Decided February 28, 2023

Bittner v. United States, No. 21-1195

Today, in a 5–4 opinion, the Supreme Court held that the Bank Secrecy Act imposes a single penalty for each nonwillful failure to file an annual form disclosing foreign financial accounts, regardless of the number of accounts that were not disclosed.

Background: The Bank Secrecy Act requires U.S. residents and citizens to report all of their foreign financial accounts each year in a report known as an FBAR (for Report of Foreign Bank and Financial Reports). The Act also imposes statutory penalties on those who do not file an accurate, timely report. Nonwillful violations carry a maximum penalty of $10,000, and willful violations trigger a maximum penalty of $100,000 or 50% of the balance of the account at issue.

Alexandru Bittner did not timely file FBARs to report his more than 50 foreign bank accounts over a five-year period. The IRS imposed a $10,000 penalty for 272 separate nonwillful violations—in other words, a separate penalty for each account that was not timely reported each year—for a total statutory penalty of $2.72 million. Bittner fought the assessment on the theory that he committed only five violations of the Act—one for each year he did not file a timely FBAR. The Fifth Circuit, departing from a previous decision of the Ninth Circuit, disagreed, holding that the Bank Secrecy Act imposes a separate penalty for each improperly disclosed foreign account.

Issue: Whether a person who nonwillfully fails to report multiple foreign financial accounts faces a single annual penalty for not filing a complete FBAR or separate penalties for each account that was not properly reported.

Court’s Holding:

The Bank Secrecy Act authorizes only a single $10,000 penalty for the nonwillful failure to file an annual FBAR, even if multiple foreign financial accounts are not reported.

“Best read, the [Bank Secrecy Act] treats the failure to file a legally compliant report as one violation carrying a maximum penalty of $10,000, not a cascade of such penalties calculated on a per-account basis.”

Justice Gorsuch, writing for the Court

What It Means:

  • The Court’s holding that the Bank Secrecy Act’s penalty provision for nonwillful violations operates on a per-form basis, with one penalty each year there is no timely FBAR, significantly curtails monetary liability under the Act. An FBAR lists ten accounts on average, which means that, had the government prevailed, the average maximum penalty for nonwillful violations would have been $100,000 rather than $10,000.
  • According to the Court, its interpretation avoids anomalies that would have been created by reading the Act to impose a separate $10,000 penalty for each foreign account not reported in a timely FBAR. Under the interpretation the government urged, for instance, it would have been possible for penalties for nonwillful violations to exceed those for willful violations.
  • The Court distinguished the Act’s provisions authorizing penalties for willful violations from those authorizing penalties for nonwillful violations, emphasizing that the Act permits penalties on a per-account basis for certain willful violations. The Court explained that by expressly allowing per-account penalties for certain willful violations, Congress indicated that per-account penalties were not available for nonwillful violations.
  • The Court declined to decide several other issues concerning penalties under the Bank Secrecy Act, including what, if any, mens rea the government must prove to impose a non-willful penalty; whether a person who fails to file a timely report and who later files an inaccurate report would be subject to two penalties or one; and whether violations of the Act’s separate recordkeeping requirements accrue on a per-account basis.

The Court’s opinion is available here.

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding developments at the Supreme Court. Please feel free to contact the following practice leaders:

Appellate and Constitutional Law Practice

Allyson N. Ho
+1 214.698.3233
[email protected]
Thomas H. Dupree Jr.
+1 202.955.8547
[email protected]
Julian W. Poon
+1 213.229.7758
[email protected]
Bradley J. Hamburger
+1 213.229.7658
[email protected]
Lucas C. Townsend
+1 202.887.3731
[email protected]
Brad G. Hubbard
+1 214.698.3326
[email protected]

Related Practice: Tax

Michael J. Desmond
+1 213.229.7531
[email protected]
Saul Mezei
+1 202.955.8693
[email protected]
Eric B. Sloan
+1 212.351.2340
[email protected]

Munich partner Lutz Englisch, of counsel Birgit Friedl and associates Marcus Geiss and Sonja Ruttmann are the authors of “Deutsches Gesellschaftsrecht 2023: Ein turbulentes Jahr” [PDF], published in the 1-2/2023 issue of M&A Review. The article summarizes selected important developments in German transactional law with specific focus on M&A activities and provides an outlook for the year 2023.

In this webcast, Gibson Dunn professionals and the current and former Executive Directors of the Federal Permitting Improvement Steering Council discuss how the FAST-41 program can help major infrastructure projects cut through red tape and get shovels in the ground faster. For certain “covered projects,” FAST-41 requires all of the major agencies involved in the permitting process to coordinate their reviews, stick to a timeline, and be accountable for delays. It also reduces the NEPA statute of limitations to two years, down from six, for covered projects. We discuss the recent successes of FAST-41 and how more projects can take advantage of the program’s benefits. We also review recent legislative efforts to improve the federal permitting process and discuss opportunities for permitting process improvements in the 118th Congress.

PANELISTS:

Roscoe Jones is a partner in Gibson, Dunn & Crutcher’s Washington, DC office, co-chair of the Firm’s Public Policy Practice Group, and a member of the Congressional Investigations Practice Group. Mr. Jones’s practice focuses on promoting and protecting clients’ interests before the U.S. Congress and the Administration, including providing a range of public policy services to clients such as strategic counseling, advocacy, coalition building, political intelligence gathering, substantive policy expertise, legislative drafting, and message development. Roscoe spent a decade on Capitol Hill as a chief of staff, legislative director and senior counsel advising three US Senators and a member of Congress, including Senators Feinstein, Booker and Leahy and Rep. Spanberger.

David Fotouhi is a partner in the Washington, D.C. office of Gibson, Dunn & Crutcher. He practices in the firm’s Litigation Department and is a member of the firm’s Environmental Litigation and Mass Tort practice group. Mr. Fotouhi joined the firm after nearly four years at the U.S. Environmental Protection Agency (EPA), where he served as Acting General Counsel, Principal Deputy General Counsel, and Deputy General Counsel. Mr. Fotouhi combines his expertise in administrative and environmental law with his litigation experience and a deep understanding of EPA’s inner workings to represent the firm’s clients in enforcement actions, regulatory challenges, and other environmental litigation.

Amanda H. Neely is of counsel in the Washington, D.C. office of Gibson, Dunn & Crutcher and a member of its Public Policy, Congressional Investigations, and Litigation Practice Groups. Ms. Neely served as Director of Governmental Affairs for the Senate Homeland Security and Governmental Affairs Committee, and General Counsel to Senator Rob Portman (R-OH), as well as Oversight Counsel on the House Ways & Means Committee. She was the lead staff drafter and negotiator of the Federal Permitting Reform and Jobs Act, which became law in the Infrastructure Investment and Jobs Act in 2021.

Christine Harada is a Biden-Harris Administration Presidential appointee who serves as the Executive Director of the Federal Permitting Improvement Steering Council. As Executive Director, Harada assists Permitting Council member agencies in managing a portfolio of nearly $100 billion in large-scale infrastructure projects—most of which are renewable energy, coastal restoration, and electricity transmission projects. She assists Federal agencies in developing and implementing comprehensive, project-specific timetables for all required infrastructure permitting reviews and authorizations for FAST-41 covered infrastructure projects, advancing the administration’s infrastructure agenda and the nationwide transition to a clean energy economy.

Alex Herrgott is a nationally recognized infrastructure policy and project delivery expert. In January 2021, he created The Permitting Institute, which serves as a central resource and leading advocate for accelerating investment in rebuilding, expanding, and modernizing America’s aging infrastructure while preserving our environmental, cultural, and historic resources. He served as Executive Director of the Federal Permitting Improvement Steering Council from 2018 to 2021, and previously served as the Director of Infrastructure on the Council on Environmental Quality; Deputy Staff Director of the U.S. Senate Environment and Public Works Committee; and Legislative Director for U.S. Senator Jim Inhofe (R-OK).

On February 15, 2023, the Securities and Exchange Commission (the “SEC”) adopted final rule changes intended to reduce risk in clearance and settlement for most broker-dealer securities transactions and proposed new rules designed to enhance safeguards for customer assets managed by investment advisers.

The new final rules amend Rule 15c6-1 under the Securities Exchange Act of 1934 (the “Exchange Act”) to shorten the standard settlement cycle for broker-dealer transactions from two business days after the trade (“T+2”) to one business day (“T+1”).  The new rules also shorten the separate settlement cycle for firm commitment offerings, including initial public offerings, from T+4 to T+2, although most market participants already employ a T+2 settlement cycle for these offerings.

The rule amendments also adopt Rule 15c6-2, requiring a broker or dealer to establish, maintain and enforce written policies or enter into written agreements that ensure prompt completion of applicable allocation, confirmation or affirmation processes. To comply with the new rule, such agreements or policies must ensure that allocation, confirmation or affirmation processes be completed as soon as technologically practicable but in no case later than end of day on the trade date. Additionally, the new rules amend Rule 204-2 under the Investment Advisers Act of 1940 (the “Investment Advisers Act”) to require investment advisers to keep records for transactions subject to Rule 15c6-2 above. Finally, the new final rules adopt Rule 17Ad-27 under the Exchange Act and amend Regulation S-T to require clearing agencies that provide a central matching service to facilitate straight-through processing and submit to the SEC via EDGAR an annual report regarding straight-through processing implementation. The compliance date for these rule changes is set for May 28, 2024.

These changes come in part as a response to the unprecedented volatility associated with the so-called “meme stock craze” of 2021. Commissioner Jaime Lizárraga supported the adoption of new rules, opining that it “helps mitigate some of the risks that drove stock price volatility and significant margin calls” during that event. SEC Chair Gary Gensler also supported the rule amendments, stating: “Cosmo might say this adoption will take our plumbing from bronze to copper. I say that, taken together, these amendments will make our market plumbing more resilient, timely, orderly, and efficient.” Regarding the compliance date, he offered: “This implementation comes more than three years after key industry members first proposed shortening the settlement cycle, and a year and a quarter from now, providing sufficient time in my view for the transition.” Other commissioners pushed back on the May 2024 implementation timeline. Commissioner Mark T. Uyeda did not support the final rules, saying that in his view the SEC is “in an imprudent rush away from a sensible transition date[.]” Along with Commissioner Uyeda, Commissioner Hester M. Peirce also advocated for a compliance date in September 2024. The changes also came with discussion that the SEC may eventually look to further reduce the settlement window. Via a statement, Commissioner Caroline A. Crenshaw said that moving to instantaneous trade processing (“T+0”) “may be both desirable and feasible in the future.”

The SEC’s proposed changes to Rule 206(4)-2 under the Investment Advisers Act would rely on authority granted by section 411 of the Dodd-Frank Act to broaden the scope of, and protections for, assets protected by the rule. While the current rule protects client “funds and securities” under the care of an investment adviser, the proposed rule would encompass any client asset in the possession of the investment adviser and any client asset that the investment adviser has authority to obtain. This move would bring numerous kinds of physical assets and all crypto-assets into the scope of the rule’s protection. Under the current rule, protected assets are covered when they are in the “custody” of an investment adviser, and the proposed changes would expand the definition of such custody to include situations where the adviser has discretion to trade those assets. While the current rule requires investment advisers to maintain client assets with a qualified custodian unless those assets are privately offered securities, the new rule would narrow that exception to situations where a qualified custodian is unavailable. Additionally, a qualified custodian would not include platforms used to trade assets like crypto, a move seemingly made to address the recent failures and struggles of major crypto-asset trading platforms. The proposed rule also requires that investment advisers title or register assets in the client’s name and avoid asset commingling, and prohibits investment advisers or related persons from taking certain interests in client assets under the adviser’s custody without written consent. Finally, the proposed changes would further amend Rule 204-2 to enhance recordkeeping requirements related to covered client assets under the custody of an investment adviser. The proposed rule changes will be subject to a 60-day comment period after publication in the Federal Register.

Chair Gensler said in support of the rule that “investors working with advisers would receive the time-tested protections that they deserve for all of their assets, including crypto assets, consistent with what Congress envisioned.” Commissioner Peirce, who was the only commissioner to vote against the proposal, raised a number of objections, concluding that “[w]hile our intent is good, the result may impose costs on investors that outweigh the benefits.” Commissioner Uyeda added that the proposal “appears to mask a policy decision to block access to crypto as an asset class,” which “deviates from the Commission’s long-standing position of neutrality on the merits of investments,” even though he voted in favor of the proposal as a means to gauge the public’s reaction.

The following Gibson Dunn attorneys assisted in preparing this client update: Hillary Holmes, Harrison Tucker, Peter Wardle, and Kyle Clendenon.

Gibson Dunn lawyers are available to assist in addressing any questions you may have about these developments. To learn more about these issues, please contact the Gibson Dunn lawyer with whom you usually work, any of the following leaders of the firm’s Capital Markets or Securities Regulation and Corporate Governance practice groups, or the following authors:

Hillary H. Holmes – Houston (+1 346-718-6602, [email protected])
Harrison Tucker – Houston (+1 346-718-6643, [email protected])
Peter W. Wardle – Los Angeles (+1 213-229-7242, [email protected])

Capital Markets Group:
Andrew L. Fabens – New York (+1 212-351-4034, [email protected])
Hillary H. Holmes – Houston (+1 346-718-6602, [email protected])
Stewart L. McDowell – San Francisco (+1 415-393-8322, [email protected])
Peter W. Wardle – Los Angeles (+1 213-229-7242, [email protected])

Securities Regulation and Corporate Governance Group:
Elizabeth Ising – Washington, D.C. (+1 202-955-8287, [email protected])
James J. Moloney – Orange County (+1 949-451-4343, [email protected])
Lori Zyskowski – New York (+1 212-351-2309, [email protected])

© 2023 Gibson, Dunn & Crutcher LLP

Attorney Advertising:  The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice. Please note, prior results do not guarantee a similar outcome.

Decided February 22, 2023

Helix Energy Solutions Group, Inc. v. Hewitt, No. 21-984

Today, the Supreme Court held that an offshore oil rig supervisor who was paid nearly $1,000 for each day he worked was not exempt from the Fair Labor Standards Act because he was not paid a predetermined amount per week and thus was not compensated on a “salary basis” in accordance with applicable regulations.

Background: The Fair Labor Standards Act (“FLSA”) generally requires employers to pay time and a half to employees who work more than 40 hours in a week, but exempts certain bona fide executive, administrative, and professional employees from its overtime pay requirement. Implementing regulations specify that the exemption requires, among other things, that exempt employees be paid on a “salary basis,” meaning that they are paid on a weekly or less frequent basis and receive a predetermined amount for each pay period in which they perform any work. Michael Hewitt was employed as a supervisor on an offshore oil rig and worked 84-hour weeks for 28 days at a time, for which he was paid on a daily basis. He later sued his employer for overtime pay under the FLSA. The Fifth Circuit, sitting en banc, held that Hewitt was not paid on a “salary basis” and thus was entitled to overtime pay because he was not exempt under 29 C.F.R. § 541.602(a).

Issue: Whether highly compensated executive employees who are paid at daily rates are paid on a “salary basis.”

Court’s Holding:

A highly compensated executive employee who is paid at a daily rate is not paid on a “salary basis” and thus is not exempt from the FLSA under 29 C.F.R. § 541.602(a).

“The question here is whether a high-earning employee is compensated on a ‘salary basis’ when his paycheck is based solely on a daily rate. … We hold that such an employee is not paid on a salary basis, and thus is entitled to overtime pay.”

Justice Kagan, writing for the Court

What It Means:

  • The Court held that under the regulations, an employee is paid on a “salary basis” if the employee receives a fixed amount per week no matter how many days he has worked. The Court rejected the employer’s argument that Hewitt was paid on a salary basis because he was paid at least $963 (the daily rate) in any week in which he worked, because this was not a flat, predetermined amount fixed independently of the number of days Hewitt worked.
  • The Court stated that employees paid on a daily or hourly basis can still be exempt from the FLSA’s overtime pay requirement if their employers also guarantee a weekly amount of pay that is more than $455 “regardless of the number of hours, days or shifts worked,” and “a reasonable relationship exists between the guaranteed amount and the amount actually earned.”  29 C.F.R. § 541.604(b).
  • The impact of the Court’s ruling may be limited because most employees who perform executive duties and who qualify as “highly compensated employees” under the Department of Labor’s regulation are paid a fixed salary, not one based on a daily rate.  The Court’s decision addressed only executive employees, but the regulation also covers administrative and professional employees.
  • The Court declined to reach an argument, first raised on appeal and endorsed by Justice Kavanaugh in dissent, that the Department of Labor’s regulations were inconsistent with the FLSA’s statutory exemption for workers “employed in a bona fide executive . . . capacity.”  29 U.S.C. § 213(a)(1).  In dissent, Justice Kavanaugh explained that the FLSA’s exemption “focuses on whether the employee performs executive duties,” so “it is questionable whether the Department’s regulations—which look not only at an employee’s duties but also at how much an employee is paid and how an employee is paid—will survive if and when the regulations are challenged as inconsistent with the Act.”  This issue could be the subject of future litigation.

The Court’s opinion is available here.

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding developments at the Supreme Court. Please feel free to contact the following practice leaders:

Appellate and Constitutional Law Practice

Thomas H. Dupree Jr.
+1 202.955.8547
[email protected]
Allyson N. Ho
+1 214.698.3233
[email protected]
Julian W. Poon
+1 213.229.7758
[email protected]
Bradley J. Hamburger
+1 213.229.7658
[email protected]
Lucas C. Townsend
+1 202.887.3731
[email protected]
Brad G. Hubbard
+1 214.698.3326
[email protected]

Related Practice: Labor and Employment

Jason C. Schwartz
+1 202.955.8242
[email protected]
Katherine V.A. Smith
+1 213.229.7107
[email protected]

Related Practice: Administrative Law and Regulatory Practice

Eugene Scalia
+1 202.955.8673
[email protected]
Helgi C. Walker
+1 202.887.3599
[email protected]

In a significant ruling for California employers, the Ninth Circuit on February 15, 2023 in Chamber of Commerce v. Bonta held that California’s Assembly Bill 51—a statute that attempted to criminalize the use of arbitration agreements by employers—is preempted by the Federal Arbitration Act.  The Ninth Circuit’s decision affirms a preliminary injunction prohibiting California from enforcing AB 51.  As a result, California employers remain able to require employees to sign arbitration agreements in connection with their employment without the risk of potential criminal liability.

The Ninth Circuit’s opinion reaches the opposite result of a prior opinion issued in September 2021 by the same panel of judges.  In the new opinion, Ninth Circuit Judge William A. Fletcher changed his vote and joined Judge Sandra S. Ikuta’s opinion affirming the district court’s order.

California’s Assembly Bill 51, enacted with an effective date of January 1, 2020, makes it a criminal misdemeanor for an employer to require an existing employee or a job applicant to sign an arbitration agreement as a condition of employment.  Specifically, under AB 51 employers are prohibited from requiring employees to waive “any right, forum, or procedure for violation of any provision of the California Fair Employment and Housing Act” or the California Labor Code.  AB 51 criminalizes only the formation of the contract, meaning an employer could be subject to criminal prosecution for requiring an employee to enter into an arbitration agreement, even if the resulting agreement could be enforced.

On December 9, 2019, the United States Chamber of Commerce filed a complaint against the State of California challenging AB 51 as preempted by the Federal Arbitration Act.  A judge in the Eastern District of California granted the Chamber’s motion for a preliminary injunction, finding that the Chamber was likely to succeed on the merits of its claim that the FAA preempted AB 51.  California appealed, challenging only the district court’s holding that AB 51 was likely to be preempted by the FAA.

A divided panel of the Ninth Circuit initially reversed the district court in a September 2021 opinion, but after a rehearing petition was filed, the Ninth Circuit withdrew its opinion and it has now issued a new opinion, affirming the district court’s preliminary injunction order and holding that AB 51 is preempted by the FAA.

The Ninth Circuit began its opinion by explaining that the United States Supreme Court “has made clear that the FAA’s preemptive scope is not limited” to a state rule that affects the enforceability of arbitration agreements, but also extends to a state rule that “discriminate[s] against the formation of arbitration agreements.”  Applying this to AB 51, the Ninth Circuit held that the law’s imposition of civil and criminal penalties for forming an arbitration agreement in violation of the law “stands as an unacceptable obstacle to the accomplishment and execution of the full purpose and objectives of Congress in enacting the FAA.”

The Ninth Circuit explained that this was true despite the fact that AB 51 does not explicitly bar arbitration agreements.  Even though some arbitration agreements (specifically those subject to the FAA) are permissible under AB 51, the Ninth Circuit concluded that the law has the effect of imposing severe burdens on arbitration agreements which do not apply to contracts generally.  Accordingly, the Ninth Circuit held that AB 51’s “deterrence of an employer’s willingness to enter into an arbitration agreement is antithetical to the FAA’s ‘liberal federal policy favoring arbitration agreements.’”

Finally, the Ninth Circuit concluded that AB 51’s severability provision could not save the law from preemption.  The Court reasoned that the provisions of the law that impose criminal and civil penalties were not severable because the Court could not presume that the State would want to keep a statute with no enforcement mechanism.

The Ninth Circuit’s decision is a victory for California employers, who can continue to use arbitration agreements with employees in California.  Absent further review by the en banc Ninth Circuit or the Supreme Court, the Ninth Circuit’s conclusion that the FAA preempts AB 51 likely will lead to the law being permanently enjoined on remand.  The Court’s opinion puts the Ninth Circuit in line with the Fourth and First Circuits in holding that the FAA preempts a state rule that discriminates against arbitration by discouraging or prohibiting the formation of an arbitration agreement.

The following Gibson Dunn attorneys assisted in preparing this client update: Jason C. Schwartz, Katherine V.A. Smith, Bradley J. Hamburger, Megan Cooney, Jessica Brostek-Maciel, and Jordan Johnson.

Gibson Dunn lawyers are available to assist in addressing any questions you may have about these matters.  Please contact the Gibson Dunn lawyer with whom you usually work, any member of the firm’s Labor and Employment practice group, or the following authors:

Jason C. Schwartz – Co-Chair, Labor & Employment Group, Washington, D.C.
(+1 202-955-8242, [email protected])

Katherine V.A. Smith – Co-Chair, Labor & Employment Group, Los Angeles
(+1 213-229-7107, [email protected])

Bradley J. Hamburger – Los Angeles (+1 213-229-7658, [email protected])

Megan Cooney – Orange County (+1 949-451-4087, [email protected])

Join our panelists from Gibson Dunn’s Environmental Litigation and Mass Tort practice group and Environment, Social, and Governance (ESG) practice area as they discuss significant developments in federal and California environmental law and forecast what to expect for 2023. This webcast covers a range of topics of significant interest to regulated industries, including ongoing and anticipated rulemakings, federal enforcement targets and initiatives, recent developments with Supplemental Environment Projects, the evolving ESG landscape, the latest environmental mass tort developments, and more.

PANELISTS:

David Fotouhi is a partner in the Washington, D.C. office of Gibson, Dunn & Crutcher. He practices in the firm’s Litigation Department and is a member of the firm’s Environmental Litigation and Mass Tort practice group. Mr. Fotouhi joined the firm after nearly four years at the U.S. Environmental Protection Agency (EPA), where he served as Acting General Counsel, Principal Deputy General Counsel, and Deputy General Counsel. National Law Journal recognized Mr. Fotouhi as a “Trailblazer” in environmental and energy law, and Law360 named Mr. Fotouhi a “Rising Star” in environmental law for his work “on game-changing regulations and litigation.”

Abbey Hudson is a partner in Gibson Dunn’s Los Angeles office. Her practice focuses on environmental matters and complex trial litigation. She devotes a significant portion of her time to helping clients navigate environmental and emerging regulations and related governmental investigations. Ms. Hudson has handled all aspects of environmental and mass tort litigation and regulatory compliance. She has provided counseling and advice on environmental and regulatory compliance to clients on a wide range of issues, including supply chain transparency requirements, comments on pending regulatory developments, and enforcement counseling.

Rachel Levick is a partner in the Washington, D.C. office of Gibson, Dunn & Crutcher. She practices in the firm’s Litigation Department and is a member of the Environmental Litigation and Mass Tort Practice Group. Ms. Levick has represented clients in a wide range of federal and state litigation, agency enforcement actions, cost recovery cases, and administrative rulemaking challenges. She was named by Best Lawyers as “One to Watch” in Environmental Litigation for 2022 and 2023.

Michael Murphy is a partner in Gibson, Dunn & Crutcher’s Washington, D.C. office. He is a leader of the firm’s Environmental, Social and Governance (ESG) practice area, and is a member of the firm’s Environmental Litigation and Mass Tort and Administrative Law and Regulatory Practice Groups. Mr. Murphy counsels clients on environmental and ESG issues related to corporate transactions and compliance. He also represents clients in a wide variety of investigation and litigation matters. Mr. Murphy was previously recognized by Law360 as one of its ‘Rising Star’ environmental attorneys under 40 to watch. Law360 named Gibson Dunn one of its five Environmental Groups of the Year for its high-profile victories in 2018.

Deena Klaber is of counsel in the San Francisco office of Gibson, Dunn & Crutcher. She practices in the firm’s Litigation Department, where she focuses on environmental and mass tort litigation, complex civil/business litigation, and administrative and regulatory law. She represents clients across numerous industries and has significant experience in the energy and health care sectors. Ms. Klaber is a member of the firm’s Ethics Committee, and she served on the firm’s Hiring Committee from 2015 to 2022. Ms. Klaber has litigated a broad range of matters in state and federal courts throughout California and across the country.

Joseph Edmonds is an associate in the Orange County office of Gibson, Dunn & Crutcher where he is a member of the firm’s Litigation Practice Group. Mr. Edmonds’ practice focuses on complex litigation at both the trial and appellate levels, with a special emphasis on mass torts, environmental litigation, product liability, and transnational litigation.

MCLE CREDIT INFORMATION:

This program has been approved for credit in accordance with the requirements of the New York State Continuing Legal Education Board for a maximum of 1.0 credit hour, of which 1.0 credit hour may be applied toward the areas of professional practice requirement. This course is approved for transitional/non-transitional credit.

Gibson, Dunn & Crutcher LLP certifies that this activity has been approved for MCLE credit by the State Bar of California in the amount of 1.0 hour.

Gibson, Dunn & Crutcher LLP is authorized by the Solicitors Regulation Authority to provide in-house CPD training. This program is approved for CPD credit in the amount of 1.0 hour. Regulated by the Solicitors Regulation Authority (Number 324652).

Neither the Connecticut Judicial Branch nor the Commission on Minimum Continuing Legal Education approve or accredit CLE providers or activities. It is the opinion of this provider that this activity qualifies for up to 1 hour toward your annual CLE requirement in Connecticut, including 0 hour(s) of ethics/professionalism.

Application for approval is pending with the Colorado, Virginia, Texas and Washington State Bars.

Los Angeles partner Kahn Scolnick and associates Daniel Adler, Matt Aidan Getz, Patrick Fuster and Emily Sauer are the authors of “Ties to U.S. must be considered in criminal-related deportations,” [PDF] published by the Daily Journal on February 8, 2023.

For the fifth consecutive year, and following the publication of Gibson Dunn’s tenth annual U.S. Cybersecurity and Data Privacy Outlook and Review on Data Privacy Day in 2023, we offer this separate International Outlook and Review.

The European Union (“EU”) supervisory authorities continued to apply and enforce the General Data Protection Regulation (“GDPR”) vigorously, imposing record-setting fines of up to €405 million[1] and totalling approximately €2.92 billion. We can expect that trend to continue in 2023.

There was also a significant number of developments in the evolution of the regulatory landscape for digital services, data sharing and cybersecurity in the EU:

  • The European Parliament adopted a set of comprehensive standards to regulate the digital space through the Regulation (EU) 2022/2065 of 19 October 2022 on a Single Market For Digital Services (“Digital Services Act” or “DSA”)[2] and Regulation (EU) 2022/1925 of 14 September 2022 on contestable and fair markets in the digital sector (“Digital Markets Act” or “DMA”).[3]
  • Furthermore, the Regulation (EU) 2022/868 of 30 May 2022 on European data governance (“Data Governance Act”)[4] and the Proposal for a Regulation of 23 February 2022 on harmonised rules on fair access to and use of data (“Data Act”)[5] are part of the European strategy for data, which aims to develop a single market for data by supporting responsible access, sharing and re-use, while respecting the values of the EU and in particular the protection of personal data.[6]
  • In terms of cybersecurity, the adoption of the Directive (EU) 2022/2555 of 14 December 2022 on measures for a high common level of cybersecurity across the Union (“NIS 2 Directive”)[7] is intended to achieve a high common level of cybersecurity across Member States. It is complemented by the Proposal for a Regulation of 15 September 2022 on horizontal cybersecurity requirements for products with digital elements (“Cyber Resilience Act”),[8] which strengthens cybersecurity rules to protect consumers and businesses from products with inadequate security features. The European Union Agency for Cybersecurity (“ENISA”) published its Threat Landscape 2022, which describes the top threats (e.g., ransomware, malware, social engineering, supply-chain attacks), relevant trends, threat actors and attack techniques, as well as an analysis of impact and motivation.[9]
  • In the aftermath of the Schrems II ruling, supervisory authorities challenged several companies for using tools leading to illegal data transfers, such as Google Analytics, and released guidance on international transfers.

International authorities have also been active in publishing guidance, including on the processing of cookies and the calculation of administrative fines. In addition, data protection laws continue to be adopted, such as in Indonesia, Tanzania and Oman. International authorities have also issued significant fines, such as the fine of RMB 8,000,000,000 (approx. US$1.2 billion) imposed by the Cyberspace Administration of China on a leading Chinese mobile transportation platform for violations of the PIPL, Cyber Security Law and Data Security Law.[10]

We cover these topics and many more in this year’s International Cybersecurity and Data Privacy Outlook and Review.

I.  European Union

A.  International Data Transfers

1.  EU-U.S. Data Transfers

As we indicated in the 2021 International Outlook and Review, the EU-U.S. Privacy Shield was struck down on 16 July 2020 by the Schrems II ruling of the Court of Justice of the EU (“CJEU”).[11] In order to replace the Privacy Shield and to safeguard cross-border data flows, the European Commission launched the process to adopt an adequacy decision for the EU-U.S. Data Privacy Framework. It will notably provide binding safeguards limiting U.S. intelligence authorities’ access to data to what is necessary and proportionate to protect national security. A Data Protection Review Court will also be created to investigate and resolve complaints from Europeans about access to their data by U.S. intelligence authorities.[12]

The draft adequacy decision, which reflects the European Commission’s assessment of the EU-U.S. Data Privacy Framework and concludes that it provides safeguards comparable to those of the EU, has now been published and transmitted to the European Data Protection Board (“EDPB”) for its opinion. The Commission will then seek approval from a committee composed of representatives of the EU Member States before proceeding to the adoption of the final adequacy decision.[13]

In parallel, it should be noted that the transition period to replace the old standard contractual clauses with the new sets of standard contractual clauses, adopted by the European Commission on 4 June 2021 to take into account the Schrems II ruling, expired on December 27, 2022.[14] In addition, the European Commission published a Q&A[15] to provide practical guidance on the use of the new standard contractual clauses to assist stakeholders with their compliance efforts. The content of the document will be updated as new questions arise.[16]

In addition, the UK International Data Transfer Agreement (“IDTA”) and Addendum came into force on 21 March 2022 and replaced standard contractual clauses for international transfers to take into account the Schrems II ruling.[17]

In this respect, the European Data Protection Board (“EDPB”) updated its guidance on international transfers of personal data, namely:

  1. Guidelines 04/2021 on codes of conduct as tools for transfers,[18] which aim to clarify the role of the different actors involved in setting up a Code that can be used as a tool for transfers;
  2. Recommendations 1/2022 on the application for approval and on the elements and principles to be found in Controller Binding Corporate Rules,[19] which aim to update the former Article 29 documents (WP 256 rev.01), in particular to include Schrems II requirements such as transfer impact assessments and government access requests. The Recommendations are open for public consultation until 10 January 2023.

In light of these developments, several Member State supervisory authorities issued sanctions, statements, and guidance in relation to matters concerning international data transfers:[20]

  1. Several Supervisory Authorities[21] found that Google Analytics’ transfers of personal data to the U.S. did not comply with the GDPR. In this regard, the French Supervisory Authority published guidance[22] on how to use Google Analytics in a compliant manner, as well as a Q&A[23] on the same topic. The guidance clarifies that merely modifying Google Analytics’ settings, or encrypting the generated identifiers, is not enough to satisfy the requirements of the Schrems II ruling, in particular since it prevents neither transfers to the U.S. nor re-identification of data subjects. The Authority assesses that one solution could be the use of a proxy, in order to avoid any direct contact between individuals’ terminals and Google’s servers, provided that certain requirements are met;
  2. The Spanish Supervisory Authority[24] fined a U.S.-based company €10 million for transferring data to third parties without legal basis and for failure to comply with data subjects’ rights;
  3. The Danish Supervisory Authority[25] upheld the ban on a municipality’s use of a cloud-based workspace until the municipality brings its processing activities in line with the GDPR and carries out a data protection impact assessment that meets GDPR requirements;
  4. The Regional Court of Munich[26] ruled that, as Google Fonts could be used without submitting IP addresses to Google by self-hosting the font-embedding service, the transfer of IP addresses cannot be based on legitimate interest and users’ consent was required. In this regard, the Thuringia Data Protection Authority[27] recommended hosting these fonts locally to avoid any link to U.S. servers.

B.  Network Information Security (“NIS 2”) Directive

The NIS 2 Directive (EU) 2022/2555 of 14 December 2022[28] will set the baseline for cybersecurity risk management measures and reporting obligations across all sectors that are covered by the directive, such as energy, transport, health and digital infrastructure (e.g., cloud computing service providers, data center service providers, providers of public electronic communications networks or services) and digital providers (e.g., providers of online marketplaces, providers of social networking services platforms).

In particular, if an incident has a significant impact on the provision of services covered by the NIS 2 Directive, an authority must be notified without undue delay.

As a reminder, the NIS 2 Directive replaced the Network and Information Security (“NIS”) Directive in order to respond to the growth of digitalisation and cyber-attacks. The Member States will have to adopt and publish the measures necessary to comply with the NIS 2 Directive by 17 October 2024.[29]

C.  Data Governance Act

The Data Governance Act Regulation (EU) 2022/868 of 30 May 2022 is due to apply from 24 September 2023.[30] The Data Governance Act aims to make more data available by regulating the re-use of publicly held, protected data, by boosting data sharing through the regulation of novel data intermediaries and by encouraging the sharing of data for altruistic purposes. It also creates a European Data Innovation Board tasked with advising the Commission on data governance.[31]

D.  Digital Services Act (“DSA”)

The DSA Regulation (EU) 2022/2065 of 19 October 2022 sets obligations for digital service providers, such as social media or marketplaces, to tackle the spread of illegal content, online disinformation and other societal risks. These requirements are intended to be proportionate to the size of the platforms and the risks they pose to society, and violations can be sanctioned by a fine of up to 6% of the provider’s worldwide turnover.[32]

Most provisions of the DSA will apply from 17 February 2024; however, some apply from 16 November 2022, and online platforms have until 17 February 2023 to publish the average number of monthly active recipients of their service. The European Commission will then assess whether a platform should be designated a very large online platform or search engine, which will increase its obligations. Following the European Commission’s designation, the entity in question will have four months to comply with the obligations under the DSA.[33]

E.  Digital Markets Act (“DMA”)

The DMA Regulation (EU) 2022/1925 of 14 September 2022 sets obligations for large online platforms acting as “gatekeepers” (platforms whose dominant online position makes them hard for consumers to avoid). DMA requirements include allowing third parties to interoperate with a gatekeeper’s own services, a prohibition on ranking the gatekeeper’s own services or products more favourably, and an obligation to obtain consent before processing users’ personal data for targeted advertising. Fines will be up to 10% of the gatekeeper’s total worldwide turnover, or up to 20% in case of repeated non-compliance.[34]

Most of the provisions of the DMA shall apply from 2 May 2023. After that, within two months and at the latest by 3 July 2023, potential gatekeepers will have to notify their core platform services to the Commission if they meet the thresholds established by the DMA.[35]

F.  The Digital Operational Resilience Act (“DORA”)

The DORA Regulation (EU) 2022/2554 of 14 December 2022 focuses on preventing and mitigating cyber threats. It will apply to financial entities (including credit and payment institutions, electronic money institutions and crypto-asset service providers) as well as information and communication technology (ICT) third-party service providers. In particular, financial entities’ management bodies will be responsible for defining, approving and overseeing the management of ICT risks. Financial entities will also be required to report major ICT-related incidents to the competent authorities. In addition, DORA contains requirements in relation to the contractual arrangements concluded between ICT third-party service providers and financial entities. DORA was published in the EU’s Official Journal on 27 December 2022; it enters into force on the 20th day following its publication and will apply from 17 January 2025.[36]

G.  Data Act

The Data Act Proposal of 23 February 2022 of the European Commission[37] aims at enabling the sharing of industrial data. The Proposal especially includes provisions to (i) allow users of connected devices to access data generated by them, (ii) prevent abuse of contractual imbalances in data sharing contracts, (iii) enable public sector bodies to access and use data held by the private sector that is necessary for exceptional circumstances, and (iv) facilitate user data portability between providers.[38]

On 4 May 2022, the EDPB and the European Data Protection Supervisor (“EDPS”) issued a Joint Opinion on the Proposal for a Data Act.[39] Both authorities noted that highly sensitive data could be revealed through the sharing mechanisms and that additional safeguards are required to ensure that data sharing does not lower the protection of individuals’ right to privacy. The authorities also raised concerns regarding the oversight mechanism established by the Proposal, which may lead to fragmented and incoherent supervision.

H.  Cyber Resilience Act

The Cyber Resilience Act Proposal of 15 September 2022 of the European Commission aims to protect both consumers and businesses from products with inadequate security features and thereby ensure a better level of cybersecurity.[40]

In particular, the Proposal introduces mandatory cybersecurity requirements and obligations for manufacturers, as well as importers and distributors, of products with digital elements (i.e., software or hardware product and its remote data processing solutions, defined as any data processing at a distance for which the software is designed and developed by the manufacturer or under its responsibility and the absence of which would prevent the product from performing one of its functions) within the European Union. Any vulnerability contained in the product or any incident impacting its security will have to be reported by the manufacturer to the EU Agency for Cybersecurity (“ENISA”). The “critical products” (e.g., operating systems, firewalls or network interfaces) would be subject to a specific compliance procedure.[41]

This Proposal, if adopted, will be directly applicable in all Member States. Sanctions for violations will depend on the breach concerned (up to €15 million or 2.5% of the company’s total worldwide annual turnover for the preceding financial year, whichever is higher). In terms of timeline, the Proposal still has to be examined by the European Parliament and the Council and, once adopted, companies will have two years to adapt to the new requirements (one year for manufacturers’ obligations to report incidents and vulnerabilities, if not modified in the final version of the Regulation).[42]

I.  Artificial Intelligence Act

The Proposal for a Regulation laying down harmonised rules on Artificial Intelligence (Artificial Intelligence Act) of 21 April 2021, aims to ensure that artificial intelligence systems placed on the EU market and used in the EU are safe and respect existing law on fundamental rights and EU values.[43]

The Council of the EU published, on 3 November 2022, the final version of the compromise text on the Proposal for the AI Act and adopted, on 6 December 2022, its general approach on the Artificial Intelligence Act.[44]

J.  EDPB Guidance

Aside from its guidance on international data transfers, the EDPB issued Guidelines on various topics, including:

  1. Guidelines 01/2022 on the right of access,[45] which aim to provide guidance on how the right of access has to be implemented in practice;
  2. Guidelines 02/2022 on the application of Article 60 GDPR,[46] which aim to assist supervisory authorities to interpret and apply their own national procedures in such a way that it conforms to and fits in the cooperation under the one-stop-shop mechanism;
  3. Guidelines 3/2022 on Dark patterns in social media platform interfaces,[47] which offer practical recommendations to designers and users of social media platforms on how to assess and avoid so-called “dark patterns” in social media interfaces that infringe on GDPR requirements;
  4. Guidelines 04/2022 on the calculation of administrative fines under the GDPR,[48] which aim to harmonize the methodology supervisory authorities use when calculating the amount of fines;
  5. Guidelines 06/2022 on the practical implementation of amicable settlements,[49] which address inconsistencies in Member States’ approaches to amicable settlements sought following cross-border complaints;
  6. Guidelines 07/2022 on certification as a tool for transfers,[50] which aim to provide further clarification on the practical use of this transfer tool;
  7. Guidelines 8/2022 on identifying a controller or processor’s lead supervisory authority,[51] which aim to clarify the notion of main establishment in the context of joint controllership and take into account the EDPB Guidelines 07/2020 on the concepts of controller and processor in the GDPR;
  8. Guidelines 9/2022 on personal data breach notification under GDPR,[52] which aim to clarify the notification requirements concerning the personal data breaches at non-EU establishments.

On 12 July 2022, the EDPB and the EDPS adopted a Joint Opinion 03/2022 on the European Commission’s proposal for a regulation on the European Health Data Space.[53] The Opinion aims to draw attention to a number of overarching concerns such as the clarification of the interplay between the proposal and the GDPR or Member State laws.

On 14 July 2022, the EDPB issued a document[54] to enhance cooperation between European supervisory authorities, which contains a set of criteria for identifying cross-border cases of strategic importance in different Member States, as well as the process followed by the EDPB to select these cases. The Commission recalls that cases of strategic importance are primarily one-stop-shop cases which are likely to involve a high risk to the rights and freedoms of individuals in several Member States. In particular, several criteria have been defined by the EDPB (e.g., cases related to the intersection of data protection and other legal fields, where a high risk can be assumed, where a data protection impact assessment is required, or where there is a large number of complaints in several Member States). Supervisory authorities can propose any case that meets at least one of these criteria to the other supervisory authorities within the framework of the EDPB, in order for it to be identified as a case of strategic importance for which cooperation will be prioritised and supported by the EDPB. The EDPB has already agreed on three (undisclosed) cases to start the project.

II.  Enforcement by Supervisory Authorities

In 2022, the Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (“e-Privacy Directive”)[55] and the GDPR continued to be applied and enforced by Member States’ supervisory authorities which imposed substantial fines. We have gathered below a list of the highest fines published in 2022:

On 6 January 2022, the French Supervisory Authority published a decision issued on 31 December 2021 to fine an American search engine company €150 million (€90 million for one entity and €60 million for another)[56] for not enabling its users to refuse cookies as easily as to accept them. The authority also issued an injunction requiring the company to enable users located in France to reject cookies as easily as to accept them within three months, subject to a daily penalty of €100,000 in case of delay. On 28 January 2022, the French Conseil d’Etat confirmed the €100 million fine imposed by the French Supervisory Authority on two entities of an American search engine company on 7 December 2020.[57] The French Conseil d’Etat also held that the one-stop-shop procedure introduced by the GDPR was inapplicable because cookie practices are regulated by the local data protection legislation (the French “Loi informatique et libertés”).

On 15 March 2022, the Irish Supervisory Authority adopted a decision, imposing a fine of €17 million on a social media company,[58] notably for failing to put in place appropriate technical and organizational measures.

Several supervisory authorities imposed sanctions against an American facial recognition company, including:

  • On 10 February 2022, the Italian Supervisory Authority fined the company €20 million for unlawful biometric profiling of data subjects.[59] The authority found that the company, which maintains a database of more than 10 billion faces scraped from public internet sources (including public social media), did not have a legal basis to do so and failed to comply with a number of GDPR requirements such as transparency and storage limitation.
  • On 18 May 2022, the UK Supervisory Authority fined the company over £7.5 million for failing to provide adequate information to data subjects, failing to meet data protection standards for biometric data, the absence of a legal basis and the lack of a clear data retention policy. Aside from the fine, the ICO also ordered the company to stop obtaining and processing publicly available personal data of UK residents and to delete all UK residents’ data from its systems.[60]
  • On 13 July 2022, the Hellenic Supervisory Authority fined the company €20 million for multiple breaches of the GDPR[61] and notably highlighted that the company had failed to appoint a representative (the company not being established in the European Union), to lawfully process personal data, to inform data subjects and to ensure data subjects’ right of access.
  • On 17 October 2022, the French Supervisory Authority fined the company €20 million for several breaches of the GDPR.[62] The authority also ordered the company to stop collecting and processing data of individuals residing in France without a legal basis and to delete the data of these persons that it had already collected, within a period of two months. The Authority added a penalty of €000 euros per day of delay beyond these two months.

On 15 September 2022, the Irish Supervisory Authority fined a social media company €405 million for breaches relating to the public disclosure of children’s personal data through the social media’s business features and a public-by-default setting for personal accounts of children.[63] As the Authority was unable to reach consensus with the concerned supervisory authorities, the EDPB issued a binding decision[64] in accordance with the GDPR dispute resolution process. In addition to the fine, the authority imposed a range of corrective measures, including an order to bring the processing into compliance by taking a range of specified remedial actions.

On 25 November 2022, the Irish Supervisory Authority fined a social media company €265 million for breaches relating to the public disclosure of a collated dataset of data subjects using its services.[65] The authority began this inquiry following media reports about the discovery of a collated dataset of the social media’s personal data that had been made available on the internet. The material issues in this inquiry related to compliance with data protection by design and by default obligations. In addition to the fine, the Irish Supervisory Authority issued a reprimand and ordered the company to take specified remedial actions.

On 19 December 2022, the French Supervisory Authority imposed a €60 million fine on a company which operates and develops a search engine, in particular for not allowing its users to refuse cookies as easily as accepting them.[66] The authority considered that the company had breached the French Data Protection Act as cookies were set without the prior consent of the user, including cookies with an advertising purpose. Also, while the search engine offered a button to accept cookies immediately, it did not offer an equivalent solution allowing the internet user to refuse them as easily. The authority specified that two clicks were needed to refuse all cookies, while only one was needed to accept them.

In a decision dated 31 December 2022, the Irish Supervisory Authority announced the conclusion of two inquiries related to the data processing operations of a social media company.[67] The authority fined the company a total of €390 million. Following the consultation of the concerned supervisory authorities and the EDPB, the authority found that the company was not entitled to rely on the newly changed contractual legal basis in connection with the delivery of behavioural advertising as part of its services, and that its processing of users’ data to date, in purported reliance on the contractual legal basis, amounted to a contravention of Article 6 of the GDPR. The company has also been directed to bring its data processing operations into compliance within a period of three months.

III.  Developments in Other European Jurisdictions: UK, Switzerland, and Turkey

A.  UK

1.  Data Protection and Digital Information Bill

The UK Government published its Data Protection and Digital Information Bill[68] on 18 July 2022, following the Government’s response in June to its consultation on reform of the UK’s data protection regime. The Bill would make a number of changes to UK data protection law, including: clarifying the circumstances in which an individual is treated as identifiable; removing the requirement for controllers and processors subject to the extraterritorial scope of UK GDPR to appoint a UK representative; replacing the role of Data Protection Officer with designation of a senior responsible individual; changing the requirements for records of processing activities; and amending the provisions dealing with data protection impact assessments and prior consultation with the UK Supervisory Authority (“ICO”) on high-risk processing.[69]

The Bill would also make a number of changes to the regulation of cookies and similar technologies, notably by expanding the types of cookies for which consent will no longer be required.[70]

Progress on the Bill was paused in September, with the Government claiming that this was “to allow Ministers to consider the legislation further”—the Government has not made clear precisely when, or in what form, the Bill will return to Parliament.[71]

2.  International Data Transfers – New Standard Contractual Clauses

On 2 February 2022, the ICO published its new International Data Transfer Agreement (“IDTA”), along with an International Data Transfer Addendum to the European Commission’s new standard contractual clauses (UK Addendum).[72] The IDTA and UK Addendum provide organisations carrying out processing subject to UK GDPR with two options for making international transfers of personal data to countries that are not subject to UK adequacy regulations.

The IDTA and UK Addendum entered into force on 21 March 2022. Under transitional provisions made by the ICO, organisations can continue to rely on the old (pre-June 2021) standard contractual clauses published by the European Commission for contracts entered into on or before 21 September 2022; these transitional provisions will expire on 21 March 2024.[73]

3.  International Data Transfers – ICO Guidance and TRA Tool

On 17 November 2022, the ICO published new guidance on international data transfers under UK GDPR.[74] The new guidance includes a section on carrying out transfer risk assessments (“TRAs”), including a TRA tool.

The ICO’s guidance states that an organisation must carry out a TRA when carrying out a transfer of personal data on the basis of safeguards under Article 46 of UK GDPR.[75] The ICO provides organisations with two permitted approaches: the ICO’s approach in the TRA tool (which is focused on the risks to individuals’ rights arising from the transfer) or the approach adopted by the EDPB in its Recommendations 01/2020.[76]

4.  International Data Transfers – UK’s first ‘Data Bridge’

In November 2022, the UK Government formalised its first post-Brexit adequacy decision, with the Republic of Korea.[77]

The ‘data bridge’ (the UK Government’s new term for adequacy decisions), which entered into force on 19 December 2022, has a broader scope than the existing EU adequacy decision recognising South Korea.[78]

5.  ICO Guidance for Employers

On 12 October 2022, the ICO launched a consultation on its proposed new guidance on monitoring in the workplace.[79] The consultation followed a call for views between August and October 2021. The ICO also published an impact scoping document, outlining some of the potential benefits and costs associated with its proposed guidance.[80]

The ICO’s proposed guidance provides organisations with advice on a number of general issues arising in relation to workplace monitoring, as well as advice and compliance checklists covering a range of specific monitoring scenarios.

The ICO also launched a separate consultation in October on its proposed new guidance for employers handling workers’ health information.[81]

6.  Reform of the UK’s cybersecurity regime

In January 2022, the UK Government launched a consultation on proposed legislation to improve the UK’s cyber resilience. The Government’s proposals covered seven policy measures, split across two Pillars: Pillar I (proposals to amend provisions relating to digital service providers) and Pillar II (proposals to future-proof the UK’s NIS Regulations).[82]

In November 2022, the Government confirmed that it would be moving ahead with one of its key proposals, expanding the scope of digital services under the UK’s cybersecurity legislation to include ‘managed services’. This change, which is intended to address growing concerns around supply chain risks, will bring into scope a wide range of providers of technology-related services.[83]

7.  AI Action Plan

On 18 July 2022, the UK Government published its AI Action Plan, outlining the steps the Government plans to take to deliver the UK’s National AI Strategy.[84] The Government also published a policy paper setting out its proposed approach to the regulation of AI—in particular, the Government proposes to adopt a context-specific approach, regulating AI based on its use and the impact it has on individuals, groups and businesses within a particular context.

Elsewhere, the ICO launched an updated version of its AI and data protection risk toolkit in May 2022, following comments on the beta version released in 2021. The toolkit is designed to provide support to organisations to help them mitigate risks to individuals resulting from use of AI systems.[85]

B.  Switzerland

On 31 August 2022, the Swiss Federal Council confirmed that the revised Federal Act on Data Protection of 1992, alongside two new ordinances on data protection and on data protection certifications, will enter into force on 1 September 2023.[86]

The final text incorporates responses from the public consultation. Among other changes, certain obligations on controllers to inform data subjects when personal data is disclosed were withdrawn, and the right of access was simplified by removing the requirement to document the reasons for refusing, restricting or delaying access.[87]

With regard to data transfers, the Federal Data Protection and Information Commissioner (“FDPIC”) has taken note of the factsheet released by the U.S. regarding the “Data Privacy Framework” and is analysing it.[88]

C.  Russia

The Russian Federation (Russia) has been in a state of war against Ukraine since 24 February 2022. As a consequence, the EDPB adopted Statement 02/2022 on personal data transfers to the Russian Federation, which recalls that data exporters transferring personal data to Russia should assess and identify appropriate safeguards, and the need for supplementary measures, to ensure that data subjects are afforded a level of protection essentially equivalent to that guaranteed within the EU.[89]

In this regard, the Norwegian Data Protection Authority also issued a press release[90] encouraging companies which export personal data to Ukraine and Russia to reassess the impact of such transfers. In particular, the Authority advised companies to reconsider the legal basis of the transfers and recalled that security measures should be reviewed and updated where necessary.

Regarding the legislative framework of Russia, the Federal Service for Supervision of Communications, Information Technology, and Mass Media (“Roskomnadzor”) announced, on 1 September 2022, the entry into effect of the Federal Law of 14 July 2022 No. 266-FZ on Amending the Federal Law on Personal Data (“the Amendment Law”). The Amendment Law makes significant changes to the Federal Law of 27 July 2006 No. 152-FZ on Personal Data (“the Law on Personal Data”), including minimum standards for contracts concluded with data subjects for the processing of personal data, and the extraterritorial application of the Law on Personal Data where the personal data of Russian data subjects is processed by a foreign entity on the basis of an agreement or consent.[91]

In addition, the Federal Law of 14 July 2022 No. 259-FZ on Amendments to the Code of Administrative Offenses of the Russian Federation entered into force on 14 July 2022. In particular, it provides that where a foreign internet operator, with a daily audience of more than 500,000 users, fails to open a branch, representative office, or authorised legal entity in Russia, such operator may be subject to a fine of up to 10% of its annual revenue or, in the case of repeated offences, 20% of its annual revenue.[92]

D.  Turkey

The Personal Data Protection Authority (“KVKK”) published guidance including:

  • on 3 January 2022, the second part of its guidance addressing common mistakes in relation to the Law on Protection of Personal Data No., which aims to raise public awareness on some basic issues around the protection of personal data;[93]
  • on 11 January 2022, draft guidelines on the Protection of Personal Data for web site operators processing personal data through cookies;[94]
  • on 5 August 2022, the banking sector good practices guide on protection of personal data, which provides guidance to data controllers in relation to personal data processing activities carried out by banks, as well as practice examples in this context.[95]

In addition, the Official Gazette of Turkey published, on 19 February 2022, the Regulation on the Protection and Processing of Data at the Social Security Institution (“SSI”). The Regulation establishes the procedures to be followed by the SSI, within the scope of its duties and powers, when processing data wholly or partly by automated means, or by non-automated means where the data forms part of a data recording system.[96]

IV.  Developments in Asia-Pacific

A.  Australia

As explained in the 2021 and 2022 editions of the International Outlook and Review, the Australian government has undertaken a wholesale review of the Privacy Act 1988 (“Privacy Act”) commencing in 2020, with a view to implementing significant reforms to the country’s privacy regime. The Attorney-General’s Department released a discussion paper in October 2021[97] which, along with public submissions, ultimately formed the basis of a final report submitted to government in December 2022.[98] This milestone had originally been scheduled 12 months earlier; the Attorney-General will now consider the report and is expected to release it publicly in the first half of 2023, together with the government’s proposed response.[99]

The 2021 public discussion paper proposed wide-ranging reforms to align Australia’s privacy regime more closely with global equivalents (such as the GDPR) and to reflect recent developments in the digital economy, including expanding the definition of personal information, imposing stricter anonymisation requirements on organisations subject to the laws, increasing maximum civil penalties for non-compliance, strengthening the rights of individuals to object to the collection, use and disclosure of their information and to require its erasure, and modifying the framework for international data transfers.

As referred to in the 2022 International Outlook and Review, the government’s review was initially conducted concurrently with a public consultation process on the exposure draft of the Privacy Legislation Amendment (Enhancing Online Privacy and Other Measures) Bill 2021 (“Online Privacy Bill”), which was released in October 2021.[100] The Online Privacy Bill proposed to establish a binding privacy code for social media platforms, data brokerage services and large online platforms, expand the enforcement options available to the regulator, increase the penalties for serious or repeated privacy breaches and significantly broaden the extraterritorial reach of the Privacy Act. While the government ultimately decided not to pursue the Online Privacy Bill, it nonetheless tabled and passed the Privacy Legislation Amendment (Enforcement and Other Measures) Bill 2022 (“Privacy Enforcement Bill”) in November 2022, amending the Privacy Act.[101] The Privacy Enforcement Bill retained the amendments to the enforcement and penalty regime, as well as the expansion of the Privacy Act’s extraterritorial reach proposed in the Online Privacy Bill, but omitted the privacy code. It remains to be seen whether the government will include the code in the broader set of amendments to the Privacy Act expected in 2023.

Notably, the Privacy Enforcement Bill was fast-tracked through parliament in the wake of two large scale, and widely publicised, data breaches involving a major domestic telecommunications provider in September 2022,[102] and a major domestic private health insurer in October 2022.[103] These data breaches put privacy reform into the spotlight in Australia in 2022 and it is likely that this will continue to be a focus area for the newly elected government in 2023. Accordingly, we expect the Office of the Australian Information Commissioner (“OAIC”)—which is tasked with enforcing the provisions of the Privacy Act—to be increasingly focussed on compliance and utilise its broadened suite of enforcement tools.[104]

In this regard, clients should note the revisions to the extraterritorial reach of the Privacy Act in particular. The amendments implemented by the Privacy Enforcement Bill repeal the previous requirement that a foreign organisation must have collected or held personal information in Australia in order for the organisation to have an “Australian link” and render its subsequent acts or practices outside of Australia subject to the Privacy Act. This amendment was widely criticised following the release of the exposure draft of the Privacy Enforcement Bill, primarily on the basis that the amendment potentially results in the application of the Privacy Act to acts or practices of a foreign organisation which do not otherwise have any relevance to Australia or Australian data subjects. The government ultimately determined that these concerns were not sufficient to delay the passing of the Privacy Enforcement Bill but flagged that they would instead consider them as part of the forthcoming set of amendments in 2023.[105]

In addition, as mentioned in the 2022 International Outlook and Review, the US and Australian governments signed an agreement in December 2021 to facilitate access to electronic data for investigations authorised by the Clarifying Lawful Overseas Use of Data (“CLOUD”) Act of 2018.[106] This agreement allows authorities from either country to access certain data directly from providers operating in the other jurisdiction to mitigate, detect and investigate serious crimes, including ransomware attacks and terrorism, as well as crimes that sabotage critical infrastructure over the internet. Following a parliamentary inquiry in 2022, the Joint Standing Committee on Treaties recommended that the Australian government ratify the agreement, which will now replace the mutual legal assistance mechanism currently used to access data from such providers.[107]

B.  China

The Personal Information Protection Law (“PIPL”) took effect in 2021[108] but continued to take shape in 2022 as the Cyberspace Administration of China (“CAC”) issued a wide range of implementing regulations to provide further colour to the law. Notably these regulations included the following:

  • Cybersecurity Review Measures – In January 2022, the CAC (in conjunction with various other Chinese authorities) issued new Cybersecurity Review Measures.[109] The Measures broaden the scope of circumstances triggering a cybersecurity review, including where Critical Information Infrastructure Operators (“CIIOs”) procure network products or services which affect or may affect China’s national security or where internet platform operators carry out data processing activities which affect or may affect China’s national security. The Measures also specify the proposed focus and procedures for the conduct of cybersecurity reviews.
  • Technical Specification for Certification of Cross-Border Transfers of Personal Information – In June 2022, the Secretariat of the National Information Security Standardization Technical Committee (“TC260”) issued the Technical Specification for Certification of Cross-Border Transfers of Personal Information, which was then further revised in December.[110] The Specification supplements Article 38(2) of the PIPL, which provides for one of the mechanisms that data controllers can utilize in order to transfer personal information outside of China between related entities, namely application for certification.
  • Measures for Security Assessment for Cross-Border Data Transfers – In July 2022, the CAC finalized the Measures for Security Assessment for Cross-Border Data Transfers.[111] These Measures supplement Article 40 of the PIPL, which provides that certain CIIOs and data controllers must store personal information collected and produced within China domestically and must pass a security assessment by the CAC before exporting such personal information overseas. The assessment is only required if a CIIO or data controller meets one of the following criteria and/or thresholds: (i) data controllers exporting “important data”; (ii) CIIOs exporting personal information, or data controllers processing the personal information of 1 million people or more; (iii) data controllers who have exported (A) the personal information of 100,000 people or more or (B) the sensitive personal information of 10,000 people or more, since 1 January of the previous year; or (iv) any other situation provided for by the CAC. Where they apply, the Measures require data controllers to carry out a self-assessment of data export risks, enter into a data processing agreement with the data recipient and apply to the CAC for a security assessment.
  • Administrative Provisions on Internet Pop-up Push Notifications – In September 2022, the CAC finalized the Administrative Provisions on Internet Pop-up Push Notifications.[112] These regulations apply to all owners and operators of operating systems, terminal devices, application software, websites and other such services that provide push notification services in China. The regulations impose restrictions on the inclusion of certain categories of information in push notifications.

The CAC also released a number of draft regulations in 2022, including the following:

  • Draft Provisions on Standard Contracts for the Export of Personal Information – these draft provisions supplement Article 38(3) of the PIPL, which provides that data controllers may use a standard contract in order to transfer personal information outside of China. The draft provisions specify the triggers and conditions under which data controllers may rely on the SCC mechanism, and provide the framework for that mechanism. The draft SCCs consist of a standard contract akin to the GDPR standard contractual clauses and establish requirements for personal information processors as well as overseas recipients, including an obligation to carry out an impact assessment of data export risks before exporting any personal information.[113]
  • Mobile Internet Application Program Information Service Management Regulations – these draft regulations establish general requirements for app providers to publish privacy notices, deploy technical measures to ensure data security and establish a full-process data security management system. They also prohibit providers from making consent to the collection and processing of users’ personal data a condition of using an app where such collection and processing is not essential for the app to function.[114]

Notwithstanding the legislative activity of the CAC described above, arguably the most significant event to occur in China in 2022 was the fine imposed on a leading Chinese ride-hailing platform. In July, the regulator announced that it had fined the platform RMB 8,000,000,000 (approx. US$1.2 billion) for violations of the PIPL, Cyber Security Law and Data Security Law.[115] Following an investigation, the CAC found that the platform had: (i) illegally and excessively collected personal information from users; (ii) failed to clearly and accurately explain the purposes for which the collected personal information was processed; and (iii) failed to fulfil its obligations in relation to cybersecurity, data security and personal information protection. The severity of the CAC’s sanctions suggests that it is now prepared to utilise its broad investigatory and enforcement powers regardless of the potential business impact on companies, particularly those in the technology sector and with overseas (especially U.S.) operations. Further, the classification of the ride-hailing platform as a CIIO indicates that the CAC and other Chinese regulators intend to adopt a broad interpretation of the otherwise vaguely defined concept of “critical information infrastructure” under the Cyber Security Law, and to link mobility data, including location data, with national security.

C.  India

In August 2022, the Indian government withdrew the Personal Data Protection (“PDP”) Bill, which had been pending before parliament since 2019.[116] In its place, India’s Ministry of Electronics and Information Technology proposed a new draft bill, titled the Digital Personal Data Protection Bill, 2022 (the “DPDP”).[117] The DPDP applies extraterritorially to organizations processing personal data outside India where such processing involves the profiling of data principals in India or the offering of goods and services to individuals in India. The DPDP departs from the previous version of the bill in several respects, including by removing the data localization requirement and changing the penalties for non-compliance.

The DPDP removed the previous bill’s data localization requirement, and states that “the central government may, after an assessment of such factors as it may consider necessary, notify such countries or territories outside India to which a data fiduciary may transfer personal data”. Instead of requiring entities to store data in India, the government may assess different countries’ data protection regimes and confirm whether personal data can be transferred to such countries.[118]

The DPDP also changed the previous bill’s penalty for noncompliance. The previous bill imposed fines with a cap of 4% of the data fiduciary’s worldwide turnover. The DPDP limits fines on a data fiduciary to approximately US$62 million.[119]

The DPDP underwent public consultation up to 2 January 2023 and will now follow the same legislative process as the previous bill.[120]

D.  Indonesia

2022 was a landmark year for data protection in Indonesia. In September, the House of Representatives approved the Personal Data Protection Bill, which was then enacted in October as Law No. 27 of 2022 on Personal Data Protection (“PDP Law”).[121] Years in the making, the PDP Law consolidates the rules on personal data protection in Indonesia and establishes data sovereignty and security as the keystone of Indonesia’s data protection regime. Key features of the PDP Law are set out below:

  • Transitional Period – Personal data controllers, personal data processors and other parties relevant to the processing of personal data have up to two years from the date of enactment of the PDP Law to comply with its terms. As is typical in Indonesia, implementing regulations for the PDP Law will follow its enactment and are expected to be issued throughout 2023.
  • Extraterritorial Application – Consistent with reforms in other jurisdictions, the PDP Law applies extraterritorially to organisations outside of Indonesia so long as the processing of personal data has legal consequences (i) in Indonesia; or (ii) for Indonesian citizens who are data subjects outside of Indonesia.
  • Consent to Processing of Personal Data – The PDP Law requires personal data controllers to obtain valid and explicit consent from personal data subjects for one or more specific purposes which the controller has communicated to those data subjects. Such consent may be either written or recorded, and personal data controllers must be able to show proof of the data subjects’ consent. A personal data controller’s request for consent must also satisfy certain formalities, including that it is made in an understandable and accessible format.
  • Notification in Corporate Restructuring – The PDP Law requires personal data controllers to notify data subjects before and after carrying out a merger, spin-off, acquisition, consolidation or dissolution. However, the applicable notification procedures (including the thresholds for their application) will not be defined until the forthcoming implementing regulations are released.
  • Obligations of Personal Data Controllers and Processors – The PDP Law imposes additional obligations on personal data controllers and personal data processors, including (i) ensuring the accuracy, completeness, and consistency of personal data; (ii) supervising each party that is involved in the personal data processing under the control of the personal data controller; and (iii) recording all personal data processing activities.
  • Transfer of Personal Data to Outside of Indonesia – The PDP Law requires that, where a personal data controller seeks to transfer personal data outside of Indonesia, the personal data controller: (i) obtains prior approval from the data subject; and (ii) ensures that the country of domicile of the personal data controller and/or the personal data processor that receives the transfer of personal data has a personal data protection level that is equal to or higher than those that are regulated under the PDP Law. As above, the practical operation of these overseas transfer rules will be further defined through the forthcoming regulations.
  • Enforceability of Existing Laws – The PDP Law provides that following its enactment, all provisions of laws and regulations governing the protection of personal data in Indonesia shall remain valid, provided that they do not conflict with the provisions of the PDP Law. Hence, the PDP Law will not revoke the previous regulations on personal data in Indonesia including, among others, the MOCI Regulation No. 20/2016.[122]
  • Sanctions – The PDP Law imposes criminal sanctions for certain violations of prohibitions on the use of personal data, including unlawfully obtaining or collecting, disclosing or using personal data that is not a person’s own. Corporations may face fines of up to 2% of their annual revenues, in addition to seizure and/or freezing of the profits or assets derived from the crime and deregistration at an entity level. The PDP Law also provides that members of management (i.e., board of directors), controllers, those giving orders (“pemberi perintah”) and beneficial owners (among others) may be subject to prison sentences subject to the nature of the violation.

E.  Hong Kong

The Personal Data (Privacy) Ordinance (“PDPO”), passed in 1995, is one of Asia’s longest-standing data protection laws. As identified in the 2021 and 2022 editions of the International Outlook and Review, the PDPO was amended in 2021 to combat doxxing acts which intrude on personal data privacy; it has not since undergone any substantive amendment.[123]

While the Privacy Commissioner for Personal Data (“PCPD”) issued two investigation reports against EC Healthcare and Fotomax in November 2022 for respective violations of provisions of the PDPO, it remains to be seen whether this indicates a renewed enforcement focus by the PCPD which has historically been seen as permissive in this space.[124]

F.  Japan

The latest amendments to Japan’s Act on the Protection of Personal Information (“APPI”) took effect in April 2022.[125] As a consequence, the APPI now has extraterritorial applicability insofar as it applies to organizations collecting personal data outside Japan if such processing involves offering goods and services to individuals in Japan. The APPI includes, but is not limited to, requirements related to cross border data transfers and data breach notifications.

With respect to cross border data transfers, the APPI requires a business to (i) obtain opt-in consent before transferring personal information outside of Japan (i.e., through email, written or verbal explanations, or website publications) or (ii) execute contracts with foreign third-party processors with contractual safeguards to handle data in accordance with the APPI.

The APPI also now imposes data breach notification requirements on entities. Data breaches involving (i) sensitive data, (ii) data which may result in economic loss (e.g., credit card data), (iii) unjust purposes (e.g., ransomware), or (iv) over 1,000 data subjects must be reported to the Personal Information Protection Commission.

G.  New Zealand

As mentioned in the 2022 International Outlook and Review, the New Zealand Privacy Act 2020 (“NZ Privacy Act”) came into force on 1 December 2020, repealing and replacing an existing 1993 act.[126] In implementing the new act, the New Zealand government sought to modernise the privacy regime in New Zealand and reflect global trends in international privacy standards and the digital economy.

Despite the recommendation of the Office of the Privacy Commissioner in 2021 that “further changes [were] desirable” in response to fast-changing technologies, no amendments were forthcoming in 2022.[127] The proposed changes are nonetheless slated to broaden the NZ Privacy Act’s notification requirements (see below), introduce a right of personal information portability and a right to be forgotten, protect data subjects against the risk of re-identification from de-identified information, limit the harm caused by automated decision-making algorithms, increase civil penalties for non-compliance and expand the regulator’s powers to require compliance reporting by organisations subject to the NZ Privacy Act.

Despite this lack of substantive reform, New Zealand’s Ministry of Justice released its consultation paper on possible changes to data collection notification requirements in the Privacy Act 2020. In his comments, New Zealand’s Privacy Commissioner noted the lack of notification requirements related to indirect collection (i.e., if an agency collects information indirectly from a data subject).[128]

H.  Philippines

On 4 February 2021, the National Privacy Commission of the Philippines (“NPC”) announced the approval of a substitute bill to amend the Data Privacy Act of 2012 (“PDPA”). As noted in the 2022 International Outlook and Review, the substitute bill seeks to implement wide-ranging reforms to the Philippines privacy regime, including to redefine “sensitive personal information” to include biometric and genetic data, clarify the extraterritorial application of the PDPA (including where an organisation offers goods or services to, or monitors the behaviour of, individuals within the Philippines, or where it has a link with the country), make performance of a contract a lawful basis for processing personal information, allow controllers outside of the Philippines to authorise processors within the Philippines to notify the NPC of a data breach, widen the enforcement powers of the NPC and modify the criminal penalties for non-compliance.[129] Despite the substantial passage of time since the NPC approved the substitute bill, it remains before the Senate and has yet to pass into law. In light of the election of the Marcos administration in the intervening period, it is still unclear when this will occur.

The NPC nonetheless introduced Circular No. 2022-01 on the Guidelines on Administrative Fines in June which categorises infractions under the PDPA as “grave”, “major” or “other” based on the number of data subjects affected, the frequency of the infractions and the reason for non-compliance. The different categories correspond to the threshold of and basis for calculation of potential fines.[130]

The NPC also announced in March that it is in the process of developing guidelines for the processing of personal and sensitive personal information based on consent, contract, and legitimate interests. The NPC is currently seeking public submissions for this purpose.[131]

I.  Singapore

Further amendments to the Personal Data Protection Act 2012 (“PDPA”) based on the Personal Data Protection (Amendment) Act 2020 (No. 40 of 2020) took effect on 1 October 2022.[132] Notably, these amendments enhance the power of the Personal Data Protection Commission (“PDPC”) to accept voluntary undertakings as part of its enforcement regime, and increase the financial penalty cap for breaches of the PDPA by organisations with annual local turnover exceeding S$10 million from the previously fixed S$1 million to 10% of the organisation’s annual local turnover.

In a case which required a determination as to whether emotional distress is a form of loss or damage, the Singapore Court of Appeal found that the PDPA should be interpreted widely in order to further its purpose of enabling individuals to enforce their rights to protect their personal data. However, the Court imposed limits on this broad interpretation, holding that the mere loss of control of personal data would not constitute loss or damage for the purposes of the PDPA.[133]

J.  South Korea

As explained in the 2022 International Outlook and Review, data protection in South Korea is currently governed by the Personal Information Protection Act (“PIPA”),[134] with the Personal Information Protection Commission (“PIPC”) being the authorised body.

In September 2022, the PIPC imposed its largest ever sanction for violations of the PIPA, against an American search engine operator and a social media platform. The regulator fined the two digital platforms a total of 100 billion won (about US$78.4 million) and issued corrective orders, following an 18-month inquiry in which it found that the companies had failed to clearly inform users, and to obtain their consent, before using behavioural data for targeted advertising.[135]

The fines marked the first time that the PIPC has taken action against digital platforms over their data collection practices, and suggest a renewed enforcement focus by the agency in this area. Indeed, consistent with other regulators internationally, the PIPC Chairman Ko Hak-soo indicated in his announcement of the PIPC’s policy agenda for 2023[136] that he would ensure that the agency plays a vital role in safely managing privacy in the digital economy. Additional policy goals for 2023 include the inspection of cross-border data-transfer practices of around 5,000 mobile apps in gaming, finance, shopping, education, social media and entertainment, as well as an industry-wide inspection to detect potential privacy risks involving dark patterns, ad tech, virtual platforms, super apps and smart gadgets. The PIPC is also planning to strengthen requirements for global companies to designate their local business operations as legal representatives.

An update to the PIPA which would grant the PIPC the power to impose severe fines on anyone found to have violated the law is also tabled for approval in 2023. If the amendments are pursued, digital platforms could potentially be subject to fines of as much as 3% of the “total annual turnover” for a privacy breach, in contrast to the “relevant turnover” defined under current rules. The legislative proposal was presented in 2022, recently passed the National Policy Committee and is now up for review by the Legislation and Judiciary Committee and a vote in the plenary.

K.  Sri Lanka

Sri Lanka’s official gazette published the Regulation of Processing of Personal Data (2021) on 25 November 2021 for consideration by the Parliament of Sri Lanka.[137] The Parliament of Sri Lanka has since enacted the Personal Data Protection Act No. 9 of 2022 (“Sri Lanka PDPA”), which was adopted on 19 March 2022. In line with other international standards, the Sri Lanka PDPA applies to all businesses, regardless of size, and requires that the processing of personal information be for a “specified, explicit and legitimate” purpose. Controllers and processors are also required to implement internal controls and procedures, referred to as the “Data Protection Management Programme”. Businesses will only be able to process Sri Lankan personal data abroad if the business is located in a country deemed to have adequate data privacy laws; however, various exceptions to this rule exist, including where the data subject has given consent. The Act will enter into force at the start of 2023.

L.  Thailand

Thailand’s Personal Data Protection Act (the “PDPA”) took effect on June 1, 2022.[138] The PDPA, initially enacted in May 2019, took effect after a three-year delay attributed to the COVID-19 pandemic and is the first comprehensive data protection regulation in Thailand. The PDPA has extraterritorial applicability, as it applies to organizations collecting personal data outside Thailand where such processing involves offering goods and services to individuals in Thailand. Similar to the GDPR, the PDPA requires a legal basis for the processing of data and sets out data subject rights (e.g., the right to be informed, right of access, right to rectification, right to erasure, right to opt out, right to portability, right to complain and right to withdraw consent). The PDPA’s penalties for non-compliance include an administrative fine of up to approximately US$150,000 and a criminal fine of up to approximately US$30,000 or imprisonment.

M.  Vietnam

As explained in the 2022 International Outlook and Review, the data protection framework in Vietnam is fragmented, and relevant provisions can be found in numerous laws. In February 2020, however, a draft personal data protection decree (“Draft PDPD”) was released. The Draft PDPD sets out principles of data protection, including purpose limitation, data security, data subject rights and the regulation of cross-border data transfers, in addition to provisions on obtaining the consent of data subjects, the technical measures needed to protect personal data, the creation of a data protection authority and the introduction of penalties for non-compliance ranging from VND 50 million to VND 100 million.

From February to April 2021, the Ministry of Public Security sought public comments on the Draft PDPD with a view to the final decree coming into effect on 1 December 2021. As of the date of this publication, the Draft PDPD is still pending in Vietnam, while a new Decree No. 53/2022/ND-CP (“Decree 53”)[139] has been issued to provide guidance on the Law on Cyber Security No. 24/2018/QH14 (“Cybersecurity Law”).[140]

Decree 53, which took effect on 1 October 2022, clarifies some important aspects of the Cybersecurity Law, including the application of the data localisation requirements to Vietnam-domiciled entities and foreign enterprises. The criteria under the Cybersecurity Law and Decree 53 together provide that the data localisation requirements only apply to Vietnam-domiciled entities that: (i) are service providers in the telecommunications network or on the internet, or provide value-added services in cyberspace; and (ii) process the personal data of users in Vietnam, data about the relationships of users in Vietnam or data created by users in Vietnam.

Domestic entities to which Decree 53 applies must retain such specified categories of data in Vietnam indefinitely. However, Decree 53 clarifies that foreign entities will only need to store relevant data in Vietnam and establish a local presence where all of the following conditions are met:

  • the company operates in a prescribed sector related to cyberspace, which covers, amongst other things, telecom services, services for storing and sharing data in cyberspace, e-commerce and online payment services (“Specified Services”);
  • the company violates the Cybersecurity Law in performing the Specified Services;
  • the company fails to comply with a notice or request from the Department for Cybersecurity and Prevention of High-Tech Crime (“DCPHC”); and
  • the DCPHC issues a request for data localisation and local presence establishment.

While Decree 53 is helpful in clarifying aspects of the Cybersecurity Law related to data localisation, it does not provide for any alternative legal bases for processing personal data, nor does it contain any thresholds for notifiable data breaches; both remain gaps in the current legislation.

V.  Developments in Africa

A.  Kenya

On 21 December 2022, the Office of the Data Protection Commissioner (“ODPC”) issued a penalty notice of KES 5 million (approx. €38,237) against a mobile phone manufacturer for failure to comply with an enforcement notice.[141] The manufacturer had used the complainant’s photograph on its Instagram account without obtaining the data subject’s consent. In response, the ODPC had ordered the company to develop a) a policy for compliance with Section 37 of the Data Protection Act 2019, which requires data controllers to obtain consent prior to the use of personal data for commercial purposes, and b) an internal complaints mechanism to address such complaints from data subjects. The manufacturer failed to comply with the orders and was fined.

B.  Mozambique

On 22 November 2022, the National Institute of Information and Communication Technologies (“INTIC”) published a draft Cybersecurity Bill. The draft legislation aims to ensure the security of all citizens and institutions by protecting digital networks, information systems and critical infrastructure in cyberspace.[142] The Bill also provides for the creation of the National Cyber Security Council—a body that will work towards the alignment of policies on cybersecurity. The new agency will be chaired by the Minister of Information and Communication Technology.

C.  Nigeria

On 4 October 2022, the Nigeria Data Protection Bureau (“NDPB”) released the Draft Data Protection Bill 2022.[143] The Bill affords data subjects a number of rights (similar to those afforded under the GDPR), provides for the designation of data protection officers (“DPOs”) and outlines the legal bases for the processing of personal information. To oversee the enforcement and regulation of the above provisions, the draft legislation creates the Nigeria Data Protection Commission. The maximum fine that can be levied on transgressors is set at the greater of NGN 10 million (approx. €23,540) or 2% of the transgressor’s annual gross revenue derived from Nigeria in the preceding financial year.

D.  Tanzania

On 1 November 2022, Tanzania’s legislative body voted in favour of the Personal Information Protection Bill, a notable development considering this is Tanzania’s first law on data protection.[144] The Bill will establish a Commission responsible for the protection of personal data. In addition, the Bill introduces a requirement that controllers and processors of personal data be registered with the Commission. On the enforcement side, the Bill provides that the Commission may issue an enforcement notice against a person who has failed to comply with the law. The maximum fine that can be levied against a transgressor is set at TZS 100 million (approx. €41,320). The Ministry of Information, Communication and Information Technology has not yet announced when the Bill will come into force.

E.  Zimbabwe

On 16 November 2022, the Postal and Telecommunications Regulatory Authority of Zimbabwe (“POTRAZ”) published the Draft Cyber and Data Protection Regulations 2022. The Draft provides for the designation of a DPO in certain cases (e.g., when the data processing is carried out by a public authority or body). Furthermore, the Draft introduces a number of data security provisions, the most notable of which is that if a controller decides to rely on legitimate interest as a basis for processing data, a Legitimate Interest Assessment (“LIA”) must be conducted first, and a record of it kept in order to demonstrate compliance. Overall, the Draft Regulations aim to ensure that data is processed securely and that appropriate organizational measures are adopted.[145]

VI.  Other Developments in the Middle East

A.  Israel

On 29 November 2022, the Ministry of Justice published the Draft Privacy Protection Regulations (Provisions Regarding Information Transferred to Israel from the European Economic Area). The draft legislation requires Israeli data controllers to abide by a series of obligations in relation to the handling and processing of personal data transferred from the European Economic Area (“EEA”) to Israel.[146] Israel was granted adequacy status in 2011 (i.e., it was found to provide a level of protection equivalent to that provided within the EU).[147] Since then, the EU has introduced the GDPR, and Israel’s status is expected to be reviewed.

Through the draft legislation, Israel aims to satisfy the EU’s demands and retain its status as an adequate country. The new provisions are the following: a) an obligation to delete information upon request, b) deletion of excess personal information, c) an obligation to maintain accurate personal information and d) an obligation to notify EEA data subjects that their personal information is being processed. It should be noted that the new rules will only apply to EEA data subjects; the protection afforded to Israeli data subjects will remain unchanged.

B.  Saudi Arabia

On 20 November 2022, the Saudi Data and Artificial Intelligence Authority (“SDAIA”) published its proposed amendments to the Personal Data Protection Law and invited the public to comment. The draft legislation introduces, inter alia, a) a right to data portability, pursuant to which data subjects may request that their personal data be transferred to another controller, b) an obligation on the controller to keep records of the operations performed on personal data and c) the ability to apply to a competent court for compensation where a person suffers damage as a result of a violation of the Personal Data Protection Law.[148]

On 8 August 2022, the Saudi National Cybersecurity Authority (“NCA”) launched a programme which aims to develop the cybersecurity sector in the country. Specifically, the programme will look to foster the development of national cybersecurity products, services and solutions.[149]

C.  Other Middle East Jurisdictions

On 17 March 2022, the Ministry of Justice, Islamic Affairs and Endowments of Bahrain announced several executive decisions supplementing the Personal Data Protection Law 2018.[150]

On 9 February 2022, Oman enacted its first data protection legislation (the Law on the Protection of Personal Data), which is due to come into force on 9 February 2023.[151]

VII.  Developments in Latin America and in the Caribbean Area

A.  Argentina

On 10 November 2022, the Argentinian data protection authority (“AAIP”) published a draft bill to update the Personal Data Protection Act, Act No. 25.326 of 2000, following a public consultation on the Act during September 2022.[152] In particular, the draft bill introduces a data minimisation principle, an obligation on the data controller to inform data subjects before collecting personal data, and a burden on the exporter to demonstrate that any international transfer is carried out in accordance with the draft bill. A web form has also been set up for the registration of data controllers who do not reside in Argentina, to enable Argentinian data subjects to exercise their rights against foreign data controllers.[153]

B.  Brazil

On 8 November 2022, the Brazilian Data Protection Authority (“ANPD”) approved its regulatory agenda for 2023-2024, which includes among its priorities the rights of children and adolescents whose personal data is being processed and the establishment of criteria to guide the calculation of fines.[154]

The ANPD also published Guidance on Cookies and Personal Data Protection, which outlines requirements and best practices associated with cookie policies and cookie banners.[155]

On 23 August 2022, Brazil’s National Consumer Secretariat (“Senacon”) issued a fine against a U.S. social media company amounting to BRL 6.6 million (approx. €1,290,000) for the unlawful sharing of personal data of Brazilian citizens.[156]

It should also be noted that a constitutional amendment has included the protection of personal data among the fundamental rights and guarantees in the Brazilian Constitution.[157]

C.  Chile

On 7 June 2022, Chile’s Computer Security Incident Response Team (“CSIRT”) released guidance for organisations on cyberattacks and the best-practice capabilities to have in place.[158]

D.  Mexico

On 31 May 2022, the National Institute for Access to Information and Protection of Personal Data (“INAI”) released its Recommendations for the Processing of Personal Data derived from the Use of Artificial Intelligence.[159]

E.  Peru

On 25 October 2022, the National Authority for the Protection of Personal Data (“ANPD”) approved the “Guide for the Implementation of Model Contractual Clauses for the International Transfer of Personal Data”, which aims to ensure that international data transfers are carried out in compliance with the law.[160]

F.  Uruguay

On 3 November 2022, the Official Information Center of Uruguay (“IMPO”) published Law No. 20075 of 20 October 2022, reforming the country’s data protection law. The reforms are intended to increase transparency in data processing, especially where algorithms are used for decision-making.[161]

G.  Developments in Other Latin American and Caribbean Jurisdictions

On 4 August 2022, the Congress of the Republic of Guatemala voted in favour of the Law on Prevention and Protection Against Cybercrime, which creates cybercrime offences and is intended to protect Guatemalans from the unlawful use of their personal data.[162]

On 22 May 2022, the Presidency of Peru’s Council of Ministers (“PCM”) announced the establishment of the National Centre for Digital Security. The agency will work with both public and private sector companies to identify, detect and respond to digital security incidents in the country.[163]

____________________________

[1]  See Irish Supervisory Authority decision.

[2]  See https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32022R2065.

[3]  See https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022R1925.

[4]  See https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32022R0868.

[5]  See https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=COM%3A2022%3A68%3AFIN.

[6]  See https://www.cnil.fr/en/european-strategy-data-cnil-and-its-counterparts-comment-data-governance-act-and-data-act.

[7]    See https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022L2555.

[8]    See https://digital-strategy.ec.europa.eu/en/library/cyber-resilience-act.

[9]    See https://www.enisa.europa.eu/publications/enisa-threat-landscape-2022.

[10]   See CAC decision.

[11]    See http://curia.europa.eu/juris/document/document.jsf;jsessionid=2BDC80771D0FB7EA8B6F60B9A3C4F572?text=&docid=228677&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=20032710.

[12]   See https://ec.europa.eu/commission/presscorner/detail/en/ip_22_7631.

[13]   Id.

[14]   See https://www.cnil.fr/en/transfer-data-outside-eu-old-standard-contractual-clauses-scc-are-no-longer-valid#:~:text=A%20transition%20period%20of%20three,%E2%80%9Cold%E2%80%9D%20standard%20contractual%20clauses.

[15]   See https://commission.europa.eu/select-language?destination=/node/9; https://commission.europa.eu/system/files/2022-05/questions_answers_on_sccs_en.pdf.

[16]   Id.

[17]   See https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-data-transfer-agreement-and-guidance/?_sm_au_=iHVNDSq41vR3q5QMFcVTvKQkcK8MG.

[18]    See https://edpb.europa.eu/system/files/2022-03/edpb_guidelines_codes_conduct_transfers_after_public_consultation_en_1.pdf.

[19]   See https://edpb.europa.eu/system/files/2022-11/edpb_recommendations_20221_bcr-c_referentialapplicationform_en.pdf.

[20]  See, e.g., the UK Supervisory Authority’s update to its guidance on international transfers, including a new section on transfer risk assessments (TRAs) and a TRA tool; the Danish Supervisory Authority’s guidance on cloud service usage, which provides specific recommendations for transferring data to third countries such as the U.S. and examples of how data transfers should be implemented; the Hamburg Commissioner for Data Protection and Freedom of Information’s press release (10/07/2022) regarding the impact of the Executive Order signed by President Biden to implement the EU-U.S. Data Privacy Framework; and the Berlin Supervisory Authority’s guidance outlining the requirements for cross-border data transfers, which clarifies the current legal situation regarding international data transfers while examining the U.S. surveillance framework, the Schrems II ruling and their implications.

[21]  See, e.g., the French CNIL’s orders requiring companies using Google Analytics to comply with the GDPR and, if needed, to stop using the tool; the Liechtenstein Supervisory Authority’s press release recommending that website operators deactivate Google Analytics and implement alternative tools; the Austrian Supervisory Authority’s reaffirmation that Google Analytics cannot be used in accordance with the GDPR; the Italian Supervisory Authority’s reprimand against a website operator (the first of several) banning the use of Google Analytics; and the Danish Supervisory Authority’s decision against a company using the analytics tool of an American company.

[22]   See https://www.cnil.fr/fr/cookies-et-autres-traceurs/regles/google-analytics-et-transferts-de-donnees-comment-mettre-son-outil-de-mesure-daudience-en-conformite.

[23]   See https://www.cnil.fr/fr/cookies-et-autres-traceurs/regles/questions-reponses-sur-les-mises-en-demeure-de-la-cnil-concernant-lutilisation-de-google-analytics.

[24]  See Spanish Supervisory Authority decision.

[25]   See Danish Supervisory Authority decision.

[26]  See Regional Court of Munich decision.

[27]  See Thuringia Data Protection Authority recommendation.

[28]  See https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022L2555.

[29]  Id.

[30]  See https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32022R0868.

[31]  See https://digital-strategy.ec.europa.eu/en/policies/data-governance-act-explained.

[32]   See https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2022:277:FULL&from=EN.

[33]   See https://ec.europa.eu/commission/presscorner/detail/en/IP_22_6906.

[34]   See https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32022R1925; https://ec.europa.eu/commission/presscorner/detail/en/qanda_20_2349.

[35]   Id.

[36]  See https://eur-lex.europa.eu/eli/reg/2022/2554/oj.

[37]   See https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=COM%3A2022%3A68%3AFIN.

[38]   See https://ec.europa.eu/commission/presscorner/detail/en/ip_22_1113.

[39] See https://edpb.europa.eu/our-work-tools/our-documents/edpbedps-joint-opinion/edpb-edps-joint-opinion-22022-proposal-european_en.

[40]  See https://digital-strategy.ec.europa.eu/en/library/cyber-resilience-act; https://digital-strategy.ec.europa.eu/en/news/new-eu-cybersecurity-rules-ensure-more-secure-hardware-and-software-products.

[41]   Id.

[42]  Id.

[43]  See https://eur-lex.europa.eu/resource.html?uri=cellar:e0649735-a372-11eb-9585-01aa75ed71a1.0001.02/DOC_1&format=PDF.

[44]  See https://www.consilium.europa.eu/en/press/press-releases/2022/12/06/artificial-intelligence-act-council-calls-for-promoting-safe-ai-that-respects-fundamental-rights/#:~:text=The%20Council%20has%20adopted%20its,fundamental%20rights%20and%20Union%20values.

[45]  See https://edpb.europa.eu/system/files/2022-01/edpb_guidelines_012022_right-of-access_0.pdf.

[46]  See https://edpb.europa.eu/system/files/2022-03/guidelines_202202_on_the_application_of_article_60_gdpr_en.pdf.

[47]  See https://edpb.europa.eu/system/files/2022-03/edpb_03-2022_guidelines_on_dark_patterns_in_social_media_platform_interfaces_en.pdf.

[48]  See https://edpb.europa.eu/system/files/2022-05/edpb_guidelines_042022_calculationofadministrativefines_en.pdf.

[49]  See https://edpb.europa.eu/system/files/2022-06/edpb_guidelines_202206_on_the_practical_implementation_of_amicable_settlements_en.pdf.

[50]   See https://edpb.europa.eu/system/files/2022-06/edpb_guidelines_202207_certificationfortransfers_en_1.pdf.

[51]   See https://edpb.europa.eu/system/files/2022-10/edpb_guidelines_202208_identifyinglsa_targetedupdate_en.pdf.

[52]   See https://edpb.europa.eu/system/files/2022-10/edpb_guidelines_202209_personal_data_breach_notification_targetedupdate_en.pdf.

[53]   See https://edpb.europa.eu/system/files/2022-07/edpb_edps_jointopinion_202203_europeanhealthdataspace_en.pdf.

[54]   See https://edpb.europa.eu/system/files/2022-07/edpb_document_20220712_selectionofstrategiccases_en.pdf.

[55]  See https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32002L0058&from=FR.

[56]  See French Supervisory Authority decision.

[57]  See French Conseil d’Etat decision.

[58]  See Irish Supervisory Authority decision.

[59]  See Italian Supervisory Authority decision.

[60]  See UK Supervisory Authority decision.

[61]  See Hellenic Supervisory Authority decision.

[62]  See French Supervisory Authority decision.

[63]  See Irish Supervisory Authority decision.

[64]  See EDPB binding decision.

[65]  See Irish Supervisory Authority decision.

[66]  See French Supervisory Authority decision.

[67]  See Irish Supervisory Authority decision.

[68]  See https://bills.parliament.uk/bills/3322.

[69]  See https://publications.parliament.uk/pa/bills/cbill/58-03/0143/en/220143en.pdf.

[70]  Id.

[71]   See https://hansard.parliament.uk/commons/2022-09-05/debates/FB4997E6-14A2-4F25-9472-E2EE7F00778A/BusinessStatement.

