Aggressive enforcement reflected in continuing trend of escalating enforcement actions and monetary relief, as well as expanding reach of securities laws.
I. Introduction: Enforcement Results and Notable Developments
In our year-end 2022 and mid-year 2023 updates, we noted that the Commission’s Division of Enforcement has maintained its agenda of persistent enforcement activity including ongoing sweeps, expansive remedies (including increased penalties and high numbers of officer and director bars), and aggressive rulemaking. These trends have continued through the end of 2023, marking a particularly active Commission under Chair Gary Gensler’s leadership.
A. 2023 Enforcement Results
The enforcement statistics for fiscal year 2023 reflect that the Commission filed a total of 501 stand-alone enforcement actions last year, an eight percent increase over fiscal year 2022, though short of the SEC’s five-year high mark in fiscal year 2019[1]:
The Commission obtained orders for $4.949 billion in financial remedies in fiscal year 2023, second only to the Commission’s record-breaking 2022. In 2023, the SEC recovered over twice as much in disgorgement as compared to penalties, consistent with its general pattern. These statistics were inverted in 2022, primarily due to the significant penalties (without disgorgement) that the Commission recovered in its industry-wide settlements with broker-dealers (and one affiliated investment adviser) relating to alleged recordkeeping violations in connection with employee use of off-channel platforms for business communications.
Notably, in 2023, the SEC also obtained 133 officer and director bars—the highest number obtained in a decade.[2]
The distribution of actions across subject matter was generally consistent with prior years, with the majority of cases involving public company financial reporting, broker-dealers and investment advisers, and securities offerings.[3] The SEC brought 62 stand-alone actions against investment advisers (17% of actions in 2023) reflecting a sustained focus on investment adviser regulation and enforcement, albeit down from the prior year (26% of actions in 2022).[4] The percentage of stand-alone enforcement actions relating to securities offerings reflected a substantial increase over the prior year (33% of actions in 2023, compared to 23% of actions in 2022) and there were modest increases year-over-year in the areas of issuer reporting (17% of actions in 2023, compared to 16% of actions in 2022) and broker-dealer enforcement (12% of actions in 2023, compared to 10% of actions in 2022).[5] There was a decrease in the percentage of stand-alone actions relating to insider trading in 2023 (6% of actions in 2023, compared to 9% of actions in 2022) although it continues to remain a focus area for the SEC.[6] See Sections II (Public Company Accounting, Financial Reporting, and Disclosure), III (Investment Advisers), IV (Broker-Dealers), V (Cryptocurrency and Other Digital Assets), and VI (Insider Trading), infra, for our discussions of significant actions in these areas in the second half of 2023.
B. Continued Focus on Cryptocurrency Coming to an End?
The past year continued to be an active year for the Commission with respect to its enforcement efforts over crypto asset securities. In the second half of 2023, the SEC brought two novel settled actions relating to the unregistered offerings of crypto asset securities in the form of NFTs.[7] On the heels of its earlier actions against two prominent crypto platforms alleging that they failed to register as securities exchanges and broker-dealers,[8] the SEC filed an action against a third platform in November.[9] It also filed complaints against various other crypto exchanges, all for allegedly not registering with the Commission.[10]
While the SEC has described its efforts as “addressing the alleged rampant noncompliance in the crypto asset intermediary space,”[11] the SEC has explicitly declined rulemaking in this area. In his December 2023 statement denying a petition for rulemaking by one of the crypto platforms against which the Commission had filed a complaint, Chair Gensler reiterated the Commission’s intent to continue to rely on the investment contract test articulated in SEC v. Howey in 1946 as the basis for its crypto enforcement efforts.[12] Chair Gensler’s statement also discussed the need for the Commission to “maintain discretion regarding rulemaking priorities” despite the unprecedented—with the exception of the Dodd-Frank era—scale and breadth of rulemaking during his tenure.[13] In their dissent, Commissioners Peirce and Uyeda—who have previously criticized the Commission’s substantial rulemaking activity—noted the need to address “issues presented by new technologies and other innovations” by hearing from “a wide range of market participants and other interested parties.”[14]
It remains to be seen whether the Commission will prevail in its interpretation of the Howey test as applied to digital assets. In October, the court in SEC v. Ripple Labs declined to allow the SEC to appeal the court’s July 2023 ruling (discussed in our mid-year alert as a “landmark legal victory for the cryptocurrency industry”),[15] and later that month, the SEC dropped its aiding and abetting claims against two Ripple executives.[16] The Ripple case is scheduled to go to trial in April 2024, and motions to dismiss in other significant cases are currently pending.[17] In the meantime, enforcement activity in this area—particularly against major market participants—may be slowing down as the industry awaits the outcome of the litigations. See Section V, infra, for our discussion of significant crypto enforcement activity in the second half of 2023.
C. What Is Not an Internal Controls Violation?
In early 2023, the SEC brought an enforcement action against a public company alleging that its failure to adequately analyze certain employment-related issues amounted to securities law violations. Specifically, the SEC alleged that the company’s failure to “collect and analyze employee complaints of workplace misconduct” amounted to an internal controls violation, even though it found no misstatement relating to such complaints.[18]
In the second half of the year, the SEC brought an additional controls case against a public company relating to its stock buyback program. The SEC specifically alleged that the company’s use of Rule 10b5-1 plans that included “accordion” provisions—which gave the company flexibility on when it could buy back stock—reflected that the company had “insufficient accounting controls”; for this controls violation, the company paid a sizeable $25 million penalty.[19] In their dissent, Commissioners Peirce and Uyeda noted that “[w]e do not have the authority to tell companies how to run themselves, but we now routinely use Section 13(b)(2)(B) to do just that” and further noted that the company’s alleged failures had nothing to do with accounting controls as required by the statute.[20] In 2020, the Commission brought a similar case (with a similar $20 million penalty) alleging violations of Section 13(b)(2)(B) of the Exchange Act in connection with a stock buyback—in that case, the allegation was that the company’s process to assess whether it was in possession of material non-public information at the time of the buyback was inadequate.[21] And in that case, Commissioner Peirce also issued a strongly worded dissent noting simply that “the Order does not articulate any securities law violations.”[22]
Perhaps in response to the drumbeat of dissents by Republican-appointed commissioners in these internal controls matters, Chair Gensler recently defended the Commission’s focus on corporate governance in remarks before the American Bar Association, referring to the “critical role that corporate governance plays to protect investors and facilitate capital formation” and noting that while “Congress conceived the SEC primarily as a disclosure-based agency,” corporate governance principles have long appeared in the federal securities laws.[23] Chair Gensler described the SEC’s recent rulemaking initiatives relating to corporate governance, which have focused on executive compensation clawbacks, limitations on stock buyback plans, transparency in proxy voting, and shortening the deadlines for beneficial ownership reporting, and concluded his remarks by noting that the SEC’s projects “follow Congress’s vision that a federal regulator, the SEC, play a role alongside state law in addressing corporate governance-related issues—to align incentives and build trust in the markets.”[24]
The recent cases and comments illustrate both the Commission’s continuing emphasis on scrutinizing stock buybacks, and more broadly, on using all available tools to bring general corporate governance issues within the purview of the securities laws.
D. Recordkeeping and Whistleblower Protection
In keeping with the emphasis on “conduct that undermines oversight of the securities industry,”[25] fiscal year 2023 was a very significant year for the SEC’s continued industry-wide sweep relating to off-channel business communications and for its whistleblower program.
Recordkeeping
In August and September 2023, the SEC announced settled charges against 21 broker-dealers and investment advisers, resulting in combined penalties of $368 million for the alleged failure to maintain and preserve off-channel communications.[26] The Fall 2023 settlements follow 19 earlier settlements, for a total of approximately $1.5 billion in penalties for alleged recordkeeping violations, and more are expected to come in 2024. Each of the settlements involved admissions, improvements to policies and procedures, and most notably, undertakings to retain independent compliance consultants. One of the firms in the September 2023 announcement self-reported to the SEC—the third firm so far to do so out of 40 firms that agreed to settle charges in the sweep.
In September, the SEC additionally announced settled orders against two credit rating agencies for failure to preserve electronic records.[27] Both agencies allegedly failed to retain or preserve text messages and other electronic communications that employees used relating to how credit ratings were determined. As with the broker-dealer and investment advisers, both agencies admitted to the SEC’s recordkeeping findings, and agreed to retain independent compliance consultants in addition to paying civil penalties for $4 million and $6 million. In announcing the settlement, the Commission emphasized the “critical gatekeeping function” of ratings agencies.
Whistleblower Protection
As we reported in our mid-year alert, the Commission awarded a record-breaking $279 million to two whistleblowers in May 2023 in one case. Overall, the Commission received over 18,000 whistleblower tips in 2023, reflecting a substantial 50% increase over the—at the time record-breaking—number of tips it received in 2022.[28] Significant awards in the second half of the year included the following:
- Awards totaling more than $104 million in August to seven whistleblowers, representing the fourth-largest payout in the SEC whistleblower program’s history.[29] The seven whistleblowers included two sets of joint claimants and three single claimants, all of whom provided information that prompted or significantly contributed to the SEC investigation and related actions by another agency.
- An award of $18 million in August to a whistleblower who, after initially reporting conduct internally, provided information and subsequent cooperation that prompted an SEC investigation and respective enforcement action.[30]
- An award of $28 million in December to seven whistleblowers, composed of a single claimant and two sets of joint claimants.[31] The single claimant and first set of joint claimants were credited with providing “significant and detailed information early in the investigation,” while the second set of joint claimants provided “new, but more limited, information later in the investigation.”
Additionally, enforcement activity and ongoing sweeps reflect the Commission’s aggressive position that agreements with employees and clients that contain confidentiality provisions, but do not provide exceptions for whistleblowing, are a violation of the Dodd-Frank whistleblower protection rule. In January 2024, the SEC brought settled charges with a penalty of $18 million—a record penalty for a purported violation of the whistleblower protection rule—against a broker-dealer for entering into settlement agreements with clients that did not contain whistleblowing carveouts.[32] Three months earlier, in September 2023, the SEC brought three settled actions for purported violations of the rule including: (1) an Order with a registered investment adviser for entering into employee confidentiality agreements that did not contain a whistleblowing carveout, and for entering into employee release agreements that required employees to affirm they had not filed complaints with a government agency;[33] and (2) an Order with a privately held energy and technology company for entering into employee separation agreements that required employees to waive rights to monetary whistleblower awards.[34]
In recent remarks before the New York City Bar Association’s Compliance Institute, Director of Enforcement Gurbir Grewal described these recent actions and noted that the message is that the Commission “take[s] compliance with [the Whistleblower Protection Rule] very seriously, and so should each of you who work in a compliance function or advise companies.”[35] In discussing both the recent whistleblower and recordkeeping actions, Director Grewal further expanded that it is the Commission’s expectation that employees working in a compliance function (i) educate themselves and are aware of SEC Orders “and the violative language cited by the Commission”; (ii) engage with personnel in different business units “to learn about their activities, strategies, risks, financial incentives, counterparties, and sources of revenues and profits”; and (iii) execute and implement effective policies.[36]
E. Senior Staffing Update
At the end of the year, the SEC named Dean C. Metry as the Commission’s Chief Administrative Law Judge, replacing James E. Grimes who had served in the position for two years.[37] Metry has 22 years of experience as an Administrative Law Judge, most recently as the Associate Chief Judge of the Office of Medicare Hearings and Appeals for the U.S. Department of Health and Human Services, and before that as an Administrative Law Judge for the Department of Homeland Security and the Social Security Administration. Metry also served four years in the Navy Judge Advocate General Corps as trial counsel and a summary courts martial officer.
In September, George Botic was appointed to a term as a Board Member of the Public Company Accounting Oversight Board (PCAOB), replacing outgoing Board member Duane DesParte.[38] Botic most recently served as the Director of the PCAOB’s Division of Registration and Inspections, and has also held other roles at PCAOB including Director of the Office of International Affairs, special advisor to former Chair James R. Doty, and Deputy Director of the Registration and Inspections Division.
There were several changes at the senior staff level and in regional leadership, including within the Division of Examination, Media Relations and Speechwriting, and office and regional directors:
- In July, Natasha Vij Greiner and Keith E. Cassidy were named interim Acting Co-Directors of the Division of Examinations while Division Director Richard Best took extended medical leave.[39] Greiner concurrently serves as a Deputy Director of the Division, the National Associate Director of the Investment Adviser/Investment Company (IA/IC) examination program, and the Associate Director of the Home Office IA/IC examination program. Cassidy concurrently serves as a Deputy Director of the Division of Examinations at large and the National Associate Director of the Division’s Technology Controls Program.
- In October, Stephanie Allen replaced Aisha Johnson as the SEC’s Director of Media Relations and Speechwriting.[40] In this capacity, she will lead media relations for the Office of Public Affairs and serve as the primary spokesperson for the SEC and Chair Gensler. Allen previously served as the Executive Director of the Ludwig Institute for Shared Economic Prosperity and the Director of Strategic Communications and Marketing at Promontory Financial Group, an IBM Company.
- In November, Kate E. Zoladz was named Regional Director of the Los Angeles Office after serving as the Acting Co-Director since June 2023 and as the Associate Regional Director for Enforcement since October 2019.[41]
- In December, Daniel R. Gregus left his position as Director of the Chicago Regional Office after leading the Chicago office since 2021 and serving for longer than 30 years at the SEC.[42] For the time being, Vanessa Horton and Kathryn Pyszka will serve as Acting Co-Directors of the regional office.
II. Public Company Accounting, Financial Reporting, and Disclosure
A. Financial Reporting
In September, the SEC charged a ridesharing platform with violations of Section 13(a) of the Exchange Act and Rule 13a-1 for failing to disclose in its 10-K a related person transaction involving a large shareholder’s sale of approximately 2.6% of the company’s shares in the weeks prior to the company’s IPO.[43] The Commission alleged that the shareholder declined to sign a lockup agreement and instead informed the company that it wanted to sell a substantial portion of its shares before the IPO. This transaction required approval of the company’s board of directors, which initially declined the transaction based on concerns that the shareholder’s affiliation with one of the directors could result in material, nonpublic information being imputed to the shareholder. The company later approved a transaction—set-up by an investment advisor for which the director served as an employee—in which the shareholder would ultimately sell its shares at a pre-IPO discount to an unaffiliated investor. For his help with facilitating the sale, the director received millions of dollars of compensation from the investment advisor that arranged the deal. The company settled the charges without admitting or denying the Commission’s findings, and agreeing to pay a civil monetary penalty of $10 million.
Also in September, the SEC charged a telecommunication and internet provider with failing to disclose material information about unsupported adjustments the company made in several filings.[44] The Commission alleged that the company began to notice a discrepancy between two key operational systems that caused a mismatch between actual expenses based on invoices and calculations of what should be paid under existing contracts. Despite the company’s knowledge of the issue, it allegedly failed to implement adequate policies and procedures to provide reasonable assurance that the cost of revenue reflected in the company’s financial statements was based on adequate support. The Commission further alleged that the company made unsupported adjustments to its financial results that lowered its cost of revenue by more than $35 million, without disclosing material facts about the adjustments. The Commission determined not to impose civil monetary penalties based on the company’s self-reporting and cooperation.
In the same month, the SEC also announced settled charges against a consumer products company and its former CEO for fraud and reporting violations.[45] The Commission alleged that the company pulled sales forward into earlier quarters without adequate disclosure and engaged in accounting practices that were inconsistent with GAAP while overriding its internal accounting controls, giving the misleading appearance that the company had achieved sales growth in line with its targets. Both the company and the CEO settled the charges without admitting or denying the SEC’s findings, agreeing to pay civil penalties of $12.5 million and $110,000, respectively.
Later in September, the SEC charged an owner and operator of distributed solar energy assets with violating antifraud, proxy, and reporting provisions of the federal securities laws.[46] According to the Commission, the company’s revenue projections, featured in public filings ahead of a SPAC merger, were misleading because the sales pipeline consisted almost entirely of speculative sales opportunities, including sales to potential customers with whom the company had little or no contact, customers to whom the company could not legally sell its products, and stale sales opportunities. The company agreed to pay a civil penalty of $11 million without admitting or denying the SEC’s findings.
At the end of September, the SEC filed a complaint against the former chief commercial officer (CCO) and former CFO of a telecommunications company for allegedly violating the antifraud provisions and other provisions of the federal securities laws.[47] According to the Commission, the CCO, former CFO, and controller engaged in a fraudulent scheme by allegedly recognizing revenue from customers’ non-binding purchase orders, allowing the company to materially overstate its revenue. The Commission seeks injunctive relief, disgorgement and prejudgment interest, civil penalties, and officer and director bars against the former CCO and former CFO. The complaint also seeks to order the former CFO to reimburse the company for compensation pursuant to Section 304 of the Sarbanes-Oxley Act. The controller settled the charges, agreeing to an officer and director bar, an accountant bar, and to be subject to future proceedings to determine any monetary relief. In a parallel action, the U.S. Attorney’s Office for the Southern District of New York announced criminal charges against the CCO and former CFO.
In December, the SEC announced settled fraud charges against a publicly traded UAE-based energy company, the company’s former CEO, and its interim CEO, who previously served as chief strategy officer.[48] The SEC order alleged that the NASDAQ-traded company, before and after it went public through a special-purpose acquisition transaction, from 2018 to early 2021, misstated between 30 and 80 percent of its revenues in SEC filings related to its offer and sale of up to $500 million of securities. To this end, the company allegedly created false invoices that inflated its revenues from UAE-based oil facilities by over $70 million over three years. The SEC also alleged that the former and interim CEOs knew, or were reckless in not knowing, of the conduct. The company settled the charges, which alleged violations of the antifraud, proxy statement, reporting, and book-and-records provisions of the federal securities laws, and agreed not to issue the $500 million in securities and to pay a $5 million penalty without admitting or denying the SEC’s findings. The company further announced a restatement of its audited 2018 to 2020 financial statements. The former and interim CEOs also settled their respective charges without admitting or denying the SEC’s findings, and each agreed to a $100,000 civil penalty and a permanent officer and director bar.
Also in December, the SEC filed charges against three related companies and their CEO with engaging in a multi-year scheme causing the defendants to allegedly report materially false and misleading financial statements.[49] According to the complaint, the CEO allegedly booked billions of dollars’ worth of fictitious transactions, primarily through the Nigerian subsidiaries of his companies, and ultimately misrepresented to investors that the companies had hundreds of millions of dollars in cash balances, and used the inflated financial statements to facilitate the sale of two subsidiaries to U.S.-listed public companies at grossly inflated values. The SEC further alleged that the CEO and defendant companies created fake bank statements, falsified general ledgers, and submitted forged and fabricated documents to their auditors to facilitate the scheme. The complaint seeks permanent injunctions, disgorgement, civil penalties, an officer and director bar, and a clawback, pursuant to Section 304 of the Sarbanes-Oxley Act, of the CEO’s bonuses and profits obtained from the issuance of the defendant companies’ stock.
B. Public Statements and Disclosures
In July, the SEC announced settled charges on a neither admit nor deny basis against a “smart” window manufacturer and its former CFO for allegedly failing to disclose $28 million in projected warranty-related liabilities to address a defect in the company’s product; the SEC filed a complaint against the company’s former CFO relating to the conduct.[50] In a series of reports and statements filed with the Commission, the company included liabilities related to its costs to manufacture replacements for defective windows, but allegedly failed to include related shipping and installation costs in its accrued liabilities. The Commission did not enforce a civil penalty against the company based in part on the company’s self-reporting, remedial measures, and cooperation; its complaint against the former CFO is pending, and seeks permanent injunctions, civil penalties, and an officer and director bar.
In September, the SEC filed settled charges against a manufacturer of hydrogen fuel cell electric vehicles, the company’s CEO, and the company’s managing director of its European subsidiary.[51] The SEC’s order alleged that the company exaggerated the status of its dealings with potential customers and suppliers to create the appearance that vehicle sales were imminent. The complaint further alleged that shortly before the company’s IPO via a SPAC, the company claimed to have sold its first hydrogen electric vehicle and posted a misleading video on social media that allegedly gave the misleading impression that the depicted vehicle ran on hydrogen. The company and the officer defendants agreed to pay civil penalties of $25 million, $100,000 and $200,000, respectively, without admitting or denying the charges.
Also in September, the SEC charged six officers, directors, and major shareholders of public companies for failing to timely report information about their holdings and transactions in company stock, and against five publicly traded companies for contributing to, or failing to report, their insiders’ filing issues.[52] The Commission used data analytics to identify the charged insiders as filing Form 4 and Schedules 13D and 13G reports late, with some filings delayed by years. Without admitting or denying the findings, the six individuals and five public companies agreed to pay civil penalties.
In October, the SEC filed a complaint against a software company and its chief information security officer alleging fraud and internal control failures related to cybersecurity risks.[53] The SEC alleged that the company—which was a victim of a two-year-long cyberattack and data breach—misled investors about the adequacy of its cybersecurity abilities, even though it was allegedly aware of related weaknesses and increasing risks of cyberattacks. The SEC’s complaint seeks injunctive relief, disgorgement, and civil penalties, as well as an officer and director bar against the chief information security officer. The complaint is notable in that it represents the first time the SEC has filed fraud charges against a chief information security officer, which is a position that does not have accounting or financial reporting responsibility.
In November, the SEC filed a complaint against former co-CEOs of a private technology services startup for violating the antifraud provisions of the federal securities laws by misleading investors about the company’s finances.[54] The Commission alleged that the co-CEOs made material misrepresentations and falsified documents concerning the company’s cash position and historical financial performance while raising money from investors, including by creating and providing investors with falsified bank records and a fake audit report. The co-CEOs agreed to the entry of a partial judgment imposing permanent and conduct-based injunctions and an officer and director bar, but reserving the issues of disgorgement, prejudgment interest, and a civil penalty for further determination by the court. The U.S. Attorney’s Office for the Eastern District of California announced parallel criminal charges as well.
In December, the SEC filed a complaint charging the former CEO and co-founder of a medical device startup with defrauding investors of approximately $41 million and making false and misleading statements about one of the company’s key medical device products.[55] The Commission alleged that the former CEO knew, or was reckless in not knowing, that one of the components of one of the company’s medical devices, which was implanted into patients’ bodies, was non-functional. The SEC also alleged that the former CEO misrepresented to investors that the medical device had been approved by the FDA and that it was the only effective device of its kind on the market. According to the complaint, the former CEO also made false and misleading statements to investors about the company’s historical revenues, revenue projections, and business model. The complaint seeks permanent injunctions, disgorgement plus prejudgment interest, a civil penalty, and an officer and director bar. The U.S. Attorney’s Office for the Southern District of New York filed criminal charges against the former CEO as well.
C. Auditors and Accountants
In September, the SEC settled charges against a former accounting firm partner for improper professional conduct involving the firm’s quality control system for its assurance practice.[56] Similar to the allegations underlying an earlier SEC settlement in June with the accounting firm,[57] the SEC alleged that the former partner failed to sufficiently address and remediate deficiencies in the firm’s quality control system, primarily in connection with the increase in audits of special purpose acquisition companies (SPACs) beginning in 2020, which had been identified by the firm and in inspections by the Public Company Accounting Oversight Board (PCAOB). The former partner also allegedly failed to implement sufficient monitoring procedures to detect audit deficiencies. Without admitting or denying the allegations, the former partner agreed to pay a civil penalty of $75,000, and to forgo holding a leadership position at a registered public accounting firm for a period of three years.
Also in September, the SEC filed an action charging an accounting firm and its professional services firm with violating the auditor independence laws and aiding and abetting their clients’ violations of the federal securities laws.[58] The SEC’s complaint alleges that the firms improperly included indemnification provisions in engagement letters for more than 200 audits, reviews, and exams, including after the firm’s senior partners were allegedly notified that inclusion of indemnification provisions in engagement letters rendered the firm not independent. The complaint seeks a permanent injunction, disgorgement, and a civil monetary penalty against the firms.
III. Investment Advisers
A. Misaligned Interests
In August, the SEC filed a settled action against a fund administrator for causing its client to violate provisions of the Advisers Act relating to a fraud against a private fund and its investors.[59] The SEC alleged that the fund administrator, based on materially false and misleading statements from its client—an investment adviser charged separately with fraud by the SEC in 2022—sent investors account statements that materially overstated the value of their investments, which had suffered significant losses as a result of trading by the adviser. The fund administrator agreed, without admitting or denying the SEC’s findings, to pay a penalty and disgorgement totaling more than $122,000. The SEC considered remedial actions undertaken by the fund administrator in determining to accept its offer of settlement. The matter is notable as a follow on investigation of a service provider to a registered investment adviser for causing the adviser’s previously settled violations. The settlement is consistent with the SEC’s increased focus on the use of service providers by registered investment advisers, including its pending rule proposal “Outsourcing by Investment Advisers”.
In September, the SEC filed a settled action against an investment advisory firm and its owner for allegedly allocating profitable securities trades to favored accounts, including the firms’ own accounts, while allocating a disproportionate amount of unprofitable trades to disfavored clients.[60] The SEC found that the firm and its owner received at least $2.7 million in profits from the alleged “cherry-picking” scheme and that the owner made false and misleading statements to clients and prospective clients about the firm’s trading practices. Without admitting or denying the SEC’s findings, the firm and its owner agreed to pay more than $3 million in civil penalties and disgorgement.
Also in September, the SEC filed a settled action against an investment adviser for alleged breaches of fiduciary duty that it owed to private funds that it advised.[61] The SEC alleged that the firm failed to consider whether a fee acceleration agreement—which enabled the investment adviser to receive accelerated monitoring fees from a portfolio company when the company was sold—was in its clients’ best interests. The investment adviser further allegedly transferred expiring funds into a new private fund, thereby locking up investor money for 11 years without client permission, and loaned money to private funds managed by an affiliated adviser without the clients’ knowledge, and without considering the clients’ best interests. Without admitting or denying the SEC’s findings, the investment adviser agreed to pay a civil penalty of $1.6 million.
In November, the SEC filed a complaint against an individual—serving as both the president and chief compliance officer of an investment adviser—for his involvement in an alleged multiyear fraud that concealed losses of over $350 million from investors.[62] The SEC’s complaint alleges that the defendant misled investors through sham documents to believe that their investments were diversified, and then funneled their investments to a single sub-adviser that incurred heavy losses. The complaint further alleges that the defendant separately caused hedge funds under his firm’s advisement to incur heavy losses resulting from highly illiquid investments. The SEC’s complaint seeks a permanent injunction, disgorgement, civil penalties, and an officer and director bar. The U.S. Attorney’s Office for the District of New Jersey announced parallel criminal charges.
Also in November, the SEC filed an action against a real estate investment company, its CEO, and several entities controlled by the CEO, for allegedly engaging in a scheme to misappropriate $35 million of investor funds.[63] The SEC separately alleged that the CEO and an entity under his control attempted to manipulate, and profit from, a certain corporation’s stock by, after first buying 72,000 call options in the corporation for well under the stock price, falsely stating in a press release that they would purchase a majority stake in the corporation at a price per share well over the then-current trading price. The SEC’s complaint seeks permanent injunctive relief, the appointment of a receiver, disgorgement, a civil penalty, and temporary restraining orders and asset freezes.
B. Disclosure Issues
In August, the SEC announced settled charges against an investment adviser, its parent company, and their majority owner and founder, an individual, with breaching fiduciary duties by disadvantaging a client in order to obtain $20 million in rescue financing in 2019.[64] That client, an exchange-traded fund (“ETF”) tracking an index of cannabis companies, had been funded by a broker-dealer since 2018. The ETF’s founder and investment adviser were allegedly aware of funding options from other lenders that would been more beneficial to the ETF, but nonetheless failed to inform the ETF’s trustees about these options in order to keep the ETF’s business with its initial broker-dealer. According to the SEC, the investment adviser had separate financing contracts with the broker-dealer and allegedly did not want to risk losing those contracts. Without admitting or denying the SEC’s findings, the investment adviser and its parent company agreed to pay, jointly and severally, a penalty of $4 million, and the founder agreed to a $400,000 penalty, an associational bar under the Advisers Act, a prohibition under the Investment Company Act with the ability to reapply after three years, and to comply with certain undertakings.
In September, the SEC charged an alternative investment platform with failing to disclose critical information to investors in an asset-backed securities offering.[65] The platform allegedly made multiple offerings, to a single foreign borrower, to finance loans for the deconstruction of ships, despite allegedly learning that the borrower’s collateral—certain ships—for earlier loans were either “broken up” or missing entirely. The platform later determined that the borrower had stolen the deconstruction proceeds for several ships, leaving investors with millions of dollars in losses. Without admitting or denying the SEC’s findings, the platform agreed to disgorgement and civil monetary penalties totaling approximately $1.9 million.
Later in September, the SEC filed a settled action against an investment adviser and its principal for disclosure and compliance violations with respect to conflicts of interest.[66] According to the SEC, the investment adviser and its principal advised certain clients to invest in three companies in which the principal had decision-making authority and significant ownership interests. The SEC further alleged that the investment adviser and its principal failed to disclose to clients that their investments would be temporarily used for purposes such as funding the adviser’s payroll and to repay loans owed to the principal or to other affiliated companies. Without admitting or denying the SEC’s findings, the investment adviser and its principal agreed to pay, jointly and severally, a civil penalty of $250,000. The SEC considered remedial actions undertaken by the adviser and its principal, including promptly repaying certain debts totaling $1.65 million, in determining to accept its offer of settlement.
Also in late September, the SEC filed settled charges against an investment adviser related to undisclosed conflicts of interest involving a cash sweep program—through which one of the adviser’s affiliated custodians transferred clients’ uninvested cash into interest-earning accounts—and receipt of revenue-sharing payments from third-party custodians.[67] According to the SEC, from at least September 2016 to January 2021, the adviser did not inform clients that it helped set the fee that its affiliate custodian received for operating the cash sweep program, which reduced the amount of interest paid to those clients. Additionally, from at least January 2016 through August 2019, the adviser allegedly received custodial support payments from some third-party custodians based on assets held in certain funds, but failed to disclose that there were more favorable options available for use by clients that would not have resulted in payments to the adviser. Without admitting or denying the SEC’s findings, the adviser agreed to pay a civil penalty and disgorgement totaling over $18 million.
In October, the SEC filed settled charges against an investment adviser relating to its description of investments that composed a significant portion of a publicly traded fund it advised.[68] The SEC’s order alleged that the adviser inaccurately described a company in which it made significant investments in multiple, publicly available reports filed with the SEC, and that the adviser allegedly stated that the company paid a higher interest rate than was actually the case. Without admitting or denying the SEC’s findings, the adviser agreed to pay a $2.5 million penalty. In determining to accept the adviser’s offer of settlement, the SEC considered cooperative and remedial actions undertaken by the adviser, including voluntarily covering losses associated with the investment and revising its disclosures promptly after discovering the errors and before the SEC began its investigation.
C. Anti-Money Laundering and ESG
In September, the SEC filed two settled actions against an investment adviser for allegedly failing to develop an Anti-Money Laundering (“AML”) program for its mutual funds, and by making materially misleading misstatements about its Environmental, Social, and Governance (“ESG”) process.[69] Regarding the alleged AML program deficiency, the SEC alleged that the investment adviser failed to establish and implement AML policies specific to its mutual funds’ business, to design reasonable transaction-monitoring policies to detect money laundering activities, and to conduct AML training specific to its mutual funds. In the second action, the SEC alleged that the investment adviser failed to implement certain research requirements as part of its global ESG Integration Policy from August 2018 until late 2021, contrary to what it allegedly led investors to believe through certain public statements. Without admitting or denying the SEC’s findings, the firm agreed to pay civil penalties totaling over $25 million to resolve the AML and ESG actions. In determining to accept the investment adviser’s settlement offer, the SEC considered the adviser’s cooperation throughout the investigation, including its provision of detailed factual summaries and substantive presentations to the Commission.
D. Miscellaneous Advisory Issues: Fees, Custody Rule, and Marketing Rule
In August, the SEC filed a settled action against two investment advisers for allegedly overcharging investment advisory accounts more than $26.8 million in advisory fees from at least 2002 through December 2022.[70] According to the SEC, the advisers failed to enter agreed-upon reduced advisory rates into their billing systems and failed to adopt and implement written compliance policies and procedures reasonably designed to prevent overbilling. The advisers paid affected accountholders approximately $40 million, including interest, to reimburse them for the overcharged fees and agreed, without admitting or denying the SEC charges, to pay a $35 million civil penalty.
In September, the SEC filed settled actions against nine investment advisers for allegedly advertising hypothetical performance to the general public on their websites without timely adopting or implementing related policies and procedures designed to ensure that the advertised hypothetical performance was relevant to investors’ objectives and financial situations.[71] The SEC additionally alleged that two of the advisers failed to maintain required copies of their advertisements. Without admitting or denying the SEC’s findings, each of the charged firms agreed to pay civil penalties ranging from $50,000 to $175,000.
Also in September, the SEC filed settled actions against five investment advisers for allegedly failing to comply with requirements related to the safekeeping of client assets.[72] The SEC charged three of the advisers with also failing to timely update SEC disclosures regarding audits of their private fund clients’ financial statements. The SEC alleged that each of the advisers failed to have audits performed, deliver audited financials to investors in a timely manner, ensure a qualified custodian maintained client assets, promptly file amended Forms ADV to reflect they had received audited financial statements, and/or properly describe the status of its financial statement audits for multiple years when filing its Form ADV. Without admitting or denying the findings, the advisers agreed to pay civil penalties ranging from $50,000 to $225,000.
IV. Broker-Dealers
A. Trading Issues
In July, the SEC filed an action against a U.S. Army financial counselor for defrauding, among others, the survivors and loved ones of U.S. military service members who died during active duty service.[73] According to the SEC, the financial counselor directed the survivors and loved ones to transfer their benefits into brokerage accounts he managed outside of his official duties with the U.S. Army and, in connection with the brokerage accounts, incurred commissions and losses, both realized and unrealized, of more than $5 million from November 2017 through January 2023. The SEC alleges that the financial counselor engaged in unauthorized trading and recommended excessive trades and higher risk strategies that did not match customers’ investment profiles. The SEC’s complaint alleges violations of the anti-fraud provisions of the federal securities laws and Regulation Best Interest, and seeks permanent injunctions, disgorgement, and civil penalties.
B. Recordkeeping and Filing Issues
In July, the SEC filed settled charges against a broker-dealer for allegedly failing to file Suspicious Activity reports (SARs) from 2009 to 2019.[74] During the relevant period, with respect to suspicious activity where no suspect was identified, the broker-dealer allegedly only reported such activity for transactions of $25,000 or greater—which is the proper reporting threshold for national banks, but not for broker-dealers, which must report all suspicious activity at or above the $5,000 threshold regardless of whether a suspect has been identified—and as a result allegedly failed to file hundreds of required SARs. Without admitting or denying the SEC’s findings, the firm agreed to pay a $6 million penalty. The SEC considered the firm’s cooperation and immediate remedial actions, which included updates to policies, procedures, and automated surveillance systems, when agreeing to the settlement.
In addition to the swath of off-channel communications recordkeeping cases discussed in Section I, supra, in August, the SEC filed settled charges against a broker-dealer firm for allegedly violating recordkeeping requirements in connection with firm expenses related to its underwriting business.[75] According to the SEC’s order, from at least 2009 to May 2019, the broker-dealer failed to review or verify the method it used to calculate and record indirect underwriting expenses associated with its work as an underwriter. Without admitting or denying the SEC’s findings, the broker-dealer agreed to pay a civil penalty of $2.9 million.
Also in August, the SEC filed settled charges against a broker-dealer for allegedly failing to establish an anti-money laundering surveillance program with respect to certain transactions until September 2020, and as a result allegedly failing to file at least 461 SARs associated with microcap and penny stock security trades.[76] Without admitting or denying the alleged facts, the broker-dealer agreed to pay a $1.5 million penalty.
Also in September, the SEC filed settled charges against a broker-dealer for alleged violations of Rule 200(g) of Regulation SHO.[77] According to the SEC’s order, the broker-dealer, as a result of a coding error in the firm’s automatic trading system, incorrectly marked millions of orders for a period of five years, denoting that some short sales were long sales and vice versa, which resulted in the provision of inaccurate data to regulators. Without admitting or denying the findings, the broker-dealer agreed to pay a $7 million penalty, remediate the coding error, and review the firm’s programming and coding logic involved in processing transactions.
C. Information Barriers and MNPI
In September, the SEC filed a complaint against a broker-dealer for allegedly making false and misleading statements and omissions regarding information barriers that impacted the use of customer information.[78] According to the complaint, the broker-dealer and its affiliates operated two distinct types of businesses, “customer-facing trade execution services” that generated materially non-public information (MNPI) regarding trade orders and executions, and “proprietary trading operations” intended to prevent the misuse of MNPI. The SEC’s complaint alleges that although the broker-dealer purported to maintain information barriers, the firm allegedly failed to safeguard a database containing all post-trade information generated from customer orders, including customer-identifying information and other material non-public information, from around January 2018 to April 2019. The SEC further alleges that the broker-dealer misled customers about the adequacy of the information barriers, and overstated the controls and processes it had in place to secure institutional customers’ post-execution trade data. The SEC is seeking disgorgement and civil penalties.
V. Cryptocurrency and Other Digital Assets
A. Cryptocurrency Platforms and Networks
In August, the SEC announced a settled action against a crypto asset trading platform and its co-founder and former CEO based on allegations that they operated an unregistered national securities exchange, broker, and clearing agency.[79] According to the SEC’s order, the company—which allegedly provided services to U.S. investors in connection with crypto assets that were offered and sold as securities—and its co-founder and former CEO directed issuers of crypto assets made available on the platform to delete problematic statements that might lead to scrutiny from regulators. Without admitting or denying the SEC’s allegations, the defendants agreed to disgorgement and a civil penalty totaling approximately $24 million. The platform’s foreign affiliate also agreed to settle charges that it failed to register as a national securities exchange.
In November, the SEC filed a complaint against a cryptocurrency trading platform—which had already agreed in February 2023 to pay $30 million in disgorgement and civil penalties to settle an SEC action involving an alleged failure to register a cryptocurrency asset—for operating as an unregistered securities exchange, broker, dealer, and clearing agency.[80] According to the complaint, since at least September 2018, the cryptocurrency trading platform has made hundreds of millions of dollars by facilitating the buying and selling of cryptocurrency asset securities. The complaint also alleges that the cryptocurrency trading platform’s business practices, internal controls, and recordkeeping practices, including the alleged comingling of customer money and cryptocurrency assets with its own, posed risks to customers and deprived investors of required protections. The litigation is ongoing and the SEC seeks disgorgement and penalties.
In January 2024, the SEC moved to drop charges that it initially brought against a cryptocurrency company and individual defendants based on what the SEC alleged was a fraudulent scheme to sell cryptocurrency asset securities to U.S. investors.[81] The SEC brought its initial charges against the defendants in 2023, and had also obtained a temporary asset freeze, restraining order, and other emergency relief against them. However, several months later, the defendants moved for sanctions against the SEC, arguing that Commission counsel presented false and misleading evidence when pursuing its restraining order, which defendants further argued had severely disrupted their business. The court issued the SEC a show cause order, but the SEC moved for dismissal, asking the court to decline sanctions and to do nothing more than dismiss the initial charges without prejudice.
B. Non-Fungible Tokens (“NFTs”) and Other Products
In August, the SEC charged a media and entertainment company with conducting an unregistered offering of crypto asset securities in the form of purported non-fungible tokens (NFTs) from October to December 2021.[82] According to the SEC’s order, the company encouraged investors to view the NFTs as an investment into the business, and emphasized that investors would profit and receive tremendous value if the business was successful. The SEC’s order alleged that the NFTs were investment contracts and therefore allegedly qualified as securities that were not exempt from registration. Without admitting or denying the SEC’s findings, the media and entertainment company agreed to pay disgorgement and a civil penalty totaling over $5.5 million. The company further agreed to destroy all NFTs in its possession or control, publish notice of the order on its websites and social media channels, and eliminate any royalties it might receive from future secondary market transactions. In determining to accept the company’s settlement offer, the Commission considered remedial actions through which the company repurchased approximately $7.7 million worth of NFTs from investors.
In September, the SEC settled charges against a fintech company that provides cryptocurrency asset-related financial products and services for failing to register the offers and sales of its retail cryptocurrency lending product.[83] According to the SEC’s order, from March 2020 to March 2022, the company allowed U.S. investors to tender U.S. dollars in exchange for a promise to pay interest, and the company converted this cash into cryptocurrency assets, pooled the cryptocurrency assets, and controlled how the assets were used to generate income, which purportedly qualified as the offer and sale of securities that were not exempt from registration. The SEC did not impose civil penalties due to the company’s cooperation and prompt remedial actions, including its voluntary decision to cease offering accounts to new investors and asking existing investors to withdraw funds shortly after the SEC announced charges against a similar cryptocurrency asset investment product.
Also in September, the SEC charged a company with conducting an unregistered offering of cryptocurrency asset securities in the form of purported NFTs.[84] According to the order, the company offered and sold cryptocurrency asset securities to the public in an unregistered offering that was not exempt from registration, violating Sections 5(a) and 5(c) of the Securities Act. Without admitting or denying the allegations, the company agreed to pay a civil penalty of $1 million as well as to publish notice of the settlement on its website and social media channels and destroy all NFTs in its possession.
VI. Insider Trading
In July, the SEC filed a complaint charging a multi-billionaire investor with allegedly obtaining material nonpublic information regarding portfolio companies of a biotechnology investment fund where he was the principal investor, and then allegedly tipping that information to his then-girlfriend and two of his private pilots.[85] The SEC also brought charges against the three individuals who allegedly traded on the information and reaped over $545,000 in combined profits. The SEC alleges that the investor informed his girlfriend, along with the two pilots, about clinical trial results regarding a separate company, and that he provided this information to his two pilots “as a substitute for a formal retirement plan” and loaned them each $500,000 to execute the trades. The three individuals soon thereafter allegedly traded on this material nonpublic information and allegedly profited more than $373,000 in total. The SEC’s complaint remains pending in the Southern District of New York; the investor recently pled guilty to parallel criminal charges.[86]
In August, the SEC filed a second round of insider-trading charges against a former broker who had settled separate insider trading charges last year regarding a data-analytics company’s prospective acquisition.[87] The latest indictment, filed in the Southern District of New York, alleged that the defendant used two Cayman Islands-based entities to purchase 23,000 shares of the data-analytics company’s stock prior to its acquisition announcement, which ultimately resulted in almost $400,000 in ill-gotten profits. The former broker, without admitting or denying the allegations, agreed to pay an approximately $1.2 million civil penalty to settle the charges, and the two offshore entities, which were named as relief defendants, agreed to disgorgement.
In September, the SEC filed a complaint charging three siblings with illegal trading based on inside information about an equipment rental company’s offer to acquire a storage company.[88] According to the SEC’s complaint filed in the Central District of California, one brother learned about the acquisition as an accounting manager for the storage company. He then allegedly bought shares of the storage company and encouraged his brother and sister to do the same, and the three siblings realized combined profits of $650,000. The brother who created the scheme, without admitting or denying the allegations, agreed to a to-be-determined civil penalty, disgorgement, and a five-year officer and director bar. The U.S. Attorney’s Office for the Central District of California also announced securities fraud charges against that brother. The remaining siblings consented to paying monetary fines and disgorgement totaling over $340,000, and the second brother agreed to a five-year officer and director bar.
Also in September, the SEC filed an action against a former analyst for a major investment firm and an international investment bank, as well as three others, charging insider trading.[89] The SEC’s complaint alleges that the analyst used his work at the two financial institutions to learn about merger and acquisition transactions as well as strategic partnerships prior to their public announcements, and tipped material nonpublic information about at least six of these transactions to his childhood friend in exchange for a share of what ended up being $322,000 of illegal profits. The analyst also allegedly tipped four of the transactions to one of his college friends, resulting in $113,000 in profits, and that friend then tipped information about at least two transactions to another college friend, resulting in $25,000 in profits. The U.S. Attorney’s Office for the Southern District of New York announced parallel criminal charges. Both investigations are ongoing.
Looking ahead, enforcement of insider trading may increase in 2024 depending on how the Commission’s “shadow trading” theory—reflecting the use of inside information in one company to buy stocks in a different company with potential to be impacted by the information—fares at trial in the case of SEC v. Panuwat, Case Number 3:21-cv-06322, currently scheduled to begin in March 2024 in the U.S. District Court for the Northern District of California.
[1] SEC Press Release, SEC Announces Enforcement Results for Fiscal Year 2023 (Nov. 14, 2023), available at https://www.sec.gov/news/press-release/2023-234.
[2] Id.
[3] Id.
[4] Compare Addendum to SEC Press Release, SEC Announces Enforcement Results for Fiscal Year 2023 (Nov. 14, 2023), available at https://www.sec.gov/news/press-release/2023-234, with Addendum to SEC Press Release, SEC Announces Enforcement Results for Fiscal Year 2022 (Nov. 15, 2022), available at https://www.sec.gov/news/press-release/2022-206.
[5] Id.
[6] Id.
[7] SEC Press Release, SEC Charges LA-Based Media and Entertainment Co. Impact Theory for Unregistered Offering of NFTs (Aug. 28, 2003), available at https://www.sec.gov/news/press-release/2023-163; SEC Press Release, SEC Charges Creator of Stoner Cats Web Series for Unregistered Offering of NFTs (Sept. 13, 2023), available at https://www.sec.gov/news/press-release/2023-178.
[8] SEC Press Release, SEC Charges Coinbase for Operating as an Unregistered Securities Exchange, Broker, and Clearing Agency (June 6, 2023), available at https://www.sec.gov/news/press-release/2023-102; SEC Press Release, SEC Files 13 Charges Against Binance Entities and Founder Changpeng Zhao (June 5, 2023), available at https://www.sec.gov/news/press-release/2023-101.
[9] SEC Press Release, SEC Charges Kraken for Operating as an Unregistered Securities Exchange, Broker, Dealer, and Clearing Agency (Nov. 20, 2023), available at https://www.sec.gov/news/press-release/2023-237.
[10] See, e.g., SEC Press Release, SEC Charges Crypto Trading Platform Beaxy and its Executives for Operating an Unregistered Exchange, Broker, and Clearing Agency (Mar. 29, 2023), available at https://www.sec.gov/news/press-release/2023-64; SEC Press Release, SEC Charges Crypto Asset Trading Platform Bittrex and its Former CEO for Operating an Unregistered Exchange, Broker, and Clearing Agency (Apr. 17, 2023), available at https://www.sec.gov/news/press-release/2023-78; SEC Press Release, SEC Charges Crypto Entrepreneur Justin Sun and His Companies for Fraud and Other Securities Law Violations (Mar. 22, 2023), available at https://www.sec.gov/news/press-release/2023-59.
[11] SEC Press Release, SEC Announces Enforcement Results for Fiscal Year 2023 (Nov. 14, 2023), available at https://www.sec.gov/news/press-release/2023-234.
[12] SEC Statement, Statement on the Denial of a Rulemaking Petition Submitted on behalf of Coinbase Global Inc. (Dec. 15, 2023), available at https://www.sec.gov/news/statement/gensler-coinbase-petition-121523; see also SEC v. W.J. Howey Co., 328 U.S. 293 (1946).
[13] SEC Statement, Statement on the Denial of a Rulemaking Petition Submitted on behalf of Coinbase Global Inc. (Dec. 15, 2023), available at https://www.sec.gov/news/statement/gensler-coinbase-petition-121523.
[14] SEC Statement, Statement Regarding Denial for Petition for Rulemaking (Dec. 15, 2023), available at https://www.sec.gov/news/statement/peirce-uyeda-petition-121523.
[15] Jonathan Stempel, US SEC Cannot Appeal Ripple Labs Decision, Judge Rules, Reuters (Oct. 4, 2023), https://www.reuters.com/legal/us-sec-cannot-appeal-ripple-labs-decision-judge-rules-2023-10-04/.
[16] Jody Godoy, US SEC Drops Claims Against Two Ripple Labs Executives, Reuters (Oct. 19, 2023), https://www.reuters.com/markets/us/sec-dropping-claims-against-ripple-executives-court-filing-2023-10-19/.
[17] Sec. and Exch. Comm’n. v. Ripple Labs Inc., No. 1:20-cv-10832 (S.D.N.Y.).
[18] SEC Press Release, Activision Blizzard to Pay $35 Million for Failing to Maintain Disclosure Controls Related to Complaints of Workplace Misconduct and Violating Whistleblower Protection Rule (Feb. 3, 2023), available at https://www.sec.gov/news/press-release/2023-22.
[19] SEC Press Release, Charter Communications to Pay $25 Million Penalty for Stock Buyback Controls Violations (Nov. 14, 2023), available at https://www.sec.gov/news/press-release/2023-235.
[20] SEC Statement, The SEC’s Swiss Army Statute: Statement on Charter Communications, Inc. (Nov. 14, 2023), available at https://www.sec.gov/news/statement/peirce-uyeda-statement-charter-communications-111423#_ftn6.
[21] SEC Press Release, SEC Charges Andeavor for Inadequate Controls Around Authorization of Stock Buyback Plan (Oct. 15, 2020), available at https://www.sec.gov/news/press-release/2020-258.
[22] SEC Statement, The SEC Levels Up: Statement on In re Activision Blizzard (Feb. 3, 2023), available at https://www.sec.gov/news/statement/peirce-statement-activision-blizzard-020323.
[23] SEC Speech, “They Are Merely the Agents”: Prepared Remarks before the American Bar Association (Dec. 7, 2023), available at https://www.sec.gov/news/speech/gensler-prepared-remarks-american-bar-association-231207.
[24] Id.
[25] SEC Press Release, SEC Announces Enforcement Results for Fiscal Year 2023 (Nov. 14, 2023), available at https://www.sec.gov/news/press-release/2023-234.
[26] SEC Press Release, SEC Charges 10 Firms with Widespread Recordkeeping Failures (Sept. 29, 2023), available at https://www.sec.gov/news/press-release/2023-212; SEC Press Release, SEC Charges 11 Wall Street Firms with Widespread Recordkeeping Failures (Aug. 8, 2023), available at https://www.sec.gov/news/press-release/2023-149.
[27] SEC Press Release, SEC Charges Two Credit Rating Agencies, DBRS and KBRA, with Longstanding Recordkeeping Failures (Sept. 29, 2023), available at https://www.sec.gov/news/press-release/2023-211.
[28] SEC Press Release, SEC Announces Enforcement Results for Fiscal Year 2023 (Nov. 14, 2023), available at https://www.sec.gov/news/press-release/2023-234.
[29] SEC Press Release, SEC Awards Whistleblower More Than $104 Million to Seven Whistleblowers (Aug. 4, 2023), available at https://www.sec.gov/news/press-release/2023-147.
[30] SEC Press Release, SEC Awards Whistleblower More Than $18 Million (Aug. 25, 2023), available at https://www.sec.gov/news/press-release/2023-161.
[31] SEC Press Release, SEC Awards More Than $28 Million to Seven Whistleblowers (Dec. 22, 2023), available at https://www.sec.gov/news/press-release/2023-257.
[32] SEC Press Release, J.P. Morgan to Pay $18 Million for Violating Whistleblower Protection Rule (Jan. 16, 2024), available at https://www.sec.gov/news/press-release/2024-7.
[33] SEC Press Release, SEC Charges D. E. Shaw with Violating Whistleblower Protection Rule (Sept. 29, 2023), available at https://www.sec.gov/news/press-release/2023-213.
[34] SEC Press Release, SEC Charges Privately Held Monolith Resources for Using Separation Agreements that Violated Whistleblower Protection Rules (Sept. 8, 2023), available at https://www.sec.gov/news/press-release/2023-172.
[35] SEC Speech, Remarks at New York City Bar Association Compliance Institute (Oct. 24, 2023), available at https://www.sec.gov/news/speech/grewal-remarks-nyc-bar-association-compliance-institute-102423.
[36] Id.
[37] SEC Press Release, Dean C. Metry Named Chief Administrative Law Judge at SEC (Dec. 22, 2023), available at https://www.sec.gov/news/press-release/2023-259.
[38] SEC Press Release, SEC Appoints George Botic to the Public Company Accounting Oversight Board (Sept. 27, 2023), available at https://www.sec.gov/news/press-release/2023-202.
[39] SEC Press Release, SEC Names Natasha Vij Greiner and Keith E. Cassidy Interim Acting Co-Directors of the Division of Examinations (July 25, 2023), available at https://www.sec.gov/news/press-release/2023-137.
[40] SEC Press Release, SEC Names Stephanie Allen as Director of Media Relations and Speechwriting (Oct. 4, 2023), available at https://www.sec.gov/news/press-release/2023-218.
[41] SEC Press Release, SEC Names Kate E. Zoladz as Regional Director of Los Angeles Office, available at https://www.sec.gov/news/press-release/2023-241.
[42] SEC Press Release, Daniel R. Gregus, Director of the Chicago Regional Office, to Depart the SEC (Dec. 7, 2023), available at https://www.sec.gov/news/press-release/2023-246.
[43] SEC Press Release, SEC Charges Lyft with Failure to Disclose Board Member’s Financial Interest in Private Shareholder’s Pre-IPO Stock Transaction (Sept. 18, 2023), available at https://www.sec.gov/news/press-release/2023-182.
[44] SEC Press Release, SEC Charges GTT Communications for Disclosure Failures (Sept. 25, 2023), available at https://www.sec.gov/news/press-release/2023-195.
[45] SEC Press Release, SEC Charges Newell Brands and Former CEO for Misleading Investors About Sales Performance (Sept. 29, 2023), available at https://www.sec.gov/news/press-release/2023-210.
[46] SEC Press Release, SEC Charges Electric Vehicle Co. for Misleading Revenue Projections Ahead of SPAC Merger (Sept. 28, 2023), available at https://www.sec.gov/news/press-release/2023-208.
[47] SEC Press Release, SEC Charges Former Pareteum Executives with Accounting and Disclosure Fraud (Sept. 28, 2023), available at https://www.sec.gov/news/press-release/2023-205.
[48] SEC Press Release, SEC Charges UAE-Based Brooge Energy and Former Executives with Fraud (Dec. 22, 2023), available at https://www.sec.gov/news/press-release/2023-256.
[49] SEC Press Release, SEC Charges Tingo Mobile Founder, Three Companies with Massive Fraud and Obtains Emergency Relief (Dec. 19, 2023), available at https://www.sec.gov/news/press-release/2023-254.
[50] SEC Press Release, SEC Charges “Smart” Window Manufacturer, View Inc., with Failing to Disclose $28 Million Liability (July 3, 2023), available at https://www.sec.gov/news/press-release/2023-126.
[51] SEC Press Release, SEC Charges Hydrogen Vehicle Co. Hyzon Motors and Two Former Executives for Misleading Investors (Sept. 26, 2023), available at https://www.sec.gov/news/press-release/2023-200.
[52] SEC Press Release, SEC Charges Corporate Insiders for Failing to Timely Report Transactions and Holdings (Sept. 27, 2023), available at https://www.sec.gov/news/press-release/2023-201.
[53] SEC Press Release, SEC Charges SolarWinds and Chief Information Security Officer with Fraud, Internal Control Failures (Oct. 30, 2023), available at https://www.sec.gov/news/press-release/2023-227.
[54] SEC Press Release, SEC Charges Former Co-CEOs of Tech Start-Up Bitwise Industries for Falsifying Documents While Raising $70 Million From Investors (Nov. 9, 2023), available at https://www.sec.gov/news/press-release/2023-233.
[55] SEC Press Release, SEC Charges Former CEO of Medical Device Startup Stimwave with $41 Million Fraud (Dec. 19, 2023), available at https://www.sec.gov/news/press-release/2023-255.
[56] SEC Press Release, SEC Charges National Office Partner at Marcum for Causing Widespread Quality Control Deficiencies (Sept. 12, 2023), available at https://www.sec.gov/news/press-release/2023-174.
[57] SEC Press Release, SEC Charges Audit Firm Marcum LLP for Widespread Quality Control Deficiencies (June 21, 2023), available at https://www.sec.gov/news/press-release/2023-114.
[58] SEC Press Release, SEC Charges International Accounting Firm Prager Metis with Hundreds of Auditor Independence Violations (Sept. 29, 2023), available at https://www.sec.gov/news/press-release/2023-214.
[59] SEC Press Release, Fund Administrator Charged For Missing Red Flags (Aug. 7, 2023), available at https://www.sec.gov/news/press-release/2023-148.
[60] SEC Press Release, SEC Charges Connecticut Advisory Firm GlennCap and its Owner with Cherry-Picking (Sept. 14, 2023), available at https://www.sec.gov/news/press-release/2023-180.
[61] SEC Press Release, SEC Charges Private Equity Fund Adviser American Infrastructure Funds for Breaching Its Duties (Sept. 22, 2023), available at https://www.sec.gov/news/press-release/2023-193.
[62] SEC Press Release, SEC Charges President/CCO of Prophecy Asset Management Advisory Firm with Multi-Year Fraud (Nov. 2, 2023), available at https://www.sec.gov/news/press-release/2023-231.
[63] SEC Press Release, SEC Charges Phoenix-Area Real Estate Fund Adviser Jonathan Larmore with $35 Million Fraud (Nov. 29, 2023), available at https://www.sec.gov/news/press-release/2023-242.
[64] SEC Press Release, SEC Charges New Jersey-Based ETF Manager for Fraudulent Conduct and Bars Founder (Aug. 1, 2023), available at https://www.sec.gov/news/press-release/2023-144.
[65] SEC Press Release, SEC Charges Alternative Investment Platform YieldStreet for Misleading Investors (Sept. 12, 2023), available at https://www.sec.gov/news/press-release/2023-175.
[66] SEC Press Release, SEC Charges Advisory Firm Bruderman Asset Management and its Principal for Failing to Disclose Misuse of Investment Funds (Sept. 26, 2023), available at https://www.sec.gov/news/press-release/2023-197.
[67] SEC Press Release, SEC Charges California Advisory Firm AssetMark for Failing to Disclose Multiple Financial Conflicts (Sept. 26, 2023), available at https://www.sec.gov/news/press-release/2023-199.
[68] SEC Press Release available at https://www.sec.gov/news/press-release/2023-226.
[69] SEC Press Release, Deutsche Bank Subsidiary DWS to Pay $25 Million for Anti-Money Laundering Violations and Misstatements Regarding ESG Investments (Sept. 25, 2023), available at https://www.sec.gov/news/press-release/2023-194.
[70] SEC Press Release, Wells Fargo Settles with SEC for Charging Excessive Advisory Fees (Aug. 25, 2023), available at https://www.sec.gov/news/press-release/2023-159.
[71] SEC Press Release, SEC Sweep into Marketing Rule Violations Results in Charges Against Nine Investment Advisers (Sept. 11, 2023), available at https://www.sec.gov/news/press-release/2023-173.
[72] SEC Press Release, SEC Charges Five Advisory Firms for Custody Rule Violations (Sept. 5, 2023), available at https://www.sec.gov/news/press-release/2023-168.
[73] SEC Press Release, SEC Charges Former Army Financial Counselor Who Defrauded Gold Star Family Members (July 7, 2023), available at https://www.sec.gov/news/press-release/2023-127.
[74] SEC Press Release, SEC Charges Merrill Lynch and Parent Company for Failing to File Suspicious Activity Reports (July 11, 2023), available at https://www.sec.gov/news/press-release/2023-128; Merrill Lynch, Exchange Act Release No. 97872, (July 11, 2023), https://www.sec.gov/files/litigation/admin/2023/34-97872.pdf.
[75] SEC Press Release, SEC Charges Citigroup Global Markets Inc. With Recordkeeping Failures concerning Underwriting Expenses, available at https://www.sec.gov/news/press-release/2023-165 (Aug. 29, 2023); Citigroup Global Markets Inc., Exchange Act Release No. 98238 (Aug. 29 2023), https://www.sec.gov/files/litigation/admin/2023/34-98238.pdf.
[76] SEC Press Release, SEC Charges Archipelago Trading Services with Failing to File Suspicious Activity Reports (Aug. 29, 2023), available at https://www.sec.gov/news/press-release/2023-164; Archipelago Trading Services, Inc., Exchange Act No. 98234 (Aug. 29, 2023), https://www.sec.gov/files/litigation/admin/2023/34-98234.pdf.
[77] SEC Press Release, SEC Charges Citadel Securities for Violating Order Marking Requirements of Short Sale Regulations (Sept. 22, 2023), available at https://www.sec.gov/news/press-release/2023-192; Citadel Securities LLC, Exchange Act Release No. 98482 (Sept. 22, 2023), https://www.sec.gov/files/litigation/admin/2023/34-98482.pdf.
[78] SEC Press Release, SEC Charges Virtu for False and Misleading Disclosures Relating to Information Barriers (Sept. 12, 2023), available at https://www.sec.gov/news/press-release/2023-176; Complaint, SEC v. Virtu, No. 1:23-cv-8072 (S.D.N.Y., Sept. 12, 2023), https://www.sec.gov/files/litigation/complaints/2023/comp-pr2023-176.pdf.
[79] SEC Press Release, Crypto Asset Trading Platform Bittrex and Former CEO to Settle SEC Charges for Operating an Unregistered Exchange, Broker, and Clearing Agency (Aug. 10, 2023), available at https://www.sec.gov/news/press-release/2023-150.
[80] SEC Press Release, Kraken to Discontinue Unregistered Offer and Sale of Crypto Asset Staking-As-A-Service Program and Pay $30 Million to Settle SEC Charges (Feb. 9, 2023), available at https://www.sec.gov/news/press-release/2023-25; SEC Press Release, SEC Charges Kraken for Operating as an Unregistered Securities Exchange, Broker, Dealer, and Clearing Agency (Nov. 20, 2023), available at https://www.sec.gov/news/press-release/2023-237.
[81] Casey Wagner, SEC moves to drop DEBT Box case, for now, after sanctions threats, Blockworks Inc. (Jan. 30, 2024), available at https://blockworks.co/news/sec-sanctions-debt-box; Motion to Dismiss, Sec. and Exch. Comm’n. v. Digital Licensing Inc., (d/b/a “DEBT Box”), et al., Case No. 2:23-cv-00482-RJS (Jan. 31, 2024).
[82] SEC Press Release, SEC Charges LA-Based Media and Entertainment Co. Impact Theory for Unregistered Offering of NFTs (Aug. 28, 2023), available at https://www.sec.gov/news/press-release/2023-163.
[83] SEC Press Release, Linus Financial Agrees to Settle SEC Charges of Unregistered Offer and Sale of Securities (Sept. 7, 2023), available at https://www.sec.gov/news/press-release/2023-171.
[84] SEC Press Release, SEC Charges Creator of Stoner Cats Web Series for Unregistered Offering of NFTs (Sept. 13, 2023), available at https://www.sec.gov/news/press-release/2023-178.
[85] SEC Press Release, SEC Charges Investor Joseph C. Lewis and Associates with Insider Trading (July 26, 2023), available at https://www.sec.gov/news/press-release/2023-138.
[86] Corinne Ramey, British Billionaire Joe Lewis Pleads Guilty to U.S. Insider Trading, Wall Street Journal (Jan. 24, 2024), https://www.wsj.com/finance/investing/british-billionaire-joe-lewis-pleads-guilty-to-insider-trading-9a8c6475.
[87] SEC Press Release, SEC Charges Florida Investment Adviser a Second Time for Insider Trading (Aug. 2, 2023), available at https://www.sec.gov/news/press-release/2023-145.
[88] SEC Press Release, SEC Charges Three Southern California Siblings with Insider Trading (Sept. 27, 2023), available at https://www.sec.gov/news/press-release/2023-203.
[89] SEC Press Release, SEC Charges Former Financial Industry Analyst and Three Others with Insider Trading (Sept. 28, 2023), available at https://www.sec.gov/news/press-release/2023-204.
Gibson Dunn lawyers are available to assist in addressing any questions you may have about these developments. Please contact the Gibson Dunn lawyer with whom you usually work, any leader or member of the firm’s Securities Enforcement practice group, or the following authors:
Mark K. Schonfeld – Co-Chair, New York (+1 212.351.2433, [email protected])
David Woodcock – Co-Chair, Dallas (+1 214.698.3211, [email protected])
Tina Samanta – New York (+1 212.351.2469, [email protected])
Lauren Cook Jackson – Washington, D.C. (+1 202.955.8293, [email protected])
Timothy M. Zimmerman – Denver (+1 303.298.5721, [email protected])
*Lauren Hernandez and Jerelyn Luther are recent law graduates in the Denver and New York offices respectively and not admitted to practice law.
© 2024 Gibson, Dunn & Crutcher LLP. All rights reserved. For contact and other information, please visit us at www.gibsondunn.com.
Attorney Advertising: These materials were prepared for general informational purposes only based on information available at the time of publication and are not intended as, do not constitute, and should not be relied upon as, legal advice or a legal opinion on any specific facts or circumstances. Gibson Dunn (and its affiliates, attorneys, and employees) shall not have any liability in connection with any use of these materials. The sharing of these materials does not establish an attorney-client relationship with the recipient and should not be relied upon as an alternative for advice from qualified counsel. Please note that facts and circumstances may vary, and prior results do not guarantee a similar outcome.
This is a landmark decision under Delaware law that raises important considerations for Boards and independent directors when deciding upon significant compensation awards.
