has issued an Order of Designation to IMX Health, LLC, granting it designation as a contract market (DCM). IMX Health is a limited liability company registered in Delaware and headquartered in Chicago, Illinois. The CFTC issued the order under Section 5a of the Commodity Exchange Act (CEA) and CFTC Regulation 38.3(a). The CFTC determined IMX Health demonstrated its ability to comply with the CEA provisions and CFTC regulations applicable to DCMs. With the addition of IMX Health, there will be 17 DCMs.
  • CFTC Issues Staff Letter No. 24-01. On January 16, the CFTC issued Staff Letter No. 24-01, granting an exemption to LCH SA from the requirements of Regulation 1.49(d) to permit LCH SA to hold customer funds at the Banque du France. Additionally, the CFTC confirmed that it would not recommend enforcement action against LCH SA for failing to obtain, or provide the Commission with, an executed version of the template acknowledgment letter set forth in Appendix B to Regulation 1.20 , as required by Regulations 1.20(g)(4) and 22.5, for customer accounts maintained at the Banque de France.
  • SEC Publishes Risk Alert: Observations Related to Security-Based Swap Dealers. On January 10, the SEC’s Division of Examination published a Risk Alert presenting examination and outreach observations concerning compliance with rules applicable to security-based swap dealers. The SEC stated that in sharing these observations, the Division seeks to remind security-based swap dealers of their obligations under relevant security-based swap rules and encourage security-based swap dealers to consider improvements in their compliance programs, as may be appropriate, to further compliance with Exchange Act requirements. The Risk Alert presents observations in the following areas: (1) reporting of security-based swap transactions and correction of reporting errors; (2) business conduct standards; (3) security-based swap trading relationship documentation and portfolio reconciliation; and (4) recordkeeping.
  • CFTC Publishes Decentralized Finance Report. On January 8, the CFTC’s Digital Assets and Blockchain Technology Subcommittee of the Technology Advisory Committee (TAC) released a report entitled “Decentralized Finance.” The report discusses TAC’s view that the benefits and risks of DeFi depend significantly on the design and features of specific systems, and that one of its central concerns related to DeFi systems is the lack of, and some industry designs to avoid, clear lines of responsibility and accountability. TAC opined that this feature of DeFi systems may present the clearest ways in which DeFi poses risks to consumers and investors, as well as to financial stability, market integrity and illicit finance—according to TAC, it implicates no clear route to ensuring victim recourse, defense against illicit exploitation, or the ability to insert necessary changes and controls during periods of crisis and network stress. The report finds that government and industry should take timely action to work together, across regulatory and other strategic initiatives, to better understand DeFi.
  • SEC Publishes Risk Alert: Observations Related to Security-Based Swap Dealers. On January 10, the SEC’s Division of Examination published a Risk Alert presenting examination and outreach observations concerning compliance with rules applicable to security-based swap dealers. The SEC stated that in sharing these observations, the Division seeks to remind security-based swap dealers of their obligations under relevant security-based swap rules and encourage security-based swap dealers to consider improvements in their compliance programs, as may be appropriate, to further compliance with Exchange Act requirements. The Risk Alert presents observations in the following areas: (1) reporting of security-based swap transactions and correction of reporting errors; (2) business conduct standards; (3) security-based swap trading relationship documentation and portfolio reconciliation; and (4) recordkeeping.

New Developments Outside the U.S.

