
On March 16, 2022, New York State Governor Kathy Hochul signed two new bills into law that expand non-discrimination protections in the workplace.  As a result, New York now prohibits employers from releasing employee personnel files in retaliation for such employee’s engagement in protected activity.  Additionally, the state will be announcing a state-run sexual harassment hotline that will need to be referenced in anti-harassment policies and postings.

There are also several bills working their way through the State Legislature that, if enacted, would significantly impact employers in New York.  We discuss those potential new laws below.

Newly Enacted Workplace Laws

New York recently enacted two new laws impacting employers.

The first makes it an unlawful retaliatory practice under the New York State Human Rights Law (“NYSHRL”) for an employer to disclose an employee’s “personnel files” because the employee has: (i) opposed any practices forbidden under the NYSHRL; or (ii) filed a complaint, testified, or assisted in any proceeding under the NYSHRL or any other judicial or administrative proceeding.  According to the statute, this is necessary to address “retaliation [that] frequently appears in the form of a leaking of personnel files with the intent to disparage or discredit a victim or witness of discrimination in the workplace.”  This law is effective as of March 16, 2022.  Significantly, the law expressly permits employers to disclose personnel files in the course of commencing or responding to a complaint in any judicial or administrative proceeding.

The second new law requires the State Division of Human Rights to work with the State Department of Labor to establish, by July 14, 2022, a toll-free, confidential hotline to provide counsel and assistance to individuals with concerns of workplace sexual harassment.  Employers will be required to include the hotline number in any sexual harassment postings and policies.  Once “live,” the hotline will be staffed by pro bono attorneys experienced in providing sexual harassment-related counsel, who will be recruited by the Division of Human Rights and organizations representing attorneys, such as the New York State Bar Association.

Bills Under Consideration

Two additional bills, if passed, would have significant implications for employers in New York.  Both of the following bills passed the New York State Senate on March 1, 2022, but have yet to pass the Assembly or be signed into law:

  • No Rehire Provisions: Senate Bill S766 would render the release of claims in a settlement agreement between an employer and employee and/or independent contractor unenforceable if the agreement contains a no-rehire clause. No-rehire provisions are commonly included in separation and release agreements to prohibit the individual from applying for or accepting future employment with the employer and its related entities.

    Notably, under the proposed law, if a release is rendered unenforceable by the inclusion of a no-rehire provision, the employer would remain bound by all other provisions of the agreement, including the obligation to pay any agreed-upon settlement payment.  The bill does not, however: (i) prohibit termination of the employee if mutually agreed upon as part of a settlement; or (ii) automatically require an employer to rehire an employee who had previously settled a case against the employer.

    If passed, this law would take effect on the 60th day after being signed and would apply to all agreements entered into on and after that date.

  • Nondisclosure Provisions in Settlement Agreements: Senate Bill S738 would render unenforceable a release of any claim of discrimination, harassment, or retaliation if the release is included in a settlement agreement that: (i) requires the aggrieved worker to pay liquidated damages for violation of a nondisclosure clause; (ii) requires the aggrieved worker to forfeit all or part of the consideration for violation of a nondisclosure clause; or (iii) contains any statement or disclaimer that the aggrieved employee was not in fact subject to discrimination, harassment, or retaliation.

    Currently under New York law, any provision in an agreement between an employer and an employee is void if it prevents the disclosure of information related to discrimination unless the employee is notified that they are not prohibited from speaking with law enforcement, the EEOC, the state or local commission of human rights, or an attorney.  If passed, this new law would also require employers to notify employees that nothing precludes them from speaking with the New York Attorney General.  It would also expand coverage to independent contractors.

    The proposed law would also amend New York General Obligations Law Section 5-336, which prohibits employers from including nondisclosure provisions in agreements resolving claims involving unlawful discrimination unless: (i) the provision is the complainant’s preference; (ii) the provision is set forth in writing; and (iii) the complainant is given twenty-one (21) days to consider and seven (7) days to revoke the agreement.  If passed, the new law would clarify that these requirements apply to agreements settling claims involving harassment and retaliation.  It would also clarify that the complainant may voluntarily agree to the confidentiality provision before the twenty-one (21) day waiting period has elapsed.

    This bill is similar to legislation that was recently enacted regarding settlement and separation agreements in California, but with a couple of notable differences – such as certain language that is required pursuant to California law and the amount of time complainants must be provided to consider the agreement.  Additional information on the California legislation is available here.

    If passed, this law would take effect immediately upon signing and would apply to all agreements entered into on or after that date.

Governor Hochul has indicated that she is likely to sign these bills into law if they pass in the State Assembly. That said, by rendering key provisions of a settlement agreement (i.e., the release itself) unenforceable, these bills may be subject to legal challenge if they are ultimately enacted.

Implications for Employers

In light of the newly enacted laws, New York employers should proceed with even greater caution when considering whether to release personnel file information, including when making public statements in response to an employee’s claim to the extent that the statement discloses information contained in a personnel file.  To that end, employers should consider counseling managers and updating their policies governing access to and disclosure of employee information to ensure compliance.

Employers should also plan to update their New York handbook policies, anti-harassment trainings, and postings with New York State’s anonymous hotline information once available.

We will continue to closely monitor the bills under consideration, which will impact the settlement of discrimination, harassment and retaliation claims.


The following Gibson Dunn attorneys assisted in preparing this client update: Harris Mufson, Gabrielle Levin, Danielle Moss, Meika Freeman, and Alex Downie.

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments. To learn more about these issues, please contact the Gibson Dunn lawyer with whom you usually work, any member of the firm’s Labor and Employment practice group, or the following:

Mylan Denerstein – New York (+1 212-351-3850)

Gabrielle Levin – New York (+1 212-351-3901)

Danielle J. Moss – New York (+1 212-351-6338)

Harris M. Mufson – New York (+1 212-351-3805)

Jason C. Schwartz – Co-Chair, Labor & Employment Group, Washington, D.C. (+1 202-955-8242)

Katherine V.A. Smith – Co-Chair, Labor & Employment Group, Los Angeles (+1 213-229-7107)

© 2022 Gibson, Dunn & Crutcher LLP

Attorney Advertising:  The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.


Introduction

The European Union has reached political agreement on its landmark Digital Markets Act (DMA) legislation. The EU-wide DMA will apply in addition to competition law rules and targets the largest digital platforms. The legislation, which introduces a broad-based regulation of digital markets, should be formally adopted in the coming weeks and will enter into force at the beginning of 2023.

The DMA is one of the most important pieces of economic legislation in the EU of recent times. It will impose a broad set of upfront, legally binding conduct obligations (dos and don’ts) on companies operating in the EU whose products are determined to be an important gateway for businesses to reach consumers (gatekeepers). The DMA’s impact in European digital markets will be significant both because of the scope of the products that will be covered and because of the number of obligations that will apply.

It is not only gatekeepers who need to take note. All companies operating in the digital space need to be fully attuned to the implications of the DMA as it will likely impact their commercial activities directly or indirectly. They will need to implement a multi-faceted plan in relation to product design, commercial strategy and engagement with public authorities. They will also need to take account of the interplay between the DMA and other competition and regulatory initiatives, both within Europe and globally. Companies whose products are caught by the DMA will need to ensure that they comply with all of the relevant obligations, whilst companies which are not caught by the DMA will need to adjust to the changes in the commercial environment that the DMA will lead to.

What is new?

There has been broad agreement between EU Member States and the European Parliament on the principles of the DMA ever since the European Commission proposed the legislation in December 2020. Recent discussions have focussed on: (1) the turnover and market capitalization thresholds that would apply for companies to be subject to the DMA; (2) which products would be covered; (3) the precise nature of certain obligations; and (4) how the DMA would be enforced. On these points:

  • The quantitative thresholds for a company to be caught have increased from an annual turnover of €6.5 billion in the European Economic Area (EEA) to €7.5 billion, and from a global market capitalization of €65 billion to €75 billion.
  • Browsers and virtual assistants have been added as products to which the DMA’s obligations will apply.
  • Some of the obligations which gatekeepers will have to comply with have been broadened, notably as regards: (1) interoperability between messaging services; (2) a requirement to have a consumer choice screen upon an end user’s first use of a search engine, a virtual assistant or a browser; (3) an extension of the “most-favoured-nation” parity clause provisions; and (4) a requirement to have fair access conditions for search and social networks (this obligation previously applied only to app stores).
  • Whilst the European Commission will ultimately remain responsible for DMA enforcement, EU Member State competition authorities will play a supporting role.

Why should your company care?

The DMA will regulate the behaviour of so-called gatekeepers that operate “core platform services” which have a significant impact in the EU market. A company can be designated as a gatekeeper for one or more core platform services. The DMA contains a broad list of what are core platform services but the DMA’s obligations would only apply if a core platform service is an important gateway for business users to reach end users in the EU. The main way in which such designation will occur is via quantitative thresholds based on: (1) company size (EEA turnover and global market capitalization); and (2) product reach (number of active end users and active end users in the EEA for each core platform service).

Once a core platform service is designated as a gatekeeper, it must comply with every DMA obligation that can apply to that product. There are 18 obligations in total, some of which are imprecise and cover a wide variety of different provisions including data access, interoperability, and self-preferencing.

Gatekeepers should care because they will need to comply with the relevant obligations. Because gatekeepers are not specifically defined, companies should check if their products might be caught, either now or in the future and if so, what they should do. If not, your company may still be affected, either because it is doing business with a gatekeeper or because some obligations are imprecise and may lead to a number of consequences – intended and unintended – in digital markets. The DMA is an attempt to rapidly implement broad-based regulation and it will lead to a high degree of uncertainty in digital markets for years to come.


The following Gibson Dunn lawyers prepared this client alert: Christian Riis-Madsen, Nicholas Banasevic, and Mairi McMartin.

Gibson Dunn’s lawyers are available to assist in addressing any questions that you may have regarding the issues discussed in this update. For further information, please contact the Gibson Dunn lawyer with whom you usually work, any member of the firm’s Antitrust and Competition practice group, or the following:

Nicholas Banasevic – Managing Director, Antitrust & Competition Group, Brussels (+32 2 554 72 40)

Christian Riis-Madsen – Co-Chair, Antitrust & Competition Group, Brussels (+32 2 554 72 05)

Ali Nikpay – Co-Chair, Antitrust & Competition Group, London (+44 (0) 20 7071 4273)

Rachel S. Brass – Co-Chair, Antitrust & Competition Group, San Francisco (+1 415-393-8293)

Stephen Weissman – Co-Chair, Antitrust & Competition Group, Washington, D.C. (+1 202-955-8678)


In a closely followed decision that directly addresses an issue of critical importance for the interactive fantasy sports (“IFS”) industry, in which daily fantasy sports are a subset, the New York Court of Appeals held on March 22, 2022 that IFS contests do not constitute “gambling” within the meaning of New York’s constitutional prohibition on gambling.  White v. Cuomo, No. 12, 2022 WL 837573 (N.Y. Mar. 22, 2022).[1]  In doing so, New York’s highest court followed the reasoning set forth by the Attorney General and further developed in an amicus brief Gibson Dunn filed on behalf of DraftKings and FanDuel (available here), and joined other state courts holding that “it is now ‘widely recognized’ that IFS contests are predominately skill-based competitions” distinguishable from games of chance.  Id. at *7 (quoting Dew-Becker v. Wu, 178 N.E.3d 1034, 1041 (Ill. 2020)).  The White v. Cuomo case confirms the legality of daily fantasy sports in New York.  And it has important implications for the sports betting industry writ large, as it underscores the degree of deference courts must give the New York legislature’s interpretation of the State’s constitutional gambling provisions.

In this alert, we summarize and discuss: (1) the decision of the New York Court of Appeals in White v. Cuomo; and (2) the potential impact of White v. Cuomo on the constitutionality of mobile sports betting and other gambling-related legislation in New York.

White v. Cuomo Ruling

In White v. Cuomo, the New York Court of Appeals was called on to decide whether the legislature had violated the New York Constitution’s general prohibition on lotteries and “other forms of gambling” by enacting a law expressly authorizing and regulating IFS contests.  That legislation, known as article 14, also states that IFS contests do not constitute “gambling” because their outcomes depend on “the skill and knowledge of the participants,” rather than chance, and the “contests are not wagers on future contingent events not under the contestants’ control or influence.”  White, 2022 WL 837573, at *2 (quotation marks omitted).

In a lengthy decision penned by Chief Judge DiFiore, the New York Court of Appeals held that “[b]ecause ample support exists for the legislature’s determination that the IFS contests authorized in article 14 are properly characterized as lawful skill-based competitions for prizes under our precedent, plaintiffs have not met their burden to demonstrate beyond a reasonable doubt that article 14 is unconstitutional.”  White, 2022 WL 837573, at *1.  The Court’s decision has two particularly notable features.

First, the Court underscored the degree of deference due legislative judgments generally and those involving the constitutional prohibition on gambling specifically.  The Court stated that “[i]t is well settled that legislative enactments are entitled to a strong presumption of constitutionality,” and that “courts strike them down only as a last unavoidable result after every reasonable mode of reconciliation of the statute with the Constitution has been resorted to, and reconciliation has been found impossible.”  White, 2022 WL 837573, at *3 (cleaned up).  So great is this level of deference that, “[w]hile courts may look to the record relied on by the legislature, even in the absence of such a record, factual support for the legislation would be assumed by the courts to exist.”  Id. (quotation marks omitted).  Notably, the Court emphasized that this deference extends to legislative judgments regarding whether a particular activity falls within the constitutional prohibition on gambling.

Second, the Court applied the “dominating element” test used by many courts to confirm the legislature’s finding that IFS contests do not constitute gambling.  The “dominating element” test is used to determine whether a game is one of “chance,” and therefore constitutes gambling, by evaluating whether the element of chance or skill predominantly controls the game’s result.  Relying heavily upon recent statistical studies demonstrating the importance of player skill in head-to-head fantasy sports games, the Court concluded that the outcomes of such games are predominantly skill-based, and therefore, not gambling.

The White v. Cuomo decision discussed, but ultimately rejected, another test that some courts have employed to determine whether a contest is one of skill or chance—the “material degree” test.  That test analyzes whether the game involves the element of chance to a material degree.  But as the Court of Appeals explained, the “material degree” test does not comport with the standard New York courts have historically applied in determining whether a particular activity constitutes a game of chance.  By adopting the “dominating element” test and rejecting the “material degree” test, the New York Court of Appeals joined a recent, high-profile decision by the Illinois Supreme Court holding that IFS contests are not gambling.

The White v. Cuomo decision was not unanimous, however.  In a dissent joined by two other judges, Judge Wilson sharply questioned the majority’s deference to the legislature.  In addition, the dissenting judges criticized the majority’s decision to use the “dominating element” test to determine whether a game is one of “chance.”  But as the majority noted, the dissent “provid[ed] no discernable definition for the term ‘gambling’” or any “logical framework for assessing the constitutionality of any particular activity alleged to be ‘gambling.’”  White, 2022 WL 837573, at *10.

Potential Impact

The White v. Cuomo ruling has important implications for the IFS industry and, more broadly, the sports betting industry.  With respect to IFS contests, and most immediately, the ruling closes the chapter on five years of litigation contesting the legality of IFS contests in the largest market in the United States.  New York has decided, once and for all, that IFS contests do not constitute gambling.  The White v. Cuomo decision may also impact the IFS industry beyond the Empire State.  If other state courts follow the reasoning applied by the New York Court of Appeals in White v. Cuomo, IFS operators conducting business in those states will have greater certainty that their operations are not subject to the legal and regulatory hurdles and costs imposed by evolving, and at times ambiguous, laws and regulations in those states.

More broadly, the decision has important implications for the constitutionality of New York’s mobile sports betting legislation.

In 2013, New York voters approved a constitutional amendment to allow the legislature to authorize “casino gambling” “at” up to seven casinos in the State, and expressly delegated to the legislature the task of implementing relevant laws relating to wagering.  N.Y. Const. art I, § 9.  In particular, the constitutional amendment authorizes the legislature to permit gambling as long as (1) the gambling constitutes “casino gambling” and (2) it occurs “at” one of the facilities authorized and prescribed by the legislature.

In April 2021, acting upon this constitutionally delegated authority, the New York legislature enacted legislation authorizing mobile sports wagering, provided the wagers are transmitted to and accepted by servers located at a licensed gaming facility.  See N.Y. Rac. Pari-Mut. Wag. & Breed. Law § 1367-a.  Specifically, the legislation provides that “[a]ll sports wagers through electronic communication . . . are considered placed or otherwise made when and where received by the mobile sports wagering licensee on such mobile sports wagering licensee’s server . . . at a licensed gaming facility, regardless of the authorized sports bettor’s physical location within the state at the time the sports wager is placed.”  Id. § 1367-a(2)(d).  So, for example, a bet requested by an app user in Manhattan would be deemed to occur “at” the casino housing the server that accepts and places the bet.  The legislature further declared that “a sports wager that is made through virtual or electronic means from a location within New York state and is transmitted to and accepted by electronic equipment located at a licensed gaming facility . . . is a sports wager made at such licensed gaming facility.”  S.B. S2509, 2021 Leg., 2021–2022 Sess., Part Y, § 2 (N.Y. 2021).[2]  This statute went into effect on January 8, 2022, and generated nearly $70 million in tax revenue for New York in its first 30 days.  See Press Release, Governor Hochul Announces Nearly $2 Billion in Wagers Over the First 30 Days of Mobile Sports Wagering (Feb. 14, 2022), https://www.governor.ny.gov/news/governor-hochul-announces-nearly-2-billion-wagers-over-first-30-days-mobile-sports-wagering.

The White v. Cuomo decision greatly bolsters the constitutionality of New York’s mobile sports wagering legislation, and the likelihood that the legislature’s finding that mobile sports wagers are placed at the location of the servers would be found valid.  As discussed above, the White v. Cuomo decision underscored the strong deference afforded to legislative findings, including the legislature’s interpretation of the New York Constitution’s gambling provisions.  The Court reiterated that “when a legislative enactment is challenged on constitutional grounds, there is both an ‘exceedingly strong presumption of constitutionality’ and a ‘presumption that the [l]egislature has investigated for and found facts necessary to support the legislations.’”  White, 2022 WL 837573, at *3 (citation omitted).  This “exceedingly strong presumption of constitutionality” should apply to the legislature’s exercise of its constitutionally delegated authority to define the contours of legal gambling in the mobile sports wagering legislation and any future legislation enacted under such authority.

____________________________

[1]   Interactive fantasy sports involves the creation of a “virtual ‘team[]’ . . . composed of athletes who play for different real-life teams” and that is pitted against another “virtual team[] compiled by [an]other IFS contestant[].”  White, 2022 WL 837573, at *2.  “The performance of simulated players on an IFS roster corresponds to the performance of the real-life athletes,” but “the outcome of an IFS contest does not mirror the success or failure of any real-life athlete or sports team.”  Id.  That is because “IFS rosters do not replicate real-life teams, IFS scoring systems are premised on an aggregation of statistics concerning each individual athlete’s performance on specific tasks, and IFS contests pit the rosters of participants against one another rather than tying success to the outcome of sporting events.”  Id.

[2]   New York’s mobile sports wagering legislation adopted Gibson Dunn’s constitutional reasoning.  As Gibson Dunn attorneys argued in a 2020 New York Law Journal op-ed, the legislature had the authority to enact legislation legalizing online sports wagering for two reasons.  First, sports betting fits within the New York Constitution’s term “casino gambling,” because “casino gambling” would have been understood to include sports betting at the time the constitutional amendment was passed and adopted.  Second, based on general contract law principles, online sports wagering can be conducted “at” an authorized casino so long as the acceptance and ultimate placement of the wager occurs at a server located at one of the licensed casinos.  See Gibson Dunn, New York State Legalizes Online Sports Wagering (April 13, 2021), https://www.gibsondunn.com/new-york-state-legalizes-online-sports-wagering/.


Gibson Dunn’s lawyers are available to assist with any questions you may have regarding these developments. Please feel free to contact the Gibson Dunn lawyer with whom you usually work, any member of the firm’s Litigation or Appellate and Constitutional Law practice groups, or the following authors:

Matthew L. Biben – New York (+1 212-351-6300)

Mylan L. Denerstein – New York (+1 212-351-3850)

Akiva Shapiro – New York (+1 212-351-3830)

Alyssa B. Kuhn – New York (+1 212-351-2653)

Todd W. Shaw – Washington, D.C. (+1 202-955-8245)


Munich partner Mark Zimmer and Frankfurt associate Linda Vögele are the authors of “Mehr Macht den Frauen – Das FüPoG II in Privatwirtschaft und öffentlichem Dienst” [PDF] published in the March 2022 issue of the German publication BWV (Bundeswehrverwaltung), together with Adrian Sichma. The article discusses the Second Leadership Positions Act (FüPoG II), containing new requirements for greater gender equality in key leadership functions.