In a 200-page decision following a five-day trial, Chancellor Kathaleen McCormick of the Delaware Court of Chancery ruled in favor of Tesla stockholders who had brought a derivative lawsuit challenging the multiyear compensation arrangement awarded to Tesla CEO Elon Musk.[1] The plaintiff-stockholders alleged that Tesla’s directors breached their fiduciary duties by awarding Musk performance-based stock options in January 2018 with a potential $55.8 billion maximum value and a $2.6 billion grant date fair value (the “Grant”). The Court found that the defendants—Musk, Tesla, Inc. and six individual directors—failed to meet their burden to prove that the Grant was “entirely fair,” the standard under Delaware law that the Court applied in light of the Court’s determination that Musk held controlling stockholder status with respect to the Grant. As a remedy, the Court ordered the complete rescission of the Grant, which had been approved by a majority vote of disinterested stockholders.[2] The Court opened its opinion by asking: “Was the richest person in the world overpaid?” And the Court concluded that, yes, he was: “In the final analysis, Musk launched a self-driving process, recalibrating the speed and direction along the way as he saw fit. The process arrived at an unfair price.”[3]
The Grant
On January 21, 2018, Tesla’s Board of Directors (the “Board”)[4] unanimously approved the Grant, which would vest based on Tesla’s achievement of certain market capitalization goals, as well as operational milestones related to revenue and adjusted EBITDA targets. The Grant was “the largest potential compensation opportunity ever observed in public markets by multiple orders of magnitude—250 times larger than the contemporaneous median peer compensation plan and over 33 times larger than the plan’s closest comparison, which was Musk’s prior compensation plan.”[5]
The Board conditioned the Grant on approval by a majority vote of disinterested stockholders. A February 8, 2018 proxy statement (the “Proxy”) notified stockholders of a vote on the Grant, which was held on March 21, 2018. Despite ISS and Glass Lewis recommending votes against approval of the Grant, stockholders (excluding Musk’s and his brother’s ownership) approved the Grant with 73% in favor. The Grant began vesting in 2020; as of June 30, 2022, the Grant was nearly fully vested, with all market cap and adjusted EBITDA milestones achieved, and three revenue milestones achieved, with one more deemed probable of achievement.[6]
Court found stockholder vote approving the Grant was not fully informed
The Court determined that it was “undeniable that, with respect to the Grant, Musk controlled Tesla”[7] and, therefore, that the Board’s approval of the Grant was a conflicted-controller transaction. As a result, the Board’s decision would be examined under an “entire fairness” standard―the Delaware courts’ “most onerous standard of review.”[8] However, Delaware law allows defendants facing an entire fairness standard to shift the burden of proof to the plaintiff by showing that the transaction was approved by a fully informed vote of the majority of the minority stockholders.
The Court found that the stockholder vote approving Musk’s Grant was not fully informed for two reasons:
- the Proxy inaccurately described key directors as independent, when several of them had extensive personal and professional relationships of long duration with Musk, including owing much of their personal wealth to Musk; and
- the Proxy misleadingly omitted details about the process by which Musk’s Grant was approved, including material preliminary conversations between Musk and the Compensation Committee chairman, as well as Musk’s role in setting the terms of the Grant and the timing of the Committee’s work.
The Court concluded: “Put simply, neither the Compensation Committee nor the Board acted in the best interests of the Company when negotiating Musk’s compensation plan. In fact, there is barely any evidence of negotiations at all. Rather than negotiate against Musk with the mindset of a third party, the Compensation Committee worked alongside him, almost as an advisory body.”[9]
The “extraordinary nature of the Grant”[10]
In addition to the process of approving the Grant, the Court considered its “price.” “The Board never asked the $55.8 billion question: Was the plan even necessary for Tesla to retain Musk and achieve its goals?”[11] The Court concluded that it was not for three key reasons:
- Musk already owned 21.9% of Tesla, which ownership stake gave him incentive to push Tesla to grow its market capitalization even without the additional compensation;
- there was no risk that Musk would depart Tesla without receiving the Grant, nor did the Board condition the package on Musk devoting any set amount of time to Tesla; and
- the Grant’s performance conditions were not, in fact, ambitious and difficult to achieve.[12]
It was also significant to the Court that the Grant process lacked a traditional benchmarking analysis.[13] “The incredible size of the biggest compensation plan ever—an unfathomable sum—seems to have been calibrated to help Musk achieve what he believed would make “a good future for humanity” [related to Musk’s goal of colonizing Mars]. …. [T]hat had no relation to Tesla’s goals with the compensation plan.”[14]
Observations and Considerations for Boards and Independent Directors
Much of Chancellor McCormick’s decision may be unique to the “Superstar CEO”[15] status that Musk holds and the facts and circumstances at Tesla and its Board, as well as the Court’s determination (for the first time in the Chancery Court) that Musk was a controlling stockholder. Nevertheless, the decision is a landmark one under Delaware law and raises important considerations for Boards and independent directors when deciding upon significant compensation awards.
- Document the Process. The Court was very focused on the rushed, casual decision-making of Tesla’s Compensation Committee. In their testimony, several Board members said they couldn’t remember meetings where important elements of the Grant were discussed. If considering a significant award, boards and compensation committees would be better served by undertaking a thorough analysis, including rigorous benchmarking, and documenting that process through e-mails, detailed meeting minutes, formalized presentations, and other written records.
- Awards Should Have Clear Rationales. Musk’s award had no mechanism for actually keeping his attention focused on Tesla, as opposed to his other business interests. While the extent of Musk’s outside interests may be a distinguishing factor, compensation committees going forward should be mindful of the concerns the Court expressed around that issue and consider whether and how to ensure that significant awards to executives are clearly and closely aligned to the Company’s business objectives. Performance conditions for such awards will also be analyzed in retrospect so boards should be sure to pressure test the rigor of those goals and contemporaneously document why goals were determined to be challenging.
- Expect Extra Scrutiny of Independent Directors. The Court was particularly disturbed by the close personal and business relationships of Tesla’s Compensation Committee members with Musk, such that they viewed awarding the Grant as a collaborative process with Musk, rather than an arm’s length negotiation. Expect, when considering significant compensation awards, that all elements of an independent director’s connections with the executive-grantee—including length of board service—to be closely examined for indicia of objectivity.
__________
[1] Richard J. Tornetta et al. v. Elon Musk et al., case number 2018-0408, in the Court of Chancery of the State of Delaware.
[2] The Court noted that Musk had not yet exercised any of the options underlying the Grant. Opinion at 8.
[3] Opinion at 7.
[4] Tesla’s nine-person Board included Musk, his brother Kimbal Musk, Brad W. Buss, Robyn M. Denholm, Ira Ehrenpreis, Antonio J. Gracias, Steve Jurvetson, James Murdoch, and Linda Johnson Rice. Tesla’s Compensation Committee was comprised of Ehrenpreis (the committee chair), Buss, Denholm and Gracias.
[5] Opinion at 1.
[6] Opinion at 92.
[7] Opinion at 112.
[8] Opinion at 104.
[9] Opinion at 128.
[10] Opinion at 143.
[11] Opinion at 6.
[12] Opinion at 183.
[13] Opinion at 144.
[14] Opinion at 180.
[15] Opinion at 120.
Gibson Dunn’s lawyers are available to assist with any questions you may have regarding these issues. To learn more about these issues, please contact the Gibson Dunn lawyer with whom you usually work in the firm’s Executive Compensation and Employee Benefits, Securities Regulation and Corporate Governance, or Securities Litigation practice groups, the authors, or any of the following practice leaders and members:
Executive Compensation and Employee Benefits:
Michael J. Collins – Washington, D.C. (202.887.3551, [email protected])
Stephen W. Fackler – Palo Alto/New York (+1 650.849.5385, [email protected])
Sean C. Feller – Los Angeles (+1 310.551.8746, [email protected])
Krista Hanvey – Dallas (+ 214.698.3425, [email protected])
Securities Regulation and Corporate Governance:
Aaron Briggs – San Francisco (+1 415.393.8297, [email protected])
Elizabeth Ising – Washington, D.C. (+1 202.955.8287, [email protected])
Julia Lapitskaya – New York (+1 212.351.2354, [email protected])
Ron Mueller – Washington, D.C. (+1 202.955.8671, [email protected])
Securities Litigation:
Colin B. Davis – Orange County (+1 949.451.3993, [email protected])
Brian M. Lutz – San Francisco (+1 415.393.8379, [email protected])
Jason J. Mendro – Washington, D.C. (+1 202.887.3726, [email protected])
© 2024 Gibson, Dunn & Crutcher LLP. All rights reserved. For contact and other information, please visit us at www.gibsondunn.com.
Attorney Advertising: These materials were prepared for general informational purposes only based on information available at the time of publication and are not intended as, do not constitute, and should not be relied upon as, legal advice or a legal opinion on any specific facts or circumstances. Gibson Dunn (and its affiliates, attorneys, and employees) shall not have any liability in connection with any use of these materials. The sharing of these materials does not establish an attorney-client relationship with the recipient and should not be relied upon as an alternative for advice from qualified counsel. Please note that facts and circumstances may vary, and prior results do not guarantee a similar outcome.
Gibson Dunn has formed a Workplace DEI Task Force, bringing to bear the Firm’s experience in employment, appellate and Constitutional law, DEI programs, securities and corporate governance, and government contracts to help our clients develop creative, practical, and lawful approaches to accomplish their DEI objectives following the Supreme Court’s decision in SFFA v. Harvard. Prior issues of our DEI Task Force Update can be found in our DEI Resource Center. Should you have questions about developments in this space or about your own DEI programs, please do not hesitate to reach out to any member of our DEI Task Force or the authors of this Update (listed below).
Fearless Fund Oral Argument:
On January 31, 2024, the Eleventh Circuit heard oral argument in American Alliance for Equal Rights’ (AAER) appeal of the district court’s denial of its motion for preliminary injunction in American Alliance for Equal Rights v. Fearless Fund Management, LLC, No. 23-13138 (11th Cir. 2023). On the panel were Judge Robin S. Rosenbaum, Judge Kevin C. Newsom, and Judge Robert J. Luck.
During the argument, AAER asserted that Fearless Fund’s charitable grant program—which provides $20,000 grants to Black female entrepreneurs—is a racially discriminatory contract subject to Section 1981. But Fearless Fund, represented by Gibson Dunn, asserted that the program is expressive speech protected by the First Amendment, such that the traditional Section 1981 analysis does not apply.
Judge Rosenbaum addressed the First Amendment issue, asking counsel for AAER, Gilbert Dickey of Consovoy McCarthy, “if . . . the entire point of the organization and the donation is to send the message that . . . Black businesswomen are worthy and have been overlooked and left out, then why isn’t that speech?” Mr. Dickey responded that the case law does not permit consideration of an organization’s “previously expressed views to decide whether the actual conduct is expressive.” Pressed further by Judge Newsom to explain the “hydraulic relationship between whether [the program] is subject to Section 1981 and the First Amendment interests at stake,” Mr. Dickey questioned whether a donation in any circumstance could be considered expressive. And in response to Judge Rosenbaum’s hypothetical contest awarded to whoever “does the most to further Black businesswomen,” Mr. Dickey argued that “implications of this case for the First Amendment are pretty minor” because nonprofits would be “free to discriminate based on the message an organization is sending but not on protected characteristics.”
Arguing on behalf of Fearless Fund, Jason Schwartz of Gibson Dunn emphasized that Fearless Fund’s grant program is “core expressive activity” in line with the “proud tradition in this country” of charitable giving by organizations dedicated to specific causes. He called AAER’s suit an “unprecedented effort to use Section 1981 to force a charity to reverse its message or shut down.” Mr. Schwartz argued this inappropriate application of the Reconstruction-era statute would force an untenable result: “give to everyone or no one.”
Mr. Schwartz distinguished “traditional commercial transactions—employment, housing,” from “charitable giving . . . recognized as protected by the First Amendment,” emphasizing that “Americans speak with their money; they magnify their message with their money.” To explore this line between regulatable conduct and First Amendment-protected speech, Judge Luck posed several hypotheticals, including whether, under Fearless Fund’s reasoning, a charity’s contract for the purchase of office supplies would warrant similar protection. When Judge Luck pressed on the claim that “just because it’s a charity it falls outside of 1981 . . . that can’t be right,” Mr. Schwartz agreed, but contended that, here, “the core expressive activity of the Fearless Foundation is to send this message, which, for what it’s worth, is the message of Section 1981.”
Judge Newsom also presented Mr. Schwartz with a hypothetical from AAER’s brief—a “white man only contest”—to which Mr. Schwartz responded, “First of all, no matter how repugnant I might find that, the First Amendment protects all speech,” explaining that a program set up the same way as the Fearless Fund program may be protected, depending on how it is structured.
Mylan Denerstein of Gibson Dunn, also on behalf of the Fearless Fund, argued that AAER had not met the high bar for organizational standing, noting that AAER’s position would require “the court [to] grant a preliminary injunction when we don’t even know who the businesses are.” She emphasized that AAER “fail[ed] to state that they’ve applied for grants or need money or mentorship” and “don’t show the viability of their business,” which further weighed against finding injury sufficient for standing.
The panel did not indicate when it expects to issue a ruling.
Media Coverage:
- AP, ”Grant Program for Black Women Comes under Tough Questioning in Key Anti-DEI Lawsuit” (including post-argument press conference video) (January 31)
- Law360, “11th Circ. Weighs Legality of Grant Contest for Black Women” (January 31)
- Law.com, “Appellate Judges Ask if Civil Rights Law Bars Grant Program for Black Business Women” (January 31)
- Courthouse News Service, “Challenge to Grant Program for Black Women Entrepreneurs Lands at 11th Circuit” (January 31)
- CNN, “Fearless Fund Challenges Court Order Blocking a Grant Program Exclusively for Black Women Entrepreneurs” (January 31)
- Atlanta Journal-Constitution, “Fearless Fund Goes to Court Again in Racial Discrimination Lawsuit” (January 31)
- U.S. News & World Report, “Venture Capital Fund Defends Grants for Black Women in U.S. Appeals Court” (January 31)
- Bloomberg Law, “Venture Fund’s Diversity Grant Defense Meets Doubtful Court” (January 31)
- Reuters, “Venture Capital Fund Defends Grants for Black Women in U.S. Appeals Court” (January 31)
- Wall Street Journal, “Minority Business Grants: A New Front in the Legal Battle Over Racial Preferences” (January 31)
Key Developments:
On January 30, 2024, Utah Governor Spencer Cox signed House Bill 261 (“HB 261”) into law. HB 261 prohibits state education institutions and government entities from using DEI statements in hiring and providing trainings promoting differential treatment based on personal identity characteristics. HB 261 also mandates that state education institutions replace DEI offices with general access “student success and support” offices. The bill defines maintaining any of these policies or programs as a “prohibited discriminatory practice.” HB 261 progressed rapidly through the legislature, passing only ten days after its introduction. Alongside it, another anti-DEI bill in Utah, House Bill 111 (“HB 111”), has been voted out of committee to the full House. As introduced, HB 111 would prohibit private employers from requiring training in or compelling beliefs about various DEI-related concepts, although the bill was significantly weakened in committee. We are tracking the progress of this bill and will provide additional updates if it passes.
On January 26, 2024, Students for Fair Admissions (“SFFA”) asked the Supreme Court to grant an emergency injunction in its ongoing battle against West Point, bringing its campaign against race-conscious admissions back to the nation’s highest court. SFFA sued West Point on September 19, 2023, arguing that the military academy’s continued use of race-conscious admissions after SFFA v. Harvard is unconstitutional. After the district court denied its request for a preliminary injunction on January 3, 2024, SFFA filed an emergency appeal to the Second Circuit the next day. Instead of waiting for the Second Circuit to rule, SFFA filed an emergency application for an injunction with the Supreme Court, requesting that the court enjoin West Point from considering applicants’ race after the school’s application window closes on January 31. SFFA argued that West Point should be subject to the same constitutional analysis as other schools, despite language in SFFA v. Harvard suggesting military academies might receive more deference. SFFA claimed West Point applicants will suffer irreparable harm if the Supreme Court does not act before West Point’s application cycle closes on January 31. On January 30, 2024, West Point filed its opposition to SFFA’s requested injunction, arguing that there is no “emergency” supporting the injunction, since West Point has been considering applications since August 2023, will continue to do so through May 2024, and has already issued offers to hundreds of candidates. West Point also noted that SFFA failed to establish irreparable harm because SFFA’s members remain eligible to apply to West Point for at least three additional admissions cycles. West Point asserted that the military’s judgment merits “substantial deference” and that a diverse officer corps is “necessary for an effective fighting force.”
On January 25, 2024, AFL filed a formal judicial conduct complaint with Chief Judge Diane S. Sykes of the United States Court of Appeals for the Seventh Circuit. The complaint accuses three judges on the United States District Court for the Southern District of Illinois—Chief Judge Nancy J. Rosenstengel, Judge Staci M. Yandle, and Judge David W. Dugan—of race and sex discrimination in violation of the Rule for Judicial-Conduct and Judicial-Disability Proceedings 4(a), Judicial Code of Conduct Canon 2(A), and the Fifth Amendment of the United States Constitution. Specifically, the complaint highlights the judges’ policies allowing parties to move for oral argument with the promise that, if the motion is granted, a “newer, female, [or] minority attorney” will argue the motion. AFL’s complaint maintains that these policies intentionally discriminate on the basis of sex and race, amounting to “cognizable judicial misconduct” under the applicable judicial rules. Further, AFL argues that allowing these policies to stand undermines judicial integrity and public trust in the judicial system as it gives some parties additional advocacy opportunities for their clients solely on the basis of an advocate’s race or gender.
On January 17, 2024, AFL filed an administrative complaint with the Department of Labor’s Office of Federal Contract Compliance Programs (“OFCCP”), seeking investigations into three airlines—American Airlines, United Airlines, and Southwest Airlines—for alleged violations of federal contract law. AFL claimed that the airlines’ race-based and gender-based hiring targets constitute race- and sex-based discrimination in violation of Executive Order 11246, which requires government contracts to contain an Equal Opportunity Clause prohibiting discrimination, and authorizes the Secretary of Labor to sanction government contractors via contract cancellation, ineligibility, and other penalties. AFL’s American Airlines letter mentioned the airline’s stated commitment to DEI and programs available to Black professionals, while the Southwest letter cited the increase in the company’s diverse hires as evidence of unlawful consideration of race and gender in hiring. Finally, the United letter cited DEI targets in the airline’s 2022 Corporate Responsibility Report and DEI initiatives that favor women and minority-owned subcontractors. These letters follow the November 1, 2023 civil rights complaints AFL submitted to the EEOC regarding the same airlines.
On January 17, 2024, AFL sent a FOIA request to the Federal Bureau of Investigation (FBI). AFL requested all records of communications to and from the FBI’s Chief Diversity Officer, Scott McMillion, from April 2021 to April 2023. Citing McMillion’s comments that “diversity, equity, inclusion and accessibility is literally within [the FBI’s] DNA” and an FBI diversity report that showed the agency has increased employee racial, ethnic, and gender diversity, AFL speculated that the FBI’s hiring process violates Title VII and the Equal Protection Clause.
On January 11, 2024, AFL filed a letter with the EEOC calling for the Commission to conduct an investigation of Nike. AFL accused Nike of knowingly and intentionally using race, color, sex, and national origin as motivating factors in numerous employment decisions in violation of Title VII. AFL sent a similar letter to Nike’s board, highlighting the same alleged violations. In the letters, AFL pointed to language on Nike’s website expressing the company’s intent to set “clear and ambitious targets . . . to increase diverse representation at Nike.” AFL claimed that one way Nike realizes this target is through the creation of “Employee Networks,” which are limited to members of eight specific “favored categories.” These categories focus on race, sex, or gender. AFL maintained that Nike’s explicit focus on only those categories demonstrates the company’s discriminatory intent to deprive “whites, males, and heterosexuals” of the opportunity to gain “real benefits” from inclusion in these Employee Networks. Additionally, AFL cited Nike’s self-reported data as evidence of the company’s express intent to discriminate in favor of certain historically underrepresented demographics. For example, AFL cited Nike’s Fiscal Year 2022 report, which states that the company achieved 51% gender diversity and 38.8% racial diversity. AFL claimed that featuring these statistics demonstrates Nike’s efforts to discriminate against other demographics.
Media Coverage and Commentary:
Below is a selection of recent media coverage and commentary on these issues:
- New York Times, “‘America Is Under Attack’: Inside the Anti-D.E.I. Crusade” (January 20): The Times’s Nicholas Confessore reports on thousands of documents newly obtained by the newspaper, providing new details about the recent wave of anti-DEI bills being considered—and in some instances, passed—in state legislatures. Despite polls showing that most Americans support the values underlying DEI, over 20 states considered or passed anti-DEI legislation in 2023. The Times secured documents including emails, grant proposals, and draft reports that the article claims show how conservative activists, centered at California’s Claremont Institute, “formed a loose network of think tanks, political groups and Republican operatives in at least a dozen states” in an effort to “eliminat[e] ‘social justice education’ from American schools.” According to Confessore, the internal documents reveal that (at least in some cases) racist, sexist, and homophobic beliefs were motivating factors. Confessore also suggested that the documents signal the importance of the anti-DEI movement as a Republican fundraising tool and talking point that is anticipated to become even more prominent as the 2024 election nears.
- Forbes, “Diversity In Leadership Increases Chances Of Success By 39%” (January 21): Julie Kratz, founder of DEI training organizations Next Pivot Point and Little Allies, reports on new research by McKinsey & Company describing a growing business case for DEI. The research suggests that there is a “39% increased likelihood of outperformance” for companies in the top quartile of ethnic and gender leadership diversity as compared to those in the bottom quartile. Kratz notes that business justifications for diversity are not new, but several factors—including limited diversity in C-suites and lack of accountability—hinder progress. To overcome these challenges, Kratz recommends that companies set aside the “‘one and done’ approach” to DEI training and focus on “a model of continuous learning.”
- Wall Street Journal, “DEI Is Worth Saving From Its Excesses” (January 22): Roland Fryer, Harvard economist and founder of venture capital firm Equal Opportunity Ventures, writes in an opinion piece that “[o]pponents and supporters of DEI have very different ideas about what it is.” Fryer recognizes the need for companies to evaluate their diversity initiatives and to identify and eliminate illegal practices, but also advocates for maintaining commitment to developing diverse talent. Fryer suggests that employers should focus on eliminating racial bias “not only because discrimination is wrong but because it is a market failure that prevents the right people from being placed in the right positions.” Companies should be aware of these biases, evident in disparate rates of hiring, promotion, and starting compensation. Fryer recommends use of machine learning to help avoid bias in personnel decisions.
- Law360, “EEOC’s Lucas Calls Mark Cuban ‘Dead Wrong’ In DEI Push” (January 29): Law360’s Patrick Hoff reports on a public exchange on the social media platform X between billionaire businessman Mark Cuban and EEOC Commissioner Andrea Lucas. In recent weeks, Cuban has taken to X to defend the business case for DEI. But when he posted on January 28 that, in hiring, “race and gender can be part of the equation,” Commissioner Lucas replied, calling Cuban “dead wrong on black-letter Title VII law.” According to Hoff, in an email to Law360, Cuban clarified that X “is a place to argue” and that he follows the law “in every way.” Although a spokesperson for the EEOC told Law360 that Lucas’s social media posts are her own and not reflective of the agency’s opinions, Lucas told the news outlet that she views public education “in any media” as part of her role. Hoff notes that, in the wake of SFFA, Lucas has stood alone among the EEOC’s commissioners in publicly denouncing race-based corporate DEI policies.
Case Updates:
Below is a list of updates in new and pending cases:
1. Contracting claims under Section 1981, the U.S. Constitution, and other statutes:
- Mid-America Milling Company v. U.S. Department of Transportation, No. 3:23-cv-00072-GFVT (E.D. Ky. 2023): Two plaintiff construction companies sued the Department of Transportation, asking the court to enjoin DOT’s Disadvantaged Business Enterprise (DBE) Program, an affirmative action program that awards contracts to minority-owned and women‑owned small businesses in DOT-funded construction projects with the statutory aim of granting 10% of certain DOT-funded contracts to these businesses nationally. Plaintiffs allege that the program constitutes unconstitutional race discrimination in violation of the Fifth Amendment.
- Latest update: On January 16, 2024, DOT filed its motion to dismiss the complaint. DOT argued that the plaintiffs’ allegations that they lost contracts to DBE firms were conclusory and speculative because they failed to allege specific facts about the nature of the contracts, the type of industry, and whether or not those contracts were actually covered by the DBE program. DOT also argued that the plaintiffs failed to allege an injury sufficient for standing because, although they alleged they had bid for DBE contracts, they did not identify the contracts with enough specificity, as not all DOT contracts contain a DBE goal. Finally, DOT argued the plaintiffs failed to join as indispensable parties the state or local agencies who actually implement the DBE goals and channel DOT funds to contractors.
- Landscape Consultants of Texas, Inc. v. City of Houston, No. 4:23-cv-3516–DH (S.D. Tx. 2023): Plaintiff landscaping companies owned by white individuals challenged Houston’s government contracting set-aside program for “minority business enterprises” that are owned by members of racial and ethnic minority groups. The companies claim the program violates the Fourteenth Amendment and Section 1981.
- Latest update: On January 12, 2024, the district court denied both the City of Houston’s and Midtown Management District’s motions to dismiss, without issuing a written opinion
- Do No Harm v. Pfizer, No. 1:22-cv-07908–JLR (S.D.N.Y. 2022), on appeal at No. 23-15 (2d Cir. 2023): On September 15, 2022, plaintiff association representing physicians, medical students, and policymakers sued Pfizer, alleging that the company’s Breakthrough Fellowship Program, which provided minority college seniors summer internships, two years of employment post-graduation, and a scholarship, violated Section 1981, Title VII, and New York law. The association alleges that the program illegally excludes white and Asian applicants. The association is represented by Consovoy McCarthy PLLC, the firm that also represents American Alliance for Equal Rights in multiple lawsuits. In December 2022, the court granted Pfizer’s motion to dismiss, finding that the plaintiff did not have associational standing because they did not identify at least one member by name, instead only submitting declarations from anonymous members. The association appealed to the Second Circuit, which heard oral argument on October 3, 2023.
- Latest update: On December 21, 2023, Do No Harm filed a Rule 28(j) notice of supplemental authority to support its claim that it has standing despite its reliance on unnamed members. Pointing to a recent district court decision in SFFA v. U.S. Naval Academy that found standing on the basis of pseudonymous plaintiffs, the association argued that the district court misread Supreme Court precedent. On January 12, 2024, Pfizer responded with its own Rule 28(j) letter, contesting the plaintiff’s characterization of the Naval Academy decision and arguing that even if the use of pseudonymous members was sufficient to create standing, the pseudonymous members in the current case still lacked standing because they had declined to apply for Pfizer’s fellowship program after Pfizer changed the requirements—something Pfizer also argued served to moot the case.
2. Employment discrimination under Title VII and other statutory law:
- Gerber v. Ohio Northern University, No. 2023-1107-CVH (Ohio. Ct. Common Pleas Hardin Cty. 2023): On June 30, 2023, a law professor sued his former employer, Ohio Northern University, for terminating his employment after an internal investigation determined that he bullied and harassed other faculty members. On January 23, 2024, the plaintiff, now represented by America First Legal, filed an amended complaint. The plaintiff claims that his firing was actually in retaliation for his vocal and public opposition to the university’s stated DEI principles and race-conscious hiring, which he believed were illegal. The plaintiff alleged that the investigation and his termination breached his employment contract, violated Ohio civil rights statutes, and constituted various torts, including defamation, false light, conversion, infliction of emotional distress, and wrongful termination in violation of public policy.
- Latest update: The defendant has until February 20, 2024 to respond to the plaintiff’s second amended complaint.
- De Piero v. Pennsylvania State University, No. 2:23-cv-02281-WB (E.D. Pa. 2023): A white male professor sued his employer, Penn State University, claiming that university-mandated DEI trainings, discussions with coworkers and supervisors about race and privilege in the classroom, and comments from coworkers about his “white privilege” constituted a hostile work environment that led him to quit his job. He claimed that after he reported that he felt harassed and published an opinion piece objecting to the impact of DEI concepts in the classroom, the university retaliated against him by investigating him for bullying and aggressive behavior towards his colleagues. The plaintiff alleged harassment, retaliation, and constructive discharge in violation of Title VI, Title VII, Section 1981, Section 1983, the First Amendment, and Pennsylvania civil rights laws.
- Latest update: On January 11, 2024, the district court granted the defendant’s motion to dismiss in part, dismissing all of the plaintiff’s claims except for his hostile work environment claim. On that claim, the judge found that some of his allegations, including that he was required to attend trainings that “discussed racial issues in essentialist and deterministic terms” and “ascrib[ed] negative traits to white people . . . plausibly amount to ‘pervasive’ harassment.” The court made clear that “training on concepts such as ‘white privilege’ . . . can contribute positively . . . in an educational institution,” but that when those discussions occur “with a constant drumbeat of essentialist, deterministic, and negative language, they risk liability under federal law.”
- Haltigan v. Drake, No. 5:23-cv-02437-EJD (N.D. Cal. 2023): A white male psychologist sued the University of California Santa Cruz, arguing that a requirement that prospective faculty candidates submit and be evaluated in part on the basis of statements explaining their views and understanding of DEI principles functioned as a loyalty oath that violated his First Amendment freedoms. The plaintiff claimed that because he is “committed to colorblindness and viewpoint diversity”––which he alleged was contrary to UC Santa Cruz’s position on DEI––he would be compelled to alter his political views to be a viable candidate for the position. The plaintiff sought a declaration that the University’s DEI statement requirement violated the First Amendment and a permanent injunction against the enforcement of the requirement.
- Latest update: On January 12, 2024, the district court granted UC Santa Cruz’s motion to dismiss with leave to amend, finding that the plaintiff lacked standing because he had not actually applied for a professor position. The court rejected the plaintiff’s claim that he had “competitor standing” because he only expressed a general interest in the position, and did not allege that he had undertaken any preparations or concrete steps to apply. The court also rejected the argument that the plaintiff had First Amendment prudential standing, sometimes recognized in license application cases, because he was seeking a job, not a license or a permit. Finally, the court found that the plaintiff had not sufficiently alleged that it would have been futile to apply without a DEI statement because UC Santa Cruz might have accepted his application notwithstanding his lack of a statement.
- Weitzman v. Fred Hutchinson Cancer Center, No. 2:24-cv-00071-TLF (W.D.WA. 2024): On January 16, 2024, a white Jewish female former employee of a medical center sued her former employer, alleging that she was terminated for expressing her discomfort with DEI-related content shared in the workplace by coworkers, objecting to DEI-related training, and expressing her political opposition to DEI-aligned ideologies. She also claimed that her employer failed to act when she was allegedly discriminated against because of her religion and race by other coworkers. The plaintiff alleged her employer’s conduct constituted racial discrimination, a hostile work environment, and retaliation in violation of the Washington Law against Discrimination (WLAD) and Section 1981; discrimination and retaliation on the basis of political ideology in violation of the Seattle Municipal Code; and intentional infliction of emotional distress and wrongful termination in violation of public policy under common law.
- Latest update: The defendant has not yet responded to the complaint.
3. Challenges to agency rules, laws, and regulatory decisions:
- Saadeh v. New Jersey State Bar Association, No. MID-L-006023-21 (N.J. Super. Ct. 2021), on appeal at A-2201-22 (N.J. Super. Ct. App. Div. 2023): On October 15, 2021, a Palestinian and Muslim attorney and bar member sued the New Jersey State Bar Association (NJSBA), alleging that the NJSBA’s practice of reserving certain trustee and committee positions for members of “underrepresented groups” including Black, Hispanic, Asian, women, and LGBTQ attorneys constituted racial discrimination in violation of New Jersey state civil rights laws.
- Latest update: On November 9, 2022, the trial judge ruled that the NJSBA’s practice was racially discriminatory, and ordered it to end the practice and consider all attorneys in good standing eligible for the positions. The court found that the practice was an illegal quota rather than a valid affirmative action program. The court also held that the First Amendment did not protect the NJSBA’s practices. The NJSBA appealed, and on January 18, 2024, the Appellate Division of the New Jersey Superior Court heard oral argument. The NJSBA argued that the trial court applied the incorrect Supreme Court precedent and that under the correct framework, the NJSBA’s practice is a valid, tailored affirmative action plan that redresses the historical underrepresentation of non-white attorneys in the positions at issue. The plaintiff argued that the practice is not legal affirmative action because it does not address the root causes of racial imbalances and is not based on a detailed analysis of the NJSBA’s membership and demographic data.
- Palsgaard v. Christian, et al., No. 1:23-cv-01228-SAB (E.D. Cal. 2023): In August 2023, California community college professors filed suit and moved for a preliminary injunction against the state’s new DEI-related evaluation competencies and corresponding language in their faculty contract, which they allege requires them to endorse the state’s views on DEI concepts. The plaintiffs challenge the DEI rules and contract language as compelled speech in violation of the First and Fourteenth Amendments. On December 15, 2023 the defendants filed their motions to dismiss.
- Latest update: On January 19, 2024, the plaintiffs filed a joint opposition to the defendants’ motions to dismiss. Plaintiffs argued that they had standing to challenge the DEI rules and faculty contract and that they had not waived their First Amendment rights. Plaintiffs also argued that their constitutional claims should not be dismissed because the regulations compel them to espouse the state’s preferred message and that both the rules and faculty contract are overbroad and vague.
- Earls v. North Carolina Judicial Standards Commission, No. 1:23-cv-00734-WO-JEP (M.D.N.C. 2023): On June 20, 2023, North Carolina Supreme Court Justice Anita Earls, the only non-white female justice on the court, made comments in an interview regarding the diversity of the appellate bench and of the attorneys who appear before the N.C. Supreme Court, and her opinion regarding implicit bias in the state judiciary and attempts to diversify the North Carolina courts. In response, on August 15, 2023, the North Carolina Judicial Standards Commission initiated an investigation into whether Justice Earls violated provisions of the judicial code requiring her to act in a manner that promotes “public confidence in the integrity” of the judicial system. On August 29, 2023, Justice Earls filed a lawsuit claiming that the Commission’s investigation was part of an ongoing effort to restrict and chill her free speech rights in violation of the First Amendment. She claimed that as a result of the investigation, she turned down opportunities to speak on matters related to diversity and equity, demonstrating the investigation’s chilling effect. On November 21, 2023, the district court denied Justice Earls’ request for a preliminary injunction on the grounds that the Commission’s actions likely met strict scrutiny because its investigation was justified by the compelling interest of safeguarding public confidence in the integrity and fairness of the judicial system, and the investigation process appeared narrowly tailored.
- Latest update: On January 17, 2024, Justice Earls voluntarily dismissed her case after the Commission dismissed the investigation against her without recommending disciplinary action.
4. Educational Institutions and Admissions (Fifth Amendment, Fourteenth Amendment, Title VI, Title IX):
- Students for Fair Admissions, Inc. v. University of Texas at Austin, 1:20-cv-00763-RP (W.D. Tex. 2020): On July 20, 2020, SFFA sued the University of Texas, alleging that UT Austin’s methods of considering race in undergraduate admissions violated the Equal Protection Clause of the Fourteenth Amendment, Section 1981, Title VII, the Texas Constitution, and Texas state law.
- Latest update: On January 11, 2024, UT Austin replied to SFFA’s opposition to its motion to dismiss, renewing its argument that the case is moot because UT Austin has changed its admissions policies. It further argued that the case was not still live under the “voluntary cessation” doctrine because the policy change was compelled by the Supreme Court’s SFFA v. Harvard decision, and SFFA failed to show UT Austin’s change was not made in good faith. UT Austin also responded to SFFA’s summary judgment motion, asserting that SFFA’s evidence that UT still collects demographic information is not sufficient to show that it discriminates on the basis of race. Also on January 11, civil rights groups acting as intervenors on behalf of UT Austin opposed SFFA’s motion for summary judgment, arguing that SFFA is not entitled to summary judgment because it has not shown that UT’s facially neutral policy is being implemented in a discriminatory manner. They also replied to SFFA’s opposition to the motion to dismiss, arguing that SFFA lacks standing because none of its members have applied to UT Austin under the new policy, and that the case is moot because SFFA is challenging a policy that no longer exists.
Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments. Please contact the Gibson Dunn lawyer with whom you usually work, any member of the firm’s Labor and Employment practice group, or the following practice leaders and authors:
Jason C. Schwartz – Partner & Co-Chair, Labor & Employment Group
Washington, D.C. (+1 202-955-8242, [email protected])
Katherine V.A. Smith – Partner & Co-Chair, Labor & Employment Group
Los Angeles (+1 213-229-7107, [email protected])
Mylan L. Denerstein – Partner & Co-Chair, Public Policy Group
New York (+1 212-351-3850, [email protected])
Zakiyyah T. Salim-Williams – Partner & Chief Diversity Officer
Washington, D.C. (+1 202-955-8503, [email protected])
Molly T. Senger – Partner, Labor & Employment Group
Washington, D.C. (+1 202-955-8571, [email protected])
Blaine H. Evanson – Partner, Appellate & Constitutional Law Group
Orange County (+1 949-451-3805, [email protected])
© 2024 Gibson, Dunn & Crutcher LLP. All rights reserved. For contact and other information, please visit us at www.gibsondunn.com.
Attorney Advertising: These materials were prepared for general informational purposes only based on information available at the time of publication and are not intended as, do not constitute, and should not be relied upon as, legal advice or a legal opinion on any specific facts or circumstances. Gibson Dunn (and its affiliates, attorneys, and employees) shall not have any liability in connection with any use of these materials. The sharing of these materials does not establish an attorney-client relationship with the recipient and should not be relied upon as an alternative for advice from qualified counsel. Please note that facts and circumstances may vary, and prior results do not guarantee a similar outcome.
From the Derivatives Practice Group: ISDA and ESMA were particularly active this week, releasing several global reports.
New Developments
- CFTC’s Energy and Environmental Markets Advisory Committee to Meet February 13. On January 30, 2024, CFTC Commissioner Summer K. Mersinger, sponsor of the Energy and Environmental Markets Advisory Committee (EEMAC) announced the EEMAC will hold a public meeting from 9:00 a.m. to 11:30 a.m. (MST) on Tuesday, February 13 at the Colorado School of Mines in Golden, Colorado. The CFTC stated that at this meeting, the EEMAC will explore the role of rare earth minerals in transitional energy and electrification, including the potential development of derivatives products to offer price discovery and hedging opportunities in these markets. Additionally, the meeting will include a presentation and discussion on the federal prudential financial regulators proposed rules implementing Basel III and the implications for and impact on the derivatives market. Finally, the two EEMAC subcommittees will offer an update on their continued work related to traditional energy infrastructure and metals markets. [NEW]
- CFTC Cautions the Public to Beware of Artificial Intelligence Scams. On January 25, the CFTC’s Office of Customer Education and Outreach issued a customer advisory warning the public about Artificial Intelligence (AI) scams. Customer Advisory: AI Won’t Turn Trading Bots into Money Machines explains how the scams use the potential of AI technology to defraud investors with false claims that entice them to hand over their money or other assets to fraudsters who misappropriate the funds and deceive investors. The advisory warns investors that claims of high or guaranteed returns are red flags of fraud and that strangers promoting these claims online should be ignored. The CFTC stated that the advisory is intended to help investors identify and avoid potential scams and includes a reminder that AI technology cannot predict the future. It also lists four items investors may consider to avoid such scams: researching the background of a company or trader, researching the history of the trading website, getting a second opinion, and knowing the risks associated with the underlying assets.
- CFTC Staff Releases Request for Comment on the Use of Artificial Intelligence in CFTC-Regulated Markets. On January 25, the CFTC’s Divisions of Market Oversight, Clearing and Risk, Market Participants, and Data and the Office of Technology Innovation issued a request for comment (RFC) in an effort to better inform them on the current and potential uses and risks of AI in the derivatives markets that the CFTC regulates. The RFC seeks comment on the definition of AI and its applications, including its use in trading, risk management, compliance, cybersecurity, recordkeeping, data processing and analytics, and customer interactions. The RFC also seeks comment on the risks of AI, including risks related to market manipulation and fraud, governance, explainability, data quality, concentration, bias, privacy and confidentiality and customer protection. The CFTC indicated that staff will consider the responses to the RFC in analyzing possible future actions by the CFTC, such as new or amended guidance, interpretations, policy statements, or regulations. Comments will be accepted until April 24, 2024.
- CFTC Seeks Public Comment on Proposed Capital Comparability Determination for Swap Dealers Subject to Supervision by the UK Prudential Regulation Authority. On January 24, the CFTC solicited public comment on a substituted compliance application requesting that the CFTC determine that certain CFTC-registered nonbank swap dealers located in the United Kingdom may satisfy certain Commodity Exchange Act capital and financial reporting requirements by being subject to, and complying with, comparable capital and financial reporting requirements under UK laws and regulations. The Institute of International Bankers, the International Swaps and Derivatives Association, and the Securities Industry and Financial Markets Association submitted the application. In connection with the application, the CFTC also solicited public comment on a proposed comparability determination and related order providing for the conditional availability of substituted compliance to CFTC-registered nonbank swap dealers under the UK Prudential Regulation Authority’s prudential supervision. The comment period will be open until March 24, 2024.
- BGC Group Announces Approval for FMX Futures Exchange. On January 22, BGC Group, Inc. (BGC) announced that its FMX Futures Exchange (FMX) received approval from the CFTC to operate an exchange for U.S. Treasury and SOFR futures. BGC will combine their Fenics UST cash Treasury platform and FMX to work across the CME’s U.S. interest rate complex. FMX is party to a clearing agreement with LCH SwapClear, a holder of interest rate collateral, which it indicated will allow for portfolio margining across rates of risk and provide for margin efficiencies and effective risk management.
- CFTC Cancels Open Meeting. On January 20, the CFTC cancelled its open meeting scheduled for January 22. According to the CFTC, Tthe following matters will be resolved through the CFTC’s seriatim process:
- Notice of Proposed Order and Request for Comment on an Application for a Capital Comparability Determination Submitted on behalf of Nonbank Swap Dealers subject to Capital and Financial Reporting Requirements of the United Kingdom and Regulated by the United Kingdom Prudential Regulation Authority,
- Proposed Rule: Requirements for Designated Contract Markets and Swap Execution Facilities Regarding Governance and the Mitigation of Conflicts of Interest Impacting Market Regulation Functions.
- CFTC Designates IMX Health, LLC as a Contract Market. On January 18, the CFTC announced it has issued an Order of Designation to IMX Health, LLC, granting it designation as a contract market (DCM). IMX Health is a limited liability company registered in Delaware and headquartered in Chicago, Illinois. The CFTC issued the order under Section 5a of the Commodity Exchange Act (CEA) and CFTC Regulation 38.3(a). The CFTC determined IMX Health demonstrated its ability to comply with the CEA provisions and CFTC regulations applicable to DCMs. With the addition of IMX Health, there will be 17 DCMs.
- CFTC Issues Staff Letter No. 24-01. On January 16, the CFTC issued Staff Letter No. 24-01, granting an exemption to LCH SA from the requirements of Regulation 1.49(d) to permit LCH SA to hold customer funds at the Banque du France. Additionally, the CFTC confirmed that it would not recommend enforcement action against LCH SA for failing to obtain, or provide the Commission with, an executed version of the template acknowledgment letter set forth in Appendix B to Regulation 1.20 , as required by Regulations 1.20(g)(4) and 22.5, for customer accounts maintained at the Banque de France.
New Developments Outside the U.S.
- ESAs Recommend Steps to Enhance the Monitoring of BigTechs’ Financial Services Activities. On February 1, the European Supervisory Authorities (ESAs) published a Report setting out the results of a stock take of BigTech direct financial services provision in the EU. The Report identifies the types of financial services currently carried out by BigTechs in the EU pursuant to EU licenses and highlights inherent opportunities, risks, regulatory and supervisory challenges. The stock take showed that BigTech subsidiary companies currently licensed to provide financial services pursuant to EU law mainly provide services in the payments, e-money and insurance sectors and, in limited cases, the banking sector. However, the ESAs have yet to observe their presence in the market for securities services. To further strengthen the cross-sectoral mapping of BigTechs’ presence and relevance to the EU’s financial sector, the ESAs propose to set-up a data mapping tool. The ESAs explained that this tool is intended to provide a framework that supervisors from the National Competent Authorities would be able to use to monitor on an ongoing and dynamic basis the BigTech companies’ direct and indirect relevance to the EU financial sector. [NEW]
- ESMA Publishes Risk Monitoring Report. On January 31, the European Securities and Markets Authority (ESMA) published its first risk monitoring report of 2024, where it sets out the key risk drivers currently facing financial markets. Beyond the risk drivers, ESMA’s report provides an update on structural developments and the status of key sectors of financial markets, during the second half of 2023. The report considers structural developments in various areas, including market-based finance, sustainable finance, securities markets, and asset management. [NEW]
- ESMA Consults on Reverse Solicitation and Classification of Crypto Assets as Financial Instruments Under MiCA. On January 29, ESMA, published two Consultations Papers on guidelines under Markets in Crypto Assets Regulation (MiCA), one on reverse solicitation and one on the classification of crypto-assets as financial instruments. ESMA is seeking input on proposed guidance relating to the conditions of application of the reverse solicitation exemption and the supervision practices that National Competent Authorities may take to prevent its circumvention. ESMA is also seeking input on establishing clear conditions and criteria for the qualification of crypto-assets as financial instruments. [NEW]
- EC Publishes Amendments to Clearing Obligation Scope in Light of Benchmark Reform. On January 22, the delegated regulation amending the regulatory technical standards (RTS) defining the scope of the clearing obligation (CO) was published in the EU Official Journal, with the amended requirements due to enter into force 20 days after publication. The European Commission (EC) stated that the amendments were introduced in light of the transition to the TONA and SOFR benchmarks referenced in certain over-the-counter derivatives contracts. The amendment to the scope of the CO consists of introducing TONA overnight indexed swaps (OIS) with maturities up to 30 years and extending the SOFR OIS class subject to the CO to maturities up to 50 years. The adoption follows the publication by ESMA, on February 1, 2023, of its final report on changes to the scope of the CO and the derivatives trading obligations (DTO) in light of the benchmark transition, following a consultation last year, to which ISDA responded on September 30, 2022. This ESMA report included two draft amending RTS: one draft RTS amending the scope of the CO and one draft RTS amending the scope of the DTO. The delegated regulation containing the RTS amending the scope of the CO has now been published. The RTS on the DTO has not yet been adopted.
New Industry-Led Developments
- ISDA Response on Anti-Greenwashing Rules. On January 26, ISDA submitted a response to the UK Financial Conduct Authority’s consultation on xGC23/3: Guidance on the Anti-Greenwashing Rule. In the response, ISDA highlights that actual or perceived misrepresentation of sustainability features may have a detrimental impact on investor and consumer perceptions of sustainable finance products, and ISDA supports efforts to enhance trust in the market. ISDA considers that sustainability-linked derivatives, environmental, social and governance derivatives and voluntary carbon credits fall within the scope of the rule. [NEW]
- Joint Response to EC on BMR. On January 23, ISDA, the Global Financial Markets Association and the Futures Industry Association (FIA) submitted a joint response to the EC call for feedback on the review of the scope and regime for non-EU benchmarks. The response sets out the associations’ comments on the EC’s proposal, along with potential draft amendments and additional revisions that were considered to support the EC’s aims. In the response, the associations welcome the EC’s recognition of the problems caused by the current drafting of the Benchmark Regulation (BMR). The associations support the aim of establishing a third-country regime that is sustainable in the long term once the current transitional regime expires, and overall consider that the proposal will result in a more proportionate regime for users and administrators of benchmarks. [NEW]
- ISDA, FIA Respond to MAS Consultation on Amendments to the Capital Framework for Approved Exchanges and Clearing Houses. On January 22, ISDA and the FIA jointly responded to the consultation from the Monetary Authority of Singapore (MAS) on proposed amendments to the capital framework for approved exchanges and approved clearing houses. The scope of the response is limited to the capital framework for approved clearing houses. The associations stated that they welcomed the introduction of a separate liquidity requirement and proposed that MAS consider a more conservative minimum threshold of at least 12 months of operating expenses. They also agreed with the proposed amendments that capital components should only include equity instruments and exclude an approved clearing house’s skin-in-the-game. For total risk requirement, the response suggests the alignment of the operational risk component with the liquidity risk requirement and the inclusion of some clarifications on the investment risk and general counterparty risk components.
- ISDA Launches Digital Version of 2002 ISDA Equity Derivatives Definitions. On January 18, ISDA launched a fully digital edition of the 2002 ISDA Equity Derivatives Definitions on the ISDA MyLibrary platform, enabling new versions to be released more efficiently as products and market practices evolve in the future. Following consultation with buy- and sell-side market participants, ISDA identified support to move the definitions to a digital format, develop new product provisions and streamline certain components over time. Publication of the 2002 ISDA Equity Derivatives Definitions in digital form is a first step and enables further changes to be made in future versions.
- BCBS-IOSCO Report Sets Out Recommendations for Good Margin Practices in Non-Centrally Cleared Markets. On January 17, the Basel Committee on Banking Supervision (BCBS) and the International Organization of Securities Commissions (IOSCO) published a report on streamlining VM processes and IM responsiveness of margin models in non-centrally cleared markets, which sets out recommendations for market practices intended to enhance market functioning. The report articulates the policy analyses work carried out by the BCBS-IOSCO in two areas discussed in the September 2022 Review of margining practices: (i) exploring the need to streamline variation margin processes in non-centrally cleared markets and (ii) investigating the responsiveness of initial margin models in non-centrally cleared markets. The consultative report sets out eight recommendations intended to encourage the widespread implementation of good market practices but does not propose any policy changes to the BCBS-IOSCO frameworks. BCBS and IOSCO stated that the first four recommendations aim to address challenges that could inhibit a seamless exchange of variation margin during a period of stress. The other four highlight practices for market participants to implement initiatives in an effort to ensure the calculation of initial margin is consistently adequate for contemporaneous market conditions and proposes that supervisors should monitor whether these developments are sufficient to make this model responsive enough to extreme market shocks.
- ISDA Launches Sustainability-linked Derivatives Clause Library. On January 17, ISDA launched a clause library for sustainability-linked derivatives (SLDs), designed to provide standardized drafting options for market participants to use when negotiating SLD transactions with counterparties. SLDs embed a sustainability-linked cashflow in a derivatives structure and use key performance indicators (KPIs) to monitor compliance with environmental, social and governance (ESG) targets, incentivizing parties to meet their sustainability objectives.
- BCBS, CPMI, and IOSCO Publish Consultative Report on Transparency and Responsiveness of Initial Margin in Centrally Cleared Markets. On January 16, BCBS, the Bank for International Settlements’ Committee on Payments and Market Infrastructures (CPMI) and IOSCO jointly published a consultative report—Transparency and responsiveness of initial margin in centrally cleared markets– review and policy proposals—which interested parties are invited to comment on. BCBS, CPMI, and IOSCO stated that the ten policy proposals in the report aim to increase the resilience of the centrally cleared ecosystem by improving participants’ understanding of central counterparties (CCPs) initial margin calculations and potential future margin requirements. The proposals cover CCP simulation tools, CCP disclosures, measurement of initial margin responsiveness, governance frameworks and margin model overrides, and clearing member transparency.
- ISDA and SIFMA Response to US Basel III NPR. On January 16, ISDA and the Securities Industry and Financial Markets Association (SIFMA) submitted a joint response on the US Basel III ‘endgame’ notice of proposed rulemaking (NPR). The response focuses on the Fundamental Review of the Trading Book (FRTB), the revised credit valuation adjustment (CVA) framework, the securities financing transactions requirements and elements of the standardized approach to counterparty credit risk rules. In the response, the associations propose a number of calibration changes to ensure the rules are appropriate and risk sensitive and avoid adverse consequences to US capital markets.
- ISDA and SIFMA Response to G-SIB Surcharge Framework Consultation. On January 16, ISDA and SIFMA submitted a response to a consultation by the US Federal Reserve on proposed changes to the G-SIB surcharge. The response raises concerns that the revised G-SIB surcharge would lead to inappropriately high capital requirements for banks offering client clearing services, potentially discouraging them from participating in this business and contravening a long-standing policy objective to promote central clearing. Specifically, the response argues that client derivatives transactions cleared under the agency model should not be included in the complexity and interconnectedness categories of the G-SIB surcharge calculation.
The following Gibson Dunn attorneys assisted in preparing this update: Jeffrey Steiner, Adam Lapidus, Marc Aaron Takagaki, Hayden McGovern, and Karin Thrasher.
Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments. Please contact the Gibson Dunn lawyer with whom you usually work, any member of the firm’s Derivatives practice group, or the following practice leaders and authors:
Jeffrey L. Steiner, Washington, D.C. (202.887.3632, [email protected])
Michael D. Bopp, Washington, D.C. (202.955.8256, [email protected])
Michelle M. Kirschner, London (+44 (0)20 7071.4212, [email protected])
Darius Mehraban, New York (212.351.2428, [email protected])
Jason J. Cabral, New York (212.351.6267, [email protected])
Adam Lapidus – New York (+1 212.351.3869, [email protected])
Stephanie L. Brooker, Washington, D.C. (202.887.3502, [email protected])
Roscoe Jones Jr., Washington, D.C. (202.887.3530, [email protected])
William R. Hallatt, Hong Kong (+852 2214 3836, [email protected])
David P. Burns, Washington, D.C. (202.887.3786, [email protected])
Marc Aaron Takagaki, New York (212.351.4028, [email protected])
Hayden K. McGovern, Dallas (214.698.3142, [email protected])
Karin Thrasher, Washington, D.C. (202.887.3712, [email protected])
© 2024 Gibson, Dunn & Crutcher LLP. All rights reserved. For contact and other information, please visit us at www.gibsondunn.com.
Attorney Advertising: These materials were prepared for general informational purposes only based on information available at the time of publication and are not intended as, do not constitute, and should not be relied upon as, legal advice or a legal opinion on any specific facts or circumstances. Gibson Dunn (and its affiliates, attorneys, and employees) shall not have any liability in connection with any use of these materials. The sharing of these materials does not establish an attorney-client relationship with the recipient and should not be relied upon as an alternative for advice from qualified counsel. Please note that facts and circumstances may vary, and prior results do not guarantee a similar outcome.
Among the meaningful changes in the Final Rules, the Commission did not adopt a safe harbor from the “investment company” definition under the Investment Company Act of 1940, as amended (the “Investment Company Act”) for SPACs.
On January 24, 2024, the U.S. Securities and Exchange Commission (the “Commission”), by a three-to-two vote, adopted new rules and amendments (the “Final Rules”) to enhance disclosure and investor protections in initial public offerings (“IPO”) by special purpose acquisition companies (“SPACs”) and in subsequent business combinations between SPACs and private operating companies (“de-SPAC transaction”).[1]
The Final Rules are thematically aligned with the rule proposal issued by the Commission nearly two years ago in March 2020,[2] but with meaningful changes as noted below, including not adopting a safe harbor from the “investment company” definition under the Investment Company Act of 1940, as amended (the “Investment Company Act”) for SPACs.
The adopting release for the Final Rules (the “Adopting Release”) provides a lengthy and comprehensive discussion that builds upon the Commission’s prior statements and actions regarding SPAC IPOs and de-SPAC transactions.[3] As noted by the Commission’s Chair, Gary Gensler, in the accompanying press release, the Final Rules are intended to “help ensure that the rules for SPACs are substantially aligned with those of traditional IPOs.”[4] Chair Gensler further noted that the measures adopted in the Final Rules “will help protect investors by addressing information asymmetries, misleading information, and conflicts of interest in SPAC and de-SPAC transactions.”[5]
The Adopting Release is available here and a Fact Sheet is available here. The Final Rules will become effective 125 days after publication in the Federal Register. Compliance with the structured data requirements, which require tagging of information disclosed pursuant to new subpart 1600 of Regulation S-K in Inline XBRL, will be required 490 days after publication of the rules in the Federal Register.
I. Overview
There are four key components of the Final Rules:
- Disclosure and Investor Protection. The Final Rules impose specific disclosure requirements with respect to, among other things, compensation paid to sponsors, potential conflicts of interest, shareholder dilution, and the fairness of the business combination, for both the SPAC IPOs and de‑SPAC transactions;
- Business Combinations Involving Shell Companies. Under the Final Rules, the Commission will deem a business combination transaction involving a reporting shell company and a private operating company as a “sale” of securities under the Securities Act of 1933, as amended (the “Securities Act”), amend the financial statement requirements applicable to transactions involving shell companies, and amend the current “blank check company” definition to make clear that SPACs cannot rely on the safe harbor provision under the Private Securities Litigation Reform Act of 1995, as amended (the “PSLRA”) when marketing a de-SPAC transaction;
- Projections. The Final Rules amend the Commission’s guidance on the presentation of projections in any filings with the Commission (not only on de-SPAC transactions, but affecting all projections filed with the Commission) and adds new guidance only for de-SPAC transactions, in both instances to address the reliability of such projections; and
- Status of SPACs under the Investment Company Act of 1940. The Proposed Rules included a safe harbor that qualifying SPACs could have used to avoid registering as investment companies under the Investment Company Act. The Final Rules do not include a safe harbor, and instead, the Commission takes the position that SPACs should consider investment company status in light of the facts and circumstances and provides further guidance on what actions might cause a SPAC to fall into the investment company definition.
We provide below our key takeaways, a summary of the Final Rules and links to Commissioner statements regarding the Final Rules.
II. Key Takeaways
Below are the key takeaways from the Final Rules:
- Timing. Although the Final Rules will not be in effect for about 4 months, existing SPACs and their targets should expect to receive comments from the Commission staff along the broader lines of the Final Rules. SPACs and their targets also should consider the extent to which they will want to comply voluntarily with certain of the Final Rules, especially those focused on financial statement requirements and enhanced disclosures.
- Conforming SPACs to Traditional IPOs. The Final Rules go to great lengths to contrast the current SPAC regulatory regime against the one applicable to traditional IPOs and to “level” the playing field between the two. Closer alignment of the two regimes may reduce some potential benefits of a de-SPAC transaction (g., availability of alternative financing sources and expedited path to becoming a public company) while also exposing the SPAC, its target and their advisors to additional liability.
- No PSLRA Protection. The PSLRA safe harbor against a private right of action for forward-looking statements is not available in, among other transactions, an offering by a blank check company or a “penny stock” issuer, or in an initial public offering. Some market participants believed the PSLRA safe harbor was otherwise available in de-SPAC transactions when a SPAC is not a blank check company under Rule 419. Under the Final Rules, the Commission adopts a new definition of “blank check company” for purposes of the PSLRA making clear that SPACs may no longer rely on the safe harbor provision under the PSLRA as it relates to the use of projections and other forward-looking statements when marketing a de-SPAC The lack of the PSLRA safe harbor, especially coupled with enhanced disclosure requirements relating to projections under the Final Rules, may lead to changes in the presentation of projections and assumptions, or the abandonment of projections in a SPAC board’s evaluation of a potential de-SPAC target, which will further undermine the viability of the de-SPAC transaction as an alternative to traditional IPOs for target companies that do not have a lengthy operating history.
- Co-Registrant Liability. The Final Rules impose Section 11 liability on target companies and their officers and directors as co-registrants under Form S-4 and Form F-4 Liability will now extend to both SPAC and target company disclosures contained in such filings. Target companies assessing a de-SPAC transaction should now consider whether its current director and officer liability insurance is sufficient prior to the filing of an initial Form S-4 or Form F-4 for its de-SPAC transaction given the potential for increased liability related to the target’s disclosures.
- Extension of Current Disclosure Guidance (Projections, Dilution, Sponsor, Conflicts). The Final Rules codify current guidance and practice by the Commission, and require additional information and specificity (in some cases, beyond current rules and guidance). Nonetheless, some of the prescriptive rulemakings around enhanced disclosures—including required financial statements, disclosure of sources of dilution, sponsor control and relationships, and potential conflicts of interest—should not be particularly novel for practitioners as many of these requirements are based on existing rules and guidance.
- Board Determination. If required by the law of the jurisdiction of a SPAC’s organization, a SPAC must disclose its board’s determination whether the de-SPAC transaction is advisable and in the best interests of the SPAC and its shareholders and discuss the material factors considered in making the determination. The Final Rules specify that such factors must include, without limitation and to the extent considered, the valuation of the target company, financial projections relied upon by the board of directors, the terms of any financing materially related to the de-SPAC transaction, the dilutive impact of the transaction, and any fairness opinion. While the Proposed Rules would have required disclosure of the SPAC board’s reasonable belief as to the fairness of a de-SPAC transaction and related financings to the SPAC’s shareholders when approving a de-SPAC transaction, that requirement is not included in the Final Rules. Coupled with the enhanced disclosure requirements related to any projections used in a de-SPAC transaction, the Final Rules may result in SPACs not using a target company’s projections to assess a transaction or for marketing purposes, and SPACs may decide against obtaining fairness opinions in connection with de-SPAC transactions.
- Underwriter Liability. The Commission did not adopt its proposal of extending underwriter status (and resulting potential liability) in the de-SPAC transaction to those underwriters to SPAC IPOs involved, directly or indirectly, in the de-SPAC transaction (g., advisory services, placement agent services, and other activities related to the de-SPAC transaction would all be considered direct and indirect activities). Rather, the Commission noted in the Final Rules that it will apply the terms “distribution” and “underwriter” “broadly and flexibly” in light of the facts and circumstances of a particular transaction, including a de-SPAC transaction. The introduction of proposed underwriter liability in the Proposed Rules and pivot back to statutory interpretation creates further ambiguity and uncertainty on a going-forward basis. 2022 and 2023 saw a dramatic pullback by financial advisors in their participation in the SPAC market, and we anticipate that certain financial advisors will choose not to participate in SPAC IPOs and de-SPAC transactions as a result of the ambiguity under the Final Rules.
- Investment Company Act Safe Harbor. The Commission did not adopt its proposed new safe harbor for SPACs under the Investment Company Act, which would have exempted SPACs from being treated as an “investment company” if the SPAC met certain subjective criteria, related to, among other things, the nature and management of the assets held by the SPAC and the SPAC’s general purpose. Similar to its approach with respect to SPAC IPO underwriter liability, the Final Rules opt to provide general guidance regarding activities that could cause a SPAC to be an “investment company.” As a result, SPACs should carefully assess and monitor their activities, and consider changing their operations if necessary to bring them into compliance with the Investment Company Act.
III. Summary of Final Rules
1. New Subpart 1600 of Regulation S-K
The Final Rules create a new Subpart 1600 of Regulation S-K solely related to SPAC IPOs and de-SPAC transactions. Among other things, this new Subpart 1600 prescribes specific disclosure requirements with respect to the sponsor, potential conflicts of interest, potential shareholder dilution, and fairness to shareholders.
Sponsor, Affiliates, and Promoters
To provide investors with a more complete understanding of the role of SPAC sponsors, affiliates, and promoters,[6] the Commission has adopted Item 1603(a) of Regulation S-K, to require:
- Experience. Description of the experience, material roles, and responsibilities of sponsors, affiliates, and promoters.
- Arrangements. Discussion of any agreement, arrangement, or understanding (i) between the sponsor and the SPAC, its officers, directors, or affiliates, in determining whether to proceed with a de-SPAC transaction and (ii) regarding the redemption of outstanding securities.
- Sponsor Control. Discussion of the controlling persons of the sponsor and any persons who have direct or indirect material interests in the sponsor. The Commission declined to adopt the proposed requirement that SPACs also provide an organizational chart that shows the relationship between the SPAC, the sponsor, and the sponsor’s affiliates.
- Lock-Ups. A table describing the material terms of any lock-up agreements with the sponsor and its affiliates.
- Compensation. Discussion of the nature and amounts of all compensation (including securities issued by the SPAC) that has been or will be awarded to, earned by, or paid to the sponsor, its affiliates, and any promoters for all services rendered in all capacities to the SPAC and its affiliates, as well as the nature and amounts of any reimbursements to be paid to the sponsor, its affiliates, and any promoters upon the completion of a de-SPAC
Potential Conflicts of Interest
To provide investors with a more complete understanding of the potential conflicts of interest between (i) any SPAC sponsor or affiliate, target company officers and directors, or the SPAC’s officers, directors, or promoters, and (ii) unaffiliated security holders of the SPAC, the Commission adopted a new Item 1603(b) of Regulation S-K. This new Item includes a discussion of conflicts arising as a result of a determination to proceed with a de-SPAC transaction and from the manner in which a SPAC compensates the sponsor or the SPAC’s executive officers and directors, or the manner in which the sponsor compensates its own executive officers and directors.
Relatedly, Item 1603(c) of Regulation S-K will require disclosure of the fiduciary duties that each officer and director of a SPAC owes to other companies.
Sources of Dilution
In an effort to conform and enhance disclosure relating to dilution in SPAC IPOs and de-SPAC transactions, the Commission has adopted Items 1602 and 1604 of Regulation S-K, respectively.
- IPO Dilution Disclosure. In providing disclosure pursuant to Item 506, SPAC disclosure previously estimated dilution as a function of the difference between the initial public offering price and the pro forma net tangible book value per share after the offering, often including an assumption of the maximum number of shares eligible for redemption in a de-SPAC transaction. The Final Rules will now require additional granularity on the prospectus cover page, requiring SPACs to present redemption scenarios in quartiles up to the maximum redemption scenario. In addition to changes to the cover page, the Final Rules also supplement Item 506 disclosure by requiring a description of material potential sources of future dilution following a SPAC’s initial public offering, as well as tabular disclosure of the amount of potential future dilution from the public offering price that will be absorbed by non-redeeming SPAC shareholders, to the extent quantifiable.
- De-SPAC Dilution Disclosure. In addition to disclosure at the IPO stage of a SPAC’s lifecycle, the Final Rules require additional disclosure regarding material potential sources of dilution as a result of the de-SPAC As seen in comment letters issued by the Commission following the release of the Proposed Rules, the Commission has requested additional granularity with respect to post-closing pro forma ownership disclosure, often requiring the disclosure of various redemption thresholds and the effects of potential sources of dilution. The Final Rules now codify this practice by requiring disclosure in a tabular format that includes intervals representing selected potential redemption levels that may occur across a reasonably likely range of outcomes. The Final Rules do not prescribe specific redemption levels for which dilution information must be provided, but looking at the SPAC IPO dilution requirements (as discussed above), quartile disclosure up to the maximum redemption scenario may be acceptable.