  • EC Publishes Amendments to Clearing Obligation Scope in Light of Benchmark Reform. On January 22, the delegated regulation amending the regulatory technical standards (RTS) defining the scope of the clearing obligation (CO) was published in the EU Official Journal, with the amended requirements due to enter into force 20 days after publication. The EC stated that Tthe amendments were introduced in light of the transition to the TONA and SOFR benchmarks referenced in certain over-the-counter derivatives contracts. The amendment to the scope of the CO consists of introducing TONA overnight indexed swaps (OIS) with maturities up to 30 years and extending the SOFR OIS class subject to the CO to maturities up to 50 years. The adoption follows the publication by the European Securities and Markets Authority (ESMA), on February 1, 2023, of its final report on changes to the scope of the CO and the derivatives trading obligations (DTO) in light of the benchmark transition, following a consultation last year, to which ISDA responded on September 30, 2022. This ESMA report included two draft amending RTS: one draft RTS amending the scope of the CO and one draft RTS amending the scope of the DTO. The delegated regulation containing the RTS amending the scope of the CO has now been published. The RTS on the DTO has not yet been adopted. [NEW]
  • RBI Issues Circular on Risk Management and Interbank Dealings. On January 5, the Reserve Bank of India (RBI) issued a circular on risk management and interbank dealings. The RBI stated that it has reviewed the foreign exchange risk management facilities based on the feedback received from market participants and experience gained since the revised framework came into force. It has also consolidated the directions in respect of all types of foreign exchange transactions (including cash, tom and spot). The RBI explained that the directions contained in the Currency Futures (Reserve Bank) Directions, 2008 (Notification No. FED.1/DG(SG)-2008 dated August 06, 2008), and Exchange Traded Currency Options (Reserve Bank) Directions, 2010 (Notification No. FED.01/ED(HRK)-2010 dated July 30, 2010), as amended from time to time, are now being incorporated into the Master Direction – Risk Management and Inter-Bank Dealings. These revised directions will come into effect on April 5, 2024, replacing the existing directions in Part A (Section I) of the Master Direction – Risk Management and Inter-Bank Dealings dated July 5, 2016, as amended from time to time, superseding the notifications listed in Annex-II.

New Industry-Led Developments

  • ISDA, FIA Respond to MAS Consultation on Amendments to the Capital Framework for Approved Exchanges and Clearing Houses. On January 22, ISDA and the FIA jointly responded to the consultation from the Monetary Authority of Singapore (MAS) on proposed amendments to the capital framework for approved exchanges and approved clearing houses. The scope of the response is limited to the capital framework for approved clearing houses. The associations stated that they welcomed the introduction of a separate liquidity requirement and proposed that MAS consider a more conservative minimum threshold of at least 12 months of operating expenses. They also agreed with the proposed amendments that capital components should only include equity instruments and exclude an approved clearing house’s skin-in-the-game. For total risk requirement, the response suggests the alignment of the operational risk component with the liquidity risk requirement and the inclusion of some clarifications on the investment risk and general counterparty risk components. [NEW]
  • ISDA Launches Digital Version of 2002 ISDA Equity Derivatives Definitions. On January 18, ISDA launched a fully digital edition of the 2002 ISDA Equity Derivatives Definitions on the ISDA MyLibrary platform, enabling new versions to be released more efficiently as products and market practices evolve in the future. Following consultation with buy- and sell-side market participants, ISDA identified support to move the definitions to a digital format, develop new product provisions and streamline certain components over time. Publication of the 2002 ISDA Equity Derivatives Definitions in digital form is a first step and enables further changes to be made in future versions.
  • BCBS-IOSCO Report Sets Out Recommendations for Good Margin Practices in Non-Centrally Cleared Markets. On January 17, the Basel Committee on Banking Supervision (BCBS) and the International Organization of Securities Commissions (IOSCO) published a report on streamlining VM processes and IM responsiveness of margin models in non-centrally cleared markets, which sets out recommendations for market practices intended to enhance market functioning. The report articulates the policy analyses work carried out by the BCBS-IOSCO in two areas discussed in the September 2022 Review of margining practices: (i) exploring the need to streamline variation margin processes in non-centrally cleared markets and (ii) investigating the responsiveness of initial margin models in non-centrally cleared markets. The consultative report sets out eight recommendations intended to encourage the widespread implementation of good market practices but does not propose any policy changes to the BCBS-IOSCO frameworks. BCBS and IOSCO stated that the first four recommendations aim to address challenges that could inhibit a seamless exchange of variation margin during a period of stress. The other four highlight practices for market participants to implement initiatives in an effort to ensure the calculation of initial margin is consistently adequate for contemporaneous market conditions and proposes that supervisors should monitor whether these developments are sufficient to make this model responsive enough to extreme market shocks. [NEW]
  • ISDA Launches Sustainability-linked Derivatives Clause Library. On January 17, ISDA launched a clause library for sustainability-linked derivatives (SLDs), designed to provide standardized drafting options for market participants to use when negotiating SLD transactions with counterparties. SLDs embed a sustainability-linked cashflow in a derivatives structure and use key performance indicators (KPIs) to monitor compliance with environmental, social and governance (ESG) targets, incentivizing parties to meet their sustainability objectives.
  • BCBS, CPMI, and IOSCO Publish Consultative Report on Transparency and Responsiveness of Initial Margin in Centrally Cleared Markets. On January 16, BCBS, the Bank for International Settlements’ Committee on Payments and Market Infrastructures (CPMI) and IOSCO jointly published a consultative report—Transparency and responsiveness of initial margin in centrally cleared markets – review and policy proposals—which interested parties are invited to comment on. BCBS, CPMI, and IOSCO stated that the ten policy proposals in the report aim to increase the resilience of the centrally cleared ecosystem by improving participants’ understanding of central counterparties (CCPs) initial margin calculations and potential future margin requirements. The proposals cover CCP simulation tools, CCP disclosures, measurement of initial margin responsiveness, governance frameworks and margin model overrides, and clearing member transparency.
  • ISDA and SIFMA Response to US Basel III NPR. On January 16, ISDA and the Securities Industry and Financial Markets Association (SIFMA) submitted a joint response on the US Basel III ‘endgame’ notice of proposed rulemaking (NPR). The response focuses on the Fundamental Review of the Trading Book (FRTB), the revised credit valuation adjustment (CVA) framework, the securities financing transactions requirements and elements of the standardized approach to counterparty credit risk rules. In the response, the associations propose a number of calibration changes to ensure the rules are appropriate and risk sensitive and avoid adverse consequences to US capital markets.
  • ISDA and SIFMA Response to G-SIB Surcharge Framework Consultation. On January 16, ISDA and the Securities Industry and Financial Markets Association (SIFMA) submitted a response to a consultation by the US Federal Reserve on proposed changes to the G-SIB surcharge. The response raises concerns that the revised G-SIB surcharge would lead to inappropriately high capital requirements for banks offering client clearing services, potentially discouraging them from participating in this business and contravening a long-standing policy objective to promote central clearing. Specifically, the response argues that client derivatives transactions cleared under the agency model should not be included in the complexity and interconnectedness categories of the G-SIB surcharge calculation.