[72]  See https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-data-transfer-agreement-and-guidance/.

[73]  See https://ico.org.uk/media/for-organisations/documents/4019534/scc-transitional-provisions.pdf.

[74]  See https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-data-transfer-agreement-and-guidance/transfer-risk-assessments/#TRA-tool.

[75]  See https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-data-transfer-agreement-and-guidance/.

[76] See https://edpb.europa.eu/our-work-tools/our-documents/recommendations/recommendations-012020-measures-supplement-transfer_en.

[77] See https://www.gov.uk/government/news/uk-finalises-landmark-data-decision-with-south-korea-to-help-unlock-millions-in-economic-growth.

[78]   Id.

[79]   See https://ico.org.uk/media/about-the-ico/consultations/4021868/draft-monitoring-at-work-20221011.pdf.

[80]   See https://ico.org.uk/media/about-the-ico/consultations/4021867/monitoring-at-work-impact-scoping-20221011.pdf.

[81]  See https://ico.org.uk/media/about-the-ico/consultations/4022057/employment-practices-workers-health-draft.pdf.

[82]  See https://www.gov.uk/government/consultations/proposal-for-legislation-to-improve-the-uks-cyber-resilience.

[83]  See https://www.gov.uk/government/consultations/proposal-for-legislation-to-improve-the-uks-cyber-resilience/proposal-for-legislation-to-improve-the-uks-cyber-resilience.

[84]  See https://www.gov.uk/government/publications/national-ai-strategy-ai-action-plan#:~:text=The%20AI%20Action%20Plan%20outlines,position%20as%20an%20AI%20leader.

[85]   See https://ico.org.uk/for-organisations/guide-to-data-protection/key-dp-themes/guidance-on-ai-and-data-protection/ai-and-data-protection-risk-toolkit/.

[86]  See https://www.fedlex.admin.ch/eli/fga/2020/1998/fr; https://www.admin.ch/gov/fr/accueil/documentation/communiques.msg-id-90134.html.

[87]  Id.

[88] See https://www.edoeb.admin.ch/edoeb/en/home/latest-news/aktuell_news.html.

[89]  See https://edpb.europa.eu/system/files/2022-07/edpb_statement_20220712_transferstorussia_en.pdf.

[90]  See https://www.datatilsynet.no/aktuelt/aktuelle-nyheter-2022/overforing-av-data-til-russland-og-ukraina/.

[91]  See https://rkn.gov.ru/news/rsoc/news74484.htm; http://publication.pravo.gov.ru/Document/View/0001202207140080.

[92]  See http://publication.pravo.gov.ru/Document/View/0001202207140022.

[93]  See https://kvkk.gov.tr/SharedFolderServer/CMSFiles/d077b665-66b6-4615-975a-249f93e084ba.pdf.

[94]  See https://kvkk.gov.tr/SharedFolderServer/CMSFiles/fb193dbb-b159-4221-8a7b-3addc083d33f.pdf.

[95]  See https://kvkk.gov.tr/SharedFolderServer/CMSFiles/12236bad-8de1-4c94-aad6-bb93f53271fb.pdf.

[96]  See https://www.resmigazete.gov.tr/eskiler/2022/02/20220219-4.htm.

[97]  See https://www.oaic.gov.au/engage-with-us/submissions/privacy-act-review-discussion-paper-submission.

[98]  See https://consultations.ag.gov.au/rights-and-protections/privacy-act-review-discussion-paper/.

[99]  See https://www.innovationaus.com/privacy-act-review-complete-after-three-years/.

[100] See https://consultations.ag.gov.au/rights-and-protections/online-privacy-bill-exposure-draft/.

[101] See https://www.aph.gov.au/Parliamentary_Business/Bills_Legislation/bd/bd2223a/23bd030.

[102] See https://www.oaic.gov.au/updates/news-and-media/oaic-opens-investigation-into-medibank-over-data-breach.

[103] See https://www.oaic.gov.au/updates/news-and-media/oaic-opens-investigation-into-optus-over-data-breach.

[104] See https://www.oaic.gov.au/updates/news-and-media/oaic-welcomes-passing-of-privacy-bill.

[105] See https://parlinfo.aph.gov.au/parlInfo/download/committees/reportsen/025001/toc_pdf/PrivacyLegislationAmendment(EnforcementandOtherMeasures)Bill2022[Provisions].pdf;fileType=application%2Fpdf.

[106]  See https://www.justice.gov/opa/pr/united-states-and-australia-enter-cloud-act-agreement-facilitate-investigations-serious-crime.

[107]  See https://www.aph.gov.au/About_Parliament/House_of_Representatives/About_the_House_News/Media_Releases/Treaties_Committee_supports_ratification_of_CLOUD_Act_Agreement.

[108]  See an unofficial translation of the PIPL available here and the Mandarin version of the PIPL available here.

[109]  See http://www.cac.gov.cn/2022-01/04/c_1642894602182845.htm.

[110]  See https://www.china-briefing.com/news/new-certification-standards-for-cross-border-processing-of-personal-information-offer-more-clarity-for-foreign-companies/.

[111] See https://www.china-briefing.com/news/cross-border-data-transfer-new-measures-offer-clarification-on-security-review/.

[112] See http://www.pkulaw.cn/fulltext_form.aspx?Db=chl&Gid=5134466.

[113] See https://www.china-briefing.com/news/cross-border-data-transfer-new-provisions-clarify-contract-procedure-for-personal-information-export/.

[114] See https://digichina.stanford.edu/work/translation-mobile-internet-application-program-information-service-management-regulations-opinion-seeking-draft-jan-2022/.

[115] See CAC decision.

[116] See http://164.100.47.4/BillsTexts/LSBillTexts/Asintroduced/373_2019_LS_Eng.pdf.

[117] See https://www.meity.gov.in/writereaddata/files/The%20Digital%20Personal%20Data%20Potection%20Bill%2C%202022_0.pdf.

[118] Id.

[119] Id.

[120] See https://pib.gov.in/PressReleasePage.aspx?PRID=1886126.

[121] See the final bill (in Bahasa): https://www.dpr.go.id/dokakd/dokumen/K1-RJ-20220920-123712-3183.pdf.

[122] See http://makna.co/wp-content/uploads/2018/01/MOCI-Regulation-No-20-of-2016-Makna-Eng.pdf.

[123] See https://www.gld.gov.hk/egazette/pdf/20212540/es12021254032.pdf.

[124] See https://www.pcpd.org.hk/english/news_events/media_statements/press_20221114.html#:~:text=The%20Office%20of%20the%20Privacy,Limited%20(Fotomax).

[125] See https://www.ppc.go.jp/personalinfo/legal/kaiseihogohou/.

[126] See https://www.natlawreview.com/article/less-two-weeks-to-go-new-zealand-privacy-act-commences-1-december-2020.

[127] See https://www.privacy.org.nz/publications/reports-to-parliament-and-government/2020-briefing-to-the-incoming-minister-of-justice/.

[128] See https://www.justice.govt.nz/justice-sector-policy/key-initiatives/broadening-the-privacy-acts-notification-rules/.

[129] See https://www.privacy.gov.ph/2021/06/a-stronger-data-privacy-law-sought-in-proposed-amendments/.

[130] See https://www.privacy.gov.ph/wp-content/uploads/2022/08/NPC-CIRCULAR-NO.-2022-01-GUIDELINES-ON-ADMINISTRATIVE-FINES-dated-08-AUGUST-2022-w-SGD.pdf.

[131] See https://www.privacy.gov.ph/2022/03/guidelines-on-the-lawful-processing-of-personal-and-or-sensitive-personal-information-based-on-consent-contract-and-or-legitimate-interests/.

[132]  See https://www.pdpc.gov.sg/news-and-events/announcements/2022/09/amendments-to-enforcement-under-the-personal-data-protection-act-in-updated-advisory-guidelines-and-guide.

[133]  See Reed, Michael v Bellingham, Alex (Attorney-General, intervener) [2022] SGCA 60.

[134] See https://www.pipc.go.kr/cmt/main/english.do.

[135] See PIPC Decision.

[136] Id.

[137] See http://documents.gov.lk/files/bill/2021/11/152-2021_E.pdf.

[138] See https://cyrilla.org/es/entity/sl9175g71u?page=1.

[139] See https://lawnet.vn/en/vb/Decree-53-2022-ND-CP-elaborating-the-Law-on-cybersecurity-of-Vietnam-80D86.html.

[140] See https://www.economica.vn/Content/files/LAW%20%26%20REG/Law%20on%20Cyber%20Security%202018.pdf.

[141] See ODPC Decision.

[142] See https://www.intic.gov.mz/wp-content/uploads/2022/11/Proposta-de-Lei-de-Seguranca-Cibernetica-assinado.pdf.

[143] See https://ndpb.gov.ng/Files/Nigeria_Data_Protection_Bill.pdf.

[144] See http://www.parliament.go.tz/polis/uploads/bills/1664436755-document%20(38).pdf.

[145] See https://www.potraz.gov.zw/wp-content/uploads/2022/11/Draft-Cyber-and-Data-Protection-Regulations-.pdf.

[146] See Draft legislation.

[147] See https://eur-lex.europa.eu/LexUriServ/LexUriServ.do?uri=OJ:L:2011:027:0039:0042:EN:PDF.

[148] See https://istitlaa.ncc.gov.sa/en/Transportation/NDMO/PDPL22/Pages/default.aspx.

[149] See https://nca.gov.sa/en/news?item=234.

[150] See for instance, the Data Subject Rights Decision only available in Arabic: http://www.pdp.gov.bh/assets/pdf/executive-decisions/rights_of_the_data_subject.pdf.

[151] See https://omaninfo.om/topics/85/show/413540.

[152] See https://www.argentina.gob.ar/noticias/presentacion-del-proyecto-de-ley-de-proteccion-de-datos-personales.

[153] See https://www.argentina.gob.ar/noticias/registro-de-bases-de-datos-personales-para-responsables-extranjeros.

[154] See https://www.gov.br/anpd/pt-br/assuntos/noticias/anpd-publica-agenda-regulatoria-2023-2024.

[155] See https://www.gov.br/anpd/pt-br/assuntos/noticias-periodo-eleitoral/anpd-lanca-guia-orientativo-201ccookies-e-protecao-de-dados-pessoais201d.

[156] See Senacon decision.

[157] See https://www.camara.leg.br/noticias/850028-promulgada-pec-que-inclui-a-protecao-de-dados-pessoais-entre-direitos-fundamentais-do-cidadao/.

[158] See https://www.ciberseguridad.gob.cl/recomendaciones/capacidades-ciberataque/.

[159] See https://home.inai.org.mx/wp-content/documentos/DocumentosSectorPublico/RecomendacionesPDP-IA.pdf.

[160] See https://www.gob.pe/institucion/minjus/noticias/663844-peru-aprueba-guia-de-implementacion-para-la-transferencia-internacional-de-datos-personales-en-linea-con-estandares-internacionales.

[161] See https://www.impo.com.uy/bases/leyes/20075-2022/62.

[162] See https://www.congreso.gob.gt/noticias_congreso/8867/2022/4#gsc.tab=0.

[163] See https://www.gob.pe/institucion/pcm/noticias/608641-pcm-anuncia-creacion-de-unidad-funcional-de-confianza-digital-para-fortalecer-estrategia-de-prevencion-y-mitigacion-de-riesgos-digitales.


The following Gibson Dunn lawyers assisted in the preparation of this article: Ahmed Baladi, Vera Lukic, Joel Harrison, Connell O’Neill, Clémence Pugnet, Roxane Chrétien, Thomas Baculard, Anastasia Katsari, Nick Hay, and Jocelyn Shih.

Gibson Dunn lawyers are available to assist in addressing any questions you may have about these developments. Please contact the Gibson Dunn lawyer with whom you usually work, the authors, or any member of the firm’s Privacy, Cybersecurity & Data Innovation practice group:

Europe
Ahmed Baladi – Co-Chair, PCDI Practice, Paris (+33 (0) 1 56 43 13 00, [email protected])
Kai Gesing – Munich (+49 89 189 33-180, [email protected])
Joel Harrison – London (+44(0) 20 7071 4289, [email protected])
Vera Lukic – Paris (+33 (0) 1 56 43 13 00, [email protected])

Asia
Connell O’Neill – Hong Kong (+852 2214 3812, [email protected])
Jai S. Pathak – Singapore (+65 6507 3683, [email protected])

United States
S. Ashlie Beringer – Co-Chair, PCDI Practice, Palo Alto (+1 650-849-5327, [email protected])
Jane C. Horvath – Co-Chair, PCDI Practice, Washington, D.C. (+1 202-955-8505, [email protected])
Alexander H. Southwell – Co-Chair, PCDI Practice, New York (+1 212-351-3981, [email protected])
Matthew Benjamin – New York (+1 212-351-4079, [email protected])
Ryan T. Bergsieker – Denver (+1 303-298-5774, [email protected])
David P. Burns – Washington, D.C. (+1 202-887-3786, [email protected])
Gustav W. Eyler – Washington, D.C. (+1 202-955-8610, [email protected])
Cassandra L. Gaedt-Sheckter – Palo Alto (+1 650-849-5203, [email protected])
Svetlana S. Gans – Washington, D.C. (+1 202-955-8657, [email protected])
Lauren R. Goldman – New York (+1 212-351-2375, [email protected])
Stephenie Gosnell Handler – Washington, D.C. (+1 202-955-8510, [email protected])
Nicola T. Hanna – Los Angeles (+1 213-229-7269, [email protected])
Howard S. Hogan – Washington, D.C. (+1 202-887-3640, [email protected])
Kristin A. Linsley – San Francisco (+1 415-393-8395, [email protected])
Vivek Mohan – Palo Alto (+1 650-849-5345, [email protected])
Karl G. Nelson – Dallas (+1 214-698-3203, [email protected])
Rosemarie T. Ring – San Francisco (+1 415-393-8247, [email protected])
Ashley Rogers – Dallas (+1 214-698-3316, [email protected])
Eric D. Vandevelde – Los Angeles (+1 213-229-7186, [email protected])
Benjamin B. Wagner – Palo Alto (+1 650-849-5395, [email protected])
Michael Li-Ming Wong – San Francisco/Palo Alto (+1 415-393-8333/+1 650-849-5393, [email protected])
Debra Wong Yang – Los Angeles (+1 213-229-7472, [email protected])

© 2023 Gibson, Dunn & Crutcher LLP

Attorney Advertising:  The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice. Please note, prior results do not guarantee a similar outcome.

New York partner David M. Feldman, Los Angeles partner Michael S. Neumeister and New York associate Stephen D. Silverman are the authors of “The Need for Speed: Accelerating the Chapter 11 Process” [PDF] published in February 2023 in Navigating Today’s Environment | The Directors’ and Officers’ Guide to Restructuring (Second Edition), which examines key topics and challenges facing directors and officers during a restructuring in today’s environment.

On February 2, 2023, DOJ announced the withdrawal of three policy statements concerning healthcare markets[1]:

  1. the 1993 Department of Justice and FTC Antitrust Enforcement Policy Statements in the Health Care Area (“1993 Statement”);
  2. the 1996 Statements of Antitrust Enforcement Policy in Health Care (“1996 Statement”) (which revised and expanded the 1993 statement); and
  3. the 2011 Statement of Antitrust Enforcement Policy Regarding Accountable Care Organizations Participating in the Medicare Shared Savings Program (“2011 Statement”).[2]

Taken together, these statements provided guidance and safe harbors for information exchanges and other conduct governed by federal antitrust laws.  The withdrawal of the statements is effective immediately.  In lieu of the guidance, DOJ is evaluating conduct on a “case-by-case enforcement approach.”

The withdrawal creates uncertainty as to the kinds of information exchanges that may attract antitrust scrutiny.  While the withdrawal likely does not change the ultimate competitive implication for conduct covered by the statements—in that conformance to the safe harbor requirements would mitigate any potential competitive harm—trade associations and participants in industry surveys or other aggregations of sensitive information should review their existing procedures to confirm they do not raise competitive questions.  Looking forward, these same entities should consider the competitive ramifications of proposed information exchanges rather than relying solely on safety zones set out in the withdrawn policy statements.

The Previous Statements Provided Safe Harbor for Information Exchanges Meeting Specified Criteria.

The 1993 Statement set out safety zones in which DOJ and the Federal Trade Commission (FTC) would not challenge, inter alia, physicians’ provision of information to purchasers of health care services, and hospitals’ participation in exchanges of price and cost information.[3]

One of these safety zones permitted physicians to provide “non-price” information, including the collective provision of underlying medical data, and the development of suggested practice parameters to purchasers of healthcare services (such as insurance companies).[4]  The statement also specified that although the safety zone did not cover the collective provision of “fee-related information,” it did not consider sharing this information to be “necessarily illegal.”[5]

Taken together, the 1993 and 1996 Statements also set out three conditions to qualify for a safety zone when sharing pricing or cost-related information[6]:

  1. the information must be collected and managed by a third party (such as a survey or similar program);
  2. the information collected must be at least three months old; and
  3. there must be at least five participants reporting data upon which each disseminated statistic is based, no individual provider’s data may represent more than 25 percent on a weighted basis of that statistic, and any information disseminated must be sufficiently aggregated such that prices charged or compensation paid by particular participants cannot be identified.[7]

Finally, the 2011 Statement established a safety zone for sharing competitively sensitive information between participants in Accountable Care Organizations (ACOs).[8]  The Affordable Care Act enables groups of medical service providers and suppliers to work together to manage and coordinate care for Medicare fee-for-service beneficiaries through an ACO.[9]  The 2011 Statement permits ACO participants to share information if the independent ACO participants that provide the same service (a “common service”) have a combined share of 30 percent or less of each common service in each participant’s Primary Service Area (PSA).[10]  The PSA for each participant is defined as “the lowest number of postal zip codes from which the ACO participant draws at least 75 percent of its patients, separately for all physician, inpatient, or outpatient services.”[11]  DOJ’s remarks did not specifically address this safety zone.

The Withdrawal of the Healthcare Industry Statements Creates Uncertainty about the Agencies’ Human Resources Guidance.

The withdrawal of the Healthcare Industry Statements also casts doubt on safe harbors in related human resources guidance.  DOJ and FTC’s 2016 “Guidance For Human Resource Professionals” advises H.R. professionals that information exchanges of compensation and other information may be lawful if they satisfy the conditions articulated by the now-withdrawn 1996 Statement.[12]  The withdrawal of the 1996 Statement creates uncertainty about the conditions under which compensation and other human resources-related information can be safely shared between potential competitors for labor.

The Competitor Collaboration Guidelines Remain in Effect and will Serve as Guideposts for Proposed Information Exchanges.

The Competitor Collaboration Guidelines issued by DOJ and FTC in 2000 demonstrate that information exchanges are less likely to raise concerns if they adhere to the conditions that would have qualified them for safety zones under the Healthcare Industry Statements.[13]  First, the Guidelines advise that parties may reduce antitrust concerns by sharing sensitive information through independent third parties as opposed to sharing this information directly with competitors.[14]  Further, sharing historical information is less likely to raise competitive concerns than sharing information on current or future operations.[15]  Finally, the sharing of aggregated data that does not permit recipients to identify individual firm data will be subject to less antitrust scrutiny than the sharing of individual company data.[16]  These principles underlay the safety zones from the Health Industry Statements.  As the Guidelines remain in effect even after the Statements’ withdrawal, conformance to these conditions should mitigate antitrust exposure.

Moreover, the Competitor Collaboration Guidelines make clear that conduct falling outside of safety zones can be competitively neutral or even procompetitive.[17]  The withdrawal of the safety zones does not necessarily raise heightened concerns about this conduct.

The Withdrawal of the Healthcare Industry Statements May Signal Criminal Enforcement by DOJ of Anticompetitive Information Sharing.

DOJ’s remarks that “information exchanges can facilitate full-blown criminal conspiracies” when they lead to conduct that is per se illegal, and, in other instances, may be evaluated under the rule of reason, suggest that DOJ may seek to pursue anticompetitive information sharing criminally.

DOJ Will Closely Scrutinize Mergers when There is a Prior History of Collusion.

DOJ also remarked that its investigations into anticompetitive information exchanges are not limited to Section 1 of the Sherman Act, and a history of collusion within an industry will serve as important context for the evaluation of mergers under Section 7 of the Clayton Act.[18]  In particular, when one or more merging parties has previously engaged in anticompetitive information exchange, DOJ may treat any past harm resulting from such exchanges as evidence of the potential harmful effects of the merger in the future.[19]

Takeaways.

The withdrawal of DOJ’s prior statements establishing information sharing safety zones creates uncertainty around whether DOJ will now treat exchanges of information that were encompassed by these safety zones as problematic.  Moreover, there is considerable doubt about what conditions must be satisfied for information sharing to be considered lawful by DOJ and the FTC, in the healthcare industry and other industries.  This includes heightened uncertainty around a range of previously presumptively lawful benchmarking-related practices in the H.R. space and beyond.  Finally, it remains to be seen whether DOJ will seek to prosecute anticompetitive information sharing criminally.

Gibson Dunn attorneys are closely monitoring these developments and available to discuss these issues as applied to your particular business.

___________________________

[1] Doha Mekki, Principal Deputy Assistant Attorney General, Dept. of Justice, Keynote Address at GCR Live: Law Leaders Global (Feb. 2, 2023), https://www.justice.gov/opa/speech/principal-deputy-assistant-attorney-general-doha-mekki-antitrust-division-delivers-0#_ftnref19.

[2] Id.

[3] U.S. Dep’t of Justice, Department of Justice and FTC Antitrust Enforcement Policy Statements in the Health Care Area (Sept. 15, 1993), at 3, https://www.justice.gov/archive/atr/public/press_releases/1993/211661.htm.

[4] Id.

[5] Id. at 3-4.

[6] U.S. Dep’t of Justice & Fed. Trade Comm’n, Statements of Antitrust Enforcement Policy in Health Care (Aug. 1996), at 44, https://www.justice.gov/atr/page/file/1197731/download.

[7] Id. at 44-45.

[8] U.S. Dep’t of Justice & Fed. Trade Comm’n, Statement of Antitrust Enforcement Policy Regarding Accountable Care Organizations Participating in the Medicare Shared Savings Program (Oct. 28, 2011), at 2, https://www.justice.gov/sites/default/files/atr/legacy/2011/10/20/276458.pdf.

[9] Id.

[10] Id. at 7.

[11] Id.

[12] U.S. Dep’t of Justice & Fed. Trade Comm’n, Antitrust Guidance For Human Resource Professionals (Oct. 2016), at 5, https://www.justice.gov/atr/file/903511/download.

[13] U.S. Dep’t of Justice & Fed. Trade Comm’n, Antitrust Guidelines for Collaborations Among Competitors (Apr. 2000), at 15-16, https://www.ftc.gov/sites/default/files/documents/public_events/joint-venture-hearings-antitrust-guidelines-collaboration-among-competitors/ftcdojguidelines-2.pdf.

[14] Id. at 21.

[15] Id. at 14.

[16] Id. at 15.

[17] Id. at 25.


The following Gibson Dunn lawyers prepared this client alert:  Daniel Swanson, Chris Wilson, Caroline Ziser Smith, and Hadhy Ayaz.

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding the issues discussed in this update. Please contact the Gibson Dunn lawyer with whom you usually work, any member of the firm’s Antitrust and Competition practice group, or the following:

Daniel G. Swanson – Los Angeles (+1 213-229-7430, [email protected])
Chris Wilson – Washington, D.C. (+1 202-955-8520, [email protected])
Rachel S. Brass – Co-Chair, San Francisco (+1 415-393-8293, [email protected])
Stephen Weissman – Co-Chair, Washington, D.C. (+1 202-955-8678, [email protected])


Gibson Dunn is pleased to present the next edition of the “Federal Circuit Year In Review,” providing a statistical overview and substantive summaries of the precedential patent opinions issued by the Federal Circuit between August 1, 2021, and July 31, 2022, in the Federal Circuit’s 2021-2022 term. The easy-to-use Table of Contents is organized by substantive issue, so that the reader can easily identify all of the relevant cases bearing on the issue of choice.

Use the Federal Circuit Year In Review to find out:

  • which issues may have a better chance (or risk) on appeal based on the Federal Circuit’s history of affirming or reversing on those issues in the past;
  • what the success rate has been at the Federal Circuit if you are a patentee or the opponent based on the issue being appealed;
  • the Federal Circuit’s history of affirming or reversing cases from a specific district court;
  • the Federal Circuit’s affirmance/reversal rate in cases from the district court, ITC, and the PTO;
  • and much more.

The Year In Review provides statistical analyses of how the Federal Circuit has been deciding precedential patent cases, such as affirmance and reversal rates (overall, by issue, and by District Court), win rate for patentee versus opponent (overall, by issue, and by District Court), decision rate by Judge (number of unanimous, majority, plurality, concurring, or dissenting opinions), and other helpful metrics. The Year In Review is an ideal resource for participants in intellectual property litigation seeking an objective report on the Court’s decisions.

We hope this information serves you well in this coming year and in the future. We are available to answer any questions you may have on the information in the Year In Review.

Gibson Dunn is nationally recognized for its premier practices in both Intellectual Property and Appellate litigation.  Our lawyers work seamlessly together on all aspects of patent litigation, including appeals to the Federal Circuit from both district courts and the agencies.

Please click here to view the FEDERAL CIRCUIT YEAR IN REVIEW


Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding developments at the Federal Circuit. Please contact the Gibson Dunn lawyer with whom you usually work or the authors of this alert:

Brian M. Buroker – Washington, D.C. (+1 202-955-8541, [email protected])
Kate Dominguez – New York (+1 212-351-2338, [email protected])
Thomas G. Hungar – Washington, D.C. (+1 202-887-3784, [email protected])
Nathan R. Curtis – Dallas (+1 214-698-3423, [email protected])

Please also feel free to contact any of the following practice group co-chairs or any member of the firm’s Appellate and Constitutional Law or Intellectual Property practice groups:

Appellate and Constitutional Law Group:
Thomas H. Dupree Jr. – Washington, D.C. (+1 202-955-8547, [email protected])
Allyson N. Ho – Dallas (+1 214-698-3233, [email protected])
Julian W. Poon – Los Angeles (+1 213-229-7758, [email protected])

Intellectual Property Group:
Kate Dominguez – New York (+1 212-351-2338, [email protected])
Y. Ernest Hsin – San Francisco (+1 415-393-8224, [email protected])
Josh Krevitt – New York (+1 212-351-4000, [email protected])
Jane M. Love, Ph.D. – New York (+1 212-351-3922, [email protected])


A dull year is rare when it comes to the False Claims Act (FCA), but this last year was exceptional by any standard. In the last twelve months, the Supreme Court decided to take up two different issues under the FCA, while the Department of Justice (DOJ) announced, yet again, billions in recoveries and nearly a thousand new FCA cases, a new record.

DOJ’s $2.2 billion in recoveries during FY 2022 marked the fourteenth straight year where recoveries exceeded $2 billion, dating back to 2008. But even more notable than the dollar amount was the sheer volume of FCA activity. DOJ obtained its recoveries from the second-highest number of settlements in history, and there were more new FCA matters initiated in FY 2022 than in any prior year, meaning the pipeline of FCA lawsuits is very full.

As in past years, FCA recoveries in the healthcare and life sciences industries continued to dominate enforcement activity in terms of the number and value of settlements, including several seven- and eight-figure settlements for alleged kickback schemes during the second half of the year. Meanwhile, notwithstanding the relatively few FCA enforcement actions related to COVID-19 in 2022, the government also signaled that it continues to take pandemic-related fraud seriously, and we expect to see increasing FCA enforcement in response to conduct arising out of the pandemic.

If there was one quiet area this year, it was on the legislative front. The FCA Amendments Act of 2021—which briefly gained momentum last year as Senator Chuck Grassley (R-IA) pushed to overhaul the FCA—remained at a standstill in Congress, and there were no other major developments in FCA legislation (federal or state).

But activity in the courts more than made up for the lack of legislation. As noted above, the Supreme Court took up two critical issues under the FCA. In December, the Supreme Court heard argument about the level of scrutiny that applies when DOJ seeks to dismiss an FCA case over the whistleblower’s objection. And just last month, the Supreme Court agreed to hear a case concerning the scienter standard under the FCA, which will have important implications for the scope of FCA liability in cases premised on alleged statutory or regulatory violations in ambiguous areas of law. Meanwhile, federal circuit courts also continued to consider the FCA’s pleading standards under Rule 9(b); the relationship between the anti-kickback statute and the FCA; and the FCA’s materiality standard, among other FCA issues.

* * *

We cover all of this, and more, below. We begin by summarizing recent enforcement activity, then provide an overview of notable legislative and policy developments at the federal and state levels, and finally analyze significant court decisions from the past six months.

As always, Gibson Dunn’s recent publications regarding the FCA may be found on our website, including in-depth discussions of the FCA’s framework and operation, industry-specific presentations, and practical guidance to help companies avoid or limit liability under the FCA. And, of course, we would be happy to discuss these developments—and their implications for your business—with you.

I. FCA ENFORCEMENT ACTIVITY

A. NEW FCA ACTIVITY

There were more new FCA cases filed in 2022 than in any year in history.[1] The government and qui tam relators filed 948 new cases, surpassing the previous record set in 2020, when there were 922 new cases. This new high-water mark shows that the volume of FCA activity is only accelerating.

Of the new cases, the government itself initiated 296 cases (referrals and investigations) outside of the qui tam setting, which is also a new record, both in terms of the total number of FCA cases initiated by the government, and as a percentage of the total number of new FCA cases.[2] In other words, the Department of Justice is bringing FCA cases on its own accord at an unprecedented pace.

This is extremely important because, historically, the vast majority of FCA recoveries come in cases where the government either brings the case or later intervenes. The relatively high level of activity from the government, therefore, suggests that recoveries in future years could be on the rise.

Number of FCA New Matters, Including Qui Tam Actions

Source: DOJ “Fraud Statistics – Overview” (Feb. 7, 2023)

B. TOTAL RECOVERY AMOUNTS: 2022 RECOVERIES EXCEED $2.2 BILLION

While most metrics point to a banner year, the total dollars recovered in FY 2022 ($2.2 billion) was down considerably from 2021 (when DOJ announced more than $5.6 billion), and the lowest in more than a decade. This appears to reflect a relatively low number of blockbuster settlements (e.g., those in the nine-figure range). Nonetheless, it was the fourteenth consecutive year, dating back to 2008, that DOJ announced more than $2 billion in recoveries.[3]

Although the dollar value of recoveries is the lowest in more than a decade, the FCA enforcement activity is as high as ever. Indeed, DOJ touted that “[t]he government and whistleblowers were party to 351 settlements and judgments, the second-highest number of settlements and judgments in a single year.”[4] In other words, even if the dollar figures were not record setting, the number of successful DOJ cases was.

Whistleblower activity also remains a critical part of the FCA. Of the $2.2 billion in recoveries DOJ reported, more than $1.9 billion came from lawsuits that were initially filed under the qui tam provisions of the FCA (and then pursued by either the government or whistleblowers).[5] This is consistent with historical trends.

A more unusual datapoint this year was the percentage obtained in cases where the U.S. declined to intervene. Historically, DOJ’s decision on whether to intervene is a critical inflection point that strongly predicts whether a case will be successful: this makes sense, as DOJ is more likely to intervene in cases that it believes are “winners.” But this year, a remarkable 54% of recoveries were in non-intervened cases. This number is strongly skewed, however, by a single case against a pharmaceutical company where DOJ did not intervene and the Relator obtained a settlement of nearly $900 million. If that case is removed, then the data looks much more consistent with historical trends—suggesting the continued importance of DOJ intervention decisions.

Settlements or Judgments in Cases Where the Government Declined Intervention as a Percentage of Total FCA Recoveries

Source: DOJ “Fraud Statistics – Overview” (Feb. 7, 2023)

C. FCA Recoveries by Industry

The relative breakdown of FCA recoveries across industries remained relatively consistent with past years. Healthcare cases comprised 80% of total recoveries, Department of Defense procurement issues made up 5%, and the remaining 15% was split among other industries.[6]

Within the healthcare industry, DOJ announced significant recoveries across a range of theories, including Medicaid fraud, unnecessary and substandard care, kickbacks, and Medicare Advantage fraud. DOJ also announced significant recoveries from Department of Defense contractors, and, as discussed further below, the beginnings of significant COVID-19 related activity.[7]

FCA Recoveries by Industry

Source: DOJ “Fraud Statistics – Overview” (Feb. 7, 2023)

II. NOTEWORTHY DOJ ENFORCEMENT ACTIVITY DURING THE SECOND HALF OF 2022

We summarize below the most notable FCA settlements in the second half of calendar year 2022, with a focus on the industries and theories of liability involved. We covered settlements from the first half of the year in our 2022 Mid-Year Update.

FCA recoveries in the healthcare and life sciences industries continued to dominate enforcement activity during the second half of the year in terms of the number and value of settlements.

  • On June 28, 15 Texas-based doctors agreed to pay a total of $2.83 million to settle allegations that they violated the FCA by accepting illegal kickbacks in exchange for patient referrals to three companies providing laboratory testing services. The government alleged that one of the testing companies paid “volume-based commissions” to independent recruiters, who, in turn, used management service organizations (MSOs) to pay the doctors for their referrals to the testing companies. The payments from the MSOs to the doctors “were allegedly disguised as investment returns but in fact were based on, and offered in exchange for, the doctors’ referrals.” As of June 28, the United States had reached settlements with 33 physicians, two executives, and a laboratory in the same alleged scheme, and in May 2022, it filed an FCA lawsuit in the Eastern District of Texas against, inter alia, the three chief executive officers of the testing companies. See United States ex rel. STF, LLC v. True Health Diagnostics, LLC, No. 4:16-cv-547 (E.D. Tex.).[8]
  • On June 30, a Florida nursing and assisted living system agreed to pay $1.75 million to resolve allegations that it violated the FCA by providing COVID-19 vaccinations for hundreds of ineligible individuals. The government alleged that the system invited and facilitated vaccines for board members, donors and potential donors, and other ineligible individuals as part of the Centers for Disease Control and Prevention’s (CDC) Pharmacy Partnership for Long-Term Care Program, which was designed to vaccinate long-term care facility residents and staff when doses of COVID-19 vaccine were in limited supply early in the CDC vaccination program.[9]
  • On July 1, a spinal implant devices distributor headquartered in Utah, its two owners, and two of their physician-owned distributorships agreed to pay $1 million to resolve a lawsuit against them alleging that they violated the FCA by paying purported kickbacks to physicians. The government alleged that the distributor’s physician-owned distributorships allowed them to pay physicians to use the distributor’s medical devices in surgeries. The settlement was reached after the first day of trial.[10]
  • On July 7, a West Virginia hospital agreed to pay $1.5 million to resolve allegations that it violated the FCA by knowingly submitting or causing the submission of claims to Medicare in violation of the Stark Law. The settlement stems from the hospital’s voluntary self-disclosure of potential violations of the Stark Law by paying compensation to referring physicians that allegedly exceeded fair market value or took into account the volume or value of the physicians’ referrals to the hospital.[11]
  • On July 13, a Florida-based pharmacy entered into a deferred prosecution agreement (DPA) and agreed to pay a $1.31 million civil settlement to resolve allegations that it submitted fraudulent claims to Medicare for a high-priced drug used in rapid reversal of opioid overdoses. The government alleged that the pharmacy completed prior authorization forms for the drug in place of the prescribing physicians, including instances in which the pharmacy staff signed the forms without the physician’s authorization and listed the pharmacy’s contact information as if it were the physician’s information. The government further alleged that the pharmacy submitted prior authorization requests for the drug that contained false clinical information to secure approval for the expensive drug. In connection with the settlement, HHS agreed to release its right to exclude the pharmacy and its CEO in exchange for their agreements to enter into a three-year Integrity Agreement with the U.S. Department of Health, Office of Inspector General (HHS OIG) that requires, among other things, the pharmacy to implement measures designed to ensure that its submission of claims for pharmaceutical products complies with applicable law relating to prior authorizations and collection of beneficiary co-payment obligations. The settlement resolves claims brought in a qui tam suit by a former employee of the manufacturer of the drug. As part of this resolution, the relator will receive $262,000 of the settlement amount.[12]
  • On July 14, a New Jersey company providing laboratory testing services and its corporate parent agreed to pay $9.85 million to resolve alleged violations of the FCA arising from the company’s payment of above-market rents to physician landlords for office space in exchange for patient referrals from those physicians. The testing company rented office space from several physicians and physicians’ groups for Patient Service Centers (PSCs), where it collected blood samples from patients. In the settlement agreement, the testing company admitted that it artificially inflated its rental payments to physician landlords for the PSCs by (i) “inaccurately measur[ing] the amount of space that [it] would use exclusively,” and (ii) “includ[ing] a disproportionate share of the common spaces” in the calculations of office space for which it made payments. The testing company also admitted that it considered the number of referrals it received from physician landlords “when deciding whether to open, maintain or close” the PSCs, and that both the testing company and its parent entity had conducted internal audits that previously identified some of the above-market lease payments but did not report these findings to the Federal Government. Under the settlement, the testing company and its parent entity will also pay the Commonwealth of Massachusetts and the State of Connecticut $141,041 and $5,001, respectively, to resolve alleged violations of those states’ FCA statutes, and the testing company entered into a separate Corporate Integrity Agreement (CIA) with HHS OIG. The settlement also resolved claims brought under a qui tam suit filed by a former employee of both the testing company and the parent entity; the whistleblower will receive $1.7 million as her share of the recovery.[13]
  • On July 20, a Texas-headquartered clinical laboratory agreed to pay $16 million to resolve allegations that it submitted false claims for payment to federal healthcare programs, including Medicare. The government alleged that the clinical laboratory systematically conducted unnecessary additional testing on biopsy specimens prior to a pathologist’s review and without an individualized determination confirming the legitimate necessity for additional testing. The settlement resolved a qui tam suit filed by a relator who received $2.72 million of the recovery amount.[14]
  • On July 22, an Oregon-based medical device manufacturer agreed to pay $12.95 million to settle allegations that it violated the FCA by paying illegal kickbacks to physicians to induce their use of the manufacturer’s pacemakers, defibrillators, and other implantable cardiac devices. The settlement resolved allegations that the manufacturer made excessive payments to physicians it hired to train its new employees, such as “for training events that either never occurred or were of little or no value to the trainees,” to induce or reward the physicians’ use of the manufacturer’s devices. Additionally, the settlement resolved separate allegations that the manufacturer paid physicians illegal kickbacks in the form of “holiday parties, winery tours, lavish meals with no legitimate business purpose and international business class airfare and honoraria in exchange for making brief appearances at international conferences.” The settlement also includes a resolution of claims brought in a qui tam suit by two of the manufacturer’s former sales representatives, who will receive approximately $2.1 million total as their share of the recovery.[15]
  • On July 22, clinical laboratories in Mississippi and Texas and two of their owner/operators agreed to pay $5.7 million to resolve allegations that they caused the submission of false claims to Medicare by paying kickbacks in return for genetic testing samples. The government alleged that the laboratories and their owner/operators participated in a genetic testing fraud scheme with various marketers whereby the marketers solicited genetic testing samples from Medicare beneficiaries and arranged to have a physician fraudulently attest that the genetic testing was medically necessary. The laboratories would then process the tests, receive reimbursement from Medicare, and pay a portion of that reimbursement to the marketers. The owner/operators have each previously pled guilty to one count of conspiracy to defraud the United States in connection with this scheme.[16]
  • On August 18, a California organized health system and three medical care providers agreed to pay a total of $70.7 million to settle allegations that they broke federal and state laws by submitting or causing the submission of false claims to Medi-Cal related to Medicaid Adult Expansion under the Patient Protection and Affordable Care Act. The settlements resolve allegations that the parties knowingly submitted or caused the submission of false claims to Medi-Cal for “Additional Services” provided to Adult Expansion Medi-Cal members between January 1, 2014 and May 31, 2015. In addition to the FCA settlement, two of the parties entered into a CIA. The settlements resolve claims brought by qui tam relators under the FCA and the California False Claims Act.[17]
  • On August 23, a Texas company that manufactures, markets, and distributes optical lenses agreed to pay $16.4 million to resolve allegations that it violated the FCA by paying illegal kickbacks to eye care providers, such as optometrists and ophthalmologists, to induce them to prescribe the company’s products to patients. The company also entered into a CIA. The settlement also resolved claims brought in two qui tam suits filed by several of the company’s former district sales managers; the whistleblowers’ share of the recovery was not reported.[18]
  • On September 1, a manufacturer of durable medical equipment (DME) agreed to pay $24 million to settle allegations that it misled multiple federal healthcare programs by paying kickbacks to DME suppliers. The government alleged that the manufacturer caused DME suppliers to submit false claims for oxygen concentrators, ventilators, CPAP and BiPAP machines, and other respiratory-related medical equipment because the manufacturer provided illegal inducements to the DME suppliers by providing them with physician prescribing data free of charge that could assist their marketing efforts. The settlement required the manufacturer to pay $22.62 million to the United States, and $2.13 million to various states as a result of the impact to their Medicaid programs, pursuant to the terms of separate settlement agreements entered into with the respective states. Additionally, the manufacturer entered into a CIA. The settlement also resolved a qui tam lawsuit brought by an employee of the manufacturer, who received approximately $4.3 million of the recovery amount.[19]
  • On September 2, a pharmaceutical manufacturer agreed to pay $40 million to resolve allegations that the manufacturer paid kickbacks to hospitals and physicians to induce them to utilize certain drugs, marketed these drugs for off-label uses that were not reasonable and necessary, and downplayed the safety risks of a drug used to control bleeding in certain heart surgeries. The government also alleged that the manufacturer downplayed the efficacy and health risks associated with a drug used to treat cholesterol and induced a government agency to renew certain contracts relating to the same drug. The settlement resolved allegations brought in two qui tam suits by a former employee, who will receive approximately $11 million from the proceeds of the settlement.[20]
  • On September 13, DOJ announced a settlement with a Texas bank for allegedly processing a Paycheck Protection Program (PPP) loan on behalf of an ineligible borrower. The U.S. Attorney’s Office for the Southern District of Texas, which brought the case, described the settlement as the “first-ever” settlement under the FCA from a PPP “lender”—i.e., the bank that made the loan, not a fraudulent borrower.[21]
  • On September 15, a pharmaceutical company agreed to pay $7.9 million to settle allegations that it violated the FCA by causing the submission of claims to Medicare Part D for several generic drugs that utilized outdated “prescription-only” (“Rx-only”) labeling, even though the drugs had lost their Rx-only status and thus were no longer reimbursable under Medicare Part D. Under federal law, pharmaceuticals that require a prescription to be dispensed (i.e., Rx-only drugs) are reimbursable under Medicare Part D, whereas pharmaceuticals that do not require a prescription—and can be sold to customers over the counter (OTC)—are not eligible for reimbursement. As part of the settlement, the pharmaceutical company admitted that in order to boost profits, it delayed seeking conversion of three generic drugs it manufactures “even after learning that the brand-name drugs for each had converted to OTC status,” and that it continued to sell the drugs under “obsolete Rx-only labeling” rather than taking the drugs off the market. The pharmaceutical company received credit under the DOJ’s prosecution guidelines for disclosure, cooperation, and remediation. The settlement also resolved claims brought by a whistleblower in a qui tam suit; the whistleblower will receive approximately $946,000 as their share of the recovery.[22]
  • On September 26, a pharmaceutical company agreed to pay $900 million to resolve allegations that it caused false claim submissions to Medicare and Medicaid by paying kickbacks to physicians as part of a scheme to induce them to prescribe the pharmaceutical company’s drugs. The allegations stem from a qui tam lawsuit filed by a former employee of the pharmaceutical company; the government declined to intervene in the lawsuit, which the whistleblower pursued individually. The whistleblower’s complaint alleged that the company offered and paid remuneration in various forms to induce physicians to prescribe the company’s drugs, including speaker honoraria and training fees, and consulting fees to healthcare professionals who participated in the company’s speaker programs, training meetings, or consultant programs. The whistleblower received 29.6%, or approximately $266 million, of the settlement proceeds, the largest single whistleblower award on record, according to the whistleblower’s attorney. The $900 million settlement is also the largest recovery ever in a declined case.[23]
  • On October 12, several pharmacy companies agreed to pay nearly $6.9 million to settle allegations that they violated the FCA by waiving patient copays, overcharging government health insurance programs, and trading healthcare business after they were removed from networks. Specifically, the government alleged that a compounding pharmacy and a related entity, created to handle the compounding pharmacy’s billing, created a copay-waiver program for patients and misled the government about the price being charged to uninsured, cash-paying patients by stating that that price was higher than it was, resulting in TRICARE beneficiaries being charged more than uninsured, cash-paying patients. The government also alleged that the compounding pharmacy sold its out-of-network prescriptions to other pharmacies after it was removed by some networks and received a portion of proceeds back. The settlement resolved allegations brought in a qui tam suit by a former accountant of the compounding pharmacy. She will receive approximately $1.4 million as her share of the recovery from the settlement.[24]
  • On October 17, a healthcare services provider in California agreed to pay approximately $13 million to resolve allegations that it violated the FCA by billing federal insurance programs for urine toxicology tests that it did not actually perform. The United States alleged that under the terms of a contract with another company, urine toxicology specimens from physicians and laboratories were forwarded to the healthcare services provider. The United States contended that the provider sought reimbursement from the federal government for thousands of tests that it did not perform and that “were instead performed by third-party labs.”[25]
  • On October 18, an Oklahoma-based for-profit home health provider, its affiliates, and the President and COO agreed to pay $7.2 million to resolve allegations that they violated the FCA by billing the Medicare program for medically unnecessary therapy provided to patients in Florida. The government alleged that the home health provider billed Medicare knowingly and improperly for home healthcare patients in Florida based on therapy provided without regard to medical necessity and overbilled for therapy by upcoding patients’ diagnoses. Both the President and COO agreed to be excluded from participation in all federal healthcare programs for a period of five years. The home health provider agreed to be bound by the terms of a CIA with HHS OIG. The settlement resolves a qui tam action brought by therapists formerly employed by the home health provider. The relators will together receive $1.3 million as their share of the settlement. Contemporaneous with the settlement, the home health provider agreed to pay an additional $22.9 million to resolve another qui tam action brought in the Western District of Oklahoma which alleged that the home health provider improperly paid remuneration to its home health medical directors in Oklahoma and Texas for the purpose of inducing referrals of Medicare and TRICARE home health patients.[26]
  • On November 1, a cloud-based electronic health record (EHR) technology vendor agreed to pay $45 million to settle allegations that it violated the FCA by accepting and paying unlawful remuneration in exchange for referrals through multiple kickback schemes. The government alleged that the EHR technology vendor, which sells EHR system subscription services, solicited and accepted kickbacks in exchange for recommending and arranging for its users to utilize another company’s pathology laboratory services. Additionally, the EHR technology vendor allegedly conspired with the same third-party laboratory to improperly donate EHR systems to healthcare providers with the goal of increasing lab orders for the third-party laboratory and concurrently increasing the EHR technology vendor’s user base. The government further alleged that the EHR technology vendor paid kickbacks to its customers and to other influential parties in the healthcare industry to secure recommendations and referrals for its EHR. The settlement also resolved, in part, the qui tam lawsuit filed by a former vice president of the EHR technology vendor, who received approximately $9 million from the settlement agreement.[27]
  • On November 9, the successor in interest to a Tennessee-based real estate investment trust agreed to pay $3 million to resolve allegations that the trust violated the FCA by submitting false claims to Medicare and Medicaid. The government alleged that the trust paid kickbacks to physicians to induce them to refer patients to a hospital developed by an affiliated party. The government alleged that the trust offered the physicians a low-risk, high-reward investment in a joint venture formed by one of the parties to purchase the hospital and lease it back to the affiliated party. The allegations were initially brought in a qui tam lawsuit by two relators. The qui tam suit remains under seal, subject to an order of the Court permitting the United States to disclose the settlement.[28]
  • On November 10, a birth-related injury compensation plan created by the State of Florida and the plan’s administrator agreed to pay $51 million to settle a qui tam lawsuit alleging that it violated the FCA by causing participants in the plan to submit covered claims to Medicaid rather than to the compensation plan, contrary to “Medicaid’s status as the payer of last resort under federal law.” The whistleblowers will receive $12,750,000 as their share of the recovery. While the United States did not intervene in the case, it assisted the whistleblowers with defending against a motion to dismiss filed by the defendants and with negotiating the settlement.[29]
  • On December 5, a New Jersey-based opioid abuse treatment facility agreed to pay $3.15 million to settle civil and criminal allegations that it paid kickbacks, obstructed a federal audit, and submitted fraudulent claims to Medicaid. The government alleged that the facility submitted false claims to Medicaid related to a kickback relationship with a methadone mixing company with which it shared a related ownership and management history. The settlement further resolved allegations that the facility failed to maintain adequate supervision and staffing, relying instead on non-credentialed interns to provide services. Related to the criminal allegations, the facility agreed to enter into a three-year deferred prosecution agreement that requires it to abide by certain measures, including, among other things, creating an independent board of advisors to oversee the company’s compliance with federal healthcare laws.[30]
  • On December 12, a not-for-profit health system, community hospital, and medical center agreed to pay $22.5 million to resolve allegations that they violated the FCA and the California FCA by submitting claims for services that were unallowable medical expenses under the contract between California’s Department of Health Care Services and a California county organized health system. The settlement also resolved allegations that the reimbursements for services did not reflect the fair market value of the services provided and that the services were duplicative of services already required to be rendered. Further, the government alleged that the payments were unlawful gifts of public funds in violation of the California Constitution. The settlement also resolved allegations brought in a qui tam suit by a former medical director of a California county organized health system, who will receive $3.9 million as his share of the federal recovery.[31]
  • On December 13, a Jacksonville-based company and its subsidiary agreed to pay $3 million to resolve allegations that they violated the FCA by paying and receiving kickbacks in connection with genetic testing samples. The government alleged that the companies solicited genetic testing samples from Medicare beneficiaries and paid physicians to falsely attest that the genetic testing was medically necessary and arranged for laboratories to process the tests. The laboratories would pay a portion of the reimbursement to the company. The settlement also resolved allegations brought in a qui tam suit by two individuals who were approached to participate in the scheme. They received approximately $570,000 as their share of the recovery.[32]

III. LEGISLATIVE AND POLICY DEVELOPMENTS

A. FEDERAL POLICY AND LEGISLATIVE DEVELOPMENTS

1. Changes to Rules Regarding Overpayments

On December 14, CMS issued a proposed rule which would, among other things, change the standard for what it means for Medicare program participants to “identify” overpayments.[33] The Affordable Care Act requires any person who has received an overpayment from a federal healthcare program to report and return that overpayment within 60 days after it is “identified.” Under Medicare rules issued in 2014 and 2015, CMS advised that a program participant has “identified” an overpayment when it “has, or should have through the exercise of reasonable diligence, determined” that it received an overpayment.[34] The definition is significant to the FCA because, once an overpayment is “identified,” an “obligation” may exist under the “reverse false claim” provision of the FCA, which prohibits acts of fraud aimed at avoiding paying money to the United States, if the overpayment is not returned within the required 60-day period.[35]

CMS’s stated rationale behind its interpretation of the term “identified” was that it would align with the FCA’s knowledge requirement, which creates fraud liability if an overpayment is improperly retained with actual knowledge, reckless disregard, or deliberate ignorance of that overpayment. In 2018, however, a federal district court ruled that, to the contrary, the “should have through the exercise of reasonable diligence” standard created by CMS has the effect of punishing simple negligence instead.[36] In direct response to that opinion, the new proposed rule would eliminate the “reasonable diligence” standard and instead deem an overpayment “identified” when a program participant—consistent with the scienter requirement of the FCA—has actual knowledge of an overpayment, or deliberately ignores or recklessly disregards an overpayment.[37]

In a related development, CMS finalized a rule on January 30, 2023 that enhances the government’s audit powers over Medicare Advantage plans (i.e., Medicare “private” plans).[38] The rule provides that, when seeking to collect overpayments from Medicare Advantage plans via Risk Adjustment Data Validation (RADV) audits, CMS will extrapolate audit findings for the relevant year forward to all payment years; however, it will do so starting only with payment year (PY) 2018.[39] This is an important change from the initial proposed rule, which would have called for extrapolation starting in PY 2011.[40] The new RADV rule nevertheless has the potential to significantly expand the universe of risk adjustment data that is subject to audit, as the RADV audits are a primary program integrity tool for CMS in overseeing the Medicare Advantage program. That, in turn, creates additional potential “obligations” under the FCA and the forthcoming new CMS interpretive guidance regarding the 60-Day Rule, as applied to Medicare Advantage plans. Medicare Advantage plans have disputed many other aspects of this audit process and proposed rule, and we anticipate that those disputes will continue to play out in various contexts, including several ongoing FCA cases on related topics and issues. We will be tracking further developments stemming from the new rule as 2023 unfolds.

2. Enforcement Efforts Related to COVID‑19

Based on publicly available settlements, civil FCA enforcement actions related to COVID‑19 spending have been relatively few in number in relation to the Justice Department’s criminal enforcement activity. Indeed, if one were to compare sheer public displays of enforcement activity and resource commitment in the criminal versus civil realms, it would be easy to wonder whether civil enforcement is lagging behind criminal prosecutions. In September, for example, DOJ announced the establishment of three Strike Force teams, which will operate out of U.S. Attorney’s Offices in the Southern District of Florida, in the District of Maryland, and in California as a joint effort between the Central and Eastern Districts of California.[41] The prosecutor-driven Strike Force teams will “accelerate the process of turning data analytics into criminal investigations,” according to DOJ.[42]

As discussed in our 2021 Year-End Update, however, early civil enforcement activity is likely only the start of a years-long effort by DOJ to wield the FCA to combat fraud related to pandemic relief funds. Because FCA cases are filed under seal, and often take years to investigate, we may not see the full extent of pandemic-related FCA activity for years to come. But developments in the second half of 2022 lend support to the idea that DOJ is playing a long game when it comes to civil enforcement in areas affected by the pandemic.

We see this in part in developments at HHS OIG, one of DOJ’s most frequent partner agencies in FCA enforcement. In September, HHS OIG released the results of a study into telehealth services provided during the first year of the pandemic, including a description of “providers’ billing for telehealth services and [ ] ways to safeguard Medicare from fraud, waste, and abuse related to telehealth.”[43] According to HHS OIG, at the outset of the COVID-19 pandemic, the use of telehealth—which preceded the pandemic—increased dramatically while, at the same time, the government temporarily paused program integrity efforts for Medicare, such as claims reviews. The study’s focus was on providers that billed for telehealth services and particularly those providers “whose billing for telehealth services poses a high risk to Medicare.”

The study established a number of criteria suggesting fraud, waste, or abuse, which HHS OIG used to determine providers that posed a high risk to the Medicare program and “warrant further scrutiny.” The seven criteria are: (1) “billing both a telehealth service and a facility fee for most visits”; (2) “billing telehealth services at the highest, most expensive level every time”; (3) “billing telehealth services for a high number of days in a year”; (4) “billing both Medicare fee-for-service and a Medicare Advantage plan for the same service for a high proportion of services”; (5) “billing a high average number of hours of telehealth services per visit”; (6) “billing telehealth services for a high number of beneficiaries”; and (7) “billing for a telehealth service and ordering medical equipment for a high proportion of beneficiaries.” According to the report, the Centers for Medicare and Medicaid Services (CMS) will “follow up on the providers identified in [the] report.”

Similarly, a December 2022 report by HHS OIG focused on laboratory testing for “add-on tests” in conjunction with COVID‑19 tests, and “found that 378 labs billed Medicare Part B for add‑on tests at questionably high levels . . . compared to the 19,199 other labs [studied].”[44] The report details specific types of “add-on” tests and dollar figures associated with Medicare payments for them.[45]

Studies such as these serve several functions. On one level, they signal to the public that the government is serious about fraud, waste, and abuse enforcement in industries affected by the pandemic, and they leverage partner agency investigative and analytical resources to provide DOJ (and the private relator’s bar) with insights for aligning enforcement efforts with agency programmatic priorities. They also demonstrate that the development of data-driven enforcement actions requires significant commitments of time and resources at the client agency level—a reality that helps explain why civil enforcement has publicly seemed slower compared to criminal prosecutions. And they serve as a reminder that DOJ does not view pandemic-related stimulus programs as the limit of its enforcement efforts; rather, we can expect DOJ to wield the FCA in response to industry developments prompted by the pandemic, beyond simply using the statute to recover fraudulently obtained stimulus funds.

Meanwhile, public signs of DOJ’s FCA enforcement efforts related to pandemic relief have continued to appear. In September, as discussed above, DOJ announced a settlement with a bank for allegedly processing a Paycheck Protection Program (PPP) loan on behalf of an ineligible borrower.[46] The announcement is significant because PPP FCA cases have typically been brought against borrowers who submitted false information. This is the first public settlement with a PPP lender, signaling that DOJ’s investigations have not been limited to borrowers (and that this case may not be the last one against a lender).

3. FCA Amendments Act of 2021 Still Pending Floor Vote

The FCA Amendments Act of 2021 (S. 2428) reached the end of the legislative session without a vote, having stalled continuously since it was reported out of the Senate Judiciary Committee in November 2021. The bill, introduced in July 2021 by Senator Chuck Grassley (R-IA) and a bipartisan group of co-sponsors, proposed two significant changes to the FCA.[47] First, it would amend the materiality requirement by providing that the government’s continued payment of funds to a defendant after discovery of fraud is not determinative of a lack of materiality “if other reasons exist for the decision of the government with respect to such refund or repayment.” Second, the bill would change the standard of review for evaluating a relator’s objection to the government’s decision to dismiss an FCA action.

In July 2022, the Congressional Budget Office (CBO) issued a lukewarm score on the proposed amendments.[48] With respect to the materiality amendment, the CBO estimated that DOJ would “succeed in about three FCA cases each year that would not otherwise have been won,” which would result in increasing collections by about $145 million over the decade of 2022-2032. However, the CBO did not indicate whether it factored in the potential for prolonged litigation and discovery costs arising from the need for the government to prove other reasons for having continued payment of claims despite knowledge of fraudulent activity. The predicted increase in collections must also be viewed in light of the CBO’s estimates regarding the increased costs likely to result from the bill’s imposition of a heightened burden on the government when it decides to dismiss an FCA action over a relator’s objection. The CBO estimated costs of $15 million to implement the amended dismissal requirements over the next five years, assuming an “additional month of work” for each case. While the CBO stated that its conclusions were “subject to considerable uncertainty,” the report is far from a clear endorsement of the proposed legislation, and may help explain its failure to progress in the Senate.

It is possible that the Senate also is waiting to see how the Supreme Court will rule in United States ex rel. Polansky v. Executive Health Resources, Inc. (discussed in our Case Law Developments update below). Polansky presents a challenge to the government’s right to seek dismissal, over a relator’s objection, of an FCA action in which the government has declined to intervene. During oral argument in December, the Justices appeared supportive of the government’s dismissal authority and seemed likely to set a low threshold for dismissal. The Senate may also now be looking beyond Polansky to the Supreme Court’s grant of certiorari in United States ex rel. Schutte v. SuperValu Inc. et al. As discussed below, that case challenges the relevance of a defendant’s subjective beliefs to the FCA’s scienter requirement. Although Schutte does not directly involve the FCA provisions at issue in the Grassley amendments, the interrelated nature of the statute’s materiality and scienter requirements means that the decision in Schutte still could affect the trajectory of the Grassley amendments and the extent to which the materiality-related amendment in particular is viewed as a necessity.

4. Congress Extends Limitations Period on CARES Act Fraud Prosecutions to 10 Years

On August 5, 2022, President Biden signed into law two bills extending the statute of limitations for CARES Act anti-fraud actions.[49] The laws establish a 10-year statute of limitations period for “any criminal charge or civil enforcement action” alleging fraud related to the Economic Injury Disaster Loan (EIDL) program or the Paycheck Protection Program (PPP). The EIDL and PPP programs both sprang from the Coronavirus Aid, Relief, and Economic Security Act (CARES Act) and provided loans and emergency grants during the pandemic.[50] With respect to PPP loans, the legislation appears aimed at financial technology firms and their lenders, which the House Committee on Small Business calculated account for up to 75% of loans connected to fraud.[51] Unlike bank-related fraud, which carries a 10-year statute of limitations, see 18 U.S.C. § 3282, loan fraud connected to financial technology carries the 5-year limitations period for wire fraud, see 18 U.S.C. § 3293. The new laws aim to reconcile that discrepancy.

While the amendments are styled as changes to the Small Business Act in particular, they could have an effect on uses of the FCA to combat COVID relief fraud—if, for example, DOJ succeeds in arguing that the amendments actually do operate to extend the FCA’s statute of limitations, or if in practical terms the amendments make it easier for DOJ to rely on SBA-led enforcement actions rather than use the FCA itself. While the FCA also permits actions up to 10 years after the date of the violation, that outer limit only applies where the government or a relator utilizes the provision that tolls the default 6-year statute of limitations for 3 years from the date on which the government learns of the alleged violation.

B. STATE LEGISLATIVE DEVELOPMENTS

There were no major developments with respect to state FCA legislation in the second half of 2022. HHS OIG provides incentives for states to enact false claims statutes in keeping with the federal FCA. HHS OIG approval for a state’s FCA confers an increase of 10 percentage points in that state’s share of any recoveries in cases involving Medicaid.[52] Such approval requires, among other things, that the state FCA in question “contain provisions that are at least as effective in rewarding and facilitating qui tam actions for false or fraudulent claims” as are the federal FCA’s provisions.[53] Approval also requires a 60-day sealing provision and civil penalties that match those available under the federal FCA.[54] Consistent with our reporting in prior alerts, the lists of “approved” and “not approved” state false claims statutes remain at 22 and 7, respectively.[55]

IV. CASE LAW DEVELOPMENTS

A. SUPREME COURT WEIGHS GOVERNMENT’S AUTHORITY TO DISMISS QUI TAM LAWSUITS AND AGREES TO HEAR CRITICAL SCIENTER ISSUE

The Supreme Court granted certiorari this month on a petition regarding the question of whether a defendant who adopts an objectively reasonable interpretation of a legal obligation runs afoul of the FCA’s requirement that the defendant act “knowingly.” United States ex rel. Schutte v. SuperValu Inc., 9 F.4th 455 (7th Cir. 2021), cert. granted, 2023 WL 178398 (U.S. Jan. 13, 2023); United States ex rel. Proctor v. Safeway, Inc., 30 F.4th 649 (7th Cir. 2022), cert. granted, 2023 WL 178393 (U.S. Jan. 13, 2023). As noted above, the FCA defines “knowingly” to mean that a person “(i) has actual knowledge of the information; (ii) acts in deliberate ignorance of the truth or falsity of the information; or (iii) acts in reckless disregard of the truth or falsity of the information.” 31 U.S.C. § 3729(b)(1)(A). In Safeco Insurance Co. of America v. Burr, 551 U.S. 47 (2007), which addressed the Fair Credit Reporting Act’s nearly identical scienter requirement, the Supreme Court determined that a person who acts under an incorrect interpretation of a relevant statute or regulation does not act with “reckless disregard” if the interpretation is objectively reasonable and no authoritative guidance cautioned the person against it. Safeco, 551 U.S. at 70.

The relators in SuperValu alleged that when defendant SuperValu sought Medicare and Medicaid reimbursements, it misrepresented its “usual and customary” drug prices to government health programs that use that information to set reimbursement rates. See 9 F.4th at 459. After interpreting the relevant regulations, SuperValu reported its retail cash prices as its usual and customary drug prices rather than the lower, price-matched amounts that it charged customers under its price-match discount drug program, through which SuperValu would match discounted prices of local competitors upon request from anyone purchasing. Id. While the court agreed with the relator that SuperValu should have reported its discounted prices, the court applied the Safeco approach and determined that SuperValu’s interpretation of the regulations was objectively reasonable and that there was no authoritative guidance that warned SuperValu away from its interpretation. Id. at 472. According to the Seventh Circuit, whether SuperValu believed that its interpretation of “usual and customary” drug prices was the correct interpretation of the regulation did not bear on the objectively reasonable analysis. Instead, the court explained that “[a] defendant might suspect, believe, or intend to file a false claim, but it cannot know that its claim is false if the requirements for that claim are unknown.” Id. at 468. In other words, the focus should be on whether the interpretation was objectively reasonable, not on the defendant’s subjective intent. See id. at 466. The court therefore found that SuperValu faced no liability under the FCA. Id. at 472. This decision aligns with every other circuit that has considered Safeco’s application to the FCA (i.e., the Third, Eighth, Ninth, and D.C. Circuits).

The Supreme Court also granted a petition for certiorari in Safeway, which the Court then consolidated with SuperValu. Safeway dealt with substantially the same issue and outcome: applying the Safeco approach to Safeway’s interpretation of “usual and customary” drug prices to determine whether Safeway had violated the FCA. 30 F.4th at 658–59. Applying its decision from SuperValu, the Seventh Circuit in Safeway also found no liability for Safeway under the FCA because it had adopted an objectively reasonable interpretation of the relevant regulations and there was no authoritative guidance. Id. at 660, 663.

After the relators petitioned for a writ of certiorari, the Supreme Court asked the federal government to weigh in. The Solicitor General’s office disagreed with the position adopted by the Seventh Circuit, insisting that it opens up the possibility that defendants may be aware that their interpretation of a regulatory provision is wrong, but still proceed with the noncompliant action as long as they can later assert a reasonable justification for their preferred interpretation of the regulation after the fact. See United States ex rel. Schutte v. Supervalu Inc., No. 21-1326, Brief for the United States as Amicus Curiae, at 11–12 (Dec. 6, 2022). Senator Grassley, one of the chief proponents of the FCA in Congress, had filed an amicus brief as well, claiming that the Seventh Circuit opens a “gaping hole” in the FCA and urging the Supreme Court to grant certiorari and overturn the decision. See United States ex rel. Schutte v. Supervalu Inc., No. 21-1326, Brief for Senator Charles E. Grassley as Amicus Curiae, at 23 (May 19, 2022).

The Supreme Court’s resolution of this issue in SuperValu will have significant consequences going forward for FCA defendants, like SuperValu, who often are accused of certifying compliance with complex regulatory schemes. Defendants frequently argue the so-called Safeco defense, and the Supreme Court’s treatment of that issue could clarify the strength and scope of that defense. The Court’s decision will provide necessary guidance on whether a defendant can be “reckless” toward a statute or regulation that is amenable to multiple interpretations, even if the defendant allegedly doesn’t subjectively believe that interpretation to be correct. Coming on the heels of the Supreme Court’s seminal 2016 decision in Universal Health Services v. United States ex rel. Escobar, 579 U.S. 176 (2016), which clarified and strengthened the FCA’s materiality standard, this will be an opportunity for the Court to round out its jurisprudence on key elements of the FCA by addressing the statute’s scienter standard. We will be watching closely as this critical case gets its day at the Supreme Court.

In December, the Supreme Court heard oral argument in United States ex rel. Polansky v. Executive Health Resources, Inc., 17 F.4th 376 (3d Cir. 2021), cert. granted, 142 S. Ct. 2834 (2022). As we noted in the 2022 Mid-Year Update, the Supreme Court’s rather unexpected decision to grant certiorari in this case should at least result in a clarified standard for district courts to apply to government requests to dismiss qui tam complaints.

Until the Court issues its ruling on Polansky, the circuits remain split as to the standard under which a district court may evaluate the government’s decision to dismiss relators’ cases over their objection. Some courts have concluded that the government may dismiss virtually any action brought on behalf of the government, with very little scrutiny. Polansky, 17 F.4th at 384–88. Other courts have determined that if the government does not intervene in a relator’s case, the government must first intervene in the lawsuit before seeking to dismiss it under Federal Rule of Civil Procedure 41(a)’s standard. Id. Yet another subset of courts have indicated that the government must have some reasonable basis for the decision to dismiss, and ostensibly apply a degree of scrutiny to dismissal decisions. Id.

At oral argument, the Justices seemed inclined to grant DOJ broad discretion to dismiss cases, which is both a necessary check on runaway whistleblower litigation brought in the government’s name and a constitutional prerequisite to ensure the qui tam provision does not run afoul of constitutional limits on the executive branch’s ability to delegate its authority.

Regardless of how the Court resolves Polansky, however, the outcome is unlikely to have any immediate or substantial impact on the routine course of qui tam actions. In practice, district courts almost always agree to dismiss cases when DOJ seeks dismissal, regardless of what jurisdiction they are in and what standard they apply. In any event, we will be watching carefully to see whether the Supreme Court strengthens—or weakens—DOJ’s ability to rein in qui tam lawsuits.

B. SUPREME COURT LEAVES IT TO CIRCUIT COURTS TO DEVELOP PLEADING STANDARDS

1. Supreme Court Denial of Cert Regarding Circuit Split on Rule 9(b)

Another important Supreme Court decision regarding the FCA in the past six months was a decision not to act, as it denied petitions for certiorari in three cases addressing similar questions that the petitioner claimed would have provided clarity on the appropriate pleading standard under Rule 9(b) of the Federal Rules of Civil Procedure for claims brought under the FCA. See Johnson v. Bethany Hospice and Palliative Care LLC, 143 S. Ct. 351 (2022); Molina Healthcare of Illinois, Inc. v. Prose, 143 S. Ct. 352 (2022); United States ex rel. Owsley v. Fazzi Assocs., Inc., 143 S. Ct. 362 (2022).

Bethany Hospice, Molina, and Owsley all dealt with a similar issue: how much specificity must a plaintiff provide in a complaint in an FCA case to meet the standards for alleging fraud under Rule 9(b)? In Bethany Hospice, the Eleventh Circuit made clear that to satisfy Rule 9(b) “a complaint must allege actual submission of a false claim, and . . . it must do so with some indicia of reliability.” 853 F. App’x 496, 501 (11th Cir. 2021) (internal quotation marks omitted). The relators had alleged that the defendant—a company providing for-profit hospice care—ran an illegal referral scheme, paying remuneration to physicians who referred Medicare patients to the defendant’s facilities. Id. at 496. The Eleventh Circuit determined that the relators had not adequately alleged an FCA violation because they failed to allege any details about specific representative false claims. Id. at 501–03.

In Owsley, the Sixth Circuit likewise dismissed a complaint from a relator that the defendants had submitted false data to the government in relation to Medicare claims for home-healthcare because the relator had provided insufficient details to allow the defendants to discern which claims they submitted were allegedly false. 16 F.4th 192, 194 (6th Cir. 2021). In doing so, the Sixth Circuit articulated a similar standard as in Bethany Hospice, explaining that “under Rule 9(b), ‘[t]he identification of at least one false claim with specificity is an indispensable element of a complaint that alleges a False Claims Act violation.’” Id. at 196 (alteration in original) (citation omitted).

In Molina, the relator alleged that Molina—who contracted with Illinois’s state Medicaid program—submitted false claims to receive capitation payments from the state for skilled nursing facility services under an implied false certification theory. 17 F.4th 732, 736–39 (7th Cir. 2021). There, the Seventh Circuit set forth a different standard for satisfying Rule 9(b), allowing the relator to proceed past a motion to dismiss where the relator “provide[d] information that plausibly support[ed] the inference that” the defendant submitted a false claim, even without the details of a specific false claim. Id. at 741. Even without allegations about a specific false claim, the Seventh Circuit determined that the circumstantial evidence the relator alleged created an inference that the defendants had submitted false claims. Id.

The standards adopted by the various circuits under Rule 9(b) exist on a spectrum, ranging from the Eleventh Circuit and Sixth Circuit—which have held that details of a specific false claim are required (i.e., the who, what, when, where, and how of the alleged fraudulent submissions to the government)—to the Seventh Circuit (and others such as the Third, Fifth, Ninth, Tenth, and D.C. Circuits) which have held that Rule 9(b) may be satisfied if the relator makes specific factual allegations as to a scheme to defraud and facts constituting reliable indicia that false claims resulted from the scheme. In Bethany Hospice, Prose, and Owsley, the petitioners sought guidance from the Supreme Court on the proper standard courts should apply when evaluating FCA claims under Rule 9(b). By denying the petitions for writ of certiorari in Bethany Hospice, Prose, and Owsley, the Supreme Court has effectively declined to resolve this circuit split at the present juncture and as a result has left open the possibility that plaintiffs will forum‑shop for the most favorable pleading standard when pursuing FCA cases.

2. Circuit Courts Continue to Craft Pleading Standards Under Rule 9(b)

Absent guidance from the Supreme Court, circuit courts continue to craft their own standard under Rule 9(b) in FCA cases. Three recent examples are illustrative.

In Lanahan v. County of Cook, 41 F.4th 854 (7th Cir. 2022), the Seventh Circuit was tasked with applying Rule 9(b) to various allegations by a former employee of the Cook County Department of Public Health (CCDPH). Id. at 858. After the government declined to intervene, the relator alleged in a complaint that the CCDPH had received federal grants to implement various federal initiatives in Cook County. See id. at 858–60. The relator further alleged that in distributing and accounting for the funds, the CCDPH had failed to follow federal guidelines and regulations. Id. The district court dismissed a first amended complaint and second amended complaint from the relator, determining that the relator had failed to adequately allege that the CCDPH had made any false claims to the federal government and failed to adequately connect any allegedly false statements to government payments. Id. at 860–61.

The Seventh Circuit affirmed the district court’s dismissal with prejudice, explaining that the relator had provided no more than conclusory assertions that the CCDPH submitted false claims to the government. Id. at 862–64. According to the Seventh Circuit, a major flaw in the relator’s claims was that for each of the payments she alleged violated the FCA, she “object[ed] only to Cook County’s treatment of the funds after they were disbursed. The Second Amended Complaint is utterly silent as to the events leading up to Cook County’s receipt of these funds.” Id. at 862. And while the relator had provided slightly more detail as to CCDPH’s alleged misuse of one category of funds set to be used to support providing H1N1 vaccinations—by specifically alleging that CCDPH submitted falsified expense reports—these additional details were still not enough to satisfy Rule 9(b) because the relator did “not support this claim with particularized information about how . . . the expense reports [were] prepared.” Id. at 863. The Seventh Circuit further determined that the relator had failed to allege adequate facts under Rule 9(b) to connect the allegedly false statements to the government payments. Id. at 864.

The Seventh Circuit had a further opportunity to provide guidance on the application of Rule 9(b) in United States ex rel. Sibley v. University of Chicago Medical Center, 44 F.4th 646 (7th Cir. 2022). While the federal and state governments elected not to intervene, the relators—former employees of jointly owned companies that deliver medical billing and debt collection services to healthcare providers—claimed their former employers (debt collection companies) and the healthcare provider those debt collection companies serviced had failed to follow federal regulations governing “bad debt.” Id. at 651. “Bad debts” are incurred when a Medicare patient fails to make required deductible or coinsurance payments and the provider makes sufficient efforts to collect the debt. Id. at 652 (citing 42 C.F.R. § 413.89). The provider may seek reimbursement from the Centers for Medicare and Medicaid Services (CMS) for those bad debts. 44 F.4th at 652. The relators alleged that the debt collection agencies and the healthcare provider had failed to follow the federal regulations for what constitutes bad debt in seeking reimbursements from CMS, and thus violated the FCA by failing to repay the government excess reimbursements received for bad debt. See id. at 652–55. The relators also alleged they had been retaliated against by the companies for reporting the alleged FCA violations. Id.

The district court dismissed all of the relators’ claims against the former employers and the healthcare provider for failure to adequately state a claim under Rule 9(b). Id. at 655. The Seventh Circuit affirmed the dismissal of most of the claims. The Seventh Circuit first explained that the complaint failed to allege that the healthcare provider had direct knowledge of the alleged excessive reimbursements—mere inferences and assumptions did not suffice to show knowledge. Id. at 657–58. Next, the court explained that for claims premised on the failure to repay the government for excessive bad debt reimbursements, the relators must provide “specific representative examples” of false claims. Id. at 659. According to the Sibley court, the relator failed to provide such representative examples for one of the debt collection companies and thus dismissal as to that company was appropriate. Id. In reaching this conclusion, the Sibley court appears to be at odds with the Seventh Circuit’s decision in Molina, in which the court noted that the plaintiff “provide[d] information that plausibly supports the inference that [the defendant] included false information” in submissions to the government, even without specific details of the submissions. 17 F.4th at 741. In Sibley, the Seventh Circuit went on to reverse the district court’s decision to dismiss the complaint against the other debt collection company because the relators had provided three specific examples of bad debt that was allegedly improperly reimbursed. 44 F.4th at 660. Finally, the Seventh Circuit also allowed the relators’ retaliation claims to proceed, making clear that those claims were governed by Rule 12(b)(6)’s pleading standard rather than the more stringent Rule 9(b) standard. Id. at 661–62.

The Fourth Circuit also addressed Rule 9(b)’s pleading standard in United States ex rel. Nicholson v. MedCom Carolinas, Inc., 42 F.4th 185 (4th Cir. 2022). In Nicholson, the federal government declined to intervene in a case involving allegations that the defendant—who contracted with the manufacturer of skin grafts to sell them to hospitals—paid its salespeople a commission for the skin grafts sold to federal healthcare providers, including Veterans Administration (VA) hospitals. Id. at 189. The relator then prosecuted the case. Id. According to the relator, selling the skin grafts to VA hospitals on commission resulted in a violation of the Anti-Kickback Statute (AKS), which in turn led to a violation of the FCA. Id. The district court dismissed the relator’s complaint under Rule 9(b), determining it was almost entirely conclusory and provided no meaningful details to support the claims. Id.

The Fourth Circuit affirmed the district court’s dismissal. Id. at 200. The court explained that under Rule 9(b), the relator either had to provide a representative example of an alleged false claim (including the “time, place, and contents of the misrepresentation”) or make allegations sufficient to show that the defendant was engaged in “a pattern of conduct that would necessarily have led to the submission of false claims.” Id. at 194 (citations and internal quotation marks omitted). The Fourth Circuit concluded that the relator had not alleged either. Id. at 196. Specifically, while the relator had pled a specific false claim, the complaint lacked any details: “The patient is unknown . . ., who submitted the claim is unknown . . ., what VA hospital in what state is unknown . . . . The unknowns swamp the knowns.” Id. Given the bare‑bones details included in the complaint, the Court concluded it lacked the particularity required under Rule 9(b).

C. THE D.C. CIRCUIT APPLIES PRO TANTO APPROACH TO MULTI-DEFENDANT FCA CASE

In United States v. Honeywell International Inc., 47 F.4th 805 (D.C. Cir. 2022), the D.C. Circuit was faced with an unresolved damages-related question under the FCA, namely whether the statute provides, in multi-defendant cases, for an offset of previous settlement recoveries against a non-settling joint tortfeasor’s liability. Many FCA cases involve multiple defendants, in which those defendants are subject to joint and several liability. Honeywell clarified that in such cases, the pro tanto rule applies: proceeds from settlements with joint tortfeasor defendants should reduce the amounts owed by other, non-settling defendants—at least in regard to compensatory damages. However, the case left open whether civil penalties could qualify for such an offset between joint tortfeasors in FCA cases.

The Honeywell appeal stemmed from a suit brought by the federal government against Honeywell, based on alleged FCA violations. According to the government, Honeywell had misrepresented the quality of a material it manufactured and provided to bulletproof vest manufacturers who eventually sold them to the government. According to the government, Honeywell had improperly represented that the material it sold to the manufacturers was the “best ballistic product in the market for ballistic resistance,” despite the fact that the materials degraded at high temperatures. Id. at 810. While the government’s suit against Honeywell was ongoing, the government settled with several other parties involved in manufacturing and supplying the vests to the federal government. Honeywell moved for summary judgment on the issue of damages, claiming that any damages assessed against it should be offset based on the settlements with the other parties. Honeywell “maintained the court should apply a pro tanto approach, reducing any common damages Honeywell owed by the amount of the settlements.” Id. at 811. The district court, however, adopted the proportionate share method for calculating damages advocated for by the government, which meant that “Honeywell would still be responsible for its proportionate share of the $35 million” in claimed damages. Id.

On appeal, the D.C. Circuit acknowledged that “[t]he FCA says nothing at all about how to address indivisible harms or whether joint and several liability is appropriate.” Id. at 813. Faced with crafting a common law rule, the D.C. Circuit determined that the “pro tanto rule . . . is not just compatible with the FCA; it is a better fit with the statute and the liability rules that have been partnered with it.” Id. at 817. The D.C. Circuit recognized that allowing the pro tanto rule to be applied in FCA cases would mean that if settlements exceeded the damages claimed by the government, a defendant—like Honeywell—would potentially face no damages. But the D.C. Circuit still believed the pro tanto rule was “consistent with the FCA” because it left the “government in the driver’s seat to pursue and punish false claims according to its priorities.” Id. at 818. The D.C. Circuit’s decision represents the first circuit court decision on this issue and provides important reasoning for later courts that may be faced with determining how much settlements with third parties may offset damages against defendants in FCA cases. The case also will affect how defendants and the government answer the difficult question of how an individual defendant should value a potential settlement in a multi-defendant case. Defendants will have to decide whether to wait out resolutions with others that could reduce their own exposure, while the government will need to decide whether to reduce its settlement demands of earlier-settling parties in order to leave some amount of damages on the table to incentivize later-in-time defendants to settle.

D. THE EIGHTH CIRCUIT CREATES A CIRCUIT SPLIT ON CAUSATION FOR AKS-PREDICATED FCA CLAIMS

The AKS imposes criminal liability on a person who knowingly and willfully pays, offers, solicits, or receives remuneration in return for referrals or orders of items or services reimbursed by federal health programs.[56] In 2010, Congress amended the AKS to provide that “a claim that includes items or services resulting from a violation of [the AKS] constitutes a false or fraudulent claim for purposes of [the FCA].” DOJ has long asserted the position that the term “resulting from” does not require a showing of causation; instead, DOJ asserts in AKS-based FCA cases that every claim that came later in time than the receipt of a kickback is “tainted” by the kickback and therefore is a false claim. In United States ex rel. Cairns v. D.S. Medical LLC, 2022 WL 2930946 (8th Cir. July 26, 2022), however, the Eighth Circuit held that the appropriate causation standard for AKS‑based FCA liability was “but for” causation. Cairns created a growing circuit split on the question of which claims “result from” an AKS violation. For example, in United States ex rel. Greenfield v. Medco Health Solutions, Inc., 880 F.3d 89, 98 (3d Cir. 2018), the Third Circuit rejected both the “but for” causation standard and DOJ’s preferred “taint” theory, instead finding that the FCA and AKS “require[] the much looser standard of showing a link in the causal chain.” In Cairns, relators brought a qui tam action against a neurosurgeon, his practice, his fiancée, and the spinal implant company his fiancée owned, alleging a kickback scheme between the couple resulting in FCA violations. The relator alleged that a physician ordered spinal implants from his fiancée’s company—which allegedly received large commissions from the implant manufacturers—in exchange for an offer to purchase that company’s stock. The United States filed its own complaint as an intervenor. Cairns, 42 F.4th at 831–33.

In a jury trial before the district court, the government argued that the 2010 amendment to the AKS created a loose FCA causation standard such that the alleged kickbacks would “taint” the claims and cause an FCA violation. See id. at 833–35. The district court issued jury instructions that the government could establish falsity if it showed “that the claim failed to disclose the Anti-Kickback Statute violation.” Id. at 834 (modifications omitted). The jury found for the government and the district court awarded damages and penalties in excess of five million dollars. Id. at 832. Defendants appealed, and the Eighth Circuit remanded. Id. On remand, the district court granted the government’s motion to dismiss its remaining claims without prejudice. Id. Defendants appealed again, arguing the lower court’s jury instructions were defective in failing to instruct the jury on but for causation. Id.

The Eighth Circuit agreed. In a noteworthy rejection of the government’s position, the Eighth Circuit held the plain meaning of the AKS required a showing of but for AKS-to-FCA causation—essentially, a showing that but for the alleged kickback, the FCA claim at issue would not have included the alleged kickback’s “items or services.” Id. at 836. The Eighth Circuit chiefly based its reasoning on the Supreme Court’s analysis of similar “results from” statutory language in the Controlled Substances Act in Burrage v. United States, 571 U.S. 204, 210–11 (2014). In Burrage, the Court reasoned that “results from” in the phrase “death or serious bodily injury results from the use of [the] substance” requires a showing of actual causality, or but for causation. Id. at 209 (citing 21 U.S.C. § 841(b)(1)(A)-(C)). Likewise, the Eighth Circuit reasoned in Cairns that the plain meaning of “resulting from” was “unambiguously causal,” rejecting the government’s arguments that causation could be shown where the kickback “tainted” the claim or was a “contributing factor.” Cairns, 42 F.4th at 835–36. The alternative standards were “hardly causal at all” – a “‘taint’ could occur without the illegal kickbacks motivating the inclusion of any of the ‘items or services’” and “asking the jury if a violation ‘may have been a contributing factor’ does not establish anything more than a mere possibility.” Id. at 835. Worst of all, the Eighth Circuit added, was the district court’s instruction that “may have been the least causal of all: just because a claim fails to disclose an anti-kickback violation does not mean that there is a connection between the violation and the included ‘items or services.’” Id. The Eighth Circuit explained that, “[w]here there is no textual or contextual indication to the contrary, courts regularly read phrases like ‘results from’ to require but-for causality.” Id. (citation omitted).

E. THE FOURTH AND NINTH CIRCUITS ISSUE DECISIONS ON THE SCIENTER REQUIRED UNDER THE FCA

In United States ex rel. Hartpence v. Kinetic Concepts, Inc., 44 F.4th 838 (9th Cir. 2022), the Ninth Circuit confronted the FCA’s scienter requirement. A relator alleged that a wound care medical device manufacturer and its subsidiary falsely certified compliance with Medicare payment rules about the use of the medical devices. Id. at 841, 844–45. The United States declined to intervene. Id. at 844–45. The relator claimed that the defendants fraudulently certified compliance with Medicare reimbursement criteria that required that the medical records of patients who used the devices reflect “progressive wound healing” for each month for which claims were submitted. Id. at 841. The relator alleged that the defendants manipulated their billing codes to falsely certify compliance during “stalled cycles” of months without healing, where healing resumed the next month. Id. at 844–45.

The district court granted summary judgment in favor of the defendants, holding that relator had not brought sufficient evidence that the defendants’ false certifications were material to the Medicare reimbursements or that the defendants had knowingly used the billing codes as alleged. Id. at 845. The relator appealed. Id.

The Ninth Circuit reversed, holding that the district court erred in so ruling because the relator produced enough evidence to raise a triable issue of fact regarding the requisite scienter. Id. at 850–53. The court explained that based on the relator’s evidence, a jury could find that the defendants deliberately miscoded claims to conceal them and knew those coded certifications were false for two reasons. Id. at 851. First, the relator put forth evidence, in the form of the defendants’ internal communications, that suggested the defendants deliberately used the codes fraudulently to skirt claim appeals and denials. Second, the relator brought evidence both of the defendants’ employees raising concerns internally about the billing and of Medicare contractors correcting defendants’ application of the billing codes. Id. Although the defendants did not automatically accept coded claims as true, there was email communication evidence in the record that they were “plainly aware that using the [] modifier avoided a costly review and appeals process that it would sometimes win and sometimes lose.” Id. That evidence – which the court suggested showed the defendants deliberately avoided digging into the validity of claim modifiers – provided “ample evidence to permit a rational trier of fact to conclude that [the defendants] knew that it was a false statement . . . and that [the defendants] did so knowing that it might thereby escape case-specific scrutiny.” Id. at 851–52.

An en banc Fourth Circuit examined the FCA’s scienter element in United States ex rel. Sheldon v. Allergan Sales, LLC, 24 F.4th 340 (4th Cir. 2022), vacated en banc, 49 F.4th 873 (4th Cir. 2022). The relator alleged that the drug manufacturer falsely represented its drugs’ “best price” under the Medicaid drug rebate program by purportedly failing to aggregate discounts given to separate customers. Id. at 346. The government declined to intervene. Id. The district court granted the manufacturer’s motion to dismiss, holding that the relator had “failed to plead both that the claims at issue were false and that [the manufacturer] had made them knowingly.” Id. at 346–47.

In Sheldon, the divided Fourth Circuit panel joined the growing number of circuits to address the Supreme Court’s Safeco scienter standard in FCA cases. Id. at 347. The court noted the difficulty of applying the vague “knowledge” standard set forth in the FCA. The court held that “a defendant cannot act ‘knowingly’ if it bases its actions on an objectively reasonable interpretation of the relevant statute when it has not been warned away from that interpretation by authoritative guidance” – an “objective standard” that precludes inquiry into a defendant’s subjective intent. Id. at 348. However, shortly after oral argument and in a per curiam order on rehearing en banc, the full Fourth Circuit vacated the panel opinion and affirmed the district court. United States ex rel. Sheldon v. Allergan Sales, LLC, 49 F.4th 873, 874 (4th Cir. 2022).

F. THE NINTH AND FOURTH CIRCUITS ADDRESS THE BOUNDS OF THE PUBLIC DISCLOSURE BAR

In United States ex rel. Silbersher v. Allergan, Inc. et al., 46 F.4th 991 (9th Cir. 2022), the Ninth Circuit considered the FCA’s “public disclosure bar,” which directs a district court to dismiss an action under the FCA when “substantially the same allegations or transactions” have previously been publicly disclosed, unless the relator is an “original source of the information.” 31 U.S.C. § 3730(e)(4)(A). In a qui tam action, a patent attorney alleged that the defendant drug companies had improperly obtained patents to protect two of their drugs from generic competition. Id. at 993. The government declined to intervene. Id. The district court denied the defendants’ motion to dismiss, and Defendants appealed.

On appeal, the Ninth Circuit—interpreting the revised 2010 public disclosure bar for the first time—reversed and remanded, holding that the district court erred in concluding that the relator’s case did not trigger the FCA’s public disclosure bar. The Ninth Circuit re-emphasized that its public disclosure bar test has three elements: “‘(1) the disclosure at issue occurred through one of the channels specified in the statute; (2) the disclosure was “public”; and (3) the relator’s action’ is substantially the same as the allegation or transaction publicly disclosed.” Id. at 996 (citation omitted). The court explained that only the first element, what constitutes a channel for disclosure under the FCA, was at issue in the case. Id. The court agreed with the defendants that the relator’s claims were barred because the underlying information came from a public patent prosecution, which is an “other Federal . . . hearing.” Id. at 999 (internal quotation marks omitted). Because the district court had not decided whether the relator was an “original source” such that he fell under that exception to the public disclosure bar, the Ninth Circuit remanded the case to the district court. Id. at 1000 (internal quotation marks omitted).

The Second Circuit came to a similar conclusion in United States ex rel. CKD Project, LLC v. Fresenius Medical Care Holdings, Inc., 2022 WL 17818587 (2d Cir. Dec. 20, 2022), finding the public disclosure rule barred a relator’s suit because the material information of the relator’s claim had been publicly disclosed in the defendant’s securities filings and because the relator did not fall into the original source exception. The relator alleged that the company performed unnecessary procedures on dialysis patients and fraudulently submitted claims to Medicare, Medicaid, and state health programs. Id. at *1–3. The United States declined to intervene. Id. at *1. The district court dismissed relator’s claims without leave to amend. Id. at *2.

The Second Circuit affirmed, explaining both that (1) the relator’s claims fell under the public disclosure bar because the “critical or material elements” of the transactions were already publicly disclosed and (2) the relator did not fall under the original source exception because it “d[id] not possess direct knowledge of the information on which the allegations are based” and was an “entity formed solely for this litigation.” Id. at *3. While the relator argued the defendant’s filings did not contain material information about the details of an acquisition and shell entity scheme alleged in the claim, the court explained that the additional details the relator highlighted were just that—details—and the material elements of the acquisitions were publicly disclosed. Id. at *4. The Second Circuit found that because the core elements of the claim were in Fresenius’ securities filings, they had been publicly disclosed. Id.

G. THE TENTH AND SECOND CIRCUITS APPLY THE APPROACH TO FCA MATERIALITY DESCRIBED BY THE SUPREME COURT IN ESCOBAR

In United States ex rel. Sorenson v. Wadsworth Brothers Construction Co., 48 F.4th 1146 (10th Cir. 2022), a relator alleged that Wadsworth Brothers Construction Company violated the FCA by falsely certifying its compliance with prevailing-wage requirements under the Davis-Bacon Act, 40 U.S.C. §§ 3141–38. The government declined to intervene and the district court dismissed Sorenson’s claims based on his failure to satisfy the “demanding materiality standard” established in Escobar, and the Tenth Circuit affirmed. Id. at 1155.

