Author Archives: ais9943

Marriott’s Settlement with the FTC: What it Means for Businesses

by Katherine McCarron and Kamay Lafalaise


Left to Right: Katherine McCarron and Kamay Lafalaise (photos courtesy of the authors)

Marriott International, Inc. has long highlighted core values of putting people first, pursuing excellence, acting with integrity, and serving the world. The FTC and Attorneys General from 49 states and D.C. are jointly announcing an action that suggests the company may want to add a fifth value to that list: protecting customer data and privacy.

According to a proposed complaint, Marriott International, Inc. and its subsidiary Starwood Hotels & Resorts Worldwide, LLC had data security failures that led to at least three breaches between 2014 and 2020. First, the FTC says that between 2014 and 2018 bad actors were able to take advantage of weak data security to steal 339 million consumer records from Marriott’s subsidiary, Starwood, in two separate breaches. That included millions of passport, payment card, and loyalty numbers. Then, in 2020, according to the complaint, Marriott told its customers that bad actors had breached Marriott’s own network through a franchised hotel. This time the intruders stole 5.2 million guest records, which included significant personal information and loyalty account information. The stolen information was detailed enough, the complaint explains, that bad actors could use it to create highly successful, targeted phishing campaigns to commit fraud.


CJEU: Competitors Can Sue over Data Protection Violations

by Dr. Detlev Gabel, Erasmus Hoffmann, and Markus Langen


Left to Right: Dr. Detlev Gabel, Erasmus Hoffmann and Markus Langen (photos courtesy of White & Case LLP)

Background

The German Federal Court of Justice (Bundesgerichtshof), tasked with resolving a conflict between two competing pharmacists, sought guidance from the Court of Justice of the European Union (“CJEU”) on interpreting the General Data Protection Regulation (“GDPR”). The defendant’s business sells over-the-counter (“OTC”) medicinal products online. During the ordering process, customers must provide certain information, including their name, delivery address, and details about the relevant OTC product. Invoking German legislation on unfair commercial practices, the claimant, a competitor, asked the German courts to halt this practice of the competing pharmacy, unless there is assurance that customers give prior consent for the processing of their health-related data.

The courts at both the first and second instance determined that the ordering process involves processing of health data, which is prohibited under the GDPR in the absence of explicit customer consent or other justification. The courts found this practice to be in breach of the GDPR, and thus unfair and unlawful under the German Unfair Competition Act. The German Federal Court of Justice sought clarification on whether the GDPR allows national legislation to permit competitors to initiate legal action against a person allegedly violating the GDPR. Furthermore, it inquired if the information provided during the ordering process qualifies as health data under the GDPR, even though the relevant OTC products do not require a prescription.

In its judgement of October 4, 2024, the CJEU provided clarity on these issues.


California Pushes Ahead With Climate Disclosure Law

by Ronald C. Chen, Raaj S. Narayan, and Carmen X. W. Lu


Left to Right: Ronald C. Chen, Raaj S. Narayan and Carmen X. W. Lu (photos courtesy of Wachtell, Lipton, Rosen & Katz)

Recently, California Governor Gavin Newsom signed into law Senate Bill 219, which applies broadly to public and private companies “doing business” in California. The law will require companies that have total annual revenues of over $1 billion to disclose and independently assure their scope 1 and 2 emissions (direct and purchased emissions) beginning in 2026 and to disclose scope 3 emissions (value chain emissions) beginning in 2027. In addition, companies that have annual revenues of over $500 million will be required to prepare a climate-related financial risk report in accordance with the recommendations of the Task Force on Climate-related Financial Disclosures beginning on or before January 1, 2026. Emissions disclosures will need to be submitted to the California Air Resources Board (“CARB”), or a non-profit emissions reporting organization designated by CARB, while climate-related financial risk disclosures will need to be publicly posted on the company’s website.


ICO Dawn Raids: How to respond and what you can do to prepare – An FAQ

by Robert Maddox and Aisling Cowell

Left to Right: Robert Maddox and Aisling Cowell (photos courtesy of Debevoise & Plimpton LLP)

In the UK, unannounced inspections of businesses’ premises, or “dawn raids”, are most often associated with authorities such as the Serious Fraud Office, National Crime Agency, Competition and Markets Authority and Metropolitan Police. However, data controllers and processors should be aware that the UK’s Information Commissioner’s Office (“ICO”) can also carry out dawn raids as part of investigations into compliance with data protection laws.

Such inspections can be stressful and complex for businesses to respond to, with a risk of criminal liability for failing to cooperate properly.

Here, we examine the ICO’s powers to conduct dawn raids, how those powers have been exercised in the past, and outline the steps which businesses should consider taking to prepare effectively for – and appropriately respond to – dawn raids.


California’s Privacy Regulator Issues Enforcement Guidance on How To Avoid “Dark Patterns” in Obtaining Consumer Consent

by David L. Rice and Christopher W. Savage


Left to Right: David L. Rice and Christopher W. Savage (photos courtesy of Davis Wright Tremaine LLP)

On September 4, 2024, the California Privacy Protection Agency (“CPPA”) announced that it issued an Enforcement Advisory (“Advisory”) providing guidance on how to avoid using prohibited “Dark Patterns” to obtain consent from consumers. Businesses subject to the California Consumer Privacy Act (CCPA) routinely request consent from consumers related to their personal information and in handling consumer requests to exercise their statutory rights regarding their personal information. The CPPA’s advisory is a strong signal that the time for businesses to identify and remove Dark Patterns in these processes is now—before the CPPA commences enforcement—by reviewing user interfaces to ensure the language and interface design offering consumers privacy choices is clear and symmetrical.


SEC Order Provides Warning to Fund Managers with Access to CLO-Related MNPI

by Matthew E. Kaplan, Jonathan R. Tuttle, Benjamin R. Pedersen, and Anna Moody


Left to Right: Matthew E. Kaplan, Jonathan R. Tuttle, Benjamin R. Pedersen and Anna Moody (photos courtesy of Debevoise & Plimpton LLP)

Introduction

On August 26, 2024, the Securities and Exchange Commission (“SEC”) announced settled charges against registered investment adviser Sound Point Capital Management, LP (“Sound Point”) for violating Sections 204A and 206(4) of the Investment Advisers Act of 1940 (“Advisers Act”) and Rule 206(4)-7 thereunder. According to the order, Sound Point failed to establish, maintain or enforce written policies and procedures reasonably designed to prevent the misuse of material non-public information (“MNPI”) concerning its trading of collateralized loan obligations (“CLOs”) that contained loans for which Sound Point was a lender.[1] Andrew Dean, Co-Chief of the SEC Enforcement Division’s Asset Management Unit, issued a statement on the same day reminding fund managers that they “must evaluate how their roles as lenders could expose them to MNPI that may relate to their CLO trading positions.”[2] These issues could also arise in contexts where the firm otherwise has access to MNPI.