The following Gibson Dunn attorneys assisted in preparing this update: Jeffrey Steiner, Adam Lapidus, Marc Aaron Takagaki, Hayden McGovern, and Karin Thrasher.

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments. Please contact the Gibson Dunn lawyer with whom you usually work, any member of the firm’s Derivatives practice group, or the following practice leaders and authors:

Jeffrey L. Steiner, Washington, D.C. (202.887.3632, [email protected])

Michael D. Bopp, Washington, D.C. (202.955.8256, [email protected])

Michelle M. Kirschner, London (+44 (0)20 7071.4212, [email protected])

Darius Mehraban, New York (212.351.2428, [email protected])

Jason J. Cabral, New York (212.351.6267, [email protected])

Adam Lapidus – New York (+1 212.351.3869, [email protected])

Stephanie L. Brooker, Washington, D.C. (202.887.3502, [email protected])

Roscoe Jones Jr., Washington, D.C. (202.887.3530, [email protected])

William R. Hallatt, Hong Kong (+852 2214 3836, [email protected])

David P. Burns, Washington, D.C. (202.887.3786, [email protected])

Marc Aaron Takagaki, New York (212.351.4028, [email protected])

Hayden K. McGovern, Dallas (214.698.3142, [email protected])

Karin Thrasher, Washington, D.C. (202.887.3712, [email protected])

© 2024 Gibson, Dunn & Crutcher LLP.  All rights reserved.  For contact and other information, please visit us at www.gibsondunn.com.