In 2012, the Salt Lake International Airport received a $9 million federal grant to make improvements. Id. at 1154. It solicited bids for construction of a deicing pad, and noted in its bid-solicitation documents that the winning contractor would be required to certify its compliance with the Davis-Bacon Act. Id. Wadsworth, as the lowest bidder, entered into a contract with the Airport and began construction in 2013. Id.

The relator worked on the project as a truck driver for Wadsworth for just over two months in 2014. He alleged that he was underpaid during that time as his pay “reflected substantial work on non-Davis-Bacon jobsites,” despite having worked “exclusively” on Wadsworth’s “federally funded” projects. Id. at 1154. According to the relator, Wadsworth “represented to the federal government on each of its invoices involving [the relator] that the wages Wadsworth paid [him] complied with the Davis-Bacon Act,” and did so “despite actually knowing it did not pay Sorenson in accord with applicable Davis-Bacon requirements,” thus causing the government to pay Wadsworth more than it was entitled to receive. Id. at 1155. The district court dismissed the claims on grounds that the only basis for a finding of materiality was “that certification of compliance with the Davis-Bacon Act is a prerequisite to the payment” of Wadsworth’s invoices, and as Escobar clarified, “‘minor or insubstantial’ noncompliance with statutory, regulatory, or contractual requirements” is “not enough, standing alone, to render a misrepresentation material,” whether or not the requirement is designated with the terminology of a condition of payment. Id. at 1152 (quoting Escobar, 579 U.S. at 194).

The Tenth Circuit affirmed what it considered to be a relatively ordinary decision after Escobar, noting that the “court need not make any grand pronouncements about the general materiality of Davis-Bacon violations to resolve Sorenson’s appeal.” Id. at 1156. Acknowledging that Davis-Bacon wages are determined by jobsite and task, rather than by project, the court found that the relator had failed to allege any of those context-specific factors that would allow for a finding of materiality. The complaint failed to identify the relevant Davis-Bacon jobsites, establish that relator worked at those jobsites, or even demonstrate that his work as a truck driver was covered under the Davis-Bacon Act. It therefore was “bereft of details from which any estimate of the quantum of alleged underpayments could be made, and thus there is no indication as to whether the amount involved is minor or significant.” Id. at 1157. The court further affirmed the district court’s grant of summary judgment on a retaliation claim brought by the relator. Id. at 1158.

In United States ex rel. Yu v. Grifols USA, LLC, 2022 WL 7785044 (2d Cir. Oct. 14, 2022), a relator alleged that pharmaceutical manufacturer Grifols USA, and associated entities Grifols Biologicals, Grifols, S.A., and Grifols Shared Services (collectively, “Grifols”) fraudulently obtained FDA approval of Gamunex, one of its products designed to treat various autoimmune disorders, and thus submitted false claims to the government for payment of various “Government Healthcare Programs” related to Gamunex. The government declined to intervene and the district court dismissed the action for failing to sufficiently plead materiality, and the Second Circuit affirmed. Id. at *2.

Before producing Gamunex, Grifols was required to obtain a Prior Approval Supplement from the FDA by having the FDA inspect its manufacturing facilities and equipment for compliance with current Good Manufacturing Practices (cGMPs) required by FDA regulations. Id. at *1. Grifols hired the relator to perform regular quality assurance inspections of its Gamunex plant. The relator alleged that the plant was not operating in accordance with applicable cGMPs but that Grifols certified otherwise to the FDA, thus fraudulently obtaining approval by the FDA to manufacture and sell Gamunex. Id.

The Second Circuit affirmed the district court by summary opinion. The relator failed to establish any contractual provision expressly conditioning government payment on Grifols’ compliance with specific cGMPs or that the FDA violations he claimed to have witnessed “resulted in ‘significant financial cost to the government,’ or that the violations go to the ‘heart of the bargain.’” Id. at *5. Accordingly, the relator did “not plausibly allege that any misrepresentation by Grifols materially impacted the Government Healthcare Programs’ payment determination.” Id.

In Lee v. Northern Metropolitan Foundation for Healthcare, Inc., 2022 WL 17366627 (2d Cir. Dec. 2, 2022), relators alleged that defendants, state and federally funded operators of an adult day healthcare program, discriminated against their registrants on the basis of national origin and provided them with substandard care. The relators alleged that the defendants thus violated the FCA by impliedly certifying compliance with federal and state anti-discrimination laws and medical-care standards when submitting claims to the government for reimbursement. Id. at *2. The state and federal governments declined to intervene and the case proceeded to trial. After a bench trial, the district court entered judgment against relators pursuant to FRCP 52(a) based on the relators’ failure to establish materiality. Id. at *3 n.2. The Second Circuit affirmed by summary order.

The relators argued on appeal that the evidence demonstrated materiality under the Escobar factors, and in the alternative, materiality was evident based on the “common-sense notion that violations of allegedly important statutes and regulations pertaining to discrimination and medical-model facilities would have affected a reasonable administrator’s decision to pay” defendants’ medical claims. Id. at *1-2.

The Second Circuit rejected both arguments. Applying Escobar, the court found that the relators “adduced no evidence that compliance with the anti-discrimination and medical-model statutes and regulations at issue” was a condition of payment, “no evidence concerning the government’s response” to defendants’ alleged noncompliance, and “little evidence from which one could conclude that the discrimination and medical-model infractions at Northern undermined ‘the essence of the bargain’” between defendants and the government. Id. at *2 (emphases in original) (quoting United States ex rel. Foreman v. AECOM, 19 F.4th 85, 116-17 (2d Cir. 2021)). The court also found the relators’ common-sense argument unpersuasive, explaining that while common sense “may have a role” in assessing materiality, this case did not provide such an opportunity, “as here, there is not a tight fit between the implicit misrepresentation and the service provided.” Id.

H. THE ELEVENTH AND THIRD CIRCUITS EVALUATE RETALIATION CLAIMS BROUGHT UNDER THE FCA

In Simon ex rel. Florida Rehabilitation Associates PLLC v. Healthsouth of Sarasota Ltd. Partnership, 2022 WL 3910607 (11th Cir. Aug. 31, 2022), a relator asserted a retaliation claim under the FCA alleging that she suffered various adverse employment actions and was ultimately constructively discharged after complaining to defendants about allegedly false medical diagnoses. After the relator filed a qui tam action in 2012 alleging various acts of fraud against the government, the United States intervened and reached a settlement with HealthSouth, at which point the relator, the government, and defendants stipulated to dismissal with prejudice of all FCA claims except for relator’s retaliation claim. Id. at *3-4. The relator proceeded to litigate her retaliation claim until the district court granted summary judgment to the defendants. Id. at *1. The Eleventh Circuit affirmed.

The relator, a physiatrist, operated an outpatient medical practice through Florida Rehabilitation Associates and worked as an attending physician at defendant HealthSouth Sarasota Hospital. Id. at *2. The relator claimed that defendants directed her and other physicians to diagnose patients with “disuse myopathy,” which she believed was a “fraudulent diagnosis” created by HealthSouth to inflate the number of patients it treated for certain severe conditions so that it could classify as an “inpatient rehabilitation facility” entitled to CMS funding. Id. at *2; see 42 C.F.R. § 412.29(b)(1)–(2). The relator alleged that she was threatened, demoted, and investigated after making numerous verbal complaints about these diagnoses. Id.

The Eleventh Circuit affirmed judgment against the relator and agreed with the district court that she had not engaged in a statutorily protected activity. Id. at *6. Citing to another recent case within its circuit, Hickman v. Spirit of Athens, Ala., Inc., 985 F.3d 1284, 1287 (11th Cir. 2021), the court “assumed without deciding” that the plaintiff in an FCA retaliation case “must at least show that she had an objectively reasonable belief that her employer violated the FCA to establish that she engaged in protected activity,” and determined that the relator here was unable to do so. Id. Although the evidence demonstrated “that [the relator] possessed a sincere, subjective belief that HealthSouth was committing fraud by using a fabricated disuse myopathy diagnosis,” the relator failed to meet the burden of showing that her belief was objectively reasonable. Id. The relator testified to her own belief of the illegitimacy of the diagnosis, but “she offered no evidence that she had an objectively reasonable belief that the doctors who diagnosed their patients with disuse myopathy did so purposefully and wrongly to fraudulently receive money from the government,” and thus she could not establish that she engaged in statutorily protected conduct. Id. at *7.

In United States ex rel. Ascolese v. Shoemaker Constr. Co., 55 F.4th 188 (3d Cir. 2022), a relator asserted an FCA retaliation claim arising out of conduct that took place during a federally funded construction project. The case presented the Third Circuit with its first opportunity to clarify the standard for retaliation under the FCA since 2009-2010 congressional amendments to whistleblower protections under the Act. After the government declined to intervene in the action, relator amended the complaint to remove those claims which applied only to the government, and the court dismissed the amended complaint without prejudice. Id. at 193. The relator moved for leave to file a second amended complaint and the district court denied the motion on grounds that amendment would be futile due to the relator’s failure to show that defendants had adequate notice of his FCA complaints. Id. The Third Circuit disagreed, vacating the judgment and remanding the action to the district court for further proceedings.

The United States Department of Housing and Urban Development granted $30 million to the Philadelphia Housing Authority (PHA) to construct public housing in North Philadelphia. Id. at 191-92. The PHA designated defendants Shoemaker Construction Company and Shoemaker Synterra JV as construction managers for the project, who then subcontracted defendant McDonough Bolyard Peck Inc. (MBP) to perform quality control services and ensure that the project complied with all applicable construction regulations. Id. The relator worked as a Quality Assurance/Quality Control Manager for the project and was responsible for reporting any “deficiencies” in the project, such as in design plans, specifications, and building codes. Id. According to the relator, he noted “dozens” of deficiencies in the project and conveyed those deficiencies to defendants, who took no further action in response to his complaints. Id. The relator “broke his chain of command” and took his complaints directly to the PHA, which the relator alleged caused defendants to take retaliatory measures.

In finding that the relator had sufficiently pled retaliation, the Third Circuit explained that “the amendments to the anti-retaliation provision reflect a congressional intent to expand protection to ‘efforts to stop violations before they happen or recur.’” Id. at 194-95 (emphasis in original) (quoting Singletary v. Howard Univ., 939 F.3d 287, 296 (D.C. Cir. 2019)). The “fact intensive” inquiry into whether the relator did “more than his job responsibilities” to trigger FCA protection should require the district court to “focus on whether [the relator] acted outside of his chain of command or his job duties.” Id. The Third Circuit reasoned that the relator had done so by outlining his “usual job responsibilities” and establishing the “contours of his chain of command” in order to adequately allege that his actions had gone beyond the scope of those responsibilities by reporting his concerns to the PHA. Id. at 196. Thus, the relator sufficiently pled that he engaged in protected conduct. Furthermore, the relator plausibly alleged that MBP was on notice of his protected conduct and retaliated against him as a result, as it “was aware that [the relator] made external reports to the PHA,” and that such conduct was “outside of his reporting chain of command.” Id.

V. CONCLUSION

We will monitor these developments, along with other FCA legislative activity, settlements, and jurisprudence throughout the year and report back in our 2023 False Claims Act Mid-Year Update, which we will publish in July 2023.


The following Gibson Dunn lawyers assisted in the preparation of this alert: Jonathan Phillips, Winston Chan, John Partridge, James Zelenay, Reid Rector, Michael Dziuban, Chelsea Knudson, Blair Watler, John Turquet Bravard, Ben Gibson, Julien Jabari, Wynne Leahy, Jose Madrid, Nick Perry, Kelsey Stimson, Adrienne Tarver, and Chumma Tum.

Gibson Dunn lawyers regularly counsel clients on False Claims Act issues. Please feel free to contact the Gibson Dunn lawyer with whom you usually work, the authors, or any of the following members of the firm’s False Claims Act/Qui Tam Defense Group:

Washington, D.C.
Jonathan M. Phillips – Co-Chair, False Claims Act/Qui Tam Defense Group (+1 202-887-3546)
F. Joseph Warin (+1 202-887-3609)
Joseph D. West (+1 202-955-8658)
Geoffrey M. Sigler (+1 202-887-3752)
Lindsay M. Paulin (+1 202-887-3701)

San Francisco
Winston Y. Chan – Co-Chair, False Claims Act/Qui Tam Defense Group (+1 415-393-8362)
Charles J. Stevens (+1 415-393-8391)

New York
Reed Brodsky (+1 212-351-5334)
Mylan Denerstein (+1 212-351-3850)
Alexander H. Southwell (+1 212-351-3981)
Brendan Stewart (+1 212-351-6393)

Denver
John D.W. Partridge (+1 303-298-5931)
Robert C. Blume (+1 303-298-5758)
Monica K. Loseman (+1 303-298-5784)
Ryan T. Bergsieker (+1 303-298-5774)
Reid Rector (+1 303-298-5923)

Dallas
Robert C. Walters (+1 214-698-3114)
Andrew LeGrand (+1 214-698-3405)

Los Angeles
Nicola T. Hanna (+1 213-229-7269)
Timothy J. Hatch (+1 213-229-7368)
Deborah L. Stein (+1 213-229-7164)
James L. Zelenay Jr. (+1 213-229-7449)

Palo Alto
Benjamin Wagner (+1 650-849-5395)

© 2023 Gibson, Dunn & Crutcher LLP. All rights reserved. For contact and other information, please visit us at www.gibsondunn.com.

Attorney Advertising: These materials were prepared for general informational purposes only based on information available at the time of publication and are not intended as, do not constitute, and should not be relied upon as, legal advice or a legal opinion on any specific facts or circumstances. Gibson Dunn (and its affiliates, attorneys, and employees) shall not have any liability in connection with any use of these materials. The sharing of these materials does not establish an attorney-client relationship with the recipient and should not be relied upon as an alternative for advice from qualified counsel. Please note that facts and circumstances may vary, and prior results do not guarantee a similar outcome.

This edition of Gibson Dunn’s Federal Circuit Update summarizes two new petitions for certiorari from cases originating in the Federal Circuit.  We address proposed amendments to the Federal Circuit’s Rules.  We also discuss recent Federal Circuit decisions concerning interference proceedings and personal jurisdiction of foreign defendants.

Federal Circuit News

Supreme Court:

As we summarized in our December 2022 update, the Supreme Court has granted certiorari in Amgen Inc. v. Sanofi (U.S. No. 21-757).  Oral argument has not yet been scheduled.

Noteworthy Petitions for a Writ of Certiorari:

There are two new, potentially impactful petitions currently before the Supreme Court:

  • Novartis Pharmaceuticals Corp. v. HEC Pharm Co., Ltd. (US No. 22-671): “1. Whether 28 U.S.C. § 46 and principles of sound judicial administration preclude a court of appeals from adding a new judge to form a new panel and redecide a case after an original three-judge panel has already decided the case and entered its judgment.  Whether 35 U.S.C. § 112 should be interpreted consistent with its plain text as requiring that a patent specification contain a ‘written description of the invention’ in a form that need only be understandable to ‘any person skilled in the art,’ or whether the court of appeals properly read in a heightened requirement that allows it to deem the specification inadequate on de novo review and displaces the perspective of a person skilled in the art.”  The response is due February 21, 2023.  Gibson Dunn partners Thomas G. Hungar, Jacob T. Spencer, Jane M. Love, and Robert Trenchard are counsel for Novartis.
  • Arthrex, Inc. v. Smith & Nephew, Inc. (US No. 22-639): “Whether the Commissioner for Patents’ exercise of the Director’s authority pursuant to an internal agency delegation violated the Federal Vacancies Reform Act.”  The response is due February 9, 2023.

Also, as we summarized in our December 2022 update, there are several petitions pending before the Court from cases originating from the Federal Circuit.  The petitions in Interactive Wearables, LLC v. Polar Electro Oy (US No. 21-1281) and Tropp v. Travel Sentry, Inc. (US No. 22-22) are still pending the views of the Solicitor General.  A response has been filed in Jump Rope Systems, LLC v. Coulter Ventures, LLC (US No. 22-298).

Federal Circuit Practice Update

Proposed Amendments to Federal Circuit Rules

On January 20, 2023, the Federal Circuit proposed several amendments to its Rules of Practice and Practice Notes to the Rules, including amending the definition of “legal holiday” to include the day after Thanksgiving (Rule 26(a)(1)) and requiring service of a paper copy of each brief and appendix on opposing principal counsel (Rules 30(a)(3) and 31(b)).  Also, new Federal Circuit Rule 34(e)(3) has been proposed, requiring all arguing counsel to have a copy of each brief and appendix in the case “close at hand” during oral argument.  All the amendments may be found here.  Public comments must be received on or before February 21, 2023 to [email protected].  If adopted, the amendments would take effect on March 1, 2023.

Upcoming Oral Argument Calendar

The list of upcoming arguments at the Federal Circuit is available on the court’s website.

Key Case Summaries (January 2023)

Dionex Softron GmbH v. Agilent Technologies, Inc., No. 21-2372 (Fed. Cir. Jan. 6, 2023):  The Patent Trial and Appeal Board (“Board”) instituted an interference proceeding between Dionex and Agilent that the parties contrived when Dionex copied Agilent’s patent claims verbatim into its own patent application.  The Board awarded priority to Agilent, concluding under the rule of reason that the testimony of one of the two inventors regarding actual reduction to practice in the form of a successful prototype had been sufficiently corroborated by two of his co-workers.

The Federal Circuit (Stark, J., joined by Reyna and Chen, JJ.) affirmed.  Dionex argued that the Board erred by failing to draw a negative inference against Agilent on the basis that the second of the two inventors did not testify.  The Court disagreed, holding there is no per se requirement to draw a negative inference in this situation.  It was within the Board’s discretion to determine whether a negative inference should apply under the totality of the evidence, and the Court determined that the Board did not abuse its discretion in deciding not to draw a negative inference here.

In re Google LLC, No. 22-1012 (Fed. Cir. Jan. 9, 2023):  Google filed a patent application related to filtering the results of an internet search based upon a “predetermined threshold value” that is “determined based on a number of words included in the search query.”  The examiner finally rejected the claims as obvious over the combination of two references, and Google appealed to the Board.  The Board adopted the examiner’s findings, agreeing with the examiner that it would have been obvious to modify the first reference to take into account the query length taught by the second reference.

The Federal Circuit (Moore, C.J., joined by Lourie and Prost, JJ.) vacated and remanded for further proceedings.  On appeal, the PTO argued that the Board’s decision should be affirmed because there were only two ways to predictably modify the first reference to incorporate the query length taught by the second reference, and both would have been obvious to try.  The Federal Circuit rejected the argument, however, on the basis that the PTO’s arguments did not actually reflect the Board’s reasoning or findings.  The Federal Circuit held that although the Board had concluded that modifying the first reference to take into account query length would have been obvious, the Board failed to discuss how such a modification would be accomplished.  In the absence of these specific findings by the Board, the Court would not adopt the PTO’s fact-based arguments in the first instance on appeal.

In re Stingray IP Solutions, LLC, No. 23-102 (Fed. Cir. Jan. 9, 2023):  Stingray sued three foreign-entity defendants (collectively, “TP-Link”) in the Eastern District of Texas.  The district court determined that personal jurisdiction was not proper in Texas under Federal Rule of Civil Procedure 4(k)(2),[1] because TP-Link consented to suit in California, and transferred the cases to the Central District of California.  Stingray filed for mandamus relief seeking to undo the district court’s transfer.

The Federal Circuit (Stark, J., joined by Lourie and Taranto, JJ.) granted the petition and vacated the transfer order.  The Federal Circuit acknowledged that district courts were deeply split on how to interpret Rule 4(k)(2) and concluded that a defendant may not avoid application of Rule 4(k)(2) by unilaterally consenting to suit in a preferred jurisdiction.  The Federal Circuit therefore vacated the district court’s transfer order and remanded for the district court to determine whether Rule 4(k)(2), under the proper interpretation, applies in this case.  After making that determination, the district court may then consider whether transfer under § 1404(a) would be appropriate.

Grace Instrument Industries, LLC v. Chandler Instruments Company, LLC, No. 21-2370 (Fed. Cir. Jan. 12, 2023):  Grace sued Chandler for infringing a patent related to drilling oil wells.  During claim construction, the district court construed the term “enlarged chamber” as indefinite.

The Federal Circuit (Chen, J., joined by Cunningham and Stark, JJ.) vacated the district court’s opinion with respect to “enlarged chamber” and remanded for further proceedings.  The Court determined that the patent’s specification gave guidance on the term’s meaning, and thus, the district court erred in relying on dictionary definitions of “enlarged” rather than the intrinsic record.  The Court determined that it could not resolve the indefiniteness question based on the current record, however, and remanded for further fact finding.

_________________________

[1] Rule 4(k)(2) states that “serving a summons or filing a waiver of service establishes personal jurisdiction over a defendant if the defendant is not subject to jurisdiction in any state’s courts of general jurisdiction.”  Fed. R. Civ. P. 4(k)(2).


Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding developments at the Federal Circuit.  Please contact the Gibson Dunn lawyer with whom you usually work or the authors of this update:

Blaine H. Evanson – Orange County (+1 949-451-3805, [email protected])
Audrey Yang – Dallas (+1 214-698-3215, [email protected])

Please also feel free to contact any of the following practice group co-chairs or any member of the firm’s Appellate and Constitutional Law or Intellectual Property practice groups:

Appellate and Constitutional Law Group:
Thomas H. Dupree Jr. – Washington, D.C. (+1 202-955-8547, [email protected])
Allyson N. Ho – Dallas (+1 214-698-3233, [email protected])
Julian W. Poon – Los Angeles (+1 213-229-7758, jpoon@gibsondunn.com)

Intellectual Property Group:
Kate Dominguez – New York (+1 212-351-2338, [email protected])
Y. Ernest Hsin – San Francisco (+1 415-393-8224, [email protected])
Josh Krevitt – New York (+1 212-351-4000, [email protected])
Jane M. Love, Ph.D. – New York (+1 212-351-3922, [email protected])

© 2023 Gibson, Dunn & Crutcher LLP


Policymakers in Washington, London, and other allied capitals during 2022 pushed the outer limits of economic statecraft to tackle challenges ranging from Russia’s full-scale invasion of Ukraine to China’s growing military and technological capabilities.  Notably, President Joe Biden continued his predecessor’s approach of weaponizing different tools and executive offices in the economic coercion space—further blurring once clear distinctions between sanctions, export controls, import restrictions, tariffs, and foreign investment reviews.  Breaking down longtime silos between those different policy instruments proved effective at exerting economic pressure on Moscow, Beijing, and other targets over the past year, and these tools will be a durable feature of U.S. and allied policy going forward.

In addition to the breadth of economic tools employed by the United States, one of the year’s most consequential developments was the Biden administration’s emphasis on employing trade restrictions in close coordination with traditional allies and partners.  In a sharp break from the prior administration, President Biden, on the campaign trail and through last year’s comprehensive review of U.S. sanctions, articulated a strong preference for multilateral solutions to global challenges.  That policy approach was put vividly into practice in 2022 following the Kremlin’s further invasion of Ukraine as a coalition of more than 30 democracies—together accounting for more than half of global economic output—clamped severe restrictions on trade with Russia.  Such close coordination magnified the impact of sanctions by making them more challenging to evade, and raised questions regarding whether coalition policymakers can muster a similarly united front in response to other pressing challenges like an increasingly powerful China.  Despite their close alignment, small divergences between the United States, the European Union, and the United Kingdom—with respect to both targets and, more importantly, matters of interpretation such as whether entities controlled by a sanctioned party are restricted—presented daunting compliance challenges for multinational businesses.

Over the past year, policymakers broke new ground by, for the first time ever, imposing sweeping trade controls on a major, globally connected economy—including adding a record-shattering number of (mostly Russian) individuals and entities to sanctions lists.

The past year was also remarkable for its many instances of genuine policy innovation, as officials immobilized Russia’s foreign reserves, introduced a novel price cap on seaborne Russian crude oil and petroleum products, imposed unprecedented controls on China’s access to advanced semiconductors, and laid the groundwork for possible new regimes in the United States and Europe to review outbound foreign investments.  However, U.S. and allied governments were not the only active players.  From Moscow to Beijing, targets of economic coercion have not sat still, imposing their own countermeasures, promulgating regulations to impede domestic compliance with “unfriendly country” actions, and hindering the ability of outside parties to even learn about the ownership or control of certain parties that may be impacted by restrictions.  In addition to governmental action, 2022 was notable for the extreme de-risking seen especially in Russia, with more than a thousand companies deciding to pull back from operations in that country before any regulation demanded it of them.  This “self-sanctioning” was not part of the coalition’s strategy, and its implications for a diminished ability of allied policymakers to effectively calibrate measures going forward—when businesses will undoubtedly remain skittish—makes the entire canon of economic statecraft uncertain.  Multinational enterprises must also contend with the U.S. Department of Justice’s emerging view of sanctions as the “new” Foreign Corrupt Practices Act—portending an uptick in civil and criminal enforcement activity.  By any measure, 2022 was a historically busy period for the imposition of new trade controls, and the pace of policy change shows few signs of slowing during the year ahead.

Contents

I. Global Trade Controls on Russia
A. Comprehensive Sanctions on Covered Regions of Ukraine
B. Sectoral Sanctions
C. Blocking Sanctions
D. Export Controls
E. Import Prohibitions
F. New Investment Prohibitions
G. Services Prohibitions
H. Price Cap on Crude Oil and Petroleum Products
I. Possible Further Trade Controls on Russia
II. U.S. Trade Controls on China
A. Uyghur Forced Labor Prevention Act
B. Technological Competitiveness Legislation
C. Export Controls
D. Defense Department List of Chinese Military Companies
E. Investment Screening
III. U.S. Sanctions
A. Iran
B. Syria
C. Venezuela
D. Nicaragua
E. Afghanistan
F. Myanmar
G. Crypto/Virtual Currencies
H. Other Sanctions Developments
IV. U.S. Export Controls
A. Commerce Department
B. State Department
V. Committee on Foreign Investment in the United States (CFIUS)
A. CFIUS Annual Report
B. National Security Factors
C. Enforcement and Penalty Guidelines
D. Outbound Investment Screening
VI. European Union
A. Trade Controls on China
B. Sanctions Developments
C. Export Controls Developments
D. Foreign Direct Investment Developments
VII. United Kingdom
A. Trade Controls on China
B. Sanctions Developments
C. Export Controls Developments
D. Foreign Direct Investment Developments

I. Global Trade Controls on Russia

Following the Kremlin’s further invasion of Ukraine in February 2022, leading industrial economies—including the United States, the European Union, the United Kingdom, Canada, Australia, and Japan—swiftly imposed aggressive and coordinated trade controls on Russia.  Spurred by global outrage and fierce Ukrainian resistance, 2022 saw the imposition of a cascade of restrictions that would have been unthinkable in even the recent past, including comprehensive sanctions on Russian-occupied regions of Ukraine, wide-ranging sectoral sanctions, blocking sanctions, export controls, import bans, new investment bans, services bans, and an innovative price cap on seaborne Russian crude oil and petroleum products.  Taken together, these measures—which target key pillars of Russia’s economy (and its principal sources of hard currency) such as the country’s financial sector, energy sector, and military-industrial complex—were calculated to deny the Kremlin the resources needed to prosecute the war in Ukraine and degrade Russia’s ability to project power abroad.

As the war in Ukraine nears its first anniversary, allied trade restrictions appear to be exacting a toll on Russia’s economy, which, despite soaring energy prices, contracted during 2022.  Notably, more than a thousand companies have ceased or curtailed their operations in Russia since the start of the war—an exodus that by and large was not mandated by regulation but that nonetheless threatens to further dim Russia’s long-term growth prospects.  Meanwhile, the coalition continues to hold additional policy options in reserve.  Depending upon how events unfold, the allies could potentially further restrict dealings involving Russia by imposing blocking sanctions on additional Russian elites, designating the Government of the Russian Federation, moving to seize Russian assets to fund Ukraine’s reconstruction, or expanding existing sanctions and export controls to include a complete embargo on trade in goods and services.

A. Comprehensive Sanctions on Covered Regions of Ukraine

On February 21 and 22, 2022, the United States and key allies imposed comprehensive sanctions on the Russia-backed separatist regions of Ukraine known as the Donetsk People’s Republic (“DNR”) and the Luhansk People’s Republic (“LNR”).  This initial round of sanctions came as President Putin recognized the two breakaway regions as independent states and quickly ordered Russian troops to enter the regions for an ostensible “peacekeeping” mission.  Just hours after the dramatic Russian announcement, President Biden signed Executive Order (“E.O.”) 14065, which imposes broad, jurisdiction-wide sanctions on the DNR and LNR, plus any other regions of Ukraine as may be determined by the U.S. Secretary of the Treasury (collectively, the “Covered Regions”).  As we wrote in an earlier client alert, that measure by President Biden is nearly identical to Executive Order 13685, which announced President Barack Obama’s imposition of comprehensive sanctions on the Crimea region of Ukraine in 2014.

In particular, E.O. 14065 prohibits:  (1) new investment in the Covered Regions by a U.S. person; (2) the importation into the United States of any goods, services, or technology from these regions; as well as (3) the exportation from the United States, or by a U.S. person, of any goods, services, or technology to these regions.  The Order further authorizes blocking sanctions on any person determined by the Secretary of the Treasury to be a person operating in the Covered Regions.  The European Union and the United Kingdom have adopted similarly broad restrictions, yet these are not total bans on dealings with the regions.  EU restrictions target Donetsk, Luhansk, Kherson, and Zaporizhzhia, while UK restrictions only target Donetsk and Luhansk.

As a practical matter, sanctions on these particular regions of Ukraine present substantial compliance challenges, very similar to those seen in Crimea, as U.S., EU, and UK persons are again prohibited from engaging in transactions involving regions that are not internationally recognized states.  Moreover, the precise boundaries of the sanctioned regions are unsettled.  The U.S. Department of the Treasury’s Office of Foreign Assets Control (“OFAC”) has indicated in published guidance that the DNR and the LNR do not presently encompass the entire Ukrainian oblasts, or provinces, of Donetsk and Luhansk.  Similarly, EU restrictions cover areas of the relevant oblasts which are not under the control of the Ukrainian authorities.  The United Kingdom, on the other hand, relies on the territorial definition outlined in Decree Number 32/2019 issued by the President of Ukraine.  It is also conceivable that the “Covered Regions” could in future be extended to include some or all of the Zaporizhzhia and Kherson regions of Ukraine that Russia purported to annex in September 2022, in line with the European Union’s approach.  For purposes of determining whether a particular location in eastern Ukraine is within the Covered Regions—and is therefore subject to comprehensive U.S. sanctions—OFAC has not yet publicly delineated the borders of those regions, but has offered that “U.S. persons may reasonably rely on vetted information from reliable third parties, such as postal codes and maps.”

Importantly, as of this writing, the Russian Federation is not subject to comprehensive sanctions.  That is, U.S. persons are prohibited from engaging in substantially all transactions involving only a small number of jurisdictions, namely Cuba, Iran, North Korea, Syria, and the Crimea, Donetsk People’s Republic, and Luhansk People’s Republic regions of Ukraine.  The remaining U.S. sanctions programs, and all EU and UK sanctions programs, including sanctions targeting Russia, are generally list-based—meaning that U.S. persons are restricted from engaging in certain transactions involving certain specified parties, as well as those parties’ direct and indirect majority-owned entities (or, in the case of the European Union and United Kingdom, those parties’ direct and indirect majority-owned and/or controlled entities).  That said, as discussed below, the number of Russia-related parties that are subject to list-based sanctions exploded during 2022 and is poised for further growth during the year ahead.

B. Sectoral Sanctions

In addition to the comprehensive sanctions on the DNR and LNR discussed above, an unusual feature of the sanctions programs targeting Russia is the sectoral sanctions, under which it is prohibited to engage in certain narrow types of activities with certain designated entities, as set forth on the Sectoral Sanctions Identifications (“SSI”) List or the Non-SDN Menu-Based Sanctions (“NS-MBS”) List administered by OFAC and the equivalent lists maintained by other key allies, including the European Union and the United Kingdom.  This type of sectoral designation limits the types of interactions a targeted entity is allowed to undertake with U.S., EU, and UK persons pursuant to a series of OFAC “Directives” and EU and UK regulations that for nearly a decade have targeted Russia’s financial, energy, defense, and oil industries.  Underscoring the narrow scope of the sectoral sanctions on Russia, OFAC expressly provides that, absent some other prohibition, all other lawful U.S. nexus dealings involving a targeted entity are permitted.  That same approach in relation to sectoral sanctions has been adopted in the European Union and the United Kingdom.

Immediately following Russia’s invasion of Ukraine, the Biden administration announced four new sectoral sanctions Directives that bar U.S. persons from engaging in certain dealings involving some of the Russian Federation’s most economically consequential institutions.  Those restrictions were paralleled by the European Union and the United Kingdom.  In particular, the measures restrict Russia’s access to capital by:

  • Prohibiting U.S. financial institutions from participating in the primary or secondary market for “new” bonds issued by Russia’s central bank, finance ministry, and principal sovereign wealth fund (collectively, the “Russian Sovereign Entities”);
  • Prohibiting U.S. financial institutions from opening or maintaining a correspondent or payable-through account for or on behalf of, or processing a transaction involving, Sberbank or any of its majority-owned entities, thereby cutting off Russia’s largest bank from the U.S. financial system;
  • Prohibiting U.S. persons from dealing in “new” debt or “new” equity of 13 major Russian state-owned enterprises and financial institutions, further limiting Russia’s ability to raise new capital for its military activities in Ukraine; and
  • Prohibiting U.S. persons, except as authorized by OFAC, from engaging in any transaction involving the three named Russian Sovereign Entities, including any transfer of assets to such entities or any foreign exchange transaction for or on behalf of such entities.  This novel sectoral sanctions measure, together with similar restrictions by each member of the Group of Seven (“G7”), has proven especially impactful.  While none of the Russian Central Bank, the Russian National Wealth Fund, or the Russian Ministry of Finance is blocked, using this unique tool the allies effectively immobilized around $300 billion in international reserves that the Russian government had stockpiled to insulate its economy from the effects of sanctions.

During the war’s opening days, the European Union, in another highly impactful move, directed the Belgium-based Society for Worldwide Interbank Financial Telecommunication (“SWIFT”) to deny select Russian banks access to its financial messaging services, which serve as the principal means for global financial institutions to send and receive transaction-related information.

The coalition’s early use of sectoral sanctions, which we discuss in depth in a previous client alert, was animated by a policy interest in imposing tangible costs on the Kremlin for invading Ukraine, while minimizing the collateral consequences of targeting one of the world’s largest and (then) most interconnected economies.  As the war in Ukraine has stretched on, the allies have demonstrated an increasing willingness to impose a variety of severe restrictions on Russia, including the expansive use of blocking sanctions.

C. Blocking Sanctions

Since February 2022, the United States, the European Union, and the United Kingdom, in a historic burst of activity, have each added approximately 1,500 new Russia-related individuals and entities to their respective consolidated lists of sanctioned persons.  While the lists do not always overlap, increasing the compliance burden on multinational companies, the level of coordination among the allies has been particularly impactful.  As an example of the sweeping nature of the new designations, in the United States, of all the parties that have been named to OFAC’s Specially Designated Nationals and Blocked Persons (“SDN”) List over the decades, around one in ten were designated in just the past year for their activities involving Russia.

Blocking sanctions are arguably the most potent tool in a country’s sanctions arsenal, especially for countries such as the United States with an outsized role in the global financial system.  Upon becoming designated an SDN (or other type of blocked person), the targeted individual or entity’s property and interests in property that come within U.S. jurisdiction are blocked (i.e., frozen) and U.S. persons are, except as authorized by OFAC, generally prohibited from engaging in transactions involving the blocked person.  The same applies to persons designated by the European Union or the United Kingdom.  The SDN List, and its EU and UK equivalents, therefore function as the principal sanctions-related restricted party lists.  The effects of blocking sanctions often reach beyond the parties identified by name on these lists.  By operation of OFAC’s Fifty Percent Rule (and in the EU and the UK, the ownership and control test), restrictions generally also extend to entities owned 50 percent or more in the aggregate by one or more blocked persons (or, in the case of the EU and UK, to entities owned more than 50 percent or controlled by a blocked person, with the EU indicating that aggregation is possible), whether or not the entity itself has been explicitly identified.

During 2022, the allies repeatedly used their targeting authorities to block Russian political and business elites, as well as substantial enterprises in sectors such as banking, energy, defense, aerospace, and mining seen as critical to financing and sustaining the Kremlin’s war effort.  Notable designations included:

  • Government officials, including President Vladimir Putin, as well as Russia’s foreign minister, defense minister, central bank chief, and 328 members of the Russian State Duma. Belarus’s President Alyaksandr Lukashenka was also re-designated after permitting Russian troops to launch attacks on Ukraine from Belarusian soil;
  • Prominent Russian oligarchs such as Alisher Usmanov and Vladimir Potanin and, in the European Union and the United Kingdom, Roman Abramovich;
  • Major financial institutions, including VTB Bank and Sberbank, that together represent around 80 percent of Russia’s banking sector by assets;
  • Energy firms, including Nord Stream 2 AG, the Swiss company in charge of developing a new gas pipeline between Germany and Russia; while Germany has suspended the approval process for Nord Stream 2 (disallowing its operation), notably the European Union and the United Kingdom have not followed the United States in designating Nord Stream 2 AG;
  • Defense and aerospace firms, including the state-owned defense conglomerate Rostec and the mercenary group Private Military Company Wagner, which have been instrumental in equipping and manning Russia’s military operation in Ukraine; and
  • Extractive firms such as Alrosa, the world’s largest diamond mining company and a major source of revenue for the Russian state.

Many of those U.S. designations were made under the authority of Executive Order 14024, which we discussed in depth in a previous client alert.  Importantly, E.O. 14024 authorizes blocking sanctions against persons determined to operate in certain sectors of the Russian economy determined by the Secretary of the Treasury.  Underscoring the uncertain business environment in Russia, parties in multiple sectors now operate under the threat of being added to the SDN List, including those operating in the technology, defense and related materiel, financial services, aerospace, electronics, marine, accounting, trust and corporate formation services, management consulting, or quantum computing sectors of Russia’s economy.  Moreover, OFAC has indicated that it is prepared to use its authorities to impose blocking sanctions on any non-U.S. persons otherwise involved in circumventing U.S. sanctions, solidifying Russia’s grasp on occupied regions of eastern Ukraine, or arming, equipping, or materially supporting the Russian military.

D. Export Controls

In addition to economic and financial sanctions, the United States and its allies rapidly expanded their export control regimes targeting Russia and Belarus in response to Moscow’s further invasion of Ukraine and Belarus’s support of the effort.

Significantly, the U.S. Department of Commerce’s Bureau of Industry and Security (“BIS”) imposed a license requirement on all controlled dual-use items subject to its jurisdiction when destined for, reexported to, or transferred within Russia or Belarus.  In tandem with this action, BIS expanded the scope of U.S. licensing requirements on foreign-produced items exported, reexported, or transferred within Russia or Belarus in a range of circumstances, such that:

  • Foreign-made items that incorporate more than 25 percent controlled U.S.-origin content are subject to BIS’s export licensing regime under the traditional application of the de minimis rule;
  • Foreign-made items that are the “direct product” of controlled U.S.-origin technology or software, or of a manufacturing facility or equipment derived from such controlled U.S. technology or software, and are items of a kind described on the U.S. Commerce Control List (i.e., not EAR99 items), or are items that could be used in identified industrial sectors, are subject to an export license requirement when destined for any person in Russia or Belarus;
  • Foreign-made items that would be designated EAR99 (i.e., generally not controlled) and are a “direct product” of controlled U.S.-origin technology or software, or a manufacturing facility or equipment derived from such controlled technology or software, are subject to an export license requirement when destined for any Russian or Belarusian military end user identified on the Entity List; and
  • With respect to both of those new foreign direct product rules, items produced in a partner country that has implemented substantially similar export controls on Russia and Belarus are exempt from the U.S. license requirement in order to avoid duplicate licensing efforts.

Further, BIS expanded the scope of pre-existing prohibitions related to military end users and military end uses in Russia and Belarus to cover any item subject to the U.S. Export Administration Regulations (“EAR”), including items “subject to the EAR” by operation of one of the foreign direct product rules described above.  The controls described above produced immediate impacts as Russia’s military, absent new shipments of advanced technology, reportedly was forced to retrieve low-end semiconductors from household appliances such as dishwashers and refrigerators.  For a more detailed discussion of those controls, please see our February 2022 client alert.

BIS also expanded the scope of its licensing control to include EAR99 items—that is, items that are not described by an Export Control Classification Number (“ECCN”) on the EAR’s Commerce Control List—for Russia and Belarus.  These controls largely parallel EU controls on certain targeted goods, equipment, parts, and materials for use in significant industry sectors, including oil refining (in addition to pre-existing controls on items used in oil and gas exploration and production), industrial and manufacturing activities, production of chemical and biological agents, quantum computing, and advanced manufacturing.  In addition, BIS published rules to implement a ban on “luxury goods” destined for Russia or Belarus or to sanctioned Russian or Belarusian oligarchs, regardless of their location.

The European Union and the United Kingdom have followed a similar approach, though the lists of goods targeted differ between jurisdictions.  In general terms, the EU and UK lists are organized under broad headings such as “goods which may enhance Russia’s military and technological advancement,” “goods that may enhance Russia’s industrial capabilities,” or “critical industry goods.”  The expansive headings allow the European Union and the United Kingdom to include numerous groups of seemingly unrelated items within their restrictions, adding to the complexity of these measures.

The United States has also prohibited the exportation, reexportation, sale, or supply from the United States, or by a U.S. person, of U.S. Dollar-denominated banknotes to the Government of the Russian Federation or any person located in the Russian Federation.  The European Union and the United Kingdom have imposed equivalent restrictions on the export of Euro and Sterling banknotes, respectively.

As a general matter, export license applications under the new export controls on Russia and Belarus will, except in limited circumstances, be reviewed subject to a policy of denial, essentially imposing an embargo on all U.S.-origin dual-use items, items produced with dual-use software and technology, and a broad range of non-dual-use items used in multiple industrial sectors, for Russia and its cooperating neighbor.  EU and UK authorities have taken a similar approach.

Of particular note is BIS’s aggressive use of export controls to target the Russian and Belarusian commercial aviation sectors.  In light of the wide-ranging use of U.S.-origin parts, equipment, and technology in commercial aviation applications, expanded U.S. export controls have cut off many private and commercial aircraft owned, leased, or operated by Russian or Belarusian persons from transiting to or from those countries or receiving parts or services provided by U.S. persons.  In addition, BIS has responded to the Russian government’s effective nationalization of hundreds of U.S. and European aircraft by issuing temporary denial orders against major Russian airlines and by publishing lists of aircraft that have been flown in violation of U.S. export controls, rendering transactions involving either subject to expansive prohibitions.  The EU and UK restrictions on aviation and space goods and technology have added to the logistical complexities facing the aviation sector, and have been further exacerbated by prohibitions on Russian owned, registered, controlled, or chartered aircraft entering or leaving EU and UK airspace.

To encourage compliance and identify potential evasion of the new rules described above, BIS and the U.S. Department of the Treasury’s Financial Crimes Enforcement Network (“FinCEN”) in June 2022 issued a first-of-its-kind joint alert to financial institutions urging them to apply heightened due diligence to transactions with a higher risk of facilitating export control evasion.  The joint alert includes a list of commodities that BIS has identified as presenting special concern because of their potential diversion to military applications in Russia and Belarus, including aircraft parts, cameras, global positioning systems, integrated circuits, oil field equipment, and related items, as well as a list of transshipment hubs that present diversion risks to Russia and Belarus.  It also highlights transactional “red flags” that are useful both to financial institutions and other industry participants.

E. Import Prohibitions

In addition to restricting exports to Russia, starting in March and April 2022 the United States, the European Union, and the United Kingdom banned the importation of certain Russian-origin goods—principally those consisting of items closely associated with Russia or that have the potential to generate hard currency for the Kremlin.

The Biden administration first used this particular policy tool by barring imports into the United States of certain energy products of Russian Federation origin, namely crude oil, petroleum, petroleum fuels, oils, and products of their distillation, liquified natural gas, coal, and coal products.  Intending to limit Russian revenue without driving up global energy prices, OFAC published guidance noting that Russian-origin energy products other than those specified in Executive Order 14066 remain potentially eligible for importation into the United States.  OFAC further indicated that, absent some other prohibition, such as the involvement of a blocked person, non-U.S. persons would not risk U.S. sanctions liability for continuing to import Russian-origin energy products into third countries that have not imposed such an import ban.  As Russia’s war in Ukraine continued, the Biden administration subsequently barred the importation into the United States of Russian Federation origin fish, seafood, alcoholic beverages, non-industrial diamonds, and eventually gold.  As with other Russia-related sanctions authorities, the Secretary of the Treasury has broad discretion under Executive Order 14068 to, at some later date, extend the U.S. import ban to additional Russian-origin products.

While U.S. imports from Russia historically have been minimal, the same is not true for the European Union and the United Kingdom.  Consequently, for the restrictions to be meaningful, the EU and UK import measures have had to be similarly broad—and they are.  The European Union has banned coal, crude oil and petroleum products, iron and steel products, gold and the broad category of “revenue-generating goods,” which is a catch-all for any other items the European Union may want to restrict.  The United Kingdom has prohibited the import of arms and related materiel, iron and steel products, oil and oil products, coal and coal products, liquified natural gas, gold, gold jewelry, and processed gold.  However, there remain significant differences between the transatlantic partners in this regard, reflecting their differing degrees of independence from the Russian economy and its energy sector.  Notably, the European Union and the United Kingdom have not yet restricted the import of Russian liquified natural gas.  EU Member States such as Hungary, Bulgaria, Croatia, and Czechia also negotiated exceptions to the prohibitions described above, the most notable of which has the effect of excluding crude oil delivered by pipeline from the import ban.

Furthermore, highlighting the degree of bipartisan support for limiting Russia’s access to the U.S. market, the U.S. Congress in April 2022 enacted legislation codifying into law the Biden administration’s Russian oil import ban, as well as suspending the United States’ permanent normal trade relations with Russia and Belarus, thereby exposing products originating from those two countries to increased U.S. tariffs.  Similarly, the European Union and the United Kingdom have revoked Russia’s most favored nation trading status, triggering higher tariffs.

F. New Investment Prohibitions

In parallel with efforts to restrict Russian imports into the United States, and drawing on many of the same legal authorities, the Biden administration during March and April 2022 also imposed a series of progressively broader prohibitions on new investment in the Russian Federation.

Specifically, President Biden in quick succession signed three separate Executive Orders prohibiting U.S. persons, wherever located, from making a “new investment” in the energy sector in the Russian Federation (E.O. 14066), then in any other sector of the Russian Federation economy as may be determined by the Secretary of the Treasury (E.O. 14068), and eventually on April 6, 2022 in all sectors of the Russian Federation economy (E.O. 14071).  By encompassing the entire Russian economy, the last of those three Executive Orders in effect swallows the other two.  In a sign of the blistering pace at which new trade restrictions on Russia were being rolled out during the war’s earliest phases, the business community had to wait two months after the Biden administration’s banning of all “new investment” for guidance as to what “new investment” entails.  OFAC was operating at a high cadence in rolling out new actions and did not have the bandwidth to immediately provide the guidance, frequently asked questions (“FAQs”), and other documentation that typically accompany such meaningful new measures.

In a set of FAQs released on June 6, 2022, OFAC for the first time detailed how the agency understands what does (and does not) constitute a prohibited new investment in Russia.  Broadly speaking, OFAC considers “new investment” to mean a U.S. person making a commitment of capital or other assets, on or after the effective date of the relevant Executive Order (in most cases, April 6, 2022), for the purpose of generating returns or appreciation within the Russian Federation.  OFAC interprets Executive Order 14071 as prohibiting U.S. persons from, among other things, purchasing both new and existing debt and equity securities issued by any entity located in the Russian Federation—regardless of whether the issuer is subject to blocking or sectoral sanctions and regardless of when the debt or equity was issued.  OFAC has further indicated that E.O. 14071 prohibits U.S. persons from purchasing debt and equity securities issued by any entity located outside of Russia that has certain close ties to Russia, such as deriving 50 percent or more of its revenues from investments inside the Russian Federation.

Crucially, however, OFAC has advised that the agency generally does not view the new investment prohibition as applying to ordinary course commercial transactions involving Russia, including exports or imports of goods, services, or technology, or related sales or purchases.  Notably for multinational enterprises, U.S. persons may continue to fund, but not expand, their existing subsidiaries and affiliates located in Russia.  U.S. persons may continue to hold previously acquired securities of non-sanctioned Russian issuers and may also divest such securities, subject to certain conditions.  Such divestment transactions are potentially permissible, provided that the transaction does not involve a blocked person, the ultimate buyer is a non-U.S. person, and the transaction is not otherwise prohibited by OFAC.  Notwithstanding those and other exceptions, the U.S. prohibition on new investment in the Russian Federation further complicates an already challenging local business environment and, by barring new or expanded operations, is likely to encourage multinational companies’ continued flight from Russia.  This self-sanctioning by private actors was not a part of the well-laid sanctions plan that the coalition developed in the run-up to the February 2022 attack.  Indeed, in recent weeks, the United States especially has redoubled efforts to emphasize that it desires certain businesses to remain in Russia despite the breadth of sanctions and related restrictions.

The United Kingdom’s approach to investment restrictions has been equally broad, while the European Union has taken a more limited approach of strictly banning investment in the energy sector in Russia, as well as the Russian mining and quarrying sector, while carving out exceptions for certain raw materials.

G. Services Prohibitions

As the Kremlin’s war in Ukraine stretched on, the United States, the European Union, and the United Kingdom in May and September 2022 reached deeper into their respective policy toolkits to ban the exportation to Russia of certain professional and technological services.

Executive Order 14071—the broad and flexible legal authority that underpins many of the U.S. Government’s later trade restrictions on Russia—prohibits the exportation from the United States, or by a U.S. person, of any category of services as may be determined by the Secretary of the Treasury, to any person located in the Russian Federation.  Acting pursuant to that authority, the United States during 2022 barred U.S. exports to Russia of accounting, trust and corporate formation, and management consulting services, as well as quantum computing services.  The rationale for targeting those particular services—the provision of which is also potentially grounds for designation to the SDN List—appears to be a U.S. policy interest in denying Moscow access to services with the potential to enable sanctions evasion or bolster the Russian military.

Although the U.S. services bans contain exceptions, such as permitting the provision of services to entities located in Russia that are owned or controlled by U.S. persons, OFAC otherwise interprets those measures in a very broad manner.  For example, the agency has noted that, for the purposes of E.O. 14071, the term “accounting services” includes “services related to the measurement, processing, and evaluation of financial data about economic entities.”  The term “management consulting services” includes, among other activities, “services related to strategic business advice.”  In light of the prohibitions’ seemingly unbounded reach, many leading professional services firms—whose offerings are key to operating a multinational business—have opted to withdraw from the Russian market rather than risk triggering U.S. sanctions.

The European Union and the United Kingdom have imposed equally wide-ranging services prohibitions.  The European Union has restricted the provision of accounting, auditing, bookkeeping and tax consulting, business and management consulting, public relations, information technology consulting, architectural and engineering, legal advisory, market research, public opinion polling, advertising, and technical testing and analysis services.  Both jurisdictions also restricted trust and corporate formation services—which have historically been key tools for wealthy Russians to shield their assets.

Despite core similarities across the three jurisdictions, the applicable exceptions differ in important ways.  Most notably, the European Union allows for these services to be provided to Russian entities that are owned by, or solely or jointly controlled by, an entity incorporated under the laws of an EU or European Economic Area Member State, Switzerland, the United Kingdom, the United States, South Korea, or Japan.  Meanwhile, the United Kingdom allows for certain exceptions in relation to compliance with UK statutory or regulatory obligations.

Within the financial services sector, the United Kingdom prohibited its financial institutions from establishing correspondent banking relationships with designated persons, and proceeded to designate all major Russian banks.  To further tighten access to its financial infrastructure, the European Union implemented restrictions relating to deposits being held by EU credit institutions, such that Russian natural or legal persons and entities directly or indirectly owned more than 50 percent by them cannot make deposits greater than 100,000 Euros.  A prohibition on the provision of crypto-asset wallet, account, or custody services, regardless of the value of the assets, also applies in the European Union.  The United Kingdom has not implemented equivalent measures, but it has subjected crypto-asset exchange providers and custodian wallet providers to strict reporting obligations.

In late 2022 and early 2023, the allies also introduced new and ambitious forms of services bans, discussed more fully below, designed to cap the price of seaborne Russian crude oil and petroleum products.

H. Price Cap on Crude Oil and Petroleum Products

To minimize the Kremlin’s ability to profit from surging energy prices stemming from its invasion of Ukraine, the G7 countries in September 2022 committed to impose a novel measure to squeeze Russia’s chief source of revenue—a price cap on Russian-origin crude oil and petroleum products.

Effective December 5, 2022, the United States, Canada, France, Germany, Italy, Japan, and the United Kingdom, alongside the European Union and Australia (collectively, the “Price Cap Coalition”), prohibited the provision of certain services that support the maritime transport of Russian-origin crude oil from Russia to third countries, or from a third country to other third countries, unless the oil has been purchased at or below a specified price.  A separate price cap with respect to Russian-origin petroleum products became effective on February 5, 2023.  The types of services that are potentially restricted vary modestly among the Price Cap Coalition countries, but generally include activities such as brokering, financing, and insurance.  A detailed analysis of the price cap, and how it is being implemented by key members of the Price Cap Coalition, can be found in our previous client alert.

From a policy perspective, the price cap is intended to curtail Russia’s ability to generate revenue from the sale of its energy resources, while still maintaining a stable supply of these products on the global market.  The measure is also designed to avoid imposing a blanket ban on the provision of all services relating to the transport of Russian oil and petroleum products, which could have far-reaching and unintended consequences for global energy prices.  Accordingly, the price cap functions as an exception to an otherwise broad services ban.  Best-in-class maritime service providers, which are overwhelmingly based in Price Cap Coalition countries, are permitted to continue supporting the maritime transport of Russian-origin oil and petroleum products, but only if such oil or petroleum products are sold at or below a certain price.

In order to steer clear of a potential enforcement action, service providers from Price Cap Coalition countries that deal in seaborne Russian oil or petroleum products will need to be able to provide certain evidence that the price cap was not breached in regard to the shipment that they are servicing.  For example, the United States, United Kingdom, and European Union have each set forth a detailed attestation process by which maritime transportation industry actors can benefit from a “safe harbor” from prosecution arising out of violations by third parties.  By obtaining price information or an attestation from relevant counterparties, ship owners, charterers, insurers, financial institutions, and others throughout the maritime supply chain may substantially mitigate their risk of non-compliance arising out of misrepresentations or evasive actions taken by third parties in violation of the price cap programs.  Relevant authorities in those three jurisdictions have indicated that compliance with the recordkeeping and attestation framework will generally shield a service provider from the otherwise strict liability regime.

It remains to be seen whether other countries will eventually join the Price Cap Coalition or agree to implement similar restrictions in the future, which could create additional complexity in the global energy supply chain where Russian-origin oil or petroleum products are involved.  As of this writing, the price cap seems to be having a modest impact on Russian oil revenues.  In setting the initial price cap on Russian-origin crude oil at $60 per barrel—above the prevailing market price for Russian Urals—policymakers appear to have offered maritime service providers a gentle introduction to a novel and complex policy instrument.  As market participants become more familiar with the mechanics of the price cap, the Price Cap Coalition may periodically ratchet down the relevant price caps to further squeeze Russian energy revenue.

I. Possible Further Trade Controls on Russia

Although leading democracies during 2022 introduced a dizzying array of trade restrictions on Russia, the coalition has not yet exhausted its policy toolkit.  The allies could, in coming months, further increase pressure on the Kremlin by imposing blocking sanctions on yet more Russian banks and Russian elites, including especially oligarchs whose vast business interests may offer inviting targets.  In the event of a substantial new provocation by Moscow, it is not out of the question that the Biden administration could follow the model developed in Venezuela by imposing blocking sanctions on the entirety of the Government of the Russian Federation.

Officials in Washington and Brussels have also begun to weigh how to fund Ukraine’s eventual reconstruction.  Building on initiatives such as the U.S. Department of Justice’s Task Force KleptoCapture and the multilateral Russian Elites, Proxies, and Oligarchs Task Force, which are pursuing seizure and forfeiture of certain assets belonging to sanctioned parties if they meet legal standards beyond the fact that they are sanctioned, the United States could potentially move to deploy forfeited Russian assets to aid Kyiv.  Similarly, the European Commission has been exploring options to pay for the reconstruction of Ukraine with investment proceeds derived from Russian assets currently frozen in the European Union.  As we have noted elsewhere, in the United States any effort to redirect private assets—or, more controversially, Russian sovereign assets—would likely require an act of Congress to reduce the not insignificant legal difference and distance between sanctions and seizures, suggesting that any such initiative is unlikely to materialize in the near term.

Finally, the United States, the European Union, and the United Kingdom have so far resisted calls to label Russia a state sponsor of terrorism, or, in the case of the United States, to impose secondary sanctions, citing the risk of fracturing the coalition by penalizing companies based in allied jurisdictions for their dealings involving Russia.  The European Parliament has called on EU Member States to work toward the introduction of a legal framework to designate state sponsors of terrorism, so that Russia can be so designated.  As noted above, the United States and its allies, while imposing extensive restrictions on Moscow, have also stopped short of comprehensive sanctions and export controls like the U.S. measures that presently apply to Cuba, Iran, North Korea, Syria, and certain Russian-occupied regions of Ukraine.  Although those sorts of draconian restrictions do not appear to be imminent, the United States and its allies could quickly reconsider such measures in the event of a complete breakdown in relations with Moscow—for example, if the Kremlin were to use nuclear weapons in Ukraine.

II. U.S. Trade Controls on China

Russia’s invasion nearly overshadowed what otherwise would have been the principal trade story of the year: continuing high tensions between Washington and Beijing.  During 2022, the Biden administration deployed both traditional and innovative trade restrictions to counter China’s continued troubling activities at home and worrying ambitions abroad.  In the U.S. National Security Strategy released in October 2022, the Biden administration squarely addressed the ongoing geopolitical competition between the United States and China, labeling Beijing “the only competitor with both the intent to reshape the international order and, increasingly, the economic, diplomatic, military, and technological power to advance that objective.”  This stark characterization reflects an emerging bipartisan consensus among top U.S. officials and most members of Congress that China represents a “pacing challenge” to certain U.S. national interests, particularly technological leadership.

In a sea change from longstanding U.S. aversion to state industrial policy, the United States over the past year embraced a protectionist-leaning “modern industrial and innovation strategy” to counteract China’s influence on the world stage, including through:

  • The promulgation of import restrictions on Chinese goods linked to forced labor;
  • The passage of multiple legislative packages to incentivize U.S. technological competitiveness;
  • The imposition of sweeping export controls on certain advanced integrated circuits, semiconductor manufacturing equipment, and supercomputers involving China;
  • The furthering of multilateral efforts to limit China’s technological capabilities; and
  • The continuation and enhancement of scrutiny of proposed Chinese investments in the United States.

A. Uyghur Forced Labor Prevention Act

The Uyghur Forced Labor Prevention Act (“UFLPA”) was enacted in December 2021 to deny certain goods produced in China’s Xinjiang Uyghur Autonomous Region (“Xinjiang”) access to the U.S. market, primarily through the imposition of a rebuttable presumption that all goods mined, produced, or manufactured even partially within Xinjiang are the product of forced labor and are therefore not entitled to entry at U.S. ports.  This rebuttable presumption took effect on June 21, 2022.  Throughout the second half of 2022, vigorous enforcement of the UFLPA by U.S. Customs and Border Protection (“CBP”)—which is a unit of the U.S. Department of Homeland Security—led to a substantial volume of goods being denied clearance at various U.S. ports as many suppliers scrambled to trace complete supply chains to ensure compliance.

Guidance released by CBP in June 2022 highlighted cotton, tomatoes, and polysilicon as high-priority sectors for enforcement, but CBP’s targeting has since expanded to include products that incorporate polyvinyl chloride (commonly known as PVC) and aluminum—with the latter a precursor to potentially restricting the import of automobile parts.  The U.S. Department of Homeland Security has also named over 30 entities to its UFLPA Entity List, as a result of which those entities’ products and services are presumed to be made with forced labor and are prohibited from entry into the United States.

As described in more detail in our 2021 Year-End Sanctions and Export Controls Update, as well as a separate June 2022 client alert, importers of any products that may be suspected to incorporate inputs sourced from Xinjiang, from any entity listed on the UFLPA Entity List, or from companies participating in any one of several of China’s “anti-poverty alleviation” programs should be aware of the new supply chain tracing requirements necessary to demonstrate that the imports are not subject to the rebuttable presumption.

B. Technological Competitiveness Legislation

Alongside efforts to restrict imports that present potential human rights concerns, a key pillar of the Biden administration’s trade policy with respect to China has involved a turn inward by the United States and toward a nationalist industrial policy, including directly subsidizing industries critical to U.S. supply chains and national security.  Consistent with the White House’s National Security Strategy—which describes strategic public investment as “the backbone of a strong industrial and innovation base in the 21st century global economy”—the U.S. Congress during 2022 adopted two massive legislative packages that, among other things, direct billions of dollars toward boosting domestic manufacturing.

The CHIPS and Science Act (the “CHIPS Act”), signed into law by President Biden in August 2022, took significant steps—including authorizing $280 billion in spending—to address underlying national security concerns regarding the longstanding offshoring of critical technological capabilities, a situation highlighted during the pandemic, which saw significant supply chain disruptions (in part because of China’s “Zero COVID” policy) and exposed the fact that almost all personal protective equipment the United States needed was made in China.  In addition to incentivizing investment in U.S. semiconductor manufacturing through more than $50 billion of direct government subsidies, the CHIPS Act also includes guardrails to prevent U.S. companies that receive subsidies under the Act from engaging in significant transactions involving “the material expansion of semiconductor manufacturing capacity in the People’s Republic of China or any other foreign country of concern.”  This legislation marked a historic departure for the U.S. Government, which until recently had not significantly restricted private companies’ strategies for offshoring and outsourcing technology outside traditional export control regimes.  Following passage of the CHIPS Act, major semiconductor makers quickly broke ground on new facilities located in the United States.

That same month, President Biden signed into law the Inflation Reduction Act of 2022 to boost domestic energy production and manufacturing, as well as to provide direct funding to support the transition to renewable energy sources and to secure domestic energy supply chains.  In an effort to relocate electric-vehicle supply chains from China to the United States, the Inflation Reduction Act includes billions of dollars in subsidies for electric vehicles assembled in North America—a move that has rankled close U.S. allies in Europe who roundly have criticized the measure as protectionist and discriminatory against European goods.  The European Commission in January 2023 released its Green Deal Industrial Plan, building on the pre-existing RePowerEU initiative and the European Green Deal, to enhance the competitiveness of Europe’s net-zero industry.  We expect that the EU response to the Inflation Reduction Act will be further developed during 2023.

In September 2022, President Biden signed an Executive Order directing the investment of another $2 billion into strengthening domestic biotechnology and biomanufacturing supply chains through the National Biotechnology and Biomanufacturing Initiative, further exemplifying the current administration’s approach to identifying and directly supporting supply chains across various industries deemed critical for national security.

C. Export Controls

1. Controls on Advanced Computer Chips

Controlling the manufacture, supply, and export of certain advanced technologies has become a core feature of the U.S. Government’s evolving trade policy toward Beijing.  As we discuss in a recent article, the U.S. Government has over the past year employed a variety of methods to strengthen control over strategic supply chains and to limit the export of these key technologies to strategic competitors, including China.

Consistent with its traditional authorities, BIS on August 15, 2022 issued an interim rule to implement new controls on four so-called Section 1758 technologies—named after the section of the Export Control Reform Act of 2018 that tasked the agency with regulating emerging and foundational technologies.  As discussed in Section IV.A, below, that measure imposes new restrictions on certain ultra-wide bandgap semiconductors and certain emerging electronic computer aided design software.  Both of these restrictions were imposed in a clear effort to limit the ability of U.S. adversaries to produce advanced technologies.

Also in August 2022, BIS used the “is informed” provision of the Military End Use / User (“MEU”) Rule to, without any formal rulemaking process, privately inform parties that a license is required for exports of specified items due to an “unacceptable risk of use in or diversion to a ‘military end use’ or a ‘military end user.’”  A party that receives such a notice is prohibited from exporting the specified items to destination countries identified in the notice without BIS licensing, and such export license applications are subject to a presumption of denial.  News reports indicate that BIS leveraged that little-used regulatory provision to, on short notice, restrict at least two U.S.-based semiconductor companies from exporting to China and Russia certain advanced integrated circuits and associated technology commonly used in sophisticated artificial intelligence applications over concerns that the chips could be diverted to a military end use or end user.  Although BIS maintains a policy of not publicly commenting on such restrictions on private parties, these sudden and closely targeted controls led observers to speculate that further restrictions were close at hand.

2. Controls on Advanced Computing Integrated Circuits, Semiconductor Manufacturing Equipment, and Certain Items Used to Develop Supercomputers

On October 13, 2022, BIS announced groundbreaking and far-reaching controls on advanced computing integrated circuits (“ICs”), computer commodities that contain such ICs, and certain semiconductor manufacturing items destined for China.

As discussed at length in our recent client alert, these new regulations appear calculated to create an effective embargo against providing to China the technology, software, manufacturing equipment, and commodities that are used to make certain advanced computing ICs and supercomputers; to curtail China’s use of these targeted items in the development of weapons of mass destruction, artificial intelligence, supercomputing-enhanced war fighting, and technologies that enable violations of human rights; and to combat China’s “military-civil fusion” development strategy.  These complex regulations caused significant upheaval in the affected industries as they were implemented over a two-week period in October 2022 and increased the prospect of other potential efforts to decouple advanced technology supply chains that still link the United States and China.

At the heart of these new export controls is BIS’s addition to the Commerce Control List of new and revised Export Control Classification Numbers (“ECCNs”).  These new ECCNs control certain semiconductor manufacturing equipment and specially designed parts, components, and accessories; specified high-performance ICs; certain computers, electronic assemblies, and components containing such ICs; and associated software and technology.  The accompanying new Regional Stability (“RS”) controls apply specifically to these goods when they are destined for the People’s Republic of China (“PRC”)—a destination control that now also includes Hong Kong and, as of January 17, 2023, Macau.  Separately, new Antiterrorism (“AT”) controls were also announced at the same time, which further restrict the export of these commodities and associated technology to such highly controlled destinations as Iran, North Korea, and Syria.

BIS also introduced two new foreign direct product (“FDP”) rules and expanded another.  Foreign direct product rules expand the scope of U.S. export controls to certain foreign-produced items that are derivative of specified U.S. software and technology.  The contours of each FDP rule are unique, but in the case of the new rules targeting China, the FDP rules have been expanded to effectively cut off China’s access to certain foreign-produced advanced ICs, semiconductor manufacturing equipment, and items used to develop and maintain supercomputers.  The new advanced computing FDP rule brings within the scope of U.S. export controls certain foreign-produced advanced computing items destined for the PRC, as well as certain technology developed by an entity headquartered in the PRC for the production of a mask or an IC wafer or die.  Similarly, the new supercomputer FDP rule expands U.S. export controls to certain foreign-produced items used in the design, development, production, operation, installation (including on-site installation), maintenance (checking), repair, overhaul, or refurbishing of a “supercomputer” (as specifically defined within the regulations) located in or destined for the PRC, in addition to any such items that will be incorporated into or used in the development or production of parts, components, or equipment that will eventually be used in a supercomputer located in or destined for the PRC.  Importantly, the current definition of “supercomputer” captures certain data centers that meet the definitional parameters, exemplifying the broad scope of these new controls.

Finally, the new controls expand the pre-existing Entity List FDP rule—originally aimed at restricting the flow of certain foreign-produced items to Huawei and its affiliates—to restrict certain foreign-produced items to an additional 28 China-based entities already designated to the Entity List over the past several years for their alleged participation in nuclear and other weapons of mass destruction proliferation, as well as surveillance and other human rights abuses.

New license requirements are also in place for certain items that fall under U.S. export controls for which the exporter has knowledge (defined to cover actual knowledge and an awareness of a high probability, which can be inferred from acts constituting willful blindness) that the item will be used in certain activities (1) associated with the development or maintenance of a “supercomputer” in or destined for China, or associated components or equipment, or (2) destined for end use in semiconductor fabrication facilities in China that fabricate certain ICs (or for which the exporter does not know if the facility manufactures the specified ICs).  The ICs specifically targeted by these new restrictions are some of the most advanced ICs presently in existence, including:  (1) logic integrated circuits using a non-planar transistor architecture or with a production technology node of 16/14 nanometers or less; (2) NOT AND (“NAND”) memory integrated circuits with 128 layers or more; and (3) dynamic random-access memory (“DRAM”) integrated circuits using a production technology node of 18 nanometer half-pitch or less.

Perhaps the most far-reaching feature of these new export controls is the set of restrictions BIS has placed on the activities of U.S. persons, even when their activities do not involve controlled U.S.-origin items.  Broadly speaking, U.S. persons, including dual nationals and lawful permanent residents of the United States, wherever located, must now apply for licenses to facilitate or engage in shipping, transmitting, or transferring to or within China certain items that are not otherwise captured under U.S. export controls as follows:

  • Prohibition Category 1: Any item not “subject to the EAR” that the individual or entity knows will be used in the development or production of ICs at a semiconductor fabrication facility located in China that fabricates certain ICs such as advanced logic, NAND, and DRAM ICs; or in the servicing of any such items;
  • Prohibition Category 2: Any item not subject to the EAR and meeting the parameters of any ECCN in Product Groups B, C, D, or E in Category 3 of the Commerce Control List that the individual or entity knows will be used in the development or production of ICs at any semiconductor fabrication facility located in China, but for which the individual or entity does not know whether such semiconductor fabrication facility fabricates certain ICs such as advanced logic, NAND, and DRAM ICs; or in the servicing of any such items; and
  • Prohibition Category 3: Any item not subject to the EAR and meeting the parameters of ECCNs 3B090, 3D001 (for 3B090), or 3E001 (for 3B090) regardless of the end use or end user; or in the servicing of any such items.  Notably, there is no accompanying knowledge qualifier associated with this prohibition.

BIS subsequently released limited guidance concerning the application of these new rules, including important clarifications such as the definition of “facility” and excluding certain administrative and clerical activities from the new licensing requirement.  Additionally, to minimize supply chain disruptions, BIS issued a temporary general license to permit companies headquartered in the United States or in a subset of other countries to continue exporting certain ICs and associated software and technology for specified purposes to their affiliates and subsidiaries located in China through April 7, 2023.

BIS is expected to review the need to impose this range of new export control restrictions on other sector supply chains, including those supporting quantum computing and certain kinds of biotechnology.  Although White House National Security Advisor Jake Sullivan famously summarized the U.S. approach to protecting critical technologies as “small yard, high fence,” as a practical matter, the complex global supply chains involved in producing the most advanced chips and quantum computers will necessitate multilateral coordination to erect any such barrier.

3. Multilateral Controls

In an effort to further restrict China’s access to such critical technologies, the Biden administration has engaged in extensive diplomatic efforts to encourage closely allied countries to adopt similar controls on chip-making equipment.  News reports of an agreement among the United States, the Netherlands, and Japan—countries that are home to some of the world’s most advanced semiconductor equipment manufacturers—suggest that such multilateral controls are imminent.  While sweeping, the new export controls on China can only extend so far under U.S. law, and the Biden administration has made clear that multilateral coordination is necessary to counter Chinese technological advances in critical technological fields.

4. China-Related Entity List and Unverified List Designations

While new tools received much of the attention, in 2022 traditional export controls remained a core element of U.S. efforts to counter Beijing as a strategic competitor as the Biden administration again made frequent use of the longstanding Entity List and Unverified List to target China-based entities.  As noted in our 2021 Year-End Sanctions and Export Controls Update, the expanding size, scope, and profile of the Entity List have begun to rival OFAC’s SDN List as a tool of first resort when U.S. policymakers seek to wield coercive authority, especially against significant economic actors in major economies.  Indeed, in a break from past practice, in 2022 the Biden administration often looked first to BIS to effect its China policy rather than to OFAC and its SDN List.  Among the more than 60 Chinese entities added to the Entity List during 2022 were numerous organizations associated with advanced ICs and semiconductors such as Yangtze Memory Technologies (“Yangtze Memory”) and Hefei Core Storage Electronic Limited.

Entities can be designated to the Entity List upon a determination by the End-User Review Committee (“ERC”)—which is composed of representatives of the U.S. Departments of Commerce, State, Defense, Energy and, where appropriate, the Treasury—that the entities pose a significant risk of involvement in activities contrary to the national security or foreign policy interests of the United States.  Much like being added to the SDN List, the level of evidence needed to be included on the Entity List is minimal and far less than the “beyond a reasonable doubt” standard that U.S. courts use when assessing guilt or innocence.  Despite this, the impact of being included on the Entity List can be catastrophic.  Through Entity List designations, BIS prohibits the export of specified U.S.-origin items to designated entities without BIS licensing.  BIS will typically announce either a policy of denial or ad hoc evaluation of license requests.  The practical impact of any Entity List designation depends in part on the scope of items BIS defines as subject to the new export licensing requirement, which could include all or only some items that are subject to the EAR.  Those exporting to parties on the Entity List are also precluded from making use of any BIS license exceptions.  However, because the Entity List prohibition applies only to exports of items that are “subject to the EAR,” even U.S. persons are still free to provide many kinds of services and to otherwise continue dealing with those designated in transactions that occur wholly outside of the United States and without items subject to the EAR.

The ERC has over the past several years steadily expanded the bases upon which companies and other organizations may be designated to the Entity List.  In the case of the Chinese entities designated this year, reasons given included engaging in proliferation activities, providing support to Russia’s military and/or defense industrial base, engaging in deceptive practices to supply restricted items to Iran’s military, and attempting to acquire U.S.-origin items in support of prohibited military applications.  Notably, in December 2022, 35 Chinese entities (plus one related entity in Japan) were designated to the Entity List for a variety of reasons, including among them, acquiring or attempting to acquire U.S.-origin items to support China’s military modernization.

Throughout the year, BIS also made extensive use of the Unverified List to motivate named entities to comply with end-use checks.  A foreign person may be added to the Unverified List when BIS (or U.S. Government officials acting on BIS’s behalf) cannot verify that foreign person’s bona fides (i.e., legitimacy and reliability relating to the end use and end user of items subject to the EAR) in the context of a transaction involving items subject to the EAR.  This situation may occur when BIS cannot satisfactorily complete an end-use check, such as a pre-license check or a post-shipment verification, for reasons outside of the U.S. Government’s control.  Any exports, reexports, or in-country transfers to parties named on the Unverified List require the use of an Unverified List statement, and Unverified List parties are not eligible for license exceptions under the EAR that would otherwise be available to those parties but for their designation to the list.

As discussed in greater detail in Section IV.A, below, BIS has implemented a new two-step process whereby companies that do not complete requested end-use checks within 60 days will be added to the Unverified List, and if those companies are added to the Unverified List due to the host country’s interference, after a subsequent 60 days of the end-use check not being completed, the company on the Unverified List will be transferred to the Entity List.  In conjunction with the announcement of this new policy on October 13, 2022, 31 Chinese entities were added to the Unverified List, including Yangtze Memory, which, as discussed above, was subsequently moved to the Entity List for presenting a risk of diversion of U.S.-origin items to Entity List parties.  Cooperation with end-use checks was also rewarded, with dozens of Chinese entities being removed from the Unverified List throughout the year, including 26 entities on December 16, 2022, after BIS was able to verify their bona fides.  Moving forward, we expect the U.S. Government to continue its use of both the Entity List and Unverified List to target additional China-based entities that it finds pose risks to U.S. national security and foreign policy interests.

D. Defense Department List of Chinese Military Companies

The U.S. Department of Defense is required by Section 1260H of the National Defense Authorization Act for Fiscal Year 2021 to publish, and periodically update, a list of “Chinese military companies” operating directly or indirectly in the United States.  On October 5, 2022, the Defense Department released its most recent update to the Section 1260H List, which identifies 13 additional PRC-based entities, including facial-recognition software developer CloudWalk Technology, as having links to the Chinese military.  Inclusion on the Section 1260H List triggers certain U.S. Government procurement-related restrictions on the listed entities and on contractors that may use certain of their products and services, and can serve as a precursor to designation to other restricted party lists maintained by the U.S. Government such as OFAC’s Non-SDN Chinese Military-Industrial Complex Companies (“NS-CMIC”) List (which restricts U.S. person investments in certain publicly traded securities) or the U.S. Department of Commerce’s Military End User List (which restricts exports of certain U.S.-origin items).  At the very least, companies named by the Defense Department appear to be on the U.S. Government’s radar and may be at elevated risk of becoming subject to such trade restrictions in the future.  Many of our clients also use inclusion on the Section 1260H List as a “red flag” for potential diversion to military end uses and end users.

E. Investment Screening

In conjunction with export controls, the Biden administration, acting through the Committee on Foreign Investment in the United States (“CFIUS” or the “Committee”), continued to closely scrutinize acquisitions of, and investments in, U.S. businesses by Chinese investors.  CFIUS is reliant on its expanded powers provided under the Foreign Investment Risk Review Modernization Act of 2018, which we analyzed in an earlier client alert.  As discussed more fully in Section V.A, below, CFIUS appears to be especially focused on identifying non-notified transactions involving Chinese acquirors (i.e., transactions that have already been completed and which were not brought to CFIUS’s attention), including through use of the Committee’s increased monitoring and enforcement capabilities.

During calendar year 2021, the most recent period for which data is available, Chinese investors largely eschewed the CFIUS short-form declaration process, filing only one declaration with the Committee.  China’s 2021 numbers are also consistent with the period from 2019 to 2021, during which Chinese investors submitted 86 notices, but only 9 declarations.  This apparent preference of Chinese investors to forgo the short-form declaration in favor of the prima facie lengthier notice process may indicate a calculus that, amid U.S.-China geopolitical tensions, the likelihood of the Committee clearing a transaction involving a Chinese investor through the scaled-down declaration process is quite low.

In addition to the Committee’s purview over inbound investments, there is growing momentum to establish a new outbound investment screening mechanism to restrict U.S. investments abroad.  As discussed in Section V.D, below, both the White House and the U.S. Congress have advanced proposals to establish such a regime.  Although the scope and contours of an outbound screening mechanism remain uncertain, should one materialize it is highly likely that the Biden administration—whether or not it mentions Beijing by name—would begin by restricting U.S. investments in sectors of China’s economy deemed critical to U.S. national security such as artificial intelligence and semiconductor manufacturing.

III. U.S. Sanctions

A. Iran

Amid continuing advances in Iran’s nuclear program, Washington and Tehran entered 2022 with limited prospects for a return to the Joint Comprehensive Plan of Action (“JCPOA”), the 2015 Iran nuclear agreement that the Trump administration renounced in 2018.  As the year progressed, any hopes for a return to negotiations faded further as Iran shipped arms to Russia in support of the war in Ukraine and cracked down on street protests at home following the September 2022 death of Mahsa Amini at the hands of Iran’s Morality Police.  With a return to the JCPOA seemingly not on the table any time soon, OFAC accelerated the pace of new Iran-related sanctions designations during the second half of 2022, and issued an expanded general license designed to facilitate ordinary Iranians’ ability to access the internet.

In an effort to limit one of Tehran’s key sources of revenue, OFAC in June, July, August, September, and November 2022 added dozens of parties to the SDN List for their involvement in the Iranian petroleum and petrochemicals trade.  Underscoring the extent of the Biden administration’s concerns about Iranian actors supplying unmanned aerial vehicles (“UAVs”) to Russia for use in conducting attacks in Ukraine, including on civilian infrastructure, OFAC announced waves of UAV-related designations in September and November 2022, and again in January and February 2023.  The U.S. Government also warned that “OFAC is prepared to use its broad targeting authorities against non-U.S. persons that provide ammunition or other support to the Russian Federation’s military-industrial complex,” suggesting that additional designations related to shipments of Iranian UAVs to Russia may be on the horizon.

After widespread street protests erupted in September 2022 following Mahsa Amini’s death, the Biden administration announced nine rounds of sanctions targeting Iranian government officials and entities for their involvement in violence against peaceful demonstrators or restricting Iranians’ internet access.  Among those designated were Iran’s Morality Police, as well as the country’s prosecutor general and interior minister.  More designations of leading members of Iran’s security apparatus are likely in 2023.

As part of its suppression of protests, the Iranian government cut off internet access to the vast majority of its citizens, presumably to limit discussion of the regime’s brutal crackdown and to curtail access to organizing tools.  In the wake of these restrictions by the Islamic Republic, the United States in September 2022 announced the issuance of Iran General License (“GL”) D-2, which expands the scope of permitted exports to Iran of certain software, hardware, and services incident to internet-based communications.  As we described in an earlier client alert, GL D-2 supersedes and replaces a years-old general license with the aim of expanding internet access for Iranians.  As described by the U.S. Department of State, the expanded flow of information enabled by the license is designed to “counter the Iranian government’s efforts to surveil and censor its citizens” and “make sure the Iranian people are not kept isolated.”

Whereas now-superseded GL D-1 only permitted software “necessary to enable” internet communications, GL D-2 permits the exportation of software that is “incident to” or “enables” internet communications.  And unlike GL D-1, there is no requirement that the internet-based communications be “personal,” which was a sticking point and compliance burden for the private sector.  Among the ways that GL D-2 makes it easier for Iranians to get online, U.S. officials have noted that “most importantly [this] expands the access of cloud-based services,” so that virtual private networks, or VPNs, and anti-surveillance tools can be delivered to Iranians via the cloud.  As a practical matter, GL D-2 opens the door for technology companies to export tools and technologies that are listed in or covered by the license, which have the potential to enable ordinary Iranians to more easily access information online and use the internet to communicate with others inside and outside the country.

B. Syria

Consistent with OFAC’s longstanding commitment that sanctions should be reversible in response to changes in circumstances or a target’s behavior, OFAC during 2022 modestly eased sanctions under two of its most restrictive programs targeting Syria and Venezuela.

With respect to Syria, in May 2022, OFAC issued a general license authorizing U.S. persons to engage in transactions that are ordinarily incident and necessary to activities in 12 specified economic sectors in four regions of northeast and northwest Syria that are presently outside the control of the regime of Syria’s President Bashar al-Assad.  Sectors covered by the license include, among others, agriculture, telecommunications, power grid infrastructure, construction, manufacturing, and trade—all of which appear to be key to eventually building a sustainable postwar economy.

This policy change aimed to mitigate growing economic instability and to undercut support for Islamic State of Iraq and Syria (“ISIS”) militants.  As described by the U.S. Department of State, economic instability makes non-regime held areas of Syria “vulnerable to exploitation by terrorist groups, especially ISIS.”  Easing sanctions on select industries in those regions is therefore intended to boost “commercial activity and investment” and, as a result, “reduce the likelihood of ISIS’s resurgence by combatting the conditions that enable its recruitment efforts and its support networks.”

Importantly, Syria remains a comprehensively sanctioned jurisdiction.  As such, U.S. persons are, except as authorized by OFAC and BIS, generally prohibited from engaging in transactions involving Syria or its government.  Although Syria General License 22, by virtue of its limitation to particular industries and regions, represents at most an incremental easing of those restrictions, it also potentially hints at the direction of travel of U.S. policy.  In particular, this authorization raises the possibility that OFAC may be amenable to further easing of sanctions on Syria in the future—for example, if the Assad regime were to lose control over additional territory or take meaningful steps toward a political settlement to end the country’s decade-long civil war.

C. Venezuela

On November 26, 2022, the regime of Venezuela’s President Nicolás Maduro resumed negotiations in Mexico City with the country’s democratic opposition, in a move cautiously welcomed by the Biden administration.  As part of the renewed talks, the two sides signed a humanitarian agreement on education, health, food security, flood response, and electricity programs, and agreed to continue negotiations concerning presidential elections scheduled for 2024.

Following the renewed negotiations and the humanitarian agreement, OFAC issued Venezuela General License 41, which represents the first substantial de-escalation in the U.S. pressure campaign on the Maduro regime since 2018, when the former Trump administration prohibited virtually all U.S. nexus dealings involving Venezuela’s crucial oil sector.

In particular, GL 41 authorizes certain transactions related to the operation and management by one named U.S. energy company of its joint ventures in Venezuela involving the state-owned oil company Petróleos de Venezuela, S.A. (“PdVSA”), including:  the production and lifting of petroleum or petroleum products produced by its joint ventures; the importation into the United States of such petroleum or petroleum products, provided they are first sold to the U.S. company or its subsidiaries; and the purchase and importation into Venezuela of goods or inputs related to the above activities such as diluents.  Highlighting OFAC’s limited and incremental approach to Venezuela sanctions relief, GL 41 excludes from its authorization, among other things, sales of petroleum or petroleum products for exportation to any jurisdiction other than the United States, as well as certain payments to the Government of Venezuela.

Following the issuance of GL 41 in late November 2022, news reports indicated that OFAC could soon grant a similar license to a second U.S.-based energy company with substantial claims against the Venezuelan state.  In light of the Biden administration’s apparent success at bringing the Maduro regime to the negotiating table, the United States may further ease sanctions on Venezuela in the coming year.  However, any such policy changes are contingent on the outcome of the Mexico City talks between the Maduro regime and the country’s fractious opposition, as well as on tangible steps by the Maduro regime toward holding free and fair elections and making good on its commitments to ease the humanitarian situation in Venezuela.

D. Nicaragua

In 2018, OFAC launched a new Nicaragua sanctions program pursuant to Executive Order 13851 in response to President Daniel Ortega’s attacks on democratic institutions and violent responses to civil protests.  After remaining narrowly circumscribed during its early years—involving designations of a small number of government officials, as well as members and close associates of the ruling Ortega family—the Nicaragua sanctions program expanded considerably during 2022 as the Biden administration designated more economically consequential actors and laid the groundwork to potentially impose restrictions on broader segments of Nicaragua’s economy.

In January 2022, following sham elections in which the Ortega regime detained seven rival political candidates and dozens of pro-democracy activists, OFAC designated two telecommunications regulators for state censorship and misinformation, plus three military officials—including Nicaragua’s minister of defense—for state acts of violence.  The United States also responded to the elections by steadily expanding sanctions on the country’s lucrative gold sector, which could be used to generate hard currency to sustain the Ortega regime’s hold on power.

The first action to target Nicaragua’s gold sector occurred in January 2022 with the designation of a director of the state-owned mining company Empresa Nicaraguense de Minas (“ENIMINAS”).  OFAC continued its sanctions against Nicaragua’s gold sector in June 2022 by blacklisting ENIMINAS itself, alongside the head of the company’s board of directors.  Finally, in October 2022, the United States further increased sanctions pressure by designating the Nicaraguan mining authority, the General Directorate of Mines, which largely took over management of the country’s mining operations from ENIMINAS following the company’s June 2022 addition to the SDN List.

Also in October 2022, President Biden signed Executive Order 14088, which expands the legal authorities underpinning the Nicaragua sanctions program in two significant ways.  First, E.O. 14088 specifically identifies operating in the gold sector of Nicaragua’s economy as a potential basis for designation to the SDN List.  Following the model pioneered in the Venezuela program (and later employed in Russia and Belarus), that Executive Order also grants the Secretary of the Treasury broad discretion to expand U.S. sanctions to target any other sector of the Nicaraguan economy as the Secretary may determine.  Second, E.O. 14088 authorizes possible restrictions on imports from, exports to, and new investments in Nicaragua.  Those two grants of authority, together with the designations described above, appear to mark the evolution of the Nicaragua program from one that was initially focused principally on political officials and Ortega regime insiders into a considerably broader program that could soon restrict dealings involving key sectors of Nicaragua’s economy.

If the Venezuela model is any guide, in coming months OFAC could use its new authorities to target additional industries in which Nicaraguan state-owned enterprises play a prominent role such as in the country’s oil or financial services sectors.  Should relations between the United States and Nicaragua continue to deteriorate, OFAC could also look to impose sanctions on additional government officials and regime insiders.

E. Afghanistan

In the wake of the Taliban’s de facto takeover of Afghanistan in August 2021, the United States was faced with a sanctions conundrum.  It needed to facilitate humanitarian flows into Afghanistan, but could not do so while empowering (or enriching) the Taliban and its ally, the Haqqani Network, both of which have long been designated for terrorism.

Within days of the fall of Kabul, the United States froze Afghanistan’s foreign reserves located in the United States to limit the Taliban’s access to capital.  Building on that announcement, President Biden on February 11, 2022 signed Executive Order 14064, which requires that any U.S.-based assets belonging to Da Afghanistan Bank, the country’s central bank, be blocked and transferred to a consolidated account at the Federal Reserve Bank of New York.  Pending a court decision, approximately half of the funds blocked pursuant to E.O. 14064 would be accessible by U.S. victims of terrorism and the remaining half—equal to approximately $3.5 billion—would be used to benefit the Afghan people.  In coordination with international partners, including the Swiss government and Afghan economic experts, the Biden administration subsequently announced the creation of the Switzerland-based Afghan Fund to protect and make targeted disbursements of that $3.5 billion of Afghan sovereign assets.  The Taliban, meanwhile, labeled the Afghan Fund an “illegal venture” and vowed to penalize entities that support its activities.

Efforts by outside aid organizations to deliver humanitarian relief to Afghanistan have been complicated by the fact that much of the Afghan government is subject to two sets of U.S. sanctions.  First, although Afghanistan is not subject to comprehensive U.S. sanctions, the Taliban have been designated since 2001 pursuant to Executive Order 13224, which restricts dealings involving certain named individuals, groups, and entities referred to as Specially Designated Global Terrorists.  Second, various groups closely affiliated with the Taliban, though not the Taliban itself, are designated as Foreign Terrorist Organizations.  The Haqqani Network, members of which now occupy key Afghan government posts, is one such organization.

In light of the continuing challenges faced by humanitarian agencies and the risk of famine and potential state failure, on February 25, 2022, OFAC issued a general license authorizing certain transactions involving Afghanistan and the Afghan government, and published related guidance.  That general license authorizes certain transactions involving Afghanistan or governing institutions in Afghanistan, provided that no funds are transferred to the Taliban, the Haqqani Network, or any of their majority-owned entities, other than in connection with common governmental functions such as payment of taxes and receipt of permits and licenses.  As a practical matter, the license appears to be designed to provide nongovernmental organizations, and their financial institutions, additional comfort to engage in transactions involving the Afghan state.

This general license was very broad, and in line with the Biden administration’s commitment to calibrating sanctions as much as possible so that innocent citizens are not harmed.  As discussed in Section III.H, below, OFAC essentially expanded this policy across almost all of its sanctions programs toward the end of 2022, issuing general licenses and guidance to emphasize that humanitarian, agricultural, medical, and pharmaceutical trade are not the target of U.S. sanctions.

In April 2022, OFAC also published a fact sheet regarding the provision of humanitarian assistance to Afghanistan and support for the Afghan people.  The fact sheet does not provide new guidance, but rather consolidates key authorizations and guidance for humanitarian and other assistance to Afghanistan.  The fact sheet emphasizes that there are no OFAC-administered sanctions that prohibit exports, financial transfers, or activities in Afghanistan, provided that sanctioned parties are not involved.  Additionally, the fact sheet details the various OFAC general licenses that authorize transactions involving the Taliban and the Haqqani Network.

F. Myanmar

As we suggested in our 2021 Year-End Sanctions and Export Controls Update, President Biden has continued to take a calibrated and incremental approach to exerting economic pressure on Myanmar (also called “Burma”) with new waves of sanctions designations under Executive Order 14014, as the situation in the country has failed to improve since a violent military coup overthrew Myanmar’s elected civilian government in February 2021.

In recognition of the one-year anniversary of the coup, on January 31, 2022, OFAC designated to the SDN List three officials serving in Myanmar’s military-controlled government—the Union Attorney General, the Chief Justice of the Supreme Court, and the Chairman of the Anti-Corruption Commission—for their roles in the prosecution of Myanmar’s former civilian leaders and pro-democracy activists.  The sanctions designations ultimately did not deter these prosecutions as Aung San Suu Kyi, Myanmar’s former State Counselor and Nobel Peace Prize laureate, was convicted and sentenced to 33 years in prison.  Win Myint Hlain, Myanmar’s former president, was convicted and sentenced to 148 years in prison.  Four former leaders and activists were convicted and later executed in July 2022.  Jailing and executing political opponents and activists has helped the Myanmar military (called the “Tatmadaw”) maintain its hold over the country, and we expect the Biden administration to continue targeting the people and institutions responsible—as happened on January 31, 2023 when OFAC designated a further round of Myanmar government officials and entities to mark the coup’s second anniversary.

