Public companies have for many years used the spin-off as a technique for transferring a business unit that is no longer a good strategic fit with the businesses they wish to retain. Although there have been relatively few spin-offs since the pandemic began, this tool is likely to receive renewed attention as the economy emerges from the pandemic and companies reconfigure their businesses.
This webcast reviews the principal issues that management teams and their advisors are likely to confront when they structure a spin-off transaction, including corporate, tax, capital markets, intellectual property and employee benefits matters. It will focus on the latest techniques for solving the problems that most frequently arise in each of these areas.
View Slides (PDF)
PANELISTS:
Stephen Glover is a partner in Gibson Dunn’s Washington, D.C. office and Co-Chair of the firm’s Mergers and Acquisitions Practice Group. Mr. Glover has an extensive practice representing public and private companies in complex mergers and acquisitions, including spin-offs and related transactions, as well as other corporate matters. Mr. Glover’s clients include large public corporations, emerging growth companies and middle market companies in a wide range of industries. He also advises private equity firms, individual investors and others.
Daniel Angel is a partner in Gibson Dunn’s New York office, Co-Chair of the firm’s Technology Transactions Practice Group and a member of its Strategic Sourcing and Commercial Transactions Practice Group. He is a transactional attorney who has represented clients on technology-related transactions since 2003. Mr. Angel has worked with a broad variety of clients ranging from market leaders to start-ups in a wide range of industries including financial services, private equity funds, life sciences, specialty chemicals, insurance, energy and telecommunications.
Mike Collins is a partner in Gibson Dunn’s Washington, D.C. office and Co-Chair of the Executive Compensation and Employee Benefits Practice Group. His practice focuses on all aspects of employee benefits and executive compensation. He represents buyers and sellers in corporate transactions and companies in drafting and negotiating employment and equity compensation arrangements, and has advised many clients on the employment and benefits issued raised in corporate spin-offs.
Andrew Fabens is a partner in Gibson Dunn’s New York office, Co-Chair of the firm’s Capital Markets Practice Group and a member of the firm’s Securities Regulation and Corporate Governance Practice Group. Mr. Fabens advises companies on long-term and strategic capital planning, disclosure and reporting obligations under U.S. federal securities laws, corporate governance issues and stock exchange listing obligations. He represents issuers and underwriters in public and private corporate finance transactions, both in the United States and internationally.
Saee Muzumdar is a partner in Gibson Dunn’s New York office and a member of the firm’s Mergers and Acquisitions Practice Group. Ms. Muzumdar is a corporate transactional lawyer whose practice includes representing both strategic companies and private equity clients (including their portfolio companies) in connection with all aspects of their domestic and cross-border M&A activities and general corporate counseling.
Dan Zygielbaum is a partner in Gibson Dunn’s Washington, D.C. office and a member of the firm’s Tax and Real Estate Investment Trust (REIT) Practice Groups. Mr. Zygielbaum’s practice focuses on tax planning for public and private M&A, spinoffs, joint ventures, investment fund formations, real estate transactions, REITs, and capital markets transactions. His clients include private equity and real estate sponsors, public and private companies, REITs, sovereign wealth funds, and real estate investors, developers, managers, and lenders.
Julia Lapitskaya is of counsel in Gibson Dunn’s New York office and a member of the firm’s Securities Regulation and Corporate Governance Practice Group. Ms. Lapitskaya’s practice focuses on corporate governance best practices, state corporate laws, SEC regulations and executive compensation disclosure issues, with particular emphasis on disclosure issues and issues arising in initial public offerings and mergers and acquisitions transactions.
MCLE CREDIT INFORMATION:
This program has been approved for credit in accordance with the requirements of the New York State Continuing Legal Education Board for a maximum of 1.0 credit hour, of which 1.0 credit hour may be applied toward the areas of professional practice requirement.
This course is approved for transitional/non-transitional credit. Attorneys seeking New York credit must obtain an Affirmation Form prior to watching the archived version of this webcast. Please contact [email protected] to request the MCLE form.
Gibson, Dunn & Crutcher LLP certifies that this activity has been approved for MCLE credit by the State Bar of California in the amount of 1.0 hour.
California attorneys may claim “self-study” credit for viewing the archived version of this webcast. No certificate of attendance is required for California “self-study” credit.
In honor of Data Privacy Day—a worldwide effort to raise awareness and promote best practices in privacy and data protection—we offer this ninth edition of Gibson Dunn’s United States Cybersecurity and Data Privacy Outlook and Review.
2020 was a year of tremendous upheaval and disruption; the privacy and cybersecurity space was no exception. The COVID-19 pandemic, which continues to devastate communities worldwide, raised new and challenging questions about the balance between data protection and public health. Unprecedented cyberattacks by, among others, foreign state actors, highlighted vulnerabilities in both the private and public sectors. Sweeping new privacy laws were enacted, and came into effect. The full ramifications of these changes and challenges are extraordinary, and stand to impact almost every person and company in the country.
This Review places these and other 2020 developments in broader context, addressing: (1) the regulation of privacy and data security, including key updates related to the COVID-19 pandemic, other legislative developments, enforcement actions by federal and state authorities, and new regulatory guidance; (2) trends in civil litigation around data privacy in areas including privacy class actions, digital communications, and biometric information privacy laws; and (3) the collection of electronically stored information by government actors, including the extraterritoriality of subpoenas and warrants and the collection of data from electronic devices. While we do not attempt to address every development that occurred in 2020, this Review examines a number of the most significant developments affecting companies as they navigate the evolving cybersecurity and privacy landscape.
This Review focuses on cybersecurity and privacy developments within the United States. For information on developments outside the United States, please see Gibson Dunn’s International Cybersecurity and Data Privacy Outlook and Review, which addresses developments in 2020 outside the United States that are of relevance to domestic and international companies alike. We have adopted the practice of referring to companies by generic descriptors in the body of this Review; for further details, please see the endnotes.
________________________
TABLE OF CONTENTS
I. REGULATION OF PRIVACY AND DATA SECURITY
A. Biden Administration and Presidential Transition
1. Data Privacy
2. Consumer Protection
1. Federal Regulatory Efforts
2. State Regulatory Efforts
1. State Legislative Developments
2. Federal Legislative Developments
1. Federal Trade Commission
2. Department of Health and Human Services and HIPAA
3. Securities and Exchange Commission
4. Other Federal Agencies
5. State Attorneys General and Other State Agencies
B. Computer Fraud and Abuse Act (CFAA) Litigation
C. Telephone Consumer Protection Act (TCPA) Litigation
D. California Consumer Privacy Act (CCPA) Litigation
E. Illinois Biometric Information Privacy Act (BIPA) Litigation
III. GOVERNMENT DATA COLLECTION
A. Collection of Cell Phone Data
B. Extraterritorial Warrants and Data Transfers
________________________
I. REGULATION OF PRIVACY AND DATA SECURITY
A. Biden Administration and Presidential Transition
The year 2021 brings with it a new administration under President Biden and a potential shift from the deregulatory priorities often pursued under President Trump. With a closely divided Congress, defined by extremely narrow Democratic majorities in the House and Senate, much of the movement on the legislative and regulatory front may depend on the new administration’s ability to find common ground for bipartisan efforts; however, we do anticipate ramped-up legislation, regulation, and enforcement efforts in the data privacy and consumer protection space under the Biden administration.
1. Data Privacy
Republican and Democratic policymakers alike have recognized the need for federal privacy legislation, but persistent differences in approach have foiled efforts to enact a comprehensive legislative scheme so far. Key points of contention around potential federal legislation have included whether and to what extent that legislation should preempt more stringent state laws and whether the legislation should include a private right of action. But as momentum builds among states to enact increasingly stringent data privacy and breach notification laws, so too does the pressure on policymakers seeking to enact meaningful privacy legislation at the federal level. For example, and as we detail further at Section I.C.1., California voters passed an initiative last November to strengthen existing legislation through the California Privacy Rights and Enforcement Act of 2020, and several other states have similar bills in committee at their state legislatures.[1] And, as state privacy laws become more rigorous, it may be more difficult for federal legislation to preempt those state laws entirely because the federal framework would need to be that much more stringent.
That said, the Democratic Party Platform on which President Biden ran provides some additional insight into potential legislative initiatives of the new administration. For example, the platform indicates that President Biden intends to renew the Consumer Privacy Bill of Rights, originally proposed by President Obama, which would seek to add strong national standards protecting consumers’ privacy rights.[2] The Platform also indicates that President Biden intends to prioritize updating the Electronic Communications Privacy Act (ECPA) to afford protections for digital content equaling those for physical content.[3]
Policymakers on both sides of the aisle also have expressed concern about Section 230 of the Communications Decency Act and, in particular, the scope of immunity that courts have accorded to social media companies under the statute. The Department of Justice (DOJ) has proposed revisions to the law, including significant limitations on immunity.[4] It is unclear, however, whether legislators will be able to agree on the scope of changes to that immunity, with Republicans voicing concerns about perceived anti-conservative bias in the ways that social media companies self-regulate speech and Democrats raising concerns about the spread of misinformation and hate speech.
Outside of ongoing legislative efforts, the Biden administration’s short-term focus likely will center on administrative action, including promoting federal investigations and enforcement, issuing informal guidance, and initiating formal rulemaking relating to privacy. Such activity would be consistent with Vice President Harris’s background as former Attorney General of California and her previous privacy enforcement efforts, including the creation of California’s Privacy Enforcement and Protection Unit.[5]
With respect to such federal regulatory enforcement action, it is worth noting that the Federal Trade Commission (FTC) had, at the end of the Trump administration, a Republican Chairman and a 3-2 Republican majority. Yet after President Biden took office, FTC Chairman Joseph Simons announced he would resign effective January 29, 2021, clearing the way for President Biden to appoint a Democratic commissioner and designate a new chair.[6] Further, insofar as FTC Commissioner Rohit Chopra has been nominated as permanent Director of the Consumer Financial Protection Bureau (CFPB), a further FTC vacancy may soon need to be filled.[7]
In the health care arena, we have seen a recent focus on patient privacy rights under HIPAA. The U.S. Department of Health and Human Services Office for Civil Rights (OCR) announced more than a dozen settlements related to “right of access” provisions under HIPAA during the past year, which we discuss further herein at Section I.D.2. The Biden administration has indicated a desire to continue to promote patient control and use of data, and likely will continue to focus on “right of access” enforcement actions.
Beyond the federal level, states remained active in bringing enforcement actions regarding data security and data breach response throughout the Trump administration’s term. Given the strong ties that President Biden and Vice President Harris each have to state Attorneys General,[8] cooperation between federal and state enforcement authorities is likely to increase even further under the Biden administration.
2. Consumer Protection
The Consumer Financial Protection Bureau (CFPB), an agency formed during the Obama administration in 2010 following the financial crisis, saw decreased enforcement activity under the Trump administration, in part because President Trump replaced the Bureau’s original director in 2017. Since President Biden took office, however, former CFPB director Kathy Kraninger stepped down at the President’s request, and Dave Uejio, who previously served as CFPB’s strategy program manager, took over as the CFPB’s acting director. President Biden has also nominated current FTC Commissioner Rohit Chopra to serve as the permanent CFPB director, a nomination the Senate is expected to consider soon.[9]
On another note, in early 2020 Congress passed, and President Trump signed into law, the Coronavirus Aid, Relief and Economic Security Act (CARES Act), which, among other things, provided forgivable loans to small businesses and placed payment forbearance obligations on financial institutions for mortgage and student loan borrowers and other prohibitions on negative credit reporting due to the COVID-19 pandemic.[10] The CARES Act small business loans were extended by Congress in December. The Biden administration could seek to enact into law additional COVID-19 stimulus legislation to supplement already-existing laws; indeed, President Biden has already called for a $1.9 trillion stimulus package.[11] In the short term, and particularly as the COVID-19 pandemic continues to have devastating economic impacts on millions of Americans, CFPB enforcement will likely entail closer monitoring of banks and financial institutions for compliance with the CARES Act, especially related to ensuring compliance with the small business loan provisions.
In addition, the Biden administration likely will bring several Obama-era priorities back into focus, including regulation of payday lenders, student loan servicers, affordable credit, credit reporting, and discriminatory lending practices against minority borrowers.[12] Federal-state cooperation is likely here as well, and such cooperation already has begun. In September 2020, for example, the FTC partnered with three other federal agencies and 16 states to conduct “Operation Corrupt Collector” in an effort to challenge debt-collection practices.[13] We anticipate these kinds of enforcement partnerships to continue under the Biden administration.
B. COVID-19 and Privacy
1. Federal Regulatory Efforts
i. Two COVID-19 Privacy Bills Introduced in Congress
In May of 2020, during the last Congress, federal lawmakers introduced two competing privacy bills aimed at protecting privacy interests related to data collection in connection with the COVID-19 response.
The COVID-19 Consumer Data Protection Act (CCDPA), introduced by Senator Jerry Moran (R-KS), requires companies under the jurisdiction of the FTC to obtain affirmative consent for data collection processes related to tracking the spread of COVID-19.[14] The bill would have covered geolocation data, proximity data, and personal health information related to tracking COVID-19 spread; applications measuring compliance with social distancing guidelines; and contact tracing efforts. Additionally, the bill outlined definitions for data deidentification standards and would have established security requirements for companies collecting covered data.
The bill would only have applied for the duration of the COVID-19 health emergency, as declared by the Secretary of Health and Human Services,[15] and it would have established an exclusion for employee health data collected for COVID-19 workplace safety. Importantly, the CCDPA would have expressly preempted existing state laws with respect to COVID-19 data. Proponents of the bill suggested that this would have allowed companies to strike the right balance between individual privacy and innovation, but others argued it would have resulted in less protection for people in states, such as California or Illinois, where current state laws may already provide broader privacy protections.[16] The CCDPA also lacked a private right of action; only the FTC and state Attorneys General would have had enforcement power.
Alternatively, Senator Richard Blumenthal (D-CT) introduced the Public Health Emergency Privacy Act (PHEPA) in an effort to regulate entities that use contact tracing and digital monitoring tools to stop the spread of COVID-19.[17] Like Senator Moran’s bill, PHEPA called for requiring user consent and reasonable data security practices. Unlike the CCDPA, however, Senator Blumenthal’s proposal would not have preempted existing state privacy laws, would have created a private right of action, and would have applied to government entities in addition to private businesses.[18] Additionally, the bill would have required federal agencies to report on the potential impact of data collection on civil rights, and would have expressly barred using the data to restrict any individual’s right to vote.
Ultimately, neither bill moved forward in the last Congress, and so to the extent such proposals remain salient in 2021 (the 117th Congress), they would need to be reintroduced.
ii. HIPAA Guidance and Enforcement Discretion in Response to COVID-19
In response to the challenges presented by the pandemic, the Federal Government, through the Department of Health and Human Services Office for Civil Rights (OCR), has relaxed HIPAA enforcement and issued new guidance to reassure companies assisting in the fight against COVID-19.
In March 2020, OCR announced it would exercise its enforcement discretion and not impose penalties for noncompliance against health care providers “in connection with the good faith provision of telehealth during the COVID-19 nationwide public health emergency.”[19] OCR subsequently extended that discretion to violations associated with good faith disclosures to public health authorities and participation in COVID-19 testing sites.[20]
That same month, OCR also issued new guidance to ensure HIPAA compliance in the wake of COVID-19. This guidance addressed how covered entities may disclose protected health information to law enforcement, paramedics, and other first responders so as to comply with HIPAA and still facilitate the sharing of real-time information to keep themselves and the public safe.[21] Additional guidance addressing how health care providers may identify and contact recovered COVID-19 patients about blood and plasma donation without violating HIPAA followed in June.[22]
iii. CDC Vaccination Program’s Data Use and Sharing Agreement
The Centers for Disease Control (CDC) Vaccination Program Interim Playbook includes a data sharing plan that asks states to provide personal information from residents as part of the CDC’s vaccine distribution program.[23] Personal information requirements include recipient name, address, date of birth, and other datapoints, which has raised concerns around the security of the CDC’s data systems and use of the information for non-vaccination purposes (although most states have signed onto the data sharing agreement).[24]
2. State Regulatory Efforts
As states look to technological solutions to mitigate the spread of COVID-19, protecting consumer data is at the forefront of many legislators’ minds. In 2020 many states considered laws that would have limited how contact tracing apps and individual contact tracers could use, store, and share location data. To date, though, very few states have passed such measures. New York also has introduced a broader privacy bill that covers the security obligations of many different classes of entities that are responding to the COVID-19 pandemic.[25] In addition, as discussed below, state Attorneys General have been reaching out to corporations to address privacy concerns the pandemic may have exacerbated. We detail recent state legislative initiatives below.
i. Enacted State Laws
California. California enacted AB 713 in September 2020. Although not a direct response to COVID-19, the bill’s exemption of certain forms of deidentified health data from the California Consumer Privacy Act (CCPA) may aid in COVID-19 research.[26] AB 713 exempts certain information from the CCPA, provided it is: (1) deidentified under HIPAA; (2) derived from medical information; and (3) not subsequently reidentified. It also “except[s] information that is collected for, used in, or disclosed in research” from the CCPA,[27] which could lower the cost of compliance for health care researchers already complying with HIPPA and increase access to data for further COVID‑19 research.
AB 713 also allows for the reidentification of deidentified data for a “HIPAA covered entity’s treatment, payment, or health care operation”; public health purposes; and research.[28] It also permits reidentification of data to test or validate a data deidentification technique, but only if the contract for that work bans any other uses or disclosures of the information and requires the return or destruction of the information when the contract ends.[29]
In addition, the bill requires that any business that sells or discloses deidentified patient information disclose in its privacy policy that it does so and that it identify which deidentification method it uses.[30] It also requires that contracts for the sale or license of deidentified information include a requirement that the purchaser or licensee may not further disclose the information to any third party not contractually bound by the same or stricter standards, as well as contractual terms prohibiting reidentification.[31]
Kansas. Kansas is one of the few states to have passed a COVID-19 privacy bill, HB 2016. Unlike other contact tracing bills, it specifically rejects the use of cell phone location data for contact tracing. HB 2016 specifies that contact data, or “information collected through contact tracing,” including “medical, epidemiological, individual movement or mobility, names, or other data,” shall only be used “for the purpose of contact tracing and not for any other purpose,” and may not be disclosed for any reason besides contact tracing.[32] The bill further states that the data should be destroyed when no longer needed for tracing efforts, and that participation in contact tracing is voluntary. It also requires that contact tracers not obtain contact tracing information from a third party, unless the affected party consents or the information was obtained pursuant to a valid warrant. HB 2016 is slated to expire May 1, 2021.
New York. New York recently passed S8450C / A10500C, which limits law and immigration officials from accessing contact tracing information, acting as contact tracers, or receiving information from contact tracers. That law also requires individuals to give “written, informed and voluntary” consent to waive confidentiality and limits the disclosure to the purposes listed in the waiver.[33]
ii. State Laws under Consideration
Alabama. Alabama legislators prefiled a COVID-19 privacy bill, SB1, for their 2021 legislative session. SB1 would prohibit the use of contact tracing data for any other purpose. The bill authorizes the Alabama State Health Officer to adopt rules to implement the act, including defining the types of data that may be collected. With respect to retention, the data must be destroyed “when no longer necessary for contact tracing,” but the act does not set out a specific schedule for deletion.[34] SB1 provides a private right to enjoin violations of the statute, and knowing violations of the act would constitute a class C misdemeanor.[35] In its current form, SB1 has a repeal date of May 1, 2022.
New Jersey. New Jersey’s COVID-19 bill, A4170, covers contact tracing efforts using both verbal interviews and Bluetooth or GPS services and provides a framework for how contact tracing information may be used, who may have access to it, how it may be stored, and for how long. It also outlines penalties for violations of the bill’s usage and deletion guidelines.[36] Information gained from contact tracing efforts may only be used for that purpose and must be deleted from both the public health entity’s records and the records of any third party with whom the information is shared within 30 days of its collection.[37] The public health entity also would be required to list the third parties with whom it shares information on the public health entity’s website.
Third parties who use the contact tracing information for purposes other than contact tracing, or who fail to delete information in the time specified, are subject to a civil penalty of up to $10,000.[38] The Commissioner of Health would be required to publish proposed guidance on how data collected from contact tracing may be used by public health officials and third parties and how those entities will be required to ensure the security and confidentiality of the data, including any auditing provisions, within 30 days of the effective date of the act.
New York. In 2020, New York legislators, including State Senator Kevin Thomas (a past sponsor of a comprehensive New York data privacy bill[39] and proposed amendments to New York’s data breach notification law),[40] introduced S8448D / A10583C, an act “relat[ing] to requirements for the collection and use of emergency health data and personal information and the use of technology to aid during COVID-19.”[41] This bill would have applied to a wide set of “covered entities,” including “any person, including a government entity[,] that collects, processes, or discloses emergency health data … electronically or through communication by wire or radio,” as well as any entity that “develops or operates a website, web application, mobile application, mobile operating system feature, or smart device application for the purpose of tracking, screening, monitoring, contact tracing, or mitigation, or otherwise responding to the COVID-19 public health emergency.”[42]
S8448D / A10583C would have required all covered entities to obtain informed, opt-in consent before collecting or using any “emergency health information,” defined as “data linked or reasonably linkable to an individual, household, or device … that concerns the public COVID‑19 health emergency.” This category would have included, for example, genetic, geolocation, demographic, contact tracing, or device information. Further, the act would have imposed strict limits on how and for what purpose covered entities could have processed, shared, or retained such emergency health data.
In terms of information security, the act would have required covered entities to implement reasonable security procedures and practices. It also would have required all covered entities to undergo regular data protection audits—conducted by third-parties—to assess if they had lived up to any promises made to consumers in their privacy notices. Such audits also would have been charged with assessing the relative benefits and costs of the technology a covered entity utilized, along with “the risk that the technology may result in or contribute to inaccurate, unfair, biased, or discriminatory decisions.”[43] Finally, the act would have authorized New York’s Attorney General to undertake enforcement actions and impose “civil penalties up to $25,000 per violation or up to four percent of annual revenue.”[44] In the 2020 legislative session, S8448D / A10583C passed a vote in the New York State Senate. At the start of the 2021 session, the New York State Senate and New York State Assembly each reintroduced versions of the bill.[45]
iii. State Laws Not Enacted
California. California considered two 2020 bills, AB 660 and AB 1782, that aimed to preserve the privacy of data gathered through contact tracing, but neither made it out of the California Senate Appropriations Committee.
AB 660 sought to “prohibit data collected, received, or prepared for purposes of contact tracing from being used, maintained, or disclosed for any purpose other than facilitating contact tracing efforts.”[46] It also sought to prohibit any law enforcement official from engaging in contact tracing and required deletion of all information collected through contact tracing within 60 days, except for when in the possession of a health department.[47] The proposed bill also included a private right of action for injunctive relief and attorneys’ fees.
AB 1782, the Technology-Assisted Contact Tracing Public Accountability and Consent Terms (TACT-PACT) Act, was a broader bill aimed at businesses engaging in technology-assisted contact tracing (TACT). Under the bill, such businesses were to “provide a simple mechanism for a user to revoke consent for the collection, use, maintenance, or disclosure of data and permit revocation of consent at any time.”[48] The bill also would have required any businesses not affiliated with a public health entity to disclose that fact conspicuously. The TACT-PACT Act sought to require businesses or public health entities offering TACT to issue public reports at least every 90 days containing certain information, such as the “number of individuals whose personal information was collected, used, or disclosed pursuant to TACT,” and the categories and recipients of the information.[49] The bill also would have imposed encryption requirements for information collected using TACT and provided that the California Attorney General, district attorneys, city attorneys, and members of the public could bring civil actions against businesses for relief from violations of this act’s provisions.[50]
Minnesota. Introduced in June 2020, Minnesota’s HF 164 would have authorized contact tracing using electronic means and would have prohibited mandatory tracking or mandatory disclosure of health status; further, that law would have forbidden mandatory health tracking by employers. HF 164 would have allowed any person “aggrieved by a violation of this section” to bring a civil action where they could have been awarded “up to three times the actual damages suffered due to the violation,” punitive damages, costs and attorney fees, and injunctive or other equitable relief the court deems appropriate.[51] HF 164 did not become law in the 2020 session, and has not been subsequently reintroduced.
Ohio. Ohio bill HB 61 / SB 31 sought to establish guidelines for all future contact tracing efforts but failed to pass that state’s senate. This failed bill specified that contact tracing is voluntary, that information acquired during contact tracing is not a public record, and that consent is requisite to beginning any contact tracing.[52]
iv. State Attorneys General and COVID-19 Privacy
State Attorneys General Joint Letter. In June of 2020, approximately 40 Attorneys General sent a joint letter to two large technology companies regarding the companies’ effort to develop an application programming interface (API) for public health authorities to use in creating contact tracing applications.[53] The Attorneys General raised concerns that entities other than public health authorities might use this new API in ways that could “pose a risk to consumers’ privacy.” The Attorneys General therefore called on the companies to: (1) verify that any contact tracing application using this API was, in fact, affiliated with a public health authority; (2) remove from their mobile-app marketplaces those apps that could not be so verified; and (3) remove all contact tracing applications from their respective mobile-app marketplaces at the end of the COVID-19 national emergency.[54]
New York Consent Agreement with Videoconferencing Business. Despite requests from industry groups to delay enforcement due to COVID-19, New York began enforcement of the Stop Hacks and Improve Electronic Data Security (SHIELD) Act in March of 2020. A videoconferencing software made more popular during the pandemic was the first target of a SHIELD-like enforcement action, one that yielded a significant consent decree.[55] Although not technically brought under the SHIELD Act, the consent decree included many provisions aimed at ensuring compliance with the Act’s mandates, including requirements to maintain a comprehensive data security program involving regular security risk assessments, to report those assessments to the office of the New York Attorney General, and to enhance encryption protocols. The videoconferencing business also agreed to stop sharing user data with social media companies and to give videoconference hosts more control over outside access to videoconferences.[56]
C. Legislative Developments
1. State Legislative Developments
i. California
a. California Consumer Privacy Act (CCPA)
Effective January 1, 2020, the California Consumer Privacy Act (CCPA) aims to give California consumers increased visibility into and control over how companies use and share their personal information. The CCPA applies to all entities that conduct business in California and collect California consumers’ personal information if those entities meet certain thresholds relating to their annual revenue or volume of data processing.[57]
Despite initially passing in 2018 and coming into effect early in 2020, the CCPA has continued to evolve throughout 2020, as reported in detail in Gibson Dunn’s prior CCPA updates.[58] On August 14, 2020, California Attorney General Xavier Becerra announced that the state’s Office of Administrative Law approved the final CCPA regulations.[59] The approved regulations—which took effect immediately on August 14, 2020—largely track the final regulations proposed by the Attorney General on June 1, 2020, and include regulations focused on key definitions, notices to consumers, business practices for handling consumer requests, verification of requests, special rules regarding consumers under 16 years of age, and anti-discrimination rules.[60]
On October 12, 2020 and December 10, 2020, Attorney General Becerra submitted additional modifications to the regulations, clarifying the opt-out requirement for the sale of personal information.[61] Specifically, these modifications reintroduce the requirement that businesses that substantially interact with consumers offline must provide an offline notice of a consumer’s ability to opt out of the sale of personal information. In addition, the modifications reintroduce language requiring that the methods used by businesses for submitting requests to opt out “be easy for consumers to execute” and “require minimal steps to allow the consumer to opt-out.” The modifications also provide a uniform opt-out button companies may choose to use.[62]
b. California Privacy Rights and Enforcement Act (CPRA)
On November 3, 2020, only four months after the CCPA became enforceable by the California Attorney General, Californians voted in favor of California Proposition 24, and with it, the California Privacy Rights and Enforcement Act (CPRA), which further amends but does not replace the CCPA. Of note, the CPRA will become law as written and cannot be readily amended by the state legislature. Instead, any significant changes to the law would require further voter action. Although the CPRA will not go into effect until January 1, 2023, it provides consumers with rights relating to personal information collected during the prior 12 months, thus extending the CPRA’s reach to personal information collected on or after January 1, 2022. The CCPA will remain in full force and effect, as previously drafted, until the effective date of the further amendments under the CPRA.
As reported in Gibson Dunn’s prior CPRA updates,[63] the CPRA expands upon the CCPA in granting the right to limit the use of consumers’ sensitive personal information, the right to correct personal information, the right to data minimization, and a broader right to opt out of the sale of personal information; in imposing requirements and restrictions on businesses, including new storage limitation requirements, restrictions on automated decision-making, and audit requirements; and in expanding breach liability. The CPRA also amends the definition of covered “businesses” by increasing the threshold number of consumers or households (and eliminating the consideration of “devices” from this number)[64] from 50,000 to 100,000 (exempting certain smaller businesses)[65] and broadening the threshold percentage of annual revenue to also include revenue derived from sharing personal information.[66] Further, it expands the definition of “publicly available information” to include information “that a business has a reasonable basis to believe is lawfully made available to the general public by the consumer or from widely distributed media,” as well as “information made available by a person to whom the consumer has disclosed the information if the consumer has not restricted the information to a specific audience.”[67] The CPRA also expands the definition of “selling” to expressly include sharing and cross-context behavioral advertising.[68]
Additionally, the CPRA establishes an entirely new enforcement agency—the California Privacy Protection Agency (CPPA)—that will have co-extensive enforcement authority with the California Attorney General. The CPPA will have administrative enforcement authority, while the Attorney General will have civil enforcement authority to impose civil penalties of up to $2,500 per violation or $7,500 per intentional violation or violation involving a minor’s protected personal information.
ii. Other States’ Laws
Aside from the CPRA, several other states considered, passed, or began enforcement on their own data privacy and consumer protection laws in 2020, though to date none have been as far‑reaching as those of California.
a. Maine
Maine’s “Act To Protect the Privacy of Online Customer Information” went into effect July 1, 2020.[69] The Act prohibits Internet providers from using, disclosing, selling or permitting access to customer personal information unless the customer consents, and the provider may not refuse to serve a customer or penalize a customer that does not consent.[70] The Act does provide for some exceptions from obtaining customer consent—specifically, for the purpose of providing the service, advertising the Internet provider’s own services, protecting against fraudulent or unlawful use of the services, providing emergency services, and facilitating payment.[71]
b. Nevada
On October 1, 2019 Nevada’s “Act relating to Internet privacy” went into effect, requiring website operators to permit consumers to opt out of the sale of personal information to third parties.[72] However, as of this writing there has not been news of any enforcement under this law.
A second Nevada privacy law came into effect on January 1, 2021, in the form of amendments to NRS 603A.210 that require government agencies maintaining records that contain personal information about Nevada residents to comply with the current version of the Center for Internet Security Controls or corresponding standards adopted by the National Institute of Standards and Technology of the United States Department of Commerce.[73] Furthermore, the amendment requires Nevada’s Office of Information Security of the Division of Enterprise Information Technology Services of the Department of Administration to create and make available a public list of controls with which the state must comply.[74] Additionally, before disposing of electronic waste, Nevada’s courts must first permanently remove any data stored on such objects.[75]
c. New York
As noted previously, New York’s Stop Hacks and Improve Electronic Data Security Act (SHIELD Act) went into effect in March of 2020.[76] The SHIELD Act amends the state’s existing data breach notification law to impose an affirmative duty on covered entities to implement reasonable data security to protect the “private information” of New York residents (with a more flexible standard for small businesses).[77] To provide “reasonable data security,” a person or business that collects or maintains the private information of New York residents must implement a data security program with specified administrative, technical, and physical safeguards, including disposal of data after that data is no longer necessary for business purposes and designating an employee to oversee the data security program.[78] The Act, however, specifies that entities that are compliant with certain federal statutes, such as the Gramm‑Leach‑Bliley Act (GLBA) or Health Insurance Portability and Accountability Act (HIPAA) are also deemed compliant with the SHIELD Act.[79] The SHIELD Act grants the Attorney General enforcement authority and the power to bring suit for a failure to provide reasonable data security, but does not allow for private action.[80]
Separately, Governor Cuomo recently proposed a comprehensive New York data privacy bill, titled the “New York Data Accountability and Transparency Act” (NYDAT), as part of his 2021 budget.[81] Similar to the CPRA, NYDAT would grant New York residents the right to request that a business destroy or correct that resident’s personal information, as well as the right to opt out of the sale of personal information. The Act would also carry data minimization requirements, and would allow consumers to enforce this and other requirements through a private right of action. Furthermore, NYDAT would create a new data privacy agency, the Consumer Data Privacy Advisory Board, which would be empowered with rulemaking authority.[82]
In prior legislative sessions, comprehensive data privacy bills with even stronger protections have been proposed, such as the New York Privacy Act.[83] That proposal would have imposed on covered entities a “data fiduciary duty,” and would have granted New York residents a private right of action for any violation of the bill.[84] Given newly-elected Democratic supermajorities in both houses of New York’s state legislature,[85] any final NYDAT bill may well end up including some of these heightened protections or broader enforcement mechanisms.
d. Oregon
Oregon’s “Act Relating to actions with respect to a breach of security that involves personal information” went into effect January 1, 2020.[86] The Act defines a covered entity as a person that owns, licenses, maintains, stores, manages, collects, processes, acquires, or otherwise possesses personal information in the course of the person’s business, vocation, occupation, or volunteer activities.[87] Under the Act, covered entities must notify customers and the Attorney General of any breach of security regarding personal information.[88] The Act amended, broadened, and renamed the Oregon Consumer Identity Theft Protection Act, defined “covered entities,” and specifically required vendors to report security breaches.[89] The Act also added usernames (and other methods of identifying a consumer for the purpose of permitting access to a user’s account) to the definition of “Personal information.”[90] Notably, “Personal information” under the Act includes data from automatic measurements of a consumer’s physical characteristics, such as fingerprint, retina, and iris data.[91]
Similarly, Oregon’s “Act Relating to security measures required for devices that connect to the Internet” went into effect January 1, 2020.[92] The Act requires manufacturers to equip Internet‑connected devices with “reasonable” security, which may consist of external authentication or compliance with federal law for such devices. This is similar to California’s Security of Connected Devices law, which also took effect January 1, 2020.[93]
e. Washington
Washington’s “Act relating to the use of facial recognition services,” which will go into effect July 1, 2021, regulates the use of facial recognition technology by state and local governments.[94] The Act requires government agencies that intend to develop, procure, or use facial recognition services to specify the purpose of the technology, produce an accountability report, and ensure that decisions made by such a service are subject to human review if they have legal effect. Such agencies are further required to test the service’s operational conditions, conduct periodic training of individuals who operate the service or process acquired personal data, and, where information gathered by such services is to be used in prosecutions, disclose use of the service to criminal defendants in a timely manner prior to trial.[95] Furthermore, under the Act, state and local agencies must require their providers of facial recognition services to make available an application programming interface (API) or other technical capability to ensure independent review regarding the accuracy and fairness of performance across subpopulations divided by race and other protected characteristics.[96]
f. Additional State Laws Under Consideration and Local Laws Passed
A number of other states continued to consider passing comprehensive privacy laws, both in 2020 and at the start of 2021. In Washington State, for instance, Senator Reuven Carlyle has released the draft Washington Privacy Act 2021 for review and public comment,[97] which marks the third introduction of the Washington Privacy Act. The draft Act seeks to provide consumers the right to access, correct, and delete personal data, and to opt out of collection and use of personal data for certain purposes.[98] Furthermore, the Act would seek to protect use of personal and public health data during the global pandemic as technological innovations emerge, especially in relation to contact tracing.[99]
Several other states also considered biometric privacy legislation in 2020, including Massachusetts, Hawaii, and Arizona.[100] On this point, a growing number of municipalities passed laws or ordinances in 2020 that banned or limited the use of facial recognition technology, including Boston, Pittsburgh, Oakland, San Francisco, Portland (Maine), and Portland (Oregon).[101] Pittsburgh, for its part, enacted a law that limits police use of facial recognition to instances in which its city council finds that acquisition, retention, and use of such technology does not perpetuate bias or pose risks to the civil rights and liberties of residents.[102] Portland, Oregon’s ban, meanwhile, is the first to limit private businesses’ use of facial recognition technology in public places—that ordinance went into effect January 1, 2021.[103] Diverging privacy protections granted across states (and cities) will continue to pose serious questions for businesses navigating this complex compliance environments.
2. Federal Legislative Developments
i. Comprehensive Privacy Legislation
As the patchwork of federal, state, and local privacy regulations grows more complex, comprehensive federal privacy legislation remains a popular, but elusive goal, often divided along partisan lines.[104] Democratic legislators, in general, favor federal privacy legislation that includes a private right of action, while Republicans tend to favor legislation that explicitly preempts state privacy laws.[105] With a Democratic administration and (narrow) Democratic majorities in Congress, the chances of passing federal privacy legislation may be greater now than in past years. At the same time, because many states and cities have made noteworthy legislative developments in 2020 (as outlined above), Democratic legislators may feel less incentive to compromise on a federal privacy law if it means accepting federal preemption of such state- and city-level efforts.[106]
In any case, with the 2020 election behind us, 2021 may well see a renewed push for a comprehensive federal privacy law. Several bills introduced during 2020, as discussed below, provide insight into the type of legislation we may see in the months and years ahead. But it remains to be seen which, if any, of these approaches will gain traction in 2021, particularly as any such bills from the last Congress would need to be reintroduced in the current one.
a. Republican-Backed Legislation
The Setting an American Framework to Ensure Data Access, Transparency, and Accountability Act (SAFE DATA Act),[107] introduced in the last Congress by Senator Roger Wicker (R-MS)—the leading Republican on the Senate Commerce, Science, and Transportation Committee—has been called the “strongest piece of [privacy] legislation put forth by Senate Republicans to date.”[108] Introduced and referred to the Committee on Commerce, Science, and Transportation in September 2020, the SAFE DATA Act was largely an updated version of the U.S. Consumer Data Privacy Act (CDPA), which had been introduced by Republicans towards the end of 2019.[109] The SAFE DATA Act also drew upon two prior bipartisan proposals—the Filter Bubble Transparency Act,[110] and the Deceptive Experiences To Online Users Reduction Act (DETOUR Act).[111] Key features of the SAFE DATA Act included: (1) requiring companies to obtain express consent before processing sensitive data or using personal data for behavioral or psychological studies; (2) providing users with the right to access, correct and delete their data, as well as data portability; (3) requiring companies to notify users if personal data is used with an “opaque” algorithm to select content that the user sees, and to offer users a version of the platform that uses an “input‑transparent” algorithm instead; and (4) creating a victims’ relief fund within the Treasury Department to provide consumers with monetary relief for privacy violations.[112] The bill remained consistent with the two pillars of other Republican-backed efforts by expressly preempting state laws and many federal laws, and by not providing for a private right of action.[113]
Senator Jerry Moran (R-KS) also introduced the Consumer Data Privacy and Security Act of 2020 (CDPSA),[114] which would have provided for the broad preemption of all related state and local laws, and would not have included a private right of action.[115] This bill was referred to the Committee on Commerce, Science, and Transportation in March,[116] but did not become law.
b. Democratic-Backed Legislation
The Data Broker Accountability and Transparency Act of 2020 (DATA Act) was introduced in the House and referred to the House Committee on Energy and Commerce in May,[117] though the last Congress did not enact it as law. This proposal was the House version of a bill introduced in the Senate in September 2019.[118] The DATA Act would have provided individuals with a right to access their data, dispute that data’s accuracy, and opt out of the use of their data for marketing purposes.[119] Additionally, the Act would have required data brokers to inform consumers on how to exercise their rights, and establish procedures to ensure the accuracy of collected personal information.[120] However, it did not include a private right of action—enforcement would have been left to the FTC and to state Attorneys General.[121]
Additionally, Senator Kirsten Gillibrand (D-NY) introduced the Data Protection Act of 2020 to create an independent national Data Protection Agency (DPA) that would have been empowered to promulgate rules and initiate enforcement actions to protect individual privacy—thus taking enforcement out of the FTC’s hands.[122] In particular, the bill’s supporters were concerned that a comprehensive federal privacy law without a private right of action could leave the FTC alone to enforce privacy rights, “which [Democrats] are convinced would lead to weak enforcement.”[123] Senator Gillibrand’s bill would have worked to address this concern by creating a new independent agency tasked with enforcing individual privacy rights instead.[124] The DPA would have had the authority to investigate and issue subpoenas against covered entities on its own initiative, or individual consumers could have themselves brought complaints and requests to the DPA.[125]
Finally, last June Senator Sherrod Brown (D-OH), the top Democrat on the Senate Banking, Housing, and Urban Affairs Committee, released a discussion draft of the Data Accountability and Transparency Act of 2020.[126] Although it was not formally introduced in the last Congress, the Act was noteworthy in that rather than depend on the usual consent-based privacy framework that requires users to agree to privacy policies to use online services, this proposal would have completely banned the collection, use and sharing of personal data in most circumstances.[127] Additionally, it would have outlawed facial recognition technology and would have created a new agency with enforcement authority to protect privacy.[128]
c. Bipartisan-Backed Legislation
The Application Privacy, Protection and Security Act of 2020 (APPS Act)[129] was one of the only bipartisan comprehensive privacy laws proposed in the last Congress. First introduced in 2013, the APPS Act was reintroduced by Representative Hank Johnson (D-GA) and cosponsored by Representative Steve Chabot (R-OH).[130] It was referred to the House Committee on Energy and Commerce in May,[131] though it ultimately failed to become law. The APPS Act would have established new rules governing the collection and use of consumer data by applications on mobile devices.[132] It would have required developers to take “reasonable and appropriate measures” to secure personal data from unauthorized access, although it did not offer standards for what would be considered “reasonable.”[133] The proposal would also have required developers to provide specific information on the types of data that the application collects, the purpose of the collection, and the developer’s data retention policy.[134] Consumers, in turn, would have been given the right to opt out of data collection and delete previously collected data.[135] The APPS Act would only have preempted state laws that directly conflicted with it or provided a lower “level of transparency, user control, or security” than the APPS Act itself.[136] Finally, the proposal would not have provided a private right of action—instead, it would have been enforced by the FTC and by state Attorneys General.[137]
ii. Other Federal Legislation
In addition to the comprehensive privacy proposals considered in 2020, additional federal legislation was proposed, and in some cases enacted, on narrower and more specific topics related to data privacy and cybersecurity. Below are proposals that gained traction in 2020 or that may gain legislative momentum in 2021.
a. Internet of Things Cybersecurity Improvement Act
The Internet of Things Cybersecurity Improvement Act of 2020 (IoT Cybersecurity Improvement Act) was signed into law by President Trump on December 4, 2020.[138] The Act mandates certain security requirements for IoT devices purchased by the federal government.[139] These guidelines will be issued by the Office of Management and Budget, consistent with the National Institute of Standards and Technology’s (NIST) recommendations.[140] NIST will be tasked with working with the Department of Homeland Security to create these guidelines to help ensure that federal government devices and networks are secure from malicious cyberattacks.[141]
b. Biometric and Facial Recognition Legislation
Three federal legislative proposals were introduced in 2020 regarding the use of biometric and facial recognition technology. In part because this technology has been shown to disproportionately misidentify women and people of color,[142] legislators, and particularly Democratic legislators, have prioritized this space in order to better ensure equity and protect individuals’ privacy and safety. While none were enacted in the last Congress, each reflects the increased emphasis placed on this issue:
- The Ethical Use of Facial Recognition Act was introduced by Senators Jeff Merkley (D-OR) and Cory Booker (D-NJ), and would have placed a moratorium on the use of facial recognition technology by the federal government until Congress passed legislation regulating its use.[143]
- The Facial Recognition and Biometric Technology Moratorium Act of 2020 was a bicameral proposal[144] that would have barred federal government use of biometric technology, a ban which could only be lifted through a subsequent act of Congress.[145] The bill included a prohibition on the use of such data in judicial proceedings and a private right of action for individuals whose data is used in violation of the Act.[146] Senators Bernie Sanders (I-VT) and Elizabeth Warren (D‑MA) co-sponsored the Senate proposal,[147] while the House bill was co‑sponsored by seventeen Democratic House members.[148]
- The National Biometric Information Privacy Act of 2020 was introduced in the Senate by Senators Jeff Merkley (D-OR) and Bernie Sanders (I-VT).[149] The bill would have prohibited private companies from collecting biometric data without consumer or employee consent.[150] Additionally, it would have limited the ability to retain, buy, sell and trade biometric information without written consent.[151] The bill would have been enforced by state Attorneys General, as well as by individuals through a private right of action.[152]
c. Lawful Access to Encrypted Data Act
The Lawful Access to Encrypted Data Act was a Republican bicameral proposal that would have required device manufacturers and service providers to assist law enforcement in accessing encrypted data if a proper warrant were obtained, and which would have directed the United States Attorney General to create a prize competition to award participants who create a lawful access solution to an encrypted environment.[153]
d. USA FREEDOM Reauthorization Act of 2020
In March 2020, as discussed in more detail at Section III.B., three Foreign Intelligence Surveillance Act (FISA) authorities lapsed: (1) Section 215 of the USA Patriot Act, also known as the “business records” provision;[154] (2) the “lone wolf” authority;[155] and (3) the “roving wiretap” authority.[156] Initially, this appeared to provide an opportunity for changes to be made to FISA, and the Senate passed several bipartisan FISA amendments aimed at strengthening various privacy protections.[157] However, the House rejected these amendments, and as of this writing, these authorities continue to remain lapsed unless and until the current Congress reauthorizes them.
e. Attempts to Weaken Section 230 of the Communications Decency Act
Under Section 230 of the Communications Decency Act (Section 230)[158] online platforms and technology companies are shielded from liability for content posted by certain third parties.[159] Several legislative proposals in the last Congress directly aimed at curtailing this immunity, and while none became law, similar efforts will almost surely be made in 2021.[160] Key 2020 bills included:
- The Limiting Section 230 Immunity to Good Samaritans Act (Good Samaritans Act) was introduced by Senator Josh Hawley (R-MO) in June of 2020.[161] That bill would have required companies that want to receive Section 230 immunity to contractually bind themselves to a duty of good faith when enforcing their terms of service in order to avoid discriminatorily applying such terms, or risk a $5,000 fine per violation.[162] Sponsoring senators stated that the bill’s goal was to decrease technology companies’ ability to silence conservative political speech.[163]
- Senate Judiciary Chairman Lindsey Graham (R-SC) and bipartisan co‑sponsors introduced the Eliminating Abusive and Rampant Neglect of Interactive Technologies Act of 2020 (EARN IT Act).[164] Upon introduction, the EARN IT Act was referred to the Committee on the Judiciary, where it was unanimously approved.[165] On July 20, the proposal was placed on the Senate Legislative Calendar.[166] As of November, the EARN IT Act had a total of sixteen bipartisan co-sponsors,[167] though ultimately the last Congress did not enact it into law. The proposal would have established a national commission to determine best practices for technology companies to prevent the exploitation of children online. It also would have created an incentive for technology companies to follow those practices by removing Section 230 immunity for child sexual abuse posted on their platforms.[168]
- The Behavioral Advertising Decisions Are Downgrading Services Act (BAD ADS Act) was introduced by Senator Josh Hawley (R-MO) and referred to the Committee on Commerce, Science, and Transportation in July.[169] Had it become law, the BAD ADS Act would have required large technology companies to stop personalized behavioral advertising in order to maintain their Section 230 immunity.[170]
f. Amendments to the Children’s Online Privacy Protection Act of 1998
In 2019, the FTC launched a broad review of the Children’s Online Privacy Protection Act of 1998 (COPPA)[171] in an effort to modernize the statute and provide greater protections for children online.[172] Two pieces of legislation were proposed in the House in January 2020 to amend and update COPPA as a result of this initiative, though neither ultimately became law.
