Author Archives: Jason Kelly

Colorado Consumer Privacy Bill Passes, Heads to Governor’s Desk

by Marian A. Waldmann Agarwal, Cynthia J. Rich, and Robert N. Famigletti

With the passage of SB21-190, Colorado is poised to become the third U.S. state—behind California and, most recently, Virginia—to enact a comprehensive consumer privacy law. On June 8, 2021, the Colorado Senate approved House amendments to the bill, which previously sailed through full Senate and House votes with overwhelming approval. The bill will soon be transmitted to Governor Jared Polis for his approval and, if enacted, the Colorado Privacy Act (CPA) will become operative on July 1, 2023.  

The CPA tracks closely with the recently-enacted Virginia Consumer Data Protection Act (VCDPA), including by distinguishing between data “controllers” (i.e., businesses that determine the purpose and means of processing personal data) and “processors” (i.e., businesses that process personal data on behalf of a controller), and by prescribing GDPR-like obligations. However, the CPA’s enforcement regime would mark a significant departure from the other state consumer privacy laws, empowering both the Colorado Attorney General (AG) and district attorneys to enforce violations of the Act and prescribing civil penalties of up to $20,000 per violation.

SEC Charges Issuer for Inadequate Cybersecurity Disclosure Controls: Action Suggests a More Active SEC Enforcement Role Concerning Disclosure Controls and Procedures for Cybersecurity

by Cathy Clarkin, Bob Downes, John Evangelakos, Nicole Friedlander, Tony Lewis, Sarah Payne, Steve Peikin, Kamil Shields and Rebecca Sobel

On June 15, 2021, the Securities and Exchange Commission (“SEC”) announced charges against First American Financial Corporation (“First American”) for failure to maintain adequate disclosure controls and procedures in violation of Exchange Act Rule 13a-15(a).[1]  The charges, which were simultaneously settled pursuant to a cease-and-desist order (the “Order”) imposing a $487,616 civil money penalty, related to a vulnerability in First American’s proprietary software application that caused tens of millions of document images—many containing consumers’ personal information—to be publicly accessible.  After being notified by a journalist about the vulnerability on May 24, 2019, First American issued a press release and subsequently filed a Form 8-K with the SEC.  According to the Order, however, the senior executives responsible for these disclosures were not informed prior to the time the disclosures were made that certain First American personnel had longstanding prior knowledge of the vulnerability, and that the vulnerability had not been remediated in accordance with the company’s policies.  In light of the action—and increased scrutiny by U.S. authorities concerning cybersecurity in the wake of nationally significant ransomware attacks and cyberattacks involving SolarWinds and Microsoft software—issuers should review and confirm the efficacy of their disclosure controls and procedures for analyzing and escalating key information about cybersecurity incidents and vulnerabilities.

The Forecast for the EU Whistleblowing Directive in Member States: Cloudy with a Chance of Implementation

By Alja Poler De Zwart and Mercedes Samavi

Do you work for an organization that does not know what to do with its whistleblowing hotline in Europe? Are you patiently waiting for any news on what is happening with the implementation throughout the European Economic Area (“EEA”) of the EU’s new Directive on the protection of persons who report breaches of European Union law (the “Whistleblowing Directive”), while getting more and more concerned about the lack of information? Well, if it helps at all, you are not alone. Although the implementation deadline of December 17 appears quite far away for now, this is deceptive — especially for multinational organizations that have to start preparing to comply with likely varying local implementation requirements in multiple countries.

We have been monitoring the implementation progress in 30 EEA countries, and the outlook does not look that great. As far as we can tell, not a single country has managed to adopt its implementing law to date, and some countries appear to have not even started yet. The good news is that the majority of countries are in the middle of their implementation process, but whether local legislators will manage to agree on the bills soon enough to have them ready before December 17 is anyone’s guess. As eternal optimists, we hope for the best. But while we wait, we put together a short summary of our findings and thoughts to help provide some context.

Revealing Potential New Strategy, FTC Teams Up with States After Supreme Court Rules Agency Not Authorized to Seek Monetary Remedies Under Section 13(b) of the FTC Act

by Corey W. Roush and Mitchell E. Khader

On April 22, 2021, the Supreme Court dismantled a longstanding FTC enforcement tool in a unanimous decision holding that the FTC Act does not permit the agency to use its authority to seek injunctive relief under Section 13(b) as a means to pursue monetary remedies against wrongdoers. In its first major use of Section 13(b) since that decision, the FTC has enlisted the aid of states whose competition laws authorize restitution, disgorgement, and other monetary remedies. Notwithstanding this potential new strategy, the FTC continues to urge Congress to act to restore its power under Section 13(b).

House Passes Insider Trading Bill

by Greg D. Andres, Martine M. Beamon, Angela T. Burgess, Tatiana R. Martins, Uzo Asonye, Robert A. Cohen, Neil H. MacBride, Fiona R. Moran, Stefani Johnson Myrick, and Paul J. Nathanson

The House of Representatives has passed a bill on a bipartisan basis that would be the first statute directly banning insider trading in the securities markets.  The bill largely would preserve current case law, but would expand the scope of insider trading by prohibiting trades based on information obtained by theft or computer hacking.  The House passed an identical bill in late 2019 that did not receive a Senate vote, but Senate action may be more likely under current Democratic control. 