As Russia continues to wage its unlawful war against Ukraine, in recent weeks Russia has severely restricted free expression within its borders.  While journalists in Russia have long had to navigate a host of draconian laws designed to stifle free expression and limit media coverage critical of the government,[1] these new measures amount to a drastic escalation.  Through both administrative and legislative measures, Russia has totally restricted several media outlets from operating in Russia.  Among other things, Russia is threatening harsh criminal and monetary penalties against those who report on the conflict as a war or an invasion.

The catalyst for the new restrictions is Russia’s desire to control the public narrative associated with the war.  Russia’s media agency, Roskomnadzor, has blocked access to media platforms (including social media) and news outlets on a variety of alleged bases, including that certain outlets and platforms were allegedly spreading misinformation about Russia’s actions in Ukraine and restricting access to government-backed media.[2]

Concurrently, Russia adopted amendments to the Criminal Code that introduce prison terms of up to 15 years for persons convicted of disseminating “knowingly false information” about military operations.[3]  The same law introduces a maximum penalty of five years imprisonment for “discrediting” and “calling for obstruction” of the use of the Russian armed forces.[4]  In practice, these new measures grant Russia broad authority to impose harsh penalties for any criticism of Russia’s conduct against Ukraine.  Under the serious threat of criminal prosecution, major foreign news outlets, as well as prominent independent Russian news outlets, have been forced to take significant measures.  Some have suspended operations in Russia,[5] removed content regarding Russia’s attacks on Ukraine,[6] or shut down entirely.[7]

In addressing recent legislative amendments, three Special Rapporteurs of the United Nations’ Human Rights Council have observed that “[w]hile the government claims that the purpose of the new legislation is to protect the ‘truth’ about what it euphemistically calls a ‘special military operation’ in Ukraine, in reality the law places Russia under a total information blackout on the war and in so doing gives an official seal of approval to disinformation and misinformation.”[8] The Special Rapporteurs explain that “[b]y restricting reporting and blocking access to information online the authorities are not only choking the last vestiges of independent, pluralistic media in Russia, but they are also depriving the population of their right to access diverse news and views at this critical time when millions of Russians legitimately want to know more about the situation in Ukraine.”[9]

Russia’s restrictions on the media violate its international human rights obligations.  In addition, Russia’s actions may also breach obligations it owes foreign investors under investment treaties to which it is party.  Below, we set out options that may be available to affected media companies and journalists seeking to challenge Russia’s actions.

Claims Before Human Rights Bodies

At this time and until September 16, 2022, Russia is a party to the European Convention on Human Rights (the “European Convention”).  While Russia was removed from the Council of Europe on March 16,[10] the Committee of Ministers (the Council of Europe’s statutory decision-making body)[11] and the European Court of Human Rights (“ECHR”)[12] have confirmed that Russia will remain a party to the European Convention until September 16.  Accordingly, the ECHR “remains competent to deal with applications directed against the Russian Federation in relation to acts or omissions capable of constituting a violation of the Convention provided that they occurred until 16 September 2022.”[13]

Pursuant to the European Convention, Russia must guarantee physical and legal persons in its jurisdiction basic human rights, including the right to free expression.[14]  Russia’s actions to suppress the media are clear violations of its obligations under the European Convention, and any effort by Russia to enforce its new censorship laws may amount to further violations.  Thus, media companies and journalists who have been impacted by Russia’s recent measures may be able to seek remedies for these violations before the ECHR.[15]

To successfully bring an application before the ECHR, applicants must: (i) satisfy the jurisdictional and admissibility criteria required by the European Convention; and (ii) demonstrate a violation of the European Convention.

To have standing before the ECHR, a person (either physical or legal) must be able to show that a party to the European Convention committed a violation of the European Convention against them within its jurisdiction,[16] and that they were “directly affected” by the violation.[17]  In addition, an applicant should seek to exhaust remedies in the jurisdiction whose actions are being challenged and bring a claim within four months of a final decision.[18]  This requirement, however, is not a hard and fast rule, and “must take realistic account not only of the existence of formal remedies in the legal system of the Contracting Party concerned but also of the general legal and political context in which they operate as well as the personal circumstances of the applicants.”[19]  In this case, an applicant could argue there is an “administrative practice” of censoring journalists in Russia that renders exhaustion of local remedies futile or ineffective.[20]  In this context, any application should be brought within four months of the applicant receiving notice of the act that is the subject of the application or any prejudicial effect arising from the act.[21]

On the merits, Russia’s measures appear to be clear violations of its obligations under the European Convention.  The European Convention states that “[e]veryone has the right to freedom of expression. This right shall include freedom to hold opinions and to receive and impart information and ideas without interference by public authority and regardless of frontiers.”[22] Legislation that causes potential authors to adopt a form of self-censorship, as is the case in Russia, can amount to an interference with the right to freedom of expression.[23]  Free expression can only be limited if the restriction is: (i) provided for by law, (ii) in pursuit of a legitimate aim, and (iii) necessary and proportionate to achieve that aim.[24]

With respect to (i), the ECHR has held that domestic laws that restrict freedom of expression must be formulated “with sufficient precision to enable the person concerned to regulate his or her conduct: he or she needed to be able – if need be with appropriate advice – to foresee, to a degree that was reasonable in the circumstances, the consequences that a given action could entail.”[25]  The ECHR has further emphasized that “indiscriminate blocking measure[s] which interfere[] with lawful content . . . as a collateral effect of a measure aimed at illegal content . . . amounts to arbitrary interference” with the right to free expression.[26]  Here, Russia has, for example, criminalized “discrediting” and “calling for obstruction” of the use of the Russian military.  These vague terms could arguably extend to any form of criticism of the Russian military.

With respect to (ii), while Russia contends that the restrictions are necessary for national security, it is widely acknowledged that the purpose of these restrictions is to suppress criticism and dissent of Russia’s unlawful war.  As the Special Rapporteurs note, these new restrictions are “yet another drastic step in a long string of measures over the years, restricting freedom of expression and media freedom and further shrinking the civic space in the Russian Federation.”[27]  Indeed, in recent cases against Russia, the ECHR has concluded that Russia has acted with an “ulterior purpose” to “suppress political pluralism.”[28]  In any event, the ECHR has concluded that where opinions do not incite violence, a state cannot rely on the defense of national security to restrict the public’s right to be informed by using criminal law to influence the media.[29]

With respect to (iii), there is no basis for Russia to contend that these laws are necessary and proportionate.  As Professor Marko Milanovic of the University of Nottingham School of Law has explained, these laws “are almost entirely divorced from addressing specific harms caused by speech, and they are so overbroad that they generate a veritable storm of chilling effects on speech in the public interest (indeed, that’s their whole point).”[30]  In cases involving the suspension of media publication and distribution, the ECHR has held that “[t]he practice of banning the future publication of entire periodicals . . . went beyond any notion of ‘necessary’ restraint in a democratic society and, instead, amounted to censorship.”[31]

A successful applicant will receive relief in the form of a declaration that the State’s laws or actions are in violation of the European Convention, as well as just satisfaction, i.e., monetary compensation, for damages incurred.[32]

In addition to the ECHR, other human rights mechanisms may be available to hold Russia accountable for its violations of human rights.  For example, Russia is also currently a State Party to the International Covenant on Civil and Political Rights (“ICCPR”) as well as the First Optional Protocol to the ICCPR.[33]   Similar to its obligations under the European Convention, Russia is also obligated under the ICCPR to guarantee persons in its jurisdiction basic human rights, including the right to free expression.[34]  Individuals who have been impacted by Russia’s recent measures may therefore also be able to seek remedies for violations of the ICCPR before the Human Rights Committee at the United Nations.  Unlike the ECHR, only physical persons can submit complaints to the Human Rights Committee.[35]  In addition, if the same matter has been submitted to another treaty body or regional human rights mechanism (like the ECHR), the Human Rights Committee cannot examine the complaint.[36]

Claims Under Bilateral Investment Treaties

As will be addressed in a forthcoming alert regarding potential international arbitration remedies arising from Russia’s recent conduct, Russia is a party to multiple bilateral investment treaties (“BITs”) pursuant to which it owes certain obligations to qualifying foreign investors from states with which it has BITs and their investments.  These obligations include, among others, the obligation to treat investors and their investments fairly and equitably and not to expropriate investments without the payment of adequate compensation.  To the extent media entities (or other companies and individuals) qualify as investors with investments under one of these treaties and have suffered breaches of a BIT due to Russia’s actions, these investors may be able to submit such claims in international arbitration directly against the Russian state.

____________________________

[1] See, e.g., Russia: New assault on independent media, NGOs and activists through suffocating fines, Amnesty International (Oct. 29, 2018), https://www.amnesty.org/en/latest/news/2018/10/russia-new-assault-onindependent-media-ngos-and-activists-through-suffocating-fines/; Russia: New bills criminalising insults to the State and spread of ‘fake news’ threaten freedom of expression, Article 19 (Jan. 25, 2019), https://www.article19.org/resources/russia-new-bills-criminalising-online-insults-of-state-and-the-spread-of-fake-news-threaten-freedom-of-expression/; Russia advances legislation on ‘fake news’ and ‘disrespecting authorities’, Committee To Protect Journalists (Mar. 7, 2019), https://cpj.org/2019/03/russia-advances-legislation-on-fake-news-and-disre/; Letter from Special Rapporteur on the promotion and protection of the right to freedom of opinion and expression to the Government of Russia (May 1, 2019), here; Russian Federation: “Fake News” Bill Prompted By COVID-19 Threatens Freedom Of Expression, Amnesty International (Apr. 3, 2020), https://www.amnesty.org/download/Documents/EUR4620932020ENGLISH.pdf.

[2] See, e.g., Elizabeth Culliford, Russia blocks Facebook, accusing it of restricting access to Russian media, Reuters (Mar. 4, 2022, 7:16 PM), https://www.reuters.com/business/media-telecom/russia-blocks-facebook-accusing-it-restricting-access-russian-media-2022-03-04/; Shannon Bond & Bobby Allyn, Russia is restricting social media. Here’s what we know, NPR (Mar. 11, 2022, 1:57 PM), https://www.npr.org/2022/03/07/1085025672/russia-social-media-ban; Russia blocks Ekho Moskvy and Dozhd TV, restricts social media access, Committee to Protect Journalists (Mar. 1, 2022, 5:48 PM), https://cpj.org/2022/03/russia-blocks-echo-of-moscow-and-dozhd-tv-restricts-social-media-access/.  See also Об ограничении доступа к социальной сети Instagram (About restricting access to the social network Instagram), Roskomnadzor (Mar. 11, 2022), https://rkn.gov.ru/news/rsoc/news74180.htm; Приняты меры по защите российских СМИ (Measures taken to protect Russian media), Roskomnadzor (Feb. 25, 2022), https://rkn.gov.ru/news/rsoc/news74108.htm; Приняты ответные меры на ограничение доступа к российским СМИ (Response measures taken to restrict access to Russia media), Roskomnadzor (Mar. 4, 2022), https://rkn.gov.ru/news/rsoc/news74156.htm.

[3] See UN rights experts raise alarm over Russia’s ‘choking’ media clampdown at home, UN News (Mar. 11, 2022), https://news.un.org/en/story/2022/03/1113762.

[4] See UN rights experts raise alarm over Russia’s ‘choking’ media clampdown at home, UN News (Mar. 11, 2022), https://news.un.org/en/story/2022/03/1113762.

[5] See, e.g., Michael M. Grynbaum, The New York Times Pulls Its News Staff From Russia, N.Y. Times (Mar. 8, 2022), https://www.nytimes.com/2022/03/08/business/media/new-york-times-russia-press-freedom.html; Oliver Darcy, CNN, BBC, and others suspend broadcasting from Russia after Putin signs law limiting press, CNN (Mar. 4, 2022, 10:05 PM), https://www.cnn.com/2022/03/04/media/bbc-cnn-russia-putin-media-law/index.html; Ukraine war: BBC News journalists resume English-language broadcasts from Russia, BBC News (Mar. 8, 2022), https://www.bbc.com/news/entertainment-arts-60667770.

[6] See, e.g., Russia’s Novaya Gazeta cuts Ukraine war reporting under censorship, Reuters, (Mar. 4, 2022, 11:55 AM), https://www.reuters.com/world/russias-novaya-gazeta-cuts-ukraine-war-reporting-under-censorship-2022-03-04/.

[7] See, e.g., Anton Troianovski, Russia Takes Censorship to New Extremes, Stifling War Coverage, N.Y. Times (Mar. 4, 2022), https://www.nytimes.com/2022/03/04/world/europe/russia-censorship-media-crackdown.html; Anton Troianovski, Last Vestiges of Russia’s Free Press Fall Under Kremlin Pressure, N.Y. Times (Mar. 3, 2022), https://www.nytimes.com/2022/03/03/world/europe/russia-ukraine-propaganda-censorship.html.

[8] UN rights experts raise alarm over Russia’s ‘choking’ media clampdown at home, UN News (Mar. 11, 2022), https://news.un.org/en/story/2022/03/1113762.

[9] UN rights experts raise alarm over Russia’s ‘choking’ media clampdown at home, UN News (Mar. 11, 2022), https://news.un.org/en/story/2022/03/1113762.

[10] Council of Europe, Ministers’ Deputies Decision CM/Del/Dec(2022)1428ter/2.3, Consequences of the aggression of the Russian Federation against Ukraine (Mar. 16, 2022), https://search.coe.int/cm/pages/result_details.aspx?objectid=0900001680a5d7d9.  See also Committee of Ministers, The Russian Federation is excluded from the Council of Europe, Council of Europe (Mar. 16, 2022), https://www.coe.int/en/web/cm/news/-/asset_publisher/hwwluK1RCEJo/content/the-russian-federation-is-excluded-from-the-council-of-europe/16695; European Convention, Art. 58(3) (“Any High Contracting Party which shall cease to be a member of the Council of Europe shall cease to be a Party to this Convention under the same conditions.”).

[11] Council of Europe, Ministers’ Deputies Resolution CM/Res(2022)3, On legal and financial consequences of the cessation of membership of the Russian Federation in the Council of Europe (Mar. 23, 2022), https://search.coe.int/cm/pages/result_details.aspx?objectid=0900001680a5ee2f.  See also Committee of Ministers, Russia ceases to be a Party to the European Convention on Human Rights on 16 September 2022, Council of Europe (Mar. 23, 2022), https://www.coe.int/en/web/portal/-/russia-ceases-to-be-a-party-to-the-european-convention-of-human-rights-on-16-september-2022.

[12] European Court of Human Rights, Resolution of the European Court of Human Rights on the consequences of the cessation of membership of the Russian Federation to the Council of Europe in light of Article 58 of the European Convention on Human Rights (Mar. 23, 2022), here.

[13] European Court of Human Rights, Resolution of the European Court of Human Rights on the consequences of the cessation of membership of the Russian Federation to the Council of Europe in light of Article 58 of the European Convention on Human Rights (Mar. 23, 2022), here.

[14] Convention for the Protection of Human Rights and Fundamental Freedoms, Nov. 4, 1950, available at https://www.echr.coe.int/documents/convention_eng.pdf (hereinafter “European Convention”).

[15] The ECHR may receive applications from any “person, non-governmental organisation or group of individuals.”  European Convention, Art. 34.  This includes companies that do not exercise governmental or other powers beyond those conferred by ordinary private law.  See Slovenia v. Croatia, App. No. 54155/16, Grand Chamber Decision, Nov. 18, 2020, §§ 61-63, https://hudoc.echr.coe.int/eng?i=001-206897.

[16] See European Convention, Art. 1.

[17] Roman Zakharov v. Russia, App. No. 47143/06, Judgment, Dec. 4, 2015, § 164, https://hudoc.echr.coe.int/eng?i=001-159324.

[18] See European Convention, Art. 35(1).

[19] Akdivar and Others v. Turkey, App. No. 21893/93, Judgment, Sept. 16, 1996, § 69, https://hudoc.echr.coe.int/eng?i=001-58062.

[20] See Ukraine v. Russia (re Crimea), App. Nos. 20958/14 and 38334/18, Grand Chamber Decision, Dec. 16, 2020, §§ 260-63, 363-68, https://hudoc.echr.coe.int/eng?i=001-207622; Georgia v. Russia (II), App. No. 38263/08, Grand Chamber Judgment, Jan. 21, 2021, §§ 98-99, 220-21, https://hudoc.echr.coe.int/eng?i=001-207757.

[21] See Dennis and Others v. The United Kingdom, App No. 76573/01, Decision, July 2, 2002, https://hudoc.echr.coe.int/eng?i=001-22838 (“[T]he object of the [four] month time limit under Article 35 § 1 is to promote legal certainty, by ensuring that cases raising issues under the Convention are dealt with in a reasonable time and that past decisions are not continually open to challenge.”).

[22] European Convention, Art. 10.

[23] Altuğ Ganer Akçam v. Turkey, App. No. 27520/07, Judgment, Jan. 25, 2012, §§ 67-83, https://hudoc.echr.coe.int/eng?i=001-107206; Vajnai v. Hungary, App. No. 33629/06, Judgment, July 8, 2008, § 54, https://hudoc.echr.coe.int/eng?i=001-87404.

[24] See European Convention, Art. 10(2).

[25] Perinçek v. Switzerland, App. No. 27510/08, Grand Chamber Judgment, Oct. 15, 2015, § 131, https://hudoc.echr.coe.int/eng?i=001-158235.

[26] OOO Flavus and Others v. Russia, App. Nos. 12468/15, 23489/15, 19074/16, Judgment, June 23, 2020, § 38, https://hudoc.echr.coe.int/eng?i=001-203178.  See also Vladimir Kharitonov v. Russia, App. No. 10795/14, Judgment, June 23, 2020, § 46, https://hudoc.echr.coe.int/eng?i=001-203177 (“The Court reiterates that it is incompatible with the rule of law if the legal framework fails to establish safeguards capable of protecting individuals from excessive and arbitrary effects of blocking measures”).

[27] UN rights experts raise alarm over Russia’s ‘choking’ media clampdown at home, UN News (Mar. 11, 2022), https://news.un.org/en/story/2022/03/1113762.

[28] Navalnyy v. Russia (No. 2), App. No. 43734/14, Apr. 9, 2019, §§ 96-98, https://hudoc.echr.coe.int/eng?i=001-192203.  See also Marko Milanovic, The Legal Death of Free Speech in Russia, EJIL:Talk! (March 8, 2022), https://www.ejiltalk.org/the-legal-death-of-free-speech-in-russia/.

[29] See Gözel et Özer v. Turkey, App. Nos. 43453/04 and 31098/05, Judgment, July 6, 2010, § 56, https://hudoc.echr.coe.int/eng?i=001-99780.

[30] Marko Milanovic, The Legal Death of Free Speech in Russia, EJIL:Talk! (Mar. 8, 2022), https://www.ejiltalk.org/the-legal-death-of-free-speech-in-russia/.

[31] See Ürper and Others v. Turkey, App. Nos. 14526/07 et al., Judgment, Oct. 20, 2009, § 44, https://hudoc.echr.coe.int/eng?i=001-95201.

[32] European Convention, Art. 41.

[33] Ratification Status for Russian Federation, UN Treaty Body Database, here (last available Mar. 23, 2022).

[34] See International Covenant on Civil and Political Rights, Mar. 23, 1976, available at https://treaties.un.org/doc/Treaties/1976/03/19760323%2006-17%20AM/Ch_IV_04.pdf.

[35] See A Newspaper Publishing Company v. Trinidad and Tobago, Communication No. 360/1989, U.N. Doc. Supp. No. 40 (44/A/40) (1989).

[36] See Optional Protocol to the International Covenant on Civil and Political Rights, Mar. 23, 1976, available at https://treaties.un.org/doc/Treaties/1976/03/19760323%2007-37%20AM/Ch_IV_5p.pdf, Art. 5(2)(a).  See also European Convention, Art. 35(2)(b).


The following Gibson Dunn lawyers prepared this client alert: Rahim Moloo, Charline Yim, Marryum Kahloon, and Nadia Alhadi in New York.


© 2022 Gibson, Dunn & Crutcher LLP


On March 15, 2022, President Joe Biden signed into law the Cyber Incident Reporting for Critical Infrastructure Act, which was included in an omnibus appropriations bill.[1]  Against the backdrop of high-profile cyberattacks on critical infrastructure providers and growing concerns of retaliatory cyberattacks relating to Russia’s invasion of Ukraine, the House approved the bipartisan legislation on March 9 and the Senate unanimously approved the legislation on March 11 after failing to pass similar legislation in recent years.

The Act creates two new reporting obligations on owners and operators of critical infrastructure:

  • An obligation to report certain cyber incidents to the Cybersecurity and Infrastructure Security Agency (CISA) of the U.S. Department of Homeland Security (DHS) within 72 hours, and
  • An obligation to report ransomware payments within 24 hours.