First, the bipartisan PROTECT Kids Act would have: (1) raised the minimum age under which parental consent must be obtained before a company can collect personal data from 13 to 16 years old; (2) clarified that COPPA applies to mobile applications; and (3) added geolocation and biometric data as categories of personal data protected under COPPA.[173] Second, the Democratic-supported PRIVACY Act would have modified requirements for commercial entities with respect to information collected from children under 13, and “young consumers” under 18 years old.[174] For example, it would have required: (1) securing such information and periodically testing security measures; (2) obtaining consent to process such information; and (3) providing consumers the right to access and delete it.[175]
D. Enforcement and Guidance
1. Federal Trade Commission
As in past years, in 2020 the Federal Trade Commission (FTC) was one of the federal government’s foremost enforcers in the area of privacy and data security. In this section, we discuss the FTC’s robust enforcement actions during 2020. We also preview an important legal challenge for the FTC at the Supreme Court, where the Court is poised to resolve a split among the Circuit Courts of Appeals regarding the FTC’s authority to seek monetary relief under Section 13 of the FTC Act.[176]
i. Data Security and Privacy Enforcement
The FTC pursued a number of significant enforcement, and related, actions in 2020 relating to data privacy.
Section 6(b) Study Related to Social Media and Video Streaming Companies. In mid‑December, the FTC issued orders to nine major technology companies, requiring them to provide the FTC with information regarding how the companies collect, use, and present personal information; their advertising and user engagement practices; and how their practices affect minors.[177] The FTC issued these orders under Section 6(b) of the FTC Act, which gives the FTC authority to conduct broad studies without first identifying a specific law enforcement purpose. These types of studies typically lead to reports and potentially legislative proposals.
Landmark Settlement. In April, the U.S. District Court for the District of Columbia approved a landmark $5 billion settlement with a major technology company over allegations by the FTC that the company misled users into thinking certain settings would protect their information, including pictures and videos, when instead such information was allegedly shared by the company with advertisers and other third parties.[178] In a statement at the time, FTC Chairman Joe Simons indicated that the settlement was “by far the largest monetary penalty ever obtained by the United States on behalf of the FTC and the second largest in any context.”[179]
Significant Consent Breach Settlement. In August, a major social media platform announced that it expects to pay up to $250 million to resolve charges by the FTC that the company had breached a 2011 consent decree by using data that users provided for security purposes, such as phone numbers and email addresses, to target such users with advertisements.[180] The company initially entered into the 2011 consent decree, which remains in effect until 2031, after hackers were able to gain unauthorized control over users’ accounts on the company’s platform, including access to some users’ private messages.
Cybersecurity Practices Settlement. In November, the FTC announced a major, albeit nonmonetary, settlement with a leading digital communications company over allegations that the company engaged in unfair and deceptive practices by issuing misleading statements regarding the company’s cybersecurity practices.[181] The FTC alleged that the company represented to users that it used end-to-end encryption on all teleconferences, when in fact it only used such encryption when a call was hosted on a customer’s server. The FTC also alleged that the company advertised itself as using 256-bit encryption despite actually using a lower level of encryption; that the company advertised that it immediately encrypted and stored teleconference recordings when in fact such recordings remained unencrypted for 60 days; and that the company circumvented certain browser privacy safeguards and failed to disclose this circumvention.
Children’s Privacy Consent Decree. In July, media reports indicated that the FTC was investigating the developer of a popular social media application for alleged violations of a 2019 consent decree geared toward protecting children’s privacy.[182] The consent decree required the company to delete videos and personal information relating to users under the age of 13. The FTC has not yet commented on the investigation, but two unidentified individuals have reported being interviewed by the FTC in connection with this investigation.
ii. Supreme Court to Rule on FTC’s Monetary Relief Authority
The FTC typically seeks monetary relief in privacy and cybersecurity actions under Section 13(b) of the FTC Act, which states that, “Whenever the Commission has reason to believe … that any person, partnership, or corporation is violating, or is about to violate any provision of law enforced by the Federal Trade Commission[,]” the Commission may seek “a temporary restraining order or a preliminary injunction[.]”[183] As discussed in last year’s Review, despite the lack of any express reference to monetary remedy or relief, the FTC views its authority to recover monetary relief under Section 13(b) as well settled. But in 2019, the Court of Appeals for the Seventh Circuit created a circuit split by holding in FTC v. Credit Bureau Center, LLC[184] that Section 13(b) does not authorize the FTC to seek monetary awards, breaking with eight other circuits and with its own prior precedent. The Seventh Circuit reached this decision by relying on the textualist observation that Section 13(b) “authorizes only restraining orders and injunctions,”[185] and although the court conceded that it had previously “endorsed [the FTC’s] starkly atextual interpretation,” it ultimately determined that “[s]tare decisis cannot justify adherence to [that] approach.”[186]
In July, the U.S. Supreme Court granted certiorari[187] in a related case, AMG Capital Management, LLC v. FTC,[188] to resolve whether Section 13(b) does confer the authority to impose monetary awards.[189] In AMG, the Ninth Circuit affirmed an approximately $1.27 billion equitable monetary award the FTC obtained under Section 13(b) against a payday lender. Although the Ninth Circuit observed that Plaintiff’s argument regarding the FTC’s authority to obtain monetary judgments under Section 13(b) “ha[d] some force,” it concluded such an argument was “foreclosed by our precedent.”[190] Should the Supreme Court ultimately hold that the FTC lacks such authority, the ruling could have seismic implications on how the FTC goes about enforcing federal data privacy and security laws, an outcome that would likely lead to new legislation.
2. Department of Health and Human Services and HIPAA
As discussed above, in 2020 the Department of Health and Human Services (HHS) grappled with unprecedented patient privacy challenges caused by the COVID-19 pandemic. While HHS continued to conduct investigations and issue civil penalties for violations of the Health Insurance Portability and Accountability Act (HIPAA), it also allowed for some leniencies, especially with regard to telehealth regulations. The Office for Civil Rights (OCR) at HHS was particularly active in 2020 through its new HIPAA Right of Access Initiative, which it launched toward the end of 2019. The OCR settled more than a dozen Right of Access Initiative investigations in 2020, with entities ranging from hospital systems to solo practitioners—all in an effort to ensure patients have timely and affordable access to their own medical records.
Also to that end, in December 2020, HHS OCR proposed significant changes to the HIPAA Privacy Rule via a Notice of Proposed Rulemaking (NPRM). These proposed changes seek to increase patients’ access to their electronic health information, advance the state of coordinated health care, and reduce the regulatory burdens on the healthcare industry more broadly. These developments are further addressed below.
i. HHS OCR Enforcement
In 2020, the OCR continued to enforce privacy protections for patients through investigations and settlements, especially as part of its Right of Access Initiative. 2020 also saw the second‑largest settlement in OCR’s history ($6.85 million paid by a large health insurer). However, the numerous smaller-dollar settlements that the OCR reached with a diverse range of health care entities, including solo practitioners and non-profits, tend to reflect HHS’s “high‑volume, low‑penalty focus” as announced in April 2019.[191] The following are notable HIPAA‑related settlements from 2020:
Large Health Insurer Malware Attack. The largest settlement of the year, at $6.85 million, involved a large regional health insurer that was subject to a malware attack that compromised the health data of over 10 million individuals. The attack was perpetrated using a phishing email that gained access to the insurer’s IT system. The OCR investigation found “systemic noncompliance with the HIPAA Rules including failure to conduct an enterprise-wide risk analysis, and failures to implement risk management, and audit controls.”[192] The insurer agreed to two years of monitoring, in addition to the monetary penalty.
Low Penalty Settlements. As part of HHS OCR’s recent “high-volume, low-penalty focus,” HHS OCR also reached multiple settlements with individual health care providers and other smaller entities. As one example, a Utah-based solo practitioner settled with the OCR for $100,000 following an investigation that revealed a “failure to implement basic HIPAA requirements.”[193] This case, and other similarly small settlements reached in 2020, demonstrate that HHS is increasingly interested in ensuring HIPAA compliance at all levels of the health care sector.
Right of Access Settlements. HHS also reached a number of settlements under the Right of Access Initiative, which is intended to enforce HIPAA provisions aimed at ensuring patients have access to their own medical records. As just one example, a small psychiatry office in Colorado agreed to pay $10,000 to the OCR in response to a complaint that it had failed to comply with the HIPAA Privacy Rule’s right of access provision. Many of the other Right of Access Initiative settlements in 2020 involved similarly low monetary settlement amounts, with the focus instead being placed on corrective action.[194]
ii. Involvement by State Attorneys General
In recent years, state Attorneys General have been increasingly involved in enforcing HIPAA regulations, a trend which continued in 2020. Most notably, in September, a 43-state coalition of Attorneys General reached a settlement with a major health insurer over the largest health data breach in United States history, which occurred between December 2014 and January 2015. The insurer’s $39.5 million settlement with the Attorneys General followed its record-setting $16 million settlement with the OCR in 2018,[195] and the approval, also in 2018, of a $115 million class action settlement in the Northern District of California.[196] We expect that state Attorneys General will continue taking an active enforcement and investigatory role with respect to health care data privacy protections going forward.
iii. COVID-19 Regulations and Guidance
The pandemic has raised many challenging patient privacy issues, requiring HHS to balance the desire for robust privacy protections with the necessity of timely and widespread access to testing and care. HHS has been active in issuing guidelines in response to the novel issues posed in 2020, as demonstrated by the following:
- Patient-Provider Communications. In March 2020, HHS announced it would “exercise its enforcement discretion and … waive potential penalties for HIPAA violations against health care providers that serve patients through everyday communications technologies during the COVID-19 nationwide public health emergency.”[197] This Notification of Enforcement Discretion (NDE) cleared providers for the good faith use of videoconferencing services, such as FaceTime and Skype, when communicating with patients remotely. The NDE currently has no expiration date.[198]
- COVID-19 Testing Sites. In April 2020, HHS announced it would not impose penalties “for violations of the HIPAA Rules against covered entities or business associates in connection with the good faith participation in the operation of COVID-19 testing sites during the COVID-19 nationwide public health emergency.”[199] This NDE allowed those companies and agencies equipped to facilitate COVID-19 testing to launch efforts without being stalled by the need to ensure robust HIPAA protections.
- Blood and Plasma Donation. In June 2020, HHS issued guidance that “covered health care providers [can] contact their patients who have recovered from COVID‑19 to inform them about how they can donate their blood and plasma containing antibodies to help other patients with COVID-19.”[200] In August 2020, the Trump administration amended this guidance to further provide that hospitals, pharmacies, laboratories, and health plans may also contact recovered patients about blood donation.[201]
iv. Request for Public Comments on HHS’s Notice of Proposed Rulemaking (HIPAA Privacy Rule)
On December 10, 2020, HHS announced an NPRM with respect to HIPAA’s Privacy Rule as part of its Regulatory Sprint to Coordinated Care initiative. The initiative, launched under HHS Secretary Alex Azar, broadly seeks to “promote value-based health care by examining federal regulations that impede efforts among health care providers and health plans to better coordinate care for patients.”[202]
The currently proposed changes to HIPAA, in particular, would facilitate increased patient and caregiver access to medical records, as well as decrease regulatory barriers to information sharing between providers for the purposes of care coordination and case management.[203] The NPRM was published in the Federal Register on January 21, 2021, and stakeholders have until March 22, 2021 to submit comments.[204]
3. Securities and Exchange Commission
The Securities and Exchange Commission (SEC) is increasingly focused on digital practices and risks, as evidenced by its recent guidance on privacy and cybersecurity and its prioritization of information security issues. For example, a review of SEC enforcement actions in 2020 shows that cryptocurrency and initial coin offerings remained a central focus for the Commission. The Commission also filed two enforcement actions related to web-based market manipulation schemes. That said, the SEC announced no new enforcement actions related to account intrusions, hacking, or cybersecurity controls and safeguarding customer information in 2020.
i. Data Privacy Guidance and Examination Priorities
On January 7, 2020, the SEC’s Office of Compliance Inspections and Examinations (OCIE) released its 2020 Examination Priorities for registered firms.[205] The Priorities make clear that companies could face regulatory action if they materially understate their digital risks, avoid discussing significant incidents they have already experienced, or publicly overstate their data security or privacy practices. The Priorities emphasize that registrants’ use of non-traditional sources of data from inputs like mobile device geolocations, consumer credit card records, and other Internet-based information, will be a particular focus of examination review.[206] The Priorities also establish that OCIE will prioritize cyber and other information security risks.[207]
On January 27, 2020, OCIE also issued guidance regarding data loss prevention policies, scrutiny of third-party vendors, and the use of detailed and routinely tested incident response plans to prepare for issues in the cybersecurity space.[208] This guidance prominently features data loss prevention policies, and recommends that firms regularly scan for vulnerabilities in their systems, establish patch management programs, and screen for insider threats by monitoring suspicious activity.
Further, on July 28, 2020, the SEC announced the creation of a new specialized unit within OCIE designed to rapidly respond to current market threats and critical matters.[209] In light of the SEC’s increased focus on digital risks, this Event and Emerging Risks Examination Team (EERT) was specifically tasked with addressing cybersecurity incidents (in addition to other significant market events that could have a systemic impact or that place investors assets at risk).
ii. Cryptocurrency
The SEC also focused substantial enforcement resources on combatting unregistered or fraudulent initial coin offerings (ICOs) to the public, filing no fewer than 23 individual enforcement actions related to digital assets or ICOs in the 2020 calendar year.[210] Two cases were particularly significant because the courts affirmed an expansive interpretation of the SEC’s regulatory authority:
- On June 26, 2020, the SEC won a cryptocurrency enforcement decision before the U.S. District Court for the Southern District of New York, ultimately resulting in an $18.5 million civil penalty.[211] Addressing the plaintiff’s earlier motion for a preliminary injunction, the court found that the digital assets in question were, in fact, subject to applicable securities laws, and that the SEC had shown a substantial likelihood of success in proving that the defendants had engaged in an unregistered offering of securities in their sale of digital tokens to investors.[212] By focusing on “economic reality” and piercing through contractual representations and warranties to decide whether a token sale should be regulated under the securities laws, the court articulated a broad interpretation of the SEC’s enforcement authority.[213]
- Similarly, on September 30, 2020, U.S. District Court for the Southern District of New York gave the SEC another significant victory, this time against a mobile messenger application company, alleging that the company had engaged in an unregistered offer and sale of digital asset securities. The Court again emphasized the “economic realities” of the transactions at issue and found that under the Supreme Court’s test in SEC v. W.J. Howey Co.,[214] the company’s token sales were a single integrated offering and so needed a registration statement.[215]
In addition to obtaining these significant decisions, the Commission filed many other cryptocurrency-related actions over the course of the year, with claims ranging from defrauding investors to engaging in unauthorized sales of securities.[216] This underscores the emphasis the Commission continues to place on enforcement in this area.
iii. Web-Based Market Manipulation
2020 also saw the SEC zero in on web-based market manipulation concerns. For example, towards the beginning of the year, the Commission filed a complaint against a Russian national (and entities he controlled) for allegedly participating in a plot to lure investors into purchasing fictitious certificates of deposit promoted through internet advertising and “spoofed” websites that imitate the actual sites of legitimate financial institutions.[217] On December 23, 2020, the Court entered default judgment for the SEC based on the defendants’ failure to respond.[218] Likewise, later in 2020, the Commission filed charges against a former day trader for his alleged role in a market manipulation scheme in which he and several other individuals fabricated online rumors about publicly traded companies in order to trade around the temporary price increases caused by the dissemination of the false information.[219] Taken together, these developments suggest that web-based manipulation will also be an important area of enforcement (consistent with the Commission’s renewed focus on cybersecurity and data integrity discussed above).
4. Other Federal Agencies
In addition to the FTC, HHS, and SEC, other federal government entities continue to make headlines in the data security, privacy, and consumer protection space. This past year, there were notable developments at the Federal Communications Commission (FCC), the Department of Justice (DOJ), the Department of Defense (DoD), and the Department of Transportation (DOT).
i. Federal Communications Commission
a. Telephone Consumer Protection Act
While COVID-19 has slowed down many federal agencies, the pandemic has not impacted the pace of enforcement related to the Telephone Consumer Protection Act (TCPA). Indeed, new developments continue to arise daily at the time of this writing.
Under the Telephone Robocall Abuse Criminal Enforcement and Deterrence Act (TRACED Act), passed in December of 2019, the Federal Communications Commission (FCC) was required to clarify exemptions to the TCPA by December 30, 2020.[220] To that end, the FCC has now issued a Notice of Proposed Rulemaking[221] that could bring about substantial changes to TCPA enforcement—including making certain classes of non-commercial calls to residential phone lines, which were previously exempt, actionable under the TCPA.[222]
Additionally, two major cases involving interpretation and enforcement of the TCPA are currently making their way through the federal court system. The U.S. Supreme Court heard oral arguments in Facebook, Inc. v. Duguid on December 8, 2020—a case centered on a dispute over the definition of the term “autodialer” under the TCPA.[223] Additionally, in Carlton & Harris Chiropractic Inc. v. PDR Network, LLC, the Fourth Circuit set up another TCPA issue that may ultimately reach the Supreme Court when it ruled that FCC interpretation of portions of the TCPA is not subject to Chevron deference, as had been widely assumed.[224] District courts have given the FCC strong deference with respect to their interpretations of the TCPA for over a decade;[225] however, the result of PDR Network—if it stands—would allow courts to apply a much more relaxed form of deference, and to more frequently override the FCC’s interpretations of the TCPA.
b. Enforcement against Telecommunications Firms
In addition to its rulemaking function, the FCC has continued to actively enforce privacy and consumer protection laws under its purview. In late February 2020, for example, the FCC handed down over $200 million in fines against several of the nation’s major mobile carriers.[226] The fines resulted from a 2017 investigation into Securus, a prison phone company, which revealed that company’s plans to share users’ real-time location tracking information—obtained from the major mobile carriers—with law enforcement.[227] Press reports later confirmed that customer information from mobile carriers ended up in the hands of law enforcement officers without a warrant or any other valid legal orders.[228]
ii. Department of Justice
Although the DOJ has not traditionally played a leading role in enforcing privacy, cybersecurity, or consumer protection laws, in 2020 the DOJ took action significantly implicating all three areas.
First, in October 2020, the DOJ announced that it was moving forward with a high-profile antitrust investigations into the country’s largest technology companies. In what will likely become the largest antitrust lawsuit in more than two decades, the DOJ took aim at the tech industry and sued a large search engine platform and technology business.[229] Attorney General William Barr accused the search engine of using “its monopoly power … to lock up key pathways to search on mobile phones, browsers, and next generation devices [such] that no one can feasibly challenge [the search engine’s] dominance.”[230] Just two months later, the DOJ’s suit against the search engine was followed by federal and state antitrust cases against a large social media company, alleging similarly anticompetitive behavior.[231] We will continue to monitor the progress of both lawsuits throughout 2021 and beyond as a new Attorney General inherits these current actions from the previous administration.
Second, also in October, the DOJ made statements on two emerging technologies with privacy implications—encryption and cryptocurrency—sharing concerns about both. Both technologies have become widely used in numerous industries and have afforded users a newfound ability to protect the privacy of their data online.
On October 1, 2020, the DOJ published a comprehensive, 83-page strategy outlining the Department’s attitude towards cryptocurrency—both the underlying blockchain technology itself and the more esoteric markets for trading various forms of cryptocurrency.[232] In the report, the DOJ revealed an intention to litigate perceived abuses in both domestic and international cryptocurrency exchanges.
Later that month, the Attorney General co-signed a statement from the law enforcement branches of seven nations—the United States, the United Kingdom, Australia, New Zealand, Canada, India, and Japan—urging the tech “industry to address [the governments’] serious concerns” about end-to-end encryption.[233] In this statement, the DOJ called on tech companies to “include mechanisms in the design of their encrypted products and services [to allow governments to] gain access to data in a readable and usable format.”[234] While the debate about including a “backdoor” to encrypted devices and data has been raging for over a decade, this joint statement signals increased government pressure on companies to include such an ability, or else to curtail the use of end-to-end encryption in consumer devices entirely.[235]
iii. Department of Defense
On December 1, 2020 the DoD’s Cyber Maturity Model Certification (CMMC) finally came into effect after a rule change was delayed earlier in the year.[236] CMMC now requires that all contractors with the DoD achieve one of five levels of cybersecurity, based on the sensitivity of the contracted-for products and services.[237] Furthermore, CMMC has created a board of certified accreditors who will test all potential DoD contractors to determine their level of cybersecurity.[238] Companies must receive the proper CMMC accreditation before signing future contracts with the DoD. This represents a fundamental shift for the agency, whose cyber policy used to simply require contractors to self-certify compliance with a given standard of security.[239]
iv. Department of Transportation & National Institute of Standards and Technology
On January 8, 2020 the DOT published Ensuring American Leadership in Automated Vehicles 4.0 (AV 4.0) which laid out the federal government’s position towards the development and deployment of autonomous vehicles.[240] The report focused on three key areas: (1) the U.S. Government autonomous vehicle (AV) principles; (2) administration efforts supporting AV technology growth and leadership; and (3) U.S. Government activities and opportunities for collaboration.[241] While the report offered many suggestions for safety, security and privacy, AV 4.0 stopped short of issuing any concrete regulations.[242] However, the Department signaled that more concrete regulations may be on the horizon when it issued an Advance Notice of Proposed Rulemaking on November 23, 2020.[243]
The National Institute of Standards and Technology (NIST) also released two concurrent publications in May that provide guidance on cybersecurity precautions that manufacturers should incorporate into all devices with Internet connectivity[244]—part of the IoT Cybersecurity Improvement Act,[245] as referenced above in Section I.C.2. This guidance will encourage companies to implement appropriate security measures by evaluating the device in connection with its user interactions and other systems that the device may interact with.
5. State Attorneys General and Other State Agencies
As evident from the above discussions, state Attorneys General continued their work in the data privacy and cybersecurity space throughout 2020, often collaborating to bring enforcement actions involving large-scale data breaches, as well as consumer protection actions aimed at regulating the technology industry.
i. State Attorneys General Enforcement Actions
Health Insurance Company. As noted above, in September 2020, a health insurance company agreed to pay $39.5 million to resolve claims brought by the Attorneys General of 42 states and the District of Columbia after a 2015 data breach exposed personal information of nearly 80 million consumers.[246] The Attorneys General alleged the insurance company violated state laws and HIPAA by not encrypting consumers’ personal information.[247] As part of the settlement, the company also agreed to implement a comprehensive security program.[248]
Home Improvement Retailer. A coalition of the Attorneys General of 46 states and the District of Columbia entered into a settlement with a home improvement company in November 2020 over allegations regarding a data breach that compromised the financial information of over 40 million consumers.[249] The Attorneys General claimed that a 2014 data breach allowed hackers to access the payment information of consumers who used the company’s self-checkout lanes throughout the United States.[250] Under the settlement, the company agreed to pay $17.5 million and to implement a comprehensive information security program designed to protect and secure the confidentiality of consumers’ personal information.[251]
Videoconferencing Platform. As discussed in Section I.B.2, in May 2020, the New York Attorney General’s Office entered into a letter agreement with a videoconferencing business that became more popular during the pandemic, settling an investigation into the company’s privacy and data security practices.[252] In March, the New York Attorney General’s Office began investigating the company’s cybersecurity, citing specifically to vulnerabilities that could enable uninvited third parties to interrupt conferences and access consumer webcams.[253] Recognizing the cooperation of the videoconferencing platform in the investigation, the agreement was focused mainly on forward-looking, rather than punitive, remedies, such as requiring the company to implement new security and privacy measures, to establish a comprehensive data security program, and to better encrypt users’ information.[254]
Search Engine Platform and Technology Company. The Arizona Attorney General filed a complaint against a search engine platform and technology company in May 2020, alleging the company’s collection of location data violated the Arizona Consumer Fraud Act.[255] The complaint, filed in Maricopa County Superior Court, specifically alleges that the company continues to collect information regarding users’ location even if users turn off the smartphone operating system’s digital tracking features.[256] Arizona’s Attorney General further alleges that the company misled consumers to believe location tracking was controlled by a single setting, while making other location‑tracking settings difficult for users to locate.[257] The court denied a motion to dismiss the complaint in September 2020.[258]
California Attorney General CCPA Enforcement Letters. Despite protests from industry groups seeking additional time for compliance in light of COVID-19, the office of the California Attorney General, as scheduled, began enforcing the California Consumer Privacy Act (CCPA) starting July 1, 2020. This enforcement has thus far consisted of sending out enforcement letters informing businesses of their current non-compliance with the CCPA. Businesses have 30 days from the receipt of such letters to remedy any alleged violations—and failure to do so can lead to a civil action brought by the Attorney General. To date, these letters do not appear to have targeted a particular industry or sector, though this may change during 2021.
New Massachusetts Data Privacy and Security Division. On August 13, 2020, the Massachusetts Attorney General announced the creation of the Data Privacy and Security Division (DPSD) within the Massachusetts Attorney General’s office. The Division will focus on investigating and enforcing potential violations of the state’s consumer protection and data breach laws.[259]
ii. New York Department of Financial Services
As noted in our 2019 Review, in May 2019, New York’s Department of Financial Services (DFS) announced the creation of a Cybersecurity Division.[260]
On July 21, 2020 the DFS joined the ranks of cybersecurity regulators by announcing charges against an insurer for violations of the DFS’s cybersecurity regulations.[261] According to the DFS’s Statement of Charges and Notice of Hearing, the insurer had an alleged vulnerability in its information system, resulting in the potential exposure of millions of documents containing sensitive personal information.[262] The DFS claims that the insurer knew about the vulnerability but underestimated the level of risk associated with it.[263] The insurer is strongly contesting the charges, noting that only 32 clients may have had their nonpublic information compromised.[264] In any case, this matter should shine some additional light on the expansiveness of DFS’s cybersecurity policies and the extent of its authority.[265]
In October 2020, DFS also issued a report criticizing a social media company for becoming prey to a “simple” hacking technique earlier that summer.[266] Hackers accessed accounts of high‑profile individuals and companies to send out fraudulent messages, resulting in the unlawful attainment of over $118,000 of Bitcoin.[267] DFS urged lawmakers to establish a regulator to “monitor and supervise” mainstream social media platforms, arguing the hack demonstrated the dangerous ability to “weaponize” such platforms.[268]
Lastly, on October 15, 2020, DFS announced plans for its first ever “tech sprint” to develop a set of common standards and an open source technical framework to be adopted by DFS and other regulatory agencies with the goal of speeding up collection of supervisory data needed to monitor financial firms.[269] The multi-day event, set for early 2021, will host teams of fintech (financial technology) professionals, compliance experts and others to respond to the need for more up-to-date information about the health of banks and other financial institutions.[270] DFS said it selected cryptocurrency companies as the starting point, with future events in the series to potentially focus on other types of nonbank financial firms.[271]
II. CIVIL LITIGATION
A. Data Breach Litigation
After 2019 was declared “the worst year on record” for data breaches,[272] breaches and other security lapses continued to occur at a high rate in the past year. As COVID-19 forced many people to work remotely, a survey conducted by a cybersecurity company found that remote work led to security breaches at up to 20% of companies surveyed in 2020.[273] Indeed, some of the world’s largest businesses experienced data breaches in 2020, including technology giants, hospitality and entertainment chains, and health care companies. Various parts of the United States government also recently were found to have suffered a major, months-long data breach.[274] Unsurprisingly, a number of these breaches have spawned class action or shareholder derivative litigation. The past year also saw several major settlements resolving data breach cases from prior years.
1. Class Action and Shareholder Derivative Litigation
Social Networking Platform. A shareholder derivative lawsuit in the U.S. District Court for the Northern District of California, originating from a March 2018 report that a third party wrongfully obtained information about the users of a large social networking platform, remains ongoing, with an amended complaint filed against the social media company on December 17, 2019.[275] In response to the social media company’s renewed motion to dismiss, plaintiffs have argued that their amended complaint now alleges sufficient demand futility based on new information regarding the founder and CEO’s control over the company’s board. The court has yet to rule on the renewed motion to dismiss.[276]
Online Retailer and Technology Company. In April 2020, the U.S. District Court for the Western District of Washington denied a large retailer and technology company’s motion to compel arbitration in a class action discussed in last year’s Review.[277] In this case, plaintiffs allege that the company used voice-enabled devices to build a “massive database of billions of voice recordings” containing private information of children without the consent of the children or their parents. The company has since appealed the ruling.[278]
Videoconferencing Provider. In April 2020, a major videoconferencing provider was sued in a putative class action in the U.S. District Court for the Northern District of California for allegedly having “inadequate data privacy and security measures” and making false assertions that its videoconference service was end-to-end encrypted.[279] While the lawsuit does not allege that the company actually suffered any data breach, it does allege security vulnerabilities and cites security-related investigations into the company by the New York and Connecticut state Attorneys General.[280] The lawsuit also alleges that the company’s executives impermissibly dumped stock prior to stock price declines caused by disclosures relating to the company’s security vulnerabilities.[281] Similar allegations caused the company to reach a settlement with the FTC in November 2020, as well, as discussed in further detail in Section II.D.1.
Two months later, in June 2020, the company, its CFO, and all but one of its nine board members were sued in U.S. District Court for the District of Delaware in a shareholder derivative action.[282] The derivative suit specifically alleges that a number of defendants, including the company’s CEO, breached their fiduciary duties and profited from “lucrative insider sales” made while in possession of material nonpublic information about the company’s alleged security vulnerabilities.[283]
Clinical Laboratory Company. In April 2020, a company that operates a network of clinical laboratories, along with several of its directors and officers, was sued in the Delaware Court of Chancery in a shareholder derivative action alleging breaches of fiduciary duties relating to two data breaches.[284] The suit alleges that the first data breach resulted in the exposure of credit card information, personally identifiable information, and personal health information, while the second breach resulted in the exposure of further personal health information.[285] The suit also alleges insufficient data security measures and practices and conscious disregard or delay in disclosing the breaches.[286]
Search Engine Platform and Technology Company. On August 7, 2020, a proposed class action lawsuit was filed against a search engine platform and technology company for allegedly recording consumers via the company’s connected, voice-activated home devices.[287] The complaint alleges that the company thereby violated the California Invasion of Privacy Act, the California Consumer Privacy Act, as well as the federal Wiretap Act, by recording consumers using sensitive microphones in the company’s devices without user consent.[288] The company has moved to consolidate this claim with other pending litigation on a similar issue.[289]
Cloud Computing Company. In August 2020, a cloud computing company was sued in a putative class action in the U. S. District Court for the District of South Carolina.[290] The suit alleges that “negligent conduct” on the part of the defendant made the personal information of the defendant’s customers vulnerable to hackers.[291] Specifically, the suit alleges that a three‑month ransomware attack, occurring between February and May 2020, exposed the personal information of “students, patients, donors, and other individual users,” and that the defendant did not notify the persons whose data had been exposed until July or August 2020.[292] Although the defendant has asserted that social security, credit card, and bank account numbers were not exposed by the breach, the suit alleges that that the defendant “cannot be assured” such data was not exposed.[293]
Financial Services Company. In November 2020, a financial services company and several of its officers and directors were sued in the U.S. District Court for the District of Delaware in a shareholder derivative action alleging Securities Act violations and breaches of fiduciary duties relating to an alleged security flaw that persisted for years before being exposed in May 2019.[294] The suit alleges that publicly accessible URLs hosted by the company exposed customers’ sensitive personal information, including names, addresses, birth dates, social security numbers, bank account numbers, and more.[295] The suit alleges that the company failed to remedy this vulnerability even after it was exposed by a penetration test conducted in December 2018.[296] The suit also alleges that the company’s CEO profited by selling stock after the vulnerability was detected but before it was publicly exposed.[297]
2. Key Settlements
Technology Company. The U.S. District Court for the Northern District of California approved a $13 million cy pres settlement of claims against a major search engine platform and technology company that allegedly gathered information from unencrypted Wi-Fi networks using its geo‑mapping car fleet.[298] The settlement, which a class member has appealed to the U.S. Court of Appeals for the Ninth Circuit, includes a $10 million grant to data security charities in lieu of a distribution to class members. Although the district court stated the settlement ultimately benefits class members by protecting their interest in internet security through the work of these charities, the objecting class member is arguing that plaintiffs’ counsel breached their duty to class members by negotiating a deal that would provide monetary disbursements to third parties rather than their clients.[299] The Ninth Circuit has yet to rule on the appeal.[300]
Technology Company. In June 2020, the U.S. District Court for the Northern District of California preliminarily approved a $7.5 million class action settlement for claims filed in 2018 relating to data breaches affecting a since-discontinued social media service.[301] The parties agreed to the terms of the settlement in January 2020.[302]
Web Services Company. In July 2020, the U.S. District Court for the Northern District of California approved a $117.5 million class action settlement for claims stemming from data breaches that affected at least 194 million customers between 2012 and 2016.[303] The order approving the settlement is notable due to the detailed analysis evaluating the reasonableness of the settlement, in which the court compared the settlement to another large data breach settlement approved in 2018.[304] The Court used a number of factors, including the per capita recovery and other remedies under the settlement, the multiplicity of the breaches, the time period over which the breaches occurred, the companies’ denials regarding the breaches, the companies’ promptness in notifying users of the breaches, the sensitivity of the exposed data, and more.[305] These factors may be applied in future data breach cases to determine the reasonableness of settlement terms.
B. Computer Fraud and Abuse Act (CFAA) Litigation
The scope of the Computer Fraud and Abuse Act (CFAA) has divided the federal circuit courts, but some clarity may be on the horizon. The CFAA provides for criminal penalties and private civil remedies against anyone who accesses a computer “without authorization” or who “exceeds” their “authorized access” to such a computer.[306] Circuit courts are divided over whether a person who is authorized to access information on a computer for certain purposes “exceeds authorized access” in violation of the CFAA by accessing the same information, but for other, unauthorized purposes. The First, Fifth, Seventh, and Eleventh Circuits have held that the CFAA imposes liability in such circumstances.[307] By contrast, the Second, Fourth, Sixth, and Ninth Circuits have held that the CFAA does not reach such conduct.[308]
On April 20, 2020, the U.S. Supreme Court agreed to hear Van Buren v. United States, which may resolve this circuit split.[309] In Van Buren, the Eleventh Circuit upheld the CFAA conviction of a Georgia police officer who was paid by an informant to look up license-plate information in a database that could only be used for law-enforcement purposes.[310] The Court agreed to consider whether the officer violated the CFAA when he used that database for an unauthorized purpose.[311] At oral argument in November, the officer’s attorney and the government sparred over whether upholding the conviction would create an interpretation of the CFAA that would criminalize common activities, such as employees accessing social media websites while at work. Indeed, Justice Gorsuch warned that a broad interpretation of the CFAA could end up “making a federal criminal of us all” and Justice Sotomayor worried that the CFAA is “dangerously vague.”[312] A decision is expected later in 2021.
Although Van Buren is a criminal case, its outcome will have implications for civil CFAA cases as well, particularly those involving the collection of information from publicly available websites. In fact, the petitioner in LinkedIn v. hiQ Labs, Inc. has urged the Supreme Court to grant its petition for certiorari to address whether other companies may use automated software to “scrape” or harvest large amounts of data from public websites such as the appellant’s professional social networking website.[313] The Ninth Circuit held that such automated mass data collection is not a CFAA violation where the information can be collected without circumventing a login or other authorization procedure.[314] The appellant, however, argues that this “scraping” is a CFAA violation because the social networking website denied authorization to data harvesters by sending a cease-and-desist letter and by employing technical measures to thwart such scraping.[315] The Court has not yet acted on the petition.
More targeted efforts at collecting data from public-facing websites have also raised CFAA concerns. One such effort is at issue in Sandvig v. Barr.[316] In that case, a group of researchers brought a pre-enforcement challenge in U.S. District Court for the District of Columbia, alleging that the CFAA violated the First Amendment as applied to the researchers’ intended conduct of intentionally violating employment websites’ terms of service in order to research whether such websites engage in race- or gender-based discrimination. The researchers intended to use fake candidate profiles (a terms of service violation) to test various publicly accessible websites for employment discrimination. The researchers alleged that the CFAA would criminalize such conduct, and thereby violate their First Amendment rights. The trial court concluded that the researchers would risk CFAA liability only if they planned to bypass the websites’ authentication mechanisms, such as a requirement to enter a password. Because the planned conduct would not have bypassed such login procedures, the court found the researches would not have violated the CFAA. The court reasoned that “[c]riminalizing terms-of-service violations risks turning each website into its own criminal jurisdiction and each webmaster into his own legislature.”[317] The court concluded that, in light of this holding, the researchers’ First Amendment claims were moot. The researchers have appealed the decision, which is currently pending in the D.C. Circuit.[318]
C. Telephone Consumer Protection Act (TCPA) Litigation
The past year also brought several significant actions and noteworthy developments related to civil litigation under the Telephone Consumer Protection Act (TCPA).
First, at the start of the year, the Eleventh Circuit joined the Third and D.C. Circuits in adopting a narrow reading of what constitutes an automatic telephone dialing system (ATDS) under the TCPA.[319] The court determined that the TCPA’s phrase “using a random or sequential number generator” modifies both the “stor[age]” and “produc[tion]” of numbers.[320] As such, the court found that the TCPA only covers devices that both “store numbers using a random or sequential number generator, or produce such numbers using a random or sequential number generator and dial them.”[321] Shortly thereafter, the Seventh Circuit denied a petition for rehearing in a case on this issue, joining the Third, D.C., and Eleventh Circuits in adopting a narrow reading of what amounts to an ATDS under the TCPA.[322]
These rulings deepened the circuit split created by the Ninth Circuit’s September 2018 decision in Marks v. Crunch San Diego, LLC, which interpreted the TCPA’s definition of an ATDS broadly to apply to any equipment with the capacity to store and automatically dial numbers, even if the device cannot itself store or produce the numbers using a random or sequential number generator.[323] In April, the Second Circuit became the first federal appellate court to join the Ninth Circuit in adopting this broad interpretation of autodialers under the TCPA.[324] The Sixth Circuit followed suit a few months later, applying a broad interpretation of ATDS in its decision in Allan v. Pennsylvania Higher Education Assistance Agency.[325]
With the scope of the TCPA’s definition of ATDS continuing to divide the circuit Courts of Appeal, on July 9, 2020, the Supreme Court granted certiorari in Facebook v. Duguid, responding to the social media company’s petition filed in late 2019.[326] The case is expected to provide some much-needed clarity as to what constitutes an ATDS under the TCPA. In September, the federal government filed an amicus brief in support of the social media company and joined the company in urging the Supreme Court to reject the Ninth Circuit’s broad view of devices subject to the TCPA’s autodialer restrictions.[327] The Court heard arguments in early December and is expected to reach a decision by the spring of 2021.[328] Whichever side the Court comes out on, the decision will have drastic implications for TCPA liability. But in any case, the decision is likely to provide businesses currently subject to divergent TCPA standards throughout the country with more concrete direction.
In addition to agreeing to hear Facebook v. Duguid, the Supreme Court addressed another aspect of the TCPA in Barr v. American Association of Political Consultants, Inc.[329] The Court there upheld the TCPA’s sweeping ban on autodialed calls to cell phones, but struck down an exception for calls made to collect federally backed debts, reaching this result on First Amendment grounds.[330] Between a plurality opinion and various concurrences, six justices found that the TCPA’s robocall restrictions and the government-debt exception amounted to content-based speech restrictions that were impermissible under the First Amendment.[331] In this view, the TCPA’s robocall restriction was content-based because it favored speech made for purposes of collecting government debt over speech made for political or other important purposes.[332] Justice Sotomayor, acting as the sixth vote to strike down the government exception, agreed that the exception violated the First Amendment, but found that the appropriate standard was intermediate scrutiny, rather than strict scrutiny.[333] With six justices finding the government-debt exception for robocalls unconstitutional, the Court then considered whether to invalidate the TCPA’s robocall restriction in its entirety, or to instead sever the government-debt exception while upholding the remainder of the restriction. Applying “traditional severability principles,” the Court decided to uphold the TCPA’s sweeping ban on robocalls while invalidating and severing the government-debt exception from the remainder of the statute.[334] Given the varied rationales among the Court’s plurality and concurring opinions, however, the case’s broader First Amendment ramifications remain to be seen.
D. California Consumer Privacy Act (CCPA) Litigation
1. Broadening the Scope of a “Data Breach”
Since the California Consumer Privacy Act (CCPA) went into effect on January 1, 2020, various consumers have filed suits seeking relief for CCPA violations. In particular, the CCPA includes a private right of action in the context of a data breach, allowing consumers, both individually and as a class, to initiate a civil suit when their personal information is subject to an “unauthorized access and exfiltration, theft, or disclosure as a result of the business’[s] violation of the duty to implement and maintain reasonable security procedures and practices.”[335] Despite the limited basis for a private right of action under the CCPA, litigants have attempted to enlarge its scope by including CCPA-based claims in such data privacy actions.
Videoconferencing Company. On March 30, 2020, a class action was filed in the federal district court for the Northern District of California against a videoconferencing company.[336] In their original complaint, plaintiffs alleged that the defendant unlawfully shared user data with a social media partner in violation of the CCPA.[337] This case, however, does not allege a conventional data breach claim. Instead, the plaintiffs claimed that the voluntary data sharing arrangement between these companies itself constituted a breach.[338] Interestingly, in a recent filing, the plaintiffs dropped this CCPA claim as a distinct cause of action, instead simply asserting the alleged violation in passing.[339] A motion to dismiss has been filed and is currently pending.[340]
Retailers and Loss Prevention Service Provider. On July 7, 2020, a similar class action was filed in the federal district court for the Central District of California against several retail companies and a loss prevention service provider.[341] The plaintiffs’ allegations are based on the defendants’ voluntary sharing of consumer information with a third-party loss prevention service provider.[342] The plaintiffs alleged that the retailers’ sharing of information in an “unsecured, unrestricted manner” to create consumer reports and to generate a risk score which was shared with other defendants resulted in a widespread and unauthorized dissemination of personal information.[343] According to the amended complaint, the plaintiffs claim that the defendants violated the CCPA by: (1) collecting and using personal information without providing consumers with notice; (2) failing to inform users of personal information collected about them and the third parties with whom that information was shared; and (3) failing to prevent non‑encrypted and non-redacted personal information from unauthorized disclosure as a result of the defendants’ failure to implement and maintain reasonable security procedures and practices.[344] Notably, the first two violations are not subject to the CCPA’s private right of action, which is a trend in CCPA litigation that we cover in further detail below. Many of the retailers have now sought to compel arbitration and dismiss the claims.[345]
2. Expanding the Definition of “Personal Information”
The CCPA establishes a limited private right of action for when a consumer’s “nonencrypted and nonredacted personal information” is “subject to an unauthorized access and exfiltration, theft, or disclosure as a result of the business’s violation of the duty to implement and maintain reasonable security procedures.”[346] However, the CCPA’s definition of “personal information” for this private right of action is narrower than the definition of “personal information” for the rest of the CCPA, including only: (1) Social Security number; (2) driver’s license number or California identification card number; (3) account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account; (4) medical information; or (5) health insurance information.[347] Recently, consumers have attempted to expand the types of information that would be actionable under the CCPA in the case of a data breach. Below, we highlight a salient example:
Software Company. On July 21, 2020, a class action was filed against a software company in the federal district court for the Central District of California.[348] The plaintiffs claimed that sensitive student information was unlawfully accessed after the defendant failed to maintain appropriate data safeguards in accordance with the CCPA.[349] The defendant filed a motion to dismiss, arguing that the plaintiffs’ allegations rely on a definition of “personal information” that was beyond the scope of the statute.[350] Specifically, the defendant argued that the CCPA does not protect student information like the “parent name, student name, student ID (School), physical resident address, email address, and password hashes” that were accessed in the case.[351] The court has not yet ruled on the motion to dismiss, and proceedings are currently stayed pending settlement discussions.[352]
3. Litigating Notice and Opt-Out Provisions
The CCPA’s larger regulatory scheme notably protects a consumer’s right to be notified about a business’s collection, use, sharing, or sale of their personal information, and to opt out of having such information sold to third parties.[353] While the California Attorney General is presently tasked with enforcing these broader provisions, consumers are limited to bringing actions for data breach-related claims under Section 1798.150.[354] The text of the CCPA explicitly prohibits private suits involving other provisions of the statute.[355] Nevertheless, litigants have still attempted to enforce the statute’s notice and opt-out provisions through private actions.