Board Determination Regarding De-SPAC Transaction
Under Item 1606, if the law of the jurisdiction of the SPAC’s organization requires the SPAC’s board of directors to determine whether the de-SPAC transaction is advisable and in the best interests of the SPAC and its shareholders, then the SPAC will be required to disclose that determination. Item 1606 of Regulation S-K will also require a discussion, of the material factors considered in making that determination. This is one of the few areas of the Final Rule where the Commission declined to adopt a more stringent standard, with the initial proposed rule creating a potential “backdoor” opinion requirement by asking that a board of directors affirmatively state whether it reasonably believes a de-SPAC transaction, including any related financing, was fair to the unaffiliated securityholders of the SPAC.
Relatedly, if any director voted against, or abstained from voting on, approval of the de-SPAC transaction or any related financing transaction, SPACs would be required to identify the director, and indicate, if known, after making reasonable inquiry, the reasons for the vote against the transaction or abstention.
2. Aligning De-SPAC Transactions with IPOs
Target Company as Co-Registrant
Under the current rules, only the SPAC and its officers and directors are required to sign the registration statement and are liable for material misstatements or omissions. The Final Rules require the target company to be treated as a co-registrant with the SPAC when a Form S-4 or Form F-4 registration statement is filed by the SPAC in connection with a de-SPAC transaction.[7] Registrant status for a target company and its officers and directors will result in such parties being liable for material misstatements or omissions pursuant to Section 11 of the Securities Act. Under the Final Rules, target companies and their officers and directors will be liable with respect to their own material misstatements or omissions, as well as any material misstatements or omissions made by the SPAC or its officers and directors. As a result, the Final Rules seeks to further incentivize target companies and SPACs to be diligent in monitoring each other’s disclosure.
Smaller Reporting Company Status
Currently, de-SPAC companies are able to avail themselves – as almost all SPACs have done since 2016[8] – of the smaller reporting company rules for at least one year following the de-SPAC transaction (and most SPACs would still retain this status at the time of the de-SPAC transaction when the SPAC is the legal acquirer of the target company). The “smaller reporting company” status benefits the combined company after the de-SPAC transaction by availing it of scaled disclosure and other accommodations as it adjusts to being a public company.
Citing the disparate treatment between traditional IPO companies and de-SPAC companies (the former having to determine smaller reporting company status at the time it files its initial registration statement and the latter retaining the SPAC’s smaller reporting company status until the next annual determination date), the Final Rules require de-SPAC companies to determine compliance with the public float threshold (i.e., public float of (i) less than $250 million, or (ii) in addition to annual revenues less than $100 million, less than $700 million or no public float)[9] prior to the time it makes its first filing with the Commission (other than the Form 8-K filed with Form 10 information).
The public float must be measured as of a date within four business days after the consummation of the de-SPAC transaction. The revenue threshold must be determined by using the annual revenues of the target company as of the most recently completed fiscal year for which audited financial statements are available. The de-SPAC company must reflect its re-determination in its first periodic report due after a 45-day period following the consummation of the de-SPAC transaction.
Target companies will need to consider the burdens of additional reporting requirements in light of the potential of not being able to qualify as a smaller reporting company following their de-SPAC transactions.
PSLRA Safe Harbor
The PSLRA provides a safe harbor for forward-looking statements under the Securities Act and the Securities Exchange Act of 1934, as amended (the “Exchange Act”), under which a company is protected from liability for forward-looking statements in any private right of action under the Securities Act or Exchange Act when, among other things, the forward-looking statement is identified as such and is accompanied by meaningful cautionary statements.
The safe harbor, however, is not available when the forward looking statement is made in connection with an offering by a “blank check company,” a company that is (i) a development stage company with no specific business plan or purpose or has indicated that its business plan is to engage in a merger or acquisition with an unidentified company or companies, or other entity or person, and (ii) is issuing “penny stock.”[10]
Because of the penny stock requirement, many practitioners have considered SPACs to be afforded protection under the PSLRA safe harbor as it does not otherwise meet the second prong of the definition of blank check company for purposes of the PSLRA safe harbor. The Final Rules will adopt a new definition of “blank check company” for purposes of the PSLRA to remove the penny stock requirement, thus effectively removing a SPAC’s ability to qualify for the PSLRA safe harbor provision for the de-SPAC transaction.
This inability to rely on the PSLRA is coupled with the Final Rules’ addition of new and modified projections disclosure requirements (as further discussed below). It remains unclear whether the application of the Final Rules will lead to changes in the use of projections and assumptions (especially considering the current environment where market participants, investors, and financiers have come to expect detailed projections disclosure, similar to what is used in public merger and acquisitions (“M&A”) transactions), or the abandonment of projections in assessing and marketing a de-SPAC transaction.
Underwriter Status and Liability
Historically, Section 11 and Section 12(a)(2) of the Securities Act[11] have imposed underwriter liability on underwriters of a SPAC’s IPO. The Commission declined to adopt its proposal to establish that a de-SPAC transaction would constitute a “distribution” under applicable underwriter regulations, which would have automatically extended underwriter liability to the SPAC IPO underwriter if it engaged in certain de-SPAC activities or compensation arrangements.
Instead, the Final Rules provide general guidance regarding statutory underwriter status, following its “longstanding practice of applying the statutory terms “distribution” and “underwriter” broadly and flexibly, as the facts and circumstances of any transaction may warrant.”[12] The Commission may find a “statutory underwriter” where someone is selling for the issuer or participating in the distribution of securities in the combined company to the SPAC’s investors and the broader public, even though it may not be named as an underwriter in any given offering or may not be engaged in activities typical of a named underwriter in traditional capital raising.[13]
The Commission’s extensive broad interpretation of the concept of “statutory underwriter,” coupled with the traditional “due diligence” defenses of underwriters,[14] suggests that SPACs and target companies should expect extensive diligence requests from financial institutions, advisors, and their counsel in connection with a de-SPAC transaction, requests from investment banks that advisors to a SPAC and its target provide negative assurance and comfort letters in connection with the de-SPAC transaction, and other related changes to the de-SPAC transaction process that add complexity, time, and cost.
3. Business Combinations Involving Shell Companies
The Commission’s concern related to private companies becoming U.S. public companies via de-SPAC transactions is substantially related to the perceived opportunity for such private companies to avoid “Securities Act registration and the related disclosures which are intended to protect investors.”[15]
Rule 145a
Based on the structure of certain de-SPAC transactions, the Commission expressed concern that, unlike investors in transaction structures in which the Securities Act applies (and a registration statement would be filed, absent an exemption), investors in reporting shell companies may not always receive the disclosures and other protection afforded by the Securities Act at the time the change in the nature of their investment occurs, due to the business combination involving another entity that is not a shell company.
Rule 145a intends to address the issue by deeming any direct or indirect business combination of a reporting shell company (other than a business combination related shell company) involving another entity that is not a shell company constitutes “a sale of securities to the reporting shell company’s shareholders.”[16] By deeming such transaction to be a “sale” of securities for the purposes of the Securities Act, the Final Rule is intended to address potential disparities in the disclosure and liability protections available to shareholders of reporting shell companies, depending on the transaction structure deployed.
Rule 145a defines a reporting shell company as a company (other than an asset-backed issuer as defined in Item 1101(b) of Regulation AB) that has:
- no or nominal operations;
- either:
- no or nominal assets;
- assets consisting solely of cash and cash equivalents; or
- assets consisting of any amount of cash and cash equivalents and nominal other assets; and
- an obligation to file reports under Section 13 or Section 15(d) of the Exchange Act.
The Final Rule notes that the sales covered by Rule 145a will not be covered by the exemption provided under Section 3(a)(9) of the Securities Act, because the exchange of securities would not be exclusively with the reporting shell company’s existing security holders, but also would include the target company’s existing security holders.
We would also note that this provision has broader market implications as it would apply to all reporting shell companies (other than a “business combination related shell company,” as defined in Rule 405 under the Securities Act and Rule 12b-2 under the Exchange Act), and not just SPAC transactions.
Financial Statement Requirements in Business Combination Transactions Involving Shell Companies
The Final Rule amends the financial statements required to be provided in a business combination with an intention to bridge the gap between such financial statements and the financial statements required to be provided in an IPO. The Commission views such Final Rule as simply codifying “current staff guidance for transactions involving shell companies.”[17] While the below information is presented in the context of a de-SPAC transaction, we would note that these requirements will apply to all shell companies (other than a “business combination related shell company,” as defined in Rule 405 under the Securities Act and Rule 12b-2 under the Exchange Act), and not just SPAC transactions.
Number of Years of Financial Statements
Rule 15-01(b) will require a registration statement for a de-SPAC transaction where a business is combining with a shell company registrant to include the same financial statements for that business as would be required in a Securities Act registration statement for an IPO of that business.
Audit Requirements
Rule 15-01(a) will require the examination of the financial statements of a business that is or will be a predecessor to a shell company to be audited by an independent accountant in accordance with the standards of the Public Company Accounting Oversight Board (“PCAOB”) for the purpose of expressing an opinion, to the same extent as a registrant would be audited for an IPO, effectively codifying the staff’s existing guidance.[18]
Age of Financial Statements
Rule 15-01(c) will provide for the age of the financial statements of a business involved in a business combination with a shell company to be based on whether such private company would qualify as a smaller reporting company in a traditional IPO process, ultimately aligning with the financial statement requirements in a traditional IPO.
Acquisitions of a Business or Real Estate Operation by a Predecessor
The Commission is implementing a series of rules intended to clarify when companies should disclose financial statements of businesses acquired by SPAC targets or where such business are probable of being acquired by SPAC targets. Rule 15-01(d) will address situations where financial statements of other businesses (other than the predecessor) that have been acquired or are probable to be acquired should be included in a registration statement or proxy/information statement for a de-SPAC transaction. The Final Rule will require application of Rule 3-05 and Rule 8-04 (or Rule 3-14 and Rule 8-06 with respect to real estate operation) of Regulation S-X to acquisitions by a predecessor to the shell company, which the staff views as codifying its existing guidance.
Amendments to the significance tests in Rule 1-02(w) of Regulation S-X will require the significance of the acquisition target of the private target in a de-SPAC transaction to be calculated using the SPAC’s target’s financial information, rather than the SPAC’s financial information.
In addition, Rule 15-01(d)(2) will require the de-SPAC company to file the financial statements of a recently acquired business, that is not or will not be its predecessor pursuant to Rule 3-05(b)(4)(i) in an Item 2.01(f) of Form 8-K filed in connection with the closing of the de-SPAC transaction where such financial statements were omitted from the registration statement for the de-SPAC transaction, to the extent the significance of the acquisition is greater than 20% but less than 50%.
Financial Statements of a Shell Company Registrant after the Combination with Predecessor
Rule 15-01(e) allows a registrant to exclude the financial statements of a SPAC for the period prior to the de-SPAC transaction if (i) all financial statements of the SPAC have been filed for all required periods through the de-SPAC transaction, and (ii) the financial statements of the registrant include the period on which the de-SPAC transaction was consummated. The Final Rule eliminates any distinction between a de-SPAC structured as a forward acquisition or a reverse recapitalization.
Other Amendments
In addition, the Final Rules are also addressing the following related amendments:
- amendment of Item 2.01(f) of Form 8-K to (i) refer to “predecessor,” rather than “registrant,” to clarify that the information required to be provided “relates to the acquired business and for periods prior to consummation of the acquisition”[19] and (ii) establish that registrant need not present audited financial statements for predecessor for any period prior to the earliest audited period if, at the time of filing, the predecessor meets the conditions of an “emerging growth company”; and
- amendment of Rules 3-01, 8-02, and 10-01(a)(1) of Regulation S-X to expressly refer to the balance sheet of the predecessors, consistent with the provision regarding income statements.
4. Enhanced Projections Disclosure
Disclosure of financial projections is not expressly required by the U.S. federal securities laws; however, it has been common practice for SPACs to use projections of the target company and post-de-SPAC company in its assessment of a proposed de-SPAC transaction, its investor presentations, and soliciting material once a definitive agreement is executed.
The Final Rules amend existing Commission guidance under Item 10(b) of Regulation S-K with respect to the use of any projections of future economic performance for any registrant and persons other than the registrant for any filings subject to Regulation S-K, as well as to add new, supplemental disclosure requirements applying only to de-SPAC transactions, under the new Item 1609 of Regulation S‑K.
Amended Item 10(b) of Regulation S-K
Under Item 10(b) of Regulation S-K, management may present projections regarding a registrant’s future performance, provided that (i) there is a reasonable and good faith basis for such projections, and (ii) they include disclosure of the assumptions underlying the projections and the limitations of such projections, and the presentation and format of such projections. Citing concerns of instances where target companies have disclosed projections that lack a reasonable basis,[20] the Final Rules amend Item 10(b) of Regulation S-K as follows:[21]
- Clarification of Applicability to Target Company. Item 10(b) of Regulation S-K currently refers to projections regarding the “registrant.” The Final Rule will modify the language to clarify that the guidance therein applies to any projections of future economic performance of both the registrant and persons other than the registrant (which would include a target company in a de-SPAC transaction), that are included in the registrant’s Commission filings.
- Historical Results. Disclosure of projected measures that are not based on historical financial results or operational history should be clearly distinguished from projected measures that are based on historical financial results or operational history.
- Prominence of Historical Results. Similar to non-GAAP presentation, the Commission will consider it misleading to present projections that are based on historical financial results or operational history without presenting such historical measure or operational history with equal or greater prominence.
- Non-GAAP Measures. Presentation of projections that include a non-GAAP financial measure should include a clear definition or explanation of the measure, a description of the GAAP financial measure to which it is most closely related, and an explanation why the non-GAAP financial measure was used instead of a GAAP measure. The Final Rule notes that the reference to the nearest GAAP measure called for by amended Item 10(b) will not require a reconciliation to that GAAP measure; however, the need to provide a GAAP reconciliation for any non-GAAP financial measures will continue to be governed by Regulation G and Item 10(e) of Regulation S-K.
Important to note that the guidance in the amended Item 10(b) applies to all projections of future economic performance of any registrant and persons other than the registrant that are included in the registrant’s filings with the Commission (not only to de-SPAC transactions).
Proposed Item 1609 of Regulation S-K
In light of the traditional SPAC sponsor compensation structure (i.e., compensation in the form of post-closing equity) and the potential incentives and overall dynamics of a de-SPAC transaction, the Commission has adopted a new rule specific to de-SPAC transactions that will supplement the amendments to Item 10(b) of Regulation S-K (as discussed above). Specifically, the new Item 1609 of Regulation S-K that will require SPACs to provide the accompanying disclosures to financial projections:
- Purpose of Projections. Any projection disclosed by the registrant in the filing (or any exhibit thereto) must include disclosure regarding (i) the purpose for which the projection was prepared, and (ii) the party that prepared the projection.
- Bases and Assumptions. Disclosure will include all material bases of the disclosed projections and all material assumptions underlying the projections, and any material factors that may materially affect such assumptions. This would include a discussion of any factors that may cause the assumptions to be no longer reasonable, material growth or reduction rates or discount rates used in preparing the projections, and the reasons for selecting such growth or reduction rates or discount rates[22].
- Views of Management and the Board. Disclosure must discuss whether or not the projections disclosed continue to reflect the views of the board of directors (or similar governing body) and/or management of the SPAC or target company, as applicable, as of the most recent practicable date prior to the date of the disclosure document required to be disseminated to security holders. If the projections do not continue to reflect the views of the board of directors (or similar governing body) and/or management, the SPAC should include a discussion of the purpose of disclosing the projections and the reasons for any continued reliance by the management or board on the projections.
Similar to the amendments to Item 10(b), the first two requirements summarized above should not come as a particular surprise to existing SPACs and their counsel as projections disclosure has been a significant area of scrutiny by the Commission in the registration statement and proxy statement review process.
We note, however, that the requirement under Item 1609 to add disclosure as to management’s and/or the board’s current views likely will require additional disclosure beyond what has been typical market practice. In particular, projections disclosure in a registration statement or proxy statement is often made in the context of a historical lookback to the projections in place at the time the board of directors of the SPAC assessed whether to enter into a de-SPAC transaction with the target company. These projections typically are not updated with newer data during the pendency of the transaction since the purpose of such disclosure is to inform investors of the board’s rationale for approving the transaction. Item 1609 does not explicitly require the updating of projections, but it does require the parties to disclose whether the included projections reflect the view of the SPAC and the target company as of the date of filing. Moreover, the potential to provide revised projections, coupled with obligations to disclose management’s and board’s continuing views, may prove challenging disclosure to be made between the signing of a business combination agreement and the filing of a registration statement or proxy statement and during the review period for such registration statement or proxy statement.
5. Status of SPACs under the Investment Company Act of 1940
Because pre-transaction SPACs are not engaged in any meaningful business other than investing their IPO proceeds, there has been uncertainty regarding whether they are “investment companies” under the Investment Company Act of 1940.[23] The Proposed Rules included a safe harbor that would have excluded certain SPACs from being defined as investment companies; however, the Commission instead set forth in the Final Rules facts and circumstances guidance relevant to investment-company classification using the five Tonopah factors employed in the standard analysis.[24]
- Nature of SPAC Assets and Income. If a SPAC were to invest in investment securities like corporate bonds—especially if those investments exceeded 40% of the SPAC’s assets—it would likely be an investment company. (Assets commonly held by SPACs today, such as U.S. government securities, money market funds, and cash, likely would not count heavily toward investment-company status.) Similarly, if a SPAC were to derive most of its income from investment securities, it would likely be an investment company.
- Management Activities. If a SPAC were to hold investment securities while its managers did not actively seek a de-SPAC transaction, or while its managers actively managed those securities to achieve investment returns, the SPAC would more likely be an investment company. Relatedly, SPAC sponsors should be aware that they may be classified as “investment advisors” under the Investment Advisors Act of 1940.[25]
- Duration. The longer a SPAC takes to achieve a de-SPAC transaction, the more likely its investment-company-like characteristics qualify it as an investment company. The Commission identifies two timelines as relevant for this analysis. Rule 3a-2 under the Investment Company Act provides a one-year safe harbor for “transient investment companies.” And blank-check companies under Investment Company Act Rule 419 are not investment companies because their duration is limited to 18 months. Because these timelines reflect the Commission’s thinking in similar circumstances, though outside of the SPAC context, SPACs operating beyond 12 or 18 months should assess whether they otherwise qualify as investment companies.
- Holding Out. A SPAC that markets itself like an investment company is likely to be considered to be an investment company. For example, a SPAC that advertises itself an alternative to mutual funds is holding itself out as an investment company.
- Merging with an Investment Company. A SPAC that proposes to engage in a de-SPAC transaction with an investment company is likely to itself be an investment company.
SPACs should carefully assess all the facts and circumstances to determine whether they must register as investment companies. In particular, they should pay attention to the 12- and 18-month thresholds and whether investment securities account for most of their assets, income, or efforts.
IV. Conclusions
These Final Rules come as no surprise to SPAC market participants. Indeed, a comparison of existing de-SPAC transaction disclosure practices with many of the Final Rules merely evidences a codification of what the market has already adopted and anticipated over the nearly twenty-two month period since the Proposed Rules were first released. While the market appears to have already anticipated some of these changes, it remains to be seen whether the Final Rules will have any meaningful effect on current market conditions, as evidenced by the substantial retraction in the SPAC market over the last year, or if the SPAC market itself has naturally run its course in light of broader macro-economic trends.
Although we may view many of the Final Rules as reiterating the status quo, the Commission’s efforts here are noteworthy in that the Final Rules also touch upon broader market considerations. For example, the Final Rules’ facts and circumstances guidance with respect to the applicability of “underwriter” or “investment company” status, and the changes to Item 10(b) related to projections disclosure, are not limited solely to SPACs and should be considered relevant to other public market participants and advisors in similar and adjacent circumstances. As a result, we encourage our clients and public market participants to reach out to us to see how this rulemaking may affect their going-forward operations and business plans.
V. Commissioner Statements
For the published statements of the Commissioners, please see the following links:
Commissioner Caroline A. Crenshaw
Commissioner Mark T. Uyeda (Dissenting)
Commissioner Hester M. Peirce (Dissenting)
[1] U.S. Securities and Exchange Commission, Special Purpose Acquisition Companies, Shell Companies, and Projections, Exchange Act Release No. 99418 (January 24, 2024) (“Final Rules”), available at https://www.sec.gov/files/rules/final/2024/33-11265.pdf.
[2] For our discussion of the proposed rules, see Gibson, Dunn & Crutcher LLP, SEC Proposes Rules to Align SPACs More Closely with IPOs (April 6, 2022), available at https://www.gibsondunn.com/sec-proposes-rules-to-align-spacs-more-closely-with-ipos/.
[3] See Gibson, Dunn & Crutcher LLP, SEC Staff Issues Cautionary Guidance Related to Business Combinations with SPACs (April 6, 2021), link here (addressing certain accounting, financial reporting and governance issues related to SPACs and the combined company following a SPAC business combination), see also Gibson, Dunn & Crutcher LLP, SEC Division of Corporation Finance Issues Interpretations Addressed to SPACs’ Business Combinations (March 24, 2022), link here (discussing new Compliance and Disclosure Interpretations that addressed certain issues related to the business combination process of de-SPAC transactions), and Gibson, Dunn & Crutcher LLP, SEC Publishes C&DIs Addressing Tender Offer Issues (March 17, 2023), link here (discussing new Compliance and Disclosure Interpretations that addressed various tender offer issues in connection with de-SPAC transactions).
[4] U.S. Securities and Exchange Commission, Press Release (2024-8), SEC Adopts Rules to Enhance Investor Protections Relating to SPACs, Shell Companies, and Projections (January 24, 2024), available at https://www.sec.gov/news/press-release/2024-8.
[6] The term “promoter” is defined in Securities Act Rule 405 and Exchange Act Rule 12b-2.
[7] Under Section 6(a) of the Securities Act, each “issuer” must sign a Securities Act registration statement. The Securities Act broadly defines the term “issuer” to include every person who issues or proposes to issue any securities.
[10] The term “penny stock” is defined in 17 CFR 240.3a51-1.
[11] Section 11 of the Securities Act imposes on underwriters, among other parties identified in Section 11(a), civil liability for any part of the registration statement, at effectiveness, which contained an untrue statement of a material fact or omitted to state a material fact required to be stated therein or necessary to make the statements therein not misleading, to any person acquiring such security. Further, Section 12(a)(2) imposes liability upon anyone, including underwriters, who offers or sells a security, by means of a prospectus or oral communication, which includes an untrue statement of a material fact or omits to state a material fact necessary in order to make the statements, in the light of the circumstances under which they were made, not misleading, to any person purchasing such security from them.
[14] Although the Securities Act does not expressly require an underwriter to conduct a due diligence investigation, the Final Rules reiterates the Commission’s long-standing view that underwriters nonetheless have an affirmative obligation to conduct reasonable due diligence. Final Rules, p. 288. This was also mentioned by the Commission in fn. 184 of the Proposed Rule (citing In re Charles E. Bailey & Co., 35 S.E.C. 33, at 41 (Mar. 25, 1953) (“[An underwriter] owe[s] a duty to the investing public to exercise a degree of care reasonable under the circumstances of th[e] offering to assure the substantial accuracy of representations made in the prospectus and other sales literature.”); In re Brown, Barton & Engel, 41 SEC 59, at 64 (June 8, 1962) (“[I]n undertaking a distribution . . . [the underwriter] had a responsibility to make a reasonable investigation to assure [itself] that there was a basis for the representations they made and that a fair picture, including adverse as well as favorable factors, was presented to investors.”); In the Matter of the Richmond Corp., infra note 185 (“It is a well-established practice, and a standard of the business, for underwriters to exercise diligence and care in examining into an issuer’s business and the accuracy and adequacy of the information contained in the registration statement . . . The underwriter who does not make a reasonable investigation is derelict in his responsibilities to deal fairly with the investing public.”)).
[17] Id., p. 112 (citing the staff guidance under the Division of Corporation Finance’s Financial Reporting Manual).
[18] Id., p. 112 (citing the staff guidance under the Division of Corporation Finance’s Financial Reporting Manual at Section 4110.5).
[20] For example, the Commission cites to recent enforcement actions against SPACs, alleging the use of baseless or unsupported projections about future revenues and the use of materially misleading underlying financial projections. See, e.g., In the Matter of Momentus, Inc., et al., Exch. Act Rel. No. 34-92391 (July 13, 2021); SEC vs. Hurgin, et al., Case No. 1:19-cv05705 (S.D.N.Y., filed June 18, 2019); In the Matter of Benjamin H. Gordon, Exch. Act Rel. No. 34-86164 (June 20, 2019); and SEC vs. Milton, Case No. 1:21-cv-6445 (S.D.N.Y., filed July 29, 2021).
[21] The Final Rules made three technical revisions to item 10(b). The first two changes are to enhance clarity and avoid potential ambiguity. The third revision is to create consistency with the terms used in existing Item 10(e)(1)(i)(A) of Regulation S-K. In Item 10(b)(2)(i), they replaced the term “foregoing measures of income” with the term “foregoing measurers of income (loss).” In Item 10(b)(2)(iii), they replaced the term “historical financial measure” with the term “historical financial results.” In Item 10(b)(2)(iv), they revised the item to require a description of the GAAP financial measure “most directly comparable” to the non-GAAP measure, rather than “mostly closely related.”
[22] Two examples of “discount rates” are: (1) the weighted average cost of capital used to discount to present value the future cash flows over the period of years projected in a discounted cash flow analysis and (2) the rate applied to the terminal value in a discounted cash flow analysis to calculate its present value.
[23] See 15 U.S.C. §§ 80a-3(a)(1)(A), (a)(1)(C).
[24] See In the Matter of Tonopah Mining Co., 26 S.E.C. 426 (July 21, 1947).
[25] See 15 U.S.C. § 80b-2(a)(11).
__________
Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments. For further information, please contact the Gibson Dunn lawyer with whom you usually work, any member of the firm’s Capital Markets, Mergers and Acquisitions, Securities Enforcement, or Securities Regulation and Corporate Governance practice groups, or the following practice leaders and authors:
Evan M. D’Amico – Washington, D.C. (+1 202.887.3613, [email protected])
Gerry Spedale – Houston (+1 346.718.6888, [email protected])
James O. Springer – Washington, D.C. (+1 202.887.3516, [email protected])
Rodrigo Surcan – New York (+1 212.351.5329, [email protected])
Mergers and Acquisitions:
Robert B. Little – Dallas (+1 214.698.3260, [email protected])
Saee Muzumdar – New York (+1 212.351.3966, [email protected])
Capital Markets:
Andrew L. Fabens – New York (+1 212.351.4034, [email protected])
Hillary H. Holmes – Houston (+1 346.718.6602, [email protected])
Stewart L. McDowell – San Francisco (+1 415.393.8322, [email protected])
Peter W. Wardle – Los Angeles (+1 213.229.7242, [email protected])
Securities Regulation and Corporate Governance:
Elizabeth Ising – Washington, D.C. (+1 202.955.8287, [email protected])
James J. Moloney – Orange County (+1 949.451.4343, [email protected])
Lori Zyskowski – New York (+1 212.351.2309, [email protected])
Brian J. Lane – Washington, D.C. (+1 202.887.3646, [email protected])
Ronald O. Mueller – Washington, D.C. (+1 202.955.8671, [email protected])
Thomas J. Kim – Washington, D.C. (+1 202.887.3550, [email protected])
Mike Titera – Orange County (+1 949.451.4365, [email protected])
Aaron Briggs – San Francisco (+1 415.393.8297, [email protected])
Julia Lapitskaya – New York (+1 212.351.2354, [email protected])
© 2024 Gibson, Dunn & Crutcher LLP. All rights reserved. For contact and other information, please visit us at www.gibsondunn.com.
Attorney Advertising: These materials were prepared for general informational purposes only based on information available at the time of publication and are not intended as, do not constitute, and should not be relied upon as, legal advice or a legal opinion on any specific facts or circumstances. Gibson Dunn (and its affiliates, attorneys, and employees) shall not have any liability in connection with any use of these materials. The sharing of these materials does not establish an attorney-client relationship with the recipient and should not be relied upon as an alternative for advice from qualified counsel. Please note that facts and circumstances may vary, and prior results do not guarantee a similar outcome.
An analysis of important trends and developments in AML regulation and enforcement, including key priorities emphasized by enforcers, notable enforcement actions and prosecutions, significant judicial opinions, and an important legislative development.
U.S. enforcers increasingly rely on the anti-money laundering (“AML”) statutes to police a wide variety of conduct. Broadly speaking, there are two types of AML statutes: (1) statutes that prohibit certain conduct (for example, knowingly engaging in a financial transaction with the intent to conceal unlawful activity), or (2) statutes that impose affirmative obligations on certain types of businesses to engage in identification and reporting of suspicious financial activity (for example, the Bank Secrecy Act (“BSA”)).
In this alert, we analyze the most important trends and developments in AML regulation and enforcement by recapping significant developments during the preceding year. In this inaugural edition, we recap 12 of the most important developments of 2023, including key priorities emphasized by enforcers, notable enforcement actions and prosecutions, significant judicial opinions, and an important legislative development.
Agency Priorities
We begin with a look at some of the U.S. government’s most significant priorities in the AML space: national security and the Corporate Transparency Act.
- The Biden Administration Continues to Focus on National Security and AML
In 2023, the Biden administration prioritized investigations and prosecutions in the national security arena, particularly those implicating AML and sanctions. Department of Justice (“DOJ”) officials have repeatedly described sanctions as “the new FCPA”—relevant to an expanding number of industries, the focus of an increasingly multilateral enforcement regime, and subject to voluntary self-disclosure incentives.[1] Even businesses far removed from the defense sector such as tobacco, cement, and shipping faced enforcement actions for allegedly paying insufficient attention to the national security risks posed by certain actors, regions, and activities.[2] Further, money laundering-related cases now routinely intersect with international sanctions and export control violations.[3]
The U.S. government has backed its enforcement priorities with substantial resourcing. DOJ’s National Security Division designated its first Chief Counsel for Corporate Enforcement, Ian Richardson, and announced the hiring of 25 new prosecutors to investigate national security-related economic crimes.[4] Moreover, the Criminal Division’s Bank Integrity Unit likewise added six prosecutors—a 40 percent increase—to target national security-related financial misconduct.[5]
DOJ, along with the Departments of Treasury and Commerce, has embraced a “whole of government” approach to national security and illicit finance. One example is its growing use of inter-agency task forces. In 2023, DOJ’s Task Force Kleptocapture hit its stride with asset seizures (using inter alia money-laundering seizure theories) totaling more than $500 million of criminal assets with ties to the Russian regime.[6] Building on the success of Kleptocapture, the Departments of Justice and Commerce also launched the Disruptive Technology Strike Force,[7] a multi-agency task force that works to prevent U.S. adversaries from illicitly acquiring sensitive U.S. technology. The Disruptive Technology Strike Force already has brought money laundering prosecutions against those who allegedly evaded U.S. trade restrictions.[8] DOJ and Treasury—along with U.S. allies—have likewise continued to convene the Russian Elites, Proxies, and Oligarchs (REPO) Task Force.[9] This task force works to investigate and counter Russian sanctions evasion, including cryptocurrency and money laundering, and has blocked or frozen more than $58 billion of sanctioned Russian assets.[10]
U.S. enforcers have also released a number of alerts emphasizing the interplay between money laundering and national security issues. Treasury’s Financial Crimes Enforcement Network (“FinCEN”) is the U.S. government’s leading anti-money laundering regulator. In 2023, FinCEN issued three AML alerts to help detect potentially suspicious activity relating to Hamas’s financing and Russian export control violations.[11] FinCEN also issued supplemental AML alerts with Commerce’s Bureau of Industry and Security (“BIS”) that highlighted export evasion typologies.[12] In a similar vein, DOJ’s National Security Division began issuing joint advisories with Commerce and Treasury that provide the private sector with information about enforcement actions against those who use money laundering to support violations of U.S. sanctions and export controls.[13]
- The Corporate Transparency Act’s Reporting Requirements to Assist AML Investigations
In January of 2021, the Anti-Money Laundering Act of 2020 became law.[14] One of the provisions in the bill was the Corporate Transparency Act (“CTA”), which established a new regime in the United States requiring many corporate entities to file a form with FinCEN disclosing their beneficial owners.[15]
To implement the CTA, FinCEN has currently issued two rules (with a third in progress). The first rule, the “Reporting Rule,” sets forth which entities need to disclose their beneficial ownership information (“BOI”) to FinCEN and by when. Entities subject to these reporting requirements include both “domestic reporting companies” and “foreign reporting companies.” Domestic reporting companies are defined as corporations, limited liability companies, or any other entity created by the filing of a document with a secretary of state or tribal nation.[16] Foreign reporting companies are corporations, LLCs, or other entities formed under the laws of a foreign country and registered to do business within any U.S. state.[17]
Domestic and foreign reporting companies must file BOI data with FinCEN unless an exemption applies. The CTA affords 23 exemptions for various entities—including public companies, money services businesses, select banks and credit unions, and large operating companies, defined as having more than 20 full time employees, an office space, and $5 million in gross receipts or sales in the United States the prior tax year.[18] There is also an exemption for investment advisers and investment funds, as detailed further in a prior Gibson Dunn client alert.[19] Additionally, subsidiaries of certain exempt entities need not report BOI information in particular circumstances as well.[20] However, pursuant to recent guidance from FinCEN, that exception only applies to subsidiaries that are “fully, 100 percent owned or controlled by an exempt entity.”[21]
If no exemption applies, then select domestic and foreign entities must disclose relevant BOI information. In general, these BOI reports must identify two categories of individuals: (1) the beneficial owners of the entity (defined as those natural persons who own at least 25% of the entity or who exercise “substantial control” over it); and (2) the company applicants of the entity (meaning those directly involved in or responsible for the filing that creates the company).[22] Companies formed before January 1, 2024, however, need only submit the names of their beneficial owners and not the identities of company applicants.[23] FinCEN’s Reporting Rule became operative as of January 1, 2024, with the regulation specifying varying deadlines for submission of BOI data.[24]
The effects of the CTA will continue to unfold in the coming months and years, but it has created significant work for companies as they sort through which of their corporate entities have any reporting obligations.
Notable Corporate AML Resolutions
2023 saw a number of notable AML resolutions. We discuss those which broke new ground below.
- MindGeek: A Novel Application of The Spending Statute, 18 U.S.C. § 1957
In a prototypical case, U.S. prosecutors must prove three things to establish a violation of the general money laundering statute (18 U.S.C. § 1956): (1) the commission of an underlying felony (a “Specified Unlawful Activity” or “SUA”); (2) knowingly engaging in a financial transaction; and (3) specific intent to conceal or further the SUA through the financial transaction.[25] U.S. enforcers, however, have a second powerful tool at their disposal—the money laundering “spending statute” (18 U.S.C. § 1957). In a case involving the spending statute, prosecutors are relieved of the burden to prove specific intent to conceal or commit a further crime. Rather, the spending statute requires only (1) the commission of an SUA; and (2) knowingly engaging in a financial transaction involving $10,000 or more of proceeds from the SUA.[26]
On December 21, 2023, DOJ entered into a Deferred Prosecution Agreement with Aylo Holdings S.A.R.L. and its subsidiaries (collectively known as “MindGeek”) involving a novel and aggressive theory using the money laundering spending statute. MindGeek is the parent company of Pornhub and similar websites.[27] DOJ charged MindGeek with violating the spending statute for knowingly engaging in monetary transactions related to sex trafficking activity. DOJ’s theory centered on MindGeek’s relationship with two of its content partners, GirlsDoPorn.com (“GDP”) and GirlsDoToys.com (“GDT”) and the operators of those sites (referred to in the DPA as “the GDP Operators”).[28] According to the resolution documents, both GDP and GDT had specialized channels on MindGeek’s platforms, including Pornhub. Between mid-2017 and mid-2019, MindGeek allegedly received over $100,000 in payments from the GDP Operators.[29] DOJ also alleged that MindGeek “received payments from advertisers attributable to GDP and GDT content” totaling approximately $763,000.[30]
In order to establish that MindGeek had knowledge that the proceeds were from illicit origins, DOJ relied on a mosaic of sources to purportedly establish knowledge, including civil and criminal legal filings, news stories about these cases, takedown requests, and a business records subpoena.[31] Specifically, DOJ alleged that MindGeek’s knowledge derived from:
- MindGeek’s receipt of a subpoena for production of business records from plaintiffs’ counsel in a lawsuit filed against GDP in 2016. The complaint in that lawsuit alleged that the GDP Operators had tricked the plaintiffs into appearing in pornographic videos posted to GDP by promising them that their videos would not be posted online;[32]
- MindGeek’s receipt of content removal requests from plaintiffs in the lawsuit,[33] plaintiffs’ counsel, and other individuals;[34]
- Publicly available criminal filings announcing the sex trafficking charges against GDP operators;[35] and
- MindGeek executives’ receipt and internal discussion of news articles about the stages of the civil and criminal proceedings against GDP operators.[36]
On the basis of these allegations, MindGeek entered into a DPA asserting a violation of 18 U.S.C. § 1957.[37] MindGeek agreed to submit to a monitorship for three years[38] and pay a total fine of $974,692.06.[39] Notably, MindGeek agreed to compensate victims in the “full amount of [their] losses” caused by publication of their images on MindGeek’s websites, not including losses for pain and suffering, including a minimum of $3,000 per victim who can demonstrate harm.[40] Also, the DPA contained a stipulation that MindGeek “did not commit, conspire to commit, or aid and abet the commission of sex trafficking.”[41]
This is a novel and aggressive use of § 1957 because DOJ relied on sources such as the public allegations of wrongdoing and a business records subpoena to establish knowledge. Although the resolution may be explained in part by the nature of the industry involved, the resolution nevertheless suggests that public allegations of wrongdoing, the receipt of a business records subpoena, take down requests, and receipt and discussion of news articles about allegations can serve as ways that DOJ may try to establish knowledge under § 1957 against companies.
- U.S. Enforcers Extend Reach of BSA and Sanctions to Non-U.S. Crypto Company
Binance is the world’s largest crypto currency exchange by trading volume and it is an overseas, non-U.S. company. On November 21, 2023, Binance reached a settlement to resolve a multi-year investigation with DOJ, the Commodity Futures Trading Commission (“CFTC”), the U.S. Department of Treasury’s Office of Foreign Assets Control (“OFAC”), and FinCEN.[42] Gibson Dunn represented Binance in this resolution.
Although Binance is a non-U.S. company, the enforcers alleged that it historically had U.S. users on its platform. As a result, the enforcers alleged that Binance needed to register as a foreign-located money services business and maintain an adequate AML program under U.S. law because it did business “wholly or in substantial part” within the United States.[43]
Prior to the Binance resolution, sanctions resolutions with cryptocurrency exchanges generally involved U.S. exchanges, which are prohibited from providing financial services to persons in jurisdictions subject to sanctions regulated by OFAC.[44] As a non-U.S. person, Binance could do business in sanctioned jurisdictions.[45] However, because Binance’s platform historically had both U.S. users and users from sanctioned jurisdictions, enforcers alleged that Binance used a “matching engine [. . .] that matched customer bids and offers to execute cryptocurrency trades.”[46] The failure to have sufficient controls on the matching engine, which operated randomly in matching users for trades, meant that it would “necessarily cause” transactions between U.S. users and users targeted by U.S. sanctions.[47] Enforcers took the position that these transactions violated U.S. civil and criminal sanctions law because the International Emergency Economic Powers Act (“IEEPA”) prohibits, among other things, “causing” a violation of sanctions by another party.[48] In other words, by randomly pairing trades between a historical U.S. user and person from a sanctioned jurisdiction, Binance was causing the U.S. person to violate their sanctions obligations. This resolution illustrates the breadth of U.S. jurisdiction to police sanctions offenses, even against non-U.S. companies.
Criminally, Binance pled guilty to (1) conspiracy to conduct an unlicensed money transmitting business, in violation of 18 U.S.C. § 1960 and 31 U.S.C. § 5330 for failure to register,[49] (2) failure to maintain an effective anti-money laundering program, in violation of 31 U.S.C. §§ 5318(h), 5322,[50] and (3) violating IEEPA, 50 U.S.C. § 1701 et seq.[51] Binance also entered into parallel civil settlements with FinCEN (failure to register, AML program) and OFAC (sanctions).[52] Further, Binance also entered into a settlement with the CFTC for violating various sections of the Commodities Exchange Act and related provisions.[53]
As part of the resolution, Binance agreed to pay $4.3 billion to the U.S. government over an approximately 18-month period.[54] Binance also agreed to continue with certain compliance enhancements and agreed to a three-year DOJ monitorship.[55]
- FinCEN Designates Bitzlato as a “Primary Money-Laundering Concern” Pursuant to New Powers Designed to Target Russian Money Laundering
On January 18, 2023, FinCEN issued an order identifying Bitzlato Limited, a Hong Kong based cryptocurrency exchange, as a “primary money laundering concern.”[56] It issued this designation because Bitzlato was allegedly “repeatedly facilitating transactions for Russian-affiliated ransomware groups, including Conti, a Ransomware-as-a-Service group that has links to the Russian government and to Russian-connected darknet markets.”[57] The Bitzlato order is the first order issued pursuant to FinCEN’s powers under the Combatting Russian Money Laundering Act.[58]
In 2021, Congress passed the Combatting Russian Money Laundering Act (“Section 9714(a)”), which expanded the actions that FinCEN can take whenever it designates an entity as a “primary money laundering concern.”[59] Previously, whenever the Treasury Secretary had “reasonable grounds” for concluding that an entity is of “primary money laundering concern,”[60] then the Treasury Secretary could impose special measures that would limit the entity’s access to the global financial system.[61] Section 9714(a) provides additional powers to FinCEN to “prohibit, or impose conditions upon, certain transmittals of funds (to be defined by the Secretary) by any domestic financial institution or domestic financial agency.”
Under the terms of the Bitzlato order, FinCEN prohibits financial institutions (as defined in 31 C.F.R. § 1010.100(t)) from engaging in the transmittal of funds from or to Bitzlato. In remarks addressing the order, Deputy Secretary Adeyemo remarked that designating Bitzlato as a primary money laundering concern was a “unique step” that has only been taken a handful of times.[62]
DOJ also brought a parallel criminal proceeding against Bitzlato co-founder and Russian national Anatoly Legkodymov, who pleaded guilty to operating an unlicensed money transmitter and agreed to dissolve Bitzlato.[63]
Looking ahead, FinCEN will likely continue to be aggressive in using its authorities in the digital assets space. On October 19, 2023, for instance, FinCEN issued a Notice of Proposed Rulemaking which proposed to designate cryptocurrency mixers as a primary money laundering concern under Section 311 of the Patriot Act.[64] This is FinCEN’s first proposed Section 311 action involving a class of transactions.
- FinCEN Imposes Civil Penalty on Shinhan, Reflecting Increased Scrutiny of Customer Due Diligence and Transaction Monitoring Systems
On September 29, 2023, FinCEN imposed a $15 million civil penalty on Shinhan Bank America for willful violation of the BSA.[65] The Consent Order reflects FinCEN’s growing scrutiny of—and increasingly granular expectations for—customer due diligence and transaction monitoring systems.
Notably, FinCEN criticized Shinhan’s overly “rigid” methodology for calculating customer risk rating scores and emphasized that banks should maintain formal customer risk rating procedures.[66] Risk ratings should not be solely based on customer type (e.g., individual vs. corporate entity) or the type of product (e.g., home mortgage vs. letter of credit). Rather, they should be individually assessed—both at onboarding and throughout the customer relationship—and be based on the customer’s activity and any new information learned about the customer.[67]
The Shinhan Order also makes clear that customers’ risk ratings should inform financial institutions’ monitoring of transactions. The Order notes that Shinhan’s transaction monitoring system did not cluster accounts belonging to the same customer relationship or aggregate transaction activity across different transaction types, undermining its ability to identify suspicious activity. It also includes examples of scenarios that banks should consider incorporating into their transaction monitoring systems, including:
- wire transfers sent to several beneficiaries from a single originator, or sent from several originators to a single beneficiary;
- transactions passing through a large number of jurisdictions; and
- transactions conducted using Remote Deposit Capture.
Moreover, the Order states that these systems should be regularly and comprehensively tested to ensure all scenarios alert as intended, all relevant data properly feeds into the system, scenarios are sufficient and tailored for each product, and scenarios are appropriately applied to ingested data.[68]
- FinCEN Issues First Action Against Trust Company
On April 26, 2023, FinCEN assessed a $1.5 million civil penalty against South Dakota-chartered Kingdom Trust Company for willful violation of the BSA.[69] This was FinCEN’s first action against a trust company.
FinCEN assessed a penalty against Kingdom Trust after the company opened accounts and provided services for Latin America-based trading companies and financial institutions with virtually no controls to identify or assess suspicious transactions.[70] A consultant referred clients based in Uruguay, Argentina, Panama, and other locations to the Trust.[71] Kingdom Trust then held cash and securities for these customers and initiated a high volume of suspicious transactions worth approximately $4 billion that went unchecked and unreported.[72] Despite providing services to customers who were the subject of prior media reports related to money laundering and securities fraud, the Trust’s AML compliance program consisted of a single individual responsible for manually reviewing daily transactions.[73]
FinCEN’s action against Kingdom Trust reflects the agency’s growing focus on entities beyond traditional financial institutions, including those not historically subject to the BSA, such as real estate businesses and investment advisors.[74] FinCEN’s action against Kingdom Trust reflects the agency’s unwillingness to “tolerate trust companies with weak compliance programs that fail to identify and report suspicious activities, particularly with respect to high-risk customers whose businesses pose an elevated risk of money laundering.”[75]
- FinCEN Issues First Action Under Gap Rule Against Bancrédito for Failing to Report Suspicious Transactions
On September 15, 2023, FinCEN levied a $15 million civil monetary penalty against Bancrédito International Bank and Trust Corporation (Bancrédito).[76] Bancrédito (which held U.S. dollar-denominated accounts on behalf of numerous Central American and Caribbean financial institutions) allegedly failed to both report suspicious transactions (“SARs”) involving movement of U.S. dollars and never established or maintained an AML program, as required by the recently enacted “Gap Rule” (31 C.F.R. § 1020.210).[77]
The enforcement action against Bancrédito is notable in multiple respects. It is the first time that FinCEN took action against a Puerto Rican International Banking Entity (“IBE”). The U.S. Department of the Treasury’s 2022 National Money Laundering Risk Assessment alleged that IBEs pose an elevated risk of money laundering.[78] It is also the first enforcement action under FinCEN’s recently enacted “Gap Rule.” Previously, banks lacking federal functional regulators (such as private banks, non-federally insured credit unions, and certain trust companies) were exempt from select AML program obligations, namely (1) the development of internal policies, procedures, and controls; (2) the designation of a compliance officer; (3) facilitating an ongoing employee training program; and (4) requiring an independent audit function to test programs.[79] However, the “Gap Rule,” effective beginning in 2021, functionally filled that “gap” by requiring the newly covered entities to meet those specific AML requirements (along with also complying with pre-existing BSA obligations such as reporting SARs).[80]
Individual Prosecutions
2023 also featured a number of notable prosecutions of individuals under U.S. money laundering statutes, including in connection with sanctions evasion and in the digital assets industry.
- Money Laundering and Sanctions Evasion
In 2023, federal prosecutors on DOJ’s Task Force KleptoCapture brought several prosecutions against the associates of sanctioned oligarch Viktor Vekselberg. OFAC designated Vekselberg as a Specially Designated National (“SDN”) in March 2018.[81] In 2023, DOJ brought a number of prosecutions which reflect the growing intersection between money laundering and sanctions evasion.[82]
On January, 20, 2023, DOJ announced the indictment of Vladislav Osipov and Richard Masters for facilitating a sanctions evasion and money laundering scheme related to a 255-foot luxury yacht owned by Vekselberg.[83] Osipov and Masters used U.S. companies to manage the operation of the vessel and to obfuscate Vekselberg’s involvement, including using payments through third parties and non-U.S. currencies to do business with U.S. companies.[84]
DOJ also targeted Vekselberg’s property portfolio in the United States and those who helped him manage it. On February 7, 2023, federal prosecutors announced the indictment of Vladimir Voronchenko, an associate of Vekselberg’s, for making more than $4 million in payments to maintain four U.S. properties owned by Vekselberg and for his attempt to sell two of those properties.[85] A few weeks later, on February 24, prosecutors brought a civil forfeiture complaint against six of Vekselberg’s properties in New York City, Southampton, New York, and Fisher Island, Florida, alleging that they were the proceeds of sanctions violations and involved in international money laundering.[86]
Vekselberg’s U.S. associates also faced prosecution for their role in money laundering and evading U.S. sanctions. On April 25, 2023, New York attorney Robert Wise pled guilty to conspiracy to commit international money laundering for unlawfully transferring Russian funds into the United States in violations of U.S. sanctions.[87] Voronchenko had retained Wise to assist him in managing Vekselberg’s U.S. properties.[88] Immediately after Vekselberg’s designation as an SDN, Wise’s IOLTA Account began to receive wires from new sources, a Russian bank account, and a bank account in the Bahamas held in the name of a shell company controlled by Voronchenko.[89] Despite being aware of Vekselberg’s designation as an SDN, Wise received 25 wire transfers totaling nearly $3.8 million in his IOLTA account between June 2018 and March 2022 and used these funds to maintain and service Vekselberg’s properties in defiance of U.S. sanctions.[90]
Collectively, these actions demonstrate the increasing interplay between violations of U.S. sanctions and money laundering laws.
- Money Laundering Prosecutions of Cryptocurrency Executives for Fraud
2023 also included a number of money laundering prosecutions against executives in the digital assets industry. The most significant of 2023’s individual prosecutions sounded in fraud and subsequent laundering of the fraud proceeds.
On November 2, 2023, a New York jury convicted FTX founder Sam Bankman-Fried of stealing billions of dollars’ worth of FTX customer deposits, capping one of the highest-profile criminal fraud trials in recent history.[91] One of the charges against Bankman-Fried was violating 18 U.S.C. § 1956(a)(1)(B)(i), on the basis that he knowingly engaged in a transaction involving proceeds of illegal activity in order hide the illegal origins of the funds; and Section 1957(a), on the basis that he engaged in a transaction involving criminally derived property exceeding $10,000.[92] These charges related to the transfer of customer funds from Bankman-Fried’s centralized exchange, FTX, to FTX’s sister organization, the hedge fund Alameda Research.[93] Bankman-Fried was convicted on all seven counts, including the money laundering charges.[94] Bankman-Fried’s sentencing hearing is scheduled for March 2024.[95]
Earlier in 2023, Nate Chastain, the former Head of Product at NFT Trading Platform OpenSea, was convicted by a jury of wire fraud and money laundering in what is considered the first insider-trading case involving digital assets. Chastain was accused of purchasing NFTs before they were featured on OpenSea’s homepage, where they subsequently rose in price. Perhaps because the question of whether NFTs are subject to securities laws remains open,[96] DOJ prosecuted Chastain under wire fraud and money laundering statutes.[97] DOJ alleged money laundering because, by engaging in insider trading of NFTs, Chastain knowingly conducted a financial transaction involving the proceeds of an unlawful activity (i.e., wire fraud), in violation of 18 U.S.C. § 1956(a)(1)(B)(i).[98]
Another notable fraud-based cryptocurrency executive prosecution of 2023 involved the former SafeMoon executives, who were accused of making a series of fraudulent misrepresentations about the cryptocurrency that they managed and marketed.[99] DOJ charged a violation of 18 U.S.C. § 1956(a)(1)(B)(i) on the theory that the executives knowingly engaged in and covered up transactions involving the proceeds of securities fraud and wire fraud.[100]
Judicial Opinions
- The Implications of Narrowing the Honest Services Wire Fraud Statute
Two judicial decisions in 2023 could affect how prosecutors pursue future money laundering prosecutions. These opinions involve the now highly-publicized FIFA corruption and Varsity Blues scandals—occasions where individuals allegedly made illicit payments to secure lucrative FIFA contracts and favorable college admission decisions, respectively. In both United States v. Full Play Grp., S.A., 2023 WL 5672268 (E.D.N.Y. Sept. 1, 2023) (involving the FIFA corruption matter) and United States United States v. Abdelaziz, 68 F.4th 1 (1st Cir. 2023) (a decision relating to Varsity Blues), federal courts held that certain transactions failed to qualify as unlawful instances of honest services wire fraud—a predicate offense that prosecutors frequently rely on when charging money laundering.[101]
In Full Play, several individuals and companies in the entertainment industry sought to earn media and other related contracts with various sports organizations (including soccer’s FIFA).[102] In an effort to secure these contracts, the media representatives were alleged to have paid FIFA officials significant sums in side payments.[103] Though various individuals were charged with honest services wire fraud for their actions, the district court found that such payments (i.e., those made to private employees of a foreign corporation and labeled as foreign commercial bribery) did not qualify as actionable instances of honest services fraud under 18 U.S.C. §§ 1343 and 1346.[104] In reaching that conclusion, the district court applied two Supreme Court opinions issued last term: Percoco v. United States, 598 U.S. 319 (2023) and Ciminelli v. United States, 598 U.S. 306 (2023). Citing specifically to the Percoco decision, the district court found that honest services fraud “must be defined with the clarity typical of criminal statutes and should not be held to reach an ill-defined category of circumstances simply because of a smattering” of earlier precedents.[105] Applying that standard, the district court vacated the convictions because no applicable precedents precisely addressed (and thus criminalized) comparable instances of foreign commercial bribery.[106] Full Play is currently the subject of an appeal in the Second Circuit.[107]
Similarly, albeit before Percoco and Ciminelli were decided, the Abdelaziz court removed another type of transaction from the range of prosecutable offenses under the honest services fraud provision. In that case, a parent was convicted of making illicit side payments to college admissions personnel—intending that the payments would secure preferential admissions decisions for his child.[108] On appeal, the Abdelaziz court overturned the conviction—finding that such conduct did not amount to honest services wire fraud. In reaching that result, the court specified that the transaction at issue—one where the alleged briber (the convicted parent) actually compensated the alleged victim (the university)—did not fit the conventional understanding of “bribe” or “kickback” under 18 U.S.C. §§ 1343 and 1346.[109] Because no prior decision had specifically barred payments that so clearly benefitted an alleged victim, it could not be considered a criminal deprivation of honest services.
As the courts continue to narrow the scope of the honest services wire fraud statute, prosecutors will be forced to craft different theories of honest services wire fraud and/or rely on different predicate offenses when identifying an SUA required for charging money laundering.
Legislation
2023 also saw an important legislative change in the bribery space, which will also impact money laundering prosecutions.
- The Impact of FEPA for Money Laundering Prosecutions
On December 22, 2023, federal lawmakers passed the Foreign Extortion Prevention Act (“FEPA”). FEPA criminalizes what is colloquially referred to as “demand side” bribery—instances in which foreign officials demand, solicit, seek, or receive bribes from a domestic person or U.S.-located company.[110] Before FEPA’s passage, no particular provision under federal law penalized this particular scheme—with the Foreign Corrupt Practices Act (“FCPA”) focusing instead on the supply side of offering or paying bribes to foreign persons.[111] FEPA arms prosecutors with a new tool to root out alleged instances of foreign bribery or extortion that is focused on foreign public officials.
More than just an anti-corruption mechanism, FEPA will also equip prosecutors with an additional tool to pursue money laundering prosecutions as well. By its terms, any contemplated or actual violation of FEPA would qualify as an SUA under the money laundering statutes.[112] Passage of this law will allow prosecutors to rely on U.S. law (i.e., FEPA) when charging foreign officials with money laundering, as opposed to having to allege that the conduct constituted bribery under the foreign laws of another country, which is also an SUA.
Conclusion
2023 was a notable year in the AML enforcement space. We anticipate that 2024 will also be active, as the impacts of FinCEN’s AML whistleblower program begin to be felt, and the additional prosecutors come online in the Criminal Division’s Bank Integrity Unit and the National Security Division’s Counterintelligence and Export Control Section. Moreover, there are yet-to-be issued rules expected both for regulation of the real estate industry and for registered investment advisors.
__________
[1] See, e.g., Principal Associate Deputy Attorney General Marshall Miller Delivers Remarks at the Global Investigations Review Annual Meeting (Sept. 21, 2023), https://www.justice.gov/opa/speech/principal-associate-deputy-attorney-general-marshall-miller-delivers-remarks-global (“It is for all of these reasons that the DAG [Deputy Attorney General] has warned that from a compliance standpoint ‘sanctions are the new FCPA.’”).
[2] See Principal Associate Deputy Attorney General Marshall Miller Delivers Remarks at the Global Investigations Review Annual Meeting (Sept. 21, 2023), https://www.justice.gov/opa/speech/principal-associate-deputy-attorney-general-marshall-miller-delivers-remarks-global (“Even business operations and lines far removed from the defense sector – like cigarettes, cement, and shipping – can pose dire national security risks if companies are not highly sensitive to high-risk actors, high-risk regions, and high-risk activities.”).
[3] Principal Associate Deputy Attorney General Marshall Miller Delivers Remarks at the Ethics and Compliance Initiative IMPACT Conference (May 3, 2023), https://www.justice.gov/opa/speech/principal-associate-deputy-attorney-general-marshall-miller-delivers-remarks-ethics-and (“From money laundering and cyber- and crypto-enabled crime to sanctions and export control evasion and even funneled payments to terrorist groups, corporate crime increasingly — now almost routinely — intersects with national security concerns.”).
[4] Principal Associate Deputy Attorney General Marshall Miller Delivers Remarks at the Global Investigations Review Annual Meeting (Sept. 21, 2023), https://www.justice.gov/opa/speech/principal-associate-deputy-attorney-general-marshall-miller-delivers-remarks-global.
[5] Deputy Attorney General Lisa Monaco Delivers Remarks at American Bar Association National Institute on White Collar Crime (Mar. 2, 2023), https://www.justice.gov/opa/speech/deputy-attorney-general-lisa-monaco-delivers-remarks-american-bar-association-national; Principal Associate Deputy Attorney General Marshall Miller Delivers Remarks at the Global Investigations Review Annual Meeting (Sept. 21, 2023), https://www.justice.gov/opa/speech/principal-associate-deputy-attorney-general-marshall-miller-delivers-remarks-global.
[6] Deputy Assistant Attorney General Eun Young Choi Delivers Keynote Remarks at GIR Live: Sanctions & Anti-Money Laundering Meeting (Nov. 16, 2023), https://www.justice.gov/opa/speech/deputy-assistant-attorney-general-eun-young-choi-delivers-keynote-remarks-gir-.live.
[7] Press Release, U.S. Dep’t of Just., Justice and Commerce Departments Announce Creation of Disruptive Technology Strike Force (May 16, 2023), https://www.justice.gov/opa/pr/justice-and-commerce-departments-announce-creation-disruptive-technology-strike-force; see also Press Release, U.S. Dep’t of Just., Justice Department Announces Five Cases as Part of Recently Launched Disruptive Technology Strike Force (May 16, 2023), https://www.justice.gov/opa/pr/justice-department-announces-five-cases-part-recently-launched-disruptive-technology-strike.
[8] Id.
[9] Press Release, U.S. Dep’t of Just., Russian Elites, Proxies, and Oligarchs Task Force Ministerial Joint Statement (Mar. 17, 2022), https://www.justice.gov/opa/pr/russian-elites-proxies-and-oligarchs-task-force-ministerial-joint-statement.
[10] Press Release, U.S. Dep’t of Just., Russian Elites, Proxies, and Oligarchs Task Force Ministerial Joint Statement (Mar. 17, 2023), https://www.justice.gov/opa/pr/russian-elites-proxies-and-oligarchs-task-force-ministerial-joint-statement; Statement, U.S. Dep’t of Just., Joint Statement from the REPO Task Force (Mar. 9, 2023), https://home.treasury.gov/news/press-releases/jy1329.
[11] Press Release, Fin. Crimes Enf’t Network, U.S. Dep’t of the Treasury, FinCEN Alert to Financial Institutions to Counter Financing to Hamas and its Terrorist Activities (Oct. 20, 2023), https://www.fincen.gov/sites/default/files/2023-10/FinCEN_Alert_Terrorist_Financing_FINAL508.pdf; Supplemental Alert: FinCEN and the U.S. Department of Commerce’s Bureau of Industry and Security Urge Continued Vigilance for Potential Russian Export Control Evasion Attempts (May 19, 2023), https://www.fincen.gov/sites/default/files/shared/FinCEN%20and%20BIS%20Joint%20Alert%20_FINAL_508C.pdf; FinCEN Alert on Potential U.S. Commercial Real Estate Investments by Sanctioned Russian Elites, Oligarchs, and Their Proxies (Jan. 25, 2023), https://www.fincen.gov/sites/default/files/shared/FinCEN%20Alert%20Real%20Estate%20FINAL%20508_1-25-23%20FINAL%20FINAL.pdf.
[12] Supplemental Alert: FinCEN and the U.S. Department of Commerce’s Bureau of Industry and Security Urge Continued Vigilance for Potential Russian Export Control Evasion Attempts (May 19, 2023), https://www.fincen.gov/sites/default/files/shared/FinCEN%20and%20BIS%20Joint%20Alert%20_FINAL_508C.pdf; FinCEN & BIS Joint Notice: FinCEN and the U.S. Department of Commerce’s Bureau of Industry and Security Announce New Reporting Key Term and Highlight Red Flags Relating to Global Evasion of U.S. Export Controls (Nov. 6, 2023), https://www.fincen.gov/sites/default/files/shared/FinCEN_Joint_Notice_US_Export_Controls_FINAL508.pdf.
[13] See U.S. Dep’t of Com., U.S. Dep’t of the Treasury, and U.S. Dep’t of Just., Tri-Seal Compliance Note: Cracking Down on Third-Party Intermediaries Used to Evade Russia-Related Sanctions and Export Controls (Mar. 2, 2023), https://www.justice.gov/nsd/file/1277536/dl?inline. See also Deputy Attorney General Lisa Monaco Delivers Remarks at American Bar Association National Institute on White Collar Crime (Mar. 2, 2023), https://www.justice.gov/opa/speech/deputy-attorney-general-lisa-monaco-delivers-remarks-american-bar-association-national.
[14] See William M. (Mac) Thornberry National Defense Authorization Act for Fiscal Year 2021, Pub. L. 116-283, Div. F.
[15] Id., § 6403 (adding 31 U.S.C. § 5336).
[16] 31 C.F.R. § 1010.380(c)(1)(i).
[17] 31 C.F.R. § 1010.380(c)(1)(ii).
[18] 31 C.F.R. § 1010.380(c)(2)(i)-(xxiii).
[19] 31 C.F.R. § 1010.380(c)(2)(x)-(xi); Gibson Dunn, The Impact of FinCEN’s Beneficial Ownership Regulation on Investment Funds (Aug. 10, 2023), https://www.gibsondunn.com/the-impact-of-fincens-beneficial-ownership-regulation-on-investment-funds/.
[20] 31 C.F.R. § 1010.380(c)(2)(xxii).
[21] FinCEN: Beneficial Ownership Information Reporting, Frequently Asked Questions (Jan. 12, 2024), https://www.fincen.gov/boi-faqs.
[22] 31 C.F.R. § 1010.380(b)-(e).
[23] 31 C.F.R. § 1010.380(b)(2)(iv).
[24] 31 C.F.R. § 1010.380(a)(1)(i)(B).
[25] See United States v. Huezo, 546 F.3d 174, 178 (2d Cir. 2008) (“The substantive offense of ‘transaction money laundering’ requires proof of both knowledge and specific intent.”) (citing Cuellar v. United States, 128 S. Ct. 1994 (2008)).
[26] See United States v. Wright, 341 F. App’x 709, 713 (2d Cir. 2009) (“To demonstrate a § 1957 violation, the government must prove, inter alia, that the money Wright used to lease the car exceeded $10,000 and was ‘derived from specified unlawful activity.’”).
[27] Deferred Prosecution Agreement at 1, United States v. Aylo Holdings S.A.R.L., No. 1:23-cr-00463 (E.D.N.Y. Dec. 21, 2023), https://www.justice.gov/d9/2023-12/2023.12.21_dpa_final_court_exhibit_version_0.pdf (hereinafter “DPA”).
[28] Attachment B to Deferred Prosecution Agreement, United States v. Aylo Holdings S.A.R.L., No. 1:23-cr-00463 (E.D.N.Y. Dec. 21, 2023) (hereinafter “MindGeek Information”), https://www.justice.gov/d9/2023-12/2023.12.21_dpa_final_court_exhibit_version_0.pdf, ¶ 8.
[29] Id. ¶ 10.
[30] Id.
[31] Id.
[32] Id. ¶ 16.
[33] Id. ¶ 17.
[34] Id. ¶¶ 20, 27.
[35] Id. ¶ 23.
[36] Id. ¶¶ 18, 22, 29, 30.
[37] See DPA at 1.
[38] Id. at 2.
[39] Id. at 2–3.
[40] Id. at 9–10.
[41] Id. at 5.
[42] See Binance Blog, Binance Announcement: Reaching Resolution with U.S. Regulators (Nov. 21, 2023), https://www.binance.com/en/blog/leadership/binance-announcement-reaching-resolution-with-us-regulators-2904832835382364558.
[43] 31 C.F.R. § 1010.100(ff).
[44] See, e.g., Press Release, U.S. Dep’t of the Treasury, Treasury Announces Two Enforcement Actions for Over $24M and $29M Against Virtual Currency Exchange Bittrex, Inc. (Oct. 11, 2022), https://home.treasury.gov/news/press-releases/jy1006 (announcing an enforcement action against Bittrex, Inc., a virtual currency exchange that was based in Washington state).
[45] See International Emergency Economic Powers Act (IEEPA), 50 U.S.C. § 1701(a)(1)(A) (empowering the President to prohibit transactions by “any person, or with respect to any property, subject to the jurisdiction of the United States.”); see also Office of Foreign Assets Control, Frequently Asked Questions: 11. Who Must Comply with OFAC Regulations?, https://ofac.treasury.gov/faqs/11 (“U.S. persons must comply with OFAC regulations, including all U.S. citizens and permanent resident aliens regardless of where they are located, all persons and entities within the United States, all U.S. incorporated entities and their foreign branches. In the cases of certain programs, foreign subsidiaries owned or controlled by U.S. companies also must comply. Certain programs also require foreign persons in possession of U.S.-origin goods to comply.”).