The new reporting obligations will not take effect until the Director of CISA promulgates implementing regulations, including “clear description[s] of the types of entities that constitute covered entities.”[2]  The Act does provide guideposts for which entities may be covered and refers to the Presidential Policy Directive 21 from 2013, which deems the following sectors as critical infrastructure: chemical; commercial facilities; communications; critical manufacturing; dams; defense industrial base; emergency services; energy; financial services; food and agriculture; government facilities; healthcare and public health; information technology; nuclear reactors, materials, and waste; transportation systems; and water and wastewater systems.[3]

The Act considerably expands the reporting obligations of covered entities and CISA’s role with respect to cyber reporting initiatives, the rulemaking process, and information sharing among federal agencies.  Below is a summary of the legislation, as well as key takeaways.

I. The Act’s Impact on Covered Entities

A.    Reporting Obligations

Under the Act, covered entities that experience a “covered cyber incident” are required to report the incident to CISA no later than 72 hours after the entity “reasonably believes” that such an incident has occurred.[4]  The Act defines a “covered cyber incident” as one that is “substantial” and meets the “definition and criteria” to be set by the CISA Director in the forthcoming rulemaking process.[5]  In addition, covered entities are also required to report any ransom payments made as a result of a ransomware attack to CISA no later than 24 hours after making the payment.[6]  Entities are required to report ransom payments even if the underlying ransomware attack is not a covered cyber incident.[7]  If a covered entity experiences a covered incident and remits a ransom before the 72-hour deadline, it may submit a single report to satisfy both reporting requirements.[8]  Covered entities that are required to report cyber incidents or ransom payments also will be required to preserve relevant data.[9]  Although the Act specifies some of the content that reports should contain,[10] the CISA Director will further prescribe report contents through the rulemaking process.

After reporting a covered incident, covered entities will be required to submit updates as “substantial new or different information becomes available” until the covered entity notifies CISA that the incident has been fully mitigated and resolved.[11]  Such supplemental reports will need to address whether a covered entity made a ransom payment after submitting the initial report.

To “enhance the situational awareness of cyber threats,” the legislation provides for voluntary reporting of incidents and ransom payments by non-covered entities, as well as the voluntary provision of additional information beyond what is mandatory by covered entities.[12]  Required and voluntary reporting will receive the same protections, further described below.

Notably, the Act creates an exception whereby its reporting requirements will not apply to covered entities that, “by law, regulation, or contract,” are already required to report “substantially similar information to another Federal agency within a substantially similar timeframe.”[13]  However, this exception will be available only if the relevant federal agency has an “agency agreement and sharing mechanism” in place with CISA.

B.    Protections for Reporting Entities

Recognizing some of the concerns relating to reporting, the Act protects reporting entities from certain liability associated with the submission of required or voluntary reports.  Under the Act, submitted cyber incident and ransom payment reports cannot be used by CISA, other federal agencies, or any state or local government to regulate, including through enforcement action, the activities of the covered entity that submitted the report.[14]

In addition, submitted reports must:

  • Be considered commercial, financial, and proprietary information if so designated;
  • Be exempt from disclosure under freedom of information laws and similar disclosure laws;
  • Not constitute a waiver of any applicable privilege or protection provided by law; and
  • Not be subject to a federal rule or judicial doctrine regarding ex parte communications.[15]

Certain additional protections further encourage compliance and recognize the concerns that victim companies may face in providing notifications.  Notably, the required reports, and material used to prepare the reports, cannot be received as evidence, subject to discovery, or used in any proceeding in federal or state court or before a regulatory body.[16]  Also, no cause of action can be maintained based on the submission of a report unless it is an action taken by the federal government to enforce a subpoena against a covered entity.  These liability protections only apply to litigation based on the submission of a cyber incident or ransom payment report to CISA, not the underlying cyber incident or ransom payment.[17]

II. CISA’s Oversight and Responsibilities under the Act

By considerably expanding CISA’s role, the Act essentially establishes CISA as the central federal agency responsible for cyber reporting for companies operating within a critical infrastructure sector, advancing the forthcoming rulemaking process, and coordinating with other agencies with respect to information sharing and new initiatives.

A.    Forthcoming Rulemaking

The Act provides some parameters for key definitions and processes, but ultimately requires CISA to spell out various requirements via rulemaking.  The legislation requires the CISA Director—in consultation with Sector Risk Management Agencies, the Department of Justice, and other federal agencies—to issue a notice of proposed rulemaking within 24 months.[18]  The Director must issue a final rule within 18 months of issuing the proposed rule.[19]  Among other items, the Director will need to issue regulations concerning which entities are covered by the requirements, the types of substantial cyber incidents that the Act covers, data preservation, and the manner, timing, and form of reports.

Once the final rule is issued, CISA will conduct an outreach and education campaign to inform likely covered entities and supporting cybersecurity providers of the Act’s requirements.[20]

B.    Information Assessment and Sharing

The Act requires CISA to aggregate, analyze, and share information learned from submitted reports to provide government agencies, Congress, companies, and the public with an assessment of the constantly evolving cyber threat landscape.  (When sharing information with non-federal entities and the public, CISA is required to anonymize the victim entities that filed report(s).[21])

Some of the responsibilities of CISA’s National Cybersecurity and Communications Integration Center (“the Center”) include immediately reviewing submitted reports to determine whether the incident relates to an ongoing cyber threat or security vulnerability.[22]  Moreover, the legislation enhances federal cyber incident sharing.  The Center is required to make reports available to relevant Sector Risk Management Agencies and appropriate federal agencies within 24 hours of receipt.[23]  Similarly, federal agencies that receive incident reports (including from non-covered entities) must submit them to CISA no later than 24 hours following receipt.[24]

The Act sets forth authorized uses and sharing of submitted reports.  Information may be disclosed to, retained by, and used by federal agencies solely for: a cybersecurity purpose; to identify a cyber threat or security vulnerability; to respond to, prevent or mitigate specific threats of death, serious bodily harm, or serious economic harm; to respond to or prevent a serious threat to a minor; or to respond to an offense arising out of a reported incident.[25]

Among other items, the Center is tasked with establishing mechanisms to receive feedback from stakeholders, facilitating timely information sharing with critical infrastructure companies, and publishing quarterly unclassified reports on cyber incident trends and recommendations.[26]  The Act also imposes on CISA several congressional reporting requirements, including briefings to describe stakeholder engagement with rulemaking and enforcement mechanism effectiveness.[27]

C.    Enforcement

The Act provides several enforcement mechanisms.  If a covered entity fails to submit a required report, the CISA Director may obtain information about the cyber incident or ransom payment by directly engaging with the covered entity “to gather information sufficient to determine whether a covered cyber incident or ransom payment has occurred.”[28]  If the covered entity does not respond to the initial information request within 72 hours, the CISA Director may issue a subpoena.  Failure to comply with the subpoena – or information furnished in response to a subpoena – may result in the referral of the matter to the Department of Justice for enforcement.[29]

Additionally, the Act denies covered entities some of the protections detailed above if they do not comply with its reporting requirements.

Under the Act, the CISA Director must provide an annual report to Congress that conveys anonymized information about the number of initial requests for information, issued subpoenas, and referred enforcement matters.[30]  This report will be published on CISA’s website.

D.    Forthcoming Initiatives

Finally, the Act sets forth several initiatives to enhance cybersecurity coordination efforts:

  • Cyber Incident Reporting Council: The Act calls for DHS to lead an intergovernmental Cyber Incident Reporting Council to “coordinate, deconflict, and harmonize Federal incident reporting requirements[.]”[31]
  • Ransomware Vulnerability Warning Pilot Program: No later than one year after the Act’s enactment, CISA is required to establish a new Ransomware Vulnerability Warning Pilot Program.[32]  Leveraging existing authorities and technology, this program is tasked with identifying the most common security vulnerabilities used in ransomware attacks and techniques on how to mitigate and contain the security vulnerabilities.
  • Joint Ransomware Task Force: The Act instructs the CISA Director to establish and chair the Joint Ransomware Task Force “to coordinate an ongoing nationwide campaign against ransomware attacks, and identify and pursue opportunities for international cooperation.”[33]

III. Takeaways

Once in effect, the Act will considerably expand reporting considerations for some entities.  Accordingly, companies should consider the following next steps:

  • Companies in Many Sectors Are Potentially Subject to the New Reporting Requirements. Companies in the many industry sectors cited in Presidential Policy Directive 21 should closely monitor the proposed rulemaking and evaluate whether the Act’s requirements are likely to apply to their businesses.  Entities that may be covered by the Act may wish to comment during the rulemaking process, as the final rule will impose more detailed requirements.
  • Companies Should Identify Existing Reporting Obligations and Monitor Interagency Sharing Agreements. Although the Act’s reporting obligations will not become effective for some time, critical infrastructure entities should take steps now to prepare for potentially overlapping disclosure obligations.  As detailed above, the Act creates an exception whereby its reporting requirements will not apply to covered entities that file a substantially similar report with another federal agency.  However, this exception will be available only if the relevant federal agency has an agreement and sharing mechanism in place with CISA.  The law also authorizes federal (but not state) agencies to coordinate, deconflict and harmonize federal incident reporting obligations.

    In order to monitor developments in the harmonization of federal incident reporting obligations, as well as track agency sharing mechanisms, potentially impacted entities should first assess their other federal cybersecurity disclosure obligations.  Some of these obligations may stem from reporting obligations imposed on federal government contractors and recent executive orders.

    For instance, the Biden administration’s Executive Order in May 2021, “Improving the Nation’s Cybersecurity,” requires federal contractors to share information regarding incidents.[34]  In 2021, the Transportation Security Administration also issued a directive which requires pipeline entities to report confirmed and potential incidents.[35]

    Public companies should also consider whether reports submitted under the Act may prompt disclosures under the SEC’s newly proposed rule, which requires public disclosure of material cybersecurity incidents within four business days.[36]

    Finally, the recent reporting developments should be assessed against a heightened enforcement backdrop—namely, the DOJ’s Civil Cyber-Fraud Initiative, which seeks to leverage the False Claims Act to hold accountable contractors and recipients of federal funds and grants that knowingly violate contractual obligations to monitor and report cybersecurity incidents and breaches.[37]
  • Companies May Need to Revisit their Cybersecurity Policies, Procedures, and Programs. In light of the Act’s requirements, potentially impacted entities should determine whether changes to their cyber programs may be required, examine their internal policies and procedures to reflect the Act’s requirements, and address and prepare for overlapping disclosure obligations under state, federal and international laws.

________________________

   [1]   See Cyber Incident Reporting for Critical Infrastructure Act of 2022, H.R. 2471, 116th Cong. (2022).

   [2]   H.R. 2471 § 2242(c)(1).  This provision provides that when promulgating the final rule to define “covered entities,” the CISA Director must consider the national security, economic security, and public health and safety consequences of a potential cyberattack on the entity, the likelihood that such an entity could be targeted, and the extent to which a cyberattack will enable disruption of the reliable operation of critical infrastructure.

   [3]   H.R. 2471 § 2240(5).  See also White House, Office of the Press Secretary, Presidential Policy Directive — Critical Infrastructure Security and Resilience, Feb. 12, 2013, available at https://obamawhitehouse.archives.gov/the-press-office/2013/02/12/presidential-policy-directive-critical-infrastructure-security-and-resil; CISA, Critical Infrastructure Sectors, available at https://www.cisa.gov/critical-infrastructure-sectors.

   [4]   H.R. 2471 § 2242(a)(1)(A).

   [5]   Id. at § 2240(4).  The legislation does not define “substantial.”

   [6]   H.R. 2471 § 2242(a)(2)(A).

   [7]   H.R. 2471 § 2242(a)(2)(B).

   [8]   H.R. 2471 § 2242(a)(5)(A).

   [9]   H.R. 2471 § 2242(a)(4).

  [10]   At a minimum, covered incident reports must convey certain information about the incident, including:

  • a description of the covered incident;
  • a description of the vulnerabilities exploited, security defenses in place, and tactics, techniques, and procedures used to perpetrate the incident;
  • information about the actor(s) reasonably believed to be responsible for the incident;
  • and the identification of categories of information that were, or are reasonably believed to have been, accessed or acquired by an unauthorized person.

See H.R. 2471 § 2242(c)(4).  The Act also details minimum reporting requirements for ransom payments.  See id. at § 2242(c)(5).

  [11]   H.R. 2471 § 2242(a)(3).

  [12]   H.R. 2471 § 2243.

  [13]   H.R. 2471 § 2242(a)(5).

  [14]   H.R. 2471 § 2245(a)(5)(A).

  [15]   H.R. 2471 § 2245(b).

  [16]   H.R. 2471 § 2245(c)(3).

  [17]   H.R. 2471 § 2245(c).

  [18]   H.R. 2471 § 2242(b)(1).

  [19]   H.R. 2471 § 2242(b)(2).

  [20]   H.R. 2471 § 2242(e).

  [21]   H.R. 2471 § 2245(d).

  [22]   H.R. 2471 § 2245(a)(2)(A).

  [23]   H.R. 2471 § 2241(a)(10).

  [24]   H.R. 2471 § 104(a)(1).

  [25]   H.R. 2471 § 2245(a)(1).

  [26]   H.R. 2471 § 2241(a).

  [27]   H.R. 2471 §§ 107; 2244(g).

  [28]   H.R. 2471 § 2244(a).

  [29]   H.R. 2471 § 2244(c)-(d).

  [30]   H.R. 2471 § 2244(g).

  [31]   H.R. 2471 § 2246(a).

  [32]   H.R. 2471 § 105.

  [33]   H.R. 2471 § 106(a)(1).

  [34]   See Exec. Order No. 14,028, 86 Fed. Reg. 26,633 (May 12, 2021).

  [35]   See Press Release, Dep’t of Homeland Security, DHS Announces New Cybersecurity Requirements for Critical Pipeline Owners and Operators (May 27, 2021), https://www.dhs.gov/news/2021/05/27/dhs-announces-new-cybersecurity-requirements-critical-pipeline-owners-and-operators.

  [36]   See Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, Exchange Act Release, No. 34-94382 (Mar. 9, 2022), available at https://www.sec.gov/rules/proposed/2022/33-11038.pdf; see also Gibson Dunn’s client alert on the SEC’s proposed rule, available at https://www.gibsondunn.com/sec-proposes-rules-on-cybersecurity-disclosure/.

  [37]   See Press Release, U.S. Dep’t of Justice, Deputy Attorney General Lisa O. Monaco Announces New Civil Cyber-Fraud Initiative (Oct. 6, 2021), https://www.justice.gov/opa/pr/deputy-attorney-general-lisa-o-monaco-announces-new-civil-cyber-fraud-initiative.


This alert was prepared by Ashlie Beringer, Alexander H. Southwell, Ryan T. Bergsieker, and Snezhana Stadnik Tapia.


© 2022 Gibson, Dunn & Crutcher LLP

Attorney Advertising:  The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

The United States and the European Union have issued or announced new export controls targeting Russia, Belarus, and the Russia-backed separatist regions of Ukraine known as the Donetsk People’s Republic and the Luhansk People’s Republic. These new controls include a substantial expansion of item-based licensing requirements, an extension of export licensing requirements to new products using or made with certain controlled software and technology, an expansion of military end use and end user controls, changes to the license review policy, and the modification of existing license exceptions for the Russia- and Belarus-specific context. More recent changes include prohibitions on the export of oil and gas refining equipment, bank notes, and luxury goods.

These changes, and concurrent Entity List designations, reflect significant export controls cooperation both internationally and between U.S. government agencies. As tensions continue to rise, we will likely see further tools from the NATO countries and their allies to exert economic pressure on Russia to de-escalate the ongoing crisis in Ukraine and withdraw its army from Ukraine’s borders. Hear from our experts about these developments and how companies should proactively assess their exposure to the export controls measures being discussed.



MODERATOR:

David Burns is Co-Chair of the firm’s National Security Practice Group and a partner in the Washington, D.C. office.  He previously served in senior positions in both the Criminal Division and National Security Division of the U.S. Department of Justice, most recently as Acting Assistant Attorney General of the Criminal Division.  Mr. Burns represents corporations and executives in federal, state, and regulatory investigations involving sanctions and export controls, theft of trade secrets and economic espionage, securities and commodities fraud, international and domestic cartel enforcement, and other health care, government contracting, and accounting fraud matters.

PANELISTS:

Patrick Doris is a partner in the London office advising financial sector clients and others on OFAC and EU sanctions violations, responses to major cyber-penetration incidents, and other matters relating to national supervisory and regulatory bodies.  Mr. Doris’ practice also includes transnational litigation, cross-border investigations, and compliance advisory for clients including major global investment banks, global corporations, leading U.S. operators in the financial sectors, and global manufacturing companies, among others.

Christopher T. Timura is Of Counsel in the Washington D.C. office. He counsels clients on compliance with U.S. and international customs, export controls, and economic sanctions law and represents them before the departments of State (DDTC), Treasury (OFAC and CFIUS), Commerce (BIS), Homeland Security (CBP and ICE), and Justice in voluntary and directed disclosures, civil and criminal enforcement actions and investment reviews. Working with in-house counsel, boards, and other business personnel, he helps to identify and leverage existing business processes to integrate international trade compliance, and CSR-related data gathering, analysis, investigation, and reporting throughout client business operations.

Richard Roeder is an associate in the Munich office who was previously seconded to the Washington, D.C. office and worked with the firm’s U.S. sanctions and export control team and assisted clients in managing the challenges posed by the divergence between U.S. and EU economic and financial sanctions. He advises clients in the banking, insurance, automotive, mining, oil and gas, healthcare and information technology industries in the areas of sanctions, anti-money-laundering and anti-corruption compliance.

Lindsay Wardlaw is a consultant at Amalie Trade Compliance Consulting.  Ms. Wardlaw advises clients on building and enhancing their trade compliance programs. Previously, Ms. Wardlaw worked as an associate at Gibson Dunn in the Washington, D.C. office, specializing in export controls, sanctions, antiboycott, customs, and CFIUS matters.


On 2 March 2022, Heads of State, Environment Ministers, and representatives from 175 countries endorsed a resolution at the United Nations Environment Assembly (“UNEA-5”) in Nairobi to negotiate an international legally binding agreement to “end plastic pollution” by the end of 2024 (the “UNEA Resolution”).[1]  The UNEA Resolution, End Plastic Pollution: Towards an Internationally Legally Binding Instrument, is the culmination of several years of negotiations and advocacy by governments, international organizations, and the private sector,[2] which pledges to address the full lifecycle of plastic—including its production, design, and disposal.[3]  Its adoption has been described as “a cure” for “plastic pollution,”[4] and “the most significant environmental multilateral deal since the Paris Accord [on Climate Change].”[5]  As discussed below, the ultimate treaty could have major repercussions on how plastics are regulated and used around the world with material implications for business.

I. Background

Over the last 5-10 years, national, local, and regional governments and international organizations have adopted a growing number of action plans and instruments to address plastic pollution and its interlinkages with biodiversity, climate change, health, and social issues.  At the national level, many countries have moved to limit or ban single-use plastics.[6]  There has also been a surge of interest in this issue at the multilateral level, including:

  • UN Environment’s Global Partnership on Marine Litter (2012),[7]
  • UN Environment Assembly Resolutions on Marine Litter and Microplastics (2014-),[8]
  • G7 Action Plan to Combat Marine Litter (2015),
  • G20 Action Plan on Marine Litter (2017),[9]
  • Ocean Plastics Charter (2018),[10]
  • Amendments to the Basel Convention on the Control of Transboundary Movements of Hazardous Wastes and their Disposal (“Basel Convention”) (2019),[11]
  • G20 Osaka Blue Ocean Vision and Implementation Framework (2019),[12]
  • Association of Southeast Asian Nations (“ASEAN”) Framework of Action on Marine Debris and the Bangkok Declaration on Combating Marine Debris (2019),[13]
  • ASEAN Regional Action Plan for Combating Marine Debris in the ASEAN Member States (2021–25),[14]
  • Asia-Pacific Economic Cooperation (“APEC”) Roadmap on Marine Debris (2019),[15]
  • Caribbean Community (“CARICOM”) St. Johns Declaration to Address Plastic Pollution in Caribbean Sea (2019),[16]
  • Alliance of Small Island States (“AOSIS”) Leaders Declaration (2021), and
  • The Ministerial Conference on Marine Litter and Plastic Pollution (2021).[17]

Although ubiquitous, plastics are currently not subject to any single international treaty regime.  For example, the 2018 amendments to the Basel Convention meant that, for the first time, transboundary shipments of plastic scrap and waste would be regulated, leading to new export and import requirements for many companies, including U.S. businesses.[18]  However, this did not address the majority of plastic products.  In addition, the proliferation of local, national, and regional initiatives has given rise to often differing and incompatible rules, imposing greater costs on the regulated industry.