OFAC has also gradually strengthened sanctions against the Tatmadaw’s support system, repeatedly targeting non-U.S. persons for providing the regime in Yangon financial support, arms, and/or military equipment.  In January 2022, a Yangon-based services and logistics company was designated for allegedly paying $3 million a year to sanctioned Myanma Economic Holdings Public Company Limited (“MEHL”) to lease a shipping port.  According to OFAC, these commercial payments amounted to “material support” to a blocked party, one of the designation criteria under E.O. 14014.  In January, March, October, and November 2022, OFAC added various individuals and companies to the SDN List for each playing a significant role in the supply of weapons, armaments, missiles, aircraft, and other defense equipment to the Tatmadaw.  Most of these parties were designated pursuant to E.O. 14014 for “operating in the defense sector of the Burmese economy,” a designation basis that OFAC has frequently relied upon—likely because of its broad scope and the fact that formal ties to a sanctioned party are not required.

In a prior client alert, we discussed how E.O. 14014 affords OFAC considerable flexibility in its sanctions-targeting decisions, and we have seen that play out in practice since then.  Although this past year’s sanctions designations may not have featured the broad collateral consequences of the MEHL and Myanmar Economic Corporation designations announced in March 2021, which we discussed in detail in an additional client alert, they demonstrate the incremental approach that has been a hallmark of Biden-era sanctions on Myanmar.  OFAC’s recent designations are also consistent with the Burma Business Advisory published on January 26, 2022, which warned of the risks of dealing in Myanmar military equipment and real estate.  The Burma Business Advisory, issued jointly by the U.S. Department of the Treasury and five other Executive branch agencies, remains a helpful guide to understanding the areas of Myanmar’s economy on which OFAC appears to be focused and which may present elevated sanctions-related risks going forward.

Additionally, we note that on March 21, 2022, the U.S. Department of State determined that the Tatmadaw committed genocide and crimes against humanity through their violence against the Rohingya, a religious minority group in Myanmar, in 2016 and 2017.  That formal determination, which follows several years of factual and legal assessments by the U.S. Government, likely further diminishes the prospects for an easing of U.S. sanctions on the Tatmadaw or its enablers in the near term.

G. Crypto/Virtual Currencies

OFAC’s designations to the SDN List in 2022 and numerous enforcement actions reveal a continued focus on the virtual currency industry, as well as important linkages between virtual currency enforcement and other agency priorities such as efforts to counter Russian sanctions evasion.  These actions also suggest OFAC’s willingness to take unprecedented action to stay ahead of illicit actors searching for ways to shield their funds behind the unique privacy and obfuscation that virtual currency services can provide.

On April 5, 2022, OFAC added darknet market Hydra Market (“Hydra”) and the virtual currency exchange Garantex to the SDN List.  The designations of Hydra and Garantex came in the wake of Treasury guidance, including both an OFAC FAQ and a FinCEN alert published in March 2022, warning U.S. businesses of the risk that sanctioned Russian persons may attempt to evade U.S. sanctions through virtual currency transactions.

Russia-based Hydra had become infamous as the world’s largest darknet market, facilitating cryptocurrency transactions for a range of illicit goods and services, from narcotics to money laundering services.  The takedown of Hydra was coordinated across several U.S. Government agencies, as well as in concert with international partners.  In parallel with OFAC’s designation, the U.S. Department of Justice announced criminal charges against a Russian national for his alleged role in administering Hydra and the German Federal Criminal Police seized Hydra’s servers in Germany, physically shutting down the operation.

Garantex, a virtual currency exchange operated out of Moscow, was designated by OFAC for its role in over $100 million of transactions associated with illicit actors and darknet markets, including approximately $2.6 million from Hydra.  Garantex’s addition to the SDN List built off of OFAC’s first-ever virtual currency exchange designations last year, described in our 2021 Year-End Sanctions and Export Controls Update, which similarly targeted Russia-based exchanges facilitating transactions involving illicit proceeds.

2022 brought its own firsts with OFAC’s first-ever designation of a virtual currency mixer, Blender.io (“Blender”) in May 2022.  Virtual currency mixers, as the name suggests, operate by mixing funds deposited by many users together before transmitting the funds to their individual recipients, obfuscating the counterparties of the transactions.  The financial privacy advantages motivating the creation of mixers make them attractive to illicit actors, a trend Treasury identified in its 2022 National Money Laundering Risk Assessment.  According to OFAC, Blender was used to process over $20 million of the proceeds stolen in a March 2022 virtual currency heist carried out by the Lazarus Group, the Democratic People’s Republic of Korea (“DPRK” or “North Korea”) state-sponsored cyber hacking group.  OFAC further tied Blender to money-laundering schemes by ransomware groups, an issue that continues to be an OFAC enforcement priority in the virtual currency space.

The Blender designation in May 2022 set the stage for OFAC’s second designation of a virtual currency mixer, Tornado Cash.  When it originally designated Tornado Cash on August 8, 2022 pursuant to Executive Order 13694 for malicious cyber activity, OFAC asserted that Tornado Cash had been used to launder more than $7 billion worth of virtual currency, including over $455 million stolen by the Lazarus Group.  Although following in the footsteps of the Blender designation, the Tornado Cash blacklisting was novel in its own right.  Unlike Blender’s centralized model (i.e., a single company processing the transactions), Tornado Cash’s decentralized, smart contract model is essentially operated by self-executing code running on public blockchains without the need for human intervention.

Tornado Cash’s August 2022 designation pursuant to E.O. 13694 triggered widespread confusion over the consequences of the action, and even spurred lawsuits against OFAC, claiming the Tornado Cash designation amounted to sanctions against technology which exceeded OFAC’s authority and infringed on First Amendment rights.  OFAC initially responded to this pushback by issuing a series of FAQs to clarify the scope of the designation, including, for example, that a U.S. person would not be prohibited from making Tornado Cash’s open-source code available online to view.

Then, on November 8, 2022, OFAC simultaneously delisted and re-designated Tornado Cash, this time adding Executive Order 13722 as a second basis for the designation based on Tornado Cash’s material support of the Lazarus Group, considered part of the Government of the DPRK under the North Korea Sanctions Regulations.  Still, critics argue that there is no “person” to sanction, as that term is defined in the relevant Executive Orders (as “an individual or entity”), despite OFAC’s reasoning that Tornado Cash falls within the definition of “entity” as “a partnership, association, trust, joint venture, corporation, group, subgroup, or other organization.”

Even amidst the confusion, what remains clear is that OFAC is continuing to focus on the virtual currency industry as a key battleground in combatting cyber-related crime and other malicious behavior.  Rather than solely targeting the individuals perpetrating hacks and ransomware attacks, OFAC continues to expand its sanctions designations to include services on which bad actors rely to launder illicit funds.  As OFAC continues to link these designations to other enforcement priorities, such as its Russia and North Korea sanctions, the pace of new cyber-related designations and related enforcement actions seems unlikely to slow.

H. Other Sanctions Developments

1. Hostages and Wrongfully Detained U.S. Nationals Sanctions

On July 19, 2022, President Biden issued Executive Order 14078, which creates a new sanctions program focused on hostage-taking and wrongfully detained U.S. nationals.  The Executive Order, which came amid substantial public attention to the plight of Americans detained in Russia such as former Marine Paul Whelan and basketball star Brittney Griner, suggests that the U.S. Government is prepared to use economic coercion to secure the release of such individuals—though no such designations have been announced to date.

Issued pursuant to multiple statutes, including the Robert Levinson Hostage Recovery and Hostage-Taking Accountability Act, E.O. 14078 authorizes the Secretary of State to impose blocking sanctions on any foreign person that the Secretary determines has been involved in the hostage-taking of a U.S. national or the wrongful detention of a U.S. national abroad.  As a practical matter, the Executive Order appears designed to, by brandishing the prospect of sanctions, increase U.S. leverage in negotiations with hostage-takers and deter hostage-taking in the first instance.

2. Humanitarian Trade Authorizations

On December 20, 2022, the United States became the first country to implement United Nations (“UN”) Security Council Resolution 2664, which seeks to facilitate humanitarian aid by creating a “humanitarian carveout” across UN sanctions regimes.  To implement that resolution, OFAC issued or amended numerous general licenses across several sanctions programs to ensure that humanitarian aid can be effectively delivered to vulnerable populations while simultaneously denying resources to sanctioned actors.  These general licenses provide explicit authorization, now standard across all OFAC sanctions programs, for four broad categories of activities, including:  (1) the official business of the U.S. Government; (2) the official business of certain international organizations such as the United Nations and the International Red Cross; (3) certain humanitarian transactions in support of nongovernmental organizations’ activities; and (4) humanitarian trade in agricultural commodities, medicine, and medical devices.  The Biden administration has repeatedly emphasized that it will seek to enforce U.S. sanctions while supporting the flow of legitimate humanitarian aid.  OFAC has now addressed this challenge by permitting humanitarian assistance across multiple U.S. sanctions programs that did not previously provide for such authorizations.

IV. U.S. Export Controls

A. Commerce Department

1. Controls on Emerging and Foundational Technologies

As made evident through U.S. policy toward Russia and China, in 2022 export controls continued their rise as indispensable and central tools to further broader U.S. national security interests.  A key part of this strategy involved controls on newly defined “emerging and foundational technologies.”  Section 1758 of the Export Control Reform Act of 2018 (“ECRA”) requires BIS to establish export controls on “emerging and foundational technologies” essential to the national security of the United States.  Under this authority, between 2018 and 2021, BIS imposed 38 new controls on “emerging” technologies by modifying an existing ECCN or creating a new ECCN.

However, questions persisted around when and how BIS would begin to place controls on “foundational” technologies, as neither ECRA nor BIS regulations provided a precise definition of what would constitute an “emerging” versus “foundational” technology.  Finally resolving this uncertainty, on May 23, 2022 BIS clarified that the agency will no longer “draw[] a distinction between ‘emerging’ or ‘foundational’ technologies” and will instead use the umbrella term “Section 1758 technologies” going forward.  BIS acknowledged that drawing this fine distinction was proving to be inefficient and unrealistic—technology could be simultaneously “emerging” (in that it is new technology not in general use) and “foundational” (in that it constitutes an improvement on existing technology).  And as Assistant Secretary for Export Administration Thea Kendler remarked, BIS is “responsive to national security threats” generally, regardless of the formal identification of technologies.

Following this announcement, BIS imposed new controls in August 2022 and January 2023, covering the following eight Section 1758 technologies:

  • Two substrates of ultra-wide bandgap semiconductors (Gallium Oxide (Ga2O3) and diamond), each added to 3C001.e and f, 3C005.a and b, and 3C006;
  • Electronic Computer Aided Design software specially designed for the development of integrated circuits with any Gate-All-Around Field-Effect Transistor structure, added as new ECCN 3D006;
  • Pressure gain combustion technology for the production and development of gas turbine engine components or systems, added to 9E003.a.2.e; and
  • Four marine toxins (brevetoxin, gonyautoxin, nodularin, and palytoxin), each added to 1C351.d.4, d.9, d.13, and d.14.

Between September and October 2022, BIS sought public comments regarding additional Section 1758 controls on automated peptide synthesizers.  In light of the revised approach of BIS to holistically control “emerging and foundational” technologies, we expect to see more Section 1758 controls this year.

2. Controls on Cybersecurity Items

Controls on cybersecurity items endured a decade-long history of multilateral negotiation and domestic rulemaking.  The Wassenaar Arrangement—the multilateral agreement that underlies much of the EAR—initially decided on new controls on cybersecurity items in 2013, and BIS proposed a rule implementing these controls in 2015.  However, upon receiving public comments about the adverse impact that this rule may have on legitimate cybersecurity research and incident response activities, BIS returned to the Wassenaar Arrangement for renegotiation, which concluded in 2017.  In 2021, BIS solicited comments on an interim final rule that would implement the renegotiated controls on cybersecurity items and create a new License Exception Authorized Cybersecurity Exports (“ACE”).  Following public comments, however, the effective date of this rule was subsequently delayed to March 7, 2022.

On May 26, 2022, BIS amended these cybersecurity controls in response to those public comments.  Among others, the amendments included a clearly defined list of “government end users” for purposes of the new License Exception ACE; a parallel end-user restriction in License Exception Encryption Commodities, Software, and Technology (“ENC”) to avoid potential loopholes; and general clarifying revisions to help industry understand and comply with the new controls.  The cybersecurity controls exemplify the importance of industry and public feedback in the export controls rulemaking process.

3. Entity List and Unverified List

As noted above, designations to the Entity List this year most prominently featured actors in Russia, Belarus, and China, but were certainly not limited to those jurisdictions.  Beyond Russia, Belarus, and China, two key themes among this year’s designations were (1) diversion activities and risks to Russia, China, Iran, and Syria (as demonstrated in designations on June 30, December 8, and December 19, 2022) and (2) involvement in unsafeguarded nuclear activities (as demonstrated in designations on February 14, June 30, and December 8, 2022).

Notably, a new and highly aggressive criterion for designation was announced on October 13, 2022, indicating BIS’s willingness to make expansive use of the Entity List.  On the same day that BIS implemented expansive semiconductor controls targeting China, the agency announced that sustained lack of cooperation by a host government to schedule and facilitate the completion of end-use checks may lead to an entity’s designation to the Entity List.  Pursuant to this new guidance, BIS has since moved nine Russian entities from the Unverified List to the Entity List and is expected to pay closer attention to long-term designees on the Unverified List.

4. EAR Enforcement Policy

In conjunction with its fortieth anniversary, BIS’s Office of Export Enforcement engaged in a number of policy updates designed to expand and strengthen its administrative enforcement authorities.  On June 6, 2022, as part of its new Russia and Belarus controls, BIS amended its enforcement regulations to allow BIS charging letters to be made publicly available once issued—not after the case has been concluded.  According to BIS, this rule is intended “to inform interested parties of ongoing enforcement efforts in a more timely way and educate the exporting community, particularly with respect to recent amendments to the EAR that could result in new bases for enforcement action.”  The first public charging letter was issued against Russian oligarch Roman Abramovich on the same day as the regulatory change.  To date, BIS has published five public charging letters, which are accessible on the agency’s website.

On June 30, 2022, BIS further updated its enforcement policy through a memorandum (the “EAR Enforcement Memo”) published by Assistant Secretary for Export Enforcement Matthew Axelrod.  Highlighting the increased threat from the unauthorized release of U.S. technology to China, Russia, Iran, and North Korea, Assistant Secretary Axelrod announced four enhancements to BIS’s enforcement policy:

  • Imposition of Significantly Higher Penalties: BIS will more “aggressively and uniformly” categorize appropriate cases as “egregious” and apply aggravating factors to escalate penalty amounts.  Accordingly, we are likely to see increased penalty amounts for export violations.
  • Using Non-Monetary Resolutions for Less Serious Violations: At the same time, BIS will increase the use of non-monetary settlement agreements, such as increased training and export compliance requirements, for pending cases in which violations are not egregious and have not resulted in serious national security harm.
  • Elimination of “No Admit / No Deny” Settlements: BIS will no longer allow settlements in which parties could resolve allegations against them while neither admitting nor denying their conduct.  Moving forward, in order to reach a settlement agreement with reduced penalty, the party must admit that the underlying conduct in fact occurred.
  • Dual-Track Processing of Voluntary Self-Disclosures: BIS will now institute a 60-day “fast track” review for voluntary self-disclosures that involve only minor or technical infractions.  In contrast, for voluntary self-disclosures that involve more serious violations, BIS will conduct a more in-depth review, with a field agent, an Office of Chief Counsel attorney, and as relevant, a Department of Justice attorney.

Except for the use of non-monetary resolutions, each of the enforcement policy changes suggests heightened risks of regulatory scrutiny, penalties, and reputational harm as a result of export violations.  Assistant Secretary Axelrod also signaled that BIS may consider further changes “to maximize the effectiveness of [its] administrative enforcement of export violations.”  More than ever, it will be important for exporters to review the adequacy of their export compliance program and ensure compliance by their employees.

5. Antiboycott Enforcement Policy

Consistent with BIS’s focus on enhanced enforcement of export regulations, BIS also enhanced its enforcement posture with respect to the antiboycott regulations.  The antiboycott regulations prohibit compliance with foreign boycotts that are not sanctioned by the United States, with three categories of violations under Categories A, B, and C.  On October 7, 2022, BIS adjusted these categories, with Category A now reflecting only those violations that are deemed the most serious and that will ordinarily warrant the maximum penalty available under the law, and Category B now reflecting violations that most commonly and currently arise in commercial transactions and that are subject to enhanced penalties to “promote awareness, accountability and deterrence.”

Together with the category adjustments, Assistant Secretary Axelrod published another memorandum providing updated antiboycott enforcement policies (the “Antiboycott Enforcement Memo”).  Parallel to the EAR Enforcement Memo, the Antiboycott Enforcement Memo also indicated heightened enforcement priorities of BIS:

  • Enhanced Penalties: BIS will impose higher penalties across the three categories of antiboycott violations.
  • Admissions of Misconduct: BIS will require admissions of misconduct when settling matters involving antiboycott violations.
  • Renewed Focus on Foreign Subsidiaries of U.S. Companies: BIS’s enforcement focus will be on foreign subsidiaries of U.S. companies involved in violations of U.S. antiboycott regulations.

In announcing these policy changes, Assistant Secretary Axelrod highlighted the “symbolic importance” of antiboycott rules in advancing U.S. foreign policy interests and preventing unlawful discrimination and committed to “vigorously enforce” the antiboycott rules.  U.S. firms with potential exposure to unsanctioned foreign boycotts should therefore consider implementing robust policies to ensure antiboycott compliance.

B. State Department

1. Regulatory Updates

The U.S. Department of State’s Directorate of Defense Trade Controls (“DDTC”) likewise undertook significant regulatory initiatives this year, paving the way for even more rulemaking efforts in the year to come.

On March 23, 2022, DDTC announced the start of a “multi-year multi-rule project” to comprehensively review and update the International Traffic in Arms Regulations (“ITAR”) for the first time since 1993—dubbed the “ITAR Reorganization” effort.  The project’s first step was implemented through amendments to the ITAR, which went into effect on September 6, 2022.  This first set of amendments was made to better organize the definitions and guidance for regulated parties, and did not change any substantive requirements under the ITAR.

On July 20, 2022, DDTC launched a pilot program for an Open General License (“OGL”) mechanism, pursuant to its authority under Section 126.9(b) of the ITAR.  As an initial action, the agency issued two OGLs effective from August 1, 2022 to July 31, 2023.  OGL No. 1 permits the retransfer of unclassified defense articles to pre-approved parties in Australia, Canada, or the United Kingdom.  OGL No. 2 permits the reexport of unclassified defense articles to pre-approved parties in Australia, Canada, or the United Kingdom.  The OGLs allow regulated parties to reliably benefit from pre-existing general licenses rather than seeking specific authorizations for each transaction, providing much needed flexibility for the regulated parties and U.S. allies that are covered by the OGLs.  According to an FAQ issued by DDTC, more OGLs may be on the horizon depending on the experience of the current pilot program.  To better assess the impact of the pilot program, the OGLs impose certain recordkeeping and information-sharing requirements.

DDTC made other regulatory updates throughout the year, including issuing updated guidance regarding authorization requests for exports of defense services by U.S. persons abroad, and proposing to exclude from its controls both the taking of defense articles by armed forces on a deployment or training exercise and the export of a foreign defense article that entered the United States and is exported without modification and pursuant to an authorization.  DDTC continues to recalibrate its regulations, and U.S. persons engaging in activities involving defense articles or defense services should remain attentive to DDTC’s planned additional rulemakings in 2023.

2. Compliance Program Guidelines

On December 5, 2022, DDTC issued long-awaited International Traffic in Arms Regulations Compliance Program Guidelines (the “ITAR Guidelines”) that set out DDTC’s expectations for an effective ITAR compliance program.  The ITAR Guidelines revise DDTC’s prior guidance and are now structured similarly to sanctions and export controls compliance program guidelines issued by other agencies, such as the Framework for OFAC Compliance Commitments and BIS’s Export Compliance Guidelines.  Like the expectations announced by those two agencies, an ITAR compliance program should be tailored to each organization’s specific risk profile.  Additionally, regulated parties are encouraged to incorporate the following critical elements into an effective ITAR compliance program:  (1) management commitment; (2) DDTC registration, jurisdiction and classification, authorizations, and other ITAR activities; (3) recordkeeping; (4) detecting, reporting, and disclosing violations; (5) ITAR training; (6) risk assessments; (7) audits and compliance monitoring; and (8) a written ITAR compliance manual.

V. Committee on Foreign Investment in the United States (CFIUS)

In addition to sanctions and export controls, the Committee on Foreign Investment in the United States—the interagency committee tasked with reviewing the national security risks associated with foreign investments in U.S. companies—remained active during 2022 as the Committee reviewed a record number of filings and continued to especially closely scrutinize China-related deals.  Over the past year, CFIUS also grew more institutionally mature as the Committee for the first time ever received explicit guidance from the White House regarding which national security factors to consider when reviewing covered transactions, published its first-ever enforcement and penalty guidelines similar to those long employed by other U.S. national security agencies, and prepared to operate alongside a brand new outbound investment screening mechanism that is widely expected to be unveiled by the United States in coming months.

A. CFIUS Annual Report

On August 2, 2022, CFIUS published its annual report to Congress detailing the Committee’s activity during calendar year 2021 (the “CFIUS Annual Report”).  During that period, there was a record increase in CFIUS filings and the Committee indicated its continued focus on transactions that may pose national security risks.  As noted in our prior client alert, our key takeaways from the CFIUS Annual Report include:

  • CFIUS reviewed a record number of filings in 2021 (436 filings, up 39 percent from 2020), reflecting the strong mergers and acquisitions (“M&A”) market in 2021. Of these filings, 164 (38 percent) were declarations and 272 (62 percent) were written notices.  Parties were increasingly filing declarations voluntarily, given that less than one-third of the declarations filed in 2021 were subject to mandatory requirements.
  • There was also a significant jump in withdrawn notices in 2021—from 29 in 2020 to 74 in 2021. While the parties filed a new notice following most of the withdrawn notices (85 percent of the total notices filed) in 2021, 11 notices (4 percent of the total notices filed) were withdrawn and the underlying transaction was not consummated, either (1) because CFIUS informed the parties that the Committee could not identify mitigation measures that would resolve national security concerns or because the parties rejected CFIUS’s proposed mitigation measures, or (2) for commercial reasons.
  • 2021 was the first year since 2016 in which no Presidential decisions were issued blocking proposed transactions.
  • Canadian investors accounted for the largest number of declarations in 2021 (13 percent of the total number of declarations filed). Australia, Germany, Japan, South Korea, Singapore, and the United Kingdom, traditionally seen by the U.S. Government as countries that present lower national security risks to the United States, accounted for approximately 38 percent of the total declarations submitted in 2021.  Investors from Canada, Japan, and the United Kingdom submitted the most declarations from 2019 to 2021.  In contrast, Chinese investors generally preferred submitting notices instead of short-form declarations, which may be a result of the ongoing geopolitical tensions between Washington and Beijing and the low likelihood that CFIUS would clear a transaction involving a Chinese acquiror through the short-form declaration process.
  • In 2021, the number of critical technologies filings CFIUS reviewed increased by 51 percent from 2020, with countries seen as traditionally allied with the United States accounting for most such acquisitions.
  • CFIUS shortened its turnaround times to respond to draft notices (from approximately 9 business days in 2020 to 6 in 2021) and to accept a formal written notice after submission (from, on average, 7.7 business days in 2020 to 6 in 2021).
  • CFIUS may identify and initiate unilateral review of an already-completed transaction, and may request that the parties submit a filing after the fact. The result of such post-transaction reviews could range from requiring the parties to make certain operational and management changes to address the Committee’s national security concerns to mandating that the parties unwind the transaction altogether. CFIUS identified more non-notified/non-declared transactions in 2021 (135 in 2021 compared to 117 in 2020), which appears to indicate the Committee’s increased interest in identifying non-notified/non-declared transactions, as well as the Committee’s expanded resources for monitoring and enforcement activities.

In light of the Executive Order issued by President Biden directing the Committee to consider additional national security factors when it reviews transactions, as well as the Committee’s release of its new Enforcement and Penalty Guidelines (both of which are discussed below), we expect the trend of increased CFIUS filings and reviews to continue, notwithstanding the impact of global economic uncertainty on M&A activity.

B. National Security Factors

In order “to ensure that the foreign investment review process remains responsive to an evolving national security landscape and the nature of the investments that pose related risks to national security,” in September 2022, President Biden issued the first Executive Order in the history of CFIUS to provide explicit guidance to the Committee in conducting national security reviews of covered transactions.  Elaborating on existing factors that CFIUS is mandated by statute to consider, Executive Order 14083 directs CFIUS to consider five factors that closely parallel the U.S. Government’s broader approach to protect U.S. technological competitiveness and U.S. persons’ personal data, as well as decrease U.S. reliance on foreign supply chains involving critical technologies and mitigate the impact of cybersecurity attacks.

E.O. 14083 directs the Committee to consider the following, as appropriate:

  • The resilience of critical U.S. supply chains that may have national security implications, including those outside of the defense industrial base;
  • U.S. technological leadership in areas affecting U.S. national security, including but not limited to microelectronics, artificial intelligence, biotechnology and biomanufacturing, quantum computing, advanced clean energy, and climate adaptation technologies;
  • Aggregate industry investment trends that may have consequences for a given transaction’s impact on U.S. national security;
  • Cybersecurity risks that threaten to impair national security; and
  • Risks to U.S. persons’ sensitive data.

For an in-depth analysis of the policy rationale for, and the practical implications of, each of the five national security factors articulated in E.O. 14083, please see our September 2022 client alert.

While E.O. 14083 is groundbreaking as the first-ever Executive Order providing guidance concerning the CFIUS review process, that measure principally builds upon existing policy trendlines.  Indeed, it is no surprise that advanced technologies, cybersecurity risks, supply chains, and sensitive data remain at the forefront of U.S. national security considerations.  That said, this Executive Order directs CFIUS’s national security risk analysis in a way that, as a practical matter, will continue to expand the Committee’s review authority.  Given the breadth of the five factors elucidated in the Executive Order, combined with the Biden administration’s goals of prioritizing U.S. competitiveness in certain critical technology sectors, we expect that the number of transactions reviewed by the Committee will continue to grow.  Prior to engaging in any M&A activity or investments involving U.S. businesses operating within the sectors implicated by the factors outlined above, transaction parties should carefully assess the likelihood of CFIUS review and the potential need to file a notice or declaration.

C. Enforcement and Penalty Guidelines

Amid the U.S. Government’s increasing scrutiny of transactions involving foreign investments in U.S. companies or operations that potentially impact national security, the Committee in October 2022 issued its first-ever CFIUS Enforcement and Penalty Guidelines (the “CFIUS Guidelines”).  The CFIUS Guidelines are non-binding and do not expressly create any new authorities for the Committee, nor do they appear to be connected to any reported increase in enforcement actions.  However, the issuance of the CFIUS Guidelines may signal the Committee’s intent to enhance enforcement efforts to address national security concerns.  The CFIUS Guidelines also provide the Committee’s first public statement regarding the non-exhaustive aggravating and mitigating factors that the Committee will consider when determining the appropriate response to an alleged violation of its regulations.

Under the CFIUS Guidelines, (1) failure to submit a mandatory declaration or notice in a timely manner, (2) failure to comply with CFIUS mitigation requirements when such mitigation has been imposed, and (3) material misstatements, omissions, or false or materially incomplete certifications made at any point during the CFIUS process each constitute a violation that the Committee may consider to be subject to enforcement and penalty.  CFIUS has the authority to issue civil penalties up to $250,000 per violation for material misstatements, omissions, or false certifications.  Failure to comply with mandatory declaration requirements or violation of a material provision of a mitigation agreement may result in a civil penalty not to exceed the greater of $250,000 or the value of the transaction.

However, the Committee may exercise discretion by weighing all aggravating and mitigating factors, such that not all violations will result in a penalty or remedy.  Examples of such factors, which should be generally familiar to those who have assessed corporate enforcement factors published by other agencies such as the Justice Department, OFAC, and BIS, include the extent to which the conduct impaired U.S. national security, the frequency and duration of the conduct at issue, and the subject person’s history and familiarity with CFIUS, amongst others.

In the CFIUS Guidelines, the Committee formally encourages timely voluntary self-disclosure of potential violations and notes that it will take such disclosures into account when determining its enforcement response to an alleged violation.  However, unlike other agencies, the Committee does not explicitly offer any specific incentives for such disclosure, such as a reduction in the proposed penalty amount, within the CFIUS Guidelines—potentially reducing the likelihood that transaction parties may at their own initiative bring apparent violations to the Committee’s attention.

For a more detailed analysis of the CFIUS Guidelines, please see our October 2022 client alert.

D. Outbound Investment Screening

While CFIUS review of inbound investments into the United States has been a feature of U.S. trade controls for decades, U.S. policymakers have lately weighed creating an unprecedented outbound investment screening mechanism to scrutinize how U.S. persons deploy capital abroad.  Momentum for such a regime appears to be driven in part by concerns among U.S. officials at the prospect of U.S. investors financing or otherwise enabling efforts by strategic competitors such as China to develop critical technologies within their own borders.  Although officials are continuing to debate how to tailor any such regime to avoid unduly restricting investments that present little risk to U.S. national security, developments over the past few months suggest that the United States may be on the cusp of standing up an entirely new outbound investment review mechanism.

The fiscal year 2023 omnibus spending bill signed into law on December 29, 2022 allocated funding to various government agencies, including the U.S. Department of the Treasury.  A joint explanatory statement accompanying the bill encourages Treasury “to address the national security threats emanating from outbound investments from the United States in certain sectors that are critical for U.S. national security.”  Significantly, Treasury has 60 days to “submit a report describing such a program,” including the resources needed over the next three years to establish and implement such a program.

Observers of this space were not surprised by this request.  Many U.S. policymakers have been vocal about their view that existing national security regulations are insufficient to address concerns surrounding the transfer of capital to countries of concern, particularly China and Russia.  Although a proposal that would have created an outbound investment screening regime, the National Critical Capabilities Defense Act (“NCCDA”), was removed from the CHIPS Act in the summer of 2022 and failed to gain traction in other legislation, Congressional efforts to establish such a regime remain ongoing.  Indeed, there are few (if any) other policy proposals that will be debated in the newly-divided Congress that could likely receive similar levels of bipartisan support.

In a September 2022 letter to President Biden, prominent members of Congress urged the White House to move forward with Executive action “to safeguard our national security and supply chain resiliency on outbound investments to foreign adversaries.”  The letter expressed the intent to follow Executive action with legislation, and included a reminder that this was the template used to establish CFIUS.  While we may see a reintroduction of the NCCDA, the potential for Executive action on this topic remains a distinct possibility.

Continuing its efforts to forge multilateral policies on core trade issues, the European Commission has been working in parallel with the United States and has indicated that it is prepared to revise the European Union’s foreign direct investment regulations.  In October 2022, the European Commission published its Work Program 2023, which outlines key initiatives and priorities for the coming year.  Among those key initiatives is “develop[ing] a strong set of strategic trade and investment controls to strengthen [EU] economic security, while also working to diversify value chains.”  The European Commission further indicated that it plans to “examine whether additional tools are necessary in respect of outbound strategic investments controls.”

Although the exact parameters of an outbound investment screening mechanism remain to be seen, there are numerous ways—including through legislation, an Executive Order, or an agency pilot program—that such a regime could potentially come into existence.  Given unsuccessful prior attempts at passing legislation, establishing such a regime via Executive Order appears increasingly likely, pending further consultation by the United States with its European allies.  Substantively, such an Executive Order could prioritize transactions involving sectors such as quantum computing, artificial intelligence, and semiconductors.

Indeed, it is noteworthy that during 2022 the conversation increasingly shifted from whether there should be an outbound screening mechanism in the first instance to how such a mechanism should be designed to best achieve national security objectives while minimizing the regulatory burden on U.S. investors.  As we discuss in a recent article, critics of potential outbound investment regimes urge the U.S. Government to ensure that any such mechanism is targeted and narrow, to ensure that any review of transactions does not overlap with other national security regimes or unduly stifle investment flows.  The efficacy of any outbound investment regime will depend in significant part on the clarity of the policy objectives to be achieved by any outbound review, including clearly identifying what gaps in existing regimes the program hopes to address.

VI. European Union

A. Trade Controls on China

The European Union’s posturing vis-à-vis China continues to evolve in light of a number of factors, such as China’s countermeasures to EU sanctions on human rights, the deliberate exertion of economic coercion against the bloc, and Beijing’s ambivalent position in relation to the war in Ukraine.  All meaningful momentum to sign the Comprehensive Agreement on Investment—a proposed ambitious EU-China deal aimed at dismantling barriers to foreign direct investments—appears to have been lost, and European players have increasingly voiced concerns about Beijing’s global influence and the ways in which it is being exerted.  While China continues to be seen as a systemic rival rather than an explicit threat and the overall stance is not one of direct confrontation, the European Union has been taking some crucial steps in anticipation of a more antagonistic future.

For instance, a proposed regulation is making its way through the European Union’s standard legislative process and, if implemented, it would grant the European Commission the power to retaliate against instances of economic coercion aimed at interfering with the European Union’s sovereign choices, with countermeasures comprising a wide range of restrictions related to trade, investment, and funding.  Economic coercion has been increasingly deployed by Beijing in the past five years as a way of pursuing strategic and geopolitical goals, and EU Member States have become a target.  While the proposed legal text does not mention China explicitly, it was proposed in parallel to China applying discriminatory and coercive measures against exports from Lithuania and exports of EU products containing Lithuanian content, after Lithuania allowed Taiwan to open a de facto embassy on its territory.

Another example of trade policy tools being used to promote the European Union’s values and strategic objectives is the European Commission’s proposal for a regulation banning products made with forced labor from the EU market.  Once again, while the proposed text does not mention China by name, it was published in response to a European Parliament resolution calling for measures to address the situation in Xinjiang shortly after the Uyghur Forced Labor Prevention Act, discussed in Section II.A, above, was enacted by the United States.  Unlike the UFLPA, the proposed regulation would not adopt a rebuttable presumption that all goods manufactured in specific regions of the world are made with forced labor, as goods of all kinds will be within scope, and the burden of proof will remain on enforcing agencies within the European Union.  The range of activities covered by the regulation, however, would be broader than the UFLPA, as products made with forced labor would not only be subject to an import ban, but would also face export restrictions once they are in the European Union and may be withdrawn from market if they inadvertently find their way to EU consumers.  This is a key difference between the European Union’s proposed regulation and the UFLPA, as the European Union will not allow the re-routing and further export of goods which have been deemed to have been produced with forced labor.

Individual EU Member States have also been active in seeking to address forced labor concerns.  On January 1, 2023, the German Supply Chain Act (“LkSG”) came into force for companies with more than 3,000 employees in Germany and that have their central administration, headquarters, registered office, or a branch office in Germany.  Accordingly, the LkSG is now effective for all DAX 40 companies and many other German and multinational companies.  As mentioned in our 2021 Year-End German Law Update, relevant companies must implement dedicated due diligence procedures to safeguard human rights and the environment in their own operations, as well as in their direct supply chains.  Companies are also required to take remedial actions in case a violation of human rights such as forced labor or a violation of environmental standards has occurred or is imminent (for their direct supply chain) or in case they obtain “substantiated knowledge” of such violation.  While the LkSG has introduced obligations also relevant in the context of allegations of forced labor in Xinjiang, it does not go as far as the UFLPA or the draft EU regulation on prohibiting products made with forced labor on the EU market.  It remains to be seen how the German Federal Service for Economic Affairs and Export Control (“BAFA”), which has already published related FAQs and guidance, will enforce the LkSG.

Similarly, the European Union has been deploying its centralized regulatory powers to better protect the EU economy from exogenous shocks.  This past year, the Commission intensified its focus on strengthening European resilience to supply chain disruptions and achieving strategic autonomy for semiconductors given the ongoing shortages in Europe and elsewhere.  The proposed European CHIPS Act is deliberately designed to reduce dependence on non-allies, to focus collaboration efforts on countries like the United States and Japan, and to preserve the competitiveness of EU industries.  In a similar vein, the European Union is enhancing its enforcement concerning distortive market practices with its new Foreign Subsidies Regulation, which is designed to even the playing field between EU businesses—which are under strict scrutiny whenever subsidized by EU Member State governments—and some of their heavily subsidized competitors such as Chinese state-backed companies.  With these measures, the European Union is demonstrating that it is taking Chinese competition more seriously, and the further deployment of trade tools is expected as geopolitical events unfold.

B. Sanctions Developments

1. Institutional and Procedural Developments within the European Union

While the European Union has been at the forefront in implementing sanctions against Russia with an impressive total of nine sanctions packages adopted in 2022, the Russia crisis has underscored some of the weaknesses in the European Union’s sanctions and trade controls enforcement mechanisms and implementation procedures.  The unanimity requirement for Common Foreign and Security Policy measures has led to perverse instances where a single Member State (such as Hungary with respect to the Russia oil import ban) can threaten to block the implementation of EU sanctions, and the lack of uniform enforcement among Member States has posed issues for cross-border operators.  In particular, with sanctions being a foreign policy tool, the difficulty in aligning 27 potentially divergent national security interests has been a recurring theme of the past year.

To begin addressing these shortcomings, the European Council adopted a decision adding sanctions violations to the “list of EU crimes” pursuant to Article 83 of the Treaty on the Functioning of the European Union and, shortly after, the European Commission followed with its proposal for a Directive containing minimum rules on the definition of the new criminal offenses covered and the applicable penalties.  The Directive will have to be adopted by the Council and the European Parliament, yet these developments mark significant milestones in the European Union’s increased efforts to harmonize EU sanctions enforcement, to close existing legal loopholes resulting from a fragmented enforcement approach, and to ultimately increase the deterrent effect of violating EU sanctions.  Furthermore, the European Parliament called on the Council to make use of provisions within the Treaty on European Union that would allow it to take certain decisions without military implications, in particular those concerning sanctions and human rights, by qualified majority rather than unanimity.  This could break the logjam and the unsustainable reality in which one or two recalcitrant EU Member States could hold the will of the European Union hostage.  This is essentially what occurred during the European Union’s negotiations concerning the Russia crude oil import ban which saw Hungary as the sole holdout, delaying the bloc’s finalizing of this measure.  Discussions on qualified-majority voting are ongoing and are likely to be protracted given the delicate constitutional questions that such a move would raise, but the strengthening of the European Union’s sanctions implementation and enforcement powers has gained a priority spot on the bloc’s foreign policy agenda.

Finally, to assist competent authorities in EU Member States with their enforcement efforts, the Commission launched the EU Sanctions Whistleblower Tool, which can be used for the anonymous reporting of past, ongoing, or planned sanctions violations, as well as attempts to circumvent EU sanctions regulations.  More aggressive enforcement trends are expected in 2023.

2. Measures Targeting Russia’s Supporters

The European Union has taken a more decisive stance towards those who assist Russia in its invasion of Ukraine, and its growing confidence in the use of sanctions as a foreign policy tool is evident in this context.  In particular, the European Union has significantly expanded the list of Belarusians and Iranians subject to restrictive measures.  Iran has developed and delivered UAVs to Russia for use against Ukraine, while Belarus has allowed Russia to fire ballistic missiles from its territory and enabled transportation of Russian military equipment.  A number of Iranian individuals and entities have been sanctioned, including military commanders and UAV manufacturers.  Meanwhile, Belarus has been hit with a gradually more severe range of sanctions, spanning from asset freezes on individuals and companies, sectoral financial sanctions, trade restrictions, removal of major banks from the SWIFT messaging system, a prohibition on transactions with the country’s central bank, and others.

In 2023, we can expect to see the European Union expand its use of sanctions tools to target Russia’s supporters and further protect the bloc’s security interests.  Provision has been made within the EU Russia sanctions regime to designate those who actively facilitate infringements of the prohibition against circumvention.  Although this criterion has not yet been used, it lays the groundwork to broaden the reach of EU sanctions without having to institute a new behavior-based or country-based regime.

Separately, Iran has also been subject to additional restrictive measures due to domestic human rights violations.

3. Sanctions Enforcement in Germany

The past year also saw the development of German sanctions enforcement mechanisms.  In May 2022, Germany enacted the Sanctions Enforcement Act I (“SDG I”) containing short-term measures in order to enhance German sanctions enforcement.  In particular, this Act now empowers authorities to summon and question witnesses, seize evidence, search homes and business premises, inspect registers, and preliminarily seize assets until clarification of ownership.  Other measures introduced by the SDG I included a better exchange of sanctions-related information between authorities and additional competences of federal authorities such as the German Federal Financial Supervisory Authority (“BaFin”) and the Central Office for Financial Transaction Investigations (the German Financial Intelligence Unit).  In December 2022, Germany enacted the Sanctions Enforcement Act II (“SDG II”), which brought about structural improvements of sanctions enforcement in Germany.  The SDG II created a new federal body—the Central Department for Sanctions Enforcement (which could become a German equivalent to the United Kingdom’s Office of Financial Sanctions Implementation, discussed in Section VII.B, below).  The Central Department has been given broad powers to identify and seize assets and to manage a sanctions violation whistleblower system.  The Department also has the authority to appoint a monitor to supervise sanctions compliance in companies that have violated, or are at risk of violating, sanctions.

C. Export Controls Developments

Given the historic economic interdependence between the European Union and Russia, the most noteworthy development in the field of EU export controls in the past year has been the unprecedented wave of new measures imposed against Russia.  The European Union had never subjected such a broad range of goods, including consumer goods, to export controls and import bans as stringent as those imposed in relation to Russia.  Bilateral trade in goods and services between the European Union and Russia appears set to decline in 2023, in light of the ever-broader restrictions the European Union is implementing with each new sanctions package.  The European Union has now tested the feasibility of a wide-ranging export controls regime and global trends point in the direction of export controls being further weaponized to protect national security and strategic interests.

D. Foreign Direct Investment Developments

In April 2022, the European Commission published new guidance relating to foreign direct investment from Russia and Belarus, in light of the heightened national security risk that investments by Russian and Belarusian investors in strategic sectors of the economy may pose to the European Union.  The guidance called upon EU Member States to have in place effective foreign direct investment (“FDI”) screening mechanisms, to enhance cooperation between authorities responsible for FDI screenings and those responsible for sanctions enforcement, and to ensure full compliance with anti-money laundering requirements to prevent the misuse of the EU financial system.  While EU Member States are still far from adopting an approach to FDI screening as aggressive as the United States or the United Kingdom, as discussed below, we expect this to be an area of significant focus going forward.  In fact, as noted above, the European Commission in its Work Program 2023 indicated that it is prepared to revise the union’s FDI screening regulation to strengthen its functioning and effectiveness, and also mentioned the need for outbound strategic investment controls to be assessed during the course of the year.

VII. United Kingdom

A. Trade Controls on China

As its foreign policy stance towards China is evolving, the United Kingdom is starting to sharpen the tools in its trade arsenal.  In May 2022, the United Kingdom added China to the list of embargoed destinations for military exports.  Additionally, while initially the United Kingdom had simply been transposing the trade remedies measures that it inherited from the European Union into domestic law, in December 2022 the UK Trade Remedies Authority (“TRA”) conducted its first independent investigation into the need for measures to counter unfair imports causing harm to the UK market.  This review culminated in the introduction of new anti-dumping duties on the import of aluminum extrusions from China to the United Kingdom.  The TRA is a novel addition to the United Kingdom’s post-Brexit trade apparatus, and we expect that the agency will take an increasingly proactive approach as the United Kingdom takes full charge over the protection of its internal market and domestic producers build a relationship with the agency.  Duty levels, however, remain in the low double digits in line with EU precedent, rather than following the U.S. approach under which duties can range up to several hundred times the invoiced value of the goods.

Furthermore, the Imports of Products of Forced Labour from Xinjiang (Prohibition) Bill (the “Forced Labor Bill”) was laid before Parliament in May 2022.  The Forced Labor Bill represents the UK equivalent to the Uyghur Forced Labor Prevention Act and, like its U.S. counterpart, aims to prohibit the import of products made with forced labor in the Xinjiang region and will require companies importing products from Xinjiang to the United Kingdom to provide proof that their supply chain does not involve forced labor.  However, the Forced Labor Bill did not complete its passage before the end of the parliamentary session and will need to be reintroduced.  Nevertheless, the UK Government has recently reinforced its concerns about the situation in Xinjiang, stating that it intends to introduce financial penalties for businesses that do not comply with their transparency obligations under the Modern Slavery Act, while continuing to keep the possibility of introducing import bans under close review.

In the meantime, the Home Office, HM Revenue & Customs (“HMRC”), and the National Crime Agency were jointly sued in October 2022 by the nonprofit Global Legal Action Network and international advocacy group World Uyghur Congress.  According to the lawsuit, UK government agencies failed to investigate whether cotton imports from Xinjiang ought to be treated as “criminal property” under the Proceeds of Crime Act 2002 (the “2002 Act”), having potentially been obtained via criminal means such as exploitation of forced labor, human rights violations and, allegedly, money laundering schemes.  This failure to investigate was alleged to be in contravention of the Foreign Prison-Made Goods Act 1897 (the “1897 Act”), which prohibits the importation into the United Kingdom of goods produced in foreign prisons.  A further claim related to the UK Border Force unlawfully fettering its discretion to investigate breaches of the 1897 Act by operating on a reactive, rather than proactive, basis.  On January 20, 2023, a High Court judge dismissed the lawsuit on the basis that the plaintiffs’ evidence lacked the necessary specificity required by the 1897 Act and the 2002 Act to prosecute in relation to criminal offenses and civil powers and stated that an investigation would have little prospect of a successful conclusion without the (unlikely) cooperation of PRC authorities.  We expect more activist litigation in the United Kingdom and across Europe to stimulate legislative action until such time as laws tackling the issue of forced labor are implemented.  Companies are encouraged to preempt the incoming wave of increased supply chain scrutiny by starting to strengthen internal controls.

The lack of a clear direction of travel on China policy is a product of the complex UK-China relationship, which has been further complicated by multiple recent leadership changes in the United Kingdom.  In November 2022, Prime Minister Rishi Sunak declared the “golden era” in UK-China relations to be over, accusing China of competing for global influence using all of the levers of state power.  Shortly afterward, however, the Prime Minister reinstated funding—previously withheld by his predecessor—to the Great Britain-China Centre, an independent body in charge of facilitating dialogue between the two countries.  Echoing the Prime Minister’s public statements, the House of Commons Foreign Affairs Committee published a report supporting the designation of China as a “threat,” rather than as a “systemic competitor,” in the next iteration of the Government’s foreign policy mission statement, known as the Integrated Review of Security, Defense, Development, and Foreign Policy (the “Integrated Review”).  The Committee also called for such a designation to be followed by calibrated and proportionate wider policy change, with a particular focus on domestic resilience and security.  The UK Government is expected to finalize its update of the Integrated Review in the first quarter of 2023, and the type of trade measures deployed going forward will be determined accordingly.

B. Sanctions Developments

The United Kingdom’s newfound freedom to shape its foreign policy only with reference to the country’s own national security interests (rather than in concert with the European Union) marked a significant shift in sanctions policy in the United Kingdom.  London has sought closer alignment with the United States, and a whole-of-government approach is increasingly being adopted to tackle geopolitical crises that may impact the United Kingdom’s interests.  In the field of sanctions, the United Kingdom is wielding its power as a global financial hub, having outsourced large parts of the implementation of sanctions measures to its financial services sector, which acts as gatekeeper of a large portion of global investment and trade.

As a consequence, the UK Government is investing in its Office of Financial Sanctions Implementation (“OFSI”), its key sanctions enforcement agency, most notably by doubling its staff over the course of 2022.  The move is clearly in anticipation of more serious enforcement efforts.  Furthermore, following implementation of the Economic Crime (Transparency and Enforcement) Act 2022, OFSI will be able to—like OFAC, its sister agency in the United States—impose civil monetary penalties on a strict liability basis.  Not knowing or having reasonable cause to suspect that conduct involves a sanctions breach is therefore no longer a viable defense in UK enforcement actions.  In a further shift from previous practice, OFSI has also been granted the power to publicize details of financial sanctions breaches, including a summary of the case and the identity of the person having committed the breach, in line with U.S.-style enforcement actions.  Regardless of the size of the penalties involved, which have traditionally been a fraction of penalties imposed by OFAC, this novelty in the UK system dramatically increases reputational costs for companies subject to enforcement.

As part of the United Kingdom’s effort to bolster OFSI’s enforcement capabilities, a strategic partnership between OFSI and OFAC was announced this past year.  The partnership’s main goal will be information sharing, and the United Kingdom will now be able to leverage OFAC’s and the broader U.S. Government’s investigative powers to pursue its own enforcement actions.  In addition, officials from both units plan to exchange best practices, pool expertise, and align their implementation of economic sanctions, which may lead to a further Americanization of the United Kingdom’s enforcement practices.  The establishment of the partnership marks an important milestone in OFSI’s development and, together with the developments mentioned above, sends a clear signal of an increasing aggressiveness in approach from OFSI.

While these developments have not yet translated into particularly noteworthy enforcement activity as government investigations into potential sanctions violations can last years, OFSI’s workload nevertheless materially increased in 2022, as industry demanded guidance to navigate the complexities of the newly implemented sanctions against Russia.  As reported in the agency’s annual review, OFSI considered 147 reports of suspected financial sanctions breaches, a slight increase compared to the previous year.  Interestingly, a significant number of those reports involved referrals from international partners, further evidencing the greater international cooperation that allied countries are striving to achieve.

C. Export Controls Developments

1. Enforcement Overview

Another example of the United Kingdom’s emboldened enforcement intentions can be found in the field of export controls.  In February 2022, HM Revenue & Customs, the UK enforcement body for breaches of export controls, issued its single largest settlement of £2.7 million in relation to the unlicensed exports of military goods.  The size of the settlement is likely a result of a recent increase in HMRC’s resources for export control enforcement, which had previously been subject to concerns of being underfunded and not commensurate with the scale and complexity of the task.  We are likely to see an increase in effectiveness of investigations in 2023, with more, and higher, compound settlements issued as more resources are utilized by HMRC for enforcement purposes.

Despite the substantial settlement size, and despite requests from the United Kingdom’s Parliamentary Committee on Arms Export Controls, HMRC maintained its policy of not publishing the identity of the exporter and the export destination.  Given the shift in OFSI’s stance in relation to the publication of details relating to sanctions enforcement actions, it is possible that HMRC may soon begin to make more details of export control violations publicly available.

2. Amendments to Export Control Order 2008

On May 19, 2022, an amendment to the Export Control Order 2008 entered into force.  The unlicensed export of dual-use goods, software, or technology not specified in Annex I to the Dual-Use Regulation is prohibited when destined for any military, paramilitary, or police forces, security services, or intelligence services in an embargoed destination, as well as to any person involved in the procurement, research, development, production, or use of controlled items at the direction of such forces.  This new control applies only where the exporter is informed by the UK Secretary of State that the goods caught are, or may be, intended, in their entirety or in part, for use by the abovementioned users.  Notably, the amendment added China, the Hong Kong Special Administrative Region, and the Macau Special Administrative Region to the list of embargoed destinations.  Stripping any export control-related distinction between Hong Kong, Macau, and China is in line with U.S. decisions on the same.

3. Suspension of Open General Export Licenses for Russia

In light of Russia’s expanded invasion of Ukraine, the UK Export Control Joint Unit (“ECJU”) suspended all extant export licenses for dual-use items to Russia, as well as the approval of new export licenses to Russia.  Russia was also removed as a permitted destination from nine open general export licenses, including those for oil and gas exploration, chemicals, and cryptographic development.  Exporters are now required to apply for standard individual export licenses (“SIELs”) in order to export items to Russia.  The ECJU has committed to deciding on 70 percent of SIEL applications within 20 working days, and 99 percent of applications within 60 working days, yet delays have been common over the course of the year given the sheer volume of requests.  We expect to see a significant improvement in application processing times during 2023.

D. Foreign Direct Investment Developments

The most explicit expression of the United Kingdom’s all-of-government approach to serve the country’s national security interests is the range of investment control measures adopted thanks to the powers conferred on the UK Secretary of State for Business, Energy, and Industrial Strategy (“BEIS”) by the recently enacted National Security and Investment Act 2021 (the “NSI Act”).  The NSI Act grants BEIS the power to scrutinize, and potentially interfere with, transactions in order to protect UK national security.  Mandatory notification by industry players will be triggered where a transaction involves one of 17 “sensitive” sectors, including energy, quantum technologies, data infrastructure, artificial intelligence, cryptographic authentication, and defense, among others, which have been selected with the United Kingdom’s strategic interests in mind.  In general terms, the NSI Act is the UK version of the United States’ CFIUS regime, and, like its U.S. counterpart, has principally focused on countering Chinese influence over strategically relevant sectors of the UK economy.

Remarkably, during its first year of operation, BEIS blocked or unwound five transactions.  Among those five transactions, four involved Chinese investors, while the last and most recent concerned the acquisition of a UK broadband firm by a subsidiary of a Russian-backed company.  The fact that China is disproportionately the focus of the regime is also apparent from BEIS’s conditional decisions—that is, the agency’s final orders imposing conditions precedent to the completion of a transaction or some ongoing requirements post-acquisition.  Four of the nine conditional decisions issued during 2022 involved investors linked to China.

Most notably, NSI Act powers have recently been used to retroactively unwind transactions that had already completed.  In November 2022, the UK Government ordered Dutch-headquartered and Chinese-owned Nexperia to reverse its acquisition of Newport Wafer Fab, which owns the United Kingdom’s largest semiconductor fabrication facility.  The prospect of compound semiconductor activities at the Newport site being controlled by Chinese investors was deemed a national security concern due in part to the fab’s proximity to an industrial cluster, as the cluster could potentially be compromised and thus prevented from participating in future projects relevant to UK national security in view of the risk of technological expertise and know-how exchanges in the region.

While the UK NSI Act is the product of a reinvigorated intention to mitigate risks to UK national security presented by certain foreign investments, the Nexperia case is also an example of successful lobbying by the United States.  The UK Government had initially determined that the acquisition would not pose a national security concern.  However, the Republican-led congressional China Task Force urged President Biden to engage the UK Government to block the acquisition and, if unsuccessful, to employ all tools necessary to achieve the intended objective including reconsidering the United Kingdom’s position on the CFIUS list of Excepted Foreign States and applying targeted export controls on Newport Wafer Fab.  In particular, the China Task Force raised concerns regarding Nexperia’s ownership, claiming that it is effectively a PRC state-owned enterprise as the company is owned by a Shanghai-listed firm allegedly backed by the Chinese Communist Party.  The UK Government ultimately appears to have concurred in that assessment as it ordered Nexperia to divest its interest in the UK-based fabrication facility, citing the potential risk to national security.

The United Kingdom is expected to continue using all tools to protect itself from influence attempts by non-allies and, in light of the transatlantic collaboration trends outlined above, further alignment on the deployment of CFIUS and the NSI Act regime appears likely.

* * *

In short, 2022 was an extraordinarily active year in the world of U.S., EU, and UK trade controls.  As Russia’s war in Ukraine grinds on and relations between the United States and China remain fraught, we expect further seismic shifts, including the introduction of new outbound investment screening regimes, to keep multinational enterprises occupied throughout the months ahead.


The following Gibson Dunn lawyers assisted in preparing this client update: Scott Toussaint, Irene Polieri, Chris Mullen, Judith Alison Lee, Adam M. Smith, Stephenie Gosnell Handler, Michelle Kirschner, Patrick Doris, Benno Schwarz, Katharina Humphrey, Attila Borsos, Lena Sandberg, Christopher Timura, David Wolber, Felicia Chen, Mason Gauch, Hayley Lawrence, Allison Lewis, Nikita Malevanny, Jacob McGee, Annie Motto, Sarah Pongrace, Nick Rawlinson*, Anna Searcey, Samantha Sewall, Audi Syarief, and Claire Yi.

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments. Please contact the Gibson Dunn lawyer with whom you usually work, the authors, or the following members and leaders of the firm’s International Trade practice group:

United States
Judith Alison Lee – Co-Chair, International Trade Practice, Washington, D.C. (+1 202-887-3591, [email protected])
Ronald Kirk – Co-Chair, International Trade Practice, Dallas (+1 214-698-3295, [email protected])
Adam M. Smith – Washington, D.C. (+1 202-887-3547, [email protected])
Stephenie Gosnell Handler – Washington, D.C. (+1 202-955-8510, [email protected])
David P. Burns – Washington, D.C. (+1 202-887-3786, [email protected])
Nicola T. Hanna – Los Angeles (+1 213-229-7269, [email protected])
Marcellus A. McRae – Los Angeles (+1 213-229-7675, [email protected])
Courtney M. Brown – Washington, D.C. (+1 202-955-8685, [email protected])
Christopher T. Timura – Washington, D.C. (+1 202-887-3690, [email protected])
Annie Motto – Washington, D.C. (+1 212-351-3803, [email protected])
Chris R. Mullen – Washington, D.C. (+1 202-955-8250, [email protected])
Sarah L. Pongrace – New York (+1 212-351-3972, [email protected])
Samantha Sewall – Washington, D.C. (+1 202-887-3509, [email protected])
Audi K. Syarief – Washington, D.C. (+1 202-955-8266, [email protected])
Scott R. Toussaint – Washington, D.C. (+1 202-887-3588, [email protected])
Shuo (Josh) Zhang – Washington, D.C. (+1 202-955-8270, [email protected])

Asia
Kelly Austin – Hong Kong (+852 2214 3788, [email protected])
David A. Wolber – Hong Kong (+852 2214 3764, [email protected])
Qi Yue – Hong Kong – (+852 2214 3731, [email protected])
Fang Xue – Beijing (+86 10 6502 8687, [email protected])

Europe
Attila Borsos – Brussels (+32 2 554 72 10, [email protected])
Susy Bullock – London (+44 (0) 20 7071 4283, [email protected])
Patrick Doris – London (+44 (0) 207 071 4276, [email protected])
Sacha Harber-Kelly – London (+44 (0) 20 7071 4205, [email protected])
Michelle M. Kirschner – London (+44 (0) 20 7071 4212, [email protected])
Penny Madden – London (+44 (0) 20 7071 4226, [email protected])
Irene Polieri – London (+44 (0) 20 7071 4199, [email protected])
Benno Schwarz – Munich (+49 89 189 33 110, [email protected])
Nikita Malevanny – Munich (+49 89 189 33 160, [email protected])

*Nick Rawlinson is a recent law graduate practicing in the firm’s New York office and not yet admitted to practice law.

© 2023 Gibson, Dunn & Crutcher LLP

Attorney Advertising:  The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice. Please note, prior results do not guarantee a similar outcome.

In January 2022, the Hong Kong Monetary Authority (“HKMA”) issued a discussion paper inviting feedback on the regulatory approach towards crypto-assets and stablecoins (“Discussion Paper”).[1] We previously published an alert on this topic.[2] Following a feedback period that ended on 31 March 2022, on 31 January 2023, the HKMA issued its ‘Conclusions of the Discussion Paper on Crypto-assets and Stablecoins’ (“Consultation Conclusions”), which proposes the introduction of a stablecoin licensing regime.[3]

Recent events in the crypto market have highlighted the vulnerabilities of the crypto ecosystem, in particular, failures concerning the governance, stabilisation mechanisms, and transparency of crypto service providers. As a response to such failings, the HKMA’s proposals mirror international efforts to regulate stablecoin-related activities; for example, in October 2022, the Monetary Authority of Singapore proposed measures to regulate the issuance of stablecoins.[4]

Under the HKMA’s proposed licensing plans, the HKMA will give priority to regulating stablecoins that purport to reference one or more fiat currencies, irrespective of the intended use or underlying stabilisation mechanism of that stablecoin (“In-Scope Stablecoins”). This means that, in theory, stablecoins that reference fiat currencies through algorithms or arbitrage mechanisms fall under the scope of the HKMA’s proposals. However, for reasons explained in Section I below, such stablecoins are, in practice, unlikely to meet the HKMA’s requirements for regulation and as such will most likely continue to be unregulated in the near term. That said, the HKMA has left the door open to expand its regime to allow for future regulation of other types of stablecoin structures.

To preserve flexibility in its regulatory scope, the HKMA will publish “guiding factors” in the future, setting out the factors the HKMA could have regard to in considering whether a particular structure should be declared as stablecoin subject to the HKMA’s regulatory oversight.

I. Key Features of the Proposed Stablecoin Licensing Regime

The HKMA’s proposals follow a risk-based “same risk, same regulation” approach. Rather than introducing a single type of license, the HKMA envisages introducing different licenses targeting different regulated activities. While the HKMA is still formulating the details of its requirements, the summary below sets forth the proposed regulatory parameters of the licensing regime:

Key activities to be regulated

The HKMA proposes to regulate the following critical functions:

  • Governance: establishment and maintenance of the rules governing an In-Scope Stablecoin arrangement;
  • Issuance: issuance, creation or destruction of In-Scope Stablecoins;
  • Stabilisation: stabilisation and reserve management arrangements of an In-Scope Stablecoin, regardless of whether such arrangements are provided by the issuer; and
  • Wallets: provision of services that allow the storage of users’ cryptographic keys, access to the users’ In-Scope Stablecoin holdings and the management of such stablecoins.

Entities that will require a licence

Entities that are involved in the following activities will require a licence under the proposed licensing regime:

  • Conducting a regulated activity concerning an In-Scope Stablecoin;
  • Actively marketing a regulated activity to the public of Hong Kong; or
  • Being an entity that, taking into account matters of significant public interest, the HKMA is of the opinion should be regulated.

Special attention should be paid to regulated activities concerning a stablecoin that purports to reference its value to the Hong Kong dollar (“HKD-backed Stablecoin”). Entities dealing with HKD-backed Stablecoins will be required to apply for a licence and abide by regulatory requirements under the proposed licensing regime, irrespective of whether the regulated activity is carried out in Hong Kong or actively marketed to the Hong Kong public.

One of the suggestions made by the HKMA under the Discussion Paper is to impose a local incorporation requirement as one of the authorisation conditions. The HKMA’s reasoning is that a local incorporation requirement will enable effective supervision over licensed entities and, where necessary, facilitate seizure of assets to protect users in the event of business failures. Feedback received from the consultation shows mixed views towards this suggestion. In light of this, the HKMA has decided to evaluate the alternative suggestions raised by the respondents (for example, imposing the local incorporation requirement only on entities engaging in critical activities in a stablecoin arrangement, such as the management of reserve assets for stabilisation of the stablecoin’s value), and then determine whether to go ahead with the local incorporation requirement.

The HKMA has also clarified that both Hong Kong authorised banks (“Authorised Institutions” or “AI”) and non-Authorised Institutions (“non-AI”) are eligible to apply for a licence to issue stablecoins. This direction is in line with international standards and will be beneficial to the competitiveness of Hong Kong’s crypto business environment. To ensure the fitness and properness of stablecoin issuers, the HKMA will calibrate the final regulatory requirements applicable to AI and non-AI based on the risks that each type of issuer presents to the financial system. While it is acknowledged that AIs are already subject to stringent regulatory requirements compared to non-AIs, it remains to be seen whether the requirements applicable to AI and non-AI stablecoin issuers will be similar.

Key regulatory principles

Although the HKMA has not released the details of its regulatory requirements in relation to each regulated activity, the HKMA has published some overarching guidelines which it considers to be the crucial elements of the proposed licensing regime:

  • Comprehensive regulatory framework: the regulatory requirements will cover a broad range of issues, such as ownership, governance and management, financial resources requirements, risk management, anti-money laundering / counter-terrorist financing (“AML/CFT”), user protection, and regular audits and disclosure requirements;
  • Full backing and redemption at par: the value of the reserve assets of a stablecoin arrangement will have to meet the value of the outstanding stablecoins at all times, and the reserve assets need to be of high quality and high liquidity, such that stablecoin holders should be able to redeem the stablecoins into the referenced fiat currency at par within a reasonable period;
  • Principal business restriction: regulated entities should not conduct activities that deviate from their principal business as permitted under their relevant licence (for example, a wallet operator should not engage in lending activities).

The requirement for a stablecoin arrangement to be asset-backed effectively means that stablecoins which derive their value from arbitrage or algorithms are unlikely to be accepted under the proposed licensing regime. In other words, although such stablecoins qualify as In-Scope Stablecoins, the HKMA is unlikely to grant a licence to entities providing these stablecoin arrangements.

Further, the HKMA has specifically highlighted an on-going concern over concentration risks in the current crypto market, e.g. where multiple or bundled financial services are provided by the same entity or affiliated companies. This gives rise to user protection and conflict of interest risks. While the HKMA is still exploring regulatory options to address this vulnerability at this juncture, this area is expected to become a core regulatory focus in the near future.

The HKMA stresses that it envisages a flexible approach which allows the HKMA to “scope in” regulated activities and entities not strictly captured above under the licensing regime. Therefore, the proposals above should be seen as a visualization of the initial phase of the licensing regime. The HKMA has stated that it will be publishing assessment criteria and guiding principles to support its flexible approach. As such, if unregulated stablecoin-related activities and/or unlicensed entities prove to pose a greater and more imminent threat to Hong Kong’s financial and monetary stability than currently anticipated, the HKMA is open to expanding the licensing regime to cover these activities and entities.

II. The Regulatory Position on Unbacked Crypto-Assets

In the Discussion Paper, the HKMA invited responses on whether it should regulate unbacked crypto-assets, given their growing linkage with the mainstream financial system and risk to financial stability. Considering that responses on this point are varied, and in line with global regulatory trends, the HKMA has decided to put on hold any plans to regulate unbacked crypto-assets for the time being, and to instead focus on the regulation of stablecoins. That said, the HKMA will continue to monitor the risks posed by unbacked crypto-assets to Hong Kong’s monetary and financial stability.

III. Next Steps in the Stablecoin Regulations Roadmap

The HKMA aims to put in place the stablecoin regulatory regime by 2023/24. This timeline takes into account the need to align Hong Kong’s local regulatory regime with international recommendations and standards, which are expected to be released over the next one to two years.[5] In view of the cross-border nature of stablecoins, the HKMA has suggested possible cooperation and coordination among relevant financial regulators.

The proposed timeline will allow the HKMA to consider how the stablecoin licensing regime can fit into the broader virtual assets regulatory framework in Hong Kong and in particular, the licensing regime for virtual asset service providers (“VASPs”) administered by the Securities and Futures Commission (“SFC”). The SFC’s licensing regime for VASPs will come into effect on 1 June 2023. Please refer to our client alert on the particulars of the SFC’s licensing regime.[6]

It appears likely that the stablecoin regulations will be introduced either in the form of an amendment to the Payment Systems and Stored Value Facilities Ordinance or as new, standalone legislation. The HKMA has not committed to a transitional period in its Consultation Conclusions. However, in light of the substantial number of responses seeking a transitional period to provide sufficient time for existing service providers to make necessary adjustments to their internal policies, procedures and controls to comply with new regulations, it is possible that the HKMA may consider including a transitional period in the future.

In conclusion, the HKMA’s proposals represent a significant first step towards stablecoin regulation in Hong Kong. It is expected that the HKMA will be conducting further consultations to map out the particulars of the regulations. We will continue to closely monitor this space and will provide further updates on future developments.

________________________

[1]  “Discussion Paper on Crypto-assets and Stablecoins”, published by the Hong Kong Monetary Authority (12 January 2022), available at https://www.hkma.gov.hk/media/eng/doc/key-information/press-release/2022/20220112e3a1.pdf.

[2]  “Another Step Towards the Regulation of Cryptocurrency in Hong Kong: HKMA Releases Discussion Paper on Stablecoins”, published by Gibson, Dunn & Crutcher (19 September 2022), available at https://www.gibsondunn.com/another-step-towards-the-regulation-of-cryptocurrency-in-hong-kong-hkma-releases-discussion-paper-on-stablecoins/.

[3]  “Conclusion of Discussion Paper on Crypto-assets and Stablecoins”, published by the Hong Kong Monetary Authority (31 January 2022), available at https://www.hkma.gov.hk/media/chi/doc/key-information/press-release/2023/20230131e9a1.pdf.

[4]  “MAS Proposes Measures to Reduce Risks to Consumers From Cryptocurrency Trading and Enhance Standards of Stablecoin-related Activities”, published by the Monetary Authority of Singapore (26 October 2022), available at https://www.mas.gov.sg/news/media-releases/2022/mas-proposes-measures-to-reduce-risks-to-consumers-from-cryptocurrency-trading-and-enhance-standards-of-stablecoin-related-activities.

[5]  In particular, the Financial Stability Board published a proposed framework for international regulation of crypto-asset activities in October 2022, and has aimed to finalise the updated high-level recommendations by July 2023, with a view to implement the revised recommendations by end-2025.

[6]  “Hong Kong Introduces Licensing Regime for Virtual Asset Service Providers”, Gibson, Dunn & Crutcher (30 June 2022), available at https://www.gibsondunn.com/hong-kong-introduces-licensing-regime-for-virtual-asset-services-providers/; “Hong Kong Licensing Regime for Virtual Asset Service Providers Passed with Three-Month Delay to Implementation Timelines”, Gibson, Dunn & Crutcher (8 December 2022), available at https://www.gibsondunn.com/hong-kong-licensing-regime-for-virtual-asset-service-providers-passed-with-three-month-delay-to-implementation-timelines/.


The following Gibson Dunn lawyers prepared this client alert: William Hallatt, Arnold Pun, and Jane Lu.

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments. If you wish to discuss any of the matters set out above, please contact any member of Gibson Dunn’s Digital Asset Taskforce or the Global Financial Regulatory team, including the following authors in Hong Kong:

William R. Hallatt (+852 2214 3836, [email protected])
Grace Chong (+65 6507 3608, [email protected])
Emily Rumble (+852 2214 3839, [email protected])
Arnold Pun (+852 2214 3838, [email protected])
Becky Chung (+852 2214 3837, [email protected])


On January 26, 2023, the Delaware Court of Chancery held, for the first time, that corporate officers owe a duty of oversight.[1]  Authored by Vice Chancellor J. Travis Laster, the decision denies a motion to dismiss under Rule 12(b)(6) of the Court of Chancery Rules but leaves open the possibility that the case will be dismissed under Rule 23.1 for failure to plead demand futility.[2]

Background

This derivative litigation follows public allegations of misconduct by senior officers at a company and its franchises.  Stockholders claim that the company’s directors and officers are liable to the company for failing to oversee it in good faith.  As relevant here, they allege that a senior officer responsible for human resources but not a member of the company’s board of directors “exercised inadequate oversight in response to risks of sexual harassment and misconduct at the [c]ompany and its franchises.”[3]  They also claim that the same officer “breached his fiduciary duties [of loyalty] by engaging personally” in the same type of misconduct.[4]

The defendants moved to dismiss the complaint under Rule 23.1 for failure to plead demand futility and, in the alternative, under Rule 12(b)(6) for failure to state a claim upon which relief can be granted.  The January 26, 2023 decision discussed here addressed only the senior officer’s motion to dismiss under Rule 12(b)(6), leaving unresolved whether the complaint adequately pleaded demand futility—an issue that the court will decide at a later time.

Corporate Officers’ Duty of Oversight

The Delaware Court of Chancery held that officers are subject to the same duty of oversight as directors.  Although this is the first time the court has reached that conclusion explicitly, past rulings have suggested that officers owe the same fiduciary duties as directors.[5]

This decision further reasoned that the duty of oversight owed by officers is evaluated under the same two-prong “Caremark” test that applies to directors.[6]  First, like directors, officers “must make a good faith effort to ensure that information systems are in place so that the officers receive relevant and timely information that they can provide to the directors.”[7]  Second, officers “have a duty to address [red flags they identify] or report upward [to more senior officers or to the board].”[8]

The court observed that oversight liability for officers, however, is more limited than that of directors in at least one important way:  officers generally are liable only for overseeing their particular areas of responsibility.  This limitation applies under both prongs of the test for oversight liability.  The obligation to establish reasonable information systems extends only to the area of an officer’s responsibility.[9]  Similarly, “officers generally only will be responsible for addressing or reporting red flags within their areas of responsibility.”[10]  The court observed that there might be exceptional circumstances, however, involving “egregious” or “sufficiently prominent” red flags that officers must report up, even outside their area.[11]

Like oversight liability for directors, “oversight liability for officers” arises from the duty of loyalty and thus “requires a showing of bad faith.”[12]  Allegations of gross negligence are insufficient.

Breach of Fiduciary Duty as Applied to Sexual Harassment Claims

Applying the above framework, the court went on to hold that plaintiffs had adequately alleged a claim that the company’s senior human resources officer breached his duty of oversight “by consciously ignoring red flags” that indicated a culture of sexual harassment and misconduct in the workplace.[13]  The court focused in particular on plaintiffs’ allegations that the senior officer himself engaged in misconduct, finding that in such cases, “it is reasonable to infer that the officer consciously ignored red flags about similar behavior by others.”[14]  The court nonetheless recognized “record evidence” in 2019 and onwards that the senior officer was “part of the effort by [c]ompany management to address the problem of sexual harassment and misconduct.”[15]

Finally, the court also separately held that fiduciaries “violate the duty of loyalty when they engage in harassment themselves.”[16]  The court reasoned that acts of sexual harassment are in “further[ance of] private interests” rather than “advancing the best interests of the corporation,” and therefore are bad faith conduct that breaches the duty of loyalty.[17]  If a fiduciary “personally engages in acts of sexual harassment, and if the entity suffers harm,” then a plaintiff “should be able to assert a claim for breach of fiduciary duty in an effort to shift the loss that the entity suffered to the human actor who caused it.”[18]  The court concluded:  “Sexual harassment is bad faith conduct.  Bad faith conduct is disloyal conduct.  Disloyal conduct is actionable.”[19]

Analysis

This decision breaks new legal ground, but is unlikely to change derivative litigation materially, at least at the pleadings stage.  Courts have long recognized that officers owe fiduciary duties to the corporation they serve, similar to those that are owed by directors.  And plaintiffs have long asserted claims for breach of those duties, including oversight claims, against officers.

From an employment law perspective, however, the decision carries the potential for broader implications.  For the first time, the Court of Chancery has held that stockholders may bring suit against directors or officers of a corporation on the theory that sexual harassment constitutes a breach of fiduciary duty.  Although there have long been legal remedies for claims of sexual harassment, this decision highlights a potential avenue for derivative claims based on such allegations, providing stockholders with potential recourse to hold corporate officers accountable for actions of sexual misconduct and bringing issues traditionally reserved for employment disputes into the arena of fiduciary duty law.

Significantly, this decision in no way undermines the authority of boards of directors to evaluate whether suing officers is in the best interest of corporations.  Therefore, derivative claims for oversight liability against officers should be dismissed under Rule 23.1 absent particularized allegations that it would be futile for the plaintiff to make a pre-suit litigation demand.  Notably, Vice Chancellor Morgan T. Zurn recently dismissed derivative claims against officers based on the same reasoning.[20]

Finally, although the decision is most notable for its discussion of officer liability, it also underscores the Court of Chancery’s preference for plaintiffs to seek books and records under Section 220 of the Delaware General Corporation Law before asserting derivative claims.  The court recounts its decision to stay the case to allow intervenors to conduct an investigation through Section 220.[21]

Key Takeaways

  • Although oversight liability for officers has now been expressly acknowledged, this decision is unlikely to have a significant impact on most derivative litigation at the pleadings stage. In many instances, derivative claims are subject to dismissal because the plaintiff did not satisfy the requirement of making a pre-suit litigation demand or pleading that a demand would be futile.  The test for pleading demand futility is rigorous, and this decision does not alter it.  Nonetheless, the court’s novel findings as to liability for breach of fiduciary duty in the sexual harassment context may incentivize similar claims, at least where a fiduciary is alleged to have personally engaged in acts of sexual harassment.
  • To preserve their independence, directors should be cautious about close personal or business relationships not only among themselves but also with officers. Plaintiffs can be expected to argue that such relationships, when they exist, impede directors’ ability to render an impartial judgment as to whether it is in the best interest of a corporation to sue its officers.
  • Corporations should evaluate how they document reporting and control efforts at the officer level. Although the process for documenting board oversight is well established, the documentation of officer oversight is sometimes less formal.  Officers are particularly well advised to develop a system for documenting their responses to significant red flags, including in materials provided to the board of directors.  Thorough documentation can show that officers discharged their obligations in good faith by addressing red flags.
  • Oversight liability for officers will usually be confined to their areas of responsibility. For that reason, corporations should evaluate how they document the scope of officers’ responsibilities.
  • From an employment perspective, corporations should ensure they have appropriate anti-harassment and anti-discrimination policies and practices, including prohibitions of harassment, discrimination and retaliation, along with appropriate training, reporting, investigation, and compliance monitoring.
  • This decision may renew discussions about whether corporations should utilize recent amendments to Section 102(b)(7) of the Delaware General Corporation Law to exculpate their officers against certain claims for breach of the duty of care. Although corporations should consider amending their certificates of incorporation to add exculpatory clauses for officers, it should be understood that officer exculpation will not protect against oversight claims.  As the court made clear, oversight claims against officers (as well as directors) are claims for breach of the duty of loyalty.  Exculpatory provisions, however, concern the duty of care and cannot eliminate liability under the duty of loyalty.  Exculpatory provisions for officers, moreover, do not apply to derivative litigation, which is the context in which oversight claims are most often litigated.
  • Plaintiffs’ firms are likely to increase efforts to investigate officer misconduct under Section 220, and these efforts could raise challenging disagreements over the proper scope of Section 220 demands. In many cases, board-level documents will provide information “necessary and essential” to assessing officer misconduct, as well as the board’s ability to act in a corporation’s best interests.  Therefore, we do not believe that this decision warrants any expansion of the records that are typically available under Section 220.

____________________________

[1] See In re McDonald’s Corp. S’holder Deriv. Litig., 2023 WL 387292, C.A. No. 2021-0324-JTL, at *1, *9 (Del. Ch. Jan. 26, 2023).

[2] Del. Ch. Ct. R. 12(b)(6); Del. Ch. Ct. R. 23.1.

[3] In re McDonald’s, 2023 WL 387292, at *8.

[4] Id. at *28.

[5] Id. at *13 (citing Gantler v. Stephens, 965 A.2d 695, 709 (Del. 2009)).

[6] See, e.g., id. at *10.

[7] Id. at *11.

[8] Id. at *12.

[9] Id. at *19.

[10] Id.

[11] Id. at *2, *42.

[12] Id. at *22, *24.

[13] Id. at *27.

[14] Id. at *2, *27.

[15] Id. at *28.

[16] Id. at *28.

[17] Id.

[18] Id. at *30.

[19] Id.

[20] See In re Boeing Co. Deriv. Litig., 2021 WL 4059934, C.A. No. 2019-0907-MTZ, at *36 (Del. Ch. Sept. 7, 2021).

[21] In re McDonald’s, 2023 WL 387292, at *8.


The following Gibson Dunn attorneys assisted in preparing this client update: Jason J. Mendro, Mark H. Mixon, Jr., Elizabeth A. Ising, Monica K. Loseman, Brian M. Lutz, Tiffany Phan, Cynthia Chen McTernan, and Minnie Che.

Gibson Dunn lawyers are available to assist in addressing any questions you may have regarding these developments. Please contact the Gibson Dunn lawyer with whom you usually work, the authors, or any of the following leaders and members of the firm’s Securities Litigation, Securities Regulation and Corporate Governance, or Labor and Employment practice groups:

Securities Litigation Group:
Christopher D. Belelieu – New York (+1 212-351-3801, [email protected])
Jefferson Bell – New York (+1 212-351-2395, [email protected])
Michael D. Celio – Palo Alto (+1 650-849-5326, [email protected])
Monica K. Loseman – Co-Chair, Denver (+1 303-298-5784, [email protected])
Brian M. Lutz – Co-Chair, San Francisco/New York (+1 415-393-8379/+1 212-351-3881, [email protected])
Mary Beth Maloney – New York (+1 212-351-2315, [email protected])
Jason J. Mendro – Washington, D.C. (+1 202-887-3726, [email protected])
Alex Mircheff – Los Angeles (+1 213-229-7307, [email protected])
Jessica Valenzuela – Palo Alto (+1 650-849-5282, [email protected])
Craig Varnen – Co-Chair, Los Angeles (+1 213-229-7922, [email protected])
Mark H. Mixon, Jr. – New York (+1 212-351-2394, [email protected])

Securities Regulation and Corporate Governance Group:
Elizabeth Ising – Co-Chair, Washington, D.C. (+1 202-955-8287, [email protected])
James J. Moloney – Co-Chair, Orange County, CA (+1 949-451-4343, [email protected])
Ronald O. Mueller – Washington, D.C. (+1 202-955-8671, [email protected])
Lori Zyskowski – Co-Chair, New York (+1 212-351-2309, [email protected])

Labor and Employment Group:
Tiffany Phan – Los Angeles (+1 213-229-7522, [email protected])
Jason C. Schwartz – Co-Chair, Labor & Employment Group, Washington, D.C. (+1 202-955-8242, [email protected])
Katherine V.A. Smith – Co-Chair, Labor & Employment Group, Los Angeles (+1 213-229-7107, [email protected])

© 2023 Gibson, Dunn & Crutcher LLP

Attorney Advertising:  The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice. Please note, prior results do not guarantee a similar outcome.

I.  Introduction: Themes and Notable Developments

A.  Themes: Aggressive Enforcement Continues

The principal theme of Securities Enforcement this year is consistent with the message this Administration has promoted since it began: this Commission and its Enforcement Division are seeking to heighten the level of enforcement by employing existing remedies and increasing the price of resolving an enforcement investigation.  The Commission’s Enforcement agenda has played out in numerous ways, most notably in the increase in civil monetary penalties, but in the demand for other remedies as well.

1.  Notable Metrics: Increased Actions, But Particularly Penalties

The enforcement statistics for fiscal 2022 reflect a 6.5% year-over-year increase in stand-alone actions, from 434 in 2021 to 462 in 2022.[1]  However, this number is still well below the five-year high of 526 actions in fiscal 2019.  The distribution of actions across subject matter was generally consistent with prior years, with the majority of cases involving broker-dealers and investment advisers, public company financial reporting, and securities offerings.  There were modest increases year-over-year in the percentage of stand-alone actions for issuer reporting, audit and accounting (16% of actions in 2022, compared to 12% in 2021) and insider trading (9% of actions in 2022, compared to 6% in 2021).  There was a modest decrease in percentage of stand-alone actions for securities offerings (23% of actions in 2022, compared to 33% in 2021).

The more notable metric, and the one emphasized by the Commission, is financial remedies, particularly penalties.  In fiscal 2022, total financial remedies ordered in enforcement actions totaled $6.439 billion, the highest ever, and a nearly 70% increase over 2021.  That total consisted of disgorgement of $2.245 billion (reflecting a 6% decrease from 2021) and penalties of $4.194 billion, a record high, and more than double the penalties ordered in 2021.

In discussing the year’s enforcement statistics, the Commission highlighted the increase in penalties, referring to them as “recalibrated,” “designed to deter future violations,” and “not just a cost of doing business.”  In this respect, the Commission has taken particular note of the fact that, unlike prior years, the penalties ordered in 2022 far exceeded the amount of disgorgement ordered during the same period.  As Director Grewal discussed in a recent speech, the inversion of the penalty-to-disgorgement ratio reflects a determination to make the cost of a violation greater relative to the arguable gain.[2]

To put these penalty metrics in context, it is important to bear in mind that of the total amount of penalties, $1.235 billion was attributable to the settlements with 17 broker-dealer firms for recordkeeping violations in connection with employee text messaging on personal devices.[3]  Moreover, those settlements combined with the three other largest settlements accounted for $2.23 billion in penalties.[4]  In a nod to the likelihood that the quantum of penalties in 2022 may turn out to be an outlier in future years, the Commission appeared to manage future expectations.  Director Grewal expressly noted that, with respect to penalties, “we don’t expect to break these records and set new ones each year because we expect behaviors to change.”[5]

2.  Individual Accountability and Use of Clawback Authority

As in prior years, the Commission emphasized its continued focus on individual accountability – bringing enforcement actions against individuals as well as entities.  The Commission noted that more than two-thirds of its stand-alone enforcement actions involved at least one individual defendant or respondent.

In connection with this theme, the Commission also highlighted the use of clawback authority under Sarbanes-Oxley Section 304 to order the return of executive compensation even though the executives were not personally accused of engaging in any misconduct.  Section 304 of the Sarbanes-Oxley Act of 2002 requires the CEO and CFO of a public company that is required to restate financial results as a result of “misconduct” to reimburse the issuer for any bonus or other incentive or equity-based compensation received, and any profits realized from the sale of the issuer’s securities, by that person in the year following the initial financial report.  Section 304 does not require that a chief executive officer or chief financial officer engage in, or be aware of, misconduct to trigger the reimbursement requirement.  During 2022, the Commission utilized SOX 304 in at least four enforcement actions to recover compensation from executives who were not accused of engaging in misconduct.[6]

3.  Cooperation: A Questionable Carrot

As a counterpoint to the overarching theme of aggressive enforcement, the Commission also sought to send a message that there are rewards to be had for companies that provide so-called “meaningful cooperation” in the context of an investigation.  However, the examples cited by the Commission might lead one reasonably to question the real benefits of such cooperation.  In two of the examples, the companies were still subjected to enforcement actions, albeit without incurring a civil penalty.[7]  In a third action, the company was also ordered to pay a penalty of $18 million.[8]  Understandably, there remains a significant perception gap in the value of cooperation as between the Commission and companies seeking to benefit by engaging in cooperation and remediation as part of an investigation.

4.  Admissions Required in Some Cases – But No Standard Articulated

Finally, as we had previewed in our 2021 Year-End Alert, the Commission expressed an intent to demand admissions in a greater number of settlements.  True to its word, in reviewing its fiscal 2022 results, the Commission noted that a number of settlements included some form of admissions by the settling parties, including the settlements with broker-dealers for recordkeeping issues related to text messaging.  In its press release announcing the fiscal 2022 results, the Commission referred to requiring admissions “where appropriate.”[9]  However, the Commission has articulated no standards by which one would know when or why admissions would be deemed “appropriate” in any particular case.  Consequently, uncertainty will inevitably remain as to when the Commission will demand such admissions.

B.  Commissioner and Senior Staffing Update

As we reported in our 2022 Mid-Year Alert, as of early July, the five-member SEC Commission was back to capacity with the swearing in of Commissioner Jaime Lizárraga on July 18.[10]  Commissioner Lizárraga most recently served as a Senior Advisor to former House Speaker Nancy Pelosi, and previously worked on the Democratic staff of the House Financial Services Committee.  Commissioner Lizárraga has more than 30 years in public service and joins Chair Gary Gensler as the second non-lawyer on the current Commission.

At the senior staff level, there were several changes in leadership, including at the Divisions of Investment Management and Examinations, as well as in the General Counsel’s office.

  • In November, Keith E. Cassidy and Natasha Vij Greiner were named Deputy Directors of the Division of Examinations.[11] In addition to their Deputy Director positions, Cassidy and Greiner are the National Associate Directors of the Division’s Technology Controls Program (TCP) and Investment Adviser/Investment Company (IA/IC) examination programs, respectively, roles which they will continue to serve going forward.
  • In December, Sarah ten Siethoff was named Deputy Director of the Division of Investment Management.[12] She previously served as Acting Director of the Division of Investment Management throughout 2021, and has been in the Division since 2008.  In addition to her responsibilities as Deputy Director, she will also continue serving as the Associate Director of the Division’s Rulemaking Office, a position she has held since 2018.
  • Also in December, SEC General Counsel Dan Berkovitz announced that he would be departing the agency as of January 31, 2023.[13] Current SEC Principal Deputy General Counsel, Megan Barbero, will be appointed General Counsel upon Berkovitz’s departure.  Prior to joining the agency in 2021, Barbero served as Deputy General Counsel for the United States House of Representatives, and previously worked at the Department of Justice and in private practice.

Similar to the first half of 2022, there was significant turnover at the regional offices, with five of the eleven offices experiencing changes in leadership.

  • In August, Nicholas P. Grippo was named Regional Director of the Philadelphia Regional Office.[14] Grippo previously served as the Chief of the Criminal Division for the U.S. Attorney’s Office for the District of New Jersey where he supervised approximately 120 prosecutors and support staff.  During his time as an Assistant United States Attorney, Grippo spent five years in the office’s Economic Crimes Unit prosecuting securities fraud and white-collar crimes.
  • Also in August, Monique C. Winkler was named Regional Director of the San Francisco Regional Office.[15] Winkler had been serving as the Acting Regional Director in that office since March 2022, and as the Associate Regional Director for Enforcement since 2019.  Winkler has served in a variety of roles in the San Francisco Regional Office since joining the SEC in 2008.
  • In October, Jason J. Burt, who had been serving as Acting Co-Director of the Denver Regional Office since July 2022, was promoted to Regional Director.[16] Burt has been at the SEC since 2004, and had served as the Office’s Associate Regional Director, overseeing the enforcement program, since 2019.  While he has primarily been in the Enforcement Division, he has also spent time in the Examinations Division earlier in his career.
  • In December, Fort Worth Regional Director David L. Peavler announced that, after a 19-year career at the SEC, he would be leaving the agency.[17] Eric R. Werner and Marshall Gandy will be serving as the Co-Acting Regional Directors until a permanent replacement is named.
  • Also in December, Antonia Apps was named Regional Director of the New York Regional Office.[18] Apps was most recently a litigation partner at a New York law firm, focusing on criminal and regulatory matters, and earlier in her career served as an Assistant United States Attorney in the Southern District of New York’s Criminal Division, where she investigated and prosecuted securities fraud cases.

C.  Environmental, Social, and Governance

The SEC continued to focus its attention on environmental, social, and governance (ESG) concerns, relying on what the Commission characterized as “time-tested principles concerning materiality, accuracy of disclosures, and fiduciary duty.”[19]  For example, in September, the Commission’s Investment Advisory Committee held a panel discussion on “the importance of ESG and Greenwashing and the heightened role of ESG for investors.”[20]  However, the second half of 2022 brought fewer ESG-related enforcement actions compared with the first half.[21]

In November, the SEC instituted a settled administrative action against an asset management firm based on alleged failure to adopt and maintain policies and procedures relating to its ESG investments.[22]  The SEC’s order found that the firm did not have a written policy for certain ESG funds for more than a year, and then did not consistently follow the written policy it adopted.  For example, the asset manager required personnel to complete a questionnaire before including a portfolio company in the funds, but personnel completed certain of the ESG questionnaires after they had already selected the investments for inclusion and relied on previous ESG research conducted in a different manner than what was required in the firm’s policies and practices.  These practices allegedly violated Section 206(4) of the Advisers Act and Rule 206(4)-7, which require advisers to adopt and implement policies and procedures reasonably designed to prevent violations of the Advisers Act.  The firm agreed to a cease-and-desist order, and a $4 million civil penalty.

D.  Whistleblower Awards

The SEC’s whistleblower program continues to result in significant information being transmitted to the SEC, and the whistleblower program continues to provide significant rewards in exchange for information that ultimately contributes to an SEC action.  As of year-end 2022, the SEC has awarded more than $1 billion since issuing its first award in 2012.

In August, the SEC adopted two amendments to rules for the whistleblower program.[23]  The first amendment expands the SEC’s ability to pay whistleblowers for information and assistance in connection with non-SEC, related actions even where that related action might otherwise be covered by an alternative whistleblower program through another agency.  To be eligible for an award under the SEC program in that situation, the other entity’s program must not be comparable to the SEC’s program, or the maximum award under the SEC’s program must not exceed $5 million.  The second amendment affirms that the SEC may consider the dollar amount of a potential award for the “limited purpose” of increasing, but not decreasing, an award.  Chair Gary Gensler stated that these amendments are designed to “strengthen” the SEC whistleblower program.