[46] Attachment A, “Statement of Facts,” to the Plea Agreement in United States v. Binance Holdings Ltd., No. 23-178RAJ (Nov. 21, 2023), https://www.justice.gov/opa/media/1326901/dl?inline (hereinafter “Binance SOF”) at 7, ¶ 22.
[47] Id.
[48] 50 U.S.C. § 1705(a) (“It shall be unlawful for a person to violate, attempt to violate, conspire to violate or cause a violation of any license, order, regulation, or prohibition issued [pursuant to IEEPA].”).
[49] Plea Agreement in United States v. Binance Holdings Ltd., No. 23-178RAJ (Nov. 21, 2023), https://www.justice.gov/opa/media/1326901/dl?inline (hereinafter “Binance Plea Agreement”), at ¶ 2.
[50] Id.
[51] Id.
[52] See Nikhilesh De, Binance to Make ‘Complete Exit’ From U.S., Pay Billions to FinCEN, OFAC on Top of DOJ Settlement, CoinDesk (Nov. 21, 2023), https://www.coindesk.com/policy/2023/11/21/binance-to-make-complete-exit-from-us-pay-billions-to-fincen-ofac-on-top-of-doj-settlement/.
[53] Id.
[54] Binance Plea Agreement ¶ 24.
[55] Id at ¶ 32.
[56] Press Release, Fin. Crimes Enf’t Network, U.S. Dep’t of the Treasury, FinCEN Identifies Virtual Currency Exchange Bitzlato as a ‘Primary Money Laundering Concern’ in Connection with Russian Illicit Finance (Jan. 18, 2023), https://www.fincen.gov/news/news-releases/fincen-identifies-virtual-currency-exchange-bitzlato-primary-money-laundering.
[57] Press Release, U.S. Dep’t of the Treasury, Remarks by Wally Adeyemo on Action Against Russian Illicit Finance (Jan. 18, 2023), https://home.treasury.gov/news/press-releases/jy1193.
[58] Public Law 116-283, § 9714(a) (Jan. 1, 2021).
[59] See 88 Fed. Reg. 3919, 3920 (Feb. 1, 2023), https://www.federalregister.gov/documents/2023/01/23/2023-01189/imposition-of-special-measure-prohibiting-the-transmittal-of-funds-involving-bitzlato (explaining passage of the Combatting Russian Money Laundering Act).
[60] 31 U.S.C. § 5381A(a)(1).
[61] 31 U.S.C. § 5381A(b) (commonly known as Section 311 of the Patriot Act).
[62] Press Release, U.S. Dep’t of the Treasury, Remarks by Wally Adeyemo on Action Against Russian Illicit Finance (Jan. 18, 2023), https://home.treasury.gov/news/press-releases/jy1193.
[63] Press Release, U.S. Dep’t of Just., Founder and Majority Owner of Bitzlato, a Cryptocurrency Exchange Charged with Unlicensed Money Transmitting (Jan. 18, 2023), https://www.justice.gov/usao-edny/pr/founder-and-majority-owner-bitzlato-cryptocurrency-exchange-charged-unlicensed-money.
[64] 88 Fed. Reg. 72701, 72704 (Oct. 23, 2023), https://www.federalregister.gov/documents/2023/10/23/2023-23449/proposal-of-special-measure-regarding-convertible-virtual-currency-mixing-as-a-class-of-transactions.
[65] In The Matter Of: Shinhan Bank America, No. 2023-03 (Sept. 29, 2023), https://www.fincen.gov/sites/default/files/enforcement_action/2023-09-29/SHBA_9-28_FINAL_508.pdf.
[66] Id.
[67] Id.
[68] Id.
[69] Press Release, Fin. Crimes Enf’t Network, U.S. Dep’t of the Treasury, FinCEN Assesses $1.5 Million Civil Money Penalty against Kingdom Trust Company for Violations of the Bank Secrecy Act (Apr. 26, 2023), https://www.fincen.gov/news/news-releases/fincen-assesses-15-million-civil-money-penalty-against-kingdom-trust-company.
[70] Id.
[71] Id.
[72] Id.
[73] Id.
[74] See generally Statement of Himamauli Das, Acting Dir., Fin. Crimes Enf’t Network, U.S. Dep’t of the Treasury, Before the Comm. on Fin. Servs., U.S. House of Representatives (Apr. 27, 2023), https://www.fincen.gov/sites/default/files/2023-04/HHRG-118-HFSC-DasH-20230427.pdf; Remarks by Brian Nelson, Under Sec. for Terrorism and Fin. Intel., U.S. Dep’t of the Treasury, at SIFMA’s Anti-Money Laundering and Financial Crimes Conference (May 25, 2022), https://home.treasury.gov/news/press-releases/jy0800.
[75] Id.
[76] In The Matter Of: Bancrédito International Bank and Trust Corporation, No. 2023-02 (Sept. 15, 2023), https://www.fincen.gov/sites/default/files/enforcement_action/2023-09-15/Bancredito_Consent_FINAL_091523_508C.pdf.
[77] Press Release, Fin. Crimes Enf’t Network, U.S. Dep’t of the Treasury, FinCen Announces $15 Million Civil Money Penalty against Bancrédito International Bank and Trust Corporation for Violations of the Bank Secrecy Act (Sept. 15, 2023), https://www.fincen.gov/news/news-releases/fincen-announces-15-million-civil-money-penalty-against-bancredito-international.
[78] National Money Laundering Risk Assessment (Feb. 2022), https://home.treasury.gov/system/files/136/2022-National-Money-Laundering-Risk-Assessment.pdf.
[79] Id.; see also 31 U.S.C. § 5318(h).
[80] See generally 31 C.F.R. § 1020.210; see also 85 Fed. Reg. 57129 (Nov. 16, 2020), https://www.federalregister.gov/documents/2020/09/15/2020-20325/financial-crimes-enforcement-network-customer-identification-programs-anti-money-laundering-programs.
[81] Press Release, U.S. Dep’t of Just., Associate of Sanctioned Oligarch Indicted for Sanctions Evasion and Money Laundering (Feb. 7, 2023), https://www.justice.gov/opa/pr/associate-sanctioned-oligarch-indicted-sanctions-evasion-and-money-laundering.
[82] Press Release, U.S. Dep’t of Just., New York Attorney Pleads Guilty to Conspiring to Commit Money Laundering to Promote Sanctions Violations by Associate of Sanctioned Russian Oligarch (Apr. 25, 2023), https://www.justice.gov/opa/pr/new-york-attorney-pleads-guilty-conspiring-commit-money-laundering-promote-sanctions.
[83] Press Release, U.S. Dep’t of Just., Arrest and Criminal Charges Against British and Russian Businessmen for Facilitating Sanctions Evasion of Russian Oligarch’s $90 Million Yacht (Jan. 20, 2023), https://www.justice.gov/usao-dc/pr/arrest-and-criminal-charges-against-british-and-russian-businessmen-facilitating.
[84] Id.
[85] Press Release, U.S. Dep’t of Just., Associate of Sanctioned Oligarch Indicted for Sanctions Evasion and Money Laundering (Feb. 7, 2023), https://www.justice.gov/opa/pr/associate-sanctioned-oligarch-indicted-sanctions-evasion-and-money-laundering.
[86] Press Release, U.S. Dep’t of Just., Civil Forfeiture Complaint Filed Against Six Luxury Real Estate Properties Involved In Sanctions Evasion And Money Laundering (Feb. 24, 2023), https://www.justice.gov/usao-sdny/pr/civil-forfeiture-complaint-filed-against-six-luxury-real-estate-properties-involved?utm_medium=email&utm_source=govdelivery.
[87] See Superseding Information, United States v. Wise, No. 1:23-cr-00073, Dkt. 4 (S.D.N.Y. 2023).
[88] Id.
[89] Id.
[90] Press Release, U.S. Dep’t of Just., New York Attorney Pleads Guilty to Conspiring to Commit Money Laundering to Promote Sanctions Violations by Associate of Sanctioned Russian Oligarch (Apr. 25, 2023), https://www.justice.gov/opa/pr/new-york-attorney-pleads-guilty-conspiring-commit-money-laundering-promote-sanctions.
[91] See Gibson Dunn, Gibson Dunn Digital Assets Recent Updates – November 2023 (Nov. 6, 2023), https://www.gibsondunn.com/gibson-dunn-digital-assets-recent-updates-november-2023/.
[92] See Superseding Indictment, United States v. Bankman-Fried, No. 1:22-cr-00673, Dkt. 115 (S.D.N.Y. March 28, 2023), https://www.justice.gov/criminal-fraud/file/1593626/dl at ¶¶ 92–95.
[93] Press Release, U.S. Dep’t of Just., United States Attorney Announces Charges Against FTX Founder Sam Bankman-Fried (Dec. 13, 2022), https://www.justice.gov/usao-sdny/pr/united-states-attorney-announces-charges-against-ftx-founder-samuel-bankman-fried.
[94] James Fanelli and Corinne Ramey, Sam Bankman-Fried Is Convicted of Fraud in FTX Collapse, Wall St. J. (Nov. 2, 2023), https://www.wsj.com/finance/currencies/verdict-sam-bankman-fried-trial-ftx-guilty-4a54dbfe.
[95] Id.
[96] Id.
[97] See Chris Dolmestch and Bob Van Voris, First NFT Insider-Trading Trial Leads to Criminal Conviction, Wall St. J. (May 3, 2023), https://www.bloomberg.com/news/articles/2023-05-03/first-nft-insider-trading-trial-leads-to-criminal-conviction.
[98] See Jody Godoy, Ex-OpenSea manager sentenced to 3 months in prison for NFT insider trading (Aug. 22, 2023), https://www.reuters.com/legal/ex-opensea-manager-sentenced-3-months-prison-nft-insider-trading-2023-08-22/.
[99] Press Release, U.S. Dep’t of Just., Founders and Executives of Digital-Asset Company Charged in Multi-Million Dollar International Fraud Scheme (Nov. 1, 2023), https://www.justice.gov/usao-edny/pr/founders-and-executives-digital-asset-company-charged-multi-million-dollar.
[100] United States v. Karony, No. CR-23-433 (E.D.N.Y Oct. 31, 2023), https://www.justice.gov/media/1334306/dl.
[101] See 18 U.S.C. § 1956(c)(7).
[102] United States v. Full Play Grp., S.A., No. 15-CR-252S3PKC, 2023 WL 5672268, at *1-9 (E.D.N.Y. Sept. 1, 2023).
[103] Id.
[104] Id. at *23.
[105] Id. at *20 (internal quotation omitted).
[106] Id. at *23 n.26.
[107] U.S. v. Webb, No. 23-7183 (2d. Cir. 2024).
[108] Abdelaziz, 68 F.4th at 13.
[109] Id. at 29.
[110] National Defense Authorization Act for Fiscal Year 2024, S. 2226, 118th Cong. § 5101(2), codified at 18 U.S.C. § 201(f).
[111] See generally 15 U.S.C. § 78dd-1.
[112] Defining specified unlawful activities to include violations of 18 U.S.C. § 201—the subsection of the federal code wherein FEPA will be codified.
Gibson Dunn has deep experience with issues relating to the Bank Secrecy Act, other AML and sanctions laws and regulations, and the defense of financial institutions more broadly. For assistance navigating white collar or regulatory enforcement issues involving financial institutions, please contact the Gibson Dunn lawyer with whom you usually work in the firm’s Anti-Money Laundering / Financial Institutions, White Collar Defense & Investigations, or International Trade practice groups, the authors, or any of the following practice group leaders:
Anti-Money Laundering / Financial Institutions:
Stephanie Brooker – Washington, D.C.(+1 202.887.3502, [email protected])
M. Kendall Day – Washington, D.C. (+1 202.955.8220, [email protected])
White Collar Defense and Investigations:
Stephanie Brooker – Washington, D.C. (+1 202.887.3502, [email protected])
Winston Y. Chan – San Francisco (+1 415.393.8362, [email protected])
Nicola T. Hanna – Los Angeles (+1 213.229.7269, [email protected])
F. Joseph Warin – Washington, D.C. (+1 202.887.3609, [email protected])
Global Fintech and Digital Assets:
M. Kendall Day – Washington, D.C. (+1 202.955.8220, [email protected])
Jeffrey L. Steiner – Washington, D.C. (+1 202.887.3632, [email protected])
Sara K. Weed – Washington, D.C. (+1 202.955.8507, [email protected])
Global Financial Regulatory:
William R. Hallatt – Hong Kong (+852 2214 3836, [email protected])
Michelle M. Kirschner – London (:+44 20 7071 4212, [email protected])
Jeffrey L. Steiner – Washington, D.C. (+1 202.887.3632, [email protected])
International Trade:
Ronald Kirk – Dallas (+1 214.698.3295, [email protected])
Adam M. Smith – Washington, D.C. (+1 202.887.3547, [email protected])
*Maura Carey and Justin duRivage are associates practicing in the firm’s Palo Alto office who are not yet admitted to practice law.
© 2024 Gibson, Dunn & Crutcher LLP. All rights reserved. For contact and other information, please visit us at www.gibsondunn.com.
Attorney Advertising: These materials were prepared for general informational purposes only based on information available at the time of publication and are not intended as, do not constitute, and should not be relied upon as, legal advice or a legal opinion on any specific facts or circumstances. Gibson Dunn (and its affiliates, attorneys, and employees) shall not have any liability in connection with any use of these materials. The sharing of these materials does not establish an attorney-client relationship with the recipient and should not be relied upon as an alternative for advice from qualified counsel. Please note that facts and circumstances may vary, and prior results do not guarantee a similar outcome.
San Francisco of counsel Todd Trattner and partner Ryan Murr are the authors of “How Biotech Cos. Can Utilize Synthetic Royalty Financing” [PDF] published by Law360 on February 1, 2024.
This briefing examines in depth the circulars and consultation paper issued by the SFC and HKMA in December 2023.
Throughout the course of 2023, the Hong Kong Securities and Futures Commission (“SFC”) and the Hong Kong Monetary Authority (“HKMA”) showed clear indications of their increased openness to virtual assets (“VA”), including through the implementation of the SFC’s Hong Kong virtual asset trading platform (“VATP”) regime,[1] and the release of multiple circulars liberalising the regulatory approach to this area.[2] This trend continued through until the very end of 2023, with the SFC and HKMA being very active in this space in late December. In particular, the SFC on December 22, 2023 issued a circular significantly relaxing the approach to virtual asset exchange traded funds (“VA ETFS”) and other funds with exposure to VA, followed by a joint SFC-HKMA circular in relation to intermediaries’ virtual asset-related activities and an HKMA consultation paper setting out a proposed legislative regime for the issuance of stablecoins. This client briefing examines the two circulars and consultation paper in further depth.
I. SFC Circular on SFC-Authorised Funds With Exposure to Virtual Assets
On December 22, 2023, the SFC published a circular on SFC-authorised funds with exposure to virtual assets (“SFC Circular”), and sets out the requirements under which the SFC will consider authorising funds with exposure to VA of more than 10% of their net asset value (“NAV”) (“SFC-authorised VA Funds”).[3] The SFC Circular supersedes an earlier circular on VA futures ETFs issued on October 31, 2022 (“October 2022 Circular”).[4] The key practical effect of the replacement of the October 2022 Circular is to expand the scope of VA ETFs that may be authorised by the SFC, as the October 2022 Circular only provided for the authorisation of VA ETFs with Bitcoin futures and Ether futures traded on the Chicago Mercantile Exchange (“CME”) as the underlying assets. The SFC Circular removes this requirement.
However, all funds with either direct (i.e. as a result of purchasing of tokens directly by the fund) or indirect investment exposure to VA seeking SFC authorisation must comply with a range of requirements, as summarised in the table below.[5] Further, (i) funds having or intending to have VA exposure of more than 10% of NAV that wish to seek the SFC’s authorisation or (ii) existing SFC-authorised funds that plan to obtain VA exposure of more than 10% of their NAV should consult and seek prior approval from the SFC by contacting the relevant case officer of the Investment Products Division.
|
Area |
Key changes from the October 2022 Circular and/or key requirements |
|
Eligible underlying VA |
|
|
Investment strategy |
|
|
Transactions and direct acquisitions of spot VA |
|
|
Custody |
|
|
Management companies |
|
|
Valuation |
|
|
Service providers |
|
|
Disclosure and investor education |
|
|
Distribution |
|
II. SFC and HKMA Joint Circular on Intermediaries’ Virtual Asset-Related Activities
On December 22, 2023, the SFC and HKMA issued a joint circular on intermediaries’ virtual asset-related activities (“Joint Circular”) which provides updated guidance to intermediaries carrying on VA-related activities, in respect of (i) the distribution of investment products with exposure to VAs; (ii) the provision of VA dealing services; (iii) the provision of VA advisory services; and (iv) the management of portfolios investing into VAs.[6] The Joint Circular supersedes an earlier joint circular published on October 20, 2023.[7]
The Joint Circular emphasises that VA-related products[8] will very likely be considered complex products and that intermediaries distributing VA-related products considered to be complex products will generally be required to comply with the SFC’s requirements on the sale of complex products (including most notably ensuring suitability of VA-related products, regardless of whether the intermediary has solicited or recommended that its clients invest in the product in question).
However, the SFC and HKMA have also imposed two additional investor protection measures on the distribution of VA-related products to address specific risks related to these products:
- Restrictions on sale: Subject to certain exceptions (as discussed further below), the SFC and HKMA have indicated that VA-related complex products should only be offered to professional investors (“PIs”); and
- VA knowledge test: Intermediaries must assess whether clients (other than institutional PIs and qualified corporate PIs) have knowledge of investing in virtual assets or VA-related products prior to effecting a transaction in VA-related products on their behalf. Where a client does not have the requisite knowledge, the intermediary may only proceed if it has provided sufficient training to the client on the nature and risks of VAs and the clients have sufficient net worth to bear potential losses from trading VA-related products.[9]
However, while the above investor protection measures appeared in the earlier joint circular dated October 20, 2023, the SFC and HKMA have in the Joint Circular stated that the selling restrictions above will not apply to SFC-authorised VA Funds (i.e. funds approved for public offering), subject to intermediaries complying with the following additional safeguards:
- For SFC-authorised VA Funds listed and traded on the Hong Kong Stock Exchange (“SEHK”), client orders can be executed on exchange without the need to comply with the suitability requirement or minimum information and warning statements requirements,[10] providing there has been no solicitation or recommendation by the intermediary.
- For SFC-authorised VA Funds that are not listed, or for listed funds where trading occurs off exchange, intermediaries will still have to comply with the abovementioned requirements, as well as undertaking the VA knowledge test set out above on the clients concerned.
Further, the SFC and HKMA have also reminded intermediaries that where these SFC-authorised VA funds are also VA derivative funds, intermediaries also need to comply with the requirements for derivative products set out in the Joint Circular.
To assist intermediaries in determining whether an investment product with exposure to VA is complex and the corresponding selling requirements that may apply to the product, the Joint Circular also includes a flowchart which sets out the relevant factors and the corresponding selling requirements.[11]
III. Legislative Proposal on Issuance of Stablecoins
On December 27, 2023, the Financial Services and the Treasury Bureau (“FSTB”) and the HKMA jointly issued a public consultation paper regarding their proposed legislative regime for the regulation of stablecoins (“Legislative Proposal”).[12] This followed the HKMA’s January 2022 discussion paper inviting feedback on its proposed regulatory approach towards crypto-assets and stablecoins (“Discussion Paper”) (as covered in our previous client alert)[13] and its January 2023 consultation conclusions (“Consultation Conclusions”)[14] (as covered in a subsequent client alert).
The introduction of the Legislative Proposal is driven by the potential interconnectedness between the virtual assets (“VA”) market and the traditional financial system. Specifically, the FSTB and HKMA view stablecoins, especially fiat-referenced stablecoin (“FRS”) as a key monetary and financial stability risk area which could lead to a spill-over from the VA sector to the traditional financial system, and vice versa.
A. Legislative Scope and Approach
The FSTB and HKMA have proposed that, rather than amending existing legislation (including the Payment Systems and Stored Value Facilities Ordinance (“PSSVFO”)), their intention is to introduce a new piece of legislation which will address specific features of stablecoins and could more readily serve as the foundation for the extension of the regulatory regime to other forms of VAs down the track. The FSTB and HKMA have also proposed that the issuance of an FRS by an FRS licensee would be excluded from the scope of existing regulatory regimes, including those applicable to securities (e.g. collective investment schemes) and SVFs.
The FSTB and HKMA have proposed that initially, the licensing regime will apply only to issuers of fiat-referenced stablecoins (“FRS”) – that is, stablecoins which have as their specified asset one or more fiat currencies.[15] The FSTB and HKMA have noted that while a FRS which derives value from arbitrage or algorithm will be caught by the regulatory regime, it is highly unlikely (as explained further below) that such FRS will be able to meet the HKMA’s licensing requirements.
That said, the FSTB and HKMA have left the door open to extend the regulatory regime to other forms of VAs (presumably including other types of stablecoins) by describing the proposed FRS issuance regime as a “first step” in the regulation of virtual assets. Notably, the FSTSB and HKMA have proposed that the legislative regime should empower the “authorities” to modify the parameters of in-scope stablecoins and activities, but have not specified if this power would be reserved to the HKMA specifically or to the HKMA in consultation with the FSTB (for example). In exercising any such power to modify the regime, the “authorities” would be required to consider a number of factors (such as the risks posed to the monetary and financial stability of Hong Kong), and the materiality of the case (such as the market share and the value in circulation) before exercising this power.
B. Licensing Requirements for FRS Issuers
Under the Legislative Proposal, an FRS issuer will have to be licensed with the HKMA before it can:
Issue, or hold itself out as issuing, an FRS in Hong Kong;
- Issue, or hold itself out as, issuing a stablecoin that purports to maintain a stable value with reference to the value of the Hong Kong dollar; or
- Actively market its issuance of FRS to the Hong Kong public.
In order to be licensed, the FRS issuer must demonstrate that it could meet the following licensing requirements, as summarised below:
|
Licensing Requirements |
Description |
|
|
Management of reserves and stabilisation mechanism |
Full backing |
|
|
Investment limitations |
|
|
|
Segregation and safekeeping of reserve assets |
|
|
|
Risk management and controls |
|
|
|
Disclosure and reporting |
|
|
|
Prohibition on paying interest |
|
|
|
Effective stabilisation |
|
|
|
Redemption requirements |
|
|
|
Restrictions on business activities[16] |
|
|
|
Physical presence in Hong Kong[17] |
|
|
|
Financial resources requirements[18] |
|
|
|
Disclosure requirements |
|
|
|
Governance, knowledge and experience |
|
|
|
Risk management requirements |
|
|
|
Audit requirements |
|
|
|
Anti-money laundering and counter-financing of terrorism requirements |
|
|
Notwithstanding the above, the HKMA will have the power to impose, amend and cancel ongoing licensing conditions on an FRS issuer, where necessary. These additional conditions can include requirements on reserve assets and restrictions on the types of services that could be undertaken by the FRS issuer.
Licenses granted under the FRS issuer licensing regime will be open-ended, i.e. licences will remain valid until or unless revoked by the HKMA or the FRS issuer ceases to operate. However, the issue of any new FRS (i.e. other than that which the FRS issuer received a licence to issue) will require the consent of the HKMA before it can issue any new FRS under its license. Further, all licensed FRS issuers must display their licence number on any advertising materials and consumer facing materials or software applications.
C. Custody and offering of FRS
With regard to offering of FRS, the FSTB and HKMA have indicated that they consider that FRS issued by unlicensed entities are unsuitable for use by the public. As a result, their intention is that only licensed FRS issuers, authorized institutions, licensed corporations and licensed VATPs can offer FRS in Hong Kong or actively market such offerings in Hong Kong. Meanwhile, authorized institutions, licensed corporations and licensed VATPs can offer FRS issued by unlicensed entities to professional investors only.
With regard to custody, we understand that the FSTB, HKMA and the SFC are continuing to examine the appropriate regulatory approach for such activities. Further regulatory guidance on this topic (including guidance from the HKMA on the provision of VA custodial services by authorised institutions) is expected in the short to medium term.
D. Supervisory Powers of the HKMA
Mirroring similar provisions under the Banking Ordinance, the Legislative Proposal confers supervisory powers on the HKMA to act in the event that a licensee (i) has become or is likely to become insolvent or unable to meet its obligations; (ii) is carrying on its business in a manner detrimental to the interests of its users or its creditors; or (iii) has contravened any of its licensing conditions or provisions of the proposed regulatory regime. In these circumstances, the HKMA will have the power to:
- Require a licensee to implement any action relating to the licensee’s affairs, business or property that the HKMA considers as necessary, including restricting the licensee’s business of FRS issuance;
- Direct a licensee to seek advice on the management of its affairs, business and property from an advisor appointed by the HKMA; and
- Require a licensee’s affairs, business and property to be managed by a HKMA-appointed manager.
The HKMA’s consent will also be required for changes in ownership or management of FRS issuers, including with regard to any proposed amalgamation, sale or disposal of all or part of the business of an FRS issuer, change of control (including change of majority or minority shareholder controller, or indirect controller) and the appointment of chief executives and directors.
Additionally, the HKMA will also have the power to gather information, including request information or documents from licensees, or to conduct on-site examinations at the licensee’s premises. Where the HKMA has reasonable cause to suspect non-compliance, the HKMA will have the power to conduct investigations into the licensee and persons relevant to the suspected contravention. The HKMA will also have the power to give directions to bring an FRS issuer into compliance with its statutory obligation to ensure the protection of the FRS issuer. Finally, the HKMA will also have the power to make regulations to operationalise the FRS regulatory regime and issue guidelines regarding the way in which it expects to perform its functions with regards to this new regime.
E. Disciplinary Framework
The Legislative Proposal contemplates the creation of both a criminal and a civil framework. It will be a criminal offence to:
- Issue an FRS in Hong Kong without a licence;
- Advertise the issuance of FRS by an unlicensed issuer;
- Fail to produce documents or information as required by the HKMA;
- Provide false information to the HKMA; and
- Contravene other conditions imposed by the HKMA in connection with the FRS licensing regime.
Separately, the HKMA will also have the power to impose civil and supervisory sanctions, including:
- Issuing a caution, warning, reprimand or order to take specified action(s);
- Issuing a temporary suspension, suspension or revocation of an FRS issuer’s license;
- A pecuniary penalty not exceeding HK$10,000,000 or 3 times the amount of profit gained or loss avoided as a result of the contravention, whichever is higher; and
- Any combination of the above.
As a check and balance, an appeal tribunal mechanism will be set up to address appeals against the HKMA’s disciplinary decisions. A person dissatisfied with the decision of the appeal tribunal will be able to appeal to the Court of Appeal against the determination on a point of law.
F. Transitional Arrangements
The FRS Issuer Licensing Regime is proposed to commence one month upon gazettal of the proposed new ordinance. However, the FSTB and HKMA have proposed a transitional arrangement to ensure the smooth transition into the new regime. Under this transitional regime, pre-existing FRS issuers conducting FRS issuance with a meaningful and substantial presence in Hong Kong prior to the commencement of the regime can continue to operate under a non-contravention period of six months, subject to submitting a licence application to the HKMA within the first three months of the commencement of the regime. This comparatively short transitional period (if not extended in the final version of the legislative regime) means that stablecoin issuers will need to take steps to quickly prepare licence applications (and establish a meaningful and substantial presence in Hong Kong if they do not already have one) following the gazettal of the new ordinance. Those pre-existing FRS issuers which fail to submit a licence application to the HKMA within the first three months will need to wind down its business by the end of the fourth month of the commencement of the regime.
__________
[1] See “Hong Kong SFC Consults On Licensing Regime For Virtual Asset Trading Platform Operators”, published by Gibson, Dunn & Crutcher (March 2, 2023), available at https://www.gibsondunn.com/hong-kong-sfc-consults-on-licensing-regime-for-virtual-asset-trading-platform-operators/; and “New Hong Kong Regulatory Requirements and Licensing Regime for Virtual Asset Trading Platforms Finalised as Legislation Takes Effect”, published by Gibson, Dunn & Crutcher (June 7, 2023), available at https://www.gibsondunn.com/new-hong-kong-regulatory-requirements-and-licensing-regime-for-virtual-asset-trading-platforms-finalised-as-legislation-takes-effect/.
[2] “Hong Kong’s SFC Updates Guidance on Tokenised Securities-Related Activities”, published by Gibson, Dunn & Crutcher (November 10, 2023), available at https://www.gibsondunn.com/hong-kong-sfc-updates-guidance-on-tokenised-securities-related-activities/.
[3] “Circular on SFC-Authorised Funds With Exposure to Virtual Assets”, published by the Securities and Futures Commission (December 22, 2023), available at https://apps.sfc.hk/edistributionWeb/gateway/EN/circular/products/product-authorization/doc?refNo=23EC65.
[4] “Circular on Virtual Asset Futures Exchange Traded Funds”, published by the Securities and Futures Commission (October 31, 2023), available at https://apps.sfc.hk/edistributionWeb/gateway/EN/circular/doc?refNo=22EC60.
[5] These requirements are in addition to meeting the applicable requirements in the Overarching Principles Section and the Code on Unit Trusts and Mutual Funds in the SFC Handbook for Unit Trusts and Mutual Funds, Investment-Linked Assurance Schemes and Unlisted Structured Investment Products.
[6] “Joint Circular on Intermediaries’ Virtual Asset-Related Activities”, jointly published by the Securities and Futures Commission and the Hong Kong Monetary Authority (December 22, 2023), available at https://apps.sfc.hk/edistributionWeb/gateway/EN/circular/doc?refNo=23EC67.
[7] “Joint Circular on Intermediaries’ Virtual Asset-Related Activities”, jointly published by the Securities and Futures Commission and the Hong Kong Monetary Authority (October 20, 2023), available here.
[8] “VA-related products” are defined as products which (a) have a principal investment objective or strategy to invest in virtual assets; (b) derive their value principally from the value and characteristics of virtual assets; or (c) track or replicate the investment results or returns which closely match or correspond to virtual assets.
[9] See Appendix 1 of the Joint Circular for the non-exhaustive criteria for assessing whether a client can be regarded as having knowledge of virtual assets.
[10] The minimum information and warning statements requirements require intermediaries to provide clear and easily comprehensible information and warning statements to clients in relation to VA-related products and information on the underlying VA investments; and provide to clients risk disclosure statements (which can be a one-off disclosure) specific to VAs.
[11] See Appendix 3 of the Joint Circular.
[12] “Legislative Proposal to Implement the Regulatory Regime for Stablecoin Issuers in Hong Kong Consultation Paper”, jointly published by the Financial Services and the Treasury Bureau and the Hong Kong Monetary Authority (December 27, 2023), available at https://www.hkma.gov.hk/media/eng/doc/key-information/press-release/2023/20231227e4a1.pdf.
[13] “Another Step Towards the Regulation of Cryptocurrency in Hong Kong: HKMA Releases Discussion Paper on Stablecoins”, published by Gibson, Dunn & Crutcher (September 19, 2022), available at https://www.gibsondunn.com/another-step-towards-the-regulation-of-cryptocurrency-in-hong-kong-hkma-releases-discussion-paper-on-stablecoins/.
[14] “Hong Kong Monetary Authority Introduces Plans To Regulate Stablecoins”, published by Gibson, Dunn & Crutcher (February 7, 2023), available at https://www.gibsondunn.com/hong-kong-monetary-authority-introduces-plans-to-regulate-stablecoins/.
[15] For completeness, the Legislative Proposal defines “stablecoin” to mean “a cryptographically secured digital representation of value that, among other things – (a) is expressed as a unit of account or a store of economic value; (b) is used, or is intended to be used, as a medium of exchange accepted by the public, for the purpose of payment for goods or services; discharge of a debt; and/or investment; (c) can be transferred, stored or traded electronically; (d) uses a distributed ledger or similar technology that is not controlled solely by the issuer; and (e) purports to maintain a stable value with reference to a specified asset, or a pool or basket of assets.” To avoid overlap with the SVF regulatory regime, the FSTB and HKMA have expressly carved out “deposits, including its tokenized or digitally represented form; certain securities or future contracts (mainly authorized collective investment schemes and authorized structured products); float stored in SVFs or SVF banks; and certain digital representations of fiat currencies issued by or on behalf of central banks; and certain digital representation of value that has a limited purpose” from the definition of “stablecoins”.
[16] This licensing requirement will not apply to FRS issuers which are authorized institutions, considering that these authorized institutions are already subject to relevant requirements under banking regulation.
[17] This licensing requirement will not apply to FRS issuers which are authorized institutions, considering that these authorized institutions are already subject to relevant requirements under banking regulation.
[18] This licensing requirement will not apply to FRS issuers which are authorized institutions, considering that these authorized institutions are already subject to relevant requirements under banking regulation.
Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments. If you wish to discuss any of the matters set out above, please contact any member of Gibson Dunn’s Global Financial Regulatory team, including the following members in Hong Kong and Singapore:
William R. Hallatt – Hong Kong (+852 2214 3836, [email protected])
Grace Chong – Singapore (+65 6507 3608, [email protected])
Emily Rumble – Hong Kong (+852 2214 3839, [email protected])
Arnold Pun – Hong Kong (+852 2214 3838, [email protected])
Becky Chung – Hong Kong (+852 2214 3837, [email protected])
© 2024 Gibson, Dunn & Crutcher LLP. All rights reserved. For contact and other information, please visit us at www.gibsondunn.com.
Attorney Advertising: These materials were prepared for general informational purposes only based on information available at the time of publication and are not intended as, do not constitute, and should not be relied upon as, legal advice or a legal opinion on any specific facts or circumstances. Gibson Dunn (and its affiliates, attorneys, and employees) shall not have any liability in connection with any use of these materials. The sharing of these materials does not establish an attorney-client relationship with the recipient and should not be relied upon as an alternative for advice from qualified counsel. Please note that facts and circumstances may vary, and prior results do not guarantee a similar outcome.
Brussels Managing Director Nicholas Banasevic, London and Paris partner Robert Spano, and Brussels associate Ciara O’Gara are the authors of “Cos. Should Plan Now For Extensive EU Data Act Obligations” [PDF] published by Law360 on February 1, 2024.
Brussels associate Jan Przerwa contributed to this article.
This update provides an overview of key class action-related developments during the fourth quarter of 2023 (October to December).
Table of Contents
- Part I reviews decisions from the Sixth and Tenth Circuits reaffirming the importance of courts conducting a “rigorous” analysis of each Rule 23 factor before certifying a class;
- Part II provides an update on cases analyzing the need for plaintiffs to demonstrate a classwide method of proving injury to meet the predominance requirement of Rule 23(b)(3); and
- Part III discuses a Ninth Circuit decision scrutinizing the adequacy of a lead plaintiff in a class settlement.
I. Circuit Courts Continue to Emphasize the Importance of “Rigorously” Analyzing Each Rule 23 Class Certification Factor
In its landmark decision in Wal-Mart Stores, Inc. v. Dukes, 564 U.S. 338 (2011), the Supreme Court held (among other things) that before certifying a class, district courts must conduct a “rigorous analysis” of the Rule 23 factors. Id. at 351. This critical requirement remains alive and well, as we’ve covered in previous updates, including here and here. And this past quarter, circuit courts have continued to emphasize that district courts cannot grant class certification with a rubber stamp.
In Brayman v. KeyPoint Government Solutions, Inc., 83 F.4th 823 (10th Cir. 2023), the Tenth Circuit vacated an order granting class certification because “[a] rigorous analysis requires more” than a one-paragraph discussion of predominance. Id. at 838–39. The district court had certified a class of employees who alleged their employer required them to work uncompensated overtime. Although the Tenth Circuit declined to conduct the commonality or predominance analyses itself in the first instance, it provided suggestions about “some of the questions that the district court would need to consider when determining what issues in the class action were common issues, what issues were individual issues, and which predominate.” Id. at 839–41.
As one example, the Tenth Circuit considered how the plaintiffs would prove that an employee worked uncompensated overtime. The plaintiffs contended that each class member would testify about how many hours they worked per week, yet they failed to present any “expert testimony, statistical data, or representative evidence” showing how this was a common, rather than an individual, issue. Id. at 839. As another example, the Tenth Circuit noted that to succeed on their claims, the plaintiffs had to establish that their employer knew of this overtime work, but the plaintiffs’ “unelaborated” interrogatory answers and deposition testimony were not “sufficiently specific and representative to be ‘common’ evidence that would be admissible in each [putative class member]’s individual case” about the employer’s knowledge for that particular individual. Id. at 840.
Similarly, in In re Ford Motor Co., 86 F.4th 723 (6th Cir. 2023), the Sixth Circuit concluded the district court did not conduct a rigorous analysis of commonality, cautioning that Rule 23 “requires a named plaintiff to offer ‘[s]ignificant’ evidentiary proof that he can meet all four of [its] criteria.” Id. at 726 (emphasis added). In re Ford involved allegations about alleged brake design defects in pickup trucks over a five-year period. Id. Although the district court certified Rule 23(c)(4) “issue” classes to resolve three primary issues related to the purported defects, it did so with “cursory treatment of commonality.” Id. In particular, the district court’s analysis did “not make clear that the three certified issues can each be answered ‘in one stroke.’” Id. at 727 (quoting Dukes, 564 U.S. at 350). For instance, one certified issue concerned whether the brakes in the pickup trucks were defective. Although the plaintiffs alleged this was a common issue, the district court failed to “grapple” with the evidence that certain redesigns and manufacturing changes over the class period made a material difference to the alleged defect. Id. at 728. The Sixth Circuit reminded trial judges that they “must evaluate whether each of the four Rule 23(a) factors is actually satisfied, not merely that the factors are properly alleged.” Id. at 729 (citations omitted) (emphases added).
II. Circuit Courts Continue to Require Classwide Method of Proving Injury Before Certifying Rule 23(b) Classes
Two decisions from this quarter, Huber v. Simon’s Agency, Inc., 84 F.4th 132 (3d Cir. 2023), and Sampson v. United Services Automobile Ass’n, 83 F.4th 414 (5th Cir. 2023), reaffirmed the principle that plaintiffs must demonstrate a classwide method of proving injury to meet the predominance requirement of Rule 23(b)(3).
Huber concerned a putative class action against a medical debt collection agency that allegedly provided misleading and confusing notices to debtors. See 84 F.4th at 141. The named plaintiff claimed she incurred extensive financial costs as a result of the misleading information. See id. at 143. The district court certified a class of individuals who received the same information from the defendant. Id. at 142.
On appeal, the Third Circuit held that under TransUnion LLC v. Ramirez, 594 U.S. 413 (2021), and circuit precedent, merely receiving a misleading notice, without allegations of financial loss, was insufficient to establish Article III standing. Huber, 84 F.4th at 148–49. While the Third Circuit ruled that the class action was justiciable because the named plaintiff herself had standing, it reasoned that unnamed class members would need to put forward specific information about their financial circumstances to meet the justiciability requirement. Id. at 147–54. The Third Circuit therefore vacated the certification order and remanded to the district court to assess “the implications of [the] individualized showings [the unnamed class members need to make] for the predominance requirement.” Id. at 157.
In remanding, the Third Circuit offered guidance as to how the predominance inquiry should unfold: if few class members are able to show that they suffered concrete financial injuries, then the class should not be considered sufficiently cohesive to warrant certification. Id. at 157–58. On the other hand, if many class members appear likely to have standing or “if there is a plausible straightforward method to sort them out at the back end of the case,” then the case may be able to proceed on behalf of the class. Id.
In a similar case, Sampson v. United Services Automobile Ass’n, 83 F.4th 414 (5th Cir. 2023), the Fifth Circuit vacated a class certification order because the plaintiffs failed to identify a classwide way of establishing the defendant’s liability. Sampson was a breach of contract action against an insurance company based on its use of a particular method of vehicle valuation. See id. at 417. The plaintiffs-insureds claimed that if the defendant had used a different valuation method, they would have gotten bigger payouts when they totaled their cars. Id.
One of the questions on appeal was whether the plaintiffs could establish classwide injury—an essential element of the claims at issue—by relying on their preferred vehicle-valuation standard. Id. at 421. According to the plaintiffs, the choice of the appropriate vehicle-valuation standard was only a damages question, and district courts have wide discretion to choose among damages models at the class-certification stage. Id. The Fifth Circuit acknowledged that district courts generally do have such discretion, but the purported damages issue was actually entwined with the question of injury. Id. at 421–22. Because the selection of the appropriate vehicle-valuation standard was not just a choice between “imperfect damages models,” but rather went to the question of liability, the Fifth Circuit concluded that “a district court’s wide discretion to choose an imperfect estimative-damages model at the certification stage” had no application. Id. at 422–23.
III. The Ninth Circuit Vacates Approval of Class Settlement, Holding that Class Representative Who Was Subject to Arbitration Agreement Could Not Adequately Represent Class Members Who Were Not
As reported in several previous updates (including here and here), circuit courts have continued the trend of taking more active roles in scrutinizing class settlements. This past quarter, the Ninth Circuit vacated the approval of a class settlement in a case against a dating app, holding that the lead plaintiff was not an adequate representative of the class due to her conflict of interest and failure to vigorously litigate on behalf of all 240,000 class members. See Kim v. Allison, 87 F.4th 994 (9th Cir. 2023).
In Kim, the plaintiff alleged a dating app’s age-based pricing scheme violated California law. Id. at 999. The defendant successfully moved to compel arbitration as to the lead plaintiff because she had agreed to a version of the app’s terms of use that included an arbitration clause. Id. While the plaintiff was appealing the order compelling arbitration, she negotiated a class settlement.
In this second appeal from the settlement approval, objectors focused their arguments on the lead plaintiff’s lack of adequacy, arguing that “unlike the remainder of the class, [the plaintiff] was subject to a binding arbitration order” and the class definition did not account for that important difference. 87 F.4th at 999. The Ninth Circuit agreed that the plaintiff was an inadequate representative and vacated the settlement.
With respect to the plaintiff’s conflict of interest, the Ninth Circuit emphasized that she was subject to an agreement to arbitrate, while potentially 7,000 other class members were not. Id. at 1001. The court reasoned that the plaintiff had a strong interest in settling her claims since she has “no chance of going to trial,” even “at the cost of a broad release of other claims that are not subject to arbitration.” Id. The conflict was “exacerbated” by other provisions in the version of the terms of use that she accepted, including a Texas choice-of-law provision and limitation on liability that did not bind other class members. Id. The court also faulted the plaintiff for making inadequate efforts to conduct discovery before reaching a settlement, and said her “approach to opposing [the defendant]’s motion to compel [arbitration was] not suggestive of vigor” because she “belatedly raised formation challenges” when opposing that motion and failed to make “obvious arguments until after they were forfeited.” Id. at 1002–03.
Gibson Dunn attorneys are available to assist in addressing any questions you may have regarding these developments. Please contact the Gibson Dunn lawyer with whom you usually work in the firm’s Class Actions, Litigation, or Appellate and Constitutional Law practice groups, or any of the following lawyers:
Theodore J. Boutrous, Jr. – Los Angeles (+1 213.229.7000, [email protected])
Christopher Chorba – Co-Chair, Class Actions Practice Group – Los Angeles (+1 213.229.7396, [email protected])
Theane Evangelis – Co-Chair, Litigation Practice Group, Los Angeles (+1 213.229.7726, [email protected])
Lauren R. Goldman – New York (+1 212.351.2375, [email protected])
Kahn A. Scolnick – Co-Chair, Class Actions Practice Group – Los Angeles (+1 213.229.7656, [email protected])
Bradley J. Hamburger – Los Angeles (+1 213.229.7658, [email protected])
Michael Holecek – Los Angeles (+1 213.229.7018, [email protected])
Lauren M. Blas – Los Angeles (+1 213.229.7503, [email protected])
*Maura Carey is an associate practicing in the firm’s Palo Alto office who is not yet admitted to practice law.
© 2024 Gibson, Dunn & Crutcher LLP. All rights reserved. For contact and other information, please visit us at www.gibsondunn.com.
Attorney Advertising: These materials were prepared for general informational purposes only based on information available at the time of publication and are not intended as, do not constitute, and should not be relied upon as, legal advice or a legal opinion on any specific facts or circumstances. Gibson Dunn (and its affiliates, attorneys, and employees) shall not have any liability in connection with any use of these materials. The sharing of these materials does not establish an attorney-client relationship with the recipient and should not be relied upon as an alternative for advice from qualified counsel. Please note that facts and circumstances may vary, and prior results do not guarantee a similar outcome.
In contrast to previous years, the 2023 privacy and cybersecurity landscape in the United States was not shaped by an overarching event like the COVID-19 pandemic or Russia’s invasion of Ukraine. 2023 was nonetheless another groundbreaking year for privacy and cybersecurity on the regulatory and enforcement fronts.
Congress’s failure to pass a comprehensive privacy bill left the White House and federal agencies—along with state legislators and agencies—to lead the charge in regulating privacy and cybersecurity in the United States. The White House doubled down on its push to implement a national strategy on cybersecurity, with important implications for federal, state, and private entities. Numerous federal agencies—including the FTC, SEC, CFPB, and HHS—promulgated privacy and data protection regulations and guidance on a range of issues, including cyber-incident disclosure, children’s online privacy, biometric and genetic data, artificial intelligence (“AI”), and algorithmic decision making. Many agencies also brought enforcement actions against companies and (increasingly) individuals for privacy, data security, and related violations.
States were similarly active in 2023, passing and enforcing a flurry of new comprehensive state privacy laws. State agencies like the New York Department of Financial Services took aggressive steps to tighten data protection regulations for entities under their umbrella. And, while this publication does not focus on AI (a topic which will be covered in detail by Gibson Dunn’s forthcoming Artificial Intelligence Legal Review), the rapid rise and proliferation of AI technology was a defining feature of the privacy and cybersecurity landscape in 2023. Litigation likewise remained active, with notable upticks in claims by private litigants and government entities related to data breaches, federal and state wiretapping laws, and state biometrics laws. We expect these trends to accelerate in 2024 and beyond, as the body of privacy and cybersecurity regulation matures and expands.
This Review contextualizes these and other 2023 developments by addressing: (1) the regulation of privacy and data security, other legislative developments, enforcement actions by federal and state authorities, and new regulatory guidance; (2) trends in civil litigation around data privacy and security in areas including data breach, digital, telecommunications, wiretapping, and biometric information privacy laws; and (3) trends related to data innovations and governmental data collection. Information on developments outside the United States—which are relevant to domestic and international companies alike—will be covered in detail by Gibson Dunn’s forthcoming International Cybersecurity and Data Privacy Outlook and Review.
Table of Contents
II. REGULATION OF PRIVACY AND DATA SECURITY
A. Regulation of Privacy and Data Security
1. State Legislation and Related Regulations
a. Comprehensive State Privacy Laws
i. Applicability
ii. Exemptions
iii. Data Subject Rights
iv. Data Controller Obligations
v. Enforcement
i. Washington’s My Health My Data Act
ii. Montana’s Genetic Information Privacy Act
iii. California’s Delete Act
iv. New York Department of Financial Services’ Amendments to Part 500 Cybersecurity Rules
v. New Child Social Media Laws
a. Comprehensive Federal Privacy Legislation
b. Other Introduced Legislation
a. FTC Organization Updates
b. Algorithmic Bias and Artificial Intelligence
c. Commercial Surveillance and Data Security
i. FTC’s Approach to Data Security
ii. Rulemaking on Commercial Surveillance and Data Security
d. Notable FTC Enforcement Actions
e, Financial Privacy
f. Children’s and Teens’ Privacy
g. Biometric Information
2. Consumer Financial Protection Bureau
a. Personal Financial Data Rights Rulemaking
b. Increased Oversight of Non-bank Entities
c. Increased Scrutiny of Data Brokers
d. Artificial Intelligence and Algorithmic Bias
3. Securities and Exchange Commission
4. Department of Health and Human Services and HIPAA
a. Rulemaking on HIPAA Compliance and Data Breaches
b. Telehealth and Data Security Guidance
c. Reproductive and Sexual Health Data
d. HHS Enforcement Actions
a. Department of Homeland Security
b. Department of Justice
c. Department of Commerce
d. Department of Energy
e. Department of Defense
f. Federal Communications Commission
a. California
b. Other State Agencies
c. Major Data Breach Settlements
III. CIVIL LITIGATION REGARDING PRIVACY AND DATA SECURITY
1. The Impact of TransUnion v. Ramirez on Standing in Data Breach Actions
2. Cybersecurity Related Securities Litigation
B. Wiretapping and Related Litigation Concerning Online “Tracking” Technologies
C. Anti-Hacking and Computer Intrusion Statutes
D. Telephone Consumer Protection Act Litigation
E. State Law Litigation
1. California Consumer Privacy Act Litigation
a. Potential Anchoring Effect of CCPA Statutory Damages
b. Requirements for Adequately Stating a CCPA Claim
c. CCPA Violations Under the UCL
d. The CCPA’s 30-Day Notice Requirement
e. Guidance on Reasonable Security Measures in Connection with the CCPA
2. State Biometric Information Litigation
a. Illinois Biometric Information Privacy Act
i. Expansion of BIPA’s Scope
ii. New Recognized Limitations Under BIPA
b. Texas Biometric Privacy Law Litigation
c. New York Biometric Privacy Law Litigation
F. Other Noteworthy Litigation
IV. TRENDS RELATED TO DATA INNOVATIONS AND GOVERNMENTAL DATA COLLECTION
A. Data-Intensive Technologies—Privacy Implications and Trends
B. Emerging Privacy Enhancing Technologies (PETs)
C. Governmental Data Collection
II. Regulation of Privacy and Data Security
Since 2018, 14 states have enacted comprehensive data privacy legislation. Five of these are currently effective, and the remaining nine will go into effect between 2024 and 2026. A number of additional state legislatures considered comprehensive consumer privacy laws this past year but have yet to enact them. In addition, several states have passed narrower data privacy laws governing the use of specific categories of information, such as health and genetic information. These laws demonstrate the states’ efforts to ensure the protection of consumers’ data in the absence of a comprehensive federal data privacy law. We highlight several of these state privacy laws below and provide an overview of key similarities and differences.
A. Regulation of Privacy and Data Security
1. State Legislation and Related Regulations
a. Comprehensive State Privacy Laws
California was the first state to adopt a comprehensive data privacy law with the enactment of the California Consumer Privacy Act (“CCPA”) in 2018. The California Privacy Rights Act (“CPRA”) amended the CCPA in 2020. Since then, 13 other states—Colorado, Connecticut, Delaware, Florida, Indiana, Iowa, Montana, New Jersey, Oregon, Tennessee, Texas, Utah, and Virginia—have followed California in enacting comprehensive privacy laws. As shown in the below list of comprehensive state privacy laws enacted to date, five went into effect in 2023, an additional four will go into effect in 2024, four in 2025, and one in 2026. Most of these generally align with the standard template created by the comprehensive state privacy laws in Virginia, Colorado, Connecticut, and Utah, with a few having unique features, which are highlighted below. Please see last year’s Review for a more detailed assessment of the comprehensive data privacy laws in California, Virginia, Colorado, Connecticut, and Utah, which have all now gone into effect.
Table 1: Comprehensive State Privacy Laws
| Law | Enacted Date | Effective Date |
| California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA)[1] | CCPA: June 28, 2018 CPRA: November 3, 2020 |
CCPA: January 1, 2020 CPRA: January 1, 2023 |
| Virginia Consumer Data Protection Act (VCDPA)[2] | March 2, 2021 | January 1, 2023 |
| Colorado Privacy Act (CPA)[3] | July 7, 2021 | July 1, 2023 |
| Connecticut Data Privacy Act (CTDPA)[4] | May 10, 2022 | July 1, 2023 |
| Utah Consumer Privacy Act (UCPA)[5] | March 24, 2022 | December 31, 2023 |
| Florida Digital Bill of Rights (FDBR)[6] | June 6, 2023 | July 1, 2024 |
| Texas Data Privacy and Security Act (TDPSA)[7] | June 18, 2023 | July 1, 2024 |
| Oregon Consumer Privacy Act (OCPA)[8] | July 18, 2023 | July 1, 2024 |
| Montana Consumer Data Privacy Act (MTCDPA)[9] | May 19, 2023 | October 1, 2024 |
| Iowa Consumer Data Protection Act (ICDPA)[10] | March 29, 2023 | January 1, 2025 |
| Delaware Personal Data Privacy Act (DPDPA)[11] | September 11, 2023 | January 1, 2025 |
| New Jersey Data Privacy Act (NJDPA)[12] |
January 16, 2024 | January 15, 2025 |
| Tennessee Information Protection Act (TIPA)[13] | May 11, 2023 | July 1, 2025 |
| Indiana Consumer Data Protection Act (INCDPA)[14] | May 1, 2023 | January 1, 2026 |
The tables below review core aspects of these laws, including applicability, exemptions, data subject rights, data controller obligations, and enforcement.
Each comprehensive state privacy law applies to entities that conduct business in that state or provide products and services to residents of that state, and that meet certain applicability thresholds. As shown in Table 2 below, these thresholds typically relate to a company’s annual gross revenue and/or the number of individuals whose personal information the business processes or controls. California is unique in applying its comprehensive privacy law to companies that derive 50% or more of their revenue from selling California residents’ personal information, without pairing that requirement with a minimum number of consumers whose data is processed. Florida and Texas also have distinct requirements: Florida’s statutory thresholds are designed to limit the application of the law to large companies, and Texas’s law does not carry any fixed numerical thresholds with respect to gross revenue or number of consumers’ whose data is processed. Unless otherwise indicated, all thresholds listed below are disjunctive requirements.
Table 2: Applicability of Comprehensive State Privacy Laws
| Law | Annual Gross Revenue | Annual Processing of Consumers’ Data | Other Thresholds |
| CCPA/CPRA (California) |
$25 million or more. | Buys, sells, or shares the personal information of 100,000 or more California residents, households, or devices. | Derives 50% or more of their annual revenue from selling California residents’ personal information. |
| VCDPA (Virginia) |
N/A | Controls or processes the personal data of at least 100,000 Virginia consumers. | Controls or processes the personal data of at least 25,000 consumers and derives over 50% of gross revenue from the sale of personal data. |
| CPA (Colorado) |
N/A | Processes the personal data of more than 100,000 Colorado individuals. | Derives revenue or receives discounts on goods or services in exchange for the sale of personal data of 25,000 or more individuals. |
| CTDPA (Connecticut) |
N/A | Controls or processes the personal data of at least 100,000 Connecticut consumers. | Controls or processes the personal data of at least 25,000 consumers and derives over 25% of gross revenue from the sale of personal information. |
| UCPA (Utah) |
$25 million or more. | Controls or processes the personal data of 100,000 or more Utah consumers. | Controls or processes the personal data of 25,000 or more Utah consumers and derives 50% or more of gross annual revenue from sale of personal data. |
| FDBR (Florida) |
$1 billion or more. | N/A | (i) Derives 50% or more of its global annual revenues from targeted advertising or the sale of ads online; (ii) operates a consumer smart speaker and voice command service with an integrated virtual assistant through a cloud service and hands-free verbal activation; or (iii) operates an app store that offers at least 250,000 software applications for consumers to download. |
| TDPSA (Texas) |
N/A | N/A | (i) Conducts business in Texas or produces products/provides services consumed by residents of Texas; (ii) processes or engages in the sale of personal data; and (iii) does not qualify as a small business as defined by the United States Small Business Administration (with limited exceptions). |
| OCPA (Oregon) |
N/A | Controls or processes the personal data of 100,000 or more Oregon consumers, other than for completing a payment transaction. | Controls or processes the personal data of 25,000 or more Oregon consumers and derives 25% or more of gross revenue from sale of personal data. |
| MTCDPA (Montana) |
N/A | Controls or processes the personal data of 50,000 or more Montana consumers, excluding for the purpose of completing payment transactions. | Controls or processes the personal data of 25,000 or more Montana consumers and derives more than 25% of gross revenue from sale of personal data. |
| ICDPA (Iowa) |
N/A | Controls or processes the personal data of 100,000 or more Iowa consumers. | Controls or processes the personal data of 25,000 or more Iowa consumers and derives more than 50% of gross revenue from the sale of personal data. |
| DPDPA (Delaware) |
N/A | Controls or processes the personal data of at least 35,000 Delaware residents, excluding for the purpose of completing payment transactions. | Controls or processes the personal data of at least 10,000 Delaware residents and derives more than 20% of its gross revenue from the sale of personal data. |
| NJDPA (New Jersey) |
N/A | Controls or processes the personal data of at least 100,000 New Jersey consumers. | Controls or processes the data of at least 25,000 New Jersey consumers and derives revenue or receives a financial benefit from the sale of the data. |
| TIPA (Tennessee) |
$25 million or more. | Controls or processes the personal data of 170,000 or more Tennessee consumers. | Controls or processes the personal data of 25,000 or more Tennessee consumers and derives more than 50% of gross revenue from sale of personal information. |
| INCDPA (Indiana) |
N/A | Controls or processes the personal data of 100,000 or more Indiana residents. | Controls or processes the personal data of 25,000 or more Indiana consumers who are residents and derives more than 50% of gross revenue from the sale of personal data. |
All comprehensive state privacy laws also have exemptions for certain entities and categories of data. For example, non-profit entities and entities subject to the GLBA are exempt under most comprehensive state privacy laws. HIPAA-regulated data (but not necessarily entities regulated by HIPAA generally), employee data, and business contact data are likewise typically exempt under all comprehensive state privacy laws, except for in California. California is the only state whose GLBA exemption applies only at the data level, but not the entity level. Other exemptions not included below might include entities or data regulated by other laws, such as the Fair Credit Reporting Act, Driver’s Privacy Protection Act, Children’s Online Privacy Protection Act, the Family Educational Rights and Privacy Act, the Farm Credit Act, and the Airline Deregulation Act. Table 3 below provides a non-exhaustive list of common exemptions.
Table 3: Exemptions in Comprehensive State Privacy Laws
| Law | Non-Profits (generally) | Consumers Engaged in a Commercial or Employment Context (i.e., employees and business contacts) | HIPAA Exemption (at the data level, entity level, or both) | GLBA Exemption (at the data level, entity level, or both) |
| CCPA/CPRA (California) |
N | N | Data | Data |
| VCDPA (Virginia) |
N | Y | Both | Both |
| CPA (Colorado) |
Y | Y | Data | Both |
| CTDPA (Connecticut) |
N | Y | Both | Both |
| UCPA (Utah) |
N | Y | Both | Both |
| FDBR (Florida) |
N | Y | Both | Both |
| TDPSA (Texas) |
N | Y | Both | Both |
| OCPA (Oregon) |
Y | Y | Data | Data |
| MTCDPA (Montana) |
N | Y | Both | Both |
| ICDPA (Iowa) |
N | Y | Both | Both |
| DPDPA (Delaware) |
Y | Y | Data | Both |
| NJDPA (New Jersey) |
N | Y | Data | Both |
| TIPA (Tennessee) |
N | Y | Both | Both |
| INCDPA (Indiana) |
N | Y | Both | Both |
All comprehensive state privacy laws that have been enacted or are in effect provide consumers with the right to access their data, data portability, opt-out of the sale of their data and use of certain data in connection with targeted advertising, and the right to not be discriminated against for exercising their rights. They also provide covered entities with the ability to verify or authenticate the identity of a consumer looking to exercise her rights. However, there are additional rights that are provided by some, but not all, comprehensive state privacy laws. These are outlined in Table 4 below.
Table 4: Data Subject Rights in Comprehensive State Privacy Laws
| Law | Correct Inaccurate Data | Request a List of Third Parties with Whom Data Has Been Disclosed | Opt-Out of the Use of Data for Certain Profiling | Limit the Use and Disclosure of Sensitive Data | Appeal the Denial of Data Subject Rights Requests | Right to Appoint Authorized Agents to Submit Data Subject Rights Requests | Have Opt-Out Signals Recognized | Days to Respond to Requests |
| CCPA/CPRA (California) |
Y | N | Y | Limit use | N | Y | Y | 15 business days for requests to opt-out and limit use; 45 calendar days for other requests |
| VCDPA (Virginia) |
Y | N | Y | Opt-in | Y | N | N | 45 calendar days |
| CPA (Colorado) |
Y | N | Y | Opt-in | Y | Y | Y | 45 calendar days |
| CTDPA (Connecticut) |
Y | N | Y | Opt-in | Y | Y | Y | 45 calendar days |
| UCPA (Utah) |
N | N | N | Opt-out | N | N | N | 45 calendar days |
| FDBR (Florida) |
Y | N | Y | Opt-in | Y | N | N | 45 calendar days |
| TDPSA (Texas) |
Y | N | Y | Opt-in | Y | Y | Y | 45 calendar days |
| OCPA (Oregon) |
Y | Y | Y | Opt-in | Y | Y | Y | 45 calendar days |
| MTCDPA (Montana) |
Y | N | Y | Opt-in | Y | N | N | 45 calendar days |
| ICDPA (Iowa) |
N | N | N | Opt-out | Y | N | N | 90 calendar days |
| DPDPA (Delaware) |
Y | N | Y | Opt-in | Y | Y | Y | 45 calendar days |
| NJDPA (New Jersey) |
Y | N | Y | Opt-in[15] | Y | Y | Y | 45 calendar days |
| TIPA (Tennessee) |
Y | N | Y | Opt-in | Y | N | N | 45 calendar days |
| INCDPA (Indiana) |
Y | N | Y | Opt-in | Y | N | N | 45 calendar days |
iv. Data Controller Obligations
All comprehensive state privacy laws impose certain obligations on data controllers (entities that determine the purposes and means of processing of personal data). These include: data minimization; purpose limitations; maintaining privacy policies; maintaining reasonable administrative, technical, and physical data security controls; and contractually obligating personal data processors or service providers to comply with the applicable law. Data minimization in particular may be a significant requirement, as it requires companies to only keep data as long as they have a business need and promptly delete it thereafter. Some of the privacy laws impose additional obligations, which are outlined in Table 5 below. Specifically, some laws require (a) data protection impact assessments, which are designed to identify and minimize data protection risks, (b) financial incentive notices, which disclose discounts or other incentives that are provided in exchange for providing personal information, and (c) specific contractual requirements that set forth how vendors that process data on a business’s behalf will act.
Table 5: Data Controller Obligations in Comprehensive State Privacy Laws
| Law | Data Protection Impact Assessment | Financial Incentive Notice | Third-Party/Contractor Contract Requirement |
| CCPA/CPRA (California) |
Y (not finalized) | Y | Y |
| VCDPA (Virginia) |
Y | N | N |
| CPA (Colorado) |
Y | Y | N |
| CTDPA (Connecticut) |
Y | N | N |
| UCPA (Utah) |
N | N | N |
| FDBR (Florida) |
Y | N | N |
| TDPSA (Texas) |
Y | N | N |
| OCPA (Oregon) |
Y | N | N |
| MTCDPA (Montana) |
Y | N | N |
| ICDPA (Iowa) |
N | N | N |
| DPDPA (Delaware) |
Y | N | N |
| NJDPA (New Jersey) |
Y | N | Y |
| TIPA (Tennessee) |
Y | N | N |
| INCDPA (Indiana) |
Y | N | N |
Finally, there are differences between how each of these comprehensive state privacy laws are enforced and the penalties for noncompliance. As a general matter, comprehensive state privacy laws provide state attorneys general with sole enforcement authority. To date, the state laws have notably not provided for a private right of action. The only outlier is the CCPA/CPRA, which provides a limited private right of action for consumers affected by data breaches, under certain circumstances. Many states also provide for a right to cure, meaning that a plaintiff must provide a putative defendant with notice and an opportunity to cure the violation prior to bringing suit. The enforcement mechanisms provided for by each comprehensive state privacy law are outlined in Table 6 below.
Table 6: Enforcement of Comprehensive State Privacy Laws
| Law | Private Right of Action | Enforcement Authority | Right to Cure | Financial Penalties |
| CCPA/CPRA (California) |
Y[16] | California Attorney General and California Privacy Protection Agency | N/A | Up to $2,500 per violation or $7,500 per intentional violation or violation involving the personal information of minors. |
| VCDPA (Virginia) |
N | Virginia Attorney General | 30 days | Up to $7,500 per violation. |
| CPA (Colorado) |
N | Colorado Attorney General and local district attorneys | 60 days (provision expires January 1, 2025) | Up to $20,000 per violation, with a total maximum penalty of $500,000. |
| CTDPA (Connecticut) |
N | Connecticut Attorney General | 60 days (provision expires January 1, 2025) | Up to $5,000 per violation. |
| UCPA (Utah) |
N | Utah Attorney General and Utah Division of Consumer Protection | 30 days | Up to $7,500 per violation. |
| FDBR (Florida) |
N | Florida Department of Legal Affairs | 45 days (except for violations involving a known child) | Up to $50,000 per violation, or triple that where the violation involves a FL consumer under 18 years old, failure to delete or correct applicable personal information, or the continuing to sell or share the personal information after a consumer opts out of such sale or sharing. |
| TDPSA (Texas) |
N | Texas Attorney General | 30 days | Up to $7,500 per violation. |
| OCPA (Oregon) |
N | Oregon Attorney General | 30 days (provision expires January 1, 2026) | Up to $7,500 per violation. |
| MTCDPA (Montana) |
N | Montana Attorney General | 60 days (provision expires April 1, 2026) | Up to $7,500 per violation. |
| ICDPA (Iowa) |
N | Iowa Attorney General | 90 days | Up to $7,500 per violation. |
| DPDPA (Delaware) |
N | Delaware Department of Justice | 60 days (provision expires January 1, 2026) | Up to $10,000 per willful violation. |
| NJDPA (New Jersey) |
N | New Jersey Attorney General | 30 days (provision expires 18 months after enactment) | Up to $10,000 for the first violation and $20,000 for subsequent violations. |
| TIPA (Tennessee) |
N | Tennessee Attorney General | 60 days | Up to $7,500 per violation. |
| INCDPA (Indiana) |
N | Indiana Attorney General | 30 days | Up to $7,500 per violation. |
In addition to the comprehensive state privacy laws discussed above, states have continued to legislate in narrower areas, particularly with relation to health or genetic information.
i. Washington’s My Health My Data Act
On April 27, 2023, Washington Governor Jay Inslee signed the “My Health My Data Act” (“MHMDA”) into law, modifying the legal landscape with respect to health-related data for certain Washington entities.[17] The MHMDA creates a privacy regime focused on personal health data.
