SEC Takes First Rule 21F-17(a) Action Against Private Company

by Benjamin Calitri

On September 8th, the SEC announced its first enforcement action against a private company for violation of Rule 21F-17(a). Rule 21F-17(a) prohibits any person from “tak[ing] any action to impede an individual from communicating directly with the Commission staff about a possible securities law violation, including enforcing, or threatening to enforce, a confidentiality agreement.” In other words, this rule prevents companies from silencing whistleblowers.

The Commission already has a strong record of enforcing this rule among public companies, but its recent $225,000 sanction against Monolith Resources marks the first time the Commission has charged a privately held company, that is not a broker or investment advisor, for violating this rule.

Eight GDPR Questions when Adopting Generative AI

by Avi Gesser, Robert Maddox, Friedrich Popp, and Martha Hirst
From left to right: Avi Gesser, Robert Maddox, Friedrich Popp, and Martha Hirst. (Photos courtesy of Debevoise & Plimpton LLP)

As businesses adopt Generative AI tools, they need to ensure that their governance frameworks address not only AI-specific regulations such as the forthcoming EU AI Act, but also existing regulations, including the EU and UK GDPR.

In this blog post, we outline eight questions businesses may want to ask when developing or adopting new Generative AI tools or when considering new use cases involving GDPR-covered data. At their core, they highlight the importance of integrating privacy-by-design default principles into Generative AI development and use cases (see here).

If privacy is dealt with as an afterthought, it may be difficult to retrofit controls that are sufficient to mitigate privacy-related risk and ensure compliance. Accordingly, businesses may want to involve privacy representatives in any AI governance committees. In addition, businesses that are developing their own AI tools may want to consider identifying opportunities to involve privacy experts in the early stages of Generative AI development planning.

The Final Colorado AI Insurance Regulations: What’s New and How to Prepare

by Avi Gesser, Erez Liebermann, Eric Dinallo, Matt Kelly, Corey Jeremy Goldstein, Stephanie D. Thomas, Samuel J. Allaman, and Basil Fawaz

Top left to right: Avi Gesser, Erez Liebermann, Eric Dinallo and Matt Kelly
Bottom left to right: Corey Jeremy Goldstein, Stephanie D. Thomas, Samuel J. Allaman and Basil Fawaz
(Photos courtesy of Debevoise & Plimpton LLP)

On September 21, 2023, the Colorado Division of Insurance (the “DOI”) released its Final Governance and Risk Management Framework Requirements for Life Insurers’ Use of External Consumer Data and Information Sources, Algorithms, and Predictive Models (the “Final Regulation”). As discussed below, the Final Regulation (which becomes effective on November 14, 2023) reflects several small changes from the previous version of the regulation that was released on May 26, 2023 (the “Draft Regulation”). A redline reflecting these changes can be found here.

The most substantive change is the requirement that insurers must remediate any detected unfair discrimination. This change is especially significant in light of the DOI’s release of its draft regulation on Quantitative Testing for Unfairly Discriminatory Outcomes for Algorithms and Predictive Models Used for Life Insurance Underwriting (the “Draft Testing Regulation”) on September 28, 2023, which requires insurers to estimate the race and ethnicity of all proposed insureds that have applied for life insurance coverage and then conduct detailed quantitative testing of models that use external consumer data and information sources (“ECDIS”) for potential bias. The Testing Regulation provides that certain results of that prescribed testing methodology will be deemed to be unfairly discriminatory and thereby require the insurer to “immediately take reasonable steps . . . to remediate the unfairly discriminatory outcome . . .” We will be writing much more about our concerns over the Draft Testing Regulation in the coming weeks.

In this Blog Post, we discuss the Final Regulation, how it differs from the Draft Regulation, and what companies should be doing now to prepare for compliance.

Companies Face Increased Criminal Enforcement Risk From Aging Infrastructure-Related Disasters

by Alexander C.K. Wyman, Aron Potash, and Mikaela Wynne Gilbert-Lurie

From left to right: Alexander C.K. Wyman, Aron Potash, and Mikaela Wynne Gilbert-Lurie. (Photos courtesy of Latham & Watkins LLP)

Utilities and energy companies can implement strategies to mitigate risks from more frequent environmental disasters and infrastructure failures.

In the early morning of June 11, 2023, a tanker truck carrying gasoline up I-95 in Philadelphia crashed and caught fire, and the overpass above buckled and collapsed. The section of the highway is critical to the roughly 160,000 vehicles that cross it daily. The immediate cause of the collapse is believed to be either the heat from the flames or the impact of the explosion weakening the steel beams supporting the overpass. Some, however, identified a more fundamental problem: “the fragility of the state’s aging infrastructure.”[1]

While the I-95 collapse presents a recent example of the significant risks associated with the US’s aging infrastructure, it is by no means unique. Many of the roads, bridges, dams, and electrical grids that keep the country running are decades old and often in need of repair. Infrastructure failures combined with environmental disasters can be catastrophic, and the consequences dire, for the public, the environment, and the utility or corporate entity potentially responsible for operating the failed infrastructure component. Moreover, a vicious cycle is often at work with respect to the environment and infrastructure failures in which, for example, extreme weather causes an infrastructure breakdown that in turn may result in environmental damage.