For these reasons, a new international “Plastics Treaty”—focused on plastics as the central issue rather than as an incident to other subject areas—increasingly came to be seen as a key step in regulating global plastic production, use, and disposal, and has been advocated by many businesses looking for harmonized regulatory standards, predictable national targets, and common metrics to make their short- and long-term operational and investment decisions.[19]

II. The Roadmap for a New “Plastics Treaty”

As described below, the UNEA Resolution[20] provides substantive guidance on its key provisions and sets out the procedural roadmap for the new treaty:

A. Substantive Roadmap

The UNEA Resolution includes a number of provisions that indicate the likely contours of the new Plastics Treaty:

  • First, contrary to widespread expectations, the UNEA Resolution is not limited to marine plastics or marine debris; it also covers “other environments,” including land-based sources.
  • Second, it not only seeks to limit or reduce plastic pollution, but aims at “the long-term elimination of plastic pollution, in marine and other environments.”[21]
  • Third, it adopts a “full lifecycle” approach to plastic, covering all aspects of its production, use, and disposal.[22]
  • Fourth, it aims to foster coordination among existing international environmental treaties to “prevent plastic pollution and its related risks to human health and adverse effects on human well-being and the environment.”[23]
  • Fifth, it seeks to address all aspects of the “sustainable production and consumption of plastics,” including improved waste management, greater resource efficiency and the adoption of “circular economy” approaches.[24]
  • Sixth, it underlines the importance of sustainable design so that products and materials “can be reused, remanufactured or recycled and therefore retained in the economy for as long as possible along with the resources they are made of, as well as minimizing the generation of waste.”[25] This provision targets, in particular, single-use plastics.
  • Seventh, it notes specifically the need to regulate “microplastics” (i.e., the minuscule plastic fragments that are created by the breakdown of plastics over time or are intentionally manufactured into some products, such as cosmetics).[26]
  • Finally, it envisages a role for “all stakeholders, including the private sector,” in achieving the treaty objectives.[27]

B. Procedural Roadmap

The UNEA Resolution is but the first step in the treaty process, which is typical for the negotiation of multilateral environmental treaties.  It established an Intergovernmental Negotiating Committee (the “Committee”) that will begin its work during the second half of 2022, with the aim of completing a draft treaty by the end of 2024.[28]  The Committee will be working on the draft text, and attempt to resolve big divisions over how ambitious the treaty should be.  By the end of the year, the UN Environment Programme (“UNEP”) will also convene a stakeholder forum in conjunction with the first session of the Committee to share knowledge and best practices in different parts of the world.  When the Committee has completed its work on the draft text, UNEP will hold a diplomatic conference to formally adopt and open the new treaty for signature.[29]

III. Expectations of Global Divergence and Implications for Economy and Business

The new Plastics Treaty, if ultimately adopted, could have significant implications for the global economy and individual businesses.  The final Plastics Treaty will not spell an end for the use of plastics.  Indeed, the UNEA Resolution recognized “the important role of plastics for society.”[30]  However, the treaty, depending on its provisions, may lead to a sharp increase in compliance costs not only for the regulated industry and plastics manufacturers, but also for companies across the value chain, including consumer-facing companies.[31]

The treaty itself will likely not include detailed prescriptions: the UNEA delegates opted to model the Plastics Treaty on the 2015 Paris Agreement on Climate Change (the “Paris Agreement”), which, as a “bottom-up” treaty, relies on nationally-set commitments to attain the treaty’s objectives.  Under the Paris Agreement, countries can set their own binding targets using a range of policies.  Here too, we can expect that the final Plastics Treaty will allow individual States to adopt their own rules and regulations, in line with their national circumstances and capabilities, which will be reported and updated in national action plans.[32]

As a consequence, the final Plastics Treaty will likely eschew adopting a single approach and will allow the Contracting States to apply a range of approaches—from voluntary to binding rules.[33]  In terms of voluntary rules, many businesses already have in place targets for plastics through voluntary initiatives, such as the Global Commitment[34] and the Plastics Pact Network,[35] ReSource: Plastic,[36] and the World Economic Forum’s Global Plastic Action Partnership,[37] while some financial institutions are developing responsible investment practices that support a circular economy for plastics.[38]  But there is also a wide spectrum of binding rules, ranging from caps on plastic production, targets to increase waste collection and recycling, to commitments to phase out single-use plastics entirely or restrict manufacturing or design of plastic packaging, that could be imposed in implementation of the treaty.[39]  Finally, the treaty may provide a greater incentive for Governments to shift the cost of recycling or waste disposal to the manufacturers or, in the case of some developing countries, to the importers.  This too could impact long-term investment decisions and regulatory compliance for businesses across the value chain.

We can therefore expect to see considerable variation and stringency of rules across jurisdictions in terms of new regulatory measures aimed at curbing plastic pollution,[40] with the final rules being set by individual States.  Management of organizations will face the challenge of trying to map out the implications for their business and business models—which for some industries and sectors are likely to be significant—while the final rules and their implementation at national level are still being crystallized.  In this regard, especially given the short treaty negotiation timetable, it will be important that individual businesses, management, and boards start tracking these unfolding developments at all levels of government and think proactively about these issues and how they will likely impact their operations, investment decisions, and compliance.

__________________________

   [1]   U.N. Env’t Assemb. Draft Res., U.N. Doc. UNEP/EA.5/L.23/Rev.1, End Plastic Pollution: Towards an International Legally Binding Instrument (Mar. 2, 2022) (“UNEA Resolution”).

   [2]   The Business Call for a UN Treaty on Plastic Pollution, https://www.plasticpollutiontreaty.org/ (last visited Mar. 20, 2022).

   [3]   See Nations Sign Up to End Global Scourge of Plastic Pollution, UN News (Mar. 2, 2022), https://news.un.org/en/story/2022/03/1113142 (last visited Mar. 20, 2022); Historic Day in the Campaign to Beat Plastic Pollution: Nations Commit to Develop a Legally Binding Agreement, UN Env’t, Press Release (Mar. 2, 2022), https://www.unep.org/news-and-stories/press-release/historic-day-campaign-beat-plastic-pollution-nations-commit-develop (last visited Mar. 20, 2022).

   [4]   See id. (quoting Espen Barth Eide, President of UNEA-5 and Norway’s Minister for Climate and the Environment).

   [5]   See id. (quoting Inger Andersen, Executive Director of UN Environment).

   [6]   See, e.g., State Plastic Bag Legislation, Nat’l Conf. of State Legisl. (Feb. 8, 2021), https://www.ncsl.org/research/environment-and-natural-resources/plastic-bag-legislation.aspx (last visited Mar. 20, 2022); Victoria Masterson, As Canada Bans Bags and More, This Is What’s Happening with Single-Use Plastics Around the World, World Econ. Forum (Oct. 26, 2020), https://www.weforum.org/agenda/2020/10/canada-bans-single-use-plastics/ (last visited Mar. 20, 2022) (reviewing proposed ban in Canada and existing rules in Kenya, Zimbabwe, UK, New York, California, Hawaii, the EU, and China).  See also Kimiko de Freytas-Tamura, Public Shaming and Even Prison for Plastic Bag Use in Rwanda, N.Y. Times (Oct. 28, 2017), https://www.nytimes.com/2017/10/28/world/africa/rwanda-plastic-bags-banned.html (last visited Mar. 20, 2022).  Similarly, there are a number of such initiatives in the UK, including the UK Plastics Pact, a collaboration between businesses from across the entire plastics value chain, which is supported by the UK Government and coordinated by the Waste and Resources Action Programme (“WRAP”).  See The UK Plastics Pact, WRAP, https://wrap.org.uk/taking-action/plastic-packaging/the-uk-plastics-pact (last visited Mar. 20, 2022).  The UK is also introducing a world-leading plastic packaging tax from 1 April 2022, set at £200 per ton, on plastic packaging which does not meet a minimum threshold of at least 30% recycled content.  See The Plastic Packaging Tax (Descriptions of Products) Regulations 2021, 2021 No. 1417.

   [7]   Global Partnership on Marine Litter, UN Env’t, https://www.unep.org/explore-topics/oceans-seas/what-we-do/addressing-land-based-pollution/global-partnership-marine (last visited Mar. 20, 2022).

   [8]   See U.N. Env’t Assemb. Res. 1/6, U.N. Doc. UNEP/EA.1/Res.6, Marine Plastic Debris and Microplastics (2014); Res. 2/11, U.N. Doc. UNEP/EA.2/Res.11, Marine Plastic Litter and Microplastics (Aug. 4, 2016); Res. 3/7, U.N. Doc. UNEP/EA.3/Res.7, Marine Litter and Microplastics (Dec. 5, 2017); Res. 4/6, U.N. Doc. UNEP/EA.4/Res.6, Marine Plastic Litter and Microplastics (Mar. 28, 2019); Res. 4/7, U.N. Doc. UNEP/EA.4/Res.7, Environmentally Sound Management of Waste (Mar. 28, 2019); Res. 4/9, U.N. Doc. UNEP/EA.4/Res.9, Addressing Single-use Plastic Products Pollution (Mar. 28, 2019).

   [9]   G20 Action Plan on Marine Litter, 2017 G20 Hamburg Summit (July 8, 2017).

  [10]   Ocean Plastics Charter, launched at the G7 Charlevoix Summit (2018).

  [11]   New International Requirements for the Export and Import of Plastic Recyclables and Waste, U.S. Env’t Protection Agency, https://www.epa.gov/hwgenerators/new-international-requirements-export-and-import-plastic-recyclables-and-waste (last visited Mar. 20, 2022).  See also Basel Convention on the Control of Transboundary Movements of Hazardous Wastes and Their Disposal, opened for signature Mar. 22, 1989, 1673 U.N.T.S. 126 (entered into force May 5, 1992) [hereinafter Basel Convention]; The Secretariat of the Basel Convention, Basel Convention on the Control of Transboundary Movements of Hazardous Wastes and Their Disposal: Text and Annexes Revised in 2019 (2020).

  [12]   Towards Osaka Blue Ocean Vision – G20 Implementation Framework for Actions on Marine Plastic Litter, G20 Implementation Framework for Actions on Marine Plastic Litter, https://g20mpl.org/ (last visited Mar. 20, 2022).

  [13]   ASEAN Framework of Action on Marine Debris, ASEAN, https://environment.asean.org/wp-content/uploads/2019/06/ASEAN-Framework-of-Action-on-Marine-Debris-FINAL.pdf (last visited Mar. 20, 2022).

  [14]   ASEAN Regional Action Plan for Combating Marine Debris in the ASEAN Member States (2021-2025), ASEAN, https://asean.org/book/asean-regional-action-plan-for-combating-marine-debris-in-the-asean-member-states-2021-2025-2/ (last visited Mar. 20, 2022).

  [15]   APEC Roadmap on Marine Debris, APEC, https://www.apec.org/meeting-papers/annual-ministerial-meetings/2019/2019_amm/annex-b (last visited Mar. 20, 2022).

  [16]   Fortieth Regular Meeting of the Conference of Heads of Government of the Caribbean Community (July 2019), CARICOM, https://caricom.org/wp-content/uploads/DECISIONS-40-HGC-JUL-2019.pdf (last visited Mar. 20, 2022).

  [17]   Ministerial Conference on Marine Litter and Plastic Pollution: Informal Consultations Addressing the Mandates of UNEA 3/7 and 4/6 towards the 5th UN Environmental Assembly (UNEA-5.2) jointly organized by Ecuador, Germany, Ghana, and Vietnam, https://ministerialconferenceonmarinelitter.com/ (last visited Mar. 20, 2022).

  [18]   The new Basel Convention requirements for transboundary shipments of plastic scrap and waste took effect on January 1, 2021.  See U.S. EPA, supra note 11.

  [19]   See Business Call, supra note 2.

  [20]   UNEA Resolution, pmbl. (noting “with concern” that “the high and rapidly increasing levels of plastic pollution represent a serious environmental problem at a global scale, negatively impacting the environmental, social and economic dimensions of sustainable development.”).

  [21]   UNEA Resolution, pmbl.

  [22]   Id. ¶ 3.

  [23]   Id. pmbl.  This includes, inter alia, 1973 International Convention for the Prevention of Pollution from Ships and its 1978 Protocol, the Basel Convention on the Control of Transboundary Movements of Hazardous Wastes and their Disposal, the Stockholm Convention on Persistent Organic Pollutants, the Rotterdam Convention on the Prior Informed Consent Procedure for certain Hazardous Chemicals and Pesticides in International Trade, the United Nations Convention on the Law of the Sea, the 1972 Convention on the Prevention of Marine Pollution by Dumping of Wastes and Other Matters and its 1996 Protocol, the Strategic Approach to International Chemicals Management, the United Nations Framework Convention on Climate Change, the Convention on Biological Diversity.

  [24]   Id. ¶ 3(b).

  [25]   Id. pmbl.

  [26]   Id. pmbl.

  [27]   Id. ¶ 3(l).

  [28]   UNEA Resolution, ¶ 1.

  [29]   See UN Env’t, supra note 3.

  [30]   Id. pmbl.

  [31]   John Geddie & Joe Brock, “‘Biggest Green Deal since Paris’: UN Agrees Plastic Treaty Roadmap,” Reuters (Mar. 2, 2022), https://www.reuters.com/business/environment/biggest-green-deal-since-paris-un-agrees-plastic-treaty-roadmap-2022-03-02/ (last visited Mar. 20, 2022).

  [32]   UNEA Resolution, ¶ 3.

  [33]   Id. pmbl. (“underlining that there is no single approach”).  See also id. ¶¶ 3, 4, 15.

  [34]   The Global Commitment 2021 Progress Report, Ellen MacArthur Found., https://ellenmacarthurfoundation.org/global-commitment/overview (last visited Mar. 20, 2022).

  [35]   The Plastics Pact Network, Ellen MacArthur Found., https://ellenmacarthurfoundation.org/the-plastics-pact-network (last visited Mar. 20, 2022).

  [36]   ReSource Plastic, https://resource-plastic.com/ (last visited Mar. 20, 2022).

  [37]   Global Plastic Action P’ship, https://globalplasticaction.org/ (last visited Mar. 20, 2022).

  [38]   See Business Call, supra note 2.

  [39]   Indeed, one of the key proponents and drafters of the UNEA Resolution, Rwanda, more than a decade ago adopted strict bans on the import, production, use or sale of plastic bags and packaging.  See The World Is Awash in Plastic. Nations Plan a Treaty to Fix That, N.Y. Times (Mar. 2, 2022), https://www.nytimes.com/2022/03/02/climate/global-plastics-recycling-treaty.html.  See also supra note 6.

  [40]   UNEA Resolution, pmbl., ¶¶ 3 & 4.


Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments. Please contact the Gibson Dunn lawyer with whom you usually work, any member of the firm’s Environmental, Social and Governance (ESG), Transnational Litigation, or International Arbitration practice groups, or the following authors:

Perlette M. Jura – Los Angeles (+1 213-229-7121)
Susy Bullock – London (+44 (0) 20 7071 4283)
Selina S. Sagayam – London (+44 (0) 20 7071 4263)
Maria L. Banda – Washington, D.C. (+1 202-887-3678)


“Sandbagging” in the acquisition context refers to a situation where a buyer closes an acquisition on the basis of representations in the purchase agreement it knows to be false, then proceeds to sue the seller post-closing based on a breach of those same representations.  Although Delaware was historically regarded as a pro-sandbagging jurisdiction, the Delaware Supreme Court’s stance on sandbagging came into question following dicta contained in a 2018 decision, Eagle Force Holdings, LLC v. Campbell.  In Eagle Force, a footnote by Justice Valihura stated that the Supreme Court had not resolved the “interesting question” of “whether a party can recover on a breach of warranty claim where the parties know that, at signing, certain of them were not true,” while then-Chief Justice Strine in his partial dissent expressed “doubt” that a plaintiff can “turn around and sue because what he knew to be false remained so.”  But we now have a (mostly) clear statement on the subject from the Chancery Court.  In Arwood v. AW Site Services, LLC, Vice Chancellor Slights upheld a buyer’s claim for breach of representations, notwithstanding the sellers’ sandbagging objections based on the buyer’s extensive due diligence.

The Arwood decision arose out of a post-closing dispute over an alleged fraudulent billing scheme that caused a substantial overstatement of revenue.  After the closing, the sellers sued the buyer to release funds held in escrow.  The buyer countered with claims for fraud and breach of representations regarding the financial condition and lawful operations of the target business, in each case related to the alleged fraudulent billing scheme.  The Chancery Court dismissed most claims of both parties, but it upheld the buyer’s claim for breach of contract based on inaccurate representations.

Notably, the Court rejected the sellers’ sandbagging defense to the buyer’s breach of contract claim.  The sellers had asserted that, given the buyer’s intimate knowledge of the sellers’ business and unrestricted access to information in diligence, the buyer either knew the sellers’ representations to be untrue, or acted with reckless disregard for the truth.  As a result, the sellers contended, the buyer should be precluded from recovering based on breach of representations it knew or should have known to be false.  The Court disagreed: “In my view, Delaware is, or should be, a pro-sandbagging jurisdiction.  The sandbagging defense is inconsistent with our profoundly contractarian predisposition.”

The Court also distinguished between the standard required to prevail in a breach of contract claim as compared to a fraud claim.  The Court noted that, to prove fraud, the plaintiff must prove that its action was taken in justifiable reliance on the subject representation, and whether reliance is justified is measured in context, based on the plaintiff’s knowledge and experience as well as the relationship of the parties.  The Court concluded that recklessness on the part of the buyer in relying on representations it might easily have determined to be untrue can defeat a claim against the seller for fraud (because reliance was not “justified”), just as recklessness on the part of the seller in making inaccurate representations can result in fraud liability.  In the instant case, the Court found that the buyer’s complete access to information regarding the target business (where “the source of the fraud stared them in the face”), the buyer’s knowledge that the sellers did not have reliable financial systems and lacked sophistication, and the buyer’s financial savvy, rendered any reliance on the false representations unjustified.

However, the Court noted that reliance, justified or not, does not come into play in breach of contract cases premised on inaccurate representations.  All that mattered was that the seller made the representations as embodied within the contractual language.  “The reasonableness, or not, of [Buyer]’s reliance upon the sellers’ representations is not a relevant consideration in assessing the bona fides of [Buyer’s] indemnification claim.”  The sellers represented a fact to be true in the acquisition agreement and as such, the buyer was entitled to the benefit of the representation, regardless of any diligence conducted or what the buyer “should have known” as a result thereof.

Notwithstanding Arwood, the final word regarding Delaware’s position on sandbagging remains to be spoken: the opinion notes that, as expressed in Eagle Force, the Delaware Supreme Court has not yet conclusively resolved the issue.  In any event, under Arwood, to the extent the viability of sandbagging remains open in Delaware, it does so solely in the case of a buyer’s actual knowledge.  For Vice Chancellor Slights, whether a buyer had constructive knowledge of the truth is not relevant to the sandbagging inquiry, a position the Vice Chancellor believes is shared by the Delaware Supreme Court.  Or, as per an Arwood footnote, “I note that the term’s origin is consistent with this conclusion.  Sandbagging robbers knew their sock weapons were filled with sand; they did not swing socks at unsuspecting victims with reckless disregard for their weapons’ efficacy.”

Where does Arwood leave parties as to inclusion of sandbagging language in the acquisition agreement, and the effect of a buyer’s knowledge of falsity when the agreement is silent?  The Chancery Court indicated that in the absence of specific contractual language addressing the issue, the parties will have implicitly opted for Delaware’s default rule that permits sandbagging.  However, if the parties wish to provide for a different result, they remain free to include express anti-sandbagging clauses, which per the Court constitute “effective risk management tools that every transactional planner now has in her toolbox.”


Gibson Dunn’s lawyers are available to assist with any questions you may have regarding these issues. For further information, please contact the Gibson Dunn lawyer with whom you usually work, any member of the firm’s Mergers and Acquisitions or Private Equity practice groups, or the authors:

Robert B. Little – Dallas (+1 214-698-3260)
Marina Szteinbok – New York (+1 212-351-4075)


© 2022 Gibson, Dunn & Crutcher LLP

Attorney Advertising:  The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.