Covered Entities. The MHMDA applies to “regulated entities” that process “consumer health data.” The law defines “regulated entity” as any “legal entity” that: (1) “[c]onducts business in Washington or produces or provides products or services that are targeted to consumers in Washington”; and (2) “determines the purpose and means of collecting, processing, sharing, or selling of consumer health data,” whether “alone or jointly with others.”[18] Practically, the law applies to any entity that does business in Washington and collects or processes consumer health data. Government agencies, tribal nations, and service providers that are contracted to process consumer health data on behalf of a government agency are exempt from this definition and not considered regulated entities.[19] “Small businesses” are not exempt from the MHMDA, but are given an extra three months to comply.[20]
Covered Data. The law defines “consumer health data” as “personal information that is linked or reasonably linkable to a consumer and that identifies the consumer’s past, present, or future physical or mental health status.”[21] Examples of this type of data include surgeries or other health-related procedures, reproductive or sexual health information, and genetic data.[22] The primary statutory carveout from the definition of “consumer health data” is information “used to engage in public or peer-reviewed scientific, historical, or statistical research.”[23] However, the research must be monitored by an independent oversight entity that implements safeguards to mitigate privacy risks, including the risk associated with the reidentification of consumer data.[24] The Washington Attorney General, who is charged with enforcing the MHMDA, has explained that purchases of “toiletry products (such as deodorant, mouthwash, and toilet paper)” do not qualify as “consumer health data,” even though they relate to “bodily functions,” whereas “an app that tracks someone’s digestion or perspiration is collecting consumer health data.”[25]
Key Requirements. The MHMDA prohibits regulated entities from collecting or sharing consumer health data without first satisfying certain notice and consent requirements, including: requiring regulated entities to maintain a “consumer health data privacy policy” linked to on their homepage that discloses:
- the categories of consumer health data collected and the purpose for which the data is collected;
- the categories of sources from which the consumer health data is collected;
- the categories of consumer health data shared; and
- a list of the categories of third parties and specific affiliates with whom the regulated entity shares the consumer health data.[26]
Regulated entities may only collect or share consumer health data if a consumer provides a prior “clear affirmative act” expressing consent, or if the collection is “necessary to provide a product or service that the consumer . . . has requested.”[27]
Consumer Rights. The MHMDA also provides consumers with a number of protections, including the right to: (1) confirm whether a regulated entity is collecting, sharing, or selling their consumer health data; (2) access that data; (3) withdraw consent for the collection and sharing of their consumer health data; and (4) delete their data.[28]
Enforcement. A violation of the MHMDA is considered a violation of the Washington Consumer Protection Act.[29] The Washington Attorney General may enforce the law.[30] Consumers may also pursue private actions for violations of the MHMDA.[31]
ii. Montana’s Genetic Information Privacy Act
On June 7, 2023, Montana Governor Greg Gianforte signed into law the “Montana Genetic Information Privacy Act” (“MTGIPA”). The MTGIPA applies to any entity that offers consumer genetic testing products or services directly to a consumer, or collects, uses, or analyzes genetic data.[32] “Genetic data” is defined as “any data, regardless of format, concerning a consumer’s genetic characteristics.”[33] The MTGIPA requires covered entities to provide a privacy policy and notice regarding their use of genetic data and to obtain a consumer’s “express consent” in order to collect, use, or disclose a consumer’s genetic data.[34] The MTGIPA also requires an entity to “develop, implement, and maintain a comprehensive security program to protect a consumer’s genetic data against unauthorized access, use, or disclosure.”[35] The Montana Attorney General has sole authority to enforce the MTGIPA.[36]
On October 10, 2023, California Governor Gavin Newson signed the “Delete Act” into law.[37] The law revises California’s data broker registration law and gives consumers the right to manage data held by data brokers free of charge by submitting a single deletion request to a centralized website.[38] After a deletion request is submitted, a data broker is required to delete data within 45 days, and continue deleting any personal information collected about that consumer at least every 45 days thereafter.[39] After a consumer has submitted a deletion request, data brokers are also prohibited from selling or sharing new personal information about the consumer in the future.[40] Consumers will have the option to “selectively exclude” data brokers when submitting a deletion request.[41] The law also requires data brokers to “undergo an audit by an independent third party to determine compliance” with the law.[42]
Under the law, a “data broker” is defined as “a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.”[43] But the law includes exemptions for entities covered by the Fair Credit Reporting Act, the Gramm-Leach-Bliley Act, the Insurance Information and Privacy Protection Act, the Confidentiality of Medical Information Act, or HIPAA, and business associates of covered entities under the Confidentiality of Medical Information Act or HIPAA.[44]
iv. New York Department of Financial Services’ Amendments to Part 500 Cybersecurity Rules
On November 1, 2023, the New York State Department of Financial Services (“NYDFS”) issued its Second Amendment to 23 NYCRR Part 500 (“Part 500”), which establishes numerous cybersecurity requirements for regulated entities.[45] As discussed in more depth in our recent client alert, the amendments to Part 500 include: expanded responsibility for senior governing bodies, obligations to implement additional safeguards, new requirements for larger companies, new and increased obligations related to written policies and procedures, heightened requirements around audits and risk assessments, and additional reporting requirements for cybersecurity incidents. NYDFS is responsible for enforcing Part 500 and has brought several enforcement actions against various financial entities, including banks, money transfer service providers, and cryptocurrency service providers.[46]
v. New Child Social Media Laws
Several states passed laws restricting social media apps, but those laws have been challenged in the courts. For example, Utah’s Social Media Regulation Act[47] requires social media companies with at least 5,000,000 account holders worldwide to verify the age of adults seeking to maintain or open social media accounts; obtain parental consent for users under the age of 18 to open an account; imposes restrictions on children’s accounts; and prohibits collections of certain data and targeted advertising.[48] The law may be enforced by either the Division of Consumer Protection or through a private right of action.[49] Plaintiffs may obtain up to $2,500 in statutory damages per violation, in addition to attorney’s fees and costs.[50] The law has been challenged in two different suits that are ongoing.[51]
A similar law in Arkansas that would require parental permission for children to create certain social media accounts was blocked by a federal judge.[52] The judge concluded in granting the preliminary injunction that the law, as written, was unconstitutionally vague because it failed to adequately define “social media company,” and therefore which entities were subject to its requirements.[53] The judge also agreed that the law likely violates the First Amendment because the age verification process would chill speech by deterring adults from signing up for social media accounts and that the law is unnecessarily overbroad insofar as it attempts to protect minors from harmful or obscene content.[54] And a Montana federal judge blocked a law in that state that would prohibit mobile application stores from offering TikTok to Montana users.[55] The court, in granting the preliminary injunction, found that plaintiffs were likely to succeed on the merits of their arguments—namely, that an outright ban on a specific app likely violates the First Amendment, the Commerce Clause, and is preempted by federal national security law, among other reasons.[56]
a. Comprehensive Federal Privacy Legislation
Comprehensive federal privacy legislation remains a popular, yet unrealized, objective despite recent congressional efforts.
The American Data Privacy and Protection Act (“ADPPA”) introduced in 2022 was the most advanced attempt to-date at enacting a comprehensive federal privacy bill. However, the bill died when it failed to advance to the House or Senate floors before the last Congress adjourned in January 2023.[57] As proposed, the ADPPA bill required covered companies to engage in “data minimization” and adopt “privacy by design” principles.[58] The ADPPA also prohibited covered entities from designing and employing discriminatory algorithms, and required them to study the impacts of their algorithms.[59]
Government enforcement of the ADPPA would have been left largely to the FTC at the federal level, alongside state attorneys general and other key state officials.[60] But the ADPPA’s addition of a private right of action was a source for serious concern due to the burden and cost of class action lawsuits.[61] The bill also explicitly preempted most state privacy laws—a fact that some believe was largely responsible for the bill’s demise.[62]
Calls for comprehensive federal privacy legislation continued throughout 2023 despite the ADPPA’s failure. In the spring, Congress held hearings on the continuing need for such legislation.[63] President Biden echoed these calls in an executive order (which also enacted AI safety measures).[64] In his 2023 State of the Union address, the President likewise called for stronger online privacy protections for children.[65]
b. Other Introduced Legislation
Congress did not pass any privacy laws in 2023, although a significant number of consumer and individual privacy-related legislation was introduced.[66] This proposed privacy legislation covered a range of topics, including surveillance technologies, health privacy, privacy for children online, facial recognition, AI, and cybersecurity.
Many of the measures attracted significant bipartisan support, but lawmakers remained divided over the same two issues that sunk more comprehensive federal privacy legislation: (1) whether federal privacy laws should preempt state laws (a position attracting more Republican support) and (2) whether it should include a private right of action (which more Democrats favor). Nevertheless, in the absence of comprehensive federal privacy legislation, Congress may still be more likely to enact legislation on a narrower topic that draws more bipartisan support, such as children’s online safety, in the future.[67]
Lawmakers focused in particular on digital privacy and safety in 2023, especially for children on social media. They held widely publicized hearings on the topic, bringing in social media executives for questioning, with more hearings to come in 2024.[68] In July 2023, the U.S. Senate Commerce Committee advanced a pair of measures seeking to put more responsibility on social media platforms to ensure child safety online: the Kids Online Safety Act, which would require platforms to enact measures to prevent harms to minors and to restrict targeted advertising for children under 13;[69] and COPPA 2.0, which would upgrade and expand the original children’s online privacy law, including by adding protections for teens ages 13 to 16.[70]
Other privacy bills introduced in 2023 include: the Informing Consumers about Smart Devices Act (requiring manufacturers to disclose that a camera or microphone is part of a device before purchase),[71] the Stop Spying Bosses Act (requiring disclosure of or prohibiting surveillance, monitoring, and collection of worker data),[72] the UPHOLD Privacy Act (establishing protection for personally identifiable health and location data),[73] the DELETE Act (requiring the FTC to establish a system allowing individuals to request that data brokers delete their personal information),[74] the Data Care Act of 2023 (imposing duty of care, loyalty, and confidentiality on online service providers),[75] the Online Privacy Act of 2023 (establishing individual privacy rights and creating a private right of action and Digital Privacy Agency),[76] and others described in this Review.
Congress also considered cybersecurity-related legislation: the Federal Cybersecurity Vulnerability Reduction Act of 2023 (requiring certain government contractors to adopt vulnerability disclosure policies),[77] the Modernizing the Acquisition of Cybersecurity Experts Act of 2023 (generally barring agencies from setting minimum educational requirements for cybersecurity workers),[78] and the Federal Cybersecurity Workforce Expansion Act (providing training and apprenticeships for cybersecurity workers).[79]
In 2023, government regulators remained active in enforcement and regulatory efforts related to data privacy, cybersecurity, and new technology. This section summarizes notable regulatory and enforcement efforts by the Federal Trade Commission (“FTC”), Consumer Financial Protection Bureau (“CFBP”), Securities and Exchange Commission (“SEC”), Department of Health and Human Services (“HHS”), and other federal and state agencies.
The FTC remained active in the regulation and enforcement of cybersecurity and data privacy in 2023—and continued to aggressively pursue new regulatory, enforcement, and litigation matters in other areas as well. Several actions, such as its rulemaking on junk fees, have had important impacts on online businesses. For example, the proposed junk fees rule was introduced in direct response to President Biden’s announced priorities for consumer protection’ and following his call for transparency in consumer pricing.[80] The FTC extended the comment period for the rule through February 7, 2024.[81] As currently drafted, the rule would ban “hidden fees”—or fees that are mandatory, even if provided by a different entity. It would also ban “misleading fees,” essentially requiring disclosure of the purpose and refundability of any fees charged.
The FTC also continued to prioritize algorithmic bias and AI, commercial surveillance, data security, and children’s privacy. Further, the FTC expanded its regulatory and enforcement scope related to biometric information. This section discusses the FTC’s notable actions on these topics in 2023.
In March 2023, Republican Commissioner Christine Wilson resigned abruptly from the FTC, publicly citing her disagreements with Chair Lina Khan’s vision and management of the FTC.[82] This created an additional vacancy on the five-member commission, following the departure of Commissioner Noah Phillips in October 2022.
In July 2023, President Joe Biden nominated two Republican replacements: Virginia Solicitor General Andrew Ferguson and Utah Solicitor General Melissa Holyoak.[83] Prior to his current appointment as Virginia Solicitor General, Ferguson served in numerous roles on the Hill, including as Chief Counsel to Senate Minority Leader Mitch McConnell, as Chief Counsel for Nominations and the Constitution to then-Judiciary Committee Chairman Lindsey Graham, and as Senior Special Counsel to then-Judiciary Committee Chairman Chuck Grassley. Holyoak previously served as President and General Counsel of a nonprofit public-interest law firm that advocates for free markets, free speech, and limited government. In their confirmation hearing, both Holyoak and Ferguson demonstrated interest in regulating big technology companies. Holyoak specifically called out the importance of protecting children online.[84]
Both nominations are currently held up in the Senate.[85] If confirmed, the new Commissioners will not change the Republican-Democrat balance of power at the FTC, which has been led by a Democratic majority since Commissioner Bedoya was confirmed in 2022.
b. Algorithmic Bias and Artificial Intelligence
The FTC continues to signal that AI and algorithms are an enforcement priority. In a mid-year public editorial, for instance, FTC Chair Lina Kahn warned of the risks AI poses, including producing discriminatory outcomes and potential privacy violations.[86]
As reflected in Chair Khan’s editorial, the FTC is particularly concerned about the effects algorithms may have on consumer privacy, including the use of consumer data to train large language models and inadvertent disclosure of personally identifiable information (“PII”) through chatbots. In a series of AI-focused blog posts published from February to August 2023, the FTC warned businesses that they should avoid using automated tools that result in biased or discriminatory impacts. One post further noted that businesses “can’t just blame a third-party developer of the technology” when reasonably foreseeable failures occur; instead, businesses should investigate and identify the foreseeable risks and impact of AI before using it in a consumer-facing setting.[87] In March 2023, the FTC also specifically called out AI technology that simulates human activity and can be used by third-party bad actors to, among other things, target communities of color with fraudulent schemes.”[88] It warned that businesses considering launching tools with such risks must employ deterrents that go beyond “bug corrections or optional features that third parties can undermine via modification or removal.”[89] Other use cases highlighted by the FTC as targets for enforcement include: technology that enables “deepfakes” and “voice cloning,”[90] customizing ads to specific people or groups in a manner that “trick[s] people into making harmful choices[,]”[91] and tools that purport to detect generative AI content.[92]
For a more detailed discussion of regulatory developments in AI, please see Gibson Dunn’s forthcoming Artificial Intelligence Legal Review.
c. Commercial Surveillance and Data Security
i. FTC’s Approach to Data Security
In a February 2023 blog post, the FTC’s Deputy Chief Technology Officer Alex Gaynor highlighted three best practices for effectively protecting user data drawn from recent FTC orders: (i) requiring multi-factor authentication (for consumers and employees); (ii) requiring a company’s systems connections to be encrypted and authenticated; and (iii) requiring data retention schedules to be published and followed.[93] Gaynor warns that these practices alone “are not the sum-total of everything the FTC expects from an effective security program.”[94] He nevertheless suggests a security program is highly likely to be effective if it incorporates these practices.[95]
ii. Rulemaking on Commercial Surveillance and Data Security
As described in Gibson Dunn’s prior alert, the FTC’s Advance Notice of Proposed Rulemaking on commercial surveillance and data security would overhaul the regulatory landscape for corporate internet use. FTC Consumer Protection Chief Samuel Levine noted in a speech in September 2023 that the FTC is currently reviewing over 11,000 comments received in response to the request for comment, which closed on November 21, 2022.[96] If adopted, the rule will have widespread impact, implicating every facet of the internet from advertising to algorithmic decision-making. The advanced notice for the proposed rule, for instance, seeks comment on issues as wide ranging as whether consumer consent is still an effective gatekeeper for corporate data practices, whether the FTC should forbid or limit the development, design, and use of certain automated decision-making systems, and whether the FTC should adopt workplace, teen, or industry-specific (e.g., health- or finance-related) rules around data collection and use. The FTC is expected to take final action on the proposed rule in 2024.[97]
d. Notable FTC Enforcement Actions
In 2023, the FTC maintained its aggressive stance on privacy enforcement, which has been a hallmark of Chair Khan’s tenure. In addition to enforcement actions that hold companies responsible for the activities discussed, there has also been a rise in actions brought against individuals. Below we discuss some of the FTC’s most notable enforcement actions in 2023.
Video Game and Software Developer. In March 2023, the FTC finalized an order in an action originally described in last year’s Review, which will require a large video game and software developer to pay $245 million to refund affected consumers and bans the company from charging consumers through the use of “dark patterns” or otherwise charging consumers without obtaining their affirmative consent.[98] The order also bars the company from blocking consumers’ access to their accounts if the consumer is disputing unauthorized charges.
Home Security Camera Company. The FTC brought an action under Section 5(a) of the FTC Act,[99] challenging a security camera company’s representations regarding security, and alleging that employees and contractors were able to access private videos.[100] A proposed settlement would require deletion of certain data and affected data products “such as data, models, and algorithms derived from videos it unlawfully reviewed,” establishment of a privacy and data security program, obtaining assessments by a third party, and cooperation with a third-party assessor.[101]
Tax Preparation Firms. The FTC issued Notices of Penalty Offenses to five tax preparation firms about the use of information collected for tax preparation services to solicit loan borrowers. A Notice of Penalty Offense is intended to put companies on notice of prior successful enforcement actions against other companies, but does not mean the FTC has found the recipients are violating the law.[102] However, the FTC’s Notice warned that the companies could face civil penalties of up to $50,120 per violation if they use or disclose consumer confidential data collected for tax preparation for other purportedly unrelated purposes, such as advertising, without express consumer consent.[103]
Voice Assistant. In May, DOJ brought an action on behalf of the FTC against a major technology company that includes, among its products, a voice assistant.[104] The FTC alleged that the company improperly prevented parents from deleting their children’s data and retained and risked exposure of sensitive data. The FTC’s settlement with the company, approved in July 2023, requires the company to overhaul its deletion practices, as well as implement stronger privacy safeguards to settle Children’s Online Privacy Protection Act Rule (“COPPA Rule”) claims and deception claims about its data deletion practices.[105]
Telehealth and Prescription Drug Provider. The FTC brought its first enforcement action under the Health Breach Notification Rule, which was originally adopted in 2009 and requires vendors of personal health records and related entities to notify consumers, the FTC, and, in some cases, the media, when such data is disclosed or acquired without consumers’ authorization.[106] The FTC alleged that the company failed to notify consumers, the FTC, and the media about its disclosure of individually identifiable health information to certain online services. This enforcement action followed a 2021 FTC policy statement that purported to require health apps and other online services to comply with the Health Breach Notification Rule.[107] The company agreed to pay a $1.5 million civil penalty and is barred from sharing user health data with third parties for advertising.[108] The FTC also proposed amendments to the Health Breach Notification Rule, with a public comment period that ended on August 8, 2023.[109]
Genetic Testing Firm. The FTC settled allegations against a genetic testing firm for allegedly leaving user data unprotected, misleading users about their ability to delete their data, and retroactively changing its privacy policy without proper notice to consumers. In addition to monetary penalties of $75,000, as part of the final order, the company is required to take remedial actions including instructing third-party contractors to destroy all DNA samples retained beyond a specified timeframe, notifying the FTC of any unauthorized disclosure of consumer personal health data, and implementing a comprehensive information security program.[110]
In-Store Surveillance and Facial Recognition. For the first time, the FTC alleged that the use of facial recognition technology may be an unfair practice or deceptive under Section 5 of the FTC Act.[111] The FTC alleged that a national pharmacy chain deployed AI-facial recognition technology to identify shoplifters and other problematic shoppers. The FTC’s complaint alleged that the company failed to take reasonable measures to prevent harm to consumers who were erroneously accused by employees of wrongdoing because the technology incorrectly flagged the consumers as matching the profile of a known shoplifter or troublemaker. The FTC banned the retailer’s use of facial recognition technology for five years. While the FTC also alleged the company violated the terms of a 2010 consent decree by failing to comply with its own information security program’s policies and contractual requirements for facial technology vendors, the FTC did not seek civil penalties, and imposed a no-money, no-fault order. The case helpfully articulates what the FTC deems as “best practices” for the use of facial recognition technologies, including the usage of cameras and smartphones by retailers to detect and stop shoplifting and to mitigate risks of misidentification.
The FTC approved further changes to its Standards for Safeguarding Customer Information Rule (“Safeguards Rule”) in 2023. The Safeguards Rule requires non-banking financial institutions, such as mortgage brokers, motor vehicle dealers, and payday lenders, to develop, implement, and maintain a comprehensive security program to keep their customers’ information safe. The rule was initially amended in October 2021 in response to “widespread data breaches and cyberattacks” by introducing more robust data security requirements for financial institutions to protect their customers’ data.[112] In 2023, the FTC further amended the rule to require financial institutions to report certain data breaches directly to the FTC.[113] Many provisions of the 2021 rule changes went into effect on January 10, 2022, but certain provisions of the Safeguards Rule did not take effect until June 9, 2023.[114] These sections require financial institutions to:
- Designate a qualified individual to oversee their information security program;
- Develop a written risk assessment;
- Limit and monitor who can access sensitive customer information;
- Encrypt all sensitive information;
- Train security personnel;
- Develop an incident response plan;
- Periodically assess the security practices of service providers; and
- Implement multifactor authentication or another method with equivalent protection for any individual accessing customer information.[115]
The FTC’s 2023 amendments include more specific criteria for what safeguards financial institutions must implement as part of their information security program, and requirements to explain their information-sharing practices and designate a single qualified individual to oversee their information security program and report periodically to an organization’s board of directors, or a senior officer in charge of information security.[116] These amendments will not take effect until mid-2024.
f. Children’s and Teens’ Privacy
On December 20, 2023, the FTC announced long-awaited proposed amendments to the Children’s Online Privacy Protection Rule (“COPPA Rule”).[117] If adopted, the proposed amendments would be the first changes to the COPPA Rule in a decade.[118] The amendments aim to modernize the COPPA framework and shift the burden for protecting children’s privacy and security from parents to service providers.[119] The proposed changes include:
- Requiring separate opt-in for targeted advertising;
- Prohibiting conditioning a child’s participation on collection of personal information;
- Limiting the support for the internal operations exception, which allows operators to collect persistent identifiers without first obtaining verifiable parental consent as long as the operator does not collect any other personal information;
- Imposing restrictions on educational technology companies, including prohibiting these companies’ use of students’ data for commercial purposes;
- Increasing accountability for Safe Harbor programs, including by requiring each program to publicly disclose its membership list and report additional information to the Commission;
- Strengthening data security requirements; and
- Limiting data retention.[120]
The FTC also recently sought comments from the Entertainment Software Rating Board and others for a new mechanism for obtaining parental consent under the COPPA Rule: “Privacy-Protective Facial Age Estimation” technology, which analyzes the geometry of a user’s face to accurately confirm a user’s age.[121] The FTC’s request for comments focused on whether such age verification methods would satisfy the COPPA Rule’s requirements and whether it poses a privacy risk to children’s biometric and other personal information.[122]
In 2023, the FTC pursued enforcement action against major technology companies in relation to children’s and teen’s’ privacy. For example, the FTC alleged a technology company violated the COPPA Rule by collecting and illegally retaining personal information from children who signed up for a gaming service without parental consent.[123] The company agreed to pay $20 million and take steps to increase privacy protection for children users to settle the case.[124] The FTC has also proposed changes to its 2020 order with another technology company, alleging in part that the company has not fully complied with the order because it misled parents about their ability to control with whom their children communicated.[125] Among other things, the proposed changes would prohibit the company from monetizing data it collects from users under 18.[126]
On May 18, 2022, the FTC signaled an increased focus on preventing the misuse of biometric information in a policy statement.[127] The policy statement is a first-of-its-kind comprehensive breakdown of the FTC’s view that the commercial use of biometric information poses certain privacy risks to consumers, and it builds on prior workshops and statements analyzing consumer protection issues related to specific technologies that can implicate biometric information.[128]
In the policy statement, the FTC broadly defines biometric information as data depicting or describing a person’s physical, biological, or behavioral traits, characteristics, or measurements, including facial features, iris or retina, fingerprints or handprints, voice, genetics, or characteristic movements or gestures.[129] The FTC warned that certain conduct relating to the use of biometric information and biometric information technologies constitutes an unfair or deceptive practice under Section 5 of the FTC Act, including:
- Making false or unsubstantiated marketing claims regarding the validity, reliability, accuracy, performance, fairness, or efficacy of technologies relying on biometric information;
- Making deceptive statements about the collection and use of biometric information;
- Failing to protect consumers’ biometric information using reasonable data security practices;
- Collecting biometric information that consumers meant to conceal or keep private (including by implementing “privacy-invasive default settings”);
- Selling technologies that permit harmful or illegal conduct, such as covert tracking; and
- Using or selling discriminatory technologies.[130]
To avoid liability under the FTC Act, the FTC recommends that businesses communicate the use and capabilities of biometric information technologies to consumers, ensure biometric information technologies operate fairly and accurately, and implement safeguards to prevent unauthorized access to biometric information. Relying on the policy statement for the first time, the FTC filed a complaint in December 2023 alleging that a drugstore chain surreptitiously used facial recognition technology to identify—sometimes falsely—shoplifters and other customers it deemed problematic, as described above.[131]
2. Consumer Financial Protection Bureau
Notwithstanding increasing congressional antagonism directed at the Consumer Financial Protection Bureau (“CFPB”), the CFPB did not decrease its attention on privacy issues in 2023. Last year, the CFPB issued a long-awaited proposed rule regarding consumer personal financial data rights and signaled an intent to increase its oversight of non-bank entities providing digital wallets and peer-to-peer apps, as well as data brokers that sell certain types of consumer data. The CFPB also parroted the FTC’s concerns with privacy risks associated with AI.
a. Personal Financial Data Rights Rulemaking
On October 19, 2023, the CFPB released a long-awaited Notice of Proposed Rulemaking on Personal Financial Data Rights.[132] If adopted, this rule would establish a regulatory framework where consumers have the power “to break up with banks that provide bad service and would forbid companies that receive data from misusing or wrongfully monetizing the sensitive personal financial data.”[133] The proposed rule would also require covered financial entities to share a consumer’s financial data with authorized third parties upon the consumer’s request.[134] The proposed rule is the first proposal to implement Section 1033 of the Dodd-Frank Wall Street Reform and Consumer Protection Act (“Dodd-Frank Act”), which authorizes the CFPB to prescribe rules under which consumers may access information about themselves from their financial service providers.[135]
Although Section 1033 applies to all consumer financial products or services covered under the Dodd-Frank Act,[136] the proposed rule would limit the scope of covered entities, or “data providers,” to Regulation Z card issuers, Regulation E financial institutions, and other payment facilitation providers, while generally exempting data providers that do not have a consumer interface.[137] Under the proposed rule, data providers must provide consumers and authorized third parties with “covered data,” such as transaction information, account balance, and upcoming bill information, “in an electronic form usable by consumers and authorized third parties,” as provided by Section 1033 of the Dodd-Frank Act.[138]
In addition to requiring third parties to obtain “express informed consent” from the consumer to become authorized to access covered data, the proposed rule would also prohibit such authorized third parties from collecting, using, or retaining the consumer’s relevant data beyond what is “reasonably necessary” to provide the requested product or service to a consumer.[139] The proposal does not define what is “reasonably necessary,” but instead enumerates activities that do not qualify: (i) targeted advertising; (ii) cross-selling of other products or services; or (iii) the sale of covered data.[140] The proposed rule also imposes data accuracy and data security obligations, among other obligations, on authorized third parties.[141]
The comment period for the proposed rule closed on December 29, 2023; CFPB Director Rohit Chopra said that the agency intends to finalize the rule by fall 2024.[142]
b. Increased Oversight of Non-bank Entities
On November 7, 2023, the CFPB issued a proposed rule that, if adopted, would establish supervisory power over big technology firms and other nonbank entities that offer services allowing consumers to digitally transfer money.[143] The proposed rule would apply to “larger participant” nonbank entities that handle more than five million payment transactions per year through digital wallets, peer-to-peer apps, payment apps, and other “covered payment functionalities.”[144] This oversight authority would allow the CFPB to conduct examinations to ensure that these nonbank entities are adhering to applicable laws governing funds transfer, privacy, and consumer protection.[145] The comment period for this proposed rule closed on January 8, 2024.[146]
c. Increased Scrutiny of Data Brokers
In March 2023, the CFPB launched an inquiry into data brokers to inform whether existing Fair Credit Reporting Act (“FCRA”) rules reflect the market realities of “[m]odern data surveillance practices [that] have allowed companies to hover over our digital lives and monetize our most sensitive data.”[147] The agency’s request for information defined “data brokers” broadly as “an umbrella term to describe firms that collect, aggregate, sell, resell, license, or otherwise share consumers’ personal information with other parties.”[148] That definition could sweep in companies, like credit unions and banks, that are not typically considered data brokers.
On August 15, 2023, Director Chopra also announced that the CFPB will be developing new rules that define a data broker that sells certain types of consumer data as a “consumer reporting agency” (“CRA”) under FCRA.[149] Defining data brokers as CRAs would impose new obligations on data brokers to comply with FCRA’s demanding standards for data accuracy and privacy, including consumer access and consent rights.[150] Director Chopra also announced a second proposal under consideration that will clarify the extent to which credit header data, such as name, date of birth, and social security number, constitute a consumer report, and thereby limit the ability of CRAs to impermissibly disclose identifying contact information.[151] The CFPB intends to propose these changes for public comment in 2024.[152]
d. Artificial Intelligence and Algorithmic Bias
In an April 25, 2023 joint statement with the DOJ, FTC, and Equal Employment Opportunity Commission, the CFPB reaffirmed its commitment to enforce consumer financial protection laws to prevent harmful uses of AI and algorithmic bias.[153] Since then, the CFPB has highlighted risks associated with AI in multiple contexts:
Chatbots. In June 2023, the CFPB released an issue spotlight on the risks associated with the use of chatbots by financial institutions, including consumer financial protection compliance risks and failures to protect consumer privacy and data, diminished trust and customer service, and harm to consumers resulting from inaccurate information.[154]
Home Appraisals. In June 2023, the CFPB also proposed a rule that would govern automated home valuations.[155] The rule would require institutions that employ automated valuation models to take certain steps to minimize inaccuracy and bias by adopting policies, practices, procedures, and control systems to ensure that models adhere to quality control standards designed to ensure a high level of confidence in the estimates produced.[156] Under the proposal, institutions would also be required to protect against the manipulation of data, seek to avoid conflicts of interest, require random sample testing and reviews, and comply with applicable nondiscrimination laws.[157] The public comment period ended on August 21, 2023.[158]
Credit Decisions. In September 2023, the CFPB issued a Consumer Protection Circular titled “Adverse Action Notification Requirements and the Proper Use of the CFPB’s Sample Forms Provided in Regulation B,” concerning lenders’ obligations when using AI to make consumer credit decisions.[159] The guidance emphasizes that creditors must provide accurate and specific reasons for adverse decisions made by complex algorithms, and this requirement is not automatically satisfied by use of a sample adverse action checklist.[160]
3. Securities and Exchange Commission
In 2023, the SEC continued to focus on transparency around cybersecurity risk management and incident disclosure, as made evident by the Commission’s rulemaking and enforcement activity. Most notably, the SEC finalized rules requiring public companies to report material cybersecurity incidents within four business days of determining materiality, as well as periodic disclosures relating to cybersecurity risk management, strategy, and governance. The SEC was also active on the enforcement front, pursuing actions against companies and individuals in connection with cyber incidents. In 2024, we expect to see heightened enforcement activity as the newly adopted cyber rules take effect and as the SEC takes final action on proposed rulemaking for registered entities, particularly those implicating personal information or sensitive data.
March 2023 – SEC Proposes Rules to Amend Regulation S-P
On March 15, 2023, the SEC proposed rules that would amend Regulation S-P to update and close certain gaps in the requirements pertaining to the protection of customer information.[161] Most importantly, if adopted, the amendments would require broker-dealers, investment companies, registered investment advisers, and transfer agents (“Covered Institutions”) to adopt written policies and procedures for responding to unauthorized access to or use of customer information.[162] The amendments would also require Covered Institutions to notify individuals of unauthorized use of or access to their sensitive information “as soon as practicable,” but not later than 30 days, after discovery of a data breach.[163]
As explained in the adopting release, the rules would also amend other aspects of Regulation S-P, including:
- Extending the protections of the safeguards and disposal rules to both nonpublic personal information that a Covered Institution collects about its own customers and to nonpublic personal information that a covered institution receives about customers of other financial institutions;
- Extending the safeguards rule, as amended, to registered transfer agents, and expanding the disposal rule to include transfer agents registered with another appropriate regulatory agency; and
- Conforming Regulation S-P’s existing provisions relating to the delivery of an annual privacy notice for consistency with a statutory exception created by Congress in 2015.[164]
The public comment period closed on June 5, 2023, but the SEC has not indicated whether and when it will take final action on the proposed amendments.
July 2023 – SEC Adopts New Cybersecurity Disclosure Rules for Public Companies
On July 26, 2023, as reported in Gibson Dunn’s client alert, the SEC adopted a final rule to enhance and standardize disclosures regarding cybersecurity risk management, strategy, governance, and incidents by public companies that are subject to the reporting requirements of the SEC Act of 1934 (the “Exchange Act”).[165] The final rule requires: (i) Form 8-K disclosure of material cybersecurity incidents within four business days of the company’s determination that the cybersecurity incident is material; and (ii) annual disclosures in Form 10-K regarding the company’s cybersecurity risk management, strategy, and governance.[166] For foreign private issuers, the final rule amends Form 20-F to include requirements parallel to Item 106 regarding risk management, strategy, and governance.[167] In addition, the final rule adds “material cybersecurity incidents” to the items that may trigger a current report on Form 6-K.[168] Under the new rule, foreign private issuers will be required to furnish on Form 6-K information about material cybersecurity incidents that the issuers disclose or otherwise publicize in a foreign jurisdiction, to any stock exchange or to security holders.[169]
Compliance Dates
The Form 8-K disclosure requirement went into effect on December 18, 2023 for most registrants (smaller companies will have until June 5, 2024 to comply); all registrants will have to comply with the annual disclosure requirements beginning with their Form 10-K or 20-F filing for the fiscal year ending on or after December 15, 2023.[170]
Reporting Material Cybersecurity Incidents
Under the final rules, when a company experiences a material cybersecurity incident, it must disclose on Form 8-K, the material aspects of the nature, scope, and timing of the incident, and the material impact or “reasonably likely” material impact on the company, including on its financial condition and results of operations.[171] Importantly, this disclosure must be made within four business days of the company determining that it has experienced a material cyber incident, a determination which must be made “without unreasonable delay after discovery of the incident.”[172] In circumstances where a company has determined that a cybersecurity incident is material but does not have all of the information that is required to be disclosed when the Form 8-K filing is due, the company must later update the disclosure through a Form 8-K amendment.[173]
The final rule permits companies to delay reporting material cyber incidents up to an initial period of 30 days, if the U.S. Attorney General notifies the SEC in writing that immediate disclosure would pose a substantial risk to national security or public safety.[174] However, as confirmed by guidelines released by the Department of Justice,[175] the Attorney General will only permit delayed disclosures in very limited circumstances, so public companies should be prepared to disclose virtually all material cyber incidents within four days after determining materiality.[176] The DOJ guidelines also make clear that even where the Attorney General grants a delay, the delay may not delay filing the Form 8-K in its entirety, but may only pertain to some of the information that is required to be disclosed.[177]
Annual Reporting Requirements
The final rule also requires that public companies include on their Form 10-K filings certain disclosures regarding the company’s cybersecurity risk management, strategy and governance.[178] The final rule also includes parallel requirements for a foreign private issuer’s risk management, strategy, and governance disclosures on Form 20-F.[179]
Risk management strategy and governance disclosure. Companies are required to describe their processes for assessing, identifying, and managing material risks from cybersecurity threats in sufficient detail for a reasonable investor to understand those processes, including information regarding:
- Whether and how any such processes have been integrated into the company’s overall risk management system or processes;
- Whether the company engages assessors, consultants, auditors, or other third parties in connection with any such processes; and
- Whether the company has processes to oversee and identify such risks from cybersecurity threats associated with its use of any third-party service provider.[180]
Public companies are also required to describe whether and how any risks from cybersecurity threats, including as a result of any previous cybersecurity incidents, have materially affected or are reasonably likely to materially affect the company, including its business strategy, results of operations, or financial condition.[181] Notably, the final rule requires disclosure of “processes” (as opposed to “policies and procedures”) in order to avoid requiring disclosure of operational details that could be exploited by threat actors and make clear that companies without written policies and procedures need not disclose that fact.
Governance Disclosures. The final rule also requires public companies to describe on Form 10-K how the board of directors oversees the company’s cybersecurity risks. This includes identifying, if applicable, any board committee or subcommittee responsible for the oversight of cybersecurity risks and describing the processes by which the board or such committee is informed about such risks.[182] Additionally, companies must describe management’s role in assessing and managing the company’s material cybersecurity risks from cybersecurity.[183]
September 2023 – SEC Approves Revised Privacy Act Rule
On September 20, 2023, the SEC approved a final rule, adopting amendments to the SEC’s regulations under the Privacy Act of 1974, which governs the federal government’s handling of personal information.[184] The final rule updates and streamlines the SEC’s Privacy Act regulations, including the process for submitting and receiving responses to Privacy Act requests and administrative appeals and provides electronic methods to verify an individual’s identity.[185] Given the extensive nature of the amendments, the final rule replaces entirely the current version of the Privacy Act regulations which was last updated in 2011. The final rule went into effect on October 26, 2023.
Cyber Rules for Registered Investment Advisers, Registered Investment Companies, and Business Development Companies Expected in April 2024.
In February 2022, the SEC proposed cybersecurity rules for registered investment advisers, registered investment companies, and business development companies (the “RIA Rules”).[186] If adopted, the RIA Rules would require covered companies to, among other things, (i) adopt written cybersecurity policies and procedures to address cybersecurity risk, and (ii) report significant cybersecurity incidents, which are those that “significantly affect the critical operations” of a covered company or lead to “unauthorized access or use of information that results in substantial harm” to a covered company, or its clients, funds, or investors.[187] As noted on the SEC’s June 13, 2023 rulemaking agenda, the RIA Rules have entered the final rule stage[188] and are expected to be finalized in April 2024.[189]
Looking ahead, the SEC Division of Examinations announced its priorities for 2024, which stated that it plans to continue focusing on “registrant’s policies and procedures, internal controls, oversight of third-party vendors (where applicable), governance practices, and responses to cyber-related incidents.”[190] SEC Chair Gary Gensler emphasized that the “Division’s efforts, as laid out in the 2024 priorities, enhance trust in our ever-evolving markets.”[191] Information security and cybersecurity will remain a key area of regulation and enforcement for the SEC in 2024.
In addition to new rules, in 2023 the SEC continued to pursue enforcement actions at a historically high level against public companies, investment firms, law firms, and individuals.[192] The SEC obtained orders totaling nearly $5 billion in financial remedies in fiscal year 2023, the second-highest amount in SEC history following a record-setting nearly $6.5 billion in fiscal year 2022.[193] Notably, the SEC continued to focus on individuals, with about two-thirds of the SEC’s cases in fiscal year 2023 involving individuals.[194] The SEC also obtained orders that barred 133 individuals from serving as officers or directors for public companies, the highest such number in a decade.[195]
We expect these trends to continue in 2024, particularly as they relate to cybersecurity when the SEC’s newly adopted cyber rules take effect and additional cyber rules are finalized. Below is a summary of some of the most notable cyber-related enforcement actions brought by the SEC in 2023.
Broker-Dealer Username/Password Handling Litigation. In September, 2023, the SEC alleged that a broker-dealer and its parent company allegedly made materially false and misleading statements and omissions regarding information barriers intended to prevent the misuse of sensitive customer information.[196] The SEC alleged that the broker-dealer operated two businesses that were purportedly walled off from each other by data safeguards: a trade order execution service for institutional customers that typically operated on commission, and a proprietary trading business. However, during a 15-month period from 2018 to 2019, the broker-dealer allegedly failed to adequately safeguard a database of post-trade information regarding customer orders that included customer identifying information and further material nonpublic information.[197] The broker-dealer allegedly rendered the database accessible to virtually anyone at its affiliates by leaving the data accessible via “two sets of widely known and frequently shared generic usernames and passwords.”[198] The SEC asserts that this alleged failure to safeguard the information posed significant risk that proprietary traders could abuse it or distribute it outside the entity.[199] The litigation remains pending.
Settlement for Allegedly Misleading Statements Related to 2020 Ransomware Attack. In March 2023, the SEC imposed a $3 million civil penalty to settle allegations it brought against a public company for making allegedly misleading disclosures concerning a 2020 ransomware attack that had impacted over 13,000 customers.[200]
The SEC alleged that, on July 16, 2020, the company announced a ransomware attacker had not gained access to customer bank account information or Social Security Numbers.[201] Within days of the announcement, however, technology and customer relations personnel allegedly learned that the attacker had accessed and exfiltrated that sensitive information.[202] The employees nonetheless allegedly failed to communicate this information to senior management accountable for its public disclosure because, in the SEC’s view, the company failed to maintain adequate disclosure controls and procedures.[203] As a result, the company’s 10-Q report filed in August 2020 did not include this information about the cyberattack, which the SEC views as an omission of material information. In addition, the SEC alleged that the company’s description of the risk of disclosure of sensitive customer information as a hypothetical risk was misleading.[204]
SEC Alleges Fraud Against Public Company and its CISO. In October 2023, the SEC alleged that a network monitoring software company and its Chief Information Security Officer (“CISO”) engaged in fraud and internal controls violations.[205] The SEC alleges that the company and its CISO overstated its cybersecurity practices and understated or failed to disclose known cybersecurity risks.[206] The SEC’s complaint alleges that the company’s public statements conflicted with its internal assessments.[207] The complaint also alleges that the CISO was aware of the company’s cybersecurity risks, but failed to resolve the issues or sufficiently elevate them.[208] The SEC alleged that the cybersecurity shortfalls rendered the company unable to provide reasonable assurances that its most valuable assets were sufficiently protected.[209] The lapses in cybersecurity practices allegedly resulted in a two-year cyberattack campaign against the software company and some of its customers, including federal and state government agencies.[210] The cyberattack was first disclosed publicly in December 2020, though the SEC alleged that disclosure was incomplete.[211] According to the SEC, the company and CISO allegedly “paint[ed] a false picture of the company’s cyber controls environment.”[212] The SEC alleged that the company and CISO violated antifraud provisions of the securities laws, that the company violated reporting and internal controls provisions, and that the CISO aided and abetted the company’s violations.[213] The SEC seeks permanent injunctive relief, disgorgement with prejudgment interest, civil penalties, and an officer-and-director bar against the CISO.[214]
Going forward, we expect to see a significant uptick in enforcement activity, particularly around cybersecurity disclosures, given the adoption of the SEC’s cyber disclosure rules which went into effect in December 2023 and other proposed cyber rules pending finalization, as discussed above.
4. Department of Health and Human Services and HIPAA
On February 27, 2023, the Department of Health and Human Services (“HHS”) announced three new divisions within the Office of Civil Rights (“OCR”): an Enforcement Division, a Policy Division, and a Strategic Planning Division.[215] OCR enforces HIPAA and the Health Information Technology for Economic and Clinical Health Act of 2009, among additional privacy-related and other statutes.[216] OCR explained that its caseload has increased 69 percent from 2017 and 2022.[217] OCR thus created the new divisions to “improve[] OCR’s ability to effectively respond to complaints, put[ting] OCR in line with its peers’ structure and mov[ing] OCR into the future.”[218] The addition of three new divisions in OCR signals and underscores the heightened importance of data privacy and security within HHS.
a. Rulemaking on HIPAA Compliance and Data Breaches
On December 13, 2023, HHS finalized a rule implementing the 21st Century Cures Act that enhances the Office of the National Coordinator for Health Information Technology Certification Program, aimed at advancing interoperability, transparency, and the access, exchange, and use of electronic health information.[219] The final rule is designed to increase algorithm transparency and information sharing for healthcare providers.[220] The provisions of the rule are based on the principles of “fairness, appropriateness, validity, effectiveness and safety,” and include certification criteria for “decision support interventions,” “patient demographics and observations,” “electronic case reporting,” and the “exchange and use” of electronic health information.[221] The final rule goes into effect on February 8, 2024.[222]
b. Telehealth and Data Security Guidance
HHS released a fact sheet in early 2023 identifying what will change as a result of the expiration of the federal Public Health Emergency for COVID-19 on May 11, 2023.[223] HHS stated that the “vast majority” of current Medicare telehealth flexibilities (such as waivers of geographic and originating site restrictions and the allowance of audio-only telehealth services) will remain in place through December 2024.[224] The agency also made some Medicare changes permanent so that they will stay in place now that the public health emergency has ended. These include allowing Federally Qualified Health Centers and Rural Health Centers to “serve as a distant site provider for behavioral/mental telehealth services,” allowing Medicare patients to “receive telehealth services for behavioral/mental health care in their home,” and allowing “behavioral/mental telehealth services” to “be delivered using audio-only communication platforms.”[225]
On July 20, 2023, the FTC and HHS issued a joint letter to 130 hospital systems and telehealth providers, warning them to “exercise extreme caution” with respect to certain online technologies that are incorporated in their websites and apps given the potential privacy risks these technologies may pose to patient data.[226] The letter also reminded healthcare providers about their obligations under HIPAA and the FTC’s Health Breach Notification Rule.[227] Relatedly, on September 15, 2023, the FTC and HHS issued an updated publication addressing businesses’ potential questions related to collecting, using, and sharing consumer health information, and provided links to more detailed guidance.[228]
c. Reproductive and Sexual Health Data
On June 24, 2023, HHS Secretary Xavier Becerra released a statement[229] on the one-year anniversary of Dobbs v. Jackson Women’s Health Org., which reversed Roe v. Wade and ended federal protection for abortion access.[230] The statement highlights HHS’s efforts to protect and expand access to reproductive care, and outlines three “priority areas”:
- “Reaffirming the Department’s commitment to protecting the right to abortion care in emergency settings under the Emergency Medical Treatment and Labor Act (EMTALA)”;
- “Clarifying protections for birth control coverage under the Affordable Care Act”; and
- “Protecting medical privacy – including empowering patients to protect their medical information on smart phones, apps, and other platforms.”[231]
On April 12, 2023, HHS proposed measures to strengthen patient-provider confidentiality related to reproductive health care through a Notice of Proposed Rulemaking for the Privacy Rule.[232] The proposed rule would prohibit the use or disclosure of protected health information (“PHI”) to identify, investigate, sue, or prosecute “patients, providers, and others involved in the provision of legal reproductive health care, including abortion.”[233] The public comment period closed on June 16, 2023; and the proposed rule is expected to be finalized in March 2024.[234]
OCR continued to enforce the HIPAA Privacy Rule throughout 2023, which has been a continued focus of the agency in recent years. For example, OCR settled claims against a New York-based non-profit academic medical center for alleged violations in 2020 of the HIPAA Privacy Rule.[235] A national newspaper published an article about the medical center’s COVID-19 emergency response, “which included photographs and information about the facility’s patients” exposing patient information, including COVID-19 diagnoses, medical statuses and prognoses, vital signs, and treatment plans.[236] OCR alleged that the facility disclosed three patients’ protected health information to the press “without first obtaining written authorization from the patients.”[237] The settlement required the facility to pay $80,000 and agree to implement a corrective action plan “to develop written policies and procedures that [complied] with the HIPAA Privacy Rule.”[238]
HHS also focused its enforcement efforts around the HIPAA Right of Access Initiative, which was launched in 2019 and requires covered entities to provide individuals with “timely access to their health information for a reasonable cost” under the HIPAA Privacy Rule.[239] As of December 15, 2023, OCR had brought 46 cases pursuant to the HIPAA Right of Access Initiative.[240] These actions were largely brought against covered entities for failing to provide individuals with copies of protected health information within the required timeframe and/or in accordance with permitted fees.[241]
Data breaches have been another recent priority. In February 2023, a nonprofit health system in Arizona agreed to pay $1.25 million to resolve alleged HIPAA Security Rule violations arising from a 2016 data breach, which disclosed the protected health information of 2.81 million individuals.[242] In addition to the monetary penalty, the hospital system agreed to implement a corrective action plan, and two years of OCR monitoring, to address alleged deficiencies relating to the protection of electronic PHI, including pertaining to risk assessment, vulnerability management, monitoring, authentication and protection of data transit.[243]
In December 2023, OCR also entered into a settlement with a Louisiana-based medical group for $480,000, stemming from a phishing attack that exposed the personal information of over 34,000 individuals.[244] OCR alleged that the group failed to conduct a risk analysis of potential vulnerabilities, as required under HIPAA.[245] As with Banner Health, Lafourche agreed to implement a corrective action plan that OCR will monitor for two years [246]
a. Department of Homeland Security
In 2023, the Department of Homeland Security (“DHS”) continued to pursue various cybersecurity initiatives aimed at securing critical infrastructure and helping organizations respond to the rapidly evolving cyber threat landscape. The year marked an increased focus on cyber incident information sharing and reporting through public-private and cross-border partnerships. On March 2, 2023, DHS Secretary Alejandro N. Mayorkas released a statement about working to implement President Biden’s National Cybersecurity Strategy and emphasized the role of public-private sector collaboration and work with DHS’s Cyber Safety Review Board and Cybersecurity and Infrastructure Security Agency (“CISA”).[247] As required by the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”), DHS and the Cyber Incident Reporting Council issued recommendations to Congress for streamlining the reporting of cyber incidents by establishing standard definitions, timelines, and triggers for reporting; creating a model incident reporting form for federal agencies; and creating a central reporting web portal.[248] These recommendations will inform CISA’s ongoing rulemaking process, as it works towards publishing a Notice of Proposed Rulemaking related to CIRCIA’s reporting requirements by March 2024.[249] Secretary Mayorkas also hosted cyber leaders from 21 nations at the Western Hemisphere Cyber Conference to discuss bilateral and multilateral initiatives to respond to, and facilitate increased information sharing about, cybersecurity challenges, including around critical infrastructure and cyber-enabled crimes and ransomware.[250]
DHS also released multiple reports and advisories outlining recommendations to mitigate risks posed by threat actor groups and vulnerabilities affecting critical infrastructure, including malware attacks by the ransomware group CL0P against users of certain file-transfer software;[251] targeting of industry-standard security tools by threat actor group Lapsus$;[252] and a ransomware variant used to exploit a vulnerability that threatened critical infrastructure.[253]
DHS also increased its State and Local Cybersecurity Grant Program funding from $185 million in FY22 to $374.9 million in FY23, signaling the growing importance of protecting communities from cyber threats.[254]
In 2023, DOJ continued to focus on and expand its capacity to address cyber threats, especially those related to national security. In a series of press releases, DOJ touted certain accomplishments in its ongoing fight against organized cybercrime. For example, it publicized actions it had taken against several ransomware groups, including the Hive and Blackcat, as well as the malware code Qakbot. DOJ also announced significant developments regarding its approach to the issue of algorithmic bias, including an innovative resolution reached with a large social media company and the filing of a statement of interest in a case alleging racial discrimination against rental applicants.
As part of its continued and expanding efforts to counter cyber-related national security threats arising from nation-state actors, DOJ created the National Security Cyber Section (“NatSec Cyber”) within the National Security Division (“NSD”).[255] DOJ noted that NatSec Cyber “will allow NSD to increase the scale and speed of disruption campaigns and prosecutions of nation-state threat actors, state-sponsored cybercriminals, associated money launderers, and other cyber-enabled threats to national security.”[256]
DOJ continued its aggressive, multifaceted efforts to disrupt domestic and international organized cybercrime via collaboration between the FBI and foreign law enforcement organizations. For example, in January 2023, DOJ announced that its months-long campaign against a ransomware-as-a-service network called the “Hive” culminated in the seizure of thousands of decryption keys that were then distributed to victims of the Hive’s activities, as well as the shutting down of servers and websites used by the Hive to coordinate attacks.[257] The Hive’s ransomware campaign impacted more than 1,500 victims, “including hospitals, school districts, financial firms, and critical infrastructure,” across more than 80 countries, and sought to extort hundreds of millions of dollars in ransomware payments.[258] In May 2023, DOJ publicized an operation code-named “MEDUSA,” which involved the deployment of an FBI-developed tool named “PERSEUS” to disrupt the ability of the highly sophisticated cyber espionage malware named “Snake” to compromise infected computers.[259] Snake, whose development the U.S. government attributes to a unit in the Federal Security Service of the Russian Federation, has been used and adapted for the last nearly 20 years to steal and covertly transfer sensitive information from computer networks in over 50 countries, often in service of Russian interests.[260] In August 2023, DOJ announced another multinational effort to degrade and avert attacks from Qakbot, a malware code used by cybercriminals to create malicious botnets and perpetrate “ransomware, financial fraud, and other cyber-enabled criminal activity.”[261] Finally, in December 2023, DOJ announced that the FBI had successfully built a decryption tool that allowed victims of the ransomware-as-a-service group Blackcat (also known as ALPHV or Noberus) to regain control of their systems.[262] This was in addition to taking control of websites associated with the group, which had previously carried out attacks targeting “government facilities, emergency services, defense industrial base companies, critical manufacturing, and healthcare and public health facilities—as well as other corporations, government entities, and schools,” costing victims hundreds of millions of dollars in ransom payments, incident response costs, and losses from data damage and theft.[263]
DOJ also waded into issues around algorithmic bias. In January 2023, for example, DOJ announced a resolution reached with a large social media company to address alleged algorithmic bias on its platforms.[264] This development came as part of a settlement stemming from a June 2022 lawsuit filed in the U.S. District Court for the Southern District of New York that asserted the company engaged in discriminatory delivery of housing advertisements based on algorithms partially relying on protected characteristics in violation of the Fair Housing Act (“FHA”).[265] The settlement agreement required the company to create a system (dubbed the Variance Reduction System) to promote the “equitable distribution of ads” across its platforms, subject to certain compliance metrics, oversight by the court, and ongoing monitoring by a third-party reviewer through June 27, 2026.[266] A DOJ official praised the agreement and the company for setting “a new standard for addressing discrimination through machine learning” and called for others to follow the company’s lead.
DOJ also filed a Statement of Interest in an FHA case pending in a Massachusetts federal district court brought by two Black rental applicants alleging unlawful algorithmic tenant screening practices.[267] Plaintiffs alleged that the screening system discriminated “against Black and Hispanic rental applicants in violation of the FHA.”[268] According to DOJ, the Statement confirms its “commitment to ensuring that the Fair Housing Act is appropriately applied in cases involving algorithms and tenant screening software.”[269]
On March 7, 2023, a bipartisan group of senators proposed the Restricting the Emergence of Security Threats that Risk Information and Communications Technology (“RESTRICT”) Act, which would give the Commerce Secretary the power to ban foreign‐owned technologies if they are found to pose national security threats.[270] The bill, which received support from the Department of Commerce,[271] was referred to the Committee on Commerce, Science, and Transportation, and is currently awaiting further action.[272]
On June 14, 2023, Senator Wyden introduced the Protecting Americans’ Data From Foreign Surveillance Act of 2023, which would update the Protecting Americans’ Data From Foreign Surveillance Act of 2022 that was introduced in June 2023 but not passed.[273] This bill would bar exports of sensitive data to high‐risk countries, as determined by the Department of Commerce.[274] The Department of Commerce would also be tasked with defining sensitive data, though the bill broadly covers data, including browsing history and location data.[275] However, the new export rules would not apply to data encrypted with technology approved by the National Institute of Standards and Technology (“NIST”).[276] The bill was referred to the Committee on Banking, Housing, and Urban Affairs, and currently awaits further progress.[277]
Through the Infrastructure Investment and Jobs Act, the Department of Energy (“DOE”) has provided significant funding to a series of new cybersecurity programs.[278] On September 12, 2023, the DOE announced $39 million of funding for nine new “National Laboratory” projects to strengthen the cybersecurity of distributed energy resources (“DER”).[279] The funding is intended to “support targeted research, development, and demonstration related to different elements of the DER landscape.”[280]
Despite investing in improved cybersecurity for DER, the DOE itself continues to attract scrutiny of its cybersecurity practices, especially from the DOE’s Office of Inspector General (“OIG”). Ongoing concerns regarding the department’s cybersecurity capabilities stem in part from three apparent cyberattacks against DOE national laboratories in late 2022, which were serious enough to prompt House lawmakers to seek details concerning them in early 2023.[281] In November 2023, the OIG released a report discussing “management challenges” at the DOE, including numerous cybersecurity-related deficiencies.[282] In discussing these deficiencies, the report noted structural and resource-based challenges to an effective organization-wide cybersecurity program, some of which stemmed from inconsistent and outdated practices by DOE contractors.[283] Thus, contractors/vendors doing business with the DOE should expect a greater emphasis on and scrutiny of their cybersecurity practices going forward.
In December 2023, the Department of Defense (“DoD”) released a proposal designed to implement its Cybersecurity Maturity Model Certification (“CMMC”) program, broadly aimed at increasing the security of controlled, unclassified information across the defense industry.[284] The CMMC will set three “levels” of cybersecurity requirements based on the nature of information held by contractors, while ultimately creating a baseline level of cybersecurity for almost all DoD contract solicitations.[285] The program will be implemented in phases over several years, giving companies time to study and understand its requirements and prepare staff to comply with them.[286]
f. Federal Communications Commission
The Federal Communications Commission (“FCC”) was particularly focused on the Telephone Consumer Protection Act (“TCPA”) and cybersecurity issues in 2023. In June 2023, the FCC unveiled a new Privacy and Data Protection Task Force that will “coordinate across the agency on the rulemaking, enforcement, and public awareness needs in the privacy and data protection sectors.”[287] The task force will address issues such as data breaches of telecommunication providers linked to cyber intrusions and supply chain vulnerabilities.[288]
TCPA Rulemaking. In January 2023, the FCC announced that new rules promulgated under Section 8 of the Telephone Robocall Abuse Criminal Enforcement and Deterrence (“TRACED”) Act[289] would go into effect on July 20, 2023.[290] Among other things, the FCC’s new rules provide additional clarity on exemptions from the TCPA, including establishing limits on the number of exempt calls that can be made to a residence during a 30-day period (for non-commercial, non-advertising, or nonprofit purposes); requiring callers to obtain consent before exceeding the numerical limits on exempt calls; and mandating ways that consumers can opt out of exempted calls to residential lines.[291]
In the last quarter of 2023, the FCC took additional regulatory steps to curb robocalls. On October 23, 2023, FCC Chairwoman Jessica Rosenworcel announced the FCC was opening an inquiry into the impact of artificial intelligence technology on robocalls, particularly for more vulnerable consumers such as seniors and those on fixed incomes.[292] Following that announcement, the FCC sought public input to better understand the impact of emerging AI technologies on unwanted telephone calls and text messages.[293] It seems likely that the FCC will continue to assess AI’s impact in this area.
On December 18, 2023, the FCC also approved new TCPA rules that require lead generators, comparison shopping websites, and similar companies to obtain a consumer’s prior express written consent to receive automated calls from each marketing partner.[294] The rule is intended to end companies’ prior practice of relying on a single consent to receive automated calls from multiple marketing partners. The new rule has closed this loophole, and requires one-to-one consent for each marketing partner.[295] There will be an implementation period of at least 12 months to allow companies to make necessary changes to ensure consent complies with the new rules.[296]
Cyber Trust Mark. In July 2023, the FCC, in coordination with the White House, announced a proposal to create a “U.S. Cyber Trust Mark” label for devices that meet certain cybersecurity and privacy criteria set by the National Institute of Standards and Technology, with voluntary commitments to the standard to be made by manufacturers and retailers.[297] Examples of contemplated features offered by labeled devices include “unique and strong default passwords, data protection, software updates, and incident detection capabilities.”[298] In August 2023, the FCC released a Notice of Proposed Rulemaking regarding the proposal to collect public input, noting that if it votes to establish the program, it could be “up and running” by late 2024.[299]
VoIP and TRS Rules. In December 2023, the FCC approved modifications to data breach notification rules for providers of telecommunications, interconnected Voice over Internet Protocol (“VoIP”), and telecommunications relay services (“TRS”).[300] The modifications expand reportable personally identifiable information and the definition of a “breach,” and require carriers or TRS providers to notify the FCC of breaches, in addition to other existing reporting requirements.[301]
Enforcement. The FCC also levied fines against companies for lax data security standards. In July 2023, the FCC sought a combined $20 million fine against two mobile carriers for alleged violations of FCC rules, which mandate that customer identity be properly authenticated before online access to Customer Proprietary Network Information (“CPNI”) is granted to them.[302] The FCC’s investigation concluded that the companies used “readily available” information to provide online access to CPNI and fell below other compulsory data security standards in violation of multiple parts of the FCC’s rules, thereby placing sensitive customer personal data at risk.[303]
Throughout 2023, state privacy enforcers, particularly in California, wielded their authority to attempt to expand the ambit of existing privacy laws.
California Privacy Protection Agency
On the rulemaking front, the California Privacy Protection Agency (“CPPA”) released draft rules for automated decision-making technology (“ADMT”) on November 27, 2023.[304] The draft focuses on two areas: notice requirements on the use of ADMT and enforcement of two new consumer rights: the right to opt-out of ADMT processing and the right to access information about a business’s use of ADMT.
The draft rules require businesses to provide a “Pre-use Notice” which would allow consumers to exercise these two rights. The notice must inform consumers of the business’s use of ADMT and permit them to opt-out of ADMT processing. It also requires businesses to describe the purpose behind the use of ADMT in specific terms. Consumers may opt-out of ADMT for decisions that produce “legal or similarly significant effects” (1) as an employee, student, job applicant or independent contractor or (2) in publicly accessible places (e.g., via surveillance or facial recognition). Formal rulemaking is expected to begin in early 2024.
The CPPA has also begun to spin up its enforcement division, which began inquiring into manufacturers of connected vehicles, meaning vehicles embedded with features like location sharing, web-based entertainment, smartphone integration, and cameras, in an effort to better understand whether companies in this space are complying with applicable rules.[305]
California Attorney General
The California Attorney General (“CA AG”) has announced several privacy-related enforcement “sweeps” in 2023 in a variety of industries. In early 2023, the CA AG sent out letters to an unspecified number of mobile apps in the retail, travel, and food service industries that purportedly failed to comply with the CCPA, specifically by failing to honor consumer requests to opt out of the sale of their personal data or providing mechanisms for opting out of sale of the personal data.[306] In July 2023, the CA AG announced a separate sweep of large employers’ compliance with CCPA as it related to employee and job applicant information.[307] Businesses are required to provide a way for consumers, workers, and job applicants to be able to access, delete, and opt-out of the sale of their personal information. Despite these regular sweeps, however, the CA AG has not announced any enforcement actions or settlements related to the CCPA.
Although there have not been any CCPA settlements disclosed in 2023, the CA AG did announce a $93 million settlement with a large technology company related to allegations that its location-privacy practices violated California’s Unfair Competition Law, a follow-on to a multistate settlement announced in 2022.[308] The complaint alleged that the company deceived people into consenting to the perpetual collection and use of their location data by asking users if they wanted to “enhance” their “experience.” The complaint also alleged that, even if users turned off their location history, their precise location data was nevertheless collected if other settings remained enabled. Finally, the CA AG alleged that the company continued to use real-time location information to show users ads, even if they turned off ad personalization. Under the terms of the settlement, the company will have to provide a pop-up notification to users who have certain location-tracking toggles enabled, provide additional disclosures to users (including in the account-creation flow) and obtain express affirmative consent prior to sharing precise location information with advertisers, among other requirements. The company will also have to submit an annual compliance report and independent assessor reports.
New York
In January 2023, the New York Attorney General (“NY AG”) sent a letter to a large live-entertainment company about its use of facial recognition technology that allegedly was preventing entry into its venue by attorneys whose firms are engaged in litigation against the company.[309] The NY AG’s letter requests the company provide justifications for its policy, identify efforts to comply with applicable laws, and ensure that its use of this technology will not lead to discrimination.
In November 2023, the New York State Department of Financial Services announced that a title insurer will pay $1 million for allegedly violating state cybersecurity regulations.[310] The insurer allegedly failed to ensure “full and complete implementation” of its cybersecurity policies and procedures prior to a May 2019 data breach that exposed its customers’ nonpublic information.[311]
Washington
The Washington Attorney General (“WA AG”) announced a $39.9 million settlement with a large technology company related to the WA AG’s lawsuit over its location-tracking practices.[312] The WA AG, like the CA AG, filed a separate lawsuit from the multistate effort that had been settled in November 2022. Similar to the California suit, the WA AG alleged that the company collects location data even when consumers had disabled their location history and that it tracked devices even when location access was turned off. In addition to the monetary penalty, the company agreed to disclose additional information to users where they enabled location-related account setting, ensured that users see information about location tracking and gave users detailed information about types of location data that the company collects and how it will be used.
c. Major Data Breach Settlements
While 2023 did not see as many high-profile data breach settlements as in recent years, with the number of data breach-related case filings reaching new records, major settlements are likely on the horizon.