Videochat Application. On April 17, 2020, a class action was filed in the federal district court for the Southern District of California against the owners of a videochat application.[356] The plaintiffs claimed that the defendants failed to provide adequate notice of the application’s data collection activities and did not give consumers the opportunity to opt out of the sale of their personal information, including opt outs through the required “Do Not Sell My Personal Information” link.[357] The plaintiffs pursued a CCPA violation claim based on the alleged failure to provide notice, even though the CCPA does not provide for a private right of action for these types of claims. On August 4, 2020, the court granted the defendants’ motion to compel arbitration.[358]
Social Networking Platform. On May 20, 2020, a similar class action was filed against a social networking platform in the federal district court for the Central District of California.[359] The plaintiffs alleged that the platform’s facial recognition technology scanned videos, extracted biometric information, and stored data without notifying users.[360] The plaintiffs argued that the platform violated the CCPA by failing to provide notice and the opportunity to opt out of its third-party disclosure, as well as by collecting, retaining, and using customers’ biometric information without notice.[361] The complaint did not address the issue of whether these claims could be litigated in light of the statute’s restrictions on suits by private litigants. The case has since been consolidated and transferred to the federal district court for the Northern District of Illinois.[362]
4. CCPA Violations under the UCL
California’s Unfair Competition Law (UCL) creates a private right of action for consumers to enjoin and seek restitution for a business act or practice that is “unlawful,” “unfair,” or “fraudulent.”[363] Violations of other statutes can serve as a predicate for a UCL claim. However, the text and legislative history of the CCPA establish that consumers are prohibited from using CCPA violations as the basis for a cause of action under a separate statute, which seems to clearly preclude using the CCPA as the basis for liability under the UCL.[364] Nevertheless, consumers are testing the limits of this restriction.
Facial Recognition Technology Company. On February 27, 2020, a class action was filed against a technology company in the federal district court for the Southern District of California. The plaintiffs claimed that the defendant scraped and sold biometric information without adequate notice to consumers.[365] The plaintiffs therefore alleged that the defendant violated the UCL by failing to provide the appropriate notice under the CCPA.[366] On December 15, 2020, the United States Judicial Panel on Multidistrict Litigation consolidated and transferred the case to the federal district court for the Northern District of Illinois.[367]
Online Marketplace. On June 11, 2020, a class action was filed in the federal district court for the Northern District of California against an online marketplace for artists.[368] The plaintiffs alleged that the defendant’s insufficient security procedures breached its duty of care and allowed hackers to access consumer information in violation of the CCPA.[369] The plaintiffs also brought a separate UCL claim predicated on the defendant’s alleged unlawful conduct.[370] The parties are currently in arbitration-related discovery.[371]
E. Illinois Biometric Information Privacy Act (BIPA) Litigation
2020 was yet another active year for litigation under the Illinois Biometric Information Privacy Act (BIPA), which creates a private right of action against entities that fail to comply with the statute’s requirements for collection and storage of biometric data.[372] Courts examined a variety of issues in BIPA cases, including standing and preemption by other state statutes. The COVID-19 pandemic also introduced new types of BIPA litigation associated with health screenings and remote work. Courts have yet to decide on BIPA’s extraterritorial application and statute of limitations, the resolution of which could impact the viability of a number of BIPA cases.
Standing in Federal Court. As set out in last year’s Review, there has been a flood of class actions against large corporations following the Illinois Supreme Court’s decision in Rosenbach v. Six Flags, which conferred standing on plaintiffs who allege BIPA violations even without pleading an actual injury.[373] In 2020, the Seventh Circuit took a similar position in Bryant v. Compass Group USA, Inc., holding that a procedural violation of section 15(b) of BIPA is sufficient to constitute an injury for Article III standing.[374] Subsequently, in Fox v. Dakkota Integrated Systems, the Seventh Circuit held that federal courts can also hear claims under section 15(a) of BIPA when plaintiffs allege a “concrete and particularized harm,” such as an invasion of the privacy interest in biometric data.[375]
BIPA Settlements. The trend of sizeable settlements that we noted in last year’s Review has persisted throughout 2020, including a BIPA class action suit involving a large social media company that settled for $650 million in August 2020.[376] Given the law’s mandatory statutory penalties of $1,000 per negligent violation or $5,000 per intentional or reckless violation, even this settlement may represent only a small percentage of the possible statutory damages.[377] The decisions affirming plaintiffs’ standing to bring BIPA suits in at least some federal courts[378] and the large settlements at issue, indicate we will likely continue to see significant BIPA litigation in 2021.
Compelling Arbitration in Employment-Related BIPA Lawsuits. Lawsuits against employers that collect employees’ biometric data for timekeeping purposes continue to represent a significant portion of BIPA cases in state and federal courts.[379] In last year’s Review, we reported that some plaintiff-employees had successfully used BIPA to avoid being compelled into arbitration.[380] Although some plaintiffs achieved similar results in 2020,[381] other plaintiffs were indeed compelled into arbitration based on the courts’ analysis of the arbitration agreements at issue.[382]
BIPA Preemption by State Laws. Another 2020 development in employee-related BIPA litigation was an Illinois court decision holding that employees may pursue BIPA claims without preemption by the Illinois Workers’ Compensation Act, which is generally read to be an exclusive remedy for workplace injuries.[383] At the same time, however, courts continue to hold that BIPA is preempted by the Labor Management Relations Act[384] and Railway Labor Act.[385]
Extraterritorial Application of BIPA. On this point, in 2020 some employees attempted to bring BIPA claims not only against in-state employers but also against third-party operators of workplace systems that collect biometric data, even if not based in Illinois.[386] These and other suits against out-of-state companies have implicated questions about the extraterritorial scope of BIPA. In a recent case involving an insurer, the Illinois Supreme Court held that a statute can be applied extraterritorially even without “clear intent” in its statutory language if “the circumstances that relate to the disputed transaction occur primarily and substantially in Illinois.”[387] But the extent to which, under this holding, events must take place in Illinois for BIPA to apply to out‑of‑state entities remains an open question.
COVID-19-Related BIPA Litigation. The COVID-19 pandemic has also created additional BIPA litigation. Employees have alleged that certain COVID-19 safety protocols imposed by employers collect biometric information in violation of BIPA.[388] Parents have also brought lawsuits on behalf of their children using educational platforms for remote learning that allegedly collect and store biometric data in violation of BIPA.[389] We anticipate that more COVID‑19‑related BIPA litigation is likely to take place as workplaces and educational institutions impose screening measures on workers and students for identification remotely.
Statute of Limitations. The statute of limitations for BIPA remains unsettled, as the law contains no express provision establishing a statute of limitations. While a few state and federal courts have found that there is a five-year statute of limitations period for BIPA,[390] this question is currently pending in the Illinois First Appellate District in Tims v. Black Horse Carriers, Inc.[391] The Tims decision could have a substantial impact on the viability of future BIPA lawsuits, particularly if the court rules in favor of the defendants and holds that BIPA’s statute of limitations period is only one year.
F. Other Notable Cases
In addition to the cases described above, 2020 has seen important updates on cases previously reported in last year’s Review, as well as new matters concerning children’s privacy and remote learning, connected vehicles and devices, and new legal questions in the fintech space.
Technology Company – Location History. A technology company has been accused of withholding relevant information in connection with the proposed class action alleging the company illegally tracked and stored users’ location data.[392] The plaintiffs have moved to lift the stay on discovery requested by the technology company after they filed an amended complaint based on evidence surfaced by contemporaneous litigation brought by the Arizona Attorney General’s Office.[393] The court has yet to rule on the motion.[394]
Technology Company – Medical Records. In September, U.S. District Court for the Northern District of Illinois granted the motion to dismiss all claims in a suit concerning the release of depersonalized medical information by a university to a technology company as part of a research partnership.[395] The proposed class action had alleged that the technology company and the university engaged in deceptive business practices for turning over medical information on all patients who were treated at the university’s medical center from 2009 through 2016.[396] The court found that the plaintiff had not sufficiently alleged any harm as a result of this practice, and thus dismissed all claims. The plaintiff stated plans to appeal this decision.[397]
Connected Vehicles and Devices and the Internet of Things. Likewise, in March 2020, the U.S. District Court for the Southern District of Illinois dismissed a case against an automobile manufacturer alleging that defects in vehicle infotainment systems had left them vulnerable to hacking.[398] The court reasoned that the threat of future harm from such potential hacking did not constitute a sufficiently cognizable injury to give standing to the plaintiffs, who alleged that the vulnerabilities substantially undermined the value of the vehicles compared to what they had paid.[399] The plaintiffs have since appealed the decision to the United States Court of Appeals for the Seventh Circuit, arguing that the lower court did not properly consider the evidence of the vulnerabilities and the valuation decrease as a result.[400]
The Wiretap Act and Technology Companies. Additional connected-devices cases continue to work their way through the federal courts, raising both state and federal claims.[401] A case in the U.S. District Court for the District of New Jersey against electronics companies for harvesting data from “smart TVs,” which partially survived a motion to dismiss in 2019, has again survived dismissal of the amended complaint alleging federal Wiretap Act violations.[402] In its second order, the court restated its previous conclusion that the electronics companies do not constitute “parties” to the communications at issue (which could have exempted them from liability); rather, the court found them analogous to smartphone companies, entities that have been held to be “hosts,” not participants, and thus subject to the Wiretap Act.[403] The court also rejected an interlocutory appeal, finding that there were still factual issues to be resolved.[404] The electronics companies have now moved for a separation of the claims, arguing that moving forward in discovery as joint defendants with a rival company would materially harm their business interests.[405] The companies have also filed a motion to compel individual arbitration and strike the class claims. The court granted a motion to sever the claims, but has yet to rule on whether to compel arbitration.[406]
COPPA and Child Privacy Cases. Virtual learning and a renewed focus on children’s privacy during the pandemic have resulted in a new wave of litigation related to the collection of data from children, including under the Children’s Online Privacy Protection Rule promulgated under COPPA.[407] The State of New Mexico brought claims in federal court against a major technology company for collecting data from children using its free classroom services and computers provided to underserved communities for online learning.[408] The lawsuit alleged that the company used these free services to track the online activities of students without proper notice to or consent from the students or their parents.[409] Although the case was dismissed for insufficiently alleging a violation of COPPA because of disclosures on the company’s website about the services and data collection practices, the New Mexico Attorney General has appealed the dismissal, the resolution of which is still pending.[410]
The privacy of minors in online and mobile device gaming has also continued to make headlines. As we covered in last year’s Review, a class action against gaming and app creation companies in California survived a critical motion to dismiss in 2019.[411] The plaintiffs brought a proposed class action against these companies for allegedly selling information gathered from games aimed at children and adolescents without parental consent.[412] On August 5, 2020, the parties agreed to settle out of court. The proposed settlements do not include any monetary award for class members, but would limit the companies’ ability to collect information from children using their apps.[413] More recently, the FTC filed a complaint against a popular gaming app developer, alleging the company allowed third-party ad networks to collect information by tracking user behavior from child-directed apps without proper notice to or consent from the parents.[414] The action is pending in federal court.
Similarly, a video streaming company settled a case with the New York Attorney General and the FTC involving allegations of COPPA violations for tracking and targeting advertisements to users watching videos directed at children under 13 for a record $170 million.[415] Although this case has been settled, similar allegations have been raised in the UK in a suit alleging damages of over $2 billion.[416]
Fintech Litigation. Financial technology (fintech) companies have also increasingly become the target of privacy concerns for their collection of both personal banking data and transaction‑level data from users. On August 25, 2020, users of a fintech service brought a proposed class action in the U.S. District Court for the Northern District of California against a fintech company, alleging that the company mishandles sensitive user information. The plaintiffs claim that the company, which provides budgeting tools, savings trackers, account history information and account verification, invades the privacy of users by collecting transaction‑level data without the knowledge or consent of its users, and puts that sensitive information at risk by sending these consumer files to third-party buyers in an easily hackable format.[417] On November 4, 2020, the company filed a motion to dismiss the proposed class action suit for failure to state a claim, arguing that the company collects and sells the consumer data only after it has been anonymized and aggregated with the anonymized data of other consumers; therefore, consumers can have no reasonable expectation of privacy in it.[418] The court has yet to rule on this motion.[419]
On May 4, 2020, another fintech company whose product is utilized by banking and financial apps was accused of accessing, using, and selling app customers’ personal banking data without their consent, according to a proposed class action (also filed in the Northern District of California).[420] The parties are awaiting a decision on the company’s motion to dismiss.
III. GOVERNMENT DATA COLLECTION
A. Collection of Cell Phone Data
In 2020, a number of cases addressed the issue of individuals’ privacy rights with respect to digital data stored on cell phones and similar personal electronic devices. Several court decisions strengthened the government’s ability to collect and search data without warrants through the Fourth Amendment’s “third-party” doctrine, under which a person generally “has no legitimate expectation of privacy in information he voluntarily turns over to third parties.”[421] However, courts have reached divergent conclusions regarding the government’s ability to collect digital data under the Foreign Intelligence Surveillance Act (FISA).
Cases Regarding the Collection of Personal Data. In June 2020, the U.S. Court of Appeals for the Fifth Circuit held that an individual does not have a Fourth Amendment privacy interest in the records of their Bitcoin transactions.[422] The court declined to extend the limitation of the third-party doctrine as it applies to cell phones to either Bitcoin’s public blockchain or to records from a virtual currency exchange.[423] The court analogized Bitcoin blockchain and the virtual currency exchange’s records to bank records and telephone call logs because: (1) they contain limited information; and (2) transferring and receiving Bitcoin requires an affirmative act, which is more akin to voluntarily placing a call than an unknowing collection of cell phone location data.[424] The court also noted that Bitcoin users are unlikely to expect that the Bitcoin transaction data will be kept private since every transaction is recorded in a publicly available blockchain.[425]
In United States v. Carme, a Barnstable police detective used BitTorrent-deciphering software to download 192 public files, which helped generate evidence against a criminal defendant.[426] When this tactic was challenged on Fourth Amendment grounds, the district court for the District of Massachusetts declined to expand privacy protections to file‑sharing software that makes it harder for third parties to view the entirety of a file (unlike traditional peer-to-peer file‑sharing, which makes such viewing easier).[427] In reaching this result, the court stressed that there is no reasonable expectation of privacy when a matter is voluntarily disclosed or entrusted to third parties, even if the particular file-sharing software gave the illusion of additional privacy by fragmenting the contents of shared files.[428]
In United States v. Trader, the Eleventh Circuit Court of Appeals similarly found that the government’s warrantless collection of a criminal suspect’s email address and internet protocol addresses from a third party’s business records was constitutional and did not violate the Fourth Amendment.[429] The Trader court emphasized that a business record that might incidentally reveal location information, such as an email address or internet protocol address, falls outside the narrow exception to the third-party doctrine as it applies to cell phone location records.[430]
Data Collection Pursuant to a FISA Order. In another notable development, this past year saw the federal courts further divide on when and under what conditions the government’s data collection under FISA might violate the Fourth Amendment.
On September 2, 2020, the Ninth Circuit ruled that the National Security Agency (NSA) violated Section 1861 of FISA by collecting phone records in bulk without showing their relevance to any specific, authorized, and existing investigation before collection.[431] The NSA collected from major telecommunication providers call records or telephony metadata for communications: (1) between the United States and abroad; and (2) wholly within the United States, including the defendant’s local phone calls.[432] These records included information such as the phone numbers involved in a call and the time and duration of the call, but not the voice content of any call.[433] The Ninth Circuit distinguished the data at issue from Smith v. Maryland,[434] a Supreme Court case that involved the government installing a “pen register,” a device that records numbers dialed from a phone.[435] Instead, analogizing the data at issue in this case to the cell phone location information in Carpenter v. United States,[436] the court found that an individual’s telephony metadata collected on a continuing basis is akin to 24-hour surveillance.[437] The Ninth Circuit did not, however, reach an ultimate conclusion on whether the government’s metadata collection program was therefore prohibited by the Fourth Amendment.
In a December 2019 decision, however, the U.S. Court of Appeals for the Second Circuit reached a contrasting result when applying the Fourth Amendment to email collection under FISA.[438] The court in that case, United States v. Hasbajrami, found the “incidental collection” of communications—the collection of the communications of individuals in the United States acquired in the course of the surveillance of individuals without ties to the United States and located abroad—was permissible under the Fourth Amendment.[439] The court noted that surveillance in Hasbajrami was permissible under Section 702 of FISA, and that the government does not have to return to the FISA court to seek approval before it undertakes surveillance of any specific individual.[440]
FISA Authorities Lapsed. As mentioned briefly above, in March 2020, three FISA authorities lapsed[441]: (1) Section 215 of the USA Patriot Act, also known as the “business records” provision;[442] (2) the “lone wolf” authority;[443] and (3) the “roving wiretap” authority.[444] Each has, in the past, been a prominent law enforcement tool. Under Section 215, the NSA can petition the Foreign Intelligence Surveillance Court (FISC) to order the production of business records and other tangible things relevant to specific investigations.[445] The lone wolf authority allows the FBI to surveil a non‑U.S. citizen who is suspected of planning a terrorist attack but cannot be linked to a foreign terrorist organization.[446] Finally, the roving wiretap authority enables the FBI to continue the wiretap of a criminal suspect, even if the suspect switches phones.[447] It is meant for individuals using burner phones or alternating between several devices.[448] To date, as set out at Section I.C.2., these sources of authority have not been reauthorized, setting the stage for further legislative action in 2021.
B. Extraterritorial Warrants and Data Transfers
In 2018, Congress passed the Clarifying Lawful Overseas Use of Data Act (CLOUD Act).[449] A year later, the United Kingdom passed a similar law called the Crime (Overseas Production Orders) Act 2019.[450] Based on these mirroring statutes, the United States and the United Kingdom entered into the first-ever CLOUD Act bilateral pact: the US-UK Bilateral Data Access Agreement, known as “DICA” in 2019.[451] The Agreement came into force on July 8, 2020.[452]
While the United States had engaged in negotiations with Australia[453] and the European Union[454] to implement similar bilateral pacts in 2019, no agreement has been finalized. Nevertheless, Australia took several steps in 2020 suggesting an agreement may be close. In spring 2020, the Australian government introduced legislation that would provide the legal basis, where a designated international agreement is in place, for sending data requests directly to foreign providers, explicitly noting that “[t]he Bill provides the legislative framework for Australia to give effect to future bilateral and multilateral agreements for cross-border access to electronic information and communications data.”[455] The Australian Parliamentary Joint Committee on Intelligence and Security also issued a call for public comments concerning the legislation.[456] Many businesses and organizations responded with comments reflecting broader critiques of the CLOUD Act—such as the Australian Privacy Foundation’s statement that the bill is “deeply flawed.”[457] That said, although no additional CLOUD Act formal agreements were made in 2020, additional bilateral agreements may still be finalized in 2021.
There may be, however, a significant complicating factor for any EU-US bilateral agreement. On July 16, 2020, the Court of Justice of the European Union (CJEU) struck down the U.S.-EU Privacy Shield as legally invalid (Schrems II).[458] CJEU noted that, under the EU’s General Data Protection Regulation (GDPR), a transfer of personal data out of the EU may take place only if the third country ensures an adequate level of data protection. Maximilian Schrems, a resident of Austria, lodged a series of complaints with the Irish supervisory authority, the Data Protection Commission (DPC), seeking to prohibit the transfer of his personal data from the European subsidiary of a social media company to its parent corporation in the U.S.[459] In deciding Schrems’s case, CJEU found that limitations on the protection of personal data in the U.S. meant that country’s domestic law failed to meet EU requirements. Specifically, CJEU found that: (1) U.S. law does not adequately limit the personal data that U.S. public authorities may access and use through surveillance programs; and (2) the relevant provisions in U.S. law do not grant data subjects actionable rights before the courts as against U.S. governmental authorities.[460]
On August 10, 2020, the U.S. Department of Commerce and the European Commission announced, in response to the Schrems II decision, that they had initiated discussions to evaluate the potential for an enhanced U.S.-EU Privacy Shield framework to comply with the CJEU’s Schrems II ruling.[461] That same month, a European privacy group filed a lawsuit against over 100 websites, alleging the sites were still sending data to the United States in violation of the CJEU’s decision.[462]
C. Other Notable Developments
1. Police Use of Facial Recognition Software
Facial recognition software (FRS) gained publicity in 2020 not only for its potential use in controlling the spread of COVID-19,[463] but also for its widespread adoption by federal and local law enforcement. The technology’s accuracy has been called into question by an MIT study, which found that FRS results in a disproportionate number of misidentifications, particularly for individuals of color.[464] Tensions heightened after media reports revealed that several law enforcement agencies had contracted with an FRS company that had scraped over three billion images from publicly available social media websites without consent.[465] These reports gave rise to greater scrutiny, including a March 2020 action brought by the Vermont Attorney General[466] and a May 2020 action by the ACLU alleging violations of Illinois’s Biometric Information Privacy Act (BIPA).[467]
Cities and local governments have begun responding to this backlash. For example, the New York Police Department (NYPD) published protocols limiting its own use of facial recognition.[468] This updated policy requires that facial recognition technology only be used for legitimate law enforcement purposes, and that a facial recognition match may serve as a lead but does not constitute probable cause for an arrest.[469] Similarly, the Los Angeles Police Department (LAPD) has barred officers and detectives from using third-party facial recognition platforms in their investigations.[470] And as discussed at Section I.C.1., various municipalities have either banned or significantly curtailed the use of FRS.
2. Government Use of Aerial Surveillance
In a further development at the intersection of privacy and law enforcement, in recent years the Baltimore Police Department (BPD) launched its controversial “Aerial Investigation Research,” or “AIR,” program. Three aircraft equipped with high-definition cameras now fly above Baltimore for 12 hours each day to identify specific individuals who are suspected of committing or witnessing serious crimes, as well as those who crossed their paths before and after the crimes took place.[471] On April 9, 2020, community activists and city residents brought a 42 U.S.C. § 1983 action against the BPD, alleging this aerial surveillance violated their First Amendment associational rights and Fourth Amendment protection against unreasonable searches.[472] The district court denied the plaintiffs’ request for a preliminary injunction against the BPD program, likening it to conventional surveillance techniques the Supreme Court found to be permissible in Carpenter v. United States.[473]
On appeal, a panel of the Fourth Circuit upheld the program as constitutional, in part because the AIR cameras do not photograph a person’s features, but rather reduce each individual on the ground to a pixelated dot.[474] The court also noted that BPD officers can only access these photographs if specific violent crimes are reported in a particular location, and cannot identify someone photographed by AIR without relying on ground-based cameras.[475] The court also held the program does not violate a reasonable expectation of privacy because an individual has a limited expectation of privacy in public, and AIR only constitutes short-term surveillance of an individual’s public movements.[476] Finally, the court found that the program does not violate First Amendment rights to freely associate because individuals would not likely be deterred from associating simply to avoid showing up as dots in surveillance photographs.[477] However, an en banc rehearing request was granted by the full Fourth Circuit in December 2020, leaving the question far from settled.
3. Scooter Companies Required to Share Real-Time Location Data
Also this past year, the Los Angeles Department of Transportation (LADOT) renewed its One Year Dockless Mobility permit program for the operation of scooter ride-sharing businesses in Los Angeles. The program offers businesses a permit is contingent on such businesses sharing real-time location data with the city.[478] In March, the scooter ride-sharing subsidiary of a large ride-sharing business sued the LADOT over this data-sharing requirement, arguing that in practice, the rule operates as a warrantless administrative search. On this point, the scooter ride‑sharing subsidy claimed that LADOT or others can use the time-stamped geolocation data to identify individual users’ travel patterns.[479] The case was voluntarily dismissed without prejudice by the scooter-riding subsidiary on June 15, 2020 after that entity was acquired by a different scooter ride-sharing company.[480] In June, however, the ACLU filed a complaint on behalf of the scooter ride‑share users raising similar privacy arguments.[481] Of note, the LADOT’s scooter requirements underscore a limit in CCPA protections: because the location data is provided to the government and not for a commercial purpose, that law would not apply.
IV. CONCLUSION
2020 was, in every sense of the word, unprecedented. U.S. privacy and cybersecurity law and policy have been forced to evolve at a breakneck pace, both to face long-standing risks (like sophisticated, state-sponsored cybercriminals) and once-in-a-generation challenges (like a worldwide pandemic). These changes will reverberate throughout 2021 and beyond, shaping how companies, governments, and the general public use, protect, and regulate data. In the year ahead, we will continue to track these important issues.
____________________
[1] See Gretchen Ramos and Darren Abernathy, Additional U.S. States Advance the State Privacy Legislation Trend in 2020, National Law Review (Dec. 15, 2020), available at https://www.natlawreview.com/article/additional-us-states-advance-state-privacy-legislation-trend-2020.
[2] 2020 Democratic Party Platform (Aug. 18, 2020), available at https://www.demconvention.com/wp-content/uploads/2020/08/2020-07-31-Democratic-Party-Platform-For-Distribution.pdf.
[4] Press Release, Department of Justice, The Justice Department Unveils Proposed Section 230 Legislation (Sept. 23, 2020), available at https://www.justice.gov/opa/pr/justice-department-unveils-proposed-section-230-legislation; Department of Justice’s Review of Section 230 of the Communications Decency Act of 1996, available at https://www.justice.gov/ag/department-justice-s-review-section-230-communications-decency-act-1996.
[5] Press Release, State of California Department of Justice, Attorney General Kamala D. Harris Announces Privacy Enforcement and Protection Unit (July 19, 2012), available at https://oag.ca.gov/news/press-releases/attorney-general-kamala-d-harris-announces-privacy-enforcement-and-protection.
[6] See Reuters Staff, U.S. FTC chair says he will resign along with senior staff, Reuters (Jan. 19, 2021), available at https://www.reuters.com/article/us-ftc-simons/us-ftc-chair-says-he-will-resign-along-with-senior-staff-idUSKBN29O1XB.
[7] Michelle Price, Biden appoints U.S. consumer watchdog veteran as acting director after Trump appointee resigns, Reuters (Jan. 21, 2021), available at https://www.reuters.com/article/us-usa-biden-cfpb/biden-appoints-u-s-consumer-watchdog-veteran-as-acting-director-after-trump-appointee-resigns-idUSKBN29Q249.
[8] President Biden’s late son, Beau Biden, served as attorney general of Delaware, and Harris served as attorney general of California.
[9] Michelle Price, Biden appoints U.S. consumer watchdog veteran as acting director after Trump appointee resigns, Reuters (Jan. 21, 2021), available at https://www.reuters.com/article/us-usa-biden-cfpb/biden-appoints-u-s-consumer-watchdog-veteran-as-acting-director-after-trump-appointee-resigns-idUSKBN29Q249.
[10] H.R. 748, CARES Act, Public Law 116-136 (Mar. 27, 2020).
[11] See Stephen Carroll, Biden begins political battle for $1.9 trillion stimulus plan, France24 (Jan. 21, 2021), available at https://www.france24.com/en/tv-shows/business-daily/20210121-president-biden-begins-political-battle-for-1-9-trillion-stimulus-plan.
[12] See Eleanor Laise, Joe Biden Could Face an Uphill Battle to Restore Consumer Protections, Barron’s (Nov. 13, 2020), available at https://www.barrons.com/articles/whats-next-for-the-cfpb-and-why-it-matters-51605307530.
[13] Lesley Fair, Operation Corrupt Collector cracks down on illegal debt collection tactics, Federal Trade Commission (Sept. 29, 2020), available at https://www.ftc.gov/news-events/blogs/business-blog/2020/09/operation-corrupt-collector-cracks-down-illegal-debt.
[14] S. 3663, 116th Cong. (2020), available at https://www.congress.gov/bill/116th-congress/senate-bill/3663/text.
[16] Allison Grande, Sens. Float Privacy Bill To Protect Data In COVID-19 Era, Law 360 (Apr. 30, 2020) available at https://www.law360.com/articles/1269228/sens-float-privacy-bill-to-protect-data-in-covid-19-era; Adam Schwartz, Two Federal COVID-19 Privacy Bills: A Good Start and a Misstep, Electronic Frontier Foundation (May, 28, 2020), available at https://www.eff.org/deeplinks/2020/05/two-federal-covid-19-privacy-bills-good-start-and-misstep.
[17] S. 3749, 116th Cong. (2020), available at https://www.congress.gov/bill/116th-congress/senate-bill/3749/text.
[19] U.S. Department of Health & Human Services, Notification of Enforcement Discretion for Telehealth Remote Communications During the COVID-19 Nationwide Public Health Emergency (Mar. 30, 2020), available at https://www.hhs.gov/hipaa/for-professionals/special-topics/emergency-preparedness/notification-enforcement-discretion-telehealth/index.html.
[20] U.S. Department of Health & Human Services, OCR Announces Notification of Enforcement Discretion to Allow Uses and Disclosures of Protected Health Information by Business Associates for Public Health and Health Oversight Activities During The COVID-19 Nationwide Public Health Emergency (Apr. 2, 2020), available at https://www.hhs.gov/about/news/2020/04/02/ocr-announces-notification-of-enforcement-discretion.html; U.S. Department of Health & Human Services, OCR Announces Notification of Enforcement Discretion for Community-Based Testing Sites During the COVID-19 Nationwide Public Health Emergency (Apr. 9, 2020), available at https://web.archive.org/web/20210117020355/
https://www.hhs.gov/about/news/2020/04/09/ocr-announces-notification-enforcement-discretion-community-based-testing-sites-during-covid-19.html.
[21] U.S. Department of Health & Human Services, OCR Issues Guidance to Help Ensure First Responders and Others Receive Protected Health Information about Individuals Exposed to COVID-19 (Mar. 24, 2020), available at https://web.archive.org/web/20210117001045/
https://www.hhs.gov/about/news/2020/03/24/ocr-issues-guidance-to-help-ensure-first-responders-and-others-receive-protected-health-information-about-individuals-exposed-to-covid-19.html.
[22] U.S. Department of Health & Human Services, OCR Issues Guidance on How Health Care Providers Can Contact Former COVID-19 Patients About Blood and Plasma Donation Opportunities (June 12, 2020), available at https://web.archive.org/web/20210116081727/
https://www.hhs.gov/about/news/2020/06/12/guidance-on-hipaa-and-contacting-former-covid-19-patients-about-blood-and-plasma-donation.html.
[23] Centers for Disease Control and Prevention (CDC), COVID-19 Vaccination Program Interim Playbook for Jurisdiction Operations (Oct. 29, 2020) available at https://www.cdc.gov/vaccines/imz-managers/downloads/COVID-19-Vaccination-Program-Interim_Playbook.pdf.
[24] Sheryl Gay Stolberg, Some States Balk After C.D.C. Asks for Personal Data of Those Vaccinated, N.Y. Times (Dec. 8, 2020) available at https://www.nytimes.com/2020/12/08/us/politics/cdc-vaccine-data-privacy.html.
[25] Act in relation to the collection of emergency health data and personal information and the use of technology to aid during COVID-19; and providing for the repeal of such provision upon the expiration thereof, S.8848D (N.Y. 2020), available at https://legislation.nysenate.gov/pdf/bills/2019/S8448D.
[26] Cal. Civ. Code §§ 1798.130(a)(5)(D), 1798.146, and 1798.148.
[27] Act to amend Section 1798.130 of, and to add Sections 1798.146 and 1798.148 to, the Civil Code, relating to consumer privacy, and declaring the urgency thereof, to take effect immediately, A.B. 713 (Cal. 2020) (enacted), available at https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?
bill_id=201920200AB713.
[28] Cal. Civ. Code §§ 1798.130(a)(5)(D), 1798.146, and 1798.148.
[32] Act concerning governmental response to the 2020 COVID-19 pandemic in Kansas, H.B. 2016 (Kan. 2020) (enacted), available at http://www.kslegislature.org/li_2020s/b2020s/
measures/documents/hb2016_enrolled.pdf.
[33] N.Y. Pub. Health Code § 2181 Act to amend the public health law, in relation to the confidentiality of contact tracing information, S.8450C (N.Y. 2020), available at https://legislation.nysenate.gov/pdf/bills/2019/S8450C.
[34] Act relating to contact tracing of the COVID-19 virus, S.B.1 (Ala. 2020), available at http://alisondb.legislature.state.al.us/ALISON/SearchableInstruments/2021RS/PrintFiles/SB1-int.pdf.
[36] Act concerning data privacy related to certain health information and supplementing Title 26 of the Revised Statutes, A.4170 (N.J. 2020), available at https://www.njleg.state.nj.us/2020/Bills/A4500/4170_R1.HTM.
[39] An act to amend the general business law, in relation to the management and oversight of personal data [the “New York Privacy Act”], S. 5642, 2019-2020 Leg., Reg. Sess. (N.Y. 2019), available at https://legislation.nysenate.gov/pdf/bills/2019/S5642.
[40] An act to amend the general business law and the state technology law, in relation to notification of a security breach, S5575B, 2019-2020 Leg., Reg. Sess. (N.Y. 2019), available at https://www.nysenate.gov/legislation/bills/2019/s5575/amendment/b
[41] Act in relation to the collection of emergency health data and personal information and the use of technology to aid during COVID-19; and providing for the repeal of such provision upon the expiration thereof, S.8848D (N.Y. 2020), available at https://www.nysenate.gov/legislation/bills/2019/S8448.
[45] See Act in relation to the collection of emergency health data and personal information and the use of technology to aid during COVID-19; and providing for the repeal of such provision upon the expiration thereof, S.301 (N.Y. 2021), available at https://www.nysenate.gov/legislation/bills/2021/S301; Act in relation to the collection of emergency health data and personal information and the use of technology to aid during COVID-19; and providing for the repeal of such provision upon the expiration thereof, H.687 (N.Y. 2021), available at https://legislation.nysenate.gov/pdf/bills/2021/A687.
[46] Act to add Title 1.81.10 (commencing with Section 1798.600) to Part 4 of Division 3 of the Civil Code, relating to personal information, A.B.660 (Cal. 2020), available at https://leginfo.legislature.ca.gov/faces/
billTextClient.xhtml?bill_id=201920200AB660.
[48] Act to add Title 4.5 (commencing with Section 1924) to Part 4 of Division 3 of the Civil Code, to add Chapter 5 (commencing with Section 104000) to Part 2 of Division 102 of the Health and Safety Code, and to add Part 6 (commencing with Section 22360) to Division 2 of the Public Contract Code, relating to personal information, A.B.1782 (Cal. 2020), available at https://leginfo.legislature.ca.gov/faces/
billNavClient.xhtml?bill_id=201920200AB1782.
[51] Bill for an act relating to health, H.F.164 (Minn. 2020), available at https://www.revisor.mn.gov/bills/text.php?number=HF164&
type=bill&version=0&session=ls91&session_year=2020&session_number=1.
[52] See Act to Exempt EMS telecommunicator info from Public Records Law, S.B. 31 (Ohio 2020), available at https://www.legislature.ohio.gov/legislation/legislation-summary?id=GA133-SB-31.
[53] See Press Release, Office of the Attorney General, Attorney General Herring Tells Tech Companies to Protect Public from Shady “Contact Tracing Apps” (June 17, 2020), available at https://www.oag.state.va.us/media-center/news-releases/1739
-june-17-2020-herring-tells-tech-companies-to-protect-public-from-shady-contact-tracing-apps.
[55] See Press Release, N.Y. State Office of the Attorney General, Attorney General James Secures New Protections, Security Safeguards for All Zoom Users (May 7, 2020), available at https://ag.ny.gov/press-release/2020/attorney-general-james-secures-new-protections-security-safeguards-all-zoom-users.
[57] See Cal. Civ. Code § 1798.140(c).
[58] See, e.g., California Approves Final CCPA Regulations, and Bill Extending Key Exemptions Moves Forward at the Legislature, Gibson Dunn (Aug. 20, 2020), available at https://www.gibsondunn.com/california-approves-final-ccpa-regulations-and-bill-extending-key-exemptions-moves-forward-at-the-legislature/; California Consumer Privacy Act Update: Attorney General Finalizes Regulations and Provides Interpretive Guidance, Gibson Dunn (June 12, 2020), available at https://www.gibsondunn.com/california-consumer-privacy-act-update-attorney-general-finalizes-regulations-and-provides-interpretive-guidance/; California Consumer Privacy Act Update: Attorney General Proposes Further Revisions to CCPA Regulations, Gibson Dunn (Mar. 17, 2020), available at https://www.gibsondunn.com/california-consumer-privacy-act-update-attorney-general-proposes-further-revisions-to-ccpa-regulations/; California Consumer Privacy Act Update: Attorney General Proposes Regulations Version 2.0, Gibson Dunn (Feb. 19, 2020), available at https://www.gibsondunn.com/california-consumer-privacy-act-update-attorney-general-proposes-regulations-version-2-0/.
[59] Final Text of Proposed Regulations, State Cal. Dep’t Just. Off. Att’y Gen. (Jan. 19, 2020), available at https://oag.ca.gov/sites/all/files/agweb/pdfs/privacy/oal-sub-final-text-of-regs.pdf?
[61] Text of Fourth Set of Proposed Modifications, State Cal. Dep’t Just. Off. Att’y Gen. (Dec. 10, 2020), available at https://www.oag.ca.gov/sites/all/files/agweb/pdfs/privacy/ccpa-prop-mods-text-of-regs-4th.pdf; Text of Third Set of Proposed Modifications – Comparison Version, State Cal. Dep’t Just. Off. Att’y Gen. (Oct. 12, 2020), available at https://www.oag.ca.gov/sites/all/files/agweb/pdfs/privacy/ccpa-text-of-third-set-mod-101220.pdf?.
[62] Text of Fourth Set of Proposed Modifications, State Cal. Dep’t Just. Off. Att’y Gen. (Dec. 10, 2020), available at https://www.oag.ca.gov/sites/all/files/agweb/pdfs/privacy/ccpa-prop-mods-text-of-regs-4th.pdf; Text of Third Set of Proposed Modifications – Comparison Version, State Cal. Dep’t Just. Off. Att’y Gen. (Oct. 12, 2020), available at https://www.oag.ca.gov/sites/all/files/agweb/pdfs/privacy/ccpa-text-of-third-set-mod-101220.pdf?.
[63] See, e.g., The Potential Impact of the Upcoming Voter Initiative, the California Privacy Rights Act, Gibson Dunn (Sept. 29, 2020), available at https://www.gibsondunn.com/potential-impact-of-the-upcoming-voter-initiative-the-california-privacy-rights-act/; As California Consumer Privacy Act Enforcement Commences, a Tougher New Data Privacy Law Will Go Before California Votes in November, Gibson Dunn (July 1, 2020), available at https://www.gibsondunn.com/as-california-consumer-privacy-act-enforcement-commences-a-tougher-new-data-privacy-law-will-go-before-california-voters-in-november/.
[64] Whereas the CCPA defines “business” in part as a for-profit entity that collects consumers’ personal information, which does business in California and possesses “the personal information of 50,000 or more consumers, households, or devices,” Cal. Civ. Code § 1798.140(c)(1)(B) [prior CCPA text], the CPRA will remove such devices from consideration. See Cal. Civ. Code § 1798.140(d)(1) [as modified by CPRA].
[65] Compare Cal. Civ. Code § 1798.140(c)(1)(B) [prior CCPA text], with Cal. Civ. Code § 1798.140(d)(1)(B) [as modified by CPRA].
[66] Compare Cal. Civ. Code § 1798.140(c)(1)(C) [prior CCPA text], with Cal. Civ. Code § 1798.140(d)(1)(C) [as modified by CPRA].
[67] Compare Cal. Civ. Code § 1798.140(o)(2) [prior CCPA text] with Cal. Civ. Code § 1798.140(v)(2) [as modified by CPFRA].
[68] Compare Cal. Civ. Code § 1798.140(t) [prior CCPA text], with Cal. Civ. Code § 1798.140(ad) [as modified by CPRA].
[69] An Act to Protect the Privacy of Online Customer Information, S. P. 275, 2019 Leg., 129th Sess. (Me. 2019), available at http://www.mainelegislature.org/legis/bills/
getPDF.asp?paper=SP0275&item=9&snum=129.
[72] An Act relating to Internet privacy, S.B. 220, 2019 Leg., 80th Sess. (Nev. 2019), available at https://www.leg.state.nv.us/App/NELIS/REL/80th2019/Bill/6365/Text.
[73] An Act relating to public safety; designating the month of October of each year as “Cybersecurity Awareness Month”; revising requirements relating to emergency response plans for schools, cities, counties and resort hotels; clarifying the authority of the Governor to call members of the Nevada National Guard into state active duty upon a request for assistance from certain governmental entities that have experienced a significant cybersecurity incident; requiring each city or county to adopt and maintain a cybersecurity incident response plan; revising the duties of the Nevada Office of Cyber Defense Coordination of the Department of Public Safety; requiring the Office to submit a quarterly report to the Governor regarding cybersecurity; revising provisions relating to the disclosure of records by the Office; and providing other matters properly relating thereto, S.B. 69, 2019 Leg., 80th Sess. (Nev. 2019), available at https://www.leg.state.nv.us/Statutes/
80th2019/Stats201915.html#Stats201915_CH412.
[76] An act to amend the general business law and the state technology law, in relation to notification of a security breach, S5575B, 2019-2020 Leg., Reg. Sess. (N.Y. 2019), available at https://www.nysenate.gov/legislation/bills/2019/s5575/amendment/b.
[78] Stop Hacks and Improve Electronic Data Security Act (SHIELD Act), 2019-2020 Leg., Reg. Sess. S5575B (N.Y. 2019), available at https://legislation.nysenate.gov/pdf/bills/2019/S5575B.
[81] N.Y. Bar Ass’n, January 21, 2021 State Legislative Developments, NYBA Online (Jan. 22, 2021), available at https://www.nyba.com/NYBA/Publications/Friday_s_News/NYBA/
Publications/Fridays_News.aspx?hkey=79bbbf02-4315-4d19-8349-fe28b3a3de2e.
[83] An act to amend the general business law, in relation to the management and oversight of personal data [the “New York Privacy Act”], S. 5642, 2019-2020 Leg., Reg. Sess. (N.Y. 2019), available at https://legislation.nysenate.gov/pdf/bills/2019/S5642.
[85] See Josefa Velasquez, New York’s State Senate Democrats Gain a Supermajority. What Could They Do With It?, The City (Nov. 23, 2020), available at https://www.thecity.nyc/2020/11/23/21612024/new-york-state-senate-democrats-gain-a-supermajority.
[86] An Act Relating to actions with respect to a breach of security that involves personal information, S.B. 684, 80th Or. Leg. Assemb., Reg. Sess. (O.r. 2019), available at https://olis.leg.state.or.us/liz/2019R1/
Downloads/MeasureDocument/SB684/Enrolled.
[92] An Act Relating to security measures required for devices that connect to the Internet, H.B. 2395, 80th Leg. Assemb., Reg. Sess. (Or. 2019), available at https://olis.leg.state.or.us/liz/2019R1/Downloads/MeasureDocument/HB2395/Enrolled.
[93] Id.; An act to add Title 1.81.26 (commencing with Section 1798.91.04) to Part 4 of Division 3 of the Civil Code, relating to information privacy, S.B. 327, 2017-2018 Leg., Reg. Sess. (Cal. 2018), available at https://leginfo.legislature.ca.gov/faces/
billNavClient.xhtml?bill_id=201720180SB327.
[94] An Act Relating to the use of facial recognition services, S.B. 6280, 66th Leg., Reg. Sess. (Wash. 2020), available at http://lawfilesext.leg.wa.gov/biennium/2019-20/Pdf/
Bills/Session%20Laws/Senate/6280-S.SL.pdf?q=20201214093740.
[97] For the bill’s current language, as submitted to the Washington State Legislature, see Wash. State Leg. Committee Schedule, Bill Req. S-4873.3/20 3rd draft [“Concerning the management and oversight of personal data”], available at https://app.leg.wa.gov/committeeschedules/Home/Document/208507; for the draft version bearing Senator Carlyle’s name, see @Reuvencarlyle, Twitter (Sept. 9, 2020), available at https://twitter.com/Reuvencarlyle/status/1303808769218945025.
[98] Reuven Carlyle, Washington Privacy Act 2021 (DRAFT), Senate Democrats (Aug. 5, 2020).
[100] An Act relating to privacy, H.B. 2572, 30th Leg., Reg. Sess. (Haw. 2020), available at https://www.capitol.hawaii.gov/session2020/bills/HB2572_SD1_.pdf; An Act relative to consumer data privacy, Bill S.120, 191st General Court (Mass. 2019), available at https://malegislature.gov/Bills/191/S120/BillHistory; An Act relating to biological characteristics, H.B. 2478, 44th Leg., 1st Reg. Sess.(Ariz. 2019), available at https://www.azleg.gov/legtext/54leg/1R/bills/HB2478P.pdf.
[101] Henry Kenyon, Voters in Portland, Maine, vote to ban use of facial recognition tech, CQ Roll Call Washington Data Privacy Briefing (Nov. 6, 2020), available at https://today.westlaw.com/Document/Ia69ed770208c11ebbea4f0dc9fb69570/View/
FullText.html?transitionType=Default&contextData=(sc.Default)&
VR=3.0&RS=cblt1.0.
[102] Ashley Murray, City Council Approves Bill to Regulate Facial Recognition Technology, Pittsburgh Post-Gazette (Sept. 23, 2020), available at https://1.next.westlaw.com/Document/I6048e330fd7211eaadd8fa89d4036ae0/View/FullText.html?transitionType=Default&contextData=(sc.Default).
[103] Prohibit the use of Face Recognition Technologies by private entities in places of public accommodation in the City, Ordinance No. 190114 (Sept. 9, 2020), available at https://efiles.portlandoregon.gov/Record/13945283.
[104] See, e.g., Eric Newcomer, California Will Be Key Battleground in Tech Privacy Fight in 2020, Bloomberg (Jan. 2, 2020), available at https://www.bloomberg.com/news/articles/2020-01-02/privacy-fight-continues-in-california-dc-and-beyond.
[107] S. 4626, 116th Cong. (2020), available at https://www.congress.gov/bill/116th-congress/senate-bill/4626/text.
[108] Muge Fazlioglu, Consolidating US Privacy Legislation: The SAFE DATA Act, iAPP (Sept. 21, 2020), available at https://iapp.org/news/a/consolidating-u-s-privacy-legislation-the-safe-data-act/.
[109] United States Consumer Data Privacy Act of 2019 Staff Discussion Draft (2019), available at https://privacyblogfullservice.huntonwilliamsblogs.com/wp-content/uploads/sites/28/2019/12/Nc7.pdf.
[110] S. 2763, 116th Cong. (2019), available at https://www.congress.gov/bill/116th-congress/senate-bill/2763/text.
[111] S. 1084, 116th Cong. (2019), available at https://www.congress.gov/bill/116th-congress/senate-bill/1084/text.
[112] S. 4626, 116th Cong. (2020), available at https://www.congress.gov/bill/116th-congress/senate-bill/4626/text.
[114] S. 3456, 116th Cong. (2020), available at https://www.congress.gov/bill/116th-congress/senate-bill/3456/text.
[117] H.R. 6675, 116th Cong. (2020), available at https://www.congress.gov/bill/116th-congress/house-bill/6675/text.
[118] S. 2577, 116th Cong. (2019), available at https://www.congress.gov/bill/116th-congress/senate-bill/2577/text.