Seven Steps to Mitigate Hazing Risks

by Helen V. Cantwell, Mary Beth Hogan, Arian June, Daniel Alford, Omid Golmohammadi, and Michael Compton McGregor

Top left to right: Helen V. Cantwell, Mary Beth Hogan, and Arian June. Bottom right to left: Daniel Alford, Omid Golmohammadi, and Michael Compton McGregor. (Photos courtesy of Debevoise & Plimpton LLP)

Hazing and abuse in athletics at academic institutions have reached a boiling point recently, with high-profile allegations levied at top universities. These incidents are not only painful for those students personally affected, but they can also result in intense media coverage, reputational harm, and legal actions.

As recent events have shown, it is imperative for academic institutions to have a plan for both preventing and addressing hazing. The best approach is to be proactive, as no institution is above scrutiny and most, if not all, institutions have room for improvement. In order to help mitigate potential legal, financial and reputational risks, administrators and board trustees at these institutions should consider taking the following steps:

SEC Files Two More Actions Alleging Employee Severance Agreements Violated Whistleblower Protections

by Sidney Bashago, Angela T. Burgess, Adam Kaminsky, Emily Roberts, Veronica M. Wissel, Martine M. Beamon, Jennifer S. Conway, Kyoko Takahashi Lin, and Travis S. Triano

From top left to right: Sidney Bashago, Angela T. Burgess, Adam Kaminsky, Emily Roberts, and Veronica M. Wissel. From bottom left to right: Martine M. Beamon, Jennifer S. Conway, Kyoko Takahashi Lin, and Travis S. Triano. (Photos courtesy of Davis Polk & Wardwell LLP)

The SEC has announced settlement of enforcement actions against two companies stemming from each company’s use of separation agreements that allegedly violated Dodd-Frank whistleblower protection rules. The settled enforcement actions demonstrate that whistleblower protection remains a priority for the SEC’s Enforcement Division.

Reading the Fine Print: The NYDFS Assessment of Comments on its Proposed Cybersecurity Amendments

by Matthew L. Levine
Matthew L. Levine (Photo courtesy of the author)

The New York State Department of Financial Services (“DFS”) has issued its long-awaited proposed revision to “Part 500,” the agency’s groundbreaking Cybersecurity Regulation.[1] This revision may be the basis for the final rule that will go into effect in stages after the Notice of Adoption is published in the State Register.

A catalog of analysis by law and consulting firms has already popped up online concerning the specific changes proposed, and not proposed, in this latest revision. There is no question that, when implemented, the regulation’s final changes are likely to have a material impact on financial institutions regulated by DFS.

Yet another document that accompanied the proposed revision should not be overlooked: the DFS “Assessment of Public Comments” (the “Assessment”). The rough equivalent of the “fine print” accompanying the proposal, the Assessment responds to an extensive body of commentary received by DFS from financial institutions, trade groups, law firms and others after DFS issued a previous iteration of the proposed amendments in November 2022.[2]

Collecting, Using, or Sharing Consumer Health Information? Look to HIPAA, the FTC Act, and the Health Breach Notification Rule

by the Federal Trade Commission
Does your business collect, use, or share consumer health information? When it comes to privacy and security, you’ve probably thought about the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and the HIPAA Privacy, Security, and Breach Notification Rules (HIPAA Rules). But did you know you also may need to comply with the Federal Trade Commission Act and the FTC’s Health Breach Notification Rule? Learn more about your obligations under these laws to maintain the privacy and security of consumers’ health information and provide notification if you experience a breach.

Integrated Intelligence: Acquiring, Interpreting and Disseminating Knowledge to Support Enterprise Risk Management and Corporate Governance

by Lawrence Cunningham and Arvin Maskin
From left to right: Lawrence Cunningham and Arvin Maskin. Photos courtesy of the authors.

Enterprise risk management (“ERM”) and corporate governance are two sides of the same coin, being united by the importance of relevant decision-makers acquiring, interpreting and disseminating intelligence about risk and oversight. The goal of ERM is to help corporate managers visualize, interpret, contextualize and prioritize various forms of risk input in a timely and objective manner, and to convert it to insightful and actionable intelligence to enhance the quality, reliability and transparency of corporate decision-making and board oversight (“corporate governance”). This modern-day “distant early warning” system attempts to preempt crisis-level events and mitigate the impact of unexpected or unavoidable occurrences of consequence, while seizing on opportunities to be innovative, competitive, and resilient.

FTC Alleges “Serial Acquirer” Theory in Challenge to Consummated PE Deals

by Andrew J. Nussbaum, Jonathan M. Moses, Nelson O. Fitts, Adam L. Goodman, and Itai Y. Thaler
From left to right: Andrew J. Nussbaum, Jonathan M. Moses, Nelson O. Fitts, Adam L. Goodman, and Itai Y. Thaler. (Photos courtesy of Wachtell, Lipton, Rosen & Katz)

Last week, the Federal Trade Commission sued U.S. Anesthesia Partners, Inc. (“USAP”) and its private equity investor, Welsh, Carson, Anderson & Stowe, as well as a number of Welsh Carson entities, in federal district court, alleging that USAP and Welsh Carson conspired to monopolize and reduce competition for anesthesia services in Texas. The FTC’s complaint alleges that, beginning in 2012, Welsh Carson, through its investment in USAP — which varied between 23% and 50.2% over the relevant period — directed a “roll-up scheme” to acquire and consolidate over a dozen Texas anesthesia practices; caused price increases across the state; and coordinated prices and allocated markets with some of the remaining independent anesthesia providers. The complaint claims violations of the Sherman Act, the Clayton Act, and the FTC Act, and seeks unspecified “structural relief” that could include restitution and divestitures.