On 2 March 2022, the United States signed the Convention of 2 July 2019 on the Recognition and Enforcement of Foreign Judgments in Civil or Commercial Matters (the “Hague Judgments Convention” or the “Convention”).[1]  The Hague Judgments Convention seeks to enhance access to justice and facilitate international trade and investment by encouraging the free flow of judgments across national borders.[2]  It does so by providing a set of clear, predictable rules under which civil and commercial judgments rendered by the courts of one Contracting State are recognized and enforced in other Contracting States.  While not yet in force, the Hague Judgments Convention could provide an important complement to the widely adopted 1958 New York Convention on the Recognition and Enforcement of Foreign Arbitral Awards[3] (the “New York Convention”) (which provides for the recognition and enforcement of arbitral awards), as well as its sister treaty, the 2005 Hague Choice of Court Convention.[4]

I. Recognition of Foreign Judgments in the United States

At present, there is no federal law that governs the recognition of foreign judgments in the United States, nor is there an international treaty in force.  Rather, recognition and enforcement are a question of state law, although the rules are relatively consistent across all 50 U.S. states and the District of Columbia.[5]  Most U.S. states have modeled their approaches to foreign judgment recognition on the model laws promulgated by the National Conference of Commissioners on Uniform State Laws—the Uniform Foreign Money Judgments Recognition Act of 1962 (the “1962 Uniform Act”), or increasingly, the Uniform Foreign-Country Money Judgments Recognition Act of 2005 (the “2005 Uniform Act”).[6]

Generally, the United States favors recognition and enforcement of foreign judgments: in U.S. state and federal courts, foreign judgments are presumptively entitled to recognition and enforcement unless specific mandatory or discretionary grounds for non-recognition apply.[7]

II. The Hague Judgments Convention

The 2019 Hague Judgments Convention is the culmination of over 25 years of negotiations at the Hague Conference on Private International Law (the “Hague Conference”).[8]  The process began in 1992 at the request of the United States, which sought to develop a global approach to jurisdiction and recognition of judgments.[9]  The final text of the Hague Judgments Convention was eventually signed and opened for signature on 2 July 2019.  Signatory States in addition to the United States include Uruguay, Ukraine, Israel, Costa Rica, and the Russian Federation (in order of signature).[10]  The European Commission is also contemplating accession on behalf of the EU Member States.[11]  

[Map: Recognition of Arbitral Awards under the New York Convention and Foreign Judgments under the Hague Judgments Convention]

The Convention will enter into force as soon as the second State deposits its instrument of ratification, acceptance, approval, or accession.[12]  However, under Article 29 (the “bilateralization” clause), a Contracting State can prevent the application of the Convention to judgments rendered by the courts of a particular State by making a targeted declaration.[13]

The Convention applies to “the recognition and enforcement of judgments relating to civil or commercial matters.”[14]  It specifically excludes subjects that are fundamental to State sovereignty or public policy (such as criminal, revenue, customs, or administrative matters),[15] as well as other specialized areas, some of which are subject to other treaty regimes or where the rules vary more significantly across jurisdictions (such as matters involving family disputes, intellectual property, antitrust, defamation, privacy, or armed forces matters).[16]

The Convention, like most domestic laws, favors recognition.  It requires each Contracting State to recognize and enforce judgments from other Contracting States in accordance with its terms and permits refusal only on those grounds expressly set out in the Convention.[17]

Article 5(1) of the Convention sets out 13 “bases” of recognition and enforcement, including, inter alia, that:

  1. The judgment debtor is habitually resident in the foreign forum;
  2. The judgment debtor has their principal place of business in the foreign forum (and the claim on which the judgment is based arose out of the activities of that business);
  3. The judgment debtor expressly consented to the foreign court’s jurisdiction;
  4. The judgment debtor waived his jurisdictional objections by arguing on the merits in the forum state;
  5. The judgment ruled on a lease of immovable property (tenancy) and it was given by a court of the State in which the property is situated; or,
  6. The judgment ruled on a non-contractual obligation arising from death, physical injury, damage to or loss of tangible property, and the act or omission directly causing such harm occurred in the forum State, irrespective of where that harm occurred.

These bases for jurisdiction and enforcement echo the basic concepts found in domestic U.S. recognition and enforcement law,[18] including the constitutional due process requirements reflected in the notion of “minimum contacts” that U.S. courts require for the exercise of long-arm jurisdiction and the comity-based rules adopted by the U.S. Supreme Court in the seminal decision, Hilton v. Guyot, 159 U.S. 113 (1895).

If any of the jurisdictional tests (or “jurisdictional filters”[19]) in Article 5(1) is met, then the judgment is presumptively “eligible” for recognition and enforcement.[20]  Under Article 15, national law provides a further independent basis for recognition.[21]  In this sense, “the convention is a floor, not a ceiling.”[22]

Article 7 of the Convention, in turn, sets out discretionary bases for non-recognition, including, inter alia, the following:

  1. The defendant was not notified, or the manner of notification was incompatible with fundamental principles of service of documents in the forum State;
  2. The decision was obtained by fraud;
  3. Recognition or enforcement would be “manifestly incompatible” with the public policy of the recognizing State;
  4. The specific proceedings were incompatible with fundamental principles of procedural fairness of the recognizing State; or,
  5. The judgment is inconsistent with a judgment given by a court of the recognizing State in a dispute between the same parties.[23]

This too reflects the traditional non-recognition grounds found in most national legal systems, including that of the United States, such as inconsistency with the forum State’s public policy, due process violations, fraud, lack of notice or proper service, and conflict with other judgments.[24]

The Hague Judgments Convention is therefore in line with many precepts of existing U.S. recognition and enforcement law reflected in the 2005 Uniform Act.[25]  However, the Convention covers not only foreign money judgments, but civil and commercial decisions generally.

III. Implications for the Recognition of Foreign Judgments in the United States

The Convention could be “a gamechanger for cross-border dispute settlement”[26] by providing a set of consistent rules for the recognition and enforcement of foreign judgments, much like the New York Convention has been for the widespread adoption of arbitral awards.  Ultimately, a judgment in an international dispute is only as valuable as the judgment creditor’s ability to have it recognized and enforced abroad (where the judgment debtor or its assets may be found).  However, making the enforcement of foreign judgments easier can be a double-edged sword.  While a more robust and predictable enforcement regime can certainly be beneficial, that is only the case where the foreign court provides due process and a just outcome.

Ultimately, the force of the Hague Judgments Convention will depend on how widely it is signed and ratified.  Following the U.S. signature, the Hague Judgments Convention will not automatically come into force in the United States.  It must first undergo a ratification process in the U.S. Congress, a procedure that can in some cases take several years.  Ratification may be slower here due to the prevalence of state law (and absence of federal law) in this particular area.[27]

For U.S. litigants, if ultimately ratified by the United States, the Hague Judgments Convention could aid the recognition and enforcement of U.S. judgments in a wider range of countries, in particular in jurisdictions that may currently refuse recognition on reciprocity grounds (i.e., where a foreign court would not recognize a U.S. judgment unless convinced that its judgment would receive the same treatment by a U.S. court).  Similarly, the Convention could facilitate the recognition and enforcement of foreign judgments issued by courts of other Contracting States in U.S. courts (of course subject to the above-mentioned non-recognition defenses).  This would greatly increase the ability of both U.S. and non-U.S. litigants to obtain meaningful cross-border relief in transnational litigation.

Until the Hague Judgments Convention comes into force, global trade and investment will continue to be facilitated by alternative dispute resolution mechanisms, such as the New York Convention for arbitral awards, as discussed above, and the new Singapore Convention for international settlement agreements resulting from mediation.[28]  Thus, for now, international arbitration awards remain more portable than foreign judgments (in addition to other advantages of international arbitration, like the selection of a neutral forum to avoid any “home court” advantage).[29]

___________________________

   [1]   Convention on the Recognition and Enforcement of Foreign Judgments in Civil or Commercial Matters, July 2, 2019, https://www.hcch.net/en/instruments/conventions/full-text/?cid=137 (hereinafter “Convention”) (last visited Mar. 18, 2022).

   [2]   See Hague Conference on Private International Law, Explanatory Note Providing Background on the Proposed Draft Text and Identifying Outstanding Issues, Prel. Doc. No 2, 3 (2016) (“[T]he future Convention is intended to pursue two goals: to enhance access to justice; [and] to facilitate cross-border trade and investment, by reducing costs and risks associated with cross-border dealings.”).

   [3]   Convention on the Recognition and Enforcement of Foreign Arbitral Awards (hereinafter “New York Convention”), June 10, 1958, 21.3 U.S.T. 2517, 3 U.N.T.S. 330.

   [4]   Convention on Choice of Court Agreements, June 30, 2005, 44 I.L.M. 1294 (hereinafter “2005 Choice of Court Convention”).

   [5]   See Gibson Dunn, New York Updates Law on Recognition of Foreign Country Money Judgments to Bring in Line with Other U.S. Jurisdictions, June 22, 2021, https://www.gibsondunn.com/new-york-updates-law-on-recognition-of-foreign-country-money-judgments-bring-in-line-with-other-us-jurisdictions/.

   [6]   See id.

   [7]   See id.

   [8]   See generally Louise Ellen Teitz, Another Hague Judgments Convention? Bucking the Past to Provide for the Future, 29 Duke J. Comp. & Int’l L. 491 (2019) (reviewing the Convention’s negotiations history).

   [9]   See generally Ronald A. Brand, The Hague Judgments Convention in the United States: A “Game Changer” or a New Path to the Old Game?, 82 U. Pitt. L. Rev. 847 (2021).

  [10]   See Hague Conference on Private International Law, Status Table – Convention of 2 July 2019 on the Recognition and Enforcement of Foreign Judgments in Civil or Commercial Matters, https://www.hcch.net/en/instruments/conventions/status-table/?cid=137 (last visited Mar. 18, 2022).

  [11]   European Commission, Proposal for a Council Decision on the Accession by the European Union to the Convention on the Recognition and Enforcement of Foreign Judgments in Civil or Commercial Matters, COM (2021) 388 (July 16, 2021), here (last visited Mar. 18, 2022) (recommending accession to the Convention so as to ensure the circulation of foreign judgments beyond the EU area and to increase “growth in international trade and foreign investment and the mobility of citizens around the world”).

  [12]   See Convention, art. 28.

  [13]   See id. at art. 29.

  [14]   Id. at art. 1(1).

  [15]   See id. at art. 1(2).

  [16]   See id. at art. 2.

  [17]   See id. at art. 4(1) (“A judgment given by a court of a Contracting State (State of origin) shall be recognised and enforced in another Contracting State (requested State) in accordance with the provisions of this Chapter. Recognition or enforcement may be refused only on the grounds specified in this Convention.”).

  [18]   See Gibson Dunn, New York Updates Law on Recognition of Foreign Country Money Judgments to Bring in Line with Other U.S. Jurisdictions, June 22, 2021, https://www.gibsondunn.com/new-york-updates-law-on-recognition-of-foreign-country-money-judgments-bring-in-line-with-other-us-jurisdictions/.

  [19]   See Brand, supra note 9, at 851.

  [20]   On the other hand, a judgment that ruled on rights in rem in immovable property “shall be recognised and enforced if and only if the property is situated in the State of origin.”  Convention, art. 6.

  [21]   Convention, art. 15 (“Subject to Article 6, this Convention does not prevent the recognition or enforcement of judgments under national law.”).

  [22]   Teitz, supra note 8, at 503.

  [23]   Convention, art. 7.

  [24]   See also 2005 Choice of Court Convention, art. 9 (setting forth grounds for non-recognition).

  [25]   See Gibson Dunn, New York Updates Law on Recognition of Foreign Country Money Judgments to Bring in Line with Other U.S. Jurisdictions, June 22, 2021, https://www.gibsondunn.com/new-york-updates-law-on-recognition-of-foreign-country-money-judgments-bring-in-line-with-other-us-jurisdictions/.

  [26]   Hague Conference on Private International Law, Gamechanger for Cross-Border Litigation in Civil and Commercial Matters to be Finalized in the Hague (June 18, 2019) (quoting the Secretary General of the Hague Conference), https://www.hcch.net/en/news-archive/details/?varevent=683 (last visited Mar. 18, 2022).

  [27]   The United States has been a member of the Hague Conference since 1964 and is currently a Contracting Party to seven Hague Conventions (Convention Abolishing the Requirement of Legalisation for Foreign Public Documents (“Apostille Convention”), Oct. 5, 1961, 527 U.N.T.S.; Convention on the Service Abroad of Judicial and Extrajudicial Documents in Civil or Commercial Matters (“Service Convention”), Nov. 15, 1965, 658 U.N.T.S. 163; Convention on the Taking of Evidence Abroad in Civil or Commercial Matters (“Evidence Convention”), Mar. 18, 1970, 847 U.N.T.S. 231; Convention on the Civil Aspects of International Child Abduction (“Child Abduction Convention”), Oct. 25, 1980, 1343 U.N.T.S. 89; Convention on Protection of Children and Co-operation in respect of Intercountry Adoption (“Adoption Convention”), May 29, 1993, 1870 U.N.T.S. 167; Convention on the Law Applicable to Certain Rights in respect of Securities Held with an Intermediary (“Securities Convention”), July 5, 2006, 46 I.L.M. 649; Convention on the International Recovery of Child Support and Other Forms of Family Maintenance (“Child Support Convention”), Nov. 23, 2007, 47 I.L.M. 257).  The U.S. has not yet ratified the 2005 Choice of Court Convention, often seen as the sister treaty to the Hague Judgments Convention.

  [28]   See generally United Nations Convention on International Settlement Agreements Resulting from Mediation, opened for signature Aug. 7, 2019 (adopted Dec. 20, 2018) (“Singapore Convention”), https://treaties.un.org/pages/ViewDetails.aspx?src=TREATY&mtdsg_no=XXII-4&chapter=22&clang=_en (last visited Mar. 18, 2022).

  [29]   For international commercial arbitration awards, the above map shows the broad reach of the New York Convention.


The following Gibson Dunn lawyers prepared this client alert: Rahim Moloo, Lindsey D. Schmidt, Maria L. Banda, and Nika Madyoon.

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these issues. Please contact the Gibson Dunn lawyer with whom you usually work, any member of the firm’s International Arbitration, Judgment and Arbitral Award Enforcement or Transnational Litigation practice groups, or the following:

Rahim Moloo – New York (+1 212-351-2413)
Lindsey D. Schmidt – New York (+1 212-351-5395)
Anne M. Champion – New York (+1 212-351-5361)
Maria L. Banda – Washington, D.C. (+1 202-887-3678)


With the energy transition gaining pace and the use of LNG as a bridge fuel to phase out the use of coal for power generation, the environmental credentials of LNG are in the spotlight.  Although LNG has lower carbon emissions than other fossil fuels, participants in the LNG industry have been exploring ways to further decarbonise the LNG value chain.  So-called ‘carbon-neutral’ LNG transactions, where carbon credits are used to offset the emissions from LNG, are gaining popularity and there is a nascent market developing, with over 30 carbon-neutral LNG cargoes having been traded to date.

To encourage the growth of such transactions, certain organisations have published methodologies which seek to standardise the measurement and reporting of emissions from LNG, as well as ensuring that the carbon credits used to offset these emissions have been properly issued and retired, and price assessments are now being published to help market participants track the incremental cost of carbon-neutrality in LNG transactions.  As the world works towards net zero, an increased focus on emissions is driving stricter requirements for LNG projects and LNG transactions which could signal a growing role for carbon-neutral LNG.

In this alert, we analyse carbon-neutral LNG transactions and consider the measurement of emissions and transaction reporting, with a view to establishing whether carbon-neutral LNG trades are the beginning of a new paradigm that the LNG industry will need to adopt in order to address the requirements of governments, customers and stakeholders.



The following Gibson Dunn lawyers assisted in the preparation of this article: Brad Roach, Nick Kendrick, and Zan Wong. The authors wish to thank Jeffrey Moore and Kenneth Foo from S&P Global Platts for their contributions to this article.

Gibson Dunn lawyers are available to assist in addressing any questions you may have regarding the article. Please contact Brad Roach or the Gibson Dunn lawyer with whom you usually work, or the following leaders of the firm’s Oil and Gas practice group:

Brad Roach – Singapore (+65 6507 3685)
Michael P. Darden – Houston (+1 346 718 6789)
Anna P. Howell – London (+44 (0) 20 7071 4241)


On 23 February 2022, the European Commission (“EC”) published its long-awaited draft directive on “Corporate Sustainability Due Diligence” (the “Directive”),[1] which sets out mandatory human rights and environmental due diligence obligations for corporates, together with a civil liability regime to enforce compliance with the obligations to prevent, mitigate and bring adverse impacts to an end.[2]

The draft Directive will now undergo further review and debate, with its likely adoption by the European Parliament and subsequent implementation into domestic legal systems anticipated by 2027.

This was hailed as an opportunity to introduce uniform standards for corporates operating in Europe, in circumstances where numerous individual jurisdictions have been developing their own, differing human rights and environmental due diligence and/or reporting obligations (see our previous client alert).

 

Key features of the Directive

  • Applies to:
    • Large EU-incorporated “companies”[3] with either: (i) more than 500 employees, and a net worldwide turnover of more than EUR 150 million (Group 1); or (ii) more than 250 employees, and a net worldwide turnover of more than EUR 40 million, where at least 50% of this net turnover was generated in a high-impact sector (certain manufacturing industries; agriculture, forestry and fisheries; and the extraction of mineral resources, the manufacture of metal products and the wholesale trade of mineral resources and products) (Group 2).
    • Companies incorporated outside the EU with: (i) a net EU turnover of more than EUR 150 million; or (ii) an EU turnover of more than EUR 40 million where at least 50% of the net worldwide turnover was generated in a high-impact sector.[4]
  • Creates mandatory obligations for relevant companies to conduct human rights and environmental due diligence to identify actual or potential adverse impacts across their own operations, their subsidiaries’ operations, and the value chains of their “established business relationships”. In this context, the Directive expressly envisages the development of preventive action plans and the imposition of contractual terms on business partners, and creates an obligation to bring actual adverse impacts to an end.
  • Corporates are also expected to:
    • undertake “periodic assessments” to monitor the effectiveness of their efforts;
    • establish a grievance mechanism for stakeholders including affected persons, trade unions and other workers’ representatives of individuals in the value chain, as well as civil society organisations; and
    • report annually on matters covered by the Directive. Where companies are not already subject to existing reporting requirements under EU law,[5] companies must publish an annual statement on their website by 30 April each year for the previous calendar year.
  • Introduces a new obligation requiring Group 1 companies to adopt climate change action plans.
  • Expands the nature of directors’ duties to include an obligation to consider the consequences of their decisions on human rights, climate change and the environment, and to implement and oversee due diligence actions and policies.
  • Envisages civil liability of companies for failure to conduct adequate due diligence and a sanctions regime to be imposed by each Member State which is “effective, proportionate and dissuasive”.
  • In terms of scope:
    • The Commission expects around 12,800 entities to fall within the scope of the new legislation.[6]
    • Small to medium sized enterprises (SMEs) are not within the scope of the Directive.
    • “Turnover” is not defined in the current Directive or the earlier EU Parliament draft and, in particular, it is not clear how to calculate turnover which is “generated … in the Union”.
    • While the narrower tailored approach of the Directive (compared to the previous EU Parliament draft Directive) has been welcomed by many corporates, there are some ambiguities as to its breadth. This includes, for example, its application to non-EU incorporated asset managers, which are not expressly referred to in the definition of in-scope “Companies” for the purposes of the application of the Directive.[7]

Introduction of four key corporate due diligence obligations

The Directive lays down four key due diligence obligations regarding actual and potential “adverse human rights impacts” and “adverse environmental impacts” (both of which the Directive defines by reference to international conventions).  The due diligence is to be conducted not only in relation to companies’ own operations and those of their subsidiaries, but also the operations of their “established business relationships” (whether direct or indirect), where those operations are related to the company’s “value chains”.[8]

“Value chain” is broadly defined as “activities related to the production of goods or the provision of services by a company, including the development of the product or the service and the use and disposal of the product as well as the related activities of upstream and downstream established business relationships of the company”.  For regulated financial services companies, the Directive gives further guidance, noting that the value chain “shall only include the activities of the clients receiving such loan, credit, and other financial services and of other companies belonging to the same group whose activities are linked to the contract in question”.

Integrate human rights and environmental due diligence

First, companies are required to integrate human rights and environmental due diligence into all of their corporate policies and have in place “a specific due diligence policy” which contains: (i) a description of the company’s due diligence approach; (ii) a code of conduct to be followed by company employees and subsidiaries; and (iii) a description of processes put in place to implement due diligence—including measures taken to extend its application to “established business relationships”.

Identify actual or potential adverse impacts

Second, as noted above, companies are required to take appropriate measures to identify actual and potential adverse human rights and environmental impacts arising not only from their own operations, but their subsidiaries’ and the operations of established business relationships in their value chains.  (Certain companies are, however, confined to identifying only “severe” adverse impacts.)[9]  This is an ongoing, continuous obligation for companies within the scope of the Directive, except for financial institutions which need only identify adverse impacts before providing a service (such as credit or a loan).

In terms of how to identify the adverse impacts, the Directive contemplates the use of both qualitative and quantitative information, including use of independent reports, information gathering through the complaints procedure (see below) and consultations with potentially affected groups.

