Understanding the FTC’s Non-Compete Clause Rule and Its Impact on NDAs

by Joshua H. Lerner, Laura E. Schneider, and Andrew Stauber

From left to right: Joshua H. Lerner, Laura E. Schneider, and Andrew Stauber (Photos courtesy of WilmerHale)

As we previously reported, the Federal Trade Commission (FTC) announced on April 23, 2024, its Non-Compete Clause Rule (Final Rule), which aims to ban all new post-employment non-competition restrictions and invalidate most existing ones. The Final Rule already has sparked multiple lawsuits seeking to prevent it from taking effect as scheduled on September 4, 2024. The United States District Court for the Northern District of Texas is expected to make a decision in one such lawsuit by July 3, 2024.

As September 4 approaches, many questions remain regarding the potential impact and scope of the Final Rule. This alert focuses on how the Final Rule might affect confidentiality and non-disclosure agreements (NDAs) that employers use to protect their trade secrets and other confidential information.

EU Digital Operational Resilience Act (“DORA”): Incident and Cyber Threat Reporting and Considerations for Incident Response Plans

by Robert Maddox, Stephanie Thomas, Annabella M. Waszkiewicz, and Michiko Wongso

Left to right: Robert Maddox, Stephanie Thomas, Annabella M. Waszkiewicz, and Michiko Wongso (photos courtesy of Debevoise & Plimpton LLP)

With the EU Digital Operational Resilience Act (“DORA”) implementation deadline set for January 2025, many financial services firms are spending 2024 preparing for the new regime. Amongst many operational resilience and management oversight requirements, DORA will require covered entities to monitor for, identify, and classify Information and Communications Technology (“ICT”)-related incidents (“incidents”) and cyber threats and report them under certain circumstances to regulators, clients, and the public.

In this post, we take a closer look at DORA’s ICT-related incident and cyber threat reporting obligations (which can require notifications as fast as four hours) and how covered entities can prepare to address them within their existing incident response plans (“IRPs”).

For a more general overview of DORA’s requirements, please see our previous blog post here, along with our coverage of management obligations for covered entities under DORA and how DORA will impact fund managers and the insurance sector in Europe.

Limited-Risk AI—A Deep Dive Into Article 50 of the European Union’s AI Act

by Martin Braun, Anne Vallery, and Itsiq Benizri

Left to right: Martin Braun, Anne Vallery and Itsiq Benizri (photos courtesy of the authors)

This blog post focuses on the transparency requirements associated with certain limited-risk artificial intelligence (AI) systems under Article 50 of the European Union’s AI Act.

As explained in our previous blog post, the AI Act’s overall risk-based approach means that, depending on the level of risk, different requirements apply. In total, there are four levels of risk: (1) unacceptable risk, in which case AI systems are prohibited (see our blog post on prohibited AI practices for more details); (2) high risk, in which case AI systems are subject to extensive requirements, including regarding transparency; (3) limited risk, which triggers only transparency requirements; and (4) minimal risk, which does not trigger any obligations.

SEC Adopts Amendments to Regulation S-P That Require Reporting Breaches of “Sensitive Customer Information”

by Mike Borgia and Andrew Lewis

From left to right: Mike Borgia and Andrew Lewis (Photos courtesy of authors)

Broker-dealers, registered investment advisors, and funds are now required to report breaches of “sensitive” nonpublic personal information (NPI) to affected individuals.

On May 15, the Securities and Exchange Commission adopted amendments to Regulation S-P, which covers broker-dealers, registered investment advisors (RIAs), and investment companies (funds). These entities are now required to report data breaches affecting “sensitive customer information,” which is “any component of customer information alone or in conjunction with any other information, the compromise of which could create a reasonably likely risk of substantial harm or inconvenience to an individual identified with the information.”

The amendments were originally proposed on March 15, 2023 (covered in a previous post). The amendments will go into effect 60 days after they are published in the Federal Register.

Second Circuit: Crypto Exchange Binance Subject to U.S. Securities Laws to Avoid a Regulatory Vacuum

Left to right: David Livshiz, Timothy Howard, Andrew Gladstein, Peter Linken, and Seve Kale (photos courtesy of authors)

A recent Second Circuit decision underscores that decentralized crypto exchanges with no claimed “home” jurisdiction face a substantial likelihood of exposure to U.S. securities laws.  In Williams v. Binance, 96 F.4th 129 (2d Cir. 2024), the Second Circuit held plaintiffs adequately alleged crypto token purchases made on Binance’s trading platform by U.S. persons were domestic transactions and subject to U.S. securities laws on two independent grounds.  First, it was plausible that plaintiffs’ purchase orders were matched with sellers on servers located in the U.S.  Second, Binance’s Terms of Use stated orders became irrevocable once they were sent to Binance, which the plaintiffs alleged occurred from their homes in the United States.  The Court’s extraterritoriality analysis focused on Binance’s express disclaimer of a physical presence or geographical headquarters and the inapplicability of any other country’s securities regime.  These factors created the possibility of a regulatory vacuum absent imposition of U.S. securities laws.  Underscoring this point, the Court reasoned that “[e]ven if the Binance exchange lacks a physical location, the answer to where [it matches transactions] cannot be ‘nowhere.’”  Williams, 96 F.4th at 138. 