[119] H.R. 6675, 116th Cong. (2020), available at https://www.congress.gov/bill/116th-congress/house-bill/6675/text.
[122] S. 3300, 116th Cong. (2020), available at https://www.congress.gov/bill/116th-congress/senate-bill/3300/text.
[123] Eric Newcomer, California Will Be Key Battleground in Tech Privacy Fight in 2020, Bloomberg (Jan. 2, 2020), available at https://www.bloomberg.com/news/articles/2020-01-02/privacy-fight-continues-in-california-dc-and-beyond.
[124] S. 3300, 116th Cong. (2020), available at https://www.congress.gov/bill/116th-congress/senate-bill/3300/text.
[126] Data Accountability and Transparency Act of 2020 Staff Discussion Draft (2020), available at https://www.law360.com/articles/1284404/attachments/0.
[129] H.R. 6677, 116th Cong. (2020), available at https://www.congress.gov/bill/116th-congress/house-bill/6677/text.
[138] Internet of Things Cybersecurity Improvement Act of 2020, Pub. L. No. 116-207, available at https://www.congress.gov/bill/116th-congress/house-bill/1668/text.
[139] Justin Katz, Senate Passes IoT Cybersecurity Bill, Federal Computer Week (Nov. 18, 2020), available at https://fcw.com/articles/2020/11/18/iot-cyber-bill-passes-senate.aspx.
[142] Chris Mills Rodrigo, Booker, Merkley Propose Federal Facial Recognition Moratorium, The Hill (Feb. 12, 2020), available at https://thehill.com/policy/technology/482815-booker-merkley-propose-facial-recognition-moratorium.
[143] S. 3284, 116th Cong. (2020), available at https://www.congress.gov/bill/116th-congress/senate-bill/3284/text.
[144] See H.R. 7356, 116th Cong. (2020), available at https://www.congress.gov/bill/116th-congress/house-bill/7356/text; S. 4084, 116th Cong. (2020), available at https://www.congress.gov/bill/116th-congress/senate-bill/4084/text.
[145] Press Release, Ed Markey United States Senator for Massachusetts, Senators Markey and Merkley, and Reps. Jayapal, Pressley to Introduce Legislation to Ban Government Use of Facial Recognition, Other Biometric Technology (June 25, 2020), available at https://www.markey.senate.gov/news/press-releases/senators-markey-and-merkley-and-reps-jayapal-pressley-to-introduce-legislation-to-ban-government-use-of-facial-recognition-other-biometric-technology.
[147] S. 4084, 116th Cong. (2020), available at https://www.congress.gov/bill/116th-congress/senate-bill/4084/cosponsors.
[148] H.R. 7356, 116th Cong. (2020), available at https://www.congress.gov/bill/116th-congress/house-bill/7356/cosponsors.
[149] S. 4400, 116th Cong. (2020), available at https://www.congress.gov/bill/116th-congress/senate-bill/4400/actions.
[153] See H.R. 7891, 116th Cong. (2020), available at https://www.congress.gov/bill/116th-congress/house-bill/7891/text; S. 4051, 116th Cong. (2020), available at https://www.congress.gov/bill/116th-congress/senate-bill/4051/text.
[154] 50 U.S.C. § 1861 (2018).
[155] 50 U.S.C. § 1801(b)(1)(C) (2015).
[156] 50 U.S.C. § 1805(c)(2)(B) (2018).
[157] H.R. 6172, 116th Cong. (2020), available at https://www.congress.gov/bill/116th-congress/house-bill/6172/all-actions.
[158] Communications Decency Act of 1996, 47 U.S.C. § 230 (1996).
[160] See, e.g., Jessica Guynn, Trump and Biden vs. Facebook: Why Section 230 could get repealed in 2021, USA Today (Jan. 4, 2021), available at https://www.usatoday.com/story/tech/2021/01/04/trump-biden-pelosi-section-230-repeal-facebook-twitter-google/4132529001/ (describing political support for Section 230 reform or repeal in 2021).
[161] S. 3983, 116th Cong. (2020), available at https://www.congress.gov/bill/116th-congress/senate-bill/3983/text.
[163] Press Release, Marco Rubio U.S. Senator for Florida, Rubio, Hawley Announce Bill Empowering Americans to Hold Big Tech Companies Accountable for Acting in Bad Faith (June 17, 2020), available at https://www.rubio.senate.gov/public/index.cfm/press-releases?
ContentRecord_id=47276D77-62D6-4E04-9FA2-1CD761179B90#:~
:text=The%20Limiting%20Section%20
230%20Immunity,if%20they%20violate%20those%20terms.
[164] S. 3398, 116th Cong. (2020), available at https://www.congress.gov/bill/116th-congress/senate-bill/3398/actions.
[168] Press Release, Committee on the Judiciary, Chairman Graham Applauds Senate Judiciary Committee for Unanimously Approving the EARN IT Act (July 2, 2020), available at https://www.judiciary.senate.gov/press/rep/releases/chairman-graham-applauds-
senate-judiciary-committee-for-unanimously-approving-the-earn-it-act#
:~:text=The%20EARN%20IT%20Act%20was,Against%20Online%20
Child%20Sexual%20Exploitation.%E2%80%9D.
[169] S. 4337, 116th Cong. (2020), available at https://www.congress.gov/bill/116th-congress/senate-bill/4337/text.
[171] Children’s Online Privacy Protection Act of 1998, 15 U.S.C. § 6501–6505 (1998).
[172] Press Release, Federal Trade Commission, FTC Seeks Comments on Children’s Online Privacy Protection Act Rule: FTC to host workshop on COPPA in October as part of initiative (July 25, 2019), available at https://www.ftc.gov/news-events/press-releases/2019/07/ftc-seeks-comments-childrens-online-privacy-protection-act-rule.
[173] H.R. 5573, 116th Cong. (2020), available at https://www.congress.gov/bill/116th-congress/house-bill/5573/text.
[174] H.R. 5703, 116th Cong. (2020), available at https://www.congress.gov/bill/116th-congress/house-bill/5703/text.
[176] 15 U.S.C. § 53(b); see AMG Capital Mgmt., LLC v. Fed. Trade Comm’n, No. 19-508, 2020 WL 3865250 (U.S. July 9, 2020).
[177] See Press Release, Federal Trade Commission, FTC Issues Orders to Nine Social Media and Video Streaming Services Seeking Data About How They Collect, Use, and Present Information (Dec. 14, 2020), available at https://www.ftc.gov/news-events/press-releases/2020/12/ftc-issues-orders-nine-social-media-video-streaming-services.
[178] United States v. Facebook, Inc., 456 F. Supp. 3d 115 (D.D.C. 2020).
[179] See Press Release, Federal Trade Commission, FTC Chairman’s Statement Regarding the Court’s Approval of the Facebook Settlement (Apr. 24, 2020), available at https://www.ftc.gov/news-events/press-releases/2020/04/ftc-chairmans-statement-regarding-courts-approval-facebook.
[180] See Kate Conger, F.T.C. Investigating Twitter for Potential Privacy Violations, N.Y. Times (Aug. 3, 2020), available at https://www.nytimes.com/2020/08/03/technology/ftc-twitter-privacy-violations.html.
[181] Agreement Containing Consent, In the Matter of Zoom Video Communications, Inc., File No. 1923167 (F.T.C. Nov. 9, 2020), available at https://www.ftc.gov/system/files/documents/cases/1923167zoomacco2.pdf.
[182] See Diane Bartz, Exclusive: U.S. probing allegations TikTok violated children’s privacy – sources, Reuters (July 7, 2020), available at https://www.reuters.com/article/us-tiktok-privacy-children-exclusive/exclusive-u-s-probing-allegations-tiktok-violated-childrens-privacy-sources-idUSKBN248373.
[184] FTC v. Credit Bureau Ctr., LLC, 937 F.3d 764 (7th Cir. 2019).
[187] AMG Capital Mgmt., LLC v. Fed. Trade Comm’n, No. 19-508, 2020 WL 3865250 (U.S. July 9, 2020).
[188] AMG Capital Management, LLC v. FTC, 910 F.3d 417 (9th Cir. 2018).
[189] Initially Credit Bureau Center, LLC and AMG Capital Management, LLC were consolidated to be heard together, but on November 9, the Supreme Court withdrew its consolidation order and vacated its order granting certiorari in Credit Bureau Center, LLC. FTC v. Credit Bureau Ctr., No. 19-825, 2020 WL 6551765 (U.S. Nov. 9, 2020).
[190] AMG Capital Management, LLC, 910 F.3d at 426.
[191] Alexander Southwell, Ryan Bergsieker and Sarah Erickson, Where Data Privacy And CFPB Are Headed Under Biden, Law360 (Nov. 24, 2020), available at https://www.law360.com/articles/1331226/where-data-privacy-and-cfpb-are-headed-under-biden.
[192] Press Release, Department of Health and Human Services, Health Insurer Pays $6.85 Million to Settle Data Breach Affecting Over 10.4 Million People (Sept. 25, 2020), available at https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/premera/index.html.
[193] Press Release, Department of Health and Human Services, Health Care Provider Pays $100,000 Settlement to OCR for Failing to Implement HIPAA Security Rule Requirements (Mar. 3, 2020), available at https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/porter/index.html.
[194] Press Release, Department of Health and Human Services, OCR Settles Five More Investigations in HIPAA Right of Access Initiative (Sept. 15, 2020), available at https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/agreements/right-of-access-initiative/index.html.
[195] Press Release, Department of Health and Human Services, Anthem Pays OCR $16 Million in Record HIPAA Settlement Following Largest U.S. Health Data Breach in History (Oct. 15, 2018), available at https://www.hhs.gov/guidance/document/anthem-pays-ocr-16-million-record-hipaa-settlement-following-largest-health-data-breach.
[196] Steve Adler, Court Approves Anthem $115 Million Data Breach Settlement, HIPAA J. (Aug. 20, 2018), available at https://www.hipaajournal.com/court-approves-anthem-115-million-data-breach-settlement/.
[197] Press Release, Department of Health and Human Services, OCR Announces Notification of Enforcement Discretion for Telehealth Remote Communications During the COVID-19 Nationwide Public Health Emergency (Mar. 30, 2020), available at https://www.hhs.gov/hipaa/for-professionals/special-topics/emergency-preparedness/notification-enforcement-discretion-telehealth/index.html.
[198] Department of Health and Human Services, FAQs on Telehealth and HIPAA during the COVID-19 nationwide public health emergency, available at https://www.hhs.gov/sites/default/files/telehealth-faqs-508.pdf.
[199] Press Release, Department of Health and Human Services, OCR Announces Notification of Enforcement Discretion for Community-Based Testing Sites During the COVID-19 Nationwide Public Health Emergency (Apr. 9, 2020), available at https://www.hhs.gov/sites/default/files/notification-enforcement-discretion-community-based-testing-sites.pdf.
[200] Press Release, Department of Health and Human Services, OCR Issues Guidance on How Health Care Providers Can Contact Former COVID-19 Patients About Blood and Plasma Donation Opportunities (Aug. 2020), available at https://www.hhs.gov/sites/default/files/guidance-on-hipaa-and-contacting-former-covid-19-patients-about-plasma-donation.pdf .
[201] New Release, Center for Medicare and Medicaid Services, CMS Snapshot (Aug. 27, 2020), available at https://www.cms.gov/files/document/snapshotupdate08272020.pdf.
[202] Press Release, Department of Health and Human Services, HHS Proposes Modifications to the HIPAA Privacy Rule to Empower Patients, Improve Coordinated Care, and Reduce Regulatory Burdens (Dec. 10, 2020), available at https://www.hhs.gov/hipaa/for-professionals/regulatory-initiatives/index.html.
[203] Department of Health and Human Services, Proposed Modifications to the HIPAA Privacy Rule to Support, and Remove Barriers to, Coordinated Care and Individual Engagement, available at https://www.hhs.gov/sites/default/files/hhs-ocr-hipaa-nprm.pdf.
[204] Proposed Modifications to the HIPAA Privacy Rule To Support, and Remove Barriers to, Coordinated Care and Individual Engagement, 86 Fed. Reg. 6446 (published Jan. 21, 2021), available at https://www.federalregister.gov/documents/2021/01/21/2020-27157/proposed-modifications-to-the-hipaa-privacy-rule-to-support-and-remove-barriers-to-coordinated-care.
[205] Press Release, U.S. Securities and Exchange Commission, SEC Office of Compliance Inspections and Examinations Announces 2020 Examination Priorities (Jan. 7, 2020), available at https://www.sec.gov/news/press-release/2020-4.
[208] SEC Office of Compliance Inspection and Examinations, Cybersecurity and Resiliency Observations (Jan. 27, 2020), available at https://www.sec.gov/files/
OCIE%20Cybersecurity%20and%20Resiliency%20Observations.pdf.
[209] Press Release, U.S. Securities and Exchange Commission, SEC Announces Creation of the Event and Emerging Risk Examination Team in the Office of Compliance Inspections and Examinations and the Appointment of Adam D. Storch as Associate Director (July 28, 2020), available at https://www.sec.gov/news/press-release/2020-165.
[210] U.S. Securities and Exchange Commission, Cyber Enforcement Actions: Digital Assets/Initial Coin Offerings (last updated Dec. 28, 2020), available at https://www.sec.gov/spotlight/cybersecurity-enforcement-actions.
[211] Final Judgment as to Defendants Telegram Group Inc. and Ton Issuer Inc., SEC v. Telegram Group Inc. et al., 1:19-cv-09439 (S.D.N.Y. June 26, 2020), ECF No. 242.
[212] Opinion and Order, SEC v. Telegram Group Inc. et al., 1:19-cv-09439 (S.D.N.Y. Mar. 24, 2020), ECF No. 227.
[215] Opinion and Order, SEC v. Kik Interactive Inc., 1:19-cv-5244 (S.D.N.Y. Sept. 30, 2020), ECF No. 88.
[216] See, e.g., Complaint, SEC v. Ackerman, 1:20-cv-01181 (S.D.N.Y. Feb. 11, 2020), ECF No. 1 (complaint against Ohio-based businessman who allegedly orchestrated a digital asset scheme that defrauded approximately 150 investors, including many physicians); Complaint, SEC v. Meta 1 Coin Trust, et al., 1:20-cv-00273 (W.D. Tex. Mar. 16, 2020), ECF No. 1 (complaint against an unincorporated entity purporting to be an irrevocable trust, a former state senator, and two others for allegedly conducting a fraudulent ICO of unregistered digital asset securities, and secured a temporary restraining order against the parties); Complaint, SEC v. Dropil, Inc., et al., 8:20-cv-00793 (C.D. Cal. Apr. 23, 2020), ECF No. 1 (complaint against a digital currency company and its three founders for allegedly raising money from thousands of investors through a fraudulent ICO of unregistered digital asset securities); Complaint, SEC v. FLiK, et al., 1:20-cv-03739 (N.D. Ga. Sept. 10, 2020), ECF No. 1 (complaint against several Georgia-based individuals who allegedly promoted two unregistered and fraudulent ICOs); Tierion, Inc., Administrative Proceeding File No. 3-20188, Order Instituting Cease-and-Desist Proceedings Pursuant to Section 8A of the Securities Act of 1933, Making Findings, and Imposing Penalties and a Cease-and-Desist Order (Dec. 23, 2020) (cease-and-desist proceeding against blockchain startup for unregistered offering of securities via “token sale”; company agreed to return funds to investors, pay $250,000 penalty, and disable trading in its “tokens”).
[217] Complaint, SEC v. Sotnikov, et al., 1:20-cv-02784 (D.N.J. Mar. 13, 2020), ECF No. 1; Press Release, U.S. Securities and Exchange Commission, SEC Charges Russian National for Defrauding Older Investors of Over 26 Million in Phony Certificates of Deposit Scam (Mar. 13, 2020), available at https://www.sec.gov/news/press-release/2020-61.
[218] See id., Clerk’s Entry of Default (Dec. 23, 2020) [electronic order], ECF No. 23
[219] Complaint, SEC v. Ross, 1:20-cv-05140 (N.D. Ga. Dec. 18, 2020), ECF No. 1; U.S. Securities and Exchange Commission, SEC Charges Former Day Trader with Market Manipulation, Litigation Release No. 24989 (Dec. 18, 2020), available at https://www.sec.gov/litigation/litreleases/2020/lr24989.htm.
[220] Telephone Robocall Abuse Criminal Enforcement and Deterrence Act, 47 U.S.C. § 227.
[221] 35 FCC Rcd 11186 (13) (2020).
[223] See Facebook, Inc. v. Duguid, 141 S. Ct. 193 (2020).
[224] See Carlton & Harris Chiropractic, Inc. v. PDR Network, LLC, 982 F.3d 258 (4th Cir. 2020) (previously vacated and remanded by the Supreme Court in PDR Network, LLC v. Carlton & Harris Chiropractic, Inc., 139 S. Ct. 2051 (2019)).
[225] Eric J. Troutman, A Jarring Shift, National Law Review (Dec. 11, 2020), available at https://www.natlawreview.com/article/jarring-shift-here-s-why-fourth-circuit-holding-fcc-tcpa-rulings-aren-t-entitled-to.
[226] See, e.g., Notice of Apparent Liability in the Matter of Sprint Corp., 35 FCC Rcd 1655 (2) (2020); Notice of Apparent Liability in the Matter of T-Mobile USA, Inc., 35 FCC Rcd 1785 (2) (2020); Notice of Apparent Liability in the Matter of Verizon Comm., 35 FCC Rcd 1698 (2) (2020).
[227] Jennifer Valentino-DeVries, Cellphone Carriers Face $200 Million Fine for Not Protecting Location Data, N.Y. Times (Feb. 28, 2020), available at https://www.nytimes.com/2020/02/28/technology/fcc-cellphones-location-data-fines.html.
[228] Jennifer Valentino-DeVries, Cellphone Carriers Face $200 Million Fine for Not Protecting Location Data, NY Times (Feb. 28, 2020), available at https://www.nytimes.com/2020/02/28/technology/fcc-cellphones-location-data-fines.html.
[229] William Barr, Statement of the Attorney General on the Announcement of Civil Antitrust Lawsuit Filed Against Google, U.S. Dep’t of Just. (Oct. 20, 2020), available at https://www.justice.gov/opa/pr/statement-attorney-general-announcement-civil-antitrust-lawsuit-filed-against-google.
[231] Tony Romm, US, States Sue Facebook as an Illegal Monopoly, Setting Stage for Potential Breakup, Wash. Post (Dec. 9, 2020), available at https://www.washingtonpost.com/technology/2020/12/09/facebook-antitrust-lawsuit/.
[232] See Cryptocurrency: Enforcement Framework, Report of the Att’y Gen.’s Cyber Digital Task Force (Oct. 1, 2020), available at https://www.justice.gov/ag/page/file/1326061/download.
[233] International Statement: End-To-End Encryption and Public Safety, Dep’t of Just. Office of Public Affairs (Oct. 11, 2020), available at https://www.justice.gov/opa/pr/international-statement-end-end-encryption-and-public-safety.
[235] Russel Brandom, US Joins Six Countries in New Call for Backdoor Encryption Access, The Verge (Oct. 12, 2020), available at https://www.theverge.com/2020/10/12/21513212/backdoor-encryption-access-us-canada-australia-new-zealand-uk-india-japan.
[236] Jackson Barnett, Final CMMC Acquisition Rule Goes Into Effect, Fed Scoop (Dec. 1, 2020), available at https://www.fedscoop.com/cmmc-rule-change-goes-effect/.
[238] Jackson Barnett, The DoD Wants Better Cybersecurity for Its Contractors. The First Steps haven’t Been Easy, Fed Scoop (June 23, 2020), available at https://www.fedscoop.com/cmmc-dod-cybersecurity-requirments-contractors-timeline.
[239] See, e.g., Jackson Barnett, Final CMMC Acquisition Rule Goes Into Effect, Fed Scoop (Dec. 1, 2020), available at https://www.fedscoop.com/cmmc-rule-change-goes-effect/.
[240] See Ensuring American Leadership in Automated Vehicle Technologies, A Report by the Nat’l Sci. & Tech. Council and the U.S. Dep’t of Transportation (Jan. 2020), available at https://www.transportation.gov/sites/dot.gov/files/docs/policy-initiatives/automated-vehicles/360956/ensuringamericanleadershipav4.pdf.
[242] Linda Chiem, NHTSA Eyes New Self-Driving Car Regulatory Framework, Law360 (Nov. 23, 2020), available at https://www.law360.com/articles/1331573/nhtsa-eyes-new-self-driving-car-regulatory-framework.
[244] See Nat’l Inst. of Standards and Tech., Foundational Cybersecurity Activities for IoT Device Manufacturers, NISTIR 8259 (May 2020); Nat’l Inst. of Standards and Tech., IoT device Cybersecurity Capability Core Baseline, NISTIR 8259A (May 2020).
[245] Internet of Things Cybersecurity Improvement Act of 2020, Pub. L. No. 116-207.
[246] Press Release, New York Attorney General, Attorney General James Helps Secure $39.5 Million After Anthem’s 2014 Data Breach (Sept. 30, 2020), available at https://ag.ny.gov/press-release/2020/attorney-general-james-helps-secure-395-million-after-anthems-2014-data-breach.
[249] Press Release, New York Attorney General, Attorney General James Helps Secure $17.5 Million After Data Breach at The Home Depot (Nov. 24, 2020), available at https://ag.ny.gov/press-release/2020/attorney-general-james-helps-secure-175-million-after-data-breach-home-depot.
[252] Press Release, New York Attorney General, Attorney General James Secures New Protections, Security Safeguards for All Zoom Users (May 7, 2020), available at https://ag.ny.gov/press-release/2020/attorney-general-james-secures-new-protections-security-safeguards-all-zoom-users.
[253] Danny Hakim & Natasha Singer, New York Attorney General Looks Into Zoom’s Privacy Practices, N.Y. Times (Mar. 30, 2020), available at https://www.nytimes.com/2020/03/30/technology/new-york-attorney-general-zoom-privacy.html.
[254] Press Release, New York Attorney General, Attorney General James Secures New Protections, Security Safeguards for All Zoom Users (May 7, 2020), available at https://ag.ny.gov/press-release/2020/attorney-general-james-secures-new-protections-security-safeguards-all-zoom-users.
[255] Press Release, Arizona Attorney General, Attorney General Mark Brnovich Files Lawsuit Against Google Over Deceptive and Unfair Location Tracking (May 27, 2020), available at https://www.azag.gov/press-release/attorney-general-mark-brnovich-files-lawsuit-against-google-over-deceptive-and-unfair.
[258] Ruling, State of Arizona, et al. v. Google LLC, CV 2020-006219 (Super. Ct. Ariz. Maricopa Cnty. Sept. 25, 2020), available at https://www.azag.gov/sites/default/files/2020-10/CV2020-006219-926-09252020.pdf.
[259] Press Release, Office of Attorney General Maura Healey, AG Healey Announces New Division Focused on Protecting Data Privacy and Security of Massachusetts Consumers (Aug. 13, 2020), available at https://www.mass.gov/news/ag-healey-announces-new-division-focused-on-protecting-data-privacy-and-security-of.
[260] Twitter Investigation Report, N.Y. Dep’t Fin. Serv., Report on Investigation of Twitter’s July 15, 2020 Cybersecurity Incident and the Implications for Election Security (Oct. 14, 2020), available at https://www.dfs.ny.gov/Twitter_Report.
[261] In the Matter of First American Title Insurance Company, No. 2020-0030-C (July 21, 2020), available at https://www.law360.com/articles/1301950/attachments/0.
[264] See, e.g., First American, “First American Reports Completion of Investigation into Customer Impact of Information Security Incident,” July 16, 2019, available at https://web.archive.org/web/20190827180436/
https://www.firstam.com/incidentupdate/update20190716.html.
[266] Twitter Investigation Report, N.Y. Dep’t Fin. Serv., Report on Investigation of Twitter’s July 15, 2020 Cybersecurity Incident and the Implications for Election Security (Oct. 14, 2020), available at https://www.dfs.ny.gov/Twitter_Report.
[269] Press Release, N.Y. Dep’t Fin. Serv., Superintendent Lacewell Announces DFS to Host First-Ever Techsprint to Advance the Department’s Regulator of the Future Vision (Oct. 15, 2020), available at https://www.dfs.ny.gov/reports_and_publications/
press_releases/pr202010151.
[272] See Risk-Based Security, Data Breach Quickview Report, 2019 Q3 Trends (Nov. 2019), available at https://pages.riskbasedsecurity.com/hubfs/Reports/
2019/Data%20Breach%20QuickView%20Report%202019%20Q3%20Trends.pdf.
[273] Twitter Investigation Report, N.Y. Dep’t Fin. Serv., Report on Investigation of Twitter’s July 15, 2020 Cybersecurity Incident and the Implications for Election Security (Oct. 14, 2020), available at https://www.dfs.ny.gov/Twitter_Report.
[274] See, e.g., Christopher Bing, Suspected Russian Hackers Spied on U.S. Treasury Emails – Sources, Reuters (Dec. 13, 2020), available at https://www.usnews.com/news/top-news/articles/2020-12-13/exclusive-us-treasury-breached-by-hackers-backed-by-foreign-government-sources.
[275] Mot. to Dismiss Pls.’ First Am. Consolidated Shareholder Derivative Compl. Pursuant to Fed. R. Civ. P. 23.1 Or in the Alternative to Stay, In Re Facebook, Inc. Shareholder Derivative Privacy Litigation, No. 4:18-cv-01792-HSG (N.D. Cal. Feb. 18, 2020), ECF No. 145.
[276] Plaintiff’s Opp. to Facebook’s Mot. to Dismiss Plaintiff’s First Amended Consolidated Shareholder Derivative Complaint, In Re Facebook, Inc. Shareholder Derivative Privacy Litigation, No. 4:18-cv-01792-HSG (N.D. Cal. Apr. 20, 2020), EFC No. 153; see also Emilie Ruscoe, Citing Zuckerberg’s ‘Iron Glove,’ Facebook Investors Urge Trial, Law360 (Apr. 21, 2020), available at https://www.law360.com/articles/1265937.
[277] Order Adopting Report and Recommendation, B.F. and A.A. v. Amazon.com Inc., No. C19-910 RAJ-MLP (W.D. Wa. Apr. 9, 2020), ECF No. 137.
[279] Drieu v. Zoom Video Communications, Inc., Case No. 3:20-cv-02353 (N.D. Cal. Apr. 7, 2020), ECF. No. 1.
[282] Gervat v. Yuan et al., Case No. 1:20-cv-00797-LPS (D. Del. June 11, 2020), ECF. No. 1.
[284] Eugenio v. Berberian et al., Case No. 2020-0305-PAF (Del. Ch. Apr. 28, 2020).
[287] Complaint, Brekhus v. Google LLC, 5:20-cv-05488 (N.D. Cal. Aug. 7, 2020), ECF. No. 1.
[289] Plaintiff’s Response in Support of Administrative Motion to Consider Whether Cases Should be Related, Brekhus v. Google LLC, 5:20-cv-05488-NC (N.D. Cal. Aug. 18, 2020), ECF No. 10.
[290] Complaint, Allen v. Blackbaud, Inc., Case No. 2:20-cv-2930-RMG (D.S.C. Aug. 12, 2020), ECF No. 1.
[294] Hollett v. Gilmore et al., Case No. 1:20-cv-01620-UNA (D.S.C. Nov. 25, 2020), ECF. No. 1.
[298] Order Granting Final Approval of Settlement, In re Google Street View Elec. Commc’ns Litig., Case No. 10-md-02184-CRB (N.D. Cal. Mar. 18, 2020), ECF No. 184.
[300] Benjamin Joffe, et al v. Google, Inc., Case No. 20-15616 (9th Cir. 2020).
[301] In re Google Plus Profile Litig., Case No. 5:18-cv-06164-EJD (N.D. Cal. June 10, 2020), ECF No. 13.
[303] In re Yahoo! Inc. Customer Data Security Breach Litig., Case No. 5:16-md-02752-LHK (N.D. Cal. July 22, 2020), ECF No. 497.
[304] Id. (comparing settlement to the settlement in In re Anthem, Inc. Data Breach Litigation, 327 F.R.D. 299 (N.D. Cal. 2018)).
[307] See EF Cultural Travel BV v. Explorica Inc., 274 F.3d 577, 581–83 (1st Cir. 2001); United States v. John, 597 F.3d 263, 272 (5th Cir. 2010); Int’l Airport Ctrs., LLC v. Citrin, 440 F.3d 418, 420–21 (7th Cir. 2006); United States v. Rodriguez, 628 F.3d 1258, 1263–64 (11th Cir. 2010).
[308] See United States v. Valle, 807 F.3d 508, 523-28 (2d Cir. 2015); WEC Carolina Energy Sols. LLC v. Miller, 687 F.3d 199, 206 (4th Cir. 2012); Royal Truck & Trailer Sales & Serv., Inc. v. Kraft, 974 F.3d 756, 759–62 (6th Cir. 2020); United States v. Nosal, 676 F.3d 854, 856–64 (9th Cir. 2012) (en banc).
[309] Order List at 3, United States v. Van Buren, No. 19-783 (U.S. Apr. 20, 2020).
[310] Petition for Writ of Certiorari, Van Buren, No. 19-783 (U.S. Dec. 18, 2019).
[311] Id.; Order, Van Buren, No. 19-783 (U.S. Apr. 20, 2020).
[312] Transcript of Oral Argument at 48, 54, Van Buren, No. 19-783 (U.S. Nov. 30, 2020).
[313] Petition for Writ of Certiorari at 2–5, LinkedIn Corp. v. hiQ Labs, Inc., No. 19-1116 (U.S. Mar. 9, 2020).
[314] hiQ Labs, Inc. v. LinkedIn Corp., 938 F.3d 985, 1003–04 (9th Cir. 2019).
[315] Petition for Writ of Certiorari at 3, LinkedIn Corp. v. hiQ Labs, Inc., No. 19-1116 (U.S. Mar. 9, 2020).
[316] 451 F. Supp. 3d 73 (D.D.C. 2020).
[318] Notice of Appeal, Sandvig v. Barr, No. 1:16-cv-01368 (D.D.C. May 26, 2020).
[319] Glasser v. Hilton Grand Vacations Co., 948 F.3d 1301, 1306 (11th Cir. 2020); see also ACA Int’l v. Federal Commc’ns Comm’n, 855 F.3d 687 (D.C. Cir. 2018); Dominguez v. Yahoo, Inc., 894 F.3d 116 (3d Cir. 2018).
[320] Glasser, 948 F.3d at 1306.
[322] Gadelhak v. AT&T Servs., Inc., 950 F.3d 458 (7th Cir. 2020); see also Glasser v. Hilton Grand Vacations Co., 948 F.3d 1301, 1306 (11th Cir. 2020); ACA Int’l v. Federal Commc’ns Comm’n, 855 F.3d 687 (D.C. Cir. 2018); Dominguez v. Yahoo, Inc., 894 F.3d 116 (3d Cir. 2018).
[323] Marks v. Crunch San Diego, LLC, 904 F.3d 1041 (9th Cir. 2018).
[324] Duran v. La Boom Disco, Inc., 955 F.3d 279 (2d Cir. 2020).
[325] Allan v. Pennsylvania Higher Education Assistance Agency, 968 F.3d 567 (6th Cir. 2020).
[326] Facebook, Inc. v. Duguid, 141 S. Ct. 193 L. Ed. 2d 1118 (2020) (granting certiorari).
[327] Christopher Cole, Gov’t Backs Facebook’s View of Autodialers at High Court, Law360 (Sept. 4, 2020), available at https://www.law360.com/articles/1307716/gov-t-backs-facebook-s-view-of-autodialers-at-high-court.
[328] Facebook, Inc. v. Duguid, No. 19-511 (U.S. Dec. 8, 2020) (arguments heard).
[329] Barr v. American Ass’n of Pol. Consultants, Inc., 140 S. Ct. 2335 (2020).
[335] Cal. Civ. Code § 1798.150(a)(1).
[336] Complaint for Damages and Equitable Relief, In re: Zoom Video Commc’ns, Inc. Priv. Litig., No. 5:20-cv-02155 (N.D. Cal. Mar. 30, 2020), ECF No. 1. Note, the case was originally filed as Cullen v. Zoom Video Communications, Inc. before it was consolidated.
[339] First Amended Consolidated Class Action Complaint, In re Zoom Video Commc’ns, Inc. Priv. Litig., No. 5:20-cv-02155 (N.D. Cal. Oct. 28, 2020), ECF No. 126.
[340] Defendant Zoom Video Communications, Inc.’s Notice of Motion and Motion to Dismiss the First Amended Consolidated Class Action Complaint; Memorandum of Points and Authorities in Support Thereof, In re Zoom Video Commc’ns, Inc. Priv. Litig., No. 5:20-cv-02155 (N.D. Cal. Dec. 2, 2020), ECF No. 134.
[341] Class Action Complaint, Hayden v. The Retail Equation, Inc., 8:20-cv-01203 (C.D. Cal. July 7, 2020), ECF No. 1.
[342] Id. In the plaintiffs’ amended complaint, they now allege that several additional retailers shared data with The Retail Equation. First Amended Class Action Complaint, Hayden v. The Retail Equation, Inc., 8:20-cv-01203 (C.D. Cal. Aug. 3, 2020), ECF No. 15.
[345] See, e.g., Defendant The Gap, Inc.’s Notice of Motion and Motion to Compel Individual Arbitration and to Dismiss; Memorandum of Points and Authorities, Hayden v. The Retail Equation, Inc., 8:20-cv-01203 (C.D. Cal. Nov. 6, 2020), ECF No. 140.
[346] Id. In the plaintiffs’ amended complaint, they now allege that several additional retailers shared data with The Retail Equation. First Amended Class Action Complaint, Hayden v. The Retail Equation, Inc., 8:20-cv-01203 (C.D. Cal. Aug. 3, 2020), ECF No. 15.
[347] Cal. Civ. Code §§1798.81.5(d)(1), 1798.140(o)(1), 1798.150(a)(1).
[348] Class Action Complaint, Gupta v. Aeries Software, Inc., No. 8:20-cv-00995 (C.D. Cal. May 28, 2020), ECF No. 1.
[350] Defendant Aeries Software, Inc.’s Notice of Motion and Motion to Dismiss Complaint Pursuant to Federal Rule of Civil Procedure 12(b)(6); Memorandum of Points and Authorities in Support, Gupta v. Aeries Software, Inc., No. 8:20-cv-00995 (C.D. Cal. July 21, 2020), ECF No. 20.
[352] Order Granting Joint Stipulation to Stay Litigation Through January 4, 2021, Gupta v. Aeries Software, Inc., No. 8:20-cv-00995 (C.D. Cal. Nov. 24, 2020), ECF No. 40.
[353] Cal. Civ. Code § 1798.115(d).
[354] Cal. Civ. Code §§ 1798.110, 1798.115, 1798.120.
[355] Cal. Civ. Code § 1798.150(c).
[356] Complaint for Damages and Injunctive Relief for Violations of: (1) Negligence (2) Violation of Cal. Bus. & Prof. Code § 17200 (3) Breach of Implied Contract (4) Unjust Enrichment (5) Public Disclosure of Private Facts (6) Violation of California Consumer Privacy Act (7) Violation of Consumer Remedies Act, Sweeney v. Life on Air, Inc., No. 3:20-cv-00742 (S.D. Cal. Apr. 17, 2020), ECF No. 1.
[358] Order Granting Defendants’ Motion to Compel Arbitration, Sweeney v. Life on Air, Inc., No. 3:20-cv-00742 (S.D. Cal. Aug. 4, 2020), ECF No. 15.
[359] Class Action Complaint and Demand for Jury Trial, G.R. v. TikTok, Inc., No. 2:20-cv-04537 (C.D. Cal. May 20, 2020), ECF No. 1.
[362] Conditional Transfer Order (CTO-1), G.R. v. TikTok, Inc., No. 1:20-cv-05212 (N.D. Ill. May 20, 2020), ECF No. 26.
[363] Cal. Bus. & Prof. Code § 17200.
[364] Cal. Civ. Code § 1798.150(c); S. Judiciary Comm., AB-375, 2017-2018 Sess. (Cal. 2018).
[365] Class Action Complaint, Burke v. Clearview AI, Inc., No. 3:20-cv-00370 (S.D. Cal. Feb. 27, 2020), ECF No. 1.
[367] In re Clearview AI, Inc., Consumer Priv. Litig., MDL No. 2967, 2020 WL 7382590 (J.P.M.L. Dec. 15, 2020).
[368] Complaint for: (1) Violation of the California Consumer Privacy Act § 1798.150 (2) Violation of California’s Unfair Competition Law, Cal. Bus. & Prof. Code § 17200, et seq. (3) Negligence (4) Breach of Contract (5) Breach of Implied Contract, Atkinson v. Minted, Inc., No. 3:20-cv-03869 (N.D. Cal. June 11, 2020), ECF No. 1.
[371] Amended Stipulated Request for Order Changing Time Pursuant to Civil L.R. 6-2 and Order, Atkinson v. Minted, Inc., No. 3:20-cv-03869 (N.D. Cal. Dec. 1, 2020), ECF No. 35.
[372] 740 Ill. Comp. Stat. Ann. 14/20 (West 2008).
[373] 129 N.E.3d 1197, 1206 (Ill. 2019).
[374] 958 F.3d 617, 626–27 (7th Cir. 2020).
[375] 2020 WL 6738112, at *1 (7th Cir. Nov. 17, 2020).
[376] In re Facebook Biometric Info. Privacy Litig., 2020 WL 4818608, at *3 (N.D. Cal. Aug. 19, 2020).
[377] 740 Ill. Comp. Stat. Ann. 14/20 (West 2008).
[378] The Ninth Circuit has held that pleading a violation of either sections 15(a) or (b) is sufficient to constitute injury-in-fact. Patel v. Facebook, 932 F.3d 1264, 1273–74 (9th Cir. 2019). However, the Second Circuit held that alleging a BIPA violation does not meet the injury-in-fact requirement without a showing that biometric data has been compromised in some manner. Santana v. Take-Two Interactive Software, 717 Fed. App’x 12, 16–17 (2d Cir. 2017).
[379] See, e.g., Meegan v. NFI Indus., Inc., 2020 WL 3000281 (N.D. Ill. June 4, 2020); Frisby v. Sky Chefs, Inc., 2020 WL 4437805 (N.D. Ill. Aug. 3, 2020); Williams v. Jackson Park SLF, LLC, 2020 WL 5702294 (N.D. Ill. Sept. 24, 2020); Complaint, Bartucci v. 401 N. Wabash Venture, No. 2020CH05502 (Ill. Cir. Ct. Aug. 24, 2020); Complaint, Payne v. Yum! Brands, Inc., No. 2020CH06811 (Ill. Cir. Ct. Nov. 16, 2020).
[380] Liu v. Four Seasons Hotel, Ltd., 138 N.E.3d 201, 207 (Ill. App. Ct. 2019).
[381] See, e.g., Acaley v. Vimeo, Inc., 464 F. Supp. 3d 959 (N.D. Ill. 2020).
[382] See, e.g., Miracle-Pond v. Shutterfly, Inc., 2020 WL 2513099 (N.D. Ill. May 15, 2020); Kuznik v. Hooters of America, LLC, 2020 WL 5983879 (C.D. Ill. Oct. 8, 2020).
[383] McDonald v. Symphony Bronzeville Park LLC, 2020 WL 5592607 (Ill. App. Ct. Sept. 18, 2020).
[384] Gail v. Univ. of Chi. Med. Ctr., Inc., 2020 WL 1445608, at *4–*5 (N.D. Ill. Mar. 25, 2020); Peatry v. Bimbo Bakeries USA, Inc., 2020 WL 919202, at *3–*4 (Ill. Cir. Ct. Feb. 26, 2020).
[385] Miller v. Southwest Airlines Co., 926 F3d 898, 903–04 (7th Cir. 2019).
[386] See, e.g., Heard v. Becton, Dickinson & Co., 440 F. Supp. 3d 960 (N.D. Ill. 2020); Bray v. Lathem Time Co., 2020 WL 1492742 (C.D. Ill. Mar. 27, 2020); Figueroa v. Kronos Inc., 2020 WL 4273995 (N.D. Ill. July 24, 2020).
[387] Avery v. State Farm, 835 N.E.2d 801, 184–87 (Ill. 2005).
[388] Complaint, Jerinic v. Amazon.com, No. 2020CH6036 (Ill. Cir. Ct. Sept. 28, 2020).
[389] Complaint, H.K. v. Google, No. 5:20-cv-02257-NC (N.D. Cal. Apr. 2, 2020), ECF No. 1.
[390] See, e.g., Stauffer v. Innovative Heights Fairview Heights, LLC, 2020 WL 4815960 (S.D. Ill. Aug. 19, 2020); Robertson v. Hostmark Hosp. Grp., 2019 WL 8640568, at *4 (Ill. Cir. Ct. July 31, 2019); Heard v. THC-NorthShore, Inc., No. 17CH16918, at *10 (Ill. Cir. Ct. Dec. 12, 2019).
[391] No. 1-20-0563 (Ill. App. Ct.).
[392] Mot. to Reopen Discovery Pursuant to FRCP 1, 26, and 37, In Re Google Location History Litig., No. 5:18-cv-05062-EJD (N.D. Cal. Sept. 30, 2020), ECF No. 151.
[395] Memorandum Opinion and Order, Dinerstein v. Google Inc., No. 19 C 4311 (N.D. Ill. Sept. 4, 2020), ECF No. 85.
[396] Laurann Wood, “Google, U. of Chicago Want Out of Patient Disclosure Suit,” Law360 (Aug. 28, 2019), available at https://www.law360.com/articles/1193298?scroll=1&related=1.
[397] Memorandum Opinion and Order, Dinerstein v. Google Inc., No. 19 C 4311 (N.D. Ill. Sept. 4, 2020), ECF No. 85.
[398] Memorandum and Order, Flynn v. FCA US LLC, No. 15-cv-855-SMY (S.D. Ill. Mar. 27, 2020), ECF No. 650.
[400] Linda Chiem, “Drivers Defend Standing In 7th Circ. Jeep-Hacking Class,” Law360 (June 19, 2020), available at https://www.law360.com/articles/1285000?scroll=1&related=1.
[401] See, e.g., Order, Zak v. Bose Corp., No. 17-cv-02928 (N.D. Ill. May 27, 2020), ECF No. 110.
[402] Jeannie O’Sullivan, “NJ Judge Trims Samsung Privacy Suit Over Smart TVs,” Law360 (Aug. 21, 2019), available at https://www.law360.com/articles/1191213?scroll=1&related=1.
[403] Order, White et al. v. Samsung Elecs. Am. Inc. et al., Case 2:17-cv-01775-MCA-JAD (D. N.J. Mar. 24, 2020), ECF No. 131.
[407] Children’s Online Privacy Protection Rule, 16 C.F.R. § 312.
[408] Order on Google’s Motion to Dismiss and Motion for Judicial Notice, Balderas v. Google Inc., Case No. 20-CV-0143-NDF (D. N.M. Sept. 25, 2020), ECF No. 34
[410] Wendy Davis, “New Mexico Wants Appeals Court To Revive Privacy Claims Against Google,” MediaPost (Nov. 30, 2020).
[411] Order Re Motions to Dismiss, McDonald v. Kiloo, No. 17-cv-04344-JD (N.D. Cal. May 22, 2019), ECF No. 270; Motion for Preliminary Approval of Settlement, McDonald v. Kiloo, No. 3:17-cv-04344-JD (L) (N.D. Cal. Aug. 5, 2020), ECF No. 363.
[413] Id.; see also Craig Clough, “Disney, Viacom Agree To Limit Data Collection In Kids Apps,” Law360 (Aug. 6, 2020).
[414] Press Release, “Developer of Apps Popular with Children Agrees to Settle FTC Allegations It Illegally Collected Kids’ Data without Parental Consent,” Federal Trade Commission (June 4, 2020), available at https://www.ftc.gov/news-events/press-releases/2020/06/developer-apps-popular-children-agrees-settle-ftc-allegations-it.
[415] Stipulated Order for Permanent Injunction and Civil Penalty Judgement, FTC v. Google LLC, no. 1:19-cv-02642 (D.D.C. Sept. 4, 2019), ECF No. 2.
[416] Kate Cox, “YouTube unlawfully violates kids’ privacy, new $3.2B lawsuit claims,” Arstechnica (Sept. 14, 2020), available at https://arstechnica.com/tech-policy/2020/09/google-faces-3-2b-lawsuit-over-claims-it-violated-childrens-privacy/.
[417] Complaint, Wesch v. Yodlee Inc., no. 3:20-cv-05991 (N.D. Cal. Aug. 25, 2020), ECF No. 1.
[418] Defendant Yodlee, Inc.’s Motion to Dismiss Pursuant to Federal Rule of Civil Procedure 12(b)(6), Wesch v. Yodlee Inc., no. 3:20-cv-05991 (N.D. Cal. Nov. 4, 2020), ECF No. 31.
[420] Complaint for Damages and Declaratory and Injunctive Relief, Cottle v. Plaid Inc., no. 3:20-cv-03056 (N.D. Cal. May 4, 2020), ECF No. 1.
[421] Smith v. Maryland, 442 U.S. 735, 743–44 (1979).
[422] United States v. Gratkowski, 964 F.3d 307, 310 (5th Cir. 2020).
[426] 2020 WL 3270877, at *1 (D. Mass. June 17, 2020).
[429] 981. F.3d 961, 964 (11th Cir. 2020).
[431] United States v. Moalin, 973 F.3d 977, 996 (9th Cir. 2020).
[434] 442 U.S. 735, 741 (1979).
[435] Moalin, 973 F.3d at 989–91.
[436] 138 S. Ct. 2206, 2221 (2018).
[437] Moalin, 973 F.3d at 991.
[438] United States v. Hasbajrami, 945 F.3d 641, 642 (2nd Cir. 2019).
[441] S. 3501, 116th Congress (2019–2020).
[442] 50 U.S.C. § 1861 (2018).
[443] 50 U.S.C. § 1801(b)(1)(C) (2015).
[444] 50 U.S.C. § 1805(c)(2)(B) (2018).
[445] 50 U.S.C. § 1861 (2018).
[446] 50 U.S.C. § 1801(b)(1)(C) (2015).
[447] 50 U.S.C. § 1805(c)(2)(B) (2018).
