SEC Continues to Elevate its Enforcement of Rule 21F-17(a)

by Benjamin Calitri


Benjamin Calitri (photo courtesy of Kohn, Kohn, and Colapinto LLP)

In January 2024, the SEC announced an $18 million settlement with J.P. Morgan Securities for violations of Rule 21F-17(a), demonstrating its increased enforcement of the whistleblower rule, which prohibits any person from “tak[ing] any action to impede an individual from communicating directly with the Commission staff about a possible securities law violation, including enforcing, or threatening to enforce, a confidentiality agreement.” This follows a $10 million enforcement against D.E. Shaw, showing the SEC’s new stance on Rule 21F-17(a): sanctions that are actually large enough to deter illegal NDAs.

The SEC Enforcement Order found that J.P. Morgan Securities (JPMS) typically requested certain clients sign a Release if they received a credit or settlement of over $1,000, regardless of whether JPMS admitted or denied any error or wrongdoing in connection with the credit or settlement.


New Wave of Website Privacy Lawsuits Under the Pen Register and Trap and Trace Device Theory

by Aidan Gross and Halyna Hnatkiv


From left to right: Aidan Gross and Halyna Hnatkiv (photos courtesy of Hunton Andrews Kurth LLP)

In the latest evolution of lawsuits challenging technologies that track website users, California class action plaintiffs have begun to file under a new theory—the pen register and trap and trace device theory under Section 638.51 of the California Invasion of Privacy Act (“CIPA”).

Over the last two years, courts have seen an influx of putative class action lawsuits targeting businesses with websites that utilize technology to track users’ website interactions. Most of the lawsuits have been filed in California under CIPA. These previous lawsuits alleged a violation of section 631 of CIPA, which protects against (1) intentional wiretapping of any telegraph or telephone wire, line or cable; (2) willfully and without the consent of all parties attempting to learn the contents of a communication in transit; and (3) attempting to use or communicate information obtained as a result of engaging in either activity. The statutory penalty is $5,000 per violation.

The cases have often failed at the motion to dismiss stage. Courts have dismissed some suits for lack of standing given the absence of a concrete injury. A number of courts have found that the information collected must in itself have a reasonable expectation of privacy. Plaintiffs are now trying their luck under the pen register and trap and trace theory.

White-Collar and Regulatory Enforcement: What Mattered in 2023 and What to Expect in 2024

by John F. Savarese, Ralph M. Levene, Wayne M. Carlin, David B. Anders, Sarah K. Eddy, Randall W. Jackson, and Kevin S. Schwartz


Top left to right: John F. Savarese, Ralph M. Levene, Wayne M. Carlin, and David B. Anders.
Bottom left to right: Sarah K. Eddy, Randall W. Jackson, and Kevin S. Schwartz. (Photos courtesy of Wachtell, Lipton, Rosen & Katz)

This past year was yet another notable and intensely active one across the entire range of white-collar criminal and regulatory enforcement areas. We heard continued tough talk from law enforcement authorities, especially concerning the government’s desire to bring more enforcement actions against individuals and on the need to keep ramping up corporate fines and penalties. The government largely lived up to its talking points about increasing the numbers of individual prosecutions and proceedings, particularly with respect to senior executives in the cryptoasset industry. But there were some notable stumbles. The most striking example of this was DOJ’s failure to secure convictions in cases where it attempted to extend criminal antitrust enforcement in unprecedented areas, such as no-poach employment agreements and against certain vertical arrangements—neither of which has historically been viewed as involving per se violations of the federal antitrust laws. And, as in years past, many state attorneys general remained active throughout 2023, using broad state consumer-protection statutes to bring blockbuster cases across a wide array of industries, from ridesharing and vaping to opioids and consumer technology offerings.