Prevent or mitigate potential adverse impacts

Third, companies have an obligation to prevent potential adverse impacts – and, where this is not possible, to adequately mitigate adverse impacts that have been or should have been identified pursuant to the prior identification obligation.  This is contemplated through a number of strategies:

  • Companies should, where complex prevention measures are required, develop and implement a “prevention action plan” (in consultation with affected stakeholders), including timelines and indicators for improvement. Related measures include the requirement to make necessary investment into management or production processes and infrastructures.
  • In the case of direct business relationships, companies should seek contractual assurances from their direct business partners that the latter will ensure compliance with the company’s code of conduct and prevention action plan, including by seeking contractual assurances from their own partners, to the extent that their activities are part of the company’s value chain. This is known as “contractual cascading”.
  • In the case of indirect business relationships, where potential adverse impacts cannot be prevented or mitigated through the prevention action plan and related measures, the company may seek to conclude a contract with that indirect partner, aimed at achieving compliance with the company’s code of conduct or a prevention action plan.
  • Where the potential adverse impacts cannot be prevented or adequately mitigated by the prevention action plan and use of contractual assurances and contracts, the company is required to refrain from entering into new or extending existing relations with the partner in question. To the extent permitted by the relevant local laws, the company must also: (i) temporarily suspend commercial relations with the partner in question, while pursuing prevention and minimisation efforts (provided there is reasonable expectation that the efforts will succeed in the short-term), or (ii) where the potential adverse impact is severe, terminate the business relationship with respect to activities concerned.

Bring to an end or minimise actual adverse impacts

Finally, companies must bring to an end actual adverse impacts that have been or should have been identified.  Where this is not possible, companies should ensure that they minimise the extent of such an impact.  Companies are required to take the following actions, as necessary: (i) neutralise the adverse impact or minimise its extent, including through the payment of damages to the affected persons; (ii) implement a corrective action plan with timelines and indicators; (iii) seek contractual assurances; and (iv) make necessary investments.  As with the obligation to prevent and mitigate potential adverse impacts, there are provisions governing circumstances where the actual adverse impact cannot be brought to an end or minimised.[10]

Standalone climate change obligation

Group 1 companies are required to adopt a plan to ensure that the business model and strategy of the company are compatible with limiting global warming to 1.5°C in line with the Paris Agreement.  The plan should identify the extent to which climate change is a risk for, or an impact of, the company’s operations.  Fulfilment of the obligations in the plan should then be taken into account in the context of directors’ variable remuneration, where such remuneration is linked to the director’s contribution to business strategy and long-term interests and sustainability.

Expansion of directors’ duties

The Directive introduces a “directors’ duty of care” provision requiring directors to take into account the human rights, climate change and environmental consequences of their decisions in the short, medium and long term.  Directors[11]  should put into place and oversee due diligence actions and policies, and adapt the company’s strategy where necessary.  Member States must ensure that their laws applicable to breach of directors’ duties are extended to the provisions in the Directive.  As currently drafted, the Directive itself does not impose personal liability on directors for non-compliance.

In practical terms, this will likely carry with it obligations of transparency, and boards should document how they are engaging with sustainability requirements and considering risks in all relevant decision-making, including on matters of strategy.  Directors should also ensure that they are sufficiently informed on how due diligence processes and reporting lines are resourced and managed within the company, and conduct training on ESG matters.

What will be required of the board will ultimately be industry-specific, but it will be important to demonstrate that the board is actively engaging with these issues.

Sanctions and enforcement

Non-compliance with the substantive requirements of the Directive carries the threat of civil liability and specific sanctions.  A civil liability provision requires Member States to ensure companies are liable for damages if: (a) they have failed to prevent or mitigate potential adverse impacts; and (b) as a result of this failure, an adverse impact that could have been avoided in fact occurred and caused damage.  Importantly, a company cannot escape liability by relying on local law (for example, where the jurisdiction of the alleged adverse impact does not provide for damages).  Where, however, a company has taken the “appropriate” due diligence measures identified in the Directive, there should be no such liability unless it was “unreasonable” in the circumstances to expect that the action taken (including as regards verifying business partners’ compliance) would be adequate to prevent, mitigate, bring to an end or minimise the extent of the adverse impact.  This begs the question as to what may be considered “unreasonable” and what measures are to be considered “appropriate” for the relevant company, to which there are no clear answers in the Directive.  Further guidance on the scoping of expectations and nature of “appropriate” due diligence will be essential.

Meanwhile, the Directive requires Member States to set up supervisory authorities to monitor compliance, but gives discretion as regards sanctions for non-compliance.  These authorities will be empowered to conduct investigations, issue orders to stop violations, and publish their decisions.

In-scope companies which are incorporated outside the EU must also appoint an “authorised representative”, i.e. a natural or legal person domiciled or established in the EU Member State in which that company generated most of its annual net turnover in the EU in the previous year. The authorised representative must have a mandate to act on the company’s behalf in relation to complying with the Directive, and will communicate and cooperate with supervisory authorities.

Next steps

The draft Directive will now be presented to the Council of the European Union and the European Parliament, upon whom it is incumbent to reach agreement on a final text.  It is expected that the Directive will be subject to further debates by a range of industry, government and NGO stakeholders, and it remains to be seen whether any material changes will be made.  The political tailwinds behind EU-wide action in this area are strong,[12] particularly as national governments across the EU continue to implement their own legislative measures and the European Parliament has already advocated for similar legislation.  Current best estimates envisage adoption in or around 2023, with subsequent transposition into national law two to four years thereafter.  Hence, it is likely that the earliest that companies will be required to report pursuant to the proposed Directive will be in relation to the financial years ending 2025 or 2026.

The draft Directive is an ambitious proposal and there remain a number of open questions regarding the scope and nature of the duties envisaged.  Further guidance on issues such as the nature of due diligence has been promised by the Commission, and will be critical as corporates seek to understand their obligations and address them in practical terms.

__________________________

[1]   On the same date, the European Commission also published a Q&A publication and a factsheet which provide further colour and background to the draft Directive.  These are available on the European Commission’s Corporate Sustainability Due Diligence website.

[2]   This follows a public consultation period held between 26 October 2020 and 8 February 2021, and an EU Parliament draft directive on “Corporate Due Diligence and Corporate Accountability” published on 10 March 2021 (the “EU Parliament draft Directive”). See our previous client alert, addressing the 27 January 2021 report containing the proposed EU Parliament draft Directive.

[3]   The definition of “companies” extends beyond corporate entities to other forms of enterprises with separate legal personality by reference to the Accounting Directive 2013/34 and to certain regulated financial undertakings regardless of their legal form. See Article 2(iv) of the draft Directive (defining “Company”).

[4]   See Article 2(2) of the draft Directive. Whilst the parameters of application of the Directive draw upon thresholds and definitions that have been utilised in other EU sustainability and ESG-related regulations (such as the Non-Financial Reporting Directive and the proposed new Corporate Sustainability Reporting Directive (CSRD)), this threshold relating to turnover attributable to high impact sectors is a new development.

[5]   Namely, the reporting requirements under Articles 19a and 29a of Directive 2014/95/EU (the Non-Financial Reporting Directive, which will soon be replaced by the Corporate Sustainability Reporting Directive).

[6]   This compares to the broader scope of the CSRD which is expected to capture around 50,000 entities.

[7]   See Article 2(iv) of the draft Directive (defining “Company”).

[8]   The italicized terms are defined under the Directive (Article 3).

[9]   Namely, Group 2 companies, and non-EU companies generating a net turnover of more than EUR 40 million but not more than EUR 150 million in the EU in the preceding financial year, provided at least 50% of its net worldwide turnover was generated in a high-impact sector.

[10]   Namely, as in Article 7, the company may seek to conclude a contract with an entity with whom it has an indirect relationship with a view to achieving compliance with the company’s code of conduct or corrective plan (Article 7(4)), and refrain from entering into new or extending existing relations with the partner in connection with or in the value chain where the impact has arisen, and shall temporarily suspend commercial relationships or terminate the business relationship where the adverse impact is severe (Article 7(6)).

[11]   “Directors” is defined broadly in the draft Directive as those who are part of the “administrative, management or supervisory bodies of a company”, the CEO and any Deputy CEO, in addition to other persons who perform similar functions. “Board of directors” is broadly defined as “the administrative or supervisory body responsible for supervising the executive management of the company”, or those performing equivalent functions. See draft Directive, Articles 3(o), (p).

[12]   This proposal also comes off the back of a flurry of other developments in the EU in relation to ESG-related regulation. These developments include the European Commission’s presentation of the same date of a Communication on Decent Work Worldwide, and very recent feedback and developments on proposed changes to the CSRD from various European Parliament committees, including the Permanent Representatives Committee’s (Coreper) general approach regarding the European Commission’s proposed CSRD, published on 18 February 2022 and European Parliament’s Economic and Monetary Affairs Committee’s (ECON) opinion and proposed changes to the CSRD, published on 28 February 2022.


Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments. Please contact the Gibson Dunn lawyer with whom you usually work, any member of the firm’s Environmental, Social and Governance (ESG) practice, or the following authors:

Susy Bullock – London (+44 (0) 20 7071 4283)
Selina S. Sagayam – London (+44 (0) 20 7071 4263)
Sophy Helgesen – London (+44 (0) 20 7071 4261)
Stephanie Collins – London (+44 (0) 20 7071 4216)
Ashley Kate Hammett – London (+44 (0) 20 7071 4240)

© 2022 Gibson, Dunn & Crutcher LLP

Attorney Advertising:  The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

Utah is poised to join California, Virginia, and Colorado in enacting comprehensive data privacy legislation.  Although Utah’s law largely follows the Virginia and Colorado models—with a few provisions that may ease the burden on businesses—it adds to an increasingly active state legislative landscape.  Meanwhile, California is proposing changes to its landmark privacy law as other states plow ahead with debating or updating their own data privacy laws.  Companies should account for these changes as they develop programs to comply with the laws.

Utah Consumer Privacy Act

In Utah, the legislature unanimously passed the Utah Consumer Privacy Act.[1] After the bill reaches the governor’s desk, he will have 20 days to sign or veto it, or it will become law automatically without his signature. If the governor vetoes the bill, the legislature has sufficient votes to override the veto, given that it was passed unanimously. Once enacted, the new law will become effective by its terms on December 31, 2023[2]—approximately one year after the similar laws in Colorado and Virginia go into force.  Comparable to the other laws, the new law applies to companies that (1) conduct business in Utah or target consumers in the state, (2) have $25 million or more in annual revenue, and (3) either (a) process or control personal data of 100,000 or more Utah consumers or (b) process or control personal data of 25,000 or more Utah consumers and derive 50 percent or more of their gross revenue from selling personal data.[3]

While Utah’s law is similar to Virginia’s and Colorado’s laws, it has a few differences that may make the law easier for businesses to follow.  For example, like Virginia and Colorado, Utah does not include a private right of action in its law, although the attorney general can seek statutory damages, as described more fully below.  However, unlike the laws in Virginia and Colorado, Utah’s law does not require businesses to conduct and document data protection assessments about their data-processing practices.[4]  Utah also does not require businesses to set up a mechanism for consumers to appeal a business’s decision regarding the consumer’s request to exercise any of their personal data rights.[5]  And finally, Utah’s law makes it easier to charge a fee when responding to consumer requests.  Specifically, businesses may charge a fee when responding to consumer requests to exercise their personal data rights in Virginia only if those requests are “manifestly unfounded, excessive, or repetitive,”[6] or in Colorado only if a second request is made in a 12-month period.[7]  But Utah allows businesses to charge a fee in both those situations as well as when the business “reasonably believes the primary purpose in submitting the request  was something other than exercising a right” or is harassing, disruptive, or poses an undue burden on the controller.[8]

Relating to enforcement, while Utah’s Division of Consumer Protection can investigate potential violations, Utah’s law, like Colorado’s and Virginia’s, limits enforcement to the state attorney general.[9]  The attorney general must give companies at least 30 days to cure before initiating an action.[10]  If the attorney general does bring such an action, they may collect statutory damages of up to $7,500 per violation or actual damages.[11]

Developments in Other States

As Utah moves ahead with its new privacy law, California legislators have floated proposals to extend the business-to-business and employment-related exemptions in the California Consumer Privacy Act (“CCPA”).  Under those exemptions, the CCPA does not generally apply to employment-related data or data involved in transactions between businesses for due diligence or to provide a good or service.  The California Privacy Rights Act (“CPRA”) is presently set to sunset those exemptions on January 1, 2023.  But the bills introduced in California would extend those exemptions either through January 1, 2026, or pursuant to the alternative bill, indefinitely.[12]

California is not the only state with updates to its comprehensive data privacy law in the works.  Colorado’s attorney general announced recently that a formal notice of proposed rulemaking under the Colorado Privacy Act will be issued by this fall to prepare regulations that will be implemented by January 2023.  In the meantime, town halls and meetings are planned to gather comments on that rulemaking.

Other states are moving rapidly to join California, Colorado, Virginia, and Utah.  Data privacy laws have passed committee or chamber votes this year in Indiana, Iowa,  Florida, Massachusetts, Ohio, Washington, and Wisconsin, and numerous other states also are considering legislation.  Although the precise contours of these laws—and how many, if any more this year, will be enacted, and when—remain in flux, the enactment of state privacy laws already has ushered in notable regulatory changes affecting how companies collect and manage data while imposing a host of new obligations and potential liability, across the country.  Companies would be well-served to focus their compliance programs accordingly.

We will continue to monitor developments in this area, and are available to discuss these issues as applied to your particular business.

___________________________

   [1]   Utah Consumer Privacy Act (“UCPA”), S.B. 227, 2022 Leg. Sess. (Utah 2022).

   [2]   UCPA, § 17.

   [3]   UCPA, § 3, 13-61-102(1).

   [4]   See Colorado Privacy Act (“CPA”), S.B. 21-190,  § 6-1-1309, 73d Leg., 2021 Regular Sess. (Colo. 2021); Virginia Consumer Data Protection Act (“VCDPA”), S.B. 1392, § 59.1-576, 2021 Spec. Sess. (Va. 2021).

   [5]   See CPA, § 6-1-1306(3)(a); VCDPA, § 59.1-573(C).

   [6]   VCDPA, § 59.1-573(B)(3).

   [7]   CPA, § 6-1-1306(2)(c).

   [8]   UCPA, § 7, 13-61-203(4)(b)(i)(B)-(C).

   [9]   UCPA, § 13, 13-61-305; § 13, 13-61-401; § 14, 13-61-402(1)-(2).

   [10]   UCPA, § 14, 13-61-402(3)(b)-(c).

   [11]   UCPA, § 14, 13-61-402(3)(d).

   [12]   See A.B. 2871, 2021–2022 Reg. Sess. (Calif. 2022); A.B. 2891, 2021–2022 Reg. Sess. (Calif. 2022).


This alert was prepared by Ryan T. Bergsieker, Cassandra Gaedt-Sheckter, Eric M. Hornbeck and Alexander H. Southwell.

On March 9, 2022, the Securities and Exchange Commission (“SEC” or “Commission”) held a virtual open meeting where it considered a rule proposal for new cybersecurity disclosure requirements for public companies, primarily consisting of: (i) current reporting of material cybersecurity incidents and (ii) periodic reporting of material updates to cybersecurity incidents, the company’s cybersecurity risk management, strategy, and governance practices, and the board of directors’ cybersecurity expertise, if any.

The proposal passed on party lines and the comment period ends on the later of 30 days after publication in the Federal Register or May 9, 2022 (which is 60 days from the date that the rules were proposed). Below please find a summary description of the rule proposal, as well as certain Commissioners’ concerns related to the proposal.

Summary of Proposed Amendments

New Current Reporting Requirements

The proposed amendments would require current reporting of material cybersecurity incidents by adding new Item 1.05 to Form 8-K.   As is the case with almost all other Form 8-K items, Item 1.05 would require companies to disclose material cybersecurity incidents[1] within four business days. The trigger date for the disclosure is the date of the materiality determination, rather than the date of discovery of the incident, although companies are required to make a materiality determination as soon as reasonably practicable after discovery. Required disclosure would include:

  • When the incident was discovered and whether it is ongoing;
  • A brief description of the nature and scope of the incident;
  • Whether any data was stolen, altered, accessed, or used for any other unauthorized purpose;
  • The effect of the incident on the company’s operations; and
  • Whether the company has remediated or is currently remediating the incident.

According to the release, “[w]hat constitutes “materiality” for purposes of the proposed cybersecurity incidents disclosure would be consistent with that set out in the numerous cases addressing materiality in the securities laws, including:  TSC Industries, Inc. v. Northway, Inc.,[2] Basic, Inc. v. Levinson,[3] and Matrixx Initiatives, Inc. v. Siracusano[4].”[5] The SEC noted in the proposed rule that it would not expect companies to disclose technical information about its planned response, cybersecurity systems, related networks and devices, or vulnerabilities “in such detail as would impede the company’s response or remediation of the incident.”[6] However, Item 1.05 would not allow for a reporting delay when there is an ongoing internal or external investigation related to the cybersecurity incident. Notably, however, an untimely filing of Item 1.05 disclosure on Form 8-K would not result in a loss of Form S-3 and Form SF-3 eligibility and would be covered by the safe harbor for Section 10(b) and Rule 10b-5 liability. With respect to foreign private issuers, the amendments would similarly create a disclosure trigger for cybersecurity incidents on Form 6-K.

New Periodic Reporting Requirements

Material Updates to Cybersecurity Incidents. The proposed amendments would add additional disclosure requirements to public companies’ quarterly and annual reports by introducing new Item 106(d) of Regulation S-K, which would require companies to disclose any material changes, additions, or updates to information required to be disclosed pursuant to proposed Item 1.05 of Form 8-K in the company’s Form 10-Q or Form 10-K for the covered period (the company’s fourth fiscal quarter in the case of a Form 10-K) in which the material change, addition, or update occurred. Item 106(d) would also require companies to disclose when a series of previously undisclosed individually immaterial cybersecurity incidents becomes material in the aggregate.

Risk Management and Strategy. In addition, public companies would be required to disclose their policies and procedures, if any, to identify and manage cybersecurity risks and threats. The company would also be required to describe whether it engages assessors or other third parties in connection with its risk assessment and any policies or procedures for risks in connection with the use of third party service providers. The other topics included in proposed Item 106(b) would require disclosure regarding whether the company undertakes to prevent, detect and minimize the threat of cybersecurity incidents; whether the company has business continuity, contingency or recovery plans in the event of a cybersecurity incident; whether previous cybersecurity incidents have informed changes in the company’s governance, policies and procedures, or technologies; whether and how cybersecurity-related risk and incidents have affected or are reasonably likely to affect the company’s results of operations or financial condition; and whether and how cybersecurity risks are considered as part of the company’s business strategy, financial planning, and capital allocation.

Governance. Proposed Item 106(c) of Regulation S-K would require disclosure regarding the role of the board of directors and management in cybersecurity governance. With respect to the board of directors, companies would need to disclose whether the entire board, specific board members or a board committee is responsible for the oversight of cybersecurity risks. Disclosure would also need to include a discussion of the processes by which the board is informed about cybersecurity risks, the frequency of discussions on cybersecurity, and whether and how the board or responsible board committee considers cybersecurity risks as part of its business strategy, risk management, and financial oversight. With respect to management, companies would need to disclose whether certain management positions or committees are responsible for measuring and managing cybersecurity risk and the relevant expertise of such persons. The company would also need to disclose whether it has designated a chief information security officer, or someone in a comparable position, and if so, to whom that individual reports within the company’s organizational chart, the relevant expertise of any such persons, the processes by which such persons or committees are informed about and monitor the prevention, mitigation, detection, and remediation of cybersecurity incidents, and whether and how frequently such persons or committees report to the board or a committee of the board on cybersecurity risk.

Director Cybersecurity Expertise. Proposed Item 407(j) of Regulation S-K would require companies to annually disclose (in proxy statements for their annual meetings of shareholders or their annual reports on Form 10-K) cybersecurity expertise of directors of the company, if any. If any member of the board has cybersecurity expertise, the company would be required to disclose the name of any such director, and provide such detail as necessary to fully describe the nature of the director’s expertise. Cybersecurity expertise would remain undefined, but the proposed rule would introduce criteria relevant for the determination, such as whether the director has work experience in cybersecurity, whether the director obtained a certification or degree in cybersecurity, and whether the director has knowledge, skills or other background in cybersecurity. Similar to the existing safe harbor with respect to “audit committee financial experts,” proposed Item 407(j)(2) would state that a person who is determined to have expertise in cybersecurity will not be deemed an expert for any purpose, including, without limitation, for purposes of Section 11 of the Securities Act of 1933, as a result of being designated or identified as a director with expertise in cybersecurity pursuant to proposed Item 407(j).