[450] Crime (Overseas Production Orders) Act 2019, c. 5 (Eng.), available at https://www.legislation.gov.uk/ukpga/2019/
5/pdfs/ukpga_20190005_en.pdf.
[451] Press Release, Department of Justice, U.S. and UK Sign Landmark Cross-Border Data Access Agreement to Combat Criminals and Terrorists Online (Oct. 3, 2019), available at https://www.justice.gov/opa/pr/us-and-uk-sign-landmark-cross-border-data-access-agreement-combatcriminals-and-terrorists.
[452] The U.S. Department of Justice, Letter from Assistant Attorney General Stephen E. Boyd to Congress (Jan. 16, 2020), available at https://www.justice.gov/dag/page/file/1236281/download.
[453] Press Release, Department of Justice, Joint Statement Announcing United States and Australian Negotiation of a CLOUD Act Agreement by U.S. Attorney General William Barr and Minister for Home Affairs Peter Dutton (Oct. 7, 2019), available at https://www.justice.gov/opa/pr/joint-statement-announcing-united-states-and-australian-negotiationcloud-act-agreement-us.
[454] Press Release, European Commission, Criminal Justice: Joint Statement on the Launch of EU-U.S. Negotiations to Facilitate Access to Electronic Evidence (Sept. 25, 2019), available at https://ec.europa.eu/commission/presscorner/detail/en/STATEMENT_19_5890.
[455] Telecommunications Legislation Amendment (International Production Orders) Bill 2020 (Austl.), available at https://www.legislation.gov.au/Details/C2020B00030; see also Explanatory Memorandum, Telecommunications Legislation Amendment (International Production Orders) Bill 2020 (Austl.), available at https://www.legislation.gov.au/Details/C2020B00030/Explanatory%20Memorandum/Text.
[456] Inquiry Announcement, The Australian Parliamentary Joint Committee on Intelligence and Security, Telecommunications Legislation Amendment (International Production Orders) Bill 2020, available at https://www.aph.gov.au/Parliamentary_Business/Committees/Joint/Intelligence_and_Security/IPOBill2020.
[457] Deham Sadler, Global data-sharing deal ‘deeply flawed’, InnovationAus (Apr. 6, 2020), available at https://www.innovationaus.com/global-data-sharing-deal-deeply-flawed.
[458] Press Release, Court of Justice of the European Union, The Court of Justice invalidates Decision 2016/1250 on the adequacy of the protection provided by the EU-US Data Protection Shield (July 16, 2020), available at https://curia.europa.eu/jcms/upload/docs/application/pdf/2020-07/cp200091en.pdf.
[460] Case C-311/18, Schrems v. Data Protection Commissioner (July 16, 2020), available at https://eur-lex.europa.eu/legal-content/en/TXT/PDF/?uri=uriserv%3AOJ.C_.2015.398.01.0005.01.ENG.
[461] Press Release, Department of Commerce, Joint Press Statement from U.S. Secretary of Commerce Wilbur Ross and European Commissioner for Justice Didier Reynders (Aug. 10, 2020), available at https://www.commerce.gov/news/press-releases/2020/08/joint-press-statement-us-secretary-commerce-wilbur-ross-and-european.
[462] Press Release, noyb, 101 Complaints on EU-US transfers filed (Aug. 17, 2020), available at https://noyb.eu/en/101-complaints-eu-us-transfers-filed.
[463] See, e.g., Samantha Raudins, Facial Recognition, Thermal Imaging Part of the New Normal, Columbus Dispatch (July 31, 2020), available at https://www.dispatch.com/story/business/information-technology/2020/07/30/facial-recognition-thermal-imaging-part-of-future-with-coronavirus/112807346/.
[464] Inioluwa Deborah Raji & Joy Buolamwini, University of Toronto and Massachusetts Institute of Technology, Actionable Auditing: Investigating the Impact of Publicly Naming Biased Performance Results of Commercial AI Products (2019), available at https://dam-prod.media.mit.edu/x/2019/01/24/AIES-19_paper_223.pdf.
[465] Kashmir Hill, The Secretive Company That Might End Privacy as We Know It, N.Y. Times (Jan. 18, 2019), available at https://www.nytimes.com/2020/01/18/technology/clearview-privacy-facial-recognition.html.
[466] Complaint, State of Vermont v. Clearview AI, INC., No. 226-3-20 (Vt. Super. Ct. Mar. 10, 2020), available at https://ago.vermont.gov/wp-content/uploads/2020/03/Complaint-State-v-Clearview.pdf; Order Granting in Part and Denying in Part Clearview AI’s Motion to Dismiss, State of Vermont v. Clearview AI, INC., No. 226-3-20 (Vt. Super. Ct. Sept. 10, 2020), available at https://ago.vermont.gov/wp-content/uploads/2020/09/Clearview-Motion-to-Dismiss-Decision.pdf.
[467] Complaint, Am. Civil Liberties Union et al. v. Clearview AI, INC., No. 9337839 (Cir. Ct. Ill. Sept. 25, 2020).
[468] Press Release, New York Police Department, NYPD Announces Facial Recognition Policy (Mar. 13, 2020), available at https://www1.nyc.gov/site/nypd/news/pr0313/press-release—nypd-facial-recognition-policy.
[470] Richard Winton et al., LAPD Bars Use of Third-Party Facial Recognition Systems, Launches Review after Buzzfeed Inquiry, L.A. Times (Nov. 17, 2020), available at https://www.latimes.com/california/story/2020-11-17/lapd-bars-outside-facial-recognition-use-as-buzzfeed-inquiry-spurs-investigation.
[471] Leaders of a Beautiful Struggle v. Balt. Police Dep’t, 979 F.3d 219, 224 (4th Cir. 2020).
[473] Leaders of a Beautiful Struggle v. Balt. Police Dep’t, 456 F. Supp. 3d 699, 703 (D. Md.); See Carpenter v. United States, 138 S. Ct. 2206, 2220 (2018).
[474] Leaders of a Beautiful Struggle, 979 F.3d at 223.
[478] MDS & One Year Permitting Overview, L.A. Dep’t Transp. (Feb. 7, 2019), available at https://ladot.lacity.org/sites/default/files/2020-03/mds-developer-webinar-one-year-permitting-overview_03-06-19_revision.pdf.
[479] See Complaint, Social Bicycles v. City of Los Angeles Dep’t of Transp., No. 2:20-CV-02746 (C.D. Cal. Mar. 24, 2020), ECF No. 1.
[480] The deal made Uber a primary investor in Lime and gave Uber the option to purchase Lime in 2022. See Kea Wilson, “Lime Just Became the Biggest Micromobility Company in the World,” StreetsBlog (May 11, 2020), available at https://usa.streetsblog.org/2020/05/11/lime-just-became-the-biggest-micromobility-company-in-the-world/.
[481] See Complaint, Sanchez v. L.A. Dep’t of Transp., No. 2:20-CV-05044 (C.D. Cal. June 8, 2020), ECF No. 1.
The following Gibson Dunn lawyers assisted in the preparation of this article: Alexander H. Southwell, Ryan T. Bergsieker, Howard S. Hogan, Roscoe Jones Jr., Timothy W. Loose, Ashley Rogers, Eric D. Vandevelde, Abbey A. Barrera, Cassandra Gaedt-Sheckter, Daniel E. Rauch, Samantha Abrams-Widdicombe, Amanda M. Aycock, Fernando Berdion-Del Valle, Allison Chapin, Iman Charania, Josiah Clarke, Sarah Erickson, Zoey Goldnick, Eric Hornbeck, Andrew Howard, Jordan Jacobsen, Jennifer Katz, Brendan Krimsky, Nicole Lee, Warren Loegering, Prachi Mistry, Lauren Navarro, Macey Olave, Sarah Pongrace, Reid Rector, Jacob Rierson, Sarah Scharf, Raquel Alexa Sghiatti, Collin James Vierra, Hayato Watanabe, Victoria Weatherford, Hannah Yim, and Lisa V. Zivkovic.
Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments. Please contact the Gibson Dunn lawyer with whom you usually work, the authors, or any member of the firm’s Privacy, Cybersecurity and Consumer Protection practice group:
United States
Alexander H. Southwell – Co-Chair, PCCP Practice, New York (+1 212-351-3981, [email protected])
Debra Wong Yang – Los Angeles (+1 213-229-7472, [email protected])
Matthew Benjamin – New York (+1 212-351-4079, [email protected])
Ryan T. Bergsieker – Denver (+1 303-298-5774, [email protected])
Howard S. Hogan – Washington, D.C. (+1 202-887-3640, [email protected])
Joshua A. Jessen – Orange County/Palo Alto (+1 949-451-4114/+1 650-849-5375, [email protected])
Kristin A. Linsley – San Francisco (+1 415-393-8395, [email protected])
H. Mark Lyon – Palo Alto (+1 650-849-5307, [email protected])
Karl G. Nelson – Dallas (+1 214-698-3203, [email protected])
Ashley Rogers – Dallas (+1 214-698-3316, [email protected])
Deborah L. Stein – Los Angeles (+1 213-229-7164, [email protected])
Eric D. Vandevelde – Los Angeles (+1 213-229-7186, [email protected])
Benjamin B. Wagner – Palo Alto (+1 650-849-5395, [email protected])
Michael Li-Ming Wong – San Francisco/Palo Alto (+1 415-393-8333/+1 650-849-5393, [email protected])
Cassandra L. Gaedt-Sheckter – Palo Alto (+1 650-849-5203, [email protected])
Europe
Ahmed Baladi – Co-Chair, PCCP Practice, Paris (+33 (0)1 56 43 13 00, [email protected])
James A. Cox – London (+44 (0) 20 7071 4250, [email protected])
Patrick Doris – London (+44 (0) 20 7071 4276, [email protected])
Kai Gesing – Munich (+49 89 189 33-180, [email protected])
Bernard Grinspan – Paris (+33 (0)1 56 43 13 00, [email protected])
Penny Madden – London (+44 (0) 20 7071 4226, [email protected])
Michael Walther – Munich (+49 89 189 33-180, [email protected])
Alejandro Guerrero – Brussels (+32 2 554 7218, [email protected])
Vera Lukic – Paris (+33 (0)1 56 43 13 00, [email protected])
Sarah Wazen – London (+44 (0) 20 7071 4203, [email protected])
Asia
Kelly Austin – Hong Kong (+852 2214 3788, [email protected])
Connell O’Neill – Hong Kong (+852 2214 3812, [email protected])
Jai S. Pathak – Singapore (+65 6507 3683, [email protected])
© 2021 Gibson, Dunn & Crutcher LLP
Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.
Palo Alto partner Benjamin Wagner, of counsel Cassandra Gaedt-Sheckter and associate Iman Charania are the authors of “The Evolution of Privacy Enforcement in California: CPRA and the CA Attorney General’s Office,” [PDF] published by The Recorder on January 20, 2021.
On January 19, 2021, the 10th Amendment of the German Competition Act (“ACR”) entered into force, also known as “GWB Digitalization Act” (the “Amendment”).
With the passing of the Amendment[1], Germany is setting the pace for an ambitious goal: the regulation of digital platforms. As noted during the parliamentary discussion[2], the new provisions are specifically designed to provide the German Federal Cartel Office (Bundeskartellamt) with an efficient instrument against alleged “Wild West methods” in the digital sector to keep digital markets open. The Amendment also introduces a number of other changes to the German Competition Act concerning, inter alia, antitrust investigations procedure, leniency and cartel damage claims.
In the legislative process, the German Parliament has also implemented some last-minute changes to the merger control provisions: the two domestic turnover thresholds were increased from EUR 25 million to EUR 50 million, and from EUR 5 million to EUR 17.5 million. This major policy shift will result in a significant decrease of notifiable transactions, thereby freeing up capacities within the Bundeskartellamt for scrutiny of the digital space. However, as highlighted in our 2020 Year-End German Law Update, the “GWB Digitalization Act” provides the Bundeskartellamt with the authority to require companies, which are deemed to reduce competition through a series of small acquisitions in specific markets in which the Bundeskartellamt has conducted sector inquiries, to notify every transaction provided that certain thresholds are met.
A brief overview of the most important provisions with regard to the regulation of digital platforms and related procedural changes is provided below.
NEW PROVISIONS AIMED AT DIGITAL PLATFORMS
Similar to the competition law regime(s) within the European Union, the German Competition Act features rules on the abuse of market dominance. However, unlike many other EU jurisdictions, Germany always had a stricter regime, in that provisions on market abuse also apply to companies, which are not dominant but possess so called ‘relative market power’. Now, the Amendment introduces an additional category of market power, which is clearly aimed at digital platforms. The most important changes include the following:
- “Digitalization” of the abuse of dominance rules. The amended ACR provides that in assessing market dominance, particular account shall be taken of a company’s access to data relevant for competition. Further, the role of a company acting as an ‘intermediary on multi-sided markets’ (i.e. digital platforms) shall be considered when assessing market dominance, in particular with regard to the role the intermediary plays for access to procurement and sales markets. Additionally, the Amendment explicitly stipulates that an abuse of dominance shall occur if a company is considered dominant and (i) refuses to grant other companies access to data, to networks or other infrastructure facilities in return for an appropriate consideration, (ii) such access is objectively necessary in order to operate on an upstream or downstream market, and (iii) the refusal threatens to eliminate effective competition on that market.
- Giving up the ‘SME’ requirement for determining ‘relative market power’. In light of the structural changes digital services and platforms have created in the economy, the German legislator decided to drop the requirement that small or medium-sized enterprises have to be dependent on another company, in order for the latter to be deemed to have ‘relative market power’. Under the amended ACR, irrespective of size, a company is considered to have ‘relative market power’, if another company is dependent on it in such a way that sufficient and reasonable possibilities of switching to other third companies do not exist and provided that there is a clear imbalance to the countervailing powers of the other company. Again, the provision also explicitly mentions ‘intermediaries on multi-sided markets’ (i.e. digital platforms) and extends the definition of ‘relative market power’ to such intermediaries, provided that other companies are dependent on them for access to procurement and sales markets in such a way that there are no sufficient and reasonable alternatives to those intermediaries.
- ‘Access to data’ as a crucial criterion. Pursuant to the Amendment, the dependency on another company, and thus its ‘relative market power’, might also arise from the fact that a company is dependent for its own activities on access to data controlled by another company. The refusal to provide access to such data in exchange for an adequate fee may also constitute an abuse. This provision might affect not only digital platforms, but also industry players which have collected significant amounts of data through intelligent products and networked devices.
- Introduction of a new type of market power. The Amendment introduces a completely new category of market power, namely companies with ‘paramount significance for competition across markets’. The rationale behind the new category can be summarized as follows: While large digital players may not have significant market shares in all affected markets, they may nevertheless have significant influence on these markets due to their key position for competition and their conglomerate structures (also referred to as gatekeepers).
If the Bundeskartellamt issues an order declaring that it considers a company to have paramount significance for competition across markets, the authority can prohibit the company from, inter alia, (i) preferential treatment of own services, (ii) the impediment of competition on markets where the company is not dominant, (iii) the creation of entry barriers by the use of data collected on a dominated market, or (iv) the restriction of the interoperability of products, services or data. The Bundeskartellamt shall also have the power to prohibit measures, which impede other companies conducting their business activities on procurement or sales markets (e.g. through pre-installation or integration of the dominant company’s offers) and to prohibit the demanding of benefits for the treatment of offers from another company, which are disproportionate to the reason for the demand (e.g. if the dominant company requires the transfer of data or rights for the presentation of the offers, which are not strictly necessary for this purpose).
PROCEDURAL CHANGES
Some stakeholders have complained that, so far, the Bundeskartellamt has not been able to react swiftly enough to the fast-paced developments in the digital realm[3]. To address this perceived lack of ‘clout’, as the German Federal Minister for Economic Affairs and Energy, Peter Altmaier has put it, the Amendment introduces new provisions with regard to interim measures. The Bundeskartellamt will have the power to step in already on the basis that it finds an infringement of antitrust rules ‘predominantly likely’ and it deems the interim measure necessary for the protection of competition or because of an imminent threat of serious harm on another company. For appeals against such interim measures and all measures taken by the Bundeskartellamt in connection with the new category of ‘super dominant’ market players, the Amendment introduces a fast-track to the Federal Court of Justice, Germany’s highest civil court. All disputes in connection with these measures, including all independently contestable procedural acts, are decided in the first and last instance by the Federal Court of Justice. By establishing the Federal Court of Justice as the first and final authority to decide on these measures, the German legislator makes clear that they are well aware of the sweeping scope of the Bundeskartellamt’s new powers and the potential harm they may cause. However, for companies seeking judicial relief under the new rules, one layer of judicial review has been stripped away. This could raise some constitutional concerns.
OUTLOOK
It is hard to predict, how these new provisions will play out in practice. Nonetheless, Germany has certainly rung in the first round. Regulators around the globe are increasingly trying to curb digital platforms’ powers and to tackle the competitive challenges resulting from the mass collection of data, which is perceived as the new gold of the 21st century. In light of the recent publication of the draft regulation on an EU Digital Markets Act by the European Commission, it remains to be seen how the German provisions will fit into the proposed European framework. However, the EU Digital Markets Act is not expected to come into force before 2022. Thus, the “GWB Digitalization Act” might prove to be a welcome opportunity for all stakeholders to put these new legal concepts to the test.
_____________________
[1] Please also refer to our previous alerts in this respect: “Competition 4.0 in Germany: Proposed Changes to German Antitrust Rules Targeting Digital Platforms”, November 8, 2019 (available at: https://www.gibsondunn.com/competition-4-0-in-germany-proposed-changes-to-german-antitrust-rules-targeting-digital-platforms/) and Section 9.3 in the 2020 Year-End German Law Update, January 14, 2021 (available at: https://www.gibsondunn.com/2020-year-end-german-law-update/#_Toc61506166).
[2] https://www.cducsu.de/themen/wirtschaft-und-energie-haushalt-und-finanzen/dr-matthias-heider-wollen-einen-moderaten-aber-effektiven-regulierungsansatz-ueber-das-kartellrecht-waehlen.
[3] See for example, the results of an expert working group regarding the topic “Industry 4.0 – Antitrust Considerations”, which was established by the Federal Ministry for Economic Affairs and Energy in 2018 (available in German at: https://www.plattform-i40.de/PI40/Redaktion/DE/Downloads/Publikation/hm-2018-kartellrecht-ag4.pdf?__blob=publicationFile&v=6).
Gibson Dunn’s lawyers are available to assist with any questions you may have regarding these developments. For additional information, please contact the Gibson Dunn lawyer with whom you usually work, any member of the firm’s Antitrust and Competition Practice Group, or the following authors:
Kai Gesing – Munich (+49 89 189 33 180, [email protected])
Michael Walther – Munich (+49 89 189 33 180, [email protected])
Jens-Olrik Murach – Brussels (+32 2 554 7240, [email protected])
Georg Weidenbach – Frankfurt (+49 69 247 411 550, [email protected])
David Wood – Brussels (+32 2 554 7210, [email protected])
Selina Grün – Munich (+49 89 189 33-180, [email protected])
Antitrust and Competition Group:
Brussels
Peter Alexiadis (+32 2 554 7200, [email protected])
Attila Borsos (+32 2 554 72 11, [email protected])
Jens-Olrik Murach (+32 2 554 7240, [email protected])
Christian Riis-Madsen (+32 2 554 72 05, [email protected])
Lena Sandberg (+32 2 554 72 60, [email protected])
David Wood (+32 2 554 7210, [email protected])
Frankfurt
Georg Weidenbach (+49 69 247 411 550, [email protected])
Munich
Michael Walther (+49 89 189 33 180, [email protected])
Kai Gesing (+49 89 189 33 180, [email protected])
London
Patrick Doris (+44 20 7071 4276, [email protected])
Charles Falconer (+44 20 7071 4270, [email protected])
Ali Nikpay (+44 20 7071 4273, [email protected])
Philip Rocher (+44 20 7071 4202, [email protected])
Deirdre Taylor (+44 20 7071 4274, [email protected])
Hong Kong
Kelly Austin (+852 2214 3788, [email protected])
Sébastien Evrard (+852 2214 3798, [email protected])
Washington, D.C.
Adam Di Vincenzo (+1 202-887-3704, [email protected])
Scott D. Hammond (+1 202-887-3684, [email protected])
Kristen C. Limarzi (+1 202-887-3518, [email protected])
Joshua Lipton (+1 202-955-8226, [email protected])
Richard G. Parker (+1 202-955-8503, [email protected])
Cynthia Richman (+1 202-955-8234, [email protected])
Jeremy Robison (+1 202-955-8518, [email protected])
Andrew Cline (+1 202-887-3698, [email protected])
Chris Wilson (+1 202-955-8520, [email protected])
New York
Eric J. Stock (+1 212-351-2301, [email protected])
Lawrence J. Zweifach (+1 212-351-2625, [email protected])
Los Angeles
Daniel G. Swanson (+1 213-229-7430, [email protected])
Samuel G. Liversidge (+1 213-229-7420, [email protected])
Jay P. Srinivasan (+1 213-229-7296, [email protected])
Rod J. Stone (+1 213-229-7256, [email protected])
San Francisco
Rachel S. Brass (+1 415-393-8293, [email protected])
Caeli A. Higney (+1 415-393-8248, [email protected])
Dallas
Veronica S. Lewis (+1 214-698-3320, [email protected])
Mike Raiff (+1 214-698-3350, [email protected])
Brian Robison (+1 214-698-3370, [email protected])
Robert C. Walters (+1 214-698-3114, [email protected])
© 2021 Gibson, Dunn & Crutcher LLP
Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.
Join Michelle Kirschner, Matthew Nunan, Steve Melrose and Martin Coombes in a review of financial services regulatory developments in 2020 and what these developments indicate about the future regulatory direction of travel.
The webinar will provide an overview of the regulatory landscape, now and in the coming years, through the prism of three areas of increasing regulatory focus: (1) governance, culture and individual accountability; (2) conduct and enforcement; and (3) operational and financial resilience. We will provide practical guidance to firms to ensure continuing compliance with regulatory expectations in each of these three areas. We will then focus on the UK’s post-Brexit regulatory framework including the potential for regulatory divergence and the UK’s role on the global stage.
We also invite you to read our recent UK Financial Services Regulation – 2020 Year-End Review published on 14 January.
View Slides (PDF)
PANELISTS:
Michelle M Kirschner: A partner in the London office. She advises a broad range of financial institutions, including investment managers, integrated investment banks, corporate finance boutiques, private fund managers and private wealth managers at the most senior level.
Matthew Nunan: A partner in the London office. He specializes in financial services regulation and enforcement, investigations and white collar defense having previously been the Head of Conduct Risk for EMEA at a major global bank. Prior to that he was Head of Wholesale Enforcement at the UK Financial Conduct Authority and has also been a case controller at the UK Serious Fraud Office.
Steve Melrose: An associate in the London office and a member of the Dispute Resolution and White Collar Defense and Investigations groups. His practice focuses on domestic and cross-border corporate investigations, regulatory investigations and white-collar criminal matters.
Martin Coombes: An associate in the London office and a member of the Financial Institutions group. He specializes in advising on UK and EU financial services regulation, including a wide range of financial services and compliance issues including advice on UK and EU regulatory developments, the regulatory aspects of corporate transactions and the on-going compliance obligations of financial services firms.
MCLE CREDIT INFORMATION:
This program has been approved for credit in accordance with the requirements of the New York State Continuing Legal Education Board for a maximum of 1.0 credit hour, of which 1.0 credit hour may be applied toward the areas of professional practice requirement.
This course is approved for transitional/non-transitional credit. Attorneys seeking New York credit must obtain an Affirmation Form prior to watching the archived version of this webcast. Please contact [email protected] to request the MCLE form.
Gibson, Dunn & Crutcher LLP certifies that this activity has been approved for MCLE credit by the State Bar of California in the amount of 1.0 hour.
California attorneys may claim “self-study” credit for viewing the archived version of this webcast. No certificate of attendance is required for California “self-study” credit.
In a decision with far-reaching implications for the online gaming industry, on January 20, 2021, the U.S. Court of Appeals for the First Circuit held that the prohibition on the transmission of interstate wagers under the Wire Act, 28 U.S.C. § 1084, applies only to bets and wagers placed on sporting events, and not, as the Office of Legal Counsel within the United States Department of Justice had opined, to all types of bets and wagers. New Hampshire Lottery Comm’n v. Rosen, No. 19-1835 (1st Cir. Jan. 20, 2021). In this alert, we summarize (1) the background of the Wire Act, (2) the First Circuit’s decision, and (3) the potential impact of the ruling.
I. Overview of the Wire Act
The Wire Act, enacted in 1961 as part of Attorney General Robert F. Kennedy’s effort to crackdown on organized crime, provides, in relevant part:
Whoever being engaged in the business of betting or wagering knowingly uses a wire communication facility for the transmission in interstate or foreign commerce of bets or wagers or information assisting in the placing of bets or wagers on any sporting event or contest, or for the transmission of a wire communication which entitles the recipient to receive money or credit as a result of bets or wagers, or for information assisting in the placing of bets or wagers, shall be fined under this title or imprisoned not more than two years, or both.
18 U.S.C. § 1084(a). The legislative history surrounding the enactment of the statute makes clear that the intent was to target sports bookmakers who supplied an important stream of revenue for organized crime. For many years after its enactment, the Department of Justice took the view that the statute’s express reference to “bets or wagers on any sporting event or contest” meant that the statute prohibited only interstate bets or wagers on sporting events, and not other types of interstate gambling. Representatives of the Department expressly testified as much in hearings before Congress in the 1990s.
In the early 2000s, however, the Department began to take the position, in various informal letters to gaming commissions and state lottery operators, that interstate transmissions of non-sports wagers would also violate the Wire Act. That change in position prompted New York and Illinois—both of whom operated lotteries that relied in some part on interstate wire facilities—to seek clarification in 2009 from the Department as to the scope of the Wire Act.
In 2011, the Office of Legal Counsel (“OLC”) within the Department issued an opinion concluding that the Wire Act’s prohibitions with respect to the interstate transmission of bets and wagers apply only to those bets or wagers involving sporting events—meaning that sales of lottery tickets online were not covered by the statute. The OLC concluded as much by examining the text of the statute, and also by considering the absurd consequences that would follow if the statute were read to cover certain types of non-sports betting activities, but not others. In reliance on that opinion, States began moving their lottery systems online, taking full advantage of the freedom and certainty afforded by the OLC opinion.
In late 2018, however, the Trump Administration’s OLC issued a new opinion, reversing the interpretation adopted in the 2011 OLC opinion, and arguing that the Wire Act does extend beyond sports betting. The 2018 opinion concluded that the statute’s limiting language—“on any sporting event or contest”—applied only to the transmission of “information assisting in the placing of bets or wagers,” and not to the transmission of bets or wagers themselves, or to the transmission of information regarding payment on a bet or wager. As a result, the 2018 opinion called into question the legality of state lotteries that sold tickets online, or even those that simply used the Internet to facilitate their operations. The 2018 opinion expressly acknowledged that “some may have relied on the” 2011 opinion, including States that “began selling lottery tickets via the Internet after [its] issuance.”
Gibson Dunn filed suit in the U.S. District Court for the District of New Hampshire on behalf of NeoPollard Interactive LLC and Pollard Banknote Limited—a parent and subsidiary that provides lottery infrastructure for the New Hampshire Lottery Commission—arguing that the 2011 opinion was contrary to law and seeking declaratory relief. NeoPollard and Pollard joined their lawsuit with one filed the same day by the New Hampshire Lottery Commission, seeking the same relief. The Department opposed the lawsuit on the ground that in the absence of a pending or threatened prosecution, the dispute was not ripe for review, and that the 2018 interpretation was legally correct.
Judge Paul J. Barbadoro expedited the proceedings, and held in June 2019 that the 2011 OLC opinion was correct in holding that the Wire Act is limited in all respects to bets and wagers placed on sporting events, declaring the 2018 OLC opinion wrong as a matter of law and vacating the decision as contrary to law under the Administrative Procedure Act, 5 U.S.C. § 706. The Department appealed to the First Circuit.
II. The First Circuit’s Decision
On January 20, 2021, the First Circuit affirmed the district court’s decision in all relevant aspects. It agreed with the district court’s decision that the dispute was ripe for review and that the Wire Act is limited to sports betting. The Court departed from the district court only in that it did not believe vacatur under the Administrative Procedure Act was a necessary form of relief.
With respect to standing and ripeness, the Court explained that in the pre‑enforcement context, it is not necessary that there be an actual threatened prosecution against the specific plaintiff. Rather, it was sufficient that the government had declared that the conduct plaintiffs were engaged in was criminal. The Court pointed out that the Department had expressly warned at least one state lottery (Illinois) that its operations were in violation of the Wire Act as construed prior to 2011, and also that the Department had prosecuted non-sports-betting operations in the past.
The First Circuit rejected the Department’s argument that a memorandum released during the pendency of the proceedings—which purported to reserve decision on whether state lotteries, specifically, were subject to the prohibitions of the Wire Act—rendered the case moot or unripe. The new memorandum, the Court observed, did not disclaim that the Wire Act covered state lotteries, but rather offered only a temporary forbearance from prosecution.
On the merits, the First Circuit agreed with the district court that the plain text of the statute is not clear as to the scope of the prohibition. The Court thus focused instead principally on the structure and context of the statute, concluding that the Department’s proffered reading made no sense. The First Circuit observed, in particular, that reading the sports limitation to apply to only some of the prohibitions in the statute would be incongruent, as it would criminalize the transmission of any type of bet or wager, but would not reach the transmission of information with respect to bets or wagers other than those on sporting events. The Court also examined the history of the statute, agreeing with the district court that the history confirmed that the statute was directed at sports betting.
The Court thus affirmed the district court’s grant of declaratory relief, although it vacated the relief awarded under the Administrative Procedure Act on the ground that such relief was not necessary.
III. Implications of the Decision
The First Circuit’s decision gives some comfort and certainty to those state lotteries and other industry participants who relied on the 2011 opinion in taking their operations online. The decision restores the 2011 interpretation of the Wire Act, which was itself sought by state lotteries seeking to operate online facilities. It also has similar implications for gaming platforms other than state lotteries, who similarly faced a threat of prosecution as a result of the 2018 opinion if they used the Internet to process bets or wagers.
It is important to note, however, that as a formal matter, the First Circuit directly binds the Department only with respect to the named parties in the lawsuit. It also precludes, as a matter of binding precedent, any attempted prosecutions within the First Circuit that are based on the interpretation advanced in the 2018 opinion. The Department could, however, adhere to its 2018 interpretation in other federal circuits, and pursue prosecutions of online lotteries and other non-sports gambling operations in defiance of the First Circuit’s interpretation.
There is some indication, however, that the Biden Administration is not inclined to take such an aggressive stance. In July 2019, then former-Vice-President Biden stated his position that if elected, he “would reverse the White House opinion [on the Wire Act] that was then reversed and overruled by the [district] court. The court is correct. That should be the prevailing position.” Dustin Gouker, Should You Vote for Biden or Trump if You Want Legal Online Poker and Gambling?, Online Poker Report (Oct. 23, 2020), https://perma.cc/595G-2EVH. He later stated at an event in December 2019 that he did not “support adding unnecessary restrictions to the gaming industry like the Trump Administration has done.” Howard Stutz, Biden Says DOJ’s Wire Act Changes Add “Unnecessary Restrictions” to the Gaming Industry, CDC Gaming Reports (Dec. 16, 2019), https://perma.cc/R9XU-U6NX. The decision of the First Circuit may push the Biden Administration to make its stance on the statute clear right away, perhaps through a formal rescission of the 2018 opinion, or through a memo advising U.S. Attorneys to adhere to the First Circuit’s decision.
Even if the Biden Administration does not make a formal announcement, given the First Circuit’s decision and President Biden’s express opposition to the 2018 re-interpretation, it seems unlikely that the Department of Justice is poised to pursue an aggressive campaign to disobey or overturn the First Circuit’s decision. Indeed, the Department’s principal argument before the First Circuit was that the dispute was not ripe. Although the Department also defended the 2018 opinion on the merits, there may be little appetite for maintaining that position now that there has been a firm decision by a U.S. court of appeals and a change in administration.
Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments. Please feel free to contact the Gibson Dunn lawyer with whom you usually work, or the following authors:
Theodore B. Olson – Washington, D.C. (+1 202-955-8500, [email protected])
Debra Wong Yang – Los Angeles (+1 213-229-7472, [email protected])
Matthew D. McGill – Washington, D.C. (+1 202-887-3680, [email protected])
Lochlan F. Shelfer – Washington, D.C. (+1 202-887-3641, [email protected])
Joshua M. Wesneski – Washington, D.C. (+1 202-887-3598, [email protected])
© 2020 Gibson, Dunn & Crutcher LLP
Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.
Looking back on the incredible year that was 2020, some observers of the False Claims Act (“FCA”) enforcement space may note that the year’s FCA recoveries were the lowest they have been in twelve years, but the most important takeaway for those who deal in government funds is this: the government opened the most new FCA investigations ever in 2020. Despite the global pandemic, closed courts, and the realities of remote work (including remote investigations and litigation), the government and qui tam relators still opened 922 new FCA cases last year. This is the largest single-year total ever by a substantial margin and brings the total number of new FCA cases opened in the last 5 years to more than 4,100.
If the government’s enforcement activity around past economic crises and resulting government stimulus programs is any indication, the stage is set for FCA cases to surge further still in the next few years. Last year, the government enacted legislative stimulus packages totaling nearly $4 trillion in COVID-relief funds, and anytime the government spends money, FCA cases follow. A huge portion of that spending, moreover, has been in health care and health care-adjacent fields, areas which have accounted for more than 80% of all FCA recoveries over the last four years. Further, the Department of Justice (“DOJ”) swiftly prioritized rooting out COVID-related fraud in 2020—a focus that we expect to continue and likely intensify under the Biden administration. As the incoming administration’s enforcement priorities solidify, we also will monitor any efforts to change course from steps previously taken by the Trump administration toward reining in FCA enforcement through various policy changes, such as the Brand Memorandum’s prohibition of DOJ enforcement actions predicated on violations of non-binding agency guidance.[1]
Meanwhile, 2020 saw no major legislative developments relating to the FCA at the federal level. But states continue to enact or amend false claims statutes that enable states to receive a higher percentage share of recoveries and expand potential liability. On the judicial front, courts issued a number of significant decisions in 2020, including important decisions exploring the FCA’s materiality and scienter requirements, and several decisions regarding DOJ’s discretion to dismiss qui tam cases where the government has not intervened.
As always, Gibson Dunn’s recent publications on the FCA may be found on our website, including industry-specific articles, webcasts, presentations, and practical guidance to help companies avoid or limit liability under the FCA. And, of course, we would be happy to discuss these developments—and their implications for your business—with you.
I. FCA ENFORCEMENT ACTIVITY
A. New FCA Activity
The government and qui tam relators filed more FCA cases in 2020 (922) than in any other year since Congress enacted the FCA during the Civil War.[2] Although that figure is staggering in and of itself, equally surprising is who drove the increase in cases.[3]
During the last five years, there has been an average of approximately 800 new FCA cases a year, with qui tam relators filing approximately 660 cases on average and the government filing approximately 135 cases on average. But in 2020, the federal government was the impetus behind the increase to more than 900 new cases. These non-qui tam cases may arise from a variety of sources, including referrals from government agencies based on their program oversight activities or from mining government spending data for leads. With 250 cases last year, federal enforcement attorneys filed 120 more cases than in an average year, a mark last seen in 1994 when the modern qui tam provisions were still relatively new. As discussed below in the following section, cases where the government is involved—either because the government brought the case, or later intervened—typically account for 90% of all FCA cases with a recovery. The fact that the government brought so many new cases in 2020 suggests that recoveries in years to come will be robust.
Some of the government’s new cases stem from COVID relief efforts and a desire to police fraud in the government’s massive spending programs during the last year. But it does not appear that COVID-related cases account for the entirety of the nearly 100% increase in cases by the government. As more details are released about those cases, we will be watching carefully to identify where the government’s actions are focused.
Number of FCA New Matters, Including Qui Tam Actions
Source: DOJ “Fraud Statistics – Overview” (Jan. 14, 2021)
B. Total Recovery Amounts: 2020 Recoveries Exceed $2 Billion
The federal government also recovered more than $2.2 billion during fiscal year 2020, which ended September 30, 2020. Of this amount, more than 90% was recovered in intervened cases, underscoring that companies face more significant exposure in cases in which the government initiated the case or intervened.
The total of $2.2 billion is down from recent years, as shown in the chart below. Given the continued high number of new investigations being opened, this is likely a reflection of disruptions caused by the COVID-19 pandemic. Although COVID never resulted in a total work stoppage, investigations were delayed as were court proceedings in the middle of 2020. As noted, however, the overall pace of FCA litigation has not slowed whatsoever, and the pipeline of new cases is as full as ever. Significant settlements entered into after the close of fiscal year 2020, such as the $2.8 billion settlement entered into with an opioid manufacturer discussed below, are likewise poised to boost next fiscal year’s figures drastically.
Settlements or Judgments in Cases Where the Government Declined Intervention as a Percentage of Total FCA Recoveries
Source: DOJ “Fraud Statistics – Overview” (Jan. 14, 2021)
C. Industry Breakdown
While filings are up and recoveries are (perhaps temporarily) down, the industry breakdown of recoveries remains largely unchanged. As Assistant Attorney General Michael D. Granston recently remarked at the ABA Civil False Claims Act and Qui Tam Enforcement Institute, “[o]f the $11.4 billion recovered over the last four years, approximately 80 percent, or $9 billion, was recovered in health care fraud matters,” while “procurement fraud and mortgage fraud” marked the next two largest categories.[4]
2020 was no exception: Health care cases comprised 83% of total recoveries, Department of Defense procurement issues made up 3%, and the remaining 14% was split among other areas.[5]
FCA Recoveries by Industry
Source: DOJ “Fraud Statistics – Overview” (Jan. 14, 2021)
II. NOTEWORTHY DOJ ENFORCEMENT ACTIVITY DURING THE SECOND HALF OF 2020
We summarize below some of the notable FCA settlements announced since July 2020 (we covered notable settlements and judgments from the first half of 2020 in our 2020 Mid-Year False Claims Act Update). These summaries provide insight into the theories of liability and industries that have been a focus of government (and relator) enforcement efforts during the last year.
A. Health Care and Life Science Industries
- On July 1, a molecular diagnostics testing company agreed to pay $8.25 million to settle allegations that it violated the FCA by conspiring with hospitals to artificially delay orders for the company’s genetic test. The company allegedly sought to circumvent Medicare’s 14-Day Rule, which prohibited laboratories from separately billing for certain tests ordered within 14 days of a patient’s discharge from an inpatient or outpatient hospital setting. The government previously alleged in a separate settlement in 2017 that a Kentucky hospital also participated in the scheme in which the company separately billed Medicare instead of the hospital for the tests. A former employee initially filed the qui tam lawsuit, and the whistleblower’s share was not disclosed at the time of the settlement announcement.[6]
- On July 1, a pharmaceutical company agreed to pay $678 million to resolve claims that it violated the FCA. As part of the settlement, the company agreed to pay $51.25 million to resolve allegations that it improperly used three foundations as conduits to pay copayments of Medicare patients taking its drugs in a manner that resulted in disproportionate assistance for those patients. The company also agreed to pay $591.44 million to resolve allegations that it paid kickbacks through speaker programs and related events. As purported inducement to prescribe its products, the company’s managers allegedly instructed sales representatives to select high-volume prescribers as paid speakers. The company further agreed to forfeit $38.4 million, to pay approximately $48 million to resolve state claims, and to abide by strict limitations on future speaker programs and other events under a five-year Corporate Integrity Agreement.[7]
- On July 8, a hospice care company agreed to pay $3.2 million to settle claims that it violated the FCA by knowingly submitting false claims to Medicare, Medicaid, and TRICARE for hospice care provided to purportedly non-terminally-ill beneficiaries who did not qualify for those services. The settlement also resolves allegations that the company submitted false claims for a medically unnecessary level of hospice care. The company agreed to enter into a Corporate Integrity Agreement as part of the settlement, and the whistleblower, a former employee, will receive 19% of the recovery.[8]
- On July 8, an Oklahoma City-based specialty hospital, its part-owner and management company, a physician group, and two physicians agreed to pay $72.3 million to resolve allegations that they violated the FCA and the Oklahoma Medicaid False Claims Act. The government alleged that improper relationships between the specialty hospital and physician group resulted in the submission of false claims to Medicare, Medicaid and TRICARE, and that the specialty hospital and its management company provided improper remuneration to the physician group and certain physicians in exchange for referrals. The settlement also resolves claims related to the management company’s purportedly preferential offering of investment opportunities to physicians at four surgery facilities in Texas. The specialty hospital agreed to pay $60.86 million to the United States, $5 million to Oklahoma, and $206,000 to Texas. The physician group and two of its physicians, agreed to pay $5.7 million to the United States and $495,619 to Oklahoma. The specialty hospital and the physician group also agreed to enter five-year Corporate Integrity Agreements. The whistleblower’s share had not yet been determined at the time of the settlement announcement.[9]
- On July 10, a hospital management company, its subsidiary, and one of its facilities agreed to pay a total of $122 million to resolve alleged violations of the FCA. The management company and its subsidiary agreed to pay a total of $117 million, split between the United States and participating states, to resolve allegations that they submitted false claims to Medicare, Medicaid, TRICARE, Department of Veterans Affairs, and Federal Employee Health Benefit programs for billing for medically unnecessary inpatient behavior health services and failing to provide appropriate and adequate services to patients. The company expressly denied the allegations. In a separate settlement, the facility agreed to pay the United States and the State of Georgia $5 million to resolve allegations that it provided free or discounted transportation services to induce Medicare and Medicaid beneficiaries to seek treatment at certain of the facility’s programs. The management company, on behalf of its inpatient acute and residential behavioral health facilities, also agreed to enter into a five-year corporate integrity agreement. The settlement with the management company resolves 18 qui tam lawsuits, and the whistleblowers will receive a total of $15.86 million of the federal recovery. The settlement with the facility stemmed from a separate qui tam lawsuit, and the whistleblower will receive $861,853 from the recovery.[10]
- On July 13, a management corporation and 27 affiliated skilled nursing facilities agreed to pay $16.7 million to settle allegations that they violated the FCA by submitting false claims to Medicare for unnecessary or unreasonable rehabilitation therapy services. The facilities allegedly pressured therapists to increase the amount of patient therapy to meet pre-planned Medicare revenue targets, purportedly set without regard to patients’ needs and at an amount achievable only by billing high percentages of patients at the highest Medicare reimbursement level. The company entered into a five-year Corporate Integrity Agreement, and the whistleblowers collectively will receive approximately $3 million of the recovery.[11]
- On July 20, a health care company agreed to pay $11.94 million to resolve allegations that the company violated the FCA and Anti-Kickback Statute (“AKS”) by paying kickbacks to two companies in exchange for referrals of urine drug tests paid for by federal healthcare programs. The company agreed to fully cooperate and enter a five-year Corporate Integrity Agreement, under which the company must routinely report to the Office of Inspector General for the United States Department of Health and Human Services (“HHS-OIG”) and retain an Independent Review Organization to monitor its arrangements with other individuals and entities. One of the companies receiving the kickbacks and three of its executives also were indicted for conspiracy to pay and solicit kickbacks. The trial is set to take place in 2021.[12]
- On July 23, a biotech testing company agreed to pay $49 million to resolve allegations that the company fraudulently overbilled Medicaid and the Department of Veterans Affairs by miscoding its prenatal tests and that it provided illegal kickbacks to physicians in the form of excessive “draw fees,” meals and happy hours, and improperly reduced or waived patient coinsurance and deductible payments to induce orders for the company’s tests. The company agreed to pay $19.45 million to the United States and $13.15 million to various states to resolve the kickback and fraudulent billing claims and agreed to enter a five-year Corporate Integrity Agreement. The allegations stemmed from a qui tam lawsuit; the whistleblower’s share in the recovery had not been announced at the time of settlement. In a separate settlement, the company agreed to pay $16.4 million to resolve similar fraudulent billing claims related to TRICARE and the Federal Employees Health Benefits Program with the U.S. Attorney’s Office for the Southern District of California, and the company entered into a Non-Prosecution Agreement with that office.[13]
- On July 24, a pharmaceutical company’s two parent companies agreed to pay $300 million to resolve allegations that they caused the submission of false claims to government health care programs in violation of the FCA. The government alleged that the companies improperly promoted the sale and use of an opioid-addiction-treatment drug to physicians for indications that were not medically accepted, among other allegations. The government also alleged that the companies promoted the drug to physicians and state Medicaid agencies using false and misleading claims regarding the diversion, abuse, and safety risks of the drug, and that they took steps to improperly control the pricing of the drug by seeking to delay the entry of generic competitors, including through a petition to the U.S. Food and Drug Administration (“FDA”) claiming safety issues with the drug’s tablet version. Approximately $209.3 million of the civil settlement will go to the federal government and $90.7 million will go to states opting in to the agreement. The civil settlement stemmed from six qui tam lawsuits, and the whistleblowers’ share in the recovery had not been announced at the time of settlement. Separately, the pharmaceutical company agreed to pay another $289 in a criminal fine, forfeiture, and restitution in connection with pleading guilty to a one-count felony charge for making false statements relating to health care matters in connection with marketing and promoting the safety of its products, and the former CEO of its parent pleaded guilty to a one-count misdemeanor information related to the company’s alleged false and misleading representations to the Massachusetts Medicaid program. The pharmaceutical company also entered into a five-year Corporate Integrity Agreement that includes numerous accountability and auditing provisions as part of the resolution, and the company separately agreed to pay $10 million to the FTC to resolve unfair competition claims. The settlements come on the heels of a $1.4 billion resolution with the pharmaceutical company’s former parent, announced in 2019, which also related to the marketing of the company’s opioid drug.[14]
- On July 28, a pharmaceutical company agreed to pay $3.5 million to resolve claims that it violated the FCA by paying kickbacks to physicians through sham research grants as inducement to prescribe the company’s newly-launched analgesic drug. Among other allegations, the pharmaceutical company purportedly required placement of its drug on the formulary of the physicians’ institution before agreeing to award research grants and subsequently expressed little interest in the physicians’ proposed research. The whistleblower, a pharmacist, will receive approximately $520,000 of the federal recovery and approximately $118,000 of the state recovery.[15]
- On August 19, a nonprofit hospice provider agreed to pay $5.2 million to settle allegations that it improperly billed Medicare and Medicaid for services provided to hospice patients at unnecessarily heightened levels of care for which the patients did not qualify. The provider agreed to pay $4.85 million to the United States and agreed to pay $375,000 to New York. The allegations stem from a qui tam lawsuit, and the whistleblower’s share in the recovery was not disclosed at the time of the settlement announcement.[16]
- On August 24, a Massachusetts-based pharmaceuticals company agreed to pay $20.75 million to settle claims that it knowingly promoted a drug administration process that contradicted the FDA-approved instructions and was unsupported by sufficient clinical evidence, thereby causing physicians to submit false claims to Medicare and the Federal Employee Health Benefit Program. The company allegedly encouraged physicians to use a less effective drug administration process through paid speaker programs and physician peer-to-peer discussions, promotion by the company’s sales personnel, and dissemination of incomplete or misleading responses to questions asked by physicians, among other means. The company also allegedly failed to inform physicians that the administration process resulted in significantly lower clearance rates for the condition and, at times, falsely stated that the clearance rates were the same. The company and its parent company agreed to enter a Corporate Integrity Agreement, and the whistleblower, a former sales representative, will receive approximately $3.5 million of the recovery.[17]
- On September 9, a West Virginia-based acute care hospital agreed to pay $50 million to resolve allegations that it paid illegal kickbacks under the FCA to referring physicians. The government alleged that, over thirteen years, the hospital improperly paid the physicians based on the volume or value of their referrals, or otherwise paid them above-fair-market-value rates. The whistleblower will receive $10 million of the recovery.[18]
- Also on September 9, two companies that operate eleven radiology facilities in California agreed to pay $5 million to resolve allegations that they knowingly submitted claims for improperly supervised CT scans and MRIs in violation of the FCA. The companies also agreed to enter into a three-year Integrity Agreement with HHS-OIG. The whistleblower will receive approximately $925,000 of the recovery.[19]
- On September 11, a research institute agreed to pay $10 million to settle allegations that for a period of eight years it improperly charged research grants funded by the National Institutes of Health for activities unrelated to the grants, such as faculty time spent writing new grant applications, teaching, administrative activities, and committee tasks. The whistleblower will receive $1.75 million of the recovery.[20]
- On September 22, a biotechnology company that provides molecular and diagnostic tests agreed to pay $11.5 million to resolve claims that it knowingly billed government healthcare programs for inpatient testing for which the hospitals should have paid, and that it paid a percentage of the cost of electronic medical records transition software for sixty-nine physicians’ offices that the company calculated would generate revenue for the company equal to three times its payment.[21] The company made several admissions related to the purported conduct as part of the settlement.