It will take years before the full implications of Williams become clear; but what is already clear is that U.S. courts are likely to be skeptical of corporate structures that appear to leave a company immune from litigation anywhere.  This skepticism is particularly relevant to crypto exchanges and other decentralized actors, which may not have or maintain a traditional “home” jurisdiction or base. Such decentralized actors may wish to consider taking steps to reduce the risk of exposure to U.S. securities laws, including affirmatively establishing a domicile outside the U.S. by opening a non-U.S. office or otherwise formally submitting to regulation by another nation, using servers, data centers, and other computer network infrastructure outside of the United States, and drafting terms of service or other contractual agreements to provide that transactions become irrevocable in a location outside the U.S.

Strategic Communications Considerations When a Government Investigation Becomes Public Through Voluntary Self-Reporting or Other Means

by Cari Robinson

Photo courtesy of the author

The SEC, DOJ, and nationwide USAOs are increasingly encouraging organizations to self-report misconduct, fully cooperate with authorities, and meaningfully remediate. In return, companies may receive reduced penalties, up to and including a government agreement not to criminally prosecute and a declination to bring a civil enforcement action.

However, in addition to being costly and time-consuming, self-reporting presents reputational risks. There also is always a possibility that a sensitive matter will leak. In any event, having complementary legal and crisis communications strategies in place can help companies avoid costly missteps and mitigate reputational damage.

SEC Staff Provides Guidance on Cyber Form 8-K Reporting

by Scott Kimpel 

Photo courtesy of Hunton Andrews Kurth LLP

On May 21, 2024, staff of the U.S. Securities and Exchange Commission (“SEC”) published additional interpretive guidance on reporting material cybersecurity incidents under Form 8-K.

Since December 18, 2023, when the SEC’s rules for reporting material cybersecurity incidents under Item 1.05 on Form 8-K took effect, we have identified 17 separate companies that have made disclosures under the new rules. Since that date, several other companies also have made disclosures regarding cybersecurity incidents under other Form 8-K items. A large majority of those companies reporting under Item 1.05 have either not yet determined that the triggering incident was material, or determined that the event was in fact immaterial.

BIS Primes the Corporate Enforcement Engine: A Fresh Look at What Recent BIS Actions & Statements Mean and a Proposed Framework for How U.S. Companies Can Best Prepare

by Brent Carlson and Michael Huneke 

From left to right: Brent Carlson and Michael Huneke (Photos courtesy of authors)

The risk of corporate criminal enforcement actions for export controls evasion or diversion is significantly increasing. Recent actions and statements by the Department of Commerce’s Bureau of Industry & Security (“BIS”) suggest that, beyond saber-rattling, BIS is deliberately priming the corporate enforcement engine with the fuel for an enforcement wave that will follow the Foreign Corrupt Practices Act (“FCPA”) “playbook” that the U.S. Department of Justice (“DOJ”) has successfully deployed for the last two decades.

The fuel comes in the form of official, multiagency guidance documents and other actions that describe circumstances indicating a “high probability” of misconduct, which as we have previously written is a freestanding basis for enforcement actions under both the FCPA and the Export Administration Regulations (“EAR”).[1] Such agency actions by BIS notably include the issuance to U.S. companies of lists of counterparties under cover of what BIS officials describe as “red flag” letters. Since our prior analysis,[2] BIS has reemphasized the significance of such letters and underscored the importance of how U.S. companies respond.

FinCEN and SEC Move Closer to New AML Requirements for Investment Advisers & ERAs

by Joel M. Cohen, Claudette Druehl, Marietou Diouf, Tami Stark, Prat Vallabhaneni, and Robert DeNault

Top: Joel M. Cohen, Claudette Druehl, and Marietou Diouf
Bottom: Tami Stark, Prat Vallabhaneni, and Robert DeNault
(Photos courtesy of White & Case LLP)

On May 13, 2024, FinCEN and the SEC jointly proposed a new rule that would require SEC-registered investment advisers and exempt reporting advisers to maintain written customer identification programs (CIPs).  The new rule supplements a proposal in February to impose requirements on investment advisers similar to those that have existed for broker-dealers since 2001, as a means to address illicit finance and national security threats in the asset management industry.

For investment advisers who do not currently have an AML/CFT program, this compliance obligation will create a large shift in the way they operate.  This will require significant legal time and attention, but it will be time well spent considering potential regulatory exposure and likely indemnification obligations which flow through commercial agreements in favor of counterparties.

Biden National Security Memorandum Bolsters CISA Role for Cybersecurity Oversight in Critical Infrastructure

by Beth Burgin Waller and Patrick J. Austin

Beth Burgin Waller and Patrick J. Austin (photos courtesy of Woods Rogers Vandeventer Black PLC)

The Biden Administration recently rolled out a new critical infrastructure memorandum, titled National Security Memorandum on Critical Infrastructure Security and Resilience (NSM-22), which is intended to set forth the role of the federal government, including responsibilities for specific federal agencies, in protecting U.S. critical infrastructure.

NSM-22 serves to supplant PPD-21, formally known as the Presidential Policy Directive — Critical Infrastructure Security and Resilience (pdf). PPD-21, a memorandum issued during the Obama Administration, designated 16 critical infrastructure sectors that will be subject to additional oversight through the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). Pursuant to CIRCIA, entities operating in critical infrastructure sectors will be obligated to report “covered cyber incidents” within 72 hours of the entity developing a reasonable belief that a cyber incident occurred. In addition, critical infrastructure entities must report ransom payments within 24 hours after a payment is made. CIRCIA delegated rulemaking authority to the Cybersecurity and Infrastructure Security Agency (CISA). We wrote about CISA’s proposed rule containing cyber incident reporting requirements in a recent article.