Significant whistleblower awards granted during the second half of this year included:

  • Three awards in July, including one award of over $3 million to a whistleblower who reported that a product in which they were solicited to invest was being misrepresented, prompting the opening of an investigation; another award of over $3 million to an insider who had initially reported their concerns internally, and later submitted a “detailed tip,” prompting the opening of an investigation;[24] and an award of more than $17 million to a whistleblower who provided information and assistance that prompted the opening of a new investigation, and resulted in a successful covered action and the success of a related action.[25]
  • Two awards in August, both related to the same action—the first award of approximately $13 million was granted to a whistleblower for providing information on “difficult-to-detect” violations, including identifying key witnesses and providing “critical information”; the second whistleblower provided “important new information” during the investigation and received an award of more than $3 million.[26]
  • One $10 million award in October, awarded to a whistleblower who provided documents and met with staff twice, where the information provided critical information to the investigation and there was a “close nexus” between the whistleblower’s allegations and the charges in the ultimately successful action.[27]
  • One $20 million award in November, to a whistleblower who provided “new and critical information” that led to the success of an enforcement action and supported staff in their efforts to “quickly and efficiently investigate complex issues.”[28]
  • Two large awards in December, including a more than $20 million award to a whistleblower for providing new information, meeting with staff multiple times, and remaining cooperative throughout the investigation, which led to a successful enforcement action.[29] The second award was more than $37 million, and was granted to a whistleblower who was the initial source of the company’s investigation, the SEC’s investigation, and an investigation by another agency.  Even though the company reported the alleged conduct to the SEC and another agency, the whistleblower was given credit for the initiation of the investigations because they provided information to the SEC within 120 days of reporting it internally.[30]

II.  Public Company Accounting, Financial Reporting, and Disclosure Cases

A.  Financial Reporting Cases

In early August, the SEC settled an action against a surgical implant manufacturer and its former Chief Financial Officer after the company and CFO allegedly mischaracterized sales figures to investors.[31]  The SEC alleged that between 2015 and 2019, the company, with permission from the CFO, shipped future orders early to accelerate revenue, a practice that violated generally accepted accounting principles (GAAP).  Without admitting or denying the allegations, the company and former CFO agreed to cease and desist from future violations, and pay penalties of $2 million and over $75,000, respectively.  The CFO also agreed to return over $200,000 in bonuses and other compensation to the company, and be suspended from appearing and practicing before the SEC as an accountant.  The SEC separately brought a complaint against the company’s CEO, alleging the executive violated antifraud provisions of federal securities laws based on the same allegations made against the company and CFO.  The complaint seeks, among other relief, the return of the CEO’s bonuses and profits from stock sales, as well as civil penalties.

In late August, the SEC announced a settled action against a construction company based on allegations that between 2017 and 2019, the company’s financial statements inflated the company’s financial performance.[32]  The complaint alleges that a former executive deferred recording costs to create the appearance of inflated profit margins.  The Commission credited the company with self-reporting the executive’s conduct to the Commission, and redesigning its internal accounting policies and procedures to increase the accuracy of its expected costs going forward.  Without admitting or denying the allegations, the company agreed to an injunction from future violations and to pay a $12 million civil penalty.  The SEC also brought a complaint against the executive based on the same conduct, charging him with violating the antifraud and other provisions of federal securities laws, and seeking, among other relief, disgorgement and civil penalties, along with an officer and director bar.  In separate administrative proceedings, pursuant to Section 304 of the Sarbanes-Oxley Act, three additional executives agreed to return more than $1.4 million in bonuses and compensation.

In September, the SEC announced a settled action against a technology company relating to the company’s revenue reporting practices.[33]  In the order, the SEC alleged the company delayed product deliveries to customers, which allowed it to report revenue in future quarters.  The practice, the SEC alleged, concealed poor performance relative to the company’s financial projections in violation of federal securities laws.  Without admitting or denying the allegations, the company agreed to cease and desist from future violations and an $8 million civil penalty.

In October, the SEC announced a settled action against a cannabis company and its former Chief Commercial Officer (CCO) for accounting fraud.[34]  According to the SEC, the company filed financial statements with the SEC in three separate quarters that contained material accounting errors related to revenue recognition and goodwill impairment.  The SEC also alleged that in one of the quarters, the company did not know of or account for an undisclosed agreement by its then CCO to sell cannabis raw material and to repurchase cannabis product in the following quarter, leading to a $2.3 million accounting error.  The SEC noted that the company discovered this error internally and promptly reported the misconduct to the SEC and provided extensive cooperation and remedial efforts to improve its accounting controls.  Without admitting or denying the SEC’s findings, the company and its former CCO agreed to settle the matter by agreeing to cease and desist from future violations, and agreeing to retain an independent compliance consultant to make recommendations with respect to the firm’s financial reporting and accounting controls.  The SEC assessed no penalty on the company.  The former CCO consented to a three-year officer and director bar, suspension from practicing before the SEC as an accountant for at least three years, and paid $54,000 to the Ontario Securities Commission for similar conduct.

B.  Public Statements and Disclosures

In July, the SEC announced two settled actions relating to allegedly false statements to investors.  First, the SEC settled fraud charges with a life insurance company for making materially misleading statements and omissions regarding investor fees.[35]  Specifically, the SEC alleged the insurance company charged additional fees not listed in investors’ quarterly account statements, and that the insurance company gave the false impression that the account statements included all fees.  Without admitting or denying the allegations, the company agreed to cease and desist from future violations, revise certain disclosures in investor account statements, and to pay a $50 million civil penalty, which will be distributed to affected investors.  Several days later, the SEC announced a settled action against a health insurance distributor and its former CEO for allegedly making false statements to investors regarding its distributor compliance standards.[36]  The SEC further alleged that between March 2017 and March 2020, the company and its CEO misrepresented its consumer satisfaction rates, charged consumers for products they did not authorize, and failed to cancel plans upon consumer requests.  Without admitting or denying the allegations, the company and former executive agreed to cease and desist from future violations, and pay penalties of $11 million and over $1 million, respectively.

In August, the Commission instituted a settled action against a bank and its former CEO for allegedly making inaccurate statements about loans extended by the bank to the CEO’s family trusts.[37]  According to the SEC, the bank’s annual reports and proxy statements from March 2015 to April 2018 did not include loans to the CEO’s family trusts, which totaled nearly $90 million.  The SEC also alleged the bank did not include other loans to its directors and their family members, which totaled tens of millions of dollars, in its reports.  Without admitting or denying the allegations, the bank agreed to cease and desist from future violations and pay disgorgement of more than $2.6 million and a civil penalty of $10 million.  Also without admitting or denying the allegations, the former CEO agreed to a permanent injunction, a two-year officer-and-director bar, and penalties and disgorgement of more than $400,000.

In September, the Commission settled charges with an airplane manufacturer and its former CEO over alleged misstatements made in the wake of airplane crashes in 2018 and 2019.[38]  The order alleged that after the crashes, the company and its CEO assured the public its planes were safe, when it knew of an ongoing safety risk.  Without admitting or denying the allegations, the company and former executive agreed to cease and desist from future violations, and pay penalties of $200 million and $1 million, respectively.

Also in September, the SEC announced settled charges against a minerals company for violating the antifraud, reporting, and internal-controls provisions of the Securities Act and the Exchange Act.[39]  The SEC alleged that the company repeatedly and falsely told investors in 2017 that a technology upgrade at its most prominent mine would cut costs and increase revenue, when costs were actually increasing rather than decreasing.  The SEC also alleged that the company overstated the amount of salt it could produce at this mine.  Separately, the SEC alleged that the company failed to properly assess the risks of mercury contamination at a former facility and the resulting cover-up.  Without admitting or denying the findings, the company paid $12 million to settle the charges, agreed to cease and desist from further violations, and hired an independent compliance consultant to make recommendations concerning its internal controls.

Also in September, the SEC announced a settled action against a multinational bank for the offer and sale of unregistered securities.[40]  The SEC alleged that the bank had recently lost its status as a well-known seasoned issuer and thus, the bank was required to quantify the total number of securities that it planned to offer and sell and to file a new registration statement and pay registration fees for those offerings.  The SEC’s order alleged that because the bank had not established internal controls to track actual offers and sales of securities against registrations in real time, the bank offered and sold approximately $17.7 billion worth of unregistered securities.  Without admitting or denying the SEC’s allegations, the bank agreed to the entry of cease-and-desist orders and to implement and audit new internal controls.  The bank also agreed to pay a $200 million civil penalty and disgorgement of more than $160 million, the latter deemed satisfied by its offer to rescind the unregistered sales.  As noted in the SEC’s order, the bank self-reported its violations, cooperated with the investigation, and commenced a rescission offer.

In December, the SEC announced settled fraud charges with a multinational bank for allegedly misleading investors about its deficient anti-money laundering (AML) compliance program in a foreign branch and failing to disclose the risks posed by this deficiency.[41]  The SEC alleged that the bank knew or should have known that many of the branch’s customers were engaging in transactions with a high risk of involving money laundering, but it did not adequately disclose these risks, resulting in an inflated share price.  These alleged misleading statements included that the bank complied with its AML obligations and that it had effectively managed its AML risks.  The bank settled the charges by consenting to an order permanently enjoining it from future violations as well as penalties and disgorgement of more than $400 million.  The bank ultimately agreed to pay more than $2 billion in an integrated resolution with United States and Danish regulators.

Also in December, the SEC announced that it charged the former CEO of a biotechnology company and the CEO of a research firm that had contracted with the biotech company with fraud and insider trading.[42]  The SEC’s complaint alleged that the biotech CEO exaggerated the company’s progress with regard to an antibody that was being tested as a treatment for various diseases such as COVID-19 and HIV.  Specifically, the SEC’s complaint alleged that the company caused its stock to rise by falsely announcing that it had submitted a completed Biologics License Application to the FDA when the company was aware that its FDA submission was inadequate.  Meanwhile, the CEO sold more than $15 million in stock for a profit of almost $5 million.  The SEC’s complaint further alleged that the research firm CEO aided the biotech company with the inadequate FDA submission and subsequently sold more than $400,000 of the biotech company’s stock.  The SEC’s complaint, pending in federal district court in Maryland, seeks disgorgement, civil penalties, officer-and-director bars, and permanent injunctive relief.

C.  Auditor Independence

In September, the SEC announced charges against an audit firm and three senior employees for improper professional conduct.[43]  The SEC alleged that the firm’s planning and supervision of an audit and its evaluation of the results did not adhere to the Public Company Accounting Oversight Board’s standards.  The SEC also alleged that the lead partner and senior manager on the audits did not adequately supervise and execute the audits.  Another partner allegedly approved the firm’s analysis even though it inflated revenue and contained errors that were material to investors.  Without admitting or denying the SEC’s findings, the firm agreed to pay a $3.75 million penalty and to a cease-and-desist order.  The firm also agreed to retain an independent consultant to review its practices.  Likewise, the lead partner and senior manager neither admitted nor denied the SEC’s findings, and both settled charges by agreeing to a suspension from appearing and practicing as accountants before the SEC, but did not receive a financial penalty.  The third employee agreed to a censure and neither admitted nor denied the SEC’s findings, but received neither a practice suspension nor a financial penalty.

III.  Investment Advisers

A.  Fraud and Misrepresentations

In August, the SEC filed a settled action against an investment management firm and one of its portfolio managers in connection with allegations that they misled investors about the delinquency rates for the firm’s securitization of fix-and-flip home loans.[44]  According to the SEC, the firm raised $90 million in March 2018 by securitizing loans made to borrowers for the purpose of buying, renovating, and selling residential properties.  Under the terms of the deal, the firm faced a higher obligation to repay investors if delinquencies exceeded a certain threshold.  The firm and one of its portfolio managers allegedly diverted funds to pay down outstanding loan balances in order to hide unexpectedly high delinquency rates from investors.  Without admitting or denying the SEC’s allegations, the firm and portfolio manager agreed to a cease-and-desist order, and the imposition of $1.75 million and $75,000 in civil penalties, respectively.

Also in August, the SEC charged an investment adviser and two of its executives with defrauding clients out of more than $75 million.[45]  The SEC alleged that the executives breached their fiduciary duties to their advisory clients by fraudulently causing clients to engage in undisclosed transactions with the executives’ own affiliate companies.  According to the SEC, the executives used complex investment structures and a network of undisclosed affiliate companies to divert money to themselves without their clients’ knowledge.

In September, the SEC filed a settled action against an investment adviser charged with failing to disclose conflicts of interest.[46]  The SEC charged the adviser with failing to provide its clients and investors with adequate information regarding conflicts between the adviser and special purpose acquisition companies (SPACs) owned by the adviser’s personnel.  The adviser allegedly invested client assets in transactions that benefitted the SPACs owned by its personnel.  According to the SEC, the adviser also failed to file timely a required report concerning its beneficial ownership of stock in a public company, which coincided with the adviser’s improper acquisition of additional stock in the company.  Without admitting or denying the SEC’s findings, the adviser agreed to a cease-and-desist order, and a $1.5 million penalty.

B.  Excess Fees

In September, the SEC filed a settled action against an exempt reporting adviser alleged to have charged excess management fees to two venture capital funds.[47]  According to the SEC, the adviser made a series of errors in its own favor when calculating fees, such as by erroneously failing to reduce fees for certain securities subject to write-downs.  Without admitting or denying the SEC’s findings, the adviser agreed to a cease-and-desist order.  The adviser has also returned over $675,000 plus interest to the two funds and their limited partners, and has agreed to pay a penalty of $175,000.

C.  Compliance and Oversight

In September, the SEC filed a settled action against nine investment advisers for alleged failure to comply with the Custody Rule for client assets and/or related reporting requirements.[48]  The SEC charged some of the advisers with failure to have audits performed timely or to deliver audited financials to investors, in violation of the Investment Advisers Act’s Custody Rule.  The SEC also alleged that some advisers failed to file promptly amended Forms ADV to reflect the current status of financial statement audits.  Without admitting or denying the SEC’s findings, the firms agreed to a cease-and-desist order, and to pay combined civil penalties exceeding $1 million.

In October, and in the context of rulemaking rather than enforcement, the SEC proposed a new rule and rule amendments prohibiting registered investment advisers from outsourcing certain services without conducting due diligence and monitoring the outsourced service providers.[49]  The rule would apply to advisers that outsource certain services or functions, including those that are necessary for providing advisory services in compliance with the federal securities laws and that, if not performed or if performed negligently, would have a material negative impact on clients.  For example, such services may include providing investment guidelines, portfolio management, models related to investment advice, indices, or trading services or software.  The proposed rule would require advisers to satisfy specific due diligence elements before employing a service provider and to conduct periodic monitoring of the provider’s performance.  The proposed rule would also cover advisers’ retention of third-party recordkeepers and would impose record retention requirements on any adviser subject to the rule.

IV.  Broker-Dealers

A.  Recordkeeping

In September, the SEC announced charges and settlements with fifteen broker-dealers and one affiliated investment adviser for allegedly violating recordkeeping provisions of the federal securities laws by failing to maintain and preserve electronic communications.[50]  According to the SEC, the investigation uncovered that the firms’ employees routinely communicated about business matters through text messages on their personal devices, the majority of which were not preserved by the firms as required.  The firms cooperated with the investigation by gathering these communications from the personal devices of a sample of their employees.  The firms admitted to the facts set forth in their respective SEC orders, acknowledging that their conduct violated the recordkeeping provisions, agreed to a cease-and-desist order, and agreed to pay a combined $1.1 billion in fines.  The firms also agreed to retain compliance consultants to conduct comprehensive reviews of relevant policies and procedures.  The Commodity Futures Trading Commission announced separate settlements with the firms for related conduct.

B.  Registration

In August, the SEC announced settled charges against a convertible note dealer and its managing members for failing to register with the SEC as securities dealers.[51]  According to the SEC, the dealer purchased convertible notes from microcap issuers, converted the notes into newly issued shares of stock at a large discount from the market price, and sold the newly issued shares at a significant profit.  These activities required the dealer and its managing members to register as dealers with the SEC or associate with a registered dealer.  Without admitting or denying the SEC’s allegations, the dealer and its managing members agreed to be permanently enjoined from future violations; to pay disgorgement, prejudgment interest, and a civil penalty of more than $9 million; to a five-year penny stock bar; and to surrender or cancel securities allegedly obtained from their unregistered dealer activity.  They also consented to entry of an order imposing a five-year collateral bar.

In September, the SEC announced its first-ever charges against a broker-dealer for allegedly violating the municipal advisor registration rule.[52]  According to the SEC, the broker-dealer, without registering as a municipal advisor, advised a Midwestern city to purchase particular fixed income securities, which it did.  The SEC’s order further found that the broker-dealer did not maintain a system reasonably designed to supervise its municipal securities activities and had inadequate procedures.  The broker-dealer agreed to penalties and disgorgement totaling more than $5.5 million.

In November, the SEC announced charges against two individuals and two New York-based entities they controlled for allegedly operating as unregistered broker-dealers that facilitated more than $1.2 billion of securities trading, primarily in penny stocks.[53]  The SEC alleged that the individuals provided brokerage services to 60 customers including taking possession of customer securities, directing trades to executing brokers, facilitating trade settlements, and disbursing trading proceeds to customers.  The individuals received at least $12 million in compensation.  The individuals acted through two entities which were not registered with the SEC as broker-dealers.  Litigation is ongoing.

C.  Customer Data Deficiencies

In July, the SEC announced separate charges against two dual-registered broker-dealers and investment advisers, and one broker-dealer, for alleged deficiencies in their programs to prevent customer identity theft.[54]  According to the SEC, these deficiencies constituted violations of the SEC’s Identity Theft Red Flags Rule, or Regulation S-ID.  Without admitting or denying the SEC’s findings, each firm agreed to a cease-and-desist order, and to penalties of $1.2 million, $925,000, and $425,000, respectively.

In September, the SEC announced settled charges against a dual-registered broker-dealer and investment adviser based upon allegations that the firm failed to protect the personal identifying information of approximately 15 million customers over a five-year period.[55]  In particular, the SEC alleged that as far back as 2015, the firm failed to properly dispose of devices, including hard drives and servers, containing PII of millions of customers.  Without admitting or denying the SEC’s allegations, the company agreed to pay a $35 million penalty.

V.  Cryptocurrency and Other Digital Assets

A.  Significant Developments

Throughout 2022, the SEC remained “focused on the rapidly evolving crypto asset securities space,” continuing to investigate and police fraud and misconduct in the area.[56]  The agency brought high-profile enforcement actions such as its action against Samuel Bankman-Fried for fraud relating to the crypto trading platform he co-founded.[57]  At the same time, in remarks in September, Chair Gensler emphasized that “nothing about the crypto markets is incompatible with the securities laws” and rather that traditional principles of investor protection applied to the crypto market, “regardless of underlying technologies.”[58]

In September, the SEC announced it would add an Office of Crypto Assets to its Division of Corporation Finance’s Disclosure Review Program (DRP), joining seven existing offices and one other new office that review issuer filings in order to protect investors.[59]  The SEC said the new office would “enable the DRP to better focus its resources and expertise to address the unique and evolving filing review issues related to crypto assets.”

B.  Registration Cases

In September, the SEC charged a company and its CEO with offering unregistered crypto securities.[60]  The SEC’s order alleged that the company’s tokens acted as unregistered securities because the company promised that they would increase in value, that the company’s management would continue to improve its proprietary trading platform, and that it would make the tokens available on the platform.  Without admitting the findings, the company and its CEO agreed to destroy the remaining tokens, request that they be removed from trading platforms, and pay more than $35 million in disgorgement and civil penalties.  The SEC also brought an action against an individual who it claimed promoted the tokens on social media without registering them and without disclosing that he received a thirty-percent bonus on every token he purchased.

In November, the SEC instituted administrative proceedings against a Wyoming-based organization to determine whether to suspend the registration of two crypto assets it offered for failure to provide complete and accurate information in its Form S-1 registration statement.[61]  The SEC alleged that the organization omitted required information and made misleading statements about its business, organization, and finances, and that it inconsistently claimed the transactions it sought to register were not securities transactions at all.

C.  Fraud Cases

In August, the SEC brought an action against eleven individuals for an alleged cryptocurrency Ponzi scheme, including three U.S.-based promoters.[62]  According to the complaint, the defendants operated and promoted a scheme that promised returns from smart contracts operating on popular blockchains such as Ethereum, while actually paying earlier investors with proceeds from new investors.  The SEC alleged that the scheme raised $300 million from investors in the U.S. and overseas, and continued to operate in spite of cease-and-desist orders from the Securities and Exchange Commission of the Philippines and the Montana Commissioner for Securities and Insurance.  Two of the defendants agreed to settle for disgorgement and civil penalties and to be permanently enjoined from violating certain securities laws.

In September, the SEC brought an action against a corporation and two individuals for promoting unregistered crypto securities and unlawfully manipulating the price and trading volume of the securities.[63]  The complaint alleged that the corporation and its then-CEO promoted a token to the public and then hired a foreign market-making firm to create the false appearance of high-volume trading using trading software (a “bot”).  The company then sold tokens at an artificially inflated price for a profit of more than $2 million.  One defendant, the CEO of the foreign trading firm, consented to the entry of injunctive relief against him and agreed to pay disgorgement and a civil penalty to be determined by the court.

In October, the SEC announced that it had settled charges against a popular social media influencer for promoting a crypto asset on social media without disclosing that she was paid for the promotion.[64]  The SEC’s order alleged that the influencer published a social-media post with a link to a website where purchasers could buy a crypto token, but did not disclose that she was paid $250,000 to do so.  She agreed to pay $1.26 million in disgorgement, penalties, and interest and to refrain from promoting crypto securities for three years.

In November, the SEC brought an action against the promoters of what it alleged was a crypto Ponzi scheme that raised $295 million in Bitcoin from more than 100,000 investors globally.[65]  According to the complaint, the defendants promised investors that a proprietary technology would generate daily returns by engaging in millions of crypto microtransactions.  Instead, they siphoned off funds for their personal gain, and all investor withdrawals came from deposits by other investors.

In December, the SEC announced charges against Samuel Bankman-Fried, co-founder and CEO of FTX Trading Ltd., for defrauding equity investors in the Bahamas-based crypto trading platform he co-founded.[66]  The complaint alleged that Bankman-Fried told investors that the platform was a safe and responsible crypto-trading platform, while instead diverting company assets to his privately-held crypto hedge fund and exposing company investors to inflated and illiquid crypto assets held by the hedge fund.  Bankman-Fried raised $1.8 billion from investors, including $1.1 billion from U.S. investors.  The SEC’s complaint seeks disgorgement and a civil penalty, an injunction against participating in the offer or sale of securities, and an officer-and-director bar.  The U.S. Attorney’s Office for the Southern District of New York and the Commodity Futures Trading Commission announced parallel charges against Bankman-Fried.  Relatedly, and several weeks following the initial case, the SEC brought actions against two additional executives for furthering Bankman-Fried’s scheme.  The two executives agreed to permanent injunctions against participating in the issue or offer of securities, officer and director bars, and disgorgement and civil penalties.  The U.S. Attorney’s Office for the Southern District of New York announced parallel criminal charges.[67]

Also in December, the SEC brought an action against four individuals for raising more than $8.4 million from predominantly Spanish-speaking retail investors for a crypto pyramid scheme.[68]  The defendants allegedly sold “memberships” to hundreds of retail investors by promising returns from their crypto trading and mining operation, but knew or were reckless in not knowing that the platform could only provide returns by raising money from other investors.  The U.S. Attorney for the Southern District of New York announced parallel criminal charges against two of the defendants.

VI.  Insider Trading

A.  Cryptocurrency Exchange

In July, the SEC announced insider trading charges against the former product manager of a cryptocurrency exchange platform for allegedly sharing confidential information in advance of market-moving announcements in the industry.[69]  The SEC alleged that between at least June 2021 and April 2022, the manager provided non-public information obtained through his employment to both his brother and a friend, who allegedly purchased assets ahead of the announcements.  The announcements typically resulted in an increase in the assets’ prices, and the purchases allegedly generated aggregate profits of over $1.1 million.  A representative of the SEC emphasized that insider trading would be enforced regardless of the label placed on the securities involved.  The U.S. Attorney’s Office for the Southern District of New York announced criminal charges against all three individuals.  This is the first instance in which insider trading charges have been filed in connection with a cryptocurrency market.

B.  Other Insider Trading Cases

Also in July, the SEC filed a complaint against a former U.S. Representative for Indiana’s 4th Congressional District for allegedly trading ahead of market-moving announcements by two companies.[70]  After leaving office in 2011, the former representative formed a consulting firm whose clients included a major cell phone service provider.  The SEC alleged that, during a golf outing in 2018, an executive of the provider shared with the former representative information about a nonpublic acquisition plan, and the former representative acquired stock in the target company the next day across various accounts.  When news of the merger became public, he allegedly saw an immediate profit of more than $107,000.  The complaint also alleged that in 2019, he purchased the stock of a company that then announced it would be acquired by one of his consulting firm’s clients, resulting in profits that exceeded $227,000.  The complaint seeks disgorgement, penalties, a permanent injunction, and an officer-and-director bar against the former representative, and disgorgement by the representative’s wife.  The U.S. Attorney’s Office for the Southern District of New York announced related criminal charges against the former representative.

In July, the SEC filed insider trading charges against nine individuals in connection with three alleged schemes.[71]  Each action originated from the SEC Enforcement Division’s Market Abuse Unit’s (MAU) Analysis and Detection Center, which used data analysis tools to detect the transactions.  In the first action, the SEC alleged that the former CISO of a technology firm, along with his friends, traded in advance of two corporate acquisition announcements by the firm in 2021, gaining over $5.2 million in profits.  The SEC’s second action is against an investment banker and his close friend who allegedly traded ahead of four acquisition announcements in 2017 about which the banker had confidential information.  The investment banker’s friend allegedly purchased call options on the target companies, and later wired the banker money.  In the final action, the SEC alleged that a former FBI trainee and his friend made $82,000 and $1.3 million, respectively, by trading ahead of a tender offer announcement in 2021.  The former trainee allegedly learned about the deal after reviewing a binder that belonged to his then-romantic partner, who worked as an associate for a law firm representing the offeror.  The actions were filed in the Southern District of New York, and all three investigations are ongoing.

In September, the SEC announced insider trading charges against the CEO and former president of a mobile internet company.[72]  The SEC alleged that the two individuals established a 10b5-1 trading plan after noticing a drop-off in advertising revenues from the company’s largest advertising partner.  Allegedly, they each sold shares, avoiding losses of approximately $200,000 and $100,000, respectively.  Additionally, in 2016, the CEO allegedly made materially misleading public statements about the company and also caused the company’s failure to disclose a material negative revenue trend in its annual report.  Both individuals agreed to pay civil penalties and also to cease-and-desist orders and undertakings relating to their future securities trading.

Also in September, the SEC filed insider trading charges against two Canadian software engineers who allegedly traded ahead of non-public, market-moving financial information.[73]  The SEC alleged that, from at least 2018 to 2021, the two individuals were employed by a newswire distribution company responsible for corporate press releases and used their ability to preview headlines, times, and publication dates of announcements.  The SEC’s action is pending in the District of New Jersey, and the Ontario Securities Commission announced that the two engineers have been charged with fraud and insider trading offenses under the Ontario Securities Act.

In November, the SEC announced that it filed insider trading charges against the Chief Information Officer of a pharmaceutical company in the United States District Court for the Western District of Pennsylvania.[74]  The SEC alleged that, from at least 2017 to 2019, the CIO gave material nonpublic information about the company’s unannounced drug approval, financial performance, and impending merger to his friend and former colleague, generating nearly $8 million and avoiding losses.  The CIO was allegedly receiving cash kickbacks in exchange for the information.  The friend was charged previously, and the Department of Justice’s Fraud Section announced that it would be filing criminal charges.

In December, the SEC filed a complaint against an employee of a major asset management firm for an alleged long-running front-running scheme to share confidential information ahead of the firm’s market-moving trades.[75]  The complaint also names a former employee of many financial industry firms, who allegedly received this confidential information and used it to make trades in advance of the firm’s transactions.  Once the price of the security moved as expected, the two individuals would allegedly close their position, gaining profits of over $47 million.  The alleged fraud was uncovered by SEC staff using the Consolidated Audit Trail (CAT) database.  The SEC’s action is pending in federal district court in Manhattan, and the U.S. Attorney’s Office for the Southern District of New York also announced criminal charges against the two individuals.

C.  Compliance Policy Update

In December, the SEC adopted amendments to Rule 10b5-1 under the Securities Exchange Act of 1934 and new disclosure requirements to enhance investor protections against insider trading.[76]  The changes include updated conditions that must be met to satisfy the 10b5-1 affirmative defense.  Specific additions include: cooling-off periods for persons other than issuers before trading can commence under a 10b5-1 plan, a condition that all persons entering into a Rule 10b5-1 plan must act in good faith with respect to that plan, and a requirement that directors and officers must include representations in their plans certifying that at the time of adoption they are not aware of any material nonpublic information about the issuer or its securities and that they are adopting the plan in good faith and not as part of a plan or scheme to evade the prohibitions of Rule 10b-5.  The amendments restrict the use of multiple overlapping trading plans and limit the ability to rely on the affirmative defense for a single-trade plan to one single-trade plan per 12-month period for all persons other than issuers.

More comprehensive disclosures about issuers’ insider trading policies and procedures are required, including quarterly disclosure regarding the use of Rule 10b5-1 plans and certain other securities trading arrangements.  The final rules require disclosure of issuers’ policies and practices around the timing of options grants and the release of material nonpublic information.

The rules require that issuers use a new table to report any awards beginning four business days before the filing of a periodic report or the filing or furnishing of a current report on Form 8-K that discloses material nonpublic information (with the exception of a Form 8-K that discloses a material new option award grant under Item 5.02(e)) and ending one business day after a triggering event.  Insiders reporting a transaction on Forms 4 or 5 will be required to indicate that it was intended to satisfy the affirmative defense conditions of Rule 10b5-1(c) and to disclose the date the trading plan was adopted.  Finally, bona fide gifts of securities that were previously permitted to be reported on Form 5 will now be reported on Form 4.

These final rules become effective 60 days following publication of the adopting release in the Federal Register.  Section 16 reporting persons will be required to comply with the amendments to Forms 4 and 5 for beneficial ownership reports filed on or after April 1, 2023.  Issuers will be required to comply with the new disclosure requirements in Exchange Act periodic reports on Forms 10-Q, 10-K, and 20-F and in any proxy or information statements in the first filing that covers the first full fiscal period that begins on or after April 1, 2023.  For smaller reporting companies, there is a 6-month deferral of compliance with the additional disclosure requirements.

VII.  Market Manipulation

In August, the SEC announced charges against 18 individuals and entities for an alleged international fraudulent scheme in which dozens of online retail brokerage accounts were hacked and improperly used to purchase microcap stocks to manipulate their price and trading volume.[77]  The SEC alleged that the unauthorized purchases enabled those charged to sell their holdings at artificially high prices, reaping over $1 million in illicit proceeds.

In September, the SEC announced charges against three individuals, including a father and son, for alleged fraudulent manipulative securities trading schemes.[78]  One of the schemes allegedly involved artificially inflating the share price of an entity operating a New Jersey deli with less than $40,000 in annual revenue from $1 per share in October 2019 to $14 per share by April 2021.  The SEC alleged that the individuals artificially inflated the share prices of two entities through manipulative trading and used the entities to acquire privately held companies in reverse mergers, intending later to dump their shares at grossly inflated prices.  However, numerous articles discussing the inflated stock prices were published before the defendants were able to realize the intended profits of the scheme.

In December, the SEC announced charges against eight social media influencers for their alleged involvement in a $100 million securities fraud scheme involving the use of Twitter and Discord to manipulate stocks.[79]  The SEC alleged that, since at least January 2020, seven of the defendants promoted themselves as successful traders and shared misinformation to encourage their substantial social media following to buy stocks that they had previously purchased. According to the SEC, they posted price targets or indicated that they were buying, holding, or adding to their stock positions but later sold their shares once prices and/or trading volumes rose without disclosing their plans to do so while initially promoting the securities.  The complaint further charges that the eighth defendant co-hosted a podcast in which he promoted many of the other defendants as expert traders, providing them with a forum for their manipulative statements.

VIII.  Offering Frauds

In August, the SEC charged a company and its owner in connection with a $1.2 million fraudulent promissory note scheme targeting older Americans.[80]  According to the SEC’s complaint, the individual allegedly induced investors, ranging in age from 64 to 82, to purchase promissory notes issued by his company by promising interest rates ranging from 50% to 175%.  The SEC also alleged that the individual gave investors conflicting explanations as to the nature of the company’s business and convinced them to roll over their notes into new notes combining unpaid amounts with new investments.  The SEC complaint seeks disgorgement of ill-gotten gains with prejudgment interest, civil penalties, and permanent injunctive relief.  The U.S. Attorney’s Office for the District of New Jersey also announced criminal charges against the individual.

In September, the SEC charged an individual for allegedly using a false persona as a Harvard-educated military veteran and hedge fund billionaire to defraud investors.[81]  According to the complaint, the individual used his false credentials to secure approximately $900,000 of investments in two different companies from more than 30 investors.  The complaint also alleged that the individual sold a couple $1.8 million of shares in a penny stock at a markup of 9,000% over the price he paid and used the couple’s $4 million brokerage account to trade, at a loss, securities of microcap companies in which he had an undisclosed financial interest.  The SEC also charged the individual and one of his associates with promoting the stock of several microcap companies on social media without disclosing their simultaneous stock sales as market prices rose.  The SEC seeks permanent injunctive relief, disgorgement with prejudgment interest, civil penalties, a penny stock bar against the individual and his associate, and an officer and director bar against the individual.  The U.S. Attorney’s Office for the Western District of Washington announced criminal charges against the individual.

Also in September, the SEC announced charges against six individuals and two companies for their involvement in a fraudulent scheme to promote the securities of issuers that were conducting or purporting to conduct offerings pursuant to Regulation A.[82]  According to the SEC’s complaint, one of the six individuals promoted the securities of four issuers without disclosing his receipt of compensation for the promotions.  The complaint also charges two associates of this individual with allegedly acting as middlemen for the promotional scheme, including by arranging to receive a percentage of investor funds raised by the issuers in exchange for arranging the promotion.  The SEC also alleged that two of the promoted issuers, their respective CEOs, and a co-founder of one of the issuers participated in the scheme and made material misrepresentations and omissions in their filings with the SEC and other investor materials.  The complaint also charges one of the issuers and its CEO with engaging in an offering that was unregistered and not covered by a valid registration exemption.  The SEC complaint seeks permanent injunctions from violations of the charged anti-fraud and anti-touting provisions, conduct-based injunctions, disgorgement, prejudgment interest, and civil monetary penalties.  The two issuers, their CEOs, and the co-founder agreed to settle the SEC’s enforcement action with permanent injunctions, a combined total of $2.5 million in monetary sanctions, and officer and director bars.  The SEC also instituted a separate, settled administrative proceeding against the CFO of one of the issuers, who agreed to pay a penalty of $25,000 and to be suspended from appearing or practicing before the SEC as an accountant, with the right to apply for reinstatement after three years.

In October, the SEC charged an investment firm and four of its former executives with allegedly running a Ponzi-like scheme that raised $600 million from approximately 2,000 investors.[83]  The SEC alleged that the executives raised funds by promising investors that their money would be used to buy and to develop real estate properties, which would generate profits through a fund set up by the firm to invest in the projects.  Instead, according to the complaint, investor money was allegedly used to pay distributions to other investors, to fund personal and luxury expenses, and to pay reputation management firms to thwart investors’ due diligence.  The SEC also alleged that the firm manipulated the real estate fund’s financial statements and the financial information in marketing materials distributed to investors.  The SEC complaint seeks injunctions against future violations of the antifraud provisions, disgorgement of ill-gotten gains, prejudgment interest, penalties, and officer and director bars against the four executives.

Also in October, the SEC announced that it had updated its Public Alert: Unregistered Soliciting Entities (PAUSE) list, a list of unregistered entities that use misleading information to solicit primarily non-U.S. investors.[84]  The SEC added 35 soliciting entities, four impersonators of genuine firms, and four bogus regulators to the list.

In November, the SEC announced a settled action against the founder of an investment firm based on alleged violations of the antifraud provisions of the federal securities laws.[85]  The individual allegedly targeted investors from the New York metropolitan area’s Muslim community with a fraudulent investment scheme.  According to the SEC’s complaint, the individual obtained more than $8 million from investors and promised to invest the funds in Quran-compliant investments.  Instead, the SEC alleges, the individual misappropriated the funds in an alleged Ponzi-like scheme.  The individual consented to the entry of a permanent injunction and monetary relief.  The U.S. Attorney’s Office for the Eastern District of New York announced the filing of criminal charges against the individual.

In December, the SEC charged a venture capital firm, its CEO, and its co-founder with fraudulently offering and selling more than $6 million of securities to at least 46 individual investors in multiple states, including California, Georgia, and New York.[86]  According to the SEC’s complaint, the firm and its CEO offered to sell investors shares of private companies that might hold an initial public offering without ever intending to buy any shares on behalf of the investors.  The SEC alleged that, instead of purchasing the shares, the CEO used investors’ funds for himself.  The SEC complaint seeks permanent injunctive relief, disgorgement with prejudgment interest, and civil penalties against both the CEO and the co-founder, and permanent injunctive relief and a civil penalty against the company.  Without admitting or denying the allegations, the co-founder agreed to a permanent injunction from future violations and to pay disgorgement, prejudgment interest, and a civil penalty.  The U.S. Attorney’s Office for the Middle District of Georgia announced the filing of related criminal charges.

IX.  Municipal Bond Offerings

In September, the SEC filed charges against one firm and announced settlements with three firms, alleging that each failed to comply with municipal bond offering disclosure requirements.[87]  According to the SEC, each firm purported to rely on the limited offering exemption to the typical disclosure requirements without satisfying all of the criteria for the exemption.  These actions represent the first-ever enforcement proceedings against underwriters for allegedly failing to meet the disclosure requirements of Rule 15c2-12 under the Securities Exchange Act of 1934.  Three firms settled the charges and, without admitting or denying the SEC’s findings, agreed to cease and desist from future violations and to pay over $1.25 million in combined disgorgement and penalties.  The fourth firm faces charges for the same violations in federal district court.

X.  Regulation FD

In December, the SEC announced a settlement of a previously filed action against a company and three executives related to the company’s allegedly selective disclosure of material nonpublic information to research analysts, in violation of Regulation FD and the securities laws.[88]  The SEC complaint alleged that the company learned that a steeper-than-expected decline in its first quarter smartphone sales would cause its revenue to fall short of analysts’ estimates for the quarter.  In response, three executives allegedly made one-on-one calls to analysts at 20 separate firms, disclosing the internal smartphone sales data.  The complaint alleged that the disclosed data was the type of information generally considered “material” by the company’s investors, meaning the company was prohibited from selectively disclosing it under Regulation FD.  The company and executives, without admitting or denying the allegations, consented to final judgments permanently enjoining them from violating, or aiding and abetting violations of, Regulation FD and the securities laws.  The company agreed to pay a $6.25 million penalty, and the three executives each agreed to pay $25,000.

XI.  Ratings Agencies

In November, the SEC settled a previously filed action against a credit rating agency for allegedly violating conflict of interest rules that prevent sales and marketing factors from influencing credit ratings.[89]  In July 2017, the credit rating agency was engaged by an issuer to rate a jumbo residential mortgage-backed security transaction.  The SEC alleged that the credit rating agency’s commercial employees—tasked with maintaining the relationship with the issuer—improperly attempted to influence the agency’s analytical employees—tasked with evaluating and assigning the rating—by attempting to persuade them to assign a rating consistent with the preliminary projection given to the issuer, even though that projection was based on a calculation error.  The SEC alleged that the content, urgency, and high volume of the communications from the commercial employees to the analytical employees amounted to participation in the ratings process by commercial employees who were influenced by sales and marketing factors.  The credit rating agency self-reported the conduct, cooperated with the ensuing investigation, and took remedial steps to enhance its policies and procedures.  Despite these steps, the credit rating agency agreed to a $2.5 million penalty, a cease-and-desist order, and certain compliance requirements, without admitting or denying the allegations.

_____________________________

[1]    See generally SEC Press Release, SEC Announces Enforcement Results for FY22 (Nov. 15, 2022), available at https://www.sec.gov/news/press-release/2022-206.

[2]    See Remarks at Securities Enforcement Forum by Gurbir S. Grewal, Nov. 15, 2022, available at https://www.sec.gov/news/speech/grewal-speech-securities-enforcement-forum-111522.

[3]    See SEC Press Release, SEC Charges 16 Wall Street Firms with Widespread Recordkeeping Failures (Sept. 27, 2022), available at https://www.sec.gov/news/press-release/2022-174; SEC Press Release, JPMorgan Admits to Widespread Recordkeeping Failures and Agrees to Pay $125 Million Penalty to Resolve SEC Charges (Dec. 17, 2021), available at https://www.sec.gov/news/press-release/2021-262.  

[4]    See SEC Press Release, Ernst & Young to Pay $100 Million Penalty for Employees Cheating on CPA Ethics Exams and Misleading Investigation (June 28, 2022), available at https://www.sec.gov/news/press-release/2022-114; SEC Press Release, available at https://www.sec.gov/news/press-release/2022-179; SEC Press Release, SEC Charges Allianz Global Investors and Three Former Senior Portfolio Managers with Multibillion Dollar Securities Fraud (May 17, 2022), available at https://www.sec.gov/news/press-release/2022-84. 

[5]    See Note 2, supra.

[6]    See SEC Press Release, SEC Charges Infrastructure Company Granite Construction and Former Executive with Financial Reporting Fraud (Aug 25, 2022), available at https://www.sec.gov/news/press-release/2022-150; SEC Press Release, SEC Charges New Jersey Software Company and Senior Employees with Accounting-Related Misconduct (June 7, 2022), available at https://www.sec.gov/news/press-release/2022-101; SEC Press Release, Synchronoss Technologies to Pay $12.5 Million to Settle Charges, Former CEO to Reimburse Company (June 7, 2022), available at https://www.sec.gov/news/press-release/2022-101.

[7]    See SEC Press Release, Remediation Helps Tech Company Avoid Penalties (Jan. 28, 2022), available at https://www.sec.gov/news/press-release/2022-14; SEC Press Release, SEC Charges Oilfield Services Company and Former CEO with Failing to Disclose Executive Perks and Stock Pledges (Nov. 22, 2021), available at https://www.sec.gov/news/press-release/2021-244.

[8]    See SEC Press Release, SEC Charges Health Care Co. and Two Former Employees for Accounting Improprieties (Feb. 22, 2022), available at https://www.sec.gov/news/press-release/2022-31.

[9]    See Note 1, supra.

[10]    SEC Press Release, Jaime Lizárraga Sworn In as SEC Commissioner (July 18, 2022), available at https://www.sec.gov/news/press-release/2022-123.

[11]    SEC Press Release, Keith E. Cassidy and Natasha Vij Greiner Appointed Deputy Directors of Division of Examinations (Nov. 7, 2022), available at https://www.sec.gov/news/press-release/2022-202.

[12]    SEC Press Release, Sarah ten Siethoff Named Deputy Director of the Division of Investment Management (Dec. 21, 2022), available at https://www.sec.gov/news/press-release/2022-233.

[13]    SEC Press Release, SEC Announces Departure of Dan Berkovitz; Megan Barbero Named General Counsel (Dec. 22, 2022), available at https://www.sec.gov/news/press-release/2022-235.

[14]    SEC Press Release, SEC Names Nicholas Grippo as Regional Director of Philadelphia Office (Aug. 15, 2022), available at https://www.sec.gov/news/press-release/2022-143.

[15]    SEC Press Release, SEC Names Monique Winkler as Regional Director of San Francisco Office (Aug. 15, 2022), available at https://www.sec.gov/news/press-release/2022-144.

[16]    SEC Press Release, SEC Names Jason J. Burt as Regional Director of the Denver Office (Oct. 24, 2022), available at https://www.sec.gov/news/press-release/2022-190.

[17]    SEC Press Release, Fort Worth Regional Director David L. Peavler to Leave SEC (Dec. 1, 2022), available at https://www.sec.gov/news/press-release/2022-212.

[18]    SEC Press Release, Antonia Apps Named Director of New York Regional Office (Dec. 27, 2022), available at https://www.sec.gov/news/press-release/2022-237.

[19]    See Note 1, supra.

[20]    Meeting Agenda, U.S. Securities and Exchange Commission Investor Advisory Committee (Sept. 21, 2022), available at https://www.sec.gov/spotlight/investor-advisory-committee/iac092122-agenda.htm.

[21]    The first half of the year brought at least two high-profile ESG enforcement actions—against a prominent investment advisor and an investment “robo-adviser” purporting to offer Shari’ah-compliant investment advice.  SEC Press Release, SEC Announces Enforcement Results for FY22 (Nov. 15, 2022), available at https://www.sec.gov/news/press-release/2022-206.  By contrast, the SEC brought only one comparable action in the second half of 2022.

[22]    SEC Press Release, SEC Charges Goldman Sachs Asset Management for Failing to Follow its Policies and Procedures Involving ESG Investments (Nov. 22, 2022), available at https://www.sec.gov/news/press-release/2022-209.

[23]    SEC Press Release, SEC Amends Whistleblower Rules to Incentivize Whistleblower Tips (Aug. 26, 2022), available at https://www.sec.gov/news/press-release/2022-151.

[24]    SEC Press Release, SEC Awards Whistleblowers More than $6 Million (July 15, 2022), available at https://www.sec.gov/news/press-release/2022-122.

[25]    SEC Press Release, SEC Issues More Than $17 Million Award to a Whistleblower (July 19, 2022), available at https://www.sec.gov/news/press-release/2022-125.

[26]    SEC Press Release, SEC Awards More Than $16 Million to Two Whistleblowers (Aug. 9, 2022), available at https://www.sec.gov/news/press-release/2022-139.

[27]    SEC Press Release, SEC Awards More than $10 Million to Whistleblower (Oct. 31, 2022), available at https://www.sec.gov/news/press-release/2022-196.

[28]    SEC Press Release, SEC Awards $20 Million to Whistleblower (Nov. 28, 2022), available at https://www.sec.gov/news/press-release/2022-211.

[29]    SEC Press Release, SEC Awards More Than $20 Million to Whistleblower (Dec. 12, 2022), available at https://www.sec.gov/news/press-release/2022-218.

[30]    SEC Press Release, SEC Awards More Than $37 Million to Whistleblower (Dec. 19, 2022), available at https://www.sec.gov/news/press-release/2022-231.

[31]    SEC Press Release, SEC Charges Surgical Implant Manufacturer Surgalign and Former Senior Executives with Accounting and Disclosure Fraud (Aug. 3, 2022), available at https://www.sec.gov/news/press-release/2022-137.

[32]    SEC Press Release, SEC Charges Infrastructure Company Granite Construction and Former Executive with Financial Reporting Fraud (Aug. 25, 2022), available at https://www.sec.gov/news/press-release/2022-150.

[33]    SEC Press Release, SEC Charges VMware with Misleading Investors by Obscuring Financial Performance (Sept. 12, 2022), available at https://www.sec.gov/news/press-release/2022-160.

[34]    SEC Press Release, SEC Charges Canadian Cannabis Company and Former Senior Executive with Accounting Fraud (Oct. 24, 2022), available at https://www.sec.gov/news/press-release/2022-191.

[35]    SEC Press Release, Equitable Financial To Pay $50 Million Penalty To Settle SEC Charges That It Provided Misleading Account Statements to Investors (July 18, 2022), available at https://www.sec.gov/news/press-release/2022-124.

[36]    SEC Press Release, SEC Charges Tampa-Based Health Insurance Distributor and its Former CEO with Making False Statements to Investors (July 20, 2022), available at https://www.sec.gov/news/press-release/2022-126.

[37]    SEC Press Release, SEC Charges Eagle Bancorp and Former CEO with Failing to Disclose Related Party Loans (Aug. 16, 2022), available at https://www.sec.gov/news/press-release/2022-146.

[38]    SEC Press Release, Boeing to Pay $200 Million to Settle SEC Charges that It Misled Investors About the 737 MAX (Sept. 22, 2022), available at https://www.sec.gov/news/press-release/2022-170.

[39]    SEC Press Release, SEC Charges Compass Minerals for Misleading Investors About Its Operations at World’s Largest Underground Salt Mine (Sept. 23, 2022), available at https://www.sec.gov/news/press-release/2022-171.

[40]    SEC Press Release, available at https://www.sec.gov/news/press-release/2022-179.

[41]    SEC Press Release, SEC Charges Danske Bank with Fraud for Misleading Investors About Its Anti-Money Laundering Compliance Failures in Estonia (Dec. 13, 2022), available at https://www.sec.gov/news/press-release/2022-220.

[42]    SEC Press Release, SEC Charges Former CEO of Biotech Company CytoDyn with Fraud, Insider Trading (Dec. 20, 2022), available at https://www.sec.gov/news/press-release/2022-232.

[43]    SEC Press Release, SEC Charges Audit Firm RSM and Three Senior-Level Employees with Failure to Properly Conduct Client Audits (Sept. 30, 2022), available at https://www.sec.gov/news/press-release/2022-180.

[44]    SEC Press Release, SEC Charges Angel Oak Capital Advisors with Misleading Investors in $90 Million Fix-and-Flip Securitization (Aug. 10, 2022), available at https://www.sec.gov/news/press-release/2022-140.

[45]    SEC Press Release, SEC Charges Advisory Firm and Executives with Devising an Elaborate Scheme to Defraud Clients out of More Than $75 Million (Aug. 30, 2022), available at https://www.sec.gov/news/press-release/2022-153.

[46]    SEC Press Release, SEC Charges Perceptive Advisors for Failing to Disclose SPAC-Related Conflicts of Interest (Sept. 6, 2022), available at https://www.sec.gov/news/press-release/2022-155.

[47]    SEC Press Release, SEC Charges Venture Capital Adviser Energy Innovation Capital Management for Overcharging Fees (Sept. 2, 2022), available at https://www.sec.gov/news/press-release/2022-154.

[48]    SEC Press Release, SEC Charges Two Advisory Firms for Custody Rule Violations, One for Form ADV Violations, and Six for Both (Sept. 9, 2022), available at https://www.sec.gov/news/press-release/2022-156.

[49]    SEC Press Release, SEC Proposes New Oversight Requirements for Certain Services Outsourced by Investment Advisers (Oct. 26, 2022), available at https://www.sec.gov/news/press-release/2022-194.

[50]    SEC Press Release, SEC Charges 16 Wall Street Firms with Widespread Recordkeeping Failures, available at https://www.sec.gov/news/press-release/2022-174.

[51]    SEC Press Release, SEC Charges Convertible Note Dealer and its Long Island-Based Owners for Failure to Register, available at https://www.sec.gov/news/press-release/2022-135.

[52]    SEC Press Release, SEC Charges Loop Capital Markets in First Action against Broker-Dealer for Violating Municipal Advisor Registration Rule, available at https://www.sec.gov/news/press-release/2022-163.

[53]    SEC Press Release, SEC Charges Unregistered Brokers That Facilitated More Than $1.2 Billion in Primarily Penny Stock Trades, available at https://www.sec.gov/news/press-release/2022-207.

[54]    SEC Press Release, SEC Charges JPMorgan, UBS, and TradeStation for Deficiencies Relating to the Prevention of Customer Identity Theft, available at https://www.sec.gov/news/press-release/2022-131.

[55]    SEC Press Release, Morgan Stanley Smith Barney to Pay $35 Million for Extensive Failures to Safeguard Personal Information of Millions of Customers, available at https://www.sec.gov/news/press-release/2022-168.

[56]    SEC Press Release, SEC Announces Enforcement Results for FY22 (Nov. 15, 2022), available at https://www.sec.gov/news/press-release/2022-206.

[57]    SEC Press Release, SEC Charges Samuel Bankman-Fried with Defrauding Investors in Crypto Asset Trading Platform FTX (Dec. 13, 2022), available at https://www.sec.gov/news/press-release/2022-219.

[58]    SEC Remarks, Chair Gensler: Crypto Markets Not Incompatible With Securities Laws (Sept. 8, 2022), available at https://www.sec.gov/page/chair-gensler-crypto-markets-not-incompatible-securities-laws.

[59]    SEC Press Release, SEC Division of Corporation Finance to Add Industry Offices Focused on Crypto Assets and Industrial Applications and Services (Sept. 9, 2022), available at https://www.sec.gov/news/press-release/2022-158.

[60]    SEC Press Release, Sparkster to Pay $35 Million to Harmed Investor Fund for Unregistered Crypto Asset Offering (Sept. 19, 2022), available at https://www.sec.gov/news/press-release/2022-167.

[61]    SEC Press Release, SEC Seeks to Stop the Registration of Misleading Crypto Asset Offerings (Nov. 18, 2022), available at https://www.sec.gov/news/press-release/2022-208.

[62]    SEC Press Release, SEC Charges Eleven Individuals in $300 Million Crypto Pyramid Scheme (Aug. 1, 2022), available at https://www.sec.gov/news/press-release/2022-134.

[63]    SEC Press Release, SEC Charges The Hydrogen Technology Corp. and Its Former CEO for Market Manipulation of Crypto Asset Securities (Sept. 28, 2022), available at https://www.sec.gov/news/press-release/2022-175.

[64]    SEC Press Release, SEC Charges Kim Kardashian for Unlawfully Touting Crypto Security (Oct. 3, 2022), available at https://www.sec.gov/news/press-release/2022-183.

[65]    SEC Press Release, SEC Charges Creator of Global Crypto Ponzi Scheme and Three US Promoters in Connection with $295 Million Fraud (Nov. 4, 2022), available at https://www.sec.gov/news/press-release/2022-201.

[66]    SEC Press Release, SEC Charges Samuel Bankman-Fried with Defrauding Investors in Crypto Asset Trading Platform FTX (Dec. 13, 2022), available at https://www.sec.gov/news/press-release/2022-219.

[67]    SEC Press Release, SEC Charges Caroline Ellison and Gary Wang with Defrauding Investors in Crypto Asset Trading Platform FTX (Dec. 21, 2022), available at https://www.sec.gov/news/press-release/2022-234.

[68]    SEC Press Release, SEC Charges Four Individuals in Crypto Pyramid Scheme that Targeted Spanish-Speaking Communities (Dec. 14, 2022), available at https://www.sec.gov/news/press-release/2022-227.

[69]    SEC Press Release, SEC Charges Former Coinbase Manager, Two Others in Crypto Asset Insider Trading Action (July 21, 2022), available at https://www.sec.gov/news/press-release/2022-127.

[70]    SEC Press Release, SEC Charges Former Indiana Congressman with Insider Trading (July 25, 2022), available at https://www.sec.gov/news/press-release/2022-128.

[71]    SEC Press Release, SEC Files Multiple Insider Trading Actions Originating from the Market Abuse Unit’s Analysis and Detection Center (July 25, 2022), available at https://www.sec.gov/news/press-release/2022-129.

[72]    SEC Press Release, SEC Charges Cheetah Mobile’s CEO and its Former President with Insider Trading (Sept. 21, 2022), available at https://www.sec.gov/news/press-release/2022-169.

[73]    SEC Press Release, SEC Charges Two Canadian Software Engineers with Insider Trading (Sept. 30, 2022), available at https://www.sec.gov/news/press-release/2022-181.

[74]    SEC Press Release, SEC Charges Pharmaceutical Co. Chief Information Officer in $8 Million Insider Trading Scheme (Nov. 10, 2022), available at https://www.sec.gov/news/press-release/2022-204.

[75]    SEC Press Release, SEC Charges Financial Services Professional and Associate in $47 Million Front-Running Scheme (Dec. 14, 2022), available at https://www.sec.gov/news/press-release/2022-228.

[76]    SEC Press Release, SEC Adopts Amendments to Modernize Rule 10b5-1 Insider Trading Plans and Related Disclosures (Dec. 14, 2022), available at https://www.sec.gov/news/press-release/2022-222.

[77]    SEC Press Release, SEC Charges 18 Defendants in International Scheme to Manipulate Stocks Using Hacked US Brokerage Accounts, available at https://www.sec.gov/news/press-release/2022-145.

[78]    SEC Press Release, SEC Charges Father-Son Duo and Associate in Market Manipulation Schemes Resulting in a New Jersey Deli with a $100 Million Valuation, available at https://www.sec.gov/news/press-release/2022-172.

[79]    SEC Press Release, SEC Charges Eight Social Media Influencers in $100 Million Stock Manipulation Scheme Promoted on Discord and Twitter, available at https://www.sec.gov/news/press-release/2022-221.

[80]    SEC Press Release, SEC Charges Barred Broker and His Company with Defrauding Older Americans, available at https://www.sec.gov/news/press-release/2022-147.

[81]    SEC Press Release, SEC Charges Man for Defrauding Investors out of Millions of Dollars by Posing as Hedge Fund Billionaire, available at https://www.sec.gov/news/press-release/2022-178.

[82]    SEC Press Release, SEC Charges Eight in Scheme to Fraudulently Promote Securities Offerings, available at https://www.sec.gov/news/press-release/2022-182.

[83]    SEC Press Release, New Jersey Real Estate Development Firm and Four Executives Charged With $600 Million Ponzi-like Fraud, available at https://www.sec.gov/news/press-release/2022-188.

[84]    SEC Press Release, SEC Updates List of Firms Using Inaccurate Information to Solicit Investors, available at https://www.sec.gov/news/press-release/2022-195.

[85]    SEC Press Release, SEC Charges Halal Capital Founder with Multimillion Dollar Fraudulent Scheme That Targeted Muslim Community, available at https://www.sec.gov/news/press-release/2022-200.

[86]    SEC Press Release, SEC Charges Vika Ventures and its CEO in $6 Million Fraudulent Offering, available at https://www.sec.gov/news/press-release/2022-217.

[87]    SEC Press Release, SEC Charges Four Underwriters in First Actions Enforcing Municipal Bond Disclosure Law (Sept. 13, 2022), available at https://www.sec.gov/news/press-release/2022-161.

[88]    SEC Press Release, AT&T Settles SEC Charge of Selectively Disclosing Material Information to Wall St. Analysts, available at https://www.sec.gov/news/press-release/2022-215.

[89]    SEC Press Release, SEC Charges S&P Global Ratings with Conflict of Interest Violations (Nov. 14, 2022), available at https://www.sec.gov/news/press-release/2022-205.


The following Gibson Dunn lawyers assisted in the preparation of this client update: Mark Schonfeld, Richard Grime, Barry Goldsmith, Tina Samanta, Lauren Cook Jackson, Timothy Zimmerman, Zoe Clark, Kate Googins, Jacob Marsh, Priya Datta, Ina Kosova, Elizabeth Walsh*, Eitan Arom, and David Reck.

Gibson Dunn is one of the nation’s leading law firms in representing companies and individuals who face enforcement investigations by the Securities and Exchange Commission, the Department of Justice, the Commodities Futures Trading Commission, the New York and other state attorneys general and regulators, the Public Company Accounting Oversight Board (PCAOB), the Financial Industry Regulatory Authority (FINRA), the New York Stock Exchange, and federal and state banking regulators.

Our Securities Enforcement Group offers broad and deep experience. Our partners include the former Director of the SEC’s New York Regional Office, the former head of FINRA’s Department of Enforcement, the former United States Attorneys for the Central and Eastern Districts of California and the District of Maryland, and former Assistant United States Attorneys from federal prosecutors’ offices in New York, Los Angeles, San Francisco and Washington, D.C., including the Securities and Commodities Fraud Task Force.

Securities enforcement investigations are often one aspect of a problem facing our clients. Our securities enforcement lawyers work closely with lawyers from our Securities Regulation and Corporate Governance Group to provide expertise regarding parallel corporate governance, securities regulation, and securities trading issues, our Securities Litigation Group, and our White Collar Defense Group.

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments. Please contact the Gibson Dunn lawyer with whom you usually work or any of the following:

Securities Enforcement Practice Group Leaders:
Richard W. Grime – Washington, D.C. (+1 202-955-8219, [email protected])
Mark K. Schonfeld – New York (+1 212-351-2433, [email protected])

Please also feel free to contact any of the following practice group members:

New York
Zainab N. Ahmad (+1 212-351-2609, [email protected])
Reed Brodsky (+1 212-351-5334, [email protected])
James J. Farrell (+1 212-351-5326, [email protected])
Barry R. Goldsmith (+1 212-351-2440, [email protected])
Mary Beth Maloney (+1 212-351-2315, [email protected])
Alexander H. Southwell (+1 212-351-3981, [email protected])
Tina Samanta (+1 212-351-2469, [email protected])

Washington, D.C.
Stephanie L. Brooker (+1 202-887-3502, [email protected])
Daniel P. Chung (+1 202-887-3729, [email protected])
M. Kendall Day (+1 202-955-8220, [email protected])
Jeffrey L. Steiner (+1 202-887-3632, [email protected])
Patrick F. Stokes (+1 202-955-8504, [email protected])
David C. Ware (+1 202-887-3652, [email protected])
F. Joseph Warin (+1 202-887-3609, [email protected])
Lauren Cook Jackson (+1 202-955-8293, [email protected])

San Francisco
Winston Y. Chan (+1 415-393-8362, [email protected])
Thad A. Davis (+1 415-393-8251, [email protected])
Charles J. Stevens (+1 415-393-8391, [email protected])
Michael Li-Ming Wong (+1 415-393-8234, [email protected])

Palo Alto
Michael D. Celio (+1 650-849-5326, [email protected])
Paul J. Collins (+1 650-849-5309, [email protected])
Benjamin B. Wagner (+1 650-849-5395, [email protected])

Denver
Robert C. Blume (+1 303-298-5758, [email protected])
Monica K. Loseman (+1 303-298-5784, [email protected])
Timothy M. Zimmerman (+1 303-298-5721, [email protected])

Los Angeles
Michael M. Farhang (+1 213-229-7005, [email protected])
Douglas M. Fuchs (+1 213-229-7605, [email protected])
Nicola T. Hanna (+1 213-229-7269, [email protected])
Debra Wong Yang (+1 213-229-7472, [email protected])

*Elizabeth Walsh is a recent law graduate working in the firm’s Denver office and not yet admitted to practice law.

© 2023 Gibson, Dunn & Crutcher LLP

Attorney Advertising:  The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice. Please note, prior results do not guarantee a similar outcome.

In an unprecedented year for UK regulated firms, the UK Financial Conduct Authority (“FCA”) has taken extensive action in advancing a number of regulatory initiatives. This client alert assesses the regulatory landscape through the perspective of four areas of increasing regulatory focus: (a) the UK’s future regulatory direction of travel; (b) fintech and cryptoassets; (c) environment, social and governance (“ESG”) developments; and (d) the proposed extension of the regulatory regime to non-financial services businesses.

A. UK future regulatory direction of travel

“A bold collection of reforms taking forward the government’s vision for an open, sustainable, and technologically advanced financial services sector that is globally competitive and acts in the interests of communities and citizens.”[1]

Jeremy Hunt, Chancellor of the Exchequer, 9 December 2022, written statement to Parliament

On 9 December 2022, the Chancellor of the Exchequer announced a set of major reforms to the UK’s financial services sector (dubbed the “Edinburgh Reforms”), which the government hopes will advance its vision for an open, sustainable and technologically advanced financial services sector.

The package contains 30 announcements, bringing together new and existing regulatory initiatives, and builds on the reform measures introduced through the Financial Services and Markets Bill (“FSMB”). We provide an overview of the reforms most relevant to our clients below.

I. Potential reform to the Senior Managers & Certification Regime

A review of the Senior Managers & Certification Regime will be conducted in Q1 2023, assessing where the regime could be reformed. This will entail a Call for Evidence collating feedback on the effectiveness, scope and proportionality of the regime as well as reviews by the FCA and PRA on the regulatory aspects of the framework.

II. Amendments to the prospectus and securitisation regimes

Several illustrative draft Statutory Instruments[2] have been published to demonstrate how the government can use the powers in the FSMB to reform the prospectus and securitisation regimes, which is intended to simplify the capital raising process for companies on UK markets and make the UK a more attractive destination for Initial Public Offerings.

III. Exploring the case for a UK central bank digital currency

A consultation will be published to explore the case for a central bank digital currency and to consult on a potential design. The Bank of England is also set to release a technology Working Paper setting out cutting-edge technology considerations informing the potential build of a digital pound.

IV. Establishing a financial market infrastructure sandbox

To ensure the financial services sector is prepared to embrace and facilitate the adoption of cutting-edge technologies, the government confirmed its intention to set up a Financial Market Infrastructure Sandbox in 2023, which will enable firms to test and adopt new technologies and innovations in providing the infrastructure services that underpin markets.

V. Regulating ESG rating providers

To deliver on its commitment to align the financial services sector with Net Zero and to support the sector to unlock the necessary private financing, a consultation on bringing ESG rating providers into the regulatory perimeter will be published in Q1 2023.

VI. Reforming the Short Selling Regulation

A Call for Evidence[3] on reforming the Short Selling Regulation has been launched, seeking views on the practice of short selling and whether and how the practice should best be regulated. The review intends to ensure that the UK’s approach to regulating the short selling of shares admitted to trading reflects the specificities of UK markets, continuing to facilitate the benefits of short selling, whilst also protecting market participants and supporting market integrity. Responses are requested by 5 March 2023.

VII. Repealing the regime for PRIIPs

A consultation[4] has been issued on the repeal of the regime for packaged retail and insurance-based investment products (“PRIIPs”) and an alternative retail disclosure framework. The government notes that current rules are unnecessarily prescriptive and can present information in unhelpful or misleading ways. Under the new regime, the FCA will determine the format and presentation requirements for disclosure. Responses are requested by 5 March 2023.

VIII. Re-assessing the role of the UK regulators

On 8 December, the government issued remit letters to the FCA[5] and PRA[6] which set targeted recommendations for how the regulators should have regard to supporting the government’s ambition to encourage economic growth in the interests of consumers and businesses as well as its objective to promote the international competitiveness of the UK. The remit letters align with the new secondary objectives of the regulators to promote growth and international competitiveness of the UK economy, which are being introduced through the FSMB.

IX. Removing certain reporting requirements under UK MiFID II / MiFIR

In addition to existing Wholesale Markets Review measures, Regulations[7] were laid before Parliament on 9 December that are intended to remove certain burdensome EU-derived reporting requirements. For example, the rules to be repealed include the MiFID II 10% depreciation reporting rule.

B. Fintech and cryptoassets

“One area of global focus is crypto, both opportunities and risks – a new product, easily accessible and able to operate cross-border, raising issues of consumer protection, market integrity, data privacy and financial crime and more.”[8]

Nikhil Rathi, FCA CEO, 14 July 2022, speech at Peterson Institute for International Economics

(1) Overview

Cryptoasset markets have faced a turbulent year. Regulators view the speed of growth of cryptoassets and their growing interconnectedness with “traditional” finance as potentially posing a systemic risk. In response, the FCA has noted that its approach to the regulation of cryptoassets aims to “balance innovation and competition alongside the need for orderly markets and consumer protection”.[9] Currently, the UK does not have a bespoke regulatory regime for cryptoassets. Some cryptoassets, such as security tokens, fall within the existing regulatory perimeter due to their specific characteristics, but most cryptoassets are currently unregulated. However, as discussed below, 2022 has seen some significant developments in this regard.

(2) Developments in 2022

Cryptoassets developments in the Financial Services and Markets Bill

The FSMB is a landmark piece of legislation for the whole UK financial services industry. Introduced into Parliament in July 2022, it is the first major piece of post-Brexit legislation through which the UK will build its future regulatory framework, including the regulatory framework for cryptoassets. Amongst a multitude of other reforms, the FSMB proposes to hand power to HM Treasury to create new digital asset regulatory regimes and to bring certain cryptoassets within the scope of, and modify, existing regulatory frameworks. The proposals reflect the aim to be proportionate and risk-based and, as such, the UK will start by regulating a few specific cryptoassets and service providers.

The FSMB proposes to extend the existing regulatory regime to cover “digital settlement assets” (“DSAs”), a new concept in UK law which encompasses stablecoins used as a means of payment; stablecoins and other cryptoassets used exclusively for investment purposes are therefore excluded from the new rules. Under the FSMB, HM Treasury is granted a sweeping range of powers to create a regulatory regime around digital settlement assets, including the power to issue “designated activity regulations”.

The FSMB also allows a payment system using digital settlement assets to be designated as a regulated payment system by HM Treasury, which will bring such a payment system under the remit of the Payment Systems Regulator (“PSR”). The PSR will then have powers to issue directions, influence system rules, conduct investigations and so on, with the primary aim of ensuring that the relevant digital settlement asset-based payment systems are subject to appropriate economic and competition regulation.

Law Commission consultation on legal status of cryptoassets

Towards the end of the year, the Law Commission consulted on proposals for reform of the law of property as it applies to cryptoassets.[10] While the consultation concluded that English law is largely flexible enough to accommodate cryptoassets, it does propose some limited reform. For example, the consultation recommended the recognition of a distinct third category of personal property, “data objects”, which would encompass cryptotokens, including NFTs.

Introduction of a cryptoasset firm change in control regime

Since January 2020, cryptoasset exchange providers and custodian wallet providers have been subject to registration requirements and supervision for anti-money laundering purposes. In August 2022, the FCA imposed a 25% change in control threshold on these firms, meaning that a new owner acquiring 25% or more of the shares or voting rights must be approved by the FCA as fit and proper in advance.[11]

Implementation of the “travel rule”

The UK is also implementing the travel rule in respect of payments made in cryptoassets in the UK. The travel rule, which requires information on the originator of the assets and their beneficiary to “travel” with the transaction, will have a de minimis threshold of €1,000. Cryptoasset service providers (i.e. exchange and wallet providers) are expected to have implemented their compliance solutions by 1 September 2023.

(3) What to expect in 2023

In line with the government’s intention to turn the UK into a “global hub for cryptoasset technology”,[12] 2023 will see further developments in the sphere of cryptoasset regulation. Most notably, we will watch the implementation of the FSMB and the outcome of the consultation on establishing a UK Central Bank Digital Currency. Additionally, the Financial Market Infrastructure Sandbox is due to be established in 2023. The government has also indicated that, in the near future, certain “qualifying cryptoassets” will be brought within the scope of the financial promotion restrictions. The definition of “qualifying cryptoassets” has not yet been confirmed, but it will likely include any cryptographically secured representation of value or contractual rights which is fungible and transferable.[13] On 1 February 2023, HM Treasury published a consultation on the future financial services regulatory regime for cryptoassets. A separate client alert will shortly be published on this consultation.

C. ESG developments

“As the world is looking to financial markets to enable the transition to a greener and more sustainable economy, international collaboration has never been more vital.  As a regulator, we have been mandated by the government to help firms transition to net zero and asked to take into account Government policy in relation to energy security.”[14]

Nikhil Rathi, FCA CEO, 26 April 2022, speech at City Week 2022

(1) Overview

In the last couple of years, sustainable investing and sustainable finance have come to the fore on the global stage, primarily as a result of the climate crisis and the resulting net zero commitments increasingly being given around the world. It reflects an acknowledgement of the real financial impacts of climate change and broader ESG related issues.

Globally, no financial regulator has within its core obligations the mandate to consider the environment or broader ESG issues. Regulators typically focus on: (i) investor protection; (ii) market integrity; and (iii) financial stability.  There is increasingly a realisation on a global basis that ESG risks can challenge each of these core regulatory objectives in different ways. Therefore, in 2022, the focus on ESG has become even more intense in the UK, and we are seeing regulatory initiatives designed to mitigate these risks.

In October 2021, the UK Government set out its Roadmap to Sustainable Investing, which introduced plans for a UK equivalent to the EU Sustainable Finance Disclosure Regulation (Regulation (EU) 2019/2088) (the “EU SFDR”). Following this, in November 2021, the FCA published a discussion paper setting out proposals for the Sustainability Disclosure Requirements and its sustainable investment labelling scheme, each laying the foundations for the key developments in 2022.

(2) Developments in 2022

Sustainability disclosure requirements and investment labels 

In October 2022, the FCA unveiled rules for sustainability disclosure requirements and investment labels (the “SDR Consultation”).[15] The proposed regime will establish certain sustainable investment labels, supplemented by consumer-facing disclosures and detailed entity- and product-level disclosures, as well as naming and marketing rules with broader applicability, a general anti-greenwashing rule and certain obligations on distributors. The core elements of the regime are directed principally at UK asset managers managing funds marketed to retail investors in the UK, albeit the regime will still be relevant to UK alternative investment fund managers (“AIFMs”). FCA-regulated asset owners (such as pension and insurance funds) are not covered by the proposals but the FCA expects to extend the regime to asset owners in due course.

The proposed anti-greenwashing rule will apply to all FCA-regulated firms and the proposed distribution rules to distributors, including investment platforms and financial advisers. Non-UK AIFMs that are marketing funds in the UK via the UK’s national private placement regime are not within scope of the new regime.

The FCA is proposing to introduce three sustainable investment labels (“sustainable focus”, “sustainable improvers” and “sustainable impact”) which distinguish between different types of sustainable product, according to the nature of the objective and the primary channel by which each can achieve or encourage positive sustainability outcomes.

The proposed disclosure requirements include consumer-facing disclosures, applying irrespective of whether a product makes use of a sustainable investment label, and detailed entity- and product-level disclosures.

The SDR Consultation aims, as far as possible, to achieve international coherence with other regimes, such as the EU SFDR and proposals by the Securities and Exchange Commission (“SEC”) in the United States. However, whilst the FCA considered the EU SFDR and SEC proposals in building the framework of the proposed regime, the starting point for the proposed regime is different – focusing on the labelling of sustainable investment products to clamp down on greenwashing, whereas the EU SFDR and SEC proposals focus on categorising products principally to determine disclosure requirements.

FCA TCFD–aligned disclosure rules

In January 2022, the FCA introduced rules for standard listed companies and large regulated asset owners and asset managers to disclose transition plans as part of its Task Force on Climate-Related Financial Disclosures (“TCFD”)-aligned disclosures, initially on a comply-or-explain basis. The first disclosures under these rules will be made in 2023.

(3) What to expect in 2023

The SDR Consultation closed on 25 January 2023, and the FCA expects to publish the final rules in a policy statement by 30 June 2023. The proposed rules will have a staggered implementation.

In 2023 we will also see the launch of a consultation on bringing ESG ratings providers into the regulatory perimeter.

D. Bringing non-financial services firms within the regulatory regime

“UK financial services firms are increasingly relying on third-party services to support their operations. But while these bring multiple benefits, this increasing reliance also poses systemic risks to the supervisory authorities’ objectives, including UK financial stability, market integrity and consumer protection.”[16] 

(1) Overview

Non-financial services firms are increasingly becoming a focus of regulators through their interaction with the financial sector. For example, according to the UK regulators, financial services firms have become increasingly reliant on a small number of cloud and other third-party providers outside the financial sector for the performance of essential services. Where the same technology is provided to multiple firms, its failure or disruption could be a source of systemic risk to the financial sector. The risk posed to financial stability by disruption at a small number of third-party service providers relied upon by firms has been on the political and regulatory agenda for some time[17] and is now being addressed.

Additionally, as part of building a post-Brexit regulatory framework in the UK, a designated activities regime will cover activities and market participants which do not fall within the regulatory perimeter of the Financial Services and Markets Act 2000.

Lastly, in the last year, Big Tech firms (large technology companies with established technology platforms) have become increasingly active in the financial services sphere as a result of their large user bases, ecosystems, high market shares and significant financial resources. As a result, increased regulatory interest has started to emerge in the way in which large digital companies operate in the UK.

(2) Developments in 2022

Regulating “critical third parties” to the financial services sector

In a landmark reform, certain services provided by “critical third parties” to financial sector participants will be directly overseen by UK regulators, according to the Financial Services and Markets Bill and a discussion paper published in July 2022.[18] The proposals will empower HM Treasury, in consultation with the regulators, to designate third-party service providers as “critical”. Factors that will be relevant to a designation include the materiality of the services provided, critical functions and certain important business services. The discussion paper sets out a framework for identifying potential critical third parties, suggesting that some cloud service providers will likely meet the designation requirements.

The regulators will be granted extensive new powers in relation to material services provided by a designated third party to financial services firms, including the power to impose duties in relation to the provision of material services and to direct a critical third party to take, or refrain from taking, specific action. The regulators will also be able to appoint investigators to investigate potential breaches of the relevant rules, enter the party’s premises under warrant, publicise failings and, if required, prohibit a critical third party from providing future services to financial services firms.

Notably, firms already subject to oversight, regulation or supervision will not be recommended for designation where their existing authorisation, supervisory or oversight arrangements allow the regulators to impose equivalent requirements on the resilience of any services they provide to other firms and financial market institutions. However, where such a firm meets the designation criteria and provides services to other firms that are not covered by that existing oversight or supervision, the proposed measures for critical third parties could apply to that firm in respect of those particular services. The proposed critical third party regime is likely to enter into force during 2024.

Introduction of the designated activities regime

The proposed Financial Services and Markets Bill creates a Designated Activities Regime, under which the FCA will be able to make rules relating to certain designated financial services activities. However, the FCA’s remit will not extend to the wider, unrelated activities of any person that carries out a designated activity, so FCA authorisation and the fulfilment of threshold conditions will not be required. The activities covered by the Designated Activities Regime will be those currently regulated by retained EU law but which are unregulated under the existing Financial Services and Markets Act 2000. Examples of designated activities include entering into derivative contracts, short selling, public offerings and using or contributing to a benchmark.

Big Tech firms’ entry into financial services

On 25 October 2022, the FCA published a discussion paper on the potential competition benefits and harms from Big Tech firms entering retail financial services.[19] The discussion paper does not propose any regulatory or policy changes. Instead, it focuses on the impact that Big Tech can have on payments, deposit taking, consumer credit and insurance, on the potential entry strategies for these firms into those markets and on the resulting competition implications, and it identifies five key themes:

  • There is a potential for Big Tech firms to enhance the overall value of their ecosystems with further entry and expansion in retail financial services sectors through innovative propositions. Big Tech entry is unlikely to differentiate between financial services markets as entry into one market will create opportunities for expansion into complementary markets, with Big Tech firms’ core and other activities playing a role.
  • In the short term, a partnership-based model is likely to continue to be the dominant entry strategy for Big Tech firms, but in the longer term they may seek to rely less on partnerships and compete more directly with existing firms.
  • Big Tech firms’ entry may not be sequential or predictable. While initial forms of entry may be hard to predict, once momentum builds, significant market changes might occur quickly.
  • In the short-term and possibly enduring longer, Big Tech firms’ entry in financial services could benefit many consumers. These benefits could arise from Big Tech firms’ own innovations as well as increasing other market participants’ incentives to innovate, improve quality and reduce prices through increased competition.
  • In the longer term, there is a risk that the competition benefits from Big Tech entry in financial services could be eroded if these firms can create and exploit entrenched market power, scale and size to harm healthy competition and worsen consumer outcomes.

(3) What to expect in 2023

Subject to the outcome of Parliamentary debates on the FSMB, and after having considered responses to the discussion paper which closed on 23 December 2022, the FCA and PRA plan to consult on their proposed requirements and expectations for critical third parties in mid to late 2023.

The FCA intends to publish formal policy documents for discussion and/or consultation on the Designated Activities Regime in 2023, in parallel to the parliamentary process to enact the FSMB.

The discussion paper on Big Tech in financial services closed on 15 January 2023, following which the FCA intends to publish a Feedback Statement in the first half of 2023.

_____________________________

[1]      https://questions-statements.parliament.uk/written-statements/detail/2022-12-09/hcws425

[2]      https://www.gov.uk/government/publications/building-a-smarter-financial-services-framework-for-the-uk   

[3]      https://www.gov.uk/government/consultations/short-selling-regulation-call-for-evidence

[4]      https://www.gov.uk/government/consultations/priips-and-uk-retail-disclosure

[5]      https://www.gov.uk/government/publications/recommendations-for-the-financial-conduct-authority-december-2022

[6]      https://www.gov.uk/government/publications/recommendations-for-the-prudential-regulation-committee-december-2022

[7]      https://www.legislation.gov.uk/uksi/2022/1297/pdfs/uksi_20221297_en.pdf

[8]      https://www.fca.org.uk/news/speeches/how-uk-will-regulate-future

[9]      https://www.fca.org.uk/publications/business-plans/2022-23

[10]    https://www.lawcom.gov.uk/project/digital-assets/

[11]    https://www.fca.org.uk/firms/financial-crime/cryptoassets-aml-ctf-regime

[12]    https://www.gov.uk/government/news/government-sets-out-plan-to-make-uk-a-global-cryptoasset-technology-hub

[13]   Click here.

[14]    https://www.fca.org.uk/news/speeches/critical-issues-financial-regulation-fca-perspective

[15]    https://www.fca.org.uk/publication/consultation/cp22-20.pdf

[16]    https://www.fca.org.uk/publications/discussion-papers/dp22-3-operational-resilience-critical-third-parties-uk-financial-sector

[17]    Click here and here.

[18]    Click here.

[19]    https://www.fca.org.uk/publication/discussion/dp22-5.pdf


Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments. If you wish to discuss any of the matters set out above, please contact the Gibson Dunn lawyer with whom you usually work, any member of Gibson Dunn’s Global Financial Regulatory team, or the following authors in London:

Michelle M. Kirschner (+44 (0) 20 7071 4212, [email protected])
Matthew Nunan (+44 (0) 20 7071 4201, [email protected])
Martin Coombes (+44 (0) 20 7071 4258, [email protected])
Chris Hickey (+44 (0) 20 7071 4265, [email protected])

© 2023 Gibson, Dunn & Crutcher LLP

Attorney Advertising:  The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice. Please note, prior results do not guarantee a similar outcome.

I. Introduction

In this tenth edition of Gibson Dunn’s US Cybersecurity and Data Privacy Outlook and Review, we provide an overview of some of the most significant developments in cybersecurity and data privacy in the United States in 2022 and look ahead to trends for 2023.

In addition to the privacy and cybersecurity challenges that were and continue to be wrought by the COVID-19 pandemic, 2022 was shaped by volatile geopolitics. Russia’s invasion of Ukraine ushered in a new era of cyberwarfare and exacerbated the already-precarious threat landscape. In addition, there was a spate of new privacy and cyber laws and regulations, due in large part to new technologies and increased attention to privacy protections and cyber hygiene. There was also a substantial uptick in regulatory scrutiny and enforcement, as well as civil and criminal litigation, which further amplified the focus on, and urgency of, privacy and cybersecurity issues. Although the full impact of these developments is yet to be realized, one thing is clear: the challenges and opportunities are extraordinary, far reaching, and unprecedented.

This Review places these and other 2022 developments in broader context. We proceed by addressing: (1) the regulation of privacy and data security, other legislative developments, enforcement actions by federal and state authorities, and new regulatory guidance; (2) trends in civil litigation around data privacy and security in areas including data breach, digital, telecommunications, and biometric information privacy laws; and (3) trends related to data innovations and governmental data collection. We refer to companies by generic descriptors in the body of the alert; for further details, please see the endnotes.

For information on developments outside the United States—which are relevant to domestic and international companies alike—please see Gibson Dunn’s International Cybersecurity and Data Privacy Outlook and Review.

___________________________

I. Introduction

II. Regulation of Privacy and Data Security

A. Legislation

1. State Legislation and Related Regulations

a. Comprehensive State Privacy Laws

i. California
ii. Virginia
iii. Colorado
iv. Connecticut
v. Utah
vi. Practical Implications of State Privacy Laws on AdTech Ecosystem

b. Other State Privacy Laws

i. California Age-Appropriate Design Code Act
ii. California’s Confidentiality of Medical Information Act
iii. New York Department of Financial Services’ Proposed Amendments to Part 500 Cybersecurity Rules and New Guidance Related to Cryptocurrencies

2. Federal Legislation

B. Enforcement and Guidance

1. Federal Trade Commission

a. FTC Organization Updates
b. Algorithmic Bias and Artificial Intelligence
c. Commercial Surveillance and Data Security

i. April 2022 Speech by FTC Chair Khan
ii. Rulemaking on Commercial Surveillance and Data Security

d. FTC’s Approach to Data Security
e. Notable FTC Enforcement Actions
f. Financial Privacy
g. Children’s and Teens’ Privacy
h. Dark Patterns

2. Consumer Financial Protection Bureau

a. Regulation of Nonbank Entities
b. Artificial Intelligence and Algorithmic Bias
c. Data Harvesting and Contribution
d. Personal Financial Data Rights Rulemaking
e. Data Security

3. Securities and Exchange Commission

a. Regulation
b. Enforcement

4. Department of Health and Human Services and HIPAA

a. Rulemaking on HIPAA Compliance and Data Breaches
b. Telehealth and Data Security Guidance
c. Reproductive and Sexual Health Data
d. HHS Enforcement Actions

5. Other Federal Agencies

a. Department of Homeland Security
b. Department of Justice
c. Department of Energy
d. Joint Agency Actions Regarding Banking Cybersecurity
e. Department of Commerce AI Initiative

6. State Agencies

a. National Association of Attorneys General
b. State AGs’ Reaction to Dobbs
c. State AG Letter on National Consumer Privacy Laws
d. Dark Patterns
e. Other State AG Actions
f. New York Department of Financial Services

III. Civil Litigation Regarding Privacy and Data Security

A. Data Breach Litigation

1. Standing Implications of TransUnion v. Ramirez
2. Potential Increase in Trials and Derivative Lawsuits
3. Major Settlements
4. Rise in State and Federal Legislation

B. Computer Fraud and Abuse Act Litigation

C. Telephone Consumer Protection Act Litigation

D. State Law Litigation

1. California Consumer Privacy Act Litigation

a. Potential Anchoring Effect of CCPA Statutory Damages
b. Requirements for Adequately Stating a CCPA Claim
c. Broadening the Scope of a “Data Breach”
d. CCPA Violations Under the UCL
e. CCPA as a Shield for Immunity to Substantive Claims Litigation
f. The CCPA in Discovery Disputes
g. Supplementing Time for the CCPA’s 30-Day Notice Requirement
h. Guidance on Reasonable Security Measures in Connection with the CCPA
i. Staying CCPA Litigation Due to Other, First-Filed Litigation Arising from the Same Data Breach

2. Illinois Biometric Information Privacy Act Litigation
3. Texas Biometric Privacy Law Litigation

E. Other Noteworthy Litigation

IV. Trends Related To Data Innovations and Governmental Data Collection

V. Conclusion

___________________________

 II. Regulation of Privacy and Data Security

Since 2018, five states have enacted comprehensive data privacy legislation. Two of these laws passed in 2021, and two—Utah and Connecticut—passed in 2022. An additional 27 state legislatures considered comprehensive consumer privacy bills this past year, but have yet to enact them. Another notable legislative development in 2022 was the significant progress towards passing a bipartisan federal privacy bill, the American Data Privacy and Protection Act (“ADPPA”). While the future of the ADPPA is uncertain, this bill has provided a useful framework that will likely pave the way for future attempts at enacting a federal privacy law. We detail these recent legislative initiatives below.

 A. Legislation

 1. State Legislation and Related Regulations

 a. Comprehensive State Privacy Laws

To date, five states – California, Colorado, Connecticut, Virginia, and Utah – have enacted comprehensive data privacy legislation. California was the first state to enact such legislation in 2018 with the California Consumer Privacy Act (“CCPA”), and before another state could enact legislation, enacted a second law in 2020, the California Privacy Rights Act (“CPRA”). California was followed by other states, as seen in the table below. These state privacy laws are generally similar, but there are notable differences that we discuss in this section.

Law                                             Enacted Date        Effective Date
California Consumer Privacy Act (CCPA)          June 28, 2018       January 1, 2020
California Privacy Rights Act (CPRA)            November 3, 2020    January 1, 2023
Virginia Consumer Data Protection Act (VCDPA)   March 2, 2021       January 1, 2023
Colorado Privacy Act (CPA)                      July 7, 2021        July 1, 2023
Connecticut Data Privacy Act (CTDPA)            May 10, 2022        July 1, 2023
Utah Consumer Privacy Act (UCPA)                March 24, 2022      December 31, 2023

Last year, an additional 27 state legislatures considered comprehensive consumer privacy bills, which largely align with Virginia’s, Colorado’s, and Connecticut’s laws (California and Utah have some unique features), and would have provided consumers with the right to access, correct, and delete their personal information, the right to data portability, the right to opt out of the sale of their personal information, as well as the use of their personal information for targeted advertising and profiling, and the right not to be discriminated against for exercising these rights. However, some of the proposed bills follow Utah’s more business-friendly approach (e.g., the Ohio Personal Privacy Act and Pennsylvania’s H.B. 1126), while others are more similar to the CPRA (which we discuss in more detail below). Still others go even further – for example, the New Jersey Disclosure and Accountability Transparency Act would prohibit the processing or collection of any personal information without affirmative consent from the consumer.[1]

For 2023, at least nine states have already introduced comprehensive privacy bills, generally consistent with prior legislative efforts. Oregon is a notable addition, with a bill resulting from a working group organized by the state Attorney General which includes a private right of action. Five states also currently have legislation to increase protections for children’s data, including some following the lead of California’s Age Appropriate Design Code Act. And at least seven states are considering bills addressing particular subsets of data, such as collection and use of biometric data or health data and third-party data brokers.

 i. California

The CCPA was signed into law by Governor Jerry Brown in June 2018, and took effect on January 1, 2020. On August 24, 2022, California Attorney General Rob Bonta announced the first settlement of a CCPA enforcement action, which included $1.2 million in monetary relief as well as equitable relief, as discussed in more detail in Section ‎II.B.6 below.

The CCPA has continued to evolve over the past year. The CPRA, which went into effect on January 1, 2023, represents the most significant change to date. Passed as a ballot initiative (Proposition 24) in November 2020, the CPRA amends and builds upon the CCPA. Accordingly, the CPRA includes several key changes to the CCPA, the most significant of which have been detailed in prior Gibson Dunn alerts.[2] 2022 saw companies scrambling to become compliant with the CPRA, even when the regulations were—once again—not finalized by the time the law took effect.

California Consumer Privacy Act (“CCPA”)

The CCPA applies to any for-profit organization that collects California consumers’ personal information, does business in California, and satisfies one of the following thresholds:

  • has annual gross revenues in excess of $25 million;
  • buys, receives for its commercial purposes, sells, or shares for commercial purposes the personal information of 50,000 or more California consumers, households, or devices, annually; or
  • derives 50 percent or more of its annual revenues from selling California consumers’ personal information.[3]

Notably, the CCPA is the only comprehensive state privacy law that applies to entities based on revenue alone (the first criterion above). Other states generally require that the business processes the data of a threshold number of state consumers in order for the law to apply, and those thresholds are generally higher (typically 100,000). The CCPA is also the only state law that applies solely because a business is deriving a certain percentage of its revenue from selling consumers’ personal information (the third criterion above). Other states’ laws generally apply only if the business processes a threshold number of state consumers’ data (typically 25,000) and derives revenue from selling personal information.

The CCPA grants privacy rights to California consumers, imposes duties on businesses that meet the thresholds described above, and is enforced through both administrative enforcement and a limited private right of action for consumers whose nonencrypted and nonredacted data was breached as a result of a business’s violation of these aforementioned duties. We discuss CCPA-related private litigation in more detail in Section ‎III.D.1 below. The CCPA has served as an example for other states when enacting comprehensive privacy legislation. Specifically, the CCPA grants consumers the following rights, which other states have consistently incorporated into their laws:

  • right to access personal information that a business has collected about them;[4]
  • right to data portability;[5]
  • right to delete personal information that a business has collected about them;[6]
  • right to opt out of the sale of their personal information;[7] and
  • right to not be discriminated against for exercising these rights.[8]

California Privacy Rights Act (“CPRA”)

As mentioned above, the CPRA amends and builds upon the CCPA. A change worth mentioning is the applicability thresholds, which align more closely with other states’ laws that followed. The CPRA increases the CCPA’s processing threshold from 50,000 to 100,000 consumers or households, eliminates the consideration of “devices” from this number, and removes information that the business receives for its commercial purposes, but does not buy, sell or share from the calculation.[9] This change will reduce the law’s applicability to smaller businesses. On the other hand, the CPRA expands the threshold for the percentage derived from selling personal information to also include revenue derived from “sharing” personal information.[10]

Businesses that meet the revised applicability thresholds should be aware that the CPRA imposes additional obligations on them, and they need to come into compliance now, if they have not already. The CPRA expands upon the CCPA by: granting consumers new rights (i.e., the right to limit the use of their sensitive personal information, the right to correct their personal information, the right to data minimization, and a broader right to opt out of the “sale” or “sharing” of personal information, which the CPRA defines as sharing for cross-context behavioral advertising, whether or not for monetary or other valuable consideration); and by imposing requirements and restrictions on businesses, including new storage limitation requirements, restrictions on automated decision-making, and audit requirements. The CPRA also sunsetted the CCPA’s exemptions for personal information obtained from employees and job applicants in the context of employment as well as certain personal information obtained in business-to-business (“B2B”) transactions. Furthermore, the CPRA provides consumers with rights relating to their personal information collected on or after January 1, 2022, despite its January 1, 2023 effective date.

