We are pleased to announce that registration is open for our 4th Annual Directors’ Academy at NYU School of Law on October 31st and November 1st, 2024. The agenda and registration portal are available here. The program is for directors who currently serve on public and for-profit private company boards, as well as C-Suite legal, risk, ethics, audit, and compliance professionals.[1]
by Staff at the Federal Trade Commission’s Office of Technology
Federal Trade Commission
The FTC’s Tech Summit on AI[1] convened three panels that highlighted different layers of the AI tech stack: hardware and infrastructure, data and models, and consumer-facing applications. This third Quote Book is focused on consumer-facing applications. This post outlines the purpose of the quote book, a summary of the panel, and relevant topics and actions raised by the FTC.
by Avi Gesser, Jim Pastore, Matt Kelly, Gabriel Kohan, Melissa Muse and Joshua A. Goland
Top left to right: Avi Gesser, Jim Pastore, and Matt Kelly. Bottom left to right: Gabriel Kohan, Melissa Muse and Joshua A. Goland (photos courtesy of Debevoise & Plimpton LLP)
Online customer service chatbots have been around for years, allowing companies to triage customer queries with pre-programmed responses that addressed customers’ most common questions. Now, Generative AI (“GenAI”) chatbots have the potential to change the customer service landscape by answering a wider variety of questions, on a broader range of topics, and in a more nuanced and lifelike manner. Proponents of this technology argue companies can achieve better customer satisfaction while reducing costs of human-supported customer service. But the risks of irresponsible adoption of GenAI customer service chatbots, including increased litigation and reputational risk, could eclipse their promise.
We have previously discussed risks associated with adopting GenAI tools, as well as measures companies can implement to mitigate those risks. In this Debevoise Data Blog post, we focus on customer service chatbots and provide some practices that can help companies avoid legal and reputational risk when adopting such tools.
by Nelson O. Fitts, Michael J. Schobel, and Emily E. Samra
Left to right: Nelson O. Fitts, Michael J. Schobel, and Emily E. Samra (photos courtesy of Wachtell, Lipton, Rosen & Katz)
In a recent public meeting, a divided Federal Trade Commission voted along party lines to issue a final rule prohibiting non-compete clauses for nearly all U.S. workers. The FTC previously published the proposed ban in January 2023, drawing thousands of public comments. The final rule hews closely to the initial proposal, but with slightly broader exceptions.
by Jonny Frank, Michele Edwards, and Chris Hoyle
Left to right: Jonny Frank, Michele Edwards, and Chris Hoyle (photos courtesy of StoneTurn, LLP)
It is tempting for organizations to downplay compliance violations as an isolated event attributable to a few bad apples. However, experience teaches that misconduct is often worse than initially thought. Wrongdoers who confess rarely admit to their complete wrongdoing. And it is common for the same or similar misconduct to occur across business lines and geographies.
Because wrongdoing is often much more extensive than originally believed, organizations cannot afford to assume that an incident is an isolated event. Imagine the legal implications—and embarrassment—if the government, public or other stakeholders discover that an organization’s internal investigation failed to detect the full extent of the perpetrators’ wrongdoing or similar schemes committed by others in the organization. There may also be more extensive financial losses to recover that the organization needs to be aware of.
by Olivia Lee and Ashley Webber
From left to right: Olivia Lee and Ashley Webber (Photos courtesy of Hunton Andrews Kurth LLP)
On April 17, 2024, the European Data Protection Board (“EDPB”) adopted its non-binding Opinion 08/2024 on Valid Consent in the Context of Consent or Pay Models Implemented by Large Online Platforms (the “Opinion”), stating that such models generally are not compliant with the EU General Data Protection Regulation (“GDPR”), though their use should be considered on a case-by-case basis.
by Staff at the Federal Trade Commission’s Office of Technology
Federal Trade Commission
For more than two decades, the FTC has been bringing enforcement actions for violations of national consumer protection laws due to companies’ poor security practices. These poor practices have included failure to encrypt sensitive data, storing credentials in source code, failing to test for common vulnerabilities, and failure to use multi-factor authentication, among others. To remedy these practices, the orders the FTC has obtained in these enforcement actions have required companies to improve their security practices. Last year FTC staff published a blog post on how the agency’s orders incorporate modern security best practices that take inspiration from research into the causes of risk in complex systems. This post is a continuation on the theme of effectively addressing risks in complex systems.
by Steven P. Solow and Chloe Graham
From left to right: Steven P. Solow, and Chloe Graham (Photos courtesy of Baker Botts LLP)
The Assistant Administrator for EPA’s Office of Enforcement and Compliance Assurance (OECA) announced a new Strategic Civil-Criminal Enforcement Policy (Policy) that is perhaps the most significant change in environmental enforcement since the passage of the basic environmental laws decades ago. At bottom, the new Policy addresses the long-standing concern that the decision to enforce a matter civilly or criminally ultimately depended on whose “desk” it landed on.
On April 15, 2024, the NYU Law Program on Corporate Compliance and Enforcement (PCCE) held its 10th Anniversary Conference, featuring keynote speakers Nicole Argentieri, Principal Deputy Assistant Attorney General and Head of DOJ’s Criminal Division; Gurbir Grewal, Director of Enforcement, SEC; and Andrea Griswold, Deputy U.S. Attorney, SDNY, among other distinguished speakers. More information on the conference can be found here. At the conference, Principal Deputy Assistant Attorney General Argentieri first announced a new voluntary self-disclosure program for individuals. A blog post by her, which describes the program and provides links to more information, is republished below.
©Myaskovsky: Courtesy of NYU Photo Bureau
by Elliot Greenfield, Matthew E. Kaplan, Maeve O’Connor, Benjamin R. Pedersen, Jonathan R. Tuttle, Anna Moody, Brandon Fetzer, and Mark D. Flinn
Top left to right: Elliot Greenfield, Matthew E. Kaplan, Maeve O’Connor, and Benjamin R. Pedersen.
Bottom left to right: Jonathan R. Tuttle, Anna Moody, Brandon Fetzer, and Mark D. Flinn. (Photos courtesy of Debevoise & Plimpton LLP).
On April 12, 2024, in a highly anticipated decision, the Supreme Court held in Macquarie Infrastructure Corp. v. Moab Partners, L.P.[1] that pure omissions are not actionable in private litigation under Rule 10b-5(b). Resolving a circuit split, the Court held that Rule 10b-5(b) does not support a “pure omissions” theory based on an alleged failure to disclose material information required by Item 303 of SEC Regulation S-K (Management’s discussion and analysis of financial condition and results of operations, or MD&A). Instead, a “failure to disclose information required by [MD&A] can support a Rule 10b-5(b) claim only if the omission renders affirmative statements made misleading.”[2] While the decision arose in the context of Item 303, which requires disclosure of “known trends and uncertainties” that have had or are “reasonably likely” to have a material impact on net sales, revenues or income from continuing operations,[3] the decision stands for the broader principle that Rule 10b-5(b) does not support pure omissions theories based on alleged violation of any disclosure requirement. Such claims remain viable, however, under Section 11 of the Securities Act of 1933. This ruling provides welcome clarity to issuers and eliminates the risk of pure-omission claims under Rule 10b-5(b) based on the judgment-based requirements of MD&A.