Attorney Advertising: These materials were prepared for general informational purposes only based on information available at the time of publication and are not intended as, do not constitute, and should not be relied upon as, legal advice or a legal opinion on any specific facts or circumstances. Gibson Dunn (and its affiliates, attorneys, and employees) shall not have any liability in connection with any use of these materials.  The sharing of these materials does not establish an attorney-client relationship with the recipient and should not be relied upon as an alternative for advice from qualified counsel.  Please note that facts and circumstances may vary, and prior results do not guarantee a similar outcome.

Throughout 2023, regulators around the world continued to face corruption challenges as part of an increasingly competitive—and politically tense—global market. Economic downturns, continued armed conflict, and rising tensions between global superpowers both drove corruption risk, and complicated cooperative enforcement of anti-corruption laws. This webcast will explore the approach taken by emerging markets in addressing these challenges and examine the trends seen in FCPA and local anti-corruption enforcement actions.

Tensions between China and the United States continue to complicate cross-border cooperation, but have not slowed the pace of global and domestic anti-corruption enforcement in the region. China continues to impose new laws and regulations aimed at both bribe payors and recipients, while expanding its anti-corruption sweep in the finance and healthcare sectors. In India, there have been a slew of legislative and regulatory developments that impact compliance requirements and investigative procedures in the country. Widely heralded reforms in Latin America have failed to result in meaningful enforcement actions to curb corruption. In Africa, while recent years have seen encouraging anti-corruption enforcement trends both through local agencies and prosecuting agencies abroad, these advances are threatened by an uptick in non-democratic political transitions and continuing risks of armed conflict. While Russia-focused sanctions have lead many U.S. and European businesses to discontinue operations there, some of Russia‘s neighboring markets have thrived by creating a new map of trade flows, many with new and challenging risk profiles that require significant attention.

Join our team of experienced international anti-corruption attorneys to learn more about how to do business in Asia, Latin America, Europe, CIS and across Africa without running afoul of anti-corruption laws, including the Foreign Corrupt Practices Act (“FCPA”).

Topics to be discussed:

  1. An overview of FCPA enforcement statistics and trends for 2023;
  2. The corruption landscape in key emerging markets, including recent headlines and scandals;
  3. Lessons learned from local anti-corruption enforcement in Asia, Latin America, Europe, CIS, and across Africa;
  4. Key anti-corruption legislative changes in Asia, Latin America, Europe, CIS, and Africa; and
  5. Mitigation strategies for businesses operating in high-risk areas


PANELISTS:

Kelly S. Austin leads Gibson Dunn’s White Collar Defense and Investigations Practice Group in Asia and is a global co-chair of the firm’s Anti-Corruption and FCPA Practice Group. Kelly is ranked annually in the top-tier by Chambers Asia Pacific and Chambers Global in Corporate Investigations/Anti-Corruption: China. Her practice focuses on investigations, regulatory compliance and international disputes. She has extensive expertise in government and corporate internal investigations, including those involving the Foreign Corrupt Practices Act (FCPA) and other anti-corruption laws, and anti-money laundering, securities, and trade control laws.

Kelly is a member of the bars of Colorado, Virginia and the District of Columbia, and is admitted to practice in a variety of district and appellate courts in the United States. She is admitted to practice as a solicitor in Hong Kong.

Patrick Doris is a partner in Gibson Dunn’s Dispute Resolution Group in the London office, where he advises financial sector clients and others on OFAC and EU sanctions violations, responses to major cyber-penetration incidents, and other matters relating to national supervisory and regulatory bodies. Patrick’s practice also includes transnational litigation, cross-border investigations, and compliance advisory for clients including major global investment banks, global corporations, leading U.S. operators in the financial sectors, and global manufacturing companies, among others. Most recently, Patrick was recognised by The Legal 500 UK 2024 in the field of Regulatory Investigations and Corporate Crime.

Patrick speaks English, Spanish, French and Catalan, with recent experience of conducting investigations in each of those languages. He is admitted to practice as a solicitor in England & Wales.