The CPRA also establishes a new, first-of-its-kind, enforcement agency – the California Privacy Protection Agency (“CPPA”) – which is set to begin enforcement on July 1, 2023. Importantly, the CPRA makes the CCPA’s 30-day cure period discretionary, seemingly intending to allow the CPPA authority to find a violation absent any notice and cure period.[11] In making a decision to provide time to cure, the CPPA may consider whether the business intended to violate the CPRA and voluntary efforts taken to cure the alleged violation prior to being notified by the CPPA, making such efforts important absent strict compliance.[12] Although the CPPA is expected to have primary responsibility for enforcing the CPRA, the CPPA’s enforcement authority will be co-extensive with the California Attorney General, and consumers have a limited private right of action. The CPPA is tasked with handling administrative enforcement (i.e., bringing administrative proceedings),[13] while the Attorney General will continue to handle civil enforcement (i.e., bringing an action in civil court).[14] The CPPA may impose administrative fines and the Attorney General may impose civil penalties, in each case of up to $2,500 per violation or $7,500 per intentional violation or violation involving a minor’s protected personal information.[15]

The CPPA is also tasked with implementing the CPRA through regulations,[16] and rulemaking authority was officially transferred in April 2022.[17] Proposed regulations were initially released on July 8, 2022. For additional information about the proposed regulations, please see our previous client alert, which highlights what we believe to be some of the most interesting and potentially impactful draft regulations. Further modifications were released in response to public comments on November 3, 2022.[18] Comments on the proposed modifications were accepted until November 21, 2022, and the rulemaking process is ongoing. These modifications clarify that businesses must treat opt-out preference signals as a valid request to opt-out of the sale and sharing of personal information for “any consumer profile associated with that browser or device, including pseudonymous profiles,” in addition to the browser or device itself.[19] The revisions also clarify that if a business received an opt-out preference signal that conflicts with the consumer’s participation in the business’s financial incentive program and does not ask the consumer to affirm their intent with regard to the financial incentive program, the business must still process the opt-out preference signal as a valid request to opt-out of the sale and sharing of the consumer’s personal information.[20] The CPPA also further expounded the already lengthy section on dark patterns, adding a sentence indicating that “a business’s intent to design the user interface to subvert or impair user choice weighs heavily in favor of establishing a dark pattern.”[21]

The soonest we expect to receive finalized rules is April 2023. Notably, the most recent draft of the regulations explicitly allows the CPPA to take into account the delay in issuing regulations when deciding whether to pursue investigations of alleged violations of the CPRA.[22] Although the regulations are subject to change, they still provide helpful guidance for businesses that can be implemented now.

 ii. Virginia

The VCDPA,[23] which was signed into law in March 2021 and went into effect on January 1, 2023, enumerates a number of similar rights for Virginia consumers, as discussed in our prior client alert. Virginia was the second state to enact comprehensive privacy legislation, following California. However, the VCDPA differs from the CCPA/CPRA in several notable ways, and Colorado, Connecticut, and Utah have declined to follow some of the CCPA’s/CPRA’s provisions in favor of the VCDPA’s.

The VCDPA applies to all for-profit organizations that “conduct business in [Virginia] or produce products or services that are targeted to residents of [Virginia]” and either:

  • during a calendar year, control or process the data of at least 100,000 Virginia consumers; or
  • derive more than 50% of their gross revenue from the sale of personal data and control or process the data of at least 25,000 Virginia consumers.[24]

Unlike California’s laws, the VCDPA does not contain a revenue-only based threshold, and Colorado, Connecticut, and Utah have followed suit. Therefore, even large businesses will not be subject to such state laws unless they process the personal information of a certain number of residents. Also, the term “consumer” as defined in the VCDPA does not include any person “acting in a commercial or employment context”[25]—another departure from the CPRA (in light of the sunsetted exemptions) that Colorado, Connecticut, and Utah have followed. Thus, the applicability of the other laws is narrower.

That said, the VCDPA, like the CPRA, grants Virginia consumers the right to access, correct, and delete their personal data, the right to data portability, and the right to opt out of the sale of their personal data (but limits the definition of “sale” to the exchange of personal data for “monetary” (as opposed to “valuable”) consideration by the controller to a third party, and explicitly does not include transfers to affiliates and processors).[26] While the CPRA provides Californians with the right to opt out of the sharing of their personal information for the purpose of cross-context behavioral advertising, the VCDPA goes a step further and grants Virginians the right to opt out of any processing of their personal data for the purpose of targeted advertising.[27] The VCDPA also provides Virginians with the right to opt out of any processing of personal data for the purposes of profiling in furtherance of decisions that produce legal or similarly significant effects.[28]

Additionally, the VCDPA requires that controllers obtain consent before processing a consumer’s sensitive data, defined as including “[p]ersonal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status”; genetic or biometric data processed for the purpose of uniquely identifying a natural person; the personal data collected from a known child; and precise geolocation data (as defined by the VCDPA).[29] The definition of “sensitive data” under the VCDPA is narrower than the equivalent “sensitive personal information” under the CPRA.

The VCDPA also grants consumers the right to appeal a controller’s refusal of a consumer request through a novel “conspicuously available” appeal process to be established by the controller.[30] Within 60 days of receiving an appeal, a controller must inform the consumer in writing of its response to the appeal, including a written explanation of the reasons for the decision.[31] If a controller denies the appeal, it must also provide the consumer with an “online mechanism, if available, or other method” through which the consumer can submit a complaint to the Virginia Attorney General.[32] The VCDPA also contains GDPR-like requirements. Namely, the VCDPA requires controllers to conduct “data protection assessments” to evaluate the risks associated with processing activities that pose a heightened risk, such as processing personal data for purposes of targeted advertising or profiling, and the controller-processor relationship must be governed by a data processing agreement.[33]

In April 2022, Virginia Governor Glenn Youngkin signed into law three amendments to the VCDPA. One amendment provided that data controllers that have obtained personal data from a source other than the consumer will be deemed to be in compliance with a consumer’s request to delete if they opt the consumer out of the processing of such personal data, allowing businesses to avoid potentially technically infeasible requirements to delete data, so long as they no longer use it for any purpose.[34] Another changed the definition of “nonprofit organization” to include political organizations, thus exempting such entities from the VCDPA.[35] Because the VCDPA does not allow the Attorney General to promulgate regulations, these amendments finalized the VCDPA’s text ahead of its January 1, 2023 effective date, and the law is now in full effect.

Enforcement of the VCDPA is entrusted to the Virginia Attorney General and subject to a 30-day cure period.[36] The Attorney General may seek injunctive relief and damages for up to $7,500 for each violation, as well as “reasonable expenses incurred in investigating and preparing the case, including attorney fees.”[37] Notably, the VCDPA, unlike the CCPA/CPRA, does not grant consumers a private right of action.[38]

 iii. Colorado

As discussed in a prior client alert, the CPA was enacted on July 7, 2021 and will go into effect on July 1, 2023.[39] The CPA largely follows Virginia’s model. The CPA applies to any legal entity that “[c]onducts business in Colorado or produces or delivers commercial products or services that are intentionally targeted to residents of Colorado” and that:

  • during a calendar year, controls or processes the personal data of 100,000 or more Colorado consumers, or
  • both derives revenue or receives discounts from selling personal data and processes or controls the personal data of 25,000 or more Colorado consumers.[40]

Notably, like the VCDPA (and unlike the CPRA), the statute does not include a standalone revenue threshold for determining applicability. Also of note, the CPA applies to nonprofit organizations that meet these thresholds, whereas other states’ privacy laws exempt nonprofit organizations. Like the VCDPA and unlike the CPRA, the CPA does not apply to employee or B2B data.

The CPA will grant Colorado consumers the right to access, correct, and delete their personal data held by entities within the scope of the law, as well as the right to data portability.[41] Following Virginia’s model, it will also give Colorado consumers the right to opt out of the processing of their personal data for (a) targeted advertising, (b) sale of their personal data, and (c) certain profiling.[42] The CPA, like the CPRA, adopts a broad definition of “sale” of personal data to mean “the exchange of personal data for monetary or other valuable consideration by a controller to a third party.”[43] However, the CPA contains some broader exemptions from the definition of “sale” than the CPRA, including for the transfer of personal data to an affiliate or to a processor or when a consumer discloses personal data by using the controller to interact with a third party or makes personal data publicly available.[44] The CPA permits consumers to communicate this opt out through technological means, such as a browser or device setting.[45] By July 1, 2024, consumers must be allowed to opt out of the sale of their data or its use for targeted advertising through a “user-selected universal opt-out mechanism.”[46] Additionally, the CPA, like the VCDPA, requires businesses to obtain opt-in consent before processing consumers’ sensitive data,[47] which includes children’s data, genetic or biometric data, and data that could reveal race, ethnicity, religious beliefs, sexual orientation, sex life, mental or physical health conditions, or citizenship status.[48] Finally, the CPA follows Virginia’s lead in requiring controllers to establish an internal appeals process for consumers when the controller does not take action on their request.[49]

Like its California and Virginia counterparts, the CPA also obligates covered entities to practice data minimization and implement technical safeguards.[50] The CPA, like the VCDPA and CPRA, requires in-scope entities to conduct “data protection assessments” to evaluate the risks associated with certain processing activities that pose a heightened risk.[51] The CPA, like the VCDPA, also requires controllers and processors to contractually define their relationship.[52]

The CPA permits the Colorado Attorney General to promulgate rules for the purpose of carrying out the CPA. The Colorado Attorney General’s office initially published draft rules on September 30, 2022, and subsequently published revised draft rules on December 21, 2022 in response to public input gathered at several stakeholder meetings.[53] Significantly, the December revisions remove the requirement that privacy notices be centered around business purposes (rather than the categories of personal information collected), which would have conflicted with California’s notice requirements and made interoperability across states difficult. The draft rules require that controllers notify consumers of “substantive or material changes” to their privacy notices. The draft rules clarify that where the CPA requires consumer consent, controllers will need to obtain such consent before January 1, 2024 in order to continue processing data collected prior to July 1, 2023. The draft rules also add a new requirement that controllers must obtain consent in order to process “sensitive data inferences[,]” which are defined as “inferences made by a [c]ontroller based on [p]ersonal [d]ata, alone or in combination with other data, which indicate an individual’s racial or ethnic origin; religious beliefs; mental or physical health condition or diagnosis; sex life or sexual orientation; or citizenship or citizenship status”; provided, that controllers may process sensitive data inferences from consumers over the age of thirteen without consent if (1) the processing purposes are obvious, (2) such inferences are deleted within 24 hours, (3) such inferences are not transferred, sold, or shared with any processor, affiliates, or third parties, and (4) such inferences are not processed for any purpose other than the express purpose disclosed to the consumer.

Additionally, the draft rules clarify the CPA’s purpose specification and secondary use provisions, and include a requirement that controllers must obtain consent before processing personal data for purposes that are not “reasonably necessary to or compatible with specified [p]rocessing purpose(s).” The draft rules also require that controllers create and enforce retention schedules, including setting specific time limits for the erasure of personal data and annually reviewing and deleting data that is no longer necessary. Comments on the draft rules will be accepted until February 1, 2023, when the Colorado Attorney General’s office will hold a public rulemaking hearing (though, to be considered at the hearing, comments should have been submitted by January 18, 2023).

The CPA limits enforcement to the Colorado Attorney General and state district attorneys, subject to a 60-day cure period for any alleged violation until January 1, 2025 (in contrast to the 30-day cure period under the VCDPA and the CPRA’s discretionary cure period).[54] The Attorney General and district attorneys may enforce the CPA by seeking injunctive relief or civil penalties. A violation of the CPA constitutes a deceptive trade practice for purposes of the Colorado Consumer Protection Act, with violations punishable by civil penalties of up to $20,000 per violation (with a “violation” measured per consumer and per transaction).[55] The CPA’s maximum penalty per violation is notably higher than that of other states’ laws.

 iv. Connecticut

The CTDPA,[56] which was enacted on May 10, 2022, largely follows Virginia’s and Colorado’s model, with very few departures of significance. The details of the CTDPA are also discussed in a prior client alert. The CTDPA will take effect at the same time as the CPA, on July 1, 2023, six months after the CPRA and VCDPA, and six months before Utah’s law will take effect on December 31, 2023.

The CTDPA applies to persons that conduct business in Connecticut or produce products or services that are targeted to residents of the state, and that control or process the personal data of a particular number of residents during the preceding calendar year, namely either:

  • 100,000 or more Connecticut consumers, excluding consumers whose personal data is controlled or processed solely for the purpose of completing a payment transaction; or
  • 25,000 or more Connecticut consumers, where the business derives more than 25% of its gross revenue from the sale of personal data.[57]

Connecticut’s is the only state law to explicitly carve out payment transaction data from its applicability threshold; this provision was added to alleviate concerns of restaurants, small convenience stores, and similar businesses that process the personal information of many customers for the sole purpose of completing a transaction.

Like the VCDPA and CPA, and unlike the CPRA, the CTDPA defines “consumer” to exclude individuals “acting in a commercial or employment context.”[58]

Like its predecessors, the CTDPA will grant Connecticut consumers the right to access, correct, and delete their personal data, as well as the right to data portability.[59] The CTDPA allows consumers to opt out of the processing of their personal data for purposes of (a) targeted advertising, (b) the sale of personal data, and (c) profiling in furtherance of solely automated decisions that produce legal or similarly significant effects, following the Virginia and Colorado models.[60] And, the CTDPA defines “sale” broadly—similar to California’s CPRA and Colorado’s CPA—to include “the exchange of personal data for monetary or other valuable consideration.”[61] By January 1, 2025, data controllers must allow Connecticut consumers to exercise their opt-out right through an opt-out preference signal.[62] Unlike California, which expects its CPPA to opine on what an opt-out signal might be and how it might work, and Colorado, which expects its Attorney General to define the technical requirements of such a mechanism, Connecticut’s provision is largely undefined, encouraging the market to create signals, bringing with it the potential for confusion as to what signals must be followed.

The CTDPA, like Virginia’s and Colorado’s laws, also prohibits processing a consumer’s sensitive data without consent, and requires data controllers to provide a mechanism for revoking consent that is “at least as easy as” the mechanism by which the consumer provided consent.[63] It also requires data controllers to practice data minimization and purpose limitation, implement technical safeguards, conduct data protection assessments, and enter into contracts with their processors.[64] Finally, the CTDPA follows Virginia’s and Colorado’s lead in requiring controllers to establish a conspicuously available internal appeals process for consumers when the controller does not take action on their request.[65]

Notably, Connecticut does not include a private right of action in its law – the CTDPA limits enforcement to the Connecticut Attorney General.[66] Until December 31, 2024, enforcement actions will be subject to a 60-day cure period; thereafter, the Attorney General may, but is not required to, provide an opportunity to correct an alleged violation.[67] A violation of the CTDPA will constitute an unfair trade practice,[68] which carries civil penalties of up to $5,000 per violation for willful offenses.[69]

 v. Utah

Utah’s comprehensive privacy law, unlike the other states’ laws, only applies to companies that meet both a revenue threshold and a processing threshold. By contrast, California’s law applies to companies that meet either a revenue threshold or a processing threshold, whereas Virginia’s, Colorado’s, and Connecticut’s laws only contain processing thresholds. Like Virginia, Colorado, and Connecticut, Utah exempts employee and B2B data from the UCPA’s scope by defining “consumer” to exclude individuals acting in “an employment or commercial context.”[70]

While Utah’s law is similar to Virginia’s, Colorado’s and Connecticut’s laws, it has a few differences that may make the law easier for businesses to follow. The UCPA does not provide consumers the right to opt out of the use of their personal information for profiling. Moreover, out of the five states with enacted comprehensive privacy legislation, Utah is the only state that does not grant consumers a right to correct inaccuracies in their personal data. The UCPA also does not require in-scope businesses to perform data protection assessments or require businesses to set up a mechanism for consumers to appeal a business’s decision regarding the consumer’s request to exercise any of their personal data rights.

Utah’s law also makes it easier to charge a fee when responding to consumer requests. Specifically, businesses may charge a reasonable fee when responding to consumer requests to exercise their personal data rights in California only if those requests are “manifestly unfounded or excessive[,]”[71] in Virginia only if those requests are “manifestly unfounded, excessive, or repetitive[,]”[72] and in Colorado only if a second request is made in a 12-month period.[73] By contrast, Utah allows businesses to charge a reasonable fee in those situations as well as when the business “reasonably believes the primary purpose in submitting the request was something other than exercising a right” or is harassing, disruptive, or poses an undue burden on the controller.[74]

While Utah’s Division of Consumer Protection can investigate potential violations, Utah’s law limits enforcement to the Attorney General, subject to a 30-day cure period.[75] If the Attorney General does bring such an action, they may recover statutory damages of up to $7,500 per violation or actual damages.[76]  See Appendix A for a Comprehensive State Privacy Laws Comparison Chart.

 vi. Practical Implications of State Privacy Laws on AdTech Ecosystem

State privacy laws will have a particular impact for companies operating in the AdTech space. AdTech, or “advertising technology,” encompasses software and tools that agencies, brands, publishers, and platforms use to target, deliver, and measure the success of ad campaigns. In practice, the AdTech ecosystem typically involves businesses leveraging products from AdTech companies and publishers to serve targeted ads to consumers as part of digital marketing campaigns. The ability to target ads to particular consumers relies heavily on the use of personal information or inferences derived therefrom. Accordingly, as the foregoing state privacy laws go into effect this year, businesses engaged in the transfer or processing of personal data for targeted ads may need to reassess their practices and provide opt-out mechanisms to remain compliant with applicable privacy laws.

In particular, the CPRA requires businesses to offer consumers the ability to opt out of the “sharing”[77] of their personal information with third parties for “cross-context behavioral advertising” (which the CPRA defines as the targeting of ads to a consumer based on the consumer’s personal information obtained from services other than the business with which the consumer intentionally interacts).[78]

In addition, Virginia’s, Colorado’s, Connecticut’s, and Utah’s laws each require businesses to offer consumers the ability to opt out of the processing of their personal data for targeted ads.[79]

Despite the minor differences in verbiage, in practice, businesses can offer consumers the ability to opt out of the “sharing” of personal information for “cross-context behavioral advertising” in California, as well as the right to opt out of “targeted advertising” to consumers in Virginia, Colorado, Utah, and Connecticut, by using the same opt-out mechanism.

Notably, the privacy laws in California, Colorado, and Connecticut will also require companies to recognize and respect “universal opt-out signals”—signals that are sent to the business’ website by a consumer’s browser or control to communicate the individual has chosen to opt out of the sale, sharing, or use of their personal data for targeted advertising.[80] For any company engaging in targeted ads that is subject to these laws, it is important to ensure that the opt-out mechanism offered complies with the specific requirements in the applicable state privacy law. As discussed above, California expects its CPPA to opine on what an opt-out signal might be and how it might work and Colorado expects its Attorney General to define the technical requirements of such a mechanism. By contrast, Connecticut’s provision is largely undefined, encouraging the market to create signals, bringing with it the potential for confusion as to what signals must be followed. To assess whether these laws apply, businesses will need to conduct data mapping to understand data flows, data combinations, and who is processing what data, and for what purposes.

 b. Other State Privacy Laws

 i. California Age-Appropriate Design Code Act

The California Age-Appropriate Design Code Act (“CAADCA”),[81] which is aimed at protecting the wellbeing, data, and privacy of children under the age of eighteen using online platforms, was signed into law by Governor Gavin Newsom on September 15, 2022 and will take effect on July 1, 2024.

The CAADCA applies to businesses that provide any online service, product or feature “likely to be accessed by children” under the age of eighteen, and defines “likely to be accessed by children” to mean that it is reasonable to expect that the online service, product, or feature would be accessed by children under the age of eighteen, based on certain enumerated indicators.[82]

The CAADCA requires businesses within its scope to comply with certain requirements, including to configure default privacy settings to offer a high level of privacy[83] and to use “clear language suited to the age of children likely to access that online service, product, or feature” in their policies.[84] The CAADCA also prohibits such businesses from profiling children or collecting, selling, sharing, or retaining children’s personal information unless doing so is necessary to provide the online service, product, or feature or the business can demonstrate that doing so is in the best interest of children.[85] The CAADCA requires a purpose limitation and further prohibits using children’s personal information “in a way that the business knows, or has reason to know, is materially detrimental to the physical health, mental health, or well-being of a child.”[86] The CAADCA also prohibits using dark patterns to lead or encourage children to provide personal information, forego privacy protections, or take any action that the business knows (or has reason to know) is materially detrimental to the child’s physical or mental health or well-being.[87]

The CAADCA also requires that businesses within its scope complete a data protection impact assessment (“DPIA”) before any new online services, products, or features that are likely to be accessed by children are offered to the public, maintain documentation of the assessment for as long as the online service, product, or feature is likely to be accessed by children, and biennially review the assessment.[88] Additionally, the business must document any “risk of material detriment to children” identified by any such DPIA and create a timed plan to mitigate or eliminate such risks before the online service, product, or feature is accessed by children.[89]

Enforcement of the CAADCA is tasked to the California Attorney General, who may seek an injunction or civil penalty up to $2,500 per affected child for each negligent violation and $7,500 per affected child for each intentional violation, subject to a 90-day cure period if the business has conducted DPIAs in material compliance with the CAADCA’s requirements.[90] The CAADCA is explicit that it does not provide a private right of action.[91]

 ii. California’s Confidentiality of Medical Information Act

On September 28, 2022, Governor Newsom signed into law Assembly Bill No. 2089,[92] which amends California’s Confidentiality of Medical Information Act (“CMIA”). Specifically, AB 2089 clarifies that any business that offers a “mental health digital service” to a consumer “for the purpose of allowing the individual to manage the individual’s information, or for the diagnosis, treatment, or management of a medical condition of the individual” is considered a “provider of health care” and therefore subject to the CMIA.[93] AB 2089 defines “mental health digital service” as “a mobile-based application or internet website that collects mental health application information from a consumer, markets itself as facilitating mental health services to a consumer, and uses the information to facilitate mental health services to a consumer.”[94] AB 2089 also amended the definition of “medical information” to include “mental health application information[,]” which is defined as “information related to a consumer’s inferred or diagnosed mental health or substance use disorder . . . collected by a mental health digital service.”[95] Together, these changes expand the scope of the CMIA and strengthen protections for mental health information collected by a mental health digital service.

 iii. New York Department of Financial Services’ Proposed Amendments to Part 500 Cybersecurity Rules and New Guidance Related to Cryptocurrencies

The New York State Department of Financial Services (“DFS”) has also been active in the cybersecurity space, primarily through promulgation and enforcement of its Part 500 Cybersecurity Rules, which are becoming a floor that other agencies are looking to as a model regulation. As discussed in more depth in our recent client alert, DFS recently announced proposed amendments to these rules, which would increase cybersecurity oversight expectations for senior leaders, heighten technology requirements, expand the set of events covered under the mandatory 72-hour notification requirements, introduce a new 24-hour reporting requirement for ransom payments and a 30-day submission of defenses, introduce significant new requirements for business continuity and disaster recovery, and heighten annual certification and assessment requirements, among other changes.[96]

Separately, DFS also issued new guidance related to cryptocurrencies, requiring virtual currency entities to monitor crypto transactions and maintain information about their customers.[97]

 2. Federal Legislation

 a. American Data Privacy and Protection Act

While federal consumer privacy legislation has been a topic of conversation for decades, the ADPPA, introduced in 2022, marked the most successful attempt at enacting such a law. Although this bill ultimately met its end when Congress adjourned in January 2023, it provided meaningful insight and laid the groundwork for future federal data privacy laws. On June 3, 2022, leaders in the U.S. House and Senate released a discussion draft of the comprehensive federal data privacy and data security bill, the ADPPA. On June 21, 2022, the ADPPA was introduced in the House; on June 23, 2022, it passed the House Subcommittee on Consumer Protection and Commerce; and on July 20, 2022, the House Committee on Energy and Commerce voted 53-2 to advance the ADPPA to the full House.[98] Although former House Speaker Nancy Pelosi did not bring the bill to a vote on the House floor, the ADPPA advanced further than any prior bill attempting to enact comprehensive federal privacy legislation. The bill’s substantial progress can be attributed to the significant bipartisan support it received when first introduced, demonstrating the widespread interest in comprehensive federal privacy legislation.

The ADPPA defined “covered entity” to include “any entity or any person . . . that alone or jointly with others determines the purposes and means of collecting, processing, or transferring covered data and . . . is subject to the Federal Trade Commission Act” in addition to common carriers and nonprofit organizations.[99] With the exception of Colorado’s CPA, the ADPPA’s scope was notably broader than most enacted comprehensive state privacy laws, which exempt nonprofit organizations.

Hallmarks of the ADPPA included a “duty of loyalty,” requiring covered entities to: engage in “data minimization”; limit the collection, processing, and transferring of certain covered data to instances where there is a permissible purpose; and adopt “privacy by design” principles.[100] This was in stark contrast with the current consent-based privacy regime. Under the ADPPA, data minimization required covered entities to limit the collection, processing, or transfer of covered data to “what is reasonably necessary and proportionate” to the delineated purposes.[101] The ADPPA’s duty of loyalty required covered entities to obtain “affirmative express consent” from data subjects before collecting, processing, or transferring certain personal information.[102] Finally, “privacy by design” principles required that covered entities “establish, implement, and maintain reasonable policies, practices, and procedures regarding the collection, processing, and transfer of covered data” that account for certain considerations.[103] These requirements were similar to the CPRA’s data minimization and privacy by design requirements and were more prescriptive than the data minimization and privacy by design provisions outlined in the GDPR, the first regulation to implement these principles. While the GDPR offers general guidelines to ensure data minimization and privacy by design, the ADPPA outlined specific considerations covered entities should weigh along with requirements, particularly in the context of privacy by design.

The ADPPA also sought to regulate how covered entities design and employ “algorithms,” a term the ADPPA defined as including machine learning, artificial intelligence, and other computational processing techniques.[104] Specifically, the ADPPA stated that covered entities could not “collect, process, or transfer covered data in a manner that discriminates in or otherwise makes unavailable the equal enjoyment of goods or services on the basis of race, color, religion, national origin, sex, or disability.”[105] Furthermore, the ADPPA required “large data holders” that use algorithms to conduct “algorithm impact assessments” to evaluate how the algorithms employed by the entity use data and what outputs they produce.[106] These assessments were required to be submitted to the FTC for evaluation.[107]

Federal enforcement of the ADPPA was to be left largely to the FTC, which was to be granted rulemaking authority under the Administrative Procedure Act.[108] The bill called for the creation of a “Bureau of Privacy” within the FTC to help enforce the ADPPA, as well as an “Office of Business Mentorship” to provide covered entities with guidance and education on compliance.[109] Violations of the ADPPA were to be treated as “unfair or deceptive act[s] or practice[s]” under the FTC Act.[110] The ADPPA also granted state attorneys general and states’ chief consumer protection officers, or states’ consumer protection agencies with expertise in data protection, the ability to bring federal civil actions to enforce the ADPPA.[111] Although the ADPPA provided for a private right of action, that provision was only to have gone into effect four years after the law’s enactment.[112] This delayed private right of action was to include a requirement that potential plaintiffs notify either the FTC or their state attorney general prior to bringing suit, and those agencies would then have the discretion to intervene in such action within sixty days.[113] With entities concerned about the burden and cost of class action lawsuits, the private right of action was a sticking point for the ADPPA.

Preemption was one of the most contentious aspects of the bill and was largely responsible for the end of the ADPPA’s movement through the legislative process. The ADPPA explicitly preempted most state privacy legislation, including the five comprehensive privacy statutes in California, Virginia, Colorado, Utah, and Connecticut.[114] However, both the Illinois Biometric Information Privacy Act and the Illinois Genetic Information Privacy Act would have enjoyed express preservation under the ADPPA, ensuring that they would not have been preempted.[115] Stakeholders were concerned that the ADPPA’s preemption of state privacy laws would ultimately weaken protections for consumers.[116] Echoing the concerns of California lawmakers, consumers, and the California Privacy Protection Agency,[117] former Speaker Pelosi released a statement in September noting that the ADPPA “does not guarantee the same essential consumer protections as California’s existing privacy laws.”[118] This skepticism from former Speaker Pelosi and other lawmakers ultimately led to the waning of the ADPPA’s initial support. Senator Maria Cantwell (D-Wash.), Chair of the Senate Committee on Commerce, Science, and Transportation, citing concerns about the ADPPA’s enforcement loopholes and preemption, stated in June that she would not support the bill in its current form.[119] Senator Cantwell also expressed concerns with the four-year delay in the ADPPA’s private right of action, indicating that she would prefer a bill that allows consumers to file suit “on day one.”[120] Although it was ultimately not enacted, the ADPPA and its progress demonstrated the enormous support for a federal comprehensive privacy law in the United States and provide important context for future efforts to enact one.

 B. Enforcement and Guidance

In 2022, several different governmental regulators were active players in enforcement and regulatory efforts related to data privacy and cybersecurity, including efforts related to regulation of artificial intelligence, commercial surveillance, financial privacy, children’s and teens’ privacy, and dark patterns, among others.

 1. Federal Trade Commission

The Federal Trade Commission (“FTC”) was a particularly active player in the regulation and enforcement of data privacy and cybersecurity in 2022. The Commission took a number of significant steps toward addressing issues related to algorithmic bias and artificial intelligence, commercial surveillance, data security, consent interfaces and dark patterns, advertising technology, and children’s privacy, among others. In this section, we discuss actions the FTC took in furtherance of several of these key areas over the past year.

 a. FTC Organization Updates

There were notable updates in the FTC organization in 2022. First, ending the stalemate between two Democratic and two Republican Commissioners, on May 11, 2022, Vice President Kamala Harris broke the 50-50 Senate tie to confirm Alvaro Bedoya. The FTC is headed by five Commissioners each serving a seven-year term, and no more than three Commissioners can be of the same political party.

The addition of Commissioner Bedoya established the first Democratic majority at the FTC since Commissioner Rohit Chopra left the agency to lead the Consumer Financial Protection Bureau in October 2021, and is seen as a boost as Chair Lina Khan seeks to accomplish her ambitious agency agenda. Commissioner Bedoya hails from the Center on Privacy and Technology at the Georgetown University Law Center, where he served as the founding director and a professor. At Georgetown, Commissioner Bedoya specialized in digital privacy issues, including the intersection of privacy and civil rights, biometric software, “algorithmic discrimination,” children’s privacy, and data aggregation.

In October 2022, Commissioner Noah Phillips, nominated by President Trump in 2018, left the FTC to return to private practice, creating a vacancy on the five-member Commission. Commissioner Phillips, together with fellow Republican Commissioner Christine Wilson (who remains a Commissioner), had questioned the direction of the Commission on a variety of issues. President Joe Biden has yet to select Phillips’ successor, but is expected to defer to Senate Minority Leader Mitch McConnell to recommend a Republican candidate per tradition.

The FTC lost and added several key technology and data privacy personnel in the last year. Departures include Erie Meyer (Chief Technologist), Maneesha Mithal (Associate Director of Division of Privacy and Identity Protection), and Kristin Cohen (also formerly Associate Director of Division of Privacy and Identity Protection). Additions include Olivier Sylvain (Senior Advisor on Technology to the Chair) and Stephanie Nguyen (Chief Technology Officer and expert in human-computer interaction).[121]

 b. Algorithmic Bias and Artificial Intelligence

The FTC has long expressed concern about the use of artificial intelligence (“AI”) and algorithms, namely that companies rely on algorithms built on incomplete or biased data sets, resulting in allegedly discriminatory practices.[122] The FTC heightened its messaging on AI and algorithmic issues in 2021, when it published a blog post warning companies that if they did not hold themselves accountable for the performance of their algorithms, the FTC would do it for them.[123] The FTC asserted its enforcement authority under three laws important to algorithm and AI regulation. First, the FTC stated that it could take action against allegedly discriminatory algorithms under Section 5 of the Federal Trade Commission Act (“FTC Act”), which prohibits unfair or deceptive acts or practices in or affecting commerce.[124] Second, the FTC cited the Fair Credit Reporting Act (“FCRA”), which prohibits certain uses of algorithms to deny employment, insurance, and other benefits.[125] Finally, the FTC pointed to the Equal Credit Opportunity Act (“ECOA”), which bans algorithms that introduce credit discrimination based on race, color, religion, or other protected characteristics.[126]

Congress has also shown interest in the same issues, which culminated in its 2021 directive that the FTC “study and report on whether and how artificial intelligence (AI) ‘may be used to identify, remove, or take any other appropriate action necessary to address’ a wide variety of specified ‘online harms.’”[127] In its report, the FTC shared its concerns that algorithms and AI may be “inaccurate, biased, and discriminatory by design.”[128]

The report highlights three main concerns regarding the use of AI tools and how algorithms may cause more harm than they prevent.

  • First, the FTC stressed that algorithms and AI tools may have inherent design flaws and inaccuracies, specifically with “unrepresentative datasets, faulty classifications, failure to identify new phenomena, and lack of context and meaning.”[129]
  • Second, the FTC worried that AI tools are biased and will result in discriminatory outcomes. The FTC has warned that it will intervene if an algorithm results in an unfair practice, which the FTC argued includes discriminatory outcomes.[130]
  • Third, the FTC considered the relationship between algorithms and commercial surveillance.[131] The FTC stated that AI tools may incentivize and enable invasive forms of surveillance and data extraction practices.

On October 19, 2022, the FTC announced its first lawsuit in which alleged discrimination was brought as a stand-alone violation of Section 5 of the FTC Act. The action, in which the FTC asserted that an automotive group charged Black and Latino consumers higher fees and financing costs, could signal greater Section 5 enforcement against algorithmic discrimination in the future.[132] Notably, while the FTC has regulated AI tools and algorithms in the past, it has only done so in relation to data collection, and has yet to enforce against a company’s allegedly biased or discriminatory algorithms under Section 5 of the FTC Act.[133]

 c. Commercial Surveillance and Data Security

 i. April 2022 Speech by FTC Chair Khan

On April 11, 2022, Chair Lina Khan spoke at the International Association of Privacy Professionals (“IAPP”) Global Privacy Summit. During her speech, Chair Khan spoke of the increased integration of data technologies into consumers’ lives and the FTC’s concern about increased data privacy risks to consumers.[134] She made clear that the FTC plans to continue using Section 5 of the FTC Act and “other statutory authorities” to “take swift and bold action.”[135]

Chair Khan discussed three ways that the FTC plans to approach data practices:

  • First, Chair Khan stated that the FTC intends to focus on dominant firms and intermediaries that cause widespread harm. Chair Khan said that the FTC’s main focus will be on firms whose actions may facilitate unlawful conduct “on a massive scale.”[136]
  • Second, Chair Khan shared that the FTC plans to take an interdisciplinary approach and consider how data collection and commercial surveillance intersect. Chair Khan noted that the FTC will rely on lawyers, economists, and technologists and shared that the FTC already increased the number of data scientists, engineers, user design experts, and AI researchers on its staff.[137]
  • Third, Chair Khan stated that the FTC will implement “effective” remedies that “fully cure the underlying harm,” which may include depriving lawbreakers of the “fruits of their misconduct.”[138] She explained that remedies may include deleting ill-gotten data and destroying any derivative algorithms. This statement appears consistent with the FTC’s past practices of ordering companies that allegedly engaged in improper data collection to delete their datasets and algorithms.[139]

Chair Khan also suggested ways that the FTC may “update” its approach regarding data privacy and surveillance. During the speech, she shared that the FTC was considering rulemaking to address commercial surveillance due to indications that the current frameworks addressing unlawful surveillance conduct are outdated and insufficient.[140] Chair Khan explained that she did not believe data protection should be limited to procedural protections but should include more substantive limits. At the end of her speech, she called on Congress to enact more expansive privacy legislation.[141]

 ii. Rulemaking on Commercial Surveillance and Data Security

Indeed, a few months after Chair Khan’s IAPP speech, the FTC initiated an Advance Notice of Proposed Rulemaking (“ANPRM”) on commercial surveillance and data security.[142] The ANPRM signaled the FTC’s desire to address a broad range of potential consumer harms through data asymmetry between companies and consumers, and is the first in a series of steps by the FTC that, if completed, could lead to the adoption of the first sweeping nationwide privacy regulation.

The FTC sought public comment and responses to 95 separate questions on a variety of topics related to “consumer surveillance” and “lax data security practices.”[143] The FTC defined “commercial surveillance” as the “collection, aggregation, analysis, retention, transfer, or monetization of consumer data and the direct derivatives of that information,” and “data security” as “breach risk mitigation, data management and retention, data minimization, and breach notification and disclosure practices.”[144]

Notably, the ANPRM sought information regarding the prevalence of algorithmic error, discrimination based on protected categories facilitated by algorithmic decision-making systems, and how the FTC should address algorithmic discrimination through the use of proxies.[145]

The FTC hosted a virtual public forum on September 8, 2022 to solicit feedback regarding the ANPRM.[146] The FTC received over 11,000 comments before the public comment period closed on November 21, 2022. The FTC is reviewing comments and considering next steps.[147] The ANPRM will remain an important area to watch in 2023, particularly given the ADPPA’s stalled progress in advance of the 118th Congress.

 d. FTC’s Approach to Data Security

On December 14, 2022, the FTC held a virtual Open Meeting on cybersecurity. During the Open Meeting, the Deputy Chief Technologist of the FTC, Alex Gaynor, discussed several key takeaways from the FTC’s recent data security cases and other cyber best practices, and outlined four key modern security practices that the Commission considers best practices.

The Deputy Chief Technologist stated these best practices should be implemented across the board, which may suggest the agency is looking to impose these best practices as requirements, in conjunction with its commercial surveillance ANPRM. Deputy Chief Technologist Gaynor noted that the FTC’s recent orders have emphasized the use of “modern technologies to address costs” relating to data security. He identified four “modern security practices” that the FTC deems essential, as highlighted in FTC orders over the past year: multifactor authentication (“MFA”), a phishing-resistant form of MFA for employees, encryption and authentication of all connections within a company’s systems, and compliance with data retention schedules. Adding to Deputy Chief Technologist Gaynor’s presentation, Chair Khan and the Commissioners highlighted accountability and administrability, as well as data minimization, as key principles behind data security orders.

 e. Notable FTC Enforcement Actions

Chair Lina Khan’s statement that the FTC would consider new and “effective” remedies is consistent with FTC enforcement actions in 2022.[148] Proposed and final remedies in at least four FTC enforcement actions went beyond civil penalties and included mandated security programs and, in one case, data and algorithm disgorgement. The FTC also continued to increase its collaboration with the Department of Justice’s (“DOJ”) Consumer Protection Branch, which litigates actions involving civil penalties on behalf of the FTC and has thus become a more frequent partner for the agency as it increasingly seeks civil penalties from defendants. Discussed below are a few of the FTC’s most progressive and consequential enforcement measures of 2022.

  • Diet and Fitness Services Company. In March, the DOJ’s Consumer Protection Branch filed a complaint on behalf of the FTC against a fitness company and its subsidiary in which it alleged the companies violated the Children’s Online Privacy Protection Act (“COPPA”) by collecting the personal information of children as young as eight who used the subsidiary’s app to track their weight, physical activity, and food intake. The complaint alleged that the companies violated COPPA by collecting this information without providing notice to parents and retaining the information indefinitely, only deleting it when requested by a parent. The companies agreed to pay a $1.5 million civil penalty and to delete all illegally collected data, in addition to destroying any algorithm derived from the collected data.[149]
  • Large Social Media Platform. In March 2011, a social media company had entered into an administrative consent decree with the FTC for alleged failure to implement reasonable safeguards to prevent unauthorized access of users’ personal information. Based on allegations that the company violated the consent decree, the company entered into an amended settlement with the FTC and agreed to a stipulated court order with DOJ’s Consumer Protection Branch under which it agreed to pay a civil penalty of $150 million.[150] The complaint filed by the Consumer Protection Branch on behalf of the FTC alleges that the company violated the consent decree by collecting customers’ phone numbers for the stated purpose of multifactor authentication and security but exploiting them to target advertisements to users.[151] As part of the new settlement, the company is required to notify users about its improper use of users’ personal data and the FTC enforcement action, offer multifactor authentication options that do not require users to provide phone numbers, and implement enhanced privacy and information security programs.[152] The company is also required to obtain privacy and security assessments by an independent third party approved by the FTC, and to report privacy or security incidents to the FTC within 30 days.[153] This latest settlement comes at a moment when the company is under increased scrutiny from consumer advocates and Congress. On November 17, 2022, a group of U.S. Senators wrote a letter to Chair Khan, urging the agency to investigate the company’s recent changes to its verification system for potential violations of the consent decree.[154]
  • Online Retail Platform. On June 23, 2022, the FTC settled claims against an online retailing platform that it had lax security practices which allowed data thieves to access personal information about millions of users. As a result of the settlement, the company must (1) pay $500,000 in redress; (2) send notices to consumers about the data breach and settlement; (3) replace its current authentication methods with multifactor authentication methods; (4) implement and maintain an Information Security Program which includes third-party security assessments; and (5) provide a redacted version of its third-party security assessments to the public.[155]
  • Online Alcohol Marketplace. On October 24, 2022, the FTC issued a complaint and order regarding allegations that an online alcohol marketplace company and its CEO committed certain security failures which led to a data breach exposing certain customer information.[156] The FTC placed particular emphasis on the fact that the company and its CEO were aware of the security problems two years before the breach and failed to mitigate the issues.[157] The order requires the company to (1) destroy any unnecessary personal data it collected; (2) in the future, collect only data necessary to conduct its business; and (3) implement a comprehensive information security program including security training, controls on who can access personal data, and mandatory multifactor authentication.[158] Most notably, the order also applies to the CEO, requiring him to implement an information security program at any company he moves to which collects consumer information from more than 25,000 individuals.[159]
  • Mobile App Attribution and Analytics Company. On August 29, 2022, the FTC filed a complaint against a mobile app attribution and mobile app analytics company, after the company itself sought a preemptive declaratory judgment that its data collection practices did not violate Section 5 of the FTC Act.[160] The complaint alleged that the company collected and sold geolocation data that could reveal consumers’ visits to houses of worship, reproductive health facilities, and addiction recovery centers, among other sensitive information. The company allegedly gathered data from hundreds of millions of personal devices and sold data samples from tens of millions of these devices on publicly accessible online marketplaces.[161] In a press release, the FTC argued that the data, such as precise coordinates and a unique mobile device number, could be combined with other information, like a home address, to reveal a user’s identity.[162] The FTC is seeking a permanent injunction to block further collection and sale of the identifying data by the company.[163]
  • Education Technology Company. On October 31, 2022, the FTC issued a complaint and order regarding numerous security breaches that led to the misappropriation of personal information of approximately 40 million consumers.[164] The FTC alleged that the named education technology company failed to take reasonable cybersecurity measures to protect the data of its users. For example, the FTC alleged that the company failed to implement two-factor authentication and failed to implement adequate encryption of sensitive customer information.[165] As a result of the violations, the company will be required to revamp its cybersecurity program as well as detail and limit its data collection, provide consumer access to data, and implement multifactor authentication.[166]
  • Video Game Developer. On December 19, 2022, the FTC and DOJ’s Consumer Protection Branch reached the largest-ever settlement with a video game development company, under which the company agreed to pay $520 million for alleged violations of COPPA.[167] The settled complaint alleged that, despite being aware that many children played its battle royale combat game, the company proceeded to collect personal data from children without first obtaining parental consent.[168] The company also allegedly enabled default settings matching children and teens with strangers for game play, exposing them to harm.[169] Finally, the complaint also alleged the company used dark patterns to trick users into making purchases, charge account holders without their authorization, and block access to purchased content.[170] In addition to monetary penalties, the settlement requires the company “to adopt strong privacy default settings for children and teens, ensuring that voice and text communications are turned off by default.”[171]

 f. Financial Privacy

The FTC approved changes to the Safeguards Rule in October 2021, which included more specific criteria for the safeguards financial institutions must implement as part of their information security programs. Although many provisions of the Rule went into effect 30 days after the publication of the Rule in the Federal Register, certain sections of the Rule were set to go into effect on December 9, 2022. These sections include requirements that financial institutions:

  • designate a qualified individual to oversee their information security program;
  • develop a written risk assessment;
  • limit and monitor who can access sensitive customer information;
  • encrypt all sensitive information;
  • train security personnel;
  • develop an incident response plan;
  • periodically assess the security practices of service providers; and
  • implement multifactor authentication or another method with equivalent protection for any individual accessing customer information.

On November 15, 2022, however, the FTC issued a press release announcing a six-month extension of the deadline for financial institutions to comply with the new provisions in the Safeguards Rule that were to become effective in December 2022. The FTC granted the extension due to reports from businesses that personnel shortages and supply chain issues would delay the necessary improvements to security systems and procedures. The new deadline for complying with certain sections is June 9, 2023.[172]

 g. Children’s and Teens’ Privacy

During the pandemic, and as more children and families rely on technology, the FTC became increasingly focused on regulating children’s data privacy through COPPA. In the last decade, the FTC has amended and expanded COPPA in an attempt to regulate the collection of children’s information online.[173] COPPA imposes requirements on operators of websites or online services regarding the collection of personal information from children under the age of 13. In a December 2021 blog post, the FTC warned that COPPA is not limited to sites and apps “directed to children,” but may include companies that are not “consumer-facing.”[174] The FTC stated that it will apply COPPA to sites or online services that have “actual knowledge that [they are] collecting personal information from users of another Web site or online service directed to children.”[175] The deadline for comments on the COPPA rule elapsed on December 11, 2022, although the FTC’s review is still ongoing.[176] The FTC’s enforcement efforts through COPPA correspond with its larger goal of prioritizing investigations into violations impacting vulnerable communities.

As discussed above, in the first part of 2022, the FTC settled with a weight-watching company and its subsidiary in a COPPA enforcement (see discussion at Section II.B.1.e above). The FTC also released a policy statement on May 19, 2022 (the “May Statement”), speaking to COPPA compliance and the use of education technology (also known as “Ed Tech”).[177] In the May Statement, the FTC restated its intention to enforce “meaningful substantive limitations on operators’ ability to collect, use, and retain children’s data, and requirements to keep that data secure.”[178]

The May Statement set out four particular areas:

  • Mandatory Collection of Data:

The FTC stated it will pay particular attention to whether companies conditioned participation on a child disclosing more information than is reasonably necessary.[179]

  • Use Prohibitions:

The FTC warned COPPA-covered companies that they are strictly limited in how they can use personal information collected from children. The FTC cautioned that companies could only use the child’s personal information to provide the requested online education service and that the information could not be used for any unrelated commercial purpose.[180]

  • Retention Prohibitions:

The FTC reminded companies that they could not retain personal information for longer than was reasonably necessary to fulfill the purpose for which the information was collected.[181]

  • Security Requirements:

The FTC stated that COPPA requires companies to have procedures to maintain the confidentiality, security, and integrity of personal information from children.[182] The FTC further noted that it will take the position that a company is in violation of COPPA’s security provisions if the company fails to take reasonable security precautions, regardless of whether an actual breach occurs.[183]

In a separate post, the FTC suggested that companies provide a “non-neutral age gate” for their sites or apps, ensure that parents receive notice of the collection of their children’s data, and securely and diligently destroy data when it is no longer reasonably necessary to maintain.[184] The FTC is accepting comments on a petition filed by the Center for Digital Democracy, Fairplay and other groups, asking the agency to promulgate a rule banning particular “engagement-optimizing” features targeted at minors.[185] In an Advance Notice of Proposed Rulemaking published on August 22, 2022, the agency also asked whether commercial surveillance practices harm children and teenagers.[186]

 h. Dark Patterns

On September 15, 2022, the FTC, pursuant to a request by Congress, released a report (the “Report”) discussing sophisticated design practices known as “dark patterns,” which can trick or manipulate consumers into buying products or services or giving up their privacy.[187] More specifically, the Report warned that certain practices may obscure consumers’ data privacy choices and thus be considered dark patterns. The Report lists: (1) not allowing consumers to definitively reject data collection or use; (2) repeatedly prompting consumers to select settings they wish to avoid; (3) presenting confusing toggle settings leading consumers to make unintended privacy choices; (4) purposely obscuring consumers’ privacy choices and making them difficult to access; (5) highlighting a choice that results in more information collection, while greying out the option that enables consumers to limit such practices; or (6) including default settings that maximize data collection and sharing.[188]

The Report references a 2017 settlement as a “clear example.”[189] The FTC had alleged that the company, a smart TV manufacturer, enabled a default setting titled “Smart Inactivity,” which in effect enabled the company to collect and share consumers’ television viewing activity with third parties without making it clear that it was doing so.[190] The FTC alleged that by keeping the name of the default setting vague, the company effectively removed consumers’ ability to make an informed choice about their data sharing.[191]

The Report warns entities employing dark patterns that the FTC will continue to take action where these practices violate the FTC Act or other statutes and regulations enforced by the FTC (e.g., the Restore Online Shoppers’ Confidence Act, the Telemarketing Sales Rule, the Truth in Lending Act, the Controlling the Assault of Non-Solicited Pornography and Marketing Act, COPPA, and the Equal Credit Opportunity Act). Particularly against the backdrop of the FTC’s proposed rulemaking on commercial surveillance and data security, the Report signals that the FTC will continue to take action to ensure that the notice and choices presented to consumers regarding their data are clear, easily understandable, and accessible. As evidenced by its recent enforcement actions, dark pattern activity has been a focus area of FTC enforcement.[192]

 2. Consumer Financial Protection Bureau

It was a busy year for the Consumer Financial Protection Bureau (“CFPB”), with 2022 highlighting a significant expansion of the CFPB’s supervisory reach and underscoring its authority in data privacy, security, and consumer protection. As discussed below, in the first half of 2022, the CFPB signaled its intent to regulate both banking and nonbanking companies. The CFPB also continues to be interested in how AI is used in the financial services industry. In the latter half of 2022, the CFPB issued a long-awaited rulemaking on data access and portability, and reminded regulated entities about its increasing focus on potential misuse and abuse of personal financial data.

 a. Regulation of Nonbank Entities

In April 2022, the CFPB announced that it intends to invoke a largely unused legal provision of the Dodd-Frank Wall Street Reform and Consumer Protection Act of 2010 (“Dodd-Frank Act”) to supervise nonbank financial companies, such as fintech and digital assets firms, that purportedly pose risk to consumers.[193] As discussed in Gibson Dunn’s prior alert, the CFPB has generally used the Dodd-Frank Act to supervise only banks and credit unions.[194] However, the CFPB claimed in April that nonbank entities are subject to its supervision if the CFPB has “reasonable cause that the entity’s activities pose risks to consumers.”[195] The CFPB stated that reasonable cause can be based on complaints collected by the CFPB, whistleblower complaints, judicial opinions and administrative decisions, state and federal partners, or news reports. The CFPB warned nonbank companies to be prepared to respond to CFPB notices regarding unfair, deceptive, or abusive acts or practices, or practices that the CFPB believes violate federal consumer financial law.[196] In November 2022, the CFPB finalized changes to its nonbank supervision procedural rule.[197] The following month, the CFPB also proposed another rule, which would require nonbank entities to register with the agency if they are subject to any local, state or federal court order or regulatory enforcement order.[198]

 b. Artificial Intelligence and Algorithmic Bias

The CFPB made clear that it is paying particular attention to companies’ use of AI, specifically algorithms. The CFPB cautioned that using algorithms based on biased or incomplete datasets may target highly specific demographics and violate federal consumer financial protection laws. In a February 2022 press release, CFPB Director Rohit Chopra stated that “[i]t is tempting to think that machines crunching numbers can take bias out of the equation, but they can’t.”[199]

In 2023, the CFPB intends to regulate the use of algorithms and AI in the following ways:

  • Equal Credit Opportunity Act

The Equal Credit Opportunity Act (“ECOA”) prohibits discrimination in any aspect of a credit transaction. In a circular published on May 26, 2022, the CFPB asserted that the ECOA requires creditors that use complex algorithms in any part of the credit decision-making process to provide specific and accurate reasons for any adverse decisions, regardless of the level of complication or the opaqueness of the algorithms.[200] The CFPB defined an adverse action to include denying an application, terminating an existing credit account, making unfavorable changes to the terms of an existing account, and refusing to increase a credit limit.[201]

In the circular, the CFPB warned companies that they “are not absolved of their legal responsibility when they let a black-box model make lending decisions” and that “[t]here is no exception for violating the law because a creditor is using technology that has not been adequately designed, tested, or understood.”[202]

The FTC is also responsible for ECOA enforcement and education regarding most non-bank financial service providers. In its annual summary of its ECOA enforcement activities to the CFPB, the FTC highlighted its expertise enforcing laws important to developers and users of AI, including the ECOA.[203] The FTC noted its experience with respect to big data analytics and machine learning, AI, and predictive analytics, and referred to its recent guidance on AI and algorithms, cautioning businesses to hold themselves accountable and use AI truthfully, fairly, and equitably.[204]

  • Consumer Financial Protection Act

In a blog published on March 16, the CFPB stated its mandate to address and eliminate unfair practices that allegedly run afoul of the Consumer Financial Protection Act (“CFPA”).[205] The CFPA prohibits unfair, deceptive, and abusive acts or practices in connection with a consumer financial product or service. In its blog, the CFPB focused on machine learning models and their alleged potential for biased outcomes. The CFPB shared its plans to regulate models that allegedly cause discriminatory harm in the financial markets, and announced changes to its examination guidelines in its “broad efforts to identify and address unfair acts and practices[.]”[206] According to the CFPB, the new guidelines encourage examiners to review any policies and practices that exclude individuals from products or services in an unfairly discriminatory manner. The CFPB stated that the new guidelines would expand the CFPB’s authority to include allegedly unfair practices that are traditionally outside the scope of the ECOA.[207]

On August 10, the CFPB took action against a fintech company that used a faulty algorithm that wrongfully depleted checking accounts, leading to overdraft penalties for customers. The CFPB found that the company violated the CFPA by engaging in deceptive acts or practices, required the company to pay redress to its harmed customers, and fined the company $2.7 million for its actions.[208]

  • Housing Valuations

In a February 2022 article, the CFPB raised concerns regarding the use of computer models and AI to determine home valuations.[209] According to the CFPB, a home valuation is one of the most important steps in the mortgage process and inaccurate valuations put consumers at risk. The CFPB is “particularly concerned that without proper safeguards, flawed versions of [automated valuation models] could digitally redline certain neighborhoods . . . and perpetuate historical lending, wealth, and home value disparities.”[210] The CFPB shared that it intends to work with its federal partners to require random sample testing and model review to ensure a high level of confidence in estimates produced by automated valuation models and algorithms.

 c. Data Harvesting and Contribution

In 2022, the CFPB continued to express concerns about how companies collect, use, and share data with third parties, such as data brokers, and across product lines. The CFPB focused on a few areas where data harvesting is of particular concern:

  • Algorithmic Bias

In a May press release, the CFPB raised concerns about the amount of data harvesting conducted on Americans.[211] The CFPB stated that the high quantity of data harvested gives firms the ability to know detailed information about customers before they ever interact with them. The CFPB reflected that firms use detailed datasets developed from data harvesting to run algorithms for a broad range of commercial uses.[212] Like the FTC, the CFPB worried that algorithms based on incomplete or biased datasets would harm consumers. The CFPB stated its intent to closely examine companies’ automated decision-making models for potentially discriminatory outcomes, as well as the data inputs used to train and develop the models.[213]

At a National Association of Attorneys General Capital Forum in December 2022, FTC Chair Khan and CFPB Director Chopra served as panelists and addressed state AGs on a number of pressing priorities, including privacy. Both panelists continued to express concerns about collection and use of data, including algorithms and automated decision-making.[214]

  • Behavioral Targeting

With the growth of online commerce and electronic payment services, Director Chopra identified a particular interest of the CFPB in Big Tech companies and how they allegedly “exploit their payment platforms.”[215] Director Chopra said that tech companies that seek to profit from behavioral targeting, such as targeted advertising and marketing, benefit from data related to consumer purchasing behavior. While the CFPB has studied Chinese tech giants in the past, in the last months of 2021, the CFPB included domestic tech companies in its investigations and requested data harvesting information from several large U.S. companies.[216]

On August 10, the CFPB also issued an interpretive rule reminding digital marketing providers for financial firms that they must comply with federal consumer financial protection law.[217] The CFPB emphasized that digital marketers acting as service providers can be held liable under the CFPA for committing unfair, deceptive, or abusive acts or practices as well as other consumer financial protection violations.[218]

  • Credit Cards and “Buy Now, Pay Later” Loans

The CFPB’s concerns relate not only to data harvesting but also to data contribution and suppression. In a May 2022 blog post, the CFPB explained that companies that fail to share complete and accurate data with credit reporting companies may impact consumers’ ability to access credit at the most competitive rates.[219] The CFPB shared its concern that credit card companies are unfairly impacting consumers’ credit scores by suppressing actual monthly payment amount information. The CFPB stated that it sent letters to major U.S. banks requesting information about their data sharing practices.[220]

In September 2022, the CFPB also published a report with insights on the growth of the Buy Now, Pay Later (“BNPL”) industry, whereby BNPL lenders offer to divide a total purchase into several equal payments, with the first due at checkout.[221] The report highlighted several areas of risk of consumer harm, including data harvesting and monetization. Specifically, the report noted the shift toward proprietary app usage, allowing BNPL lenders to harvest and monetize consumer data by building digital profiles of users’ shopping preferences and behavior.[222] Director Chopra stated that the CFPB “will be working to ensure that borrowers have similar protections, regardless of whether they use a credit card or a [BNPL] loan.”[223]

 d. Personal Financial Data Rights Rulemaking

On October 27, 2022, the CFPB announced that it is in the process of writing a regulation to implement Section 1033 of the Dodd-Frank Act, which authorizes the CFPB to prescribe rules under which consumers may access information about themselves from their financial service providers.[224] Section 1033 requires the CFPB to balance a number of different priorities — including data privacy, consumer choice, and information security — in accordance with the process established by Congress in the Small Business Regulatory Enforcement Fairness Act (“SBREFA”). The CFPB released an outline that provides proposals and alternatives under consideration for the proposed data rights rulemaking.[225]

According to Director Chopra, the rulemaking “has the potential to jumpstart competition, giving Americans new options for financial products”[226] and “explor[es] safeguards to prevent excessive control or monopolization by one, or even a handful of, firms.”[227] The CFPB plans to publish a report on input received through the SBREFA process in the first quarter of 2023, issue the proposed rule later in 2023, and finalize and implement the rule in 2024.[228] The CFPB’s approach to consumer data here is novel, and once adopted, the rule will significantly impact banks and fintech companies in the consumer financial data sharing industry.

 e. Data Security

In the second half of 2022, the CFPB reminded companies that it is a data security regulator. In August, the CFPB confirmed in a circular that financial companies may violate federal consumer financial protection law when they fail to safeguard consumer data.[229] The published circular provided examples where the failure to implement certain data security measures might increase the risk that a firm’s conduct triggers liability under the CFPA.[230] These measures include multi-factor authentication, adequate password management, and timely software updates. More recently, the CFPB published a new bulletin analyzing the rise in crypto-asset complaints.[231] The bulletin identified several common risk themes, including hacks by malicious actors.

 3. Securities and Exchange Commission

In 2022, the Securities and Exchange Commission (“SEC”) emphasized the importance of transparency in cybersecurity risks and incidents. This goal of increased transparency was evident in the SEC’s proposed rules in February and March, which would impose stricter cybersecurity disclosure and reporting requirements. Subsequently, the SEC announced that it would double the size of its Crypto Assets and Cyber Unit, which was followed by several enforcement actions by this unit. The increase in enforcement resources, in combination with the likely promulgation of final cybersecurity rules, signals that this will likely be an area of heightened enforcement activity for the SEC in 2023.

 a. Regulation

  • February 2022 Proposed Rules for Registered Investment Advisers, Registered Investment Companies, and Business Development Companies

On February 9, 2022, the SEC proposed cybersecurity rules for registered investment advisers, registered investment companies, and business development companies.[232] The key requirements of the proposed rules are policies and procedures, reporting, disclosures, and recordkeeping.

The rules would require advisers and funds to implement new “policies and procedures reasonably designed to address cybersecurity risks.”[233] The SEC specifies that these policies and procedures should cover risk assessments, user security and access, protection of information, threat and vulnerability management, and incident response and recovery.[234] Advisers and funds would be required to review their policies and procedures at least annually and to provide the SEC with a written report of the review.[235]

The new rules would also mandate reporting “significant cybersecurity incidents” to the SEC, including those on behalf of a fund or private fund client, and to disclose cybersecurity risks and incidents to clients and prospective clients.[236] This information about cybersecurity incidents and risks should also factor into risk disclosures in fund registration statements under the proposed rule.[237]

Finally, the proposed rules impose new recordkeeping requirements for records related to cybersecurity risk management, cyber incidents, and policies and procedures.[238]

Commissioner Peirce released a dissenting statement.[239] She explained that although she is in favor of establishing a cybersecurity reporting system, she would advocate for a public-private partnership system rather than the traditional regulation-examination-enforcement regime.

In the SEC’s rulemaking agenda, which was recently published by the Office of Information and Regulatory Affairs,[240] the agency indicated that it will take final action on the proposed rule in April of 2023.[241]

  • March 2022 Proposed Rules for Public Companies

On March 9, 2022, as reported in detail in Gibson Dunn’s prior client alert, the SEC proposed new cybersecurity disclosure rules for public companies. These rules would require (i) current reporting of material cybersecurity incidents and (ii) periodic reporting of material updates to cybersecurity incidents, risk management, strategy, governance, and expertise.[242]

Reporting Material Cybersecurity Incidents

The proposed rules would require disclosure of any “material cybersecurity incident” within four business days of the determination that the company has experienced a “material cybersecurity incident.”[243] The SEC will not permit reporting delays, even in the case of an ongoing investigation.[244] The required disclosure includes: (1) when the incident was discovered and whether it is ongoing; (2) a description of the nature and scope of the incident; (3) whether data was accessed, altered, stolen, or used for any unauthorized purpose; (4) the incident’s effect on operations; and (5) whether the company has remediated or is remediating.[245]

Periodic Reporting Requirements

The proposed rules would also require periodic reporting of material updates to cybersecurity incidents, as well as the company’s cybersecurity risk management, strategy, governance, and expertise.

  • Material Updates to Cybersecurity Incidents: Companies would be required to disclose any material changes to information required to be disclosed pursuant to proposed Item 1.05 of Form 8-K in the company’s Form 10-Q or Form 10-K for the covered period in which the material change occurred.[246] Item 106(d) would also require companies to disclose when previously undisclosed individually immaterial cybersecurity incidents became material in the aggregate.[247]
  • Risk Management and Strategy: Companies would be required to disclose their policies and procedures, as relevant to identifying and managing cybersecurity risks and threats.
  • Governance: The proposed Item 106(c) of Regulation S-K would require companies to disclose the role of the board of directors and management in cybersecurity governance.
  • Board of Directors’ Cybersecurity Expertise: Under proposed Item 407(j) of Regulation S-K, companies would be required to annually disclose any cybersecurity expertise of their directors.
  • Foreign Private Issuers: Comparable changes would require similar disclosures on an annual basis on Form 20-F.[248]

Commissioner Peirce again dissented. She generally objected to her colleagues’ approach as going beyond the SEC’s limited role by effectively setting forth expectations for what cybersecurity programs should look like.[249] She also voiced a specific objection to the lack of a cyber incident reporting delay, in particular, in cases where there is cooperation with law enforcement.

The agency plans to take final action on this proposed rule in April 2023.[250]

  • Anticipated 2023 Rules

In addition to likely finalizing the cyber rules from February and March 2022, we anticipate that additional data privacy and security rules are forthcoming.

In a January 2022 speech, SEC Chair Gary Gensler suggested that “customer and client data privacy and personal information” is the “next arena.”[251] He noted that “there may be opportunities to modernize and expand” Regulation S-P, which was adopted more than two decades ago and requires companies to implement policies and procedures for the protection of customer records and information.[252] He mentioned that he had asked SEC staff for recommendations on certain related issues, and thus, a data privacy-oriented rule may be issued in 2023.

Gensler revisited the possibility of new rules related to modernizing Regulation S-P in his remarks to the Financial and Banking Information Infrastructure Committee and the Financial Services Sector Coordination Council in April. He noted that new rules would likely “require breach notifications when a customer’s information is accessed without authorization.”[253] In these remarks, Gensler also stated that the agency is considering additional cybersecurity rules. First, Gensler mentioned the possibility of issuing rules similar to the February 2022 proposed rules, but for broker-dealers. Second, he discussed updating Regulation Systems Compliance and Integrity (“SCI”) to cover a broader range of entities and strengthening it to “shore up the cyber hygiene” of covered entities.[254] Finally, Gensler indicated that the SEC was considering how it can further address cybersecurity risks that come from service providers in the financial sector.

The SEC’s rulemaking agenda signals that at least some of Gensler’s plans may take shape in the form of proposed rules as early as April 2023. The agency previewed that it is considering proposing rules “to address registrant cybersecurity risk and related disclosures, amendments to Regulation S-P and Regulation SCI, and other enhancements related to the cybersecurity and resiliency of certain Commission registrants.”[255]

 b. Enforcement

In addition to the proposed rules, the SEC signaled its intent to regulate companies through enforcement by nearly doubling the size of its Crypto Assets and Cyber Unit (formerly known as the Cyber Unit).[256] This expansion will better equip the SEC to police wrongdoing in crypto markets and to identify cybersecurity disclosure and control issues.[257]

Since this announcement, the unit has been highly active in investigating and charging crypto-related issues.[258] The SEC has taken on some of the bigger industry players in the last year. In February, the SEC fined a crypto lending company $100 million based on registration failures.[259] Later, in October, the SEC settled charges against Kim Kardashian for $1.26 million after she publicly endorsed tokens without disclosing the $250,000 she received in exchange for the promotion.[260] The SEC wrapped up 2022 with much-publicized charges against the former CEO and co-founder of a major cryptocurrency exchange and hedge fund for violations of the anti-fraud provisions of the Securities Act of 1933 and the Securities Exchange Act of 1934.[261] These charges were brought in parallel with the U.S. Attorney’s Office for the Southern District of New York and the Commodity Futures Trading Commission and were quickly followed by charges against two other former leaders at the companies, who are cooperating with the investigation.[262]

Much of the SEC’s crypto agenda going forward will hinge on the outcome in the SEC’s lawsuit against another cryptocurrency company for allegedly selling unregistered securities. The SEC and that cryptocurrency company submitted the final reply briefs for summary judgment in December 2022, which will potentially answer the question of whether one of the company’s tokens is a security.[263] As of the time of this report, no court date had been set for oral argument on the motions or for trial.

In addition to the numerous crypto enforcement actions, the SEC has announced a few actions related to data privacy and security. In late July, the SEC charged certain financial institutions with violations of the SEC’s Identity Theft Red Flags Rule, or Regulation S-ID, based on deficiencies in their identity theft prevention programs.[264] They agreed to pay penalties of $1.2 million, $925,000, and $425,000, respectively, and to cease and desist from future violations of Regulation S-ID.[265] Shortly thereafter, in August, the SEC announced that it had filed charges against three individuals who allegedly tipped and traded information about a credit reporting agency’s 2017 data breach in advance of the public announcement of the breach.[266] Then, in September, the SEC announced charges against and a settlement with a different financial institution. The SEC alleged that the institution failed to protect the personal identifying information of 15 million consumers over a five-year period; without admitting or denying these allegations, the institution consented to the SEC’s order finding that it violated certain rules under Regulation S-P and agreed to pay a $35 million fine.[267] Once the final cybersecurity rules are implemented, likely in 2023, we expect to see additional enforcement in this area.

 4. Department of Health and Human Services and HIPAA

 a. Rulemaking on HIPAA Compliance and Data Breaches

The Department of Health and Human Services (“HHS”) embarked on rulemaking in November 2022 to relax administrative hurdles around patient substance abuse records, as required by the Coronavirus Aid, Relief, and Economic Security Act (“CARES” Act).[268] The proposal would harmonize regulations related to patient substance abuse records that differ from the privacy and data-breach requirements of the Health Insurance Portability and Accountability Act (“HIPAA”) and its related regulations.[269] Most notably, the notice explains that the proposed rule would (1) make it easier for providers to share substance abuse records with other providers by requiring only single patient consent, and (2) give HHS enforcement authority over violations of the substance-abuse regulations.[270] HHS Secretary Xavier Becerra explained that the rule would both improve care coordination among providers and strengthen privacy protections so patients can seek treatment without worrying that their substance abuse records will be improperly disclosed.[271]

Separately, HHS’s Office of Civil Rights (“OCR”) is considering whether to conduct new cybersecurity rulemaking, as it published a request for information (“RFI”) in April 2022 under the Health Information Technology for Economic and Clinical Health Act of 2009 (“HITECH” Act).[272] OCR asked for feedback on whether it should consider recognized cybersecurity measures when assessing fines and other remedies for data breaches, as well as whether it should consider distributing any penalties it receives to the individuals whose protected health information (“PHI”) was compromised.[273] The RFI comes as data breaches involving unsecured PHI are on the rise, according to a U.S. Government Accountability Office (“GAO”) report.[274] Now that the comment period has closed, OCR is weighing whether to issue future guidance or rulemaking on this issue.[275]

 b. Telehealth and Data Security Guidance

Three years into the coronavirus pandemic, HHS has yet to signal that it is preparing to transition to a post-pandemic world. Due to the pandemic, rules on telehealth services were relaxed to provide more flexibility amidst the declared “Public Health Emergency” (“PHE”).[276]

However, HHS has continued to extend the emergency status, which keeps in place its pandemic-era enforcement discretion surrounding telehealth that would expire alongside the PHE.[277] At the time of publishing this Review, the Biden Administration has continued to extend the PHE but has signaled it may want to end it in the spring.[278] Meanwhile, HHS has explained that some telehealth practices can continue even after the eventual end of the PHE, publishing guidance in June 2022 to clarify how covered entities may continue to provide telehealth services.[279] HHS noted that the HIPAA Privacy Rule does not apply to audio-only telehealth over a standard landline, but there are compliance considerations when data is transmitted electronically, such as through voice over internet protocol (“VoIP”) or on smartphone applications.[280]

The increasing use of technology for remote access of health-related information continues to be an administration priority. For example, in June 2022, the White House convened government officials to discuss cybersecurity threats in the health-care space.[281] And in guidance issued in December 2022, OCR reminded covered entities and their vendors that HIPAA rules related to privacy and disclosure apply to technologies used to track a user’s interactions with an app or website if the data collected includes protected health information.[282]

 c. Reproductive and Sexual Health Data

Another recent focus of HHS has been educating the public and addressing concerns with state law enforcement access to health-care data, particularly as it relates to sexual and reproductive health. Following Texas Governor Greg Abbott’s order for Texas officials to open child abuse investigations concerning transgender children receiving gender-affirming care,[283] HHS responded, including with guidance that clarified that HIPAA prohibits the disclosure of gender-affirming care in most situations, among other recommendations.[284] But a federal district court in Texas later vacated that guidance—although it did not mention HIPAA—because it found that government officials “appear to misstate the law and do not detail what went into their decision-making.”[285]

Following the Supreme Court’s June 2022 ruling in Dobbs v. Jackson Women’s Health Org., which reversed Roe v. Wade (1973) and ended federal protection for abortion access,[286] HHS also issued guidance clarifying the protections regarding reproductive-health data and educating the public on the limits of those protections, such as the limitations on disclosing PHI to law enforcement.[287]

More actions may be forthcoming as OCR Director Melanie Fontes Rainer[288] said in the wake of the ruling that “all options are on the table” as OCR considers additional ways to respond to Dobbs.[289]

 d. HHS Enforcement Actions

OCR has continued to enforce the HIPAA Privacy Rule through actions targeting medical-records access, PHI security, and data breaches.

These efforts include OCR’s continued push to bring cases under its HIPAA Right of Access Initiative to encourage compliance with the HIPAA Privacy Rule’s provision giving individuals the right to access their health records. For example, OCR announced in July 2022 that it had resolved eleven investigations involving such access,[290] and another three in September 2022, bringing the total number of cases under the initiative to 41.[291] These enforcement actions resulted in settlements that ranged from $3,500 to $240,000 and were brought against entities varying in size from local one-office practices to a regional health-care provider operating 17 different hospitals.[292]

OCR has also settled several cases involving improper disclosure and disposal of PHI. In August 2022, a dermatology practice agreed to pay more than $300,000 for putting empty specimen containers that had labels with patient information in the garbage bin in the practice’s parking lot, an alleged violation of the HIPAA Privacy Rule’s requirements to safeguard the privacy of patient information.[293] In March 2022, OCR also settled with a dental practice that used patients’ names and addresses in campaign literature for the dentist’s Alabama state senate campaign.[294] OCR also settled with several dental practices throughout the year that disclosed PHI in response to online reviews of their dental practices.[295]

Further, in July 2022, OCR announced a settlement with a state university’s health sciences department following a data breach in which a hacker gained access to a university web server containing electronic PHI of 279,865 individuals. The university agreed to pay $875,000 for not implementing proper security measures, conducting an appropriate investigation, or timely notifying HHS of the breach.[296]

OCR intends these enforcement actions to serve as cautionary tales for others. OCR Director Fontes Rainer warned after a recent settlement, “OCR is sending a clear message to regulated entities that they must appropriately safeguard patients’ protected health information. We take complaints about potential HIPAA violations seriously, no matter how large or small the organization.”[297]

 5. Other Federal Agencies

 a. Department of Homeland Security

The Department of Homeland Security (“DHS”) continued the cybersecurity “sprints” initiative it launched in 2021, with international cybersecurity as the designated focus for the first quarter of 2022.[298] The international cybersecurity sprint included efforts to strengthen collaboration and cooperation with law enforcement partners around the world, build domestic and international capacity to defend against cyberattacks, and combat transnational cybercrimes.

In February 2022, pursuant to President Biden’s Executive Order on Improving the Nation’s Cybersecurity, DHS established the Cyber Safety Review Board (“CSRB”), a public-private advisory board tasked with reviewing and assessing “significant cybersecurity events so that government, industry, and the broader security community can better protect [the] nation’s networks and infrastructure.”[299] The unique public-private composition of the CSRB reflects the Biden Administration’s acknowledgment that much of the U.S.’s critical infrastructure is owned and operated by the private sector, which thus has a crucial role in preventing and addressing cybersecurity threats. In its inaugural year, the CSRB issued its first report on a major cybersecurity incident and launched a review of a second incident. In July 2022, the CSRB released a report addressing the Apache Log4j vulnerabilities discovered in late 2021; Log4j, a widely used logging framework among Java developers, had vulnerabilities that enabled cyberattackers to execute malicious code or extract data. The report made 19 recommendations for industry and government entities to prevent and respond more effectively to future incidents.[300] In December 2022, the CSRB announced its review of the prolific international hacker group Lapsus$, which has reportedly targeted major corporations and government agencies around the world in extortion attacks since 2021.[301]

As required by the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”),[302] DHS’s Cybersecurity and Infrastructure Security Agency (“CISA”) published a Notice of Proposed Rulemaking in September 2022 regarding CIRCIA’s new reporting requirements for cyber incidents and ransom payments.[303] CISA sought public feedback on a range of topics, including which entities are covered by the requirements, the types of substantial cyber incidents that CIRCIA covers, data preservation, and the manner, timing, and form of reports. CISA subsequently hosted a series of public listening sessions from September through November 2022 to receive input on the forthcoming proposed regulations.[304] The CISA Cybersecurity Advisory Committee also reserved a portion of its quarterly meeting held in December 2022 for public comment.[305] Under the CIRCIA, the final rule must be issued by March 2024 (within 18 months of the Notice of Proposed Rulemaking).[306] Further analysis of the CIRCIA and ongoing considerations was reported in detail in Gibson Dunn’s recent alert on the act.[307]

 b. Department of Justice

The DOJ continued to enhance and expand its capacity to prevent and respond to malicious cyber activity, including through the work of the Civil Cyber-Fraud Initiative (“CCFI”) and the Ransomware and Digital Extortion Task Force. The DOJ also adapted its enforcement priorities in light of the Biden Administration’s focus on preventing corruption.

The CCFI, launched by Deputy Attorney General Monaco in 2021, demonstrates the DOJ’s willingness to deploy civil enforcement tools to prevent cybersecurity-related fraud.[308] The initiative seeks to “hold accountable entities or individuals that put U.S. information or systems at risk by knowingly providing deficient cybersecurity products or services, knowingly misrepresenting their cybersecurity practices or protocols, or knowingly violating obligations to monitor and report cybersecurity incidents and breaches.”[309] The CCFI plans to utilize the False Claims Act, including its whistleblower provision, to pursue cybersecurity fraud by government contractors and grantees.[310] In March 2022, the DOJ reached its first settlement under this initiative—for $930,000—in a case involving a medical services contractor who allegedly failed to securely store medical records as required in contracts with the Air Force and State Department.[311] In the second settlement under this initiative, a defense contractor agreed to pay $9 million to resolve allegations that it made misrepresentations regarding its compliance with cybersecurity requirements outlined in federal contracts.[312] The DOJ is poised to continue this trend of pursuing enforcement actions against companies that have received federal funds and failed to adhere to cybersecurity standards to protect and secure data.

In 2021, the Biden Administration declared that the government’s fight against corruption was a core national security interest.[313] Curbing illicit finance was designated as a pillar of the U.S.’s anti-corruption program.[314] Given this focus, the DOJ will likely increase its enforcement efforts in the coming years on foreign bribery, the illicit use and laundering of cryptocurrency, and ransomware and digital extortion, among other areas.

In response to the global proliferation of ransomware attacks on companies and government entities, as well as the increased scope of damage caused by such attacks, the Biden Administration created the Ransomware and Digital Extortion Task Force within the DOJ.[315] In addition to actively investigating hundreds of ransomware variants and ransomware groups, over the past year, the DOJ has successfully recovered portions of ransom payments made in high-profile attacks by domestic and foreign hackers.[316]

In May 2022, the DOJ clarified its priorities for prosecutions under the Computer Fraud and Abuse Act (“CFAA”). The DOJ formally adopted a policy of not prosecuting ethical security hackers hired to identify system vulnerabilities (commonly referred to as “white hat” hackers) who are conducting “good faith security research,” which includes “accessing a computer solely for purposes of good-faith testing, investigation, and/or correction of a security flaw or vulnerability.”[317] The DOJ also clarified that it will not seek to charge a number of other hypothetical CFAA violations, such as using a pseudonym on a social networking site that prohibits them, checking sports scores or paying bills online while at work, or embellishing online dating profiles contrary to the site’s terms of service.[318] Under this new policy, the DOJ intends to focus its resources on cases where a defendant was either not authorized at all to access a computer, or was authorized to access part of a computer but knowingly accessed a part of the computer to which the authorized access did not extend.[319]

Although the DOJ is unlikely to target private companies for enforcement in cyberattacks, companies should be prepared to face increased pressure to report cyberattacks, share information, and take swift and appropriate action to prevent these attacks.

 c. Department of Energy

In June 2022, the Department of Energy (“DOE”) released its National Cyber-Informed Engineering Strategy, which provides a framework to protect the nation’s energy infrastructure by incorporating cybersecurity measures into the engineering and design stage of grid development.[320] The DOE guidance emphasizes building cybersecurity measures into infrastructure early in the design lifecycle, instead of attempting expensive, potentially less-effective aftermarket bolt-on efforts.[321] The strategy also focuses on reducing disruptions of critical energy infrastructure even if a cyberattack is successful.[322]

The DOE released a report and recommendations on the cybersecurity of distributed energy resources (“DER”), such as distributed solar, wind, and other clean energy technologies.[323] The study found that while a cyberattack on DER systems would likely have a negligible impact on grid reliability, as the use of DER systems rapidly grows and evolves, cybersecurity must be taken into consideration. The report makes policy recommendations for decisionmakers and provides strategies for DER operators and electric power entities to make the nation’s power grids more secure.

 d. Joint Agency Actions Regarding Banking Cybersecurity

The Office of the Comptroller of the Currency (“OCC”), the Federal Reserve System, and the Federal Deposit Insurance Corporation (“FDIC”) issued a joint rule for banking organizations and bank service providers regarding computer-security incident notifications.[324] The application of the rule varies slightly depending on the regulating agency.[325] The rule requires organizations to report cyber incidents to their primary federal regulator within 36 hours of determining that a notification incident occurred, and to inform affected customers of an incident in certain situations.[326]

At the recommendation of the Government Accountability Office, the Treasury Department’s Federal Insurance Office (“FIO”) and the DHS’s CISA are conducting a joint assessment of whether there should be a federal insurance response to catastrophic cyber incidents, and potential structures for a federal insurance response.[327] The agencies issued a request for comments in September 2022 to gather public input on a range of topics, including what cyber incidents could have a catastrophic effect on critical infrastructure, how to measure the financial impact of catastrophic cyber incidents, which types of cyber incidents should warrant a federal insurance response, and how to structure a federal insurance response for catastrophic cyber incidents.[328] The FIO and CISA will report the results of their joint assessment to Congress in order to inform deliberations on the merits of a federal insurance response to catastrophic cyber incidents.[329]

 e. Department of Commerce AI Initiative

The U.S. Department of Commerce announced the appointment of 27 committee members who were nominated by the public to the National Artificial Intelligence Advisory Committee (“NAIAC”) in April 2022.[330] The NAIAC’s role is to ensure the U.S. “leads the world in the ethical development and adoption of AI, provides inclusive employment and education opportunities for the American public, and protects civil rights and civil liberties in our digital age.”[331] The NAIAC will advise President Biden on AI-related issues, including bias, security of data, the use of AI for security or law enforcement, and whether AI use is consistent with privacy rights, civil rights, civil liberties, and disability rights.[332]

The NAIAC held open meetings in May and October 2022 to discuss topics such as the competitiveness of U.S. AI, the science around AI, the potential use of AI for workforce training and government operations, oversight of AI systems, and the adequacy of addressing societal issues with AI.[333] The NAIAC is required to submit a report with its findings and recommendations to President Biden and Congress after its first year, and to submit subsequent reports no less than every three years.[334]

 6. State Agencies

State privacy enforcers wielded their considerable authority with decisiveness and creativity in 2022, capping the year with the largest multistate privacy settlement in United States history.

 a. National Association of Attorneys General

The National Association of Attorneys General (“NAAG”) launched the Center for Cyber and Technology to help state attorneys general “in understanding technical aspects of emerging and evolving technologies, conducting cybercrime investigations and prosecutions, and ensuring secure and resilient public and private sector networks and infrastructure.”[335] The Center will also work to form strategic partnerships with government agencies, nonprofits, and private sector entities to focus on cyber-related issues.[336]

On December 12, 2022, the NAAG sent a letter to the Federal Communications Commission (“FCC”) on behalf of 51 state and territory attorneys general expressing their support for more stringent protections against robotexts, citing a slew of consumer complaints concerning unwanted text messages.[337] The NAAG also sent a letter signed by 41 state attorneys general to the FCC commending the agency’s commitment to stopping robocalls.[338] Most of the signing states have committed to information sharing agreements with the FCC to combat robocalls, and those states that have yet to enter any agreements have signaled a good faith effort to do so.[339]

 b. State AGs’ Reaction to Dobbs

Just as the Supreme Court’s June 2022 ruling in Dobbs v. Jackson Women’s Health Org. set off a flurry of activity at HHS in regards to protecting health and reproductive data, several states have also reacted swiftly in response to the decision. A coalition of 22 state attorneys general issued a statement committing to use the full force of the law to support those seeking abortions.[340] Conversely, other states have embraced the Court’s ruling.[341] State attorneys general have pressured technology companies in different directions. For example, the California Attorney General issued a statement warning companies of the consequences for failing to protect reproductive health information, emphasizing the heightened security and confidentiality obligations associated with the California Confidentiality of Medical Information Act.[342] He also sponsored a first-in-the-nation law, passed by the California State Legislature, that prohibits technology companies from responding to out-of-state search warrants for private reproductive health data.[343] On the other side of the spectrum, a coalition of 17 Republican state attorneys general wrote to another large tech company to threaten legal action if it suppresses anti-abortion pregnancy centers in response to political pressure.[344]

 c. State AG Letter on National Consumer Privacy Laws

On July 19, 2022, a coalition of ten state attorneys general, led by California Attorney General Rob Bonta, wrote Congress to demand that any national consumer privacy law not preempt state legislation, urging that a national law should set a floor, not a ceiling, for privacy regulation.[345] The states cited HIPAA as a model for its provision giving states concurrent enforcement authority and only preempting “contrary” state laws.[346] The letter cited the need to adapt to a fast-paced, rapidly changing industry with appropriate regulation to protect consumer privacy rights.[347]

 d. Dark Patterns

State agencies have shared the FTC’s and Congress’ concern over “dark patterns.” For example, the New York Attorney General’s Office secured $2.6 million in disgorged profits from an online travel company for use of deceptive online advertising including the use of “dark patterns,” or “nefarious tactics . . . used to manipulate and trick consumers into buying goods or services.”[348]

Overstating user control of privacy settings can also potentially constitute a “dark pattern,” and can lead to regulatory action. On November 14, 2022, a coalition of 40 state attorneys general reported a $394 million settlement with a major tech company for allegedly misrepresenting the level of user control over location history collection.[349] It is the largest multistate settlement in history, and requires the company to be more transparent to users about its location tracking practices.[350]

In addition to the multistate suit, the company defended against similar allegations in several other state actions. As reported in Section I.A of our 2021 annual review, the Arizona Attorney General filed a complaint focused on misconduct in its collection of location data.[351] In October 2022, the technology company settled with Arizona for $85 million.[352] And in January 2022, the District of Columbia, which did not join the previous settlement, brought a separate lawsuit against the same large tech company, again for allegedly manipulating users with “dark patterns” to track and collect their location history.[353] According to the complaint, the company allegedly misled users to believe that they could protect their location privacy by changing their account and device settings; however, it was extremely difficult to limit location tracking.[354] The Attorneys General of Texas, Washington, and Indiana also have pending lawsuits on similar issues.[355] All of these investigations and proceedings originated from an AP story revealing the company’s location tracking practices.[356]

 e. Other State AG Actions

Large tech companies have become the targets of data privacy-related lawsuits and investigations from attorneys general on both sides of the aisle, who have asserted legal theories ranging from deceptive practices to unauthorized collection of biometric data. The Texas, California, and New York attorneys general have been particularly active.

This February, Texas Attorney General Ken Paxton launched a suit against a large social media company under Texas’ Capture or Use of Biometric Identifier Act alleging illegal capture and use of biometric data retrieved from uploaded photos and videos.[357] Paxton is also bringing data privacy-related lawsuits under Texas’ Deceptive Trade Practices Act; for instance, in May of 2022, he amended a suit against a large tech company to allege that its web browser’s “Incognito Mode” falsely implies to consumers that their data is not being tracked.[358]

California Attorney General Rob Bonta is also targeting businesses that have loyalty programs that may violate the California Consumer Privacy Act.[359] Further analysis of California’s enforcement policies related to customer loyalty programs can be found in Gibson Dunn’s prior alert.[360] This spring, the California Attorney General’s office released an opinion paper indicating that, under the California Consumer Privacy Act, a consumer’s right to know the information a business has collected on that consumer includes internal inferences or “characteristic[s] deduced about a consumer.”[361]

On August 24, 2022, Bonta announced the first settlement under the CCPA, resolving allegations against a large retailer of beauty products that it failed to disclose it was selling consumers’ personal information and that it neglected to process requests to opt out of data sales.[362] The retailer agreed to $1.2 million in penalties and to provide streamlined procedures for opting out of the sale of personal information, including a requirement to honor user-enabled global privacy controls.[363] Bonta emphasized he is “committed to the robust enforcement of California’s groundbreaking data privacy law.”[364]

The New York Attorney General’s Office often sets the tone for attorneys general across the country, increasingly bringing high-profile actions alongside federal regulators, as covered in more detail in Gibson Dunn’s recent alert.[365] The New York Attorney General stated that internet-related issues were the number one source of consumer complaints to the office in 2021, and the area is a key focus for enforcement actions.[366] New York Attorney General Letitia James kicked off 2022 by announcing that an investigation into credential stuffing resulted in 17 affected companies taking steps to protect consumers.[367] Her office announced a $600,000 settlement with a medical company following a data breach at the company that allegedly compromised 2.1 million customers’ information.[368] Another data breach settlement was entered with a grocery retailer, requiring $400,000 in penalties along with protective measures, based on allegations that the company exposed the sensitive information of more than 3 million customers, including over 830,000 New Yorkers.[369] The New York Attorney General’s office was also part of an agreement along with 45 other states to settle with a major cruise line company for $1.25 million after a 2019 data breach at the company allegedly compromised the information of 180,000 employees and customers.[370]

 f. New York Department of Financial Services

The New York State DFS has also been active in enforcing its Part 500 Cybersecurity Rules, effective beginning in 2019. For example, the same major cruise line company referenced above was subject to a $5 million penalty—separate from the one imposed by the New York Attorney General, discussed above—from DFS for violating its Cybersecurity Regulation by failing to timely report its 2019 and 2021 data breaches, and by failing to implement Multi-Factor Authentication and adequate cybersecurity training, all of which rendered improper its cybersecurity compliance certifications.[371]

In step with enforcement of its cybersecurity rules, DFS has been at the vanguard of regulation of virtual currencies. In August 2022, DFS announced another settlement, a $30 million penalty against a young cryptocurrency exchange based on allegations that the company was not compliant with cybersecurity and transaction monitoring requirements and improperly certified its compliance with the DFS regulations, including the Part 500 Cybersecurity Rules.[372]

 III. Civil Litigation Regarding Privacy and Data Security

 A. Data Breach Litigation

Cybercrimes targeting consumer data are increasingly pervasive, according to the Identity Theft Resource Center (“ITRC”), which compiles statistical information on data breaches. The ITRC reported that 2021 featured almost 2,000 data breaches, a record-breaking number and a more than 68% increase over 2020 and 23% increase over the previous record reached in 2017.[373] Nearly 50% of data breach victims in 2022 were affected by breaches at just two companies, with 23 million consumers affected when a major telecommunications company suffered a data breach and 69 million consumers affected when a virtual game site was hacked.[374] These trends signify that the business community will continue to contend with increasingly aggressive attacks by cybercriminals and litigation by affected consumers and shareholders while simultaneously grappling with the evolving legal landscape surrounding data security.

 1. Standing Implications of TransUnion v. Ramirez

Data breach litigation often takes the form of federal class actions due to the number of affected consumers, and the uniform administration of federal rather than state class actions under the Class Action Fairness Act. Data breach litigants pursuing claims against data custodians in federal court are subject to the standing requirements of Article III of the U.S. Constitution. In 2021, the U.S. Supreme Court decided TransUnion v. Ramirez, a landmark decision increasing the burden on plaintiffs to demonstrate standing in actions for money damages brought in federal court.[375] The Court held that the risk of future harm was insufficient to establish the concrete injury required for standing under Article III, especially where the plaintiff was unaware of the risk of future harm.[376] This decision has the potential to seriously affect plaintiffs whose data has been breached but not yet misused.

Prior to the Supreme Court’s decision in TransUnion, circuit courts had differing interpretations on whether the increased risk of future harm resulting from a data breach was sufficient to constitute a “concrete and particularized and actual or imminent” harm as required to establish Article III standing.[377] For example, the Second Circuit held that plaintiffs were not foreclosed from establishing standing based on a future risk of identity theft, and laid out three non-exhaustive factors to evaluate that risk.[378] In that same year, the Eleventh Circuit declined to extend standing to a class of data breach plaintiffs based on an increased risk of future harm resulting from a data breach.[379] The Supreme Court in TransUnion attempted to resolve the circuit split; however, divergent approaches to the issue of standing persist.

In the wake of the TransUnion decision, some courts have chosen to interpret the Supreme Court’s reasoning expansively and confer standing even when data has yet to be misused. For example, the Third Circuit in Clemens v. ExecuPharm found standing for a data breach plaintiff whose data had not yet been misused, when “the exposure to the risk of future harm itself cause[d] a separate concrete harm” such as psychological or emotional harm or spending money on mitigation measures.[380] Other courts have relied on the Court’s language in TransUnion, which identified “intrusion on seclusion” as an intangible harm sufficient to serve as a basis for standing.[381] In similar cases, other courts have taken different approaches in applying TransUnion. In Cooper v. Bonobos Inc., the court declined to confer standing on a data breach plaintiff because the risk of identity theft was too remote to constitute an injury in fact.[382] Based on the varying interpretations and uncertainty surrounding TransUnion, it is clear that courts will continue to grapple with its application and with how to assess standing for data breach litigants whose data has not yet been misused but who are at a higher risk of harm.

