A Late Winter Blizzard of SEC Cybersecurity Rulemaking: the Proposed BD Cybersecurity Rules and Expanded Reg S-P and Reg SCI Obligations

by Luke Dembosky, Avi Gesser, Erez Liebermann, Marc Ponchione, Julie M. Riewe, Jeff Robins, Kristin Snyder, Charu A. Chandrasekhar, Sheena Paul, Suchita Brundage, Michael R. Roberts, Mengyi Xu, and Ned Terrace

Top row from left to right: Luke Dembosky, Avi Gesser, Erez Liebermann, Marc Ponchione, Julie M. Riewe, and Jeff Robins.
Bottom row from left to right: Kristin Snyder, Charu A. Chandrasekhar, Sheena Paul, Suchita Brundage, Michael R. Roberts, and Mengyi Xu.
(Photos courtesy of Debevoise & Plimpton LLP)

On March 15, 2023, the U.S. Securities and Exchange Commission (the “SEC”) released a suite of proposed new rules (the “Proposed Rules”) that include:

  • Proposed new cybersecurity rules for broker-dealers, security-based swap dealers, major security-based swap participants, transfer agents, a variety of market infrastructure providers (national securities exchanges, clearing agencies, and security-based swap data repositories), and securities SROs (collectively, “Market Entities”) that would impose new policies and procedures requirements and incident notification obligations (“BD Cyber Proposal”);
  • Amendments to Regulation S-P (“Reg S-P”) that would require the implementation of an incident response program, including a new customer notification obligation; expand the scope of the existing requirements relating to the safeguarding of “customer” information and the disposal of “consumer” information relating to individuals (the “Safeguards and Disposal Rules”); and impose new recordkeeping requirements (“Reg S-P Proposal”); and
  • Amendments to Regulation SCI (“Reg SCI”) to expand the scope of covered entities to cover certain broker-dealers without an ATS and security-based swap data repositories and to update requirements relating to policies and procedures, incident notification, and other compliance obligations (“Reg SCI Proposal”).

Crypto 2023: The Storm Breaks

by Stephen T. Gannon and Madison J. Breshears

From left to right: Stephen T. Gannon and Madison J. Breshears (photos courtesy of Davis Wright Tremaine LLP)

The first quarter of 2023 may go down in history as one of the most intensive periods of enforcement activity and related oversight in the history of the SEC and the bank regulatory agencies.[1] While digital assets have never been free of regulatory scrutiny, this most recent escalation could have an existential impact on an industry that has been subject to repeated disruptions since mid-2022.[2] The market has made quick work of separating the wheat from the chaff, sparing not even key, widely-respected players. Such conditions, coupled with increasingly aggressive regulatory action, could result in an increase in the number of firms that choose to seek shelter off-shore, or protection through acquisition by larger, traditional incumbent financial institutions. What follows is a brief summary of this recent regulatory activity, but there is surely more to come. This article will also reflect on the causes and consequences of this regulatory initiative, and what lessons might be learned.

Geneses of a Banking Crisis in 2023

Editor’s Note: The NYU Program on Corporate Compliance and Enforcement (PCCE) has been following the recent banking crisis and will be publishing articles exploring the reasons for the banks’ failures and the broader regulatory, policy, and legal implications arising therefrom.

by Ijeoma Okoli

Ijeoma Okoli (photo courtesy of the author)

Introduction

On March 8, 2023, Silvergate Bank entered into voluntary liquidation. Two days later, Silicon Valley Bank (“SVB”), after experiencing a severe bank run, was taken over by regulators and, with it, the most fraught weekend in global banking since the 2008 financial crisis began. Regulators in the US and UK (SVB had a UK banking subsidiary) scrambled to ensure that there were solutions in place before Asian markets opened Sunday night, East Coast time. Tech founders in Silicon Valley and the many venture capital firms (“VCs”) backing them used social media to rally the troops to put pressure on governments to ensure that they had access to their money by open of business the following Monday morning.

Securities Class Actions: Data, Trends, and Insights

by James Goldfarb, Brendan T. Mangan, Ted Snyder, and Cameron Matheson

From left to right: James Goldfarb, Brendan T. Mangan, Ted Snyder, and Cameron Matheson (photos courtesy of Davis Wright Tremaine LLP)

The number of securities class actions filed last year fell for the fourth year in a row. But these time-consuming, costly litigations still target 5 percent of all S&P 500 companies in an average year, and settlement costs rose in 2022. Those and other insights emerge from annual surveys published by NERA Economic Consulting and Cornerstone Research, two economic-consulting firms.[1] In this post, we summarize the data and trends revealed in those reports. The information highlighted here provides some perspective and benchmarks in terms of industries targeted, litigation length, potential offramps (mainly moving to dismiss or settling), and settlement costs. We conclude with some key takeaways.

FTC Publishes Blog Post on Data Security Practices for Complex Systems

by Caleb Skeath, Shayan Karbassi, and Ashden Fein

From left to right: Caleb Skeath, Shayan Karbassi, and Ashden Fein (Photos courtesy of Covington & Burling LLP)

In February, the Federal Trade Commission (“FTC”) published a blog post that elucidated key security principles from recent FTC data security and privacy orders. Specifically, the FTC highlighted three practices that the Commission regards as “effectively protect[ing] user data.” These practices include: (1) offering multi-factor authentication (“MFA”) for consumers and requiring it for employees; (2) requiring that connections within a company’s system be both encrypted and authenticated (e.g., deploying a “zero trust” methodology); and (3) requiring companies to develop data retention schedules. The FTC noted that while these measures “are not the sum-total of everything the FTC expects from an effective security program, they are a sample of provisions [that the FTC has] seen recently that speak directly to the idea of attacking things at their root cause to produce uniquely effective results.”