- On September 23, a pharmaceutical company joined the growing list of companies to face FCA liability for allegedly setting up a fund within a charitable foundation to pay the co-pays of Medicare patients using the company’s pulmonary arterial hypertension drug. The government alleged that the company used spend data from the foundation to assess the amount patients were paying for its drug, then made charitable donations to the foundation sufficient to cover only those payments while simultaneously referring patients to the foundation. The company entered into a $97 million settlement to resolve the matter, without admitting any wrongdoing.[22]
- On September 28, a Texas-based hospital and co-defendants agreed to pay more than $15.3 million to resolve allegations that they overstated support and understated risks of construction of the hospital in order to obtain a federal mortgage loan, including by delaying refunds for cancelled investments, resulting in a loss for the U.S. Department of Housing and Urban Development, which had purchased the mortgage note.[23]
- On October 14, a medical device maker settled allegations that for a period of six years it paid kickbacks in the form of free advertising and practice support to physicians and hospitals in exchange for referrals of its embolization devices. DOJ alleged that the device maker ignored numerous warnings that its conduct may violate the AKS, including from its own Chief Compliance Officer. To settle the allegations, the device maker agreed to pay $18 million and enter into a five-year Corporate Integrity Agreement with HHS-OIG, pursuant to which it must hire a compliance expert and undergo review by an independent review organization. The whistleblower will receive $2.65 million.[24]
- On October 21, an opioid manufacturer agreed to pay $2.8 billion to resolve allegations that it promoted opioids for uses that were unsafe and medically unnecessary and engaged in kickback schemes to induce physicians to prescribe its drugs. With respect to the AKS, DOJ alleged that the manufacturer paid physicians to prescribe its opioids under the guise of payments for educational talks and consultant agreements; paid an electronic health records company to facilitate referrals, recommendations, and orders of its opioids; and contracted with specialty pharmacies to fill prescriptions other pharmacies had rejected. The manufacturer’s settlement is part of a broader global resolution, pursuant to which the manufacturer agreed to pay $8.3 billion to settle the FCA allegations and related criminal charges.[25]
- On October 29, a medical device maker agreed to pay $8.1 million to resolve allegations that, in order to induce a neurosurgeon to use the device maker’s implantable pumps, it paid for meals and drinks at more than one hundred social events hosted at a restaurant owned by the neurosurgeon and his wife and attended by the neurosurgeon’s acquaintances, colleagues, and existing and potential referral sources.[26]
- On November 16, a Medicare Advantage provider agreed to pay over $6.3 million to settle allegations that it violated the FCA by knowingly submitting invalid diagnoses to Medicare that were not supported by Medicare Advantage beneficiaries’ medical records. These submissions allegedly resulted in inflated payments from Medicare. The allegations stem from a qui tam lawsuit brought by a former employee. The whistleblower will receive approximately $1.5 million of the recovery.[27]
- On November 19, the former owners of a drug and device subsidiary agreed to pay $10 million to resolve allegations that the subsidiary violated the FCA by promoting two systems for unapproved uses for pediatric patients between 2006 and 2012. A private equity company that also formerly owned the subsidiary agreed to pay an additional $1.5 million to settle allegations that the subsidiary continued the allegedly improper practices after that owner acquired the company in 2012. The allegations stem from a qui tam lawsuit, and the whistleblowers’ share of the settlement was not announced at the time of the settlement announcement.[28]
- On November 20, a Florida-based home health agency and two former executives agreed to pay $5.8 million in total to settle allegations that the home health agency provided improper financial inducements to referring physicians in violation of the FCA. The home health agency paid just over $3.85 million and each executive paid $647,000. The government alleged that the home health agency violated the AKS and the Stark Law by entering into fake medical director agreements as a way of providing remuneration for referrals. The government also alleged that the home health agency violated the Stark Law by providing bonuses to employees based on referrals made by their physician spouses. The home health agency also agreed to pay an additional $675,000 to settle separate allegations that its employees pressured clinical personnel to increase the number of home visits to Medicare patients to avoid a Medicare adjustment that would have decreased the home health agency’s Medicare reimbursement. The government alleged that these services were medically unnecessary. The allegations stem from two qui tam lawsuits. The relators in one lawsuit received approximately $145,000 of the proceeds related to the Medicare adjustment allegations, and the relator’s share in the other lawsuit had yet to be determined at the time of the settlement announcement.[29]
- On December 17, a Massachusetts-based pharmaceutical company agreed to pay $22 million to resolve allegations that it violated the FCA by illegally using two foundations as a conduit to pay copays for Medicare patients to induce the patients to fill certain Medicare-reimbursed prescriptions. The pharmaceutical company allegedly identified certain patients in its free drug program for its vendor, and purportedly worked with the vendor to transfer the patients to the foundations, which received payments from the pharmaceutical company and then paid the copays for the Medicare patients. The allegations stem from a qui tam lawsuit, and the whistleblower will receive approximately $3.96 million of the recovery.[30]
B. Government Contracting and Procurement
- On July 22, a holding company agreed to pay $8 million to settle allegations that it violated the FCA by knowingly avoiding tariffs on imported brake parts. The government alleged that the holding company falsely improperly identified the brake parts as a type exempt from the tariffs. The whistleblowers, two former employees, will receive $1.48 million of the recovery.[31]
- On August 31, an engineering and construction firm and related entity agreed to pay approximately $5.6 million to resolve allegations that they violated the FCA and other civil claims by submitting inaccurate cost and labor hour estimates and certifications related to certain task orders for a federal contract with the U.S. Navy. The allegations stem from a qui tam lawsuit brought by a former employee, and the whistleblower’s share in the recovery was not disclosed at the time of the settlement announcement.[32]
- On September 10, an asphalt contractor agreed to pay more than $4.25 million over four years to resolve allegations that it misrepresented the materials it would use to pave federally-funded roads by falsely claiming that its asphalt mix contained a sufficient amount of binder to hold together and last a reasonable amount of time, in violation of the FCA.[33]
- On September 15, a software engineering firm that provides training systems to the Department of Defense agreed to pay more than $37 million in restitution to resolve allegations that the firm bribed an Air Force contracting official in exchange for procurement information. According to the government, the firm leveraged that information to secure government contracts for training simulators, causing a prime contractor to submit false invoices to the government. The firm paid the restitution as part of a broader plea agreement based on the same conduct, pursuant to which the firm pleaded guilty to conspiracy to commit wire fraud, but the civil settlement did not require admissions of liability. The majority owner, president and CEO of the firm separately agreed to pay $500,000 to resolve FCA allegations regarding his personal conduct.[34]
- On September 22, major federal construction contractors and a subsidiary admitted to improperly billing the Department of Energy for unreasonable and unallowable idle time in connection with a waste treatment plant project over a period of ten years, in violation of the FCA. Pursuant to the settlement, the companies agreed to pay $57.75 million and enter into a three-year corporate monitorship. Four whistleblowers will split $13.75 million.[35]
- On November 3, an Illinois-based charter school management company agreed to pay $4.5 million to settle allegations that it engaged in non-competitive bidding practices related to the Federal Communications Commission’s (“FCC”) E-Rate Program, thereby violating the FCA. The company allegedly rigged the bidding for E-Rate contracts between 2009 and 2012 so that its charter schools selected chosen technology vendors. The company’s chosen vendors also allegedly provided equipment at higher prices than FCC-approved prices for equipment with the same functionality. Finally, the company allegedly failed to maintain sufficient control over the FCC-reimbursed equipment, such that some of the equipment was missing. The company agreed to enter into a corporate compliance plan with the FCC.[36]
- On November 20, a federal contractor providing health care and IT services and solutions to federal agencies agreed to pay $18.98 million to settle allegations that it violated the FCA by using labor that did not meet requisite contractual qualifications and overcharging government agencies in connection with services provided under two General Services Administration (“GSA”) Multiple Award Schedule contracts. The federal contractor allegedly provided false information regarding its commercial discounting practices during contract negotiations with the government. The federal contractor investigated and disclosed the contractual violations to the United States, and received disclosure and cooperation credit.[37]
- On December 3, an ergonomic office furniture maker and its parent company agreed to pay $7.1 million to settle claims that they violated the FCA by overcharging the government for office furniture under a GSA contract. The government alleged that the company did not fulfill contractual obligations to provide GSA with accurate information about its sales practices during the contract negotiations, and the company also did not offer lower prices to government customers as required under the GSA contract. The allegations stem from a qui tam lawsuit brought by a former employee. The whistleblower will receive approximately $1.27 million of the recovery.[38]
- On December 17, a nationwide provider of electricity solutions for buildings and data centers agreed to pay $11 million to settle criminal and civil allegations relating to kickbacks and overcharges on federally-funded energy savings performance contracts. The provider agreed to pay $9.3 million to resolve allegations that it violated the FCA and AKS by soliciting and receiving over $2.5 million in kickbacks from subcontractors working on the contracts; including inflated estimates and improper costs in contract proposals; and overcharging federal agencies under the contracts. In a separate criminal settlement announced on the same day, the company admitted that it committed wire fraud when it fraudulently charged the government for design costs that it disguised and spread across various line items and also admitted that it violated the AKS when its former convicted employee solicited and received kickbacks from the subcontractors.[39]
III. LEGISLATIVE AND POLICY DEVELOPMENTS
A. Federal Legislative Developments
As we have reported previously, several COVID-19 related federal legislative developments in 2020—economic spending and stimulus packages—are likely to spur FCA enforcement. We have covered these developments in detail in updates throughout the COVID‑19 crisis (available here and here). The most notable legislation, the Coronavirus Aid, Relief, and Economic Security Act (“CARES Act”), marked the largest emergency stimulus package in history, providing $2.2 trillion worth of government funds to mitigate the effects of COVID-19.[40] The Act provides relief for businesses, industries, individuals, employers, and states in a number of ways, including a Small Business Administration (“SBA”) loan program offering up to $350 billion in relief, the Paycheck Protection Program (“PPP”), as well as economic stabilization programs to provide loans, loan guarantees, and funding for eligible industries, businesses, states, and municipalities.
In late December 2020, then President Trump signed a second massive stimulus bill, providing $900 billion of additional relief. Among other things, this new legislation renewed the PPP program, providing an additional $285 billion for additional loans for small businesses.[41] The new economic relief program tightened the funding terms and conditions in some respects, an effort apparently aimed at correcting some of the elements of the original program that were subject to criticism. The legislation caps new loans at $2 million, for example, and makes them available only to borrowers with fewer than 300 employees that experienced at least a 25% drop in sales from a year earlier in at least one quarter. In addition, publicly traded companies will not be eligible to apply for loans.
Before taking office on January 20, 2021, President Biden also announced a $1.9 trillion COVID relief plan that he aims to pass during his first 100 days in office.[42] Among other things, the plan provides $416 billion to launch a national vaccination program, $35 billion to make low-interest loans available to certain businesses, and sets aside another $1 trillion in additional stimulus checks for Americans.
There were no major developments with respect to federal FCA legislation in 2020. This may change soon, however. For example, in July, Senator Chuck Grassley (R-IA)—the original author of the FCA’s 1986 amendments—announced he is drafting legislation that would “clarify[y]” purported “ambiguities created by the courts” regarding the proper interpretation of the FCA.[43] In particular, Senator Grassley’s remarks highlighted his concerns about DOJ’s authority to dismiss FCA cases despite relators’ objections, as well as DOJ’s practice of increasingly exercising that authority following DOJ’s issuance of the Granston Memo, on which we have reported previously. We will closely monitor this and other developments at the federal level in the coming year.
B. COVID-19 Enforcement Policy
Under the outgoing administration, DOJ focused on preventing and punishing COVID-19-related fraud. To date, DOJ has scrutinized several aspects of the stimulus funding under the CARES Act, in particular, such as in connection with certifications of compliance with loan program requirements, as well as submission of false claims allegedly kickback-tainted, medically unnecessary, and/or otherwise not provided as represented.[44]
This policy played out in 2020, with DOJ officials announcing plans to “deploy the [FCA] against those who commit fraud related to the various COVID-19 stimulus programs,” particularly the Provider Relief Fund (“PRF”) and the Paycheck Protection Program—funding programs put into place by the CARES Act. These programs, which impose numerous requirements on funding recipients, make available significant sums of money that DOJ considers may provide “a number of opportunities for fraud.”[45]
The Biden administration will almost certainly continue to focus on COVID-19 enforcement. What other enforcement changes or priorities come from the Biden administration remain to be seen.
C. State Legislative Developments
As an incentive for seeking HHS-OIG approval of their false claims act statutes, states can receive “a 10-percentage-point increase in their share of any amounts” recovered under the relevant laws.[46] To receive approval, state statutes must (among other requirements) contain provisions that are “at least as effective in rewarding and facilitating qui tam actions” as those in the federal FCA, and must contain civil penalties at least equivalent to those imposed by the federal FCA.[47] A similar requirement is that a given state’s statute must provide for civil penalty increases “at the same rate and time as those authorized under the [federal] FCA” pursuant to the Federal Civil Penalties Inflation Adjustment Act Improvements Act of 2015.[48]
Currently, the total number of states with approved statutes stands at twenty-one (California, Colorado, Connecticut, Delaware, Georgia, Hawaii, Illinois, Indiana, Iowa, Massachusetts, Montana, Nevada, New York, North Carolina, Oklahoma, Rhode Island, Tennessee, Texas, Vermont, Virginia, and Washington). Eight states have laws that have not yet been deemed to meet the federal standards (Florida, Louisiana, Michigan, Minnesota, New Hampshire, New Jersey, New Mexico, and Wisconsin).[49] Thirty-one states have enacted some version of the False Claims Act.[50
Several jurisdictions also enacted or advanced false claims act legislation in 2020. In the District of Columbia, the D.C. Council enacted legislation amending the District’s existing false claims act (D.C. Code Ann. § 2-381.01 et seq.) to expressly authorize tax-related false claims actions against persons who “reported net income, sales, or revenue totaling $1 million or more in a tax filing to which [the relevant] claim, record, or statement pertained, and the damages pleaded in the action total $350,000 or more.”[51] The bill authorizes treble damages for tax-related violations, meaning District taxpayers could be liable for three times the amount not only of any taxes, but also of any interest and tax penalties.[52] Because the District’s existing false claims statute excluded tax-related claims from false claims liability, the new legislation represents a major policy shift.[53] In amending its false claims statute in this fashion, the District joins Illinois and New York as jurisdictions that provide for tax-related FCA liability.[54]
In Pennsylvania, which has no statute analogous to the FCA, the legislature advanced a false claims act bill that would enable private citizens to bring lawsuits on behalf of the state against anyone who “[k]nowingly presents or causes to be presented a false or fraudulent claim for payment or approval” or “[k]nowingly makes, uses or causes to be made or used, a false record or statement material to a false or fraudulent claim.”[55] The bill would also require the Attorney General to make recommendations to state agencies on how to prevent false claims violations from occurring.[56] The new law would empower the Pennsylvania Office of the Attorney General to enforce its provisions, including via civil investigative demands.[57] The bill largely mirrors the FCA and was first referred to the House Human Services Committee on May 21, 2020.[58] In September 2020, the House committee approved an amended bill to include limited civil liability protections for entities that follow all state and federal directives regarding COVID-19, along with civil fraud provisions matching federal law.[59] To date, the bill is awaiting a vote in the Pennsylvania General Assembly.
We also reported in our 2020 Mid-Year Update on a bill passed by the California Assembly, Assembly Bill No. 1270, which would alter the state’s false claim act considerably, including by amending the act to limit the definition of materiality to include only “the potential effect” of an alleged false record or statement “when it is made,” without consideration—contrary to the U.S. Supreme Court’s 2016 decision in Universal Health Services v. United States ex rel. Escobar[60]—of “the actual effect of the false record or statement when it is discovered.”[61] The amendments would also extend the act to tax-related cases where the damages pleaded exceed $200,000 and a defendant’s state-taxable income or sales exceed $500,000.[62] After the bill stalled in the State Senate, a California Assembly member (Mark Stone, D-Monterey Bay) introduced a substantially similar bill, Assembly Bill No. 2570.[63] As with its predecessor, AB-2570 stalled in the State Senate in 2020.
IV. NOTABLE CASE LAW DEVELOPMENTS
The second half of 2020 saw a number of important case law developments, including with respect to falsity, materiality, and the FCA’s important threshold bars. We cover the most notable cases below.
A. A Circuit Split Over “Objective Falsity” Progresses to the Supreme Court
As discussed in our Mid-Year Update, the issue of whether and when differences in physician medical opinions may satisfy the FCA’s “falsity” element is driving critical developments in FCA jurisprudence. In particular, a circuit split emerged after the Eleventh Circuit’s decision in United States v. AseraCare, Inc., in which the court held that claims cannot be “deemed false” under the FCA based solely on “a reasonable disagreement between medical experts” as to a medical provider’s clinical judgment. 938 F.3d 1278, 1281 (11th Cir. 2019). By contrast, the Third Circuit held in United States ex rel. Druding v. Care Alternatives that a “physician’s judgment may be scrutinized and considered ‘false’” and that a “difference of medical opinion is enough evidence to create a triable dispute of fact regarding FCA falsity.” 952 F.3d 89, 100–01 (3d Cir. 2020). The Ninth Circuit reached a similar result in Winter ex rel. United States v. Gardens Regional Hospital and Medical Center, holding that an FCA claim based on an alleged lack of medical necessity may suffice to survive a motion to dismiss. 953 F.3d 1108, 1117 (9th Cir. 2020).
In September 2020, Care Alternatives petitioned the Supreme Court for a writ of certiorari to challenge the Third Circuit’s rejection of the AseraCare “objective falsity” standard. Specifically, Care Alternatives asked the Court to decide “[w]hether a physician’s honestly held clinical judgment regarding hospice certification can be ‘false’ under the False Claims Act based solely on a reasonable difference of opinion among physicians.” Pet. for Writ of Cert., Care Alternatives v. United States, et al., No. 20-371 (U.S. Sept. 16, 2020).
In its petition, Care Alternatives contended that the Third Circuit’s recent decision created a “square split” with the Eleventh Circuit’s AseraCare decision “on an issue of critical importance to the millions of Americans who require hospice care annually and the thousands of hospices and physicians who provide that care.” Id. at 1–2. Care Alternatives also argued that the Third Circuit’s rejection of an objective falsity standard “opens up hospices and physicians to crushing financial liability and reputational harm, notwithstanding near universal acknowledgment that determinations about life expectancy are notoriously difficult and inexact.” Id. at 2. Further, it highlighted the “untenable prospect . . . that hospices in New Jersey [because of the Third Circuit’s decision] will face treble damages for the same difficult medical judgments that cannot be second-guessed in Florida,” in light of the Eleventh Circuit’s AseraCare case. Id. at 3.
Given the stakes, the case has attracted attention from industry participants. After Care Alternatives filed its petition, two groups submitted amicus briefs: one by a group of Hospice, Health Care, and Physician Organizations, and the other from the Chamber of Commerce of the United States of America and the Pharmaceutical Research and Manufacturers of America (“PhRMA”). See Br. for the Hospice, Health Care, and Physician Organizations as Amici Curiae, Care Alternatives v. United States, et al., No. 20-371 (U.S. Oct. 23, 2020) (“Hospice Brief”); Br. of Chamber of Commerce of the United States et al. as Amici Curiae, Care Alternatives v. United States, et al., No. 20-371 (U.S. Oct. 23, 2020) (“Chamber of Commerce Brief”). The briefs highlighted the risks the Third Circuit’s decision poses for providers and for recipients of government benefits more broadly (such as government contractors). See generally Hospice Brief; Chamber of Commerce Brief. The amici likewise cited the broader developing circuit split over “objective falsity” as another reason why the Court should grant Care Alternatives’ petition. Chamber of Commerce Brief at 8–10.
B. Courts Continue to Grapple with the FCA’s Materiality and Scienter Requirements Post-Escobar
In the latter half of 2020, federal appellate courts continued to weigh in on the critical issues of materiality and scienter under the FCA in the wake of the Supreme Court’s seminal decision in Universal Health Services v. United States ex rel. Escobar, 136 S. Ct. 1989 (2016). The Court’s clear directive in Escobar was that courts should scrutinize whether plaintiffs have alleged facts sufficient to satisfy the “rigorous” and demanding materiality standard the FCA imposes. See id. at 2004 n.6 (rejecting the notion that materiality cannot be decided at the pleadings stage). Two Circuit Courts of Appeals took up this task in notable ways in the latter half of 2020.
First, in United States v. Strock, the Second Circuit considered what counts as a “payment decision” for purposes of assessing materiality under a fraudulent inducement theory of FCA liability. 982 F.3d 51 (2d Cir. Dec. 3, 2020). Under a fraudulent inducement theory, “FCA liability attaches not because a defendant has submitted any claim for payment that is ‘literally false,’ but instead because ‘the contract under which payment [is] made is procured by fraud.’” Id. at 60 (quoting United States ex rel. Longhi v. United States, 575 F.3d 458, 467–68 (5th Cir. 2009)). In Strock, the court evaluated whether Escobar materiality analysis applied to the government’s initial decision to award the contract, the government’s subsequent decision to pay claims under the contract, or both. The government alleged that a putatively service-disabled veteran-owned small business (“SDVOSB”) was used “as a front to funnel [government] contract work” to another contractor. Id. at 56. The U.S. District Court for the Western District of New York granted the defendants’ motion to dismiss and concluded that Escobar only required a showing of materiality in connection with the government’s initial awarding of the contract. Id. at 58–60.
On appeal, the Second Circuit reversed the district court’s dismissal of the FCA claims against one individual defendant and vacated the district court’s dismissal of the FCA claims against the corporate defendant under a vicarious liability theory. The Second Circuit reasoned that the nature of fraudulent inducement cases required it to assign the meaning of “payment decisions” subject to Escobar analysis a “broader scope” than the lower court had. Id. at 60. The Second Circuit interpreted both the government’s initial contract award and subsequent payments of claims as “payment decisions” requiring a materiality analysis under Escobar. Id. at 59–60.
Earlier in 2020, the Fifth Circuit in United States ex rel. Porter v. Magnolia Health Plan, Inc. also applied Escobar’s materiality standard to a case decided at the pleadings stage. 810 F. App’x 237 (5th Cir. 2020). There, a registered nurse alleged that her former employer violated the FCA by staffing care and case manager positions with licensed practical nurses in contravention of contractual requirements. The district court dismissed the FCA claims, concluding that “broad boilerplate language generally requiring a contractor to follow all laws” was “too general to support a FCA claim.” Id. at 242. In affirming, the Fifth Circuit agreed that the applicable contracts did not require the defendant to staff relevant positions with registered nurses and that the boilerplate language was not sufficient to establish an FCA claim. The Fifth Circuit also explained that the “continued payments to and contracts with” the defendant “substantially increase the burden . . . in establishing materiality,” which the plaintiff did not meet. Id. Specifically, the Fifth Circuit noted that “the Mississippi Division of Medicaid took no action after Plaintiff-Appellant informed the Division” of this alleged misconduct but rather “continued payment and renewed its contract with [the former employer] several times.” Id. Even after the plaintiff’s suit was unsealed, the third-party Medicaid contractor awarded the plaintiff’s former employer “a contract for the fourth time.” Id. The Fifth Circuit also affirmed the district court’s dismissal with prejudice, finding “no reasonable basis to predict that [the plaintiff] c[ould] recover on her claims” and that any amendment of the nurse’s complaint thus would be futile, in part, because of the government’s continued payments and contracting arrangements with the nurse’s former employer. Id. at 243.
On December 9, 2020, after the Fifth Circuit refused to rehear the case, the relator petitioned for a writ of certiorari, asking the Supreme Court to clarify to what extent Escobar altered the Rule 12(b)(6) plausibility standard the Court imposed in Bell Atlantic Corp. v. Twombly, 550 U.S. 544 (2007) and Ashcroft v. Iqbal, 556 U.S. 662 (2009). Pet. for Writ of Cert., United States ex rel. Porter v. Magnolia Health Plan, Inc., No. 20-786 (U.S. Dec. 9, 2020). Specifically, the petition asked the Court to decide “whether the Supreme Court ruling in Escobar overruled or modified the standard of review to be used in ruling upon Rule 12(b)(6) motions to dismiss in cases involving the False Claims Act so as to require ‘proof’ or ‘evidence’ at the initial pleading stage above and beyond the plausibility standard set forth in Twombly and Iqbal.” Id. at iii. The Court denied the qui tam plaintiff’s petition on January 19, 2021.
C. Courts Continue to Scrutinize DOJ’s Discretion to Dismiss Qui Tam Claims
1. A Third Standard for DOJ’s Dismissal Authority?
In the wake of the 2018 Granston Memo, which instructed DOJ attorneys to consider dismissal of a qui tam case when recommending declination, DOJ has more regularly invoked its dismissal authority under 31 U.S.C. § 3730(c)(2)(A) than it did in for decades previously. Historically, courts have split based on whether they follow the Ninth Circuit’s Sequoia Orange test or the D.C. Circuit’s Swift test. Under the Sequoia Orange approach, the government may dismiss a qui tam case if: (1) it identifies a valid government purpose; (2) a rational relation exists between the dismissal and the accomplishment of that purpose; and (3) dismissal is not fraudulent, arbitrary and capricious, or illegal. United States ex rel. Sequoia Orange Co. v. Baird-Neece Packing Corp., 151 F.3d 1139, 1145 (9th Cir. 1998). The Swift test, by contrast, affords the government an “unfettered” right to dismiss a case such that the decision is “unreviewable” except in instances of “fraud on the court.” Swift v. United States, 318 F.3d 250, 252–53 (D.C. Cir. 2003). Both standards generally favor the government’s discretion, albeit to different degrees, and DOJ regularly argues in its motions to dismiss that it has sufficient discretion to dismiss a case under either standard.
This past August, the Seventh Circuit suggested that the split may have little practical significance. In United States ex rel. CIMZNHCA, LLC v. UCB, Inc., 970 F.3d 835 (7th Cir. 2020), the court reviewed a district court’s denial of the government’s attempt to dismiss the case, which concerned the alleged provision of kickbacks to physicians for prescriptions of a drug used to treat Crohn’s disease. Id. at 839. In moving for dismissal, the government argued that the allegations “lack[ed] sufficient merit to justify the cost of investigation and prosecution and [were] otherwise . . . contrary to the public interest.” Id. at 840. But the district court, applying the Sequoia Orange standard, deemed the government’s decision “arbitrary and capricious” and “not rationally related to a valid governmental purpose.” Id. (internal quotation marks omitted).
The Seventh Circuit reversed, calling the choice between the Sequoia Orange and Swift standards “a false one, based on a misunderstanding of the government’s rights and obligations under the False Claims Act.” Id. at 839. Instead, the court viewed the government’s motion as a motion to intervene and dismiss and held that Federal Rule of Civil Procedure 41 (which governs voluntary dismissal by plaintiffs generally) supplied “the beginning and end of [the court’s] analysis.” Id. at 849. While Rule 41(a)(1)(A) states that the voluntary dismissal right is “[s]ubject to . . . any applicable federal statute,” the “only authorized statutory deviation from Rule 41” in the FCA itself is the requirement that a relator be given notice and an opportunity to be heard in the event that the government seeks to dismiss the case over the relator’s objection. See id. at 850. The court acknowledged that such a hearing may amount to little more than formality in cases where there are no questions about the propriety of the government’s exercise of its dismissal authority; but the court noted that Rule 41’s conditions on the timing of voluntary dismissal motions could arise in Section 3730(c)(2)(A) hearings in cases where “the government’s chance to serve notice of dismissal has passed . . . and the relator . . . refuses to agree to dismissal.” Id. at 850–51.
Turning to the Sequoia Orange and Swift standards, the court held that Sequoia Orange simply means that dismissal “may not violate the substantive component of the Due Process Clause,” id. at 851, which the court characterized as a “bare rationality standard” targeting “only the most egregious official conduct” that “shocks the conscience” or “offend[s] even hardened sensibilities,” id. at 852 (internal quotation marks omitted) (alteration in original). The court found that the government’s dismissal decision, based as it was on the fact that agency guidance and rules had repeatedly “held that the conduct complained of is probably lawful,” did not rise to this level. See id. At the same time, the court rejected the idea that the relatively formal nature of Section 3730(c)(2)(A) hearings “justif[ies] imposing on the government in each case the burden of satisfying Sequoia Orange’s ‘two-step test’ before the burden is put back on the relator to show unlawful executive conduct.” Id. at 853.
In sum, while the court recognized the value of a Sequoia Orange-type standard focused on the outer constitutional limits on the exercise of the government’s prosecutorial discretion, the court’s holding suggested that it believes that limit lies closer to the even‑more‑forgiving Swift standard than to the “two-step” approach set forth in Sequoia Orange. The Seventh Circuit seems to have believed that the district court lost sight of the constitutional underpinnings of the “rational basis” test—and that a focus on the procedural parameters of Rule 41 can help avoid this error, insofar as they are consistent with a very forgiving approach to the government’s exercise of its dismissal authority. Accordingly, going forward we may well see DOJ intervene for the purposes of dismissal to exercise its (c)(2)(A) dismissal authority more often, at least in Seventh Circuit courts.
2. The Ninth Circuit Explores Limits on the Appealability of Denials of the Government’s Motions to Dismiss Under Section 3730(C)(2)(A)
In another notable case regarding DOJ’s dismissal authority, the Ninth Circuit issued a decision that could create more pressure for DOJ, when it wishes to dismiss a case, to intervene in the action first. In United States v. Academy Mortgage Corp., 968 F.3d 996 (9th Cir. 2020), the district court denied DOJ’s motion to dismiss on the ground that the government’s cost-benefit justification was insufficient to satisfy the Sequoia Orange standard. Id. at 1001. The government had claimed that discovery would be burdensome, but the court believed that the government had an incomplete understanding of the potential monetary recovery in the case given the limited nature of the government’s investigation. Id. The government appealed the denial of its motion under the collateral order doctrine, rather than seek to have the issue certified for interlocutory review. See id.
The Ninth Circuit dismissed the appeal for lack of jurisdiction, holding that the collateral order doctrine does not apply to denials of motions to dismiss under Section 3730(c)(2)(A), “at least in cases where the Government has not exercised its right to intervene.” Id. at 1005. Citing the government’s professed concern regarding discovery burdens, the court reasoned that, when the government has not intervened in a qui tam action, it is not a party to the action and its discovery obligations accordingly are the same as those of any other non‑party under Federal Rule of Civil Procedure 45. Id. at 1006. The court noted that the path to appellate review of a question of discovery burdens on a third party typically is to defy a subpoena and appeal the resulting contempt citation; orders merely denying motions to quash under Rule 45 “generally cannot be immediately appealed under the collateral order doctrine.” Id. at 1006–07. The court stated the core of its concern as follows: “It would be incongruous to hold, as we are asked to do here, that the Government’s interest in dismissing the case to avoid the possibility of future onerous discovery requests is important enough to merit an immediate appeal, when third parties actually faced with burdensome subpoenas have no such right.” Id. at 1007 (emphases in original). Although the court stated that the government could pursue interlocutory review, the court’s opinion could be read to suggest that the case does not present a “controlling question of law as to which there is substantial ground for difference of opinion” where the government’s rationale for dismissal is a mere “run-of-the-mill litigation burden[].” Id. at 1009.
The courts in both Academy Mortgage and UCB treated the question of DOJ’s intervention as affecting which legal framework should apply to the analysis of DOJ’s dismissal authority. Practically speaking, that reasoning may encourage DOJ to intervene in cases in which it otherwise would not seek to do so, for the limited purpose of strengthening its posture in moving to dismiss the case.
D. Developments on the First-to-File Bar and Res Judicata
Under Section 3730(b)(5) of the FCA, “[w]hen a person brings an [FCA] action . . . no person other than the Government may intervene or bring a related action based on the facts underlying the pending action.” 31 U.S.C. § 3730(b)(5). The Circuits have split over whether this “first-to-file bar” is jurisdictional. The First, Second, and D.C. Circuits have held that the bar is not jurisdictional, whereas the Fourth, Fifth, Sixth, Ninth, and Tenth Circuits have concluded that the bar is a matter of courts’ subject‑matter jurisdiction. See In re Plavix Marketing, Sales Practices & Products Liability Litig., 974 F.3d 228, 232 (3d Cir. 2020) (collecting cases).
In a September 1, 2020 opinion, the Third Circuit joined the former camp, relying primarily on the “clear statement rule”: “As the Supreme Court has recently instructed, unless Congress states clearly that a rule is jurisdictional, we will treat it as nonjurisdictional. . . . [Defendants] point to no language in § 3730(b)(5), nor do we see any, that ‘plainly show[s] that Congress imbued [the first-to-file] bar with jurisdictional consequences.’” Id. at 232 (second and third alterations in original) (citation omitted). The court also rejected the defendants’ argument that the bar is a matter of constitutional standing, concluding instead that it “asks only ‘whether [the relator] falls within the class of plaintiffs whom Congress has authorized to sue,’ which is another way to ask whether the statute gives it a cause of action.” Id. (alteration in original) (citation omitted). Accordingly, a motion to dismiss under the first‑to‑file bar “falls under Rule 12(b)(6) for failure to state a claim.” Id. at 233.
In a separate case, the State of New Mexico filed a complaint in state court while the Plavix litigation was pending but after the State declined to intervene in that litigation. See State ex rel. Balderas v. Bristol-Myers Squibb Co., 436 P.3d 724, 727 (N.M. Ct. App. 2018). The state trial and appellate courts held that the dismissal of the Plavix relator’s claims with prejudice did not act as dismissal with prejudice as to the government. Id. at 734. The court cited favorably to other decisions reasoning that a non-intervention decision does not automatically mean the government does not see merit in the case in question, and that “perverse incentives” would arise if dismissal with prejudice as to a relator also precluded claims by the government. Id. at 731. For example, the government essentially would have to intervene in every case simply to protect its ability to sue a defendant later, id., which would defeat the purpose of statutory provisions granting the government discretion to intervene.
The defendants filed a petition in the Supreme Court for a writ of certiorari in early September, a request which remains pending. See generally Pet. for Writ of Cert., State ex rel. Balderas v. Bristol-Myers Squibb Co., No. 20-293 (U.S. Sept. 3, 2020). If the Court takes the case, it will be an opportunity to resolve a Circuit split over whether the government is bound by with-prejudice dismissals of qui tam complaints. The Fifth and Eleventh Circuits have answered that question in the negative, the Seventh and Ninth Circuits in the affirmative. See id. at 13–19.
E. The D.C. Circuit Affirms an Award of Summary Judgment Where Defendant Failed to Adequately Address Government’s Legal Theories
It is difficult for any plaintiff to prevail on a motion for summary judgment. This is particularly so in FCA actions, which demand that plaintiffs prove various rigorously construed and fact‑intensive elements, including materiality and scienter.
In August 2016, however, the U.S. District Court for the District of Columbia granted the government’s motion for summary judgment in a case against a home health care company alleged to have submitted claims for reimbursement to the District of Columbia Medicaid Program for services that purportedly lacked adequate documentation. United States v. Dynamic Visions Inc., 220 F. Supp. 3d 16, 22 (D.D.C. 2016).
The district court’s opinion is notable given how rarely these motions are granted. Just as noteworthy is the fact that, in August 2020, the D.C. Circuit largely affirmed the lower court’s award of summary judgment in the government’s favor. United States v. Dynamic Visions Inc, 971 F.3d 330, 338–40 (D.C. Cir. 2020). The D.C. Circuit highlighted that, on appeal, the defendant-appellant had failed to meaningfully address the government’s theory that patients had inadequate “plan of care” documentation in several different regards, having chosen instead to “respond[] only with highly generalized statements to the effect that they submitted plans of care for Medicaid recipients signed by their physicians, . . . that they maintained a policy and procedure manual that was compliant with [Department of Health Care Finance] regulations[,] and [that they] followed the policy and procedures stated in the manual.” Id. at 337 (internal quotation marks omitted). Because the defendant-appellant failed to provide supporting evidence for those assertions—namely, the manual in question—the court held that “[t]hose statements are too conclusory to create a genuine issue.” Id.
V. CONCLUSION
As always, Gibson Dunn will continue to monitor these developments and others in the FCA space and stands ready to answer any questions you may have. We will report back to you on the latest news mid-year, in July 2021.
____________________
[1] See U.S. Dep’t of Justice, Memorandum from Rachel Brand, Associate Attorney General (Nov. 16, 2017), https://www.justice.gov/opa/press-release/file/1012271/download.
[2] See Press Release, Office of Pub. Affairs, U.S. Dep’t of Justice, Justice Department Recovers Over $2.2 Billion from False Claims Act Cases in Fiscal Year 2020 (Jan. 14, 2021), https://www.justice.gov/opa/pr/justice-department-recovers-over-22-billion-false-claims-act-cases-fiscal-year-2020 [hereinafter DOJ FY 2020 Recoveries Press Release].
[3] See U.S. Dep’t of Justice, Fraud Statistics Overview (Jan. 14, 2021), https://www.justice.gov/opa/press-release/file/1354316/download [hereinafter DOJ FY 2020 Stats].
[4] See Press Release, Office of Pub. Affairs, U.S. Dep’t of Justice, Remarks of Deputy Assistant Attorney General Michael D. Granston at the ABA Civil False Claims Act and Qui Tam Enforcement Institute (Dec. 2, 2020), https://www.justice.gov/opa/speech/remarks-deputy-assistant-attorney-general-michael-d-granston-aba-civil-false-claims-act.
[5] See DOJ FY 2020 Stats.
[6] See Press Release, U.S. Atty’s Office for the W. Dist. Of Ky., California Genetic Testing Company Agrees To Pay $8.25 Million To Resolve False Claims Allegations; Paducah, Ky, Area Hospital Also Settles (July 1, 2020), https://www.justice.gov/usao-wdky/pr/california-genetic-testing-company-agrees-pay-825-million-resolve-false-claims.
[7] See Press Release, Office of Pub. Affairs, U.S. Dep’t of Justice, Novartis Pays Over $642 Million to Settle Allegations of Improper Payments to Patients and Physicians (July 1, 2020), https://www.justice.gov/opa/pr/novartis-pays-over-642-million-settle-allegations-improper-payments-patients-and-physicians; Press Release, U.S. Atty’s Office for the S. Dist. of N.Y., Acting Manhattan U.S. Attorney Announces $678 Million Settlement Of Fraud Lawsuit Against Novartis Pharmaceuticals For Operating Sham Speaker Programs Through Which It Paid Over $100 Million To Doctors To Unlawfully Induce Them To Prescribe Novartis Drugs (July 1, 2020), https://www.justice.gov/usao-sdny/pr/acting-manhattan-us-attorney-announces-678-million-settlement-fraud-lawsuit-against.
[8] See Press Release, U.S. Atty’s Office for the Middle Dist. of Fla., Hope Hospice Agrees To Pay $3.2 Million To Settle False Claims Act Liability (July 8, 2020), https://www.justice.gov/usao-mdfl/pr/hope-hospice-agrees-pay-32-million-settle-false-claims-act-liability.
[9] See Press Release, Office of Pub. Affairs, U.S. Dep’t of Justice, Oklahoma City Hospital, Management Company, And Physician Group To Pay $72.3 Million To Settle Federal And State False Claims Act Allegations Arising From Improper Payments To Referring Physicians (July 8, 2020), https://www.justice.gov/opa/pr/oklahoma-city-hospital-management-company-and-physician-group-pay-723-million-settle-federal.
[10] See Press Release, Office of Pub. Affairs, U.S. Dep’t of Justice, Universal Health Services, Inc. And Related Entities To Pay $122 Million To Settle False Claims Act Allegations Relating To Medically Unnecessary Inpatient Behavioral Health Services And Illegal Kickbacks (July 10, 2020), https://www.justice.gov/opa/pr/universal-health-services-inc-and-related-entities-pay-122-million-settle-false-claims-act.
[11] See Press Release, Office of Pub. Affairs, U.S. Dep’t of Justice, Twenty-Seven Skilled Nursing Facilities Controlled By Longwood Management Corporation To Pay $16.7 Million To Resolve False Claims Act Allegations (July 13, 2020), https://www.justice.gov/opa/pr/twenty-seven-skilled-nursing-facilities-controlled-longwood-management-corporation-pay-167.
[12] See Press Release, U.S. Atty’s Office for the W. Dist. of Wash., DOJ settles False Claims Act allegations against drug testing lab with operations in Tacoma and Denver (July 20, 2020), https://www.justice.gov/usao-wdwa/pr/doj-settles-false-claims-act-allegations-against-drug-testing-lab-operations-tacoma-and.
[13] See Press Release, U.S. Atty’s Office for the S. Dist. of N.Y., Acting Manhattan U.S. Attorney Announces $49 Million Settlement With Biotech Testing Company For Fraudulent Billing And Kickback Practices (July 23, 2020), https://www.justice.gov/usao-sdny/pr/acting-manhattan-us-attorney-announces-49-million-settlement-biotech-testing-company.
[14] See Press Release, Office of Pub. Affairs, U.S. Dep’t of Justice, Indivior Solutions Pleads Guilty To Felony Charge And Indivior Entities Agree To Pay $600 Million To Resolve Criminal And Civil Investigations As Part Of DOJ’s Largest Opioid Resolution (July 24, 2020), https://www.justice.gov/opa/pr/indivior-solutions-pleads-guilty-felony-charge-and-indivior-entities-agree-pay-600-million.
[15] See Press Release, U.S. Atty’s Office for the Dist. of N.J., Pharmaceutical Company Agrees to Pay $3.5 Million to Resolve Allegations of Violating False Claims Act (July 28, 2020), https://www.justice.gov/usao-nj/pr/pharmaceutical-company-agrees-pay-35-million-resolve-allegations-violating-false-claims.
[16] See Press Release, U.S. Atty’s Office for the E. Dist. of N.Y., New York Hospice Provider Settles Civil Healthcare Fraud Allegations (Aug. 19, 2020), https://www.justice.gov/usao-edny/pr/new-york-hospice-provider-settles-civil-healthcare-fraud-allegations.
[17] See Press Release, Office of Pub. Affairs, U.S. Dep’t of Justice, DUSA Pharmaceuticals To Pay U.S. $20.75 Million To Settle False Claims Act Allegations Relating To Promotion Of Unsupported Drug Administration Process (Aug. 24, 2020), https://www.justice.gov/opa/pr/dusa-pharmaceuticals-pay-us-2075-million-settle-false-claims-act-allegations-relating.
[18] See Press Release, Office of Pub. Affairs, U.S. Dep’t of Justice, West Virginia Hospital Agrees To Pay $50 Million To Settle Allegations Concerning Improper Compensation To Referring Physicians (Sept. 9, 2020), https://www.justice.gov/opa/pr/west-virginia-hospital-agrees-pay-50-million-settle-allegations-concerning-improper.
[19] See Press Release, Office of Pub. Affairs, U.S. Dep’t of Justice, William M. Kelly, M.D., Inc And Omega Imaging, Inc. Agree To Pay $5 Million To Resolve Alleged False Claims For Unsupervised And Unaccredited Radiology Services (Sept. 9, 2020), https://www.justice.gov/opa/pr/william-m-kelly-md-inc-and-omega-imaging-inc-agree-pay-5-million-resolve-alleged-false-claims.
[20] See Press Release, Office of Pub. Affairs, U.S. Dep’t of Justice, The Scripps Research Institute To Pay $10 Million To Settle False Claims Act Allegations Related To Mischarging NIH-Sponsored Research Grants (Sept. 11, 2020), https://www.justice.gov/opa/pr/scripps-research-institute-pay-10-million-settle-false-claims-act-allegations-related.
[21] See Press Release, U.S. Atty’s Office for the S. Dist. of N.Y., Acting Manhattan U.S. Attorney Announces $11.5 Million Settlement With Biotech Testing Company For Fraudulent Billing And Kickback Practices (Sept. 22, 2020), https://www.justice.gov/usao-sdny/pr/acting-manhattan-us-attorney-announces-115-million-settlement-biotech-testing-company.
