Author Archives: David Schulman

How to Avoid Risk of SEC Whistleblower Rule Violations in Connection with Employee-related Documents

by Tami Stark, Maia Gez, Scott Levi, and Tal Marnin

From left to right: Tami Stark, Maia Gez, Scott Levi, and Tal Marnin (Photos courtesy of Covington & Burling LLP)

On February 3, 2023, the US Securities and Exchange Commission (“SEC”) announced that a public company agreed to pay $35 million to settle charges of, among other things, violations of the whistleblower protection rule.[1] Securities Exchange Act of 1934 Rule 21F-17(a) prohibits any person from taking “any action to impede an individual from communicating directly with the Commission staff about a possible securities law violation, including enforcing, or threatening to enforce, a confidentiality agreement . . . with respect to such communications.”

Since the Dodd-Frank Act provided the Commission with the power to bring actions against persons, including companies, for impeding reports to the SEC, the SEC has brought over 16 enforcement actions for violations of the whistleblower protection rule.[2] As this is the second time in a little over six months that the SEC has brought such an action, it appears to be a continuing area of focus for enforcement.

FTC Publishes Blog Post on Data Security Practices for Complex Systems

by Caleb Skeath, Shayan Karbassi, and Ashden Fein

From left to right: Caleb Skeath, Shayan Karbassi, and Ashden Fein (Photos courtesy of Covington & Burling LLP)

In February, the Federal Trade Commission (“FTC”) published a blog post that elucidated key security principles from recent FTC data security and privacy orders.  Specifically, the FTC highlighted three practices that the Commission regards as “effectively protect[ing] user data.” These practices include: (1) offering multi-factor authentication (“MFA”) for consumers and requiring it for employees; (2) requiring that connections within a company’s system be both encrypted and authenticated (e.g., deploying a “zero trust” methodology); and (3) requiring companies to develop data retention schedules.  The FTC noted that while these measures “are not the sum-total of everything the FTC expects from an effective security program, they are a sample of provisions [that the FTC has] seen recently that speak directly to the idea of attacking things at their root cause to produce uniquely effective results.”

SEC Signals Workplace Misconduct is a Disclosure Issue with Activision Blizzard’s $35 Million Settlement

by Alejandra Montenegro Almonte, Sandra M. Hanna, Ann Sultan, and Maame Esi Austin

From left to right: Alejandra Montenegro Almonte, Sandra M. Hanna, Ann Sultan, and Maame Esi Austin (photos courtesy of Miller & Chevalier Chartered)

The SEC is taking a hard line against workplace misconduct and signaling to public companies that they ought to handle those issues with the same care and consideration as they have for other potential securities violations, such as those with financial statement implications. The SEC’s latest action in this regard – a settled administrative proceeding against Activision Blizzard Inc. (Activision Blizzard or the Company) – faults Activision Blizzard for alleged “disclosure control” deficiencies related to employee complaints of workplace misconduct.

On February 3, 2023, Activision Blizzard, a California-based video game development and publishing company, consented to the entry of an SEC Order and agreed to pay a $35 million civil penalty for allegedly inadequate disclosure controls and procedures that failed to ensure that management could assess and, where necessary, disclose employee complaints of workplace misconduct. The Order also settles allegations that the Company violated SEC whistleblower protection rules by including language in settlement agreements with separated employees requiring those employees to notify Activision Blizzard if they receive requests from the agency. As is typical, the Company settled the matter on a neither-admit-nor-deny basis. 

Explaining MiCA: Part of the EU’s Approach to Crypto and Digital Asset Regulation

by Katja Langenbucher

Professor Katja Langenbucher

FTX, Kraken, TerraLuna, and similar cases have recently prompted the SEC to move ahead with a long list of enforcement actions. While some applaud the securities regulator’s push ahead, others criticize its lack of explicit rule-making. Yet some would prefer a banking regulator to step in and authorize a national trust bank charter for issuers of stablecoins. Against this background, the upcoming EU Markets in Crypto Assets Regulation (MiCA) provides an illustration of a tailor-made regime combining elements of securities and banking regulation.

MiCA is part of the larger EU digital finance package which includes rules on operational resilience (DORA), a DLT pilot regime for security tokens, and amendments to several financial services Directives. Arguably, the “libra/diem-scare” to monetary autonomy was a main driver pushing the EU Commission to consider new legislation. Additionally, the differing speed of legislators across EU Member States brought about the risk of unhelpful regulatory competition, suggesting a level playing field strategy instead.

EDPB Publishes Report of Cookie Banners Taskforce

by Kristof Van Quathem, Anna Oberschelp de Meneses, and Diane Valat

From left to right: Kristof Van Quathem and Anna Oberschelp de Meneses (Photos courtesy of Covington & Burling LLP)

On January 18, 2023, the European Data Protection Board (“EDPB”) published a report setting out the common positions of the EDPB and EEA member state supervisory authorities (“SAs”) with respect to interpreting the EU rules applying to cookies. SAs will take these common positions into account when handling cookie complaints.

The report was drafted by the EDPB’s Cookie Banner Taskforce (“Taskforce”), which is composed of the EDPB and 18 SAs. However, the report does not have the same interpretative value as EDPB guidance. Moreover, SAs will not take into account the positions mentioned in the report in isolation – they will also take into account additional national requirements stemming from the national laws transposing the ePrivacy Directive and SAs’ national guidance.

Federal Reserve Adopts Supervisory Framework for Supervised Insurance Organizations

by Marion Leydier, Benjamin Weiner, and Rodrick Gilman Jr. 

New Supervisory Framework Applies to Depository Institution Holding Companies Significantly Engaged in Insurance Activities

SUMMARY

The Board of Governors of the Federal Reserve System (“Board”) issued, on September 28, 2022, final guidance (“Final Guidance”) establishing a framework (“Framework”) for the supervision of depository institution holding companies significantly engaged in insurance activities, or “supervised insurance organizations” (“SIOs”).[1]  A depository institution holding company is considered to be an SIO if (1) it is an insurance company, or (2) over 25% of its consolidated assets are held by insurance company subsidiaries, or (3) it has been otherwise designated as an SIO by the Board.  The Framework provides a risk-based approach to establishing supervisory expectations and conducting supervisory activities; a supervisory rating system with three components for capital management, liquidity management, and governance and controls; and a description of how Board examiners will incorporate and rely on the work of state insurance regulators and other supervisors of SIOs in order to limit supervisory duplication.  Board supervisory activities will focus on understanding risks that could threaten the safety and soundness of the SIO or its ability to act as a source of strength for its depository institutions.  Each SIO will be classified by the Board as either complex or noncomplex, which will serve as the basis for determining the level of supervisory resources dedicated to the SIO and the frequency and intensity of the Board’s supervisory activities.  Classification under the Framework will be based on the Board’s assessment of various factors relating to an SIO’s risk profile, with a firm automatically classified as complex if its depository institution’s average assets exceed $100 billion.

The Framework will become effective November 3, 2022.