Katharina Humphrey is a partner in Gibson Dunn’s Munich office. She advises clients in Germany and throughout Europe on a wide range of compliance and white collar crime matters. Katharina regularly represents multi-national corporations in connection with cross-border internal corporate investigations and government investigations. She has significant expertise in the areas of anti-bribery compliance – especially regarding the enforcement of German anti-corruption laws and the U.S. Foreign Corrupt Practices Act (FCPA) –, technical compliance, as well as sanctions and anti-money-laundering compliance. She also has many years of experience in advising clients with regard to the implementation and assessment of compliance management systems. The Legal 500 Deutschland 2023 and The Legal 500 EMEA 2023 name her the Rising Star in the field of compliance.

Katharina speaks German, English, French and Italian. She is admitted to practice in Germany (Rechtsanwalt).

Benno Schwarz is a partner in Gibson Dunn’s Munich office and co-chair of the firm’s Anti-Corruption & FCPA Practice Group, where his practice focuses on white collar defense and compliance investigations. Benno is ranked annually as a leading lawyer for Germany in White Collar Investigations/Compliance by Chambers Europe and was named by The Legal 500 Deutschland 2023 and The Legal 500 EMEA 2023 as one of our Leading Individuals in Internal Investigations, and also ranked for Compliance. He is noted for his “special expertise on compliance matters related to the USA and Russia.” Benno advises companies on sensitive cases and investigations involving compliance issues with international aspects, such as the implementation of German or international laws in anti-corruption, money laundering and economic sanctions, and he has exemplary experience advising companies in connection with FCPA and NYDFS monitorships or similar monitor functions under U.S. legal regimes.

Benno speaks German and English and is a state-certified translator (IHK) for Russian, which makes it possible for him to carry out internal investigations and regulatory proceedings in all three languages. He has practiced as an admitted German lawyer (Rechtsanwalt) since 1993.

Patrick F. Stokes is a litigation partner in Gibson Dunn’s Washington, D.C. office, where he is the co-chair of the Anti-Corruption and FCPA Practice Group and a member of the firm’s White Collar Defense and Investigations, Securities Enforcement, and Litigation Practice Groups. Patrick’s practice focuses on internal corporate investigations, government investigations, enforcement actions regarding corruption, securities fraud, and financial institutions fraud, and compliance reviews. He has tried more than 30 federal jury trials as first chair, including high-profile white-collar cases, and handled 16 appeals before the U.S. Court of Appeals for the Fourth Circuit. Patrick regularly represents companies and individuals before DOJ and the SEC, in court proceedings, and in confidential internal investigations. Most recently, Best Lawyers in America® recognized Patrick as a “Best Lawyer” in Criminal Defense: White-Collar (2024).

Patrick is a member of the bars of Maryland and the District of Columbia.

Oliver D. Welch is a resident partner in Gibson Dunn’s Hong Kong office and a partner in the Singapore office. Oliver has extensive experience representing multi-national corporations throughout the Asia region on a wide variety of compliance and anti-corruption issues. He focuses on internal and regulatory investigations, including those involving the Foreign Corrupt Practices Act and regularly counsels clients on their anti-corruption compliance programs and controls, including the drafting of policies, procedures, and training materials designed to foster compliance with global anti-corruption laws. Oliver also frequently advises on anti-corruption due diligence in connection with corporate acquisitions, private equity investments, and other business transactions.

He speaks Korean and is a member of the bars of New York and the District of Columbia.

Ning Ning is an of counsel in the Hong Kong office. Ning’s practice focuses on advising clients on government and internal investigations compliance counseling, and compliance due diligence matters across the Asia-Pacific region. She has represented clients before the U.S. Department of Justice (DOJ) and the U.S. Securities and Exchange Commission (SEC) involving potential violations of the U.S. Foreign Corrupt Practices Act, securities laws, and other white collar defense matters. Ning is a native Mandarin speaker and has extensive experiences in China-related investigations and compliance matters.

Ning is a member of the bar of Illinois. She is admitted to practice as a solicitor in Hong Kong.