SEC Signals Workplace Misconduct is a Disclosure Issue with Activision Blizzard’s $35 Million Settlement

by Alejandra Montenegro Almonte, Sandra M. Hanna, Ann Sultan, and Maame Esi Austin

From left to right: Alejandra Montenegro Almonte, Sandra M. Hanna, Ann Sultan, and Maame Esi Austin (photos courtesy of Miller & Chevalier Chartered)

The SEC is taking a hardline against workplace misconduct and signaling to public companies that they ought to handle those issues with the same care and consideration as they have for other potential securities violations, such as those with financial statement implications. The SEC’s latest action in this regard – a settled administrative proceeding against Activision Blizzard Inc. (Activision Blizzard or the Company) – faults Activision Blizzard for alleged “disclosure control” deficiencies related to employee complaints of workplace misconduct.

On February 3, 2023, Activision Blizzard, a California-based video game development and publishing company, consented to the entry of an SEC Order and agreed to pay a $35 million civil penalty for allegedly inadequate disclosure controls and procedures that failed to ensure that management could assess and, where necessary, disclose employee complaints of workplace misconduct. The Order also settles allegations that the Company violated SEC whistleblower protection rules by including language in settlement agreements with separated employees requiring those employees to notify Activision Blizzard if they receive requests from the agency. As is typical, the Company settled the matter on a neither-admit-nor-deny basis.

National Cybersecurity Strategy 2023: Highlights from the U.S.’ Ambitious and Inclusive New Plan

by Ekene Chuks-Okeke

Ekene Chuks-Okeke (photo courtesy of the author)

On March 2, 2023,[i] the White House Office of the National Cyber Director (“ONCD”) published the new U.S. National Cybersecurity Strategy (the “Strategy”).[ii] This article highlights the key provisions of the Strategy that are relevant to cybersecurity compliance for businesses, internet infrastructure providers and government contractors, and provides a general overview of the United States’ ambitious, collaborative vision for cybersecurity.

Background

The Strategy was released further to President Biden’s Executive Order on Improving the Nation’s Cybersecurity (May 2021, E.O. 14028)[iii] and to significant budgetary commitments by Congress: in the Bipartisan Infrastructure Deal,[iv] to expand Americans’ access to reliable high-speed internet, and in the CHIPS and Science Act, 2022,[v] to incentivize domestic innovation and manufacturing.

Does Your Company Need a ChatGPT Pilot Program? Probably.

by Megan Bannigan, Avi Gesser, Henry Lebowitz, Benjamin Leb, Jarrett Lewis, Melissa Muse, Michael R. Roberts, and Lex Gaillard

Top row from left to right: Megan Bannigan, Avi Gesser, Henry Lebowitz, and Benjamin Leb
Bottom row from left to right: Jarrett Lewis, Melissa Muse, Michael R. Roberts, and Lex Gaillard
(Photos courtesy of Debevoise & Plimpton LLP)

Last month, we wrote about how many companies probably need a policy for Generative AI tools like ChatGPT, Bard and Claude (which we collectively refer to as “ChatGPT”). We discussed how employees were using ChatGPT for work (e.g., for fact-checking, first drafts, editing documents, generating ideas and coding) and the various risks of allowing all employees at a company to use ChatGPT without any restrictions (e.g., quality control, contractual, privacy, consumer protection, intellectual property, and vendor management risks). We then provided some suggestions for ways that companies could reduce these risks, including having a ChatGPT policy that organizes ChatGPT use cases into three categories: (1) uses that are prohibited; (2) uses that are permitted with some restrictions, such as labeling, training, and monitoring; and (3) uses that are generally permitted without any restrictions.

SEC Settles Ransomware Disclosure Charges for $3 Million

by Michael T. Borgia, Alexander Sisto, and Robertson Park

From left to right: Michael T. Borgia, Robertson Park, and Alexander Sisto. (Photos courtesy of Davis Wright Tremaine LLP)

The U.S. Securities and Exchange Commission (“SEC” or the “Commission”) has ordered Blackbaud, Inc. (“Blackbaud”) to pay $3 million to resolve claims that it made materially misleading statements about a 2020 ransomware attack and failed to maintain adequate disclosure controls related to cybersecurity. The SEC’s March 9, 2023 order and accompanying press release focus on three allegedly material misstatements: Blackbaud’s failure to correct a statement on its website that the attack did not compromise bank account information or Social Security numbers—even after Blackbaud personnel investigating the attack found clear information to the contrary; the company’s failure to disclose the compromise of that sensitive data in a Form 10-K; and the company’s cybersecurity risk statement in its Form 10-Q characterizing the risk of sensitive data exfiltration as merely hypothetical, despite knowing that exfiltration of unencrypted bank account information, Social Security numbers, and usernames and/or passwords had occurred as a result of the ransomware attack.