[22] See Press Release, Office of Pub. Affairs, U.S. Dep’t of Justice, Gilead Agrees To Pay $97 Million To Resolve Alleged False Claims Act Liability For Paying Kickbacks (Sept. 23, 2020), https://www.justice.gov/opa/pr/gilead-agrees-pay-97-million-resolve-alleged-false-claims-act-liability-paying-kickbacks.
[23] See Press Release, Office of Pub. Affairs, U.S. Dep’t of Justice, Lakeway Regional Medical Center LLC And Co-Defendants Agree To Pay Over $15.3 Million To Resolve Allegations They Fraudulently Obtained Government-Insured Loan And Misused Loan Funds (Sept. 28, 2020), https://www.justice.gov/opa/pr/lakeway-regional-medical-center-llc-and-co-defendants-agree-pay-over-153-million-resolve.
[24] See Press Release, Office of Pub. Affairs, U.S. Dep’t of Justice, Medical Device Maker Merit Medical To Pay $18 Million To Settle Allegations Of Improper Payments To Physicians (Oct. 14, 2020), https://www.justice.gov/opa/pr/medical-device-maker-merit-medical-pay-18-million-settle-allegations-improper-payments.
[25] See Press Release, Office of Pub. Affairs, U.S. Dep’t of Justice, Justice Department Announces Global Resolution of Criminal and Civil Investigations with Opioid Manufacturer Purdue Pharma and Civil Settlement with Members of the Sackler Family (Oct. 21, 2020), https://www.justice.gov/opa/pr/justice-department-announces-global-resolution-criminal-and-civil-investigations-opioid.
[26] See Press Release, Office of Pub. Affairs, U.S. Dep’t of Justice, Medtronic to Pay Over $9.2 Million To Settle Allegations of Improper Payments to South Dakota Neurosurgeon (Oct. 29, 2020), https://www.justice.gov/opa/pr/medtronic-pay-over-92-million-settle-allegations-improper-payments-south-dakota-neurosurgeon.
[27] See Press Release, Office of Pub. Affairs, U.S. Dep’t of Justice, Medicare Advantage Provider to Pay $6.3 Million to Settle False Claims Act Allegations (Nov. 16, 2020), https://www.justice.gov/opa/pr/medicare-advantage-provider-pay-63-million-settle-false-claims-act-allegations.
[28] See Press Release, U.S. Atty’s Office for the E. Dist. of Pa., Former Owners of Therakos, Inc. Pay $11.5 Million to Resolve False Claims Act Allegations of Promotion of Drug-Device System for Unapproved Uses to Pediatric Patients (Nov. 19, 2020), https://www.justice.gov/usao-edpa/pr/former-owners-therakos-inc-pay-115-million-resolve-false-claims-act-allegations.
[29] See Press Release, Office of Pub. Affairs, U.S. Dep’t of Justice, Home Health Agency and Former Owner to Pay $5.8 Million to Settle False Claims Act Allegations (Nov. 20, 2020), https://www.justice.gov/opa/pr/home-health-agency-and-former-owner-pay-58-million-settle-false-claims-act-allegations.
[30] See Press Release, Office of Pub. Affairs, U.S. Dep’t of Justice, Biogen Agrees To Pay $22 Million To Resolve Alleged False Claims Act Liability For Paying Kickbacks (Dec. 17, 2020), https://www.justice.gov/opa/pr/biogen-agrees-pay-22-million-resolve-alleged-false-claims-act-liability-paying-kickbacks.
[31] See Press Release, U.S. Atty’s Office for the E. Dist. of Mich., CWD Holdings To Pay $8 Million To Resolve False Claims Act Allegations Relating To Unpaid Import Duties (July 22, 2020), https://www.justice.gov/usao-edmi/pr/cwd-holdings-pay-8-million-resolve-false-claims-act-allegations-relating-unpaid-import.
[32] See Press Release, U.S. Atty’s Office for the E. Dist. of Va., CDM Smith and CDM Federal Programs Agrees to $5.6 Million Settlement (Aug. 31, 2020), https://www.justice.gov/usao-edva/pr/cdm-smith-and-cdm-federal-programs-agrees-56-million-settlement.
[33] See Press Release, Office of Pub. Affairs, U.S. Dep’t of Justice, Asphalt Contractor To Pay $4.25 Million To Settle Claims That It Misled The Government As To The Materials Used To Pave Road (Sept. 10, 2020), https://www.justice.gov/opa/pr/asphalt-contractor-pay-425-million-settle-claims-it-misled-government-materials-used-pave.
[34] See Press Release, Office of Pub. Affairs, U.S. Dep’t of Justice, Quantadyn Corporation And Owner Settle False Claims Act Allegations of Bribery To Obtain Government Contracts For Simulators (Sept. 15, 2020), https://www.justice.gov/opa/pr/quantadyn-corporation-and-owner-settle-false-claims-act-allegations-bribery-obtain-government.
[35] See Press Release, U.S. Atty’s Office for the E. Dist. of Wash., Bechtel & Aecom, U.S. Department of Energy (DOE) Contractors, Agree to Pay $57.75 Million to Resolve Claims of Time Charging Fraud at Doe’s Hanford Waste Treatment Plant (Sept. 22, 2020), https://www.justice.gov/usao-edwa/pr/bechtel-aecom-us-department-energy-doe-contractors-agree-pay-5775-million-resolve-0.
[36] See Press Release, Office of Pub. Affairs, U.S. Dep’t of Justice, Illinois-Based Charter School Management Company To Pay $4.5 Million To Settle Claims Relating To E-Rate Contracts (Nov. 3, 2020), https://www.justice.gov/opa/pr/illinois-based-charter-school-management-company-pay-45-million-settle-claims-relating-e-rate.
[37] See Press Release, Office of Pub. Affairs, U.S. Dep’t of Justice, Federal Contractor Agrees to Pay $18.98 Million for Alleged False Claims Act Caused by Overcharges and Unqualified Labor (Nov. 20, 2020), https://www.justice.gov/opa/pr/federal-contractor-agrees-pay-1898-million-alleged-false-claims-act-caused-overcharges-and.
[38] See Press Release, Office of Pub. Affairs, U.S. Dep’t of Justice, Workrite Companies to Pay $7.1 Million to Settle Alleged Furniture Overcharges (Dec. 3, 2020), https://www.justice.gov/opa/pr/workrite-companies-pay-71-million-settle-alleged-furniture-overcharges.
[39] See Press Release, U.S. Atty’s Office for the Dist. of Vt., Government Contractor Admits Scheme to Inflate Costs on Federal Projects and Pays $11 Million to Resolve Criminal and Civil Probes (Dec. 17, 2020), https://www.justice.gov/usao-vt/pr/government-contractor-admits-scheme-inflate-costs-federal-projects-and-pays-11-million.
[40] See Gibson, Dunn, & Crutcher LLP, Emergency Federal Measures to Combat Coronavirus (Mar. 18, 2020), https://www.gibsondunn.com/emergency-federal-measures-to-combat-coronavirus/.
[41] Consolidated Appropriations Act, 2021, Pub. L. No. 116-159, 116th Cong. (2019-2020).
[42] Build Back Better, President-elect Biden Announces American Rescue Plan (Jan. 14, 2021), https://buildbackbetter.gov/wp-content/uploads/2021/01/COVID_Relief-Package-Fact-Sheet.pdf.
[43] Senator Chuck Grassley, Prepared Floor Remarks by U.S. Senator Chuck Grassley of Iowa
Celebrating Whistleblower Appreciation Day (Jul. 30, 2020), https://www.grassley.senate.gov/news/news-releases/grassley-celebrating-whistleblower-appreciation-day.
[44] United States v. Mark Schena, Indictment (Jun. 8, 2020), https://www.justice.gov/opa/press-release/file/1283931/download.
[45] U.S. Dep’t of Justice, Principal Deputy Assistant Attorney General Ethan P. Davis delivers remarks on the False Claims Act at the U.S. Chamber of Commerce’s Institute for Legal Reform (June 26, 2020), https://www.justice.gov/civil/speech/principal-deputy-assistant-attorney-general-ethan-p-davis-delivers-remarks-false-claims.
[46] State False Claims Act Reviews, Dep’t of Health & Human Servs.–Office of Inspector Gen., https://oig.hhs.gov/fraud/state-false-claims-act-reviews/index.asp.
[47] Id.
[48] Id.
[49] Id.
[50] National Whistleblower Center, The False Claims Act, https://www.whistleblowers.org/protect-the-false-claims-act/.
[51] DC B23-0035, 23d Council (2019-2020), https://lims.dccouncil.us/Legislation/B23-0035.
[52] See D.C. Code § 2-381.02(a) (2013).
[53] See D.C. Code § 2-381.02(d) (2013) (stating that “[t]his section shall not apply to claims, records, or statements made pursuant to those portions of Title 47 of the District of Columbia Official Code that refer or relate to taxation”).
[54] N.Y. State Fin. Law section § 189; 740 Ill. Comp. Stat. 175/3(c).
[55] See HB 2352 Pennsylvania General Assembly Bill Information (2019-2020), here.
[56] Id.
[57] Id.
[58] Id.
[59] Id.; Press Release, Penn. State Rep. Seth Grove, House Advances Amended Grove Bill to Protect Small Businesses and Combat Fraud (Sept. 30, 2020), http://www.repgrove.com/News/18371/Latest-News/House-Advances-Amended-Grove-Bill-to-Protect-Small-Businesses-and-Combat-Fraud.
[60] Universal Health Servs. v. United States ex rel. Escobar, 136 S. Ct. 1989, 2002 (2016).
[61] See AB-1270 False Claims Act, California Legislative Information (2019-2020), https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201920200AB1270.
[62] Id.
[63] See AB-2570 False Claims Act, California Legislative Information (2019-2020) http://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201920200AB2570.
The following Gibson Dunn lawyers assisted in the preparation of this article: John Partridge, James Zelenay, Jonathan Phillips, Ryan Bergsieker, Sean Twomey, Reid Rector, Allison Chapin, Michael Dziuban, Jasper Hicks, Julie Hamilton and Eva Michaels.
Gibson Dunn lawyers regularly counsel clients on the False Claims Act issues. Please feel free to contact the Gibson Dunn lawyer with whom you usually work, the authors, or any of the following members of the firm’s False Claims Act/Qui Tam Defense Group:
Washington, D.C.
F. Joseph Warin (+1 202-887-3609, [email protected])
Joseph D. West (+1 202-955-8658, [email protected])
Andrew S. Tulumello (+1 202-955-8657, [email protected])
Karen L. Manos (+1 202-955-8536, [email protected])
Jonathan M. Phillips (+1 202-887-3546, [email protected])
Geoffrey M. Sigler (+1 202-887-3752, [email protected])
New York
Zainab N. Ahmad (+1 212-351-2609, [email protected])
Matthew L. Biben (+1 212-351-6300, [email protected])
Reed Brodsky (+1 212-351-5334, [email protected])
Alexander H. Southwell (+1 212-351-3981, [email protected])
Denver
Robert C. Blume (+1 303-298-5758, [email protected])
Monica K. Loseman (+1 303-298-5784, [email protected])
John D.W. Partridge (+1 303-298-5931, [email protected])
Ryan T. Bergsieker (+1 303-298-5774, [email protected])
Dallas
Robert C. Walters (+1 214-698-3114, [email protected])
Los Angeles
Nicola T. Hanna (+1 213-229-7269, [email protected])
Timothy J. Hatch (+1 213-229-7368, [email protected])
James L. Zelenay Jr. (+1 213-229-7449, [email protected])
Deborah L. Stein (+1 213-229-7164, [email protected])
Palo Alto
Benjamin Wagner (+1 650-849-5395, [email protected])
San Francisco
Charles J. Stevens (+1 415-393-8391, [email protected])
Winston Y. Chan (+1 415-393-8362, [email protected])
© 2021 Gibson, Dunn & Crutcher LLP
Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.
Washington, D.C. partner M. Kendall Day and Los Angeles associate Chris Jones are the authors of “New federal anti-money laundering law could affect your company,” [PDF] published by the Daily Journal on January 20, 2021.
The year 2020 was marked by robust FCPA enforcement and record-setting corporate fines and penalties. Join our panelists for an in-depth discussion of the FCPA and other domestic and international anti-corruption enforcement, litigation, and policy developments from 2020, as well as the trends we see from this activity.
View Slides (PDF)
PANELISTS:
F. Joseph Warin is Co-Chair of Gibson Dunn’s global White Collar Defense and Investigations Practice Group, and he is chair of the Washington, D.C. office’s 200-person Litigation Department. Mr. Warin is ranked annually in the top-tier by Chambers USA, Chambers Global, and Chambers Latin America for his FCPA, fraud and corporate investigations experience. Mr. Warin has handled cases and investigations in more than 40 states and dozens of countries involving federal regulatory inquiries, criminal investigations and cross-border inquiries by international enforcers, including UK’s SFO and FCA, and government regulators in Germany, Switzerland, Hong Kong, and the Middle East. He has served as a compliance monitor or counsel to the compliance monitor in three separate FCPA monitorships, pursuant to settlements with the SEC and DOJ.
Patrick Stokes is a litigation partner in the Washington, D.C. office, where his practice focuses on internal corporate investigations and enforcement actions regarding corruption, securities fraud, and financial institutions fraud. Mr. Stokes is ranked nationally and globally by Chambers USA and Chambers Global as a leading attorney in FCPA. Prior to joining the firm, Mr. Stokes headed the DOJ’s FCPA Unit, managing the FCPA enforcement program and all criminal FCPA matters throughout the United States covering every significant business sector. Previously, he served as Co-Chief of the DOJ’s Securities and Financial Fraud Unit.
John W.F. Chesley is a partner in the Washington, D.C. office. Mr. Chesley has been recognized repeatedly recognized for his white collar defense work by Global Investigations Review’s “40 Under 40,” as well as Law 360’s “Rising Stars”. He represents corporations, audit committees, and executives in internal investigations and before government agencies in matters involving the FCPA, procurement fraud, environmental crimes, securities violations, antitrust violations, and whistleblower claims. He also litigates government contracts disputes in federal courts and administrative tribunals.
Christopher W.H. Sullivan is of counsel in the Washington D.C. office and a member of the White Collar Defense and Investigations Practice Group. Mr. Sullivan has significant experience representing clients in government investigations and compliance monitorships, including FCPA, False Claims Act, and OFAC matters, before the Department of Justice, Securities and Exchange Commission, and other enforcement authorities. Mr. Sullivan held a leadership role in a major FCPA compliance monitorship, has counseled several companies in connection with navigating compliance monitorships, and he regularly conducts training for in-house compliance professionals.
Ella Alves Capone is a senior associate in the Washington, D.C. office, where she is a member of the White Collar Defense and Investigations and Anti-Money Laundering practice groups. Her practice focuses primarily in the areas of white collar criminal defense, corporate compliance, and securities litigation. Ms. Capone regularly conducts internal investigations and advises multinational corporations and financial institutions, including major banks and casinos, on compliance with anti-corruption and anti-money laundering laws and regulations.
MCLE CREDIT INFORMATION:
This program has been approved for credit in accordance with the requirements of the New York State Continuing Legal Education Board for a maximum of 2.0 credit hours, of which 2.0 credit hours may be applied toward the areas of professional practice requirement.
This course is approved for transitional/non-transitional credit. Attorneys seeking New York credit must obtain an Affirmation Form prior to watching the archived version of this webcast. Please contact [email protected] to request the MCLE form.
Gibson, Dunn & Crutcher LLP certifies that this activity has been approved for MCLE credit by the State Bar of California in the amount of 2.0 hours.
California attorneys may claim “self-study” credit for viewing the archived version of this webcast. No certificate of attendance is required for California “self-study” credit.
For more than forty years, California’s Density Bonus Law (Government Code Section 65915 et seq.) has been a mechanism to encourage developers to incorporate affordable units within a residential project in exchange for density bonuses and relief from other base development standards. Effective as of January 1, 2021, Assembly Bill 2345 (“AB 2345”) amends the Density Bonus Law to expand and enhance development incentives for projects with affordable and senior housing components. AB 2345 is modeled after the City of San Diego’s Affordable Homes Bonus Program, and is intended to be another tool to address the state’s ongoing housing crisis.
Under the Density Bonus Law, developers are entitled to a density bonus corresponding to specified percentages of units set aside for very low income, low-income, or moderate-income households. Prior to 2021, the Density Bonus Law permitted a maximum density bonus of thirty-five percent (35%) for a housing development in which (a) at least eleven percent (11%) of the total units are for very low income households, (b) at least twenty percent (20%) of the total units are for low income households, or (c) at least forty percent (40%) of the total for-sale units are for moderate income households.
AB 2345 amends the Density Bonus Law to increase the maximum density bonus from thirty-five percent (35%) to fifty percent (50%). To be eligible for the maximum bonus, a project must set aside at least (i) fifteen percent (15%) of total units for very low income households, (ii) twenty-four percent (24%) of total units for low income households, or (iii) forty-four percent (44%) of for-sale units for moderate income households. Levels of bonus density between thirty-five percent (35%) and fifty percent (50%) are granted on a sliding scale.
|
Maximum Density Bonus Tiers | ||
|
Pre-2021 Density Bonus Law |
AB 2345 Amendments | |
|
Very Low Income |
35% bonus for 11% set aside |
50% bonus for 15% set aside |
|
Low Income |
35% bonus for 20% set aside |
50% bonus for 24% set aside |
|
Moderate Income |
35% bonus for 40%* reserve |
50% bonus for 44%* reserve |
|
*For-sale units only | ||
As a state-level regulation, projects satisfying the requirements of the Density Bonus Law are eligible for the corresponding bonus notwithstanding potential resistance to densification efforts at the local level. Further, as localities continue to adopt inclusionary housing requirements, it is important to note that units required pursuant to a local inclusionary zoning ordinance also qualify as affordable units for purposes of meeting the requirements on the Density Bonus Law.
In addition to the density bonuses outlined above, projects satisfying the requirements of the Density Bonus Law are entitled to one or more development incentives or concessions that will result in identifiable and actual cost reductions to provide for affordable housing costs, so long as the incentive or concession will not have specific unmitigable adverse impacts upon public health and safety, the physical environment or on historic properties, and the incentive or concession is not contrary to state or federal law. The local approving government has the burden of proof in defending the denial of a requested concession or incentive. These additional incentives or concessions could include any of the following:
- A reduction in site development standards or a modification of zoning or architectural design requirements that exceed minimum building standards approved by the California Building Standards Commission (e.g. a reduction in setback and square footage requirements);
- Approval of mixed-use zoning; or
- Any other regulatory incentives or concessions that would result in identifiable and actual cost reductions. The number of incentives or concessions to which a project is entitled is based on the percentage of affordable units set aside. AB 2345 amends the Density Bonus Law to decrease the set aside requirement for low income households as shown in the table below.
|
Incentives and Concessions Tiers | |||
|
Number Entitled |
Very Low Income |
Low Income |
Moderate Income |
|
1 |
5% |
10% |
10% |
|
2 |
10% |
20% → 17% |
20%** |
|
3 |
15% |
30% → 24% |
30%** |
|
** applies to a common interest development, as defined in Section 4100 of the Civil Code | |||
In addition to the incentives and concessions summarized above, a local government is prohibited from applying any development standard that would physically preclude construction of the development with the density bonus and incentives and concessions to which the project is entitled.
Further, the Density Bonus Law provides that, upon a developer’s request, a locality must utilize state-mandated parking ratios (inclusive of handicapped and guest parking) for qualifying projects. AB 2345 amends these parking ratios to decrease requirements for two and three bedroom units, as shown in the table below.
|
Maximum Parking Requirements | |
|
Rooms |
Number of spaces required |
|
Studio / 1 bedroom |
1 space |
|
2 bedroom / 3 bedroom |
2 space → 1.5 space |
|
4 bedroom |
2.5 space |
Finally, AB 2345 amends the Density Bonus Law to provide local governments discretion to grant additional waivers or reductions in development standards for projects located within a one-half mile radius of a major transit stop and provide further reduced parking standards for eligible residential projects that (i) provide unobstructed access to a major transit stop or (ii) are restricted to for-rent housing for individuals who are 62 years of age or older with paratransit service or unobstructed access to a fixed bus route that operates at least eight (8) times per day.
Gibson Dunn’s lawyers are available to assist with any questions you may have regarding these issues. For additional information on these recent changes to the Density Bonus Law, please contact any member of the firm’s Real Estate or Land Use practice groups, or the following authors:
Doug Champion – Los Angeles (+1 213-229-7128, [email protected])
Amy Forbes – Los Angeles (+1 213-229-7151, [email protected])
Ben Saltsman – Los Angeles (+1 213-229-7480, [email protected])
Lauren Traina – Los Angeles ( +1 213-229-7951, [email protected])
Matthew Saria – Los Angeles (+1 213-229-7988, [email protected])
© 2021 Gibson, Dunn & Crutcher LLP
Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.
Introduction
In December 2020, California Attorney General Xavier Becerra was announced to be President-Elect Joseph R. Biden, Jr.’s pick to lead the Department of Health and Human Services. The California Attorney General’s Office is the second largest Justice Department in the United States, second only to the U.S. Department of Justice, and California Attorney General Xavier Becerra was the first Latino Attorney General in California’s history. Before becoming the Attorney General of California, Becerra had a 24-year career in the U.S. House of Representatives.[1] In 2017, Governor Jerry Brown appointed Becerra to the last two years of Kamala Harris’s term as Attorney General, after she won election to the United States Senate. Now, Governor Gavin Newsom will appoint a successor to complete the remaining two years of Becerra’s term, assuming he is confirmed by the U.S. Senate.[2]
In his time as California’s Attorney General, Becerra investigated and brought lawsuits against businesses across a wide range of industries, products, and practices, including over-the-counter medications, alleged wire fraud scams, for-profit colleges, alleged opioid abuse, oil and gas mergers, and contracting practices in the healthcare field.[3] Since winning his first statewide election at the end of 2018, AG Becerra and his Office have been particularly active in the following areas: antitrust, privacy, environmental, and consumer protection, and his Office’s stated priorities have also included the opioid epidemic, gun control and public safety, and challenging the Trump administration. Gibson Dunn provides this January 2021 end-of-term update summarizing the most significant recent work of AG Becerra’s elected term in office, and providing some initial thoughts about how his successor will deploy the Office’s resources in 2021 and beyond as California finds a new partner in the incoming Biden Administration.
Antitrust
AG Becerra’s antitrust section has investigated, litigated, and entered into settlements of multiple cases involving major healthcare and technology companies and generic drug manufacturers, and sought to enforce California’s primary antitrust statute (the Cartwright Act) and the Unfair Competition Law.
Healthcare Mergers
The California Department of Justice monitors and regulates healthcare mergers within California. AG Becerra highlighted this area in a recent tweet paired with the conditional approval of a merger between two hospitals in Los Angeles County, emphasizing his view that, “[a]s our hospital systems get bigger by affiliating with one another, it is critical that they continue to provide quality services at affordable prices to the families that count on them in times of crisis.”[4] In October 2019, the California Department of Justice issued a letter denying a proposed partnership between Adventist System/West and St. Joseph Health System on the grounds that the merger might increase costs or limit access to health care services.[5] Similarly, in August 2020, AG Becerra announced a settlement with Verity Health System of California, Inc., and Prime Healthcare Services, Inc., that imposed additional conditions on the sale of St. Francis Medical Center in Los Angeles.[6] The settlement required Prime to provide additional funding for charity care and community benefit services.[7] Aiming to expand his authority in this sphere, AG Becerra also supported SB 977, which would expand the Attorney General’s authority to review certain transactions, such as acquisitions or change-of-control transactions, involving health care facilities.[8] The bill, which has already passed the state Senate, also authorizes the Attorney General to file civil suits to slow hospital mergers under certain circumstances.
Sutter Health
This longstanding case, along with the parallel class action lawsuit on behalf of self-managed healthcare plans, against Sutter Health was announced to have reached a settlement on December 19, 2020.[9] Under the terms of the settlement, Sutter Health would pay $575 million to the plaintiff class and agreed to end practices that the private plaintiffs and California Attorney General alleged stifled competition, such as all-or-nothing contracting deals and patient steering practices. Sutter would also be required to limit what it charged patients for out-of-network services, increase its transparency on pricing information, and limit the bundling of certain services. A provision within the settlement required that a monitor be established to ensure Sutter abide by the settlement terms. In June 2020, Sutter Health attempted to delay final approval of the settlement due to catastrophic losses stemming from the COVID-19 pandemic.[10] On July 9, 2020, the court ultimately denied Sutter’s motion to delay the final settlement hearing, which would take place in August. As of the publishing of this alert, the court had rejected the proposed settlement and sent the proposal back to the parties in order to select a monitor with a more diverse background. This case is just one of the many now being handled by AG Becerra’s new Healthcare Rights and Access Section, which is charged with increasing and protecting the affordability, accessibility, and quality of healthcare in the State of California including healthcare and prescription drug marketing, nonprofit healthcare transactions, alleged violations of antitrust laws in the healthcare context, and healthcare privacy and healthcare civil rights, such as reproductive rights and LGBTQ healthcare-related rights.
This year, in July 2020, it was reported that the Office had launched an antitrust investigation into Google—and had declined to join in either of the two ongoing investigations involving 48 other state attorneys general.[11] The investigation follows both the ongoing state AG investigations as well as other publicly announced investigations by federal prosecutors and Congressional subcommittees. On July 11, 2020, AG Becerra filed to join the Department of Justice’s antitrust suit against Google, which alleges that Google violated antitrust laws by entering into exclusionary business agreements that shut out competitors and suppressed innovation.[12]
While the various investigations have not concluded, this recent action may signal the Office’s further interest in policing alleged anticompetitive conduct under novel interpretations of the Cartwright Act and Unfair Competition Law.
Generic Drugs
AG Becerra reached settlement agreements with three pharmaceutical companies (Teva, Endo, and Teikoku) for allegedly entering into so-called “pay-for-delay agreements,” wherein brand-name drug companies compensate generic drug manufacturers for not introducing a generic version of a brand-name drug for some period of time in order to avoid unnecessary and burdensome litigation costs.[13] In addition to these alleged “pay for delay” and other price fixing conspiracies,[14] AG Becerra was instrumental in pushing through AB 824, which was signed into law by Governor Newsom in October 2019. The law increases antitrust scrutiny of patent settlement agreements between branded and generic pharmaceutical manufacturers. Not only does the law cover the traditional “pay-for-delay” agreement under the Hatch-Waxman Act, but it also covers settlements brought under the Biologics Price Competition and Innovation Act (BPCIA). The California Attorney General’s Office is granted specific enforcement capabilities under the new law but has yet to bring any enforcement action under AB 824. It has been reported that AG Becerra is investigating various pharmaceutical companies over a multitude of drugs.
For more information on AB 824, please find a detailed client alert prepared by Gibson Dunn here.
T-Mobile/Sprint Merger
Last year, AG Becerra, along with New York Attorney General Letitia James, led a coalition of fourteen states that unsuccessfully sued to enjoin the merger between T-Mobile and Sprint.[15] The trial was an uphill battle as the Department of Justice and the Federal Communications Commission approved the proposed merger, with qualifications, before the trial started. As part of the efforts to gain the federal government’s approval to the merger, T-Mobile and Sprint agreed to set up satellite TV company Dish as a new cellular competitor. The coalition of states, however, argued this was not an adequate replacement for Sprint. Additionally, the state AGs alleged that the merger would harm consumers by reducing competition in the shrinking wireless telecommunications market and result in higher prices and/or reduced services.[16] Ultimately, a New York federal judge disagreed with the states and allowed the merger to close.[17] Under previously agreed-to settlement terms with various states that individually settled, T-Mobile agreed to reimburse the state-led working group $15 million and agreed to provide various consumer benefits such as freezing prices in California for five years and offering free internet and Wi-Fi hot spots to low-income households.
In a statement made after the defense verdict was announced, one of the attorneys from the California Attorney General’s Office stated that moving forward, the Office may not “put too much faith in the economics,” noting that she believed the decision did not consider the complicated economic theory and models put forth by the States.[18] “The economics went out the window, so anyone that comes in to talk to [the California Attorney General] needs more than just an economic story.”[19]
Employment
The Office appeared as an amicus in support of employees in labor actions. In Bernstein v. Virgin America, Inc., the district court awarded a class of flight attendants $77 million.[20] The court found that Virgin America was subject to California’s labor laws, both as to work done in California and based on employment policies decided from Virgin’s California headquarters, and that the plaintiff flight attendants had been undercompensated.[21] (Virgin’s meal break policy was not centralized, so meal break violations that happened outside California were not covered.) The Office appeared when Virgin appealed to the Ninth Circuit. The Office’s amicus brief in support of the flight attendants focused on California’s state labor policy and laws and argued that certain aspects of California’s labor laws are not preempted by federal law. Although the Ninth Circuit has not yet issued its decision in this case, it offers yet another example of how AG Becerra, apart from his enforcement authority, inserted himself into private litigation to advance a regulatory agenda.
AG Becerra, however, has not limited himself to amicus briefs. Recently, the Office became involved in litigation related to employee classification. In December 2019, AG Becerra announced an $800,000 settlement with Infosys stemming out of allegations that Infosys claimed that some of its foreign workers were covered by B-1 visas as opposed to H-1B visas.[22] H-1B visas, unlike B-1 visas, are subject to payroll taxes and require employers to pay workers at the prevailing local wage. The suit, brought under both California’s False Claims Act and Unfair Competition Law, demonstrated the range of legal approaches that AG Becerra has been willing to deploy, by seeking to enforce California’s labor laws even though such laws are primarily the province of the Labor Commissioner.
AG Becerra also moved to enforce AB 5, a recently enacted California statute that codifies the so-called “ABC test” for determining whether a worker is an employee or an independent contractor.[23] On May 5, 2020, the Office, along with the City Attorneys of Los Angeles, San Diego, and San Francisco, filed suit against rideshare companies, alleging violations of both California’s Unfair Competition Law and the Labor Code, even though Labor Code enforcement is traditionally the province of the Labor Commissioner.[24] Becerra sought injunctive relief under AB 5, seeking reclassification of rideshare drivers as employees and not independent contractors.[25] Becerra also sought restitution for drivers and civil penalties for alleged violations under the Unfair Competition Law.
Despite these enforcement efforts, California voters overwhelmingly approved Proposition 22 in the November election, passing it by the largest margin of any ballot initiative that year. Proposition 22 exempts app-based workers from AB 5 and definitively classifies them as independent contractors so long as basic guarantees of driver independence are satisfied. Proposition 22 can be seen as a rebuke of the Attorney General and City Attorneys’ attempt to stifle worker independence, and the outcome of the Office’s and City Attorneys’ suit may serve as a bellwether for future enforcement as to workers who do not fall within the Prop 22 exemption. If AG Becerra’s successor succeeds in using the Unfair Competition Law to enforce Labor Code provisions he lacks authority to directly enforce, this may signal more aggressive enforcement of the labor laws in the future, including the provisions of Prop 22.
Beyond AB 5, AG Becerra also obtained several employment-related settlements. In March 2020, he, along with other state attorneys general, announced three agreements with Burger King, Popeyes, and Tim Hortons in which they agreed to stop including “no-poach” provisions in their U.S. franchise agreements.[26] These follow similar settlements with Arby’s, Dunkin’, Five Guys, and Little Caesars in 2019,[27] and were part of AG Becerra’s attack on non-competes and similar agreements.[28]
Environmental
Shortly after winning election, in 2018 AG Becerra announced the creation of an Environmental Justice Bureau within the Environment Section of the California Department of Justice.[29] Charged with “protect[ing] people and communities that endure a disproportionate share of environmental pollution and public health hazards,” the Bureau launched investigations and actions seeking to recover damages for and abatement of alleged violations, including allegedly contaminated drinking water, purported exposure to lead and other toxins in the environment and consumer products, and claimed discharges to air and water.
In addition to the Office’s wide-ranging challenges to Trump administration environmental policies, AG Becerra coordinated with local district and city attorneys to secure a settlement with Autozone over allegations of improper waste disposal.[30] The settlement required Autozone to submit to a range of audits of its trash receptacles, prohibited unlawful waste, and required payment of $11 million to dozens of district attorneys’ offices throughout the state, including nearly a million dollars directly to his own Office.[31]
AG Becerra also lent the support of his Office to municipalities’ ongoing lawsuits against energy companies through his amicus submissions. In March 2019, the Office filed an amicus brief in the Ninth Circuit supporting Oakland and San Francisco in their suit against several major energy companies.[32] Oakland and San Francisco had sued the defendant energy companies for alleged injuries from sea-level rise induced by global warming. Opposing federal removal, the Office’s brief emphasized the need for state courts to be able to adjudicate climate-change related claims brought by state political subdivisions.[33] Similarly in July 2020, the Office filed a brief in support of an Oakland ordinance prohibiting the storage and handling of coal and petroleum coke within city limits.[34] The Office brief claimed broad authority of the State and municipalities to regulate activities that may contribute to climate change.[35] While his Office supported these suits, the Attorney General did not bring any such suits himself.
False Claims Act
Under AG Becerra, the Office’s False Claims Unit has investigated and prosecuted alleged overcharges by private companies to State agencies and pension funds, with some actions dating back more than a decade. One area of particular False Claims Act focus over the past decade, which continued during AG Becerra’s term, has been the recovery of investment losses suffered by California’s public pension funds during the 2008 financial crisis. In December 2017, AG Becerra announced a $120 million settlement with Royal Bank of Scotland (RBS), over alleged misrepresentations about residential mortgage-backed securities sold to California’s public employee and teacher pension funds.[36] In April 2019, the Office announced a $150 million settlement with Morgan Stanley for allegedly failing to provide adequate disclosures for mortgage-backed securities sold to those same pensions from 2003 to 2007.[37] The Office has pursued other pension-related False Claims Act cases, including a recent $7 million settlement with HSBC for alleged foreign currency trading overcharges to the California Public Employees Retirement System (CalPERS) in 2008 and 2009.[38] The Office has also participated in multi-state and federal Medicaid-related False Claims Act cases, including most recently a $40 million dollar nationwide settlement with Apria Healthcare over Medicaid reimbursements for ventilation machines that allegedly were unnecessary.[39]
Other recent settlements include a $102 million settlement with BP Energy Company over alleged natural gas contract overcharges dating from 2003 to 2012, which originated as a qui tam suit brought by a former employee and in which the Office intervened[40]; and a $4 million settlement with VMware for alleged overcharges to the State and local governments for information technology software spanning a period of six years.[41] Finally, AG Becerra has been a vocal supporter of legislation that would broaden the scope of the False Claims Act. In 2019 and 2020, he sponsored legislation that would have expanded the statute to cover tax fraud—creating a whole new class of claims for which private plaintiffs could profit through qui tam actions and for which the Attorney General could obtain treble damages and civil penalties. Each attempt to date has failed to pass in the Legislature despite Democratic majorities in both the Assembly and the Senate, due to significant concerns about creating financial incentives for private plaintiffs to file predatory qui tam lawsuits against unsuspecting businesses, and the potentially devastating financial cost associated with responding to even frivolous claims. Nevertheless, the bills’ author, Assembly Member Mark Stone, is expected to continue to attempt to expand the statute to cover tax claims.[42]
Healthcare
In addition to the Office’s activity regulating healthcare mergers and alleged price-fixing agreements discussed above, AG Becerra obtained substantial awards based on allegedly deceptive marketing of certain health care products. In January 2019, AG Becerra announced a $120 million nationwide settlement—of which California will receive $8 million—with Johnson & Johnson related to purported misrepresentations as to the effectiveness and safety of hip implants devices.[43] In November 2019, the Office (along with the Los Angeles District Attorney and Los Angeles County Counsel) filed suit against JUUL Labs, for allegedly marketing and selling electronic cigarettes to minors.[44] And, in January 2020, the Office secured a $344 million judgment after a trial against Johnson & Johnson for deceptive marketing related to its pelvic mesh for women.[45]
Along the same lines, in late 2017, numerous pharmaceutical companies announced in public filings that the California Attorney General’s Office, along with other state attorneys general and federal prosecuting and enforcement agencies, were investigating the pricing and sales of insulin, which had increased in price over the preceding decade.[46] AG Becerra also recently announced a $11.8 million settlement with Novartis Pharmaceuticals, covering alleged violations of California’s False Claims Act as well as the federal False Claims Act and Anti-Kickback Statute related to the provision of various drugs to Medicare and Medi-Cal patients.[47]
Privacy and Cybersecurity
The Attorney General’s Office has long been active in investigating and prosecuting companies for data breaches that exposed consumers’ personally identifiable information. For example, over the last two years, the Office has announced various multi-million dollar settlements arising out of data breaches, including against large health insurance and retail companies for allegedly failing to maintain adequate data security measures.[48] In September 2020, the Attorney General’s Office also secured a settlement against an app developer in which no breach was alleged, but in which the design of the app was alleged to pose risks to the personal information of app users.[49]
During this time period, California’s privacy landscape also witnessed a sea change with the passage of two recent statutes: the California Consumer Privacy Act (“CCPA”), which went into effect on January 1, 2020 (and which the California Attorney General has been empowered to enforce as of July 1, 2020),[50] and the California Privacy Rights Act (“CPRA”), which California’s voters approved in the November 2020 general election. AG Becerra and his Office stand to play a pivotal role in their enforcement in the coming years.
Even before it was empowered to enforce the CCPA, the Office was vested with the duty under that statute to draft its implementing regulations—essentially, creating the regulations it would then enforce. The Office announced on June 1, 2020 that those regulations had been submitted to the California Office of Administrative Law,[51] which issued the final text of the regulations on August 14, 2020. At that time, the final regulations became enforceable.[52] To execute its enforcement power, the Office has the authority to bring a civil action for any violation of the CCPA, and can seek to impose civil penalties of up to $2,500 per violation or $7,500 per intentional violation (or violation involving a minor’s personal information). Beyond reports of compliance letters being issued by the Office, to date, no enforcement actions have been brought by the Office under the CCPA.
The CPRA is an initiative statute that was placed on the November 3, 2020 ballot and was passed by the voters. The CPRA amends the CCPA to clarify and broaden it, and imposes a January 1, 2023 deadline for businesses to come into compliance with the new CPRA provisions.[53] The Office preserves its authority to issue CCPA regulations during part of the time period before CPRA takes effect, until a new privacy agency, the California Privacy Protection Agency (“CPPA”)—the first enforcement agency in the United States focused solely on privacy—would be formed with its own rulemaking authority.[54] While the composition of the CPPA has not yet been announced, it is likely that at least some of its staff will come from the California Attorney General’s Office. The Office will continue to be tasked with enforcing the CCPA until January 1, 2023, at which time the California Privacy Protection Agency and the Office will have parallel authority to enforce the CPRA (CPPA from an administrative enforcement standpoint, and the Office maintaining its civil action enforcement authority). The CPRA contains various additional provisions governing the two enforcement bodies’ interactions and detailing their enforcement powers.
For more information on the CCPA or the CPRA, find Gibson Dunn Client Alerts here, here, and here.
Looking Forward Into 2021 and Beyond
California’s Constitution provides that the Governor fills any vacancy in the office of the Attorney General, to complete the remainder of the existing term, by nominating a candidate who must be confirmed by a majority of the state Assembly and state Senate.[55] Unlike other statewide offices such as Secretary of State, the Attorney General must be admitted to the California Bar, and for at least five years immediately preceding his or her appointment or election to that Office.[56] Numerous potential candidates have been named, and we expect Governor Newsom to consider carefully Becerra’s replacement as one piece of the larger reshuffling of California’s highest elected offices, which includes the appointment of Secretary of State Alex Padilla to replace Vice-President-Elect Harris in the U.S. Senate, and the appointment of Assemblywoman Shirley Weber to replace Padilla in his prior role. It is likely that Governor Newsom will announce his choice for Attorney General once Becerra is confirmed by the U.S. Senate.
Regardless of who Governor Newsom appoints to replace AG Becerra, we expect the next two years to look directionally similar to Becerra’s term. The incoming Biden Administration (including AG Becerra himself at the helm of the Department of Health and Human Services) will undoubtedly result in a shift in the Attorney General’s priorities. We expect to see litigation against the federal government to take a back burner as the Biden Administration rolls-back and ceases enforcement of Trump-era policies, and implements new policies that are more aligned with California’s elected officeholders. We also expect to see the Attorney General partner with federal agencies, including the Department of Justice, Federal Trade Commission, Environmental Protection Agency, and Consumer Financial Protection Bureau on various initiatives. As a result, the change in the occupant at the White House will likely shift the Attorney General’s focus away from challenging federal actions and toward greater litigation against private actors within California. The Office’s aggressive enforcement positions on antitrust, consumer protection, environmental, and labor issues, for example, are unlikely to change in the coming months and will require that companies pay careful attention to the incoming statements and actions of the new Attorney General—including the potential reshuffling of the Office’s senior leadership. The Office will likely continue to look for and seize upon opportunities in a broad range of areas.
______________________
[1] https://xavierbecerra.com/about/
[2] Numerous candidates have been mentioned in media reports as to possible replacements, and the potential field remains wide open. As of mid-January 2021, some of the reported potential candidates include Assembly member Rob Bonta, Contra Costa County District Attorney Diana Becton, San Francisco City Attorney Dennis Herrera, and California Supreme Court Justice Goodwin Liu.
[4] @AGBecerra, Twitter, https://twitter.com/AGBecerra/status/1337180686810148867 (Dec. 10, 2020).
[5] Press Release, Cal. Attorney General, California Department of Justice Denies Transaction between Adventist Health and St. Joseph Health Systems (Oct. 31, 2019), available at https://oag.ca.gov/news/press-releases/california-department-justice-denies-transaction-between-adventist-health-and-st.
[6] Press Release, Cal. Attorney General, Attorney General Becerra Reaches Settlement with Verity Health on Conditions of Transfer of St. Francis Medical Center (Aug. 14, 2020), available at https://oag.ca.gov/news/press-releases/attorney-general-becerra-reaches-settlement-verity-health-conditions-transfer-st.
[7] In re Verity Health Sys. of Cal., Inc., No. 2:18-bk-20151-ER (C.D. Cal. Aug. 31, 2020) (Stipulation).
[8] Press Release, Cal. Attorney General, Attorney General Becerra and Senator Monning Announce That Legislation to Reduce Healthcare Costs, Increase Access to Affordable Care Passes Senate Health Committee (May 13, 2020), available at https://oag.ca.gov/news/press-releases/attorney-general-becerra-and-senator-monning-announce-legislation-reduce.
[9] Lesley Stahl, 60 Minutes, How a Hospital System Grew to Gain Market Power and Drove Up California Health Care Costs (December 13, 2020), available at https://www.cbsnews.com/news/california-sutter-health-hospital-chain-high-prices-lawsuit-60-minutes-2020-12-13/.
[10] Robert King, Fierce Healthcare, Sutter Health Seeks Delay of $575M Settlement to Assess Impact of COVID-19 (June 17, 2020), available at https://www.fiercehealthcare.com/hospitals/sutter-health-seeks-delay-575m-settlement-to-assess-impact-covid-19.
[11] Leah Nylen, Politico, California Investigating Google for Potential Antitrust Violations (July 9, 2020), available at https://www.politico.com/news/2020/07/09/california-google-anti-trust-investigation-355710.
[12] Press Release, Cal. Attorney General, Attorney General Becerra Moves to Join Federal Lawsuit Against Google for Anticompetitive Actions (December 11, 2020), available at https://oag.ca.gov/news/press-releases/attorney-general-becerra-moves-join-federal-lawsuit-against-google.
[13] Press Release, Cal. Attorney General, Attorney General Becerra Secures Nearly $70 Million against Several Drug Companies for Delaying Competition and Increasing Drug Prices (July 29, 2019), available at https://oag.ca.gov/news/press-releases/attorney-general-becerra-secures-nearly-70-million-against-several-drug.
[14] See Press Release, Cal. Attorney General, Attorney General Becerra Joins Price-Fixing Lawsuit Against Six Drug Companies (March 1, 2017), available at https://oag.ca.gov/news/press-releases/attorney-general-becerra-joins-price-fixing-lawsuit-against-six-drug-companies.
[15] State of New York et al. v. Deutsche Telekom AG et al., No. 1:19-cv-05434 (June 11, 2019 S.D.N.Y.)
[16] Id. (Complaint) at Dkt. 2.
[17] Id. (Complaint) at Dkt. 410.
[18] Matthew Perlman, Law360, Calif. Enforcer Sees Less Focus On Economics After T-Mobile (Sept. 10, 2020), available at https://www.law360.com/articles/1308930/calif-enforcer-sees-less-focus-on-economics-after-t-mobile.
[20] Bernstein v. Virgin America, Inc., No. 15-cv-02277-JST, Doc. No. 365 (N.D. Cal. Jan. 16, 2019).
[21] Bernstein v. Virgin America, Inc., No. 15-cv-02277-JST, Doc. No. 97 (N.D. Cal. Jan. 5, 2017).
[22] Press Release, Cal. Attorney General, Attorney General Becerra Announces $800,000 Settlement Against Infosys for Misclassification of Foreign Workers and Tax Fraud (Dec. 17, 2019), available at https://oag.ca.gov/news/press-releases/attorney-general-becerra-announces-800000-settlement-against-infosys.
[23] Pursuant to AB5, Labor Code § 2750.3(a)(1) was amended to read:
[A] person providing labor or services for remuneration shall be considered an employee rather than an independent contractor unless the hiring entity demonstrates that all of the following conditions are satisfied:
(A) The person is free from the control and direction of the hiring entity in connection with the performance of the work, both under the contract for the performance of the work and in fact.
(B) The person performs work that is outside the usual course of the hiring entity’s business.
(C) The person is customarily engaged in an independently established trade, occupation, or business of the same nature as that involved in the work performed.
[24] People v. Uber Techs., Inc., No. CGC-20-584402 (Cal. Super. Ct., S.F. Cty. May 5, 2020) (Complaint).
[26] Press Release, Cal. Attorney General, Attorney General Becerra Announces Multistate Settlements to Block “No-Poach” Contract Provisions That Harm Fast Food Workers (Mar. 2, 2020), available at https://oag.ca.gov/news/press-releases/attorney-general-becerra-announces-multistate-settlements-block-%E2%80%9Cno-poach%E2%80%9D.
[27] Press Release, Cal. Attorney General, Attorney General Becerra Announces Multistate Settlements Targeting “No-Poach” Policies that Harm Workers (Mar. 12, 2019), available at https://oag.ca.gov/news/press-releases/attorney-general-becerra-announces-multistate-settlements-targeting-%E2%80%9Cno-poach%E2%80%9D.