Foreign Private Issuers. Comparable changes would be made to require similar disclosures on an annual basis on Form 20-F.

Structured Data Requirements

Disclosures required under the proposed rules would need to be tagged in Inline XBRL, which would include block text tagging of narrative disclosures, as well as detail tagging of quantitative amounts disclosed within the narrative disclosures. According to the release, “[t]his Inline XBRL tagging would enable automated extraction and analysis of the granular data required by the proposed rules, allowing investors and other market participants to more efficiently perform large-scale analysis and comparison of this information across registrants and time periods.”[7]

Commissioner Concerns

The Commission voted three to one in support of the proposed amendments, with Commissioner Peirce dissenting. Chair Gensler supported the proposed rules noting that “companies and investors alike would benefit if this disclosure were required in a consistent, comparable, and decision-useful manner.”[8] Chair Gensler emphasized two ways in which the proposed rules would enhance cybersecurity disclosure and allow investors to assess cybersecurity risks more effectively, by requiring (i) ongoing disclosures regarding companies’ governance, risk management, and strategy with respect to cybersecurity risks and (ii) mandatory, material cybersecurity incident reporting. Commissioner Peirce expressed some reservations about the proposal. Specifically, Commissioner Peirce voiced concern that: (i)  the governance disclosure requirements could be viewed as substantive guidance for the composition and functioning of both the boards of directors and management of public companies; (ii) the policy disclosure requirements may pressure companies to consider adapting their existing policies and procedures to conform to the Commission’s preferred approach; and (iii) the Commission is not best suited to design cybersecurity programs to be effective for all companies. Although Commissioner Peirce was more supportive of the cybersecurity incident reporting requirements, stating that they provided guideposts for companies to follow in reporting material cybersecurity incidents, she was critical of the proposed rule’s inflexibility with regard to whether temporary relief from the disclosure requirements would best protect investors in cases of ongoing investigations.

As mentioned above, the comment period ends on the later of 30 days after publication in the Federal Register or May 9, 2022 (which is 60 days from the date that the rules were proposed). Comments may be submitted: (1) using the SEC’s comment form at https://www.sec.gov/rules/submitcomments.htm; (2) via e-mail to [email protected] (with “File Number S7-09-22” on the subject line); or (3) via mail to Secretary, Securities and Exchange Commission, 100 F Street NE, Washington, DC 20549-1090. All submissions should refer to File Number S7-09-22.

Takeaways

The proposed rule contemplates extensive changes to current reporting requirements, and many of the disclosure topics act as guidance with respect to the SEC’s expectations for public companies’ cybersecurity risk management, strategy, and governance. In light of these changes, public companies should consider the following:

  • Incident Disclosure Obligations Take Priority Over All Other Considerations. As noted by Commissioner Peirce, proposed Item 1.05 of Form 8-K does not provide companies with flexibility with respect to the timing of disclosing material cybersecurity incidents, even when it may be beneficial to delay disclosure. Under the proposed rule, companies would be required to report material cybersecurity incidents within four business days of the materiality determination, even when doing so may hinder the efforts of law enforcement to investigate the extent of the incident or apprehend wrongdoers. The disclosure mandate would also effectively override any deferral provided under state and local law, as companies will still need to timely file the required Form 8-K even where a state or local law would permit a delay in notifying the public about the incident. In addition, the proposed rule does not distinguish ongoing incidents from past or remediated incidents in the reporting requirements, which could result in required disclosure of cybersecurity incidents that still have active vulnerabilities. In these instances, disclosure could exacerbate the severity of the incident, as wrongdoers could become aware of and seek to exploit current vulnerabilities in the company’s systems. In essence, the proposed rule does not allow companies to take into account any other considerations on whether to disclose material cybersecurity incidents. The proposing release justifies the rule by stating that it is “critical to investor protection and well-functioning orderly and efficient markets that investors promptly receive information regarding material cybersecurity incidents.”[9]  However, the SEC does not demonstrate that the inflexibility of the rule is necessary for the functioning of the markets or that such other considerations are less critical to investor protection than strict adherence to the proposed reporting regime. 
    Moreover, the mere fact that the trigger date for the disclosure requirement is the date of the materiality determination does not provide companies with flexibility given the rule’s expectation that companies will make such determination as soon as reasonably practicable after discovery of the incident.
  • Companies May Need to Revisit their Cybersecurity Policies and Procedures. The proposed rule would require companies to disclose many facets of their cybersecurity policies and procedures, such as whether there are procedures for overseeing cybersecurity risk arising from the use of third party service providers. These disclosure topics are likely to incentivize companies to revisit their policies and procedures in order to ensure that they address such topics, as companies will want to avoid disclosure of policies that lack features that the SEC focuses on or that appear less robust than those of their peers. In addition, it will be important for companies revisiting their cybersecurity policies to ensure that they provide for effective disclosure controls and procedures that include communication between the cybersecurity team, or those responsible for cybersecurity, and the legal team. These channels of communication will be necessary for the prompt assessment and escalation of detected cybersecurity incidents, which serves the purposes of providing for proper oversight and complying with the proposed disclosure requirements. Communication will need to be maintained through the conclusion and remediation of cybersecurity incidents, given the requirement to provide material updates to the disclosure and to disclose any series of previously undisclosed, immaterial incidents that become material in the aggregate. Companies without a chief information security officer, or equivalent, should consider whether such a position should be created in light of the requirement to disclose whether the company has such an officer.
  • Boards May Need to Revisit Their Oversight Role and Structures. While many companies already include disclosure on the board’s role in overseeing cybersecurity risk in their proxy statements, the proposed rule introduces a broad set of discussion topics that will need to be addressed. In particular, boards that have not delegated responsibility for overseeing cybersecurity disclosures to a specific board committee will need to consider whether it is appropriate to do so. Companies should also consider the channels through which cybersecurity information is communicated to the board (or designated committee) and evaluate whether such channels provide effective and timely communications. Boards will also need to assess whether the amount of time spent addressing cybersecurity during meetings is appropriate given the requirement to disclose the frequency of discussions on the topic.
  • Director Cybersecurity Experience will be at a Premium. Requiring disclosure of whether any of a company’s directors have cybersecurity expertise will likely pressure companies to prioritize candidates with cybersecurity experience as part of their search process in order to avoid appearing behind on cybersecurity compared to their peers. Given that companies will need to describe such expertise in their annual disclosure, directors with substantive cybersecurity experience may be highly sought after. In addition, many companies include cybersecurity in director skill matrices in their proxy statements. Should the rules be adopted as proposed, those companies will need to consider whether their assessments of experience align with the criteria proposed by the SEC, or risk potentially confusing investors with two different standards for cybersecurity expertise.

__________________________

[1] Cybersecurity incident is defined to mean an unauthorized occurrence on or conducted through a company’s information systems that jeopardizes the confidentiality, integrity, or availability of a company’s information systems or any information residing therein.

[2] TSC Indus. v. Northway, 426 U.S. 438, 449 (1976).

[3] Basic Inc. v. Levinson, 485 U.S. 224, 232 (1988).

[4] 563 U.S. 27 (2011).

[5] Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, Exchange Act Release, No. 34-94382 (Mar. 9, 2022) at Part II.B.1, available at https://www.sec.gov/rules/proposed/2022/33-11038.pdf.

[6] Id.

[7] Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, Exchange Act Release, No. 34-94382 (Mar. 9, 2022) at Part II.G, available at https://www.sec.gov/rules/proposed/2022/33-11038.pdf.

[8] Chairman Gary Gensler, “Statement on Proposal for Mandatory Cybersecurity Disclosures” (Mar. 9, 2022), available at https://www.sec.gov/news/statement/gensler-cybersecurity-20220309.

[9] Cybersecurity Risk Management, Strategy, Governance, and Incident Disclosure, Exchange Act Release, No. 34-94382 (Mar. 9, 2022) at Part II.B.3, available at https://www.sec.gov/rules/proposed/2022/33-11038.pdf.


This alert was prepared by Alexander H. Southwell, Ashlie Beringer, Lori Zyskowski, Thomas J. Kim, and Julia Lapitskaya.

Gibson Dunn lawyers are available to assist in addressing any questions you may have about these developments. Please contact the Gibson Dunn lawyer with whom you usually work in the firm’s Privacy, Cybersecurity and Data Innovation and Securities Regulation and Corporate Governance practice groups, or the following authors:

Alexander H. Southwell – New York (+1 212-351-3981, [email protected])

S. Ashlie Beringer – Palo Alto (+1 650-849-5327, [email protected])

Lori Zyskowski – New York (+1 212-351-2309, [email protected])

Thomas J. Kim – Washington, D.C. (+1 202-887-3550, [email protected])

Julia Lapitskaya – New York (+1 212-351-2354, [email protected])

We would like to thank Matthew Dolloff in our New York office for his work on this article.

© 2022 Gibson, Dunn & Crutcher LLP

Attorney Advertising:  The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

The United States, the European Union, the United Kingdom, Australia, Japan and other countries have issued or announced sanctions and export controls targeting Russia and the Russia-backed separatist regions of Ukraine known as the Donetsk People’s Republic and the Luhansk People’s Republic. The United States took the first step by issuing broad jurisdiction-based sanctions on the two regions, similar to the existing sanctions on the Crimea region of Ukraine, and followed up with additional sanctions targeting Russia’s financial system. NATO allies also announced sanctions—including targeted designations by the United Kingdom and a sanctions package by the European Union—and non-NATO allies promised or implemented tough sanctions in close coordination. As tensions continue to rise, NATO countries and their allies continue to deploy further tools to exert economic pressure on Russia to deescalate the ongoing crisis in Ukraine and withdraw its army from Ukraine’s borders.

Hear from our experts about these developments and how companies should proactively assess their exposure to the sanctions and export controls measures being discussed.



MODERATOR:

David A. Wolber is a Registered Foreign Lawyer (New York) in Hong Kong and Of Counsel in the Hong Kong office of Gibson, Dunn & Crutcher. He is a member of the firm’s International Trade Practice Group. Mr. Wolber assists clients around the world in understanding and navigating complex legal, compliance, reputational, political and other risks arising out of the interplay of various international trade, national security and financial crime laws and regulations, with particular expertise advising clients on economic and trade sanctions, export controls, foreign direct investment controls/CFIUS, anti-money laundering (AML) and anti-bribery and anti-corruption (ABC) laws and regulations.

PANELISTS:

Patrick Doris is a partner in the London office whose practice includes transnational litigation, cross-border investigations, and compliance advisory for clients including major global investment banks, global corporations, leading U.S. operators in the financial sectors, and global manufacturing companies, among others. He advises financial sector clients and others on OFAC and EU sanctions violations, responses to major cyber-penetration incidents, and other matters relating to national supervisory and regulatory bodies.

Christopher T. Timura is Of Counsel in the Washington D.C. office. He counsels clients on compliance with U.S. and international customs, export controls, and economic sanctions law and represents them before the departments of State (DDTC), Treasury (OFAC and CFIUS), Commerce (BIS), Homeland Security (CBP and ICE), and Justice in voluntary and directed disclosures, civil and criminal enforcement actions and investment reviews. Working with in-house counsel, boards, and other business personnel, he helps to identify and leverage existing business processes to integrate international trade compliance, and CSR-related data gathering, analysis, investigation, and reporting throughout client business operations.

Richard Roeder is an associate in the Munich office who was previously seconded to the Washington, D.C. office and worked with the firm’s U.S. sanctions and export control team and assisted clients in managing the challenges posed by the divergence between U.S. and EU economic and financial sanctions. He advises clients in the banking, insurance, automotive, mining, oil and gas, healthcare and information technology industries in the areas of sanctions, anti-money-laundering and anti-corruption compliance.

Claire Yi is an associate in the Washington, D.C. office. She is a member of the firm’s International Trade and White Collar Defense and Investigations Practice Groups. Ms. Yi received her Juris Doctor, magna cum laude, from Harvard Law School, where she was an Articles Editor for Harvard International Law Journal. During law school, she served as an intern for the Compliance and Business Risk Department at the World Bank-International Finance Corporation, for the Office of the Inspector General at the State Department, and for the Office of the Legal Adviser at the State Department.


On March 9, 2022, President Biden signed a long-awaited Executive Order (titled “Ensuring Responsible Development of Digital Assets” and issued with an accompanying Fact Sheet) regarding the U.S. government’s strategy for digital assets, defined to include cryptocurrencies and other forms of exchange that are recorded on the blockchain.[1]  Citing the need for the federal government to address the role of digital assets in the financial system, the Executive Order represents the first whole-of-government approach to the benefits and risks of digital assets.  It is a general policy statement that reflects the views of the administration, as opposed to a specific proposal for regulation.

In our view, there are three principal takeaways from the Executive Order.  First, it acknowledges the exponential growth and opportunity that the digital asset ecosystem presents, and outlines a policy interest in “responsible financial innovation” and the need for evolution and coordination to ensure that the United States continues to be a leader in the space.  Second, the Executive Order identifies a number of perceived general risk areas that digital assets can pose on issues ranging from consumer protection to national security to the environment.  Third, to address these risks, the Executive Order tasks various federal agencies—working in coordination—to draft a host of reports, frameworks, and action plans to evaluate the various perceived challenges and opportunities presented by digital assets.  We discuss each takeaway in order below.

U.S. Commitment to Digital Asset Leadership

To date, countries around the world have taken divergent stances on digital assets. Cryptocurrency transactions are banned in China, for instance, whereas other jurisdictions have gone as far as to make bitcoin legal tender.[2]  It was not clear where the White House would come down on this spectrum, as individual U.S. lawmakers, regulators, and enforcers have offered differing views on how to approach digital assets.

The Executive Order offers a strong endorsement of the potential of digital assets and the need for the United States to play a leading role in shaping the design of this ecosystem.  Specifically, it declares that “[w]e must reinforce United States leadership in the global financial system and in technological and economic competitiveness, including through the responsible development of payment innovations and digital assets.”[3]  Further, it provides that the U.S. has an interest in remaining at the “forefront” of the “responsible development and design of digital assets,” where its leadership can “sustain United States financial power and promote United States economic interests.”[4]  One potential way to do so is by creating a central bank digital currency (“CBDC”), which, as discussed below, the Executive Order tasks various parts of the government to study at length.

The Executive Order also recognizes the benefits that digital assets can provide to consumers, as they may help expand equitable access to financial services by, for instance, “making investments and domestic and cross-border funds transfers and payments cheaper, faster, and safer.”[5]

At the same time, the Executive Order acknowledges that many opportunities and challenges posed by blockchain-based ecosystems fall outside the scope of existing laws and that government approaches to date have been “inconsistent,” “necessitating an evolution and alignment of the United States Government approach to digital assets.”[6]

Potential Risks in the Digital Asset Ecosystem

The Executive Order identifies a number of broad potential risk areas involving digital assets that may implicate a wide range of participants in the ecosystem including exchanges, custody providers, investors, token issuers, and companies that accept digital assets for payment.  Specific risks cited in the Executive Order include:

  • Data Protection—Without “sufficient oversight and standards,” firms providing digital asset services “may provide inadequate protections for sensitive financial data, custodial and other arrangements relating to customer assets and funds.”[7]
  • Privacy—Key “safeguards” identified in “responsible development” of digital assets include “maintain[ing] privacy” and “shield[ing] against arbitrary or unlawful surveillance.”[8]
  • Risk Disclosures—An important facet of protecting investors is ensuring adequate “disclosures of risks associated with investment.”[9]
  • Cybersecurity—Cybersecurity issues that have occurred at major digital asset exchanges and trading platforms to date have contributed to billions of dollars of losses.[10]
  • Systemic Risk—In order to mitigate systemic risk, digital asset issuers, exchanges and trading platforms, and other intermediaries “should, as appropriate, be subject to and in compliance with regulatory and supervisory standards that govern traditional market infrastructures and financial firms.”[11] Moreover, new and unique uses of digital assets “may create additional economic and financial risks” that require “an evolution to a regulatory approach.”[12]
  • National Security and Illicit Finance—Noting that digital assets can pose significant national security and illicit finance risks ranging from terrorism financing to cybercrime, the Executive Order aims to “ensure appropriate controls and accountability” for digital asset systems to “promote high standards for transparency, privacy, and security” in order to counter these activities.[13]
  • Sanctions Evasion—Digital assets may be used to circumvent sanctions.[14]
  • Climate and Pollution—The United States also has an interest in reducing “negative climate impacts and environmental pollution” from “some cryptocurrency mining.”[15]

In light of some of these risks, President Biden’s Executive Order provides that the United States “must support technological advances that promote responsible development and use of digital assets,” including by ensuring that digital asset technologies “are developed, designed, and implemented in a responsible manner” that includes privacy and security, features and controls to defend against illicit exploitation, and efforts to reduce negative environmental impacts.[16]

Researching the Path Forward

To determine the next steps for the U.S. government in the digital asset space, the Executive Order establishes an interagency process to address many of the opportunities and challenges outlined above.[17]  Further, it calls for a number of reports, frameworks, action plans, and more to be developed, as outlined in the table below.

Critically, the Executive Order does not itself implement any new regulations over the digital asset space or require that agency reviews adopt particular rules or requirements.  Instead, it just identifies what homework needs to be done.  Accordingly, the Executive Order has not changed the jurisdiction of any U.S. regulator or enforcer with respect to digital assets, nor does it call for Congress to act to expand the jurisdiction or authority of independent agencies such as the CFTC or SEC, even as it opens by acknowledging that the novel challenges and opportunities presented by digital assets may not be within the scope of existing federal laws.[18]  Various federal agencies are therefore instructed to “consider” whether some of the digital asset risks that are identified—such as privacy, consumer protection, and investor protection—are within the jurisdiction of existing regulators or “whether additional measures may be needed.”[19]  The agencies’ conclusions to those questions, of course, will be of great interest to all market participants and those interested in digital assets and blockchain technology, including potentially to members of Congress.