Export Controls Experts Comment on Enhancements to Voluntary Self-Disclosure Policies for Export Control Violations


Panelists John D. Sonderman, Director, Office of Export Enforcement, BIS; Jana del-Cerro, Partner, Crowell & Moring LLP; Michael H. Huneke, Partner, Hughes Hubbard & Reed LLP; Sharon Cohen Levin, Partner, Sullivan & Cromwell LLP; and Joseph Facciponti, Executive Director, PCCE (Moderator) (©Hollenshead: Courtesy of NYU Photo Bureau)

On January 16, 2024, the NYU Law Program on Corporate Compliance and Enforcement hosted Matthew Axelrod, Assistant Secretary for Export Enforcement at the Bureau of Industry and Security (BIS), U.S. Department of Commerce, to deliver remarks on enhancements to BIS’s corporate enforcement policy for voluntary self-disclosures of export control violations. Assistant Secretary Axelrod’s speech was accompanied by the release of an enforcement policy memo, available here. After Secretary Axelrod’s remarks, he participated in a fireside chat and took questions from the audience. The event also featured a panel of experts on export control enforcement policy. A full agenda of the event is available here. In this post, participants from the panel share further thoughts on the issues.


How to Avoid Risk of SEC Whistleblower Rule Violations in Connection with Settlement Agreement Confidentiality Provisions

by Tami Stark and Joel M. Cohen


Tami Stark and Joel M. Cohen (Photos courtesy of White & Case LLP)

The SEC levied charges against a registered broker-dealer and investment adviser that expand the enforcement of the whistleblower protection rule to encompass settlement agreements with clients.[1] This article should be instructive for other registered entities seeking to avoid rule violations when drafting such agreements.

As of the end of the 2023 fiscal year, the SEC has brought twenty-one enforcement actions involving violations of Rule 21F-17 since the Dodd-Frank Act empowered the SEC with the ability to bring actions against persons, including companies, for impeding reports to the SEC.[2] Last year, these actions arose primarily from employment-related agreements that violated the Rule.[3] For example, in September of 2023, the SEC levied a $10 million civil penalty against an investment adviser for using employee agreements that prohibited the disclosure of “confidential information” unless authorized by the company or required by law or an order of a court or other regulatory or governmental body.[4]


The NYDFS Plans to Impose Significant Obligations on Insurers Using AI or External Data

by Eric Dinallo, Avi Gesser, Erez Liebermann, Marshal Bozzo, Matt Kelly, Johanna Skrzypczyk, Corey Goldstein, Samuel J. Allaman, Michelle Huang, and Sharon Shaji


Top (from left to right): Eric Dinallo, Avi Gesser, Erez Liebermann, Marshal Bozzo, and Matt Kelly
Bottom (from left to right): Johanna Skrzypczyk, Corey Goldstein, Samuel J. Allaman, Michelle Huang, and Sharon Shaji (Photos courtesy of Debevoise & Plimpton LLP)

On January 17, 2024, the New York State Department of Financial Services (the “NYDFS”) issued a Proposed Insurance Circular Letter regarding the Use of Artificial Intelligence Systems and External Consumer Data and Information Sources in Insurance Underwriting and Pricing (the “Proposed Circular” or “PCL”). The Proposed Circular is the latest regulatory development in artificial intelligence (“AI”) for insurers, following the final adoption of Colorado’s AI Governance and Risk Management Framework Regulation (“CO Governance Regulation”) and the proposed Colorado AI Quantitative Testing Regulation (the “CO Proposed Testing Regulation”), discussed here, and the National Association of Insurance Commissioners’ (“NAIC”) model bulletin on the “Use of Artificial Intelligence Systems by Insurers” (the “NAIC Model Bulletin”), discussed here. In the same way that NYDFS’s Part 500 Cybersecurity Regulation influenced standards for cybersecurity beyond New York State and beyond the financial sector, it is possible that the Proposed Circular will have a significant impact on the AI regulatory landscape.

The PCL builds on the NYDFS’s 2019 Insurance Circular Letter No. 1 (the “2019 Letter”) and includes some clarifying points on the 2019 Letter’s disclosure and transparency obligations. The 2019 Letter was limited to the use of external consumer data and information sources (“ECDIS”) for underwriting life insurance and focused on risks of unlawful discrimination that could result from the use of ECDIS and the need for consumer transparency. The Proposed Circular incorporates the general obligations from the 2019 Letter while adding more detailed requirements, expands the scope beyond life insurance, and adds significant governance and documentation requirements.