Karthik Ashwin Thiagarajan, an of counsel in the Singapore office, assists clients with investigations in the information technology, fin-tech, telecommunications, logistics and fast-moving consumer goods sectors in India and Southeast Asia. He advises clients on internal investigations and anti-corruption reviews in the region. A client praised him for being “on top of his trade” in the India Business Law Journal’s 2019 “Leaders of the pack” report.

Karthik speaks English, Hindi, Tamil and Kannada. He is admitted to practice in India and New York.


MCLE CREDIT INFORMATION:

This program has been approved for credit in accordance with the requirements of the New York State Continuing Legal Education Board for a maximum of 2.0 credit hours, of which 2.0 credit hours may be applied toward the areas of professional practice requirement. This course is approved for transitional/non-transitional credit.

Gibson, Dunn & Crutcher LLP certifies that this activity has been approved for MCLE credit by the State Bar of California in the amount of 2.0 hours.

Gibson, Dunn & Crutcher LLP is authorized by the Solicitors Regulation Authority to provide in-house CPD training. This program is approved for CPD credit in the amount of 2.0 hours. Regulated by the Solicitors Regulation Authority (Number 324652).

Neither the Connecticut Judicial Branch nor the Commission on Minimum Continuing Legal Education approve or accredit CLE providers or activities. It is the opinion of this provider that this activity qualifies for up to 2 hours toward your annual CLE requirement in Connecticut, including 0 hour(s) of ethics/professionalism.

Application for approval is pending with the Colorado, Illinois, Texas, Virginia and Washington State Bars.

© 2024 Gibson, Dunn & Crutcher LLP.  All rights reserved.  For contact and other information, please visit us at www.gibsondunn.com.

Attorney Advertising: These materials were prepared for general informational purposes only based on information available at the time of publication and are not intended as, do not constitute, and should not be relied upon as, legal advice or a legal opinion on any specific facts or circumstances. Gibson Dunn (and its affiliates, attorneys, and employees) shall not have any liability in connection with any use of these materials.  The sharing of these materials does not establish an attorney-client relationship with the recipient and should not be relied upon as an alternative for advice from qualified counsel.  Please note that facts and circumstances may vary, and prior results do not guarantee a similar outcome.

The new thresholds and new filing fees will take effect 30 days after publication in the Federal Register.

On January 22, 2024, the Federal Trade Commission announced its annual update of thresholds for pre-merger notifications of certain M&A transactions under the Hart-Scott-Rodino Antitrust Improvements Act of 1976 (“HSR Act”).[1]  Pursuant to the statute, the HSR Act’s jurisdictional thresholds are updated annually to account for changes in the gross national product.  The new thresholds will take effect 30 days after publication in the Federal Register and apply to transactions that close on or after that date.

The size-of-transaction threshold for reporting proposed mergers and acquisitions under Section 7A of the Clayton Act will increase by $8.1 million, from $111.4 million in 2023 to $119.5 million for 2024.

Original Threshold

2023 Threshold

2024 Threshold

$10 million

$22.3 million

$23.9 million

$50 million

$111.4 million

$119.5 million

$100 million

$222.7 million

$239 million

$110 million

$245 million

$262.9 million

$200 million

$445.5 million

$478 million

$500 million

$1.1137 billion

$1.195 billion

$1 billion

$2.2274 billion

$2.39 billion

The HSR filing fees have been revised pursuant to the 2023 Consolidated Appropriations Act.  The new filing fees, which will also take effect 30 days after publication in the Federal Register, will be:

Fee

Size of Transaction

$30,000

Valued at less than $173.3 million

$105,000

Valued at $173.3 million or more but less than $536.5 million

$260,000

Valued at $536.5 million or more but less than $1.073 billion

$415,000

Valued at $1.073 billion or more but less than $2.146 billion

$830,000

Valued at $2.146 billion or more but less than $5.365 billion

$2,335,000

$5.365 billion or more

The 2024 thresholds triggering prohibitions on certain interlocking directorates on corporate boards of directors are $48,559,000 for Section 8(a)(l) (size of corporation) and $4,855,900 for Section 8(a)(2)(A) (competitive sales).  The Section 8 thresholds took effect on January 22, 2024.