Many of the notable 2023 settlements were reached with state attorneys general. A software provider in the healthcare and education space agreed to a $49.5 million settlement with numerous state attorneys general (led by Indiana and Vermont) to resolve claims stemming from a ransomware attack that impacted the company and nearly 13,000 customers in 2020.[313] In another notable data breach settlement, the attorneys general of New York, Connecticut, Florida, Indiana, New Jersey, and Vermont entered into a $6.5 million settlement with a major financial services provider arising from two instances in which customer data inadvertently left the company’s custody.[314] And a vision insurance company entered a $2.5 million settlement with the attorneys general of New Jersey, Oregon, Florida, and Pennsylvania stemming from a breach which impacted the health care information of 2.1 million individuals.[315]
Class actions have also resulted in significant settlements. A law firm recently announced that it reached a tentative class settlement with plaintiffs whose personal information was allegedly compromised in a data breach.[316] Once finalized, this settlement will resolve four consolidated lawsuits stemming from the firm’s alleged three-month delay in notifying affected individuals of the breach. And in July 2023, the Southern District of Florida approved a $3 million settlement in a class action suit against a health care network and its parent company arising from a 2021 data breach in which over three million individuals were affected.[317]
III. Civil Litigation Regarding Privacy and Data Security
Cybercrimes targeting consumer data have been increasingly pervasive and this trend continued in 2023. The Identity Theft Resource Center, which compiles statistical information on data breaches, reported 2,116 data breaches in the first nine months of 2023.[318] This number surpasses the 2021 record of 1,862 data breaches and represents a nearly 64% increase of the number of data breaches reported over the same nine-month period in 2022.[319] These trends suggest companies will continue to face more widespread and sophisticated attacks by cybercriminals and the risk of litigation remains elevated for companies dealing with the aftermath of a cyberattack.
One of the largest and most significant data breach litigations in history was filed this year. After the developer of a popular file transfer service announced that its service had been exploited by a Russian cybergang in a data breach that exposed the personally identifiable information of more than 55 million people, more than 200 cases were filed.[320] These actions were centralized in an MDL that is now pending in the District of Massachusetts.[321] At the time of publication, the MDL remains in its early stages, but we expect this case will be one that practitioners will watch closely.
This section summarizes key developments in data breach litigation last year.
1. The Impact of TransUnion v. Ramirez on Standing in Data Breach Actions
Many data breach cases are litigated in federal court, given large numbers of potentially affected individuals and jurisdictional provisions of the Class Action Fairness Act. Plaintiffs pursuing claims in federal court must satisfy the standing requirements of Article III of the U.S. Constitution, and data breach actions raise significant questions about whether plaintiffs can satisfy this requirement. In 2021, the U.S. Supreme Court decided TransUnion v. Ramirez, a landmark decision that increased the burden on plaintiffs to demonstrate standing in actions for money damages brought in federal court.[322] The Court held that the mere risk of future harm is insufficient to satisfy the concrete injury that Article III requires, especially where the plaintiff is unaware of the risk of future harm.[323] This holding is especially significant in data breach cases where a plaintiff’s data has been breached but not yet misused.
Although TransUnion went a long way towards clarifying how risks of future harm should be analyzed under Article III, appellate courts have continued to grapple with the bounds of the Court’s holding and divergent approaches to the issue of standing persisted in 2023.
Some courts have interpreted TransUnion narrowly and concluded that notwithstanding its holding, plaintiffs can establish standing even if their data has not yet been misused. For example, in Webb v. Injured Workers Pharmacy, LLC, the First Circuit held that a “material risk of future harm can satisfy the concrete-harm requirement” for standing, reasoning that data compromised in targeted attacks (as opposed to inadvertent disclosures) is more likely to be misused, especially when the data is sensitive and other personal information in the exposed data has already been misused.[324] Moreover, to satisfy TransUnion’s requirement of “alleg[ing] a separate, concrete present harm” to have standing to seek damages, the court held that the plaintiffs’ “time spent responding to a data breach can constitute a concrete injury sufficient to confer standing, at least when that time would otherwise have been put to profitable use.”[325] Similarly, the Second Circuit held that a plaintiff suffered “concrete harms as a result of the risk of future harm occasioned by the exposure” of her personal information, in particular because she incurred expenses attempting to mitigate the consequences of the breach.[326] Moreover, the plaintiff’s name and Social Security number were compromised in the targeted attack, and the court reasoned that the exposure of this type of sensitive data led to concrete present harms due to the increased risk that her identity would be stolen in the future.[327]
Other courts have interpreted TransUnion to mandate a stricter approach to standing. For example, in Holmes v. Elephant Insurance Co., a trial court dismissed for lack of standing claims alleging that the plaintiffs’ personal information was compromised in a 2022 data breach.[328] Despite a potential heightened risk of future identity theft, the court found that this risk alone did not constitute an injury in fact unless it was “certainly impending.”[329] Even though two of the three named plaintiffs had alleged their driver’s license information had appeared on the dark web, the court reasoned that unless combined with additional personal information, a driver’s license number could not be used to create a full identity profile, and therefore only constituted a threat of future identity theft.[330] The court also found there was insufficient support for the contention that the risk of identity theft was “certainly impending” without assuming that the plaintiffs were specifically targeted in the breach, that the perpetrator was actively compiling full profiles of plaintiffs, and that the perpetrator would “imminently and successfully attempt to use th[e] information [at issue] to steal the plaintiffs’ identities.”[331] In reaching this conclusion, the court also diverged from the approach taken by the First Circuit in Webb, finding that absent an imminent threat of identity theft, the cost of mitigative measures, such as time spent monitoring financial information, does not constitute an injury sufficient to support standing.[332]
A California district court in Burns v. Mammoth Media, Inc., appeared to agree with this approach, suggesting that “an increased risk of identity theft may constitute a credible threat of real and immediate harm sufficient to constitute an injury in fact for standing purposes.”[333] However, the court ultimately denied standing and dismissed the claims because there were insufficient allegations to establish an increased threat of identity theft based on the type of data compromised. In particular, the plaintiff alleged only that his name, email address, gender, profile creation date, user name, user ID, password, and access token were exposed, but he failed to explain how the specific data compromised was sufficiently sensitive to create a risk of identity theft.[334]
Questions about standing are also significant to class certification, as putative classes that contain large numbers of uninjured class members are frequently not viable.[335] One case from 2023 illustrating this issue is Attias v. CareFirst, Inc., where the District Court for the District of Columbia denied class certification because “the proposed classes . . . would appear to sweep in significant numbers of people who have suffered no injury in fact in light of TransUnion.”[336] Even though the named plaintiffs had adequately demonstrated standing “because they ha[d] spent at least some amount of time or money protecting against the risk of future identity theft,” there was a “serious predominance problem” because not all the putative class members had done the same, thereby necessitating “individualized proof of injury.”[337] These “logistical hurdles of identifying class members who were injured or determining what kinds of mitigation measures might qualify an individual for class membership” meant the court “[could not] conclude that the common issues predominate over individualized inquiries.”[338]
2. Cybersecurity-Related Securities Litigation
In the aftermath of a cybersecurity incident, companies and their officers also frequently face shareholders suits. Although the pace of data breach-related securities case filings has slowed,[339] the past year still saw a fair share of new litigation. For instance, in March 2023, shareholders filed a securities class action under Sections 10(b) and 20(a) of the Securities Exchange Act of 1934 against a television service provider, alleging that the company overstated its operational efficiency in public statements and SEC filings and maintained deficient cybersecurity infrastructure, leaving the company unable to secure customer data and leaving it vulnerable to cyberattacks and service issues.[340] In another action filed in 2023, shareholders alleged that a financial services technology company violated Sections 12(a)(2) and 15 of the Securities Act of 1933 in connection with the compromise of customer data.[341] The plaintiffs alleged that the company failed to accurately describe its data security capabilities, among other things, in its securities filings. This case remains in the early stages.
Defendants have had success in getting shareholder data-breach claims dismissed on the pleadings, including for failure to plead falsity or scienter with the requisite particularity.[342] For example, the Northern District of California dismissed a shareholder suit related to a January 2022 data security incident.[343] The plaintiffs in that case sued under Section 10(b) and 20(a) of the Securities Exchange Act of 1934, alleging that the company and certain officers made false and misleading statements in the company’s disclosures about its data security practices.[344] The court dismissed these allegations, finding that the plaintiffs failed to allege either falsity or scienter based on the defendants’ general statements about the company’s commitment to data security.[345]
B. Wiretapping and Related Litigation Concerning Online “Tracking” Technologies
Last year’s Review noted a deluge of lawsuits brought under federal and state wiretapping statutes. This trend continued in 2023, with recent lawsuits alleging that various businesses invade consumers’ privacy rights and violate federal and state wiretapping statutes by allegedly failing to obtain sufficient and valid consent when using various online “tracking” technologies, such as session replay, pixels, and chat software. Plaintiffs in these cases generally allege that their interactions with businesses’ websites or apps are “communications” between them and the business, which are being “recorded” and “intercepted” by the business through a third-party pixel, software development kit, chat, or session-replay service provider.[346]
Many of these cases focus on claims for violations of wiretapping statutes. Wiretapping statutes were initially intended to prevent surreptitious recording of, or eavesdropping on, phone calls without the consent of the parties involved, but they have evolved to cover other forms of electronic and digital communications. The federal Wiretap Act of 1968, as amended by the Electronic Communications Privacy Act of 1986,[347] is a “one-party” consent statute that allows communications to be intercepted (with certain exceptions) so long as “one of the parties to the communication has given prior consent[.]”[348] Almost all 50 states also have some form of wiretapping statute; most of them are also one-party consent statutes, but a significant minority require “two-party” (or “all-party”) consent.[349] Many recent lawsuits have brought claims under both the federal Wiretap Act and various state statutes, with litigation heavy in all-party consent states like California (where statutory damages can run as high as $5,000 per violation), Pennsylvania, and Florida.[350]
In addition to alleged violations of wiretapping statutes, lawsuits concerning online tracking technologies frequently raise a host of interrelated legal issues.
For example, a plaintiff in a Northern District of California case alleged that a pixel tool was embedded in a university-owned hospital website where the plaintiff entered private medical information concerning her cardiovascular health.[351] Because this information was allegedly redirected to a third-party company, the plaintiff claimed that the defendant violated the California Invasion of Privacy Act (“CIPA”), three separate sections of the Confidentiality of Medical Information Act (“CMIA”), and the California Constitution. The plaintiff also alleged common law causes of action including breach of contract, unjust enrichment, and the right to privacy. The court allowed the common law privacy and two CMIA claims to move forward and dismissed the remaining claims, largely on the basis that the university is an immune public entity. Similarly, in Jackson v. Fandom Inc.,[352] another Northern District of California judge denied the defendant’s motion to dismiss a proposed class action alleging that the defendant, a hosting service for user-generated wikis, violated the federal Video Privacy Protection Act (“VPPA”) by sharing users’ personally identifiable information (“PII”) through pixels. Specifically, the judge found that associating viewing history with the plaintiff’s unique user ID may have constituted unlawful disclosure of PII.[353]
In yet another notable decision, a federal judge dismissed claims against a technology company alleging it had shared information about the plaintiffs’ online activity with a third party via a pixel without the plaintiffs’ consent.[354] The plaintiffs claimed that the company’s terms of use did not inform users that the platform was sharing information with the third party and that its failure to disclose this information was fraud by omission in violation of both California’s Unfair Competition Law (“UCL”) and its Consumer Legal Remedies Act (“CLRA”). They also asserted claims under VPPA and for unjust enrichment. In granting the company’s motion to dismiss these claims, the court reasoned that Rule 9(b)’s heightened pleading standard applied because the alleged fraud stemmed from alleged misrepresentations in the company’s terms of use.[355] The court therefore granted the company’s motion to dismiss the CLRA and UCL claims. In November 2023, the company moved for summary judgment on that claim, which remains pending.
These cases are representative of many others, and we expect plaintiffs to leverage their mixed outcomes to continue to bring and attempt to extract settlements in similar matters.
C. Anti-Hacking and Computer Intrusion Statutes
The federal Computer Fraud and Abuse Act (“CFAA”) generally makes it unlawful to “intentionally access a computer without authorization” or to “exceed[] authorized access.”[356] In recent years, several high-profile court decisions, including the U.S. Supreme Court’s 2021 decision in Van Buren v. United States, have limited the CFAA’s scope.[357] In 2022, these decisions also prompted the Department of Justice to narrow its CFAA enforcement policies,[358] as described in last year’s Review.
In 2023, courts around the country have continued to grapple with the CFAA’s outer bounds. Summarized below are three cases of particular interest, including a case from the Second Circuit analyzing venue considerations in CFAA actions and a pair of district court cases reaching somewhat different conclusions on whether software constitutes a “computer” under the statute.
Venue in CFAA Criminal Cases. In July 2023, the Second Circuit upheld a criminal CFAA conviction against a venue challenge.[359] The case involved a defendant, a disgruntled former employee, who deleted information from her company’s online database, which was hosted on servers outside of New York.[360] Her deletion of the database prevented some employees in New York from accessing it.[361] A criminal action was brought against the defendant in the Southern District of New York and the defendant argued venue was improper because the data she deleted resided on servers in Virginia and California, and therefore she could not have damaged a computer in New York.[362] The Second Circuit rejected this claim, holding that even though the data was stored on cloud servers elsewhere, the defendant had still “damaged” a computer in New York, because she had “impair[ed] . . . the integrity or availability of data, a program, a system, or information” on a computer there.[363] The Supreme Court denied certiorari.[364] The case is notable not just because of its expansive view of venue in CFAA criminal cases, but also because it raises new questions about the scope of covered harm to “protected computers” in CFAA criminal and civil cases alike—an especially important issue given the interconnectedness of computer networks.
Cloud Computing Systems As Covered “Computers.” In July 2023, an Illinois federal district court held that a “cloud-based system of data storage” constitutes a “computer” under the civil enforcement sections of the CFAA.[365] The defendants in this case allegedly accessed a former employer’s Microsoft Office 365 cloud services after their employer terminated them—by logging in with old and phony credentials.[366] The defendants moved to dismiss the employer’s CFAA claim, arguing a cloud service is not a protected “computer” under the CFAA.[367] The court disagreed.[368] The court reasoned that the CFAA broadly defines a “computer” as “an electronic, magnetic, optical, electrochemical, or other high speed data processing device performing logical, arithmetic, or storage functions, and includes any data storage facility or communications facility directly related to or operating in conjunction with such device.”[369] Because a cloud system involves storing data on remote servers, and “[s]ervers fit within the plain language” of a computer under the Act, the plaintiff had sufficiently alleged that the defendants improperly accessed a “computer” under the CFAA.[370] The court also rejected the premise that CFAA liability could attach only if the plaintiff, rather than Microsoft, actually owned the remote servers that supported the cloud service.[371]
Software Not a Covered “Computer.” By contrast, in April 2023, a New Jersey federal district court held that “software” does not constitute a protected computer under the CFAA.[372] In this case, the plaintiff claimed that he was hired to install certain software he created on a bank’s computers, but a dispute arose over whether the bank had paid for a license to use the software.[373] The plaintiff sued, claiming, among other things, that by using the software without permission and by locking him out of his bank computer (which allegedly contained the software), the bank violated the CFAA.[374] The court summarily disagreed, noting that the plaintiff had presented “no authority indicating that software is a ‘computer’ within the meaning of the CFAA,” and dismissed the claim.[375]
Generative AI and the CFAA. Another notable development from this past year was the bevy of lawsuits filed against generative AI companies, challenging the companies’ alleged practice of scraping or otherwise obtaining data to train their AI models. Some of these lawsuits claim that these practices—which involve allegedly harvesting publicly accessible data from the Internet or obtaining user data through the use of “plug-ins” installed on third-party websites—violate the CFAA for exceeding authorized access to plaintiffs’ computers.[376] These cases are still at their early stages and will likely need to grapple with the Ninth Circuit’s 2022 decision in hiQ Labs, Inc. v. LinkedIn,[377] which held that the CFAA’s concept of “without authorization” may not apply “when a computer network generally permits public access to its data”—although the Ninth Circuit noted there may be other common law and statutory claims available for those who believe they have been the victims of data scraping.[378]
The Comprehensive Data Access and Fraud Act (“CDAFA”) is California’s sister statute to the CFAA, and it creates a private right of action against any person who “[k]nowingly accesses and without permission takes, copies, or makes use of any data from a computer, computer system, or computer network, or takes or copies any supporting documentation, whether existing or residing internal or external to a computer, computer system, or computer network.”[379] “Access” means to “cause output from” the “logical, arithmetical, or memory function resources of a computer.”[380]
In 2023, several district courts considered the interaction between the CDAFA and the recent wave of litigation related to website tracking technologies, including web pixels. Below are two such cases of interest.
Private Browsing Modes and Online Advertising Technologies. In August 2023, a California district court denied a motion for summary judgment on a CDAFA claim. Plaintiffs alleged that a prominent internet company improperly tracked user activity when users were using “private browsing modes.”[381] Plaintiffs claimed that, when third parties embedded certain advertising technologies into their websites, those technologies sent data about the users’ online activities to the company, even if the users were using a private browsing mode.[382] The company sought summary judgment on plaintiffs’ CDAFA claim, arguing that the company could not have “accessed” plaintiffs’ computers under the CDAFA because “website developers,” not the defendant, embed the code that directs users’ browsers to send requests to the company’s servers.”[383] The court rejected this argument, holding that the fact that “website developers chose to embed [the company’s] services onto their websites at most creates a triable issue as to whether developers and not the company . . . ‘cause output from’ plaintiffs’ computers” under the CDAFA.[384] The company separately argued that plaintiffs had suffered no “damage or loss” under the CDAFA, but the court rejected this argument, too, holding that “plaintiffs [had] proffer[ed] evidence that there is a market” for their browsing history data.[385] On December 26, 2023, the parties announced that they had reached a preliminary settlement agreement.[386]
“Technical Barriers” for First-Party Websites. In October 2023, a California district court dismissed with prejudice a CDAFA claim premised on the theory that a chatbox on a developer’s website transmitted certain user information to third parties.[387] The developer argued that it did not act “without permission” under the CDAFA because it did not overcome any “technical or code-based barriers” to insert the third-party code into its own website and allegedly transmit user information.[388] The district court agreed, holding that there are “no technical barriers blocking Defendant from using its own Website” in the manner alleged.[389] The district court also dismissed the claim on the basis that plaintiff had failed to allege any damage or loss under the CDAFA.[390]
D. Telephone Consumer Protection Act Litigation
Originally enacted in 1991, the Telephone Consumer Protection Act (“TCPA”) regulates certain forms of telemarketing and the use of automatic telephone dialing systems (“ATDS”).[391] Historically, much of TCPA litigation centered on issues concerning the technical definition of an ATDS, but that issue was largely clarified through the Supreme Court’s 2021 opinion in Facebook Inc. v. Duguid, which favored a narrower definition that limited it to devices that store or produce telephone numbers by using a random or sequential number generator. [392] Nonetheless, the TCPA continues to be an area of significant regulatory and litigation activity. 2023 was defined by increased regulation and enforcement by the FCC, as well as ongoing federal litigation addressing the scope of the TCPA.
TCPA cases continue to make their way up to the federal appellate courts, which frequently present the issue of whether receipt of a single unsolicited call is sufficient to confer Article III standing. Some circuits have answered in the affirmative. For example, the Sixth Circuit held that a consumer who had received a ringless voicemail had standing to sue under the TCPA.[393] The plaintiff argued, successfully, that the receipt of the unsolicited ringless voicemail was comparable to the common law tort of intrusion upon seclusion.[394] Similarly, in Drazen v. Pinto, an en banc panel of the Eleventh Circuit held that individuals who received even a single unwanted telemarketing text message had standing to sue under the TCPA, overruling the court’s prior decision that held the opposite.[395]
In another notable decision, Hall v. Smosh Dot Com, Inc., the Ninth Circuit held that a phone line subscriber has standing to sue for TCPA violations, even if the subscriber is not the recipient of the call.[396] Even though the plaintiff’s son in that case had received the unwanted text messages, the Ninth Circuit stated that the TCPA does not require that “the owner of a cell phone must also be the phone’s primary or customary user to be injured by unsolicited phone calls or text messages sent to its number.”[397]
Not all courts have read the TCPA so expansively, and appellate courts continue to find communications not covered by the language of the TCPA. For example, in January 2023, the Third Circuit held that faxes sent by a drug testing laboratory, promoting a free educational seminar about opioid use and medication monitoring, did not qualify as “unsolicited advertisements” under the TCPA.[398] In another notable case, the Ninth Circuit held that text messages did not violate the TCPA’s prohibition on “prerecorded voices,” because text messages are not “voice” messages.[399]
In the face of newly implemented rules, shifting case law, and new communications technology, we expect the TCPA to continue to be an area to watch.
1. California Consumer Privacy Act Litigation
While the regulatory atmosphere around the CCPA evolved in 2023, the litigation landscape remained fairly constant. Consumers, individually or as a class, continued to litigate under the CCPA, making claims for both pecuniary and statutory damages.
a. Potential Anchoring Effect of CCPA Statutory Damages
As discussed in last year’s Review, the CCPA’s provisions for statutory damages have continued to frame settlement negotiations. The CCPA provides that consumers exercising their private right of action for a data breach may recover the greater of statutory damages between $100 and $750 per consumer, per incident, or actual damages.[400] The cases summarized below provide color on how these statutory damages have impacted settlement terms in the CCPA context.
Automobile Manufacturers and Marketing Vendor. In this case, previously discussed in last year’s Review, residents of California and Florida filed class actions alleging that auto manufacturers and a marketing vendor failed to adequately secure customers’ personal information, allowing hackers to steal information such as driver’s license numbers, Social Security numbers, financial account numbers and more.[401] The plaintiffs asserted causes of action for negligence, breach of implied contract, violation of the CCPA, violation of California’s Unfair Competition Law, and breach of contract. The parties agreed to a settlement which was granted final approval on May 31, 2023.[402] The terms of the settlement reflect the potential effects of the CCPA, as California residents whose sensitive personal information was affected received $350, while the non-California residents whose sensitive personal information was exposed would receive only $80 (about 77% less than their California peers).[403]
Ticket Retailer. Consumers who bought tickets from a ticket retailer brought suit after a data breach was disclosed. Plaintiffs alleged that “skimmers” placed on the defendant’s checkout webpage stole their personal sensitive data.[404] Plaintiffs asserted a variety of claims, including negligence, breach of contract, violation of California’s Unfair Competition Law, and violation of the CPPA.[405] The parties reached a $3 million settlement, which was granted final approval on October 30, 2023. The settlement fund provides California sub-class members with an additional $100 “California Statutory Award benefit.”[406]
b. Requirements for Adequately Stating a CCPA Claim
Courts continued to give shape to the requirements to plead a CCPA claim. The decisions below address the facts and allegations required to bring a CCPA action under its limited private right of action, which applies only to data breaches.
Software Company Automatic Renewal Case. The Ninth Circuit recently affirmed the dismissal of a case alleging violations of the CCPA. The plaintiff alleged his data was shared with a credit card processor without his authorization due to the automatic renewal of his subscription. The trial court dismissed his claim because the plaintiff had agreed to the defendant’s End-User License Agreement, which stated his subscription would renew every 12 months unless terminated.[407] The trial court found the disclosure of his personal information was not “without authorization” and was not caused by a failure to implement reasonable security procedures and practices.[408] The Ninth Circuit affirmed.[409]
Online Banking. Plaintiff alleged that the defendant bank violated the CCPA when an unknown individual accessed his bank account, changed his contact information, and obtained new account cards to make purchases. The bank, on a motion to dismiss, argued that the plaintiff had not alleged that a data breach occurred. The court disagreed, finding that plaintiff’s allegations that his account was accessed and personal information obtained because of the failure to implement reasonable security procedures were sufficient to state a claim under the CCPA.[410]
c. CCPA Violations Under the UCL
Violations of the CCPA cannot serve as the predicate for a cause of action under a separate statute including California’s Unfair Competition Law (“UCL”).[411] While there has been no change regarding the inability to use a CCPA violation as the predicate “unlawful” claim under the UCL, one court has found the CCPA may create a property interest upon which a UCL claim may be brought. That decision is summarized below.
Search Engine Company. Originally filed in June 2020, this class action alleges that a large technology company unlawfully collected data from users while using the company’s browser in incognito or private mode.[412] The plaintiffs brought claims, including under the federal Wiretap Act, the California Invasion of Privacy Act (CIPA), and California’s UCL.[413] On summary judgment, the defendant argued that plaintiffs had no economic injury as required for a UCL claim, as they had not lost money or property as a result of the data collection.[414] Plaintiffs argued that their private data has monetary value and they have a property interest in that data “because the [CCPA] affords them the right to exclude Google from selling their data to third parties.”[415] The court agreed with plaintiffs, holding that “plaintiffs have identified an unopposed property interest for at least a portion of the class period under the California Consumer Privacy Act.”[416] The court further found that money damages are not an adequate remedy alone, and that injunctive relief is necessary to address the ongoing data collection.[417]
d. The CCPA’s 30-Day Notice Requirement
The CCPA requires that a “consumer provide[] a business 30 days’ written notice identifying the specific provisions of [the CCPA] the consumer alleges have been or are being violated.”[418] The written notice initiates a 30-day period during which the business may cure any violation. While this cure provision was eliminated by the CPRA, cases addressing the notice-and-cure provisions have continued to move through the courts. Last year’s Review discussed a case dismissing a suit with prejudice where plaintiffs did not comply with the 30-day notice period.[419] The cases below have departed from that decision, illustrating the boundaries of the cure provision as a safeguard.
Consumer Debt Collector. Plaintiffs alleged that their personal information was stolen in a data breach because the information was unencrypted and improperly safeguarded.[420] Plaintiffs brought claims under the CCPA for actual and statutory damages, even though they provided no pre-suit notice for the defendant to cure as required under the CCPA.[421] The court noted that no pre-suit notice is required to the extent plaintiffs sought pecuniary damages, but dismissed the statutory damages claims without prejudice.[422] In dismissing the claim for statutory damages without prejudice, the court expressly declined to follow Griffey, which we discussed in last year’s Review. The Griffey court had dismissed a CCPA claim with prejudice, reasoning that the purpose of the pre-suit notice is to allow the defendant time to cure the violation out of court.[423] Allowing a plaintiff to file a complaint, then send a notice, and then file an amended complaint defeats this remedial purpose of the statutory notice-and-cure provision. The Western District of Washington expressly rejected Griffey’s rationale, concluding that dismissal without prejudice “accords with the remedial nature of the CCPA’s notice provision.”[424]
Money Services Business. After a data breach, plaintiffs brought suit claiming negligence, breach of implied contract, and violation of the CCPA due to the disclosure of their names, Social Security numbers, and driver’s license numbers.[425] Defendant moved to dismiss the CCPA claim, arguing it was barred due to the notice-and-cure provision. Defendant “claimed to have enhanced its security measures” after receiving notice of the alleged violation, and thus “cured all alleged violations within the requisite time period.”[426] The court found this straightforward assertion insufficient because “the implementation and maintenance of reasonable security procedures and practices . . . following a breach does not constitute a cure with respect to that breach.”[427] The court pointed out that the defendant had not provided any additional detail on the nature of its cure, concluding that this was insufficient at the motion-to-dismiss stage.[428]
e. Guidance on Reasonable Security Measures in Connection with the CCPA
In addition to the cases highlighted by last year’s Review,[429] courts have continued to weigh in on what qualifies as reasonable data security measures under the CCPA.
Moving Company. Plaintiffs brought suit after their personal information was stolen by hackers in a cyberattack. Plaintiffs asserted violations of the CCPA for failure to take reasonable precautions to protect their personal information.[430] The court declined to dismiss the CCPA claim, and identified a number of measures the defendants could have taken prior to the breach. Plaintiffs specifically alleged that the defendant’s security measures were inadequate because they failed to implement “adequate filtering software,” “adequate[] training,” “multi-factor authentication,” encryption, and destruction when the personal information was no longer in use.[431] The court also pointed to plaintiff’s complaint, which “identif[ied] fourteen cybersecurity best practices that defendant should have followed but allegedly did not.”[432]
Large National Bank. Plaintiffs brought numerous claims arising out of prepaid benefits payment cards issued by the bank.[433] Plaintiffs alleged that these cards were targeted by bad actors, and the information was easily accessible since the cards had magnetic strips instead of chips. Plaintiffs claimed that erroneous charges and unauthorized transactions resulted in the loss of their funds and alleged violations of the CCPA due to the debit cards’ lack of chip technology, asserting that use of chip technology is a necessary reasonable security measure to protect their personal information. The court agreed, finding that the allegations stated a claim under the CCPA.[434] The court also found that plaintiffs’ allegation that the bank failed to subject its agents to background checks was adequate to state a claim based on failure to implement and maintain reasonable security measures and practices.[435]
2. State Biometric Information Litigation
a. Illinois Biometric Information Privacy Act
2023 was another active year for Illinois’s biometrics law, with courts continuing to expand the scope of the Biometric Information Privacy Act (“BIPA”), but also recognizing new limitations. Perhaps unsurprisingly, Illinois also continued as the leading state with respect to biometrics-related litigation.
BIPA’s Statute of Limitations Under Section 15. The Supreme Court of Illinois found that claims brought under Section 15 of BIPA (which relates to retention, collection, disclosure, storage, and use of biometric information) have a five-year statute of limitations, reversing an appellate court’s ruling that placed a one-year limit on such claims.[436] Under Illinois law, “actions . . . to recover damages for an injury done to property, real or personal . . . and all civil actions not otherwise provided for, shall be commenced within 5 years next after the cause of action accrued.”[437] Part of the court’s justification for finding that the default Illinois statute of limitations five-year catchall applied was because a shorter limit would “thwart [the] legislative intent” of BIPA to provide redress for persons aggrieved and “shorten the amount of time a private entity would be held liable for noncompliance with the Act.”[438] Additionally, upon a certified question from the Seventh Circuit, the Supreme Court of Illinois ruled in a 4-3 decision that BIPA claims “accrue under the Act each time a private entity scans or transmits an individual’s biometric identifier or information in violation of section 15(b) or 15(d).”[439] The court dismissed ongoing policy-based concerns about massive damages by reiterating that the court “has repeatedly recognized the potential for significant damages awards under the Act” and that such high damages operate as an incentive for private entities to conform to state law.[440] While noting trial courts presiding over a class action “possess the discretion to fashion” a fair yet less-deleterious award, the court concluded that the legislature was the best vehicle to address policy concerns and the plain language of the statute authorized accrual of claims.[441]
BIPA Claims Survive Death. Also in 2023, a federal court in Illinois, hearing a class action case where the named plaintiff passed away, held that BIPA created a personal property interest and claims survive the plaintiff’s death.[442]
ii. New Recognized Limitations Under BIPA
Even so, courts recognized limitations to claims brought under BIPA in 2023.
“Active Steps” In Furtherance of Collecting Biometric Data. For example, an Illinois federal judge dismissed two claims in a proposed class action where an employer used third-party timekeeping software that registered and scanned employee fingerprints which were then stored on a vendor’s cloud storage service.[443] The judge held that the cloud storage vendor did not take an “active step” in furtherance of collecting biometric information merely by contracting with the third party to provide access to the vendor’s cloud storage system, but instead was “merely a vendor to the third party that provided the biometric timekeeping technology and services to [the employer].”[444]
Exceptions to Collections of Biometric Data: In some cases, courts found that certain exceptions privileged the collection of biometric data—for example, one trial court held that the “general health care exemption” to BIPA covered a virtual try-on tool for sunglasses, finding sunglasses to be a Class I medical device under the FDA.[445] Another court denied the plaintiff’s motion to strike the defendant’s affirmative defense that “the biometric identifiers it collects fall within [the general health care] exception because they are collected along with medical information provided by a donor,” such as fingerprints taken prior to donating plasma used to identify the patient during each donation.[446] The court noted that BIPA does not define the term “patient” nor does it define the term “health care” and found that the defendant’s arguments as to why the exception applied were sufficient to survive a motion to strike.[447]
b. Texas Biometric Privacy Law Litigation
As discussed in last year’s Review, in February 2022, Texas Attorney General Ken Paxton brought the first enforcement action under the Texas Capture and Use of Biometric Identifier Act (“CUBI”) more than two decades after its passage in 2001.[448] AG Paxton asserted a CUBI claim against a large social media company alleging that the company’s collection of “facial geometries” in connection with its facial recognition and tagging feature that it deprecated in November 2021 violated CUBI, in addition to bringing claims under Texas’ Deceptive Trade Practices Act.[449] The parties continued to conduct discovery in the case throughout 2023.
In late October 2022, Texas filed a similar action against another large technology company for alleged violations of CUBI.[450] The case is still in the early stages of discovery. These two cases remain the only actions brought under CUBI. Given the preliminary enforcement efforts by the state of Texas, companies can continue to expect heightened state-level scrutiny and enforcement in the biometrics arena in 2024.
c. New York Biometric Privacy Law Litigation
2023 also saw challenges under the N.Y.C. Biometric Privacy Law. On May 19, 2023, two plaintiffs filed a class action against a large live-entertainment company for its alleged use of facial recognition software to keep banned individuals out of its venues.[451] The plaintiffs allege that the company collects biometric information from every person who enters its venues, and then compares that information to an internal database of banned individuals.[452] The complaint further alleges that the company shares this biometric information with at least one third-party vendor, and that the company ultimately benefits in the form of reduced litigation costs.[453]
The plaintiffs allege that this undisclosed collection, use, and disclosure of customers’ biometric data violates the 2021 New York City Biometric Identifier Information Law and the right to privacy guaranteed by Article 5 of the New York Civil Rights Law.[454] Plaintiffs also pleaded an unjust enrichment claim, maintaining that the company wrongfully obtained benefits from the proposed plaintiff class in the form of valuable data.[455]
On January 9, 2024, a federal magistrate judge released a report recommending dismissal of the civil rights and unjust enrichment claims.[456] On the civil rights law claim, the court found that the limitations period of one year had already run for one plaintiff.[457] For the other plaintiff, the court found that the defendant’s alleged collection and use of biometric information to remove banned individuals could not plausibly be understood “as seeking to draw trade at its venues”—a necessary element of a claim under the civil rights statute.[458] The magistrate also recommended dismissing the unjust enrichment claim on the ground that “New York courts have long recognized the Civil Rights Law as ‘preempting all common law claims based on unauthorized use of name, image, or personality, including unjust enrichment claims.’”[459] Thus, under New York law, there can be no unjust enrichment claim arising from use of one’s personal image.[460] The magistrate recommended allowing the New York City Biometric Identifier Law claim to proceed, finding that the defendant’s alleged conduct is consistent with the text and legislative history of the statute.[461]
F. Other Noteworthy Litigation
Supreme Court Declines to Address Scope of Section 230. In last year’s Review, we noted that the U.S. Supreme Court granted certiorari in two cases that could affect the scope of Section 230 of the Communications Decency Act of 1996, which protects “interactive computer services” from liability for user-published content. In each case, Twitter, Inc. v. Taamneh[462] and Gonzalez v. Google LLC,[463] plaintiffs alleged that social media companies were liable under the Anti-Terrorism Act (ATA) for aiding and abetting acts of terrorism that resulted in the deaths of plaintiffs’ family members. According to the plaintiffs, ISIS allegedly used the defendants’ websites to fundraise and recruit new members, with little interference by content moderators—and sometimes even active promotion by the defendants’ algorithms. Both cases came from the Ninth Circuit Court of Appeals, which had allowed the Taamneh case to proceed[464] but held that Section 230 barred most of the claims in Gonzalez.[465]
The U.S. Supreme Court unanimously reversed the Ninth Circuit’s decision in Taamneh, holding that the plaintiffs had not stated a claim under the ATA because they failed to show “any concrete nexus between defendants’ services” and the attack.[466] On the same day, the Court declined to address the Ninth Circuit’s holding regarding Section 230 in Gonzalez, instead remanding the case for reconsideration in light of Taamneh.[467] Thus the Court effectively sidestepped the question of whether Section 230 bars platform liability for algorithmic amplification of user-published content by resolving one case on ATA grounds alone and remanding the other.
Large Technology Companies Continue to Face VPPA-Related Litigation. Several lawsuits were filed in 2023 concerning companies’ collection and management of users’ video-related information. For example, with respect to a lawsuit relating to one major technology company’s management of user video history information, a federal district court dismissed with prejudice a claim that the company’s alleged retention of the plaintiff’s video rental history violated the New York Video Consumer Privacy Act and the Minnesota Video Privacy Law.[468] The court observed that, like the VPPA, these state analogue statutes were meant to prevent unauthorized disclosure of video-related data rather than mere retention of it.[469]
In another video-related case,[470] a federal court held that the plaintiff had adequately pleaded a VPPA violation by alleging that a company disclosed information about the plaintiff’s online activity to his school district, which was using the company’s platform for digital learning during the COVID-19 pandemic.[471] The company moved to dismiss this claim on two grounds: First, it argued that the plaintiff was not a “subscriber” within the meaning of the VPPA, since his account with the defendant was a byproduct of his relationship with the school district.[472] Second, the company argued that any disclosure of PII was permitted by the VPPA because it was done “in the regular course of business” with the school district.[473] The court rejected both arguments, finding that the plaintiff, who held an account directly with the defendant, was plausibly a subscriber.[474] The court also said it was not appropriate to decide the second issue at the motion to dismiss stage, as the company’s contract with the district was not part of the court’s record.[475]
Employers May Be Potentially Liable for Failing to Secure Employees’ Personally Identifiable Information. 2023 also saw new lawsuits focusing on employee data privacy and seeking to hold employers liable for failing to secure employees’ PII or failing to implement appropriate safeguards. For example, the United States Court of Appeals for the Eleventh Circuit ruled that a plaintiff had plausibly alleged a negligence claim against a former employer that failed to protect PII in the employer’s possession.[476] The complaint alleges that as a condition of employment, the plaintiff and members of the proposed class were required to give the defendant certain PII like their names and Social Security numbers.[477] However, the employer did not maintain adequate security measures to protect that information, and the PII was subsequently leaked in a ransomware attack on the employer’s system.[478]
The court held that such an attack was reasonably foreseeable for a large employer like the defendant; that the plaintiff adequately pleaded that the former employer owed him a duty of care; and that failure to comply with standard data security practices was plausibly a breach of that duty.[479] Thus, the court allowed the plaintiff’s negligence claim to move forward.
Likewise, a major car manufacturer was sued for allegedly failing to protect the personal information of 75,000 current and former employees that was exposed in a data breach carried out by former employees of the company.[480] The complaint alleges that the company failed to implement or follow reasonable data security procedures as required by law, and failed to protect the sensitive information of class members from unauthorized action.[481] The case is in its early stages, and there has not yet been any dispositive-motion practice.
IV. Trends Related to Data Innovations and Governmental Data Collection
A. Data-Intensive Technologies—Privacy Implications and Trends
With the continued proliferation of data-intensive technologies, big data processing and its privacy implications continued to be an area of great focus in 2023. In addition to innovations and issues pertaining to AI, which are covered in detail in Gibson Dunn’s forthcoming Artificial Intelligence Legal Review, there was a renewed focus on smart cities, edge computing and privacy-enhancing technologies (PETs).
Smart Cities. The trend over the past decade of cities getting “smarter” continued at a rapid clip in 2023. A “smart city” leverages technology, data-driven decision-making, and digitally connected infrastructure to optimize the quality of municipal services, promote safe and sustainable communities, and achieve operational efficiencies.[482] Most of the technologies that smart cities are currently using do not collect or process personal data. For example, smart street-lighting technologies allow cities to turn on, turn off, and dim street lights based on the time of day and weather events and smart water management technologies allow cities to detect chemicals in drinking water and wastewater systems.[483] However, given that smart city technology applications are fueled by and necessitate large scale collection and processing of data as well as government partnership with the private sector, privacy advocates and policy makers are increasingly concerned about the privacy implications of such technology. These concerns largely relate to:
- Data security: Smart cities can be vulnerable to cyberattacks because they rely on internet of things (“IoT”) devices, which are common and often insecure targets.[484] Furthermore, local governments often lack the resources to obtain secure technologies, update them, and employ cybersecurity experts.[485] In fact, a recent survey found that nearly one-third of local governments would be unable to detect whether their systems had been hacked.[486]
- Commercial use of data: Smart city data may be used commercially if a city partners with a private company to pay for technologies and in exchange gives the company access to data the city collects.[487] A privacy concern arises if the city shares sensitive data with private partners.
- Government surveillance: Some privacy advocates are concerned that governments will use smart city technologies to surveil individuals by obtaining data the government could not otherwise compel access to or by pulling data from different sources to build behavior profiles on individual residents.[488] Critics assert that cities are already theoretically able to aggregate enough data from smart city technologies to build detailed behavior profiles on their residents.[489] Ultimately, these debates may be settled by courts, which will decide if these data collection practices violate U.S. privacy laws or the Fourth Amendment.[490]
Although there has not been any legislation seeking to specifically regulate smart city technologies, many of the existing or pending privacy regulations are potentially applicable. However, as smart city technologies, particularly those implicating personal information or sensitive data, continue to grow in number and capability, we expect to see more specific legislation targeting such technology and use cases.
Edge Computing. The enormous volume of data being generated and processed by data-intensive technologies—e.g., IoT devices—has strained traditional computing models. This has led organizations to increasingly embrace “edge computing”—an emerging decentralized computing paradigm where data is processed closer to where it is generated, thus allowing processing of greater data volumes at greater speed.[491] Experts predict that spending on edge technology will continue to soar.[492] Due to deployment of strong internet infrastructures and a growing awareness of the importance of IoT across industries, the edge computing market is estimated to grow at a compound annual growth rate of 21.6% to hit an estimated $132.11 million in 2028.[493] The number of endpoint devices in use is also expected to skyrocket, with estimates of up to 55.7 billion total IoT devices deployed worldwide in the next few years.[494] Telecommunication companies are expected to play a large role in the growth of edge computing, as their widespread infrastructure and expansive reach position them well, literally (based on their close physical proximity to potential customers) and figuratively, to tap the edge computing market.[495]
Although the rise of edge computing is largely a function of the benefits to data processing speed and volume, edge computing has important data privacy and security benefits. For example, edge computing can mitigate some of the privacy risks innate to centralized storage and processing,[496] by diffusing data and thus reducing the scope and impact of a data breach. Edge computing may also reduce the incentives for malicious actors, as an edge device with one or a few users’ data is a less desirable target than a cloud database with millions of users’ data.[497] However, by the same token, storing and processing data on devices outside of a centralized corporate network potentially makes the data less secure, given that personal edge devices are often less secure than corporate devices.[498]
Some commentators have also suggested that edge computing may be an effective compliance tool, particularly with respect to cross-border data transfer laws. For example, one commentator believes that corporations will be able to use edge computing to manage personal data in adherence with local privacy laws by “placing certain locali[z]ed proxy policies that will not allow certain types of data to leave that legal jurisdiction.”[499] Traces of this can be found in the EU’s federated cloud infrastructure model, GAIA-X, which aims to let national governments apply local laws to cloud-hosted data.[500]
Given the rapid proliferation of data-intensive technologies, we expect organizations to continue to focus on alternative computing paradigms like edge computing, which will bring new benefits and challenges for data privacy and security.
B. Emerging Privacy Enhancing Technologies (PETs)
In March 2023, the White House Office of Science and Technology Policy (“OSTP”) published its “National Strategy to Advance Privacy-Preserving Data Sharing and Analytics.” In sum, the report and strategy calls for development and implementation of PETs in order to mitigate the privacy risks inherent in, and thus unlock the innovative and economic benefits of, large-scale data processing.[501] Examples of PETs include:
- Homomorphic encryption: Homomorphic encryption is a differential privacy technique (adding noise to the data to prevent an adversary from determining whether any individual’s data was or was not included in the original dataset)[502] that allows computing over encrypted data to produce results in an encrypted form.[503] In other words, the data retains its relevant statistical characteristics for analysis, while hiding the data itself.[504] Then, only authorized users can extract the result from its encrypted format or see the original data.[505] However, homomorphic encryption is currently somewhat limited by higher computational costs and time.[506]
- Secure multi-party computation: Secure multi-party computation allows several parties to simultaneously perform agreed-upon computations over their data, while permitting each individual entity to learn only the final output.[507] Accordingly, distributed datasets can be computed over without revealing the source data.[508] However, the requirement of joint collaboration can lead to higher communication and computational costs, making it difficult to scale.[509]
- Federated learning: Federated learning allows multiple entities to collaborate and build machine-learning algorithms to process data on edge devices, such as smartphones.[510] Accordingly, the underlying data is not aggregated. Instead, the locally trained models are aggregated in the cloud.[511] In this way, participants do not have to share their raw data, providing inherent privacy protection. However, federated learning has recently been shown to be vulnerable to model inversion attacks.[512] Research into closing these vulnerabilities and creating privacy-preserving federated learning is ongoing.[513]
- Zero-knowledge proof: Zero-knowledge proof allows one party, the “prover,” to offer proof to another party, the “verifier,” that a statement is true without revealing any sensitive information.[514] Some digital assets use this technique to prove statements about transactions without revealing additional metadata,[515] and neural networks are using zero-knowledge proof schemes to show that prediction tasks are being carried out, without disclosing any information about the model itself.[516] However, zero-knowledge proof currently has some cost and scalability limitations.[517]
According to the OSTP report, the impetus for a national strategy on PETs is the White House’s belief that large-scale data processing is crucial for innovation and the economy. However, given the complex domestic and international regulatory landscape, the White House recognizes that inherent in such processing are significant privacy risks for data subjects and organization data subjects and organizations.[518] Accordingly, the strategy calls for the adoption of PETs, which can mitigate the privacy risks of large-scale data processing and thus unlock the benefits of data processing to fuel innovation and the economy.
The OSTP report enumerates 16 recommendations across five strategic priorities to advance the development and use of PETs.[519] Importantly, the report specifically calls for the use of secure multi-party computation and zero-knowledge proofs, as well as increased public and private sector partnership and U.S. partnerships/collaboration with foreign governments.
In the absence of a comprehensive federal privacy law and/or regulations specifically focused on privacy-preserving technologies, the OSTP’s strategy signifies what may be the beginning of a burgeoning national standard for the development and use of PETs.
C. Governmental Data Collection
EU-US Data Privacy Framework. In July 2023, the European Commission adopted its adequacy decision for the EU-U.S. Data Privacy Framework, concluding that U.S. protection of cross-border data transfers is comparable to the protection offered by the EU.[520] Speaking during a press conference announcing adoption of the U.S. adequacy decision, EU justice commissioner Didier Reynders said, “[w]ith the adoption of the adequacy decision, personal data can now flow freely and safely from the European Economic Area to the United States without any further conditions or authorizations.”[521]
The decision resolved the legal uncertainty surrounding exports of EU users’ personal data by U.S. companies that had existed since the Court of Justice of the European Union invalidated the EU-U.S. Privacy Shield in 2020.[522] However, legal challenges are expected, with critics claiming that the Data Privacy Framework merely “paper[s] over the same fundamental legal conflict between EU privacy rights and U.S. surveillance powers.”[523] Nonetheless, Reynders emphasized that the “new framework is substantially different than the EU-U.S. Privacy Shield as a result of the Executive Order issued by President Biden [in 2022]” and highlighted the reworked redress mechanism that will boast “an independent and impartial tribunal that is empowered to investigate complaints lodged by Europeans and to issue binding remedial decisions.”[524] Finally, Reynders cautioned U.S. technology giants that “[i]t will be for the companies to show that they’re in full compliance with the GDPR [General Data Protection Regulation].”[525]
On July 17, 2023, the Department of Commerce launched the new Data Privacy Framework program website, dataprivacyframework.gov.[526] The website allows U.S. companies to self-certify their participation in and commitment to the EU-U.S. Data Privacy Framework (“DPF”), and, optionally, the UK Extension or Swiss-U.S. DPF Principles, in order to participate in cross-border transfers of personal data.
Government Surveillance Reform Act (GSRA). In November 2023, a bipartisan group of senators introduced the Government Surveillance Reform Act (“GSRA”), which would reform the Foreign Intelligence Act (“FISA”) and amend the Electronic Communications Privacy Act (“ECPA”). Importantly, the GSRA proposes significant restrictions on government surveillance and access to data—including, among other things, (i) protecting Americans from warrantless backdoor searches, (ii) requiring warrants for Americans’ location data, web browsing and search records, and vehicle data, (iii) restricting government collection of Americans’ information as part of large datasets and prohibiting the government from purchasing Americans’ data from data brokers, and (iv) prohibiting the collection of Americans’ domestic communications.[527]
FISA, Section 702 was set to expire at the end of 2023,[528] but Congress approved a short-term extension in December 2023.[529] Under Section 702, the government could collect communications by non-Americans located abroad, without a warrant.[530] However, the private phone calls, emails, and text messages of U.S. persons were captured by the blanket surveillance techniques deployed under Section 702.[531]
In response, several lawmakers vowed not to reauthorize Section 702 without “significant reforms.”[532] The GSRA would ban officials from conducting searches for Americans’ communications unless they first obtain a warrant in a criminal investigation or a FISA Title I order in a foreign intelligence investigation.[533] The new warrant requirement would provide for narrow exceptions in cases of: (1) consent, (2) exigent circumstances, or (3) a government attempt to identify targets of cyberattacks by searching for malicious code embedded in Americans’ communications.[534]
The GSRA would also significantly overhaul the ECPA—which addresses wiretapping, access to stored electronic communications, and other information-collection devices.[535] These changes would alter the rights and obligations of entities already covered by the ECPA and expand the reach of the ECPA to entities not currently subject to it.[536] The GSRA would:
- Expand the scope of companies subject to the ECPA to include any online service provider.[537] The GSRA would add a new category of service providers—broadly defined as “any information service, system, or access software provider that provides or enables computer access by multiple users to a computer server”[538]—to the Stored Communications Act’s (“SCA”) provision governing compelled disclosures to governmental entities.[539]
- Effectively codify the Sixth Circuit’s decision in Warshak v. United States, 631 F.3d 266 (6th Cir. 2010), which held that law enforcement must obtain a warrant to compel the disclosure of the contents of user communications.[540] Further, the GSRA would effectively codify Carpenter v. United States, 138 S. Ct. 2206 (2018), by requiring law enforcement to obtain a warrant to compel the disclosure of location information, web browsing records, online search queries, and covered vehicle data.[541]
- Prohibit the government from purchasing the personal data of U.S. persons (U.S. citizens and lawful permanent residents) or people reasonably believed to be located inside the United States.[542]
- Exempt congressional subpoenas from the ECPA, allowing political officials to subpoena the communications and personal data of U.S. persons without any statutory protection.[543]
Dueling Surveillance Bills in the U.S. House of Representatives. In December 2023, the House postponed a planned vote on two competing surveillance bills under a procedural rule called “Queen of the Hill,” whereby the bill with the most votes is sent to the Senate.[544] The House Intelligence Committee advanced the first bill, the FISA Reform and Reauthorization Act of 2023, which faced backlash from privacy rights groups.[545] More than 50 organizations signed a letter demanding the bill’s rejection.[546] By contrast, the second bill, proposed by the House Judiciary Committee, entitled The Protect Liberty and End Warrantless Surveillance Act, received support from privacy advocates.[547] Both bills are still pending in the House.
In 2023, the privacy and cybersecurity landscape in the U.S. was defined by an expansion of regulatory and enforcement activity led by federal and state agencies, as well as civil litigation brought by private plaintiffs. This was driven in large part by the rapid development and advances in data-intensive technologies like AI and IoT; the unrelenting cyber threat posed by malicious actors; and related litigation arising from these trends. We expect these trends to continue in 2024 as existing technologies and use cases take hold and new ones emerge. In the absence of comprehensive federal legislation (which is unlikely in an election year), we expect federal and state agencies to continue to lead the charge on the regulatory front and aggressively pursue enforcement actions against companies and individuals. We will continue to track and analyze these developments in the year ahead.
__________
[1] Cal. Civ. Code § 1798.100 et seq.
[2] Va. Code Ann. §§ 59.1-575 to 59.1-585.
[3] Colo. Rev. Stat. Ann. § 6-1-1308.
[4] Conn. Gen. Stat. Ann. § 42-520.
[5] Utah Code §§ 13-61-101 to 13-61-404.
[6] S.B. 262, 125 Reg. Sess. (Fla. 2023) (to be codified in Fla. Stat. § 501.701-22).
[7] H.B. 4, 88 Reg. Sess. (Tex. 2023) (to be codified in Tex. Bus. & Com. Code §§ 541.001 to 541.205).
[8] S.B. 618, 82 Leg. Assemb., Reg. Sess. (Or. 2023) (to be codified in Or. Laws Ch. 369).
[9] S.B. 384, 68 Reg. Sess. (Mont. 2023) (to be codified in Mont. Code § 30-14-2801 to 30-14-2817).
[10] S.F. 262, 89th Gen. Assemb., Reg. Sess. (Iowa 2023) (to be codified in Iowa Code § 715D.1 to 715D.9).
[11] H.B. 154, 152 Gen. Assemb., Reg. Sess. (Del. 2023) (to be codified in 6 Del. Code § 12D).
[12] S.B. 332, 220 Leg. Assemb., Reg. Sess. (N.J. 2023).
[13] H.B. 1181; S.B. 73, 112 Gen. Assemb., Reg. Sess. (Tenn. 2023) (to be codified in Tenn. Code §§ 47-18-3301 to 47-18-3315).
[14] S.B. 5, 123 Gen. Assemb., Reg. Sess. (Ind. 2023) (to be codified in Ind. Code §§ 24-15-1-1 to 24-15-11-2).
[15] Notably, under the NJDPA, “financial information” is included as a form of sensitive data, which is defined as including “a consumer’s account number, account log-in, financial account, or credit or debit number, in combination in combination with any required security code, access code, or password that would permit access to a consumer’s financial account.”
[16] Under Civil Code section 1798.150, the damages available for a private right of action to pursue statutory damages between $100 and $750 per consumer per incident or actual damages, whichever is greater, as well as injunctive or declaratory relief, and “any other relief the court deems proper.” A number of limitations also exist. For example, under Section 1798.150(b), a consumer must give a business an opportunity to “cure” the alleged violation by sending written notice prior to filing suit. If cured within 30 days and the consumer receives “an express written statement” indicating that the violations have been cured and shall not recur, a claim for statutory damages cannot be pursued.
[17] Protecting Washingtonians’ Personal Health Data and Privacy, Wash. Att’y Gen., https://www.atg.wa.gov/protecting-washingtonians-personal-health-data-and-privacy.
[18] Wash. Rev. Code § 19.373.010(23).
[19] Id. § 19.373.010(23).
[20] Id. §§ 19.373.010(28), 19.373.030(2).
[21] Id. § 19.373.010(8)(a).
[22] Id. § 19.373.010(8)(b).
[23] Id. § 19.373.010(8)(c).
[24] Id.
[25] Protecting Washingtonians’ Personal Health Data and Privacy, Wash. Att’y Gen., https://www.atg.wa.gov/protecting-washingtonians-personal-health-data-and-privacy.
[26] Wash. Rev. Code §§ 19.373.020; 19.373.030.
[27] Id. §§ 19.373.010(6)(a); 19.373.030.
[28] Id. § 19.373.040(a)–(c).
[29] Id. § 19.373.090.
[30] Id. § 19.255.040.
[31] Id.
[32] Mont. Code § 30-23-102(4).
[33] Id. § 30-23-102(6).
[34] Id. § 30-23-104(1)–(2).
[35] Id. § 330-23-104(5).
[36] Id. § 30-23-106.
[37] Press Release, Senator Josh Becker, Governor Newsom Signs First in the Nation Bill to Protect Consumers’ Data from Unknown Third Parties (Oct. 10, 2023), https://sd13.senate.ca.gov/news/press-release/october-10-2023/governor-newsom-signs-first-in-the-nation-bill-to-protect.
[38] Cal. Civ. Code §§ 1798.99.84; 1798.99.86(a)–(b).
[39] Id. § 1798.99.86(c)–(d).
[40] Id. § 1798.99.86(d)(2).
[41] Id. § 1798.99.86(a)(3).
[42] Id. § 1798.99.86(e)(1).
[43] Id. § 1798.99.80(c).
[44] Id. § 1798.99.80(c)(1)(4).
[45] N.Y. Dep’t of Fin. Servs., Cybersecurity Resource Center, https://www.dfs.ny.gov/industry_guidance/cybersecurity.
[46] N.Y. Dep’t of Fin. Servs., Enforcement and Discipline, https://dfs.ny.gov/industry_guidance/enforcement_actions.
[47] Press Release, Utah Governor Spencer J. Cox, Gov. Cox Signs Bills Focused on Social Media and Youth Mental Health in Utah (Mar. 23, 2023), https://governor.utah.gov/2023/03/23/gov-cox-signs-bills-focused-on-social-media-in-utah/.
[48] Utah Code § 13-63-101, et seq.
[49] Id. §§ 13-63-201–301.
[50] Id. § 13-63-301.
[51] NetChoice, LLC v. Reyes, No. 2:23-cv-00911 (D. Utah); Zoulek v. Hass, No. 2:24-cv-00031 (D. Utah).
[52] NetChoice, LLC v. Griffin, No. 5:23-CV-05105, 2023 WL 5660155, at *7 (W.D. Ark. Aug. 31, 2023).
[53] Id. at *13.
[54] Id. at *17, 40–41.
[55] Alario v. Knudsen, No. CV 23-56-M-DWM, 2023 WL 8270811 (D. Mont. Nov. 30, 2023).
[56] Id. at *4.
[57] American Data Privacy and Protection Act (“ADPPA”), H.R. 8152, 117th Cong. (2022).
[58] Id. §§ 101(a)–(b), 103(a).
[59] Id. § 207(a)(1).
[60] Id. §§ 207(b), 401, 402(a).
[61] Id. § 403(a).
[62] Id. § 404(b)(1).
[63] See Innovation, Data, and Commerce Subcommittee Hearing: “Addressing America’s Data Privacy Shortfalls: How a National Standard Fills Gaps to Protect Americans’ Personal Information,” U.S. House Energy & Commerce Comm. (Apr. 27, 2023), https://energycommerce.house.gov/events/innovation-data-and-commerce-subcommittee-hearing-addressing-america-s-data-privacy-shortfalls-how-a-national-standard-fills-gaps-to-protect-americans-personal-information; Innovation, Data, and Commerce Subcommittee Hearing: “Promoting U.S. Innovation and Individual Liberty through a National Standard for Data Privacy,” U.S. House Energy & Commerce Comm. (Mar. 1, 2023), https://energycommerce.house.gov/events/innovation-data-and-commerce-subcommittee-hearing-promoting-u-s-innovation-and-individual-liberty-through-a-national-standard-for-data-privacy.
[64] Exec. Order No. 14,110, 88 Fed. Reg. 75191 (Oct. 30, 2023); see also Press Release, White House, FACT SHEET: President Biden Issues Executive Order on Safe, Secure, and Trustworthy Artificial Intelligence (Oct. 30, 2023), https://www.whitehouse.gov/briefing-room/statements-releases/2023/10/30/fact-sheet-president-biden-issues-executive-order-on-safe-secure-and-trustworthy-artificial-intelligence.
[65] Remarks of President Joe Biden – State of the Union Address as Prepared for Delivery, White House (Feb. 7, 2023), https://www.whitehouse.gov/briefing-room/speeches-remarks/2023/02/07/remarks-of-president-joe-biden-state-of-the-union-address-as-prepared-for-delivery.
[66] See Eric McDaniel, Congress Passed So Few Laws This Year That We Explained Them All in 1,000 Words, NPR (Dec. 22, 2023), https://www.npr.org/2023/12/22/1220111009/congress-passed-so-few-laws-this-year-that-we-explained-them-all-in-1-000-words; Müge Fazlioglu, US Federal Privacy Legislation Tracker: Introduced in the 118th Congress (2023-2024), IAPP (last updated Sept. 2023), https://iapp.org/media/pdf/resource_center/us_federal_privacy_legislation_tracker.pdf.
[67] Müge Fazlioglu, U.S. Privacy Legislation in 2023: Something Old, Something New?, IAPP (July 26, 2023), https://iapp.org/news/a/u-s-federal-privacy-legislation-in-2023-something-old-something-new.
[68] Press Release, U.S. Senate Judiciary Comm., Durbin, Graham Announce January 2024 Hearing with Five Big Tech CEOs on their Failure to Protect Children Online (Nov. 29, 2023), https://www.judiciary.senate.gov/press/releases/durbin-graham-announce-january-2024-hearing-with-five-big-tech-ceos-on-their-failure-to-protect-children-online; Full Committee Hearing: “TikTok: How Congress Can Safeguard American Data Privacy and Protect Children from Online Harms,” U.S. House Energy & Commerce Comm. (Mar. 23, 2023), https://energycommerce.house.gov/events/full-committee-hearing-tik-tok-how-congress-can-safeguard-american-data-privacy-and-protect-children-from-online-harms.
[69] Kids Online Safety Act, S. 1409, 118th Cong. (2023).
[70] Children and Teens’ Online Privacy Protection Act, S. 1418, 118th Cong. (2023).
[71] Informing Consumers about Smart Devices Act, S. 90, 118th Cong. (2023).
[72] Stop Spying Bosses Act, S. 262, 118th Cong. (2023).
[73] UPHOLD Privacy Act of 2023, S. 631, 118th Cong. (2023).
[74] DELETE Act, H.R. 4311, 118th Cong. (2023).
[75] Data Care Act of 2023, S. 744, 118th Cong. (2023).
[76] Online Privacy Act of 2023, H.R. 2701, 118th Cong. (2023).
[77] Federal Cybersecurity Vulnerability Reduction Act of 2023, H.R. 5255, 118th Cong. (2023).
[78] Modernizing the Acquisition of Cybersecurity Experts Act of 2023, H.R. 4502, 118th Cong. (2023).
[79] Federal Cybersecurity Workforce Expansion Act, S. 2256, 118th Cong. (2023).
[80] See Press Release, White House, President Biden Recognizes Actions by Private Sector Ticketing and Travel Companies to Eliminate Hidden Junk Fees and Provide Millions of Customers with Transparent Pricing (June 15, 2023), https://www.whitehouse.gov/briefing-room/statements-releases/2023/06/15/president-biden-recognizes-actions-by-private-sector-ticketing-and-travel-companies-to-eliminate-hidden-junk-fees-and-provide-millions-of-customers-with-transparent-pricing/. See also Press Release, White House, FACT SHEET: Executive Order on Promoting Competition in the American Economy (July 9, 2021), https://www.whitehouse.gov/briefing-room/statements-releases/2021/07/09/fact-sheet-executive-order-on-promoting-competition-in-the-american-economy/.
[81] Trade Regulation Rule on Unfair or Deceptive Fees, 88 Fed. Reg. 77420 (Nov. 9, 2023), https://www.federalregister.gov/documents/2023/11/09/2023-24234/trade-regulation-rule-on-unfair-or-deceptive-fees; Trade Regulation Rule on Unfair or Deceptive Fees, 89 Fed. Reg. 38 (Jan. 2, 2024).
[82] Christine Wilson, Letter to President Joseph R. Biden (Mar. 2, 2023), https://www.ftc.gov/system/files/ftc_gov/pdf/p180200wilsonresignationletter.pdf.
[83] See Press Release, White House, President Biden Announces Nominees to Bipartisan Boards and Commissions (July 3, 2023), https://www.whitehouse.gov/briefing-room/statements-releases/2023/07/03/president-biden-announces-nominees-to-bipartisan-boards-and-commissions.
[84] Melissa Holyoak, Statement Before the U.S. Senate Committee on Commerce, Science, and Transportation (Sep. 20, 2023), https://www.commerce.senate.gov/services/files/51CBECA7-1810-4CCD-8046-0AE99CA34CC4.
[85] Hawley Holds Nominees, Calls for Further Evaluation of McConnell Nominees, Senate Office of Josh Hawley (Dec. 20, 2023), https://www.hawley.senate.gov/hawley-holds-nominees-calls-further-evaluation-mcconnell-nominees.
[86] Lina Khan, Lina Khan: We Must Regulate A.I. Here’s How, New York Times (May 3, 2023), https://www.nytimes.com/2023/05/03/opinion/ai-lina-khan-ftc-technology.html.
[87] Michael Atleson, Keep Your AI Claims in Check, Federal Trade Commission (Feb. 27, 2023), https://www.ftc.gov/business-guidance/blog/2023/02/keep-your-ai-claims-check.
[88] Michael Atleson, Chatbots, Deepfakes, and Voice Clones: AI Deception for Sale, Federal Trade Commission (Mar. 20, 2023), https://www.ftc.gov/business-guidance/blog/2023/03/chatbots-deepfakes-voice-clones-ai-deception-sale.
[89] Id.
[90] Id.
[91] Michael Atleson, The Luring Test: AI and the Engineering of Consumer Trust, Federal Trade Commission (May 1, 2023), https://www.ftc.gov/business-guidance/blog/2023/05/luring-test-ai-engineering-consumer-trust.
[92] Michael Atleson, Watching the Detectives: Suspicious Marketing Claims for Tools that Spot AI-Generated Content, Federal Trade Commission (May 1, 2023), https://www.ftc.gov/business-guidance/blog/2023/07/watching-detectives-suspicious-marketing-claims-tools-spot-ai-generated-content.
[93] Alex Gaynor, Security Principles: Addressing Underlying Causes of Risk in Complex Systems, Federal Trade Commission (February 1, 2023), https://www.ftc.gov/policy/advocacy-research/tech-at-ftc/2023/02/security-principles-addressing-underlying-causes-risk-complex-systems.
[94] Id.
[95] Id.
[96] Samuel Levine, Chief, Federal Trade Commission, Remarks of Chief Samual Levine at the Consumer Data Industry Association Law and Industry Conference (September 21, 2023), https://www.ftc.gov/system/files/ftc_gov/pdf/cdia-sam-levine-9-21-2023.pdf.
[97] Mike Swift, US FTC still pondering ‘commercial surveillance’ rulemaking, Slaughter tells tech industry, MLex (Jan. 10, 2024), https://content.mlex.com/#/content/1535579.