How “Location, Location, Location” Can Lead to “Enforcement, Enforcement, Enforcement”

By Lesley Fair


Lesley Fair (photo courtesy of the author)

Do consumers attend a Christian church? Are they the parents of preschoolers? Would the description “wealthy and not healthy” apply to them? By tracking people’s mobile devices, Texas-based InMarket Media has collected their precise geolocation and cross-referenced their location histories with other personal data to categorize them into roughly 2,000 different audience segments that the company then marketed for the purpose of targeted advertising. According to a proposed FTC complaint, InMarket Media did that without fully informing consumers and without getting their consent to use their location – including information linking them to particularly sensitive places – for commercial purposes.


SDNY Whistleblower Pilot Program Incentivizes Self-Disclosure and Cooperation

by Helen V. Cantwell, Andrew J. Ceresney, Andrew M. Levine, David A. O’Neil, Winston M. Paes, Jane Shvets, Bruce E. Yannett, Douglas S. Zolkind, Erich O. Grosz, and Rebecca Maria Urquiola


Top left to right: Helen V. Cantwell, Andrew J. Ceresney, Andrew M. Levine, David A. O’Neil, and Winston M. Paes.
Bottom left to right: Jane Shvets, Bruce E. Yannett, Douglas S. Zolkind, Erich O. Grosz, and Rebecca Maria Urquiola. (Photos courtesy of Debevoise & Plimpton LLP)

On Wednesday, January 10, 2024, the U.S. Attorney’s Office for the Southern District of New York (“SDNY”) launched the SDNY Whistleblower Pilot Program (the “Program”).[1] The Program seeks to incentivize individuals to report criminal wrongdoing—including corporate control failures, state and local bribery, and fraudulent dealings involving public funds—before SDNY learns of the conduct and to fully cooperate with any resulting investigations and prosecutions. U.S. Attorney Damian Williams encouraged individuals “to come clean, cooperate, and get on the right side of the law,” cautioning “[c]all us before we call you.”[2]


Creating A European Union-Wide Anti-Money Laundering/Counter Financing of Terrorism Regime (Part II): Changes in Anti-Money Laundering Rules

by Jonathan J. Rusch


Photo courtesy of the author

As part of its continuing efforts to strengthen the capacity and capability of the European Union (EU) to combat money laundering and terrorism financing[1], on January 18, 2024 the Council of the European Union announced that it and the European Parliament had found a provisional agreement on parts of the anti-money laundering and countering the financing of terrorism (AML/CFT) package to protect EU citizens and the EU’s financial system.

This provisional agreement is intended to accomplish two fundamental objectives: (1) to transfer all AML/CFT rules applying to the private sector to a new regulation; and (2) in doing so, for the first time to make those rules more stringent and harmonize them “exhaustively”, in order to close possible loopholes that criminals use to launder illicit proceeds or finance terrorist activities through the financial system.[2]

The first post in this series covered the provisional agreement relating to the creation and operation of a new EU-wide anti-money laundering authority (AMLA).[3]  This post will summarize and comment on the extensive and detailed provisions of this provisional agreement with regard to two elements: (1) the new AML regulation[4]; and (2) a new AML/CFT directive (to be designated by the EU as the “Sixth Anti-Money Laundering Directive”) that would establish the mechanisms that EU Member States should put in place for AML/CFT purposes and repeal the EU’s 2015 Fourth AML Directive.[5]


FCC Updates and Expands Data Breach Notification Rules

by Beth Burgin Waller and Patrick J. Austin


From left to right: Beth Burgin Waller and Patrick J. Austin (photos courtesy of authors)

The updated data breach notification rules broaden the definition of what is considered a breach and expand the scope of who must be notified when a data breach occurs.

The Federal Communications Commission (FCC or Commission) voted to adopt new and expanded data breach notification requirements that apply to telecommunications, interconnected Voice over Internet Protocol (VoIP), and telecommunications relay services (TRS). The updated rules now include personally identifiable information (PII), as opposed to just customer proprietary network information (CPNI). This means carriers must provide notice when a consumer’s PII is breached.

The new data breach notification rules will go into effect approximately 30 days after publication in the Federal Register. Below is an overview of the new rules.