 2. Potential Increase in Trials and Derivative Lawsuits

Litigation surrounding data breaches rarely goes to trial, but the Missouri district court case Hiscox Ins. Co. v. Warden Grier did just that, resulting in a multi-day trial in which the jury ruled for the defense.[383] The action was brought by an insurance company claiming (1) breach of contract; (2) breach of implied contract; (3) breach of fiduciary duty; and (4) negligence, after a hacker gained access to consumer data on the servers of the defendant law firm retained by the insurance company.[384] As in many data breach cases, the plaintiff relied largely on a common law cause of action, which in this case was negligence.[385] While public perception of data breaches tends to favor plaintiffs, this case serves as a reminder that careful defendants can still convince a jury that they acted appropriately under the circumstances. Whether this will embolden future defendants to consider taking similar cases to trial rather than settling with plaintiffs remains to be seen.

In the last few years there has also been an uptick in derivative lawsuits from prior data breach cases. Many of these cases, like Reiter v. Fairbanks, rely on alleged breaches of oversight duties by company directors.[386] Results in these derivative suits are mixed, but where plaintiffs do recover, payouts can be quite high. As data breaches continue to become more common, derivative cases against directors can be expected to become more common as well.

 3. Major Settlements

There have been significant settlements in 2022 that reflect the financial ramifications that modern data breaches can bring. A large financial institution agreed to a $60 million settlement regarding a data breach that compromised the data of around 15 million customers.[387] This payment is in addition to the $60 million civil penalty imposed by the OCC in 2020 related to the same events.[388] After a 2017 data breach that exposed the information of 147 million individuals, a major credit reporting bureau finalized a settlement in January of 2022 that included up to $425 million to assist victims of the breach.[389] In September of 2022, another large financial institution reached a $190 million settlement stemming from a cyber incident in 2019 in which about 140,000 Social Security numbers and 80,000 bank account numbers were exposed.[390] On the government side, the U.S. Office of Personnel Management reached a $63 million settlement agreement after information on federal government employees and contractors was compromised.[391] Class action suits like these reaffirm the need for appropriate data security measures.

 4. Rise in State and Federal Legislation

As discussed in more detail in Section II.A.1 above, new comprehensive state data privacy legislation has become increasingly common, promising to bring fundamental changes to data breach litigation. Enacted state data privacy legislation aims to give consumers added control over their data and how it is used and stored, and expands the avenues by which consumers can pursue claims against data custodians in the event of data breaches. There are currently active data privacy bills in committee in states across the country, including Illinois, Michigan, Massachusetts, New Jersey, New York, Ohio, D.C., Rhode Island, and Pennsylvania.[392] As additional state data privacy legislation is considered across the country, the legal landscape surrounding data privacy will continue to transform. As discussed below, the CCPA and BIPA grant consumers a limited private right of action for data breaches, creating an additional front for data custodians to litigate in the event of a data breach. Similarly, the ADPPA also sought to create a private right of action for litigants at the federal level. Other states have enacted data privacy laws without creating a private right of action for consumers. For example, the VCDPA is enforced solely by the Virginia Attorney General.[393] The enacted and upcoming changes to data privacy laws will significantly impact data breach litigation in a multitude of ways. The lack of a unified approach to data privacy laws amongst the states leads to complexity and uncertainty and makes careful consideration of new emerging legislation important.

 B. Computer Fraud and Abuse Act Litigation

The Computer Fraud and Abuse Act generally makes it unlawful to “intentionally access a computer without authorization” or to “exceed[] authorized access.”[394] In recent years, several high-profile court decisions have limited the CFAA’s scope. As a result, relatively commonplace online activity—like mere breaches of a website’s terms of service or routine data scraping—is now unlikely to violate the CFAA. In 2022, these decisions also prompted the DOJ to narrow its CFAA enforcement policies, as previously described in this Review.

On June 3, 2021, the U.S. Supreme Court issued its much-anticipated opinion in Van Buren v. United States, holding that the CFAA’s “exceeds authorized access” clause does not extend to circumstances where an individual has legitimate access but uses that access for a “prohibited purpose.”[395] In Van Buren, a police officer improperly accepted a $5,000 payment to run a license plate search in a law enforcement computer database.[396] The officer was legitimately authorized to use the database for law enforcement purposes, but department policy forbade him from using the database for any other reason, including the license plate search at issue.[397]

The Eleventh Circuit upheld the officer’s criminal conviction, but the Supreme Court reversed, resolving a circuit split on the CFAA’s scope.[398] The Court held that “an individual ‘exceeds authorized access’ when he accesses a computer with authorization but then obtains information located in particular areas of the computer—such as files, folders, or databases—that are off limits to him.”[399] Therefore, the Court reasoned, the officer “did not ‘exceed authorized access’ to the database” because he was legitimately permitted to access it, even though he ultimately used it for an improper purpose.[400]

Following Van Buren, on April 18, 2022, the Ninth Circuit decided hiQ Labs, Inc. v. LinkedIn.[401] This was the second Ninth Circuit decision in hiQ because, ten months earlier, the Supreme Court had granted certiorari in the case, vacating and remanding it back to the Ninth Circuit for reconsideration based on Van Buren.[402]

In hiQ, a professional networking platform had tried to block a data analytics company from scraping data from its publicly available pages in violation of the platform’s terms of use.[403] In May 2017, the professional networking platform sent the data analytics company a cease-and-desist letter, which prompted the data analytics company to file a complaint for injunctive and declaratory relief to continue its data scraping operations.[404] The district court granted the request for a preliminary injunction and the professional networking platform appealed.[405]

The Ninth Circuit held the district court did not abuse its discretion by granting the preliminary injunction because the data analytics company was likely to succeed on its claim that the CFAA does not bar data scraping in this context.[406] The court reasoned the CFAA’s “prohibition on unauthorized access is properly understood to apply only to private information—information delineated as private through use of a permission requirement of some sort.”[407] Thus, “[i]t is likely that when a computer network generally permits public access to its data, a user’s accessing that publicly available data will not constitute access without authorization under the CFAA.”[408] The case’s outcome was therefore consistent with longstanding Ninth Circuit authority that violating the “terms of use of a website—without more—cannot establish liability under the CFAA.”[409] Of course, the outcome of hiQ does not mean that breaching a website’s terms of use leaves website operators without recourse—state contract and tort law may still provide avenues for relief.[410] Indeed, in December 2022, after six years of litigation, the parties in hiQ filed a consent judgment that required the data analytics company to pay $500,000 and permanently enjoined it from breaching the professional networking platform’s terms, including scraping data, among other matters.[411] The court subsequently entered that judgment.[412]

District courts around the country have also continued to grapple with the CFAA’s outer bounds. We highlight two cases from 2022 of particular interest.

Ryanair DAC v. Booking Holdings Inc. In October 2022, a Delaware federal district court held that an airline had sufficiently stated CFAA claims against various online travel booking companies, which had allegedly accessed non-public sections of the airline’s website by creating user accounts and bypassing certain technological restrictions.[413] Interpreting Van Buren, the court held that the “operative question” in CFAA cases under Section 1030(a)(2) “is whether a technological or code-based limitation exists to prevent access to a computer by those who do not have proper authorization.”[414] Because the airline had restricted access to the data at issue only to authenticated users—and because the airline had instituted other technological measures to block would-be data scrapers—the defendants had plausibly breached the CFAA when they accessed that data.[415] The court also credited the plaintiff’s allegations that its terms of use prohibited data scraping—which by itself would not be sufficient to establish liability under the CFAA—distinguishing the case from hiQ on the basis that the data at issue here was not entirely “accessible to the public.”[416]

United States v. Thompson. In March 2022, a Washington federal district court held the government had sufficiently stated CFAA claims against an alleged computer hacker. The hacker allegedly had (1) “created proxy scanners that allowed her to identify [] servers with misconfigured web application firewalls”; (2) sent certain commands to those servers that automatically returned security credentials to them; (3) accessed those servers using the security credentials; (4) copied data to them; and (5) set up “cryptocurrency mining operations” on them for her benefit.[417] The court rejected the defendant’s argument that she had authorized access to the servers as a matter of law because the servers were configured to provide her with valid security credentials.[418] At the same time, the court seemed potentially swayed by the defendant’s claim that the servers’ misconfiguration rendered the information residing on them equivalent to information on a “public-facing web page”—somewhat redolent of the allegations in hiQ.[419] The court noted that the “question of whether accessing a server that is not meant to be public (unlike a public facing website) but nonetheless lacks protective authentication requirements constitutes acting ‘without authorization’ under the CFAA therefore exists in a gray area.”[420] The court ultimately held the jury should resolve that question in the context of this case.[421]

On May 19, 2022, the DOJ also announced adjustments to its CFAA enforcement policies, aligning the policies with Van Buren and hiQ.[422]

The DOJ has now committed not to prosecute “without authorization” claims unless: “(1) the defendant was not authorized to access the protected computer under any circumstances by any person or entity with the authority to grant such authorization; (2) the defendant knew of the facts that made the defendant’s access without authorization; and (3) prosecution would serve the [DOJ]’s goals for CFAA enforcement.”[423] Similarly, the DOJ will not prosecute “exceeds authorized access” claims premised solely on violations of “a contract, agreement, or policy, with the narrow exception of contracts, agreements, or policies that entirely prohibit defendants from accessing particular files, databases, folders, or user accounts on a computer in all circumstances.”[424] In other words, the DOJ will not prosecute mere violations of contractual access restrictions or terms of service established by Internet service providers or publicly-available web services, as was the case in hiQ.[425] Thus, “exceeding authorized access” prosecutions will be confined to circumstances where: “(1) a protected computer is divided into areas . . . (2) that division is established in a computational sense . . . (3) a defendant is authorized to access some areas, but unconditionally prohibited from accessing other areas of the computer; (4) the defendant accessed an area of the computer to which his authorized access did not extend; (5) the defendant knew of the facts that made his access unauthorized; and (6) prosecution would serve the [DOJ]’s goals for CFAA Enforcement” (as described in the policy statement).[426]

In discussing those policy goals, the DOJ offered guidance for government attorneys to consider when determining whether to pursue CFAA prosecutions. This guidance pronounced that government attorneys should decline to prosecute security researchers that access an organization’s networks “solely for purposes of good-faith testing, investigation, and/or correction of a security flaw or vulnerability, where such activity is carried out in a manner designed to avoid any harm to individuals or the public.”[427] Notably, the DOJ clarified that, across all prosecutions, prosecutors must be ready to prove a particular mental state: “that the defendant was aware of the facts that made the defendant’s access unauthorized at the time of the defendant’s conduct,” and “not merely that the defendant subsequently misused information or services that he was authorized to obtain from the computer at the time he obtained it.”[428]

 C. Telephone Consumer Protection Act Litigation

Civil litigation under the Telephone Consumer Protection Act (“TCPA”) has continued to present pivotal questions brought by changing technology over the past year. Specifically, courts have been deliberating issues related to calling systems and the devices on which calls are received in the aftermath of a landmark Supreme Court decision in 2021, which clarified and restricted the definition of an automatic telephone dialing system (“ATDS”).[429]

On April 1, 2021, in a TCPA action brought against a major social media platform, the Supreme Court held that the adverbial phrase “using a random or sequential number generator” in the statutory definition of ATDS modifies both the words “store” and “produce” as used in the statute.[430] Accordingly, the Court held that a device is an ATDS under the TCPA only if it can store telephone numbers using a random or sequential number generator, or produce telephone numbers using a random or sequential number generator.[431] This reversed the Ninth Circuit’s broad interpretation of the term that included any device capable of storing and automatically dialing numbers.[432] Following the Supreme Court’s guidance, many courts have raised the threshold of TCPA challenges even higher.[433] Most prominently, in Panzarella v. Navient Solutions, Inc., the Third Circuit held that to allege a TCPA violation under §227(b)(1)(A)(iii), it is not enough to show that the dialing system satisfies the narrow definition of ATDS in accordance with the Supreme Court’s holding.[434] Litigants must also show that the challenged call actually employed ATDS’s capacity to use a random or sequential number generator.[435] This has made it more difficult for claims focused on the use of an ATDS to succeed. However, plaintiffs have begun pivoting toward bringing TCPA claims that do not center around the use of an ATDS. For example, a number of suits have been brought alleging the use of “an artificial or prerecorded voice,” which also violates the TCPA under Section 227(b)(1)(A).[436]

Violations of the TCPA can result in penalties as high as $500 per violation, and damages can be increased up to three times that amount if the court finds that the violation was willful or knowing.[437] Each year, thousands of TCPA claims are brought to the courts. However, the number of claims dropped by nearly 50% from 2020 to 2021, potentially reflecting the limitations on plaintiffs’ ability to bring successful claims under the TCPA.[438] Yet claims continue to be brought under the TCPA under new theories that do not require proving the use of an ATDS under the new, narrower definition.

In the California federal district court case Tracy Eggleston v. Reward Zone, the plaintiff argued that all text messages should be considered pre-recorded calls under the TCPA, and should therefore not require an ATDS to constitute a violation.[439] While this argument was dismissed by the court, this case demonstrates one of the many ways plaintiffs have sought to sidestep the new limitations courts have imposed on TCPA claims. This case also raises important questions about the TCPA’s applicability to modern technology, like text messaging. This concern was also raised by Supreme Court Justice Clarence Thomas, who questioned the established practice of considering text messages to be calls under the TCPA during oral arguments in the 2021 landmark case, asking “at what point do we say this statute is an ill fit for current technology?”[440] The uncertainty surrounding the TCPA’s relevance in the face of technological advancement remains, leaving room for challenges to the application and interpretation of the law.

State governments have also taken legislative steps in response to the narrow definition of ATDS. For example, Florida passed the Florida Telephone Solicitation Act (“FTSA”),[441] amending the Florida Telemarketing Act, which covers any “automated system for the selection or dialing of telephone numbers.”[442] The newly enacted Oklahoma Telephone Solicitation Act also employs the same language.[443] Litigants have wasted no time testing the FTSA, which survived a constitutional challenge in Turizo v. Subway Franchisee Advertising Fund Trust, a case involving claims that the FTSA violated the Supremacy Clause, Dormant Commerce Clause, First Amendment, and Due Process Clause of the Fifth Amendment.[444] While this case survived a motion to dismiss on constitutional grounds, there is likely to be more litigation around the constitutionality of state laws that attempt to emulate the TCPA.

Along with the limitations on TCPA claims imposed by the Supreme Court decision, requirements for bringing TCPA claims involving the Do Not Call Registry (“DNC Registry”) have also increased. In Rambough v. Smith Agency, an Iowa federal district court held that in order to bring a claim that a phone number was illegally used because of its status on the DNC Registry, the plaintiff must be the individual that registered the number.[445] In this case, the court dismissed the plaintiff’s challenge because she failed to allege that “she registered her telephone number on the do-not-call-registry.”[446] Even though the number was on the DNC Registry, the court ruled that the plaintiff should have re-registered the number herself in order to ensure protection under the law.[447] The court ultimately dismissed the case with prejudice, signaling that at least some courts will impose a more stringent requirement for TCPA claims involving the wrongful use of phone numbers on the DNC Registry.[448]

While courts have shown a desire to restrict the TCPA, that trend is not universal. In the New York district court case Rose v. New TSI Holdings, the court strayed from prior precedent in its decision regarding a fairly basic TCPA claim involving a cellphone number on the DNC Registry.[449] The court ruled that the plaintiff’s claim that the number “was a personal number that [the plaintiff] did not use for business purposes and that [] has been listed on the DNC Registry since 2004” was sufficient for the plaintiff’s TCPA claim to survive a motion to dismiss.[450] This was a notable relaxation of the usual requirement at the motion to dismiss stage that plaintiffs show factual evidence that the number is for “residential use.” In fact, there has been disagreement over whether cell phones can fall under the umbrella of “residential telephones” at all.[451] More litigation on this issue should be expected in the near future.

 D. State Law Litigation

 1. California Consumer Privacy Act Litigation

In addition to those regulatory actions discussed above, the CCPA includes a private right of action, allowing consumers, individually and as a class, to pursue civil litigation when their personal information falls subject to “unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures and practices.”[452] The CCPA provides for the greater of either statutory damages—between $100 and $750 per consumer per incident—or actual damages, plus injunctive or declaratory relief, and any other relief a court deems appropriate.[453] These remedial provisions contribute to the seminal trend of companies facing continually increasing costs to settle data protection violations.

 a. Potential Anchoring Effect of CCPA Statutory Damages

The CCPA’s provision of either actual damages or statutory damages of $100 to $750 per consumer per incident has the potential to frame the discussion of settlement terms. Such a potential anchoring effect appears reflected in at least one recent settlement.

Automobile Manufacturers and Marketing Vendor. Residents of California and Florida, car owners and lessees, filed class actions alleging that the failure of auto manufacturers and a marketing vendor to adequately secure and safeguard data allowed hackers to steal the personal information and sensitive personal information—there meaning driver’s license numbers, Social Security numbers, payment card numbers, bank account or routing numbers, dates of birth, and/or tax identification numbers—of 3.3 million individuals.[454] The plaintiffs asserted causes of action for negligence, breach of implied contract, violation of the CCPA, violation of California’s Unfair Competition Law (“UCL”), and breach of contract.[455] In an order dated December 13, 2022, the court preliminarily approved a settlement between the parties.[456] The settlement’s terms appear to reflect the potential anchoring effect of the CCPA’s statutory damages provision.[457] Under the settlement, California residents whose sensitive personal information was affected would receive $350 cash payments; consumers outside California, whose sensitive personal information was affected, would receive $80; and those in the U.S. whose non-sensitive personal information was affected would receive $20.[458] The total settlement fund would be in the amount of $3,500,000, with $5,000 representative incentive awards for each of four representative plaintiffs, $1,050,000 in attorney’s fees, and up to $50,000 in litigation costs.[459]

 b. Requirements for Adequately Stating a CCPA Claim

A few recent decisions this past year provide further insight into how courts continue to give shape to the contours of the CCPA. The below cases address questions regarding the extent to which plaintiffs must plead supporting facts to adequately allege a claim under the CCPA, and who may bring claims of CCPA violations.

Waste Disposal Company. Plaintiffs, current and former employees of a waste disposal company, brought suit after the company suffered a data breach.[460] A consolidated amended complaint asserted various claims on behalf of a putative nationwide class, and violations of the CCPA, the California UCL, and other California statutes on behalf of a subclass of California plaintiffs.[461] The court granted the waste disposal company’s motion to dismiss the plaintiffs’ CCPA claim, as well as all other claims. In reaching its decision, the court reasoned that the complaint failed to plausibly allege that the company violated its “duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information.”[462] The court similarly held that plaintiffs’ assertions that the company failed to cure purported violations of the CCPA or to change security practices were fatally conclusory, lacking allegations regarding any notice of cure, and did not explain what violations needed remediation.[463] Regarding plaintiffs’ argument that the company failed to remedy its CCPA violations because their data remained exposed and susceptible to exploitation, the court reasoned that “the CCPA does not require businesses that have experienced a data breach to place consumers in the same position they would have been absent a breach. It just requires them to remedy any ‘violation’ of their ‘duty to implement and maintain reasonable security procedures and practices.’”[464] The court found plaintiffs did not allege that the company failed to remedy violations of that duty.[465]

Notably, the court also raised sua sponte, without deciding the issue, that employee plaintiffs might not fall within the CCPA’s purview because they might not qualify as “consumers” under the CCPA.[466] The court also noted, but likewise found unnecessary to decide, that plaintiffs may have an obligation to plead compliance with the CCPA’s 30-day notice requirement.[467]

The plaintiffs’ appeal of the dismissal of their complaint remains pending before the Second Circuit.[468]

 c. Broadening the Scope of a “Data Breach”

As discussed in the ninth edition of Gibson Dunn’s United States Cybersecurity and Data Privacy Outlook Review,[469] various consumers have filed suits seeking relief for CCPA violations and have sought to expand the limited basis for the CCPA’s private right of action by incorporating claims alleged under the CCPA in data breach actions. Courts have responded by continuing to emphasize the limited scope of the private right of action.

Retailers and Loss Prevention Service Provider. This class action before the Central District of California named retailers and a loss prevention service provider as defendants and was previously covered in this Review’s ninth edition.[470] There we noted that plaintiffs’ allegations were based on the defendants’ voluntary sharing of consumer information with a third-party loss prevention service provider that generated customer risk scores. We return here with an update that the court granted in part defendants’ motion to dismiss, dismissing with prejudice most of plaintiffs’ claims, including the claim under the CCPA.[471] The court in this decision addressed plaintiffs’ CCPA claims and the narrowness of the private right of action in three parts.[472] First, the court agreed with defendants that the CCPA was not retroactive in effect—i.e., plaintiffs who allegedly attempted returns or exchanges before the operative date of the CCPA were required to have those claims dismissed because the CCPA (1) was not yet in effect and (2) lacked an express retroactivity provision as necessary to apply retroactively.[473] Second, the court held that the CCPA’s private right of action is clearly limited to claims brought under Section 1798.150(a), and accordingly dismissed with prejudice the plaintiffs’ CCPA claims under Sections 1798.100(b), 110(c), and 115(d). Finally, the court addressed the plaintiffs’ CCPA claim under Section 1798.150(a). The court held that under Section 1798.150(a) a plaintiff is required to show that the theft of “nonencrypted and nonredacted personal information” resulted from “the business’s violation of the duty to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect the personal information.”[474] The court found that the sale of the plaintiffs’ non-anonymized data was “a business decision to combat retail fraud,” not the result of the defendant violating the duty to implement reasonable security measures, and thus no violation of the statute was alleged.[475] The court also held that the out-of-state plaintiffs’ claims lacked standing because the CCPA does not apply to non-California residents.[476]

 d. CCPA Violations Under the UCL

As we reported in the ninth edition of this Review, California’s UCL—like the CCPA—provides a private right of action for consumers.[477] Under the UCL, the private right is to enjoin and seek restitution for a business act or practice that is “unlawful,” “unfair,” or “fraudulent.”[478] Violations of other statutes can serve as the “unlawful” predicate for a UCL claim. However, the CCPA’s text and legislative history prohibit consumers from using CCPA violations as a predicate for a cause of action under a separate statute, seemingly precluding the CCPA from constituting grounds for liability under the UCL.[479] Nevertheless, private litigants have continued to test this prohibition on such use of the CCPA, as in the following example:

Loan Servicing Company. On April 21, 2022, a class action was filed in California Superior Court against a loan servicing company.[480] In their complaint, the plaintiffs alleged that the defendant failed to implement reasonable security measures in violation of the CCPA, resulting in a data breach of the class’s personal information.[481] The plaintiffs sought actual damages, equitable and declaratory relief, and other relief deemed appropriate by the court.[482] In an example of how plaintiffs are further incorporating the CCPA into data breach actions, the plaintiffs also claimed that the loan servicing company committed “unlawful” business practices within the meaning of the UCL by failing to implement appropriate data security that complied with the CCPA.[483] The plaintiffs further asserted that the defendant violated the UCL by engaging in “unfair” business practices contrary to public policies reflected in the CCPA.[484] The loan servicing company removed the complaint to the U.S. District Court for the Southern District of California.[485] On May 9, 2022, the Southern District of California granted a joint motion to transfer venue to the Southern District of Florida.[486] As of this writing, the case has been electronically transferred to but not docketed in the Southern District of Florida.

 e. CCPA as a Shield for Immunity to Substantive Claims Litigation

Over the past year, parties in several actions have attempted to wield the CCPA as a shield, whether as a source of immunity or otherwise, to protect themselves from claims under substantive law. In particular, while courts have continued to find that the scope of liability under the CCPA remains limited, some courts nonetheless have found also that the law does not provide defendants with particular affirmative defenses in certain circumstances.

People Search Website. On November 19, 2021, plaintiffs brought a class action suit against the operator of a website that aggregates and makes available individuals’ public information from both online and offline sources, alleging violations of the UCL, as well as California’s, Indiana’s, and Ohio’s right of publicity and appropriation of name or likeness statutes.[487] Notably, whereas plaintiffs alleged no violation of the CCPA, defendant moved to dismiss the complaint contending that, among other arguments, the CCPA granted immunity from plaintiffs’ UCL claim because the CCPA expressly allows the use of publicly available information.[488] On April 19, 2022, the court denied the motion and specifically rejected this argument, holding that the CCPA only “exempt[s] publicly available data from special notification and disclosure rules that the statute imposes on companies that collect Californians’ data,” and that the CCPA did not nullify plaintiffs’ privacy torts or California UCL claims.[489] On July 8, 2022, the court denied a motion to certify an interlocutory appeal,[490] and on September 13, 2022, the case was referred to private alternative dispute resolution.[491] On January 18, 2023, the plaintiffs and defendant people search website filed a joint statement of discovery dispute concerning the scope of social media posts that the plaintiffs would be required to produce.[492] The plaintiffs had agreed to produce social media posts visible to all members of the public, whereas the people search website sought production also of social media posts that were visible only to plaintiffs’ social media “friends.”[493] The plaintiffs contended that the people search website misunderstood their legal theory that they suffered injury by violations of state laws prohibiting the use of personal information for commercial purposes.[494] On January 25, 2023, the court resolved the dispute by denying the people search website’s request.[495] The court found it unclear how the many years of non-public social media posts were proportional to the needs of the case or relevant to resolving the issues.[496] The court further found that the people search website’s theory that the posts were necessary to show that the plaintiffs lacked privacy rights in that information seemed tenuous.[497] According to the most recent publicly available information on the docket, the parties are scheduled to mediate on March 7, 2023,[498] with the plaintiffs’ motion for class certification due February 10, 2023, the defendants’ opposition due March 24, 2023, and the hearing on the motion set for May 10, 2023.[499]

 f. The CCPA in Discovery Disputes

The CCPA has played a role in recent discovery disputes. A number of litigants have sought to leverage the CCPA as a defense in a range of conflicts in discovery—from sanctions motions to objections to discovery requests. These efforts, however, have generally been less than successful. Additionally, information generated pursuant to the CCPA has become a target of discovery: the CCPA and its August 2020 implementing regulations require businesses that collect personal information for incentive programs to estimate the “value [provided] to the business” by the consumer’s data, considering factors specified in the regulations.[500]

Workforce Automation Company. On September 29, 2022, the U.S. District Court for the Northern District of Ohio issued discovery spoliation sanctions against a workforce automation company and its founder, in the form of a mandatory adverse-inference instruction to the jury.[501] The court rejected as not credible the defendants’ claim that the data destruction, which occurred when the founder both deleted previously exported Slack data and changed the Slack data retention setting from unlimited to seven days, resulted from a misunderstanding of their obligations under the CCPA and ISO compliance standards.[502] The court found that the founder admittedly changed the retention setting and deleted the previously exported data shortly after becoming aware of the likelihood of litigation, a month before receiving a litigation hold letter.[503] The court further found that the company then failed to revert to unlimited Slack data retention for almost a year after receiving the litigation hold’s request to preserve all data relevant to the litigation.[504] The timing of the data destruction, coupled with the persistent refusal to retain Slack data indefinitely, led the court to find the defendants’ claims of a misunderstanding of their CCPA and ISO compliance obligations not credible.[505] The court also noted the defendants’ failure, despite plaintiffs’ requests, to produce any evidence that the seven-day retention policy was instituted to comply with the CCPA or ISO.[506] The practical lesson is that a retention-shortening change made in the name of privacy compliance does not suspend preservation duties once litigation is reasonably anticipated; the CCPA’s own deletion provisions except data that a business must retain to comply with a legal obligation, and a retention policy change should be documented at the time it is made, together with its compliance rationale, so that it can be substantiated later.

Law Firm. Similarly, litigants have been unsuccessful in arguing that the CCPA creates a privacy right or a privilege that shields disclosure during discovery.[507] In one such litigation, a defendant law office objected to a request for production of documents on the basis that the discovery would invade protected privacy interests established by California privacy statutes, including the CCPA.[508] The court sided with plaintiffs, agreeing that the privacy objection lacked merit because, at the outset, the California Constitution, the CCPA, and other California privacy statutes were not applicable in the federal discovery proceeding.[509] Even if the state constitution and statutes created a privilege, a question the court declined to decide, “only federal law on privilege applies in cases, such as this one, involving federal question jurisdiction.”[510]

 g. Supplementing Time for the CCPA’s 30-Day Notice Requirement

The CCPA’s statutory scheme notably requires that a “consumer provide[] a business 30 days’ written notice identifying the specific provisions of [the CCPA] the consumer alleges have been or are being violated.”[511] A recent decision upheld defendants’ argument that this requirement is one that a plaintiff must meet prior to initiating a CCPA claim and that a plaintiff “cannot supplement the time between the notice and the initiation of the lawsuit by amending [the] complaint.”[512]

Health Care Company. On June 29, 2020, plaintiffs brought a putative class action against a health care company after a breach of the company’s computer systems resulted in the theft of personal information and protected health information of employees, contractors, and health care benefit plan participants.[513] On June 1, 2022, the court granted in part and denied in part defendant’s motion to dismiss the second amended consolidated class action complaint, dismissing with prejudice a California plaintiff’s claim that the health care company violated the CCPA by providing inadequate data security and failing to prevent the data breach.[514] The court noted that it had previously dismissed the CCPA claim (without prejudice) in September 2021 because the plaintiff failed to allege out-of-pocket damages, did not seek statutory damages, failed to comply with the CCPA’s 30-day notice requirement, and failed to allege how the data security measures were inadequate.[515] In its motion to dismiss the second amended complaint, the defendant health care company contended that the California plaintiff still failed to allege compliance with the CCPA’s 30-day notice requirement.[516] The court agreed and rejected the plaintiff’s argument that notice was timely because more than 30 days had elapsed between the notice and the filing of the second amended complaint.[517] Pointing out that courts have held that pre-suit notice requirements aim to give a defendant an opportunity to cure the defect outside of court, the court found that the CCPA’s requirement serves the same end and that allowing a plaintiff to supplement the time between serving the notice and initiating the lawsuit by filing an amended complaint would defeat the requirement’s purpose.[518] Because the plaintiff had served notice just three days before initially filing the CCPA claim, the court dismissed the claim with prejudice.[519]

 h. Guidance on Reasonable Security Measures in Connection with the CCPA

A few CCPA decisions this past year offer some guidance on what courts might regard as reasonable data security measures and on what potential defendants can do to implement reasonable data security procedures and avoid liability under the CCPA.

Insurance Broker Companies. After suffering a cyberattack in 2020, insurance brokers were named as defendants in putative class actions brought by former employees and clients who asserted injuries under common law, data breach notification statutes, and consumer protection statutes, including the CCPA.[520] On September 28, 2022, the court held that plaintiffs adequately alleged that defendants failed to implement reasonable data security measures, as required by the CCPA, and that plaintiffs sufficiently identified the measures defendants assertedly failed to implement by alleging that:

(1) the United States government recommends certain measures that organizations can take to prevent and detect ransomware attacks, including awareness and training programs, spam filters, firewalls, anti-virus and anti-malware programs; and (2) Defendants failed to implement “one or more of the above measures to prevent ransomware attacks.”[521]

On the question of injury, however, the U.S. District Court for the Northern District of Illinois agreed with defendants in part, stating that it “strains plausibility to assume that Defendants caused increased spam to those Plaintiffs who do not allege that their contact information was accessed via the Data Breach.”[522] The court nonetheless held that plaintiffs plausibly asserted that the breach caused other kinds of harm, such as “‘lost time,’ anxiety, and increased concerns for the loss of the privacy as a result of the Data Breach.”[523] The court also agreed with defendants that one of the complaint’s CCPA claims was deficient for omitting allegations regarding a plaintiff’s personal experience with the data breach, but because both parties acknowledged that the omission was inadvertent, the court permitted the plaintiff to amend and allowed the other CCPA claim to proceed.[524]

Fintech Company. To settle a putative class action alleging that it failed to take sufficient steps to prevent unauthorized access to users’ accounts, and thereby committed common law negligence and breach of contract and violated the CCPA, the UCL, and other California statutes, a fintech company agreed to pay up to $20 million to provide compensation and credit monitoring to thousands of customers who claimed their accounts were hacked.[525] The lawsuit alleged that the company failed to maintain industry-standard security measures that plaintiffs claimed could have prevented third parties from accessing approximately 40,000 customer accounts.[526]

The fintech company filed two motions to dismiss, each granted in part and denied in part.[527] Plaintiffs’ motion for approval of the settlement described a “major question of law” raised in those motions as “whether Plaintiffs’ CCPA claim could survive despite [the company’s] contention that no data breach of its computer systems had occurred.”[528] Specifically, the fintech company challenged “whether the CCPA applies where a defendant’s own computer network was not subject to a security breach.”[529] The U.S. District Court for the Northern District of California found the CCPA claim to be adequately pleaded.[530] The ruling matters for any operator whose customer accounts are taken over with credentials obtained elsewhere rather than through a breach of the operator’s own systems, since the company’s position that no breach of its network had occurred did not defeat the claim at the pleading stage.

The parties proceeded to discovery, during which over 11,000 pages of documents regarding the fintech company’s security and business practices were produced, before turning to mediation in March 2022 and reaching a settlement in principle on May 4, 2022.[531] Plaintiffs acknowledged that, given the fintech company’s conduct in the case, it would have been reasonable to assume that any award of statutory damages under the CCPA would fall toward the lower end of the $100 to $750 range.[532]

As part of the settlement, the company agreed to implement “improved policies and procedures to prevent unauthorized access to customer accounts,” including “supplemental two-factor authentication; screening for, and prompting users to update, potentially compromised passwords; proactive monitoring of account takeovers; customer awareness campaigns that provide information and tools for better cybersecurity hygiene; and real-time voice support.”[533] These new procedures must be maintained for at least 18 months.[534] The company also agreed to pay class members up to $260 each and to provide two years of credit monitoring and identity theft protection services, estimated to be worth approximately $19.5 million.[535]

 i. Staying CCPA Litigation Due to Other, First-Filed Litigation Arising from the Same Data Breach

Insurance Companies. On May 26, 2022, the U.S. District Court for the Southern District of California resolved defendant insurance company entities’ motion to transfer a putative data breach class action to the Eastern District of New York—where other class actions arising from the same data breach were already pending—by staying the Southern District of California action until the Eastern District of New York litigation concluded.[536]

In late April and early May 2021, after the insurance company entities announced the data breach, five putative class action lawsuits were filed by plaintiffs in three different district courts: three in the Eastern District of New York, one in the District of Maryland, and one in the Southern District of California.[537] Plaintiffs transferred or consented to transfer the other actions to be heard by the same judge in the Eastern District of New York, but plaintiffs in the Southern District of California opposed defendants’ motion for such transfer.[538]

To resolve the disputed motion, the Southern District of California court applied the three-factor first-to-file rule, which permits a district court to transfer, stay, or dismiss an action when a complaint involving the same parties and issues has already been filed in another district.[539] Applying the rule’s namesake first factor, the district court found that the Eastern District of New York action had been filed first.[540] Regarding the second factor, the similarity of parties, the court observed that the Eastern District of New York actions proposed nationwide classes while the Southern District of California action proposed a California class, “making the classes duplicative.”[541] Regarding the third factor, similarity of issues, the court agreed with the plaintiffs that the other four actions asserted no California state law claims, but noted that each raised breach or invasion of privacy claims under New York State law or the Driver’s Privacy Protection Act.[542] The court found persuasive, and adopted, the reasoning of a June 2021 Central District of California CCPA decision that addressed a parallel data breach action filed in Nevada with Nevada state-law claims[543]: “Because ‘[t]his factor does not require total uniformity of claims but rather focuses on the underlying factual allegations,’ . . . the core theory is what drives the analysis.”[544] The Southern District of California court found that because all five actions implicated how the data breach occurred, the measures in place at the time, and the insurance companies’ response, they would be “duplicative litigation” posing a risk of disparate judgments, to which the first-to-file rule applies.[545] The court then exercised its discretion to stay the case pending resolution of the Eastern District of New York actions in order to conserve judicial resources and promote efficiency.[546]

 2. Illinois Biometric Information Privacy Act Litigation

The Illinois Biometric Information Privacy Act (“BIPA”), enacted in 2008, was the first statute governing the collection, use, and handling of biometric data by private entities. With BIPA, Illinois has become the leading state for litigation alleging violations of biometric data privacy. BIPA regulates private entities that collect or possess “biometric identifier[s],” which the Act defines to include “a retina or iris scan, fingerprint, voiceprint, or scan of hand or face geometry,” while excluding writing samples, physical descriptions of a person, and photographs.[547] Biometric information is defined broadly to include “any information . . . based on an individual’s biometric identifier used to identify an individual.”[548] The Act flatly prohibits an entity in possession of biometric data from selling, leasing, trading, or otherwise profiting from it, which likely disincentivizes the collection of biometric data by private entities,[549] and separately bars disclosure of that data unless, among other limited exceptions, the subject consents to the disclosure.[550]

BIPA creates an expansive private right of action. In its 2019 decision, Rosenbach v. Six Flags Entertainment Corp., the Illinois Supreme Court held that “a person need not have sustained actual damage beyond violation of his or her rights under [BIPA] in order to bring an action under it.”[551] This “no actual damages” holding was reaffirmed by the Illinois Supreme Court’s 2022 decision in McDonald v. Symphony Bronzeville Park, LLC, which held that the Illinois Workers’ Compensation Act, the exclusive means for an employee to recover from an employer for work-related injuries, does not preempt BIPA.[552] McDonald removed a key defense for businesses that collect employees’ biometric information, so businesses that handle such information should follow BIPA precisely or risk liquidated damages of $1,000 per negligent violation and $5,000 per intentional or reckless violation, as well as attorneys’ fees and other litigation costs.[553]

Even so, there are limits to BIPA’s private right of action. In Walton v. Roosevelt University, the Appellate Court of Illinois held that a union member’s claim against his employer for collecting his handprint as a means of clocking in and out of work was preempted by the federal Labor Management Relations Act.[554] The court determined that the claim was preempted because Walton’s collective bargaining agreement clearly indicated that the employer’s timekeeping procedures were a topic for negotiation.[555]

Despite this preemption, 2022 saw a swath of BIPA-related litigation in the U.S. For example, private plaintiffs have used BIPA to bring claims against a software company that provides automated proctoring tools for exams,[556] and against a company that allegedly collected sales workers’ biometric data by scanning their facial geometry.[557] Prominent technology companies have also faced a rise in BIPA-related litigation. In February 2020, a social media company reached a $650 million settlement with plaintiffs whose pictures had allegedly been scanned in connection with its “Tag Suggestions” program, resolving claims that it collected users’ biometric data without their consent in violation of BIPA.[558] Illinois plaintiffs have also recently reached a $35 million settlement with a photo-sharing social media company for allegedly violating BIPA by failing to obtain consent to collect app users’ facial scans or to transfer them to third parties.[559] Litigation is also currently pending against a large software company for its alleged collection of facial biometric data,[560] against Clearview AI, a facial recognition software company, for its collection of consumer data,[561] and against a jewelry company for its virtual try-on tool, which allegedly captures users’ facial geometry.[562]

In each of these proposed class actions, plaintiffs alleged that private companies failed to obtain informed, written consent to the collection of their biometric data; disclosed and disseminated that information without consent; and violated BIPA’s disclosure and retention requirements. Companies should be careful about what they collect (facial scans, facial geometry data, voiceprints, and wellness data, for example) and about the nature of any consumer notice provided and consent obtained. That notice and consent should also cover the sharing of biometric data, especially where a third-party Application Programming Interface (“API”) is used to process it, since sending a scan to an outside vendor for processing is itself a disclosure to a third party. Finally, companies should develop and publish comprehensive data retention policies and schedules for destroying biometric data, which must occur “when the initial purpose for collecting or obtaining such identifiers or information has been satisfied or within 3 years of the individual’s last interaction with the private entity, whichever occurs first.”[563]

 3. Texas Biometric Privacy Law Litigation

Illinois is not the only state where litigation and investigations have been launched over the collection and use of individuals’ biometric features. In Texas, the Capture or Use of Biometric Identifier Act (“CUBI”) regulates private entities that capture “biometric identifiers” for commercial purposes.[564] The Act defines “biometric identifiers” as “a retina or iris scan, fingerprint, voiceprint, or record of hand or face geometry,” and makes it unlawful to capture “a biometric identifier of an individual for a commercial purpose unless the person” informs the individual beforehand and obtains the individual’s consent.[565] The Act prohibits the sale, lease, or disclosure of biometric identifiers except in certain situations, and places an affirmative duty on the capturer to store, transmit, and protect biometric identifiers from disclosure using “reasonable care” and to destroy them within a reasonable time, and no later than one year after the date the purpose for collecting them expires.[566] A notable difference between CUBI and similar state biometric privacy laws (like Illinois’s BIPA) is that CUBI does not create a private right of action; only the Attorney General may bring civil claims for violations of the Act.[567] Like BIPA, CUBI provides for steep penalties, with a civil penalty of up to $25,000 for each violation.[568]

There is not yet any meaningful precedent construing CUBI. Attorney General Ken Paxton brought the first suit under CUBI against a large social media company in February 2022, alleging that the company’s collection of “facial geometries” through a facial recognition and tagging feature, which the company discontinued in November 2021, violated the Act, and also bringing claims under Texas’s Deceptive Trade Practices Act.[569] The suit’s CUBI claims allege that the company’s “tagging” system, which prompted users to “tag” other individuals in photos and later in videos when the software detected a face, trained the software to associate a particular facial geometry with an individual without that individual’s consent or knowledge.[570]

In late October 2022, the State filed a similar action against another large technology company for alleged violations of CUBI.[571] Specifically, the suit alleges that the company impermissibly captured voiceprints and facial geometries of users through certain services it offers, and that the company used these biometric identifiers for its own commercial benefit.[572]

Significantly, these two cases are the first actions brought under CUBI since it was enacted in 2009. Though there are similarities between CUBI and other equivalent state law—for example, the definitions of “biometric identifier” in CUBI and BIPA are essentially identical—there are differences as well, such as BIPA’s more stringent requirements for obtaining informed consent[573] and the absence of a private right of action under CUBI.[574] With states like Texas beginning to enforce data privacy laws—though perhaps with different underlying motivations than other states—it is clear that companies can expect to face increasing enforcement actions and associated costs regarding these data privacy laws across the country.

 E. Other Noteworthy Litigation

Anti-Wiretapping Statutes, Session Replay Litigation and Express Prior Customer Consent. 2022 saw a deluge of lawsuits, including consumer class actions, brought under federal and state anti-wiretapping statutes. These statutes were originally intended to prevent surreptitious recording of, or eavesdropping on, telephone calls without the participants’ consent, but have been extended to other forms of electronic and digital communications as technology has evolved. The suits allege that businesses and their software providers violate state anti-wiretapping statutes and invade consumers’ privacy rights through technologies such as tracking pixels, software development kits (“SDKs”), and “session replay” tools, without obtaining sufficient and valid consent. Session replay tools are scripts embedded in a public-facing website or mobile/web application that capture a visitor’s interactions, typically mouse movements, clicks, scrolling, and keystrokes, and transmit them to the business or its session replay service provider, where the visit can be reconstructed and analyzed to understand and optimize the user experience. Because keystroke capture can include text entered into form fields or chat windows, the scope of what is recorded, and whether sensitive fields are masked before transmission, has been central to these disputes, with several courts distinguishing the recording of non-substantive browsing movements from the capture of the content of a communication.

Nearly all 50 U.S. states have some form of anti-wiretapping statute; 13 states require “two-party” (or “all-party”) consent, although three of those 13 apply one-party consent in some circumstances.[575] This arguably means that companies must inform all parties to a conversation that it is being recorded and obtain their consent to the recording. Litigation in this area has so far been most prominent in California, Pennsylvania, and Florida, all of which are two-party consent states. Plaintiffs in these lawsuits generally allege that a customer’s interactions with a business’s website or app are a “communication” between the customer and the business that is “recorded” and “intercepted” by the business and the third-party pixel, SDK, or session replay service provider, essentially a form of wiretapping.[576]

An unpublished Ninth Circuit decision in May 2022 spurred a wave of session replay lawsuits, especially in California.[577] In Javier v. Assurance IQ LLC, the plaintiff alleged that the defendant, an insurance platform, violated Section 631 of the California Invasion of Privacy Act (“CIPA”) by using session replay technology to track or record the plaintiff’s “communication” on its websites.[578] Notably, Section 631 does not actually mention “track” or “record”; instead, it penalizes anyone “who reads, or attempts to read, or to learn the contents” of a communication “without the consent of all parties to the communication.”[579] The Ninth Circuit not only held that a plaintiff could base a CIPA claim on session replay software, a theory several district courts had previously rejected, but also found that CIPA prohibits companies from recording communications without first informing all parties of the recording.[580] By reversing the trial court’s ruling that retroactive consent is valid, the decision can be read as creating an additional compliance obligation: website operators may now need to obtain express prior consent from California users for their use of session replay technology under CIPA.[581] The decision has opened the door to dozens of new wiretapping cases filed in California under CIPA, including ones targeting businesses’ use of “live chat” features or chatbots, artificial intelligence tools that answer customer questions directly or narrow down a customer’s issue before connecting the customer with a live customer service representative.[582]

In August 2022, the Third Circuit joined the Ninth Circuit in reversing a trial court’s dismissal of a session replay case.[583] In Popa v. Harriet Carter Gifts, Inc., the Third Circuit ruled that the transfer of consumer data from a business’s website to its service providers can constitute “interception” under Pennsylvania’s Wiretapping and Electronic Surveillance Control Act (“WESCA”).[584] Before the Pennsylvania General Assembly’s 2012 revisions to WESCA modified the definition of “intercept,”[585] Pennsylvania courts applied a “direct party” exception to WESCA, finding that a party who directly receives a communication does not “intercept” it.[586] Popa also addressed where an interception occurs in session replay cases, holding that it takes place at the point where the communication is rerouted to the third party’s servers, that is, at the plaintiff’s browser in Pennsylvania, even if the servers that receive the data are located out of state. Predictably, multiple class actions have followed on the heels of this decision, each alleging that companies violated WESCA by tracking the plaintiffs’ activities on retailers’ websites.

While the Eleventh Circuit has not ruled on any session replay cases, and most of the session replay software cases brought in federal district courts in Florida have been dismissed for failure to state a claim,[587] one Middle District of Florida court denied the defendant’s motion to dismiss, finding that the plaintiff had successfully distinguished the complaint’s allegations from previously dismissed session replay cases.[588] There, the plaintiff alleged that the live chat function on a storage company’s website, which the company recorded, violated the Florida Security of Communications Act (“FSCA”), and that the “[d]efendant’s use of session replay software during [plaintiff’s] visit to its website recorded more than just her non-substantive browsing movements.” The court found that the plaintiff “sufficiently demonstrated how her claim’s involvement of live chat communications distinguishes it from the other session replay software cases recently dismissed by courts in Florida.”[589] However, the court added that whether the FSCA applies to a website’s recording of its live chats is more appropriately addressed at the summary judgment stage.[590]

Grant of Certiorari – Section 230. Section 230 of the Communications Decency Act (“Section 230”) has long protected providers of “interactive computer service[s]” from being treated as the publisher or speaker of third-party content.[591] Historically, it has provided online platforms with broad immunity from liability when a third party, typically a user, posts unlawful content, subject to limited exceptions.

In October 2022, the U.S. Supreme Court agreed to hear two related cases that explore the scope of Section 230 in the anti-terrorism context and have the potential to redefine the broad immunity Section 230 confers.[592] In both cases, the plaintiffs argued that technology companies should be held liable for providing social media platforms used by ISIS, which carried out attacks that killed the plaintiffs’ relatives.[593] According to the plaintiffs, ISIS used those platforms to recruit members, plan attacks, issue terrorist threats, and intimidate civilian populations, often with little or no interference and sometimes with active promotion by the platforms’ algorithms.[594] A major barrier to plaintiffs’ claims was Section 230.[595]

On appeal, the Ninth Circuit decided the two cases in a single opinion but reached markedly different conclusions. In the first case, arising from a series of ISIS attacks in Paris, the Ninth Circuit found that Section 230 barred most of the plaintiffs’ claims.[596] In the second case, arising from an ISIS attack in Istanbul, the Ninth Circuit reversed the lower court’s dismissal because it determined that the plaintiffs had adequately alleged the social media companies’ awareness of their role in ISIS’s terrorism scheme, and it did not reach the implications of Section 230.[597] In the first petition for certiorari, relatives of the terrorist attack victims therefore argued that Section 230 cannot immunize interactive computer services when their algorithms make targeted recommendations of extremist content, because by making recommendations they are no longer merely “publishing” third-party content.[598] In the second petition, the platform providers countered that they were not liable for “aiding and abetting” ISIS in violation of the Antiterrorism Act simply because “their undisputed efforts to detect and prevent terrorists from using their widely available services allegedly could have been more meaningful or aggressive.”[599]

The grant of certiorari marked the first time the U.S. Supreme Court has agreed to scrutinize the scope of Section 230. Regardless of the outcome, the Court’s decision is likely to have a profound impact on Section 230 jurisprudence, especially on the questions of immunity for algorithmic recommendations and liability under the Antiterrorism Act.

The Supreme Court’s decision in those two cases may nonetheless leave open a larger question about Section 230 immunity. In two other cases, there is a circuit split over whether recommending content through an algorithm can constitute developing content,[600] and certiorari is not expected to be granted. Florida and Texas enacted similar legislation prohibiting social media platforms from taking certain moderation actions against political candidates. In May 2022, the Eleventh Circuit upheld a preliminary injunction against most of the Florida law, (1) rejecting the Attorney General’s argument that social media platforms were “common carriers” rather than “interactive computer services” and (2) finding that Florida unconstitutionally sought to proclaim platforms “common carriers” and strip them of First Amendment protections.[601] By contrast, the Fifth Circuit upheld the analogous Texas law in September 2022, holding that (1) platforms were common carriers because algorithmic recommendations did not constitute “editorial discretion” as required under Section 230 and (2) the Texas law did not violate the First Amendment because there was no “intimate connection” between user content and moderation by platforms that “exercise virtually no editorial control or judgment.”[602]

Cryptocurrency – Investigation and Litigation following Cyberattacks. One day after it filed for bankruptcy in November, a cryptocurrency exchange platform stated that “unauthorized access” to a large amount of assets it managed had occurred.[603] The DOJ has reportedly launched a criminal investigation into the stolen assets worth more than $370 billion, an investigation that is separate from the fraud charges brought against the co-founder of the cryptocurrency company.[604] This incident highlights the importance of guarding against and properly responding to cyberattacks for the cryptocurrency industry.

IV. Trends Related To Data Innovations and Governmental Data Collection

This decade continued with further advancements in the AI space and Metaverse, with the concepts of augmented reality (“AR”) and virtual reality (“VR”) garnering commercial and public attention. In the digital assets space, drastic crypto-asset fluctuations, alleged misleading representations, and account takeovers also drew regulatory concerns and legal uncertainties. And as companies and data transfers expand globally, entities on both sides of the Atlantic are eagerly anticipating a replacement for the EU/US Privacy Shield, which was invalidated in 2020 by Schrems II. Accordingly, this section on New Trends and Data Innovations discusses privacy implications of developments with the Metaverse, key regulatory developments in the AI space, proposed policy approaches for digital assets, as well as cross-border collaboration efforts regarding personal data transfers.

Developments in the Metaverse—Privacy Law Implications

The Metaverse is a virtual environment that serves as an interface for immersive interactions amongst its users and visitors through AR, VR, and avatars. The processing of data across the Metaverse is quite extensive and often involves personal data, which, coupled with the novelty of the ecosystem, raises unique privacy concerns.

At the outset, a key feature of the Metaverse is interoperability, as it aims to provide users with a seamless experience, allowing digital identities to transport themselves amongst different environments, even if the environments are hosted by different platforms.[605] In the absence of a global privacy framework, one threshold matter is determining the jurisdiction or governing law covering a given interaction or entity in the Metaverse—for instance, whether governing law should be based on the location of the underlying user or entity, of the entity hosting the Metaverse platform, or of the property/place of the interaction within the Metaverse itself. For example, the California Privacy Rights Act protects California residents. However, the entity hosting the platform may not know the location of the underlying user, device, or entity, or have the ability to determine this without collection of additional personal data—which may conflict with current practices, raise security concerns, or jeopardize anonymity in the Metaverse. Indeed, it is unclear from a jurisdictional perspective the extent to which liability and compliance with US state and federal consumer protection laws, global privacy regimes, and other laws applicable to Metaverse interactions should be assigned, prioritized, and resolved.

As noted, the collection and use of personal data in the Metaverse to develop immersive and personalized experiences can be quite extensive. For example, for users to experience a more accurate version of their respective avatars (which are digital representations of users), Metaverse platforms may leverage a wide array of personal data to develop the avatars, from personal identifiers, characteristics and inferences, to body language, traits, facial geometry and eye movements. To the extent this data (or even the actions of one’s digital avatar) is not de-identified and can be reasonably traced back to the underlying user, it would constitute personal data subject to various privacy regimes. Further, data elements such as facial geometry likely constitute biometric data, which is generally considered to be sensitive personal data and raises additional privacy requirements. For example, the Illinois Biometric Information Privacy Act (which was discussed in detail in Section III.D.2) requires, inter alia, companies to provide notice and obtain consent from users prior to the collection of their biometric data. As entities continue to collect more data in the Metaverse from users across the world, it may prove difficult to surface, track, and monitor these prominent notices, implement the appropriate consent mechanisms and archive responses, and determine the proper purposes, legal bases, and levels of protection applicable for certain categories of personal data across regions.

The Metaverse is also not immune from cybersecurity concerns involving the unauthorized access or acquisition of one’s personally identifiable information—which may prove difficult to track in the Metaverse given the increasing sophistication of the threat landscape, absence of centralized regulatory oversight in the ecosystem, and a general lack of understanding as to how virtual environments process, store, and protect personal data.

Separately, the issue of children’s privacy—long a focus of legislators and regulators—may raise additional challenges in the Metaverse. Notably, age verification and tracking parental consent, navigating the manner and stages at which notice and parental consent may be required for children in the Metaverse (e.g., prior to purchases, certain interactions, or data collections), implementing heightened privacy controls, and determining whether and how to impose parental locks on Metaverse content or environments, are all important considerations for companies when developing Metaverse offerings. These challenges are exacerbated by the jurisdictional issues outlined above and the passage of new children’s privacy laws such as the California Age-Appropriate Design Code Act (which was discussed in detail in Section II.A.1.b.i).

AI Developments. Over the past year there have been numerous developments in the AI space that have far-reaching implications across industries and jurisdictions, in addition to increasing enforcement by the FTC and CFPB. Additional background is available in our Artificial Intelligence and Automated Systems 2022 Legal Review.

New York City’s Automated Employment Decision Tools Law. New York City enacted its Automated Employment Decision Tools (“AEDT”) law, which will be enforced starting April 15, 2023. The law—which is similar to those enacted at the state level by Illinois and Maryland—regulates AI-driven tools in connection with employment processes, such as in hiring and promotion processes.[606] In particular, the law requires employers and employment agencies in New York City to comply with various requirements when using AEDT in their hiring and promotion processes. AEDT is broadly defined as “any computational process, derived from machine learning, statistical modeling, data analytics, or artificial intelligence, that is used to substantially assist or replace discretionary decision making for making employment decisions that impact natural persons.”[607] Under proposed guidance, employers will be required to complete an independent bias audit of the tool, provide a publicly available summary regarding the audit and distribution date of the tool, give notice to New York City-resident job candidates and employees that the tool has been used, and make available information about the source and type of data collected by the tool and employer’s data retention policy (with certain limitations).[608] Employers should consider these requirements, assess whether any AEDTs are in use by business and HR teams, review their practices regarding automated tools and data retention, and work internally and with third-party vendors to ensure compliance.

White House Office of Science and Technology Policy Published the Blueprint for an AI Bill of Rights: Making Automated Systems Work for the American People. The White House’s Office of Science and Technology Policy issued its Blueprint for an AI Bill of Rights, signaling increased interest in AI issues and AI-related guidance and principles.[609] The Bill of Rights focuses on equitable access to the use of AI systems and on best practices that encourage transparency and trust in automated systems and decisions. In particular, the proposed Bill of Rights focuses on five principles considered central to safeguarding the public: (1) the development of safe and effective systems that require extensive testing prior to deployment; (2) implementation of algorithmic discrimination protections such that the public does not face discrimination based on any type of legally protected classification; (3) built-in protections for data collection allowing users to control how their personal data is used; (4) notice requirements that sufficiently let users know when AI is in use; and (5) the option for users to reject the use of AI and choose a human alternative where this is possible.[610]

While this Blueprint does not have legal force without Congressional legislation or agency-led rulemaking, it outlines a priority for the Biden Administration where we can expect further developments. Accordingly, companies may consider reviewing their AI practices and implementing regular auditing to ensure that their existing systems align with these principles.

Digital Assets. As the digital assets industry grows, so do concerns over protecting the participants, their assets, and the overall security of the ecosystem. Account takeover attacks have proliferated in recent times, rising 131% in the first half of 2022 when compared to the same period in 2021.[611] Digital assets have become a critical part of the financial infrastructure as they get further integrated into global payment systems. On March 9, 2022, President Biden issued an executive order entitled “Ensuring Responsible Development of Digital Assets” outlining the administration’s general views towards regulatory treatment of digital assets.[612] While the order does not contain a specific regulatory proposal, it helps clarify that the U.S. has endorsed development of the digital assets ecosystem, especially given nations’ divergent approaches to the issue. Below are key highlights from the executive order:

  • The executive order has identified a number of risk areas involving digital assets that may implicate multiple participants in the digital assets ecosystem, including exchanges, intermediaries, and companies that accept digital assets as a payment mechanism. Some of the risk areas highlighted are privacy, cybersecurity, systemic risk, illicit finance, sanctions evasion and climate.
  • In terms of further action, the executive order calls for multiple government agencies, including the Treasury, the Attorney General, and the Director of the Office of Science and Technology Policy, to further research and submit reports to the President for consideration.
  • Importantly, the executive order also outlines the policy approach towards development of a central bank digital currency (“CBDC”). The order endorses CBDC as having the potential to support low-cost transactions, particularly for cross-border transfers, and emphasizes ensuring interoperability with other central bank digital currencies issued by other monetary authorities.
  • Notably absent from the executive order is any discussion on tax information reporting provisions under the existing HR 3684, the Infrastructure Investment and Jobs Act, that mandates reporting obligations with respect to cryptocurrencies.

Further to the executive order, on September 16, 2022, the White House announced that nine reports, including those authored by the Treasury, Department of Commerce, Department of Justice, and the Office of Science and Technology Policy, were submitted to the President.[613][614] As announced in the press release, the reports recommended that agencies support private-sector research in this arena, while also suggesting risk-mitigating measures such as tightened law enforcement and creation of cryptocurrency mining standards. The Biden-Harris administration accordingly announced that: (i) the federal agencies themselves would encourage adoption of instant payment systems, (ii) the administration would consider recommendations for a framework to cover non-banking payment providers, (iii) regulators such as the FTC and the SEC would aggressively undertake monitoring and/or enforcement, (iv) Treasury and regulators would collaborate with private U.S. firms on sharing of best practices, and (v) agencies would be encouraged to issue rules for risk mitigation in the digital asset space.

The press release also announced that the President would evaluate whether legislative action should be proposed to amend the Bank Secrecy Act and other laws prohibiting unlicensed money transfers, in order to expressly cover digital asset service providers and/or to increase penalties.[615]

The Department of Justice also made public its September 16, 2022 report discussing the ways in which digital asset technologies are exploited, and emphasizing the launch of the Digital Asset Coordinators Network, a network comprised of 150 federal prosecutors tasked with providing specialist expertise on digital asset crimes.[616] The Treasury’s Financial Stability Oversight Council likewise released its report on October 3, 2022, recommending enactment of legislation designed to enable federal financial regulators to regulate the spot market for crypto-assets that are not securities; extend supervision to affiliates of crypto-asset entities; and study vertical integration by crypto-companies, amongst other measures.[617]

In summary, the March 2022 executive order has set in motion actions from multiple agencies, thereby paving the way for future regulatory and enforcement actions, as well as influencing the development of the digital assets industry. On January 3, 2023, the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, and the Office of the Comptroller of the Currency released a joint statement assessing crypto-assets issued or stored on public or decentralized networks to be risky activities, and indicated their intent to carefully supervise banking organizations’ proposals to engage in such activities.[618] On January 12, 2023, the House Financial Services Committee announced the formation of a subcommittee on Digital Assets, Financial Technology and Inclusion, with the aim of laying down the rules of the road amongst the federal regulators, identifying best practices, and fostering inclusion with respect to the digital asset ecosystem.[619]

New District Court Decision Provides Useful Guidance on Application of Trademark Law to NFTs: Executive actions and potential legislative intervention are one part of the equation that would shape the regulation of, and accordingly influence the development of, the digital assets industry, especially on a macro level. Judicial resolution of disputes involving different types of digital assets forms the other part of the equation and would serve to provide specific guidance on application of regulations to the digital assets industry. For example, in Hermès International, et al. v. Mason Rothschild,[620] District Judge Jed S. Rakoff of the Southern District of New York denied a motion to dismiss a trademark infringement dispute involving non-fungible tokens (“NFTs”). An artist had created NFTs called “MetaBirkins.” The NFT was a digital image of a large design house’s handbag depicted as if made of fur. The design house sued, but the artist argued that the NFT was protected expression under Rogers v. Grimaldi,[621] which had held that the use of a famous trademark for artistic work is not infringement if the name is “minimally artistically relevant” to the product, and does not “explicitly mislead” as to content, authorship, sponsorship, or endorsement.

Judge Rakoff declined to rule at the motion to dismiss stage whether the MetaBirkin label qualified as minimally artistically relevant, as the Rogers case requires to protect a defendant.[622] The court acknowledged that the threshold for artistic relevance under the Rogers case is “low,” but also observed that the design house had alleged the artist did not intend artistic expression because he had told the press about his efforts to “create that same kind of illusion that [the design house’s bag] has in real life as a digital commodity.”[623]

And regardless of whether the MetaBirkin label qualified as artistically relevant, Judge Rakoff held that the design house had adequately alleged that the MetaBirkin label was explicitly misleading, which was sufficient to state a claim that the Rogers test does not protect the individual’s conduct. Accordingly, the court denied the motion to dismiss.[624] Judge Rakoff later denied the parties’ motions for summary judgment, and the case is set for trial.[625]

Government Data Collection.

New EU/U.S. Data Privacy Framework—Executive Order and Next Steps. On October 7, 2022, President Biden issued an executive order listing steps to implement the U.S.’s commitments under the EU-US data privacy framework.[626] The order was issued in response to the Court of Justice of the European Union’s invalidation of the EU/US Privacy Shield, which created significant legal uncertainty for companies transferring personal data between the US and the EU. In particular, the executive order:

  • Directs that the U.S.’s intelligence activities be conducted with privacy and civil liberties safeguards—including for a legitimate purpose and proportionately to such purpose—and requires oversight of the process.
  • Calls on intelligence organizations to update their policies and procedures, and seeks to create a two-tiered mechanism for redress of complaints from qualifying EU individuals on collection of personal information in contravention of applicable U.S. law.[627]
  • Directs the U.S. Attorney General to issue regulations for creation of a Data Protection Review Court (“DPRC”), which would function as the second level of review in the two-tiered mechanism discussed above. Accordingly, on October 7, 2022, regulations were issued for the DPRC.[628]

The executive order and the regulation from the Attorney General triggered further actions from the EU side, in terms of proposing an adequacy decision, subject to the European Parliament’s scrutiny.[629] Under Article 45 of Regulation (EU) 2016/679, a transfer of personal data from the EU to another country is permitted without specific authorization after the European Commission has determined that such country affords an “adequate” level of data protection.[630] On December 13, 2022, the European Commission issued a draft adequacy decision, noting that the U.S.’ new framework, once adopted, would provide comparable privacy safeguards.[631] It is to be noted that the December 13, 2022 decision is still a draft; it has to be adopted by a committee comprising EU states’ representatives and is subject to the European Parliament’s scrutiny. Once adopted, the updated privacy framework would enable transfer of personal data without specific authorizations to participating U.S. companies (those who join the privacy framework and commit to privacy obligations such as deletion of personal data after completion of the purpose and extension of protection despite third-party sharing).[632]

CLOUD Act Updates. The Clarifying Lawful Overseas Use of Data Act (“CLOUD Act”), enacted in 2018, enables the U.S. to enter into executive agreements with other countries that fulfil criteria such as the availability of “substantive and procedural protections for privacy and civil liberties” under the foreign government’s law and procedural safeguards to minimize the acquisition of U.S. persons’ data.[633] As noted by the Department of Justice, a CLOUD Act agreement can be utilized to remove restrictions under each country’s domestic laws when a qualifying data request is issued by the counterparty to the agreement.[634]

Recently, in October 2022, the U.S. and UK entered into a Data Access Agreement pursuant to the CLOUD Act, the first of its kind.[635] Under the agreement, both the U.S. and the U.K. are to ensure that their domestic laws permit service providers to comply with orders for data production issued by the other country.[636] However, the agreement sets out certain requirements before orders issued by either party can seek the benefit of the agreement, including that orders must be for the investigation or prosecution of “serious crimes” and must not intentionally target persons in the other country.[637] The U.S. and UK have each selected designated authorities to implement the access agreement. For the U.S., that agency is the DOJ’s Office of International Affairs; for the UK, it is the Investigatory Powers Unit of the UK Home Office.[638]

The U.S. has also announced negotiations of an agreement under the CLOUD Act with Canada,[639] which, once adopted, could provide an expedited path for data requests that bypasses the existing mutual legal assistance process. The U.S. had also signed a data access agreement in December 2021 with Australia,[640] under which each nation has undertaken to ensure that its domestic laws permit service providers to comply with data request orders issued in accordance with the agreement.

V. Conclusion

As in recent years, data privacy and cybersecurity law and policy have evolved substantially over the course of 2022 in an effort to keep up with the unrelenting pace of technological developments and applications. Further, challenges to privacy and cybersecurity arose from global events such as the ongoing COVID-19 pandemic and the launch of Russia’s invasion of Ukraine. As a similar, rapid rate of change is expected to continue over the year ahead, 2023 will undoubtedly bring novel and more sophisticated developments in law and technology as various stakeholders—companies, governments, and the general public—react to unpredictable challenges and opportunities. In particular, we will see continued aggressive regulatory actions in numerous areas. We will continue tracking these important issues in the year ahead.

Appendix A

Comprehensive State Privacy Laws – Comparison Chart

The chart compares six laws: the California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA), the Virginia Consumer Data Protection Act (VCDPA), the Colorado Privacy Act (CPA), the Connecticut Data Privacy Act (CTDPA), and the Utah Consumer Privacy Act (UCPA).

Effective Date

  • CCPA: Jan. 1, 2020
  • CPRA: Jan. 1, 2023
  • VCDPA: Jan. 1, 2023
  • CPA: July 1, 2023
  • CTDPA: July 1, 2023
  • UCPA: Dec. 31, 2023

Applicability Thresholds

  • CCPA: For-profit businesses that do business in California and: (1) have a gross annual revenue of over $25 million; (2) buy, receive, or sell the personal information of 50,000 or more California residents, households, or devices; or (3) derive 50% or more of their annual revenue from selling California residents’ personal information.
  • CPRA: For-profit businesses that do business in California and: (1) have a gross annual revenue of over $25 million in the preceding calendar year; (2) buy, sell, or share the personal information of 100,000 or more California residents or households; or (3) derive 50% or more of their annual revenue from selling or sharing California residents’ personal information.
  • VCDPA: Persons that conduct business in Virginia or produce products or services that are targeted to residents of Virginia and that annually control or process personal data of at least: (1) 100,000 Virginia residents; or (2) 25,000 Virginia residents and derive over 50% of gross revenue from the sale of personal data.
  • CPA: Any legal entity that conducts business in Colorado or produces or delivers commercial products or services intentionally targeted to residents of Colorado and annually controls or processes personal data of: (1) 100,000 or more Colorado residents; or (2) 25,000 or more Colorado residents and derives revenue or receives discounts from selling personal data.
  • CTDPA: Persons that conduct business in Connecticut or produce products or services that are targeted to residents of Connecticut, and that during the preceding calendar year control or process the personal data of: (1) 100,000 or more Connecticut residents, excluding residents whose personal data is controlled or processed solely for the purpose of completing a payment transaction; or (2) 25,000 or more Connecticut residents, where the business derives more than 25% of its gross revenue from the sale of personal data.
  • UCPA: Any person that conducts business in Utah or produces a product or service that is targeted to residents of Utah, has annual revenue of $25,000,000 or more, and annually controls or processes personal data of: (1) 100,000 or more Utah residents; or (2) 25,000 or more Utah residents and derives over 50% of gross revenue from the sale of personal data.

Exemptions

The chart indicates, for each law, whether it provides an exemption for B2B data, an exemption for employee data, and an exemption for non-profits.

Penalties

  • CCPA: $2,500 per violation; $7,500 per intentional violation
  • CPRA: $2,500 per violation; $7,500 per intentional violation or violation involving a minor’s protected information
  • VCDPA: $7,500 per violation plus “reasonable expenses incurred in investigating and preparing the case, including attorney fees”
  • CPA: $20,000 per violation
  • CTDPA: $5,000 per violation for willful offenses
  • UCPA: $7,500 per violation or actual damages

Private Right of Action

The chart indicates, for each law, whether it provides a private right of action.

Cure Period

  • CCPA: 30 days
  • CPRA: Discretionary
  • VCDPA: 30 days
  • CPA: 60 days until Jan. 1, 2025
  • CTDPA: 60 days until Dec. 31, 2024
  • UCPA: 30 days

Consumer Rights

The chart compares the six laws on the following rights:

  • Right to Access
  • Right to Data Portability
  • Right to Delete
  • Right to Correct
  • Right to Opt Out of Sale
  • Right to Opt Out of Sharing for Targeted Advertising (CPRA: ✔*, for cross-context behavioral advertising; VCDPA, CPA, CTDPA, and UCPA: Implied)
  • Right to Opt Out of Processing for Targeted Advertising
  • Right to Opt Out of Processing for Profiling
  • Right to Opt In or Out of Processing of Sensitive Information (CPRA: Opt Out; VCDPA, CPA, and CTDPA: Opt In; UCPA: Opt Out)
  • Right to Non-discrimination

Businesses’ Obligations

The chart compares the six laws on the following obligations:

  • Respond to Opt-Out Signal Preferences (CPA: by July 1, 2024; CTDPA: by Jan. 1, 2025)
  • Data Minimization
  • Purpose Limitation (marked ✔* “Purpose Specification” for two of the laws)
  • Implement Technical Safeguards
  • Conduct Data Protection Assessments When Processing Poses a Heightened Risk
  • Enter into Data Processing Agreements with Processors (marked ❌* for one of the laws: “Required to qualify as a ‘service provider’ relationship”)
  • Respond to Consumer Requests
  • Establish Internal Appeals Process for Consumer Requests

__________________________
[1] New Jersey Disclosure and Accountability Transparency Act (“NJ DaTA”), A.B. 505, 2022-23 Sess. §§ (3)(a)(1), (4)(a) (N.J. 2022).

[2] See, e.g., Insights on New California Privacy Law Draft Regulations, Gibson Dunn (June 15, 2022), available at https://www.gibsondunn.com/insights-on-new-california-privacy-law-draft-regulations/; U.S. Cybersecurity and Data Privacy Outlook and Review – 2021, § (I)(C)(1)(i)(b), Gibson Dunn (Jan. 28, 2021), available at https://www.gibsondunn.com/us-cybersecurity-and-data-privacy-outlook-and-review-2021/; The Potential Impact of the Upcoming Voter Initiative, the California Privacy Rights Act, Gibson Dunn (Sept. 29, 2020), available at https://www.gibsondunn.com/potential-impact-of-the-upcoming-voter-initiative-the-california-privacy-rights-act/; As California Consumer Privacy Act Enforcement Commences, a Tougher New Data Privacy Law Will Go Before California Votes in November, Gibson Dunn (July 1, 2020), available at https://www.gibsondunn.com/as-california-consumer-privacy-act-enforcement-commences-a-tougher-new-data-privacy-law-will-go-before-california-voters-in-november/.

[3] Cal. Civ. Code § 1798.140(c)(1).

[4] Cal. Civ. Code § 1798.110.

[5] Cal. Civ. Code § 1798.100(d).

[6] Cal. Civ. Code § 1798.105.

[7] Cal. Civ. Code § 1798.120.

[8] Cal. Civ. Code § 1798.125(a)(1).

[9] Compare Cal. Civ. Code § 1798.140(c)(1)(B) [prior CCPA text], with Cal. Civ. Code § 1798.140(d)(1)(B) [as modified by CPRA].

[10] Compare Cal. Civ. Code § 1798.140(c)(1)(C) [prior CCPA text], with Cal. Civ. Code § 1798.140(d)(1)(C) [as modified by CPRA].

[11] Cal. Civ. Code § 1798.199.45(a).

[12] Cal. Civ. Code § 1798.199.45(a).

[13] Cal. Civ. Code §§ 1798.155(a), 1798.199.10(a), 1798.199.40(a).

[14] Cal. Civ. Code § 1798.199.90(a).

[15] Cal. Civ. Code §§ 1798.155(a), 1798.199.90(a).

[16] Cal. Civ. Code § 1798.199.10(a).

[17] Cal. Priv. Prot. Agency, News & Announcements, CPPA Releases Notice of Proposed Regulatory Action Implementing New Consumer Privacy Law (July 8, 2022) available at https://cppa.ca.gov/announcements/.

[18] California Privacy Protection Agency, California Consumer Privacy Act Regulations, available at https://cppa.ca.gov/regulations/consumer_privacy_act.html.

[19] Draft Regulations § 7025(c)(1).

[20] Draft Regulations § 7025(c)(4).

[21] Draft Regulations § 7004(c).

[22] Draft Regulations § 7302(b).

[23] Virginia Consumer Data Protection Act (“VCDPA”), S.B. 1392, 2021 Sess. (Va. 2021) (to be codified in Va. Code tit. 59.1 §§ 59.1-571 to 581).

[24] VCDPA, §§ 59.1-572(A)-(B).

[25] VCDPA, § 59.1-571.

[26] VCDPA, §§ 59.1-573(A)(1)-(5), 59.1-571.

[27] VCDPA, § 59.1-573(A)(5).

[28] VCDPA, § 59.1-573(A)(5).

[29] VCDPA, §§ 59.1-571, 59.1-574(A)(5).

[30] VCDPA, § 59.1-573(C).

[31] VCDPA, § 59.1-573(C).

[32] VCDPA, § 59.1-573(C).

[33] VCDPA, §§ 59.1-575(B), 59.1-576(A)-(B).

[34] H 381, 2022 Gen. Assemb., Reg. Sess. (Va. 2022).

[35] S 534, 2022 Gen. Assemb., Reg. Sess. (Va. 2022).

[36] VCDPA, §§ 59.1-579(A)-(B), 59.1-580(A).

[37] VCDPA, §§ 59.1-580(B)-(C).

[38] VCDPA, § 59.1-579(C).

[39] Colorado Privacy Act (“CPA”), S.B. 21-190, 73rd Gen. Assemb., Reg. Sess. (Colo. 2021) (to be codified in Colo. Rev. Stat. Title 6).

[40] CPA, § 6-1-1304(I).

[41] CPA, §§ 6-1-1302(c)(II)(A), 6-1-1306(1)(b)-(e).

[42] CPA, § 6-1-1306(1)(a).

[43] CPA, § 6-1-1303(23)(a) (emphasis added).

[44] CPA, § 6-1-1303(23)(b).

[45] CPA, § 6-1-1306(1)(a)(II).

[46] CPA, § 6-1-1306(1)(a)(IV)(B).

[47] CPA, § 6-1-1308(7).

[48] CPA, § 6-1-1303(24).

[49] CPA, § 6-1-1306(3)(a).

[50] See generally CPA, §§ 6-1-1305(2)(b), 6-1-1308(3).

[51] CPA, §§ 6-1-1309(1), (3).

[52] CPA, § 6-1-1305(3)-(5).

[53] Colo. Dep’t of Law, Proposed Colorado Privacy Act Rules, to be codified at 4 Colo. Code Regs. § 904-3, available at https://coag.gov/app/uploads/2022/12/CPA_Version-2-Proposed-Draft-Regulations-12.21.2022.pdf.

[54] CPA, §§ 6-1-1311(1)(a), (d).

[55] CPA, § 6-1-1311(1)(c); see also Colo. Rev. Stat. § 6-1-112(1)(a).

[56] Connecticut Data Privacy Act (“CTDPA”), S.B. 6, 2022, Gen. Assemb., Reg. Sess. (Conn. 2022).

[57] CTDPA, § 2.

[58] CTDPA, § 1(7).

[59] CTDPA, §§ 4(a)(1)-(4).

[60] CTDPA, § 4(a)(5).

[61] CTDPA, § 1(26).

[62] CTDPA, § 6(e)(1)(A)(ii).

[63] CTDPA, § 6(a)(6).

[64] CTDPA, §§ 6(a)(1)-(3), 7(b), 8.

[65] CTDPA, § 4(d).

[66] CTDPA, § 11(a).

[67] CTDPA, §§ 11(b)-(c).

[68] CTDPA, § 11(e).

[69] Conn. Gen. Stat. § 42-110o.

[70] UCPA, § 13-61-101(10)(b).

[71] Cal. Civ. Code § 1798.145(h)(3).

[72] VCDPA, § 59.1-573(B)(3).

[73] CPA, § 6-1-1306(2)(c).

[74] UCPA, §§ 13-61-203(4)(b)(i)(B)-(C).

[75] UCPA, §§ 13-61-305, 13-61-401, 13-61-402(1)-(2), 13-61-402(3)(a)-(c).

[76] UCPA, § 13-61-402(3)(d).

[77] Cal. Civ. Code § 1798.140(ah), available at https://www.caprivacy.org/cpra-text/.

[78] Cal. Civ. Code § 1798.140(k), available at https://www.caprivacy.org/cpra-text/.

[79] “Targeted Advertising” is defined similarly under each state privacy law. See § (25)(a), Colorado Privacy Act, available at https://leg.colorado.gov/sites/default/files/2021a_190_signed.pdf. See also § 59.1-571, Virginia Consumer Data Protection Act, available at https://law.lis.virginia.gov/vacodefull/title59.1/chapter53/. See also § 34(a), 13-61-101, Utah Consumer Privacy Act, available at https://le.utah.gov/~2022/bills/static/SB0227.html. See also § 1(28), Connecticut SB6, available at https://www.cga.ct.gov/2022/ACT/PA/PDF/2022PA-00015-R00SB-00006-PA.PDF.

[80] See CPRA Draft Regulations § 7025(a), available at https://cppa.ca.gov/meetings/materials/20221021_22_item3_modtext.pdf; see also § 6-1-1306 (1)(a)(IV)(A), Colorado Privacy Act. See also § 6 (e)(B), Connecticut SB6.

[81] Cal. Civ. Code §§ 1798.99.28-.40.

[82] Cal. Civ. Code § 1798.99.30(b)(4).

[83] Cal. Civ. Code § 1798.99.31(a)(6).

[84] Cal. Civ. Code § 1798.99.31(a)(7).

[85] Cal. Civ. Code §§ 1798.99.31(b)(2)-(3).

[86] Cal. Civ. Code §§ 1798.99.31(b)(1), (4).

[87] Cal. Civ. Code § 1798.99.31(b)(7).

[88] Cal. Civ. Code § 1798.99.31(a)(1)(A).

[89] Cal. Civ. Code § 1798.99.31(a)(2).

[90] Cal. Civ. Code § 1798.99.35.

[91] Cal. Civ. Code § 1798.99.35(d).

[92] A.B. No. 2089, 2021-22 Leg. Sess. (Cal. 2022) (to be codified at Cal. Civ. Code §§ 56.05, 56.06, 56.251).

[93] Id.

[94] Id.

[95] Id.

[96] N.Y. Dep’t Fin. Servs., Proposed Second Amendment to 23 NYCRR 500 (Nov. 9, 2022), available at https://www.dfs.ny.gov/system/files/documents/2022/10/rp23a2_text_20221109_0.pdf.

[97] Press Release, N.Y. Dep’t Fin. Servs., DFS Superintendent Adrienne A. Harris Issues New Guidance To Prevent and Manage Suspicious Activities in the Virtual Currency Industry: New York State-Regulated Virtual Currency Entities Encouraged To Adopt Blockchain Analytics Tools as a Best Practice (Apr. 28, 2022), available at https://www.dfs.ny.gov/reports_and_publications/press_releases/pr202204281.

[98] Actions – H.R. 8152 – 117th Congress (2021-2022): American Data Privacy and Protection Act, H.R. 8152, 117th Cong. (2022), http://www.congress.gov/.

[99] American Data Privacy and Protection Act (“ADPPA”), H.R. 8152, 117th Cong. § 2(9)(A) (2022).

[100] Id. at §§ 101(a), 102(a).

[101] Id. at § 101(a).

[102] Id. at § 102(a).

[103] Id. at § 103(a).

[104] Id. at § 2(2).

[105] Id. at § 207(a)(1).

[106] Id. at § 207(c)(1).

[107] Id. at § 207(c)(3)(C).

[108] Id. at §§ 401, 207(c)(5).

[109] Id. at § 401(a)-(b).

[110] Id. at § 401(a)(1).

[111] Id. at § 402(a).

[112] Id. at § 403(a).

[113] Id. at § 403(a)(3)(A).

[114] Id. at § 404(b)(1).

[115] Id. at § 404(b)(2)(L).

[116] Letter from Rob Bonta, California Attorney General, et al., to Congress (July 19, 2022), available at https://oag.ca.gov/system/files/attachments/press-docs/Letter%20to%20Congress%20re%20Federal%20Privacy.pdf.

[117] Letter from Ashkan Soltani, Executive Director of the California Privacy Protection Agency, to Nancy Pelosi, Speaker of the United States House of Representatives, and Kevin McCarthy, Minority Leader of the United States House of Representatives, H.R. 8152, The American Data Privacy and Protection Act – Oppose (Aug 15, 2022), available at https://cppa.ca.gov/pdf/hr8152_oppose.pdf.

[118] Press Release, Congresswoman Nancy Pelosi, Pelosi Statement on Federal Data Privacy Legislation (Sep. 1, 2022), available at https://pelosi.house.gov/news/press-releases/pelosi-statement-on-federal-data-privacy-legislation.

[119] Cristiano Lima, Top Senate Democrat Casts Doubt on Prospect of Major Data Privacy Bill, Wash. Post (June 22, 2022, 5:53 PM), available at https://www.washingtonpost.com/technology/2022/06/22/privacy-bill-maria-cantwell-congress/.

[120] Rebecca Kern, Bipartisan draft bill breaks stalemate on federal data privacy negotiations, Politico (June 3, 2022, 1:17 PM), available at https://www.politico.com/news/2022/06/03/bipartisan-draft-bill-breaks-stalemate-on-federal-privacy-bill-negotiations-00037092.

[121] See Press Release, Federal Trade Commission, FTC Chair Lina M. Khan Announces New Appointments in Agency Leadership Positions (Nov. 19, 2021), available at https://www.ftc.gov/news-events/news/press-releases/2021/11/ftc-chair-lina-m-khan-announces-new-appointments-agency-leadership-positions; Press Release, Federal Trade Commission, Federal Trade Commission Chair Lina M. Khan Appoints New Chief Technology Officer and Public Affairs Director (Oct. 3, 2022), available at https://www.ftc.gov/news-events/news/press-releases/2022/10/federal-trade-commission-chair-lina-m-khan-appoints-new-chief-technology-officer-public-affairs.

[122] See, e.g., Andrew Smith, Using Artificial Intelligence and Algorithms, Federal Trade Commission (Apr. 8, 2020), available at https://www.ftc.gov/business-guidance/blog/2020/04/using-artificial-intelligence-and-algorithms; Report, Big Data: A tool for inclusion or exclusion?, Federal Trade Commission (Jan. 2016), available at https://www.ftc.gov/system/files/documents/reports/big-data-tool-inclusion-or-exclusion-understanding-issues/160106big-data-rpt.pdf.

[123] Elisa Jillson, Aiming for Truth, Fairness, and Equity in Your Company’s Use of AI, Federal Trade Commission (Apr. 19, 2021), available at https://www.ftc.gov/news-events/blogs/business-blog/2021/04/aiming-truth-fairness-equity-your-companys-use-ai.

[124] Id.

[125] Id.

[126] Id.

[127] Report to Congress, Federal Trade Commission, Combatting Online Harms Through Innovation (June 16, 2022), available at https://www.ftc.gov/system/files/ftc_gov/pdf/Combatting%20Online%20Harms%20Through%20Innovation%3B%20Federal%20Trade%20Commission%20Report%20to%20Congress.pdf.

[128] Press Release, Federal Trade Commission, FTC Report Warns About Using Artificial Intelligence to Combat Online Problems (June 16, 2022), available at https://www.ftc.gov/news-events/news/press-releases/2022/06/ftc-report-warns-about-using-artificial-intelligence-combat-online-problems.

[129] Id.

[130] Id.

[131] Id.

[132] Press Release, Federal Trade Commission, Federal Trade Commission Takes Action Against Passport Automotive Group for Illegally Charging Junk Fees and Discriminating Against Black and Latino Customers (Oct. 18, 2022), available at https://www.ftc.gov/news-events/news/press-releases/2022/10/federal-trade-commission-takes-action-against-passport-automotive-group-illegally-charging-junk-fees.

[133] Press Release, Federal Trade Commission, FTC Finalizes Settlement with Photo App Developer Related to Misuse of Facial Recognition Technology (May 7, 2021), available at https://www.ftc.gov/news-events/news/press-releases/2021/05/ftc-finalizes-settlement-photo-app-developer-related-misuse-facial-recognition-technology.

[134] Lina M. Khan, Chair, Federal Trade Commission, Remarks of Chair Lina M. Khan As Prepared for Delivery IAPP Global Privacy Summit 2022 (Apr. 11, 2022), available at https://www.ftc.gov/system/files/ftc_gov/pdf/Remarks%20of%20Chair%20Lina%20M.%20Khan%20at%20IAPP%20Global%20Privacy%20Summit%202022%20-%20Final%20Version.pdf.

[135] Id.

[136] Id.

[137] Id.

[138] Id.

[139] Id.

[140] Id.

[141] Id.

[142] Trade Regulation Rule on Commercial Surveillance and Data Security, 87 Fed. Reg. 51273 (published Aug. 22, 2022), available at https://www.federalregister.gov/documents/2022/08/22/2022-17752/trade-regulation-rule-on-commercial-surveillance-and-data-security.

[143] Id.

[144] Id.

[145] Id.

[146] Events Announcement, Federal Trade Commission, Commercial Surveillance and Data Security Public Forum (Sept. 8, 2022), available at https://www.ftc.gov/news-events/events/2022/09/commercial-surveillance-data-security-anpr-public-forum.

[147] Id.

[148] Lina M. Khan, Chair, Federal Trade Commission, Remarks of Chair Lina M. Khan As Prepared for Delivery IAPP Global Privacy Summit 2022 (Apr. 11, 2022), available at https://www.ftc.gov/system/files/ftc_gov/pdf/Remarks%20of%20Chair%20Lina%20M.%20Khan%20at%20IAPP%20Global%20Privacy%20Summit%202022%20-%20Final%20Version.pdf.

[149] Complaint, U.S. v. Kurbo, Inc. and WW International, Inc., FTC Docket No. 22-CV-946 (Feb. 16, 2022).

[150] Press Release, Federal Trade Commission, FTC Charges Twitter with Deceptively Using Account Security Data to Sell Targeted Ads (May 25, 2022), available at https://www.ftc.gov/news-events/news/press-releases/2022/05/ftc-charges-twitter-deceptively-using-account-security-data-sell-targeted-ads.

[151] Id.

[152] Id.

[153] Id.

[154] Richard Blumenthal et al., Letter to FTC Chair Lina Khan (Nov. 17, 2022), available at https://www.blumenthal.senate.gov/imo/media/doc/111722ftctwitterletter.pdf.

[155] Press Release, Federal Trade Commission, FTC Finalizes Action Against CafePress for Covering Up Data Breach, Lax Security (June 24, 2022), available at https://www.ftc.gov/news-events/news/press-releases/2022/06/ftc-finalizes-action-against-cafepress-covering-data-breach-lax-security-0.

[156] Press Release, Federal Trade Commission, FTC Takes Action Against Drizly and its CEO James Cory Rellas for Security Failures that Exposed Data of 2.5 Million Consumers (Oct. 24, 2022), available at https://www.ftc.gov/news-events/news/press-releases/2022/10/ftc-takes-action-against-drizly-its-ceo-james-cory-rellas-security-failures-exposed-data-25-million.

[157] Id.

[158] Id.

[159] Id.

[160] Charles Manning, Open Letter from Kochava CEO (Sep. 1, 2022), available at https://www.kochava.com/open-letter-from-kochava-ceo/.

[161] Complaint, FTC v. Kochava, Inc., FTC Docket No. 22-CV-377 (Aug. 29, 2022), available at https://www.ftc.gov/system/files/ftc_gov/pdf/1.%20Complaint.pdf.

[162] Press Release, Federal Trade Commission, FTC Sues Kochava for Selling Data that Tracks People at Reproductive Health Clinics, Places of Worship, and Other Sensitive Locations (Aug. 29, 2022), available at https://www.ftc.gov/news-events/news/press-releases/2022/08/ftc-sues-kochava-selling-data-tracks-people-reproductive-health-clinics-places-worship-other.

[163] Complaint, FTC v. Kochava, Inc., FTC Docket No. 22-CV-377, at 11 (Aug. 29, 2022), available at https://www.ftc.gov/system/files/ftc_gov/pdf/1.%20Complaint.pdf.

[164] Press Release, Federal Trade Commission, Multiple Data Breaches Suggest Ed Tech Company Chegg Didn’t Do its Homework, Alleges FTC (Oct. 31, 2022), available at https://www.ftc.gov/business-guidance/blog/2022/10/multiple-data-breaches-suggest-ed-tech-company-chegg-didnt-do-its-homework-alleges-ftc.

[165] Id.

[166] Press Release, Federal Trade Commission, FTC Brings Action Against Ed Tech Provider Chegg for Careless Security that Exposed Personal Data of Millions of Customers (Oct. 31, 2022), available at https://www.ftc.gov/news-events/news/press-releases/2022/10/ftc-brings-action-against-ed-tech-provider-chegg-careless-security-exposed-personal-data-millions.

[167] Press Release, Federal Trade Commission, Fortnite Video Game Maker Epic Games to Pay More Than Half a Billion Dollars over FTC Allegations of Privacy Violations and Unwanted Charges (Dec. 19, 2022), available at https://www.ftc.gov/news-events/news/press-releases/2022/12/fortnite-video-game-maker-epic-games-pay-more-half-billion-dollars-over-ftc-allegations.

[168] Id.

[169] Id.

[170] Id.

[171] Id.

[172] Press Release, Federal Trade Commission, FTC Extends Deadline by Six Months for Compliance with Some Changes to Financial Data Security Rule (Nov. 15, 2022), available at https://www.ftc.gov/news-events/news/press-releases/2022/11/ftc-extends-deadline-six-months-compliance-some-changes-financial-data-security-rule.

[173] Lesley Fair, FTC to Ed Tech: Protecting kid’s privacy is your responsibility, Federal Trade Commission (May 19, 2022), available at https://www.ftc.gov/business-guidance/blog/2022/05/ftc-ed-tech-protecting-kids-privacy-your-responsibility.

[174] Lesley Fair, Where in the world is…? FTC challenges stealthy geolocation tracking and COPPA violations, Federal Trade Commission (Dec. 15, 2021), available at https://www.ftc.gov/business-guidance/blog/2021/12/where-world-ftc-challenges-stealthy-geolocation-tracking-coppa-violations.

[175] Id.

[176] Press Release, Federal Trade Commission, FTC Extends Deadline for Comments on COPPA Rule until December 11 (Dec. 9, 2019), available at https://www.ftc.gov/news-events/news/press-releases/2019/12/ftc-extends-deadline-comments-coppa-rule-until-december-11.

[177] Lesley Fair, FTC to Ed Tech: Protecting kid’s privacy is your responsibility, Federal Trade Commission (May 19, 2022), available at https://www.ftc.gov/business-guidance/blog/2022/05/ftc-ed-tech-protecting-kids-privacy-your-responsibility.

[178] Id.

[179] Id.

[180] Id.

[181] Id.

[182] Id.

[183] Lina M. Khan, Chair, Federal Trade Commission, Remarks of Commission Chair Lina Khan at the FTC Open Commission Meeting (May 19, 2022), available at https://www.ftc.gov/system/files/ftc_gov/pdf/Transcript-Open-Commission-Meeting-May-19-2022.pdf.