[98] Press Release, Federal Trade Commission, FTC Finalizes Order Requiring Fortnite maker Epic Games to Pay $245 Million for Tricking Users into Making Unwanted Charges (Mar. 14, 2023), https://www.ftc.gov/news-events/news/press-releases/2023/03/ftc-finalizes-order-requiring-fortnite-maker-epic-games-pay-245-million-tricking-users-making.
[99] 15 U.S.C. § 45(a).
[100] Complaint, FTC v. Ring LLC, Case No. 1:23-cv-1549 (May 31, 2023).
[101] Proposed Stipulated Order, FTC v. Ring LLC, Case No. 1:23-cv-1549 (May 31, 2023); Press Release, Federal Trade Commission, FTC Says Ring Employees Illegally Surveilled Customers, Failed to Stop Hackers from Taking Control of Users’ Cameras (May 31, 2023), https://www.ftc.gov/news-events/news/press-releases/2023/05/ftc-says-ring-employees-illegally-surveilled-customers-failed-stop-hackers-taking-control-users.
[102] Notices of Penalty Offenses, Federal Trade Commission, https://www.ftc.gov/enforcement/penalty-offenses.
[103] Press Release, Federal Trade Commission, FTC Warns Tax Preparation Companies About Misuse of Consumer Data (Sep. 18, 2023), https://www.ftc.gov/news-events/news/press-releases/2023/09/ftc-warns-tax-preparation-companies-about-misuse-consumer-data.
[104] Complaint, U.S. v. Amazon.com, Inc., and Amazon.com Services LLC, Case No. 2:23-cv-00811 (May 31, 2023).
[105] Amazon Alexa, Federal Trade Commission (July 21, 2023), https://www.ftc.gov/legal-library/browse/cases-proceedings/amazon-alexa.
[106] Press Release, Federal Trade Commission, FTC Enforcement Action to Bar GoodRx from Sharing Consumers’ Sensitive Health Info for Advertising (Feb. 1, 2023), https://www.ftc.gov/news-events/news/press-releases/2023/02/ftc-enforcement-action-bar-goodrx-sharing-consumers-sensitive-health-info-advertising.
[107] Press Release, Federal Trade Commission, FTC Warns Health Apps and Connected Device Companies to Comply With Health Breach Notification Rule (Sep. 21, 2023), https://www.ftc.gov/news-events/news/press-releases/2021/09/ftc-warns-health-apps-connected-device-companies-comply-health-breach-notification-rule.
[108] Press Release, Federal Trade Commission, FTC Enforcement Action to Bar GoodRx from Sharing Consumers’ Sensitive Health Info for Advertising (Feb. 1, 2023), https://www.ftc.gov/news-events/news/press-releases/2023/02/ftc-enforcement-action-bar-goodrx-sharing-consumers-sensitive-health-info-advertising.
[109] Health Breach Notification Rule, 88 Fed. Reg. 37819, 37839 (June 9, 2023), https://www.federalregister.gov/documents/2023/06/09/2023-12148/health-breach-notification-rule; see also Press Release, Federal Trade Commission, FTC Proposes Amendments to Strengthen and Modernize the Health Breach Notification Rule (May 18, 2023), https://www.ftc.gov/news-events/news/press-releases/2023/05/ftc-proposes-amendments-strengthen-modernize-health-breach-notification-rule.
[110] Press Release, Federal Trade Commission, FTC Finalizes Order with 1Health.io Over Charges it Failed to Protect Privacy and Security of DNA Data and Unfairly Changed its Privacy Policy (Sep. 7, 2023), https://www.ftc.gov/news-events/news/press-releases/2023/09/ftc-finalizes-order-1healthio-over-charges-it-failed-protect-privacy-security-dna-data-unfairly.
[111] FTC v. Rite Aid Corp., No. 2:23-cv-05023 (E.D. Pa. Dec. 19, 2023).
[112] Press Release, Federal Trade Commission, FTC Strengthens Security Safeguards for Consumer Financial Information Following Widespread Data Breaches (Oct. 27, 2021), https://www.ftc.gov/news-events/news/press-releases/2021/10/ftc-strengthens-security-safeguards-consumer-financial-information-following-widespread-data.
[113] Press Release, Federal Trade Commission, FTC Amends Safeguards Rule to Require Non-Banking Financial Institutions to Report Data Security Breaches (October 27, 2023), https://www.ftc.gov/news-events/news/press-releases/2023/10/ftc-amends-safeguards-rule-require-non-banking-financial-institutions-report-data-security-breaches.
[114] Press Release, Federal Trade Commission, Compliance deadline for certain revised FTC Safeguards Rule provisions extended to June 2023 (November 15, 2022), https://www.ftc.gov/business-guidance/blog/2022/11/compliance-deadline-certain-revised-ftc-safeguards-rule-provisions-extended-june-2023.
[115] Id.
[116] Press Release, Federal Trade Commission, FTC Strengthens Security Safeguards for Consumer Financial Information Following Widespread Data Breaches (Oct. 27, 2021), https://www.ftc.gov/news-events/news/press-releases/2021/10/ftc-strengthens-security-safeguards-consumer-financial-information-following-widespread-data.
[117] Press Release, Federal Trade Commission, FTC Proposes Strengthening Children’s Privacy Rule to Further Limit Comanies’ Ability to Monetize Children’s Data (December 20, 2023), https://www.ftc.gov/news-events/news/press-releases/2023/12/ftc-proposes-strengthening-childrens-privacy-rule-further-limit-companies-ability-monetize-childrens.
[118] Id.
[119] Id.
[120] Id.; Children’s Online Privacy Protection Rule, 89 Fed. Reg. 2034 (Jan. 11, 2024). https://www.federalregister.gov/documents/2024/01/11/2023-28569/childrens-online-privacy-protection-rule.
[121] Press Release, Federal Trade Commission, FTC Seeks Comment on New Parental Consent Mechanism Under COPPA (July 19, 2023), https://www.ftc.gov/news-events/news/press-releases/2023/07/ftc-seeks-comment-new-parental-consent-mechanism-under-coppa.
[122] Id.
[123] Press Release, Federal Trade Commission, FTC Will Require Microsoft to Pay $20 million over Charges it Illegally Collected Personal Information from Children without Their Parents’ Consent (June 5, 2023), https://www.ftc.gov/news-events/news/press-releases/2023/06/ftc-will-require-microsoft-pay-20-million-over-charges-it-illegally-collected-personal-information.
[124] Id.
[125] Press Release, Federal Trade Commission, FTC Proposes Blanket Prohibition Preventing Facebook from Monetizing Youth Data (May 3, 2023) https://www.ftc.gov/news-events/news/press-releases/2023/05/ftc-proposes-blanket-prohibition-preventing-facebook-monetizing-youth-data.
[126] Id.
[127] Policy Statement of the Federal Trade Commission on Biometric Information and Section 5 of the Federal Trade Commission Act, Federal Trade Commission (May 18, 2023), https://www.ftc.gov/system/files/ftc_gov/pdf/p225402biometricpolicystatement.pdf.
[128] Press Release, Federal Trade Commission, FTC to Host Identity Authentication Workshop (Feb. 21, 2007) https://www.ftc.gov/news-events/news/press-releases/2007/02/ftc-host-identity-authentication-w; You Don’t Say: An FTC Workshop on Voice Cloning Technologies, Federal Trade Commission (Jan. 28, 2020), https://www.ftc.gov/newsevents/events/2020/01/you-dont-say-ftc-workshop-voice-cloning-technologies; Face Facts: A Forum on Facial Recognition Technology, Federal Trade Commission (Dec. 8, 2011), https://www.ftc.gov/newsevents/events/2011/12/face-facts-forum-facial-recognition-technology; Facing Facts: Best Practices for Common Uses of Facial Recognition Technology, Federal Trade Commission (Oct. 2012), https://www.ftc.gov/reports/facing-facts-best-practices-common-uses-facial-recognition-technologies.
[129] Policy Statement of the Federal Trade Commission on Biometric Information and Section 5 of the Federal Trade Commission Act, Federal Trade Commission (May 18, 2023), https://www.ftc.gov/system/files/ftc_gov/pdf/p225402biometricpolicystatement.pdf.
[130] Id.
[131] Press Release, Federal Trade Commission, Rite Aid Banned From Using AI Facial Recognition After FTC Says Retailer Deployed Technology without Reasonable Safeguards (Dec. 19, 2023), https://www.ftc.gov/news-events/news/press-releases/2023/12/rite-aid-banned-using-ai-facial-recognition-after-ftc-says-retailer-deployed-technology-without.
[132] Press Release, Consumer Financial Protection Bureau, CFPB Proposes Rule to Jumpstart Competition and Accelerate Shift to Open Banking (Oct. 19, 2023), https://www.consumerfinance.gov/about-us/newsroom/cfpb-proposes-rule-to-jumpstart-competition-and-accelerate-shift-to-open-banking/.
[133] Id.
[134] See id.; Required Rulemaking on Personal Financial Data Rights, 88 Fed. Reg. 74796, 74809 (Oct. 31, 2023) (to be codified at 12 C.F.R. pts. 1001, 1033), https://www.federalregister.gov/documents/2023/10/31/2023-23576/required-rulemaking-on-personal-financial-data-rights.
[135] Required Rulemaking on Personal Financial Data Rights, 88 Fed. Reg. 74796, 74796 (Oct. 31, 2023) (to be codified at 12 C.F.R. pts. 1001, 1033), https://www.federalregister.gov/documents/2023/10/31/2023-23576/required-rulemaking-on-personal-financial-data-rights.
[136] 12 U.S.C. § 5533(a).
[137] Required Rulemaking on Personal Financial Data Rights, 88 Fed. Reg. 74796, 74803 (Oct. 31, 2023) (to be codified at 12 C.F.R. pts. 1001, 1033), https://www.federalregister.gov/documents/2023/10/31/2023-23576/required-rulemaking-on-personal-financial-data-rights.
[138] Id. at 74809.
[139] Id. at 74832.
[140] Id. at 74833.
[141] Id. at 74874.
[142] Id.; Press Release, Consumer Financial Protection Bureau, Prepared Remarks of CFPB Director Rohit Chopra on the Proposed Personal Financial Data Rights Rule (Oct. 19, 2023), https://www.consumerfinance.gov/about-us/newsroom/prepared-remarks-of-cfpb-director-rohit-chopra-on-the-proposed-personal-financial-data-rights-rule/.
[143] Press Release, Consumer Financial Protection Bureau, CFPB Proposes New Federal Oversight of Big Tech Companies and Other Providers of Digital Wallets and Payment Apps (Nov. 7, 2023), https://www.consumerfinance.gov/about-us/newsroom/cfpb-proposes-new-federal-oversight-of-big-tech-companies-and-other-providers-of-digital-wallets-and-payment-apps/.
[144] Defining Larger Participants of a Market for General-Use Digital Consumer Payment Applications, 88 Fed. Reg. 80197, 80199, 80204 (Nov. 17, 2023) (to be codified at 12 C.F.R. pt. 1090), https://www.federalregister.gov/documents/2023/11/17/2023-24978/defining-larger-participants-of-a-market-for-general-use-digital-consumer-payment-applications.
[145] Press Release, Consumer Financial Protection Bureau, CFPB Proposes New Federal Oversight of Big Tech Companies and Other Providers of Digital Wallets and Payment Apps (Nov. 7, 2023), https://www.consumerfinance.gov/about-us/newsroom/cfpb-proposes-new-federal-oversight-of-big-tech-companies-and-other-providers-of-digital-wallets-and-payment-apps/.
[146] Id.
[147] Press Release, Consumer Financial Protection Bureau, CFPB Launches Inquiry Into the Business Practices of Data Brokers (Mar. 15, 2023), https://www.consumerfinance.gov/about-us/newsroom/cfpb-launches-inquiry-into-the-business-practices-of-data-brokers/.
[148] Request for Information Regarding Data Brokers and Other Business Practices Involving the Collection and Sale of Consumer Information, 88 Fed. Reg. 16951, 16952 (Mar. 21, 2023), https://www.federalregister.gov/documents/2023/03/21/2023-05670/request-for-information-regarding-data-brokers-and-other-business-practices-involving-the-collection.
[149] Press Release, Consumer Financial Protection Bureau, Remarks of CFPB Director Rohit Chopra at White House Roundtable on Protecting Americans from Harmful Data Broker Practices (Aug. 15, 2023), https://www.consumerfinance.gov/about-us/newsroom/remarks-of-cfpb-director-rohit-chopra-at-white-house-roundtable-on-protecting-americans-from-harmful-data-broker-practices/.
[150] Id.; see also 15 U.S.C. § 1681b.
[151] Id.
[152] Id.
[153] Press Release, Consumer Financial Protection Bureau, CFPB and Federal Partners Confirm Automated Systems and Advanced Technology Not an Excuse for Lawbreaking Behavior (Apr. 25, 2023), https://www.consumerfinance.gov/about-us/newsroom/cfpb-federal-partners-confirm-automated-systems-advanced-technology-not-an-excuse-for-lawbreaking-behavior/.
[154] Press Release, Consumer Financial Protection Bureau, CFPB Issue Spotlight Analyzes “Artificial Intelligence” Chatbots in Banking (June 3, 2023), https://www.consumerfinance.gov/about-us/newsroom/cfpb-issue-spotlight-analyzes-artificial-intelligence-chatbots-in-banking.
[155] Rohit Chopra, Algorithms, Artificial Intelligence, and Fairness in Home Appraisals, CFPB Blog (June 1, 2023), https://www.consumerfinance.gov/about-us/blog/algorithms-artificial-intelligence-fairness-in-home-appraisals/.
[156] Quality Control Standards for Automated Valuation Models, 88 Fed. Reg. 40638, 40638 (June 21, 2023), https://www.federalregister.gov/documents/2023/06/21/2023-12187/quality-control-standards-for-automated-valuation-models.
[157] Rohit Chopra, Algorithms, Artificial Intelligence, and Fairness in Home Appraisals, CFPB Blog (June 1, 2023), https://www.consumerfinance.gov/about-us/blog/algorithms-artificial-intelligence-fairness-in-home-appraisals/.
[158] Quality Control Standards for Automated Valuation Models, 88 Fed. Reg. 40638, 40638 (June 21, 2023), https://www.federalregister.gov/documents/2023/06/21/2023-12187/quality-control-standards-for-automated-valuation-models.
[159] Press Release, Consumer Financial Protection Bureau, CFPB Issues Guidance on Credit Denials by Lenders Using Artificial Intelligence (Sept. 19, 2023), https://www.consumerfinance.gov/about-us/newsroom/cfpb-issues-guidance-on-credit-denials-by-lenders-using-artificial-intelligence/.
[160] Id.
[161] Press Release, SEC, SEC Proposes Changes to Reg S-P to Enhance Protection of Customer Information (Mar. 15, 2023), https://www.sec.gov/news/press-release/2023-51.
[162] Id.
[163] Id.
[164] Id.
[165] A Small Entity Compliance Guide, SEC, Cybersecurity Risk Management Strategy, Governance, and Incident Disclosure (Nov. 14, 2023), https://www.sec.gov/corpfin/secg-cybersecurity#_ftn1.
[166] Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, Exchange Act Release, 88 Fed. Reg. 51896, 51899.
[167] Id.
[168] Id.
[169] Id.
[170] Id. at 51924.
[171] Id. at 51898–51899.
[172] Id. at 51945.
[173] Id. at 51909–51910.
[174] The rule also includes another exemption that only applies to companies subject to the Federal Communications (“FCC”) notification rule for breaches of customer proprietary network information (“CPNI”). A more detailed description of this exception is outlined in Gibson Dunn’s July 31, 2023 update.
[175] Id.
[176] DOJ, Department of Justice Material Cybersecurity Incident Delay Determinations (Dec. 12, 2023), https://www.justice.gov/media/1328226/dl?inline.
[177] Id.
[178] Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, Exchange Act Release, 88 Fed. Reg. 51896, 51899.
[179] Id.
[180] Id. at 51913.
[181] Id.
[182] Id.
[183] Id. at 51914.
[184] The Commission’s Privacy Act Regulations, 88 Fed. Reg. 65807, 65808.
[185] Id. at 65808–09.
[186] Press Release, SEC, SEC Proposes Cybersecurity Risk Management Rules and Amendments for Registered Investment Advisers and Funds (Feb. 9, 2022), https://www.sec.gov/news/press-release/2022-20.
[187] Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies, and Business Development Companies, 87 Fed. Reg. 13524 (published Mar. 9, 2022) (to be codified at 17 C.F.R. pts. 230, 232, 239, 270, 274, 275, 279), https://www.federalregister.gov/documents/2022/03/09/2022-03145/cybersecurity-risk-management-for-investment-advisers-registered-investment-companies-and-business.
[188] SEC, Agency Rule List – Fall 2023, https://www.reginfo.gov/public/do/eAgendaMain?operation=OPERATION_GET_AGENCY_RULE_LIST¤tPub=true&agencyCode=&showStage=active&agencyCd=3235&csrf_token=28A8C6498A23E2932F2D7BB0618F4AA9746D20D66D0E1500674B7BEBFD26693EFE119AEDE913D6851EE65F43B418CC81FFA8.
[189] SEC, View Rule (last visited, Jan. 26, 2023), https://www.reginfo.gov/public/do/eAgendaViewRule?pubId=202310&RIN=3235-AN15.
[190] SEC, 2024 Examination Priorities (Oct. 16, 2023), https://www.sec.gov/files/2024-exam-priorities.pdf.
[191] Press Release, SEC, SEC Division of Examinations Announces 2024 Priorities, https://www.sec.gov/news/press-release/2023-222/.
[192] SEC, SEC Enforcement Results for FY23 (last modified, Jan. 22, 2024), https://www.sec.gov/newsroom/enforcement-results-fy23.
[193] SEC, SEC Enforcement Results for FY23 (last modified, Jan. 22, 2024), https://www.sec.gov/newsroom/enforcement-results-fy23.
[194] Id.
[195] Id.
[196] Press Release, SEC, SEC Charges Virtu for False and Misleading Disclosures Relating to Information Barriers (September 12, 2023), https://www.sec.gov/news/press-release/2023-176.
[197] Id.
[198] Id.
[199] Id.
[200] Press Release, SEC, SEC Charges Software Company Blackbaud Inc. for Misleading Disclosures About Ransomware Attack That Impacted Charitable Donors (March 9, 2023), https://www.sec.gov/news/press-release/2023-48.
[201] Id.
[202] Id.
[203] Id.
[204] Id.
[205] Press Release, SEC, SEC Charges SolarWinds and Chief Information Security Officer with Fraud, Internal Control Failures (Oct. 30, 2023), https://www.sec.gov/news/press-release/2023-227; see also Complaint ¶ 1, SEC v. SolarWinds Corp., No. 1:23-9518 (S.D.N.Y. Oct. 30, 2023), ECF No. 1.
[206] Press Release, SEC, SEC Charges SolarWinds and Chief Information Security Officer with Fraud, Internal Control Failures (Oct. 30, 2023), https://www.sec.gov/news/press-release/2023-227.
[207] Id.
[208] Id.
[209] Id.
[210] Id.
[211] Id.
[212] Id.
[213] Id.
[214] Id.
[215] Press Release, Department of Health and Human Services, HHS Announces New Divisions Within the Office for Civil Rights to Better Address Growing Need of Enforcement in Recent Years (Feb. 27, 2023), https://www.hhs.gov/about/news/2023/02/27/hhs-announces-new-divisions-within-office-civil-rights-better-address-growing-need-enforcement-recent-years.html.
[216] Id.
[217] Id.
[218] Id.
[219] Press Release, Department of Health and Human Services, HHS Finalizes Rule to Advance Health IT Interoperability and Algorithm Transparency (Dec. 13, 2023), https://www.hhs.gov/about/news/2023/12/13/hhs-finalizes-rule-to-advance-health-it-interoperability-and-algorithm-transparency.html; see also Press Release, Department of Health and Human Services, HHS Proposes New Rule to Further Implement the 21st Century Cures Act (Apr. 11, 2023), https://www.hhs.gov/about/news/2023/04/11/hhs-propose-new-rule-to-further-implement-the-21st-century-cures-act.html.
[220] Id.
[221] Office of the National Coordinator for Health Information Technology, Department of Health and Human Services, Health Data, Technology, and Interoperability: Certification Program Updates, Algorithm Transparency, and Information Sharing, 45 C.F.R. § 170, https://www.federalregister.gov/documents/2024/01/09/2023-28857/health-data-technology-and-interoperability-certification-program-updates-algorithm-transparency-and.
[222] Id.; see also Department of Health and Human Services, Telehealth policy updates (Nov. 9, 2023), https://telehealth.hhs.gov/providers/telehealth-policy/telehealth-policy-updates.
[223] Press Release, Department of Health and Human Services, Fact Sheet: End of the COVID-19 Public Health Emergency (May 9, 2023), https://www.hhs.gov/about/news/2023/05/09/fact-sheet-end-of-the-covid-19-public-health-emergency.html.
[224] Id.
[225] Department of Health and Human Services, Telehealth Policy Changes After the COVID-19 Public Health Emergency (Dec. 19, 2023), https://telehealth.hhs.gov/providers/telehealth-policy/policy-changes-after-the-covid-19-public-health-emergency.
[226] Press Release, Department of Health and Human Services, HHS Office for Civil Rights and the Federal Trade Commission Warn Hospital Systems and Telehealth Providers about Privacy and Security Risks from Online Tracking Technologies (July 20, 2023), https://www.hhs.gov/about/news/2023/07/20/hhs-office-civil-rights-federal-trade-commission-warn-hospital-systems-telehealth-providers-privacy-security-risks-online-tracking-technologies.html.
[227] Id.
[228] FTC, Updated FTC-HHS publication outlines privacy and security laws and rules that impact consumer health data (Sept. 15, 2023), https://www.ftc.gov/business-guidance/blog/2023/09/updated-ftc-hhs-publication-outlines-privacy-security-laws-rules-impact-consumer-health-data.
[229] Press Release, Department of Health and Human Services, Statement from Secretary Becerra on the One Year Anniversary of the Dobbs v. Jackson Women’s Health Organization Decision (June 24, 2023), https://www.hhs.gov/about/news/2023/06/24/statement-secretary-becerra-one-year-anniversary-dobbs-v-jackson-womens-health-organization-decision.html.
[230] See Dobbs v. Jackson Women’s Health Org., 597 U.S. 215 (2022).
[231] Press Release, Department of Health and Human Services, Statement from Secretary Becerra on the One Year Anniversary of the Dobbs v. Jackson Women’s Health Organization Decision (June 24, 2023), https://www.hhs.gov/about/news/2023/06/24/statement-secretary-becerra-one-year-anniversary-dobbs-v-jackson-womens-health-organization-decision.html.
[232] Press Release, Department of Health and Human Services, HHS Proposes Measures to Bolster Patient-Provider Confidentiality Around Reproductive Health Care (Apr. 12, 2023), https://www.hhs.gov/about/news/2023/04/12/hhs-proposes-measures-bolster-patient-provider-confidentiality-around-reproductive-health-care.html.
[233] Id.; see also Regulatory Initiatives, Department of Health and Human Services, HIPAA Privacy Rule and Reproductive Health Care (Apr. 14, 2023), https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/index.html.
[234] HIPAA Privacy Rule To Support Reproductive Health Care Privacy, 88 Fed. Reg. 23506 (proposed Apr. 17, 2023) (to be codified at 45 C.F.R. pts. 160, 164); HHS/OCR, View Rule (last visited Jan. 26, 2024), https://www.reginfo.gov/public/do/eAgendaViewRule?pubId=202310&RIN=0945-AA20.
[235] Press Release, Department of Health and Human Services, HHS’ Office for Civil Rights Settles HIPAA Investigation of St. Joseph’s Medical Center for Disclosure of Patients’ Protected Health Information to a News Reporter (Nov. 20, 2023), https://www.hhs.gov/about/news/2023/11/20/hhs-office-civil-rights-settles-hipaa-investigation-st-josephs-medical-center-disclosure-patients-protected-health-information-news-reporter.html; Department of Health and Human Services, St. Joseph’s Medical Center Resolution Agreement and Corrective Action Plan (Aug. 22, 2023), https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/sjmc-ra-cap/index.html.
[236] Id.
[237] Id.
[238] Id.
[239] Press Release, Department of Health and Human Services, HHS’ Office for Civil Rights Settles Multiple HIPAA Complaints With Optum Medical Care Over Patient Access to Records (Dec. 15, 2023), https://www.hhs.gov/about/news/2023/12/15/hhs-office-for-civil-rights-settles-multiple-hipaa-complaints-with-optum-medical-care-over-patient-access-to-records.html.
[240] Id.
[241] See id.
[242] Press Release, Department of Health and Human Services, HHS Office for Civil Rights Settles HIPAA Investigation with Arizona Hospital System Following Cybersecurity Hacking (Feb. 2, 2023), https://www.hhs.gov/about/news/2023/02/02/hhs-office-for-civil-rights-settles-hipaa-investigation-with-arizona-hospital-system.html.
[243] Id.
[244] Press Release, Department of Health and Human Services, HHS’ Office for Civil Rights Settles First Ever Phishing Cyber-Attack Investigation (Dec. 7, 2023), https://www.hhs.gov/about/news/2023/12/07/hhs-office-for-civil-rights-settles-first-ever-phishing-cyber-attack-investigation.html.
[245] Id.
[246] Id.
[247] Press Release, Department of Homeland Security, Statement from Secretary Mayorkas on President Biden’s National Cybersecurity Strategy (Mar. 2, 2023), https://www.dhs.gov/news/2023/03/02/statement-secretary-mayorkas-president-bidens-national-cybersecurity-strategy.
[248] Press Release, Department of Homeland Security, DHS Issues Recommendations to Harmonize Cyber Incident Reporting for Critical Infrastructure Entities (Sept. 19, 2023), https://www.dhs.gov/news/2023/09/19/dhs-issues-recommendations-harmonize-cyber-incident-reporting-critical.
[249] Brandon Wales, CIRCIA at One Year: A Look Behind the Scenes, Cybersecurity & Infrastructure Security Agency (Mar. 24, 2023), https://www.cisa.gov/news-events/news/circia-one-year-look-behind-scenes; see also Gibson Dunn’s client alert on the Cyber Incident Reporting for Critical Infrastructure Act, https://www.gibsondunn.com/president-biden-signs-into-law-the-cyber-incident-reporting-for-critical-infrastructure-act-expanding-cyber-reporting-obligations-for-a-wide-range-of-public-and-private-entities/.
[250] Press Release, Department of Homeland Security, Joint Statement from 21 Countries and the Organization of American States Following the Department of Homeland Security Western Hemisphere Cyber Conference (Sept. 28, 2023), https://www.dhs.gov/news/2023/09/28/joint-statement-21-countries-and-organization-american-states-following-department.
[251] Press Release, Cybersecurity and Infrastructure Security Agency, CISA and FBI Release Advisory on CL0P Ransomware Gang Exploiting MOVEit Vulnerability (June 7, 2023), https://www.cisa.gov/news-events/news/cisa-and-fbi-release-advisory-cl0p-ransomware-gang-exploiting-moveit-vulnerability.
[252] Press Release, Department of Homeland Security, Cyber Safety Review Board Releases Report on Activities of Global Extortion-Focused Hacker Group Lapsus$ (Aug. 10, 2023), https://www.dhs.gov/news/2023/08/10/cyber-safety-review-board-releases-report-activities-global-extortion-focused; Press Release, Department of Homeland Security, Department of Homeland Security’s Cyber Safety Review Board to Conduct Review on Cloud Security (Aug. 11, 2023), https://www.dhs.gov/news/2023/08/11/department-homeland-securitys-cyber-safety-review-board-conduct-review-cloud.
[253] Cybersecurity Advisory, Cybersecurity and Infrastructure Security Agency, #StopRansomware: LockBit 3.0 Ransomware Affiliates Exploit CVE 2023-4966 Citrix Bleed Vulnerability (Nov. 21, 2023), https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-325a.
[254] Press Release, Department of Homeland Security, DHS Announces Additional $374.9 Million in Funding to Boost State, Local Cybersecurity (Aug. 7, 2023), https://www.dhs.gov/news/2023/08/07/dhs-announces-additional-3749-million-funding-boost-state-local-cybersecurity.
[255] Press Release, Department of Justice, Justice Department Announces New National Security Cyber Section Within the National Security Division (June 20, 2023), https://www.justice.gov/opa/pr/justice-department-announces-new-national-security-cyber-section-within-national-security.
[256] Id.
[257] Press Release, Department of Justice, U.S. Department of Justice Disrupts Hive Ransomware Variant (Jan. 26, 2023), https://www.justice.gov/opa/pr/us-department-justice-disrupts-hive-ransomware-variant.
[258] Id.
[259] Press Release, Department of Justice, Justice Department Announces Court-Authorized Disruption of Snake Malware Network Controlled by Russia’s Federal Security Service (May 9, 2023), https://www.justice.gov/opa/pr/justice-department-announces-court-authorized-disruption-snake-malware-network-controlled.
[260] Id.
[261] Press Release, Department of Justice, Qakbot Malware Disrupted in International Cyber Takedown (Aug. 29, 2023), https://www.justice.gov/usao-cdca/pr/qakbot-malware-disrupted-international-cyber-takedown.
[262] Press Release, Department of Justice, Justice Department Disrupts Prolific ALPHV/Blackcat Ransomware Variant (Dec. 19, 2023), https://www.justice.gov/opa/pr/justice-department-disrupts-prolific-alphvblackcat-ransomware-variant.
[263] Id.
[264] Press Release, Department of Justice, Justice Department and Meta Platforms Inc. Reach Key Agreement as They Implement Groundbreaking Resolution to Address Discriminatory Delivery of Housing Advertisements (Jan. 9, 2023), https://www.justice.gov/opa/pr/justice-department-and-meta-platforms-inc-reach-key-agreement-they-implement-groundbreaking.
[265] Id.
[266] Id.; Roy L. Austin, Jr., An Update on Our Ads Fairness Efforts, Meta (Jan. 9, 2023), https://about.fb.com/news/2023/01/an-update-on-our-ads-fairness-efforts/.
[267] Press Release, Department of Justice, Justice Department Files Statement of Interest in Fair Housing Act Case Alleging Unlawful Algorithm-Based Tenant Screening Practices (Jan. 9, 2023), https://www.justice.gov/opa/pr/justice-department-files-statement-interest-fair-housing-act-case-alleging-unlawful-algorithm.
[268] Id.
[269] Id.
[270] RESTRICT Act, S. 686, 118th Cong. (2023), https://www.congress.gov/bill/118th-congress/senate-bill/686/text.
[271] Statements and Releases, White House, Statement from National Security Advisor Jake Sullivan on the Introduction of the RESTRICT Act (Mar. 7, 2023), https://www.whitehouse.gov/briefing-room/statements-releases/2023/03/07/statement-from-national-security-advisor-jake-sullivan-on-the-introduction-of-the-restrict-act/; Press Release, Department of Commerce, Statement from U.S. Secretary of Commerce Gina Raimondo on the Introduction of the RESTRICT Act (Mar. 7, 2023), https://www.commerce.gov/news/press-releases/2023/03/statement-us-secretary-commerce-gina-raimondo-introduction-restrict-act.
[272] RESTRICT Act, S. 686, 118th Cong. (2023), https://www.congress.gov/bill/118th-congress/senate-bill/686/text.
[273] Protecting Americans’ Data From Foreign Surveillance Act of 2023, S. 1974, 118th Cong. (2023), https://www.congress.gov/bill/118th-congress/senate-bill/1974/text.
[274] Id.
[275] Id.
[276] Id.
[277] Id.
[278] Press Release, Office of Cybersecurity, Energy Security, and Emergency Response, DOE Announces $39 Million in Research Funding to Enhance Cybersecurity of Clean Distributed Energy Resources (Sept. 12, 2023), https://www.energy.gov/ceser/articles/doe-announces-39-million-research-funding-enhance-cybersecurity-clean-distributed.
[279] Id.
[280] Id.
[281] Alexandra Kelley, Cyberattacks on Energy’s National Labs Draw Lawmaker Scrutiny, Nextgov/FCW (Feb. 2, 2023), https://www.nextgov.com/cybersecurity/2023/02/cyberattacks-energys-national-labs-draw-lawmaker-scrutiny/382503/.
[282] Special Report, Department of Energy, Management Challenges at the Department of Energy — Fiscal Year 2024 (Nov. 17, 2023), https://www.energy.gov/sites/default/files/2023-11/DOE-OIG-24-05.pdf.
[283] Id.
[284] Daniel Wilson, Defense Dept. Proposes Long-Awaited Cybersecurity Rule, Law360 (Dec. 22, 2023), https://www.law360.com/cybersecurity-privacy/articles/1780256/defense-dept-proposes-long-awaited-cybersecurity-rule.
[285] Id.
[286] Id.
[287] Press Release, Federal Communications Commission, Chairwoman Rosenworcel Launches Privacy and Data Protection Task Force (June 14, 2023), https://www.fcc.gov/document/chairwoman-rosenworcel-launches-privacy-and-data-protection-task-force.
[288] Id.
[289] Pallone-Thune Telephone Robocall Abuse Criminal Enforcement and Deterrence Act, Pub. L. No. 116-105, 133 Stat. 3274 (2019); Federal Communications Commission, TRACED Act Implementation (May 1, 2023), https://www.fcc.gov/TRACEDAct.
[290] Limits on Exempted Calls Under the Telephone Consumer Protection Act of 1991, 88 Fed. Reg. 3668 (Jan. 20, 2023) (to be codified at 47 C.F.R. pt. 64).
[291] Id.
[292] Press Release, Federal Communications Commission, Rosenworcel Launches Effort on AI’s Impact on Robocalls and Robotexts (Oct. 23, 2023), https://docs.fcc.gov/public/attachments/DOC-397925A1.pdf.
[293] Federal Communications Commission, FCC Launches Inquiry into AI’s Impact on Robocalls and Robotexts (Nov. 17, 2023), https://www.fcc.gov/consumer-governmental-affairs/fcc-launches-inquiry-ais-impact-robocalls-and-robotexts.
[294] Federal Communications Commission, Second Report and Order, Second Further Notice of Proposed Rulemaking in CG Docket Nos. 02-278 and 21-402, and Waiver Order in CG Docket No. 17-59 (Dec. 18, 2023), https://docs.fcc.gov/public/attachments/FCC-23-107A1.pdf.
[295] Id. at 13–15.
[296] Id. at 20 n.113.
[297] Press Release, White House, Biden-Harris Administration Announces Cybersecurity Labeling Program for Smart Devices to Protect American Consumers (July 18, 2023), https://www.whitehouse.gov/briefing-room/statements-releases/2023/07/18/biden-harris-administration-announces-cybersecurity-labeling-program-for-smart-devices-to-protect-american-consumers/.
[298] Id.
[299] Press Release, Federal Communications Commission, FCC Fact Sheet on Proposed Voluntary Cybersecurity Labeling Program for Internet-Enabled Devices (Aug. 10, 2023), https://docs.fcc.gov/public/attachments/DOC-395909A1.pdf.
[300] Press Release, Federal Communications Commission, FCC Adopts Updated Data Breach Notification Rules To Protect Consumers (Dec. 13, 2023), https://docs.fcc.gov/public/attachments/DOC-399090A1.pdf.
[301] Id.
[302] Press Release, Federal Communications Commission, FCC Proposes $20M Fine for Apparently Failing to Protect Consumer Data (July 28, 2023), https://docs.fcc.gov/public/attachments/DOC-395581A1.pdf.
[303] Id.
[304] A New Landmark for Consumer Control Over Their Personal Information: CPPA Proposes Regulatory Framework for Automated Decisionmaking Technology, Cal. Privacy Protection Agency (Nov. 27, 2023), https://cppa.ca.gov/announcements/2023/20231127.html; see also Draft Automated Decisionmaking Technology Regulations, Cal. Privacy Protection Agency (Dec. 8, 2023), https://cppa.ca.gov/meetings/materials/20231208_item2_draft.pdf.
[305] CPPA to Review Privacy Practices of Connected Vehicles and Related Technologies, Cal. Privacy Protection Agency (July 31, 2023), https://cppa.ca.gov/announcements/2023/20230731.html.
[306] Ahead of Privacy Day, Attorney General Bonta Focuses on Mobile Applications’ Compliance with the California Consumer Privacy Act, Cal. Att’y Gen. (Jan. 27, 2023), https://oag.ca.gov/news/press-releases/ahead-data-privacy-day-attorney-general-bonta-focuses-mobile-applications%E2%80%99.
[307] Attorney General Bonta Seeks Information from California Employers on Compliance with California Consumer Privacy Act, Cal. Att’y Gen. (July 14, 2023), https://oag.ca.gov/news/press-releases/attorney-general-bonta-seeks-information-california-employers-compliance.
[308] Complaint, People v. Google, Case No. 23CV422424 (Santa Clara Cnty. Super. Ct., Sept. 14, 2023), https://oag.ca.gov/system/files/attachments/press-docs/Filed%20stamped%20Google%20Complaint.pdf.
[309] Attorney General James Seeks information from Madison Square garden Regarding Use of Facial Recognition Technology to Deny Entry to Venues, N.Y. Att’y Gen. (Jan. 25, 2023), https://ag.ny.gov/press-release/2023/attorney-general-james-seeks-information-madison-square-garden-regarding-use.
[310] DFS Announces $1 million Cybersecurity Settlement with First American Title Insurance Company, N.Y. Dept. of Fin. Servs. (Nov. 28, 2023), https://www.dfs.ny.gov/reports_and_publications/press_releases/pr202311281
[311]Id.
[312] AG Ferguson’s lawsuit forces Google to pay nearly $40M over deceptive location tracking, Wash. Att’y Gen. (May 18, 2023) https://www.atg.wa.gov/news/news-releases/ag-ferguson-s-lawsuit-forces-google-pay-nearly-40m-over-deceptive-location.
[313] Press Release, Office of the Indiana Attorney General, Attorney General Todd Rokita Secures $49.5 Million Multistate Settlement with Blackbaud for Data Breach (Oct. 5, 2023), https://events.in.gov/event/attorney_general_todd_rokita_secures_495_million_multistate_settlement_with_blackbaud_for_data_breach.
[314] Press Release, New York State Office of the Attorney General, Attorney General James and Multistate Coalition Secure $6.5 Million from Morgan Stanley for Failing to Protect Customer Data (Nov. 16, 2023), https://ag.ny.gov/press-release/2023/attorney-general-james-and-multistate-coalition-secure-65-million-morgan-stanley.
[315] Press Release, New Jersey Office of the Attorney General, AG Platkin Co-Leads $2.5-Million Multistate Settlement with EyeMed Over Data Breach that Compromised the Personal Information of Millions of Patients (May 16, 2023), https://www.njoag.gov/ag-platkin-co-leads-2-5-million-multistate-settlement-with-eyemed-over-data-breach-that-compromised-the-personal-information-of-millions-of-patients/.
[316] See Notice of Settlement and Joint Stipulation and [Proposed] Order to Stay Litigation Activities Pending Filing of Mot. for Prelim. Approval, In re Orrick, Herrington & Sutcliffe, LLP Data Breach Litig., No. 3:23-cv-04089 (N.D. Cal. Dec. 21, 2023), ECF No. 50.
[317] See Order Granting Final Approval of Class Action Settlement and Pls.’ Mot. for Att’ys’ Fees and Costs, Desue v. 20/20 Eye Care Network Inc., No. 21-61275 (S.D. Fla. July 8, 2023), ECF No. 100.
[318] Identity Theft Resource Center, Q3 2023 Data Breach Analysis, https://www.idtheftcenter.org/wp-content/uploads/2023/10/20231011_Q3-2023-Data-Breach-Analysis.pdf.
[319] Identity Theft Resource Center, Q3 2022 Data Breach Analysis, https://www.idtheftcenter.org/wp-content/uploads/2022/10/20221005_One-Pager_Q3-2022-Data-Breach-Analysis.pdf.
[320] See Transfer Order, In re MOVEit Customer Data Sec. Breach Litig., MDL No. 3083 (J.P.M.L. Oct. 4, 2023); Judicial Panel on Multidistrict Litigation, MDL Statistics Report – Distribution of Pending MDL Dockets by Actions Pending (Jan. 2, 2014), https://www.jpml.uscourts.gov/sites/jpml/files/Pending_MDL_Dockets_By_Actions_Pending-January-2-2024.pdf.
[321] See In re MOVEit Customer Data Sec. Breach Litig., No. 23-3083 (D. Mass.).
[322] TransUnion LLC v. Ramirez, 594 U.S. 413 (2021) (holding that plaintiffs who had not suffered concrete harm due to data breach, and instead claimed they are at heightened risk of future harm, lack standing to sue under Article III).
[323] Id. at 437.
[324] 72 F.4th 365, 375 (1st Cir. 2023) (holding that plaintiff adequately alleged standing based on the filing of a fraudulent tax return that likely resulted from information compromised in the data breach).
[325] Id. at 377.
[326] Bohnak v. Marsh & McLennan Cos., Inc., 79 F.4th 276, 286 (2d Cir. 2023) (cleaned up).
[327] Id. at 287.
[328] 2023 WL 4183380, at *4 (E.D. Va. June 26, 2023).
[329] Id.
[330] Id.
[331] Id.
[332] Id. at *5.
[333] 2023 WL 5608389, at *2 (C.D. Cal. Aug. 29, 2023) (acknowledging that while an increased risk of identity theft stemming from a data breach can constitute a threat of imminent harm sufficient for standing purposes, on the facts of the case, the username and password stolen in the breach were not linked to the plaintiff’s financial accounts, and thus did not give rise to the threat of identity theft).
[334] Id.
[335] See TransUnion, 594 U.S. at 431 (“Every class member must have Article III standing in order to recover individual damages. Article III does not give federal courts the power to order relief to any uninjured plaintiff, class action or not.”).
[336] 344 F.R.D. 38, 52 (D.D.C. 2023).
[337] Id. at 53.
[338] Id. at 55.
[339] See Cornerstone Research, Securities Class Action Trend Cases, https://www.cornerstone.com/insights/research/securities-class-action-trend-cases/.
[340] Complaint ¶ 3, Jaramillo v. Dish Networks Corp., No. 23-734 (D. Colo. Mar. 23, 2023), ECF No. 1.
[341] Complaint ¶ 4, Official Intel. Pty. Ltd., v. Block, Inc., No. 23-2789 (S.D.N.Y. April 3, 2023), ECF No. 1.
[342] 15 U.S.C. § 78u-4(b)(2).
[343] In re Okta, Inc. Securities Litig., 2023 WL 2749193, at *20 (N.D. Cal. Mar. 31, 2023).
[344] Id. at *15.
[345] Id.
[346] See, e.g., Javier v. Assurance IQ, LLC, 2022 WL 1744107 (9th Cir. May 31, 2022); Popa v. Harriet Carter Gifts, Inc., 45 F.4th 687 (3d Cir. 2022).
[347] 18 U.S.C. § 2510 et seq.
[348] Id. § 2511(2)(d).
[349] See Recording Law, All Party (Two Party) Consent States – List and Details, https://recordinglaw.com/party-two-party-consent-states/ (last visited Jan. 26, 2024) (identifying 13 two-party or all-party consent states).
[350] See, e.g., Cal. Penal Code §§ 631, 632 (wiretapping and eavesdropping statutes); id. § 637.2(a) (authorizing a private right of action and statutory damages).
[351] Doe v. Regents of Univ. of California, No. 23-CV-00598-WHO, 2023 WL 3316766 (N.D. Cal. May 8, 2023).
[352] Jackson v. Fandom, Inc., No. 22-CV-04423-JST, 2023 WL 4670285 (N.D. Cal. July 20, 2023).
[353] Id. at *4–5.
[354] Stark v. Patreon, Inc., 656 F. Supp. 3d 1018 (N.D. Cal. 2023).
[355] Id. at 1039–40.
[356] 18 U.S.C. § 1030(a).
[357] Van Buren v. United States, 141 S. Ct. 1648, 1654–55 (2021).
[358] Press Release, Department of Justice, Department of Justice Announces New Policy for Charging Cases under the Computer Fraud and Abuse Act (May 19, 2022), https://www.justice.gov/opa/press-release/file/1507126/download.
[359] United States v. Calonge, 74 F.4th 31, 36 (2d Cir. 2023), cert. denied, 2023 WL 7475309 (U.S. Nov. 13, 2023).
[360] Id. at 33–34.
[361] Id. at 33.
[362] Id. at 33–34.
[363] Id. at 35–36 (citing 18 U.S.C. § 1030(e)(8)).
[364] Calonge v. United States, 2023 WL 7475309 (U.S. Nov. 13, 2023).
[365] ACW Flex Pack LLC v. Wrobel, 2023 WL 4762596, at *6–7 (N.D. Ill. July 26, 2023).
[366] Id. at *3, *6.
[367] Id. at *5.
[368] Id. at *6.
[369] Id. (quoting 18 U.S.C. § 1030(e)(1)) (emphasis removed).
[370] Id. at *6–8.
[371] Id. at *7.
[372] iPurusa, LLC v. Bank of New York Mellon Corp., 2023 WL 3072686, at *7 (D.N.J. Apr. 25, 2023).
[373] Id. at *6.
[374] Id. at *7.
[375] Id.
[376] See, e.g., T. et al v. OpenAI LP et al., Case No. 23-cv-04557, Dkt. 1 ¶¶ 317–326 (N.D. Cal.); P.M. et al v. OpenAI LP et al., Case No. 23-cv-03199-TLT, Dkt. 1 ¶¶ 422–431 (N.D. Cal.); see id. Dkt. 38 (notice of voluntary dismissal).
[377] hiQ Labs, Inc. v. LinkedIn Corp., 31 F.4th 1180 (9th Cir. 2022).
[378] Id. at 1201.
[379] Cal. Penal Code §§ 502(c)(2) & (e)(1).
[380] Id. § 502(b)(1).
[381] Brown v. Google LLC, 2023 WL 5029899, at *1 (N.D. Cal. Aug. 7, 2023).
[382] Id. at *2.
[383] Id. at *18.
[384] Id. at *19 (citing Cal. Penal Code § 502(c)(2)).
[385] Id.
[386] Brown et al. v. Google LLC, Case No. 4:20-cv-03664, Dkt. 1089 (N.D. Cal.).
[387] Nora Gutierrez v. Converse Inc., 2023 WL 8939221, at *1, *5 (C.D. Cal. Oct. 27, 2023).
[388] Id. at *4 (quoting In re iPhone Application Litig., 2011 WL 4403963, at * 12 (N.D. Cal. Sept. 20, 2011)).
[389] Id.
[390] Id. at *5.
[391] 47 U.S.C. § 227.
[392] Facebook, Inc. v. Duguid, 592 U.S. 395 (2021).
[393] Dickson v. Direct Energy, LP, 69 F.4th 338, 348–49 (6th Cir. 2023).
[394] Id. at 345–48.
[395] Drazen v. Pinto, 74 F.4th 1336, 1345–46 (11th Cir. 2023) (reversing Salcedo v. Hanna, 936 F.3d 1162, 1172 (11th Cir. 2019)).
[396] Hall v. Smosh Dot Com, Inc., 72 F.4th 983, 990–91 (9th Cir. 2023).
[397] Id. at 990.
[398] Mauthe v. Millennium Health LLC, 58 F.4th 93, 97 (3d Cir. 2023). The TCPA defines an “unsolicited advertisement” as “any material advertising the commercial availability or quality of any property, goods, or services which is transmitted to any person without that person’s prior express invitation or permission, in writing or otherwise.” 47 U.S.C. § 227(a)(5).
[399] Trim v. Reward Zone USA LLC, 76 F.4th 1157, 1164 (9th Cir. 2023).
[400] Cal. Civ. Code § 1798.150 (West 2023).
[401] California Consumer Privacy Act (CCPA) Litigation, U.S. Cybersecurity and Data Privacy Outlook and Review – 2023 (Jan. 30, 2023), https://www.gibsondunn.com/us-cybersecurity-and-data-privacy-outlook-and-review-2023/.
[402] Order Granting Final Approval of Class Action Settlement, Service v. Volkswagen Grp. of Am., Inc., No. C22-01841 (Cal. Super. Ct. Contra Costa Cnty. May. 31, 2023), https://odyportal.cc-courts.org/Portal/DocumentViewer/DownloadDocumentFile/Download?d=10C938A76250CE4331774E2C729A0D43&c=EC610BADE930EF833C9117C84F5729FC&l=4C398088907DD05C6D76EE93BC04CDF4&cn=F44FB09A29DC4E11FE28DCC41D39CD99&fileName=C22-01841%20-%20Order%20Filed%20Re%20Granting%20Final%20Approval&docTypeId=3&isVersionId=False.
[403] Id. at 4.
[404] Carter v. Vivendi Ticketing US LLC, No. SACV2201981(DFMx), 2023 WL 8153712 (C.D. Cal. Oct. 30, 2023).
[405] Id.
[406] Id. at *2.
[407] Gershfeld v. Teamviewer US, Inc., No. SACV2100058(ADSx), 2021 WL 3046775 (C.D. Cal. June 24, 2021).
[408] Id. at 2.
[409] Gershfeld v. TeamViewer US, Inc., No. 21-55753, 2023 WL 334015 (9th Cir. Jan. 20, 2023) (mem.).
[410] Alexander v. Wells Fargo Bank, N.A., No. 23-CV-617-DMS-BLM, 2023 WL 5109532 (S.D. Cal. Aug. 9, 2023).
[411] California Consumer Privacy Act (CCPA) Litigation, U.S. Cybersecurity and Data Privacy Outlook and Review – 2023 (Jan. 30, 2023), https://www.gibsondunn.com/us-cybersecurity-and-data-privacy-outlook-and-review-2023/.
[412] Brown v. Google LLC, No. 4:20-CV-3664, 2023 WL 5029899 (N.D. Cal. Aug. 7, 2023).
[413] Id.
[414] Id. at *21.
[415] Id.
[416] Id. at *21.
[417] Id.
[418] Cal. Civ. Code § 1798.150(b).
[419] California Consumer Privacy Act (CCPA) Litigation, U.S. Cybersecurity and Data Privacy Outlook and Review – 2023 (Jan. 30, 2023), https://www.gibsondunn.com/us-cybersecurity-and-data-privacy-outlook-and-review-2023/.
[420] Guy v. Convergent Outsourcing, Inc., No. C22-1558, 2023 WL 4637318 (W.D. Wash. July 20, 2023).
[421] Cal. Civ. Code § 1798.150(b).
[422] Guy, 2023 WL 4637318.
[423] Griffey v. Magellan Health Inc., No. CV-20-01282-PHX, 2022 WL 1811165, at *6 (D. Ariz. June 2, 2022).
[424] Guy, 2023 WL 4637318, at *9.
[425] Florence v. Order Express, Inc., No. 22 C 7210, 2023 WL 3602248 (N.D. Ill. May 23, 2023).
[426] Id. at *7 (internal quotations omitted).
[427] Cal. Civ. Code § 1798.150(b).
[428] Florence, 2023 WL 3602248, at *7.
[429] California Consumer Privacy Act (CCPA) Litigation, U.S. Cybersecurity and Data Privacy Outlook and Review – 2023 (Jan. 30, 2023), https://www.gibsondunn.com/us-cybersecurity-and-data-privacy-outlook-and-review-2023/.
[430] Durgan v. U-Haul Int’l Inc., No. CV-22-01565-PHX, 2023 WL 7114622 (D. Ariz. Oct. 27, 2023).
[431] Id. at *7.
[432] Id. at *6.
[433] In re Bank of Am. California Unemployment Benefits Litig., No. 21-MD-2992-LAB-MSB, 2023 WL 3668535 (S.D. Cal. May 25, 2023).
[434] Id. at *13–15.
[435] Id. at *15.
[436] Tims v. Black Horse Carriers, Inc., 216 N.E.3d 845 (Ill. 2023).
[437] 735 Ill. Comp. Stat. Ann. 5/13-205 (2022).
[438] Tims, 216 N.E.3d at 854.
[439] Cothron v. White Castle Sys., Inc., 216 N.E.3d 918, 920 (Ill. 2023).
[440] Id. at 928.
[441] Id. at 929.
[442] Minor v. Oldcastle Servs. Inc., No. 21‐CV‐503‐SMY (S.D. Ill. Mar. 22, 2023).
[443] Jones v. Microsoft Corp., No. 1:22‐cv‐03437 (N.D. Ill. Jan. 9, 2023).
[444] Id. at 7–8.
[445] Warmack‐Stillwell v. Christian Dior, Inc., No. 22‐C‐4633 (N.D. Ill. Feb. 10, 2023).
[446] Crumpton v. Octapharma Plasma, Inc., 513 F. Supp. 3d 1006, 1015–17 (N.D. Ill. 2021).
[447] Id.
[448] Tex. Bus. & Com. Code § 503.001.
[449] Tex. v. Meta Platforms, Inc., Cause No. 22-0121 (Tex. Dist. Ct. Feb. 8, 2023).
[450] Press Release, Attorney General of Texas, Paxton Sues Google for its Unauthorized Capture and Use of Biometric Data and Violation of Texans’ Privacy (Oct. 20, 2022), https://texasattorneygeneral.gov/news/releases/paxton-sues-google-its-unauthorized-capture-and-use-biometric-data-and-violation-texans-privacy.
[451] Gross v. Madison Square Garden Ent. Corp., No. 1:23-cv-03380 (S.D.N.Y. filed Apr. 21, 2023).
[452] Second Amended Complaint at 2–3, Gross v. Madison Square Garden Ent. Corp., No. 1:23-cv-03380 (S.D.N.Y. June 9, 2023).
[453] Id.
[454] Id. at 23–24.
[455] Id. at 25.
[456] Report & Recommendation, Gross v. Madison Square Garden Ent. Corp., No. 23-cv-3380 (S.D.N.Y. Jan. 9, 2024).
[457] Id. at 14.
[458] Id. at 18.
[459] Id. at 20 (quoting Zoll v. Ruder Finn, Inc., No. 01-cv-139 (CSH), 2004 WL 42260, at *4 (S.D.N.Y. Jan. 7, 2004)).
[460] Id. at 21.
[461] Id. at 8–13.
[462] 598 U.S. 471 (2023).
[463] 598 U.S. 617 (2023).
[464] Taamneh, 598 U.S. at 482.
[465] Gonzalez, 598 U.S. at 621.
[466] Taamneh, 598 U.S. at 501–02.
[467] Gonzalez, 598 U.S. at 622.
[468] Minahan v. Google LLC, No. 22-cv-5652, 2023 WL 3605329, at *1 (N.D. Cal. May 1, 2023), appeal filed, No. 23-15775 (9th Cir. May 22, 2023).
[469] Id. at *2.
[470] M.K. v. Google LLC, No. 21-cv-08465, 2023 WL 4937287 (N. D. Cal. filed Oct. 29, 2021).
[471] Id. at *10.
[472] Id. at *3.
[473] Id.
[474] Id. at *5.
[475] Id. at *6–7.
[476] Ramirez v. The Paradies Shops, LLC, 69 F.4th 1213, 1221 (11th Cir. 2023).
[477] Id. at 1216.
[478] Id.
[479] Id. at 1220–21.
[480] Class Action Complaint at 2–3, Pai v. Tesla, Inc., Case 4:23-cv-04550 (N.D. Cal. filed Sept. 5, 2023).
[481] Id.
[482] The Digital Revolution Engineering Smart City Infrastructure, Utilities One (Oct. 27, 2023), https://utilitiesone.com/the-digital-revolution-engineering-smart-city-infrastructure.
[483] Ashley Johnson, Balancing Privacy and Innovation in Smart Cities and Communities, Info. Tech. & Innovation Found. (Mar. 6, 2023), https://itif.org/publications/2023/03/06/balancing-privacy-and-innovation-in-smart-cities-and-communities/.
[484] Id.
[485] Diana Baker Freeman, Why Local Governments Are a Target for Cyber Attacks and Steps to Prevent It, Governing (May 6, 2022), https://www.governing.com/sponsored/why-local-governments-are-a-target-for-cyber-attacks-and-steps-to-prevent-it.
[486] Richard Forno, Local Governments Are Attractive Targets for Hackers and Are Ill-Prepared, Ctr. for Internet & Soc’y (Mar. 28, 2022), https://cyberlaw.stanford.edu/blog/2022/03/local-governments-are-attractive-targets-hackers-and-are-ill-prepared.
[487] Ashley Johnson, Balancing Privacy and Innovation in Smart Cities and Communities, Info. Tech. & Innovation Found. (Mar. 6, 2023), https://itif.org/publications/2023/03/06/balancing-privacy-and-innovation-in-smart-cities-and-communities/.
[488] Id.
[489] Maya Shwayder, The Future of Smart Cities May Mean the Death of Privacy, Digit. Trends (Apr. 22, 2020), https://www.digitaltrends.com/news/smart-cities-privacy-security/.
[490] Ashley Johnson, Balancing Privacy and Innovation in Smart Cities and Communities, Info. Tech. & Innovation Found. (Mar. 6, 2023), https://itif.org/publications/2023/03/06/balancing-privacy-and-innovation-in-smart-cities-and-communities/.
[491] What is Edge Computing?, IBM (last visited Jan. 18, 2024), https://www.ibm.com/topics/edge-computing.
[492] Mary K. Pratt, 7 Edge Computing Trends to Watch in 2023 and Beyond, TechTarget (Dec. 8, 2022), https://www.techtarget.com/searchcio/tip/Top-edge-computing-trends-to-watch-in-2020.
[493] Id.
[494] Id.
[495] Id.
[496] Pete Swabey, Why Edge Computing is a Double-Edged Sword for Privacy, Tech Monitor (Mar. 31, 2023), https://techmonitor.ai/focus/privacy-on-the-edge-why-edge-computing-is-a-double-edged-sword-for-privacy.
[497] Id.
[498] Id.
[499] Id.
[500] Matthew Gooding, Can GAIA-X Solve Europe’s Data Sovereignty Problem?, Tech Monitor (Apr. 8, 2021), https://techmonitor.ai/technology/cloud/what-is-gaia-x-eu-data-sovereignty.
[501] Executive Office of the President, Office of Science and Technology Policy, National Strategy To Advance Privacy-Preserving Data Sharing and Analytics (Mar. 2023), https://www.whitehouse.gov/wp-content/uploads/2023/03/National-Strategy-to-Advance-Privacy-Preserving-Data-Sharing-and-Analytics.pdf.
[502] OECD, Emerging Privacy-Enhancing Technologies, Current Regulatory and Policy Approaches, OECD Digital Economy Papers, No. 351, 2 (Mar. 2023), https://www.oecd-ilibrary.org/deliver/bf121be4-en.pdf?itemId=/content/paper/bf121be4-en&mimeType=pdf.
[503]Executive Office of the President, Office of Science and Technology Policy, National Strategy To Advance Privacy-Preserving Data Sharing and Analytics (Mar. 2023), https://www.whitehouse.gov/wp-content/uploads/2023/03/National-Strategy-to-Advance-Privacy-Preserving-Data-Sharing-and-Analytics.pdf.
[504] Id.
[505] Id.
[506] Id.
[507] Id.
[508] Id.
[509] Id.
[510] Id.
[511] Pete Swabey, Why Edge Computing is a Double-Edged Sword for Privacy, Tech Monitor (Mar. 31, 2023), https://techmonitor.ai/focus/privacy-on-the-edge-why-edge-computing-is-a-double-edged-sword-for-privacy.
[512] Executive Office of the President, Office of Science and Technology Policy, National Strategy To Advance Privacy-Preserving Data Sharing and Analytics (Mar. 2023), https://www.whitehouse.gov/wp-content/uploads/2023/03/National-Strategy-to-Advance-Privacy-Preserving-Data-Sharing-and-Analytics.pdf.
[513] Id.
[514] Shafi Goldwasser et al., The Knowledge Complexity of Interactive Proof Systems, 18 SIAM J. Computing 186 (1989).
[515] Eli Ben-Sasson et al., Zerocash: Decentralized Anonymous Payments from Bitcoin, Zerocash, (May 18, 2014), http://zerocash-project.org/media/pdf/zerocash-extended-20140518.pdf.
[516] Tianyi Liu et al., zkCNN: Zero Knowledge Proofs for Convolutional Neural Network Predictions and Accuracy, Comput. & Commc’ns Sec. (2021), https://doi.org/10.1145/3460120.3485379.
[517] Executive Office of the President, Office of Science and Technology Policy, National Strategy To Advance Privacy-Preserving Data Sharing and Analytics (Mar. 2023), https://www.whitehouse.gov/wp-content/uploads/2023/03/National-Strategy-to-Advance-Privacy-Preserving-Data-Sharing-and-Analytics.pdf.
[518] Id.
[519] Id.
[520] Jennifer Bryant, European Commission Adopts EU-US Adequacy Decision, Int’l Ass’n Priv. Pros. (July 10, 2023), https://iapp.org/news/a/european-commission-adopts-eu-u-s-adequacy-decision/.
[521] Id.
[522] Natasha Lomas, Europe’s Top Court Strikes Down Flagship EU-US Data Transfer Mechanism, TechCrunch (July 16, 2020), https://techcrunch.com/2020/07/16/europes-top-court-strikes-down-flagship-eu-us-data-transfer-mechanism/.
[523] Natasha Lomas, Europe Adopts US Data Adequacy Decision, TechCrunch (July 10, 2023), https://techcrunch.com/2023/07/10/eu-us-data-privacy-framework-adoption/.
[524] Id.
[525] Id.
[526] Press Release, Department of Commerce, Data Privacy Framework Program Launches New Website Enabling U.S. Companies to Participate in Cross-Border Data Transfers (July 17, 2023), https://www.commerce.gov/news/press-releases/2023/07/data-privacy-framework-program-launches-new-website-enabling-us.
[527] Press Release, Senator Ron Wyden, Wyden, Lee, Davidson and Lofgren Introduce Bipartisan Legislation to Reauthorize and Reform Key Surveillance Law, Secure Protections for Americans’ Rights (Nov. 7, 2023), https://www.wyden.senate.gov/news/press-releases/wyden-lee-davidson-and-lofgren-introduce-bipartisan-legislation-to-reauthorize-and-reform-key-surveillance-law-secure-protections-for-americans-rights.
[528] Noah Chauvin & Elizabeth Goitein, Reform Bill Would Protect Americans from Warrantless Surveillance, Brennan Ctr. for Just. (Nov. 7, 2023), https://www.brennancenter.org/our-work/analysis-opinion/reform-bill-would-protect-americans-warrantless-surveillance.
[529] On December 22, 2023, President Biden signed the National Defense Authorization Act, which included a Congressional measure extending Section 702 until mid-April 2024. Rebecca Beitsch, Congress Approves Short-Term Extension of Warrantless Surveillance Powers, The Hill (Dec. 12, 2023), https://thehill.com/policy/national-security/4360341-fisa-congress-approves-short-term-extension-warrantless-surveillance-powers; see also Press Release, White House, Joseph R. Biden, Statement from President Biden on H.R. 2670, National Defense Authorization Act for Fiscal Year 2024 (Dec. 22, 2023), https://www.whitehouse.gov/briefing-room/statements-releases/2023/12/22/statement-from-president-joe-biden-on-h-r-2670-national-defense-authorization-act-for-fiscal-year-2024/.
[530] Noah Chauvin & Elizabeth Goitein, Reform Bill Would Protect Americans from Warrantless Surveillance, Brennan Ctr. for Just., (Nov. 7, 2023), https://www.brennancenter.org/our-work/analysis-opinion/reform-bill-would-protect-americans-warrantless-surveillance.
[531] Id.
[532] Id.
[533] Id.
[534] Id.
[535] Electronic Communications Privacy Act (ECPA), Elec. Priv. Info. Ctr. (last visited Jan. 19, 2024), https://epic.org/ecpa/; see also Press Release, Senator Ron Wyden, Wyden, Lee, Davidson and Lofgren Introduce Bipartisan Legislation to Reauthorize and Reform Key Surveillance Law, Secure Protections for Americans’ Rights (Nov. 7, 2023), https://www.wyden.senate.gov/news/press-releases/wyden-lee-davidson-and-lofgren-introduce-bipartisan-legislation-to-reauthorize-and-reform-key-surveillance-law-secure-protections-for-americans-rights.
[536] Government Surveillance Reform Act of 2023, S. 3234, 118th Cong. (2023).
[537] Id. § 504.
[538] Id.; 47 U.S.C. § 230(f) (2000).
[539] Government Surveillance Reform Act of 2023, S. 3234, 118th Cong. § 504 (2023).
[540] Id. § 501–11.
[541] Id.
[542] Id. § 508.
[543] Id. § 503.
[544] India McKinney, The House Intelligence Committee’s Surveillance ‘Reform’ Bill is a Farce, Elec. Frontier Found. (Dec. 8, 2023), https://www.eff.org/deeplinks/2023/12/section-702-needs-reform-and-oversight-not-expansion-congress-should-oppose-hpsci; see also Jules Roscoe, Congress Pulls Bill That Would Massively Expand Surveillance After ‘Dramatic Showdown’, Vice (Dec. 12, 2023), https://www.vice.com/en/article/y3wkdg/fisa-surveillance-bill-congress-pulled.
[545] Jules Roscoe, Congress Pulls Bill That Would Massively Expand Surveillance After ‘Dramatic Showdown’, Vice (Dec. 12, 2023), https://www.vice.com/en/article/y3wkdg/fisa-surveillance-bill-congress-pulled.
[546] Id.
[547] Press Release, ACLU, Ahead of House Vote, ACLU Sounds Alarm on Bill Greatly Expanding the Government’s Mass Warrantless Surveillance Authority (Dec. 11, 2023), https://www.aclu.org/press-releases/ahead-of-house-vote-aclu-sounds-alarm-on-bill-greatly-expanding-the-governments-mass-warrantless-surveillance-authority.
