By Avi Gesser, David Popkin, and Michael Washington
Until recently, biometric privacy was a niche area of the law that had little application to most companies. But with the rapid growth in commercial biometric data collection, including voice samples, fingerprints, retina scans, and facial geometry, as well as some recent developments in the applicable case law, it’s probably time for companies to start paying attention. Indeed, one of our top privacy law predictions for 2019 was a judicial expansion of the notion of harm, which happened quicker than we anticipated in the context of gathering biometric data.
On January 25, 2019, the Illinois Supreme Court decided Rosenbach v. Six Flags Entertainment Corporation, 2019 IL 123186, unanimously finding that plaintiffs could bring a private cause of action for violations of the notice and consent requirements of the state’s biometric privacy law without any showing of harm. In Six Flags, a mother sued the owner of a theme park on behalf of her teenaged son after he was fingerprinted in connection with the purchase of a season pass to the park. Neither the son nor the mother consented in writing to the taking of the fingerprint or signed any written release. Further, the park did not provide any documentation about its retention schedule or guidelines for retaining and then destroying the data. The court found that individuals possess a right to privacy in and control over their biometric identifiers.
One of the well-established concepts in social psychology and behavioral economics is loss aversion: i.e., “the idea that losses generally have a much larger psychological impact than gains of the same size.” Though usually discussed in the context of tangible gains and losses, loss aversion has some bearing on our response when a person who has made significant contributions in life passes away. Our immediate sadness at the loss of the person can distract us from thinking about and appreciating the gains that he or she provided to society or to specific people. For that reason, this post is devoted to a brief appreciation of Professor John Darley, focusing on aspects of his work that have applications to corporate compliance.
Professor Darley, who died several months ago at age 80, was not merely a distinguished Professor of Psychology and Public Affairs at Princeton University for many years, but “one of the foremost figures of social psychology.” He strongly influenced the growth and development of that field, in areas such as “morality and the law, the function of punishment, and the way organizations inadvertently promote evil.”
FinCEN and Federal Financial Institution Supervisory Agencies Issue Joint Statement on Innovative Efforts to Combat Money Laundering and Terrorist Financing
On December 3, 2018, the Financial Crimes Enforcement Network (“FinCEN”) and the four federal financial institution supervisory agencies (“the agencies”) issued a joint statement (“Joint Statement”) encouraging banks (i.e., banks, savings associations, credit unions, and foreign banks) “to consider, evaluate, and, where appropriate, responsibly implement innovative approaches to meet their Bank Secrecy Act/anti-money laundering (BSA/AML) compliance obligations, in order to further strengthen the financial system against illicit financial activity.”
Whether the macroprudential regulation enacted to protect the stability of the financial system is sufficient to prevent another crisis is uncertain. Although much of that regulation represents good faith and, in many cases, highly thoughtful efforts to control systemic risk, its primary focus is on banks and other systemically important financial institutions (“SIFIs”). This entity-based approach may be too narrow because it largely ignores other critical elements of the system, such as financial markets.
Furthermore, influenced by political and media pressure to assign blame for the financial crisis, some of the entity-based regulation is itself imperfect. A major focus of that regulation, for example, is on controlling morally hazardous risk-taking by SIFIs that deem themselves “too big to fail” (“TBTF”). Capital requirements epitomize this approach, protecting SIFIs against losses by requiring them to hold minimum levels of capital. However, the ability of capital requirements to control systemic risk is unclear. The cost of capital requirements is also uncertain; some argue they impose no public costs, others argue to the contrary.
Beginning next month, Democrats will control the House of Representatives for the first time since 2010. Given the pent-up demand for House Democrats to make robust use of their oversight and investigative authorities, the current relative lull in congressional investigations of corporations is expected to end. Corporations across sectors should anticipate an uptick in investigative activity.
In addition to holding the majority for the first time in nearly a decade, this will be the first time that Democrats control the House since a 2015 rule change that empowered a number of committee chairs to subpoena witnesses or documents unilaterally. The chairs of the following committees, among others, have this authority: Energy and Commerce; Financial Services; Intelligence; Judiciary; Natural Resources; and Oversight and Government Reform.
On November 29, 2018, in a speech at the Georgetown University Law School, Deputy Attorney General Rod Rosenstein renewed his call for tech companies to build into their products the means for law enforcement to legally access decrypted data, the development of so-called “responsible encryption.” Mr. Rosenstein analogized such encryption to requirements that buildings disable elevators in the event of a fire but still retain firemen’s access, and he beseeched the private sector to work with the government to mitigate the security threats posed by rapid technological advances.
Summary of Mr. Rosenstein’s Address
Detailing the threat of ransomware, Mr. Rosenstein warned that the “malicious use of technology will be more pernicious and pervasive tomorrow than it is today, and even more difficult to combat.” To “forestall those ominous consequences,” he proposed three steps:
A little-noticed consent decree entered into by the U.S. Securities and Exchange Commission earlier this year should be setting off alarm bells for financial firms and their boards of directors.
In a cease and desist order against Voya Financial Advisors, the investment advisory unit of Voya Financial, the SEC – for the first time – enforced its “Identity Theft Red Flags Rule” in punishing the firm for allegedly lackluster data security practices. The SEC charged that hackers were able to access sensitive client information, including Social Security numbers, account balances, and even details of client investment accounts. The commission called out the company’s board of directors for failing to “administer and oversee” compliance with the rule.
The European Data Protection Board (“EDPB”)—a working group of representatives of the EU data protection authorities—has issued Guidelines on the territorial scope of the EU General Data Protection Regulation (“GDPR”), which are open for comment until 18 January 2019. The Guidelines clarify one of the main areas of concern for non-EU companies: when will GDPR reach them?
A new Department of Justice policy (the “Policy”) modifies critical elements of the prominent 2015 “Yates Memorandum” on individual accountability. Introduced on November 29 by Deputy Attorney General Rod J. Rosenstein (the “DAG”), the Policy is manifested, in part, by specific revisions to the Justice Manual (previously referred to as the U.S. Attorneys’ Manual).
The Policy clarifies the relationship between the scope of a defendant’s disclosures regarding individuals and qualifying for cooperation credit, particularly in the context of civil litigation. In so doing, it also raises critical compliance oversight issues for corporate governance.
With limited time, corporate directors are accustomed to monitoring firms by using aggregated information that is supplied by firms’ management. Nearly every task conducted by a board of directors involves data curated by employees working for a firm’s CEO. A critical challenge for directors is to be informed of important situations that may have been lost in data aggregation or that may have been selectively not reported. Indeed, this is why firms with stellar directors and high-quality external auditors still have major public debacles. One way a corporate director can obtain unfiltered information regarding a firm’s operations and potential problems within a firm is by reviewing reports made by employees through internal reporting systems (also known as internal whistleblowing systems). The problem with this solution is that there have been differing views and understandings as to how to appropriately manage these systems and interpret these submitted reports—until now.