The House Oversight Committee Investigative Agenda for the Next Two Years Highlights Likely Private Sector Targets for Congressional Investigations

by Robert Kelner, Brian Smith, Angelle Baugh, Brendan Parets, Perrin Cooke, Bill Sokolove, and Darcy Slayton

On May 21, the House Committee on Oversight and Reform’s “Oversight Plan” was published, after being submitted for publication by Committee Chairwoman Carolyn Maloney (D-NY) over a month ago. The Oversight Plan outlines the “topics designated for investigation, evaluation, and review” by the Committee over the next two years. The Oversight Plan provides a very useful roadmap of the Committee’s investigative priorities and should be seen as a fair warning to the industries and companies identified in the plan.

The Committee’s Oversight Plan is required by the House Rules. Under House Rule X, Clause 2, each standing committee of the House is required to submit an oversight plan to the Oversight Committee. The Oversight Committee then reviews the plans and reports to the full House on each committee’s plan and on the Oversight Committee’s recommendations for coordinating oversight activities. The 2021 Oversight Plan was published as part of the Oversight Committee’s compilation, which contains the Committee’s own plan along with the oversight plans of all other House committees. The nearly 300-page compilation generally indicated an interest in oversight of the coronavirus crisis, health care, economic prosperity and infrastructure investments, and climate change and the environment.

UK Steps Up Enforcement Efforts with New Global Anti-Corruption Sanctions Regime (Part II of II)

by Ryan D. Junck, Elizabeth Robertson, and Zahra Mashhood

This is Part II of a two-part post. This Part discusses practical ramifications of the UK’s new Global Anti-Corruption Sanctions Regulations. For Part I, discussing technical aspects of the regulations, click here.

The new Global Anti-Corruption Sanctions Regime is a further step by the UK on its path to forge its own post-Brexit sanctions policy. It mirrors the approach taken by its international partners, the US and Canada, both of which already have systems in place that impose sanctions on people and entities based on allegations of corruption. For example, under the new rules, the UK sanctioned current Guatemalan official Felipe Alejos Lorenzana on the same day the US did. Furthermore, a large number of the individuals on the UK’s list have already been sanctioned by the US.

Executive Order on Cybersecurity Expands Mandatory Breach Notification and Supply Chain Security Requirements for Government Contractors

by Tina D. Reynolds, Alex Iftimie, and Sandeep N. Nandivada

On May 12, 2021, the Biden administration issued an ambitious Executive Order on Improving the Nation’s Cybersecurity (EO) declaring the prevention, detection, assessment, and remediation of cyber incidents to be a “top priority and essential to national and economic security.” Over 8,000 words long, the EO establishes a series of initiatives designed to better equip the U.S. federal government to respond to cybersecurity threats.  The most notable provisions of the EO are as follows:

  • It sets in motion changes to federal contracts that will add breach notification and information sharing requirements for government service providers and remove existing contractual barriers to threat information sharing by the private sector;
  • It establishes baseline security standards for the development of software sold to the government by all commercial suppliers; and
  • It provides minimum cybersecurity requirements for federal agencies, like the use of multifactor authentication and encryption, and helps to move the federal government toward secure cloud services and zero-trust architecture.

The EO reflects the government’s heightened concerns about cyber threats, particularly following the SolarWinds, Microsoft Exchange, and Colonial Pipeline incidents. It also reflects the Administration’s efforts to leverage the buying power of the federal government to incentivize the software market to build security into the software development lifecycle, and to expand and enhance the information sharing between the private sector and the government.

UK Steps Up Enforcement Efforts with New Global Anti-Corruption Sanctions Regime (Part I of II)

by Ryan D. Junck, Elizabeth Robertson, and Zahra Mashhood

This is Part I of a two-part post. This Part discusses the technical aspects of the UK’s new Global Anti-Corruption Sanctions Regulations. For Part II, discussing practical ramifications of the regulations, click here.

On 27 April 2021, the UK implemented its new Global Anti-Corruption Sanctions Regime, enhancing its existing Global Human Rights Sanctions Regime, which came into force in July 2020. The new Global Anti-Corruption Sanctions Regulations 2021 (the Regulations) enable the UK Foreign Secretary to impose asset freezes and travel bans on designated individuals and entities linked to certain corrupt activities, and criminalise the breach of those sanctions within the UK, as well as any breach by any UK individual or UK entity wherever located. That includes UK subsidiaries of foreign companies.

The purpose of the regime is to prevent and combat serious governmental corruption, by stopping those involved from entering and channelling money through the UK. The system is broadly similar to those in place in the US and Canada. The regime has been implemented under the Sanctions and Anti-Money Laundering Act 2018 (SAMLA), which established the legal framework for the UK to introduce new sanctions regimes post-Brexit.

The Future of AI Regulation: 24 Ways That Companies Can Reduce Their Regulatory and Reputational AI Risks

by Avi Gesser, Anna R. Gressel, and Tara Raam

This post is Part V of a five-part series by the authors on The Future of AI Regulation. For Part I, discussing U.S. banking regulators’ recent request for information regarding the use of AI by financial institutions, click here. For Part II, outlining key features of the EU’s draft AI legislation, click here. For Part III, discussing new obligations for companies under the EU’s draft AI legislation, click here. For Part IV, discussing a recent FTC blog post on companies’ use of AI, click here.

In this final post, we have taken those important developments in AI regulation, along with some other recently issued guidance, and prepared a list of 24 measures that companies can adopt now to prepare for the coming AI regulatory landscape, which is an update to a post we wrote last year on this same topic.