Gibson Dunn lawyers are available to assist in addressing any questions you may have about these developments. Please contact the Gibson Dunn lawyer with whom you usually work, the authors, or any leader or member of the firm’s Privacy, Cybersecurity & Data Innovation practice group:
United States:
S. Ashlie Beringer – Co-Chair, Palo Alto (+1 650.849.5327, [email protected])
Jane C. Horvath – Co-Chair, Washington, D.C. (+1 202.955.8505, [email protected])
Ryan T. Bergsieker – Denver (+1 303.298.5774, [email protected])
Gustav W. Eyler – Washington, D.C. (+1 202.955.8610, [email protected])
Cassandra L. Gaedt-Sheckter – Palo Alto (+1 650.849.5203, [email protected])
Svetlana S. Gans – Washington, D.C. (+1 202.955.8657, [email protected])
Lauren R. Goldman – New York (+1 212.351.2375, [email protected])
Stephenie Gosnell Handler – Washington, D.C. (+1 202.955.8510, [email protected])
Natalie J. Hausknecht – Denver (+1 303.298.5783, [email protected])
Martie Kutscher Clark – Palo Alto (+1 650.849.5348, [email protected])
Kristin A. Linsley – San Francisco (+1 415.393.8395, [email protected])
Timothy W. Loose – Los Angeles (+1 213.229.7746, [email protected])
Vivek Mohan – Palo Alto (+1 650.849.5345, [email protected])
Rosemarie T. Ring – San Francisco (+1 415.393.8247, [email protected])
Ashley Rogers – Dallas (+1 214.698.3316, [email protected])
Alexander H. Southwell – New York (+1 212.351.3981, [email protected])
Eric D. Vandevelde – Los Angeles (+1 213.229.7186, [email protected])
Benjamin B. Wagner – Palo Alto (+1 650.849.5395, [email protected])
Debra Wong Yang – Los Angeles (+1 213.229.7472, [email protected])
Europe:
Ahmed Baladi – Co-Chair, Paris (+33 (0) 1 56 43 13 00, [email protected])
Nicholas Banasevic* – Managing Director, Brussels (+32 2 554 72 40, [email protected])
Kai Gesing – Munich (+49 89 189 33-180, [email protected])
Joel Harrison – London (+44 20 7071 4289, [email protected])
Vera Lukic – Paris (+33 (0) 1 56 43 13 00, [email protected])
Lars Petersen – Frankfurt/Riyadh (+49 69 247 411 525, [email protected])
Robert Spano – London/Paris (+44 20 7071 4000, [email protected])
Asia:
Connell O’Neill – Hong Kong (+852 2214 3812, [email protected])
Jai S. Pathak – Singapore (+65 6507 3683, [email protected])
*Nicholas Banasevic, Managing Director in the firm’s Brussels office and an economist by background, is not admitted to practice law.
*Jay Mitchell and Samantha Yi are associates in the Washington, D.C. office. Jay is admitted in California and Illinois, and Samantha is admitted in Maryland; both are practicing under supervision of members of the District of Columbia Bar under D.C. App. R. 49.
*Narayan Narasimhan and Christopher Scott, recent law graduates in the New York office, are not admitted to practice law.
© 2024 Gibson, Dunn & Crutcher LLP. All rights reserved. For contact and other information, please visit us at www.gibsondunn.com.
Attorney Advertising: These materials were prepared for general informational purposes only based on information available at the time of publication and are not intended as, do not constitute, and should not be relied upon as, legal advice or a legal opinion on any specific facts or circumstances. Gibson Dunn (and its affiliates, attorneys, and employees) shall not have any liability in connection with any use of these materials. The sharing of these materials does not establish an attorney-client relationship with the recipient and should not be relied upon as an alternative for advice from qualified counsel. Please note that facts and circumstances may vary, and prior results do not guarantee a similar outcome.
From the Derivatives Practice Group: The CFTC cancelled its open meeting this week, but is seeking public comment on a number of issues.
New Developments
- CFTC Cautions the Public to Beware of Artificial Intelligence Scams. On January 25, the CFTC’s Office of Customer Education and Outreach issued a customer advisory warning the public about Artificial Intelligence (AI) scams. Customer Advisory: AI Won’t Turn Trading Bots into Money Machines explains how the scams use the potential of AI technology to defraud investors with false claims that entice them to hand over their money or other assets to fraudsters who misappropriate the funds and deceive investors. The advisory warns investors that claims of high or guaranteed returns are red flags of fraud and that strangers promoting these claims online should be ignored. The CFTC stated that the advisory is intended to help investors identify and avoid potential scams and includes a reminder that AI technology cannot predict the future. It also lists four items investors may consider to avoid such scams: researching the background of a company or trader, researching the history of the trading website, getting a second opinion, and knowing the risks associated with the underlying assets. [NEW]
- CFTC Staff Releases Request for Comment on the Use of Artificial Intelligence in CFTC-Regulated Markets. On January 25, the CFTC’s Divisions of Market Oversight, Clearing and Risk, Market Participants, and Data and the Office of Technology Innovation issued a request for comment (RFC) in an effort to better inform them on the current and potential uses and risks of AI in the derivatives markets that the CFTC regulates. The RFC seeks comment on the definition of AI and its applications, including its use in trading, risk management, compliance, cybersecurity, recordkeeping, data processing and analytics, and customer interactions. The RFC also seeks comment on the risks of AI, including risks related to market manipulation and fraud, governance, explainability, data quality, concentration, bias, privacy and confidentiality and customer protection. The CFTC indicated that staff will consider the responses to the RFC in analyzing possible future actions by the CFTC, such as new or amended guidance, interpretations, policy statements, or regulations. Comments will be accepted until April 24, 2024. [NEW]
- CFTC Seeks Public Comment on Proposed Capital Comparability Determination for Swap Dealers Subject to Supervision by the UK Prudential Regulation Authority. On January 24, the CFTC solicited public comment on a substituted compliance application requesting that the CFTC determine that certain CFTC-registered nonbank swap dealers located in the United Kingdom may satisfy certain Commodity Exchange Act capital and financial reporting requirements by being subject to, and complying with, comparable capital and financial reporting requirements under UK laws and regulations. The Institute of International Bankers, the International Swaps and Derivatives Association, and the Securities Industry and Financial Markets Association submitted the application. In connection with the application, the CFTC also solicited public comment on a proposed comparability determination and related order providing for the conditional availability of substituted compliance to CFTC-registered nonbank swap dealers under the UK Prudential Regulation Authority’s prudential supervision. The comment period will be open until March 24, 2024. [NEW]
- BGC Group Announces Approval for FMX Futures Exchange. On January 22, BGC Group, Inc. (BGC) announced that its FMX Futures Exchange (FMX) received approval from the CFTC to operate an exchange for U.S. Treasury and SOFR futures. BGC will combine their Fenics UST cash Treasury platform and FMX to work across the CME’s U.S. interest rate complex. FMX is party to a clearing agreement with LCH SwapClear, a holder of interest rate collateral, which it indicated will allow for portfolio margining across rates of risk and provide for margin efficiencies and effective risk management. [NEW]
- CFTC Cancels Open Meeting. On January 20, the CFTC cancelled its open meeting scheduled for January 22. According to the CFTC, Tthe following matters will be resolved through the CFTC’s seriatim process:
- Notice of Proposed Order and Request for Comment on an Application for a Capital Comparability Determination Submitted on behalf of Nonbank Swap Dealers subject to Capital and Financial Reporting Requirements of the United Kingdom and Regulated by the United Kingdom Prudential Regulation Authority,
- Proposed Rule: Requirements for Designated Contract Markets and Swap Execution Facilities Regarding Governance and the Mitigation of Conflicts of Interest Impacting Market Regulation Functions. [NEW]
- CFTC Designates IMX Health, LLC as a Contract Market. On January 18, the CFTC announced it has issued an Order of Designation to IMX Health, LLC, granting it designation as a contract market (DCM). IMX Health is a limited liability company registered in Delaware and headquartered in Chicago, Illinois. The CFTC issued the order under Section 5a of the Commodity Exchange Act (CEA) and CFTC Regulation 38.3(a). The CFTC determined IMX Health demonstrated its ability to comply with the CEA provisions and CFTC regulations applicable to DCMs. With the addition of IMX Health, there will be 17 DCMs.
- CFTC Issues Staff Letter No. 24-01. On January 16, the CFTC issued Staff Letter No. 24-01, granting an exemption to LCH SA from the requirements of Regulation 1.49(d) to permit LCH SA to hold customer funds at the Banque du France. Additionally, the CFTC confirmed that it would not recommend enforcement action against LCH SA for failing to obtain, or provide the Commission with, an executed version of the template acknowledgment letter set forth in Appendix B to Regulation 1.20 , as required by Regulations 1.20(g)(4) and 22.5, for customer accounts maintained at the Banque de France.
- SEC Publishes Risk Alert: Observations Related to Security-Based Swap Dealers. On January 10, the SEC’s Division of Examination published a Risk Alert presenting examination and outreach observations concerning compliance with rules applicable to security-based swap dealers. The SEC stated that in sharing these observations, the Division seeks to remind security-based swap dealers of their obligations under relevant security-based swap rules and encourage security-based swap dealers to consider improvements in their compliance programs, as may be appropriate, to further compliance with Exchange Act requirements. The Risk Alert presents observations in the following areas: (1) reporting of security-based swap transactions and correction of reporting errors; (2) business conduct standards; (3) security-based swap trading relationship documentation and portfolio reconciliation; and (4) recordkeeping.
- CFTC Publishes Decentralized Finance Report. On January 8, the CFTC’s Digital Assets and Blockchain Technology Subcommittee of the Technology Advisory Committee (TAC) released a report entitled “Decentralized Finance.” The report discusses TAC’s view that the benefits and risks of DeFi depend significantly on the design and features of specific systems, and that one of its central concerns related to DeFi systems is the lack of, and some industry designs to avoid, clear lines of responsibility and accountability. TAC opined that this feature of DeFi systems may present the clearest ways in which DeFi poses risks to consumers and investors, as well as to financial stability, market integrity and illicit finance—according to TAC, it implicates no clear route to ensuring victim recourse, defense against illicit exploitation, or the ability to insert necessary changes and controls during periods of crisis and network stress. The report finds that government and industry should take timely action to work together, across regulatory and other strategic initiatives, to better understand DeFi.
- SEC Publishes Risk Alert: Observations Related to Security-Based Swap Dealers. On January 10, the SEC’s Division of Examination published a Risk Alert presenting examination and outreach observations concerning compliance with rules applicable to security-based swap dealers. The SEC stated that in sharing these observations, the Division seeks to remind security-based swap dealers of their obligations under relevant security-based swap rules and encourage security-based swap dealers to consider improvements in their compliance programs, as may be appropriate, to further compliance with Exchange Act requirements. The Risk Alert presents observations in the following areas: (1) reporting of security-based swap transactions and correction of reporting errors; (2) business conduct standards; (3) security-based swap trading relationship documentation and portfolio reconciliation; and (4) recordkeeping.
New Developments Outside the U.S.
- EC Publishes Amendments to Clearing Obligation Scope in Light of Benchmark Reform. On January 22, the delegated regulation amending the regulatory technical standards (RTS) defining the scope of the clearing obligation (CO) was published in the EU Official Journal, with the amended requirements due to enter into force 20 days after publication. The EC stated that Tthe amendments were introduced in light of the transition to the TONA and SOFR benchmarks referenced in certain over-the-counter derivatives contracts. The amendment to the scope of the CO consists of introducing TONA overnight indexed swaps (OIS) with maturities up to 30 years and extending the SOFR OIS class subject to the CO to maturities up to 50 years. The adoption follows the publication by the European Securities and Markets Authority (ESMA), on February 1, 2023, of its final report on changes to the scope of the CO and the derivatives trading obligations (DTO) in light of the benchmark transition, following a consultation last year, to which ISDA responded on September 30, 2022. This ESMA report included two draft amending RTS: one draft RTS amending the scope of the CO and one draft RTS amending the scope of the DTO. The delegated regulation containing the RTS amending the scope of the CO has now been published. The RTS on the DTO has not yet been adopted. [NEW]
- RBI Issues Circular on Risk Management and Interbank Dealings. On January 5, the Reserve Bank of India (RBI) issued a circular on risk management and interbank dealings. The RBI stated that it has reviewed the foreign exchange risk management facilities based on the feedback received from market participants and experience gained since the revised framework came into force. It has also consolidated the directions in respect of all types of foreign exchange transactions (including cash, tom and spot). The RBI explained that the directions contained in the Currency Futures (Reserve Bank) Directions, 2008 (Notification No. FED.1/DG(SG)-2008 dated August 06, 2008), and Exchange Traded Currency Options (Reserve Bank) Directions, 2010 (Notification No. FED.01/ED(HRK)-2010 dated July 30, 2010), as amended from time to time, are now being incorporated into the Master Direction – Risk Management and Inter-Bank Dealings. These revised directions will come into effect on April 5, 2024, replacing the existing directions in Part A (Section I) of the Master Direction – Risk Management and Inter-Bank Dealings dated July 5, 2016, as amended from time to time, superseding the notifications listed in Annex-II.
New Industry-Led Developments
- ISDA, FIA Respond to MAS Consultation on Amendments to the Capital Framework for Approved Exchanges and Clearing Houses. On January 22, ISDA and the FIA jointly responded to the consultation from the Monetary Authority of Singapore (MAS) on proposed amendments to the capital framework for approved exchanges and approved clearing houses. The scope of the response is limited to the capital framework for approved clearing houses. The associations stated that they welcomed the introduction of a separate liquidity requirement and proposed that MAS consider a more conservative minimum threshold of at least 12 months of operating expenses. They also agreed with the proposed amendments that capital components should only include equity instruments and exclude an approved clearing house’s skin-in-the-game. For total risk requirement, the response suggests the alignment of the operational risk component with the liquidity risk requirement and the inclusion of some clarifications on the investment risk and general counterparty risk components. [NEW]
- ISDA Launches Digital Version of 2002 ISDA Equity Derivatives Definitions. On January 18, ISDA launched a fully digital edition of the 2002 ISDA Equity Derivatives Definitions on the ISDA MyLibrary platform, enabling new versions to be released more efficiently as products and market practices evolve in the future. Following consultation with buy- and sell-side market participants, ISDA identified support to move the definitions to a digital format, develop new product provisions and streamline certain components over time. Publication of the 2002 ISDA Equity Derivatives Definitions in digital form is a first step and enables further changes to be made in future versions.
- BCBS-IOSCO Report Sets Out Recommendations for Good Margin Practices in Non-Centrally Cleared Markets. On January 17, the Basel Committee on Banking Supervision (BCBS) and the International Organization of Securities Commissions (IOSCO) published a report on streamlining VM processes and IM responsiveness of margin models in non-centrally cleared markets, which sets out recommendations for market practices intended to enhance market functioning. The report articulates the policy analyses work carried out by the BCBS-IOSCO in two areas discussed in the September 2022 Review of margining practices: (i) exploring the need to streamline variation margin processes in non-centrally cleared markets and (ii) investigating the responsiveness of initial margin models in non-centrally cleared markets. The consultative report sets out eight recommendations intended to encourage the widespread implementation of good market practices but does not propose any policy changes to the BCBS-IOSCO frameworks. BCBS and IOSCO stated that the first four recommendations aim to address challenges that could inhibit a seamless exchange of variation margin during a period of stress. The other four highlight practices for market participants to implement initiatives in an effort to ensure the calculation of initial margin is consistently adequate for contemporaneous market conditions and proposes that supervisors should monitor whether these developments are sufficient to make this model responsive enough to extreme market shocks. [NEW]
- ISDA Launches Sustainability-linked Derivatives Clause Library. On January 17, ISDA launched a clause library for sustainability-linked derivatives (SLDs), designed to provide standardized drafting options for market participants to use when negotiating SLD transactions with counterparties. SLDs embed a sustainability-linked cashflow in a derivatives structure and use key performance indicators (KPIs) to monitor compliance with environmental, social and governance (ESG) targets, incentivizing parties to meet their sustainability objectives.
- BCBS, CPMI, and IOSCO Publish Consultative Report on Transparency and Responsiveness of Initial Margin in Centrally Cleared Markets. On January 16, BCBS, the Bank for International Settlements’ Committee on Payments and Market Infrastructures (CPMI) and IOSCO jointly published a consultative report—Transparency and responsiveness of initial margin in centrally cleared markets – review and policy proposals—which interested parties are invited to comment on. BCBS, CPMI, and IOSCO stated that the ten policy proposals in the report aim to increase the resilience of the centrally cleared ecosystem by improving participants’ understanding of central counterparties (CCPs) initial margin calculations and potential future margin requirements. The proposals cover CCP simulation tools, CCP disclosures, measurement of initial margin responsiveness, governance frameworks and margin model overrides, and clearing member transparency.
- ISDA and SIFMA Response to US Basel III NPR. On January 16, ISDA and the Securities Industry and Financial Markets Association (SIFMA) submitted a joint response on the US Basel III ‘endgame’ notice of proposed rulemaking (NPR). The response focuses on the Fundamental Review of the Trading Book (FRTB), the revised credit valuation adjustment (CVA) framework, the securities financing transactions requirements and elements of the standardized approach to counterparty credit risk rules. In the response, the associations propose a number of calibration changes to ensure the rules are appropriate and risk sensitive and avoid adverse consequences to US capital markets.
- ISDA and SIFMA Response to G-SIB Surcharge Framework Consultation. On January 16, ISDA and the Securities Industry and Financial Markets Association (SIFMA) submitted a response to a consultation by the US Federal Reserve on proposed changes to the G-SIB surcharge. The response raises concerns that the revised G-SIB surcharge would lead to inappropriately high capital requirements for banks offering client clearing services, potentially discouraging them from participating in this business and contravening a long-standing policy objective to promote central clearing. Specifically, the response argues that client derivatives transactions cleared under the agency model should not be included in the complexity and interconnectedness categories of the G-SIB surcharge calculation.
The following Gibson Dunn attorneys assisted in preparing this update: Jeffrey Steiner, Adam Lapidus, Marc Aaron Takagaki, Hayden McGovern, and Karin Thrasher.
Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments. Please contact the Gibson Dunn lawyer with whom you usually work, any member of the firm’s Derivatives practice group, or the following practice leaders and authors:
Jeffrey L. Steiner, Washington, D.C. (202.887.3632, [email protected])
Michael D. Bopp, Washington, D.C. (202.955.8256, [email protected])
Michelle M. Kirschner, London (+44 (0)20 7071.4212, [email protected])
Darius Mehraban, New York (212.351.2428, [email protected])
Jason J. Cabral, New York (212.351.6267, [email protected])
Adam Lapidus – New York (+1 212.351.3869, [email protected])
Stephanie L. Brooker, Washington, D.C. (202.887.3502, [email protected])
Roscoe Jones Jr., Washington, D.C. (202.887.3530, [email protected])
William R. Hallatt, Hong Kong (+852 2214 3836, [email protected])
David P. Burns, Washington, D.C. (202.887.3786, [email protected])
Marc Aaron Takagaki, New York (212.351.4028, [email protected])
Hayden K. McGovern, Dallas (214.698.3142, [email protected])
Karin Thrasher, Washington, D.C. (202.887.3712, [email protected])
© 2024 Gibson, Dunn & Crutcher LLP. All rights reserved. For contact and other information, please visit us at www.gibsondunn.com.
Attorney Advertising: These materials were prepared for general informational purposes only based on information available at the time of publication and are not intended as, do not constitute, and should not be relied upon as, legal advice or a legal opinion on any specific facts or circumstances. Gibson Dunn (and its affiliates, attorneys, and employees) shall not have any liability in connection with any use of these materials. The sharing of these materials does not establish an attorney-client relationship with the recipient and should not be relied upon as an alternative for advice from qualified counsel. Please note that facts and circumstances may vary, and prior results do not guarantee a similar outcome.
Throughout 2023, regulators around the world continued to face corruption challenges as part of an increasingly competitive—and politically tense—global market. Economic downturns, continued armed conflict, and rising tensions between global superpowers both drove corruption risk, and complicated cooperative enforcement of anti-corruption laws. This webcast will explore the approach taken by emerging markets in addressing these challenges and examine the trends seen in FCPA and local anti-corruption enforcement actions.
Tensions between China and the United States continue to complicate cross-border cooperation, but have not slowed the pace of global and domestic anti-corruption enforcement in the region. China continues to impose new laws and regulations aimed at both bribe payors and recipients, while expanding its anti-corruption sweep in the finance and healthcare sectors. In India, there have been a slew of legislative and regulatory developments that impact compliance requirements and investigative procedures in the country. Widely heralded reforms in Latin America have failed to result in meaningful enforcement actions to curb corruption. In Africa, while recent years have seen encouraging anti-corruption enforcement trends both through local agencies and prosecuting agencies abroad, these advances are threatened by an uptick in non-democratic political transitions and continuing risks of armed conflict. While Russia-focused sanctions have lead many U.S. and European businesses to discontinue operations there, some of Russia‘s neighboring markets have thrived by creating a new map of trade flows, many with new and challenging risk profiles that require significant attention.
Join our team of experienced international anti-corruption attorneys to learn more about how to do business in Asia, Latin America, Europe, CIS and across Africa without running afoul of anti-corruption laws, including the Foreign Corrupt Practices Act (“FCPA”).
Topics to be discussed:
- An overview of FCPA enforcement statistics and trends for 2023;
- The corruption landscape in key emerging markets, including recent headlines and scandals;
- Lessons learned from local anti-corruption enforcement in Asia, Latin America, Europe, CIS, and across Africa;
- Key anti-corruption legislative changes in Asia, Latin America, Europe, CIS, and Africa; and
- Mitigation strategies for businesses operating in high-risk areas
PANELISTS:
Kelly S. Austin leads Gibson Dunn’s White Collar Defense and Investigations Practice Group in Asia and is a global co-chair of the firm’s Anti-Corruption and FCPA Practice Group. Kelly is ranked annually in the top-tier by Chambers Asia Pacific and Chambers Global in Corporate Investigations/Anti-Corruption: China. Her practice focuses on investigations, regulatory compliance and international disputes. She has extensive expertise in government and corporate internal investigations, including those involving the Foreign Corrupt Practices Act (FCPA) and other anti-corruption laws, and anti-money laundering, securities, and trade control laws.
Kelly is a member of the bars of Colorado, Virginia and the District of Columbia, and is admitted to practice in a variety of district and appellate courts in the United States. She is admitted to practice as a solicitor in Hong Kong.
Patrick Doris is a partner in Gibson Dunn’s Dispute Resolution Group in the London office, where he advises financial sector clients and others on OFAC and EU sanctions violations, responses to major cyber-penetration incidents, and other matters relating to national supervisory and regulatory bodies. Patrick’s practice also includes transnational litigation, cross-border investigations, and compliance advisory for clients including major global investment banks, global corporations, leading U.S. operators in the financial sectors, and global manufacturing companies, among others. Most recently, Patrick was recognised by The Legal 500 UK 2024 in the field of Regulatory Investigations and Corporate Crime.
Patrick speaks English, Spanish, French and Catalan, with recent experience of conducting investigations in each of those languages. He is admitted to practice as a solicitor in England & Wales.
Katharina Humphrey is a partner in Gibson Dunn’s Munich office. She advises clients in Germany and throughout Europe on a wide range of compliance and white collar crime matters. Katharina regularly represents multi-national corporations in connection with cross-border internal corporate investigations and government investigations. She has significant expertise in the areas of anti-bribery compliance – especially regarding the enforcement of German anti-corruption laws and the U.S. Foreign Corrupt Practices Act (FCPA) –, technical compliance, as well as sanctions and anti-money-laundering compliance. She also has many years of experience in advising clients with regard to the implementation and assessment of compliance management systems. The Legal 500 Deutschland 2023 and The Legal 500 EMEA 2023 name her the Rising Star in the field of compliance.
Katharina speaks German, English, French and Italian. She is admitted to practice in Germany (Rechtsanwalt).
Benno Schwarz is a partner in Gibson Dunn’s Munich office and co-chair of the firm’s Anti-Corruption & FCPA Practice Group, where his practice focuses on white collar defense and compliance investigations. Benno is ranked annually as a leading lawyer for Germany in White Collar Investigations/Compliance by Chambers Europe and was named by The Legal 500 Deutschland 2023 and The Legal 500 EMEA 2023 as one of our Leading Individuals in Internal Investigations, and also ranked for Compliance. He is noted for his “special expertise on compliance matters related to the USA and Russia.” Benno advises companies on sensitive cases and investigations involving compliance issues with international aspects, such as the implementation of German or international laws in anti-corruption, money laundering and economic sanctions, and he has exemplary experience advising companies in connection with FCPA and NYDFS monitorships or similar monitor functions under U.S. legal regimes.
Benno speaks German and English and is a state-certified translator (IHK) for Russian, which makes it possible for him to carry out internal investigations and regulatory proceedings in all three languages. He has practiced as an admitted German lawyer (Rechtsanwalt) since 1993.
Patrick F. Stokes is a litigation partner in Gibson Dunn’s Washington, D.C. office, where he is the co-chair of the Anti-Corruption and FCPA Practice Group and a member of the firm’s White Collar Defense and Investigations, Securities Enforcement, and Litigation Practice Groups. Patrick’s practice focuses on internal corporate investigations, government investigations, enforcement actions regarding corruption, securities fraud, and financial institutions fraud, and compliance reviews. He has tried more than 30 federal jury trials as first chair, including high-profile white-collar cases, and handled 16 appeals before the U.S. Court of Appeals for the Fourth Circuit. Patrick regularly represents companies and individuals before DOJ and the SEC, in court proceedings, and in confidential internal investigations. Most recently, Best Lawyers in America® recognized Patrick as a “Best Lawyer” in Criminal Defense: White-Collar (2024).
Patrick is a member of the bars of Maryland and the District of Columbia.
Oliver D. Welch is a resident partner in Gibson Dunn’s Hong Kong office and a partner in the Singapore office. Oliver has extensive experience representing multi-national corporations throughout the Asia region on a wide variety of compliance and anti-corruption issues. He focuses on internal and regulatory investigations, including those involving the Foreign Corrupt Practices Act and regularly counsels clients on their anti-corruption compliance programs and controls, including the drafting of policies, procedures, and training materials designed to foster compliance with global anti-corruption laws. Oliver also frequently advises on anti-corruption due diligence in connection with corporate acquisitions, private equity investments, and other business transactions.
He speaks Korean and is a member of the bars of New York and the District of Columbia.
Ning Ning is an of counsel in the Hong Kong office. Ning’s practice focuses on advising clients on government and internal investigations compliance counseling, and compliance due diligence matters across the Asia-Pacific region. She has represented clients before the U.S. Department of Justice (DOJ) and the U.S. Securities and Exchange Commission (SEC) involving potential violations of the U.S. Foreign Corrupt Practices Act, securities laws, and other white collar defense matters. Ning is a native Mandarin speaker and has extensive experiences in China-related investigations and compliance matters.
Ning is a member of the bar of Illinois. She is admitted to practice as a solicitor in Hong Kong.
Karthik Ashwin Thiagarajan, an of counsel in the Singapore office, assists clients with investigations in the information technology, fin-tech, telecommunications, logistics and fast-moving consumer goods sectors in India and Southeast Asia. He advises clients on internal investigations and anti-corruption reviews in the region. A client praised him for being “on top of his trade” in the India Business Law Journal’s 2019 “Leaders of the pack” report.
Karthik speaks English, Hindi, Tamil and Kannada. He is admitted to practice in India and New York.
MCLE CREDIT INFORMATION:
This program has been approved for credit in accordance with the requirements of the New York State Continuing Legal Education Board for a maximum of 2.0 credit hours, of which 2.0 credit hours may be applied toward the areas of professional practice requirement. This course is approved for transitional/non-transitional credit.
Gibson, Dunn & Crutcher LLP certifies that this activity has been approved for MCLE credit by the State Bar of California in the amount of 2.0 hours.
Gibson, Dunn & Crutcher LLP is authorized by the Solicitors Regulation Authority to provide in-house CPD training. This program is approved for CPD credit in the amount of 2.0 hours. Regulated by the Solicitors Regulation Authority (Number 324652).
Neither the Connecticut Judicial Branch nor the Commission on Minimum Continuing Legal Education approve or accredit CLE providers or activities. It is the opinion of this provider that this activity qualifies for up to 2 hours toward your annual CLE requirement in Connecticut, including 0 hour(s) of ethics/professionalism.
Application for approval is pending with the Colorado, Illinois, Texas, Virginia and Washington State Bars.
© 2024 Gibson, Dunn & Crutcher LLP. All rights reserved. For contact and other information, please visit us at www.gibsondunn.com.
Attorney Advertising: These materials were prepared for general informational purposes only based on information available at the time of publication and are not intended as, do not constitute, and should not be relied upon as, legal advice or a legal opinion on any specific facts or circumstances. Gibson Dunn (and its affiliates, attorneys, and employees) shall not have any liability in connection with any use of these materials. The sharing of these materials does not establish an attorney-client relationship with the recipient and should not be relied upon as an alternative for advice from qualified counsel. Please note that facts and circumstances may vary, and prior results do not guarantee a similar outcome.
The new thresholds and new filing fees will take effect 30 days after publication in the Federal Register.
On January 22, 2024, the Federal Trade Commission announced its annual update of thresholds for pre-merger notifications of certain M&A transactions under the Hart-Scott-Rodino Antitrust Improvements Act of 1976 (“HSR Act”).[1] Pursuant to the statute, the HSR Act’s jurisdictional thresholds are updated annually to account for changes in the gross national product. The new thresholds will take effect 30 days after publication in the Federal Register and apply to transactions that close on or after that date.
The size-of-transaction threshold for reporting proposed mergers and acquisitions under Section 7A of the Clayton Act will increase by $8.1 million, from $111.4 million in 2023 to $119.5 million for 2024.
|
Original Threshold |
2023 Threshold |
2024 Threshold |
|
$10 million |
$22.3 million |
$23.9 million |
|
$50 million |
$111.4 million |
$119.5 million |
|
$100 million |
$222.7 million |
$239 million |
|
$110 million |
$245 million |
$262.9 million |
|
$200 million |
$445.5 million |
$478 million |
|
$500 million |
$1.1137 billion |
$1.195 billion |
|
$1 billion |
$2.2274 billion |
$2.39 billion |
The HSR filing fees have been revised pursuant to the 2023 Consolidated Appropriations Act. The new filing fees, which will also take effect 30 days after publication in the Federal Register, will be:
|
Fee |
Size of Transaction |
|
$30,000 |
Valued at less than $173.3 million |
|
$105,000 |
Valued at $173.3 million or more but less than $536.5 million |
|
$260,000 |
Valued at $536.5 million or more but less than $1.073 billion |
|
$415,000 |
Valued at $1.073 billion or more but less than $2.146 billion |
|
$830,000 |
Valued at $2.146 billion or more but less than $5.365 billion |
|
$2,335,000 |
$5.365 billion or more |
The 2024 thresholds triggering prohibitions on certain interlocking directorates on corporate boards of directors are $48,559,000 for Section 8(a)(l) (size of corporation) and $4,855,900 for Section 8(a)(2)(A) (competitive sales). The Section 8 thresholds took effect on January 22, 2024.
__________
[1] Press Release, Federal Trade Commission, FTC Announces 2024 Update of Size of Transaction Thresholds for Premerger Notification Filings, January 22, 2024, available at: https://www.ftc.gov/news-events/news/press-releases/2024/01/ftc-announces-2024-update-size-transaction-thresholds-premerger-notification-filings?utm_source=govdelivery
Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these issues. If you have any questions about the new HSR size of transaction thresholds, or HSR and antitrust/competition regulations and rulemaking more generally, please contact the Gibson Dunn lawyer with whom you usually work, any member of the firm’s Antitrust and Competition, Mergers and Acquisitions, or Private Equity practice groups, or the following authors and practice leaders:
Antitrust and Competition:
Rachel S. Brass – San Francisco (+1 415.393.8293, [email protected])
Andrew Cline – Washington, D.C. (+1 202.887.3698, [email protected])
Jamie E. France – Washington, D.C. (+1 202.955.8218, [email protected])
Cynthia Richman – Washington, D.C. (+1 202.955.8234, [email protected])
Stephen Weissman – Washington, D.C. (+1 202.955.8678, [email protected])
Chris Wilson – Washington, D.C. (+1 202.955.8520, [email protected])
Mergers and Acquisitions:
Robert B. Little – Dallas (+1 214.698.3260, [email protected])
Saee Muzumdar – New York (+1 212.351.3966, [email protected])
Private Equity:
Richard J. Birns – New York (+1 212.351.4032, [email protected])
Ari Lanin – Los Angeles (+1 310.552.8581, [email protected])
Michael Piazza – Houston (+1 346.718.6670, [email protected])
John M. Pollack – New York (+1 212.351.3903, [email protected])
© 2024 Gibson, Dunn & Crutcher LLP. All rights reserved. For contact and other information, please visit us at www.gibsondunn.com.
Attorney Advertising: These materials were prepared for general informational purposes only based on information available at the time of publication and are not intended as, do not constitute, and should not be relied upon as, legal advice or a legal opinion on any specific facts or circumstances. Gibson Dunn (and its affiliates, attorneys, and employees) shall not have any liability in connection with any use of these materials. The sharing of these materials does not establish an attorney-client relationship with the recipient and should not be relied upon as an alternative for advice from qualified counsel. Please note that facts and circumstances may vary, and prior results do not guarantee a similar outcome.
Los Angeles partner Bradley Hamburger, San Francisco associate Ryan Azad and Los Angeles associate Matt Aidan Getz are the authors of “Calif. High Court Ruling Outlines Limits On PAGA Actions” published by Law360 on January 23, 2024.
Los Angeles partner Michael Holecek contributed to the article.
The court’s opinion is quite favorable to government plaintiffs on a number of key fronts, and as a result, likely will be frequently trumpeted by DOJ and FTC in future merger enforcement cases.
On January 8, 2024, Judge Edgardo Ramos of the Southern District of New York issued his ruling in the FTC’s challenge to the proposed acquisition of DeepIntent by IQVIA.[1] The decision, a victory for the FTC, is one likely to be cited early and often by antitrust plaintiffs in Section 7 cases.
BACKGROUND
FTC alleged that IQVIA’s Lasso and Propel Media’s DeepIntent were two leading firms providing programmatic advertising to healthcare professionals.[2] Programmatic advertising is an automated way of presenting targeted advertising, in the form of website-based ads, to a specific cohort, in this case, doctors, nurses, and other health practitioners.[3]
After investigating the proposed acquisition, after which DeepIntent would become part of the IQVIA portfolio, the FTC filed a lawsuit in federal court to temporarily enjoin the transaction pending an in-house administrative proceeding.[4] As discussed below, the court’s opinion reads quite favorably to government plaintiffs on a number of key fronts, and as a result, will likely be frequently trumpeted by DOJ and FTC in future merger enforcement cases.
ANALYSIS
The Court Placed Undue Weight on the 30 Percent Market Share Threshold in Philadelphia National Bank. Perhaps the most concerning aspect of the IQVIA decision is its seeming reinvigoration of the 30 percent market share presumption in Philadelphia National Bank,[5] a case that celebrated its 60th birthday last year.
To refresh on Philadelphia National Bank, one of the earliest cases applying Section 7 of the Clayton Act, the opinion established the structural presumption—a minimum level of market concentration that creates a rebuttable presumption that a merger is anticompetitive. The decision states that, at least as concerns bank mergers, 30 percent market share held by the combined firm is the threshold above which a merger “threaten[s] undue concentration . . .”[6]
The IQVIA court had to consider two competing market share calculations. The FTC’s expert contended the combined firm would comprise 46 percent of the market, while the Defendants’ expert asserted that the combined share would hold 30.6 percent share.[7] Rather than resolving this difference, the court essentially applied Philadelphia National Bank to reduce the dispute largely to irrelevance, concluding that even under the Defendants’ lower market share figures,[8] the transaction satisfies the presumption.
With FTC’s prima facie case established, the remainder of the exercise became largely academic. Even while the court agreed with Defendants that the market was “dynamic and fast-moving,” this nevertheless was an insufficient basis to question whether the “static snapshot of market shares” presented by the FTC was indicative of likely competitive harm.[9] The court disregarded Defendants’ evidence of competitive pressure from other firms. It concluded that the FTC was “not required to establish that DeepIntent and Lasso are exclusive competitors,”[10]—a facile resolution of an otherwise complex question. Concerns pointed out by Defendants about input data used in the FTC expert’s merger simulation were set aside, because per the court, its duty was not to “sift through various models and theories.”[11] So, while the court stated in a footnote that “market shares alone are not dispositive,”[12] the opinion reads functionally the opposite.
To be clear, this article does not contend that Philadelphia National Bank has been overruled or repudiated. Rather, the IQVIA opinion seems to apply, uncritically, the 30 percent market share threshold presented in Philadelphia National Bank without: 1) considering whether this is appropriate given subsequent Supreme Court precedent in General Dynamics[13] and Marine Bancorporation,[14] and 2) carefully evaluating whether concentration figures accurately reflect the competitive dynamic in the marketplace. As noted in the seminal Baker Hughes decision, General Dynamics and Marine Bancorporation, even while not overruling Philadelphia National Bank, caution courts not to impose a practically insurmountable burden on section 7 defendants simply because the government has presented plausible market shares above the threshold.[15] The IQVIA decision appears to do just that.
The Court Applied a More Lenient Preliminary Injunction Standard. The FTC also benefitted from the court’s application of a low bar for obtaining a preliminary injunction. The applicable standard under Section 13(b) of the Clayton Act (which authorizes the FTC to file suit in federal court to seek preliminary injunctive relief pending an administrative hearing) was also a subject of dispute between the parties.
The FTC, citing FTC v. Lancaster Colony Corp.,[16] contended that it need only show “a fair and tenable chance of ultimate success on the merits.”[17] Defendants argued that the FTC must go further and present evidence that “raise[s] questions going to the merits so serious, substantial, difficult and doubtful as to make them fair ground for thorough investigation, study, deliberation and determination by the FTC in the first instance and ultimately by the Court of Appeals.”[18] As it does at other points in the decision, the court declines to resolve the dispute, instead concluding that it doesn’t matter, stating “there is no meaningful difference between the two standards.”[19]
This resolution is at odds with other decisions on the subject. Notably, in FTC v. Staples,[20] the court concluded that there was a difference (and that fair and tenable was the incorrect benchmark), and cited the Second Circuit decision in Fruehauf, which held that “the government must show a reasonable probability that the proposed transaction would substantially lessen competition in the future”[21]—a burden which, however construed, is more onerous than “a fair and tenable chance of ultimate success on the merits.” Here too, it appears the court settled the matter in a manner that made the FTC’s job far easier than Circuit authority requires.
Programmatic Advertising Competes in a Broader Advertising Market. Another key dispute in the IQVIA decision concerned product-market definition and the question whether programmatic advertising directed at healthcare professionals competed with other forms of advertising such as social media and digital advertising on medical websites such as WebMD.[22]
The court, applying Brown Shoe factors, concluded that programmatic advertising qualified as a distinct product market because of some distinct features specific to programmatic advertising such as the availability and granularity of ad performance data.[23] It also highlighted perceived disadvantages of other forms of advertising, such as the limited reach of social media advertising.[24]
However, the court seemed reluctant to fully engage with the evidence presented by Defendants showing that the purchasers of advertising often move their dollars among different advertising channels—including channels that the court concluded are not reasonable substitutes for programmatic advertising.[25] The opinion even credits Defendants’ evidence in this regard, noting “[t]o be clear, social media companies and endemic websites are competing with DSPs in a broad sense. An agency running an advertising campaign will not have an unlimited budget, so it must make decisions about how to allocate the advertising funds it has.”[26] But it is difficult, at best, to square the fact that these channels do compete with the court’s conclusion that they nevertheless are out of the market.
Ultimately, the opinion applies an eye-of-the-needle product-market definition, concluding that other channels are out of the market mainly because they are not identical and perfect substitutes for programmatic advertising—even though purchasers of these products are allocating their money across both programmatic and non-programmatic advertising. Given this plaintiff-friendly conclusion, we should expect to see parties advocating for ultra-narrow product-market definitions frequently citing IQVIA.
CONCLUSIONS AND LOOKING FORWARD
IQVIA is, for now, an unmitigated victory for the FTC, and one that, if affirmed or not appealed, will embolden merger enforcement efforts under the Biden Administration. But the court’s opinion ignores or unwinds formerly well-settled precedent, which may ultimately confuse rather than clarify the resolution of Section 7 actions for years to come.
__________
[1] FTC v. IQVIA Holdings Inc. and Propel Media, Inc., No. 23 Civ. 06188, 2024 WL 81232 (S.D.N.Y. Jan. 8, 2024) (hereinafter, “IQVIA”).
[2] Id. at 1.
[3] Id.
[4] Id.
[5] United States v. Philadelphia National Bank, 374 U.S. 321 (1963).
[6] Id. at 364.
[7] IQVIA, at 34.
[8] Id.
[9] Id. at 43-44.
[10] Id. at 40.
[11] Id. at 42.
[12] Id. at 33 n.24.
[13] United States v. General Dynamics Corp., 415 U.S. 486 (1974).
[14] United States v. Marine Bancorporation, 1073 418 U.S. 602 (1974).
[15] United States v. Baker Hughes, Inc., 908 F.2d 981, 991 (D.C. Cir. 1990).
[16] FTC v. Lancaster Colony Corp., 434 F. Supp. 1088 (S.D.N.Y. 1977).
[17] IQVIA, at 7.
[18] Id.
[19] Id. at 8.
[20] See FTC v. Staples, Inc., 970 F. Supp. 1066, 1072 (D.D.C. 1997).
[21] Fruehauf Corp. v. FTC, 603 F.2d 345, 351 (2d Cir. 1979).
[22] IQVIA, at 2.
[23] Id. at 14.
[24] Id.
[25] Id. at 17.
[26] Id.
Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding the issues discussed in this update. Please contact the Gibson Dunn lawyer with whom you usually work, any member of the firm’s Antitrust and Competition, Mergers and Acquisitions, or Private Equity practice groups, or the following authors and practice leaders:
Antitrust and Competition:
Rachel S. Brass – San Francisco (+1 415.393.8293, [email protected])
Svetlana S. Gans – Washington, D.C. (+1 202.955.8657, [email protected])
Cynthia Richman – Washington, D.C. (+1 202.955.8234, [email protected])
Stephen Weissman – Washington, D.C. (+1 202.955.8678, [email protected])
Chris Wilson – Washington, D.C. (+1 202.955.8520, [email protected])
Mergers and Acquisitions:
Robert B. Little – Dallas (+1 214.698.3260, [email protected])
Saee Muzumdar – New York (+1 212.351.3966, [email protected])
Private Equity:
Richard J. Birns – New York (+1 212.351.4032, [email protected])
Ari Lanin – Los Angeles (+1 310.552.8581, [email protected])
Michael Piazza – Houston (+1 346.718.6670, [email protected])
John M. Pollack – New York (+1 212.351.3903, [email protected])
© 2024 Gibson, Dunn & Crutcher LLP. All rights reserved. For contact and other information, please visit us at www.gibsondunn.com.
Attorney Advertising: These materials were prepared for general informational purposes only based on information available at the time of publication and are not intended as, do not constitute, and should not be relied upon as, legal advice or a legal opinion on any specific facts or circumstances. Gibson Dunn (and its affiliates, attorneys, and employees) shall not have any liability in connection with any use of these materials. The sharing of these materials does not establish an attorney-client relationship with the recipient and should not be relied upon as an alternative for advice from qualified counsel. Please note that facts and circumstances may vary, and prior results do not guarantee a similar outcome.
HNMC, Inc. v. Chan et al., No. 22-0053 – Decided January 19, 2024
On January 19, 2024, the Texas Supreme Court held 9-0 that a property owner isn’t liable for an accident that occurred on an adjacent roadway when the property owner didn’t control any condition on the roadway that caused the accident.
“[C]ourts should not attempt to craft case-specific duties when recognized duty rules apply to the factual situation at hand.”
Justice Busby, writing for the Court
Background:
Francis Chan worked as a nurse at Houston Northwest Medical Center, and she routinely parked her car across the street from the hospital in a lot the hospital owned. Pedestrians routinely used an abandoned crosswalk controlled by Harris County to cross between the hospital and the parking lot. When Chan did so, a vehicle exiting the parking lot struck and killed her. Chan’s estate filed a negligence suit against the driver and the driver’s employer, which designated the hospital and the County as responsible third parties.
A jury found the hospital 20 percent liable, and the en banc court of appeals affirmed. In doing so, the court acknowledged the longstanding principle that premises owners generally have no duty to ensure the safety of an adjacent roadway. But instead of applying that rule, it used the multi-factor balancing test adopted by the Texas Supreme Court in Greater Houston Transportation Co. v. Phillips, 801 S.W.2d 523 (Tex. 1990), to recognize a new duty specific to the situation presented in this case to hold the hospital negligent.
Issue:
Did the court of appeals correctly recognize a new duty that required a hospital to ensure the safety of pedestrians on a road adjacent to its property?
Court’s Holding:
No. A duty rule already exists that contemplates this case’s factual situation, so assessing the Phillips factors to recognize a new duty is improper. Premises owners generally have no duty to ensure the safety of persons on adjacent properties, and the hospital didn’t control any aspect of the adjacent roadway that caused the accident.
What it Means:
- Texas courts may not create new, case-specific duties “[w]hen a duty or no-duty rule already exists that contemplates a particular case’s factual situation.”
- Even if a property owner is aware of an obvious danger on an adjacent property, the owner has no duty if the owner doesn’t control that property.
- The Texas Supreme Court reserved for future consideration the question whether to reconsider, in light of the U.S. Supreme Court’s intervening decision in Dupree v. Younger, 598 U.S. 729, 735–36 (2023), prior precedent holding that the denial of summary judgment on purely legal grounds can’t be challenged on appeal after a trial. Litigants should be on guard to preserve this issue in post-trial proceedings moving forward.
Appellate and Constitutional Law Practice
| Thomas H. Dupree Jr. +1 202.955.8547 [email protected] |
Allyson N. Ho +1 214.698.3233 [email protected] |
Julian W. Poon +1 213.229.7758 [email protected] |
| Brad G. Hubbard +1 214.698.3326 [email protected] |
Related Practice: Litigation
| Reed Brodsky +1 212.351.5334 [email protected] |
Theane Evangelis +1 213.229.7726 [email protected] |
Veronica S. Moyé +1 214.698.3320 [email protected] |
| Helgi C. Walker +1 202.887.3599 [email protected] |
Related Practice: Texas Litigation
| Trey Cox +1 214.698.3256 [email protected] |
Collin Cox +1 346.718.6604 [email protected] |
Michael Raiff +1 214.698.3350 [email protected] |
| Gregg Costa +1 346.718.6649 [email protected] |
This alert was prepared by Texas associates Elizabeth Kiernan, Stephen Hammer, and Brian Sanders.
© 2024 Gibson, Dunn & Crutcher LLP. All rights reserved. For contact and other information, please visit us at www.gibsondunn.com.
Attorney Advertising: These materials were prepared for general informational purposes only based on information available at the time of publication and are not intended as, do not constitute, and should not be relied upon as, legal advice or a legal opinion on any specific facts or circumstances. Gibson Dunn (and its affiliates, attorneys, and employees) shall not have any liability in connection with any use of these materials. The sharing of these materials does not establish an attorney-client relationship with the recipient and should not be relied upon as an alternative for advice from qualified counsel. Please note that facts and circumstances may vary, and prior results do not guarantee a similar outcome.
From the Derivatives Practice Group: Read below for global derivatives updates, including ISDA’s response to US Basel III and G-SIB Surcharge.
New Developments
- CFTC Designates IMX Health, LLC as a Contract Market. On January 18, the CFTC announced it has issued an Order of Designation to IMX Health, LLC, granting it designation as a contract market (DCM). IMX Health is a limited liability company registered in Delaware and headquartered in Chicago, Illinois. The CFTC issued the order under Section 5a of the Commodity Exchange Act (CEA) and CFTC Regulation 38.3(a). The CFTC determined IMX Health demonstrated its ability to comply with the CEA provisions and CFTC regulations applicable to DCMs. With the addition of IMX Health, there will be 17 DCMs. [NEW]
- CFTC Issues Staff Letter No. 24-01. On January 16, the CFTC issued Staff Letter No. 24-01, granting an exemption to LCH SA from the requirements of Regulation 1.49(d) to permit LCH SA to hold customer funds at the Banque du France. Additionally, the CFTC confirmed that it would not recommend enforcement action against LCH SA for failing to obtain, or provide the Commission with, an executed version of the template acknowledgment letter set forth in Appendix B to Regulation 1.20 , as required by Regulations 1.20(g)(4) and 22.5, for customer accounts maintained at the Banque de France. [NEW]
- CFTC to Hold a Commission Open Meeting on January 22. CFTC Chairman Rostin Behnam announced on January 12, 2024 that the Commission will hold an open meeting on Monday, January 22 at 9:30 a.m. (EST) at the CFTC’s Washington, D.C. headquarters. The Commission will consider the following:
- Notice of Proposed Order and Request for Comment on an Application for a Capital Comparability Determination Submitted on behalf of Nonbank Swap Dealers subject to Capital and Financial Reporting Requirements of the United Kingdom and Regulated by the United Kingdom Prudential Regulation Authority,
- Proposed Rule: Requirements for Designated Contract Markets and Swap Execution Facilities Regarding Governance and the Mitigation of Conflicts of Interest Impacting Market Regulation Functions. [NEW]
- SEC Publishes Risk Alert: Observations Related to Security-Based Swap Dealers. On January 10, the SEC’s Division of Examination published a Risk Alert presenting examination and outreach observations concerning compliance with rules applicable to security-based swap dealers. The SEC stated that in sharing these observations, the Division seeks to remind security-based swap dealers of their obligations under relevant security-based swap rules and encourage security-based swap dealers to consider improvements in their compliance programs, as may be appropriate, to further compliance with Exchange Act requirements. The Risk Alert presents observations in the following areas: (1) reporting of security-based swap transactions and correction of reporting errors; (2) business conduct standards; (3) security-based swap trading relationship documentation and portfolio reconciliation; and (4) recordkeeping.
- CFTC Publishes Decentralized Finance Report. On January 8, the CFTC’s Digital Assets and Blockchain Technology Subcommittee of the Technology Advisory Committee (TAC) released a report entitled “Decentralized Finance.” The report discusses TAC’s view that the benefits and risks of DeFi depend significantly on the design and features of specific systems, and that one of its central concerns related to DeFi systems is the lack of, and some industry designs to avoid, clear lines of responsibility and accountability. TAC opined that this feature of DeFi systems may present the clearest ways in which DeFi poses risks to consumers and investors, as well as to financial stability, market integrity and illicit finance—according to TAC, it implicates no clear route to ensuring victim recourse, defense against illicit exploitation, or the ability to insert necessary changes and controls during periods of crisis and network stress. The report finds that government and industry should take timely action to work together, across regulatory and other strategic initiatives, to better understand DeFi.
- SEC Publishes Risk Alert: Observations Related to Security-Based Swap Dealers. On January 10, the SEC’s Division of Examination published a Risk Alert presenting examination and outreach observations concerning compliance with rules applicable to security-based swap dealers. The SEC stated that in sharing these observations, the Division seeks to remind security-based swap dealers of their obligations under relevant security-based swap rules and encourage security-based swap dealers to consider improvements in their compliance programs, as may be appropriate, to further compliance with Exchange Act requirements. The Risk Alert presents observations in the following areas: (1) reporting of security-based swap transactions and correction of reporting errors; (2) business conduct standards; (3) security-based swap trading relationship documentation and portfolio reconciliation; and (4) recordkeeping.
- CFTC Publishes Decentralized Finance Report. On January 8, the CFTC’s Digital Assets and Blockchain Technology Subcommittee of the Technology Advisory Committee (TAC) released a report entitled “Decentralized Finance.” The report discusses TAC’s view that the benefits and risks of DeFi depend significantly on the design and features of specific systems, and that one of its central concerns related to DeFi systems is the lack of, and some industry designs to avoid, clear lines of responsibility and accountability. TAC opined that this feature of DeFi systems may present the clearest ways in which DeFi poses risks to consumers and investors, as well as to financial stability, market integrity and illicit finance—according to TAC, it implicates no clear route to ensuring victim recourse, defense against illicit exploitation, or the ability to insert necessary changes and controls during periods of crisis and network stress. The report finds that government and industry should take timely action to work together, across regulatory and other strategic initiatives, to better understand DeFi.
New Developments Outside the U.S.
- RBI Issues Circular on Risk Management and Interbank Dealings. On January 5, the Reserve Bank of India (RBI) issued a circular on risk management and interbank dealings. The RBI stated that it has reviewed the foreign exchange risk management facilities based on the feedback received from market participants and experience gained since the revised framework came into force. It has also consolidated the directions in respect of all types of foreign exchange transactions (including cash, tom and spot). The RBI explained that the directions contained in the Currency Futures (Reserve Bank) Directions, 2008 (Notification No. FED.1/DG(SG)-2008 dated August 06, 2008), and Exchange Traded Currency Options (Reserve Bank) Directions, 2010 (Notification No. FED.01/ED(HRK)-2010 dated July 30, 2010), as amended from time to time, are now being incorporated into the Master Direction – Risk Management and Inter-Bank Dealings. These revised directions will come into effect on April 5, 2024, replacing the existing directions in Part A (Section I) of the Master Direction – Risk Management and Inter-Bank Dealings dated July 5, 2016, as amended from time to time, superseding the notifications listed in Annex-II.
- Hong Kong Consults on Regulatory Regime for Stablecoins. On December 27, the Financial Services and the Treasury Bureau and the Hong Kong Monetary Authority (HKMA) jointly issued a public consultation paper on the legislative proposal for implementing the regulatory regime for stablecoin issuers in Hong Kong. Under the proposed regime, an issuer would be required to obtain a license from the HKMA if it issues a stablecoin that references the value of one or more fiat currencies in Hong Kong. The licensed issuer will have to fulfil certain financial resources requirements, and will be required to put in place an effective stabilization mechanism, such as maintaining a pool of high-quality and highly-liquid reserve assets with proper custody arrangement. The proposed regime further imposes governance, risk management and AML/CFT measures on licensees. Interested parties are encouraged to submit written comments on or before February 29, 2024.
- ESAs Propose to Extend Equity Option Margin Exemption by Two Years. On December 21, the European Supervisory Authorities (ESAs) – the European Securities and Markets Authority (ESMA), the European Banking Authority and the European Insurance and Occupational Pensions Authority – published draft regulatory technical standards (RTS) proposing a two-year extension (until January 4, 2026) to the exemption for equity options from bilateral margining under the European Market Infrastructure Regulation (EMIR). These RTS have to be endorsed by the European Commission and are subject to non-objection by the Council of the EU and the European Parliament before they enter into force. The draft RTS are accompanied by a statement from the ESAs that competent authorities “should not priorityse any supervisory or enforcement action” relating to bilateral margining for equity options until the entry into force of these amended RTS or the adoption of a long-term solution under EMIR 3, whichever occurs first.”
New Industry-Led Developments
- ISDA Launches Digital Version of 2002 ISDA Equity Derivatives Definitions. On January 18, ISDA launched a fully digital edition of the 2002 ISDA Equity Derivatives Definitions on the ISDA MyLibrary platform, enabling new versions to be released more efficiently as products and market practices evolve in the future. Following consultation with buy- and sell-side market participants, ISDA identified support to move the definitions to a digital format, develop new product provisions and streamline certain components over time. Publication of the 2002 ISDA Equity Derivatives Definitions in digital form is a first step and enables further changes to be made in future versions. [NEW]
- ISDA Launches Sustainability-linked Derivatives Clause Library. On January 17, ISDA launched a clause library for sustainability-linked derivatives (SLDs), designed to provide standardized drafting options for market participants to use when negotiating SLD transactions with counterparties. SLDs embed a sustainability-linked cashflow in a derivatives structure and use key performance indicators (KPIs) to monitor compliance with environmental, social and governance (ESG) targets, incentivizing parties to meet their sustainability objectives. [NEW]
- ISDA and SIFMA Response to US Basel III NPR. On January 16, ISDA and the Securities Industry and Financial Markets Association (SIFMA) submitted a joint response on the US Basel III ‘endgame’ notice of proposed rulemaking (NPR). The response focuses on the Fundamental Review of the Trading Book (FRTB), the revised credit valuation adjustment (CVA) framework, the securities financing transactions requirements and elements of the standardized approach to counterparty credit risk rules. In the response, the associations propose a number of calibration changes to ensure the rules are appropriate and risk sensitive and avoid adverse consequences to US capital markets. [NEW]
- ISDA and SIFMA Response to G-SIB Surcharge Framework Consultation. On January 16, ISDA and the Securities Industry and Financial Markets Association (SIFMA) submitted a response to a consultation by the US Federal Reserve on proposed changes to the G-SIB surcharge. The response raises concerns that the revised G-SIB surcharge would lead to inappropriately high capital requirements for banks offering client clearing services, potentially discouraging them from participating in this business and contravening a long-standing policy objective to promote central clearing. Specifically, the response argues that client derivatives transactions cleared under the agency model should not be included in the complexity and interconnectedness categories of the G-SIB surcharge calculation. [NEW]
- ISDA Updates OTC Derivatives Compliance Calendar. On January 3, 2024, ISDA updated its global calendar of compliance deadlines and regulatory dates for the over-the-counter (OTC) derivatives space. The updated calendar can be found on the ISDA website.
- ISDA Submits Response to HMT, FCA and PRA on UK EMIR. On December 20, ISDA and UK Finance submitted a joint response to His Majesty’s Treasury (HMT), the Financial Conduct Authority (FCA) and the Prudential Regulation Authority (PRA) on the reform of the UK EMIR. ISDA stated that ISDA and UK Finance submitted the response in an attempt to inform the next stage of the UK’s smarter regulatory framework reform package. In the response, the associations recommend a small number of clearly defined changes, seek certainty and permanence on current temporary exemptions and request an end to the current dependency on equivalence decisions for certain provisions (for instance, the intragroup exemption).
The following Gibson Dunn attorneys assisted in preparing this update: Jeffrey Steiner, Adam Lapidus, Hayden McGovern, and Karin Thrasher.
Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments. Please contact the Gibson Dunn lawyer with whom you usually work, any member of the firm’s Derivatives practice group, or the following practice leaders and authors:
Jeffrey L. Steiner, Washington, D.C. (202.887.3632, [email protected])
Michael D. Bopp, Washington, D.C. (202.955.8256, [email protected])
Michelle M. Kirschner, London (+44 (0)20 7071.4212, [email protected])
Darius Mehraban, New York (212.351.2428, [email protected])
Jason J. Cabral, New York (212.351.6267, [email protected])
Adam Lapidus – New York (+1 212.351.3869, [email protected])
Stephanie L. Brooker, Washington, D.C. (202.887.3502, [email protected])
Roscoe Jones Jr., Washington, D.C. (202.887.3530, [email protected])
William R. Hallatt, Hong Kong (+852 2214 3836, [email protected])
David P. Burns, Washington, D.C. (202.887.3786, [email protected])
Marc Aaron Takagaki, New York (212.351.4028, [email protected])
Hayden K. McGovern, Dallas (214.698.3142, [email protected])
Karin Thrasher, Washington, D.C. (202.887.3712, [email protected])
© 2024 Gibson, Dunn & Crutcher LLP. All rights reserved. For contact and other information, please visit us at www.gibsondunn.com.
Attorney Advertising: These materials were prepared for general informational purposes only based on information available at the time of publication and are not intended as, do not constitute, and should not be relied upon as, legal advice or a legal opinion on any specific facts or circumstances. Gibson Dunn (and its affiliates, attorneys, and employees) shall not have any liability in connection with any use of these materials. The sharing of these materials does not establish an attorney-client relationship with the recipient and should not be relied upon as an alternative for advice from qualified counsel. Please note that facts and circumstances may vary, and prior results do not guarantee a similar outcome.
In recent years, regulatory action has been on the upswing in New York, with state and city administrative agencies and officials adopting increasingly aggressive roles in governing virtually every industry across the State. As a result, now more than ever it is essential for those working in regulated industries—whether on the legal or business side—to understand their legal options in challenging New York state and city agency rules, regulations, determinations, and other executive actions and policies. The primary vehicle for mounting such a challenge is the Article 78 action, a type of summary proceeding brought in New York State Supreme Court.
In this one-hour webcast, four of our most experienced attorneys in the field of challenging government action in New York—partners Mylan Denerstein, Gabriel Herrmann, and Akiva Shapiro, and of counsel Paul Kremer—provide practical and strategic guidance for the successful prosecution of Article 78 actions. Drawing on real-world examples from their practice, they will discuss the primary strategic issues that should be considered in deciding whether to bring an Article 78 challenge (versus, for example, a suit in federal court); provide a roadmap for litigating Article 78 proceedings and keys to success; and discuss the procedural hurdles government actors often raise in defending against these actions, and ways of overcoming those hurdles. The program is beneficial to anyone working in a regulated industry or otherwise affected by actions taken by New York city and state agencies and officials, as well as for practitioners.
PANELISTS:
Mylan L. Denerstein is a litigation partner in the New York office of Gibson, Dunn & Crutcher. Mylan is a co-chair of the Public Policy Practice Group and a member of the Crisis Management, White Collar Defense and Investigations, Financial Institutions, Labor and Employment, Securities Litigation, and Appellate Practice Groups. Mylan leads complex litigation and internal investigations, representing companies confronting a wide range of legal issues, in their most critical times. Mylan is known not only for her effective legal advocacy, but also for her problem solving skills. In addition, Mylan is global chair of the firm’s Diversity Committee and co-partner in charge of the New York office. Mylan was previously a member of the firm’s Executive Committee.
In 2022, Mylan was appointed to serve as the independent NYPD Monitor to oversee the court ordered reform process. Previously, Mylan has served in a wide variety of leadership roles in government, including as Counsel to the New York State Governor, as an Executive Deputy Attorney General in the New York Attorney General’s Office, and as Deputy Commissioner for Legal Affairs for the New York City Fire Department. In addition, Mylan served as a federal prosecutor in the U.S. Attorney’s Office for the Southern District of New York, prosecuting complex securities and fraud cases, and then as Deputy Chief of the Criminal Division.
Gabriel Herrmann is a partner in the New York office of Gibson, Dunn & Crutcher, and a member of Gibson Dunn’s Litigation Practice Group. His practice focuses on complex business and financial-services litigation, including disputes concerning commercial breach of contract claims, fraud and business torts, insolvency-related litigation, disputed interests in real property, shareholder derivative and securities litigation, antitrust and competition law, insurance, class actions, and M&A-related litigation. A substantial portion of his experience concerns matters involving cross-border jurisdictional issues, coordination of parallel overseas proceedings, and international choice-of-law and venue considerations. In addition to his commercial practice, Mr. Herrmann has significant experience representing clients in matters relating to the operations of New York State and City governmental entities, including both administrative and judicial review of agency determinations and constitutional challenges to government action and legislation. He practices actively in the federal district and bankruptcy courts, as well as the civil and Commercial Division courts of New York State, and has extensive appellate experience in both the New York State and federal court systems.
Akiva Shapiro is a litigation partner in Gibson, Dunn & Crutcher’s New York office, Chair of the Firm’s New York Administrative Law and Regulatory Practice Group, Co-Chair of its Religious Liberty Working Group, and a member of the Firm’s Appellate and Constitutional Law, Media, Entertainment and Technology, and Securities Litigation Practice Groups, among others. Mr. Shapiro’s practice focuses on a broad range of high-stakes constitutional, administrative, commercial, and appellate litigation matters. He is regularly engaged in front of New York’s trial courts, federal and state courts of appeal, and the U.S. Supreme Court.
Paul J. Kremer is Of Counsel in the New York office of Gibson, Dunn & Crutcher. He is a member of Gibson Dunn’s Litigation, Intellectual Property, and Crisis Management Practice Groups, where he focuses on contract, lease, and license disputes; patent infringement cases; and state and local regulatory challenges.
Paul represents a diverse array of clients engaged in high-stakes commercial litigation, from New York City park trustees and private real estate developers to Fortune 100 technology companies and prestige television networks. His intellectual property clients run the gamut, from garage startups to world-renowned pharmaceutical and consumer electronics makers. He also has extensive experience helping clients of all types navigate the New York State and New York City regulatory spheres.
MCLE CREDIT INFORMATION:
This program has been approved for credit in accordance with the requirements of the New York State Continuing Legal Education Board for a maximum of 1.0 credit hour, of which 1.0 credit hour may be applied toward the areas of professional practice requirement. This course is approved for transitional/non-transitional credit.
Attorneys seeking New York credit must obtain an Affirmation Form prior to watching the archived version of this webcast. Please contact [email protected] to request the MCLE form.
Gibson, Dunn & Crutcher LLP certifies that this activity has been approved for MCLE credit by the State Bar of California in the amount of 1.0 hour.
California attorneys may claim “self-study” credit for viewing the archived version of this webcast. No certificate of attendance is required for California “self-study” credit.
© 2024 Gibson, Dunn & Crutcher LLP. All rights reserved. For contact and other information, please visit us at www.gibsondunn.com.
Attorney Advertising: These materials were prepared for general informational purposes only based on information available at the time of publication and are not intended as, do not constitute, and should not be relied upon as, legal advice or a legal opinion on any specific facts or circumstances. Gibson Dunn (and its affiliates, attorneys, and employees) shall not have any liability in connection with any use of these materials. The sharing of these materials does not establish an attorney-client relationship with the recipient and should not be relied upon as an alternative for advice from qualified counsel. Please note that facts and circumstances may vary, and prior results do not guarantee a similar outcome.
Washington, D.C. partner F. Joseph Warin, San Francisco partner Winston Chan, Los Angeles associate Chris Jones and San Francisco associate Duncan Taylor are the authors of “Self-Reporting to the Authorities and Other Disclosure Obligations: The US Perspective” [PDF], Chapter 4 in The Practitioner’s Guide to Global Investigations 2024, Volume I: Global Investigations in the United Kingdom and the United States, Eighth Edition, published by Global Investigations Review in January 2024.