__________

[1] Press Release, Federal Trade Commission, FTC Announces 2024 Update of Size of Transaction Thresholds for Premerger Notification Filings, January 22, 2024, available at: https://www.ftc.gov/news-events/news/press-releases/2024/01/ftc-announces-2024-update-size-transaction-thresholds-premerger-notification-filings?utm_source=govdelivery


The following Gibson Dunn attorneys prepared this update: Jamie France, Chris Wilson, and Andrew Cline.

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these issues. If you have any questions about the new HSR size of transaction thresholds, or HSR and antitrust/competition regulations and rulemaking more generally, please contact the Gibson Dunn lawyer with whom you usually work, any member of the firm’s Antitrust and Competition, Mergers and Acquisitions, or Private Equity practice groups, or the following authors and practice leaders:

Antitrust and Competition:
Rachel S. Brass – San Francisco (+1 415.393.8293, [email protected])
Andrew Cline – Washington, D.C. (+1 202.887.3698, [email protected])
Jamie E. France – Washington, D.C. (+1 202.955.8218, [email protected])
Cynthia Richman – Washington, D.C. (+1 202.955.8234, [email protected])
Stephen Weissman – Washington, D.C. (+1 202.955.8678, [email protected])
Chris Wilson – Washington, D.C. (+1 202.955.8520, [email protected])

Mergers and Acquisitions:
Robert B. Little – Dallas (+1 214.698.3260, [email protected])
Saee Muzumdar – New York (+1 212.351.3966, [email protected])

Private Equity:
Richard J. Birns – New York (+1 212.351.4032, [email protected])
Ari Lanin – Los Angeles (+1 310.552.8581, [email protected])
Michael Piazza – Houston (+1 346.718.6670, [email protected])
John M. Pollack – New York (+1 212.351.3903, [email protected])

© 2024 Gibson, Dunn & Crutcher LLP.  All rights reserved.  For contact and other information, please visit us at www.gibsondunn.com.

Attorney Advertising: These materials were prepared for general informational purposes only based on information available at the time of publication and are not intended as, do not constitute, and should not be relied upon as, legal advice or a legal opinion on any specific facts or circumstances. Gibson Dunn (and its affiliates, attorneys, and employees) shall not have any liability in connection with any use of these materials.  The sharing of these materials does not establish an attorney-client relationship with the recipient and should not be relied upon as an alternative for advice from qualified counsel.  Please note that facts and circumstances may vary, and prior results do not guarantee a similar outcome.

Washington, D.C. partner George Hazel and Houston partner Gregg Costa, both former federal judges, are joined by retired Judge Andre Davis, a former federal prosecutor, state judge, and federal judge who left the bench in 2017 to serve as Baltimore’s City Solicitor for almost three years. Judge Davis describes how his experience as a trial judge – which he calls the “best job in America” – informed his time as a federal appellate judge; and all three former judges discuss issues such as the maximum number of motions to raise on appeal and how many of those to include in oral arguments, the importance of well-written, persuasive briefs, and the value of oral arguments, which are often a judge’s first glimpse into their colleagues’ views. Judge Davis also shares what motivated his transition from the bench to Baltimore City Solicitor, which included the opportunity to mentor inexperienced lawyers, hire a new police commissioner, and make much-needed police reforms.

Previous Episode | Next Episode


HOSTS:

Gregg Costa is co-chair of the firm’s Trials Practice Group.  Gregg offers clients a unique perspective as a former federal trial and appellate judge. His broad experience—having handled complex civil and criminal matters, at trial and on appeal, as advocate and judge—allows him to offer invaluable skills and strategic insights for both trials and investigations.

George Hazel is a partner in the Washington office of Gibson, Dunn & Crutcher and a member of the firm’s Litigation and White Collar Defense and Investigations Practice Groups.  A former federal trial judge and criminal prosecutor, Mr. Hazel brings a broad range of trial experience, having presided over approximately 50 jury trials in federal court and handled 20 jury trials and 30 bench trials as an attorney in federal and state court.  Since his return to private practice, Lawdragon  has named him one of the “500 Leading Global Litigators” of 2024.