[184] Lesley Fair, When it comes to health data, comply with COPPA—no kidding, Federal Trade Commission (Mar. 4, 2022), available at https://www.ftc.gov/business-guidance/blog/2022/03/when-it-comes-health-data-comply-coppa-no-kidding.

[185] Petition for Rulemaking of the Center for Digital Democracy, Fairplay, et al., 87 Fed. Reg. 74056 (published Dec. 2, 2022), available at https://www.federalregister.gov/documents/2022/12/02/2022-26254/petition-for-rulemaking-of-the-center-for-digital-democracy-fairplay-et-al.

[186] Trade Regulation Rule on Commercial Surveillance and Data Security, 87 Fed. Reg. 51273 (published Aug. 22, 2022), available at https://www.federalregister.gov/documents/2022/08/22/2022-17752/trade-regulation-rule-on-commercial-surveillance-and-data-security.

[187] Staff Report, FTC, Bringing Dark Patterns to Light (Sept. 15, 2022), https://www.ftc.gov/system/files/ftc_gov/pdf/P214800%20Dark%20Patterns%20Report%209.14.2022%20-%20FINAL.pdf.

[188] Id.

[189] Id. at 18.

[190] FTC v. VIZIO, Inc. and VIZIO Inscape Servs., LLC (D.N.J.); Press Release, Federal Trade Commission, Vizio to Pay $2.2 Million to FTC, State of New Jersey to Settle Charges It Collected Viewing Histories on 11 Million Smart Televisions Without Users’ Consent (Feb. 6, 2017), available at https://www.ftc.gov/news-events/press-releases/2017/02/vizio-pay-22-million-ftcstate-new-jersey-settle-charges-it.

[191] Id.

[192] Press Release, Federal Trade Commission, Fortnite Video Game Maker Epic Games to Pay More Than Half a Billion Dollars over FTC Allegations of Privacy Violations and Unwanted Charges (Dec. 19, 2022), available at https://www.ftc.gov/news-events/news/press-releases/2022/12/fortnite-video-game-maker-epic-games-pay-more-half-billion-dollars-over-ftc-allegations; Press Release, Federal Trade Commission, FTC Action Against Vonage Results in $100 Million to Customers Trapped by Illegal Dark Patterns and Junk Fees When Trying to Cancel Service (Nov. 3, 2022), available at https://www.ftc.gov/news-events/news/press-releases/2022/11/ftc-action-against-vonage-results-100-million-customers-trapped-illegal-dark-patterns-junk-fees-when-trying-cancel-service.

[193] Press Release, CFPB, CFPB Invokes Dormant Authority to Examine Nonbank Companies Posing Risks to Consumers (Apr. 25, 2022), available at https://www.consumerfinance.gov/about-us/newsroom/cfpb-invokes-dormant-authority-to-examine-nonbank-companies-posing-risks-to-consumers/.

[194] CFPB Invokes Dormant Dodd-Frank Authority to Regulate Nonbank Financial Companies, Gibson Dunn (May 5, 2022) available at https://www.gibsondunn.com/cfpb-invokes-dormant-dodd-frank-authority-to-regulate-nonbank-financial-companies/.

[195] Press Release, CFPB, CFPB Invokes Dormant Authority to Examine Nonbank Companies Posing Risks to Consumers (Apr. 25, 2022), available at https://www.consumerfinance.gov/about-us/newsroom/cfpb-invokes-dormant-authority-to-examine-nonbank-companies-posing-risks-to-consumers/.

[196] Id.

[197] Press Release, CFPB, The CFPB Finalizes Rule to Increase Transparency Regarding Key Nonbank Supervision Tool (Nov. 10, 2022), https://www.consumerfinance.gov/about-us/blog/the-cfpb-finalizes-rule-to-increase-transparency-regarding-key-nonbank-supervision-tool/.

[198] CFPB, Proposed Rule: Registry of Nonbank Covered Persons Subject to Certain Agency and Court Orders, Docket No. CFPB-2022-0080 (Dec. 12, 2022), available at https://files.consumerfinance.gov/f/documents/cfpb_proposed-rule__registry-of-nonbank-covered-persons_2022.pdf.

[199] Press Release, CFPB, Consumer Financial Protection Bureau Outlines Options to Prevent Algorithmic Bias in Home Valuations (Feb. 23, 2022), available at https://www.consumerfinance.gov/about-us/newsroom/cfpb-outlines-options-to-prevent-algorithmic-bias-in-home-valuations/.

[200] CFPB, Circular 2022-03, Adverse Action Notification Requirements in Connection with Credit Decisions Based on Complex Algorithms (2022), available at https://www.consumerfinance.gov/compliance/circulars/circular-2022-03-adverse-action-notification-requirements-in-connection-with-credit-decisions-based-on-complex-algorithms/.

[201] Id.

[202] Press Release, CFPB, CFPB Acts to Protect the Public from Black-Box Credit Models Using Complex Algorithms (May 26, 2022), available at https://www.consumerfinance.gov/about-us/newsroom/cfpb-acts-to-protect-the-public-from-black-box-credit-models-using-complex-algorithms/.

[203] Press Release, FTC, FTC Staff Provides Annual Letter to CFPB on 2021 Equal Credit Opportunity Act Activities (Feb. 23, 2022), available at https://www.ftc.gov/news-events/news/press-releases/2022/02/ftc-staff-provides-annual-letter-cfpb-2021-equal-credit-opportunity-act-activities.

[204] FTC, FTC Enforcement Activities under the ECOA and Regulation B in 2021: Report to the CFPB (Feb. 23, 2022), available at https://www.ftc.gov/system/files/ftc_gov/pdf/p154802cfpbecoareport2021.pdf.

[205] Eric Halperin & Lorelei Salas, Cracking Down on Discrimination in the Financial Sector, CFPB Blog (Mar. 16, 2022), available at https://www.consumerfinance.gov/about-us/blog/cracking-down-on-discrimination-in-the-financial-sector/.

[206] Id.

[207] Id.

[208] Press Release, CFPB, CFPB Takes Action Against Hello Digit for Lying to Consumers About Its Automated Savings Algorithm (Aug. 10, 2022), available at https://www.consumerfinance.gov/about-us/newsroom/cfpb-takes-action-against-hello-digit-for-lying-to-consumers-about-its-automated-savings-algorithm/.

[209] Press Release, CFPB, Consumer Financial Protection Bureau Outlines Options to Prevent Algorithmic Bias in Home Valuations (Feb. 23, 2022), available at https://www.consumerfinance.gov/about-us/newsroom/cfpb-outlines-options-to-prevent-algorithmic-bias-in-home-valuations/.

[210] Id.

[211] Press Release, CFPB, CFPB Acts to Protect the Public from Black-Box Credit Models Using Complex Algorithms (May 26, 2022), available at https://www.consumerfinance.gov/about-us/newsroom/cfpb-acts-to-protect-the-public-from-black-box-credit-models-using-complex-algorithms/.

[212] Id.

[213] Id.

[214] Paul Singer, Abigail Stempson & Beth Chun, Statements to the State AGs: CFPB and FTC Priorities for 2023, Kelley Drye (Dec. 9, 2022), https://www.adlawaccess.com/2022/12/articles/statements-to-the-state-ags-cfpb-and-ftc-priorities-for-2023/.

[215] Rohit Chopra, Statement Regarding the CFPB’s Inquiry into Big Tech Payment Platforms, CFPB (Oct. 21, 2021), https://www.consumerfinance.gov/about-us/newsroom/statement-regarding-the-cfpbs-inquiry-into-big-tech-payment-platforms/.

[216] Id.

[217] Press Release, CFPB, CFPB Warns that Digital Marketing Providers Must Comply with Federal Consumer Finance Protections (Aug. 10, 2022), available at https://www.consumerfinance.gov/about-us/newsroom/cfpb-warns-that-digital-marketing-providers-must-comply-with-federal-consumer-finance-protections/.

[218] Id.

[219] John McNamara, CFPB Tells Credit Card CEOs: Practice of Suppressing Payment Data Has Potential for Consumer Harm, CFPB Blog (May 25, 2022), https://www.consumerfinance.gov/about-us/blog/cfpb-tells-credit-card-ceos-practice-of-suppressing-payment-data-has-potential-for-consumer-harm/.

[220] Id.

[221] CFPB, Buy Now, Pay Later: Market Trends and Consumer Impacts (Sept. 2022), available at https://files.consumerfinance.gov/f/documents/cfpb_buy-now-pay-later-market-trends-consumer-impacts_report_2022-09.pdf.

[222] Press Release, CFPB, CFPB Study Details the Rapid Growth of “Buy Now, Pay Later” Lending (Sept. 15, 2022), available at https://www.consumerfinance.gov/about-us/newsroom/cfpb-study-details-the-rapid-growth-of-buy-now-pay-later-lending/.

[223] Id.

[224] Press Release, CFPB, CFPB Kicks Off Personal Financial Data Rights Rulemaking (Oct. 27, 2022), available at https://www.consumerfinance.gov/about-us/newsroom/cfpb-kicks-off-personal-financial-data-rights-rulemaking/.

[225] CFPB, Small Business Advisory Review Panel for Required Rulemaking on Personal Financial Data Rights (Oct. 27, 2022), available at https://files.consumerfinance.gov/f/documents/cfpb_data-rights-rulemaking-1033-SBREFA_outline_2022-10.pdf.

[226] Press Release, CFPB, CFPB Kicks Off Personal Financial Data Rights Rulemaking (Oct. 27, 2022), available at https://www.consumerfinance.gov/about-us/newsroom/cfpb-kicks-off-personal-financial-data-rights-rulemaking/.

[227] Press Release, Director Chopra’s Prepared Remarks at Money 20/20, CFPB (Oct. 25, 2022), available at https://www.consumerfinance.gov/about-us/newsroom/director-chopra-prepared-remarks-at-money-20-20/.

[228] Id.

[229] CFPB, Circular 2022-04, Insufficient Data Protection or Security for Sensitive Consumer Information (2022), available at https://www.consumerfinance.gov/compliance/circulars/circular-2022-04-insufficient-data-protection-or-security-for-sensitive-consumer-information/.

[230] Press Release, CFPB, CFPB Takes Action to Protect the Public from Shoddy Data Security Practices (Aug. 11, 2022), available at https://www.consumerfinance.gov/about-us/newsroom/cfpb-takes-action-to-protect-the-public-from-shoddy-data-security-practices/.

[231] CFPB, Complaint Bulletin: An Analysis of Consumer Complaints Related to Crypto-Assets (Nov. 2022), available at https://files.consumerfinance.gov/f/documents/cfpb_complaint-bulletin_crypto-assets_2022-11.pdf.

[232] Press Release, SEC, SEC Proposes Cybersecurity Risk Management Rules and Amendments for Registered Investment Advisers and Funds (Feb. 9, 2022), available at https://www.sec.gov/news/press-release/2022-20.

[233] Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies, and Business Development Companies, 87 Fed. Reg. 13524, 13561 (proposed Mar. 9, 2022) (to be codified at 17 C.F.R. pts. 230-279).

[234] Id.

[235] Id. at 13576.

[236] Id. at 13533, 13540.

[237] Id. at 13541.

[238] Id. at 13578-79.

[239] Hester M. Peirce, Statement by Commissioner Peirce on Proposal for Mandatory Cybersecurity Disclosures, SEC (Feb. 9, 2022), available at https://www.sec.gov/news/statement/peirce-statement-cybersecurity-risk-management-020922.

[240] Off. of Mgmt. and Budget, Off. of Info. & Reg. Affs., SEC Agency Rule List – Fall 2022, https://www.reginfo.gov/public/do/eAgendaMain?operation=OPERATION_GET_AGENCY_RULE_LIST&currentPub=true&agencyCode=&showStage=active&agencyCd=3235&csrf_token=719D9069A6A2307A419060DE1EA2B78FA7F312F3D9ECC0826CE5C087AC965D1D54A2056E2C7574CDC380C46931D210AF148D (last visited Jan. 26, 2023).

[241] Off. of Mgmt. and Budget, Off. of Info. & Reg. Affs., Cybersecurity Risk Governance (3235-AN08), https://www.reginfo.gov/public/do/eAgendaViewRule?pubId=202210&RIN=3235-AN08 (last visited Jan. 26, 2023).

[242] Press Release, SEC, SEC Proposes Rules on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure by Public Companies (Mar. 9, 2022), available at https://www.sec.gov/news/press-release/2022-39.

[243] Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, Exchange Act Release, 87 Fed. Reg. 16590, 16595 (proposed Mar. 23, 2022) (to be codified at 17 C.F.R. pts. 229-249).

[244] Id. at 16596-97.

[245] Id. at 16595.

[246] Id.

[247] Id. at 16599.

[248] Id. at 16602.

[249] Hester M. Peirce, Dissenting Statement on Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure Proposal, SEC (Mar. 9, 2022), available at https://www.sec.gov/news/statement/peirce-statement-cybersecurity-030922.

[250] Off. of Mgmt. and Budget, Off. of Info. & Reg. Affs., Cybersecurity Risk Governance (3235-AM89), https://www.reginfo.gov/public/do/eAgendaViewRule?pubId=202210&RIN=3235-AM89 (last visited Jan. 26, 2023).

[251] Gary Gensler, Chair, SEC, Remarks on Cybersecurity and Securities Laws at the Northwestern University Pritzker School of Law (Jan. 24, 2022), available at https://www.sec.gov/news/speech/gensler-cybersecurity-and-securities-laws-20220124.

[252] Id.

[253] Gary Gensler, Chair, SEC, Remarks by Chair Gensler Before the FBIIC and FSSCC (Apr. 15, 2022), available at https://corpgov.law.harvard.edu/2022/04/15/remarks-by-chair-gensler-before-the-fbiic-and-fsscc/.

[254] Id.

[255] Off. of Mgmt. and Budget, Off. of Info. & Reg. Affs., Cybersecurity (3235-AN15), https://www.reginfo.gov/public/do/eAgendaViewRule?pubId=202210&RIN=3235-AN15 (last visited Jan. 26, 2023).

[256] Press Release, SEC, SEC Nearly Doubles Size of Enforcement’s Crypto Assets and Cyber Unit (May 3, 2022), available at https://www.sec.gov/news/press-release/2022-78.

[257] Id.

[258] See, e.g., Press Release, SEC, SEC Seeks to Stop the Registration of Misleading Crypto Asset Offerings (Nov. 18, 2022), available at https://www.sec.gov/news/press-release/2022-208 (instituting administrative proceeding against American CryptoFed DAO LLC “to determine whether a stop order should be issued to suspend the registration of the offer and sale of two crypto assets, the Ducat token and the Locke token”); Press Release, SEC, SEC Charges Creator of Global Crypto Ponzi Scheme and Three US Promoters in Connection with $295 Million Fraud (Nov. 4, 2022), available at https://www.sec.gov/news/press-release/2022-201 (filing charges against defendants allegedly involved in “fraudulent crypto Ponzi scheme” under antifraud, securities registration, and broker-dealer registration provisions of the securities laws); Press Release, SEC, SEC Charges The Hydrogen Technology Corp. and its Former CEO for Market Manipulation of Crypto Asset Securities (Sept. 28, 2022), available at https://www.sec.gov/news/press-release/2022-175 (announcing charges against individuals and entity “for their roles in effectuating the unregistered offers and sales of crypto asset securities”); Press Release, SEC, Sparkster to Pay $35 Million to Harmed Investor Fund for Unregistered Crypto Asset Offering (Sept. 19, 2022), available at https://www.sec.gov/news/press-release/2022-167 (issuing cease-and-desist order “for the unregistered offer and sale of crypto asset securities” and charging failure to disclose compensation for promoting tokens); Press Release, SEC, SEC Charges Eleven Individuals in $300 Million Crypto Pyramid Scheme (Aug. 1, 2022), available at https://www.sec.gov/news/press-release/2022-134 (bringing charges against individuals “for their roles in creating and promoting . . . a fraudulent crypto pyramid and Ponzi scheme”); Press Release, SEC, SEC Charges Former Coinbase Manager, Two Others in Crypto Asset Insider Trading Action (July 21, 2022), available at https://www.sec.gov/news/press-release/2022-127 (charging former Coinbase product manager, his brother, and his friend for insider trading crypto assets); Press Release, SEC, SEC Halts Fraudulent Cryptomining and Trading Scheme (May 6, 2022), available at https://www.sec.gov/news/press-release/2022-81 (charging defendants with “unregistered offerings and fraudulent sales of investment plans called mining packages to thousands of investors”); Press Release, SEC, SEC Charges NVIDIA Corporation with Inadequate Disclosures about Impact of Cryptomining (May 6, 2022), available at https://www.sec.gov/news/press-release/2022-79 (announcing a settlement for $5.5 million based on “inadequate disclosures concerning the impact of cryptomining on the company’s gaming business”).

[259] Press Release, SEC, BlockFi Agrees to Pay $100 Million in Penalties and Pursue Registration of its Crypto Lending Product (Feb. 14, 2022), available at https://www.sec.gov/news/press-release/2022-26.

[260] Press Release, SEC, SEC Charges Kim Kardashian for Unlawfully Touting Crypto Security (Oct. 3, 2022), available at https://www.sec.gov/news/press-release/2022-183.

[261] Press Release, SEC, SEC Charges Samuel Bankman-Fried with Defrauding Investors in Crypto Asset Trading Platform FTX (Dec. 13, 2022), available at https://www.sec.gov/news/press-release/2022-219.

[262] Id.; see also Press Release, SEC, SEC Charges Caroline Ellison and Gary Wang with Defrauding Investors in Crypto Asset Trading Platform FTX (Dec. 21, 2022), available at https://www.sec.gov/news/press-release/2022-234.

[263] Jessica Corso, SEC, Ripple Issue Final Salvos As Crypto Decision Nears, Law360 (Dec. 5, 2022), available at https://www.law360.com/articles/1555098/sec-ripple-issue-final-salvos-as-crypto-decision-nears.

[264] Press Release, SEC, SEC Charges JPMorgan, UBS, and TradeStation for Deficiencies Relating to the Prevention of Customer Identity Theft (July 27, 2022), available at https://www.sec.gov/news/press-release/2022-131.

[265] Id.

[266] Press Release, SEC, SEC Charges Three Chicago-Area Residents with Insider Trading Around Equifax Data Breach Announcement (Aug. 16, 2022), available at https://www.sec.gov/litigation/litreleases/2022/lr25470.htm.

[267] Press Release, SEC, Morgan Stanley Smith Barney to Pay $35 Million for Extensive Failures to Safeguard Personal Information of Millions of Customers (Sept. 20, 2022), available at https://www.sec.gov/news/press-release/2022-168.

[268] Press Release, Department of Health and Human Services, HHS Proposes New Protections to Increase Care Coordination and Confidentiality for Patients With Substance Use Challenges (Nov. 28, 2022), available at https://www.hhs.gov/about/news/2022/11/28/hhs-proposes-new-protections-increase-care-coordination-confidentiality-patients-substance-use-challenges.html.

[269] Id.

[270] Id.

[271] Id.

[272] Request for Information, Considerations for Implementing the Health Information Technology for Economic and Clinical Health (HITECH) Act, as Amended, 87 Fed. Reg. 19833 (Apr. 6, 2022).

[273] Request for Information, Considerations for Implementing the Health Information Technology for Economic and Clinical Health (HITECH) Act, as Amended, 87 Fed. Reg. 19833, 19833-34 (April 6, 2022), available at https://www.federalregister.gov/documents/2022/04/06/2022-07210/considerations-for-implementing-the-health-information-technology-for-economic-and-clinical-health.

[274] Press Release, U.S. Government Accountability Office, Electronic Health Information: HHS Needs to Improve Communications for Breach Reporting (May 27, 2022), available at https://www.gao.gov/products/gao-22-105425.

[275] Request for Information, Considerations for Implementing the Health Information Technology for Economic and Clinical Health (HITECH) Act, as Amended, 87 Fed. Reg. 19833, 19833-34 (April 6, 2022), available at https://www.federalregister.gov/documents/2022/04/06/2022-07210/considerations-for-implementing-the-health-information-technology-for-economic-and-clinical-health.

[276] Press Release, Department of Health and Human Services, OCR Announces Notification of Enforcement Discretion for Telehealth Remote Communications During the COVID-19 Nationwide Public Health Emergency (Mar. 30, 2020), available at https://www.hhs.gov/hipaa/for-professionals/special-topics/emergency-preparedness/notification-enforcement-discretion-telehealth/index.html.

[277] Department of Health and Human Services, Guidance on How the HIPAA Rules Permit Covered Health Care Providers and Health Plans to Use Remote Communication Technologies for Audio-Only Telehealth, available at https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/hipaa-audio-telehealth/index.html.

[278] Adam Cancryn, Biden team eyes end of Covid emergency declaration and shift in Covid team, Politico (Jan. 10, 2023), available at https://www.politico.com/news/2023/01/10/biden-covid-public-health-emergency-extension-00077154.

[279] Department of Health and Human Services, Guidance on How the HIPAA Rules Permit Covered Health Care Providers and Health Plans to Use Remote Communication Technologies for Audio-Only Telehealth (June 13, 2022), available at https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/hipaa-audio-telehealth/index.html.

[280] Department of Health and Human Services, Guidance on How the HIPAA Rules Permit Covered Health Care Providers and Health Plans to Use Remote Communication Technologies for Audio-Only Telehealth (June 13, 2022), available at https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/hipaa-audio-telehealth/index.html.

[281] Press Release, White House, Readout of Healthcare Cybersecurity Executive Forum Hosted by National Cyber Director Chris Inglis (June 16, 2022), available at https://www.whitehouse.gov/briefing-room/statements-releases/2022/06/16/readout-of-healthcare-cybersecurity-executive-forum-hosted-by-national-cyber-director-chris-inglis/.

[282] Department of Health and Human Services, Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates (Dec. 1, 2022), available at https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/hipaa-online-tracking/index.html.

[283] Press Release, Department of Health and Human Services, Statement by HHS Secretary Xavier Becerra Reaffirming HHS Support and Protection for LGBTQI+ Children and Youth (Mar. 2, 2022), available at https://www.hhs.gov/about/news/2022/03/02/statement-hhs-secretary-xavier-becerra-reaffirming-hhs-support-and-protection-for-lgbtqi-children-and-youth.html.

[284] Department of Health and Human Services, HHS Notice and Guidance on Gender Affirming Care, Civil Rights, and Patient Privacy (March 2, 2022, and updated Oct. 1, 2022), available at https://www.hhs.gov/sites/default/files/hhs-ocr-notice-and-guidance-gender-affirming-care.pdf.

[285] Texas v. E.E.O.C., No. 2:21-CV-194-Z, 2022 WL 4835346, at *9 (N.D. Tex. Oct. 1, 2022).

[286] See Dobbs v. Jackson Women’s Health Org., 579 U.S. ___ (2022).

[287] Department of Health and Human Services, HIPAA Privacy Rule and Disclosures of Information Relating to Reproductive Health Care (June 29, 2022), available at https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/phi-reproductive-health/index.html.

[288] Press Release, Department of Health and Human Services, HHS Announces Melanie Fontes Rainer as Director of the Office for Civil Rights (Sept. 14, 2022), available at https://www.hhs.gov/about/news/2022/09/14/hhs-announces-melanie-fontes-rainer-as-director-of-the-office-for-civil-rights.html.

[289] Alexandra Kelley, The HHS’s Office of Civil Rights is focusing on guidance and stakeholder coordination to enforce reproductive health data post Roe v. Wade. Nextgov (Sept. 28, 2022), available at https://www.nextgov.com/analytics-data/2022/09/all-options-are-table-hhs-privacy-official-doubles-down-data-protection/377791/.

[290] Press Release, Department of Health and Human Services, Eleven Enforcement Actions Uphold Patients’ Rights Under HIPAA (July 15, 2022), available at https://www.hhs.gov/about/news/2022/07/15/eleven-enforcement-actions-uphold-patients-rights-under-hipaa.html.

[291] Pres Release, Department of Health and Human Services, OCR Settles Three Cases with Dental Practices for Patient Right of Access under HIPAA (Sept. 20, 2022), available at https://www.hhs.gov/about/news/2022/09/20/ocr-settles-three-cases-dental-practices-patient-right-access-under-hipaa.html.

[292] Press Release, Department of Health and Human Services, Eleven Enforcement Actions Uphold Patients’ Rights Under HIPAA (July 15, 2022), available at https://www.hhs.gov/about/news/2022/07/15/eleven-enforcement-actions-uphold-patients-rights-under-hipaa.html.

[293] Press Release, Department of Health and Human Services, OCR Settles Case Concerning Improper Disposal of Protected Health Information (Aug. 23, 2022), available at https://www.hhs.gov/about/news/2022/08/23/ocr-settles-case-concerning-improper-disposal-protected-health-information.html.

[294] Press Release, Department of Health and Human Services, Four HIPAA Enforcement Actions Hold Healthcare Providers Accountable With Compliance (Mar. 28, 2022), available at https://www.hhs.gov/about/news/2022/03/28/four-hipaa-enforcement-actions-hold-healthcare-providers-accountable-with-compliance.html.

[295] Press Release, Department of Health and Human Services, Four HIPAA Enforcement Actions Hold Healthcare Providers Accountable With Compliance (Mar. 28, 2022), available at https://www.hhs.gov/about/news/2022/03/28/four-hipaa-enforcement-actions-hold-healthcare-providers-accountable-with-compliance.html; Press Release, Department of Health and Human Services, HHS Civil Rights Office Enters Settlement with Dental Practice Over Disclosures of Patients’ Protected Health Information (Dec. 14, 2022), available at https://www.hhs.gov/about/news/2022/12/14/hhs-civil-rights-office-enters-settlement-with-dental-practice-over-disclosures-of-patients-protected-health-information.html.

[296] Press Release, Department of Health and Human Services, Oklahoma State University – Center for Health Services Pays $875,000 to Settle Hacking Breach (July 14, 2022), available at https://www.hhs.gov/about/news/2022/07/14/oklahoma-state-university-center-health-services-pays-875000-settle-hacking-breach.html.

[297] Press Release, Department of Health and Human Services, HHS Civil Rights Office Enters Settlement with Dental Practice Over Disclosures of Patients’ Protected Health Information (Dec. 14, 2022), available at https://www.hhs.gov/about/news/2022/12/14/hhs-civil-rights-office-enters-settlement-with-dental-practice-over-disclosures-of-patients-protected-health-information.html.

[298] FY22 Cybersecurity Sprints, Department of Homeland Security (Nov. 1, 2022), available at https://www.dhs.gov/cybersecurity-sprints.

[299]Press Release, Department of Homeland Security, DHS Launches First-Ever Cyber Safety Review Board (Feb. 3, 2022), available at https://www.dhs.gov/news/2022/02/03/dhs-launches-first-ever-cyber-safety-review-board.

[300]Press Release, Department of Homeland Security, Cyber Safety Review Board Releases Unprecedented Report of its Review into Log4j Vulnerabilities and Response (July 14, 2022), available at https://www.dhs.gov/news/2022/07/14/cyber-safety-review-board-releases-report-its-review-log4j-vulnerabilities-and; see also Review of the December 2021 Log4j Event, Report of the Cyber Safety Review Board (July 11, 2022), available at https://www.cisa.gov/sites/default/files/publications/CSRB-Report-on-Log4-July-11-2022_508.pdf.

[301] Press Release, Department of Homeland Security, Cyber Safety Review Board to Conduct Second Review on Lapsus$ (Dec. 2, 2022), available at https://www.dhs.gov/news/2022/12/02/cyber-safety-review-board-conduct-second-review-lapsus.

[302] Cyber Incident Reporting for Critical Infrastructure Act of 2022, H.R. 2471, 116th Cong. (2022).

[303] Request for Information on the Cyber Incident Reporting for Critical Infrastructure Act of 2022, 87 Fed. Reg. 55833 (published Sept. 12, 2022), available at https://www.federalregister.gov/documents/2022/09/12/2022-19551/request-for-information-on-the-cyber-incident-reporting-for-critical-infrastructure-act-of-2022.

[304] Cyber Incident Reporting for Critical Infrastructure Act of 2022 Listening Sessions, 87 Fed. Reg. 55830 (published Sept. 12, 2022), available at https://www.federalregister.gov/documents/2022/09/12/2022-19550/cyber-incident-reporting-for-critical-infrastructure-act-of-2022-listening-sessions; Cyber Incident Reporting for Critical Infrastructure Act of 2022: Washington, D.C. Listening Session, 87 Fed. Reg. 60409 (published Oct. 5, 2022), available at https://www.federalregister.gov/documents/2022/10/05/2022-21635/cyber-incident-reporting-for-critical-infrastructure-act-of-2022-washington-dc-listening-session.

[305] Notice of Cybersecurity and Infrastructure Security Agency Cybersecurity Advisory Committee Meeting, 87 Fed. Reg. 69283 (published Nov. 18, 2022), available at https://www.federalregister.gov/documents/2022/11/18/2022-25110/notice-of-cybersecurity-and-infrastructure-security-agency-cybersecurity-advisory-committee-meeting.

[306] Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), Cybersecurity & Infrastructure Security Agency, available at https://www.cisa.gov/circia.

[307] Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA), Cybersecurity & Infrastructure Security Agency, available at https://www.cisa.gov/circia; see also Gibson Dunn’s client alert on the Cyber Incident Reporting for Critical Infrastructure Act, available at https://www.gibsondunn.com/president-biden-signs-into-law-the-cyber-incident-reporting-for-critical-infrastructure-act-expanding-cyber-reporting-obligations-for-a-wide-range-of-public-and-private-entities/.

[308] Press Release, Department of Justice, Deputy Attorney General Lisa O. Monaco Announces New Civil Cyber-Fraud Initiative (Oct. 6, 2021), available at https://www.justice.gov/opa/pr/deputy-attorney-general-lisa-o-monaco-announces-new-civil-cyber-fraud-initiative.

[309] Press Release, Department of Justice, Deputy Attorney General Lisa O. Monaco Announces New Civil Cyber-Fraud Initiative (Oct. 6, 2021), available at https://www.justice.gov/opa/pr/deputy-attorney-general-lisa-o-monaco-announces-new-civil-cyber-fraud-initiative.

[310] Press Release, Department of Justice, Deputy Attorney General Lisa O. Monaco Announces New Civil Cyber-Fraud Initiative (Oct. 6, 2021), available at https://www.justice.gov/opa/pr/deputy-attorney-general-lisa-o-monaco-announces-new-civil-cyber-fraud-initiative.

[311] Press Release, Department of Justice, Contractor Pays $930,000 to Settle False Claims Act Allegations Relating to Medical Services Contracts at State Department and Air Force Facilities in Iraq and Afghanistan (Mar. 8, 2022), available at https://www.justice.gov/usao-edny/pr/contractor-pays-930000-settle-false-claims-act-allegations-relating-medical-services.

[312] Press Release, Department of Justice, Aerojet Rocketdyne Agrees to Pay $9 Million to Resolve False Claims Act Allegations of Cybersecurity Violations in Federal Government Contracts (July 8, 2022), available at https://www.justice.gov/opa/pr/aerojet-rocketdyne-agrees-pay-9-million-resolve-false-claims-act-allegations-cybersecurity.

[313] United States Strategy on Countering Corruption, The White House (Dec. 6, 2021), available at https://www.whitehouse.gov/wp-content/uploads/2021/12/United-States-Strategy-on-Countering-Corruption.pdf.

[314] Id.

[315] Guidance Regarding Investigations and Cases Related to Ransomware and Digital Extortion, Department of Justice Office of the Deputy Attorney General (June 3, 2021), available at https://www.justice.gov/media/1144356/dl?inline=.

[316] Press Release, Department of Justice, Justice Department Seizes and Forfeits Approximately $500,000 from North Korean Ransomware Actors and their Conspirators (July 19, 2022), available at https://www.justice.gov/opa/pr/justice-department-seizes-and-forfeits-approximately-500000-north-korean-ransomware-actors; Press Release, Department of Justice, Department of Justice Seizes $2.3 Million in Cryptocurrency Paid to the Ransomware Extortionists Darkside (June 7, 2021), available at https://www.justice.gov/opa/pr/department-justice-seizes-23-million-cryptocurrency-paid-ransomware-extortionists-darkside.

[317] Press Release, Department of Justice, Department of Justice Announces New Policy for Charging Cases under the Computer Fraud and Abuse Act (May 19, 2022), available at https://www.justice.gov/opa/pr/department-justice-announces-new-policy-charging-cases-under-computer-fraud-and-abuse-act.

[318] Id.

[319] Id.

[320] Press Release, Department of Energy, DOE Releases Strategy for Building Cyber-Resilient Energy Systems (June 15, 2022), available at https://www.energy.gov/articles/doe-releases-strategy-building-cyber-resilient-energy-systems

[321] Department of Energy, National Cyber-Informed Engineering Strategy (June 15, 2022), available at https://www.energy.gov/articles/doe-releases-strategy-building-cyber-resilient-energy-systems; see also Department of Energy, The U.S. Department of Energy’s (DOE) National Cyber-Informed Engineering (CIE) Strategy Document (June 14, 2022), available at https://www.energy.gov/ceser/articles/us-department-energys-doe-national-cyber-informed-engineering-cie-strategy-document.

[322] Department of Energy, National Cyber-Informed Engineering Strategy (June 15, 2022), available at https://www.energy.gov/articles/doe-releases-strategy-building-cyber-resilient-energy-systems.

[323] Office of Cybersecurity, Energy Security, and Emergency Response, DOE Cybersecurity Report Provides Recommendations to Secure Distributed Clean Energy on the Nation’s Electricity Grid (Oct. 6, 2022), available at https://www.energy.gov/ceser/articles/doe-cybersecurity-report-provides-recommendations-secure-distributed-clean-energy.

[324] Supervision and Regulation Letter, Board of Governors of the Federal Reserve System, SR 22-4 / CA 22-3: Contact Information in Relation to Computer-Security Incident Notification Requirements (Mar. 29, 2022), available at https://www.federalreserve.gov/supervisionreg/srletters/SR2204.htm.

[325] Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers, 86 Fed. Reg. 66424 (published Nov. 23, 2021), available at https://www.federalregister.gov/documents/2021/11/23/2021-25510/computer-security-incident-notification-requirements-for-banking-organizations-and-their-bank.

[326] Computer-Security Incident Notification Requirements for Banking Organizations and Their Bank Service Providers, 86 Fed. Reg. 66424 (published Nov. 23, 2021), available at https://www.federalregister.gov/documents/2021/11/23/2021-25510/computer-security-incident-notification-requirements-for-banking-organizations-and-their-bank.

[327] Potential Federal Insurance Response to Catastrophic Cyber Incidents, 87 FR 59161 (Sept. 29, 2022).

[328] Id.

[329] Cyber Insurance: Action Needed to Assess Potential Federal Response to Catastrophic Attacks, GAO-22-104256, U.S. Government Accountability Office (June 2022), available at https://www.gao.gov/products/gao-22-104256.

[330] Press Release, Department of Commerce, U.S. Department of Commerce Appoints 27 Members to National AI Advisory Committee (Apr. 14, 2022), available at https://www.commerce.gov/news/press-releases/2022/04/us-department-commerce-appoints-27-members-national-ai-advisory.

[331] Id.

[332] Id.

[333] Notice of Federal Advisory Committee Open Meeting, 87 FR 23168 (Apr. 19, 2022); Notice of Federal Advisory Committee Open Meeting, 87 FR 58312 (Sept. 26, 2022).

[334] National Artificial Intelligence Advisory Committee (NAIAC), available at https://www.ai.gov/naiac/.

[335] NAAG Center on Cyber and Technology, National Association of Attorneys General (July 18, 2022), available at https://www.naag.org/naag-center-on-cyber-and-technology/.

[336] Press Release, National Association of Attorneys General, NAAG Announces Formation of Center on Cyber and Technology (May 9, 2022), available at https://www.naag.org/press-releases/naag-announces-formation-of-center-on-cyber-and-technology/.

[337] Press Release, National Association of Attorneys General, 51 Attorneys General Support FCC Proposal to Require Anti-Robotext Protections (Dec. 12, 2022), available at https://www.naag.org/press-rel12eases/51-attorneys-general-robotext-protection/.

[338] Press Release, National Association of Attorneys General, 41 State Attorneys General Pledge to Join FCC and Other States in Combatting Robocalls (June 2, 2022), available at https://www.naag.org/press-releases/41-state-attorneys-general-pledge-to-join-fcc-and-other-states-in-combatting-robocalls/.

[339] NAAG Letter to FCC, National Association of Attorneys General, Re: State Attorneys General Support FCC Efforts in Combatting Robocalls (May 31, 2022), available at https://naagweb.wpenginepowered.com/wp-content/uploads/2022/06/Letter-to-FCC-re-Robocalls_FINAL.pdf.

[340] Press Release, State of California Department of Justice, Attorney General Bonta, National Coalition of Attorneys General Issue Joint Statement Reaffirming Commitment to Protecting Access to Abortion Care (June 27, 2022), available at https://oag.ca.gov/news/press-releases/attorney-general-bonta-national-coalition-attorneys-general-issue-joint.

[341] See e.g., Press Release, Utah Office of the Attorney General, Utah Attorney General’s Office Statement on Supreme Court Abortion Ruling (June 24, 2022), available at https://attorneygeneral.utah.gov/utah-attorney-generals-office-statement-on-supreme-court-abortion-ruling/; Press Release, Missouri Attorney General, Missouri Attorney General Eric Schmitt Becomes First to Issue Opinion Following SCOTUS Opinion in Dobbs, Effectively Ending Abortion in Missouri (June 24, 2022), available at https://ago.mo.gov/home/news/2022/06/24/missouri-attorney-general-eric-schmitt-becomes-first-to-issue-opinion-following-scotus-opinion-in-dobbs-effectively-ending-abortion-in-missouri.

[342] Press Release, State of California Department of Justice, Attorney General Bonta Emphasizes Health Apps’ Legal Obligation to Protect Reproductive Health Information (May 26, 2022), available at https://oag.ca.gov/news/press-releases/attorney-general-bonta-emphasizes-health-apps-legal-obligation-protect.

[343] Press Release, State of California Department of Justice, Attorney General Bonta Testifies at Maryland Cybersecurity Council on California’s Groundbreaking Effort to Protect Digital Information on Abortion (Sep. 22, 2022), available at https://oag.ca.gov/news/press-releases/attorney-general-bonta-testifies-maryland-cybersecurity-council-california%E2%80%99s.

[344] Letter, Virginia Office of the Attorney General and Kentucky Office of the Attorney General, Re: Google Must Not Discriminate Against Crisis Pregnancy Centers (July 21, 2022), available at https://www.oag.state.va.us/files/StateAttorneysGeneralLettertoGoogleJuly21,2022.pdf.

[345] Press Release, State of California Department of Justice, Attorney General Bonta Leads Coalition Calling for Federal Privacy Protections that Maintain Strong State Oversight (July 19, 2022), available at https://oag.ca.gov/news/press-releases/attorney-general-bonta-leads-coalition-calling-federal-privacy-protections.

[346] Id.

[347] Id.

[348] Press Release, NY Attorney General, Attorney General James Secures $2.6 Million From Online Travel Agency for Deceptive Marketing (Mar. 16, 2022), available at https://ag.ny.gov/press-release/2022/attorney-general-james-secures-26-million-online-travel-agency-deceptive.

[349] Press Release, Oregon Department of Justice, Google: AG Rosenblum Announces Largest AG Consumer Privacy Settlement in U.S. History (Nov. 14, 2022), available at https://www.doj.state.or.us/media-home/news-media-releases/largest-ag-consumer-privacy-settlement-in-u-s-history/.

[350] Id.

[351] Press Release, Arizona Attorney General, Attorney General Mark Brnovich Files Lawsuit Against Google Over Deceptive and Unfair Location Tracking (May 27, 2020), available at https://www.azag.gov/press-release/attorney-general-mark-brnovich-files-lawsuit-against-google-over-deceptive-and-unfair.

[352] Press Release, Arizona Attorney General, Attorney General Mark Brnovich Achieves Historic $85 Million Settlement with Google (Oct. 4, 2022), available at https://www.azag.gov/press-release/attorney-general-mark-brnovich-achieves-historic-85-million-settlement-google.

[353] Complaint, District Of Columbia v. Google LLC, 2022-CA-000330-B (D.C. Super. Ct. Jan. 24, 2022).

[354] Id. at ¶¶45–94.

[355] Press Release, District of Columbia Attorney General, AG Racine Leads Bipartisan Coalition in Suing Google Over Deceptive Location Tracking Practices That Invade Users’ Privacy (Jan. 24, 2022), available at https://oag.dc.gov/release/ag-racine-leads-bipartisan-coalition-suing-google.

[356] Ryan Nakashima, Google tracks your movements, like it or not, AP News (Aug. 13, 2018), available at https://apnews.com/article/north-america-science-technology-business-ap-top-news-828aefab64d4411bac257a07c1af0ecb.

[357] Press Release, Attorney General of Texas, Paxton Sues Facebook for Using Unauthorized Biometric Data (Feb. 14, 2022), available at https://www.texasattorneygeneral.gov/news/releases/paxton-sues-facebook-using-unauthorized-biometric-data.

[358] Press Release, Attorney General of Texas, AG Paxton Amends Google Lawsuit to Include ​”Incognito Mode” as Another Deceptive Trade Practices Act Violation (May 19, 2022), available at https://www.texasattorneygeneral.gov/news/releases/ag-paxton-amends-google-lawsuit-include-incognito-mode-another-deceptive-trade-practices-act.

[359]Press Release, State of California Department of Justice, On Data Privacy Day, Attorney General Bonta Puts Businesses Operating Loyalty Programs on Notice for Violations of California Consumer Privacy Act (Jan. 28, 2022), available at https://oag.ca.gov/news/press-releases/data-privacy-day-attorney-general-bonta-puts-businesses-operating-loyalty.

[360] Client Alert, Gibson, Dunn & Crutcher LLP, California AG’s CCPA Enforcement Priorities Expand to Loyalty Programs (Feb. 3, 2022), available at https://www.gibsondunn.com/california-ags-ccpa-enforcement-priorities-expand-to-loyalty-programs/.

[361] Opinion Paper, State of California Department of Justice, Opinion of Rob Bonta on Califronia Consumer Privacy Act Right to Know (Mar. 10, 2022), available at https://oag.ca.gov/system/files/opinions/pdfs/20-303.pdf.

[362] Press Release, State of California Department of Justice, Attorney General Bonta Announces Settlement with Sephora as Part of Ongoing Enforcement of California Consumer Privacy Act (Aug. 24, 2022), available at https://oag.ca.gov/news/press-releases/attorney-general-bonta-announces-settlement-sephora-part-ongoing-enforcement.

[363] Id.

[364] Id.

[365] Client Alert, Gibson, Dunn & Crutcher LLP, New York Attorney General’s Office Fall Round-Up (Nov. 15, 2022), available at https://www.gibsondunn.com/new-york-attorney-generals-office-fall-round-up-november-2022/#_ednref21.

[366] Press Release, NY Attorney General, Attorney General James Releases Top 10 Consumer Complaints of 2021 (Mar. 7, 2022), available at https://ag.ny.gov/press-release/2022/attorney-general-james-releases-top-10-consumer-complaints-2021.

[367] Press Release, NY Attorney General, Attorney General James Alerts 17 Companies to “Credential Stuffing” Cyberattacks Impacting More Than 1.1 Million Consumers (Jan. 5, 2022), available at https://ag.ny.gov/press-release/2022/attorney-general-james-alerts-17-companies-credential-stuffing-cyberattacks.

[368] Press Release, NY Attorney General, Attorney General James Announces $600,000 Agreement with EyeMed After 2020 Data Breach (Jan. 24, 2022), available at https://ag.ny.gov/press-release/2022/attorney-general-james-announces-600000-agreement-eyemed-after-2020-data-breach.

[369] Press Release, NY Attorney General, Attorney General James Secures $400,000 From Wegmans After Data Breach Exposed Consumers’ Personal Information (June 30, 2022), available at https://ag.ny.gov/press-release/2022/attorney-general-james-secures-400000-wegmans-after-data-breach-exposed-consumers.

[370] Press Release, NY Attorney General, Attorney General James Recovers $1.25 Million for Consumers Affected by Carnival Cruise Line’s Data Breach (June 23, 2022), available at https://ag.ny.gov/press-release/2022/attorney-general-james-recovers-125-million-consumers-affected-carnival-cruise.

[371] Press Release, NY Department of Financial Services, DFS Superintendent Harris Announces $5 Million Penalty On Cruise Company Carnival Corporation And Its Subsidiaries For Significant Cybersecurity Violations (June 24, 2022), available at https://www.dfs.ny.gov/reports_and_publications/press_releases/pr202206241.

[372] Press Release, NY Department of Financial Services, DFS Superintendent Harris Announces $30 Million Penalty on Robinhood Crypto for Significant Anti-Money Laundering, Cybersecurity & Consumer Protection Violations (Aug. 21, 2022), available at https://www.dfs.ny.gov/reports_and_publications/press_releases/pr202208021.

[373] Identity Theft Resource Center’s 2021 Annual Data Breach Report, Identity Theft Resource Center, available at https://www.idtheftcenter.org/post/identity-theft-resource-center-2021-annual-data-breach-report-sets-new-record-for-number-of-compromises/ (last visited Dec. 8, 2022).

[374] Q3 2022 Data Breach Analysis, Identity Theft Resource Center, available at https://www.idtheftcenter.org/publication/q3-2022-data-breach-analysis/ (last visited Dec. 8, 2022).

[375] TransUnion LLC v. Ramirez, 141 S. Ct. 2190 (2021) (finding that plaintiffs who have not suffered concrete harm due to data breach, and instead claim they are at heightened risk of future farm, do not have standing to sue under Article III of the U.S. Constitution).

[376] Id. at 2211.

[377] Lujan v. Defenders of Wildlife, 504 U.S. 555, 560-61 (1992) (synthesizing U.S. Supreme Court jurisprudence on the constitutional minimum requirements for standing).

[378] McMorris v. Carlos Lopez & Assocs., 996 F.3d 295 (2d Cir. 2021) (finding the following factors persuasive in establishing standing based on future harms: “(1) whether the plaintiffs’ data has been exposed as the result of a targeted attempt to obtain that data; (2) whether any portion of the [compromised] dataset has already been misused, even if the plaintiffs themselves have not yet experienced identity theft or fraud; and (3) whether the type of data that has been exposed is sensitive such that there is a high risk of identity theft or fraud.”).

[379] Tsao v. Captiva MVP Rest. Partners, LLC, 986 F.3d 1332 (11th Cir. 2021) (finding that breaches of existing credit card information do not amount to a “substantial risk” of harm, and reasoning that it will be difficult for a named plaintiff to plead facts sufficient to demonstrate standing where no there is no evidence that any class members’ data has been misused).

[380] Clemens v. ExecuPharm Inc., 48 F.4th 146, 156 (3d Cir. 2022) (emphasis in original) (quoting TransUnion LLC v. Ramirez, 210 L. Ed. 2d 568, 141 S. Ct. 2190, 2211 (2021)).

[381] Bohnak v. Marsh & McLennan Cos., Inc., 580 F. Supp. 3d 21 (S.D.N.Y. 2022) (finding that certain intangible harms such as privacy related harms, have been judicially cognizable and are sufficiently concrete and analogous to the common law tort of public disclosure of private information, to confer standing on a data breach plaintiff despite there being no materialized misuse of data).

[382] Cooper v. Bonobos, Inc., No. 21-CV-854 (JMF), 2022 WL 170622 (S.D.N.Y. Jan. 19, 2022).

[383] Hiscox Ins. Co. Inc. et al v. Warden Grier LLP, No. 4:20-cv-00237 (W.D. Mo.).

[384] Id.

[385] Id.

[386] Reiter v. Fairbanks, No. 2021-1117 (Del. Ch. filed Jan. 11, 2020).

[387] In re Morgan Stanley Data Security Litigation, 1:20-cv-05914-AT (S.D.N.Y).

[388] News Release, Office of the Comptroller of the Currency, OCC Assesses $60 Million Civil Money Penalty Against Morgan Stanley (Oct. 8, 2020), available at https://www.occ.gov/news-issuances/news-releases/2020/nr-occ-2020-134.html.

[389] Settlement Update, Federal Trade Commission, Equifax Data Breach Settlement, available at https://www.ftc.gov/enforcement/refunds/equifax-data-breach-settlement (last visited July 20, 2022).

[390] Dan Avery, Capital One $190 Million Data Breach Settlement: Today is the Last Day to Claim Money, cnet (Sept. 30, 2022) https://www.cnet.com/personal-finance/capital-one-190-million-data-breach-settlement-today-is-deadline-to-file-claim.

[391] In re U.S. Office of Personnel Management Data Security Breach Litigation, No. 15-1394 (ABJ) (D.D.C.).

[392] 2022 Consumer Privacy Legislation, Nat’l Conf. of St. Legislatures (June 10, 2022) available at https://www.ncsl.org/research/telecommunications-and-information-technology/2022-consumer-privacy-legislation.aspx.

[393] Virginia Passes Comprehensive Privacy Law, Gibson Dunn (March 8, 2021), available at https://www.gibsondunn.com/wp-content/uploads/2021/03/virginia-passes-comprehensive-privacy-law.pdf.

[394] 18 U.S.C. § 1030(a)(2).

[395] Van Buren v. United States, 141 S. Ct. 1648, 1654–55 (2021).

[396] Id. at 1653.

[397] Id.

[398] Id. at 1653–54.

[399] Id. at 1662 (emphasis added).

[400] Id.

[401] hiQ Labs, Inc. v. LinkedIn Corp., 31 F.4th 1180 (9th Cir. 2022).

[402] LinkedIn Corp. v. hiQ Labs, Inc., 141 S. Ct. 2752 (2021).

[403] hiQ Labs, Inc. v. LinkedIn Corp., 31 F.4th 1180, 1187 (9th Cir. 2022).

[404] Id. at 1187–88.

[405] Id. at 1188.

[406] Id. at 1197–1201.

[407] Id. at 1197.

[408] Id. at 1201.

[409] Facebook, Inc. v. Power Ventures, Inc., 844 F.3d 1058, 1067 (9th Cir. 2016).

[410] hiQ Labs, Inc. v. LinkedIn Corp., 31 F.4th 1180, 1201 (9th Cir. 2022).

[411] See Stipulation and [Proposed] Consent Judgment and Permanent Injunction, hiQ Labs, Inc. v. LinkedIn Corp., No. 3:19-cv-00410-EMC (N.D. Cal. Dec. 6, 2022), ECF No. 405.

[412] See Consent Judgment and Permanent Injunction, hiQ Labs, Inc. v. LinkedIn Corp., No. 3:19-cv-00410-EMC (N.D. Cal. Dec. 8, 2022), ECF No. 406.

[413] Ryanair DAC v. Booking Holdings Inc., 2022 WL 13946243, at *11 (D. Del. Oct. 24, 2022).

[414] Id.

[415] Id.at *10–11.

[416] Id. at *11–12.

[417] United States v. Thompson, 2022 WL 834026, at *2 (W.D. Wash. Mar. 21, 2022), reconsideration denied, 2022 WL 1719221 (W.D. Wash. May 27, 2022).

[418] Id. at *2–3.

[419] Id. at *4.

[420] Id. at *5.

[421] Id.

[422] Press Release, Department of Justice, Department of Justice Announces New Policy for Charging Cases under the Computer Fraud and Abuse Act (May 19, 2022), available at https://www.justice.gov/opa/press-release/file/1507126/download.

[423] Id. at 2.

[424] Id. at 4.

[425] Id.

[426] Id. at 3.

[427] Id. at 4.

[428] Id. at 5.

[429] Facebook, Inc. v. Duguid, 141 S. Ct. 1163, 209 L. Ed. 2d 272 (2021).

[430] Id. at 1173.

[431] Id. at 1163, 1167 (“To qualify as an ‘automatic telephone dialing system,’ a device must have the capacity either to store a telephone number using a random or sequential generator or to produce a telephone number using a random or sequential number generator.”); see also Supreme Court Declines To Extend Telephone Consumer Protection Act’s Coverage Of Automatic Telephone Dialing Systems, Gibson Dunn (Apr. 1, 2021), available at https://www.gibsondunn.com/supreme-court-declines-to-extend-telephone-consumer-protection-acts-coverage-of-automatic-telephone-dialing-systems/.

[432] See Duguid v. Facebook, Inc., 926 F.3d 1146, 1151 (9th Cir. 2019) (citing Marks v. Crunch San Diego, LLC, 904 F.3d 1041 (9th Cir. 2018), and noting that “[i]n Marks, we clarified that the adverbial phrase ‘using a random or sequential number generator’ modifies only the verb ‘to produce,’ and not the preceding verb, ‘to store’”), rev’d 141 S. Ct. 1163 209 L. Ed. 2d 272 (2021).

[433] See Barnett v. First Nat’l Bank of Omaha, No. 3:20-CV-337-CHB, 2022 WL 2111966 (W.D. Ky. June 10, 2022); Mina v. Red Robin Int’l, Inc., No. 20-CV-00612-RM-NYW, 2022 WL 2105897 (D. Colo. June 10, 2022); Panzarella v. Navient Sols., Inc., No. 20-2371, 37 F.4th 867 (3d Cir. June 14, 2022); DeMesa v. Treasure Island, LLC, No. 218CV02007JADNJK, 2022 WL 1813858 (D. Nev. June 1, 2022); Jiminez v. Credit One Bank, N.A., No. 17 CV 2844-LTS-JLC, 2022 WL 4611924 (S.D.N.Y. Sept. 30, 2022).

[434] Panzarella v. Navient Solutions, Inc., 37 F.4th 867, 867-68 (3d Cir. 2022) (“This is so because a violation of section 227 (b)(1)(A)(iii) requires proof that the calls at issue be made ‘using’ an ATDS. The issue turns . . . on whether Navient violated the TCPA when it employed this dialing equipment to call the Panzarellas.”).

[435] See Barnett v. First Nat’l Bank of Omaha, No. 3:20-CV-337-CHB, 2022 WL 2111966 (W.D. Ky. June 10, 2022); Mina v. Red Robin Int’l, Inc., No. 20-CV-00612-RM-NYW, 2022 WL 2105897 (D. Colo. June 10, 2022); Panzarella v. Navient Sols., Inc., No. 20-2371, 37 F.4th 867 (3d Cir. June 14, 2022); DeMesa v. Treasure Island, LLC, No. 218CV02007JADNJK, 2022 WL 1813858 (D. Nev. June 1, 2022); Jiminez v. Credit One Bank, N.A., No. 17 CV 2844-LTS-JLC, 2022 WL 4611924 (S.D.N.Y. Sept. 30, 2022).

[436] See, e.g., Pizarro v. Quinstreet, Inc., No. 3:22-cv-02803-MMC, 2022 WL 3357838 (N.D. Cal. Aug. 15, 2022).

[437] 47 U.S.C. § 227(b)(3).

[438] FCRA Leads the Way: WebRecon Stats For DEC 2021 & Year in Review, WebRecon, LLC, available at https://webrecon.com/fcra-leads-the-way-webrecon-stats-for-dec-2021-year-in-review/ (last visited Dec. 16, 2022).

[439] Tracy Eggleston et al. v. Reward Zone USA LLC, et al., No. 2:20-cv-01027-SVW-KS, 2022 WL 886094 (C.D. Cal. Jan. 28, 2022).

[440] Transcript of Oral Argument at 31, Facebook, Inc. v. Duguid, 141 S. Ct. 1163 (2021) (No. 19-511).

[441] An act relating to telephone solicitation; amending s. 501.059, F.S.; defining terms; prohibiting certain telephonic sales calls without the prior express written consent of the called party; removing provisions authorizing the use of certain automated telephone dialing systems; providing a rebuttable presumption for certain calls made to any area code in this state; providing a cause of action for aggrieved called parties; authorizing a court to increase an award for willful and knowing violations; amending s. 501.616, F.S.; prohibiting a commercial telephone seller or salesperson from using automated dialing or recorded messages to make certain commercial telephone solicitation phone calls; revising the timeframe during which a commercial telephone seller or salesperson may make commercial solicitation phone calls; prohibiting commercial telephone sellers or salespersons from making a specified number of commercial telephone solicitation phone calls to a person over a specified timeframe; prohibiting commercial telephone sellers or salespersons from using certain technology to conceal their true identity; providing criminal penalties; reenacting s. 501.604, F.S., relating to exemptions to the Florida Telemarketing Act, to incorporate the amendment made to s. 501.616, F.S., in a reference thereto; reenacting s. 648.44(1)(c), F.S., relating to prohibitions regarding bail bond agent telephone solicitations, to incorporate the amendment made to s. 501.616, F.S., in a reference thereto; providing an effective date, S.B. 1120, 2021 Leg., Reg. Sess. (Fla. 2021), available at https://www.flsenate.gov/Session/Bill/2021/1120/BillText/er/PDF.

[442] §501.059(8)(a), Fla. Stat. (2022).

[443] An Act relating to telephone solicitation; creating the Telephone Solicitation Act of 2022; defining terms; prohibiting certain telephonic sales calls without the prior express written consent of the called party; prohibiting commercial telephone sellers or salespersons from using certain technology to conceal their true identity; providing a rebuttable presumption for certain calls made to any area code in this state; prohibiting a commercial telephone seller or salesperson from using automated dialing or recorded messages to make certain commercial telephone solicitation phone calls; providing the time frame during which a commercial telephone seller or salesperson may make commercial solicitation phone calls; prohibiting commercial telephone sellers or salespersons from making a specified number of commercial telephone solicitation phone calls to a person over a specified time frame; exempting certain persons; providing a cause of action for aggrieved called parties; authorizing a court to increase an award for willful and knowing violations; providing for codification; and providing an effective date, H.B. 3168, 2022 Leg., Reg. Sess. (Okla. 2022), available at https://www.flsenate.gov/Session/Bill/2021/1120/BillText/er/PDF.

[444] Turizo v. Subway Franchisee Advertising Fund Trust Ltd., No. 21-CIV-61493-RAR, 2022 WL 2919260 (S.D. Fla. May 18, 2022).

[445] Rombough v. Robert D Smith Ins. Agency, Inc. et al., No. 22-CV-15-CJW-MAR, 2022 WL 2713278 (N.D. Iowa June 9, 2022).

[446] Id. at *3.

[447] Id. at *4.

[448] Id. at *5.

[449] Rose v. New TSI Holdings, Inc., No. 21-CV-5519 (JPO), 2022 WL 912967 (S.D.N.Y. Mar. 28, 2022).

[450] Id. at *4.

[451] Compare Morgan v. U.S. Xpress, Inc., No. 3:17-cv-00085, 2018 WL 3580775 (W.D. Va. July 25, 2018) (holding that cell phones are necessarily separate from residential telephone lines), with Hunsinger v. Alpha Cash Buyers, LLC, No. 3:21-CV-1598-D, 2022 WL 562761 (N.D. Tex. Feb. 24, 2022) (holding that DNC Registry rules can apply to cell phones).

[452] Cal. Civ. Code § 1798.150(a)(1).

[453] Id.

[454] Class Action Complaint for 1. Negligence; 2. Breach of Implied Contract; 3. Violation of California’s Consumer Privacy Act; 4. Violation of California’s Unfair Competition Law; and 5. Breach of Contract, Hajny v. Volkswagen Grp. of Am. Inc., No. C22-01841, ¶¶ 2 & n.3, 11-17 (Cal. Sup. Ct. Contra Costa Cnty. Aug. 30, 2022).

[455] Id. ¶¶ 98-148.

[456] Order After Hearing Re: Preliminary Approval of Class Action Settlement, Service v. Volkswagen Grp. of Am., Inc., No. MSC22-01841 (Cal. Sup. Ct. Contra Costa Cnty. Dec. 13, 2022). See also Tentative Ruling, Service v. Volkswagen Grp. of Am., Inc., No. C22-01841 (Cal. Sup. Ct. Contra Costa Cnty. Dec. 1, 2022), available at https://www.cc-courts.org/civil/TR/Department%2039%20-%20Judge%20Weil/39_120122.pdf.

[457] Order After Hearing Re: Preliminary Approval of Class Action Settlement, Service v. Volkswagen Grp. of Am., Inc., No. MSC22-01841, at 3 (Cal. Sup. Ct. Contra Costa Cnty. Dec. 13, 2022).

[458] Id.

[459] Id.

[460] In re Waste Mgmt. Data Breach Litig., No. 21CV6147, 2022 WL 561734, at *1 (S.D.N.Y. Feb. 24, 2022).

[461] Id.

[462] Id. at *6 (citing Cal. Civ. Code § 1798.150(a)(1); Maag v. U.S. Bank, Nat’l Assoc., No. 21-cv-00031, 2021 WL 5605278, at *2 (S.D. Cal. Apr. 8, 2021)).

[463] Id.

[464] Id.

[465] Id.

[466] Id. at *7 n.3.

[467] Id.

[468] See Case Calendaring, In re Waste Mgmt. Data Breach Litig., No. 22-641 (2d Cir. Dec. 9, 2022) (proposing week of March 13, 2023), ECF No. 77.

[469] California Consumer Privacy Act (CCPA) Litigation, U.S. Cybersecurity and Data Privacy Outlook and Review – 2021 (Jan. 28, 2021), https://www.gibsondunn.com/us-cybersecurity-and-data-privacy-outlook-and-review-2021/#_Toc62718905.

[470] Id. (discussing Hayden v. Retail Equation, Inc., No. 8:20-01203 (C.D. Cal. filed July 7, 2020)).

[471] Hayden v. Retail Equation, Inc., No. 8:20-01203, 2022 WL 2254461, at *8 (C.D. Cal. May 4, 2022). The court did permit a claim of invasion of privacy to proceed. Id. The court subsequently granted plaintiffs’ motion for reconsideration, to instead dismiss the plaintiffs’ California Unfair Competition Law (“UCL”) claims for equitable relief with leave to amend. Hayden v. Retail Equation, Inc., No. 8:20-01203, 2022 WL 3137446, at *4 (C.D. Cal. July 22, 2022).

[472] Hayden v. Retail Equation, Inc., No. 8:20-01203, 2022 WL 2254461, at *4 (C.D. Cal. May 4, 2022).

[473] Id. (citing Cal. Civ. Code § 1798.198; Cal. Civ. Code § 3 (“[n]o part of [this Code] is retroactive, unless expressly so declared.”); Gardiner v. Walmart Inc., No. 20-cv-04618, 2021 WL 2520103, at *2 (N.D. Cal. Mar. 5, 2021) (holding that a plaintiff must allege that the defendant violated “the duty to implement and maintain reasonable security procedures and practices . . . on or after January 1, 2020.”)).

[474] Id. at *5 (quoting Cal. Civ. Code § 1798(a)).

[475] Id.

[476] Id.

[477] Cal. Bus. & Prof. Code § 17200.

[478] Id.

[479] Cal. Civ. Code § 1798.150(c); S. Judiciary Comm., AB-375, 2017-2018 Sess. (Cal. 2018).

[480] Class Action Complaint for Violations of CCPA, California Unfair Competition Law, and Breach of Contract, Rubio v. Lakeview Loan Serv’g, LLC, No. CVRI2201604 (Cal. Super. Ct. Apr. 21, 2022).

[481] Id. ¶ 66.

[482] Id. ¶ 68.

[483] Id. ¶ 71.

[484] Id. ¶ 73.

[485] Notice of Removal, Rubio v. Lakeview Loan Serv’g, LLC, No. 3:22CV00603 (S.D. Cal. Apr. 28, 2022); Notice of Filing of Notice of Removal, Rubio v. Lakeview Loan Serv’g, LLC, No. CVRI2201604 (Cal. Super. Ct. Apr. 29, 2022).

[486] Transfer Order, Rubio v. Lakeview Loan Serv’g, LLC, No. 3:22CV00603 (S.D. Cal. May 9, 2022).

[487] Class Action Complaint, Kellman v. Spokeo, Inc., No. 3:21CV08976 (N.D. Cal. Nov. 19, 2021).

[488] Kellman v. Spokeo, Inc., No. 3:21-CV-08976-WHO, 2022 WL 1157500, at *12 (N.D. Cal. Apr. 19, 2022).

[489] Id. (emphases in original).

[490] Order Denying Mot. to Certify Interlocutory Appeal, Kellman v. Spokeo, Inc., No. 3:21-CV-08976 (N.D. Cal. July 8, 2022), ECF No. 64.

[491] Minute Entry for Proceedings, Kellman v. Spokeo, Inc., No. 3:21-CV-08976 (N.D. Cal. Sept. 13, 2022), ECF No. 69.

[492] Defendant Spokeo, Inc.’s & Plaintiffs’ Joint Statement of Discovery Dispute, Kellman v. Spokeo, Inc., No. 3:21-CV-08976, at 1 (N.D. Cal. Jan. 18, 2023), ECF No. 79.

[493] Id.

[494] Id. at 3-5.

[495] Order Regarding Discovery Dispute, Kellman v. Spokeo, Inc., No. 3:21-CV-08976, at 1 (N.D. Cal. Jan. 18, 2023), ECF No. 80.

[496] Id. at 2.

[497] Id.

[498] Status Report, Kellman v. Spokeo, Inc., No. 3:21-CV-08976 (N.D. Cal. Sept. 13, 2022), ECF No. 71.

[499] Order Extending Briefing Schedule for Class Certification, Kellman v. Spokeo, Inc., No. 3:21-CV-08976 (N.D. Cal. Jan. 4, 2023), ECF No. 78.

[500] California Consumer Privacy Act (CCPA), Cal. Civ. Code tit. 1.81.5 § 1798.140(c) (2018); 11 Cal. Code of Regs. § 999.337, Calculating the Value of Consumer Data (operative Aug. 14, 2020).

[501] Drips Holdings, LLC v. Teledrip, LLC, No. 5:19-cv-2789, 2022 WL 4545233, at *3-5 (N.D. Ohio Sept. 29, 2022) (adopting in part, rejecting in part R. & R., Drips Holdings, LLC v. Teledrip LLC, No. 5:19-CV-02789, 2022 WL 3282676 (N.D. Ohio Apr. 5, 2022)).

[502] Id.

[503] Id. at *1.

[504] Id.

[505] Id. at *3-4.

[506] Id.

[507] See RG Abrams Ins. v. L. Offs. of C.R. Abrams, No. 2:21-CV-00194, 2022 WL 422824, at *11 (C.D. Cal. Jan. 19, 2022).

[508] Id. at *9-11.

[509] Id. at *11.

[510] Id. (citing United States v. Zolin, 491 U.S. 554, 562 (1989) (citing Fed. R. Evid. 501); Hardie v. Nat’l Collegiate Athletic Ass’n, No. 3:13-CV-00346, 2013 WL 6121885, at *3 (S.D. Cal. Nov. 20, 2013) (“Because jurisdiction in this action is based upon a federal question, California’s privacy laws are not binding on this court.”); Kalinoski v. Evans, 377 F. Supp. 2d 136, 140–41 (D.D.C. 2005) (“The Supremacy Clause of the United States Constitution (as well as Federal Rule of Evidence 501) prevent a State from directing a federal court with regard to the evidence it may order produced in the adjudication of a federal claim.”)).

[511] Cal. Civ. Code § 1798.150(b).

[512] Griffey v. Magellan Health Inc., No. CV-20-01282-PHX-MTL, 2022 WL 1811165, at *6 (D. Ariz. June 1, 2022).

[513] Id. at *1.

[514] Id. at *6.

[515] Id.

[516] Id.

[517] Id.

[518] Id.

[519] Id.

[520] In re Arthur J. Gallagher Data Breach Litig., No. 22-cv-137, 2022 WL 4535092, at *1, *4 (N.D. Ill. Sept. 28, 2022).

[521] Id. at *5 (quoting Complaint ¶¶ 62, 66).

[522] Id. at *6.

[523] Id.

[524] Id. at *10-11.

[525] Allison Grande, Robinhood Inks $20M Deal To Settle Suit Over Account Hacks, Law360 (July 6, 2022), https://www.law360.com/cybersecurity-privacy/articles/1508681/robinhood-inks-20m-deal-to-settle-suit-over-account-hacks; Pls.’ Mot. Prelim. Approval of Settlement, Mehta v. Robinhood Fin. LLC, No. 21-CV-01013-SVK (N.D. Cal. July 1, 2022), ECF No. 61.

[526] Allison Grande, Robinhood Inks $20M Deal To Settle Suit Over Account Hacks, Law360 (July 6, 2022), https://www.law360.com/cybersecurity-privacy/articles/1508681/robinhood-inks-20m-deal-to-settle-suit-over-account-hacks; Pls.’ Mot. Prelim. Approval of Settlement, Mehta v. Robinhood Fin. LLC, No. 21-CV-01013-SVK, at 1 (N.D. Cal. July 1, 2022), ECF No. 61.

[527] Allison Grande, Robinhood Inks $20M Deal To Settle Suit Over Account Hacks, Law360 (July 6, 2022), https://www.law360.com/cybersecurity-privacy/articles/1508681/robinhood-inks-20m-deal-to-settle-suit-over-account-hacks; Pls.’ Mot. Prelim. Approval of Settlement, Mehta v. Robinhood Fin. LLC, No. 21-CV-01013-SVK, at 3 (N.D. Cal. July 1, 2022), ECF No. 61.

[528] Pls.’ Mot. Prelim. Approval of Settlement, Mehta v. Robinhood Fin. LLC, No. 21-CV-01013-SVK, at 3 (N.D. Cal. July 1, 2022), ECF No. 61.

[529] Id. at 14.

[530] Order Granting In Part & Denying In Part Defs.’ Mot. To Dismiss Pls.’ Second Am. Compl., Mehta v. Robinhood Fin. LLC, No. 21-cv-01013-SVK (N.D. Cal. Sept. 8, 2021), ECF No. 41; Pls.’ Mot. Prelim. Approval of Settlement, Mehta v. Robinhood Fin. LLC, No. 21-CV-01013-SVK, at 3 (N.D. Cal. July 1, 2022), ECF No. 61; Allison Grande, Robinhood Can’t Get Out Of Revamped Data Breach Suit, Law360 (Sept. 9, 2021), https://www.law360.com/articles/1420135.

[531] Allison Grande, Robinhood Inks $20M Deal To Settle Suit Over Account Hacks, Law360 (July 6, 2022), https://www.law360.com/cybersecurity-privacy/articles/1508681/robinhood-inks-20m-deal-to-settle-suit-over-account-hacks; Pls.’ Mot. Prelim. Approval of Settlement, Mehta v. Robinhood Fin. LLC, No. 21-CV-01013-SVK, at 3 (N.D. Cal. July 1, 2022), ECF No. 61.

[532] Pls.’ Mot. Prelim. Approval of Settlement, Mehta v. Robinhood Fin. LLC, No. 21-CV-01013-SVK, at 20 (N.D. Cal. July 1, 2022), ECF No. 61.

[533] Id. at 6.

[534] Id.

[535] Id. at 1.

[536] Vennerholm v. GEICO Cas. Co., No. 21-CV-806-GPC, 2022 WL 1694429, at *3 (S.D. Cal. May 26, 2022).

[537] Id. at *1; Brody v. Berkshire Hathaway, Inc. & GEICO, No. CV 21-02481 (KAM) (RML) (E.D.N.Y. filed May 4, 2021); Viscardi v. GEICO, No. CV 21-02481 (KAM) (RML) (E.D.N.Y. filed May 6, 2021); Connelly v. Berkshire Hathaway, No. 8:21-CV-00152 (TDC) (E.D.N.Y. filed May 11, 2021).

[538] Vennerholm v. GEICO Cas. Co., No. 21-CV-806-GPC, 2022 WL 1694429, at *1 (S.D. Cal. May 26, 2022).

[539] Id. (quoting Pacesetter Sys., Inc. v. Medtronic, Inc., 678 F.2d 93, 94-95 (9th Cir. 1982) (citing Church of Scientology of Cal. v. U.S. Dep’t of Army, 611 F.2d 738, 749 (9th Cir. 1989))).

[540] Id. at *2.

[541] Id.

[542] Id.

[543] Id. (citing Mullinix v. US Fertility, LLC, No. SACV 21-00409-CJC(KESx), 2021 WL 4935976 (C.D. Cal. June 8, 2021)).

[544] Id. (quoting Zimmer v. Domestic Corp., 2018 WL 1135634, at *4 (C.D. Cal. Dec. 22, 2018)).

[545] Id.

[546] Id. at *3.

[547] Biometric Information Privacy Act (“BIPA”), 740 Ill. Comp. Stat. 14/10 (2008).

[548] Id.

[549] Thornley v. Clearview AI, Inc., 984 F.3d 1241, 1247 (7th Cir. 2021).

[550] See, e.g., Ronquillo v. Doctor’s Associates, LLC, 2022 WL 1016600 (N.D. Ill. 2022).

[551] Rosenbach v. Six Flags Ent. Corp., 129 N.E. 3d 1197, 1205 (Ill. 2019).

[552] McDonald v. Symphony Bronzeville Park, LLC, 193 N.E.3d 1253, 1269 (Ill. 2022).

[553] BIPA, 740 Ill. Comp. Stat. 14/20 (2008).

[554] Walton v. Roosevelt Univ., 193 N.E.3d 1276, 1279, 1282-85 (Ill. Ct. App. 2022), appeal allowed, 193 N.E.3d 8 (Table) (Ill. May 25, 2022).

[555] Id. at 1282-85.

[556] Patterson v. Respondus, Inc., 593 F. Supp. 3d 783 (N.D. Ill. 2022), reconsideration denied, 2022 WL 7100547 (N.D. Ill. 2022).

[557] Wilk v. Brainshark, Inc., 2022 WL 4482842 (N.D. Ill.).

[558] In re Facebook Biometric Information Privacy Litig., 2020 WL 4818608 (N.D. Cal. 2020); In re Facebook Biometric Information Privacy Litig., 2022 WL 822923 (N.D. Cal. 2022).

[559] Boone v. Snap Inc., 2022 WL 3328282 (N.D. Ill. 2022); see Boone v. Snap Inc., No. 2022LA000708 (N.D. Ill. Nov. 22, 2022).

[560] Kashkeesh v. Microsoft Corp., 2022 WL 2340876 (N.D. Ill. 2022).

[561] See, e.g., In re Clearview AI, Inc., Consumer Privacy Litig., 2022 WL 3226777 (N.D. Ill. 2022).

[562] Complaint, Gielow v. Pandora Jewelry, LLC, No. 2022CH11181 (Ill. Cir. Ct. Nov. 15, 2022).

[563] BIPA, 740 Ill. Comp. Stat. 14/15 (2008).

[564] Texas Capture and Use of Biometric Identifier Act (“CUBI”), Tex. Bus. & Com. Code § 503.001 (2017).

[565] Id. §§ 503.001(a)–(b).

[566] Id. § 503.001(c).

[567] Id. § 503.001(d).

[568] Id.

[569] Press Release, Attorney General of Texas, Paxton Sues Facebook for Using Unauthorized Biometric Data (Feb. 14, 2022), available at https://www.texasattorneygeneral.gov/news/releases/paxton-sues-facebook-using-unauthorized-biometric-data.

[570] Id.

[571] Press Release, Attorney General of Texas, Paxton Sues Google for its Unauthorized Capture and Use of Biometric Data and Violation of Texans’ Privacy (Oct. 20, 2022), available at https://texasattorneygeneral.gov/news/releases/paxton-sues-google-its-unauthorized-capture-and-use-biometric-data-and-violation-texans-privacy.

[572] Id.

[573] Compare BIPA, 740 Ill. Comp. Stat. 14/15(b) (requiring entities to inform users in writing about the capture of biometric identifiers and to obtain a written release from the user), with CUBI, Tex. Bus. & Com. Code § 503.001(b) (requiring persons only to “inform[]” users about the capture of biometric identifiers and requiring only “consent” from users).

[574] Compare BIPA, 740 Ill. Comp. Stat. 14/20, with CUBI, Tex. Bus. & Com. Code § 503.001(d).

[575] Recording Law, All Party (Two Party) Consent States – List and Details, available at https://recordinglaw.com/party-two-party-consent-states/.

[576] See, e.g., Javier v. Assurance IQ, LLC, No. 21-16351, 2022 WL 1744107 (9th Cir. May 31, 2022); Popa v. Harriet Carter Gifts, Inc., 45 F.4th 687 (3d Cir. 2022).

[577] Javier v. Assurance IQ, LLC, No. 21-16351, 2022 WL 1744107 (9th Cir. May 31, 2022).

[578] Id.

[579] Cal. Penal Code § 631.

[580] Javier, No. 21-16351, at *2.

[581] Javier v. Assurance IQ, LLC, No. 20-cv-02860-JSW, 2021 WL 940319 (N.D. Cal. Mar. 9, 2021).

[582] See, e.g., Class Action Complaint, Valenzuela v. Papa Murphy’s International, LLC et al., No. 5:22-cv-01789 (C.D. Cal. Oct. 11, 2022) (proposed class action in California federal court alleging that a pizza chain violated CIPA by secretly wiretapping the private conversations of everyone who communicates via the business’s online chat feature); Class Action Complaint, Miguel Licea v. Old Navy LLC, No. 5:22-cv-01413 (C.D. Cal. Aug. 10, 2022) (another proposed class action filed in federal court in California, alleging that a clothing retailer surreptitiously deployed “keystroke monitoring” software to intercept, monitor, and record all communications (including keystrokes and mouse clicks) of visitors to its website); Class Action Complaint, Annette Cody v. Columbia Sportswear Co. et al., No. 8:22-cv-01654 (C.D. Cal. Sept. 7, 2022) (digital privacy class action alleging that a sportswear retailer relied on keystroke monitoring methods to secretly record user activity; removed from the Superior Court of California to the U.S. District Court for the Central District of California); Class Action Complaint, Esparza v. Crocs, Inc. et al., No. 3:22-cv-01842 (S.D. Cal. Oct. 26, 2022) (proposed class action alleging that a footwear retailer “secretly wiretaps the private conversations of everyone who communicates through the chat feature” on its website and “allows at least one third party to eavesdrop on such communications in real time and during transmission to harvest data for financial gain”; as of Nov. 22, 2022, removed from the superior court to the federal court in the Southern District of California).

[583] Popa v. Harriet Carter Gifts, Inc., 45 F.4th 687 (3d Cir. 2022).

[584] 18 Pa. Cons. Stat. Ann. §§ 5701–5782.

[585] https://www.legis.state.pa.us/cfdocs/legis/LI/consCheck.cfm?txtType=HTM&ttl=18&div=0&chpt=57.

[586] See, e.g., Commonwealth v. Proetto, 771 A.2d 823 (Pa. Super. Ct. 2001); Commonwealth v. Cruttenden, 58 A.3d 95 (Pa. 2012).

[587] See, e.g., Goldstein v. Costco Wholesale Corp., 559 F. Supp. 3d 1318 (S.D. Fla. Sept. 9, 2021) (dismissed); Swiggum v. EAN Servs., LLC, No. 8:21-493, 2021 WL 3022735 (M.D. Fla. July 16, 2021) (dismissed).

[588] Makkinje v. Extra Space Storage, Inc., No. 8:21-cv-2234-WFJ-SPF, 2022 WL 80437 (M.D. Fla. Jan. 7, 2022).

[589] Id. at *2.

[590] Id.

[591] 47 U.S.C. § 230.

[592] Gonzalez v. Google LLC, 143 S. Ct. 80 (2022) (granting certiorari); Twitter, Inc. v. Taamneh, 143 S. Ct. 81 (2022) (granting certiorari).

[593] Gonzalez v. Google LLC, 2 F.4th 871, 880–83 (9th Cir. 2021) (summarizing claims of Gonzalez Plaintiffs regarding Google’s responsibility in facilitating ISIS’s attacks in Paris); id. at 883–84 (summarizing complaint of Taamneh Plaintiffs regarding Twitter, Facebook, and Google’s role in aiding and abetting ISIS’s attack in Istanbul).

[594] Id.

[595] 47 U.S.C. § 230(c); see also Fair Hous. Council of San Fernando Valley v. Roommates.Com, LLC, 521 F.3d 1157, 1162 (9th Cir. 2008).

[596] Gonzalez, 2 F.4th at 897. Other claims, based on a revenue-sharing theory between the technology company and ISIS, survived Section 230 but failed because the plaintiffs did not establish the technology company’s motivation to support international terrorism. See id. at 899–907.

[597] Id. at 907–10.

[598] Petition for Writ of Certiorari at (i), Gonzalez v. Google LLC, No. 21-1333 (U.S. Apr. 4, 2022).

[599] Petition for Writ of Certiorari at 14–15, Twitter, Inc. v. Taamneh, No. 21-1496 (U.S. May 26, 2022).

[600] NetChoice, L.L.C. v. Paxton, 49 F.4th 439, 490 (5th Cir. 2022); NetChoice, LLC v. Att’y Gen., Fla., 34 F.4th 1196, 1230 (11th Cir. 2022).

[601] NetChoice, LLC v. Att’y Gen., Fla., 34 F.4th 1196, 1230 (11th Cir. 2022).

[602] NetChoice, L.L.C. v. Paxton, 49 F.4th 439, 490 (5th Cir. 2022).

[603] David Yaffe-Bellany, FTX Investigating Possible Hack Hours After Bankruptcy Filing, N.Y. Times (Nov. 12, 2022), available at https://www.nytimes.com/2022/11/12/business/ftx-cryptocurrency-hack.html.

[604] Ava Benny-Morrison, US Probes How $372 Million Vanished in Hack After FTX Bankruptcy, Bloomberg (Dec. 27, 2022), available at https://www.bloomberg.com/news/articles/2022-12-27/us-probes-how-372-million-vanished-in-hack-after-ftx-bankruptcy.

[605] Metaverse and Privacy, IAPP, available at https://iapp.org/news/a/metaverse-and-privacy-2/.

[606] NYC Dep’t Consumer & Worker Prot., Notice of Public Hearing and Opportunity to Comment on Proposed Rules, available at https://rules.cityofnewyork.us/wp-content/uploads/2022/09/DCWP-NOH-AEDTs-1.pdf.

[607] N.Y.C., No. 1894-2020A § 20-870 (Nov. 11, 2021), available at https://legistar.council.nyc.gov/LegislationDetail.aspx?ID=4344524&GUID=B051915D-A9AC-451E-81F8-6596032FA3F9.

[608] Id.

[609] White House, Office for Science and Technology, available at https://www.whitehouse.gov/ostp/ai-bill-of-rights/.

[610] Id.

[611] Report: Account takeover attacks spike; fraudsters take aim at fintech and crypto, VentureBeat (Nov. 28, 2022), https://venturebeat.com/security/report-account-takeover-attacks-spike-fraudsters-take-aim-at-fintech-and-crypto/.

[612] Exec. Order No. 14067, 87 FR 14143, Executive Order on Ensuring Responsible Development of Digital Assets (Mar. 9, 2022), available at https://www.whitehouse.gov/briefing-room/presidential-actions/2022/03/09/executive-order-on-ensuring-responsible-development-of-digital-assets/.

[613] Press Release, The White House, FACT SHEET: White House Releases First-Ever Comprehensive Framework for Responsible Development of Digital Assets (Sep. 16, 2022), available at https://www.whitehouse.gov/briefing-room/statements-releases/2022/09/16/fact-sheet-white-house-releases-first-ever-comprehensive-framework-for-responsible-development-of-digital-assets/.

[614] Press Briefings, The White House, Background Press Call by Senior Administration Officials on the First-Ever Comprehensive Framework for Responsible Development of Digital Assets (Sep. 16, 2022), available at https://www.whitehouse.gov/briefing-room/press-briefings/2022/09/16/background-press-call-by-senior-administration-officials-on-the-first-ever-comprehensive-framework-for-responsible-development-of-digital-assets/.

[615] Press Release, The White House, FACT SHEET: White House Releases First-Ever Comprehensive Framework for Responsible Development of Digital Assets (Sep. 16, 2022), available at https://www.whitehouse.gov/briefing-room/statements-releases/2022/09/16/fact-sheet-white-house-releases-first-ever-comprehensive-framework-for-responsible-development-of-digital-assets/.

[616] The U.S. Department of Justice, Justice Department Announces Report on Digital Assets and Launches Nationwide Network (Sep. 16, 2022), available at https://www.justice.gov/opa/pr/justice-department-announces-report-digital-assets-and-launches-nationwide-network.

[617] Financial Stability Oversight Council, Report on Digital Asset Financial Stability Risks and Regulation (Oct. 3, 2022), available at https://home.treasury.gov/system/files/261/Fact-Sheet-Report-on-Digital-Asset-Financial-Stability-Risks-and-Regulation.pdf.

[618] Joint Statement on Crypto-Asset Risks to Banking Organizations (Jan. 2023), available at https://www.fdic.gov/news/press-releases/2023/pr23002a.pdf.

[619] Press Release, Financial Services Committee, McHenry Announces Financial Services Subcommittee Chairs and Jurisdiction for 118th Congress (Jan. 2023), available at https://financialservices.house.gov/news/documentsingle.aspx?DocumentID=408500.

[620] Hermès International, et al. v. Mason Rothschild, No. 22-cv-384 (JSR), Dkt. 16 (S.D.N.Y.).

[621] Rogers v. Grimaldi, 875 F.2d 994 (2d Cir. 1989).

[622] Hermès International, et al. v. Mason Rothschild, No. 22-cv-384 (JSR), Dkt. 50 (May 18, 2022) (memorandum order regarding motion to dismiss).

[623] Id.

[624] Id.

[625] Hermès International, et al. v. Mason Rothschild, No. 22-cv-384 (JSR), Minute Entry (S.D.N.Y. Nov. 18, 2022).

[626] Exec. Order 14086, 87 FR 62283, Enhancing Safeguards for United States Signals Intelligence Activities (Oct. 7, 2022), available at https://www.whitehouse.gov/briefing-room/presidential-actions/2022/10/07/executive-order-on-enhancing-safeguards-for-united-states-signals-intelligence-activities/.

[627] Id.

[628] Data Protection Review Court, 87 Fed. Reg. 62303 (Oct. 14, 2022) (rulemaking related to 20 C.F.R. § 201), available at https://www.govinfo.gov/content/pkg/FR-2022-10-14/pdf/2022-22234.pdf.

[629] Questions & Answers: EU-U.S. Data Privacy Framework, European Commission (Oct. 7, 2022), available at https://ec.europa.eu/commission/presscorner/detail/en/qanda_22_6045.

[630] EU General Data Protection Regulation (GDPR): Regulation (EU) 2016/679.

[631] Press Release, European Commission, Data protection: Commission starts process to adopt adequacy decision for safe data flows with the US (Dec. 13, 2022), available at https://ec.europa.eu/commission/presscorner/detail/en/IP_22_7631.

[632] Id.

[633] 18 U.S.C. § 2523.

[634] Press Release, U.S. Department of Justice, Promoting Public Safety, Privacy and the Rule of Law Around the World: The Purpose and Impact of the CLOUD Act (Apr. 2019), available at https://www.justice.gov/opa/press-release/file/1153446/download.

[635] Press Release, U.S. Department of Justice, Landmark U.S.-UK Data Access Agreement Enters into Force (Oct. 3, 2022), available at https://www.justice.gov/opa/pr/landmark-us-uk-data-access-agreement-enters-force.

[636] Article 3(1), Agreement between the Government of the United States of America and the Government of the United Kingdom of Great Britain and Northern Ireland on Access to Electronic Data for the Purpose of Countering Serious Crime, U.S.-U.K. (Oct. 3, 2022), available at https://www.justice.gov/criminal-oia/cloud-act-agreement-between-governments-us-united-kingdom-great-britain-and-northern.

[637] Id. at Article 4.

[638] Press Release, U.S. Department of Justice, Landmark U.S.-UK Data Access Agreement Enters into Force (Oct. 3, 2022), available at https://www.justice.gov/opa/pr/landmark-us-uk-data-access-agreement-enters-force.

[639] Press Release, U.S. Department of Justice, United States and Canada Welcome Negotiations of a CLOUD Act Agreement (Mar. 22, 2022), available at https://www.justice.gov/opa/pr/united-states-and-canada-welcome-negotiations-cloud-act-agreement.

[640] Press Release, U.S. Department of Justice, United States and Australia Enter CLOUD Act Agreement to Facilitate Investigations of Serious Crime (Dec. 15, 2021), available at https://www.justice.gov/opa/pr/united-states-and-australia-enter-cloud-act-agreement-facilitate-investigations-serious-crime.


The following Gibson Dunn lawyers assisted in the preparation of this article: Alexander H. Southwell, Cassandra Gaedt-Sheckter, Svetlana S. Gans, Amanda M. Aycock, Ryan T. Bergsieker, Abbey Barrera, Snezhana Stadnik Tapia, Matt Buongiorno, Terry Wong, Ruby Lang, Jay Mitchell, Sarah Scharf, Edmund Bannister*, Jenn Katz, Eric Hornbeck, Cassarah Chu, Michael Kutz, Najatt Ajarar*, Matthew Reagan, Nicole Lee, Emma Li*, Jay Minga, Apratim Vidyarthi*, Diego Wright*, Yixian Sun*, Mashoka Maimona*, Kunal Kanodia, Ayushi Sutaria*, Stanton Burke, Justine Deitz, and Brendan Krimsky.

Gibson Dunn lawyers are available to assist in addressing any questions you may have about these developments. Please contact the Gibson Dunn lawyer with whom you usually work, the authors, or any member of the firm’s Privacy, Cybersecurity & Data Innovation practice group:

United States
S. Ashlie Beringer – Co-Chair, PCDI Practice, Palo Alto (+1 650-849-5327, [email protected])
Jane C. Horvath – Co-Chair, PCDI Practice, Washington, D.C. (+1 202-955-8505, [email protected])
Alexander H. Southwell – Co-Chair, PCDI Practice, New York (+1 212-351-3981, [email protected])
Matthew Benjamin – New York (+1 212-351-4079, [email protected])
Ryan T. Bergsieker – Denver (+1 303-298-5774, [email protected])
David P. Burns – Washington, D.C. (+1 202-887-3786, [email protected])
Gustav W. Eyler – Washington, D.C. (+1 202-955-8610, [email protected])
Cassandra L. Gaedt-Sheckter – Palo Alto (+1 650-849-5203, [email protected])
Svetlana S. Gans – Washington, D.C. (+1 202-955-8657, [email protected])
Lauren R. Goldman – New York (+1 212-351-2375, [email protected])
Stephenie Gosnell Handler – Washington, D.C. (+1 202-955-8510, [email protected])
Nicola T. Hanna – Los Angeles (+1 213-229-7269, [email protected])
Howard S. Hogan – Washington, D.C. (+1 202-887-3640, [email protected])
Kristin A. Linsley – San Francisco (+1 415-393-8395, [email protected])
Vivek Mohan – Palo Alto (+1 650-849-5345, [email protected])
Karl G. Nelson – Dallas (+1 214-698-3203, [email protected])
Rosemarie T. Ring – San Francisco (+1 415-393-8247, [email protected])
Ashley Rogers – Dallas (+1 214-698-3316, [email protected])
Eric D. Vandevelde – Los Angeles (+1 213-229-7186, [email protected])
Benjamin B. Wagner – Palo Alto (+1 650-849-5395, [email protected])
Michael Li-Ming Wong – San Francisco/Palo Alto (+1 415-393-8333/+1 650-849-5393, [email protected])
Debra Wong Yang – Los Angeles (+1 213-229-7472, [email protected])

Europe
Ahmed Baladi – Co-Chair, PCDI Practice, Paris (+33 (0) 1 56 43 13 00, [email protected])
James A. Cox – London (+44 (0) 20 7071 4250, [email protected])
Patrick Doris – London (+44 (0) 20 7071 4276, [email protected])
Kai Gesing – Munich (+49 89 189 33-180, [email protected])
Bernard Grinspan – Paris (+33 (0) 1 56 43 13 00, [email protected])
Joel Harrison – London (+44 (0) 20 7071 4289, [email protected])
Vera Lukic – Paris (+33 (0) 1 56 43 13 00, [email protected])
Penny Madden – London (+44 (0) 20 7071 4226, [email protected])

Asia
Kelly Austin – Hong Kong (+852 2214 3788, [email protected])
Connell O’Neill – Hong Kong (+852 2214 3812, [email protected])
Jai S. Pathak – Singapore (+65 6507 3683, [email protected])

*Najatt Ajarar, Edmund Bannister, Emma Li, Yixian Sun, Ayushi Sutaria, Apratim Vidyarthi, Diego Wright, and Mashoka Maimona are recent law graduates in the New York and San Francisco offices not yet admitted to practice law.

© 2023 Gibson, Dunn & Crutcher LLP

Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice. Please note, prior results do not guarantee a similar outcome.