Notably absent from the Executive Order is any reference to regulations implementing the tax information reporting provisions of HR 3684, the Infrastructure Investment and Jobs Act, signed into law on November 15, 2021.  As discussed in this Gibson Dunn Client Alert, those provisions are one of the few recent legislative measures addressing digital assets and include effective dates that contemplate reporting requirements on a broad range of digital asset transactions beginning in January of 2023.

| Subject | Lead Agency | Supporting Agencies | Detailed Description | Due |
|---|---|---|---|---|
| Action Plans, Frameworks, and Reports | | | | |
| Report on Strengthening International Law Enforcement[18] | DOJ | State, Treasury, DHS | How to strengthen international law enforcement cooperation for detecting, investigating, and prosecuting criminal activity related to digital assets. | Within 90 days (June 7, 2022) |
| Framework for International Engagement[19] | Treasury | State, Commerce, USAID, other relevant agencies | Establishing a framework for interagency international engagement to enhance adoption of global principles and standards for how digital assets are used and transacted. | Within 120 days (July 7, 2022) and an update one year later |
| Report on Prosecution of Crimes related to Digital Currency[20] | DOJ | Treasury, DHS | The role of law enforcement agencies in detecting, investigating, and prosecuting criminal activity related to digital assets, including any recommendations on regulatory or legislative actions. | Within 180 days (September 5, 2022) |
| Report on the Future of Money and Payment Systems[21] | Treasury | State, DOJ, Commerce, DHS, OMB, DNI | Topics include (i) the conditions that drive broad adoption of digital assets; (ii) the extent to which technological innovation may influence these outcomes; and (iii) the implications for the United States financial system, the modernization of and changes to payment systems, economic growth, financial inclusion, and national security. Also, various considerations related to the potential development of a CBDC. | Within 180 days (September 5, 2022) |
| Report on the Implications of Development and Adoption of Digital Assets[22] | Treasury | Labor and other agencies, potentially including FTC, SEC, CFTC, CFPB, and Federal banking agencies | Conditions that would drive mass adoption of different types of digital assets and the risks and opportunities such growth might present. Policy recommendations to protect United States consumers, investors, and businesses, and support expanding access to safe and affordable financial services. | Within 180 days (September 5, 2022) |
| Report on Environmental Impact Mitigation[23] | OSTP | Treasury, DOE, EPA, CEA, National Climate Advisor, other relevant agencies | Connections between distributed ledger technology and economic and energy transitions, including the potential for these technologies to impede or advance efforts to tackle climate change and the impacts these technologies have on the environment. | Within 180 days (September 5, 2022), update one year later |
| Framework for Enhancement of United States Economic Competitiveness[24] | Commerce | State, Treasury, other relevant agencies | A framework for enhancing United States economic competitiveness in, and leveraging of, digital asset technologies. | Within 180 days (September 5, 2022) |
| Report on Financial Stability Risks and Regulatory Gaps[25] | Treasury | FSOC[26] | The specific financial stability risks and regulatory gaps posed by various types of digital assets and recommendations to address such risks, including any proposals for new legislation or additional or adjusted regulation and supervision. | Within 210 days (October 5, 2022) |
| Coordinated Action Plan to Mitigate Identified Risks[27] | Treasury | State, DOJ, Commerce, DHS, OMB, DNI, other relevant agencies | The role of law enforcement and measures to increase financial services providers’ compliance with AML/CFT obligations related to digital asset activities. | Within 120 days of submission of the National Strategy for Combating Terrorist and Other Illicit Financing |
| CBDC Research | | | | |
| Assessment of Legislative Changes[28] | DOJ | Treasury, Federal Reserve | Whether legislative changes would be necessary to issue a United States CBDC. | Within 180 days (September 5, 2022) |
| Technical Evaluation of the Requirements to Support a CBDC System[29] | OSTP; U.S. CTO | Treasury, Federal Reserve, other agencies | The technological infrastructure, capacity, and expertise that would be necessary at relevant agencies to facilitate and support the introduction of a CBDC system. | Within 180 days (September 5, 2022) |
| Legislative Proposal related to a United States CBDC[30] | DOJ | Treasury, Federal Reserve | Based upon Future of Money Report and any relevant materials developed by the Federal Reserve. | Within 210 days (October 5, 2022) |
| Recommendation for Continued Research[31] | Federal Reserve | | Encouraged to continue research on the extent to which CBDCs could improve future payments systems, to assess the optimal form of a U.S. CBDC, to develop a strategic plan that evaluates the necessary steps and requirements for the potential implementation and launch of a U.S. CBDC, and evaluate the extent to which a U.S. CBDC could enhance or impede the ability of monetary policy to function effectively as a macroeconomic stabilization tool. | N/A |
| Considerations, Notices, and Voluntary Submissions | | | | |
| Submission of Supplemental Annexes relating to Illicit Finance Risks[32] | Treasury, State, DOJ, Commerce, DHS, OMB, DNI, other agencies | | Agencies may submit supplemental annexes offering additional views on illicit finance risks posed by digital assets. | Within 90 days of submission of the National Strategy for Combating Terrorist and Other Illicit Financing |
| Consideration of Competition Policy[33] | DOJ, FTC, CFPB | | Potential effects the growth of digital assets could have on competition policy. | N/A |
| Consideration of Consumer Protection and Privacy[34] | FTC, CFPB | | Whether privacy or consumer protection measures within their respective jurisdictions may be used to protect users of digital assets and whether additional measures may be needed. | N/A |
| Consideration of Investor and Market Protections[35] | SEC, CFTC, Federal Reserve, FDIC, OCC | | Whether investor and market protection measures within their respective jurisdictions may be used to address the risks of digital assets and whether additional measures may be needed. | N/A |

Conclusion

The Executive Order is both a landmark and a question mark for U.S. digital asset policy.  It boldly proclaims that the United States intends to lead in promoting the responsible development and design of digital assets, even as it details in broad strokes many of the risks that the digital asset ecosystem could pose to consumers, investors, and citizens.  But it does not address how these risks will be addressed in concrete terms, nor does it speak to the unique privacy, consumer and cybersecurity values and opportunities that are furthered by the technological innovation of the blockchain.  As a result, continued uncertainty remains in the digital asset space with respect to, among other things, a clear regulatory framework, with regulation by enforcement continuing to be significant, even on certain fundamental questions.  In the coming months, Gibson Dunn will be closely monitoring additional developments and the research outputs required by the Executive Order in order to help its clients across the digital asset space navigate regulatory risks and requirements in the United States.

___________________________

[1]   Many of the top administration officials and heads of agencies announced their support for the Executive Order, including Treasury Secretary Yellen, Consumer Financial Protection Bureau (“CFPB”) Chairman Chopra, Commerce Secretary Raimondo, National Security Advisor Sullivan and National Economic Council Director Deese, Commodity Futures Trading Commission (“CFTC”) Chairman Behnam, and a tweet from Securities and Exchange Commission (“SEC”) Chair Gensler.  The White House also convened a background call with senior administration officials to discuss the Executive Order.

[2]   See, e.g., Alun John, Samuel Shen and Tom Wilson, China’s top regulators ban crypto trading and mining, sending bitcoin tumbling, Reuters (Sept. 24, 2021), https://www.reuters.com/world/china/china-central-bank-vows-crackdown-cryptocurrency-trading-2021-09-24/; Aaryamann Shrivastava, Swiss City To Make Bitcoin a Legal Tender After Mexico and El Salvador, FX Empire (Mar. 4, 2022), https://www.fxempire.com/news/article/swiss-city-to-make-bitcoin-a-legal-tender-after-mexico-and-el-salvador-922943.

[3]   Executive Order, § 2(d).

[4]   Executive Order, § 2(d).

[5]   Executive Order, § 2(e).

[6]   Executive Order, § 2(a).

[7]   Executive Order, § 2(a).

[8]   Executive Order, § 2(a).

[9]   Executive Order, § 2(a).

[10]   Executive Order, § 2(b).

[11]   Executive Order, § 2(b).

[12]   Executive Order, § 2(c).

[13]   Executive Order, § 2(c).

[14]   Executive Order, § 2(f).

[15]   Executive Order, § 2(f).

[16]   Executive Order, § 3.

[17]   Executive Order, § 5(b)(v); see also Executive Order, § 4(b).

[18]   Executive Order, § 8(b)(iv).

[19]   Executive Order, §§ 8(b)(i); 8(b)(ii).

[20]   Executive Order, § 5(b)(iii).

[21]   Executive Order, § 4(b).

[22]   Executive Order, § 5(b)(i).

[23]   Executive Order, §§ 5(b)(vii); 5(b)(viii).

[24]   Executive Order, § 8(b)(iii).

[25]   Executive Order, § 6(b).

[26]   The FSOC comprises 10 voting members (the heads of Treasury, the Federal Reserve, OCC, CFPB, SEC, FDIC, CFTC, FHFA, NCUA, and a Senate-confirmed member with insurance expertise) and five nonvoting members (Office of Financial Research, Federal Insurance Office, a state insurance commissioner, a state banking supervisor, and a state securities commissioner).  See About FSOC, U.S. Department of Treasury, https://home.treasury.gov/policy-issues/financial-markets-financial-institutions-and-fiscal-service/fsoc/about-fsoc.

[27]   Executive Order, § 7(c).

[28]   Executive Order, § 4(d)(i).

[29]   Executive Order, § 5(b)(ii).

[30]  Executive Order, § 4(d)(ii).

[31]  Executive Order, § 4(c).

[32]  Executive Order, § 7(b).

[33]  Executive Order, § 5(b)(iv).

[34]  Executive Order, § 5(b)(v).

[35]   Executive Order, § 5(b)(vi).


Gibson Dunn stands ready to help guide industry players through the most complex challenges that lie at the intersection of regulation, public policy, and technical innovation of blockchain and cryptocurrency.  If you wish to discuss any of the matters set out above, please contact Gibson Dunn’s Crypto Taskforce ([email protected]), or any member of its Financial Institutions, Global Financial Regulatory, Public Policy, Administrative Law and Regulatory, Privacy, Cybersecurity and Data Innovation, Tax Controversy and Litigation, or White Collar Defense and Investigations teams.

Ashlie Beringer – Co-Chair, Privacy, Cybersecurity & Data Innovation Group, Palo Alto (+1 650-849-5327)

Matthew L. Biben – Co-Chair, Financial Institutions Group, New York (+1 212-351-6300)

Michael D. Bopp – Co-Chair, Public Policy Group, Washington, D.C. (+1 202-955-8256)

Stephanie L. Brooker – Co-Chair, White Collar Defense & Investigations Group, Washington, D.C. (+1 202-887-3502)

M. Kendall Day – Co-Chair, Financial Institutions Group, Washington, D.C. (+1 202-955-8220)

Michael J. Desmond – Co-Chair, Global Tax Controversy & Litigation Group, Los Angeles/Washington, D.C. (+1 213-229-7531)

Roscoe Jones, Jr. – Co-Chair, Public Policy Group, Washington, D.C. (+1 202-887-3530)

Thomas J. Kim – Partner, Securities Regulation and Corporate Governance Practice Group, Washington, D.C. (+1 202-887-3550)

Arthur S. Long – Partner, Financial Institutions and Securities Regulation Practice Groups, New York (+1 212-351-2426)

Eugene Scalia – Co-Chair, Administrative Law and Regulatory Group, Washington, D.C. (+1 202-955-8543)

Jeffrey L. Steiner – Co-Chair, Global Financial Regulatory Group, Washington, D.C. (+1 202-887-3632)

Helgi C. Walker – Co-Chair, Global Litigation Group, Washington, D.C. (+1 202-887-3599)

Chris Jones – Senior Associate, White Collar Defense & Investigations Group, San Francisco (+1 415-393-8320)

Associate Allison Ortega also contributed to this client alert.

© 2022 Gibson, Dunn & Crutcher LLP

Attorney Advertising:  The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.

New York partner Anne M. Champion and associate Lee R. Crain are the authors of “New York Times v. Sullivan Is Safe From Sarah Palin” [PDF] published by Bloomberg Law on February 25, 2022.

On February 14, 2022, the Department of Justice and U.S. Attorney’s Office for the Middle District of Florida announced they had reached a $5.5 million settlement with NCH Healthcare System (“NCH”) to resolve common law claims arising from NCH’s donations to local government entities—payments that the government alleged were used improperly to fund Florida’s share of Medicaid payments made to NCH.

NCH is a non-profit entity that operates two hospitals in Collier County, Florida.  The government alleged that between October 2014 and September 2015, NCH provided free nursing and athletic training services to the Collier County School Board and paid other financial obligations on behalf of Collier County.[1]  Under the government’s theory, these donations were designed to artificially increase Medicaid payments made to NCH without any corresponding expenditure of state or local funds on health care.  Instead, the donations allowed the county and its local school board to avoid various expenditures, which left funds available to be paid to the State of Florida as its share of Medicaid payments owed to NCH.  Under federal law, specifically 42 U.S.C. § 1396b(w)(2)(B), Florida’s share of Medicaid payments must consist of state or local government funds, and not “non-bona fide donations” from private health care providers.  A non-bona fide donation triggers a corresponding federal expenditure for the federal share of Medicaid without any corresponding increase in state expenditures.  This is prohibited by law to ensure that states pay their required share of Medicaid payments and are incentivized to prevent fraud, waste, and abuse in their Medicaid programs.[2]

Notably, the NCH settlement agreement released only common law claims of mistake and unjust enrichment, and the United States expressly reserved its rights to later bring claims under the False Claims Act (“FCA”) and other laws.[3]  Of the $5.5 million settlement payment, just under $5 million was designated as “restitution” for tax purposes—suggesting that the parties agreed that NCH would pay a multiple of 1.1 times single damages, notwithstanding that the United States is limited to recovering single damages under common law theories.[4]  By comparison, DOJ policy is to compromise False Claims Act claims for no less than double damages, with exceptions to go lower where the defendant demonstrates substantial cooperation with the government’s investigation.  While it’s not necessarily the case that the narrow release in this case means that there will ultimately be subsequent FCA litigation, it does highlight that DOJ may be willing to pursue and settle cases involving potential allegations of health care fraud for less than double damages based on so-called “innocent” overpayments—albeit without an FCA release—where evidence of scienter may fail to meet the threshold for a viable FCA case.[5]  Further, NCH agreed to fully cooperate with the government’s investigation of other potential defendants, including its officers and employees, and to provide the United States with all relevant non-privileged documents, including reports and interview memoranda, relating to the alleged conduct.[6]

The NCH settlement also signals that in-kind and monetary donations made to state and local entities may be at an increased risk of scrutiny by the Department of Justice.  The NCH settlement comes amidst ongoing investigations and settlements involving donations made by pharmaceutical manufacturers to purportedly independent foundations and patient assistance programs, and could signal that the government might infer bad intent from a broader array of donations made by healthcare entities.  Clearly, the government will not shy away from pursuing transactions under the fraud and abuse laws that it believes run afoul of regulatory requirements, even if such transactions confer public benefit.  In light of these heightened risks, clients are advised to carefully scrutinize their donation practices, whether monetary or in-kind.

___________________________

[1]   NCH Healthcare Settlement Agreement, Office of Pub. Affairs, U.S. Dep’t of Justice (Feb. 14, 2022) at recital B, https://www.justice.gov/opa/press-release/file/1471946/download; see also Press Release, Office of Pub. Affairs, U.S. Dep’t of Justice, Florida’s NCH Healthcare System Agrees to Pay $5.5 Million to Settle Common Law Allegations (Feb. 14, 2022), https://www.justice.gov/opa/pr/florida-s-nch-healthcare-system-agrees-pay-55-million-settle-common-law-allegations.

[2]   The federal government provides partial funding for state Medicaid programs through Federal Financial Participation (“FFP”) funding.  42 C.F.R. § 431.958. The amount of FFP funds each state is eligible for is based on the state’s own Medicaid expenditure amount, which may only include state or local government funds.  42 U.S.C. § 1396b(a).  Non-bona fide donations from private health care providers, including in-kind services, may not be included in the calculation of the state’s own Medicaid expenditures.  Id. §§ 1396b(w)(1)(a), (2)(B).

[3]   NCH Healthcare Settlement Agreement, supra note 1, ¶ 3.

[4]   See, e.g., U.S. ex rel. Robinson-Hill v. Nurses’ Registry & Home Health Corp., No. CIV.A. 5:08-145-KKC, 2015 WL 3403054, at *4 (E.D. Ky. May 27, 2015) (“Recovery on a claim for payment by mistake is limited to that portion of the payment in excess of the actual amount owed.  Lastly, recovery on a claim for unjust enrichment is limited to the amount of the benefits improperly received by the defendant.  Thus, with these common law claims, the United States may recover the amounts wrongfully or erroneously paid to defendants by the Medicare program, but the Government is not entitled to recover any penalties or punitive damages.”) (internal citations omitted).

[5]   See also, e.g., Drakontas LLC Settlement Agreement, U.S. Atty’s Office for the Eastern Dist. of Pa. (May 3, 2016) at III.C–D, https://www.justice.gov/usao-edpa/file/849061/download (releasing only common law breach of contract, payment by mistake, and unjust enrichment claims when DOJ alleged defendant operated a non-compliant accounting system that resulted in the U.S. making improper and excessive payments).

[6]   NCH Healthcare Settlement Agreement, supra note 1, ¶ 8.


The following Gibson Dunn lawyers assisted in the preparation of this alert: Jonathan M. Phillips, Winston Y. Chan, Brendan Stewart, and Emma Strong.

Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments. Please contact the Gibson Dunn lawyer with whom you usually work, the authors, or any member of the firm’s False Claims Act/Qui Tam Defense, FDA and Health Care, Government Contracts, or White Collar Defense and Investigations practice groups.

Washington, D.C.
Jonathan M. Phillips – Co-Chair, False Claims Act/Qui Tam Defense Group (+1 202-887-3546)
F. Joseph Warin (+1 202-887-3609)
Joseph D. West (+1 202-955-8658)
Robert K. Hur (+1 202-887-3674)
Geoffrey M. Sigler (+1 202-887-3752)
Lindsay M. Paulin (+1 202-887-3701)

San Francisco
Winston Y. Chan – Co-Chair, False Claims Act/Qui Tam Defense Group (+1 415-393-8362)
Charles J. Stevens (+1 415-393-8391)

New York
Reed Brodsky (+1 212-351-5334)
Mylan Denerstein (+1 212-351-3850)
Alexander H. Southwell (+1 212-351-3981)
Brendan Stewart (+1 212-351-6393)
Casey Kyung-Se Lee (+1 212-351-2419)

Denver
John D.W. Partridge (+1 303-298-5931)
Robert C. Blume (+1 303-298-5758)
Monica K. Loseman (+1 303-298-5784)
Ryan T. Bergsieker (+1 303-298-5774)
Reid Rector (+1 303-298-5923)

Dallas
Robert C. Walters (+1 214-698-3114)
Andrew LeGrand (+1 214-698-3405)

Los Angeles
Nicola T. Hanna (+1 213-229-7269)
Timothy J. Hatch (+1 213-229-7368)
Deborah L. Stein (+1 213-229-7164)
James L. Zelenay Jr. (+1 213-229-7449)

Palo Alto
Benjamin Wagner (+1 650-849-5395)

A cross-office, cross-disciplinary Gibson Dunn team represents Shanghai Pudong Science and Technology Investment Co. (“PDSTI”) in matters related to its investment in ICON Aircraft, Inc. (“ICON”).

PDSTI, a Chinese investment company specializing in technology industries, obtained unconditional CFIUS approval in February 2022 for its 2017 investment in ICON, a U.S. manufacturer of recreational amphibious aircraft. Due to that investment, PDSTI holds 47% of ICON and has the right to appoint a majority of its board.

In June 2021, five U.S.-based ICON shareholders filed a derivative lawsuit against PDSTI and its affiliates, among others, in the Delaware Court of Chancery, alleging that the defendants are working to expropriate ICON’s assets to China. Before the PDSTI defendants moved to dismiss, the same shareholders reported PDSTI’s non-notified 2017 transaction to CFIUS, commencing a months-long process in August 2021. Gibson Dunn also represents the PDSTI defendants in the ongoing Delaware lawsuit.

Despite heightened U.S. government review of Chinese investments in recent years, PDSTI and ICON successfully obtained unconditional approval without any mitigation measures after a thorough and comprehensive review and investigation by CFIUS. The Wall Street Journal covered this matter and remarked that “[t]he outcome is … notable given how carefully [CFIUS] has been scrutinizing Chinese investment in U.S. technology in recent years.”

* * * *

The Gibson Dunn corporate team is led by Fang Xue. The Gibson Dunn CFIUS team includes Judith Alison Lee, Scott Toussaint, and Claire Yi, and former counsel Stephanie Connor. The Gibson Dunn litigation team includes Mark Kirsch, Jeffrey Rosenberg, Kevin White, and Andrew Ferguson. The Gibson Dunn restructuring team is led by David Feldman.

The United States, the European Union, the United Kingdom, Australia, and Japan issued or announced sanctions targeting Russia and the Russia-backed separatist regions of Ukraine known as the Donetsk People’s Republic and the Luhansk People’s Republic. The United States took the first step by issuing broad jurisdiction-based sanctions on the two regions, similar to the existing sanctions on the Crimea region of Ukraine, and followed up with additional sanctions targeting Russia’s financial system. NATO allies also announced sanctions—including targeted designations by the United Kingdom and a sanctions package by the European Union—and non-NATO allies promised tough sanctions in close coordination. As tensions continue to rise, we will likely see further tools deployed by the NATO countries and their allies to exert economic pressure on Russia to deescalate the ongoing crisis in Ukraine and withdraw its army from Ukraine’s borders.

Hear from our experts about these developments and how companies should proactively assess their exposure to the sanctions and export controls measures being discussed.



MODERATOR:

Judith Alison Lee is a partner in the Washington, D.C. office and Co-Chair of the firm’s International Trade Practice Group. Ms. Lee is a Chambers ranked leading International Trade, Export Controls, and Economic Sanctions lawyer practicing in the areas of international trade regulation, including USA Patriot Act compliance, economic sanctions and embargoes, export controls, and national security reviews (“CFIUS”). Ms. Lee also advises on issues relating to virtual and digital currencies, blockchain technologies and distributed cryptoledgers.

PANELISTS:

Patrick Doris is a partner in the London office whose practice includes transnational litigation, cross-border investigations, and compliance advisory for clients including major global investment banks, global corporations, leading U.S. operators in the financial sectors, and global manufacturing companies, among others. He advises financial sector clients and others on OFAC and EU sanctions violations, responses to major cyber-penetration incidents, and other matters relating to national supervisory and regulatory bodies.

Richard Roeder is an associate in the Munich office who was previously seconded to the Washington, D.C. office and worked with the firm’s U.S. sanctions and export control team and assisted clients in managing the challenges posed by the divergence between U.S. and EU economic and financial sanctions. He advises clients in the banking, insurance, automotive, mining, oil and gas, healthcare and information technology industries in the areas of sanctions, anti-money-laundering and anti-corruption compliance.

Adam Smith is a partner in the Washington, D.C. office and a highly experienced international trade lawyer. Mr. Smith previously served in the Obama Administration as the Senior Advisor to the Director of OFAC and as the Director for Multilateral Affairs on the National Security Council. Mr. Smith focuses on international trade compliance and white collar investigations, including with respect to federal and state economic sanctions enforcement, the FCPA, embargoes, and export controls.

Claire Yi is an associate in the Washington, D.C. office and a member of the firm’s International Trade and White Collar Defense and Investigations Practice Groups. Ms. Yi’s background includes having interned in the Compliance and Business Risk Department at the World Bank-International Finance Corporation, in the Office of the Inspector General at the State Department, and in the Office of the Legal Adviser at the State Department.