[28] Press Release, Cal. Attorney General, Attorney General Becerra Calls for Nationwide Ban on Non-Compete Agreements, Reminds Businesses of Existing Prohibition in California (Nov. 15, 2019), available at https://oag.ca.gov/news/press-releases/attorney-general-becerra-calls-nationwide-ban-non-compete-agreements-reminds.
[29] Press Release, Cal. Attorney General, Attorney General Becerra Establishes Bureau of Environmental Justice (Feb. 22, 2018), available at https://oag.ca.gov/news/press-releases/attorney-general-becerra-establishes-bureau-environmental-justice.
[30] Press Release, Cal. Attorney General, Attorney General Becerra Announces $11 Million Settlement Against Autozone for Illegal Disposal of Hazardous Waste Statewide (June 18, 2019), available at https://oag.ca.gov/news/press-releases/attorney-general-becerra-announces-11-million-settlement-against-autozone.
[31] California v. Autozone, Inc., No. RG19019395 (Cal. Super. Ct., Alameda Cty. June 18, 2019) (Final Judgment and Permanent Injunction on Consent).
[32] Press Release, Cal. Attorney General, Attorney General Becerra Filed Brief in Support of Lawsuit by Oakland and San Francisco Communities to Hold Oil and Coal Companies Accountable for Costs of Sea-Level Rise (Mar. 20, 2019), available at https://oag.ca.gov/news/press-releases/attorney-general-becerra-files-brief-support-lawsuit-oakland-and-san-francisco.
[33] City of Oakland v. BP P.L.C., No. 18-16663 (9th Cir. Mar. 20, 2019) (Brief of Amici Curiae States of California, Connecticut, Maryland, Minnesota, New Jersey, New York, Oregon, Rhode Island, Vermont, and Washington, and the District of Columbia).
[34] Press Release, Cal. Attorney General, Attorney General Becerra Files Brief in Support of Oakland’s Authority to Protect Environmental Justice Communities (July 20, 2020), available at https://oag.ca.gov/news/press-releases/attorney-general-becerra-files-amicus-brief-support-oaklands-authority-protect.
[35] City of Oakland v. Oakland Bulk & Oversized Terminal, LLC, No. 18-16105 (9th Cir. July 20, 2020) (Brief of the State of California as Amicus Curiae)
[36] Press Release, Cal. Attorney General, Attorney General Xavier Becerra Announces $125 Million Settlement Against Royal Bank of Scotland For Misleading California’s Pension Funds (Dec. 22, 2017), available at https://oag.ca.gov/news/press-releases/attorney-general-xavier-becerra-announces-125-million-settlement-against-royal.
[37] Press Release, Cal. Attorney General, Attorney General Becerra Announces $150 Million Settlement Against Morgan Stanley for Misleading California’s Teachers and Workers with Pensions (April 25, 2019), available at https://oag.ca.gov/news/press-releases/attorney-general-becerra-announces-150-million-settlement-against-morgan-stanley.
[38] Press Release, Cal. Attorney General, Attorney General Becerra Announces $7 Million Settlement Against Multinational Bank HSBC for Overcharging CalPERS on Foreign Exchange Transactions (Sept. 24, 2020), available at https://oag.ca.gov/news/press-releases/attorney-general-becerra-announces-7-million-settlement-against-multinational.
[39] Press Release, Cal. Attorney General, Attorney General Becerra Announces $40 Million Nationwide Settlement with Apria Healthcare (January 22, 2021), available at https://oag.ca.gov/news/press-releases/attorney-general-becerra-announces-40-million-nationwide-settlement-apria.
[40] Press Release, Cal. Attorney General, Attorney General Becerra: BP Energy Company Pays $102 Million in Settlement for Overcharging Californians for Natural Gas (Jan. 11, 2018), available at https://oag.ca.gov/news/press-releases/attorney-general-becerra-bp-energy-company-pays-102-million-settlement.
[41] Press Release, Cal. Attorney General, Attorney General Becerra Announces Settlement Against Cloud Software Manufacturer VMware for Overcharging California (Oct. 23, 2020), available here.
[42] See AB 2570 False Claims Act (2019-2020), California Legislative Information, available here; AB 1270 False Claims Act (2019-2020), California Legislative Information, available at https://leginfo.legislature.ca.gov/faces/billStatusClient.xhtml?bill_id=201920200AB1270.
[43] Press Release, Cal. Attorney General, Attorney General Becerra Announces $120 Million Settlement against Johnson & Johnson for Deceptive Marketing of Hip Replacement Products (Jan. 21, 2019), available at https://oag.ca.gov/news/press-releases/attorney-general-becerra-announces-120-million-settlement-against-johnson.
[44] Press Release, Cal. Attorney General, Attorney General Becerra and Los Angeles Leaders Announce Lawsuit Against JUUL for Deceptive Marketing Practices Targeting Underage Californians and Endangering Users of Its Vaping Products (Nov. 18, 2019), available at https://oag.ca.gov/news/press-releases/attorney-general-becerra-and-los-angeles-leaders-announce-lawsuit-against-juul.
[45] Press Release, Cal. Attorney General, Attorney General Becerra Secures nearly $344 Million Judgment Against Johnson & Johnson for Endangering Patients through Deceptive Marketing of Pelvic Mesh Products (Jan. 30. 2020), available at https://oag.ca.gov/news/press-releases/attorney-general-becerra-secures-nearly-344-million-judgment-against-johnson.
[46] See, e.g., Sarah Jane Tribble, Kaiser Health News, Business Insider, States Are Investigating Drug Companies And Middlemen Involved In The Pricing Of A Key Diabetes Medicine (Oct. 30, 2017), available at https://www.businessinsider.com/federal-and-state-probes-target-insulin-drugmakers-and-middlemen-2017-10.
[47] See, e.g., Press Release, Cal. Attorney General, Attorney General Becerra Announces $11.8 Million Settlement Against Novartis Pharmaceuticals (Sept. 14, 2020), available here; Press Release, Cal. Attorney General, Attorney General Becerra Announces $17.5 Million Settlement Against Home Depot Over Credit Card Data Breach (November 24, 2020), available at https://oag.ca.gov/news/press-releases/attorney-general-becerra-announces-175-million-settlement-against-home-depot; Press Release, Cal. Attorney General, Attorney General Becerra Recovers Over $1 Million for California from Premera Blue Cross Health Records Data Breach (July 11, 2019), available at https://oag.ca.gov/news/press-releases/attorney-general-becerra-recovers-over-1-million-california-premera-blue-cross.
[48] Press Release, Cal. Attorney General, Attorney General Becerra Announces $8.69 Million Settlement Against Anthem, Inc., Over Failure to Protect Patients’ Personal Data (Sept. 30, 2020), available at https://oag.ca.gov/news/press-releases/attorney-general-becerra-announces-869-million-settlement-against-anthem-inc; Press Release, Cal. Attorney General, Attorney General Becerra Recovers Over $1 Million for California from Premera Blue Cross Health Records Data Breach (July 11, 2019), available at https://oag.ca.gov/news/press-releases/attorney-general-becerra-recovers-over-1-million-california-premera-blue-cross.
[49] Press Release, Cal. Attorney General, Attorney General Becerra Announces Landmark Settlement Against Glow, Inc. – Fertility App risks Exposing Millions of Women’s Personal and Medical Information (September 17, 2020), available at https://oag.ca.gov/news/press-releases/attorney-general-becerra-announces-landmark-settlement-against-glow-inc-%E2%80%93.
[51] Cal. Attorney General, CCPA Regulations, available at https://www.oag.ca.gov/privacy/ccpa/regs.
[53] Cal. Secretary of State, Official Voter Information Guide, Proposition 24, available at https://voterguide.sos.ca.gov/propositions/24/.
[55] Cal. Const. Art. V, Sec. 5, subd. (b).
[56] Gov’t Code, § 12503. The Attorney General must also be a registered voter (Elections Code § 201), not been convicted of certain felonies (Elections Code § 20), and not already subject to term limits (Cal. Const. Art. V, Sec. 1).
The following Gibson Dunn lawyers assisted in the preparation of this client update: Victoria Weatherford, Abiel Garcia, Jacob Arber, Winston Chan, Benjamin Wagner, Alexander Southwell, Rachel Brass, Eric Vandevelde, Ryan Bergsieker, Cassandra Gaedt-Sheckter, and Katherine Warren Martin.
Gibson Dunn’s lawyers are available to assist with any questions you may have regarding these developments. For additional information, please feel free to contact the Gibson Dunn lawyer with whom you usually work, the authors, or the following lawyers in the firm’s White Collar Defense and Investigations Practice Group with significant experience with the California Attorney General’s Office:
San Francisco
Rachel S. Brass – San Francisco (+1 415-393-8293, [email protected])
Winston Y. Chan – San Francisco (+1 415-393-8362, [email protected])
Charles J. Stevens – San Francisco (+1 415-393-8391, [email protected])
Michael Li-Ming Wong – San Francisco (+1 415-393-8234, [email protected])
Victoria L. Weatherford – San Francisco (+1 415-393-8265, [email protected])
Palo Alto
Benjamin Wagner – Palo Alto (+1 650-849-5395, [email protected])
Cassandra L. Gaedt-Sheckter – Palo Alto (+1 650-849-5203, [email protected])
Los Angeles
Nicola T. Hanna – Los Angeles (+1 213-229-7269, [email protected])
Debra Wong Yang – Los Angeles (+1 213-229-7472, [email protected])
Michael M. Farhang – Los Angeles (+1 213-229-7005, [email protected])
Douglas Fuchs – Los Angeles (+1 213-229-7605, [email protected])
Eric D. Vandevelde – Los Angeles (+1 213-229-7186, [email protected])
James L. Zelenay Jr. – Los Angeles (+1 213-229-7449, [email protected])
New York
Alexander H. Southwell – New York (+1 212-351-3981, [email protected])
Denver
Ryan T. Bergsieker – Denver (+1 303-298-5774, [email protected])
© 2021 Gibson, Dunn & Crutcher LLP
Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.
On January 13, 2021, the Office of the Comptroller of the Currency (“OCC”) conditionally approved the charter conversion application for Anchorage Trust Company (“Anchorage”), permitting Anchorage to become a national trust bank.[1] This is the first approval by the OCC of a virtual currency firm’s becoming a federally regulated banking institution and demonstrates the ongoing leadership that the OCC has shown with respect to virtual currency issues.
Although this development is significant in and of itself, the Anchorage approval relies on a new OCC Chief Counsel’s Interpretation, released as OCC Interpretive Letter 1176,[2] that substantially increases the trust powers of national banks, making them a more attractive business model generally and particularly for fintech firms. This Client Alert discusses these developments.
I. The Anchorage Approval – Virtual Currency Activities Are Permissible Fiduciary Activities under the National Bank Act
The OCC’s approval order affirms that the following virtual currency activities, which were fiduciary in nature under the law of Anchorage’s home state, South Dakota, are permissible under the National Bank Act:
- Fiduciary custody of digital assets.
- Custody of cash deposits (Anchorage holds such deposits at FDIC-insured banks, in omnibus accounts for its clients).
- Providing on-chain governance services allowing Anchorage clients to participate in the governance of the underlying protocols on which their virtual assets operate.
- Via an affiliate or otherwise, operating validator nodes, providing staking as a service, and providing clients the ability to delegate staking to third-party validators.
- Settling transactions facilitated by its affiliates, other third-party brokers, and clients. Clients or their brokers may direct Anchorage Trust to receive digital assets into and to transfer digital assets out of their vaults from and to external accounts or digital asset addresses controlled by third parties, including but not limited to transfers made in connection with the settlement of a purchase or sale of digital assets.[3]
Tellingly, the OCC did not discuss each of these activities as fiduciary activities under its applicable regulation, 12 C.F.R. Part 9. Part 9 defines “fiduciary capacity” as follows:
Fiduciary capacity means: trustee, executor, administrator, registrar of stocks and bonds, transfer agent, guardian, assignee, receiver, or custodian under a uniform gifts to minors act; investment adviser, if the bank receives a fee for its investment advice; any capacity in which the bank possesses investment discretion on behalf of another; or any other similar capacity that the OCC authorizes pursuant to 12 U.S.C.§ 92a.
12 C.F.R. § 9.2(e).
Relying on Section 9.2(e) would have required analogies to have been drawn to the specific activities in that section. Rather than making such analogies, the approval order notes simply that “since ADB-NA will continue performing the current activities of Anchorage Trust, in a manner authorized by South Dakota law for a state trust company, ADB-NA will be a national bank whose operations are those of a trust company and activities related thereto. Accordingly, ADB-NA’s activities are permissible pursuant to the plain terms of 12 U.S.C. § 27(a).”[4]
II. New Expansion of National Bank Fiduciary Powers
12 U.S.C. § 27(a), which was enacted in 1978 in reaction to a federal district court case that called into question the propriety of the OCC’s chartering a non-depository trust bank under the National Bank Act, states that “[a] National Bank Association . . . is not illegally constituted solely because its operations are or have been required by the Comptroller of the Currency to be limited to those of a trust company and activities related thereto.”[5]
Section 27(a) thus clearly authorizes national trust banks. However, notwithstanding an apparently clear statutory command that national bank fiduciary powers include “any other fiduciary capacity in which State banks, trust companies, or other corporations which come into competition with national banks are permitted to act under the laws of the State in which the national bank is located,” 12 U.S.C. § 92a, the OCC has traditionally not exercised its legal authority to the full extent under that statute. Rather, as Interpretive Letter 1176 states, a prior OCC interpretation had required that the OCC look to state law “to determine whether a fiduciary capacity of national bank is permissible [only] after the activity is determined to be ‘fiduciary’ within the meaning of 12 U.S.C. § 92a.”[6]
Interpretive Letter No. 1176 reverses this at least 37-year-old position. For the OCC to use Section 92a’s so-called “bootstrap provision” and determine that an activity that a state’s law regards as being performed in a fiduciary capacity is a fiduciary capacity for purposes of 12 U.S.C § 92a, the OCC must determine that a national bank is engaging in the relevant activity, role, or function consistent with the parameters provided for in the relevant state law to the same extent as a state bank to qualify as a fiduciary capacity. This will make conversions of state trust companies much easier as a powers matter.
This new interpretation accords not only with the plain language of Section 92a, but also with its legislative history, when the relevant provision was added to the Federal Reserve Act in 1918.[7] As an example, under the New York Banking Law in 1918, a national bank was prohibited by state law from acting as a fiscal and paying agent in New York,[8] even though doing so was a permissible fiduciary activity for a New York state-chartered trust company. Section 92a was enacted to level this playing field.
III. Confirmation That National Trust Banks Are Not Limited to Performing Primarily in a Fiduciary Capacity and May Exercise Banking Powers
In addition, Interpretive Letter 1176 confirms that national trust banks may perform other national bank activities permitted under 12 U.S.C. § 24(SEVENTH), and, indeed, that fiduciary activities need not be their primary business activity: “ A national bank that only performs one fiduciary capacity under 12 U.S.C § 92a would need trust powers. Conversely, there is also no requirement that a national trust bank chartered under 12 U.S.C. § 27(a) perform primarily in a fiduciary capacity.”[9]
This confirmation – of what is clearly the case under the National Bank Act – is an important one. National trust banks are clearly authorized by Congress under 12 U.S.C. § 27(a), and they not “banks” within the meaning of the Bank Holding Company Act.
The OCC’s confirmation means that as long as a national trust bank has a valid fiduciary business, it may engage in a traditional bank power such as lending, with all of the preemption benefits of a national charter, without concern over whether such activities are beyond the OCC’s authority to permit as a matter of statutory interpretation.
IV. Confirmation That Certain State Trust Company Activities May Be Permissible for National Banks under Traditional Banking Powers
Interpretive Letter 1176 also confirms that the OCC may find that an activity of a state-chartered trust company is permissible under 12 U.S.C. § 24(Seventh), which permits national banks may engage in the business of banking and activities incidental to the business of banking.
When determining whether an activity is part of the business of banking, the OCC considers the following factors under 12 C.F.R. § 7.5001(c)(1):
- Whether the activity is the functional equivalent to, or a logical outgrowth of, a recognized banking activity;
- Whether the activity strengthens the bank by benefiting its customers or its business;
- Whether the activity involves risks similar in nature to those already assumed by banks; and
- Whether the activity is authorized for state-chartered banks.
The OCC stated that, given the fourth factor, “an activity permitted for state trust banks may be part of the business of banking under the authority of 12 U.S.C. § 24(Seventh) for national banks if the activity is authorized for state-chartered banks, and the OCC is satisfied that the remaining three factors are also sufficiently met.”[10]
V. Conclusion
The Anchorage approval came at the end of Brian Brooks’ tenure as Acting Comptroller of the Currency. It is another sign of the OCC’s leadership on virtual currency issues and Acting Comptroller Brooks’ pushing at the boundaries of the National Bank Act to facilitate innovation in financial services. In this case, the expansion of the national trust bank fiduciary and banking powers is well grounded in federal statutory law, and should benefit numerous companies, including fintech companies, that are seeking to benefit from a federal charter.
Gibson Dunn has extensive experience with the issues related to national trust bank chartering and would be pleased to discuss them with you.
____________________
[1] https://www.occ.treas.gov/news-issuances/news-releases/2021/nr-occ-2021-6a.pdf.
[2] https://occ.gov/topics/charters-and-licensing/interpretations-and-actions/2021/int1176.pdf.
[3] OCC Conditional Approval, Application by Anchorage Trust Company to Convert to a National Trust Bank (January 13, 2021).
[6] Interpretive Letter No. 1176, OCC Chief Counsel’s Interpretation on National Trust Banks (January 11, 2021) (emphasis added) (citing OCC Interpretive Letter No. 265, reprinted in [1983-1984 Transfer Binder] Fed. Banking L. Rep. (CCP) ¶ 85,429 (July 14, 1983)). Interpretive Letter 1176 states that Interpretive Letter 265’s position on this issue is superseded.
[7] Walter S. Logan, “Amendments to the Federal Reserve Act,” The Annals of the American Academy of Political and Social Science, Vol. 99, The Federal Reserve System – Its Purpose and Work (January 1922), pp. 114-121. The authority over national bank fiduciary powers was transferred from the Federal Reserve Board to the OCC in 1962.
[8] New York Banking Law, § 223 (1918) (currently, Section 131 of the New York Banking Law).
[9] Interpretive Letter No. 1176, OCC Chief Counsel’s Interpretation on National Trust Banks (January 11, 2021).
Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments. Please contact the Gibson Dunn lawyer with whom you usually work in the firm’s Financial Institutions or Derivatives practice groups, or the following authors:
Arthur S. Long – New York (+1 212-351-2426, [email protected])
Jeffrey L. Steiner – Washington, D.C. (+1 202-887-3632, [email protected])
Please also feel free to contact the following practice group leaders and members:
Matthew L. Biben – New York (+1 212-351-6300, [email protected])
Michael D. Bopp – Washington, D.C. (+1 202-955-8256, [email protected])
Stephanie Brooker – Washington, D.C. (+1 202-887-3502, [email protected])
M. Kendall Day – Washington, D.C. (+1 202-955-8220, [email protected])
Mylan L. Denerstein – New York (+1 212-351- 3850, [email protected])
Michelle M. Kirschner – London (+44 (0) 20 7071 4212, [email protected])
Benjamin B. Wagner – Palo Alto (+1 650-849-5395, [email protected])
© 2020 Gibson, Dunn & Crutcher LLP
Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.
Our year-end 2020 report provides an update on the application of Article III in class and other complex litigation. First, we discuss the significance of the Supreme Court’s recent grant of certiorari in TransUnion LLC v. Ramirez, No. 20-297, __ S. Ct. __, 2020 WL 7366280 (U.S. Dec. 16, 2020), which concerns the propriety of certifying class actions with uninjured class members.
Second, we review recent cases in which courts have continued to grapple with issues of Article III standing in the wake of Spokeo, Inc. v. Robins, 136 S. Ct. 1540 (2016), often reaching divergent conclusions in similar cases involving claims under consumer credit, privacy, and related laws.
I. The Supreme Court Will Resolve Whether Uninjured Class Members Can Be Part of a Certified Class Action
On December 16, 2020, the Supreme Court granted certiorari in TransUnion LLC v. Ramirez to resolve a very important class action issue that has split the federal courts of appeals for years: “whether either Article III or Rule 23 permits a damages class action where the vast majority of the class suffered no actual injury, let alone an injury anything like what the class representative suffered.”
In Ramirez, the plaintiff asserted that TransUnion violated the Fair Credit Reporting Act (FCRA) by inaccurately labelling class members as potential terrorists, drug traffickers, and other threats to national security on their consumer credit reports. See Ramirez v. TransUnion LLC, 951 F.3d 1008, 1017 (9th Cir. 2020). After a jury awarded $60 million in damages, TransUnion appealed, arguing that the verdict “cannot stand because only Sergio Ramirez, the representative plaintiff, suffered a concrete and particularized injury as a result of TransUnion’s unlawful practice.” Id.
As discussed in a prior update, the Ninth Circuit agreed with TransUnion on this point and held that “each member of a class certified under Rule 23 must satisfy the bare minimum of Article III standing at the final judgment stage of a class action in order to recover monetary damages in federal court.” Id. at 1023. Citing Chief Justice Roberts’s observation that “‘Article III does not give federal courts the power to order relief to any uninjured plaintiff, class action or not,’” the Ninth Circuit reasoned that a contrary rule would “transform the class action—a mere procedural device—into a vehicle for individuals to obtain money judgments in federal court even though they could not show sufficient injury to recover those judgments individually.” Id. at 1023–24 (quoting Tyson Foods, Inc. v. Bouaphakeo, 136 S. Ct. 1036, 1053 (2016) (Roberts, C.J., concurring)); see also Castillo v. Bank of Am., NA, 980 F.3d 723, 730 (9th Cir. 2020) (reiterating that a district court has the duty to ensure that any proposed “class is not defined so broadly as to include a great number of members who for some reason could not have been harmed by the defendant’s allegedly unlawful conduct”).
Nonetheless, the Ninth Circuit upheld the verdict upon finding that each class member had Article III standing. Ramirez, 951 F.3d at 1017. The court reasoned that even though plaintiff had stipulated that more than 75% of the absent class members did not have a credit report disseminated to any third party during the class period, FCRA was enacted to protect consumers’ concrete interests and “the fact that TransUnion made the reports available to numerous potential creditors,” along with “the highly sensitive and distressing nature of the [Office of Foreign Assets Control] alerts,” was “sufficient to show a material risk of harm to the concrete interests of all class members.” Id. at 1027.
In a separate opinion, Judge McKeown disagreed with the certification of absent class members’ claims. In particular, she was troubled by the lack of evidence that any absent class members were injured at all: although the named plaintiff and “a limited number of class members” had their “credit report[s] disclosed to third parties, there was no evidence of any harm or damages to remaining class members.” Id. at 1038 (McKeown, J., concurring-in-part and dissenting-in-part). Thus, not only did the named plaintiff’s “stark atypicality as the lone class representative” “strain Rule 23’s typicality requirements,” but the absence of evidence regarding the actual experiences of the absent class members made the “harm as to the bulk of the class … conjectural,” and therefore falling far short of showing a constitutionally cognizable injury. Id. at 1038–40.
The disagreement between the majority panel’s decision in Ramirez and Judge McKeown’s dissent highlights an issue that frequently arises in class litigation: whether and to what extent (including at what stage of the case) absent class members must satisfy Article III standing requirements. Different courts have reached different conclusions on this question. Compare Denney v. Deutsche Bank AG, 443 F.3d 253, 264 (2d Cir. 2006) (“[N]o class may be certified that contains members lacking Article III standing.”), with Kohen v. Pac. Inv. Mgmt. Co., 571 F.3d 672, 676 (7th Cir. 2009) (“[A]s long as one member of a certified class has a plausible claim to have suffered damages, the requirement of standing is satisfied.”). By agreeing to review Ramirez, the Supreme Court will have an opportunity to address this important issue and provide guidance on whether uninjured class members can be part of a certified class action.
II. Courts Continue to Reach Diverging Results on What Constitutes a Concrete Injury Sufficient to Establish Standing Under Spokeo, Inc. v. Robins
As reported in our second quarter 2019 update, in Muransky v. Godiva Chocolatier, Inc., a three-judge panel of the Eleventh Circuit held that a retailer’s failure to truncate a credit card number on a receipt in violation of the Fair and Accurate Credit Transactions Act (FACTA) was sufficient to create standing. 922 F.3d 1175 (11th Cir. 2019). In October 2020, the Eleventh Circuit reversed that decision en banc, holding that a bare procedural violation of FACTA, devoid of any claim of individual injury, is insufficient to confer Article III standing. Muransky v. Godiva Chocolatier, 979 F.3d 917 (11th Cir. 2020) (en banc).
The panel had noted that Congress set forth the remedial procedures in FACTA to minimize a risk of harm to a concrete interest (namely, preventing identity theft), and held that any violation presenting even a marginal risk of harming that interest should be “sufficient to constitute a concrete injury.” 922 F.3d at 1188. The en banc Eleventh Circuit disagreed, and criticized the panel’s standard as essentially adopting a presumption that statutory injury alone can constitute Article III injury, which was what the Supreme Court had rejected in Spokeo. 979 F.3d at 930. Instead, the en banc court focused on whether the violation in question caused actual harm or posed a material risk of harm to the plaintiff.
The en banc court concluded that even though the plaintiff had received a noncompliant receipt that contained his private information, he had not alleged any actual harm more concrete than time spent “safeguarding” his receipt and experiencing a “breach of confidence.” Id. at 931. The court rejected both theories. As for “safeguarding” the receipt, the court noted that under Clapper v. Amnesty International USA, 568 U.S. 398, 416 (2013), self-inflicted harm alone cannot constitute injury under Article III. Id. at 931. As for the “breach of confidence,” the court was skeptical that the analogy to the common law breach of confidence was appropriate, and even if it were, it would require third-party disclosure of private information, and the plaintiff had not alleged that anyone else had seen the receipt. Id. at 931–32.
The Sixth Circuit took a markedly different approach when addressing similar facts in Donovan v. FirstCredit, Inc., 983 F.3d 246 (6th Cir. 2020). The plaintiff alleged that a creditor sent a letter inside an envelope with an envelope window that revealed language describing the plaintiff as a debtor. Id. at 249. The plaintiff sued under the Fair Debt Collection Practices Act’s (FDCPA) provisions regulating the language and symbols debt collectors may employ on envelopes when communicating with consumers, alleging that the letter had violated these provisions by revealing the plaintiff’s status as a debtor. Id.
The Sixth Circuit held that the exposure of information through an envelope window, even if “benign,” created a sufficient risk that the plaintiff’s status as a purported debtor would be disclosed, which established an injury-in-fact under the FDCPA. Id. at 252–53. The court reasoned that because the letter had actually been sent in the mail, and an invasion of privacy is a “harm that has traditionally been regarded as providing a basis for a lawsuit,” the mailing of the letter with the exposed information provided “a degree of risk sufficient to meet the concreteness requirement” under Spokeo. Id. at 253.
The Seventh and Ninth Circuits this past quarter also addressed standing in putative class actions. In Fox v. Dakkota Integrated Systems, LLC, 980 F.3d 1146 (7th Cir. 2020), the Seventh Circuit addressed allegations that the defendant had failed to develop, publicly disclose, and comply with a data-retention schedule and guidelines for the permanent destruction of biometric data under the Illinois Biometric Information Privacy Act (BIPA). In particular, the plaintiff alleged that the defendant had retained her biometric data after her employment ended, in violation of BIPA’s requirements. Id. at 1149.
The Seventh Circuit acknowledged that in a prior related case, it had held that merely alleging the non-disclosure of data-retention and data-destruction policies was insufficient to show injury-in-fact under Article III. Id. at 1153–54 (citing Bryant v. Compass Grp. US, Inc., 958 F.3d 617, 619 (7th Cir. 2020)). But the court noted that in this specific case, the defendant’s alleged failure to disclose those policies had led to an unlawful retention of the plaintiff’s handprint and also to her biometric data being unlawfully shared with a third party. Id. at 1154. Analogizing this unlawful retention of data to the unlawful collection of data (which the court had previously found conferred standing in Bryant), the court reasoned that “the invasion of a legally protected privacy right, though intangible, is personal and real,” and therefore sufficient to plead an injury in fact. Id. at 1155.
The Ninth Circuit addressed standing in McGee v. S-L Snacks National, 982 F.3d 700 (9th Cir. 2020), a putative consumer class action. The plaintiff alleged that she had purchased and consumed defendant’s popcorn containing trans fats, despite the FDA’s determination that trans fats are no longer “generally recognized as safe,” and she brought claims under both California’s Unfair Competition Law and for present and future physical injury from the ingestion of trans fats. Id. at 703. In support of her claim for physical injury, the plaintiff estimated that she had consumed 0.2 grams of trans fats per day, and cited studies showing a link between consuming trans fats and organ damage. Id. at 709.
The Ninth Circuit held that the plaintiff did not have standing to bring claims for her alleged physical injury. Id. at 710. Even though the plaintiff’s cited studies showed a connection between trans fats and organ damage, they did not show that the consumption of trans fats invariably lead to such damage, which is required to establish concrete injury without any individual medical evidence of harm. Id. at 708. As for future injury, the court noted that the plaintiff cited studies involving far greater levels of trans fats consumption, such that the plaintiff had alleged no substantial risk of future health consequences to her. Id. at 710.
The following Gibson Dunn lawyers contributed to this client update: Christopher Chorba, Theane Evangelis, Kahn Scolnick, Bradley Hamburger, Lauren Blas, Jillian London, Wesley Sze, Jessica Pearigen, and Jonathan Haderlein.
Gibson Dunn attorneys are available to assist in addressing any questions you may have regarding these developments. Please contact the Gibson Dunn lawyer with whom you usually work in the firm’s Class Actions or Appellate and Constitutional Law practice groups, or any of the following lawyers:
Theodore J. Boutrous, Jr. – Co-Chair, Litigation Practice Group – Los Angeles (+1 213-229-7000, [email protected])
Christopher Chorba – Co-Chair, Class Actions Practice Group – Los Angeles (+1 213-229-7396, [email protected])
Theane Evangelis – Co-Chair, Class Actions Practice Group – Los Angeles (+1 213-229-7726, [email protected])
Kahn A. Scolnick – Los Angeles (+1 213-229-7656, [email protected])
Bradley J. Hamburger – Los Angeles (+1 213-229-7658, [email protected])
Lauren M. Blas – Los Angeles (+1 213-229-7503, [email protected])
© 2021 Gibson, Dunn & Crutcher LLP
Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.
With the swearing in of a new president and a new Congress, this presentation will explore the policy agenda of the Biden Administration and the legislative agenda of how the 117th Congress could impact the private sector. The presentation will discuss the upcoming Washington agenda, potential roadblocks, and what to expect in the new legislative and regulatory environment. The presentation will highlight the new heads of federal regulatory agencies and powerful congressional committees.
View Slides (PDF)
PANELISTS:
Roscoe Jones Jr., Michael Bopp, Ashley Rogers & Caeli Higney
MCLE CREDIT INFORMATION:
This program has been approved for credit in accordance with the requirements of the New York State Continuing Legal Education Board for a maximum of 1.0 credit hour, of which 1.0 credit hour may be applied toward the areas of professional practice requirement.
This course is approved for transitional/non-transitional credit. Attorneys seeking New York credit must obtain an Affirmation Form prior to watching the archived version of this webcast. Please contact [email protected] to request the MCLE form.
Gibson, Dunn & Crutcher LLP certifies that this activity has been approved for MCLE credit by the State Bar of California in the amount of 1.0 hour.
California attorneys may claim “self-study” credit for viewing the archived version of this webcast. No certificate of attendance is required for California “self-study” credit.
The California Privacy Rights Act (CPRA) was passed in November by California voters and will take effect January 1, 2023. In this webinar, we will walk through the most significant additions and how businesses should consider these changes in light of their current CCPA compliance programs. We will also discuss expectations regarding the new enforcement regime, as well as examine the first year of private litigation under the CCPA and what we expect to see in the coming year.
View Slides (PDF)
PANELISTS:
Cassandra Gaedt-Sheckter, Eric Vandevelde & Jeremy Smith
MCLE CREDIT INFORMATION:
This program has been approved for credit in accordance with the requirements of the New York State Continuing Legal Education Board for a maximum of 1.0 credit hour, of which 1.0 credit hour may be applied toward the areas of professional practice requirement.
This course is approved for transitional/non-transitional credit. Attorneys seeking New York credit must obtain an Affirmation Form prior to watching the archived version of this webcast. Please contact [email protected] to request the MCLE form.
Gibson, Dunn & Crutcher LLP certifies that this activity has been approved for MCLE credit by the State Bar of California in the amount of 1.0 hour.
California attorneys may claim “self-study” credit for viewing the archived version of this webcast. No certificate of attendance is required for California “self-study” credit.
Palo Alto partner H. Mark Lyon and associate Cassandra L. Gaedt-Sheckter and Los Angeles associate Frances A. Waldmann are the authors of “United States: Artificial Intelligence,” [PDF] published in the Global Data Review Insight Handbook 2021 in December 2020.
In the second in the series of three ESG focused webinars, members of the ESG Practice Group of Gibson Dunn’s London and New York offices will provide some insights specifically to address the ESG issues for Private Fund Managers including the following areas:
- Regulatory overview – Global, Europe, UK
- Approach to SFDR and regulatory change
- Engaging with investors, investor reporting and trends
- Integrating ESG into investment processes and portfolio companies
- Sustainability as an asset class
View Slides (PDF)
PANELISTS:
Michelle Kirschner is a Partner in Gibson Dunn’s financial regulatory team. She advises a broad range of financial institutions, including investment managers, integrated investment banks, corporate finance boutiques, private fund managers and private wealth managers at the most senior level. Ms. Kirschner has extensive experience in advising clients on areas such as systems and controls, market abuse, conduct of business and regulatory change management, including MiFID II, MAR and Senior Managers & Certification Regime. Following the EU referendum, she has spent considerable time advising regulated clients in relation to their options for conducting business in / into the EU following Brexit. She has also conducted internal investigations, in particular reviews of corporate governance and systems and controls in the context of EU and UK regulatory requirements and expectations.
Selina Sagayam is a Partner in Gibson Dunn’s international corporate team. Her practice focuses on international corporate finance transactional work, including public and private M&A, joint ventures, international equity capital markets offerings and advisory work focused on corporate governance, shareholder activism and securities law advice. Regarded as one of the leading public M&A advisers in the UK, Ms. Sagayam has advised on hostile, competitive and recommended takeovers. Ms. Sagayam is also noted for her expertise in financial services and regulatory advice. She advises boards and senior management of international corporations, exchanges, regulators, investment banks, and financial sponsors (private equity and hedge funds) on such issues. Her experience as a senior secondee at the UK takeover Panel and also as a non-executive director of a FTSE250 company has positioned her uniquely in her practice area. Ms. Sagayam established and co-chairs the firm’s UK ESG Practice Group.
John Senior is a Partner in the corporate department based in New York. He has extensive experience counselling sponsors on the organisation and operation of private investment funds, including buyout, infrastructure, real estate, natural resources, social impact and venture capital funds; co-investment funds; independent sponsor transactions and investment club programs. He was named a Rising Star for Investment Funds by IFLR1000 (2021). Mr. Senior also advises sponsors on internal partnership arrangements, strategic secondary and spin-out transactions, regulatory compliance and negotiations with service providers.
Chris Hickey is an Associate in the London office and is a member of the firm’s Financial Institutions Practice Group. He advises on a range of UK and EU financial services regulatory matters. This includes the regulatory elements of corporate transactions, regulatory change management and ongoing compliance requirements to which firms are subject. His clients include, among others, private equity firms, institutional asset managers, corporate finance boutiques and investment banks.
Partners Debra Wong Yang, Co-Chair of the Crisis Management Practice Group, and Diana Feinstein, provide an overview of Gibson Dunn’s Crisis Management Practice Group and the firm’s long history of guiding clients through crisis management. James Keshavaraz, Global Wellness Director, will then explain how Gibson Dunn’s Global Wellness Department integrated crisis management principals of adaptation, innovation, and resilience to deliver wellness strategies and activities to our attorneys and staff.
View Slides (PDF)
PANELISTS:
Deb Yang & Diana Feinstein
MCLE CREDIT INFORMATION:
This program has been approved for credit in accordance with the requirements of the New York State Continuing Legal Education Board for a maximum of 1.0 credit hour, of which 1.0 credit hour may be applied toward the areas of professional practice requirement.
This course is approved for transitional/non-transitional credit. Attorneys seeking New York credit must obtain an Affirmation Form prior to watching the archived version of this webcast. Please contact [email protected] to request the MCLE form.
Gibson, Dunn & Crutcher LLP certifies that this activity has been approved for MCLE credit by the State Bar of California in the amount of 1.0 hour.
California attorneys may claim “self-study” credit for viewing the archived version of this webcast. No certificate of attendance is required for California “self-study” credit.
This webcast explores the antitrust policy agenda of the Biden Administration and what legislative reforms to the antitrust laws may be on the horizon under the 117th Congress. Our panelists discuss what the change in administration means for ongoing enforcement efforts and potential new initiatives in both merger and non-merger enforcement. Finally, the webcast covers President Biden’s nominations for leadership positions at the Department of Justice Antitrust Division and the Federal Trade Commission and the impact that those choices will have on antitrust law and enforcement over the next four years.
View Slides (PDF)
PANELISTS:
Rachel S. Brass is a partner in the San Francisco office of Gibson, Dunn & Crutcher and co-chair of the Firm’s Antitrust and Competition Practice Group. She is a member of the firm’s Litigation Department where her practice focuses on investigations and litigation in the antitrust, labor, and employment areas. Ms. Brass has extensive experience representing international and domestic clients in high-stakes appellate litigation in the Supreme Court, as well as Federal and state appellate courts throughout the United States. Her extensive antitrust and competition experience includes litigation and trial of indirect and direct purchaser claims, international cartel matters, mergers and acquisitions, grand jury investigations, and other antitrust investigations by the Federal Trade Commission, United States Department of Justice, European Commission, Canadian Competition Bureau, Korean Fair Trade Commission, Japan Fair Trade Commission and Australian Competition and Consumer Commission, as well as litigation in trial and appellate courts.
Caeli A. Higney is a partner in the San Francisco office of Gibson, Dunn & Crutcher and a member of the firm’s Antitrust and Competition Practice Group. Ms. Higney has experience handling a wide variety of antitrust matters in a broad range of industries, such as semiconductors, consumer electronics, retail food, consumer products, automotive parts, and financial services. She has represented companies before appellate and trial courts in matters alleging a range of antitrust-based claims, including allegations of price fixing, monopolization and attempted monopolization, tying, bundling, exclusive dealing, and refusal to deal.
Richard Parker is a partner in the Washington, D.C. office of Gibson, Dunn & Crutcher and a member of the firm’s Antitrust and Competition Practice Group. Mr. Parker is a leading antitrust lawyer who has successfully represented clients before both enforcement agencies and the courts. As an experienced antitrust trial and regulatory lawyer, Mr. Parker has been involved in many major antitrust representations, including merger clearance cases, cartel matters, class actions, and government civil investigations. He has extensive experience representing clients in matters before the Federal Trade Commission (FTC) and the U.S. Department of Justice Antitrust Division.
MCLE CREDIT INFORMATION:
This program has been approved for credit in accordance with the requirements of the New York State Continuing Legal Education Board for a maximum of 1.0 credit hour, of which 1.0 credit hour may be applied toward the areas of professional practice requirement.
This course is approved for transitional/non-transitional credit. Attorneys seeking New York credit must obtain an Affirmation Form prior to watching the archived version of this webcast. Please contact [email protected] to request the MCLE form.
Gibson, Dunn & Crutcher LLP certifies that this activity has been approved for MCLE credit by the State Bar of California in the amount of 1.0 hour.
California attorneys may claim “self-study” credit for viewing the archived version of this webcast. No certificate of attendance is required for California “self-study” credit.
On January 20, 2021, the inaugural day of the new presidency, the Biden administration issued a series of across-the-board regulatory directives. These directives press pause on federal rulemakings, rescind Trump-era executive orders on the regulatory process, and set a framework for “modernizing” review of regulatory actions.
First, the new administration issued a memorandum freezing rulemakings pending review. Covered agencies are not to “propose or issue” any rule “until a department or agency head appointed or designated” by President Biden “approves the rule,” unless the rule falls into an exception “for emergency situations or other urgent circumstances relating to health, safety, environmental, financial, or national security matters,” as permitted by the Director of the Office of Management and Budget (“OMB”). For rules that have been published in the Federal Register but have not yet taken effect, agencies should consider “postponing the rules’ effective dates for 60 days” and opening a new “30-day comment period” to evaluate the rules further. After the 60-day delay, if a rule raises “substantial questions of fact, law, or policy,” agencies should “take further appropriate action in consultation” with the Director of OMB. This memorandum applies broadly to all “substantive action by an agency” that is anticipated to lead to “a final rule or regulation.” It does not appear to include independent agencies, though there is some ambiguity; while the memorandum is addressed to executive departments and agencies, its definition of “rule” is expansive enough that it could be read to cover actions by independent agencies such as the SEC. Either way, this memorandum will likely cause reconsideration of a wide variety of rules proposed or issued in the final days of the Trump administration.
This memorandum is similar to the regulatory freeze put in place on the first day of the Trump administration four years ago, though there are notable differences. For example, the Trump administration left agencies with no choice but to postpone by 60 days the effective date of any regulations published in the Federal Register that had not yet taken effect. By contrast, and as noted above, the Biden administration’s freeze instructs agencies to “consider” instituting this 60-day delay for such rules, which gives them more flexibility. Even with this added flexibility, it is still expected that many agencies will exercise the option to delay rules.
Second, President Biden issued an Executive Order revoking a number of Trump-era orders on the regulatory process, including:
- Executive Order 13771 “Reducing Regulation and Controlling Regulatory Costs” (Jan. 30, 2017), which created the 2-for-1 rule requiring agencies to repeal two regulations for every one new regulation they issued. This order also established a budgeting process that required agencies to limit the incremental cost of new regulations under supervision of the OMB Director.
- Executive Order 13777 “Enforcing the Regulatory Reform Agenda” (Feb. 24, 2017), which required each agency to designate a Regulatory Reform Officer and establish a Regulatory Reform Task Force to oversee regulatory reform initiatives and recommend regulations to be repealed. The order further required agencies to measure and report their progress in implementing these reforms.
- Executive Order 13875 “Evaluating and Improving the Utility of Federal Advisory Committees” (June 14, 2019), which required each executive department and agency (independent regulatory agencies excepted) to review, reduce, and limit the number of federal advisory committees, terminating at least one-third of these committees by September 30, 2019. The order also capped the government-wide total number of advisory committees at 350.
- Executive Order 13891 “Promoting the Rule of Law Through Improved Agency Guidance Documents” (Oct. 9, 2019), which required agencies to treat guidance documents as “non-binding both in law and in practice,” maintain an online database of all guidance documents, rescind outdated guidance documents, and establish procedures for issuing new guidance documents, including a clear statement of their non-binding effect, opportunities for the public to petition for withdrawal or modification of guidance documents, and a 30-day period of notice and comment for certain significant guidance documents.
- Executive Order 13892 “Promoting the Rule of Law Through Transparency and Fairness in Civil Administrative Enforcement and Adjudication” (Oct. 9, 2019), which limited agencies’ ability to enforce standards of conduct that were not publicly stated or issued in formal rulemakings. It also provided that agencies issuing notices of noncompliance provide an affected party the opportunity to be heard, encouraged “self-reporting of regulatory violations . . . in exchange for reductions or waivers of civil penalties,” and imposed requirements governing administrative inspections and certain statutory obligations.
- Executive Order 13893 “Increasing Government Accountability for Administrative Actions by Reinvigorating Administrative PAYGO” (Oct. 10, 2019), which sought to ensure compliance with the “pay-as-you-go” requirement (“PAYGO”) first adopted in 2005. PAYGO mandates that agencies propose ways to reduce mandatory spending whenever they undertake a discretionary action that would increase mandatory spending. Executive Order 13893 required agencies to submit proposed discretionary actions and proposals for compliance with PAYGO to the OMB Director for review.
In sum, this sweeping order undoes many of the reforms implemented by the Trump administration that were designed to reduce regulatory burdens, cut costs, shrink the size of government, and increase agency transparency.
Third, the Biden Administration issued a memorandum on “Modernizing Regulatory Review,” which instructs the Director of OMB to make “recommendations for improving and modernizing” review of regulations. Such recommendations should provide “concrete suggestions” on how to “promote public health and safety, economic growth, social welfare, racial justice, environmental stewardship, human dignity, equity, and the interests of future generations” in the regulatory process. Specifically, these recommendations should ensure that policies “reflect new developments in scientific and economic understanding,” account for “regulatory benefits that are difficult or impossible to quantify,” and do not cause detrimental “deregulatory effects.” OMB is also instructed to evaluate ways that the Office of Information and Regulatory Affairs (“OIRA”) can partner with agencies to support “regulatory initiatives that are likely to yield significant benefits” and to identify reforms that further the “efficiency” and “transparency” of the interagency review process.
* * * *
We will continue to monitor changes to the regulatory and rulemaking process taken by the new administration and keep you apprised of significant developments.
The following Gibson Dunn lawyers assisted in the preparation of this client update: Helgi C. Walker, Lucas Townsend, Michael Bopp, Jessica Wagner, Matt Gregory, Robert Batista, and Matthew Butler.
Gibson Dunn’s lawyers are available to assist in addressing any questions you may have regarding these developments. Please contact the Gibson Dunn lawyer with whom you usually work, any member of the firm’s Administrative Law and Regulatory Practice Group or Congressional Investigations Practice Group, or the following authors:
Helgi C. Walker – Chair, Administrative Law and Regulatory Practice, Washington, D.C. (+1 202-887-3599, [email protected])
Michael D. Bopp – Chair, Congressional Investigations Practice, Washington, D.C. (+1 202-955-8256, [email protected])
Lucas C. Townsend – Member, Administrative Law and Regulatory Practice, Washington, D.C. (+1 202-887-3731, [email protected])
© 2020 Gibson, Dunn & Crutcher LLP
Attorney Advertising: The enclosed materials have been prepared for general informational purposes only and are not intended as legal advice.